Hi Brian,
You can just change nsslapd-referral attribute to use ldaps instead of
ldap.
Now you "should" be able to do that in the console, but I just found out
that there is a bug in the console where we don't actually grab the
referrals from the mapping tree entry. <sigh> Glad I found it now
because the cockpit console is going through a rewrite (to migrate to
Patternfly 4). So I will fix that, but it doesn't help you today.
So for now you will need to use ldapmodify to change the
nsslapd-referral attribute. I would say to use dsconf but it is also
broken for properly setting referrals <sigh again>. Once I fix dsconf it
would work like this:
  # dsconf slapd-supplier1 backend suffix set userroot --del-referral ldap://localhost:636
  # dsconf slapd-supplier1 backend suffix set userroot --add-referral ldaps://localhost:636
Right now dsconf updates the referral on the wrong entry :-( We'll get
this all fixed up!
HTH,
Mark
On 7/1/21 6:04 PM, Collins, Brian (CAI - Atlanta) wrote:
Good day,
I am doing prep work for replacing our older 389 servers (1.3.8)
running on RHEL 7 with newer ones on RHEL 8 and 1.4.4.
I have the two RHEL 7 boxes in a multi-master replication setup.
For this phase of testing I have one read-only replica on 1.4.4, as a
consumer to the two current servers. I set up a Linux client to login
using SSSD, bound to the consumer. It works fine except when I want to
change passwords. I was getting "Operation requires a secure
connection." After a lot of digging, I think I found the culprit
there: on the consumer, in "dn: cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping
tree,cn=config" the nsslapd-referral uri for my two current servers is
ldap: instead of ldaps:. Indeed, in the cockpit console, the Remote
RUV list shows both servers as ldap:.
But on the two suppliers, the old servers, the referral uri is ldaps.
When I set up the replication agreement for the new consumer, I did it
just as I did for the current setup, so I don't feel like that's where
I went wrong.
Thanks in advance for any pointers,
Brian Collins
--
Directory Server Development Team
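The ldapmodify route Mark suggests, written out as an added example (this is not Mark's code and not part of 389-ds): a POSIX shell script that takes the referral URIs currently stored on the consumer's mapping tree entry, counts how many still use plain ldap://, and builds the LDIF that replaces them with their ldaps:// form. The mapping tree DN for dc=example,dc=com, the supplier and consumer host names, and the 389 to 636 port rewrite are assumptions for illustration; the sample referral values are constructed to stand in for real ldapsearch output.

```shell
#!/bin/sh
# Added example, not from Mark's reply or from the 389-ds project: build the
# ldapmodify LDIF that rewrites a consumer's nsslapd-referral values from
# ldap:// to ldaps://, and count referrals that still use plaintext LDAP.
# Host names, ports and the suffix are assumptions for illustration.

# Mapping tree entry for the dc=example,dc=com suffix (escaped as 389-ds stores it).
MAPPING_TREE_DN='cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config'

# Constructed sample of what
#   ldapsearch -H ldaps://consumer.example.com -D "cn=Directory Manager" -W \
#       -b "cn=mapping tree,cn=config" nsslapd-referral
# might return for the referral values on a consumer: both point at plain ldap://.
SAMPLE_REFERRALS='ldap://supplier1.example.com:389/dc=example,dc=com
ldap://supplier2.example.com:389/dc=example,dc=com'

# Print how many of the given referral URIs (one per line) are not ldaps://.
# A password change chased over an ldap:// referral is what triggers
# "Operation requires a secure connection", so this should print 0 on every
# consumer once the entry is fixed.
count_insecure_referrals() {
    printf '%s\n' "$1" | grep -v '^$' | grep -vc '^ldaps://' || true
}

# Emit an LDIF "replace" operation for the mapping tree entry ($1) that turns
# every referral in $2 into its ldaps:// form. The port rewrite 389 -> 636
# assumes the suppliers listen for LDAPS on the default port.
make_referral_ldif() {
    printf 'dn: %s\n' "$1"
    printf 'changetype: modify\n'
    printf 'replace: nsslapd-referral\n'
    printf '%s\n' "$2" \
        | grep -v '^$' \
        | sed -e 's#^ldap://#ldaps://#' -e 's#:389/#:636/#' -e 's#:389$#:636#' \
        | sed -e 's#^#nsslapd-referral: #'
}

# Apply the LDIF to the consumer over LDAPS (prompts for the Directory Manager
# password). Not run by default; call it explicitly once the LDIF looks right.
apply_referral_ldif() {
    make_referral_ldif "$MAPPING_TREE_DN" "$SAMPLE_REFERRALS" \
        | ldapmodify -H ldaps://consumer.example.com -D "cn=Directory Manager" -W
}

# Stand-alone run: report the current state and show the LDIF that would fix it.
echo "insecure referrals before: $(count_insecure_referrals "$SAMPLE_REFERRALS")"
make_referral_ldif "$MAPPING_TREE_DN" "$SAMPLE_REFERRALS"
```

Feed the real ldapsearch output into count_insecure_referrals on each consumer after the change, and on the suppliers too, so a referral that silently reverts to ldap:// shows up as a non-zero count rather than as a user's failed password change.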