Re: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.
On Tue, 15 Feb 2011 15:19:50 +0100 Pavel Zuna <pz...@redhat.com> wrote:

I can't reproduce this. :-/ For me it goes fine:

[root@ipadev tools]# ./ipa-nis-manage enable
Directory Manager password:
Enabling plugin
This setting will not take effect until you restart Directory Server.
The rpcbind service may need to be started.

On 2/15/11 6:52 AM, Simo Sorce <sso...@redhat.com> wrote:

Pavel, Jr has set the minimum ssf to a non default value to test a configuration in which all communications are required to be encrypted. That's why you can't reproduce with the vanilla configuration.

We want to support that mode although it won't be the default, so we need to fix any issue that causes that configuration to break (ie all non-encrypted/non-ldapi connections).

Simo.

--
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

On 2011-02-15 16:36, JR Aquino wrote:

The best way to do this is:
-=-
service ipa stop
Edit /etc/dirsrv/slapd-DOMAIN/dse.ldif
Change:
nsslapd-minssf: 0
To:
nsslapd-minssf: 56
- 56 is chosen because SASL communicates a 56bit handshake even though we utilize a much stronger cipher... (It is a known bug/feature)
service ipa start

On Wed, 23 Feb 2011 23:41:33 +0100 Pavel Zůna <pz...@redhat.com> wrote:

I tried to use the LDAPUpdate class (ipaserver/install/ldapupdate.py) with ldapi=True, but it raises a NotFound exception when trying to call IPAdmin.do_external_bind() (ipaserver/ipaldap.py). This exception originates in IPAdmin.__lateinit() when trying to retrieve this entry:

cn=config,cn=ldbm database,cn=plugins,cn=config

For some reason it looks like this entry is inaccessible when doing a SASL EXTERNAL bind as root.

I can retrieve the entry as cn=directory manager:

[root@vm-090 freeipa]# ldapsearch -D "cn=directory manager" -W -H ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket -b "cn=config,cn=ldbm database,cn=plugins,cn=config" -s one
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=config,cn=ldbm database,cn=plugins,cn=config> with scope oneLevel
# filter: (objectclass=*)
# requesting: ALL
#

# default indexes, config, ldbm database, plugins, config
dn: cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: default indexes

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

but not as root:

[root@vm-090 freeipa]# ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket -b cn=config
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# SNMP, config
dn: cn=SNMP,cn=config
objectClass: top
objectClass: nsSNMP
cn: SNMP
nsSNMPEnabled: on

# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
objectClass: top
objectClass: directoryServerFeature
oid: 2.16.840.1.113730.3.4.9
cn: VLV Request Control

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

I'm not sure what the problem is, I tried setting different SASL security properties, but nothing helped. :(

Next step is to analyze DS logs, but before I do that, I wanted to ask if anyone has any tips on what the solution might be.

On 02/23/2011 11:53 PM, Simo Sorce wrote:

We have very strict ACIs when using EXTERNAL SASL as root.

Is there any reason you need to operate as root? You can also authenticate with SIMPLE (Dir Mgr credentials), or SASL/GSSAPI if you have credentials.

If you need to run unattended as root then we may need to make root+SASL/EXTERNAL more powerful, but I'd like to understand exactly why you need that and can't use regular authentication with DirMgr or GSSAPI credentials.

Simo.

On 2/25/11 5:58 AM, Pavel Zuna <pz...@redhat.com> wrote:

Thanks for advice! New version of the patch attached.

On 2011-02-25 18:12, JR Aquino wrote:

Sorry Pavel, I have to NACK again: It looks like some comment info got left in the patch perhaps.

[root@auth2 ~]# ipa-compat-manage status
  File "/usr/sbin/ipa-compat-manage", line 169
    <<<<<<< HEAD
[root@auth2 ~]# ipa-host-net-manage status
  File "/usr/sbin/ipa-host-net-manage", line 195
    <<<<<<< HEAD
    ^

On 2/25/11 9:27 AM, Pavel Zůna <pz...@redhat.com> wrote:

That's cool, I just wonder how it got there. :)

Fixed version attached.

Pavel

On Mon, 2011-02-28 at 18:15, JR Aquino wrote:

I've verified the following:

install/migration/migration.py
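The minssf change JR describes and the connection types the thread compares, worked through as an added example that is not FreeIPA or 389-ds code: a stdlib-only checker parses a constructed dse.ldif excerpt, reads nsslapd-minssf, and reports which client paths the server would still accept. The per-transport SSF values are assumptions taken from the thread (plain ldap: 0, ldapi: 72 as Simo states, 56 for the SASL handshake as JR notes); the ldaps figure and the LDIF contents are constructed.

```python
"""Added example for this thread (not FreeIPA or 389-ds code): read
nsslapd-minssf from a dse.ldif excerpt and report which connection types
the server would still accept.  The LDIF below is constructed; the SSF
values in TRANSPORT_SSF are assumptions taken from the thread."""

# Constructed dse.ldif excerpt.  The folded nsslapd-errorlog value exercises
# LDIF continuation lines (a leading single space continues the value).
DSE_LDIF_WEAK = """\
# constructed excerpt, not a real instance
dn: cn=config
objectClass: top
objectClass: extensibleObject
cn: config
nsslapd-minssf: 0
nsslapd-localssf: 72
nsslapd-securePort: 636
nsslapd-errorlog: /var/log/dirsrv/slapd-EXAMPLE-COM/
 errors

dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSL3: off
"""

# The edit JR describes: nsslapd-minssf 0 -> 56.
DSE_LDIF_HARDENED = DSE_LDIF_WEAK.replace("nsslapd-minssf: 0", "nsslapd-minssf: 56")

# Security strength factor each client path delivers (assumed from the thread):
# plain ldap: is cleartext (0); ldapi: is credited 72 by the server even though
# ldapsearch prints "SASL SSF: 0"; SASL advertises 56 for its handshake.
# The ldaps figure is a constructed assumption for a 128-bit TLS cipher.
TRANSPORT_SSF = {
    "ldap://:389 simple bind": 0,
    "ldapi:// SASL/EXTERNAL as root": 72,
    "ldap:// SASL/GSSAPI with privacy": 56,
    "ldaps://:636 (TLS, 128-bit cipher assumed)": 128,
}


def parse_ldif_entries(text):
    """Minimal LDIF reader: {dn: {attr_lower: [values]}}.  Handles comments,
    blank-line entry separators and continuation lines; base64 values and
    changetype records are out of scope."""
    entries, current, last_key = {}, None, None

    def flush():
        if current is not None:
            entries[current[0]] = current[1]

    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            flush()
            current, last_key = None, None
            continue
        if raw.startswith(" "):
            if current is None or last_key is None:
                raise ValueError("continuation line with nothing to continue")
            current[1][last_key][-1] += raw[1:]
            continue
        key, sep, value = raw.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % raw)
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            flush()
            current, last_key = (value, {}), None
            continue
        if current is None:
            raise ValueError("attribute before any dn: %r" % raw)
        current[1].setdefault(key, []).append(value)
        last_key = key
    flush()
    return entries


def min_ssf(dse_text):
    """Effective nsslapd-minssf on cn=config (389-ds default is 0)."""
    cfg = parse_ldif_entries(dse_text).get("cn=config", {})
    return int(cfg.get("nsslapd-minssf", ["0"])[0])


def allowed_transports(dse_text, transports=TRANSPORT_SSF):
    """True for each transport whose SSF meets the configured minimum."""
    required = min_ssf(dse_text)
    return {name: ssf >= required for name, ssf in transports.items()}


def report(dse_text):
    """Human-readable summary, one line per transport."""
    lines = ["nsslapd-minssf: %d" % min_ssf(dse_text)]
    for name, ok in allowed_transports(dse_text).items():
        lines.append("  %-45s %s" % (name, "accepted" if ok else "REJECTED"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(DSE_LDIF_WEAK))
    print(report(DSE_LDIF_HARDENED))
```

With minssf 56 the cleartext ldap: path is the only one rejected, which is the breakage JR saw in the tools and the reason the patch moves them to ldapi:.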
Re: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.
On Thu, 2011-03-03 at 15:29 +0100, Martin Kosek wrote:
[...]
Re: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.
Martin Kosek wrote:
On Thu, 2011-03-03 at 15:29 +0100, Martin Kosek wrote:
[...]
Re: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.
On 2/25/11 9:27 AM, Pavel Zůna <pz...@redhat.com> wrote:
[...]

I've verified the following:

install/migration/migration.py
install/tools/ipa-compat-manage
install/tools/ipa-compliance
install/tools/ipa-host-net-manage
install/tools/ipa-nis-manage
install/tools/ipa-replica-prepare
install/tools/ipa-server-install
ipaserver/install/ldapupdate.py

ACK for
Re: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.
On 02/23/2011 11:53 PM, Simo Sorce wrote:
[...]

Thanks for advice! New version of the patch attached.

Pavel

freeipa-pzuna-78-4-toolsldapi.patch
Description: application/mbox
Re: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.
On 2/25/11 5:58 AM, Pavel Zuna <pz...@redhat.com> wrote:
[...]

Sorry Pavel, I have to NACK again: It looks like some comment info got left in the patch perhaps.

[root@auth2 ~]# ipa-compat-manage status
  File "/usr/sbin/ipa-compat-manage", line 169
    <<<<<<< HEAD
[root@auth2 ~]# ipa-host-net-manage status
  File "/usr/sbin/ipa-host-net-manage", line 195
    <<<<<<< HEAD
    ^
Re: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.
On Thu, 24 Feb 2011 10:38:50 +0100 Pavel Zuna <pz...@redhat.com> wrote:

On 02/23/2011 11:53 PM, Simo Sorce wrote:

Is there any reason you need to operate as root? You can also authenticate with SIMPLE (Dir Mgr credentials), or SASL/GSSAPI if you have credentials.

If you need to run unattended as root then we may need to make root+SASL/EXTERNAL more powerful, but I'd like to understand exactly why you need that and can't use regular authentication with DirMgr or GSSAPI credentials.

I need it for IPA tools like ipa-nis-manage. SIMPLE bind is probably not good enough because of the SSF requirements and I'm not sure if it's OK to require a Kerberos ticket to run them.

ldapi is considered safe and has a ssf of 72, so no problem there.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.
On 2011-02-15 16:36, JR Aquino wrote:
[...]

Pavel
Re: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.
On Wed, 23 Feb 2011 23:41:33 +0100 Pavel Zůna pz...@redhat.com wrote:

We have very strict ACIs when using EXTERNAL SASL as root. Is there any reason you need to operate as root? You can also authenticate with SIMPLE (Dir Mgr credentials), or SASL/GSSAPI if you have credentials.

If you need to run unattended as root then we may need to make root+SASL/EXTERNAL more powerful but I'd like to understand exactly why you need that and can't use regular authentication with DirMgr or GSSAPI credentials.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.
On 2/15/11 6:19 AM, Pavel Zuna pz...@redhat.com wrote:
On 02/14/2011 04:56 PM, JR Aquino wrote:
On 2/10/11 2:42 AM, Pavel Zuna pz...@redhat.com wrote:

Updated patch attached. Forgot to rename an identifier in exception handling.

Pavel

To reproduce this, you must have minssf set in the dse.ldif on the ipa server. The highest number you can put in is: 56 due to some oddities with how SASL communicates bit strength.
Re: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.
On 02/14/2011 04:53 PM, Rob Crittenden wrote:

Rebased patch attached.

Pavel

freeipa-pzuna-78-3-toolsldapi.patch
Description: application/mbox
Re: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.
On 02/14/2011 04:56 PM, JR Aquino wrote:

I can't reproduce this. :-/ For me it goes fine:

[root@ipadev tools]# ./ipa-nis-manage enable
Directory Manager password:
Enabling plugin
This setting will not take effect until you restart Directory Server.
The rpcbind service may need to be started.

Pavel
Re: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.
Pavel Zuna wrote:

This isn't applying cleanly to master, can you rebase it?

rob
Re: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.
On 2/10/11 2:42 AM, Pavel Zuna pz...@redhat.com wrote:

NACK

It looks like LDAPUpdate calls may want to include ldapi=True?

-=-
# ipa-nis-manage enable
Directory Manager password:
Enabling plugin
Traceback (most recent call last):
  File "/usr/sbin/ipa-nis-manage", line 211, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-nis-manage", line 151, in main
    ld = LDAPUpdate(dm_password=dirman_password, sub_dict={})
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 101, in __init__
    conn.do_simple_bind(bindpw=self.dm_password)
  File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 350, in do_simple_bind
    self.simple_bind_s(binddn, bindpw)
  File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 204, in inner
    return f(*args, **kargs)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 207, in simple_bind_s
    return self.result(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 181, in inner
    objtype, data = f(*args, **kargs)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 436, in result
    res_type,res_data,res_msgid = self.result2(msgid,all,timeout)
  File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 204, in inner
    return f(*args, **kargs)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 440, in result2
    res_type, res_data, res_msgid, srv_ctrls = self.result3(msgid,all,timeout)
  File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 204, in inner
    return f(*args, **kargs)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 446, in result3
    ldap_result = self._ldap_call(self._l.result3,msgid,all,timeout)
  File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 204, in inner
    return f(*args, **kargs)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 96, in _ldap_call
    result = func(*args,**kwargs)
ldap.UNWILLING_TO_PERFORM: {'info': 'Minimum SSF not met.', 'desc': 'Server is unwilling to perform'}
Re: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.
Pavel Zuna pz...@redhat.com wrote:

ack

Jan
[Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.
The patch also corrects exception handling in some of the tools.

Fix #874

Pavel

freeipa-pzuna-78-toolsldapi.patch
Description: application/mbox