[Freeipa-users] Where has my LDAP server gone!

simon.williams at thehelpfulcat.com simon.williams at thehelpfulcat.com
Sun Apr 7 20:15:57 UTC 2013 

Sorry, I didn’t include much in the way of specifics did I?!  Before yum updated my IPA server from 2.2 to 3, FreeIPA provided (or appeared to provide) an instance of an LDAP server that was accessible locally on port 389.  The web applications I am concerned with is Atlassian Crowd, which I use to authenticate to Jira, Confluence, Bamboo and Fisheye on the local network and also Google Apps.  Crowd is on the same server as FreeIPA so as to allow me to keep port 389 behind the server’s firewall.  Crowd was configured to treat the LDAP server as a read only 389 DS server as experimentation showed that that worked, but I did not install or configure any LDAP software myself.  The LDAP server had been installed as part of the FreeIPA installation.


Crowd is failing since the update as there is no server listening on port 389.  It gets a ‘connection refused’ message.  Netstat confirms that there is no server listening on port 389 and also shows that there is nothing listening on port 636.  Prior to the upgrade, FreeIPA had been running with default settings, I had done nothing to reduce security.


Regards


Simon



From: Dmitri Pal
Sent: ‎Sunday‎, ‎7‎ ‎April‎ ‎2013 ‎20‎:‎20
To: freeipa-users at redhat.com

On 04/07/2013 05:44 AM, Simon Williams wrote: 

Hi

I ran a yum update on my CentOS 6 server that runs FreeIPA a couple of days ago and it upgraded FreeIPA to version 3. I use a couple of web applications that cannot use Kerberos, but can use LDAP to authenticate.  These stopped working. When I investigated the issue, I discovered that the LDAP server wasn't there any more. Google searches have proved fruitless and I can't find any documentation for v3. Can anyone tell me how to get my LDAP server back?

Regards

Simon


Hello Simon,

Can you please clarify:
Did you have an earlier version of the apps that used IPA via LDAP or you had a different LDAP instance and FreeIPA now took over the whole machine and you do not have access to those instances?
I assume you had 389 DS, right? Or OpenLDAP?

What is the general goal? Do you want to have the apps be able to access IPA data via LDAP or you want to be able to use different LDAP databases on the same machine?

If the apps you mention used to work against IPA and now they do not I would suggest checking the logs from those applications to see what is failing. It might be that they have been using an insecure way to authenticate and the upgraded bits enforce a higher security standard. If this is the case you either need to lower the authentication requirements on the server (not recommended) or provide a more secure way to authenticate from those apps (recommended).





_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130407/f60a3c14/attachment.htm>

More information about the Freeipa-users mailing list