It will not currently work on ASF hosts against idmtest without setting TLS_REQCERT=never because the puppet-based ldap.conf is configured to only use the existing self-signed CA cert:
TLS_REQCERT=never ldapsearch -H ldaps://idmtest1-ec2-va.apache.org:636 -W -b "dc=apache,dc=org" -L -D "uid=cml,ou=people,dc=apache,dc=org" uid=cml What is the command line/bind DN you are specifying when you get the error 32? > On Oct 15, 2021, at 4:47 AM, sebb <seb...@gmail.com> wrote: > > On Thu, 7 Oct 2021 at 19:53, Chris Lambertus <c...@apache.org > <mailto:c...@apache.org>> wrote: > >> Authenticated bind example: >> >> >> >> $ ldapsearch -H ldaps://idmtest1-ec2-va.apache.org:636 -W -b >> "dc=apache,dc=org" -L -D "uid=cml,ou=people,dc=apache,dc=org" uid=cml >> Enter LDAP Password: >> version: 1 >> >> # >> # LDAPv3 >> # base <dc=apache,dc=org> with scope subtree >> # filter: uid=cml >> # requesting: ALL >> # >> >> # cml, people, apache.org >> dn: uid=cml,ou=people,dc=apache,dc=org >> [snip] >> >> >> > Does not work for me on the whimsy host: > > > ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) > > > Nor on my macOS system: > > No such object (32) > > (Yes, I did change the bind details) > > If I enter an incorrect password on macOS, I get: > > ldap_bind: Invalid credentials (49) > > This shows the server has been contacted at least. > However using a bad password on Whimsy makes no difference. > > Any tooling relying on UN-authenticated bind will need to switch to using a >> role account. We're starting a process of locating and adjusting any of >> these use cases. There are also a number of cases where tools like >> 'ldapsearch' will use the nss_ldap bind account which is defined in >> /etc/ldap/ldap.conf, so sometimes it appears the tools work without >> passwords, but they are actually using the ldap.conf credentials. >> >> -Chris >> >> >> >> >>> On Oct 6, 2021, at 7:40 PM, Matt Sicker <boa...@gmail.com> wrote: >>> >>> What authentication methods are supported now? I remember being unable >> to find an incantation of ldapsearch that could authenticate. >>> >>> Matt Sicker >>> >>>> On Oct 6, 2021, at 18:40, Chris Lambertus <c...@apache.org> wrote: >>>> >>>> Hi folks, just to let you know, my primary testing and implementation >> of replication between idmtest1-ec2-va and idmtest2-ec2-va is complete. The >> next stage in testing may be more disruptive -- the slapd.conf ACLs have >> been changed to prevent unauthenticated access to the LDAP directory. >>>> >>>> If your project has the capability to test, I would be interested to >> know if Whimsy still functions properly with these security and privacy >> enhancements in place. There will be a more broad discussion on this topic >> brought to Infra lists once initial validation is complete. >>>> >>>> Cheers, >>>> Chris >>>> >>>> >>>> >>>>> On Sep 29, 2021, at 11:15 AM, Chris Lambertus <c...@apache.org> wrote: >>>>> >>>>> FYI, >>>>> >>>>> In https://issues.apache.org/jira/browse/INFRA-22091 < >> https://issues.apache.org/jira/browse/INFRA-22091> a test ldap instance >> was provided to the Whimsy project. This is a notification that Infra will >> be performing work on that host over the next few days. The system may be >> down and data may be unavailable during various operations. I will reply >> here when work is completed. You may continue using the service, but you >> may get timeouts or null results. >>>>> >>>>> -Chris
