Hi Jan, I think I had similar problems My guess is that the client is trying to connect to the wrong port on the wrong uri. Since enable_tls (StartTLS over port 389) is true, but the uri is ldaps:// (SSL over port 636), the StartTLS request fails. The client should try to connect to ldap:// or the variable ldap__start_tls could be set to false. SSL is flagged as deprecated in the debops documentation, but I remember wondering why TLS is preferred when I read it. Having now researched it the last 10 Minutes I am still unsure. LDAPS has been deprecated since 2000 but there seem to exist good reasons to still force a wholly encrypted session by using LDAPS. See this blogpost and comments: https://averageguyx.blogspot.com/2019/04/ldaps-is-dead-long-live-ldaps.html Hope that helped and now to, ugh, sleep. On 31.03.21 01:28, Jan Kowalsky wrote: > Hi all, > > since my first test with the debops_service_slapd role and an slapd > server worked at a first glance I now run into an error: > > My proceeding was like: > > Set up an slapd server with > > debops bootstrap -l test-ldap.test.example.de > > (-> put host in group debops_service_slapd) > > debops -l test-ldap.test.example.de > > slapd server is up and running and i can connect with ssl and the > cn=admin user via ldapsearch. > > next step was: > > debops ldap/init-directory -l test-ldap.test.example.de -vvv > > and now I get: > > > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > > task path: > /usr/local/share/debops/debops/ansible/roles/ldap/tasks/ldap_tasks.yml:6 > The full traceback is: > Traceback (most recent call last): > File > "/tmp/ansible_ldap_entry_payload_ks3b4tbf/ansible_ldap_entry_payload.zip/ansible/module_utils/ldap.py", > line 66, in _connect_to_ldap > connection.start_tls_s() > File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 864, in > start_tls_s > return self._ldap_call(self._l.start_tls_s) > File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 329, in > _ldap_call > reraise(exc_type, exc_value, exc_traceback) > File "/usr/lib/python3/dist-packages/ldap/compat.py", line 44, in reraise > raise exc_value > File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 313, in > _ldap_call > result = func(*args,**kwargs) > ldap.SERVER_DOWN: {'desc': "Can't contact LDAP server", 'errno': 22, > 'info': 'Invalid argument'} > fatal: [test-ldap.test.example.de -> localhost]: FAILED! => changed=false > details: '{''desc'': "Can''t contact LDAP server", ''errno'': 22, > ''info'': ''Invalid argument''}' > invocation: > module_args: > attributes: {} > bind_dn: cn=admin,dc=test,dc=example,dc=de > bind_pw: VALUE_SPECIFIED_IN_NO_LOG_PARAMETER > dn: cn=admin,dc=test,dc=example,dc=de > objectClass: null > params: null > server_uri: ldaps://test-ldap.test.example.de > start_tls: true > state: absent > validate_certs: true > msg: Cannot start TLS. > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > > Error messages sounds like there is a problem with tls. But ldapsearch > with TLS seems to work and pki looks fine. > > Any idea? > > Kind regards > Jan

Hi Maciej, thanks for answer. Am Mittwoch, den 31.03.2021, 09:28 +0200 schrieb Maciej Delmanowski: yes, the ldapsearch command I tested on the remote host. I understand. You are right. Since we use an ansible controller for multiple debops projects the ca's from the several projects weren't included in the ca-certificates of the controller. No, since this isn't easy because the target ldap server is only reachable through ssh proxy jump and is not directly accessible. Ok, I did. But this wasn't enough. So my understanding now is that the ldap commands are executed directly from the controller - so the ldap port has to be open and routing has to work. I just brought the target ldap server into the local network and it worked. Since (most of? all?) other roles just rely on remote ssh connections I didn't think about this possibility. Is there any reason why the ldap statements are not executed remote? And is there any possiblity to change this behaviour? As long as I understand the ldap server (and all other hosts in the network?) have to be reachable from the ansible controller for all ldap based operations. This is in fact a limitation for our purposes. Is someone have any ideas ... Thanks and regards Jan

Am Mittwoch, den 31.03.2021, 13:41 +0200 schrieb Maciej Delmanowski: this works perfectly. I just can take the ldap server itselfs. but the creds of the ansible user are still stored in pass and they are only tranfered temporarily to the controller for this operation. Aren't they? What I don't understand: with which credentials the ansible controller then connects to the slapd server? We have this task: TASK [ldap : Remove the default cn=admin object] this removes the cn=admin,dc=example,dc=org object from DIT. But I can still connect with the cn=admin user? And debops tasks are executed also with this user. Let's say: I begin to understand more and more. What I don't understand: what is the idea to administer accounts in ldap directory with debops? I found the ldap__tasks but don't do anything, e.g.: ldap__host_tasks:   - name: 'create test user'     #dn: 'uid=dtuser,ou=People,dc=example,dc=org'     dn: '{{ [ "uid=" + "dtuser", ldap__people_rdn ] + ldap__base_dn }}'     objectClass: [ 'inetOrgPerson' ]     attributes:       cn: 'Debops Test User'       sn: 'User'       givenName: 'Debops'       uid: 'dtuser'       userPassword: 'secret' What do I have to do to perform this in debops? Or isn't this the idea behind ldap__tasks? Can we use this for just adding entries to the directory without enable ldap (ldap__enabled: False). Actually my plan is to use fusiondirectory for handling posix and samba3 (nt-style) accounts. I found https://github.com/debops/debops/is sues/1341 - and I get fusiondirectory basically working. But I get error on inserting posix users with  "Constraint violation (some attributes not unique, ". Maybe because https://bugs.openldap.org /show_bug.cgi?id=6825 The same problem occurs when I just try to add a posix user with gidNumber and a group with same gidNumber manually via ldifs. Did you ever got errors like this? Cheers Jan

Hi Maciej, this I got. fusiondirectory has this rfc2307bis schema on board and I worked earlier with this in 389-ds. Here began the problem in interaction with fusiondirectory and I think I understood now why: The User Private Groups are implemented in debops in a very special way I think. (I don't know how common it is - I haven't found much about. It seems quite clever because you only need one object - but I think it restricts interoperability with other tools. FusionDirectory creates two objects for User Private Groups: one in ou=People and one in ou=Groups, eg: uid=tuser,ou=people,dc=example,dc=org cname=tuser,ou=groups,dc=example,dc=org but both with gidNumber set to the same value. This clashs with the /etc/ldap/slapd.d/cn=config/olcDatabase={1}mdb/olcOverlay={2}unique.ldi f So I configured: slapd__tasks:   - name: 'Configure Unique overlay in the main database'     dn: 'olcOverlay={2}unique,olcDatabase={1}mdb,cn=config'     attributes:       olcUniqueURI:         #  - 'ldap:///{{ slapd__basedn }}?uidNumber?sub'         #  - 'ldap:///{{ slapd__basedn }}?gidNumber?sub'         - 'ldap:///{{ slapd__basedn }}?mail?sub'         - 'ldap:///{{ slapd__basedn }}?mailAddress,mailAlternateAddress?sub'         - 'ldap:///ou=People,{{ slapd__basedn }}?employeeNumber?sub'         - 'ldap:///ou=People,{{ slapd__basedn }}?uid?sub'         - 'ldap:///ou=People,{{ slapd__basedn }}?gid?sub'     state: 'exact' (omitted the ldap:///{{ slapd__basedn }}?gidNumber?sub) and now I can add Users with Private User Groups in fusiondirectory. They are stored in two objects anyway. But I think this is standard in many environments. Isn't it? Probably it would be enough to use       olcUniqueURI:           - 'ldap:///ou=People,{{ slapd__basedn }}?uidNumber?sub'           - 'ldap:///ou=groups,{{ slapd__basedn }}?gidNumber?sub' Because we only need same gidNumber in People/Groups once. What's interesting: fusiondirectory understands the objects written with debops. The default user is shown as posix user and also on editing everything is stored in one ldap object. My task is to use openldap and fusiondirectory for an "old style" samba directory with posix and samba users. This is in my opinion still the easiest way for mixed environments with mainly linux desktop clients and central file storage + home on network when we do not need any domain logon with Windows clients. I wanted to try to map as much as I can with debops. But we need a grafical user interface for ldap admin tasks for the local administration inside the organisations. Cheers Jan

Am Dienstag, den 06.04.2021, 23:44 +0200 schrieb Maciej Delmanowski: Where would be the right place to do? Is there any "howto" section in debops documentation? Yes, I know, this sounds a little bit weird ;-) Because we think a lot about this at the moment I gonna share our thoughts. Maybe other people have comments. Well, I have to admit that my experiences with kerberos are very little. My first ldap environment was 389-ds (and it's still our standard because wie use central kolab groupware) which lacks the kerberos password overlay openldap has. So the alternative had been freepa. But this was hard to integrate. For many small environment NFS and kerberos is overkill in my opinion. We've had some ltsp installations with sshfs. We also used this with fat clients. It's secure but leads to some expected issues with destop environments because of hardlink bugs... So we have actually the choice in network filesystems: sshfs: not all filesystem features are supported nfs: unsafe without kerberos and quite complex with. nfs+kerberos: secure but complex. Another drawback (but maybe I'm wrong): we can't use it for statically mounted filesystem without user interaction because only users have tickets and not machines. samba: It works, has at least an authentication layer and we need it anyway for cross-plattform support / BYOD. So we only have to configure ONE network filesystems. It works surprisingly well - even for /home over network. A big drawback: we need unix extentions for user homes - but this is only possible with samba vers=1.0 (https://lists.samba.org/ archive/samba/2017-October/211517.html). All in all network filesystem situation for linux is everything else then satisfactory. Cheers Jan

ok, you describe it here: https://docs.debops.org/en/master/ansible/rol es/slapd/ldap-schema.html#the-posixgroupid-schema - I should have read it more carefully ;-)