Hi Bryan,
What version of 389-ds-base is installed?
On 4/5/21 10:18 AM, Bryan K. Walton
wrote:
We have/had a working 389 directory server running on Centos 8. It was
working fine, and for the most part, it still is. We can sucessfully
manage it through the cockpit service. We can successfully manage the
directory with ApacheDirectoryStudio. ldapsearch/ldapmodify works fine.
But it appears that sometime in the last month or two, when we use the
command dsidm, we have started getting a cert error. Again, it is only
with dsidm.
The error we get is:
Error: Can't contact LDAP server - error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain)
I can't figure out where it is seeing this self-signed cert. When I run
dsidm commands with "-v", I see the following:
DEBUG: Using dirsrv ca certificate /etc/dirsrv/slapd-{instance_name}
DEBUG: Using external ca certificate /etc/dirsrv/slapd-{instance_name}
DEBUG: Using external ca certificate /etc/dirsrv/slapd-{instance_name}
But we have our certs in that directory. And there are no self-signed
certs in our cert or its intermediate and root certs. The cert is a
GoDaddy cert.
This is a known issue when trying to use LDAPS with
dsconf/dsidm. Changes were made in the CLI tools that caused the
settings in /etc/openldap/ldap.conf to basically be ignored. Fix
is not trivial, but for now the best option is to setup the
".dsrc" file in the root home directory. This file contains
predefined settings so you don't need to set them on the command
line. There you can set the CA certificate path, etc.
In this example the instance is named 'localhost", so you will need to change this to match your setup:
/root/.dsrc
[localhost]
tls_cacertdir = /etc/dirsrv/slapd-localhost
uri = ldaps://localhost.localdomain:636
basedn = dc=example,dc=com
binddn = cn=Directory Manager
Then you will use dsidm as follows:
# dsidm localhost user create ...
You can also mange the ".dsrc" file using dsctl:
# dsctl localhost dsrc --help
Let me know if you still have any problems,
Mark
How can I find out what cert dsidm is reading, so as to resolve this issue? Thanks, Bryan _______________________________________________ 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
-- 389 Directory Server Development Team
_______________________________________________ 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
