Re: intro to 389 LDAP administration

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




> On 15 May 2020, at 08:47, Matt Zagrabelny <mzagrabe@xxxxxxxxx> wrote:
> 
> Hey William,
> 
> Thanks for the welcome!
> 
>> Hey there, welcome to LDAP and 389-ds!
>> 
>> 
>> Yeah, this socket file name is encoded. Check for /var/run/slapd-<instance
>> name>.socket, which in your case, is slapd-gopher.socket.
> 
> Hmmm. Nope. No sockets. Here is what is in /var/run...
> 
> # find -L /var/run -name '*sock*'
> /var/run/dbus/system_bus_socket
> /var/run/rpcbind.sock
> /var/run/systemd/journal/socket
> /var/run/systemd/inaccessible/sock
> 
> 
>> 
>> 
>> Which program did you use to create the server? It should be dscreate as setup-ds.pl has
>> been deprecated and should be removed ....
> 
> Hmm. Okay. I did use the Perl script setup-ds. Debian documentation should be updated. I'll file a bug.
> 
> I'll also try recreating things with the dscreate Python script.

Yeh, I'd recreate with dscreate, because it actually sets up things as you would expect. setup-ds.pl should never be packaged on a 1.4.x release :(

> 
>> 
>> 
>> Whin you run dsidm you need to use it as root or user dirsrv - this is because it reads
>> the .dsrc of the user, finds the ldapi socket, and then uses the uid/gid of the current
>> process to map your authetication through. 
> 
> Agreed.
> 
>> 
>> When you use ldapmodify, you need to configure the related openldap tools instead, at
>> /etc/openldap/ldap.conf. You can generate a configuration for this with:
> 
> Ahh. Okay. Good to know.
> 
> 
>> 
>> #
>> # OpenLDAP client configuration
>> # Generated by 389 Directory Server - dsidm
>> #
>> 
>> # See ldap.conf(5) for details
>> # This file should be world readable but not world writable.
>> 
>> BASE    dc=blackhats,dc=net,dc=au
>> # Remember to check this: you can have multiple uris on this line. You may have
>> # multiple servers or load balancers in your environment.
>> URI     ldapi://%2fdata%2frun%2fslapd-localhost.socket
>> # If you have DNS SRV records you can use:
>> # URI   ldaps:///dc%3Dblackhats%2Cdc%3Dnet%2Cdc%3Dau
>> 
>> DEREF   never
>> # To use cacert dir, place *.crt files in this path then run:
>> # /usr/bin/c_rehash /etc/openldap/certs
>> TLS_CACERTDIR /etc/openldap/certs
>> # TLS_CACERT /etc/openldap/certs/ca.crt
>> 
>> 
>> 
>> It depends who the user is. If you have .dsrc with ldapi, you won't need a password as
>> your are binding with cn=Directory Manager aka "root for 389-ds ldap".
> 
> Agreed.
> 
> If you
>> end up delegating privileges, you wouldbind as "that users dn".
>> 
>> Hope that helps somewhat! 
> 
> Thanks for the hints and help!
> 
> Have a good night!

If you have any more questions, please let us know! 

> 
> -m
> _______________________________________________
> 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx

—
Sincerely,

William Brown

Senior Software Engineer, 389 Directory Server
SUSE Labs
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx




[Index of Archives]     [Fedora User Discussion]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux