Re: [Freeipa-users] can live turn off nsslapd-security: to off ?

2016-04-28 Thread Barry
Already set nsslapd-security off on server 1 <> server 2

But still produce error on replication. Is it possible to ignore any cert /
StartTLS ?

/var/log/dirsrv/slapd-PKI-IPA
[28/Apr/2016:16:51:15 +0800] slapi_ldap_bind - Error: could not send
startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport
endpoint is not connected)

[26/Apr/2016:18:35:31 +0800] slapd_ldap_sasl_interactive_bind - Error:
could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1
(Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not
connected)

2016-04-28 16:15 GMT+08:00 Martin Basti :

>
>
> On 28.04.2016 08:00, Barry wrote:
>
> NOT work tried ..cannot bind the command 389 or 636 ,,,but telnet work
>
> ldapmodify -h ms -p 636 -D cn="Directory Manager" -w  << EOF
> dn: cn=config
> changetype: modify
> replace: nsslapd-security
> nsslapd-security: off
> EOF
>
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>
> can you please try to put FQDN name of LDAP server to option -h ?
> I have doubts that -h 'ms' is server name
>
> Martin
>
>
>
> 2016-04-27 19:29 GMT+08:00 :
>
>> thx let me try as i dont want stop dirsrv but live disable nsslapd
>> security.
>> On 27 April 2016 at 7:26 PM, "David Kupka" wrote:
>>
>>> On 27/04/16 13:15, barry...@gmail.com wrote:
>>>
>>>> Do u meant use ldapmodify?
>>>> I tried update the dse.ldif but it will fall back after a while.
>>>>
>>>> On 27 April 2016 at 7:10 PM, "David Kupka" wrote:
>>>>
>>>> On 27/04/16 12:48, barry...@gmail.com wrote:
>>>>
>>>> Hi:
>>>>
>>>> Without restarting dirsrv possible do that ?
>>>>
>>>>
>>>> thx Regards
>>>>
>>>> barry
>>>>
>>>>
>>>> Hello Barry,
>>>>
>>>> this ldapsearch should list all attributes that needs restart after
>>>> modification:
>>>>
>>>> $ ldapsearch -D "cn=Directory Manager" -w Secret123 -b cn=config
>>>> nsslapd-requiresrestart
>>>>
>>>> I don't see nsslapd-security listed so it should be possible to
>>>> change it in
>>>> runtime.
>>>>
>>>> --
>>>> David Kupka
>>>>

>>> Yes, I mean ldapmodify.
>>>
>>> Editing dse.ldif while dirsrv is running has no effect because it is
>>> read only at start and written at least before exit.
>>>
>>> If you REALLY need to edit dse.ldif be sure to stop dirsrv then edit it
>>> and start dirsrv again.
>>>
>>> --
>>> David Kupka
>>>
>>
>
>
>
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] can live turn off nsslapd-security: to off ?

2016-04-28 Thread Martin Basti



On 28.04.2016 08:00, Barry wrote:

NOT work tried ..cannot bind the command 389 or 636 ,,,but telnet work

ldapmodify -h ms -p 636 -D cn="Directory Manager" -w  << EOF
dn: cn=config
changetype: modify
replace: nsslapd-security
nsslapd-security: off
EOF


ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)


can you please try to put FQDN name of LDAP server to option -h ?
I have doubts that -h 'ms' is server name

Martin



2016-04-27 19:29 GMT+08:00 >:


thx let me try as i dont want stop dirsrv but live disable nsslapd
security.

On 27 April 2016 at 7:26 PM, "David Kupka" <dku...@redhat.com> wrote:

On 27/04/16 13:15, barry...@gmail.com
 wrote:

Do u meant use ldapmodify?
I tried update the dse.ldif but it will fall back after a
while.

On 27 April 2016 at 7:10 PM, "David Kupka" <dku...@redhat.com> wrote:

On 27/04/16 12:48, barry...@gmail.com
 > wrote:

Hi:

Without restarting dirsrv possible do that ?


thx Regards

barry




Hello Barry,

this ldapsearch should list all attributes that needs
restart after
modification:

$ ldapsearch -D "cn=Directory Manager" -w Secret123 -b
cn=config
nsslapd-requiresrestart

I don't see nsslapd-security listed so it should be
possible to change it in
runtime.

--
David Kupka


Yes, I mean ldapmodify.

Editing dse.ldif while dirsrv is running has no effect because
it is read only at start and written at least before exit.

If you REALLY need to edit dse.ldif be sure to stop dirsrv
then edit it and start dirsrv again.

-- 
David Kupka








Re: [Freeipa-users] can live turn off nsslapd-security: to off ?

2016-04-27 Thread Barry
NOT work tried ..cannot bind the command 389 or 636 ,,,but telnet work

ldapmodify -h ms -p 636 -D cn="Directory Manager" -w  << EOF
dn: cn=config
changetype: modify
replace: nsslapd-security
nsslapd-security: off
EOF

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)


2016-04-27 19:29 GMT+08:00 :

> thx let me try as i dont want stop dirsrv but live disable nsslapd
> security.
> On 27 April 2016 at 7:26 PM, "David Kupka" wrote:
>
>> On 27/04/16 13:15, barry...@gmail.com wrote:
>>
>>> Do u meant use ldapmodify?
>>> I tried update the dse.ldif but it will fall back after a while.
>>>
>>> On 27 April 2016 at 7:10 PM, "David Kupka" wrote:
>>>
>>> On 27/04/16 12:48, barry...@gmail.com 
>>> wrote:
>>>
>>> Hi:
>>>
>>> Without restarting dirsrv possible do that ?
>>>
>>>
>>> thx Regards
>>>
>>> barry
>>>
>>>
>>>
>>>
>>> Hello Barry,
>>>
>>> this ldapsearch should list all attributes that needs restart after
>>> modification:
>>>
>>> $ ldapsearch -D "cn=Directory Manager" -w Secret123 -b cn=config
>>> nsslapd-requiresrestart
>>>
>>> I don't see nsslapd-security listed so it should be possible to
>>> change it in
>>> runtime.
>>>
>>> --
>>> David Kupka
>>>
>>>
>> Yes, I mean ldapmodify.
>>
>> Editing dse.ldif while dirsrv is running has no effect because it is read
>> only at start and written at least before exit.
>>
>> If you REALLY need to edit dse.ldif be sure to stop dirsrv then edit it
>> and start dirsrv again.
>>
>> --
>> David Kupka
>>
>

Re: [Freeipa-users] can live turn off nsslapd-security: to off ?

2016-04-27 Thread David Kupka

On 27/04/16 13:15, barry...@gmail.com wrote:

Do u meant use ldapmodify?
I tried update the dse.ldif but it will fall back after a while.

On 27 April 2016 at 7:10 PM, "David Kupka" <dku...@redhat.com> wrote:

On 27/04/16 12:48, barry...@gmail.com  wrote:

Hi:

Without restarting dirsrv possible do that ?


thx Regards

barry




Hello Barry,

this ldapsearch should list all attributes that needs restart after
modification:

$ ldapsearch -D "cn=Directory Manager" -w Secret123 -b cn=config
nsslapd-requiresrestart

I don't see nsslapd-security listed so it should be possible to change it in
runtime.

--
David Kupka



Yes, I mean ldapmodify.

Editing dse.ldif while dirsrv is running has no effect because it is 
read only at start and written at least before exit.


If you REALLY need to edit dse.ldif be sure to stop dirsrv then edit it 
and start dirsrv again.


--
David Kupka


Re: [Freeipa-users] can live turn off nsslapd-security: to off ?

2016-04-27 Thread barrykfl
thx let me try as i dont want stop dirsrv but live disable nsslapd security.
On 27 April 2016 at 7:26 PM, "David Kupka" wrote:

> On 27/04/16 13:15, barry...@gmail.com wrote:
>
>> Do u meant use ldapmodify?
>> I tried update the dse.ldif but it will fall back after a while.
>>
>> On 27 April 2016 at 7:10 PM, "David Kupka" wrote:
>>
>> On 27/04/16 12:48, barry...@gmail.com 
>> wrote:
>>
>> Hi:
>>
>> Without restarting dirsrv possible do that ?
>>
>>
>> thx Regards
>>
>> barry
>>
>>
>>
>>
>> Hello Barry,
>>
>> this ldapsearch should list all attributes that needs restart after
>> modification:
>>
>> $ ldapsearch -D "cn=Directory Manager" -w Secret123 -b cn=config
>> nsslapd-requiresrestart
>>
>> I don't see nsslapd-security listed so it should be possible to
>> change it in
>> runtime.
>>
>> --
>> David Kupka
>>
>>
> Yes, I mean ldapmodify.
>
> Editing dse.ldif while dirsrv is running has no effect because it is read
> only at start and written at least before exit.
>
> If you REALLY need to edit dse.ldif be sure to stop dirsrv then edit it
> and start dirsrv again.
>
> --
> David Kupka
>

Re: [Freeipa-users] can live turn off nsslapd-security: to off ?

2016-04-27 Thread barrykfl
Do u meant use ldapmodify?
I tried update the dse.ldif but it will fall back after a while.
On 27 April 2016 at 7:10 PM, "David Kupka" wrote:

> On 27/04/16 12:48, barry...@gmail.com wrote:
>
>> Hi:
>>
>> Without restarting dirsrv possible do that ?
>>
>>
>> thx Regards
>>
>> barry
>>
>>
>>
>>
> Hello Barry,
>
> this ldapsearch should list all attributes that needs restart after
> modification:
>
> $ ldapsearch -D "cn=Directory Manager" -w Secret123 -b cn=config
> nsslapd-requiresrestart
>
> I don't see nsslapd-security listed so it should be possible to change it
> in runtime.
>
> --
> David Kupka
>

Re: [Freeipa-users] can live turn off nsslapd-security: to off ?

2016-04-27 Thread David Kupka

On 27/04/16 12:48, barry...@gmail.com wrote:

Hi:

Without restarting dirsrv possible do that ?


thx Regards

barry





Hello Barry,

this ldapsearch should list all attributes that needs restart after 
modification:


$ ldapsearch -D "cn=Directory Manager" -w Secret123 -b cn=config 
nsslapd-requiresrestart


I don't see nsslapd-security listed so it should be possible to change 
it in runtime.


--
David Kupka
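
An added example, not part of David's message and not FreeIPA or 389 Directory Server code: a shell helper that reads the LDIF printed by the ldapsearch above and reports whether a given attribute is listed under nsslapd-requiresrestart, so the check does not depend on reading the list by eye. The sample LDIF is constructed, the function names are hypothetical, and the `<entry dn>:<attribute>` value layout is an assumption.

```shell
#!/bin/sh
# Constructed sample of `ldapsearch ... -b cn=config nsslapd-requiresrestart`
# output (not captured from a real server). The "<entry dn>:<attribute>" value
# layout is assumed; the last value is folded over two lines, as LDIF permits.
sample_ldif() {
cat <<'EOF'
dn: cn=config
nsslapd-requiresrestart: cn=config:nsslapd-port
nsslapd-requiresrestart: cn=config:nsslapd-secureport
nsslapd-requiresrestart: cn=config,cn=ldbm database,cn=plugins,cn=config:nsslap
 d-dbcachesize
EOF
}

# Join LDIF continuation lines: a line starting with one space continues the
# previous line, so a folded attribute name is not missed.
unfold_ldif() {
    awk '
        /^ /  { buf = buf substr($0, 2); next }
        { if (NR > 1) print buf; buf = $0 }
        END   { if (NR > 0) print buf }
    '
}

# Print the attribute names that need a restart, lower-cased, one per line.
restart_attrs() {
    unfold_ldif |
    awk 'tolower($1) == "nsslapd-requiresrestart:" {
             sub(/^[^:]*:[ ]*/, "")      # drop the attribute description
             n = split($0, part, ":")    # attribute name follows the last colon
             print tolower(part[n])
         }'
}

# Exit status 0 if the attribute is listed (restart needed), 1 if it is not.
needs_restart() {
    want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    restart_attrs | grep -Fxq -- "$want"
}

for attr in nsslapd-port nsslapd-security; do
    if sample_ldif | needs_restart "$attr"; then
        echo "$attr: listed, restart required"
    else
        echo "$attr: not listed in this sample"
    fi
done
```

Against a running server, pipe the ldapsearch output into `needs_restart <attribute>` in place of `sample_ldif`.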



[Freeipa-users] can live turn off nsslapd-security: to off ?

2016-04-27 Thread barrykfl
Hi:

Without restarting dirsrv possible do that ?


thx Regards

barry