ldap_sasl_bind_s failed (-1) - openldap

I have configured the openldap multimaster based on this guide:
https://kifarunix.com/setup-openldap-master-master-replication-on-centos-8/
but the replication between the two servers doesn't work, and I get this error:
on server1: slap_client_connect: URI=ldaps://ldapmaster02.kifarunix-demo.com DN="cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com" ldap_sasl_bind_s failed (-1)
on server2: slap_client_connect: URI=ldaps://ldapmaster01.kifarunix-demo.com DN="cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com" ldap_sasl_bind_s failed (-1)
What is wrong in the guide?
Regards

The issue is resolved.
I used the same password and password hash in all the LDIF configuration files.
I also used the link below to generate certificate files with alternative DNS names:
https://gist.github.com/KeithYeh/bb07cadd23645a6a62509b1ec8986bbc
Also, olcAccess for cn=manager must be set to write. In that document, olcAccess for cn=manager is not set.
Regards
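Result code -1 in slapd's log is LDAP_SERVER_DOWN ("Can't contact LDAP server"): the consumer never completed a connection to the provider, so this is a connection-level failure (TLS handshake, DNS or routing), not a rejected password, which would be 49 (invalid credentials). With ldaps:// provider URIs the consumer verifies the provider's certificate against the hostname in the URI (syncrepl's tls_reqcert defaults to demand), so a certificate that does not list that hostname in its subjectAltName fails exactly like this, which is why regenerating the certificates with alternative DNS names fixed it. The shell below is an added example, not part of the question or of the linked guide: it builds a self-signed certificate covering both replication hostnames and checks every syncrepl URI against it before the certificate is put in front of slapd. The hostnames are the two from the question; the output directory is an assumption.

```shell
#!/bin/sh
# Added example, not from the question or the linked guide: build a
# self-signed certificate whose subjectAltName lists every hostname that
# appears in the syncrepl provider URIs, then verify each URI against it.
# Hostnames are the two from the question; the output directory is assumed.

# make_san_cert OUT_DIR CN HOST... -> writes OUT_DIR/key.pem and OUT_DIR/cert.pem
# with a DNS SAN for every HOST. Once a SAN is present, verifiers ignore the CN,
# so every replication hostname must be listed here.
make_san_cert() {
    out=$1; cn=$2; shift 2
    sans=""
    for h in "$@"; do
        sans="${sans:+$sans,}DNS:$h"
    done
    mkdir -p "$out"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$cn" -addext "subjectAltName=$sans" \
        -keyout "$out/key.pem" -out "$out/cert.pem" 2>/dev/null
}

# cert_matches_host CERT HOST -> 0 if HOST is covered by the certificate
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q ' does match '
}

# uri_host URI -> hostname part of ldap://host, ldaps://host:636/, ...
uri_host() {
    printf '%s\n' "$1" | sed -e 's#^[a-z]*://##' -e 's#[:/].*$##'
}

# check_syncrepl_uris CERT URI... -> 0 only if every URI hostname is covered.
# A hostname that is not covered makes the consumer's TLS handshake, and so
# its bind, fail before any password is sent: ldap_sasl_bind_s failed (-1).
check_syncrepl_uris() {
    cert=$1; shift
    rc=0
    for uri in "$@"; do
        host=$(uri_host "$uri")
        if cert_matches_host "$cert" "$host"; then
            echo "ok    $host is covered by $cert"
        else
            echo "FAIL  $host is not covered by $cert"
            rc=1
        fi
    done
    return $rc
}

# Usage on each provider (one shared certificate listing both names works):
#   make_san_cert /etc/openldap/certs ldapmaster01.kifarunix-demo.com \
#       ldapmaster01.kifarunix-demo.com ldapmaster02.kifarunix-demo.com
#   check_syncrepl_uris /etc/openldap/certs/cert.pem \
#       ldaps://ldapmaster01.kifarunix-demo.com ldaps://ldapmaster02.kifarunix-demo.com
```

Because the certificate is self-signed, each consumer must also trust it: the peer's certificate (or the shared one) has to be in the file named by olcTLSCACertificateFile, or by the tls_cacert option of the olcSyncrepl value, otherwise the handshake still fails even though the hostname matches.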

Related

Openldap wildcard certificate install

I have an Ubuntu server running OpenLDAP that our phones connect to.
A while back I set this up to use LDAPS with Let's Encrypt, which worked fine with most things until they recently made a change regarding the X3 certificate. I am unable to install a recent enough version to run --preferred-chain "ISRG Root X1", and I can't use the snap version as the box is on LXC and won't run it.
The company has now bought a DigiCert wildcard certificate and would like it on the LDAP server, but I can't get it to load the config.
The original LDIF file I created to import is below, with the domain name changed.
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/letsencrypt/live/directory.mydomain.co.uk/fullchain.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/letsencrypt/live/test-directory.mydomain.co.uk/cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/letsencrypt/live/test-directory.mydomain.co.uk/privkey.pem
I have tried changing the file with modify commands, but it just won't have it, and I keep getting the below.
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
ldap_modify: Inappropriate matching (18)
additional info: modify/add: olcTLSCACertificateFile: no equality matching rule
Any advice here would be great, thanks.
I propose checking the contents of the LDIF for unintended special characters, e.g.: $ sudo cat -tve *.ldif
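The error text is slapd's own response to an `add:` on an attribute that already holds a value: the olcTLS* attributes are single-valued and define no EQUALITY matching rule, so slapd cannot check whether the new value duplicates the existing one and rejects the add with "Inappropriate matching (18) ... no equality matching rule". `add:` was right for the first import, when the attributes did not exist yet; every later change has to use `replace:`. slapd also validates the files while the modify is applied, so a key that does not belong to the certificate, or a file the slapd user cannot read, fails at the same step. The shell below is an added example, not the poster's LDIF and not taken from OpenLDAP's documentation: it checks that a key and certificate belong together and emits the replace-style LDIF for `ldapmodify -Y EXTERNAL -H ldapi:///`. The file paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the question or from OpenLDAP: verify a TLS key/cert
# pair and emit a cn=config LDIF that uses "replace" instead of "add", which is
# what olcTLS* attributes need once they already hold a value. Paths in the
# usage comment are placeholders for the real DigiCert files.

# key_matches_cert KEY CERT -> 0 if the private key and the certificate carry
# the same public key (compared as SHA-256 of the DER SubjectPublicKeyInfo)
key_matches_cert() {
    openssl pkey -in "$1" -noout 2>/dev/null || return 1   # unreadable/invalid key
    openssl x509 -in "$2" -noout 2>/dev/null || return 1   # unreadable/invalid cert
    k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -pubout -outform DER 2>/dev/null | openssl sha256)
    [ "$k" = "$c" ]
}

# tls_replace_ldif CA_FILE CERT_FILE KEY_FILE -> prints the LDIF on stdout,
# after refusing obviously broken input that slapd would reject anyway
tls_replace_ldif() {
    for f in "$1" "$2" "$3"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    key_matches_cert "$3" "$2" || { echo "key $3 does not match certificate $2" >&2; return 1; }
    cat <<EOF
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: $1
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: $2
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: $3
EOF
}

# Usage (paths are placeholders):
#   tls_replace_ldif /etc/ssl/certs/DigiCertCA.pem /etc/ssl/certs/wildcard.pem \
#       /etc/ssl/private/wildcard.key | sudo ldapmodify -Y EXTERNAL -H ldapi:///
```

Two things to check before applying it: the key file must be readable by the user slapd runs as (openldap on Ubuntu), not just by root; and for a commercial wildcard certificate the intermediate certificate has to be served as well, either appended to the certificate file, as Let's Encrypt's fullchain.pem does, or present in the CA file, otherwise clients that lack the intermediate fail to build the chain.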

Maxscale: maxctrl error when admin_ssl parameters are set in maxscale.cnf

System:
Maxscale 2.5.9
Ubuntu 20.04
In order to access the Web Admin GUI, my maxscale.cnf file looks like this:
[maxscale]
threads=auto
admin_host=0.0.0.0
admin_secure_gui=1
admin_auth=1
admin_enabled=1
admin_gui=1
admin_ssl_key=/etc/ssl/certs/maxscale-key.pem
admin_ssl_cert=/etc/ssl/certs/maxscale-cert.pem
admin_ssl_ca_cert=/etc/ssl/certs/ca-certificates.crt
[...all other configuration..]
With this configuration I can access the Web Admin GUI on port 8989 from the internal IP address (not 127.0.0.1) in a browser.
The SSL key/certs are self-signed.
BUT
When using the command line like:
maxctrl list servers
I get the following error:
Error: Error: socket hang up
When I remove or comment out the lines with the admin_ssl_XXX parameters and restart maxscale, command line works again, but of course the Web-AdminGUI does not.
I tried various ways of creating the SSL certificates (including the one listed on the mariadb.com website:
https://mariadb.com/docs/security/encryption/in-transit/create-self-signed-certificates-keys-openssl/#create-self-signed-certificates-keys-openssl),
but the issue remains.
No errors in the maxscale.log whatsoever.
What is the best way to debug this issue?
Or do you have by any chance the right answer at hand?
Your help is greatly appreciated!
BR, Martin
You should use maxctrl --secure to encrypt the connections used by it.
Since you are using self-signed certificates, you have to also specify the CA certificate with --tls-ca-cert=/etc/ssl/certs/ca-certificates.crt if it's not installed in the system certificate store.
In addition, you probably need to use --tls-verify-server-cert=false to disable any warnings about self-signed certificates.
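maxctrl uses the same REST API as the GUI, on the same port 8989. As soon as admin_ssl_key and admin_ssl_cert are set, that listener only answers TLS, and a client that starts talking plain HTTP is cut off during the handshake, which the Node.js-based maxctrl reports as "socket hang up"; that is why removing the admin_ssl_* lines makes the CLI work and the GUI stop. The shell helper below is an added example, not part of MaxScale or of the thread: it reads the admin_* keys from maxscale.cnf and prints the maxctrl flags that match the server-side settings, so the CLI follows whatever the server is configured for. `--hosts`, `--secure` and `--tls-ca-cert` are real maxctrl options; the config parsing and the 127.0.0.1:8989 default are this example's assumptions.

```shell
#!/bin/sh
# Added example, not part of MaxScale or the thread: derive the maxctrl
# connection flags from the admin_* keys in maxscale.cnf so the CLI speaks TLS
# whenever the REST API does. --hosts, --secure and --tls-ca-cert are real
# maxctrl options; the cnf parsing and the 127.0.0.1:8989 default are assumed.

# cnf_get FILE KEY -> value of KEY from the [maxscale] section, empty if absent
cnf_get() {
    awk -v key="$2" '
        /^[ \t]*\[/ { in_main = ($0 ~ /^[ \t]*\[maxscale\][ \t]*$/); next }
        in_main && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]*$/, ""); print; exit
        }' "$1"
}

# maxctrl_flags FILE -> flags that make maxctrl match the admin_* settings
maxctrl_flags() {
    host=$(cnf_get "$1" admin_host)
    port=$(cnf_get "$1" admin_port)
    case "$host" in ""|0.0.0.0|::) host=127.0.0.1 ;; esac   # wildcard bind: connect locally
    flags="--hosts=$host:${port:-8989}"
    if [ -n "$(cnf_get "$1" admin_ssl_key)" ]; then
        # With admin_ssl_* set the listener is HTTPS only; plain HTTP from
        # maxctrl is dropped during the handshake ("socket hang up").
        flags="$flags --secure"
        ca=$(cnf_get "$1" admin_ssl_ca_cert)
        if [ -n "$ca" ]; then
            flags="$flags --tls-ca-cert=$ca"
        fi
    fi
    printf '%s\n' "$flags"
}

# Usage:  maxctrl $(maxctrl_flags /etc/maxscale.cnf) list servers
```

A caveat on the answer's last flag: `--tls-verify-server-cert=false` switches off chain and hostname checking for every maxctrl call, which is the property the TLS listener was added for. With a self-signed server certificate it is cleaner to give maxctrl a CA file that actually contains the issuer (for a plain self-signed certificate, the certificate itself) through `--tls-ca-cert` and keep verification on; the system bundle ca-certificates.crt only helps if the signer is in it.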

how to update the SSL certificate used in cloudogu dogus

I have been using Cloudogu (EcoSystem) for almost a year now. Thank you #cloudogu team for this great product.
I'm facing a certificate expiration problem which, for example, prevents Jenkins from accessing the code in the scm-universe Git repository.
Here is the error log as reported by Jenkins:
Failed to connect to repository : Command "git ls-remote -h -- https://my.cloudogu.instance/scm/git/my-project HEAD" returned status code 128:
stdout:
stderr: fatal: unable to access 'https://my.cloudogu.instance/scm/git/my-project': SSL certificate problem: certificate has expired
Since all dogus (Jenkins, SCM-Manager, SonarQube, nginx) face the same certificate expiration problem, I guess there is a way to generate a new self-signed certificate that will be used by all dogus.
Could anyone please give some hints in this direction?
Kind regards,
Thanks for using Cloudogu EcoSystem!
To generate new self-signed certificates, just run /usr/local/bin/ssl.sh and restart the system.
Regards,
Robert
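ssl.sh regenerates the certificate, but nothing in the thread warns before the next expiry, and the first symptom was a broken Jenkins build. The shell below is an added example, not Cloudogu's code: it classifies PEM certificates as ok, expiring within a warning window, or already expired, using openssl's `-checkend`, so the check can run from cron and ssl.sh can be run ahead of time. The certificate paths are placeholders; the thread does not say where the EcoSystem keeps its certificate.

```shell
#!/bin/sh
# Added example, not Cloudogu's code: classify PEM certificates as ok,
# expiring within a warning window, or already expired, so ssl.sh can be run
# before the dogus start failing rather than after. Paths are placeholders.

# cert_status CERT [WARN_DAYS] -> prints ok|expiring|expired|unreadable;
# exit status 0 only for ok (1 = needs action, 2 = not a readable certificate)
cert_status() {
    cert=$1; warn_days=${2:-30}
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || { echo unreadable; return 2; }
    # -checkend N exits 1 if notAfter falls within the next N seconds
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired; return 1
    fi
    if ! openssl x509 -in "$cert" -noout -checkend $(( warn_days * 86400 )) >/dev/null 2>&1; then
        echo expiring; return 1
    fi
    echo ok
}

# cert_not_after CERT -> the notAfter timestamp as openssl prints it
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate 2>/dev/null | sed 's/^notAfter=//'
}

# check_certs WARN_DAYS CERT... -> one status line per file; exit 1 if any needs action
check_certs() {
    warn=$1; shift; rc=0
    for c in "$@"; do
        s=$(cert_status "$c" "$warn") || rc=1
        printf '%-10s %s  notAfter=%s\n' "$s" "$c" "$(cert_not_after "$c")"
    done
    return $rc
}

# Usage from a daily cron job (path is a placeholder):
#   check_certs 30 /path/to/ecosystem/cert.pem || echo "run ssl.sh and restart" | mail -s "EcoSystem certificate" admin
```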

MPI A process or daemon was unable to complete a TCP connection

Open MPI: 4.0.1a
HostFile:
34bb0519eAAA
a2935f150BBB
I am on machine 34bb0519eAAA, and I can use ssh a2935f150BBB to connect to a2935f150BBB successfully. Likewise, ssh 34bb0519eAAA from machine a2935f150BBB connects to 34bb0519eAAA successfully.
But when I run the mpiexec command, I get this error message:
Warning: Permanently added '[XX.XX.XX.XX]:XX' (a2935f150BBB's IP address) to the list of known hosts.
--------------------------------------------------------------------------
A process or daemon was unable to complete a TCP connection
to another process:
Local host: a2935f150BBB
Remote host: 34bb0519eAAA
This is usually caused by a firewall on the remote host. Please
check that any firewall (e.g., iptables) has been disabled and
ORTE was unable to reliably start one or more daemons.
This usually is caused by:
* not finding the required libraries and/or binaries on
one or more nodes. Please check your PATH and LD_LIBRARY_PATH
settings, or configure OMPI with --enable-orterun-prefix-by-default
* lack of authority to execute on one or more specified nodes.
Please verify your allocation and authorities.
* the inability to write startup files into /tmp (--tmpdir/orte_tmpdir_base).
Please check with your sys admin to determine the correct location to use.
* compilation of the orted with dynamic libraries when static are required
(e.g., on Cray). Please check your configure cmd line and consider using
one of the contrib/platform definitions for your system type.
* an inability to create a connection back to mpirun due to a
lack of common network interfaces and/or no route found between
them. Please check network connectivity (including firewalls
and network routing requirements).
I am very confused by that, because I can ssh from each machine to the other successfully. How could it fail?
Here is the ssh connection:
ssh a2935f150BBB
Warning: Permanently added '[XX.XX.XX.XX]:XX' to the list of known hosts.
Welcome to Ubuntu 18.04.1 LTS (XXXXXXXXXXXXXXXXXX)
Documentation: https://help.ubuntu.com
Management: https://landscape.canonical.com
Support: https://ubuntu.com/advantage
This system has been minimized by removing packages and content that are
not required on a system that users do not log into.
To restore this content, you can run the 'unminimize' command.
Last login: XXXXXXXXXXXXX from XXXXXXXXXX
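A working ssh only proves that port 22 is reachable. mpirun starts an orted on each host over ssh, and those daemons, and later the processes' TCP transport, listen on ephemeral ports and connect back to mpirun, so a host firewall that only allows ssh produces exactly the "unable to complete a TCP connection" text above. The shell below is an added example, not part of the question or of Open MPI: it pins the runtime and transport ports to a known range, prints the matching firewall rule to apply on each host, and probes a port without needing nc on a minimised image. The MCA parameter names are Open MPI 4.x's (confirm them on the installed version with `ompi_info --param oob tcp --level 9` and `ompi_info --param btl tcp --level 9`); the port numbers and peer address are this example's assumptions.

```shell
#!/bin/sh
# Added example, not part of the question or of Open MPI: confine ORTE's
# out-of-band (oob) and the TCP BTL's listening ports to one range so a host
# firewall can allow exactly that range between the nodes. Parameter names are
# Open MPI 4.x's; port numbers and the peer address are assumptions.

# ompi_port_flags BASE COUNT -> mpiexec flags confining oob and BTL TCP ports to BASE..BASE+COUNT-1
ompi_port_flags() {
    base=$1; count=$2; last=$(( base + count - 1 ))
    flags="--mca oob_tcp_dynamic_ipv4_ports $base-$last"
    flags="$flags --mca btl_tcp_port_min_v4 $base --mca btl_tcp_port_range_v4 $count"
    printf '%s\n' "$flags"
}

# firewall_rule BASE COUNT PEER -> iptables rule accepting that range from PEER (printed, not applied)
firewall_rule() {
    last=$(( $1 + $2 - 1 ))
    printf 'iptables -A INPUT -p tcp -s %s --dport %s:%s -j ACCEPT\n' "$3" "$1" "$last"
}

# tcp_reachable HOST PORT -> 0 if a TCP connection to HOST:PORT completes within 2 seconds
# (uses bash's /dev/tcp so it works without nc or nmap on a minimised image)
tcp_reachable() {
    timeout 2 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Usage, with the other node's address as PEER on each host (rule needs root):
#   firewall_rule 10000 50 <peer-ip>
#   mpiexec $(ompi_port_flags 10000 50) --hostfile hostfile -np 2 ./a.out
# While a job hangs, tcp_reachable <node> <port-in-range> from the other node
# tells you whether the daemon's port is filtered or just not listening yet.
```

The rule must exist on both hosts (the message names a2935f150BBB as the local side and 34bb0519eAAA as the remote one, so the connection that failed was towards the machine you ran mpiexec on), and the range has to be open in any firewall between them as well, not only in iptables on the nodes.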

~/.ssh/id_rsa.pub not found error while installing capistrano as ansible playbook

I am trying to install https://github.com/roots/bedrock-ansible to get a Bedrock deployment (http://roots.io/wordpress-stack/) running.
When I run "vagrant up", after some time I get the error:
TASK: [capistrano-setup | Setup deploy group] *********************************
skipping: [default]
TASK: [capistrano-setup | Setup deploy user] **********************************
skipping: [default]
TASK: [capistrano-setup | Adding public key to server] ************************
fatal: [default] => could not locate file in lookup: ~/.ssh/id_rsa.pub
FATAL: all hosts have already failed -- aborting
PLAY RECAP ********************************************************************
to retry, use: --limit @/Users/johannes/site.retry
default : ok=46 changed=16 unreachable=1 failed=0
Ansible failed to complete successfully. Any error output should be
visible above. Please fix these errors and try again.
I do not have a clue how I can fix this. Do you have an idea?
It seems the role is trying to find your local public key. It should be in the location in the error message '~/.ssh/id_rsa.pub', but it's not. So either you don't have one, or you keep it in another location.
If you're not familiar with generating SSH keys you probably don't have one. I personally like the GitHub help page for this: https://help.github.com/articles/generating-ssh-keys/
(you only have to perform steps 1 and 2).
If you do have SSH keys, but in a different location, the capistrano-install role in bedrock uses some variables:
deploy_user: deploy
deploy_keys:
  - "~/.ssh/id_rsa.pub"
So you can set (multiple) public key files in the deploy_keys list and they will be added to the deploy_user's authorized keys.
All this is needed because Capistrano will use the deploy user to connect to the remote server later. http://blakesmith.me/2010/02/08/understanding-public-key-private-key-concepts.html
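The role only ever reads the public half of the key pair and appends it to the deploy user's authorized_keys; the private key stays on the workstation and is used by Capistrano when it later connects as that user. The shell below is an added example, not part of bedrock-ansible or of the answer: it looks for an existing public key, preferring a modern ed25519 key over the RSA default the role assumes, generates one only if nothing is there, and prints the deploy_user/deploy_keys override to put in group_vars so the lookup no longer points at a file that does not exist. The variable names are the role's; the search order and the suggested group_vars location are this example's assumptions.

```shell
#!/bin/sh
# Added example, not part of bedrock-ansible or the answer: find the public key
# the capistrano-setup role should install for the deploy user, generating an
# ed25519 key pair only when none exists, and print the group_vars override.
# deploy_user/deploy_keys are the role's variables; the search order and the
# output location are assumptions. Only the .pub file is ever referenced.

# find_pubkey [SSH_DIR] -> path of the first public key found, exit 1 if none
find_pubkey() {
    dir=${1:-$HOME/.ssh}
    for k in id_ed25519.pub id_ecdsa.pub id_rsa.pub; do
        if [ -s "$dir/$k" ]; then
            printf '%s\n' "$dir/$k"
            return 0
        fi
    done
    return 1
}

# ensure_pubkey [SSH_DIR] -> like find_pubkey, but creates an ed25519 pair first if none exists
ensure_pubkey() {
    dir=${1:-$HOME/.ssh}
    if ! find_pubkey "$dir"; then
        mkdir -p "$dir" && chmod 700 "$dir"
        # -N '' gives an unencrypted key; pass a passphrase here for a real deployment key
        ssh-keygen -q -t ed25519 -N '' -f "$dir/id_ed25519" -C "capistrano deploy key" >/dev/null
        printf '%s\n' "$dir/id_ed25519.pub"
    fi
}

# deploy_vars_yaml PUBKEY... -> YAML for group_vars (e.g. group_vars/all) overriding the role defaults
deploy_vars_yaml() {
    echo 'deploy_user: deploy'
    echo 'deploy_keys:'
    for k in "$@"; do
        printf '  - "%s"\n' "$k"
    done
}

# Usage:  deploy_vars_yaml "$(ensure_pubkey)" > group_vars/all_deploy.yml && vagrant provision
```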
