#48213 Admin server registration requires anonymous binds
Closed: Fixed None Opened 4 years ago by rmeggins.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Directory Server): Bug 1238786

Description of problem:
I'm running into a problem when trying to set up additional DS instances with setup-ds-admin.pl so they can be managed via the console. The master DS node with o=NetscapeRoot has anon. binds disabled.

When I attempt to install another node, I receive:

The server at URL 'ldaps://xxxxx:636/o=NetscapeRoot' is not reachable.  Error: unknown error

I've already gone through the config for TLS and the replica install/registration works fine if I set nsslapd-allow-anonymous-access = on. Looking at the logs on the primary, setup-ds-admin.pl appears to perform an anon. bind:

[22/Jun/2015:14:23:45 -0400] conn=8 fd=66 slot=66 SSL connection from xx.xx.xx.xx to yy.yy.yy.yy
[22/Jun/2015:14:23:45 -0400] conn=8 op=0 BIND dn="" method=128 version=3
[22/Jun/2015:14:23:45 -0400] conn=8 op=0 RESULT err=48 tag=97 nentries=0 etime=0
[22/Jun/2015:14:23:45 -0400] conn=8 op=1 UNBIND
[22/Jun/2015:14:23:45 -0400] conn=8 op=1 fd=66 closed - U1

I've tried updating my install file to use the full admin DN (uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot) instead of just 'admin', but no luck.


Here is the silent install file for the replicant:

************************************
[General]
FullMachineName= xxxxxxxxxx
SuiteSpotUserID= ldap
SuiteSpotGroup= ldap
AdminDomain= XXXXXXXXXXX
ConfigDirectoryAdminID= uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
ConfigDirectoryAdminPwd= secret
ConfigDirectoryLdapURL= ldaps://xxxxxxxxxxxxxxxxxx:636/o=NetscapeRoot
UserDirectoryAdminID= cn=Directory Manager
UserDirectoryAdminPwd= secret
UserDirectoryLdapURL= ldap://xxxxxxxxxxxxxxxxx:389/o=NetscapeRoot

[slapd]
SlapdConfigForMC= No
SecurityOn= No
UseExistingMC= Yes
UseExistingUG= No
ServerPort= 389
ServerIdentifier= xxxxxx
Suffix= dc=xxxx,dc=xxxxx,dc=xxx
RootDN= cn=Directory Manager
AddSampleEntries= No
InstallLdifFile= none
AddOrgEntries= No
DisableSchemaChecking= No
RootDNPwd= secret

[admin]
SysUser= ldap
Port= 9830
ServerAdminID= uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
ServerAdminPwd= password

**************************


Version-Release number of selected component (if applicable):
389-admin-console-1.1.10-1
389-admin-console-doc-1.1.10-1
389-admin-1.1.42-1
389-ds-console-1.2.12-1
389-console-1.1.8-1
389-ds-base-libs-1.3.3.1-16
389-adminutil-1.1.22-1
389-ds-base-1.3.3.1-16
389-ds-console-doc-1.2.12-1


How reproducible:
Always

Steps to Reproduce:
1. disable anon. binds on the master
2. attempt to install a new replica using the existing admin domain


Actual results:
setup-ds-admin errors out
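As an added example (not code from the ticket, the reporter, or the 389-ds project): a small Python scanner that reads 389-ds access-log lines like the ones quoted above, pairs each anonymous BIND (dn="") with its RESULT line, and names the LDAP result code, so an administrator can confirm from the primary's log that a client bound anonymously and whether the server refused it. In the quoted log the refusal is err=48, inappropriateAuthentication, which is the outcome when nsslapd-allow-anonymous-access is off. The sample log in the block is constructed: its first five lines are the ticket's own excerpt, the remaining lines are made up to show a named bind and an anonymous bind that a permissive server accepts; the result-code names are taken from RFC 4511.

```python
"""Scan 389 Directory Server access-log lines for anonymous binds and their outcomes.

Added example for the ticket above; not part of the 389-ds project or the reporter's
report. It pairs each BIND with an empty dn to its RESULT line so an administrator can
confirm that a tool such as setup-ds-admin.pl is binding anonymously and see whether the
server accepted (err=0) or rejected (err=48) that bind.
"""
import re

# 389-ds access-log BIND and RESULT lines (field layout taken from the ticket's excerpt)
BIND_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" '
    r'method=(?P<method>\d+) version=(?P<version>\d+)'
)
RESULT_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+)')

# LDAP resultCode names from RFC 4511, section 4.1.9 (the ones a bind commonly returns)
RESULT_NAMES = {
    0: "success",
    7: "authMethodNotSupported",
    48: "inappropriateAuthentication",
    49: "invalidCredentials",
    53: "unwillingToPerform",
}

# Constructed sample log: the first five lines are the ticket's own excerpt; the rest are
# made up to show a named bind and an anonymous bind on a server that still allows it.
SAMPLE_LOG = [
    '[22/Jun/2015:14:23:45 -0400] conn=8 fd=66 slot=66 SSL connection from xx.xx.xx.xx to yy.yy.yy.yy',
    '[22/Jun/2015:14:23:45 -0400] conn=8 op=0 BIND dn="" method=128 version=3',
    '[22/Jun/2015:14:23:45 -0400] conn=8 op=0 RESULT err=48 tag=97 nentries=0 etime=0',
    '[22/Jun/2015:14:23:45 -0400] conn=8 op=1 UNBIND',
    '[22/Jun/2015:14:23:45 -0400] conn=8 op=1 fd=66 closed - U1',
    '[22/Jun/2015:14:24:01 -0400] conn=9 op=0 BIND dn="cn=Directory Manager" method=128 version=3',
    '[22/Jun/2015:14:24:01 -0400] conn=9 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"',
    '[22/Jun/2015:14:25:10 -0400] conn=10 op=0 BIND dn="" method=128 version=3',
    '[22/Jun/2015:14:25:10 -0400] conn=10 op=0 RESULT err=0 tag=97 nentries=0 etime=0',
]


def find_anonymous_binds(lines):
    """Return one dict per anonymous BIND (dn="") found in the lines.

    Each dict carries conn, op, method, err and err_name. A bind whose RESULT line is
    not in the input (log cut off mid-operation) is still reported, with err=None.
    """
    pending = {}   # (conn, op) -> partial record waiting for its RESULT line
    findings = []
    for line in lines:
        m = BIND_RE.search(line)
        if m:
            if m.group("dn") == "":   # empty dn is an anonymous simple bind
                pending[(m.group("conn"), m.group("op"))] = {
                    "conn": int(m.group("conn")),
                    "op": int(m.group("op")),
                    "method": int(m.group("method")),
                    "err": None,
                    "err_name": "no RESULT line seen",
                }
            continue
        m = RESULT_RE.search(line)
        if m:
            rec = pending.pop((m.group("conn"), m.group("op")), None)
            if rec is not None:   # only RESULTs that answer an anonymous BIND matter
                rec["err"] = int(m.group("err"))
                rec["err_name"] = RESULT_NAMES.get(rec["err"], "other")
                findings.append(rec)
    # Anything still pending had no RESULT line within the scanned range.
    findings.extend(pending.values())
    return findings


def summarize(lines):
    """Count anonymous binds by outcome: accepted (err=0) versus rejected (any other err)."""
    counts = {"anonymous": 0, "accepted": 0, "rejected": 0}
    for rec in find_anonymous_binds(lines):
        counts["anonymous"] += 1
        if rec["err"] == 0:
            counts["accepted"] += 1
        elif rec["err"] is not None:
            counts["rejected"] += 1
    return counts


if __name__ == "__main__":
    for rec in find_anonymous_binds(SAMPLE_LOG):
        print(f"conn={rec['conn']} op={rec['op']} anonymous bind -> "
              f"err={rec['err']} ({rec['err_name']})")
    print(summarize(SAMPLE_LOG))
```

Run against the ticket's excerpt alone, the scanner reports the single anonymous bind on conn=8 as rejected with err=48; a primary that still had nsslapd-allow-anonymous-access = on would instead show it accepted with err=0, which is the quickest way to tell the two configurations apart from the access log.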

af9de30..cd9fd5d master -> master
commit cd9fd5dc5efd417a093d3e2e22aedac1f7433efa
Author: Mark Reynolds mreynolds@redhat.com
Date: Wed Jun 29 14:44:55 2016 -0400

Metadata Update from @mreynolds:
- Issue assigned to mreynolds
- Issue set to the milestone: 389-admin,console 1.1.44

2 years ago
