Posted to dev@whimsical.apache.org by Chris Lambertus <cm...@apache.org> on 2021/09/29 18:15:21 UTC

test LDAP instance downtime/updates

FYI,

In https://issues.apache.org/jira/browse/INFRA-22091 a test ldap instance was provided to the Whimsy project. This is a notification that Infra will be performing work on that host over the next few days. The system may be down and data may be unavailable during various operations. I will reply here when work is completed. You may continue using the service, but you may get timeouts or null results.

-Chris


Re: test LDAP instance downtime/updates

Posted by sebb <se...@gmail.com>.
On Tue, 19 Oct 2021 at 21:06, Chris Lambertus <cm...@apache.org> wrote:
>
>
>
> > On Oct 19, 2021, at 2:14 AM, sebb <se...@gmail.com> wrote:
> >
> > On Tue, 19 Oct 2021 at 05:23, Chris Lambertus <cm...@apache.org> wrote:
> >>
> >> It will not currently work on ASF hosts against idmtest without setting TLS_REQCERT=never because the puppet-based ldap.conf is configured to only use the existing self-signed CA cert:
> >>
> >>
> >>
> >> TLS_REQCERT=never ldapsearch -H ldaps://idmtest1-ec2-va.apache.org:636 -W -b "dc=apache,dc=org" -L -D "uid=cml,ou=people,dc=apache,dc=org" uid=cml
> >
> > Surely that should be LDAPTLS_REQCERT= ... ?
>
> Apparently so.
>
>
>
>
> >> What is the command line/bind DN you are specifying when you get the error 32?
>
> > # search result
> > No such object (32)
> >
> > # numResponses: 1
> >
> > I assume you have karma to log in to Whimsy so you could try it for yourself.
>
>
> I have, and it works, but I have additional (apldap) karma. I will look into this further, it is likely related to DSN access. I'll get back to you...
>
>
> Thanks for testing.

Don't you have a cml-test LDAP account?

> -C

Re: test LDAP instance downtime/updates

Posted by Chris Lambertus <cm...@apache.org>.

> On Oct 19, 2021, at 2:14 AM, sebb <se...@gmail.com> wrote:
> 
> On Tue, 19 Oct 2021 at 05:23, Chris Lambertus <cm...@apache.org> wrote:
>> 
>> It will not currently work on ASF hosts against idmtest without setting TLS_REQCERT=never because the puppet-based ldap.conf is configured to only use the existing self-signed CA cert:
>> 
>> 
>> 
>> TLS_REQCERT=never ldapsearch -H ldaps://idmtest1-ec2-va.apache.org:636 -W -b "dc=apache,dc=org" -L -D "uid=cml,ou=people,dc=apache,dc=org" uid=cml
> 
> Surely that should be LDAPTLS_REQCERT= ... ?

Apparently so.




>> What is the command line/bind DN you are specifying when you get the error 32?

> # search result
> No such object (32)
> 
> # numResponses: 1
> 
> I assume you have karma to log in to Whimsy so you could try it for yourself.


I have, and it works, but I have additional (apldap) karma. I will look into this further, it is likely related to DSN access. I'll get back to you... 


Thanks for testing.
-C







Re: test LDAP instance downtime/updates

Posted by sebb <se...@gmail.com>.
On Tue, 19 Oct 2021 at 05:23, Chris Lambertus <cm...@apache.org> wrote:
>
> It will not currently work on ASF hosts against idmtest without setting TLS_REQCERT=never because the puppet-based ldap.conf is configured to only use the existing self-signed CA cert:
>
>
>
> TLS_REQCERT=never ldapsearch -H ldaps://idmtest1-ec2-va.apache.org:636 -W -b "dc=apache,dc=org" -L -D "uid=cml,ou=people,dc=apache,dc=org" uid=cml

Surely that should be LDAPTLS_REQCERT= ... ?

>
> What is the command line/bind DN you are specifying when you get the error 32?

Just tried the following on Whimsy:

$ ldapsearch -H ldaps://idmtest1-ec2-va.apache.org:636 -W -b "dc=apache,dc=org" -L -D "uid=sebb,ou=people,dc=apache,dc=org" uid=sebb
Enter LDAP Password:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

$ TLS_REQCERT=never ldapsearch -H ldaps://idmtest1-ec2-va.apache.org:636 -W -b "dc=apache,dc=org" -L -D "uid=sebb,ou=people,dc=apache,dc=org" uid=sebb
Enter LDAP Password:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

$ LDAPTLS_REQCERT=never ldapsearch -H ldaps://idmtest1-ec2-va.apache.org:636 -W -b "dc=apache,dc=org" -L -D "uid=sebb,ou=people,dc=apache,dc=org" uid=sebb
Enter LDAP Password:
version: 1

#
# LDAPv3
# base <dc=apache,dc=org> with scope subtree
# filter: uid=*
# requesting: ALL
#

# search result
No such object (32)

# numResponses: 1

I assume you have karma to log in to Whimsy so you could try it for yourself.


Re: test LDAP instance downtime/updates

Posted by Chris Lambertus <cm...@apache.org>.
It will not currently work on ASF hosts against idmtest without setting TLS_REQCERT=never because the puppet-based ldap.conf is configured to only use the existing self-signed CA cert:



TLS_REQCERT=never ldapsearch -H ldaps://idmtest1-ec2-va.apache.org:636 -W -b "dc=apache,dc=org" -L -D "uid=cml,ou=people,dc=apache,dc=org" uid=cml


What is the command line/bind DN you are specifying when you get the error 32? 








Re: test LDAP instance downtime/updates

Posted by sebb <se...@gmail.com>.
On Thu, 7 Oct 2021 at 19:53, Chris Lambertus <cm...@apache.org> wrote:

> Authenticated bind example:
>
>
>
> $ ldapsearch -H ldaps://idmtest1-ec2-va.apache.org:636 -W -b "dc=apache,dc=org" -L -D "uid=cml,ou=people,dc=apache,dc=org" uid=cml
> Enter LDAP Password:
> version: 1
>
> #
> # LDAPv3
> # base <dc=apache,dc=org> with scope subtree
> # filter: uid=cml
> # requesting: ALL
> #
>
> # cml, people, apache.org
> dn: uid=cml,ou=people,dc=apache,dc=org
> [snip]
>
>
>
Does not work for me on the whimsy host:


ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)


Nor on my macOS system:

No such object (32)

(Yes, I did change the bind details)

If I enter an incorrect password on macOS, I get:

ldap_bind: Invalid credentials (49)

This shows the server has been contacted at least.
However using a bad password on Whimsy makes no difference.

> Any tooling relying on UN-authenticated bind will need to switch to using a
> role account. We're starting a process of locating and adjusting any of
> these use cases. There are also a number of cases where tools like
> 'ldapsearch' will use the nss_ldap bind account which is defined in
> /etc/ldap/ldap.conf, so sometimes it appears the tools work without
> passwords, but they are actually using the ldap.conf credentials.
>
> -Chris

Re: test LDAP instance downtime/updates

Posted by Chris Lambertus <cm...@apache.org>.
Authenticated bind example:



$ ldapsearch -H ldaps://idmtest1-ec2-va.apache.org:636 -W -b "dc=apache,dc=org" -L -D "uid=cml,ou=people,dc=apache,dc=org" uid=cml
Enter LDAP Password:
version: 1

#
# LDAPv3
# base <dc=apache,dc=org> with scope subtree
# filter: uid=cml
# requesting: ALL
#

# cml, people, apache.org
dn: uid=cml,ou=people,dc=apache,dc=org
[snip]


Any tooling relying on UN-authenticated bind will need to switch to using a role account. We're starting a process of locating and adjusting any of these use cases. There are also a number of cases where tools like 'ldapsearch' will use the nss_ldap bind account which is defined in /etc/ldap/ldap.conf, so sometimes it appears the tools work without passwords, but they are actually using the ldap.conf credentials.

-Chris
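
An added example, not part of the original thread or of ASF tooling: a shell audit of the two client-side behaviours discussed here, the LDAPTLS_REQCERT versus TLS_REQCERT naming and bind credentials stored in ldap.conf. The sample file, its host, DNs and paths are constructed placeholders, and treating binddn/bindpw lines as the nss_ldap bind account is an assumption based on the description above.

```shell
#!/bin/sh
# Added example: audit the OpenLDAP client settings discussed in this thread.

# Constructed sample, not the real ASF file; host, DNs and paths are placeholders.
write_sample_conf() {
    cat > "$1" <<'EOF'
URI         ldaps://ldap.example.org:636
BASE        dc=example,dc=org
TLS_CACERT  /etc/ldap/example-selfsigned-ca.pem
TLS_REQCERT demand
binddn      uid=nss-role,ou=services,dc=example,dc=org
bindpw      CONSTRUCTED-PLACEHOLDER
EOF
}

# Print where OPTION gets its value: "env:<v>", "file:<v>" or "default".
# ldap.conf(5): the environment form is the option name prefixed with LDAP,
# so TLS_REQCERT is read from LDAPTLS_REQCERT, not from a bare TLS_REQCERT.
effective_opt() (
    opt=$1 conf=$2
    # printenv sees only exported variables, which is what ldapsearch would see.
    val=$(printenv "LDAP$opt" 2>/dev/null || true)
    if [ -n "$val" ]; then echo "env:$val"; exit 0; fi
    # Keywords are case-insensitive; this sketch takes the last occurrence.
    val=$(awk -v o="$opt" 'toupper($1) == o { v = $2 } END { print v }' "$conf")
    if [ -n "$val" ]; then echo "file:$val"; else echo "default"; fi
)

# Report the findings for one client configuration file, one per line.
audit_ldap_client() (
    conf=$1
    req=$(effective_opt TLS_REQCERT "$conf")
    lvl=$(printf '%s' "${req#*:}" | tr '[:upper:]' '[:lower:]')
    case $lvl in
        never|allow)
            echo "WARN tls_reqcert=$req: server certificate is not enforced;" \
                 "prefer LDAPTLS_CACERT pointing at the test host's CA" ;;
        *)  echo "OK tls_reqcert=$req" ;;
    esac
    # A bare TLS_REQCERT variable looks like an override but has no effect.
    if [ -n "$(printenv TLS_REQCERT 2>/dev/null || true)" ]; then
        echo "NOTE env TLS_REQCERT is set but ignored; the honoured name is LDAPTLS_REQCERT"
    fi
    echo "INFO tls_cacert=$(effective_opt TLS_CACERT "$conf")"
    # Stored bind identity (assumption: nss_ldap-style binddn/bindpw lines):
    # tools can then appear to work without a password.
    if awk 'tolower($1) == "binddn" || tolower($1) == "bindpw" { f = 1 }
            END { exit !f }' "$conf"; then
        echo "NOTE stored bind credentials present in $conf"
    fi
)

# Demonstration on the constructed sample.
conf=$(mktemp)
write_sample_conf "$conf"
echo "== file settings only";    audit_ldap_client "$conf"
echo "== TLS_REQCERT=never";     ( export TLS_REQCERT=never; audit_ldap_client "$conf" )
echo "== LDAPTLS_REQCERT=never"; ( export LDAPTLS_REQCERT=never; audit_ldap_client "$conf" )
rm -f "$conf"
```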






Re: test LDAP instance downtime/updates

Posted by Matt Sicker <bo...@gmail.com>.
What authentication methods are supported now? I remember being unable to find an incantation of ldapsearch that could authenticate.

Matt Sicker


Re: test LDAP instance downtime/updates

Posted by Chris Lambertus <cm...@apache.org>.
Hi folks, just to let you know, my primary testing and implementation of replication between idmtest1-ec2-va and idmtest2-ec2-va is complete. The next stage in testing may be more disruptive -- the slapd.conf ACLs have been changed to prevent unauthenticated access to the LDAP directory.

If your project has the capability to test, I would be interested to know if Whimsy still functions properly with these security and privacy enhancements in place. There will be a more broad discussion on this topic brought to Infra lists once initial validation is complete.

Cheers,
Chris


