Re: Error after setting nsslapd-allow-anonymous-access:rootdse


 



OK. I guess no one has run into this one.

Can anyone tell me what the impact of the admin server not being able to search the specified DIT is?
Is this something to worry about or something which can be ignored?

[Sat Sep 02 15:53:14.402180 2017] [:crit] [pid 2640:tid 139788241741952] populate_tasks_from_server(): Unable to search [cn=admin-serv-ldap-prod1,cn=389 Administration Server,cn=Server Group,cn=SERVER,ou=DOMAIN,o=NetscapeRoot] for LDAPConnection [SERVER:636]



From: "Patrick Landry" <patrick.landry@xxxxxxxxxxxxx>
To: 389-users@xxxxxxxxxxxxxxxxxxxxxxx
Sent: Saturday, September 2, 2017 4:40:27 PM
Subject: [389-users] Error after setting nsslapd-allow-anonymous-access:rootdse

This is a fresh install on RHEL 7.

389-adminutil-1.1.21-2.el7.x86_64
389-admin-console-doc-1.1.12-1.el7.noarch
389-admin-console-1.1.12-1.el7.noarch
389-ds-base-libs-1.3.6.1-16.el7.x86_64
389-ds-console-1.2.16-1.el7.noarch
389-ds-1.2.2-6.el7.noarch
389-ds-base-1.3.6.1-16.el7.x86_64
389-ds-console-doc-1.2.16-1.el7.noarch
389-admin-1.1.46-1.el7.x86_64
389-console-1.1.18-1.el7.noarch
389-dsgw-1.1.11-5.el7.x86_64

Installation went fine and I was able to secure the directory server and
admin server with certificates and restrict access to secure connections
only.

But after I changed nsslapd-allow-anonymous-access:rootdse to prevent
anonymous binds, the admin server now complains at startup:

[Sat Sep 02 15:53:14.402180 2017] [:crit] [pid 2640:tid 139788241741952] populate_tasks_from_server(): Unable to search [cn=admin-serv-ldap-prod1,cn=389 Administration Server,cn=Server Group,cn=SERVER,ou=DOMAIN,o=NetscapeRoot] for LDAPConnection [SERVER:636]

I am still able to use the console and the error doesn't seem to affect operation.

If I set nsslapd-allow-anonymous-access:on the error goes away.

If I set nsslapd-allow-anonymous-access:off I get additional errors (which would be expected):

[Sat Sep 02 16:18:36.559764 2017] [:error] [pid 3298:tid 139706415569024] Could not bind as []: ldap error 48: Inappropriate authentication
[Sat Sep 02 16:18:36.559933 2017] [:warn] [pid 3298:tid 139706415569024] Unable to bind as LocalAdmin to populate LocalAdmin tasks into cache.


I did find an old issue in Pagure

https://pagure.io/389-ds-base/issue/47850

which was for a different issue related to setting nsslapd-allow-anonymous-access:rootdse.
In that issue Mark mentions adding a separate user entry to be used to search o=netscaperoot
but I can't find any other references to this solution (and don't know if it would solve this issue).

--

Patrick Landry
Director, UCSS
University of Louisiana at Lafayette
pml@xxxxxxxxxxxxx




_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx


