On Tue, 19 Oct 2021 at 21:06, Chris Lambertus <c...@apache.org> wrote:
>
> > On Oct 19, 2021, at 2:14 AM, sebb <seb...@gmail.com> wrote:
> >
> > On Tue, 19 Oct 2021 at 05:23, Chris Lambertus <c...@apache.org> wrote:
> >>
> >> It will not currently work on ASF hosts against idmtest without setting
> >> TLS_REQCERT=never because the puppet-based ldap.conf is configured to only
> >> use the existing self-signed CA cert:
> >>
> >> TLS_REQCERT=never ldapsearch -H ldaps://idmtest1-ec2-va.apache.org:636 -W
> >> -b "dc=apache,dc=org" -L -D "uid=cml,ou=people,dc=apache,dc=org" uid=cml
> >
> > Surely that should be LDAPTLS_REQCERT= ... ?
>
> Apparently so.
>
> >> What is the command line/bind DN you are specifying when you get the error
> >> 32?
> >
> > # search result
> > No such object (32)
> >
> > # numResponses: 1
> >
> > I assume you have karma to log in to Whimsy so you could try it for
> > yourself.
>
> I have, and it works, but I have additional (apldap) karma. I will look into
> this further, it is likely related to DSN access. I'll get back to you...
>
> Thanks for testing.

Don't you have a cml-test LDAP account?

> -C
>
> >>> On Oct 15, 2021, at 4:47 AM, sebb <seb...@gmail.com> wrote:
> >>>
> >>> On Thu, 7 Oct 2021 at 19:53, Chris Lambertus <c...@apache.org> wrote:
> >>>
> >>>> Authenticated bind example:
> >>>>
> >>>> $ ldapsearch -H ldaps://idmtest1-ec2-va.apache.org:636 -W -b
> >>>> "dc=apache,dc=org" -L -D "uid=cml,ou=people,dc=apache,dc=org" uid=cml
> >>>> Enter LDAP Password:
> >>>> version: 1
> >>>>
> >>>> #
> >>>> # LDAPv3
> >>>> # base <dc=apache,dc=org> with scope subtree
> >>>> # filter: uid=cml
> >>>> # requesting: ALL
> >>>> #
> >>>>
> >>>> # cml, people, apache.org
> >>>> dn: uid=cml,ou=people,dc=apache,dc=org
> >>>> [snip]
> >>>>
> >>> Does not work for me on the whimsy host:
> >>>
> >>> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
> >>>
> >>> Nor on my macOS system:
> >>>
> >>> No such object (32)
> >>>
> >>> (Yes, I did change the bind details)
> >>>
> >>> If I enter an incorrect password on macOS, I get:
> >>>
> >>> ldap_bind: Invalid credentials (49)
> >>>
> >>> This shows the server has been contacted at least.
> >>> However using a bad password on Whimsy makes no difference.
> >>>
> >>>> Any tooling relying on UN-authenticated bind will need to switch to using
> >>>> a role account. We're starting a process of locating and adjusting any of
> >>>> these use cases. There are also a number of cases where tools like
> >>>> 'ldapsearch' will use the nss_ldap bind account which is defined in
> >>>> /etc/ldap/ldap.conf, so sometimes it appears the tools work without
> >>>> passwords, but they are actually using the ldap.conf credentials.
> >>>>
> >>>> -Chris
> >>>>
> >>>>> On Oct 6, 2021, at 7:40 PM, Matt Sicker <boa...@gmail.com> wrote:
> >>>>>
> >>>>> What authentication methods are supported now? I remember being unable
> >>>>> to find an incantation of ldapsearch that could authenticate.
> >>>>>
> >>>>> Matt Sicker
> >>>>>
> >>>>>> On Oct 6, 2021, at 18:40, Chris Lambertus <c...@apache.org> wrote:
> >>>>>>
> >>>>>> Hi folks, just to let you know, my primary testing and implementation
> >>>>>> of replication between idmtest1-ec2-va and idmtest2-ec2-va is complete.
> >>>>>> The next stage in testing may be more disruptive -- the slapd.conf ACLs
> >>>>>> have been changed to prevent unauthenticated access to the LDAP directory.
> >>>>>>
> >>>>>> If your project has the capability to test, I would be interested to
> >>>>>> know if Whimsy still functions properly with these security and privacy
> >>>>>> enhancements in place. There will be a more broad discussion on this
> >>>>>> topic brought to Infra lists once initial validation is complete.
> >>>>>>
> >>>>>> Cheers,
> >>>>>> Chris
> >>>>>>
> >>>>>>> On Sep 29, 2021, at 11:15 AM, Chris Lambertus <c...@apache.org> wrote:
> >>>>>>>
> >>>>>>> FYI,
> >>>>>>>
> >>>>>>> In https://issues.apache.org/jira/browse/INFRA-22091 a test ldap instance
> >>>>>>> was provided to the Whimsy project. This is a notification that Infra
> >>>>>>> will be performing work on that host over the next few days. The system
> >>>>>>> may be down and data may be unavailable during various operations. I
> >>>>>>> will reply here when work is completed. You may continue using the
> >>>>>>> service, but you may get timeouts or null results.
> >>>>>>>
> >>>>>>> -Chris
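Three things in this thread trip people up in practice: the TLS_REQCERT=never workaround (whose environment form, as sebb points out, is LDAPTLS_REQCERT, not TLS_REQCERT), tools that silently bind with the credentials in /etc/ldap/ldap.conf and so look "passwordless", and telling result 32 apart from 49 and -1. The POSIX shell preflight below is an added example written for this thread; it is not Infra's, Whimsy's or OpenLDAP's own tooling. It generalizes the thread's cases: instead of disabling certificate checks it expects the self-signed CA to be pinned via LDAPTLS_CACERT (the environment form of the ldap.conf directive TLS_CACERT), and it refuses to bind when LDAPTLS_REQCERT is set to never or allow. Hostnames, DNs, the sample ldap.conf contents and the LDAPSEARCH override variable are all hypothetical.

```shell
#!/bin/sh
# Preflight for an authenticated ldapsearch bind over LDAPS (OpenLDAP client tools).
# Added example, not code from the thread or from ASF Infra. All paths, DNs and
# hostnames used here are constructed placeholders.

# LDAPTLS_REQCERT is the environment form of the ldap.conf directive TLS_REQCERT.
# "never" and "allow" let the client proceed with an unverified or absent server
# certificate, so they are the weak setting; "try" still accepts a missing cert.
# The default ("demand") keeps verification on. Prints a verdict, returns 0.
tls_policy_verdict() {
    case "${LDAPTLS_REQCERT:-demand}" in
        never|allow) echo "weak:LDAPTLS_REQCERT=$LDAPTLS_REQCERT" ;;
        try)         echo "partial:LDAPTLS_REQCERT=try" ;;
        *)
            # Corrected setting for a self-signed CA: keep verification on and
            # trust that CA explicitly (LDAPTLS_CACERT / TLS_CACERT in ldap.conf).
            if [ -n "${LDAPTLS_CACERT:-}" ] && [ -r "$LDAPTLS_CACERT" ]; then
                echo "ok:pinned-ca"
            else
                echo "ok:system-trust"
            fi ;;
    esac
    return 0
}

# Reports whether an ldap.conf-style file carries an nss_ldap "binddn" line.
# If it does, a tool that seems to bind without a password is really using
# that identity, which is the situation Chris describes above.
# (Assumes the DN has no embedded spaces; nss_ldap writes it as a single token.)
conf_bind_identity() {
    dn=$(awk 'tolower($1) == "binddn" { print $2; exit }' "$1" 2>/dev/null || true)
    if [ -n "$dn" ]; then echo "implicit:$dn"; else echo "none"; fi
    return 0
}

# ldapsearch exits with the LDAP result code; the -1 "Can't contact LDAP server"
# case shows up as exit status 255. 32 (noSuchObject) means the base DN does not
# exist or the ACLs hide it from this bind DN; 49 means the server was reached
# and rejected the credentials.
diagnose_rc() {
    case "$1" in
        0)   echo "ok" ;;
        32)  echo "noSuchObject" ;;
        49)  echo "invalidCredentials" ;;
        255) echo "cannotContact" ;;
        *)   echo "ldap-result-code:$1" ;;
    esac
    return 0
}

# Runs the authenticated search in the form the thread uses (-H ldaps:// -b -D -W)
# but refuses when the TLS policy is weak. Entries are discarded; only the result
# code is diagnosed. LDAPSEARCH (hypothetical) lets a caller substitute the binary.
ldaps_bind_check() {
    uri=$1; base=$2; binddn=$3; filter=$4
    verdict=$(tls_policy_verdict)
    case "$verdict" in
        weak:*) echo "refused:$verdict"; return 0 ;;
    esac
    rc=0
    "${LDAPSEARCH:-ldapsearch}" -H "$uri" -b "$base" -D "$binddn" -W -LLL "$filter" \
        >/dev/null || rc=$?
    diagnose_rc "$rc"
}

# Demo on a constructed ldap.conf (not a real ASF file).
demo_conf=$(mktemp)
printf 'uri ldaps://idm.example.org:636\nbinddn cn=nss-reader,ou=roles,dc=example,dc=org\nbindpw example-secret\n' > "$demo_conf"
echo "tls policy:         $(tls_policy_verdict)"
echo "ldap.conf identity: $(conf_bind_identity "$demo_conf")"
rm -f "$demo_conf"
```

Interactive use is `ldaps_bind_check ldaps://host:636 "dc=example,dc=org" "uid=me,ou=people,dc=example,dc=org" "uid=me"`, with `LDAPTLS_CACERT` pointing at the exported self-signed CA; `-W` prompts for the password. A `refused:` result means the environment still carries the `never` workaround and the CA should be pinned instead.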