Hi all,
I am struggling with automating the install of 389ds.
In the world of RHEL7 and below, there was a script called setup-ds.pl which did a bare bones configuration of a 389ds instance, allowing you to then connect to the instance and configure the instance appropriately. The script was painful to automate, but it was possible to work around most of the issues in it.
In the world of RHEL8 and above, there is a replacement tool called dscreate, which appears to try and configure more of the server. The dscreate tool however does not appear to be able to install a server without starting that server (https://bugzilla.redhat.com/show_bug.cgi?id=1872910) and cannot install a server without binding that server to all ports and enabling a self signed certificate nor can it configure a server to bind to localhost (https://bugzilla.redhat.com/show_bug.cgi?id=1872915), nor can dscreate make me a server bound to a unix domain socket (https://bugzilla.redhat.com/show_bug.cgi?id=1872930).
Is there a documented method of installing an instance from scratch without setup-ds.pl or dscreate?
In other words, create directory X, create config file from template in Y, etc? Obviously I can reverse engineer the process from first principles, but I would like some confirmation I am on the right track.
Regards, Graham —
> Is there a documented method of installing an instance from scratch without setup-ds.pl or dscreate?
look at "dscreate create-template" and "dscreate from-template".
The options you want are likely:
self_sign_cert = False
start = False
The template is extremely well documented and commented when generated.
— Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server SUSE Labs
On 27 Aug 2020, at 02:32, William Brown wbrown@suse.de wrote:
>> Is there a documented method of installing an instance from scratch without setup-ds.pl or dscreate?
> look at "dscreate create-template" and "dscreate from-template".
That’s what I've been working from.
> The options you want are likely:
> self_sign_cert = False
This flag doesn’t work, as per https://bugzilla.redhat.com/show_bug.cgi?id=1872915.
> start = False
This flag doesn’t work, as per https://bugzilla.redhat.com/show_bug.cgi?id=1872910
> The template is extremely well documented and commented when generated.
While it is true the template is well documented, all of the options in the template I’ve tried to date don’t work. Thus the question - is there a document anywhere that describes the steps needed to go from no instance to a running instance?
Regards, Graham —
On 8/27/20 5:52 AM, Graham Leggett wrote:
> On 27 Aug 2020, at 02:32, William Brown wbrown@suse.de wrote:
>>> Is there a documented method of installing an instance from scratch without setup-ds.pl or dscreate?
>> look at "dscreate create-template" and "dscreate from-template".
> That’s what I've been working from.
>> The options you want are likely:
>> self_sign_cert = False
> This flag doesn’t work, as per https://bugzilla.redhat.com/show_bug.cgi?id=1872915.
>> start = False
> This flag doesn’t work, as per https://bugzilla.redhat.com/show_bug.cgi?id=1872910
>> The template is extremely well documented and commented when generated.
> While it is true the template is well documented, all of the options in the template I’ve tried to date don’t work. Thus the question - is there a document anywhere that describes the steps needed to go from no instance to a running instance?
All of this works correctly for me:
[general]
config_version = 2
full_machine_name = localhost.localdomain
start = False

[slapd]
instance_name = graham
port = 389
root_dn = cn=dm
root_password = PASSWORD
self_sign_cert = False

[backend-userroot]
sample_entries = yes
suffix = dc=example,dc=com
Server is created, but not started, and TLS is disabled. Did I miss a step?
Mark
> Regards, Graham —
> _______________________________________________
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
On 27 Aug 2020, at 15:32, Mark Reynolds mreynolds@redhat.com wrote:
> All of this works correctly for me:
> [general]
> config_version = 2
> full_machine_name = localhost.localdomain
> start = False
>
> [slapd]
> instance_name = graham
> port = 389
> root_dn = cn=dm
> root_password = PASSWORD
> self_sign_cert = False
>
> [backend-userroot]
> sample_entries = yes
> suffix = dc=example,dc=com
> Server is created, but not started, and TLS is disabled. Did I miss a step?
No luck for me:
[root@gatekeeper dirsrv]# cat /etc/dirsrv/slapd-default.inf
[general]
config_version = 2
full_machine_name = localhost.localdomain
start = False

[slapd]
instance_name = default
port = 389
root_dn = cn=dm
root_password = PASSWORD
self_sign_cert = False

[backend-userroot]
sample_entries = yes
suffix = dc=example,dc=com
[root@gatekeeper dirsrv]# /usr/sbin/dscreate from-file /etc/dirsrv/slapd-default.inf
Starting installation...
Error: Can't contact LDAP server - 107 - Transport endpoint is not connected
[root@gatekeeper dirsrv]# ps -auxwww | grep slap
dirsrv 25283 1.6 2.4 971356 197544 ? Ssl 16:55 0:02 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-default -i /run/dirsrv/slapd-default.pid
root 25360 0.0 0.0 221900 1092 pts/0 S+ 16:58 0:00 grep --color=auto slap
Running dscreate through strace shows that despite being told the name of the server is localhost.localdomain, and despite being told not to start the server, dscreate tries to connect to the server using the FQDN of the machine on port 389, and not localhost.localdomain.
Regards, Graham —
On 8/27/20 11:08 AM, Graham Leggett wrote:
> On 27 Aug 2020, at 15:32, Mark Reynolds <mreynolds@redhat.com> wrote:
>> All of this works correctly for me:
>> [general]
>> config_version = 2
>> full_machine_name = localhost.localdomain
>> start = False
>>
>> [slapd]
>> instance_name = graham
>> port = 389
>> root_dn = cn=dm
>> root_password = PASSWORD
>> self_sign_cert = False
>>
>> [backend-userroot]
>> sample_entries = yes
>> suffix = dc=example,dc=com
>> Server is created, but not started, and TLS is disabled. Did I miss a step?
> No luck for me:
> [root@gatekeeper dirsrv]# cat /etc/dirsrv/slapd-default.inf
> [general]
> config_version = 2
> full_machine_name = localhost.localdomain
> start = False
>
> [slapd]
> instance_name = default
> port = 389
> root_dn = cn=dm
> root_password = PASSWORD
> self_sign_cert = False
>
> [backend-userroot]
> sample_entries = yes
> suffix = dc=example,dc=com
> [root@gatekeeper dirsrv]# /usr/sbin/dscreate from-file /etc/dirsrv/slapd-default.inf
> Starting installation...
> Error: Can't contact LDAP server - 107 - Transport endpoint is not connected
> [root@gatekeeper dirsrv]# ps -auxwww | grep slap
> dirsrv 25283 1.6 2.4 971356 197544 ? Ssl 16:55 0:02 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-default -i /run/dirsrv/slapd-default.pid
> root 25360 0.0 0.0 221900 1092 pts/0 S+ 16:58 0:00 grep --color=auto slap
> Running dscreate through strace shows that despite being told the name of the server is localhost.localdomain, and despite being told not to start the server, dscreate tries to connect to the server using the FQDN of the machine on port 389, and not localhost.localdomain.
Can you run dscreate with "-v" to get the full stack trace?
Now dscreate does start the server to do some bootstrapping but then if start=False it will stop it at the end of the install. So it does start it but it will stop it after it is installed. I think in your case it's failing, so it never gets to the step where it stops the server.
I also double checked the code, if you set full_machine_name it does NOT override it. So not sure what is going on. Maybe try setting "strict_host_checking" to True in the "general" section and see if it complains about your host name. And like I said the "-v" output should provide more info...
Thanks,
Mark
> Regards, Graham —
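Added example, not part of the thread and not code from 389 Directory Server: a pre-flight check of the answer file discussed above, flagging the settings the thread hinges on (start, self_sign_cert, full_machine_name) and the clear-text root_password. The helper name audit_inf, the treatment of a missing option as True, and the injectable host FQDN are assumptions made for this sketch.

```python
import configparser
import socket
import stat

# Constructed sample: the answer file as posted in the thread.
SAMPLE_INF = """\
[general]
config_version = 2
full_machine_name = localhost.localdomain
start = False

[slapd]
instance_name = default
port = 389
root_dn = cn=dm
root_password = PASSWORD
self_sign_cert = False

[backend-userroot]
sample_entries = yes
suffix = dc=example,dc=com
"""

def audit_inf(text, file_mode=None, host_fqdn=None):
    """Return findings for a dscreate answer file (hypothetical helper)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    # Assumption: both options act as True when absent, as the thread implies.
    if cp.getboolean("general", "start", fallback=True):
        findings.append("start: instance is left running after install")
    if cp.getboolean("slapd", "self_sign_cert", fallback=True):
        findings.append("self_sign_cert: self-signed certificate will be generated")
    # The file holds the Directory Manager password in clear text.
    if cp.has_option("slapd", "root_password") and file_mode is not None:
        if file_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append("root_password: file is accessible to group/other")
    # The strace in the thread showed connections to the machine FQDN.
    name = cp.get("general", "full_machine_name", fallback=None)
    fqdn = host_fqdn if host_fqdn is not None else socket.getfqdn()
    if name is not None and name != fqdn:
        findings.append(f"full_machine_name: {name!r} differs from host FQDN {fqdn!r}")
    return findings

if __name__ == "__main__":
    for finding in audit_inf(SAMPLE_INF, file_mode=0o644):
        print(finding)
```

Pass the mode from os.stat(path).st_mode when auditing a file on disk; with host_fqdn omitted the check compares against socket.getfqdn() on the machine running it.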