Jacek Nykis wrote:
On Thursday 02 September 2010 18:45:44 Rich Megginson wrote:
> Jacek Nykis wrote:
>
>> Hi,
>>
>>
>>
>> I am trying to setup chaining backend and I encountered some problems.
>>
>> I setup nsBackendInstance object with all attributes but it would seem
>> that "nsusestarttls" does not have any effect. Here is what happens:
>>
>>
>>
>> If I use ldaps over port 636 everything is fine:
>>
>> nsusestarttls: off
>>
>> nsfarmserverurl: ldaps://xxx:636
>>
>>
>>
>> But when I change values to below it stops:
>>
>> nsusestarttls: on
>>
>> nsfarmserverurl: ldap://xxx:389
>>
>>
>>
>> Logs on master server suggest that slave does not use startTLS when
>> connecting.
>>
>>
>>
>> On slave server I can see this:
>>
>> [02/Sep/2010:15:53:22 +0000] conn=1 fd=64 slot=64 connection from
>> <client IP> to <Slave IP>
>>
>> [02/Sep/2010:15:53:22 +0000] conn=1 op=0 EXT
>> oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>
>> [02/Sep/2010:15:53:22 +0000] conn=1 op=0 RESULT err=0 tag=120
>> nentries=0 etime=0
>>
>> [02/Sep/2010:15:53:22 +0000] conn=1 SSL 256-bit AES
>>
>> [02/Sep/2010:15:53:22 +0000] conn=1 op=1 BIND
>> dn="uid=xxx,ou=xxx,dc=xxx" method=128 version=3
>>
>> [02/Sep/2010:15:53:22 +0000] conn=1 op=1 RESULT err=13 tag=97
>> nentries=0 etime=0
>>
>> [02/Sep/2010:15:53:22 +0000] conn=1 op=-1 fd=64 closed - B1
>>
>>
>>
>> On master:
>>
>> [02/Sep/2010:15:53:22 +0000] conn=34 fd=64 slot=64 connection from
>> <Slave IP> to <Master IP>
>>
>> [02/Sep/2010:15:53:22 +0000] conn=34 op=0 BIND
>> dn="uid=xxx,ou=xxx,dc=xxx" method=128 version=3
>>
>> [02/Sep/2010:15:53:22 +0000] conn=34 op=0 RESULT err=13 tag=97
>> nentries=0 etime=0
>>
>>
>>
>> We would prefer to use startTLS on port 389, does anybody know if this
>> is possible or if anything else is required to make it work?
>>
> What platform? What version of 389-ds-base?
>
>
Hi,
I am using CentOS 5.5 x86_64 on all machines.
389-ds-base v 1.2.6
which version of 1.2.6? 1.2.6-1, the official released version, or one
of the .a or .rc releases?
I also noticed something strange. I am trying to setup global
password lockout
policy:
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Replication-
Replicating-Password-Attributes.html
When I set "passwordIsGlobalPolicy" to off problem disappears and I can bind
and change passwords fine with startTLS on port 389. When I set it to on I
cannot even bind.
err=13 is LDAP_CONFIDENTIALITY_REQUIRED - which means you attempted a
SIMPLE BIND (i.e. DN and password) over a clear text connection. The
log from the master shows that the connection attempt was made without
LDAPS or a startTLS operation.
--
Jacek Nykis
IS Unix Frontend Engineer
Fax: +44 (0) 20 8834 8001
Yahoo! Messenger: nykisj
Betfair Limited | Winslow Road | Hammersmith Embankment | London | W6 9HP
Company No. 5140986
The information in this e-mail and any attachment is confidential and is
intended only for the named recipient(s). The e-mail may not be disclosed or
used by any person other than the addressee, nor may it be copied in any way.
If you are not a named recipient please notify the sender immediately and
delete any copies of this message. Any unauthorized copying, disclosure or
distribution of the material in this e-mail is strictly forbidden. Any view or
opinions presented are solely those of the author and do not necessarily
represent those of the company. Betfair (r) and the BETFAIR LOGO are
registered trade marks of The Sporting Exchange Limited.
________________________________________________________________________
In order to protect our email recipients, Betfair Group use SkyScan from
MessageLabs to scan all Incoming and Outgoing mail for viruses.
________________________________________________________________________
--
389 users mailing list
389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users