#48213 Admin server registration requires anonymous binds
Closed: wontfix None Opened 5 years ago by rmeggins.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Directory Server): Bug 1238786

Description of problem:
I'm running into a problem when trying to set up additional DS
instances with setup-ds-admin.pl so they can be managed via the console. The
master DS node with o=NetscapeRoot has anon. binds disabled.

When I attempt to install another node, I receive:

The server at URL 'ldaps://xxxxx:636/o=NetscapeRoot' is not reachable.  Error: unknown error

I've already gone through the config for TLS and the replica
install/registration works fine if I set nsslapd-allow-anonymous-access
= on. Looking at the logs on the primary, setup-ds-admin.pl appears to
perform an anon. bind:

[22/Jun/2015:14:23:45 -0400] conn=8 fd=66 slot=66 SSL connection from xx.xx.xx.xx to yy.yy.yy.yy
[22/Jun/2015:14:23:45 -0400] conn=8 op=0 BIND dn="" method=128 version=3
[22/Jun/2015:14:23:45 -0400] conn=8 op=0 RESULT err=48 tag=97 nentries=0 etime=0
[22/Jun/2015:14:23:45 -0400] conn=8 op=1 UNBIND
[22/Jun/2015:14:23:45 -0400] conn=8 op=1 fd=66 closed - U1

I've tried updating my install file to use the full admin DN
(uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot)
instead of just 'admin', but no luck.


Here is the silent install file for the replicant:

************************************
[General]
FullMachineName= xxxxxxxxxx
SuiteSpotUserID= ldap
SuiteSpotGroup= ldap
AdminDomain= XXXXXXXXXXX
ConfigDirectoryAdminID= uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
ConfigDirectoryAdminPwd= secret
ConfigDirectoryLdapURL= ldaps://xxxxxxxxxxxxxxxxxx:636/o=NetscapeRoot
UserDirectoryAdminID= cn=Directory Manager
UserDirectoryAdminPwd= secret
UserDirectoryLdapURL= ldap://xxxxxxxxxxxxxxxxx:389/o=NetscapeRoot

[slapd]
SlapdConfigForMC= No
SecurityOn= No
UseExistingMC= Yes
UseExistingUG= No
ServerPort= 389
ServerIdentifier= xxxxxx
Suffix= dc=xxxx,dc=xxxxx,dc=xxx
RootDN= cn=Directory Manager
AddSampleEntries= No
InstallLdifFile= none
AddOrgEntries= No
DisableSchemaChecking= No
RootDNPwd= secret

[admin]
SysUser= ldap
Port= 9830
ServerAdminID= uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
ServerAdminPwd= password

**************************


Version-Release number of selected component (if applicable):
389-admin-console-1.1.10-1
389-admin-console-doc-1.1.10-1
389-admin-1.1.42-1
389-ds-console-1.2.12-1
389-console-1.1.8-1
389-ds-base-libs-1.3.3.1-16
389-adminutil-1.1.22-1
389-ds-base-1.3.3.1-16
389-ds-console-doc-1.2.12-1


How reproducible:
Always

Steps to Reproduce:
1. disable anon. binds on the master
2. attempt to install a new replica using the existing admin domain


Actual results:
setup-ds-admin errors out
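
An added example, not part of the original ticket or the 389 project's code: a Python script that scans access log lines in the format quoted above for anonymous simple binds (dn="" with method=128) refused with err=48 (inappropriateAuthentication) and counts them per client address, which shows which hosts still depend on anonymous binds. The sample log is constructed from the lines in the ticket, the addresses are documentation-range placeholders, and the function and variable names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample modelled on the access log lines quoted in the ticket.
# Addresses are placeholders; conn=10 is a SASL bind, which also logs dn="".
SAMPLE_LOG = """\
[22/Jun/2015:14:23:45 -0400] conn=8 fd=66 slot=66 SSL connection from 192.0.2.10 to 192.0.2.1
[22/Jun/2015:14:23:45 -0400] conn=8 op=0 BIND dn="" method=128 version=3
[22/Jun/2015:14:23:45 -0400] conn=8 op=0 RESULT err=48 tag=97 nentries=0 etime=0
[22/Jun/2015:14:23:45 -0400] conn=8 op=1 UNBIND
[22/Jun/2015:14:23:46 -0400] conn=9 fd=67 slot=67 SSL connection from 192.0.2.20 to 192.0.2.1
[22/Jun/2015:14:23:46 -0400] conn=9 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[22/Jun/2015:14:23:46 -0400] conn=9 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[22/Jun/2015:14:23:47 -0400] conn=10 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[22/Jun/2015:14:23:47 -0400] conn=10 op=0 RESULT err=14 tag=97 nentries=0 etime=0
"""

CONN_RE = re.compile(r"conn=(\d+) fd=\d+ slot=\d+ (?:SSL )?connection from (\S+) to")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\S+)')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT err=(\d+) tag=97")

def rejected_anonymous_binds(log_text):
    """Return Counter of client address -> anonymous binds refused with err=48."""
    clients = {}      # conn id -> client address
    pending = set()   # (conn, op) of anonymous simple BINDs awaiting a RESULT
    hits = Counter()
    for line in log_text.splitlines():
        if m := CONN_RE.search(line):
            clients[m.group(1)] = m.group(2)
        elif m := BIND_RE.search(line):
            # Anonymous means an empty DN on a simple bind (method=128), not SASL.
            if m.group(3) == "" and m.group(4) == "128":
                pending.add((m.group(1), m.group(2)))
        elif m := RESULT_RE.search(line):
            key = (m.group(1), m.group(2))
            if key in pending:
                pending.discard(key)
                if m.group(3) == "48":
                    hits[clients.get(key[0], "unknown")] += 1
    return hits

if __name__ == "__main__":
    for client, count in rejected_anonymous_binds(SAMPLE_LOG).items():
        print(f"{client}: {count} anonymous bind(s) rejected with err=48")
```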

af9de30..cd9fd5d master -> master
commit cd9fd5dc5efd417a093d3e2e22aedac1f7433efa
Author: Mark Reynolds mreynolds@redhat.com
Date: Wed Jun 29 14:44:55 2016 -0400

Metadata Update from @mreynolds:
- Issue assigned to mreynolds
- Issue set to the milestone: 389-admin,console 1.1.44

4 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/1544

If you want to receive further updates on the issue, please navigate to the github issue
and click on the subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Fixed)

6 months ago
