require ssl/tls only for binding as user
by Johannes Woerner
Hi,
I'm evaluating migrating an openldap installation to
389 directory server (ca 1200 user objects).
With openldap I can restrict client authentication to ssl/tls ldap
connections and in parallel allow anonymous (unencrypted) access to items like phone number etc.
(slapd.conf with: "security simple_bind=56")
Is there a way you can do this with 389 directory server?
Regards
Johannes
14 years, 2 months
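The knob 389 Directory Server has for exactly this split is the cn=config attribute nsslapd-require-secure-binds. With it set to on, a simple bind that carries a password is refused unless the connection is TLS (LDAPS or StartTLS), while anonymous binds and anonymous searches on port 389 keep working, which is the behaviour the OpenLDAP line above gives. The LDIF below is an added example, not something from this thread or from the 389 project's own documentation; it assumes LDAPS is already configured on the server and that the installed 389-ds-base release has this attribute (confirm with an anonymous or Directory Manager search of cn=config for nsslapd-require-secure-binds before relying on it).

```ldif
# Added example (not from the thread): refuse password-bearing simple binds
# on cleartext connections, but leave anonymous access on port 389 alone.
# Default is off, i.e. a password sent to port 389 is accepted in the clear.
# OpenLDAP equivalent in slapd.conf:  security simple_bind=56
dn: cn=config
changetype: modify
replace: nsslapd-require-secure-binds
nsslapd-require-secure-binds: on
```

Apply it with ldapmodify as Directory Manager over LDAPS, then verify both halves: an anonymous `ldapsearch -x -H ldap://host -b "ou=People,..." telephoneNumber` must still return data, an authenticated `ldapsearch -x -H ldap://host -D "uid=someone,..." -W` must be refused, and the same authenticated search over `ldaps://` (or with `-ZZ` for StartTLS) must succeed. Note what this does not cover: it only governs simple binds with a password; SASL binds are unaffected, and the stricter nsslapd-minssf would instead reject every cleartext operation, including the anonymous lookups Johannes wants to keep.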
replication agreement accounts syncing but not passwords
by Jeff Gamsby
Recently upgraded to Windows Server 2008. Passwords sync from AD -> FDS fine. Accounts sync fine but passwords do not. I see this in the logs. Any ideas? This log entry is an attempted password change from the FDS console. As an aside, how do I delete a replica ID?
Thanks
[10/Jan/2010:10:11:24 -0800] - _csngen_adjust_local_time: gen state before 4b4a184a0001:1263147082:0:0
[10/Jan/2010:10:11:24 -0800] - _csngen_adjust_local_time: gen state after 4b4a184c0000:1263147084:0:0
[10/Jan/2010:10:11:24 -0800] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4b4a184c000000010000 into pending list
[10/Jan/2010:10:11:24 -0800] NSMMReplicationPlugin - Purged state information from entry uid=lxwang,ou=People,dc=as,dc=com up to CSN 4b40d7c2000200010000
[10/Jan/2010:10:11:24 -0800] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4b4a184c000100010000 into pending list
[10/Jan/2010:10:11:24 -0800] NSMMReplicationPlugin - Purged state information from entry uid=lxwang,ou=People,dc=as,dc=com up to CSN 4b40d7c2000200010000
[10/Jan/2010:10:11:24 -0800] NSMMReplicationPlugin - changelog program - _cl5GetDBFileByReplicaName: found DB object 2aaaac067900 for database 14c30202-fd5711de-9bff8d99-1ae18e2c_4b15edaa000000010000.db4
[10/Jan/2010:10:11:24 -0800] NSMMReplicationPlugin - changelog program - _cl5GetDBFileByReplicaName: found DB object 2aaaac067900 for database 14c30202-fd5711de-9bff8d99-1ae18e2c_4b15edaa000000010000.db4
[10/Jan/2010:10:11:24 -0800] NSMMReplicationPlugin - ruv_update_ruv: successfully committed csn 4b4a184c000100010000
[10/Jan/2010:10:11:24 -0800] NSMMReplicationPlugin - agmt="cn=AD2 sync" (ad2:636): State: wait_for_changes -> wait_for_changes
[10/Jan/2010:10:11:24 -0800] NSMMReplicationPlugin - changelog program - _cl5GetDBFileByReplicaName: found DB object 2aaaac067900 for database 14c30202-fd5711de-9bff8d99-1ae18e2c_4b15edaa000000010000.db4
[10/Jan/2010:10:11:24 -0800] NSMMReplicationPlugin - agmt="cn=AD2 sync" (ad2:636): State: wait_for_changes -> ready_to_acquire_replica
[10/Jan/2010:10:11:24 -0800] NSMMReplicationPlugin - changelog program - _cl5GetDBFileByReplicaName: found DB object 2aaaac067900 for database 14c30202-fd5711de-9bff8d99-1ae18e2c_4b15edaa000000010000.db4
[10/Jan/2010:10:11:24 -0800] - acquire_replica, supplier RUV:
[10/Jan/2010:10:11:24 -0800] NSMMReplicationPlugin - ruv_update_ruv: successfully committed csn 4b4a184c000000010000
[10/Jan/2010:10:11:24 -0800] NSMMReplicationPlugin - supplier: {replicageneration} 4b15edaa000000010000
[10/Jan/2010:10:11:24 -0800] NSMMReplicationPlugin - supplier: {replica 1 ldap://as.com:389} 4b16a4c1000300010000 4b4a184c000100010000 4b4a184c
[10/Jan/2010:10:11:24 -0800] NSMMReplicationPlugin - supplier: {replica 10 ldap://as.com:389} 4b48dbe70000000a0000 4b48dbe80008000a0000 00000000
[10/Jan/2010:10:11:24 -0800] - acquire_replica, consumer RUV:
[10/Jan/2010:10:11:24 -0800] NSMMReplicationPlugin - consumer: {replicageneration} 4b15edaa000000010000
[10/Jan/2010:10:11:24 -0800] NSMMReplicationPlugin - consumer: {replica 1 ldap://as.com:389} 4b16a4c1000300010000 4b4a1242000200010000 4b4a1242
[10/Jan/2010:10:11:24 -0800] NSMMReplicationPlugin - consumer: {replica 10 ldap://as.com:389} 4b48dbe70000000a0000 4b48dbe80008000a0000 00000000
[10/Jan/2010:10:11:24 -0800] - acquire_replica, supplier RUV is newer
[10/Jan/2010:10:11:24 -0800] NSMMReplicationPlugin - agmt="cn=AD2 sync" (ad2:636): Trying secure slapi_ldap_init_ext
[10/Jan/2010:10:11:24 -0800] NSMMReplicationPlugin - agmt="cn=AD2 sync" (ad2:636): binddn = cn=Administrator,cn=Users,dc=as,dc=com, passwd = {DES}ZtDcdM63AQ==
[10/Jan/2010:10:11:24 -0800] - windows_conn_connect : detected Win2k3 peer
[10/Jan/2010:10:11:24 -0800] NSMMReplicationPlugin - agmt="cn=AD2 sync" (ad2:636): No linger to cancel on the connection
[10/Jan/2010:10:11:24 -0800] NSMMReplicationPlugin - windows_acquire_replica returned success (101)
[10/Jan/2010:10:11:24 -0800] NSMMReplicationPlugin - agmt="cn=AD2 sync" (ad2:636): State: ready_to_acquire_replica -> sending_updates
[10/Jan/2010:10:11:24 -0800] - csngen_adjust_time: gen state before 4b4a184c0003:1263147084:0:0
[10/Jan/2010:10:11:24 -0800] NSMMReplicationPlugin - changelog program - _cl5GetDBFile: found DB object 2aaaac067900 for database 14c30202-fd5711de-9bff8d99-1ae18e2c_4b15edaa000000010000.db4
[10/Jan/2010:10:11:24 -0800] - _cl5PositionCursorForReplay (agmt="cn=AD2 sync" (ad2:636)): Consumer RUV:
[10/Jan/2010:10:11:24 -0800] NSMMReplicationPlugin - agmt="cn=AD2 sync" (ad2:636): {replicageneration} 4b15edaa000000010000
[10/Jan/2010:10:11:24 -0800] NSMMReplicationPlugin - agmt="cn=AD2 sync" (ad2:636): {replica 1 ldap://as.com:389} 4b16a4c1000300010000 4b4a1242000200010000 4b4a1242
[10/Jan/2010:10:11:24 -0800] NSMMReplicationPlugin - agmt="cn=AD2 sync" (ad2:636): {replica 10 ldap://as.com:389} 4b48dbe70000000a0000 4b48dbe80008000a0000 00000000
[10/Jan/2010:10:11:24 -0800] - _cl5PositionCursorForReplay (agmt="cn=AD2 sync" (ad2:636)): Supplier RUV:
[10/Jan/2010:10:11:24 -0800] NSMMReplicationPlugin - agmt="cn=AD2 sync" (ad2:636): {replicageneration} 4b15edaa000000010000
[10/Jan/2010:10:11:24 -0800] NSMMReplicationPlugin - agmt="cn=AD2 sync" (ad2:636): {replica 1 ldap://as.com:389} 4b16a4c1000300010000 4b4a184c000100010000 4b4a184c
[10/Jan/2010:10:11:24 -0800] NSMMReplicationPlugin - agmt="cn=AD2 sync" (ad2:636): {replica 10 ldap://as.com:389} 4b48dbe70000000a0000 4b48dbe80008000a0000 00000000
[10/Jan/2010:10:11:24 -0800] agmt="cn=AD2 sync" (ad2:636) - clcache_get_buffer: found thread private buffer cache 2aaaac030330
[10/Jan/2010:10:11:24 -0800] agmt="cn=AD2 sync" (ad2:636) - clcache_get_buffer: _pool is 1682e480 _pool->pl_busy_lists is 2aaaac067890 _pool->pl_busy_lists->bl_buffers is 2aaaac030330
[10/Jan/2010:10:11:24 -0800] agmt="cn=AD2 sync" (ad2:636) - session start: anchorcsn=4b4a1242000200010000
[10/Jan/2010:10:11:24 -0800] NSMMReplicationPlugin - changelog program - agmt="cn=AD2 sync" (ad2:636): CSN 4b4a1242000200010000 found, position set for replay
[10/Jan/2010:10:11:24 -0800] agmt="cn=AD2 sync" (ad2:636) - load=1 rec=1 csn=4b4a184c000000010000
[10/Jan/2010:10:11:24 -0800] NSMMReplicationPlugin - agmt="cn=AD2 sync" (ad2:636): windows_replay_update: Looking at modify operation local dn="uid=lxwang,ou=people,dc=as,dc=com" (ours,user,not group)
[10/Jan/2010:10:11:24 -0800] NSMMReplicationPlugin - agmt="cn=AD2 sync" (ad2:636): map_entry_dn_outbound: looking for AD entry for DS dn="uid=lxwang,ou=People,dc=as,dc=com" guid="2928864c927e554481ad8b32e20b80d5"
[10/Jan/2010:10:11:24 -0800] - Calling windows entry search request plugin
[10/Jan/2010:10:11:24 -0800] - windows_search_entry: recieved 2 messages, 1 entries, 0 references
[10/Jan/2010:10:11:24 -0800] NSMMReplicationPlugin - agmt="cn=AD2 sync" (ad2:636): map_entry_dn_outbound: return code 0 from search for AD entry dn="<GUID=2928864c927e554481ad8b32e20b80d5>" or dn="CN=Larry Wang,CN=Users,DC=as,DC=com"
[10/Jan/2010:10:11:24 -0800] NSMMReplicationPlugin - agmt="cn=AD2 sync" (ad2:636): windows_replay_update: Processing modify operation local dn="uid=lxwang,ou=people,dc=as,dc=com" remote dn="<GUID=2928864c927e554481ad8b32e20b80d5>"
[10/Jan/2010:10:11:24 -0800] NSMMReplicationPlugin - agmt="cn=AD2 sync" (ad2:636): map_entry_dn_outbound: looking for AD entry for DS dn="uid=lxwang,ou=People,dc=as,dc=com" guid="2928864c927e554481ad8b32e20b80d5"
[10/Jan/2010:10:11:24 -0800] NSMMReplicationPlugin - agmt="cn=AD2 sync" (ad2:636): map_entry_dn_outbound: looking for AD entry for DS dn="uid=lxwang,ou=People,dc=as,dc=com" username="lxwang"
[10/Jan/2010:10:11:24 -0800] - Calling windows entry search request plugin
[10/Jan/2010:10:11:24 -0800] - windows_search_entry: recieved 2 messages, 1 entries, 0 references
[10/Jan/2010:10:11:24 -0800] NSMMReplicationPlugin - agmt="cn=AD2 sync" (ad2:636): map_entry_dn_outbound: found AD entry dn="CN=Larry Wang,CN=Users,DC=as,DC=com"
[10/Jan/2010:10:11:24 -0800] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4b4a184c000300010000 into pending list
[10/Jan/2010:10:11:24 -0800] NSMMReplicationPlugin - conn=170359 op=1 csn=4b4a184c000300010000 process postop: canceling operation csn
[10/Jan/2010:10:11:26 -0800] - _csngen_adjust_local_time: gen state before 4b4a184c0004:1263147084:0:0
[10/Jan/2010:10:11:26 -0800] - _csngen_adjust_local_time: gen state after 4b4a184e0000:1263147086:0:0
[10/Jan/2010:10:11:26 -0800] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4b4a184e000000010000 into pending list
[10/Jan/2010:10:11:26 -0800] NSMMReplicationPlugin - conn=170364 op=1 csn=4b4a184e000000010000 process postop: canceling operation csn
[10/Jan/2010:10:11:28 -0800] - _csngen_adjust_local_time: gen state before 4b4a184e0001:1263147086:0:0
[10/Jan/2010:10:11:29 -0800] - _csngen_adjust_local_time: gen state after 4b4a18500000:1263147088:0:0
[10/Jan/2010:10:11:29 -0800] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4b4a1850000000010000 into pending list
[10/Jan/2010:10:11:29 -0800] NSMMReplicationPlugin - conn=170368 op=1 csn=4b4a1850000000010000 process postop: canceling operation csn
14 years, 2 months
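The RUV dump under acquire_replica is the part of this excerpt worth reading closely. Each `{replica N url} minCSN maxCSN lastmod` line carries 20-hex-digit CSNs (8 hex digits of Unix time, 4 of sequence number, 4 of replica ID, 4 of subsequence), and the supplier's max CSN for replica 1 (4b4a184c...) sorts above the consumer's (4b4a1242...), which is why the plugin logs "supplier RUV is newer". The script below is an added example, not code from the thread or from 389-ds: it parses RUV lines of exactly this shape, reports per-replica lag in seconds, mirrors the "supplier is newer" decision, and redacts the agreement bind password that the debug line echoes (the `{DES}` value is the reversibly stored agreement credential, not a hash, so it should not be pasted into a public list). The sample log is constructed from the lines above; the function and variable names are the example's own.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample: RUV dump and agreement lines in the same shape as the
# log excerpt above. Not a live capture.
SAMPLE_LOG = """\
[10/Jan/2010:10:11:24 -0800] - acquire_replica, supplier RUV:
[10/Jan/2010:10:11:24 -0800] NSMMReplicationPlugin - supplier: {replicageneration} 4b15edaa000000010000
[10/Jan/2010:10:11:24 -0800] NSMMReplicationPlugin - supplier: {replica 1 ldap://as.com:389} 4b16a4c1000300010000 4b4a184c000100010000 4b4a184c
[10/Jan/2010:10:11:24 -0800] NSMMReplicationPlugin - supplier: {replica 10 ldap://as.com:389} 4b48dbe70000000a0000 4b48dbe80008000a0000 00000000
[10/Jan/2010:10:11:24 -0800] - acquire_replica, consumer RUV:
[10/Jan/2010:10:11:24 -0800] NSMMReplicationPlugin - consumer: {replicageneration} 4b15edaa000000010000
[10/Jan/2010:10:11:24 -0800] NSMMReplicationPlugin - consumer: {replica 1 ldap://as.com:389} 4b16a4c1000300010000 4b4a1242000200010000 4b4a1242
[10/Jan/2010:10:11:24 -0800] NSMMReplicationPlugin - consumer: {replica 10 ldap://as.com:389} 4b48dbe70000000a0000 4b48dbe80008000a0000 00000000
[10/Jan/2010:10:11:24 -0800] NSMMReplicationPlugin - agmt="cn=AD2 sync" (ad2:636): binddn = cn=Administrator,cn=Users,dc=as,dc=com, passwd = {DES}ZtDcdM63AQ==
"""

# "supplier: {replica 1 ldap://as.com:389} <minCSN> <maxCSN> <lastmod>"
RUV_LINE = re.compile(
    r"(?P<side>supplier|consumer): \{replica (?P<rid>\d+) (?P<url>[^}]+)\} "
    r"(?P<min>[0-9a-f]{20}) (?P<max>[0-9a-f]{20})"
)
# "passwd = {DES}ZtDcdM63AQ==" as echoed by the agreement debug line
CRED_LINE = re.compile(r"passwd = \{[A-Za-z0-9]+\}\S*")


def parse_csn(csn: str) -> Tuple[int, int, int, int]:
    """Split a 20-hex-digit CSN into (unix_time, seqnum, replica_id, subseqnum).

    Tuples compare in CSN order, so a > b means CSN a is newer than CSN b.
    """
    if not re.fullmatch(r"[0-9a-f]{20}", csn):
        raise ValueError(f"not a CSN: {csn!r}")
    return (int(csn[0:8], 16), int(csn[8:12], 16), int(csn[12:16], 16), int(csn[16:20], 16))


def parse_ruvs(log: str) -> Dict[str, Dict[int, str]]:
    """Return {'supplier': {rid: maxCSN}, 'consumer': {rid: maxCSN}} from the RUV dump."""
    ruvs: Dict[str, Dict[int, str]] = {"supplier": {}, "consumer": {}}
    for m in RUV_LINE.finditer(log):
        ruvs[m["side"]][int(m["rid"])] = m["max"]
    return ruvs


def replica_lag(log: str) -> Dict[int, Optional[int]]:
    """Seconds by which the consumer's max CSN trails the supplier's, per replica ID.

    None means the consumer has never seen that replica; a negative value means
    the consumer is ahead for that replica.
    """
    ruvs = parse_ruvs(log)
    lag: Dict[int, Optional[int]] = {}
    for rid, sup_max in ruvs["supplier"].items():
        con_max = ruvs["consumer"].get(rid)
        lag[rid] = None if con_max is None else parse_csn(sup_max)[0] - parse_csn(con_max)[0]
    return lag


def supplier_is_newer(log: str) -> bool:
    """Same decision the log reports as 'supplier RUV is newer': some replica whose
    supplier max CSN is unknown to the consumer or sorts above the consumer's."""
    ruvs = parse_ruvs(log)
    return any(
        rid not in ruvs["consumer"] or parse_csn(sup_max) > parse_csn(ruvs["consumer"][rid])
        for rid, sup_max in ruvs["supplier"].items()
    )


def redact_credentials(log: str) -> str:
    """Blank the agreement bind password before a log excerpt leaves the box."""
    return CRED_LINE.sub("passwd = <redacted>", log)


if __name__ == "__main__":
    for rid, secs in replica_lag(SAMPLE_LOG).items():
        print(f"replica {rid}: consumer lag {secs} s")
    print("supplier RUV is newer:", supplier_is_newer(SAMPLE_LOG))
    print(redact_credentials(SAMPLE_LOG).splitlines()[-1])
```

On the constructed sample the consumer trails the supplier by 1546 seconds for replica 1 and by nothing for replica 10, and the 8-digit time prefix of 4b4a184c decodes to 1263147084, the same value the csngen lines in the excerpt print next to it. Lag alone does not say whether the password change itself was applied on the AD side; for that the later windows_replay_update lines for the entry are the place to look.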
How to setup 389-DS Client?
by Ajeet S Raina
I have successfully configured 389-DS with SSL.
I want to setup RHEL Client for the server.
I tried running:
authconfig-tui
Select LDAP
Next
Select TLS
ldap://<ip>
dc=im,dc=logic,dc=com
But when I am trying to run:
ldapsearch -h 389-ds.sap.com -b "dc=im,dc=sap,dc=com" -L "objectclass=*"
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available:
Any idea what the exact steps should be?
Am I missing anything?
14 years, 2 months
Announcing 389 Directory Server 1.2.5 Release Candidate 4
by Rich Megginson
The 389 team is pleased to announce the availability of Release
Candidate 4 of version 1.2.5.
NOTE: Packages for Enterprise Linux are available from EPEL. We will no
longer have a separate yum repo for these packages.
We need your help! Please help us test this software. It is a Release
Candidate, so it is fairly stable at this point. We have worked hard to
make sure upgrades from previous releases are as smooth as possible, and
we would really appreciate feedback about upgrades. The Fedora system
strongly encourages packages to be in Testing until verified and pushed
to Stable. If we don't get any feedback while the packages are in
Testing, the packages will remain in limbo, or get pushed to Stable.
The more testing we get, the faster we can release these packages to Stable.
The packages that need testing are:
* 389-ds-base-1.2.5.rc4
* Release Notes - http://port389.org/wiki/Release_Notes
* Install_Guide - http://port389.org/wiki/Install_Guide
* Download - http://port389.org/wiki/Download
=== New features ===
None - this release is primarily to fix the bug about Active Directory
password sync
=== Bugs Fixed ===
This release contains a couple of bug fixes. The complete list of bugs
fixed is found at the link below. Note that bugs marked as MODIFIED
have been fixed but are still in testing.
* Tracking bug for 1.2.5 release -
https://bugzilla.redhat.com/showdependencytree.cgi?id=533025&hide_resolved=0
* https://bugzilla.redhat.com/show_bug.cgi?id=537956 Password
replication from 389DS to AD2008(64bit) fails, all other replication
continues
14 years, 2 months
Need help on Views?
by Ajeet S Raina
Guys,
I have been following the link :
http://www.redhat.com/docs/manuals/dir-server/8.1/admin/using-views.html and
found it very informative for my requirement.
What I need is further help on the same.
I have created two Location View : Delhi and Noida.
We are Sysadmin Team located at Delhi and Noida. We have 5 Projects under
Delhi and 6 Projects under Noida.
Under those projects we have generic users like jboss, tomcat, admin1 etc
etc.
I am in verse to carry out the structure in my Directory Server.
Till now I only created two Location Views following exactly
http://www.redhat.com/docs/manuals/dir-server/8.1/admin/using-views.html
Just need your suggestion how to proceed?
Do I need to again create views for the respective projects, like P-1 to P-5 under
Delhi?
Pls Suggest.
14 years, 2 months
How to Install SSL Certificate into 389 Directory Server
by Ajeet S Raina
Guys,
I have been following http://www.linuxmail.info/install-ssl-certificate-fds/ to
Manage Certificates under 389 Management Console. I have already run
setupssl2.sh and restarted admin and directory server. I can also log in
to 389 Management Console through Windows remotely.
My 389 Server is running on CentOS Linux.
I am stuck at point 6 of
http://www.linuxmail.info/install-ssl-certificate-fds/ where it asks for
Certificate Location. May I know what file it's talking about.
All I can see are these files under my /etc/dirsrv/slapd-389-ds :
[code]
[root@389-ds ~]# cd /etc/dirsrv/
[root@389-ds dirsrv]# pwd
/etc/dirsrv
[root@389-ds dirsrv]# ls
admin-serv config dsgw schema slapd-389-ds
[root@389-ds dirsrv]#
[root@389-ds slapd-389-ds]# ls
adminserver.p12 dse.ldif.startOK pin.txt
cacert.asc dse_original.ldif pwdfile.txt
cert8.db key3.db schema
certmap.conf noise.txt secmod.db
dse.ldif orig-cert8.db slapd-collations.conf
dse.ldif.bak orig-key3.db
[root@389-ds slapd-389-ds]#
[/code]
Pls Suggest.
14 years, 2 months
389 SSL setup?
by Ajeet S Raina
Let me brief. I have just got into 389 Management Console which does display
both the Administrative Server and Directory Server.
Now Before that, let me inform you that I have Fedora DS running on 636 port
which means SSL is running. I downloaded a script called setupssl2.pl from
Fedora DS website and ran the script, restarted the dirsrv and admin
server. So there should be nothing displayed for port 389, right?
But why is Secure Connection under my dc=im,dc=log,dc=com being displayed
as blank?
Do I need to manually edit the section and tick the box?
It does ask for BIND DN and password, which are also BLANK.
Pls Suggest?
--
”It is not possible to rescue everyone who is caught in the Windows
quicksand
--Make sure you are on solid Linux ground before trying.”
14 years, 2 months
Unable to access 389-DS Server through remote LDAP Admin tool?
by Ajeet S Raina
I have 389-DS SSL running on my Linux Machine. I can see the output:
[code]
[root@389-ds ~]# nmap -vv localhost
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2010-01-10 01:26 IST
Initiating SYN Stealth Scan against localhost.localdomain (127.0.0.1) [1680
ports] at 01:26
Discovered open port 22/tcp on 127.0.0.1
Discovered open port 636/tcp on 127.0.0.1
The SYN Stealth Scan took 0.21s to scan 1680 total ports.
Host localhost.localdomain (127.0.0.1) appears to be up ... good.
Interesting ports on localhost.localdomain (127.0.0.1):
Not shown: 1678 closed ports
PORT STATE SERVICE
22/tcp open ssh
636/tcp open ldapssl
Nmap finished: 1 IP address (1 host up) scanned in 0.344 seconds
Raw packets sent: 1680 (73.920KB) | Rcvd: 3362 (141.208KB)
[root@389-ds ~]#
[/code]
This shows that port 636 is open. But when I am attempting to reach this Linux
Server from one of the Windows Desktops it says "LDAP is Down".
I selected LDAPv3 and LDAPv3, hostname and SSL/TLS and tried fetching the base DN
but it didn't work.
Pls Suggest.
14 years, 2 months