On Thu, 7 Oct 2021 at 19:53, Chris Lambertus <c...@apache.org> wrote:
> Authenticated bind example:
>
> $ ldapsearch -H ldaps://idmtest1-ec2-va.apache.org:636 -W -b "dc=apache,dc=org" -L -D "uid=cml,ou=people,dc=apache,dc=org" uid=cml
> Enter LDAP Password:
> version: 1
>
> #
> # LDAPv3
> # base <dc=apache,dc=org> with scope subtree
> # filter: uid=cml
> # requesting: ALL
> #
>
> # cml, people, apache.org
> dn: uid=cml,ou=people,dc=apache,dc=org
> [snip]

Does not work for me on the whimsy host:

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Nor on my macOS system:

No such object (32)

(Yes, I did change the bind details)

If I enter an incorrect password on macOS, I get:

ldap_bind: Invalid credentials (49)

This shows the server has been contacted at least.
However, using a bad password on Whimsy makes no difference.

> Any tooling relying on UN-authenticated bind will need to switch to
> using a role account. We're starting a process of locating and
> adjusting any of these use cases. There are also a number of cases
> where tools like 'ldapsearch' will use the nss_ldap bind account which
> is defined in /etc/ldap/ldap.conf, so sometimes it appears the tools
> work without passwords, but they are actually using the ldap.conf
> credentials.
>
> -Chris
>
> > On Oct 6, 2021, at 7:40 PM, Matt Sicker <boa...@gmail.com> wrote:
> >
> > What authentication methods are supported now? I remember being
> > unable to find an incantation of ldapsearch that could authenticate.
> >
> > Matt Sicker
> >
> >> On Oct 6, 2021, at 18:40, Chris Lambertus <c...@apache.org> wrote:
> >>
> >> Hi folks, just to let you know, my primary testing and
> >> implementation of replication between idmtest1-ec2-va and
> >> idmtest2-ec2-va is complete. The next stage in testing may be more
> >> disruptive -- the slapd.conf ACLs have been changed to prevent
> >> unauthenticated access to the LDAP directory.
> >>
> >> If your project has the capability to test, I would be interested
> >> to know if Whimsy still functions properly with these security and
> >> privacy enhancements in place. There will be a more broad
> >> discussion on this topic brought to Infra lists once initial
> >> validation is complete.
> >>
> >> Cheers,
> >> Chris
> >>
> >>> On Sep 29, 2021, at 11:15 AM, Chris Lambertus <c...@apache.org> wrote:
> >>>
> >>> FYI,
> >>>
> >>> In https://issues.apache.org/jira/browse/INFRA-22091
> >>> <https://issues.apache.org/jira/browse/INFRA-22091> a test ldap
> >>> instance was provided to the Whimsy project. This is a
> >>> notification that Infra will be performing work on that host over
> >>> the next few days. The system may be down and data may be
> >>> unavailable during various operations. I will reply here when work
> >>> is completed. You may continue using the service, but you may get
> >>> timeouts or null results.
> >>>
> >>> -Chris
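
Added example, not part of the original thread and not Infra or Whimsy code: a Python triage of the three ldapsearch results quoted in the reply above, plus a check for stored bind settings in ldap.conf-style text of the kind Chris describes. The function names and the sample config are constructed for illustration; binddn, bindpw and rootbinddn are nss_ldap settings, and BINDDN is the OpenLDAP client equivalent.

```python
import re

# nss_ldap keys; OpenLDAP's BINDDN also matches once the key is lowercased.
IMPLICIT_BIND_KEYS = {"binddn", "bindpw", "rootbinddn"}

# Result codes seen in the thread. -1 is a client-side libldap code;
# 32 and 49 are returned by the server.
DIAGNOSIS = {
    -1: ("transport", "server never reached; the password was not evaluated"),
    32: ("search", "server answered; base DN missing or not disclosed to this identity"),
    49: ("bind", "server answered and rejected the bind DN/password"),
}
RESULT_RE = re.compile(r"\((-?\d+)\)\s*$")

# Constructed sample, not taken from any real host.
SAMPLE_CONF = """\
# constructed ldap.conf-style sample
URI ldaps://ldap.example.org:636
BASE dc=example,dc=org
binddn uid=nss-role,ou=services,dc=example,dc=org
bindpw not-a-real-secret
"""


def classify(error_line):
    """Map an ldapsearch error line to (code, stage, meaning)."""
    match = RESULT_RE.search(error_line)
    if not match:
        return (None, "unknown", "no result code found")
    code = int(match.group(1))
    stage, meaning = DIAGNOSIS.get(code, ("unknown", "code not covered here"))
    return (code, stage, meaning)


def implicit_bind_settings(conf_text):
    """Return bind-related settings from ldap.conf-style text, password redacted."""
    found = {}
    for raw in conf_text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        if key in IMPLICIT_BIND_KEYS:
            value = parts[1].strip() if len(parts) > 1 else ""
            found[key] = "<redacted>" if key == "bindpw" else value
    return found


if __name__ == "__main__":
    print(classify("ldap_bind: Invalid credentials (49)"))
    print(implicit_bind_settings(SAMPLE_CONF))
```

A non-empty result from implicit_bind_settings means a tool on that host may be binding with stored credentials rather than anonymously.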