Re: 389-ds on Leap 15.1 - teething pains - it is running (with some issues) - but I still cannot test authentication

Hi,

On 17.04.20 at 18:01 Clayvahn Hunt wrote:

> I have done as you suggest (see dsrc contents below), restarted the instance, then (note: ldaps://ent-a.aeho.lan):
> LDAPTLS_CACERT=/etc/dirsrv/slapd-localhost/ca.crt ldapwhoami -v -H ldaps://ent-a.aeho.lan -D uid=huncl01,ou=people,dc=aeho,dc=lan -W -x

Actually I pointed you in the wrong direction. For ldapwhoami the .dsrc is
not used at all.

So the error must be somewhere else.

Is "ent-a.aeho.lan" the hostname of the local system (run "hostname -s" or
"hostnamectl" or similar)? Can you ping that name, i.e. is it in DNS or in your
local /etc/hosts?

> If that worked, I would be very concerned as the whole idea is to *not* be tied to a specific hostname (unless running multiple LDAP servers, no?)

Please correct me if I am wrong:

For having multiple masters you need to have a name in the server's certificate
that is *not* the local system's hostname, or any other individual server's
hostname. You would rather use some kind of alias or DNS round-robin name or
similar that points to one of your servers on each connection, and use that name
in the certificate.

Running just a single server only means that the same name that you use to
connect to the server (via ssh or via LDAP or for ping ...) needs to be in the
certificate. And you need to use that name when using ldaps://.

> I've put everything back the way it should (?!) be... but here's my .dsrc file to test your theory:
> 
> 
> [localhost]
> [localhost-ldaps]

As Mark already replied, I would remove one of these sections.
As far as I understood the documentation, you can point your dsctl command to
many different hosts, that you define here and use with "dsctl <name> status" or
similar. And two different sections for the same host seem strange to me...

Johannes

-- 
Johannes Kastl
Linux Consultant & Trainer
Tel.: +49 (0) 151 2372 5802
Mail: kastl@xxxxxxxxxxxxx

B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg
http://www.b1-systems.de
GF: Ralph Dehner
Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537

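As an added example that is not part of Johannes' reply or of the 389-ds project: a POSIX shell script that checks whether the host name used in an ldaps:// URL is one of the names a server certificate carries (the condition described in the reply above) and whether that name resolves in DNS or /etc/hosts. It builds its own self-signed certificate with the names from the thread; the path /etc/dirsrv/slapd-localhost/ca.crt and the host names are only what the constructed certificate stands in for.

```shell
#!/bin/sh
# Added example, not code from the thread: verify that the name in an ldaps://
# URL is covered by the server certificate, and that the name resolves.
# Needs only openssl (1.1.1 or newer, for -addext) and POSIX tools.

# Print the host names a certificate is valid for: every DNS SAN, then the CN.
cert_names() {
    cert=$1
    openssl x509 -in "$cert" -noout -text \
        | awk '/Subject Alternative Name/ { getline; print }' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\)[[:space:]]*$/\1/p'
    openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Exit 0 if NAME (the host part of the ldaps:// URL) is covered by CERT.
cert_has_name() {
    cert_names "$1" | grep -qx "$2"
}

# Exit 0 if NAME resolves via DNS or /etc/hosts (the other check from the mail).
name_resolves() {
    getent hosts "$1" >/dev/null 2>&1
}

# Constructed demo certificate: self-signed, SAN lists the two names used in
# the thread. Stands in for the real server certificate (assumption).
make_demo_cert() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/key.pem" -out "$dir/server.pem" \
        -subj "/CN=ent-a.aeho.lan" \
        -addext "subjectAltName=DNS:ent-a.aeho.lan,DNS:ldap.aeho.lan" \
        >/dev/null 2>&1
    echo "$dir/server.pem"
}

demo_dir=$(mktemp -d)
demo_cert=$(make_demo_cert "$demo_dir")
for host in ent-a.aeho.lan ldap.aeho.lan localhost; do
    if cert_has_name "$demo_cert" "$host"; then
        echo "ldaps://$host : name is in the certificate"
    else
        echo "ldaps://$host : NOT in the certificate, TLS host name check fails"
    fi
done
rm -rf "$demo_dir"
```

Against a live server, fetch the certificate it actually presents with `openssl s_client -connect ent-a.aeho.lan:636 </dev/null 2>/dev/null | openssl x509 > server.pem` and pass server.pem to cert_has_name; the CA file given in LDAPTLS_CACERT only has to sign that certificate, the name check is done on the server certificate itself.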

_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
