On Tue, 19 Oct 2021 at 05:23, Chris Lambertus <c...@apache.org> wrote:
>
> It will not currently work on ASF hosts against idmtest without setting
> TLS_REQCERT=never because the puppet-based ldap.conf is configured to only
> use the existing self-signed CA cert:
>
> TLS_REQCERT=never ldapsearch -H ldaps://idmtest1-ec2-va.apache.org:636 -W -b
> "dc=apache,dc=org" -L -D "uid=cml,ou=people,dc=apache,dc=org" uid=cml
Surely that should be LDAPTLS_REQCERT= ... ?

> What is the command line/bind DN you are specifying when you get the error 32?

Just tried the following on Whimsy:

$ ldapsearch -H ldaps://idmtest1-ec2-va.apache.org:636 -W -b "dc=apache,dc=org" -L -D "uid=sebb,ou=people,dc=apache,dc=org" uid=sebb
Enter LDAP Password:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

$ TLS_REQCERT=never ldapsearch -H ldaps://idmtest1-ec2-va.apache.org:636 -W -b "dc=apache,dc=org" -L -D "uid=sebb,ou=people,dc=apache,dc=org" uid=sebb
Enter LDAP Password:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

$ LDAPTLS_REQCERT=never ldapsearch -H ldaps://idmtest1-ec2-va.apache.org:636 -W -b "dc=apache,dc=org" -L -D "uid=sebb,ou=people,dc=apache,dc=org" uid=sebb
Enter LDAP Password:
version: 1

#
# LDAPv3
# base <dc=apache,dc=org> with scope subtree
# filter: uid=*
# requesting: ALL
#

# search result
No such object (32)

# numResponses: 1

I assume you have karma to log in to Whimsy so you could try it for yourself.
>
>
> > On Oct 15, 2021, at 4:47 AM, sebb <seb...@gmail.com> wrote:
> >
> > On Thu, 7 Oct 2021 at 19:53, Chris Lambertus <c...@apache.org
> > <mailto:c...@apache.org>> wrote:
> >
> >> Authenticated bind example:
> >>
> >> $ ldapsearch -H ldaps://idmtest1-ec2-va.apache.org:636 -W -b
> >> "dc=apache,dc=org" -L -D "uid=cml,ou=people,dc=apache,dc=org" uid=cml
> >> Enter LDAP Password:
> >> version: 1
> >>
> >> #
> >> # LDAPv3
> >> # base <dc=apache,dc=org> with scope subtree
> >> # filter: uid=cml
> >> # requesting: ALL
> >> #
> >>
> >> # cml, people, apache.org
> >> dn: uid=cml,ou=people,dc=apache,dc=org
> >> [snip]
> >>
> > Does not work for me on the whimsy host:
> >
> > ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
> >
> > Nor on my macOS system:
> >
> > No such object (32)
> >
> > (Yes, I did change the bind details)
> >
> > If I enter an incorrect password on macOS, I get:
> >
> > ldap_bind: Invalid credentials (49)
> >
> > This shows the server has been contacted at least.
> > However using a bad password on Whimsy makes no difference.
> >
> >> Any tooling relying on UN-authenticated bind will need to switch to using a
> >> role account. We're starting a process of locating and adjusting any of
> >> these use cases. There are also a number of cases where tools like
> >> 'ldapsearch' will use the nss_ldap bind account which is defined in
> >> /etc/ldap/ldap.conf, so sometimes it appears the tools work without
> >> passwords, but they are actually using the ldap.conf credentials.
> >>
> >> -Chris
> >>
> >>
> >>> On Oct 6, 2021, at 7:40 PM, Matt Sicker <boa...@gmail.com> wrote:
> >>>
> >>> What authentication methods are supported now? I remember being unable
> >>> to find an incantation of ldapsearch that could authenticate.
> >>>
> >>> Matt Sicker
> >>>
> >>>> On Oct 6, 2021, at 18:40, Chris Lambertus <c...@apache.org> wrote:
> >>>>
> >>>> Hi folks, just to let you know, my primary testing and implementation
> >>>> of replication between idmtest1-ec2-va and idmtest2-ec2-va is complete. The
> >>>> next stage in testing may be more disruptive -- the slapd.conf ACLs have
> >>>> been changed to prevent unauthenticated access to the LDAP directory.
> >>>>
> >>>> If your project has the capability to test, I would be interested to
> >>>> know if Whimsy still functions properly with these security and privacy
> >>>> enhancements in place. There will be a more broad discussion on this topic
> >>>> brought to Infra lists once initial validation is complete.
> >>>>
> >>>> Cheers,
> >>>> Chris
> >>>>
> >>>>
> >>>>> On Sep 29, 2021, at 11:15 AM, Chris Lambertus <c...@apache.org> wrote:
> >>>>>
> >>>>> FYI,
> >>>>>
> >>>>> In https://issues.apache.org/jira/browse/INFRA-22091 <
> >>>>> https://issues.apache.org/jira/browse/INFRA-22091> a test ldap instance
> >>>>> was provided to the Whimsy project. This is a notification that Infra will
> >>>>> be performing work on that host over the next few days. The system may be
> >>>>> down and data may be unavailable during various operations. I will reply
> >>>>> here when work is completed. You may continue using the service, but you
> >>>>> may get timeouts or null results.
> >>>>>
> >>>>> -Chris
>
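The thread raises three things a tool owner needs to confirm once the idmtest ACLs refuse anonymous access: that the client really reaches the server over LDAPS (the -1 "Can't contact LDAP server" case), that a bad password is actually rejected (sebb notes it "makes no difference" on Whimsy, and Chris explains that ldapsearch may silently use the /etc/ldap/ldap.conf credentials), and that the role account can still see what the tool needs. The script below is an added example and is not code from this thread or from ASF Infra. It assumes OpenLDAP's ldapsearch, uses LDAPTLS_CACERT (a real OpenLDAP client variable) to trust the idmtest self-signed CA so certificate verification stays on rather than being switched off with LDAPTLS_REQCERT=never, and the CA path, role DN and the LDAPSEARCH override are placeholders or assumptions. It also assumes the usual OpenLDAP tool behaviour that the exit status is the LDAP result code, with the client-side -1 appearing as 255.

```shell
#!/bin/sh
# Added example, not code from the thread: check that a tool being moved off
# anonymous bind really authenticates as its role account. Assumptions: OpenLDAP's
# ldapsearch; LDAPTLS_CACERT (an OpenLDAP client variable) pointing at the
# idmtest self-signed CA so certificate checking stays on instead of being
# disabled with LDAPTLS_REQCERT=never; the CA path and role DN are placeholders.

LDAP_URI="${LDAP_URI:-ldaps://idmtest1-ec2-va.apache.org:636}"   # host from the thread
LDAP_BASE="${LDAP_BASE:-dc=apache,dc=org}"
LDAP_CACERT="${LDAP_CACERT:-/etc/ssl/certs/idmtest-ca.pem}"      # placeholder path
LDAPSEARCH="${LDAPSEARCH:-ldapsearch}"                           # overridable for testing

# One search under one bind identity. Prints "<exit status> <entries returned>".
# OpenLDAP tools exit with the LDAP result code (49 invalid credentials, 32 no such
# object); the client-side -1 for "Can't contact LDAP server" shows up as 255.
ldap_probe() {
    # $1 = bind DN ("" for anonymous), $2 = password file (read with -y, so the
    # password never appears in `ps`), $3 = search filter
    out=$(
        rc=0
        if [ -n "$1" ]; then
            LDAPTLS_CACERT="$LDAP_CACERT" "$LDAPSEARCH" -H "$LDAP_URI" -x -D "$1" -y "$2" \
                -b "$LDAP_BASE" -LLL "$3" dn 2>/dev/null || rc=$?
        else
            LDAPTLS_CACERT="$LDAP_CACERT" "$LDAPSEARCH" -H "$LDAP_URI" -x \
                -b "$LDAP_BASE" -LLL "$3" dn 2>/dev/null || rc=$?
        fi
        echo "EXIT=$rc"
    )
    status=$(printf '%s\n' "$out" | sed -n 's/^EXIT=//p')
    count=$(printf '%s\n' "$out" | grep -c '^dn:' || true)
    echo "$status $count"
}

# Three expectations for a role account: anonymous sees nothing, a wrong password
# is refused with 49 (if it is accepted, the client is most likely binding with
# whatever /etc/ldap/ldap.conf supplies, not the credentials you passed), and the
# real credentials return at least one entry. Returns 1 if any expectation fails.
check_role_account() {
    # $1 = role account DN, $2 = its password file, $3 = filter expected to match
    rc=0
    anon=$(ldap_probe "" "" "$3")
    case "$anon" in
        "255 "*) echo "FAIL cannot reach $LDAP_URI (TLS/CA or network: $anon)"; rc=1 ;;
        *" 0")   echo "ok   anonymous bind returns no entries ($anon)" ;;
        *)       echo "FAIL anonymous bind still sees entries ($anon)"; rc=1 ;;
    esac

    wrongfile=$(mktemp) && printf 'not-the-password' >"$wrongfile"
    wrong=$(ldap_probe "$1" "$wrongfile" "$3")
    rm -f "$wrongfile"
    case "$wrong" in
        "49 "*) echo "ok   wrong password rejected with LDAP 49" ;;
        "0 "*)  echo "FAIL wrong password accepted: check /etc/ldap/ldap.conf credentials"; rc=1 ;;
        *)      echo "FAIL wrong password gave an unexpected result ($wrong)"; rc=1 ;;
    esac

    good=$(ldap_probe "$1" "$2" "$3")
    case "$good" in
        "0 0") echo "FAIL bind succeeded but $3 matched nothing: check base DN and ACLs"; rc=1 ;;
        "0 "*) echo "ok   role account sees ${good#0 } entries" ;;
        *)     echo "FAIL authenticated bind failed ($good)"; rc=1 ;;
    esac
    return $rc
}

# Stand-alone use (ROLE_DN is a placeholder):
#   ROLE_DN=uid=role,ou=people,dc=apache,dc=org ROLE_PWFILE=/path/to/pw ./check.sh
if [ -n "${ROLE_DN:-}" ]; then
    check_role_account "$ROLE_DN" "${ROLE_PWFILE:?set ROLE_PWFILE}" "(uid=*)"
fi
```

Two design points: the password goes through `-y file` rather than `-w`, so it never sits in the process list or shell history, and the "wrong password" probe is the one that catches the case sebb describes, where the bind appears to work whatever password is given. If that probe reports success, look at what ldap.conf is supplying to the client before trusting any "it works" result from the tool itself.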