Re: [Freeipa-users] Where has my LDAP server gone!

2013-04-08 Thread Simon Williams
Thank you, that has solved the issue wonderfully! I do remember the update
hanging now you mention it, but I didn't put two and two together!

Regards

Simon
On 7 Apr 2013 21:47, Rob Crittenden rcrit...@redhat.com wrote:

> Simon Williams wrote:
>
>> Hi
>>
>> I ran a yum update on my CentOS 6 server that runs FreeIPA a couple of
>> days ago and it upgraded FreeIPA to version 3. I use a couple of web
>> applications that cannot use Kerberos, but can use LDAP to
>> authenticate.  These stopped working. When I investigated the issue, I
>> discovered that the LDAP server wasn't there any more. Google searches
>> have proved fruitless and I can't find any documentation for v3. Can
>> anyone tell me how to get my LDAP server back?
>
> There is a bug in 389-ds that is affecting some IPA upgrades. It causes
> the upgrade process to hang and breaking out of it leaves the LDAP server
> not listening to anything (note that if the upgrade outright fails we do
> restore things).
>
> What you want to do is this:
>
> 1. service dirsrv stop (you MUST do this before editing dse.ldif)
> 2. edit dse.ldif and set
>    nsslapd-port: 389
>    nsslapd-security: on
> 3. service dirsrv start
> 4. as root, ipa-ldap-updater --ldapi
>
> Updated 389-ds packages are being worked on.
>
> rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

[Freeipa-users] Where has my LDAP server gone!

2013-04-07 Thread Simon Williams
Hi

I ran a yum update on my CentOS 6 server that runs FreeIPA a couple of days
ago and it upgraded FreeIPA to version 3. I use a couple of web
applications that cannot use Kerberos, but can use LDAP to authenticate.
These stopped working. When I investigated the issue, I discovered that the
LDAP server wasn't there any more. Google searches have proved fruitless
and I can't find any documentation for v3. Can anyone tell me how to get my
LDAP server back?

Regards

Simon

Re: [Freeipa-users] Where has my LDAP server gone!

2013-04-07 Thread Dmitri Pal
On 04/07/2013 05:44 AM, Simon Williams wrote:

> Hi
>
> I ran a yum update on my CentOS 6 server that runs FreeIPA a couple of
> days ago and it upgraded FreeIPA to version 3. I use a couple of web
> applications that cannot use Kerberos, but can use LDAP to
> authenticate.  These stopped working. When I investigated the issue, I
> discovered that the LDAP server wasn't there any more. Google searches
> have proved fruitless and I can't find any documentation for v3. Can
> anyone tell me how to get my LDAP server back?
>
> Regards
>
> Simon



Hello Simon,

Can you please clarify:
Did you have an earlier version of the apps that used IPA via LDAP or
you had a different LDAP instance and FreeIPA now took over the whole
machine and you do not have access to those instances?
I assume you had 389 DS, right? Or OpenLDAP?

What is the general goal? Do you want to have the apps be able to access
IPA data via LDAP or you want to be able to use different LDAP databases
on the same machine?

If the apps you mention used to work against IPA and now they do not I
would suggest checking the logs from those applications to see what is
failing. It might be that they have been using an insecure way to
authenticate and the upgraded bits enforce a higher security standard.
If this is the case you either need to lower the authentication
requirements on the server (not recommended) or provide a more secure
way to authenticate from those apps (recommended).





-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.



Re: [Freeipa-users] Where has my LDAP server gone!

2013-04-07 Thread simon.williams
Sorry, I didn’t include much in the way of specifics, did I?!  Before yum
updated my IPA server from 2.2 to 3, FreeIPA provided (or appeared to provide)
an instance of an LDAP server that was accessible locally on port 389.  The web
application I am concerned with is Atlassian Crowd, which I use to
authenticate to Jira, Confluence, Bamboo and Fisheye on the local network and 
also Google Apps.  Crowd is on the same server as FreeIPA so as to allow me to 
keep port 389 behind the server’s firewall.  Crowd was configured to treat the 
LDAP server as a read only 389 DS server as experimentation showed that that 
worked, but I did not install or configure any LDAP software myself.  The LDAP 
server had been installed as part of the FreeIPA installation.


Crowd is failing since the update as there is no server listening on port 389.  
It gets a ‘connection refused’ message.  Netstat confirms that there is no 
server listening on port 389 and also shows that there is nothing listening on 
port 636.  Prior to the upgrade, FreeIPA had been running with default 
settings, I had done nothing to reduce security.


Regards


Simon



From: Dmitri Pal
Sent: Sunday, 7 April 2013 20:20
To: freeipa-users@redhat.com

On 04/07/2013 05:44 AM, Simon Williams wrote: 

Hi

I ran a yum update on my CentOS 6 server that runs FreeIPA a couple of days ago 
and it upgraded FreeIPA to version 3. I use a couple of web applications that 
cannot use Kerberos, but can use LDAP to authenticate.  These stopped working. 
When I investigated the issue, I discovered that the LDAP server wasn't there 
any more. Google searches have proved fruitless and I can't find any 
documentation for v3. Can anyone tell me how to get my LDAP server back?

Regards

Simon


Hello Simon,

Can you please clarify:
Did you have an earlier version of the apps that used IPA via LDAP or you had a 
different LDAP instance and FreeIPA now took over the whole machine and you do 
not have access to those instances?
I assume you had 389 DS, right? Or OpenLDAP?

What is the general goal? Do you want to have the apps be able to access IPA 
data via LDAP or you want to be able to use different LDAP databases on the 
same machine?

If the apps you mention used to work against IPA and now they do not I would 
suggest checking the logs from those applications to see what is failing. It 
might be that they have been using an insecure way to authenticate and the 
upgraded bits enforce a higher security standard. If this is the case you 
either need to lower the authentication requirements on the server (not 
recommended) or provide a more secure way to authenticate from those apps 
(recommended).







-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.



Re: [Freeipa-users] Where has my LDAP server gone!

2013-04-07 Thread Rob Crittenden

Simon Williams wrote:

> Hi
>
> I ran a yum update on my CentOS 6 server that runs FreeIPA a couple of
> days ago and it upgraded FreeIPA to version 3. I use a couple of web
> applications that cannot use Kerberos, but can use LDAP to
> authenticate.  These stopped working. When I investigated the issue, I
> discovered that the LDAP server wasn't there any more. Google searches
> have proved fruitless and I can't find any documentation for v3. Can
> anyone tell me how to get my LDAP server back?


There is a bug in 389-ds that is affecting some IPA upgrades. It causes 
the upgrade process to hang and breaking out of it leaves the LDAP 
server not listening to anything (note that if the upgrade outright 
fails we do restore things).


What you want to do is this:

1. service dirsrv stop (you MUST do this before editing dse.ldif)
2. edit dse.ldif and set
   nsslapd-port: 389
   nsslapd-security: on
3. service dirsrv start
4. as root, ipa-ldap-updater --ldapi

Updated 389-ds packages are being worked on.

rob
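
A read-only check of a dse.ldif against the two values given in step 2 above, useful before and after the edit. This is an added example, not part of the thread or of the FreeIPA/389-ds tooling; the function names and both sample files (including the values in the "broken" one) are constructed, and the path to the real dse.ldif is left to the caller.

```shell
#!/bin/sh
# Added example: compare the cn=config entry of a dse.ldif with the values
# from the thread (nsslapd-port: 389, nsslapd-security: on). Reads only.

# Print the value of attribute $2 from the "dn: cn=config" entry of file $1.
# Other entries are ignored so a same-named attribute elsewhere cannot
# mask a wrong value in cn=config.
dse_attr() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^$/ { in_cfg = 0; next }                  # blank line ends an LDIF entry
        tolower($0) ~ /^dn:[ ]*cn=config[ ]*$/ { in_cfg = 1; next }
        in_cfg {
            i = index($0, ":")
            if (i && tolower(substr($0, 1, i - 1)) == want) {
                v = substr($0, i + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)     # trim surrounding whitespace
                print v; exit
            }
        }
    ' "$1"
}

# Return 0 when both settings match the thread's values, 1 otherwise.
check_dse() {
    file=$1 rc=0
    port=$(dse_attr "$file" nsslapd-port)
    sec=$(dse_attr "$file" nsslapd-security)
    [ "$port" = "389" ] || { echo "nsslapd-port is '$port', expected 389"; rc=1; }
    [ "$sec" = "on" ]   || { echo "nsslapd-security is '$sec', expected on"; rc=1; }
    return $rc
}

# Constructed sample files (not taken from the thread or from a real server).
sample_dir=$(mktemp -d)
printf 'dn: cn=config\nnsslapd-port: 0\nnsslapd-security: off\n\ndn: cn=other,cn=config\nnsslapd-port: 389\n' \
    > "$sample_dir/broken.ldif"
printf 'dn: cn=config\nnsslapd-port: 389\nnsslapd-security: on\n' \
    > "$sample_dir/fixed.ldif"

for f in broken fixed; do
    if check_dse "$sample_dir/$f.ldif"; then echo "$f: OK"; else echo "$f: needs editing"; fi
done
```

Run `check_dse` on the real file only to inspect it; the edit itself still has to be made with dirsrv stopped, as step 1 says.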
