Jacek Nykis wrote: > On Thursday 02 September 2010 18:45:44 Rich Megginson wrote: > >> Jacek Nykis wrote: >> >>> Hi, >>> >>> >>> >>> I am trying to setup chaining backend and I encountered some problems. >>> >>> I setup nsBackendInstance object with all attributes but it would seem >>> that "nsusestarttls" does not have any effect. Here is what happens: >>> >>> >>> >>> If I use ldaps over port 636 everything is fine: >>> >>> nsusestarttls: off >>> >>> nsfarmserverurl: ldaps://xxx:636 >>> >>> >>> >>> But when I change values to below it stops: >>> >>> nsusestarttls: on >>> >>> nsfarmserverurl: ldap://xxx:389 >>> >>> >>> >>> Logs on master server suggest that slave does not use startTLS when >>> connecting. >>> >>> >>> >>> On slave server I can see this: >>> >>> [02/Sep/2010:15:53:22 +0000] conn=1 fd=64 slot=64 connection from >>> <client IP> to <Slave IP> >>> >>> [02/Sep/2010:15:53:22 +0000] conn=1 op=0 EXT >>> oid="1.3.6.1.4.1.1466.20037" name="startTLS" >>> >>> [02/Sep/2010:15:53:22 +0000] conn=1 op=0 RESULT err=0 tag=120 >>> nentries=0 etime=0 >>> >>> [02/Sep/2010:15:53:22 +0000] conn=1 SSL 256-bit AES >>> >>> [02/Sep/2010:15:53:22 +0000] conn=1 op=1 BIND >>> dn="uid=xxx,ou=xxx,dc=xxx" method=128 version=3 >>> >>> [02/Sep/2010:15:53:22 +0000] conn=1 op=1 RESULT err=13 tag=97 >>> nentries=0 etime=0 >>> >>> [02/Sep/2010:15:53:22 +0000] conn=1 op=-1 fd=64 closed - B1 >>> >>> >>> >>> On master: >>> >>> [02/Sep/2010:15:53:22 +0000] conn=34 fd=64 slot=64 connection from >>> <Slave IP> to <Master IP> >>> >>> [02/Sep/2010:15:53:22 +0000] conn=34 op=0 BIND >>> dn="uid=xxx,ou=xxx,dc=xxx" method=128 version=3 >>> >>> [02/Sep/2010:15:53:22 +0000] conn=34 op=0 RESULT err=13 tag=97 >>> nentries=0 etime=0 >>> >>> >>> >>> We would prefer to use startTLS on port 389, does anybody know if this >>> is possible or if anything else is required to make it work? >>> >> What platform? What version of 389-ds-base? >> >> > > Hi, > > I am using CentOS 5.5 x86_64 on all machines. > 389-ds-base v 1.2.6 > which version of 1.2.6? 1.2.6-1, the official released version, or one of the .a or .rc releases? > I also noticed something strange. I am trying to setup global password lockout > policy: > http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Replication- > Replicating-Password-Attributes.html > > When I set "passwordIsGlobalPolicy" to off problem disappears and I can bind > and change passwords fine with startTLS on port 389. When I set it to on I > cannot even bind. > err=13 is LDAP_CONFIDENTIALITY_REQUIRED - which means you attempted a SIMPLE BIND (i.e. DN and password) over a clear text connection. The log from the master shows that the connection attempt was made without LDAPS or a startTLS operation. > -- > Jacek Nykis > IS Unix Frontend Engineer > > Fax: +44 (0) 20 8834 8001 > Yahoo! Messenger: nykisj > > > Betfair Limited | Winslow Road | Hammersmith Embankment | London | W6 9HP > Company No. 5140986 > > > The information in this e-mail and any attachment is confidential and is > intended only for the named recipient(s). The e-mail may not be disclosed or > used by any person other than the addressee, nor may it be copied in any way. > If you are not a named recipient please notify the sender immediately and > delete any copies of this message. Any unauthorized copying, disclosure or > distribution of the material in this e-mail is strictly forbidden. Any view or > opinions presented are solely those of the author and do not necessarily > represent those of the company. Betfair (r) and the BETFAIR LOGO are > registered trade marks of The Sporting Exchange Limited. > > ________________________________________________________________________ > In order to protect our email recipients, Betfair Group use SkyScan from > MessageLabs to scan all Incoming and Outgoing mail for viruses. > > ________________________________________________________________________ > -- > 389 users mailing list > 389-users@xxxxxxxxxxxxxxxxxxxxxxx > https://admin.fedoraproject.org/mailman/listinfo/389-users > -- 389 users mailing list 389-users@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/389-users
