The OpenNET Project / Index page

Solaris 10 native ldap client., !*! Alexandro, 22-Aug-08, 15:53
I can't get Solaris 10 (sparc, 08/05 update) to work with an OpenLDAP server.

Using certutil I import the root and intermediate certificates into the store:
# certutil -A -n "CA certificate" -i ca.crt -t "CT" -d /var/ldap/
# certutil -A -n "subCA certificate" -i subca.crt -t "CT" -d /var/ldap/
# chmod 0444 /var/ldap/*db
# ls -la /var/ldap/*db
-r--r--r--   1 root     root       65536 авг. 21 15:45 /var/ldap/cert8.db
-r--r--r--   1 root     root       32768 авг. 21 15:45 /var/ldap/key3.db
-r--r--r--   1 root     root       32768 авг. 21 11:12 /var/ldap/secmod.db


Checking that ldapsearch works:
# ldapsearch -h ldap1 -p 636 -b "" -s base -D "cn=pambrowser,..." -w <...> -Z -P /var/ldap "(objectclass=*)"
version: 1
dn:
objectClass: top
objectClass: OpenLDAProotDSE


But then ldapclient manual refuses to get going:
# ldapclient manual -v -a credentialLevel=proxy -a 'proxyDN=cn=pambrowser,...' -a 'proxyPassword=...' -a authenticationMethod=tls:simple -a 'serviceAuthenticationMethod=pam_ldap:tls:simple'  -a 'defaultSearchBase=o=...' -a 'servicesearchdescriptor=group:ou=Groups,o=...' -a 'defaultServerList=ldap1 ldap2'


Parsing credentialLevel=proxy
Parsing proxyDN=cn=pambrowser,...
Parsing proxyPassword=...
Parsing authenticationMethod=tls:simple
Parsing serviceAuthenticationMethod=pam_ldap:tls:simple
Parsing defaultSearchBase=...
Parsing servicesearchdescriptor=group:ou=Groups,...
Parsing defaultServerList=ldap1 ldap2
Arguments parsed:
        authenticationMethod: tls:simple
        serviceAuthenticationMethod:
                arg[0]: pam_ldap:tls:simple
        defaultSearchBase: ...
        credentialLevel: proxy
        proxyDN: cn=pambrowser,...
        serviceSearchDescriptor:
                arg[0]: group:ou=Groups,...
        proxyPassword: ...
        defaultServerList: ldap1 ldap2
Handling manual option
Proxy DN: cn=pambrowser,...
Proxy password: {NS1}......
Credential level: 1
Authentication method: 3
About to modify this machines configuration by writing the files
Stopping network services
Stopping sendmail
stop: network/smtp:sendmail... failed: entity not found
Stopping sendmail failed with (1). You may need to restart it manually for changes to take effect.
nscd not running
Stopping autofs
stop: system/filesystem/autofs:default... failed: entity not found
Stopping autofs failed with (1). You may need to restart it manually for changes to take effect.
ldap not running
nisd not running
nis(yp) not running
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
file_backup: stat(/var/nis/NIS_COLD_START)=-1
file_backup: No /var/nis/NIS_COLD_START file.
file_backup: nis domain is "..."
file_backup: stat(/var/yp/binding/...)=-1
file_backup: No /var/yp/binding/... directory.
file_backup: stat(/var/ldap/ldap_client_file)=0
file_backup: (/var/ldap/ldap_client_file -> /var/ldap/restore/ldap_client_file)
file_backup: (/var/ldap/ldap_client_cred -> /var/ldap/restore/ldap_client_cred)
Starting network services
start: /usr/bin/domainname ... ... success
start: sleep 100000 microseconds
start: sleep 200000 microseconds
start: sleep 400000 microseconds
start: sleep 800000 microseconds
start: sleep 1600000 microseconds
start: sleep 3200000 microseconds
start: sleep 6400000 microseconds
start: sleep 12800000 microseconds
start: sleep 25600000 microseconds
start: sleep 51200000 microseconds
start: sleep 17700000 microseconds
start: network/ldap/client:default... timed out
start: network/ldap/client:default... offline to disable
stop: sleep 100000 microseconds
stop: sleep 200000 microseconds
stop: sleep 400000 microseconds
stop: sleep 800000 microseconds
stop: network/ldap/client:default... success
restart: sleep 100000 microseconds
restart: milestone/name-services:default... success
Error resetting system.
Recovering old system settings.
Stopping network services
Stopping sendmail
stop: network/smtp:sendmail... failed: entity not found
Stopping sendmail failed with (1). You may need to restart it manually for changes to take effect.
nscd not running
Stopping autofs
stop: system/filesystem/autofs:default... failed: entity not found
Stopping autofs failed with (1). You may need to restart it manually for changes to take effect.
ldap not running
nisd not running
nis(yp) not running
recover: stat(/var/ldap/restore/defaultdomain)=0
recover: open(/var/ldap/restore/defaultdomain)
recover: read(/var/ldap/restore/defaultdomain)
recover: old domainname "..."
recover: stat(/var/ldap/restore/ldap_client_file)=0
recover: file_move(/var/ldap/restore/ldap_client_file, /var/ldap/ldap_client_file)=0
recover: stat(/var/ldap/restore/ldap_client_cred)=0
recover: file_move(/var/ldap/restore/ldap_client_cred, /var/ldap/ldap_client_cred)=0
recover: stat(/var/ldap/restore/NIS_COLD_START)=-1
recover: stat(/var/ldap/restore/stacksoft.ru)=-1
recover: stat(/var/ldap/restore/nsswitch.conf)=0
recover: file_move(/var/ldap/restore/nsswitch.conf, /etc/nsswitch.conf)=0
recover: stat(/var/ldap/restore/defaultdomain)=0
recover: file_move(/var/ldap/restore/defaultdomain, /etc/defaultdomain)=0
Starting network services
start: /usr/bin/domainname ... ... success
restart: sleep 100000 microseconds
restart: milestone/name-services:default... success


# cat /var/svc/log/network-ldap-client\:default.log
[ Aug 22 15:43:48 Enabled. ]
[ Aug 22 15:43:49 Executing start method ("/usr/lib/ldap/ldap_cachemgr") ]
[ Aug 22 15:45:49 Method or service exit timed out.  Killing contract 110 ]
[ Aug 22 15:45:49 Leaving maintenance because disable requested. ]
[ Aug 22 15:45:49 Disabled. ]

# cat /var/ldap/cachemgr.log
Fri Aug 22 15:43:49.0324        Starting ldap_cachemgr, logfile /var/ldap/cachemgr.log

With tcpdump I can see that the machine tries to connect to the ldap servers on port 389. If port 389 is open, it tries to make requests without starttls (which it definitely couldn't do before, and apparently still can't). Unencrypted access to the server is forbidden, so Solaris gets nothing back except "TLS Confidentiality required".


Is there any way to get around this without switching to the openldap libraries?

  • Solaris 10 native ldap client., !*! tungus, 02:45 , 23-Aug-08 (1)
    1. I actually did this, but using ldap profiles. Clients: solaris 10 sparc & x86

    Add to the openldap ldap schema:
    # Updated to match RFC 4876 2007-2007
    # http://www.rfc-editor.org/rfc/rfc4876.txt
    objectIdentifier      DUAConfSchemaOID        1.3.6.1.4.1.11.1.3.1

    attributetype ( DUAConfSchemaOID:1.0 NAME 'defaultServerList'
                DESC 'Default LDAP server host address used by a DUA'
                EQUALITY caseIgnoreMatch
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
                SINGLE-VALUE )

    attributetype ( DUAConfSchemaOID:1.1 NAME 'defaultSearchBase'
                DESC 'Default LDAP base DN used by a DUA'
                EQUALITY distinguishedNameMatch
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
                SINGLE-VALUE )

    attributetype ( DUAConfSchemaOID:1.2 NAME 'preferredServerList'
                DESC 'Preferred LDAP server host addresses to be used by a
                DUA'
                EQUALITY caseIgnoreMatch
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
                SINGLE-VALUE )

    attributetype ( DUAConfSchemaOID:1.3 NAME 'searchTimeLimit'
                DESC 'Maximum time in seconds a DUA should allow for a
                search to complete'
                EQUALITY integerMatch
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
                SINGLE-VALUE )

    attributetype ( DUAConfSchemaOID:1.4 NAME 'bindTimeLimit'
                DESC 'Maximum time in seconds a DUA should allow for the
                bind operation to complete'
                EQUALITY integerMatch
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
                SINGLE-VALUE )

    attributetype ( DUAConfSchemaOID:1.5 NAME 'followReferrals'
                DESC 'Tells DUA if it should follow referrals
                returned by a DSA search result'
                EQUALITY caseIgnoreIA5Match
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
                SINGLE-VALUE )

    attributetype ( DUAConfSchemaOID:1.6 NAME 'authenticationMethod'
                DESC 'A keystring which identifies the type of
                authentication method used to contact the DSA'
                EQUALITY caseIgnoreMatch
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
                SINGLE-VALUE )

    attributetype ( DUAConfSchemaOID:1.7 NAME 'profileTTL'
                DESC 'Time to live, in seconds, before a client DUA
                should re-read this configuration profile'
                EQUALITY integerMatch
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
                SINGLE-VALUE )

    attributetype ( DUAConfSchemaOID:1.9 NAME 'attributeMap'
                DESC 'Attribute mappings used by a DUA'
                EQUALITY caseIgnoreIA5Match
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

    attributetype ( DUAConfSchemaOID:1.10 NAME 'credentialLevel'
                DESC 'Identifies type of credentials a DUA should
                use when binding to the LDAP server'
                EQUALITY caseIgnoreIA5Match
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
                SINGLE-VALUE )

    attributetype ( DUAConfSchemaOID:1.11 NAME 'objectclassMap'
                DESC 'Objectclass mappings used by a DUA'
                EQUALITY caseIgnoreIA5Match
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

    attributetype ( DUAConfSchemaOID:1.12 NAME 'defaultSearchScope'
                DESC 'Default search scope used by a DUA'
                EQUALITY caseIgnoreIA5Match
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
                SINGLE-VALUE )

    attributetype ( DUAConfSchemaOID:1.13 NAME 'serviceCredentialLevel'
                DESC 'Identifies type of credentials a DUA
                should use when binding to the LDAP server for a
                specific service'
                EQUALITY caseIgnoreIA5Match
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

    attributetype ( DUAConfSchemaOID:1.14 NAME 'serviceSearchDescriptor'
                DESC 'LDAP search descriptor list used by a DUA'
                EQUALITY caseExactMatch
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

    attributetype ( DUAConfSchemaOID:1.15 NAME 'serviceAuthenticationMethod'
                DESC 'Authentication method used by a service of the DUA'
                EQUALITY caseIgnoreMatch
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

    attributetype ( DUAConfSchemaOID:1.16 NAME 'dereferenceAliases'
                DESC 'Specifies if a service or agent either requires, supports, or uses dereferencing of aliases.'
                EQUALITY booleanMatch
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )

    objectclass ( DUAConfSchemaOID:2.5 NAME 'DUAConfigProfile'
              SUP top STRUCTURAL
              DESC 'Abstraction of a base configuration for a DUA'
              MUST ( cn )
              MAY ( defaultServerList $ preferredServerList $
                    defaultSearchBase $ defaultSearchScope $
                    searchTimeLimit $ bindTimeLimit $
                    credentialLevel $ authenticationMethod $
                    followReferrals $ serviceSearchDescriptor $
                    serviceCredentialLevel $ serviceAuthenticationMethod $
                    objectclassMap $ attributeMap $
                    profileTTL $ dereferenceAliases ) )

    objectclass ( DUAConfSchemaOID:2.1 NAME 'posixNamingProfile'
          SUP top AUXILIARY
          DESC 'POSIX naming profile'
          MAY ( attributeMap $ serviceSearchDescriptor ) )

    objectclass ( DUAConfSchemaOID:2.2 NAME 'configurationProfile'
          SUP top AUXILIARY
          DESC 'Configuration profile'
          MUST ( cn )
          MAY ( attributeMap $ serviceSearchDescriptor ) )

    # depends on nis.schema
    # See http://docs.sun.com/app/docs/doc/816-4556/appendixa-2,
    # http://docs.hp.com/en/J4269-90074/ch04s02.html

    attributetype ( 1.3.6.1.1.1.1.1.30 NAME 'nisDomain'
           DESC 'NIS domain'
           EQUALITY caseIgnoreIA5Match
           SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

    objectclass ( 1.3.6.1.1.1.2.15 NAME 'nisDomainObject'
          SUP top AUXILIARY
          DESC 'Associates a NIS domain with a naming context'
          MUST ( nisDomain ) )

    attributetype ( 1.3.6.1.1.1.1.31 NAME 'automountMapName'
          DESC 'automount Map Name'
          EQUALITY caseExactMatch
          SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
          SINGLE-VALUE )

    attributetype ( 1.3.6.1.1.1.1.32 NAME 'automountKey'
          DESC 'Automount Key value'
          EQUALITY caseExactMatch
          SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
          SINGLE-VALUE )

    attributetype ( 1.3.6.1.1.1.1.33 NAME 'automountInformation'
          DESC 'Automount information'
          EQUALITY caseExactMatch
          SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
          SINGLE-VALUE )

    objectclass ( 1.3.6.1.1.1.2.16 NAME 'automountMap'
          SUP top STRUCTURAL
          MUST ( automountMapName )
          MAY description )

    objectclass ( 1.3.6.1.1.1.2.17 NAME 'automount'
          SUP top STRUCTURAL
          DESC 'Automount'
          MUST ( automountKey $ automountInformation )
          MAY description )

    2. Initial ldif:

    dn: ou=Ldap,dc=someorg
    objectClass: organizationalUnit
    objectClass: top
    ou: Ldap
    description: Ldap Users

    dn: cn=Solaris,ou=Ldap,dc=someorg
    cn: Solaris
    objectClass: simpleSecurityObject
    objectClass: organizationalRole
    objectClass: top
    userPassword:: e1NTSEF9UzJSbGlpWG0wR09MTFhEall0UldDMTBFd1dJSks1RTdLempLUFE9PQ==

    dn: ou=Posix,dc=someorg
    objectClass: organizationalUnit
    objectClass: top
    objectClass: nisDomainObject
    ou: Posix
    l: None
    nisDomain: someorg

    dn: ou=Computers,ou=Posix,dc=someorg
    objectClass: organizationalUnit
    objectClass: top
    ou: Computers

    dn: ou=Idmap,ou=Posix,dc=someorg
    objectClass: organizationalUnit
    objectClass: top
    ou: Idmap

    dn: sambaDomainName=SOMEORG,ou=Posix,dc=someorg
    objectClass: sambaDomain
    objectClass: sambaUnixIdPool
    objectClass: top
    sambaDomainName: SOMEORG
    sambaSID: S-1-5-21-2324298634-3382198163-123456789
    sambaRefuseMachinePwdChange: 0
    sambaLockoutThreshold: 0
    sambaMinPwdAge: 0
    sambaMinPwdLength: 5
    sambaLogonToChgPwd: 0
    sambaMaxPwdAge: -1
    sambaForceLogoff: -1
    gidNumber: 1004
    sambaPwdHistoryLength: 5
    uidNumber: 1028
    sambaNextRid: 1015

    dn: ou=Rpc,ou=Posix,dc=someorg
    objectClass: organizationalUnit
    objectClass: top
    ou: Rpc

    dn: ou=Protocols,ou=Posix,dc=someorg
    objectClass: organizationalUnit
    objectClass: top
    ou: Protocols

    dn: ou=Profile,ou=Posix,dc=someorg
    objectClass: organizationalUnit
    objectClass: top
    ou: Profile

    dn: ou=Networks,ou=Posix,dc=someorg
    objectClass: organizationalUnit
    objectClass: top
    ou: Networks

    dn: ou=Netgroup,ou=Posix,dc=someorg
    objectClass: organizationalUnit
    objectClass: top
    ou: Netgroup

    dn: ou=Mounts,ou=Posix,dc=someorg
    objectClass: organizationalUnit
    objectClass: top
    ou: Mounts

    dn: ou=Aliases,ou=Posix,dc=someorg
    objectClass: organizationalUnit
    objectClass: top
    ou: Aliases

    dn: ou=Ethers,ou=Posix,dc=someorg
    objectClass: organizationalUnit
    objectClass: top
    ou: Ethers

    dn: ou=Hosts,ou=Posix,dc=someorg
    objectClass: organizationalUnit
    objectClass: top
    ou: Hosts

    dn: ou=Services,ou=Posix,dc=someorg
    objectClass: organizationalUnit
    objectClass: top
    ou: Services

    dn: ou=Group,ou=Posix,dc=someorg
    objectClass: organizationalUnit
    objectClass: top
    ou: Group

    dn: ou=People,ou=Posix,dc=someorg
    objectClass: organizationalUnit
    objectClass: top
    ou: People

    dn: automountMapName=auto_home,ou=Posix,dc=someorg
    automountMapName: auto_home
    objectClass: automountMap
    objectClass: top

    dn: automountMapName=auto_master,ou=Posix,dc=someorg
    automountMapName: auto_master
    objectClass: automountMap
    objectClass: top

    dn: cn=Solaris,ou=Profile,ou=Posix,dc=someorg
    objectClass: DUAConfigProfile
    objectClass: top
    cn: Solaris
    defaultSearchBase: ou=Posix,dc=someorg
    defaultServerList: 10.1.2.10
    bindTimeLimit: 2
    searchTimeLimit: 30
    followReferrals: TRUE
    credentialLevel: proxy anonymous
    authenticationMethod: simple
    defaultSearchScope: sub
    profileTTL: 3600

    dn: cn=Padl,ou=Profile,ou=Posix,dc=someorg
    objectClass: DUAConfigProfile
    objectClass: posixNamingProfile
    objectClass: top
    cn: Padl
    defaultSearchScope: one
    defaultServerList: ldap.someorg
    serviceSearchDescriptor: aliases:ou=Aliases,dc=Posix,dc=someorg
    serviceSearchDescriptor: fstab:ou=Mounts,dc=Posix,dc=someorg
    serviceSearchDescriptor: group:ou=Group,dc=Posix,dc=someorg
    serviceSearchDescriptor: hosts:ou=Hosts,dc=Posix,dc=someorg
    serviceSearchDescriptor: netgroup:ou=Netgroup,dc=Posix,dc=someorg
    serviceSearchDescriptor: networks:ou=Networks,dc=Posix,dc=someorg
    serviceSearchDescriptor: passwd:ou=People,dc=Posix,dc=someorg
    serviceSearchDescriptor: protocols:ou=Protocols,dc=Posix,dc=someorg
    serviceSearchDescriptor: rpc:ou=Rpc,dc=Posix,dc=someorg
    serviceSearchDescriptor: services:ou=Services,dc=Posix,dc=someorg
    defaultSearchBase: ou=Posix,dc=someorg

    dn: cn=default,ou=Profile,ou=Posix,dc=someorg
    aliasedObjectName: cn=Solaris,ou=Profile,ou=Posix,dc=someorg
    cn: default
    objectClass: extensibleObject
    objectClass: alias
    objectClass: top
    credentialLevel: proxy
    profileTTL: 600

    dn: cn=Solaris_pam_ldap,ou=Profile,ou=Posix,dc=someorg
    cn: Solaris_pam_ldap
    objectClass: DUAConfigProfile
    objectClass: top
    authenticationMethod: none
    bindTimeLimit: 2
    credentialLevel: anonymous
    defaultSearchBase: ou=Posix,dc=someorg
    defaultSearchScope: sub
    followReferrals: TRUE
    searchTimeLimit: 30
    serviceAuthenticationMethod: pam_ldap:simple
    serviceAuthenticationMethod: passwd-cmd:simple
    preferredServerList: 10.1.2.10
    defaultServerList: 10.1.2.250
    profileTTL: 3600

    dn: cn=Solaris_pam_ldap_tls,ou=Profile,ou=Posix,dc=someorg
    bindTimeLimit: 2
    cn: Solaris_pam_ldap_tls
    defaultSearchBase: ou=Posix,dc=someorg
    defaultSearchScope: sub
    followReferrals: TRUE
    objectClass: DUAConfigProfile
    objectClass: top
    searchTimeLimit: 30
    serviceAuthenticationMethod: passwd-cmd:tls:simple
    serviceAuthenticationMethod: pam_ldap:tls:simple
    profileTTL: 3600
    preferredServerList: ldap.someorg
    credentialLevel: proxy
    authenticationMethod: tls:simple
    defaultServerList: 10.1.2.10

    dn: automountKey=*,automountMapName=auto_home,ou=Posix,dc=someorg
    automountKey: *
    objectClass: automount
    objectClass: top
    automountInformation: -fstype=nfs,vers=3 somehost:/home/&

    3. /etc/nsswitch.ldap needs to be adjusted, for example a minimalist variant:
    passwd:     files ldap
    group:      files ldap
    hosts:      files dns
    ipnodes:    files dns
    networks:   files
    protocols:  files
    rpc:        files
    ethers:     files
    netmasks:   files
    bootparams: files
    publickey:  files
    netgroup:   ldap
    automount:  files
    aliases:    files
    services:   files
    printers:   user files
    auth_attr:  files
    prof_attr:  files
    project:    files
    tnrhtp:     files
    tnrhdb:     files

    4. Adjust /etc/pam.conf according to the System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP) http://docs.sun.com/app/docs/doc/816-4556/schemas-111

    5. Import the root certificate:
    /usr/sfw/bin/certutil -N -d /var/ldap
    /usr/sfw/bin/certutil -A -n "ca-cert" -i /tmp/root.pem -a -t CT -d /var/ldap
    chmod 444 /var/ldap/*.db

    6. Enable use of ldap
    ldapclient -v init -a profileName=Solaris_pam_ldap_tls -a domainName=someorg -a proxyDN="cn=Solaris,ou=Ldap,dc=someorg" -a proxyPassword="solaris" ldap.ot.by

    Notes:
    a) When the Solaris_pam_ldap_tls profile is used, authentication is done via ldap bind.
    b) Two servers (master/slave) are used: ldap.someorg and 10.1.2.10.
    c) Since ldap bind is used, cn=Solaris,ou=Ldap,dc=someorg does not need any extra rights (reading userpasswd etc.); anonymous rights are enough.
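The profiles above decide whether a proxy or user password ever crosses the wire in clear (a `simple` method without a `tls:` prefix does, `tls:simple` does not). The following is an added example, not code from the thread or from Solaris: it reads profile entries out of an LDIF, handling folded lines and base64 (`::`) values like the `userPassword` above, and reports every DUAConfigProfile whose proxy bind or service bind would send a password unprotected. The sample LDIF, the "secret" password and the rule that `none`, `tls:*` and `sasl/*` count as protected are assumptions of this example.

```python
"""Added example: audit DUAConfigProfile entries in an LDIF for passwords
that would cross the wire in clear. Not from the thread or from Solaris."""
import base64
from typing import Dict, List

Entry = Dict[str, List[str]]

# Constructed sample modelled on the thread's profiles; the base64 password
# (value after '::') is folded across two lines, as LDIF permits.
SAMPLE_LDIF = """\
dn: cn=Solaris,ou=Ldap,dc=someorg
cn: Solaris
objectClass: simpleSecurityObject
objectClass: organizationalRole
userPassword:: c2Vj
 cmV0

dn: cn=Solaris,ou=Profile,ou=Posix,dc=someorg
objectClass: DUAConfigProfile
cn: Solaris
credentialLevel: proxy anonymous
authenticationMethod: simple

dn: cn=Solaris_pam_ldap,ou=Profile,ou=Posix,dc=someorg
objectClass: DUAConfigProfile
cn: Solaris_pam_ldap
credentialLevel: anonymous
authenticationMethod: none
serviceAuthenticationMethod: pam_ldap:simple
serviceAuthenticationMethod: passwd-cmd:simple

dn: cn=Solaris_pam_ldap_tls,ou=Profile,ou=Posix,dc=someorg
objectClass: DUAConfigProfile
cn: Solaris_pam_ldap_tls
credentialLevel: proxy
authenticationMethod: tls:simple
serviceAuthenticationMethod: passwd-cmd:tls:simple
serviceAuthenticationMethod: pam_ldap:tls:simple
"""


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: unfolds continuation lines, decodes '::' base64
    values, keeps multi-valued attributes, lower-cases attribute names."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]  # continuation of the previous line
        else:
            unfolded.append(line)
    entries: List[Entry] = []
    current: Entry = {}
    for line in unfolded + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def method_is_protected(method: str) -> bool:
    """Assumption: 'none' sends no credential, 'tls:*' and 'sasl/*' do not
    expose a password in clear; a bare 'simple' does."""
    m = method.strip().lower()
    return m == "none" or m.startswith("tls:") or m.startswith("sasl/")


def audit_profiles(entries: List[Entry]) -> Dict[str, List[str]]:
    """Return {profile cn: [findings]} for every DUAConfigProfile entry."""
    findings: Dict[str, List[str]] = {}
    for e in entries:
        if "duaconfigprofile" not in {c.lower() for c in e.get("objectclass", [])}:
            continue
        cn = e.get("cn", ["?"])[0]
        issues: List[str] = []
        # credentialLevel may list several levels, e.g. "proxy anonymous"
        levels = " ".join(e.get("credentiallevel", ["anonymous"])).lower().split()
        method = e.get("authenticationmethod", ["none"])[0]
        if "proxy" in levels and not method_is_protected(method):
            issues.append(f"proxy bind via '{method}': proxyDN password sent in clear")
        for sam in e.get("serviceauthenticationmethod", []):
            service, _, smethod = sam.partition(":")  # "pam_ldap:tls:simple"
            if not method_is_protected(smethod):
                issues.append(f"{service} via '{smethod}': user passwords sent in clear")
        findings[cn] = issues
    return findings


if __name__ == "__main__":
    for cn, issues in audit_profiles(parse_ldif(SAMPLE_LDIF)).items():
        print(cn, "OK" if not issues else "; ".join(issues))
```

Run against a real dump (`ldapsearch ... objectClass=DUAConfigProfile` piped to a file) it lists, per profile, which bind path would leak a password; for the thread's three profiles only `Solaris_pam_ldap_tls` comes out clean.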

    • Solaris 10 native ldap client., !*! Имя, 18:16 , 19-Sep-11 (2)
      > start: network/ldap/client:default... timed out
      > start: network/ldap/client:default... offline to disable

      This nonsense happens because, when the ldapclient command is run, the file /etc/nsswitch.ldap is copied to /etc/nsswitch.conf. As a result, hosts start being resolved through LDAP, where of course there are no records. Consequently the client can't reach the server and doesn't start.
      What to do about it is described in item 3 of the previous post.

      In general, though, I never managed to make the native client (the author of the previous post doesn't use it, he uses PADL) go over TLS only. That is, it seems it keeps a connection on port 389, but all the real requests (search, authorization) go over 636, where it's TLS and everything as it should be.

      And on port 389 this kind of junk shows up in the log:
      conn=1022 fd=17 ACCEPT from IP=192.168.100.63:33168 (IP=0.0.0.0:389)
      conn=1022 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
      conn=1022 op=0 SRCH attr=supportedControl supportedsaslmechanisms
      conn=1022 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
      conn=1022 op=1 UNBIND
      conn=1022 fd=17 closed

      Everything else goes over TLS. But all in all not bad! =)
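The log excerpt above is what a harmless plaintext connection looks like: a rootDSE search (empty base) for server capabilities, then UNBIND. The distinction a defender wants from slapd's log is whether a port 389 connection ever did a BIND with a real DN or a search in the real tree before TLS was established. The following is an added example, not code from the thread or from OpenLDAP: it groups slapd connection-log lines by conn id and gives each connection a verdict. conn=1022 is the thread's own excerpt; the other connections, their addresses and the `cn=proxyagent` DN are constructed for the example, and the rule that a connection counts as protected from its first `TLS established` line (which covers both ldaps on 636 and STARTTLS on 389) is an assumption.

```python
"""Added example: classify slapd connection-log lines by whether sensitive
operations ran on a plaintext connection. Not from the thread or OpenLDAP."""
import re
from typing import Dict, List

ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+ \(IP=[\d.]+:(\d+)\)")
TLS_RE = re.compile(r"conn=(\d+) fd=\d+ TLS established")
BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)"')
SRCH_RE = re.compile(r'conn=(\d+) op=\d+ SRCH base="([^"]*)"')

# Constructed sample: conn=1022 is the rootDSE probe quoted in the thread;
# connections 1023-1025, their addresses and the DN are invented here.
SAMPLE_LOG = [
    'conn=1022 fd=17 ACCEPT from IP=192.168.100.63:33168 (IP=0.0.0.0:389)',
    'conn=1022 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"',
    'conn=1022 op=0 SRCH attr=supportedControl supportedsaslmechanisms',
    'conn=1022 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=',
    'conn=1022 op=1 UNBIND',
    'conn=1022 fd=17 closed',
    'conn=1023 fd=18 ACCEPT from IP=192.168.100.64:40001 (IP=0.0.0.0:389)',
    'conn=1023 op=0 BIND dn="cn=proxyagent,ou=Ldap,dc=someorg" method=128',
    'conn=1023 op=0 RESULT tag=97 err=0 text=',
    'conn=1023 op=1 SRCH base="ou=People,ou=Posix,dc=someorg" scope=2 deref=0 filter="(uid=alice)"',
    'conn=1023 fd=18 closed',
    'conn=1024 fd=19 ACCEPT from IP=192.168.100.65:40002 (IP=0.0.0.0:636)',
    'conn=1024 fd=19 TLS established tls_ssf=256 ssf=256',
    'conn=1024 op=0 BIND dn="cn=proxyagent,ou=Ldap,dc=someorg" method=128',
    'conn=1024 fd=19 closed',
    'conn=1025 fd=20 ACCEPT from IP=192.168.100.66:40003 (IP=0.0.0.0:389)',
    'conn=1025 op=0 STARTTLS',
    'conn=1025 op=0 RESULT oid= err=0 text=',
    'conn=1025 fd=20 TLS established tls_ssf=256 ssf=256',
    'conn=1025 op=1 BIND dn="cn=proxyagent,ou=Ldap,dc=someorg" method=128',
    'conn=1025 fd=20 closed',
]


def classify_connections(lines: List[str]) -> Dict[str, dict]:
    """Return {conn id: {client, port, tls, exposed, verdict}}.

    exposed lists BIND/SRCH operations that carried a real DN or base while
    the connection was still plaintext; an empty dn (anonymous bind) or an
    empty base (rootDSE probe) is treated as harmless discovery."""
    conns: Dict[str, dict] = {}
    for line in lines:
        m = ACCEPT_RE.search(line)
        if m:
            conns[m.group(1)] = {"client": m.group(2), "port": int(m.group(3)),
                                 "tls": False, "exposed": []}
            continue
        m = TLS_RE.search(line)
        if m and m.group(1) in conns:
            conns[m.group(1)]["tls"] = True
            continue
        for rx, label in ((BIND_RE, "BIND dn"), (SRCH_RE, "SRCH base")):
            m = rx.search(line)
            if m and m.group(1) in conns:
                c = conns[m.group(1)]
                if m.group(2) and not c["tls"]:
                    c["exposed"].append(f"{label}={m.group(2)}")
    for c in conns.values():
        c["verdict"] = ("plaintext-sensitive" if c["exposed"]
                        else "tls" if c["tls"] else "plaintext-discovery-only")
    return conns


if __name__ == "__main__":
    for cid, c in classify_connections(SAMPLE_LOG).items():
        print(cid, c["client"], c["port"], c["verdict"], "; ".join(c["exposed"]))
```

Feeding it the real slapd log (`loglevel stats`) separates the harmless capability probes the poster saw on 389 from connections that actually bind or search in clear, which is the case worth alerting on.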



