Hi Jan,
I think I had similar problems.
My guess is that the client is trying to connect to the wrong port on
the wrong URI. Since enable_tls (StartTLS over port 389) is true, but
the URI is ldaps:// (SSL over port 636), the StartTLS request fails. The
client should try to connect to ldap://, or the variable ldap__start_tls
could be set to false.
SSL is flagged as deprecated in the debops documentation, but I remember
wondering why TLS is preferred when I read it.
Having now researched it for the last 10 minutes, I am still unsure. LDAPS
has been deprecated since 2000, but there seem to exist good reasons to
still force a wholly encrypted session by using LDAPS. See this blog post
and its comments:
https://averageguyx.blogspot.com/2019/04/ldaps-is-dead-long-live-ldaps.html
Hope that helped, and now to, ugh, sleep.
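To make the mismatch described above easy to spot before a playbook runs, here is a small added example (not DebOps or python-ldap code) that takes the three module arguments visible in the task output (server_uri, start_tls, validate_certs), works out what a python-ldap client would do with them, and flags the ldaps:// plus StartTLS combination together with the two consistent alternatives named in the reply. The host name is the one from the thread; the function names and the FAILING_ARGS sample are constructed for this example, and nothing here opens a network connection.

```python
"""Check an LDAP client configuration for the StartTLS / ldaps:// mismatch.

Added example, not code from DebOps or python-ldap. Inputs are the module
arguments shown in the Ansible output; nothing here touches the network.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Default ports registered for the two URI schemes python-ldap accepts.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


@dataclass
class ConnectionPlan:
    scheme: str
    host: str
    port: int
    use_start_tls: bool   # whether start_tls_s() would actually be issued
    encrypted: bool       # whether the bind would be protected by TLS
    problems: list = field(default_factory=list)


def plan_ldap_connection(server_uri: str, start_tls: bool,
                         validate_certs: bool = True) -> ConnectionPlan:
    """Derive what a python-ldap client would do for these arguments and
    list the configuration problems a reviewer should flag."""
    parts = urlsplit(server_uri)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported LDAP URI scheme: {parts.scheme!r}")
    host = parts.hostname or ""
    port = parts.port or DEFAULT_PORTS[scheme]
    problems = []

    # StartTLS is an extended operation negotiated on a cleartext ldap://
    # session. On ldaps:// the socket is already wrapped in TLS, so the
    # request cannot be negotiated and the client reports "Cannot start TLS".
    if scheme == "ldaps" and start_tls:
        problems.append(
            "start_tls=true with an ldaps:// URI: StartTLS cannot be "
            "negotiated on a socket that is already TLS; use ldap:// with "
            "start_tls=true, or keep ldaps:// and set start_tls=false")
    use_start_tls = start_tls and scheme == "ldap"
    encrypted = scheme == "ldaps" or use_start_tls

    if not encrypted:
        problems.append(
            "ldap:// without StartTLS: a simple bind would send the "
            "password in cleartext")
    if encrypted and not validate_certs:
        problems.append(
            "validate_certs=false: the server certificate is not checked, "
            "so the TLS session does not authenticate the server")
    return ConnectionPlan(scheme, host, port, use_start_tls, encrypted, problems)


def suggest_fixes(server_uri: str, start_tls: bool) -> list:
    """Return the (server_uri, start_tls) pairs for the same host that are
    both consistent and encrypted: the two options named in the reply.
    An explicit port in the input is dropped so the scheme default applies."""
    host = urlsplit(server_uri).hostname or ""
    candidates = [
        (f"ldap://{host}", True),    # StartTLS on the cleartext port 389
        (f"ldaps://{host}", False),  # TLS from the first byte on port 636
    ]
    return [c for c in candidates
            if not plan_ldap_connection(c[0], c[1]).problems]


# Constructed sample mirroring the module_args in the failing task output.
FAILING_ARGS = {
    "server_uri": "ldaps://test-ldap.test.example.de",
    "start_tls": True,
    "validate_certs": True,
}

if __name__ == "__main__":
    plan = plan_ldap_connection(**FAILING_ARGS)
    print(f"{plan.scheme}://{plan.host}:{plan.port} "
          f"start_tls={plan.use_start_tls} encrypted={plan.encrypted}")
    for problem in plan.problems:
        print("problem:", problem)
    for uri, stls in suggest_fixes(FAILING_ARGS["server_uri"],
                                   FAILING_ARGS["start_tls"]):
        print(f"fix: server_uri={uri} start_tls={stls}")
```

Run it as-is to see the failing combination reported, or call plan_ldap_connection() with the values from your own inventory; an empty problems list means the URI scheme, port and StartTLS flag agree and the bind is protected.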
On 31.03.21 01:28, Jan Kowalsky wrote:
> Hi all,
>
> since my first test with the debops_service_slapd role and an slapd
> server worked at a first glance I now run into an error:
>
> My proceeding was like:
>
> Set up an slapd server with
>
> debops bootstrap -l test-ldap.test.example.de
>
> (-> put host in group debops_service_slapd)
>
> debops -l test-ldap.test.example.de
>
> slapd server is up and running and I can connect with SSL and the
> cn=admin user via ldapsearch.
>
> next step was:
>
> debops ldap/init-directory -l test-ldap.test.example.de -vvv
>
> and now I get:
>
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> task path:
> /usr/local/share/debops/debops/ansible/roles/ldap/tasks/ldap_tasks.yml:6
> The full traceback is:
> Traceback (most recent call last):
> File "/tmp/ansible_ldap_entry_payload_ks3b4tbf/ansible_ldap_entry_payload.zip/ansible/module_utils/ldap.py",
> line 66, in _connect_to_ldap
> connection.start_tls_s()
> File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 864, in
> start_tls_s
> return self._ldap_call(self._l.start_tls_s)
> File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 329, in
> _ldap_call
> reraise(exc_type, exc_value, exc_traceback)
> File "/usr/lib/python3/dist-packages/ldap/compat.py", line 44, in reraise
> raise exc_value
> File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 313, in
> _ldap_call
> result = func(*args,**kwargs)
> ldap.SERVER_DOWN: {'desc': "Can't contact LDAP server", 'errno': 22,
> 'info': 'Invalid argument'}
> fatal: [test-ldap.test.example.de -> localhost]: FAILED! => changed=false
> details: '{''desc'': "Can''t contact LDAP server", ''errno'': 22,
> ''info'': ''Invalid argument''}'
> invocation:
>   module_args:
>     attributes: {}
>     bind_dn: cn=admin,dc=test,dc=example,dc=de
>     bind_pw: VALUE_SPECIFIED_IN_NO_LOG_PARAMETER
>     dn: cn=admin,dc=test,dc=example,dc=de
>     objectClass: null
>     params: null
>     server_uri: ldaps://test-ldap.test.example.de
>     start_tls: true
>     state: absent
>     validate_certs: true
> msg: Cannot start TLS.
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> The error message sounds like there is a problem with TLS. But ldapsearch
> with TLS seems to work and the PKI looks fine.
>
> Any idea?
>
> Kind regards
> Jan