This is a fresh install on RHEL 7.
389-adminutil-1.1.21-2.el7.x86_64
389-admin-console-doc-1.1.12-1.el7.noarch
389-admin-console-1.1.12-1.el7.noarch
389-ds-base-libs-1.3.6.1-16.el7.x86_64
389-ds-console-1.2.16-1.el7.noarch
389-ds-1.2.2-6.el7.noarch
389-ds-base-1.3.6.1-16.el7.x86_64
389-ds-console-doc-1.2.16-1.el7.noarch
389-admin-1.1.46-1.el7.x86_64
389-console-1.1.18-1.el7.noarch
389-dsgw-1.1.11-5.el7.x86_64
Installation went fine and I was able to secure the directory server and
admin server with certificates and restrict access to secure connections
only.
But after I changed nsslapd-allow-anonymous-access:rootdse to prevent
anonymous binds the admin server now complains at startup:
[Sat Sep 02 15:53:14.402180 2017] [:crit] [pid 2640:tid 139788241741952] populate_tasks_from_server(): Unable to search [cn=admin-serv-ldap-prod1,cn=389 Administration Server,cn=Server Group,cn=SERVER,ou=DOMAIN,o=NetscapeRoot] for LDAPConnection [SERVER:636]
I am still able to use the console and the error doesn't seem to affect operation.
If I set nsslapd-allow-anonymous-access:on the error goes away.
If I set nsslapd-allow-anonymous-access:off I get additional errors (which would be expected):
[Sat Sep 02 16:18:36.559764 2017] [:error] [pid 3298:tid 139706415569024] Could not bind as []: ldap error 48: Inappropriate authentication
[Sat Sep 02 16:18:36.559933 2017] [:warn] [pid 3298:tid 139706415569024] Unable to bind as LocalAdmin to populate LocalAdmin tasks into cache.
I did find an old issue in Pagure
https://pagure.io/389-ds-base/issue/47850
which was for a different issue related to setting nsslapd-allow-anonymous-access:rootdse
In that issue Mark mentions adding a separate user entry to be used to search o=netscaperoot
but I can't find any other references to this solution (and don't know if it would solve this issue).
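As an added example that is not part of the original post or of the 389 project, the following Python script parses admin server log lines of the shape quoted above and maps the failure signatures to the three observed states: anonymous access restricted to the root DSE (the search of o=NetscapeRoot is denied but the console keeps working), anonymous access off entirely (the empty-DN bind is refused with LDAP error 48 and the LocalAdmin task cache is skipped), and no symptoms. The sample lines are copied from the post; the verdict names and the "collapse exact repeats" rule are this example's own assumptions, not 389 behaviour.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample input: the admin server (httpd-style) log lines quoted in the post,
# grouped by the nsslapd-allow-anonymous-access value that produced them.
SAMPLE_ROOTDSE = [
    "[Sat Sep 02 15:53:14.402180 2017] [:crit] [pid 2640:tid 139788241741952] "
    "populate_tasks_from_server(): Unable to search [cn=admin-serv-ldap-prod1,"
    "cn=389 Administration Server,cn=Server Group,cn=SERVER,ou=DOMAIN,o=NetscapeRoot] "
    "for LDAPConnection [SERVER:636]",
]
SAMPLE_OFF = [
    "[Sat Sep 02 16:18:36.559764 2017] [:error] [pid 3298:tid 139706415569024] "
    "Could not bind as []: ldap error 48: Inappropriate authentication",
    "[Sat Sep 02 16:18:36.559933 2017] [:warn] [pid 3298:tid 139706415569024] "
    "Unable to bind as LocalAdmin to populate LocalAdmin tasks into cache.",
    # the same warning line appears twice in the post; treated as an exact repeat
    "[Sat Sep 02 16:18:36.559933 2017] [:warn] [pid 3298:tid 139706415569024] "
    "Unable to bind as LocalAdmin to populate LocalAdmin tasks into cache.",
]

# [timestamp] [:level] [pid N:tid M] message
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[:(?P<level>\w+)\] "
    r"\[pid (?P<pid>\d+):tid (?P<tid>\d+)\] (?P<msg>.*)$"
)

# Message signatures taken from the post; group names are this example's own.
SIGNATURES: List[Tuple[str, re.Pattern]] = [
    ("search_denied", re.compile(
        r"populate_tasks_from_server\(\): Unable to search \[(?P<dn>[^\]]+)\] "
        r"for LDAPConnection \[(?P<conn>[^\]]+)\]")),
    ("bind_rejected", re.compile(
        r"Could not bind as \[(?P<dn>[^\]]*)\]: ldap error (?P<code>\d+): (?P<text>.*)")),
    ("task_cache_skipped", re.compile(
        r"Unable to bind as LocalAdmin to populate LocalAdmin tasks into cache")),
]


@dataclass
class AdminLogRecord:
    ts: str
    level: str
    pid: int
    tid: int
    msg: str


def parse_line(line: str) -> Optional[AdminLogRecord]:
    """Split one admin server log line into its fields; None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return AdminLogRecord(m["ts"], m["level"], int(m["pid"]), int(m["tid"]), m["msg"])


def classify(rec: AdminLogRecord) -> Optional[Tuple[str, Dict[str, str]]]:
    """Return (signature name, captured fields) for the first matching signature."""
    for name, rx in SIGNATURES:
        m = rx.search(rec.msg)
        if m:
            return name, m.groupdict()
    return None


def suffix_of(dn: str) -> str:
    """Last RDN of a DN (simplified: ignores escaped commas), e.g. 'o=NetscapeRoot'."""
    return dn.split(",")[-1].strip()


def diagnose(lines: List[str]) -> Dict[str, object]:
    """Count signatures (collapsing exact consecutive repeats) and give a verdict.

    Verdicts follow the behaviour described in the post:
      'off'     - empty-DN bind refused with LDAP error 48 (anonymous binds disabled)
      'rootdse' - bind allowed, but the o=NetscapeRoot search is denied
      'none'    - no anonymous-access symptoms seen
    """
    counts = {"search_denied": 0, "bind_rejected": 0, "task_cache_skipped": 0, "unparsed": 0}
    details: Dict[str, Dict[str, str]] = {}
    last_key = None
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            counts["unparsed"] += 1
            continue
        key = (rec.ts, rec.pid, rec.tid, rec.msg)
        if key == last_key:
            continue  # exact repeat of the previous record
        last_key = key
        hit = classify(rec)
        if hit is None:
            continue
        name, info = hit
        counts[name] += 1
        details.setdefault(name, info)

    bind = details.get("bind_rejected")
    if bind is not None and bind["dn"] == "" and bind["code"] == "48":
        verdict = "off"
    elif counts["search_denied"]:
        verdict = "rootdse"
    else:
        verdict = "none"

    search = details.get("search_denied")
    denied_suffix = suffix_of(search["dn"]) if search else None
    return {**counts, "verdict": verdict, "denied_suffix": denied_suffix, "details": details}


if __name__ == "__main__":
    for label, sample in (("rootdse", SAMPLE_ROOTDSE), ("off", SAMPLE_OFF)):
        print(label, diagnose(sample))
```

Run it as-is to see the two verdicts; point `diagnose()` at the lines of a real admin server error log to get the same classification. The "rootdse" verdict only reports that the admin server's search of the o=NetscapeRoot subtree was refused, which is what the post observed; it does not by itself say whether the console is affected.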