> On Oct 19, 2021, at 2:14 AM, sebb <seb...@gmail.com> wrote:
> 
> On Tue, 19 Oct 2021 at 05:23, Chris Lambertus <c...@apache.org> wrote:
>> 
>> It will not currently work on ASF hosts against idmtest without setting 
>> TLS_REQCERT=never because the puppet-based ldap.conf is configured to only 
>> use the existing self-signed CA cert:
>> 
>> TLS_REQCERT=never ldapsearch -H ldaps://idmtest1-ec2-va.apache.org:636 -W -b 
>> "dc=apache,dc=org" -L -D "uid=cml,ou=people,dc=apache,dc=org" uid=cml
> 
> Surely that should be LDAPTLS_REQCERT= ... ?

Apparently so.

>> What is the command line/bind DN you are specifying when you get the error 
>> 32?

> # search result
> No such object (32)
> 
> # numResponses: 1
> 
> I assume you have karma to log in to Whimsy so you could try it for yourself.

I have, and it works, but I have additional (apldap) karma. I will look into 
this further, it is likely related to DSN access. I'll get back to you... 

Thanks for testing.
-C

>>> On Oct 15, 2021, at 4:47 AM, sebb <seb...@gmail.com> wrote:
>>> 
>>> On Thu, 7 Oct 2021 at 19:53, Chris Lambertus <c...@apache.org> wrote:
>>> 
>>>> Authenticated bind example:
>>>> 
>>>> $ ldapsearch -H ldaps://idmtest1-ec2-va.apache.org:636 -W -b
>>>> "dc=apache,dc=org" -L -D "uid=cml,ou=people,dc=apache,dc=org" uid=cml
>>>> Enter LDAP Password:
>>>> version: 1
>>>> 
>>>> #
>>>> # LDAPv3
>>>> # base <dc=apache,dc=org> with scope subtree
>>>> # filter: uid=cml
>>>> # requesting: ALL
>>>> #
>>>> 
>>>> # cml, people, apache.org
>>>> dn: uid=cml,ou=people,dc=apache,dc=org
>>>> [snip]
>>>> 
>>> Does not work for me on the whimsy host:
>>> 
>>> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>>> 
>>> Nor on my macOS system:
>>> 
>>> No such object (32)
>>> 
>>> (Yes, I did change the bind details)
>>> 
>>> If I enter an incorrect password on macOS, I get:
>>> 
>>> ldap_bind: Invalid credentials (49)
>>> 
>>> This shows the server has been contacted at least.
>>> However using a bad password on Whimsy makes no difference.
>>> 
>>>> Any tooling relying on unauthenticated bind will need to switch to using a
>>>> role account. We're starting a process of locating and adjusting any of
>>>> these use cases. There are also a number of cases where tools like
>>>> 'ldapsearch' will use the nss_ldap bind account which is defined in
>>>> /etc/ldap/ldap.conf, so sometimes it appears the tools work without
>>>> passwords, but they are actually using the ldap.conf credentials.
>>>> 
>>>> -Chris
>>>> 
>>>>> On Oct 6, 2021, at 7:40 PM, Matt Sicker <boa...@gmail.com> wrote:
>>>>> 
>>>>> What authentication methods are supported now? I remember being unable
>>>>> to find an incantation of ldapsearch that could authenticate.
>>>>> 
>>>>> Matt Sicker
>>>>> 
>>>>>> On Oct 6, 2021, at 18:40, Chris Lambertus <c...@apache.org> wrote:
>>>>>> 
>>>>>> Hi folks, just to let you know, my primary testing and implementation
>>>>>> of replication between idmtest1-ec2-va and idmtest2-ec2-va is complete. The
>>>>>> next stage in testing may be more disruptive -- the slapd.conf ACLs have
>>>>>> been changed to prevent unauthenticated access to the LDAP directory.
>>>>>> 
>>>>>> If your project has the capability to test, I would be interested to
>>>>>> know if Whimsy still functions properly with these security and privacy
>>>>>> enhancements in place. There will be a more broad discussion on this topic
>>>>>> brought to Infra lists once initial validation is complete.
>>>>>> 
>>>>>> Cheers,
>>>>>> Chris
>>>>>> 
>>>>>>> On Sep 29, 2021, at 11:15 AM, Chris Lambertus <c...@apache.org> wrote:
>>>>>>> 
>>>>>>> FYI,
>>>>>>> 
>>>>>>> In https://issues.apache.org/jira/browse/INFRA-22091 a test ldap instance
>>>>>>> was provided to the Whimsy project. This is a notification that Infra will
>>>>>>> be performing work on that host over the next few days. The system may be
>>>>>>> down and data may be unavailable during various operations. I will reply
>>>>>>> here when work is completed. You may continue using the service, but you
>>>>>>> may get timeouts or null results.
>>>>>>> 
>>>>>>> -Chris
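The two client-side pitfalls raised in the thread, a puppet-managed ldap.conf that only trusts one CA (worked around with `LDAPTLS_REQCERT=never`) and bind credentials in /etc/ldap/ldap.conf that make tools look unauthenticated when they are not, can both be audited from the config file. The script below is an added example written for this page; it is not from the thread, from Whimsy, or from ASF's puppet configuration. It assumes the OpenLDAP ldap.conf(5) keyword/value layout, treats `binddn`/`bindpw` as the nss_ldap/pam_ldap-style directives the thread refers to, and uses a constructed sample file with made-up example.org names rather than any real ASF host or DN.

```shell
#!/bin/sh
# Added example (not from the thread or from ASF's config): audit an OpenLDAP
# client ldap.conf for a weakened TLS_REQCERT and for embedded bind credentials.

# Print the value of the last occurrence of a directive; keywords are
# case-insensitive in ldap.conf. Prints nothing if the directive is absent.
ldap_conf_get() {
    awk -v key="$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')" '
        /^[[:space:]]*#/ || NF < 2 { next }        # skip comments and bare keywords
        toupper($1) == key {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")   # drop the keyword
            sub(/[[:space:]]+$/, "")                             # and trailing blanks
            val = $0
        }
        END { if (val != "") print val }
    ' "$1"
}

# never/allow accept any (or no) server certificate; try and demand (the
# OpenLDAP default when unset) reject a bad one, try still tolerating a missing one.
tls_reqcert_status() {
    v=$(ldap_conf_get "$1" TLS_REQCERT)
    case "$(printf '%s' "${v:-demand}" | tr '[:upper:]' '[:lower:]')" in
        never|allow)     echo WEAK ;;
        try|demand|hard) echo OK ;;
        *)               echo UNKNOWN ;;
    esac
}

# Returns 0 when the file carries nss_ldap/pam_ldap-style binddn/bindpw
# directives (assumed layout: keyword, whitespace, value).
has_embedded_bind() {
    [ -n "$(ldap_conf_get "$1" BINDDN)" ] || [ -n "$(ldap_conf_get "$1" BINDPW)" ]
}

# Print findings for one file; always returns 0 so it is safe under set -e.
audit_ldap_conf() {
    f=$1
    findings=0
    if [ "$(tls_reqcert_status "$f")" = WEAK ]; then
        echo "$f: TLS_REQCERT=$(ldap_conf_get "$f" TLS_REQCERT) disables server certificate checking;"
        echo "    point TLS_CACERT at the CA that signed the server certificate and leave TLS_REQCERT at demand"
        findings=1
    fi
    if has_embedded_bind "$f"; then
        echo "$f: binddn/bindpw present; clients that honour them bind as $(ldap_conf_get "$f" BINDDN) even with no -D/-W given"
        findings=1
    fi
    [ "$findings" -eq 0 ] && echo "$f: no findings"
    return 0
}

# Constructed sample config (not ASF's real file), written out so the example
# runs offline; it mirrors the TLS_REQCERT=never workaround the thread mentions.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
# constructed /etc/ldap/ldap.conf
BASE        dc=example,dc=org
URI         ldaps://ldap.example.org:636
TLS_CACERT  /etc/ssl/certs/example-ca.pem
tls_reqcert never
binddn      cn=nss-reader,ou=roles,dc=example,dc=org
bindpw      s3cret
EOF

audit_ldap_conf "$SAMPLE"
```

Run it against the real file with `audit_ldap_conf /etc/ldap/ldap.conf`. The fix for the first finding is the one the thread implies rather than the workaround it uses: add the idmtest CA to the file's TLS_CACERT (or TLS_CACERTDIR) so the default `demand` still verifies the chain, instead of exporting `LDAPTLS_REQCERT=never`, which turns off verification for that ldapsearch run entirely.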