Discussion:
[389-users] Cert Problems with dsidm
Bryan K. Walton
2021-04-05 14:18:26 UTC
We have/had a working 389 directory server running on CentOS 8. It was
working fine, and for the most part, it still is. We can successfully
manage it through the cockpit service. We can successfully manage the
directory with ApacheDirectoryStudio. ldapsearch/ldapmodify works fine.

But it appears that sometime in the last month or two, when we use the
command dsidm, we have started getting a cert error. Again, it is only
with dsidm.

The error we get is:

Error: Can't contact LDAP server - error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain)

I can't figure out where it is seeing this self-signed cert. When I run
dsidm commands with "-v", I see the following:

DEBUG: Using dirsrv ca certificate /etc/dirsrv/slapd-{instance_name}
DEBUG: Using external ca certificate /etc/dirsrv/slapd-{instance_name}
DEBUG: Using external ca certificate /etc/dirsrv/slapd-{instance_name}

But we have our certs in that directory. And there are no self-signed
certs in our cert or its intermediate and root certs. The cert is a
GoDaddy cert.

How can I find out what cert dsidm is reading, so as to resolve this
issue?

Thanks,
Bryan
_______________________________________________
389-users mailing list -- 389-***@lists.fedoraproject.org
To unsubscribe send an email to 389-users-***@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-***@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Mark Reynolds
2021-04-05 14:42:45 UTC
Hi Bryan,

What version of 389-ds-base is installed?
Post by Bryan K. Walton
We have/had a working 389 directory server running on CentOS 8. It was
working fine, and for the most part, it still is. We can successfully
manage it through the cockpit service. We can successfully manage the
directory with ApacheDirectoryStudio. ldapsearch/ldapmodify works fine.
But it appears that sometime in the last month or two, when we use the
command dsidm, we have started getting a cert error. Again, it is only
with dsidm.
Error: Can't contact LDAP server - error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain)
I can't figure out where it is seeing this self-signed cert. When I run
DEBUG: Using dirsrv ca certificate /etc/dirsrv/slapd-{instance_name}
DEBUG: Using external ca certificate /etc/dirsrv/slapd-{instance_name}
DEBUG: Using external ca certificate /etc/dirsrv/slapd-{instance_name}
But we have our certs in that directory. And there are no self-signed
certs in our cert or its intermediate and root certs. The cert is a
GoDaddy cert.
This is a known issue when trying to use LDAPS with dsconf/dsidm. 
Changes were made in the CLI tools that caused the settings in
/etc/openldap/ldap.conf to basically be ignored.  Fix is not trivial,
but for now the best option is to setup the ".dsrc" file in the root
home directory.  This file contains predefined settings so you don't
need to set them on the command line.  There you can set the CA
certificate path, etc.

In this example the instance is named 'localhost', so you will need to
change this to match your setup:

/root/.dsrc

[localhost]
tls_cacertdir = /etc/dirsrv/slapd-localhost
uri = ldaps://localhost.localdomain:636
basedn = dc=example,dc=com
binddn = cn=Directory Manager


Then you will use dsidm as follows:

# dsidm localhost user create ...


You can also manage the ".dsrc" file using dsctl:

# dsctl localhost dsrc --help


Let me know if you still have any problems,
Mark
Post by Bryan K. Walton
How can I find out what cert dsidm is reading, so as to resolve this
issue?
Thanks,
Bryan
--
389 Directory Server Development Team
Bryan K. Walton
2021-04-05 14:55:16 UTC
Post by Mark Reynolds
Hi Bryan,
What version of 389-ds-base is installed?
Results of "rpm -qi 389-ds-base"

Version : 1.4.3.17
Release : 1.module_el8+10764+2b5f8656
Install Date: Mon 01 Feb 2021 09:33:07 AM CST
Source RPM : 389-ds-base-1.4.3.17-1.module_el8+10764+2b5f8656.src.rpm

-Bryan


--
Bryan K. Walton 319-337-3877
Linux Systems Administrator Leepfrog Technologies, Inc
Mark Reynolds
2021-04-05 16:06:30 UTC
Post by Bryan K. Walton
Post by Mark Reynolds
Hi Bryan,
What version of 389-ds-base is installed?
Results of "rpm -qi 389-ds-base"
Version : 1.4.3.17
Release : 1.module_el8+10764+2b5f8656
Install Date: Mon 01 Feb 2021 09:33:07 AM CST
Source RPM : 389-ds-base-1.4.3.17-1.module_el8+10764+2b5f8656.src.rpm
Did you see my other comments from my previous email about the .dsrc file?
Post by Bryan K. Walton
-Bryan
--
389 Directory Server Development Team
Mark Reynolds
2021-04-05 16:18:00 UTC
Post by Mark Reynolds
Post by Bryan K. Walton
Post by Mark Reynolds
Hi Bryan,
What version of 389-ds-base is installed?
Results of "rpm -qi 389-ds-base"
Version     : 1.4.3.17
Release     : 1.module_el8+10764+2b5f8656
Install Date: Mon 01 Feb 2021 09:33:07 AM CST
Source RPM  : 389-ds-base-1.4.3.17-1.module_el8+10764+2b5f8656.src.rpm
Did you see my other comments from my previous email about the .dsrc file?
And, I strongly suggest upgrading to: 389-ds-base-1.4.3.22-1   I think
there are other bugs in 1.4.3.17 that might prevent the .dsrc from
working correctly.

Mark
Post by Mark Reynolds
Post by Bryan K. Walton
-Bryan
--
389 Directory Server Development Team
Bryan K. Walton
2021-04-05 18:02:47 UTC
Hi Mark,

I've created our /root/.dsrc file. I'm still getting the same error:

Error: Can't contact LDAP server - error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain)

As for the version, our system is up to date. Maybe
389-ds-base-1.4.3.22-1 isn't in the CentOS repos, yet?

-Bryan
Post by Mark Reynolds
Post by Bryan K. Walton
Post by Mark Reynolds
Hi Bryan,
What version of 389-ds-base is installed?
Results of "rpm -qi 389-ds-base"
Version     : 1.4.3.17
Release     : 1.module_el8+10764+2b5f8656
Install Date: Mon 01 Feb 2021 09:33:07 AM CST
Source RPM  : 389-ds-base-1.4.3.17-1.module_el8+10764+2b5f8656.src.rpm
Did you see my other comments from my previous email about the .dsrc file?
And, I strongly suggest upgrading to: 389-ds-base-1.4.3.22-1   I think there
are other bugs in 1.4.3.17 that might prevent the .dsrc from working
correctly.
Mark
Post by Mark Reynolds
Post by Bryan K. Walton
-Bryan
--
389 Directory Server Development Team
--
Bryan K. Walton 319-337-3877
Linux Systems Administrator Leepfrog Technologies, Inc
Mark Reynolds
2021-04-05 18:59:11 UTC
Post by Bryan K. Walton
Hi Mark,
Error: Can't contact LDAP server - error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain)
As for the version, our system is up to date. Maybe
389-ds-base-1.4.3.22-1 isn't in the CentOS repos, yet?
The build was done two weeks ago, it should be available on centos 8:

https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-MODULAR-2021-5e13f174a7

Try this out.  If it still fails, can you confirm that the settings you
used in .dsrc match the server on that machine?  Your .dsrc probably
should not reference "slapd-localhost" but whatever instance name was
used during server setup.

The last option is just to use ldapi instead of ldaps.  To use ldapi you
can remove the "uri" from the .dsrc because the tool uses LDAPI by
default, or change "uri" to use "ldapi:// ..."

An example can be seen here:
https://www.port389.org/docs/389ds/howto/howto-install-389.html#setting-up-directory-manager-credentials

uri = ldapi://%2fvar%2frun%2fslapd-YOUR_INSTANCE.socket

HTH,
Mark
Post by Bryan K. Walton
-Bryan
Post by Mark Reynolds
Post by Bryan K. Walton
Post by Mark Reynolds
Hi Bryan,
What version of 389-ds-base is installed?
Results of "rpm -qi 389-ds-base"
Version     : 1.4.3.17
Release     : 1.module_el8+10764+2b5f8656
Install Date: Mon 01 Feb 2021 09:33:07 AM CST
Source RPM  : 389-ds-base-1.4.3.17-1.module_el8+10764+2b5f8656.src.rpm
Did you see my other comments from my previous email about the .dsrc file?
And, I strongly suggest upgrading to: 389-ds-base-1.4.3.22-1   I think there
are other bugs in 1.4.3.17 that might prevent the .dsrc from working
correctly.
Mark
Post by Mark Reynolds
Post by Bryan K. Walton
-Bryan
--
389 Directory Server Development Team
--
389 Directory Server Development Team
Bryan K. Walton
2021-04-05 19:36:56 UTC
Post by Mark Reynolds
Post by Bryan K. Walton
As for the version, our system is up to date. Maybe
389-ds-base-1.4.3.22-1 isn't in the CentOS repos, yet?
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-MODULAR-2021-5e13f174a7
Looks like it is stuck in testing:
https://download-ib01.fedoraproject.org/pub/epel/testing/8/Modular/x86_64/Packages/3/
Post by Mark Reynolds
The last option is just to use ldapi instead of ldaps.  To use ldapi you can
remove the "uri" from the .dsrc because the tool uses LDAPI by default, or
change "uri" to use "ldapi:// ..."
I did double check my settings. They are correct. However, using ldapi
works. So, we have a workaround. Once the new rpm gets out of testing,
I'll try it *without* ldapi.

We would prefer to not use ldapi, because we have more than one machine
making dsidm queries to our primary ldap server.

Thanks for your assistance!
-Bryan

--
Bryan K. Walton 319-337-3877
Linux Systems Administrator Leepfrog Technologies, Inc
William Brown
2021-04-06 02:06:02 UTC
Post by Bryan K. Walton
Post by Mark Reynolds
Post by Bryan K. Walton
As for the version, our system is up to date. Maybe
389-ds-base-1.4.3.22-1 isn't in the CentOS repos, yet?
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-MODULAR-2021-5e13f174a7
https://download-ib01.fedoraproject.org/pub/epel/testing/8/Modular/x86_64/Packages/3/
Post by Mark Reynolds
The last option is just to use ldapi instead of ldaps. To use ldapi you can
remove the "uri" from the .dsrc because the tool uses LDAPI by default, or
change "uri" to use "ldapi:// ..."
I did double check my settings. They are correct. However, using ldapi
works. So, we have a workaround. Once the new rpm gets out of testing,
I'll try it *without* ldapi.
We would prefer to not use ldapi, because we have more than one machine
making dsidm queries to our primary ldap server.
Because it's a cacertdir, have you run openssl rehash in the directory? Else it can't find and load the certs ...
Post by Bryan K. Walton
Thanks for your assistance!
-Bryan
--
Bryan K. Walton 319-337-3877
Linux Systems Administrator Leepfrog Technologies, Inc

Sincerely,

William Brown

Senior Software Engineer, 389 Directory Server
SUSE Labs, Australia
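A check for the failure mode William describes, added here as an example (it is not part of this thread or of 389-ds itself): it parses a .dsrc like Mark's and, for an ldaps:// instance, verifies that tls_cacertdir contains the subject-hash entries that `openssl rehash` creates, because a CApath is looked up by those hash names, not by the PEM file names. The .dsrc and CA directory are constructed in a temporary directory; the PEM placeholder is not a real certificate.

```python
import configparser, re, tempfile
from pathlib import Path

# Entries created by `openssl rehash`: <8 hex digits of subject hash>.<n>
HASH_LINK_RE = re.compile(r"^[0-9a-f]{8}\.\d+$")
PEM_SUFFIXES = (".pem", ".crt", ".cer")

def load_dsrc(path):
    """Parse .dsrc into {instance: {key: value}}; interpolation off keeps %2f paths."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read(path)
    return {s: dict(cp[s]) for s in cp.sections()}

def check_cacertdir(cacertdir):
    """OpenSSL finds CApath certs only via subject-hash names; return (ok, msg)."""
    if not cacertdir or not Path(cacertdir).is_dir():
        return False, f"{cacertdir!r}: not a usable directory"
    names = [p.name for p in Path(cacertdir).iterdir()]
    pems = [n for n in names if n.lower().endswith(PEM_SUFFIXES)]
    links = [n for n in names if HASH_LINK_RE.match(n)]
    if not links:
        hint = f"run 'openssl rehash {cacertdir}'" if pems else "no CA certificates at all"
        return False, f"{cacertdir}: no hash links; {hint}"
    return True, f"{cacertdir}: {len(links)} hash link(s) present"

def check_instance(dsrc, instance):
    """ldapi:// needs no CA; ldaps:// needs a tls_cacertdir OpenSSL can use."""
    cfg = dsrc.get(instance)
    if cfg is None:
        return False, f"no [{instance}] section in .dsrc"
    uri = cfg.get("uri", "ldapi://")  # the CLI defaults to LDAPI when uri is absent
    if uri.startswith("ldapi://"):
        return True, f"{instance}: LDAPI socket, TLS verification not involved"
    return check_cacertdir(cfg.get("tls_cacertdir", ""))

def demo():
    """Constructed sample .dsrc; returns (ok_before_rehash, ok_after_rehash)."""
    with tempfile.TemporaryDirectory() as tmp:
        cadir = Path(tmp, "slapd-localhost")
        cadir.mkdir()
        (cadir / "ca.pem").write_text("placeholder, not a real certificate\n")
        dsrc = Path(tmp, ".dsrc")
        dsrc.write_text(f"[localhost]\ntls_cacertdir = {cadir}\nuri = ldaps://localhost.localdomain:636\n"
                        "basedn = dc=example,dc=com\nbinddn = cn=Directory Manager\n")
        cfg = load_dsrc(dsrc)
        before = check_instance(cfg, "localhost")[0]
        (cadir / "01234567.0").symlink_to("ca.pem")  # what `openssl rehash` would create
        after = check_instance(cfg, "localhost")[0]
    return before, after
```

Run against a real /root/.dsrc, a False result with the rehash hint is the state Bryan's server was in before William's fix.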
Bryan K. Walton
2021-04-06 13:25:18 UTC
Post by William Brown
Because it's a cacertdir, have you run openssl rehash in the directory? Else it can't find and load the certs ...
Thanks, William. That helped a lot! We still need to make use of the
/root/.dsrc file. But running the rehash allows us to again use ldaps
(rather than ldapi) in our .dsrc.

Thanks!
Bryan
William Brown
2021-04-06 23:23:20 UTC
Post by Bryan K. Walton
Post by William Brown
Because it's a cacertdir, have you run openssl rehash in the directory? Else it can't find and load the certs ...
Thanks, William. That helped a lot! We still need to make use of the
/root/.dsrc file. But running the rehash allows us to again use ldaps
(rather than ldapi) in our .dsrc.
Great! When you are on localhost, ldapi is the way to go, but if you need to do tasks remotely then this should get you unstuck.

If you have more questions, let us know :)
Post by Bryan K. Walton
Thanks!
Bryan

Sincerely,

William Brown

Senior Software Engineer, 389 Directory Server
SUSE Labs, Australia