[Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.
Pavel Zůna
pzuna at redhat.com
Wed Feb 23 22:41:33 UTC 2011
On 2011-02-15 16:36, JR Aquino wrote:
> On 2/15/11 6:52 AM, "Simo Sorce"<ssorce at redhat.com> wrote:
>
>> On Tue, 15 Feb 2011 15:19:50 +0100
>> Pavel Zuna<pzuna at redhat.com> wrote:
>>
>>> I can't reproduce this. :-/
>>>
>>> For me it goes fine:
>>>
>>> [root at ipadev tools]# ./ipa-nis-manage enable
>>> Directory Manager password:
>>>
>>> Enabling plugin
>>> This setting will not take effect until you restart Directory Server.
>>> The rpcbind service may need to be started.
>>>
>>
>> Pavel,
>> Jr has set the minimum ssf to a non default value to test a
>> configuration in which all communications are required to be encrypted.
>> That's why you can't reproduce with the vanilla configuration.
>>
>> We want to support that mode although it won't be the default, so we
>> need to fix any issue that causes that configuration to break (ie all
>> non-encrypted/non-ldapi connections).
>>
>> Simo.
>>
>> --
>> Simo Sorce * Red Hat, Inc * New York
>>
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>
> The best way to do this is:
>
> -=-
> service ipa stop
> Edit /etc/dirsrv/slapd-DOMAIN/dse.ldif
>
> Change:
> nsslapd-minssf: 0
>
> To:
> nsslapd-minssf: 56<- 56 is chosen because SASL communicates a 56bit
> handshake even though we utilize a much strong cipher... (It is a known
> bug/feature)
>
> service ipa start
>
I tried to use the LDAPUpdate class (ipaserver/install/ldapupdate.py)
with ldapi=True, but it raises a NotFound exception when trying to call
IPAdmin.do_external_bind() (ipaserver/ipaldap.py). This exception
originates in IPAdmin.__lateinit() when trying to retrieve this
cn=config,cn=ldbm database,cn=plugins,cn=config
For some reason it looks like this entry is inaccessible when doing a
SASL EXTERNAL bind as root.
I can retrieve the entry as "cn=directory manager":
[root at vm-090 freeipa]# ldapsearch -D "cn=directory manager" -W -H
ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket -b
"cn=config,cn=ldbm database,cn=plugins,cn=config" -s one
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=config,cn=ldbm database,cn=plugins,cn=config> with scope oneLevel
# filter: (objectclass=*)
# requesting: ALL
#
# default indexes, config, ldbm database, plugins, config
dn: cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: default indexes
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
but not as root:
[root at vm-090 freeipa]# ldapsearch -Y EXTERNAL -H
ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket -b "cn=config"
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# SNMP, config
dn: cn=SNMP,cn=config
objectClass: top
objectClass: nsSNMP
cn: SNMP
nsSNMPEnabled: on
# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
objectClass: top
objectClass: directoryServerFeature
oid: 2.16.840.1.113730.3.4.9
cn: VLV Request Control
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
I'm not sure what the problem is, I tried setting different SASL
security properties, but nothing helped. :( Next step is to analyze DS
logs, but before I do that, I wanted to ask if anyone has any tips on
what the solution might be.
Pavel
More information about the Freeipa-devel
mailing list