Seems straightforward enough but I keep getting errors. On a client...

err: Could not retrieve catalog from remote server: Error 400 on SERVER: Failed when searching for node ubuntu5.ttinet: LDAP Search failed

on the puppet master... puppet.conf

[master]
# ENC (external node classifications)
node_terminus = ldap
ldapnodes = true
ldapclassattrs = puppetclass
# LDAP
ldapserver = ubuntu.ttinet
ldapbase = ou=Hosts,dc=ttinet,dc=local
ldapuser = cn=admin,dc=ttinet,dc=local
ldappasswd = XXXXXXXXXXXX
ldapstring = (&(objectclass=puppetClient)(cn=%s))
ldaptls = false
ldapssl = false
ldapport = 389

and this is a piece of cake from CLI

# ldapsearch -x '(&(objectclass=puppetClient)(cn=ubuntu5.ttinet))'
# extended LDIF
#
# LDAPv3
# base <dc=ttinet,dc=local> (default) with scope subtree
# filter: (&(objectclass=puppetClient)(cn=ubuntu5.ttinet))
# requesting: ALL
#

# ubuntu5.ttinet, Hosts, ttinet.local
dn: cn=ubuntu5.ttinet,ou=Hosts,dc=ttinet,dc=local
objectClass: device
objectClass: top
objectClass: puppetClient
objectClass: ipHost
ipHostNumber: 10.1.1.13
environment: production
cn: ubuntu.ttinet
cn: ubuntu5.ttinet
puppetClass: baseclass
puppetClass: nginx::configure: {$fqdn}
puppetClass: nginx::vhost: {$fqdn: port => 80, ssl => false, priority => 10, p
 assenger_enable => 'Yes', serveraliases => ['alias1', 'alias2']}

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

puppet 2.6.8

# ruby -rldap -e "puts :installed"
installed

ruby-ldap-ro is installed

-- 
Craig White
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
craig.white@ttiltd.com
1.800.869.6908
~~~~~~~~~~~~~~~~~~~~~~~~~~~
www.ttiassessments.com
Need help communicating between generations at work to achieve your desired success? Let us help!

-- 
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
On Jul 14, 2011, at 1:16 PM, Craig White wrote:

> Seems straightforward enough but I keep getting errors. On a client...
>
> err: Could not retrieve catalog from remote server: Error 400 on SERVER: Failed when searching for node ubuntu5.ttinet: LDAP Search failed

Have you looked at the logs on the LDAP server to see if the connection is being made and what the results are?

-- 
Rob McBroom <http://www.skurfer.com/>
On Jul 14, 2011, at 11:16 AM, Rob McBroom wrote:

> On Jul 14, 2011, at 1:16 PM, Craig White wrote:
>
>> Seems straightforward enough but I keep getting errors. On a client...
>>
>> err: Could not retrieve catalog from remote server: Error 400 on SERVER: Failed when searching for node ubuntu5.ttinet: LDAP Search failed
>
> Have you looked at the logs on the LDAP server to see if the connection is being made and what the results are?

----
doesn't appear to actually do anything other than bind - I don't see the results of any search operation when I run slapd trace level (-d 1)

slap_listener_activate(7):
>>> slap_listener(ldap:///)
connection_get(18): got connid=1000
connection_read(18): checking for input on id=1000
ber_get_next
ber_get_next: tag 0x30 len 39 contents:
op tag 0x60, time 1310668120
ber_get_next
conn=1000 op=0 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
>>> dnPrettyNormal: <cn=admin,dc=ttinet,dc=local>
<<< dnPrettyNormal: <cn=admin,dc=ttinet,dc=local>, <cn=admin,dc=ttinet,dc=local>
do_bind: version=3 dn="cn=admin,dc=ttinet,dc=local" method=128
send_ldap_result: conn=1000 op=0 p=3
send_ldap_response: msgid=1 tag=97 err=53
ber_flush2: 67 bytes to sd 18
do_bind: v3 anonymous bind
slap_listener_activate(7):
>>> slap_listener(ldap:///)
connection_get(19): got connid=1001
connection_read(19): checking for input on id=1001
ber_get_next
ber_get_next: tag 0x30 len 39 contents:
op tag 0x60, time 1310668120
ber_get_next
conn=1001 op=0 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
>>> dnPrettyNormal: <cn=admin,dc=ttinet,dc=local>
<<< dnPrettyNormal: <cn=admin,dc=ttinet,dc=local>, <cn=admin,dc=ttinet,dc=local>
do_bind: version=3 dn="cn=admin,dc=ttinet,dc=local" method=128
send_ldap_result: conn=1001 op=0 p=3
send_ldap_response: msgid=1 tag=97 err=53
ber_flush2: 67 bytes to sd 19
do_bind: v3 anonymous bind
^Cdaemon: shutdown requested and initiated.
connection_close: conn=1000 sd=18
connection_close: conn=1001 sd=19

and running slapd at -d 32 (filters) dead silence after startup and issuing command from a client ;-(

This may have something to do with it... Puppet documentation on LDAP ENC says

ruby -rldap -e 'puts :installed'

If this returns installed then you can try:

ruby -rpuppet -e 'p Puppet.features.ldap?'

but the second fails - perhaps because I am using puppet 2.6.8 installed from gem.

ruby: no such file to load -- puppet (LoadError)

# gem list --local | grep -e "activeldap" -e "ruby-ldap"
activeldap (3.1.0)
ruby-ldap (0.9.11)

Craig
On Jul 14, 2011, at 2:41 PM, Craig White wrote:

> doesn't appear to actually do anything other than bind - I don't see the results of any search operation when I run slapd trace level (-d 1)

It’s reporting error 53 when you bind, which is “unwilling to perform”. I think the only time I’ve seen that is using proxy authorization for chained updates (which are already proxied). But that wouldn’t explain this. It could be something with the access rules. For instance, my server won’t accept simple authentication unless TLS or SSL are used (but I had to explicitly configure that). Are you able to bind with that user from the command line?

Or another approach: It looks like you were able to get the details for that host anonymously on the command-line. Is there any reason you want Puppet to authenticate when searching?

-- 
Rob McBroom <http://www.skurfer.com/>
On Jul 14, 2011, at 12:32 PM, Rob McBroom wrote:

> On Jul 14, 2011, at 2:41 PM, Craig White wrote:
>
>> doesn't appear to actually do anything other than bind - I don't see the results of any search operation when I run slapd trace level (-d 1)
>
> It’s reporting error 53 when you bind, which is “unwilling to perform”. I think the only time I’ve seen that is using proxy authorization for chained updates (which are already proxied). But that wouldn’t explain this. It could be something with the access rules. For instance, my server won’t accept simple authentication unless TLS or SSL are used (but I had to explicitly configure that). Are you able to bind with that user from the command line?
>
> Or another approach: It looks like you were able to get the details for that host anonymously on the command-line. Is there any reason you want Puppet to authenticate when searching?

----
Yes, I allow an anonymous bind to read from there but my ultimate plan is to try to get foreman to write configurations there which is why I need to bind as a user - which does work from CLI (obviously I can't use %s as in the filter)

# ldapsearch -x '(&(objectclass=puppetClient)(cn=ubuntu5.ttinet))' -D 'cn=admin,dc=ttinet,dc=local' -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=ttinet,dc=local> (default) with scope subtree
# filter: (&(objectclass=puppetClient)(cn=ubuntu5.ttinet))
# requesting: ALL
#

# ubuntu5.ttinet, Hosts, ttinet.local
dn: cn=ubuntu5.ttinet,ou=Hosts,dc=ttinet,dc=local
objectClass: device
objectClass: top
objectClass: puppetClient
objectClass: ipHost
ipHostNumber: 10.1.1.13
environment: production
cn: ubuntu.ttinet
cn: ubuntu5.ttinet
puppetClass: baseclass
puppetClass: nginx::configure: {$fqdn}
puppetClass: nginx::vhost: {$fqdn: port => 80, ssl => false, priority => 10, p
 assenger_enable => 'Yes', serveraliases => ['alias1', 'alias2']}

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

same user/password as I have configured in puppet.conf

It does happen to work if I comment out the username & password

It doesn't work even if I use rootbinddn and rootbinddn password ;-(

Craig
On Jul 14, 2011, at 4:01 PM, Craig White wrote:

> same user/password as I have configured in puppet.conf
>
> It does happen to work if I comment out the username & password
>
> It doesn't work even if I use rootbinddn and rootbinddn password

Well, then it’s probably a bug in Puppet or (more likely) Ruby. At this point, I’d probably start looking at or writing some Ruby stuff to test it outside of Puppet. Maybe someone else has a better idea.

-- 
Rob McBroom <http://www.skurfer.com/>
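Taking up Rob's suggestion to test outside Puppet, here is an added Ruby diagnostic (not code from the thread, from Puppet or from OpenLDAP) that reads slapd -d 1 trace lines like the ones Craig posted and recovers, from the BER length of each simple BindRequest, how many credential bytes the client actually sent. The embedded trace is constructed from the thread's conn=1000 bind, and the result-code names are the RFC 4511 ones.

```ruby
# Added diagnostic, not code from the thread: how many credential bytes each simple bind in a slapd -d 1 trace carried.
def ber_len_size(n) # bytes of a BER length field for content length n
  n < 128 ? 1 : 1 + (n.bit_length + 7) / 8
end

# Content length of LDAPMessage { messageID, BindRequest { version, name, [0] cred } }.
def bind_message_len(dn, cred_len, msgid = 1)
  msgid_tlv = 2 + msgid.bit_length / 8 + 1                # 02 len value
  name_tlv  = 1 + ber_len_size(dn.bytesize) + dn.bytesize  # 04 len dn
  cred_tlv  = 1 + ber_len_size(cred_len) + cred_len        # 80 len password
  bind_body = 3 + name_tlv + cred_tlv                      # version is 02 01 03
  msgid_tlv + 1 + ber_len_size(bind_body) + bind_body      # 60 len body
end

def implied_cred_len(msg_len, dn, msgid = 1) # invert bind_message_len for "tag 0x30 len N"
  (0..msg_len).find { |n| bind_message_len(dn, n, msgid) == msg_len }
end
LDAP_RESULT = { 0 => "success", 49 => "invalidCredentials", 53 => "unwillingToPerform" }.freeze
def verdict(b)
  return "not a measurable simple bind" unless b[:cred_len]
  return "anonymous bind" if b[:dn].empty?
  b[:cred_len].zero? ? "unauthenticated bind: DN sent with an empty password" : "#{b[:cred_len]} credential bytes sent"
end

# Correlate ber_get_next / do_bind / send_ldap_response lines into one finding per bind.
def analyze_trace(text)
  findings, pending_len, bind = [], nil, nil
  text.each_line do |line|
    case line
    when /ber_get_next: tag 0x30 len (\d+)/ then pending_len = $1.to_i
    when /do_bind: version=\d dn="([^"]*)" method=(\d+)/
      bind = { dn: $1, method: $2.to_i, msg_len: pending_len }
    when /send_ldap_response: msgid=(\d+) tag=97 err=(\d+)/   # tag 97 = BindResponse
      next unless bind
      msgid, bind[:err] = $1.to_i, $2.to_i
      bind[:result] = LDAP_RESULT.fetch(bind[:err]) { |c| "code #{c}" }
      bind[:cred_len] = implied_cred_len(bind[:msg_len], bind[:dn], msgid) if bind[:msg_len] && bind[:method] == 128 # 128 = simple bind
      findings << bind.merge(verdict: verdict(bind))
      bind = pending_len = nil
    end
  end
  findings
end

# Constructed sample: the conn=1000 bind from the thread's trace, one event per line.
SAMPLE_TRACE = <<~TRACE
  ber_get_next: tag 0x30 len 39 contents:
  do_bind: version=3 dn="cn=admin,dc=ttinet,dc=local" method=128
  send_ldap_response: msgid=1 tag=97 err=53
TRACE
```

For the 27-byte DN cn=admin,dc=ttinet,dc=local, a 39-byte LDAPMessage leaves exactly zero bytes for the password, so the master was sending a DN with no credential, which slapd refuses with err=53 unless unauthenticated binds are explicitly allowed. That points at the master never picking up the configured password rather than at the LDAP access rules, so the next check is whether the password setting in puppet.conf is actually being read.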