Opened 7 years ago

Closed 7 years ago

#2043 closed task (wontfix)

ldapsearch no longer works on staging.www.osgeo.org

Reported by: robe Owned by: sac@…
Priority: normal Milestone: Website rebranding 2017
Component: SysAdmin Keywords:
Cc:

Description

Originally when I setup staging.www.osgeo.org

I did a test to verify ldapsearch worked like this:

ldapsearch -x uid=robe

gives error:

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Trying to debug with

ldapsearch -x -d5 uid=robe

Gives a bit more information looks like it's trying to use localhost now instead of ldaps://ldap.osgeo.org, so maybe it relies on ldap.conf which perhaps was taken out

ldap_create
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_pvt_connect: fd: 4 tm: -1 async: 0
attempting to connect:
connect errno: 111
ldap_close_socket: 4
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

I thought I tried like 2 weeks ago and it worked. Were ldap changes made in past 2 weeks to server?

Though this still works

getent passwd robe

Thanks, Regina

Change History (4)

comment:1 by robe, 7 years ago

I should add, it works if I fill in all the details. So not a huge deal I just don't remember it being this way and why it was changed if it was.

ldapsearch -x -b "dc=osgeo,dc=org" uid=robe -H ldaps://ldap.osgeo.org 

comment:2 by martin, 7 years ago

Indeed, the "ldapsearch" command refers to /etc/ldap/ldap.conf, but this file has been moved away more than one month ago, when I switched the machine over to using pam_ldapd/nslcd for authentication.

Personally I prefer to have just one system-wide file in /etc/ to make clear, where exactly the active configuration resides. I usually have a shell alias for "ldapsearch" to set the additional parameters.

If we *need* to have "ldapsearch" work without them, then we can put it back in - but in this case we should do so on all machines.

comment:3 by strk, 7 years ago

The use of /etc/ldal/ldap.conf is documented here: https://wiki.osgeo.org/wiki/SAC:LDAP#Command_line_interface

I don't find documentation about the other mechanism on the wiki. I'm happy if you find a way to have a single configuration for multiple tools but such configuration should be clearly documented so it's easier to debug problems when they arise and configure new machines when needed.

Can you add documentation for the pam setup on that wiki page ?

comment:4 by robe, 7 years ago

Resolution: wontfix
Status: newclosed

It's the same tool though I suspect Martin just wiped out the ldap.conf because it wasn't needed for sshing but is convenient for ldapsearch to look up defaults.

Anyrate I updated the doc you have above to describe how to do the query if ldap.conf is not configured for ldap.osgeo.org

Since didn't impact my wordpress setup I'm closing out and leaving as is.

Note: See TracTickets for help on using tickets.