Re: Error after setting nsslapd-allow-anonymous-access:rootdse

Patrick Landry <patrick.landry@xxxxxxxxxxxxx> · Thu, 7 Sep 2017 11:28:47 -0500 (CDT)

OK. I guess no one has run into this one.

Can anyone tell me what the impact of the admin server not being able to search the specified DIT is?
Is this something to worry about or something which can be ignored?

[Sat Sep 02 15:53:14.402180 2017] [:crit] [pid 2640:tid 139788241741952] populate_tasks_from_server(): Unable to search [cn=admin-serv-ldap-prod1,cn=389 Administration Server,cn=Server Group,cn=SERVER,ou=DOMAIN,o=NetscapeRoot] for LDAPConnection [SERVER:636]

From: "Patrick Landry" <patrick.landry@xxxxxxxxxxxxx>
To: 389-users@xxxxxxxxxxxxxxxxxxxxxxx
Sent: Saturday, September 2, 2017 4:40:27 PM
Subject: [389-users] Error after setting nsslapd-allow-anonymous-access:rootdse

This is a fresh install on RHEL 7.

389-adminutil-1.1.21-2.el7.x86_64
389-admin-console-doc-1.1.12-1.el7.noarch
389-admin-console-1.1.12-1.el7.noarch
389-ds-base-libs-1.3.6.1-16.el7.x86_64
389-ds-console-1.2.16-1.el7.noarch
389-ds-1.2.2-6.el7.noarch
389-ds-base-1.3.6.1-16.el7.x86_64
389-ds-console-doc-1.2.16-1.el7.noarch
389-admin-1.1.46-1.el7.x86_64
389-console-1.1.18-1.el7.noarch
389-dsgw-1.1.11-5.el7.x86_64

Installation went fine and I was able to secure the directory server and
admin server with certificates and restrict access to secure connections
only.

But after I changed nsslapd-allow-anonymous-access:rootdse to prevent
anonymous binds the admin server now complains at startup:

[Sat Sep 02 15:53:14.402180 2017] [:crit] [pid 2640:tid 139788241741952] populate_tasks_from_server(): Unable to search [cn=admin-serv-ldap-prod1,cn=389 Administration Server,cn=Server Group,cn=SERVER,ou=DOMAIN,o=NetscapeRoot] for LDAPConnection [SERVER:636]

I am still able to use the console and the error doesn't seem to affect operation.

If I set nsslapd-allow-anonymous-access:on the error goes away.

If I set nsslapd-allow-anonymous-access:off I get additional errors (which would be expected):

[Sat Sep 02 16:18:36.559764 2017] [:error] [pid 3298:tid 139706415569024] Could not bind as []: ldap error 48: Inappropriate authentication
[Sat Sep 02 16:18:36.559933 2017] [:warn] [pid 3298:tid 139706415569024] Unable to bind as LocalAdmin to populate LocalAdmin tasks into cache.

I did find an old issue in Pagure

https://pagure.io/389-ds-base/issue/47850

which was for a different issue related to setting nsslapd-allow-anonymous-access:rootdse
In that issue Mark mentions adding a separate user entry to be used to search o=netscaperoot
but I can't find any other references to this solution (and don't know if it would solve this issue).

-- 
Patrick Landry
Director, UCSS
University of Louisiana at Lafayette
pml@xxxxxxxxxxxxx

_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx

-- 
Patrick Landry
Director, UCSS
University of Louisiana at Lafayette
pml@xxxxxxxxxxxxx

_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx