On 15 May 2020, at 08:47, Matt Zagrabelny <mzagrabe(a)d.umn.edu>
wrote:
Hey William,
Thanks for the welcome!
> Hey there, welcome to LDAP and 389-ds!
>
>
> Yeah, this socket file name is encoded. Check for /var/run/slapd-<instance name>.socket, which in your case is slapd-gopher.socket.
Hmmm. Nope. No sockets. Here is what is in /var/run...
# find -L /var/run -name '*sock*'
/var/run/dbus/system_bus_socket
/var/run/rpcbind.sock
/var/run/systemd/journal/socket
/var/run/systemd/inaccessible/sock
>
>
> Which program did you use to create the server? It should be dscreate as setup-ds.pl has been deprecated and should be removed ....
Hmm. Okay. I did use the Perl script setup-ds. Debian documentation should be updated.
I'll file a bug.
I'll also try recreating things with the dscreate Python script.
Yeh, I'd recreate with dscreate, because it actually sets up things as you would expect. setup-ds.pl should never be packaged on a 1.4.x release :(
>
>
> When you run dsidm you need to use it as root or user dirsrv - this is because it reads the .dsrc of the user, finds the ldapi socket, and then uses the uid/gid of the current process to map your authentication through.
Agreed.
>
> When you use ldapmodify, you need to configure the related openldap tools instead, at /etc/openldap/ldap.conf. You can generate a configuration for this with:
Ahh. Okay. Good to know.
>
> #
> # OpenLDAP client configuration
> # Generated by 389 Directory Server - dsidm
> #
>
> # See ldap.conf(5) for details
> # This file should be world readable but not world writable.
>
> BASE dc=blackhats,dc=net,dc=au
> # Remember to check this: you can have multiple uris on this line. You may have
> # multiple servers or load balancers in your environment.
> URI ldapi://%2fdata%2frun%2fslapd-localhost.socket
> # If you have DNS SRV records you can use:
> # URI ldaps:///dc%3Dblackhats%2Cdc%3Dnet%2Cdc%3Dau
>
> DEREF never
> # To use cacert dir, place *.crt files in this path then run:
> # /usr/bin/c_rehash /etc/openldap/certs
> TLS_CACERTDIR /etc/openldap/certs
> # TLS_CACERT /etc/openldap/certs/ca.crt
>
>
>
> It depends who the user is. If you have .dsrc with ldapi, you won't need a password as you are binding with cn=Directory Manager aka "root for 389-ds ldap".
Agreed.
> If you end up delegating privileges, you would bind as "that user's dn".
>
> Hope that helps somewhat!
Thanks for the hints and help!
Have a good night!
If you have any more questions, please let us know!
-m
_______________________________________________
389-users mailing list -- 389-users(a)lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje...
—
Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server
SUSE Labs
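As an added example (not part of this thread, and not code from 389-ds or dsidm), a small Python script that does the socket-name encoding William describes: it builds the ldapi:// URI and the DNS-SRV style URI from a plain socket path and base DN, reverses the encoding, checks whether the socket actually exists on disk (it is only present while the instance is running), and renders the ldap.conf stanza in the layout of the quoted config. The instance name "gopher", the /var/run path and the base DN are taken from the thread; everything else is assumed.

```python
import os
import re
import stat
from urllib.parse import quote, unquote, urlsplit


def ldapi_uri(socket_path):
    """ldapi:// URI for a unix socket. The whole path becomes the "host" part,
    so every '/' is percent-encoded: /data/run/x.socket -> ldapi://%2fdata%2frun%2fx.socket.
    Lower-case hex matches what dsidm writes; RFC 3986 treats the case as insignificant."""
    encoded = quote(socket_path, safe="")
    return "ldapi://" + re.sub(r"%[0-9A-F]{2}", lambda m: m.group(0).lower(), encoded)


def socket_path_from_uri(uri):
    """Recover the filesystem socket path from an ldapi:// URI (reverse of ldapi_uri)."""
    parts = urlsplit(uri)
    if parts.scheme != "ldapi":
        raise ValueError("not an ldapi URI: %s" % uri)
    return unquote(parts.netloc)


def srv_uri(base_dn):
    """DNS-SRV style URI: no host, base DN percent-encoded ('=' -> %3D, ',' -> %2C)."""
    return "ldaps:///" + quote(base_dn, safe="")


def check_socket(socket_path):
    """'missing' (instance not running or wrong instance name), 'not-a-socket', or 'ok'."""
    try:
        st = os.stat(socket_path)
    except FileNotFoundError:
        return "missing"
    return "ok" if stat.S_ISSOCK(st.st_mode) else "not-a-socket"


def render_ldap_conf(base_dn, socket_path, cacertdir="/etc/openldap/certs"):
    """Minimal /etc/openldap/ldap.conf in the layout dsidm generates."""
    return "\n".join([
        "# OpenLDAP client configuration",
        "BASE %s" % base_dn,
        "URI %s" % ldapi_uri(socket_path),
        "# If you have DNS SRV records you can use:",
        "# URI %s" % srv_uri(base_dn),
        "DEREF never",
        "TLS_CACERTDIR %s" % cacertdir,
        "",
    ])


if __name__ == "__main__":
    sock = "/var/run/slapd-gopher.socket"  # instance "gopher" from the thread
    print(render_ldap_conf("dc=blackhats,dc=net,dc=au", sock))
    print("socket state:", check_socket(sock))
```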