Send netdisco-users mailing list submissions to
        netdisco-users@lists.sourceforge.net

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.sourceforge.net/lists/listinfo/netdisco-users
or, via email, send a message with subject or body 'help' to
        netdisco-users-requ...@lists.sourceforge.net

You can reach the person managing the list at
        netdisco-users-ow...@lists.sourceforge.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of netdisco-users digest..."

Today's Topics:

   1. Re: LDAPS authentication possible? (Basti S.)
--- Begin Message ---
Hello Chris,

I was the one who asked for LDAPS ;-) And we got it working, this is our
config:

ldap:
  servers:
    - 'DOMAINCONTROLLER'
  user_string: 'DOMAIN\%USER%'
  opts:
    debug: 0
  tls_opts:
    start_tls:
      verify: 'require'
      sslversion: 'tlsv1_2'

Just ensure that your Linux box where Netdisco is running trusts the
certificate of the domain controller (so install the needed root
certificates of your domain).

It is running without any problems on several installations.

Regards,
Bastian

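To confirm from the Netdisco host that the domain controller's certificate is trusted and that StartTLS negotiates, here is an added Perl example (not Netdisco's code and not from any poster in this thread) that hands the same start_tls options shown in the config above directly to Net::LDAP; the host name, test account and CA file path are assumptions.

```perl
#!/usr/bin/env perl
# Added example, not from Netdisco: exercise the same Net::LDAP start_tls
# options that the deployment.yml tls_opts -> start_tls hash is passed
# through to, so an untrusted chain shows up here before it breaks logins.
use strict;
use warnings;
use Net::LDAP;

# Assumed values: set these to your own domain controller and test account.
my $host = $ENV{LDAP_HOST} // 'DOMAINCONTROLLER';
my $user = $ENV{LDAP_USER} // 'DOMAIN\\testuser';   # what user_string expands to
my $pass = $ENV{LDAP_PASS} // die "set LDAP_PASS in the environment\n";

# Plain LDAP on 389 first; StartTLS is an LDAPv3 extended operation, so
# version 3 is required (ldaps on 636 is what Netdisco does not do).
my $ldap = Net::LDAP->new($host, port => 389, version => 3, timeout => 10)
    or die "connect to $host:389 failed: $@\n";

# Same keys as tls_opts.start_tls in deployment.yml. verify => 'require'
# makes the handshake fail on an untrusted chain; Net::LDAP's default is
# 'none', which would accept any certificate and defeat the point of TLS.
my $mesg = $ldap->start_tls(
    verify     => 'require',
    sslversion => 'tlsv1_2',
    # cafile => '/etc/ssl/certs/domain-root-ca.pem',  # if not in the system store
);
die "StartTLS failed (is the domain root CA installed on this box?): "
    . $mesg->error . "\n" if $mesg->code;
print "StartTLS OK: ", $ldap->socket(sslsocket => 1)->get_sslversion, "\n";

# Simple bind with the DOMAIN\user form that user_string produces.
$mesg = $ldap->bind($user, password => $pass);
die "bind failed: " . $mesg->error . "\n" if $mesg->code;
print "bind OK for $user\n";
$ldap->unbind;
```

If this script dies at the StartTLS step, the fix is on the Netdisco host (install the domain root certificates), not in deployment.yml.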

On Tue, 28 June 2022 at 07:52, Christopher Doolan <
christopher.doo...@usq.edu.au> wrote:

> Hi Oliver, I am looking at how to move Netdisco over to LDAPS and in doing
> so I came across the previous e-mail discussions as shown in the thread
> below.
>
> Regrettably, my knowledge for such things is more of a just-in-time type
> of knowledge, because I know I will not touch something like LDAP
> authentication until the next AD upgrade.
>
> By that time my documentation is usually out of date and I am back to
> square one.
>
> So currently, my LDAP configuration in deployment.yml looks something like
> this and for the time being it is working.
>
> ldap:
>   servers: [1.1.1.1, 2.2.2.2, 3.3.3.3]
>   user_string: 'DOMAIN\%USER%'
>
> I see in the https://github.com/netdisco/netdisco/wiki/Configuration#ldap
> the following option:
>
> tls_opts
>
> A hash which, when defined, causes the connection to use Transport Layer
> Security (TLS) which provides an encrypted connection. TLS is the preferred
> method of encryption, ldaps (port 636) is not supported.
>
> This is only possible if using LDAPv3 and the server supports it. These
> are the options for the TLS connection. See the Net::LDAP
> <https://metacpan.org/pod/Net::LDAP> documentation under start_tls for
> options, but the defaults should work in most cases.
>
> Does this mean I add the following to my deployment.yml (I know it can't
> be that easy)?
>
> ldap:
>   servers: [1.1.1.1, 2.2.2.2, 3.3.3.3]
>   user_string: 'DOMAIN\%USER%'
>   tls_opts: #
>
> When it comes to implementing the other options, as shown in Net::LDAP, my
> problem right off is that I have no idea where I make, modify or add these
> changes.
>
> Any help would be appreciated.
>
> Regards
>
> Chris
>
> -----Original Message-----
> From: Christian Ramseyer <ramse...@netnea.com>
> Sent: Tuesday, 16 November 2021 10:42 PM
> To: Oliver Gorwits <oli...@cpan.org>; Basti S. <derbas...@gmail.com>
> Cc: netdisco-users@lists.sourceforge.net
> Subject: Re: [Netdisco] LDAPS authentication possible / How to discover
> all?
>
> Yet https://metacpan.org/pod/Net::LDAP has an ldaps URL as the second
> example. Maybe it used not to support it but does now?
>
> Cheers
>
> Christian
>
> On 16.11.21 12:24, Oliver Gorwits wrote:
> > Hi Bastian
> >
> > To clarify:
> >
> >   * Netdisco _does_ support secure LDAP using TLS, using the
> >     official StartTLS extension (see the docs...).
> >   * Netdisco (and Net::LDAP) does not support the non-standard LDAPS
> >
> > I googled and found this explanation of the two approaches:
> > https://kb.sos-berlin.com/pages/viewpage.action?pageId=18778435
> >
> > This is very similar to SMTP where the standard model is also using
> > StartTLS over the standard SMTP ports. SMTPS is an old and outdated model.
> >
> > I expect that whatever software you use for LDAP should support StartTLS.
> >
> > regards
> > Oliver.
> >
> > On Tue, 16 Nov 2021 at 10:44, Basti S. <derbas...@gmail.com> wrote:
> >
> >     It would be very nice if somebody patched this and made LDAPS
> >     possible. :-)
> >     In the meantime I would say LDAPS is state of the art and normal
> >     LDAP should no longer be used.
> >
> >     Thanks for the help with the discovery. I will use the loop with a
> >     text file, good idea!
> >
> >     Regards
> >     Bastian
> >
> >     On Fri, 12 Nov 2021 at 13:35, Christian Ramseyer
> >     <ramse...@netnea.com> wrote:
> >
> >         Hi Bastian
> >
> >         On 12.11.21 09:26, Basti S. wrote:
> >          > Hello,
> >          >
> >          > In the past we used the LDAP authentication for netdisco, a
> >          > very nice thing.
> >          > But as far as I know LDAPS is not possible - is there a way
> >          > to make it possible?
> >
> >         Yes, it is unsupported according to the doc:
> >         <https://github.com/netdisco/netdisco/wiki/Configuration#ldap>.
> >         I never looked into it too closely but Net::LDAP does ldaps just
> >         fine, so I imagine it couldn't be too hard to patch in. Most
> >         likely nobody wanted it bad enough to submit a Patch/PR.
> >
> >          >
> >          > Second question: Should Netdisco find all other connected
> >          > switches if I just do the discovery for the back bone switch?
> >          > Or how can I achieve that without doing it for every single
> >          > switch?
> >
> >         Theoretically Netdisco should find your whole network from a
> >         single switch, but in practice that's not always working. If you
> >         have chunks of the network missing you can manually discover some
> >         IPs in these chunks.
> >
> >         Alternatively you can also discover whole IP ranges, e.g.
> >
> >         netdisco-do discover --enqueue -d 192.168.7.0/24
> >
>
> >
>
> >         or discover a list of ip addresses from your inventory with:
>
> >
>
> >         for ip in $(< mylist.txt) ; do netdisco-do discover --enqueue -d
>
> >         $ip ; done
>
> >
>
> >
>
> >         Cheers
>
> >         Christian
>
> >
>
> >
>
> >         --
>
> >         Christian Ramseyer, netnea ag
>
> >         Network Management. Security. OpenSource.
>
> >         Phone: +41 79 644 77 64
>
> >
>
> >     _______________________________________________
>
> >     Netdisco mailing list
>
> >     netdisco-users@lists.sourceforge.net
>
> >     <mailto:netdisco-users@lists.sourceforge.net
> <netdisco-users@lists.sourceforge.net>>
>
> >     https://sourceforge.net/p/netdisco/mailman/netdisco-users/
>
> >     <https://sourceforge.net/p/netdisco/mailman/netdisco-users/>
>
> >
>
>
>
> --
>
> Christian Ramseyer, netnea ag
>
> Network Management. Security. OpenSource.
>
>
> https://secure-web.cisco.com/1zzBKP0ZKPlsyWTsNTF6tEJLhA4gaiSY-vaif_CEPAWZqadrrTJ7WNN7IKqWOLwacSTTdyG2VD-X-HT-gH8eewZX6YqXtKwKtGwXfI6k1olcdrlAon7Lr_yCqsQJmyfYWP8aDMh07T3jlQkta5U45kRDDaR8y-0UVBzGa2Zy-gC4elwFaUtNW8rYeaFSLxlmrDhR3LSutyTHnZ_tLA33n_N-pJBS4Rkwx0yUv_084Srv98E-3vXKaEPl8ijFvEokMrk5NX_29jk9oh5NKtFWBLqV096wegj4M0YdU9KahgDAuUV9UkbwkwXeE5ELQC2w8ayFDvyr57uxhjbS86lKJQsVPkzhsQgMC3QHogowcncI4mNfcRjZ7Qj9mauyMPTzUZyq2oMEsqARkbMlUNQ-mBnec5jhIIjjxKliSoToLZ94/https%3A%2F%2Fwww.netnea.com
>
> Phone: +41 79 644 77 64
>
>
>
>
>
> _______________________________________________
>
> Netdisco mailing list
>
> netdisco-users@lists.sourceforge.net
>
> https://sourceforge.net/p/netdisco/mailman/netdisco-users/

--- End Message ---
_______________________________________________
Netdisco mailing list - Digest Mode
netdisco-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/netdisco-users