389-users July 2010

389-users@lists.fedoraproject.org

33 participants
38 discussions

Problem browsing LDAP with Outlook
by Chris Bryant 26 Aug '20

26 Aug '20

When configuring Microsoft Outlook (not Outlook Express) to access an LDAP directory, there is an option to 'Enable Browsing (requires server support)'. If this option is chosen and the directory server supports it, then you should be able to open the LDAP address book and page up and down through the results. I have been unable to get this working properly with 389 DS. When I try to browse from Outlook against the 389 DS directory, I am able to see the first page of results perfectly. However, if I move to the next page, only the first object returned will have any attributes included, and all of the rest of the objects in the page will have no attributes. I have a test perl script that duplicates this functionality as well. I can get this to work properly with an older version of Netscape Directory Server, and I can get it working with OpenDS. Since 389 DS advertises support for the controls that are required for this to work, just like the other two servers, then I would expect it to work there also. Has anyone out there gotten this to work with 389 DS? If so, can you share if there was anything special that you needed to do to get this to work? I'm trying to determine if this is a bug in the server, or if I'm just missing something in the configuration. Thanks, Chris USA.NET You Run Your Business. We'll Run Your Email. This message is for the sole use of the intended recipient(s) and may contain confidential and/or privileged information of USA.NET, Inc. Any unauthorized review, use, copying, disclosure, or distribution is prohibited. If you are not the intended recipient, please immediately contact the sender by reply email and delete all copies of the original message.

3 2

changelogdb has gotten large...
by Hartmann, Tim 09 Sep '10

09 Sep '10

Hi, I've run into a situation where one of the files in /var/lib/dirsrv/<instance>/changelogdb has grown almost as large as the partition it's on. In my directory server configs, I noticed I was keeping an unlimited changelog, so I set that to what seems like a reasonably long amount of time (18 weeks) but didn't see any decrease in the file size. I'm wondering now about the best course of action. I can a) move the whole dirsrv directory to another partition with more space available and symlink the old location to the new, which worked when I tested it, but I wanted to make sure I wouldn't be hosing something up the next time I upgrade. b) find some means of manually shrinking the *.db ( can you even do that?) c) point dirsrv at a new location, and reinitialize the consumers (which doesn't seem all that desirable) Has anyone else found it necessary to shrink your changelogdb? Thanks -Tim

4 3

Announcing CN=Monitor 1.3
by Andreas Andersson 30 Aug '10

30 Aug '10

Hi! It’s been a year since I announced the 1.0 release of my little open source project CN=Monitor (LDAP Monitoring) here on the 389 Users list. A lot of features and improvements have been added since then. If you are running 389 DS / CentOS DS or Red Hat DS and needs a web application to monitor your directory server environment(s) you should download the today released stable version 1.3. Features: * Live monitoring to view current load * Collect historical events and view trends * Replication, Cache status verification * Verify server performance and load balancing * Mobile phone GUI support Project website: http://cnmonitor.sourceforge.net/ Freshmeat: http://freshmeat.net/projects/cnmonitor Best Regards - Andreas Andersson

2 1

Problems with chaining (was: RE: Sanity check for install approach)
by Jonathan Boulle 04 Aug '10

04 Aug '10

I've done a colossal amount of reading and experimentation to remedy the ignorance demonstrated in my last email, so let's start again: I have, in a simple two-node (one supplier, one consumer) setup: - Consumer set up with one local database (replicated from the supplier), + one database link back to the supplier - Suffix dc=example using both of these databases, + replication plugin (with repl_chain_on_update) enabled, + suffix request processing set to "use the databases" (i.e. no referrals) - Database link on the consumer using cn=replication manager,cn=config; an ACI on the supplier of (targetattr = "*")(version 3.0; acl "proxy acl"; allow(proxy) userdn="ldap:///cn=replication manager,cn=config";) So, on a client which is pointed towards the consumer, let's try modify something: [bloggsj@client02 ~]$ ldapmodify -x -ZZ -D uid=bloggsj,ou=people,dc=example -w example dn: uid=bloggsj,ou=People,dc=example changetype: modify replace: title title: Sir modifying entry "uid=bloggsj,ou=People,dc=example" --- On the supplier I see the relevant bind requests (as replication user *and* as the bloggsj user, i.e. successfully proxied), and also that the change succeeds (I turned on some ACL logging): <snip> [30/Jul/2010:17:10:03 +0100] NSACLPlugin - proxied authorization dn is (uid=bloggsj,ou=people,dc=example) [30/Jul/2010:17:10:03 +0100] NSACLPlugin - #### conn=26 op=2 binddn="cn=replication manager,cn=config" [30/Jul/2010:17:10:03 +0100] NSACLPlugin - #### conn=26 op=2 binddn="cn=replication manager,cn=config" <snip> [30/Jul/2010:16:56:27 +0100] NSACLPlugin - conn=20 op=2 (main): Allow write on entry(uid=bloggsj,ou=people,dc=example).attr(title) to proxy (uid=bloggsj,ou=people,dc=example): allowed by aci(51): aciname= "Enable self write for common attributes", acidn="dc=example <snip> Great. Works fine, as expected. But if I try to change the userPassword, for some reason the database link does _not proxy the authorisation_, but instead uses the replication user to try make the change: [bloggsj@client02 ~]$ ldapmodify -x -ZZ -D uid=bloggsj,ou=people,dc=example -w example dn: uid=bloggsj,ou=People,dc=example changetype: modify replace: userPassword userPassword: abc123!@# modifying entry "uid=bloggsj,ou=People,dc=example" ldapmodify: Insufficient access (50) additional info: Insufficient 'write' privilege to the 'userPassword' attribute of entry 'uid=bloggsj,ou=people,dc=example'. --- On the supplier: <snip> [30/Jul/2010:17:08:13 +0100] NSACLPlugin - #### conn=24 op=2 binddn="cn=replication manager,cn=config" <snip> [30/Jul/2010:16:57:09 +0100] NSACLPlugin - conn=21 op=2 (main): Deny write on entry(uid=bloggsj,ou=people,dc=example).attr(userPassword) to cn=replication manager,cn=config: no aci matched the subject by aci(53): aciname= "self", acidn="dc=example" <snip> Why do userPassword changes not proxy? I have tried - enabling/disabling "ACL Plugin" component to chain - enabling/disabling "password policy" component to chain - enabling/disabling various LDAP controls to chain - other attributes (homephone, surname, etc), all of which proxy fine to no avail. Rich (or anyone else :-), do you have any ideas? This really looks like a bug to me - I haven't started poking around in the source yet though. -----Original Message----- From: 389-users-bounces(a)lists.fedoraproject.org [mailto:389-users-bounces@lists.fedoraproject.org] On Behalf Of Jonathan Boulle Sent: 29 July 2010 14:54 To: 'General discussion list for the 389 Directory server project.' Subject: Re: [389-users] Sanity check for install approach On closer examination of the doc, it appears that chaining updates is only possible when using database links. However, as I infer, using database links removes the possibility of replication, because the link would pass any modification back to the remote database. Thus, if you had a consumer configured with a database link back to a supplier, and then set up a replication agreement from the supplier to the consumer, it would be replicating to its own database! Am I understanding this correctly? Is there a way to achieve our desired scenario: where no clients can directly access a read-write supplier (i.e. referrals are disabled, because network access is blocked); but they're still able to change their passwords, because the read-only consumer chains the update request back to a supplier? Cheers ________________________________________________________________________ In order to protect our email recipients, Betfair Group use SkyScan from MessageLabs to scan all Incoming and Outgoing mail for viruses. ________________________________________________________________________

3 3

Synching with multiple Windows ADs
by John A. Sullivan III 02 Aug '10

02 Aug '10

Hello, all. I know one can only have one sync agreement with an AD. However, is it possible to have a sync agreement with multiple ADs. We would like to synchronize the top of our tree with our main, multi-tenant AD and then synchronize lower levels of the domains with separate domains controlled by our clients. Thus, the same users and groups are synchronized to two different AD trees. As much as we dearly want this to work, I think it is asking for trouble as the GUID from AD is passed back to LDAP as part of the synchronization. Since these GUIDs will be different for the same user from different AD trees, is this a problem? I know that sounds a bit convoluted so let me give an example. I have a user Joe in LDAP. I synchronize him to MyAD so he is MyAD\Joe. I also synchronize him to TheirAD so he is also TheirAD\Joe. The GUID for MyAD \Joe is different from the GUID for TheirAD\Joe even though it is the same LDAP Joe. Is that a problem? Thanks - John

2 1

Re: [389-users] Synching with multiple Windows ADs
by Phil Daws 02 Aug '10

02 Aug '10

Is the DIT object ntuniqueid constructed from the Windows user object uuid and domain sid to keep the uniqueness ? Sent from Zimbra and my HTC Desire ----- Reply message ----- From: "John A. Sullivan III" <jsullivan(a)opensourcedevel.com> Date: Tue, Jul 27, 2010 21:42 Subject: [389-users] Synching with multiple Windows ADs To: <389-users(a)lists.fedoraproject.org> Hello, all. I know one can only have one sync agreement with an AD. However, is it possible to have a sync agreement with multiple ADs. We would like to synchronize the top of our tree with our main, multi-tenant AD and then synchronize lower levels of the domains with separate domains controlled by our clients. Thus, the same users and groups are synchronized to two different AD trees. As much as we dearly want this to work, I think it is asking for trouble as the GUID from AD is passed back to LDAP as part of the synchronization. Since these GUIDs will be different for the same user from different AD trees, is this a problem? I know that sounds a bit convoluted so let me give an example. I have a user Joe in LDAP. I synchronize him to MyAD so he is MyAD\Joe. I also synchronize him to TheirAD so he is also TheirAD\Joe. The GUID for MyAD \Joe is different from the GUID for TheirAD\Joe even though it is the same LDAP Joe. Is that a problem? Thanks - John -- 389 users mailing list 389-users(a)lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users

2 1

issue getting schema - Version 1.2.x return no operational attributes
by Rudolf Hatheyer 29 Jul '10

29 Jul '10

Hi, I've noticed a difference in behavior between 1.0.x and 1.2.x Version of FDS. Version 1.2.x will not return the hole schema (without specifying attributes objectClasses, matchingRules ). This a problem when querying by use of VBScript (i need this ugly stuff in a windows login script to get specific user data from the LDAP). ADSI will first do a root-DSE query to determine the provided schema. If the server returns no schema, ADSI will allow you to query only standard LDAP V2 attributes (and not my special ones). Query a Server with Version 1.2.5 # ./ldapsearch -h 192.168.1.202 -b cn=schema -s base "objectclass=*" version: 1 dn: cn=schema objectClass: top objectClass: ldapSubentry objectClass: subschema cn: schema Specifying for instance "objectClasses" attribut in the query returns the wanted data: version: 1 dn: cn=schema objectClasses: ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass X-ORIGIN 'RFC 45 12' ) objectClasses: ( 2.5.6.1 NAME 'alias' SUP top STRUCTURAL MUST aliasedObjectNam e X-ORIGIN 'RFC 4512' ) objectClasses: ( 2.5.20.1 NAME 'subschema' AUXILIARY MAY ( dITStructureRules $ nameForms $ dITContentRules $ objectClasses $ attributeTypes $ matchingRule s $ matchingRuleUse ) X-ORIGIN 'RFC 4512' ) objectClasses: ( 1.3.6.1.4.1.1466.101.120.111 NAME 'extensibleObject' SUP top [...] Query a Server with Version 1.0.4 version: 1 dn: cn=schema objectClass: top objectClass: ldapSubentry objectClass: subschema cn: schema objectClasses: ( 2.5.6.0 NAME 'top' DESC 'Standard LDAP objectclass' ABSTRACT MUST objectClass X-ORIGIN 'RFC 2256' ) objectClasses: ( 2.5.6.1 NAME 'alias' DESC 'Standard LDAP objectclass' SUP top ABSTRACT MUST aliasedObjectName X-ORIGIN 'RFC 2256' ) objectClasses: ( 1.3.6.1.4.1.1466.101.120.111 NAME 'extensibleObject' DESC 'LD APv3 extensible object' SUP top AUXILIARY X-ORIGIN 'RFC 2252' ) [...] Is there a way to configure the 1.2.x series to get the old behavior? Regards, Rudolf -- Rudolf Hatheyer alpha nova Betriebsgesm.b.H. Idlhofgasse 59-63 8020 Graz Tel: 0043/316/722622 Fax: 0043/316/722622-16 Mobil: 0699/14032570 http://www.alphanova.at

2 1

Sanity check for install approach
by Gerrard Geldenhuis 29 Jul '10

29 Jul '10

Hi I would appreciate anyone just giving the tasks below a sanity check. We will have a multimaster setup with various consumers from which clients will be authenticating off. Clients can not reach the masters directly and can only reach the consumer servers. To enable password policies to work correctly I will configure the consumer servers to chain requests back to the masters and enable chaining for the Password policy component. My understanding is thus that when a client tries to authenticate against the consumer server and fails, the password policy configured on the consumer will activate and the counter incremented for failed logins. This incremented counter change will then be chained back to the master which will replicate it back to the consumer and any other consumers. To rephrase the above... in a user story. User authenticates against consumer01 Authentication fails Consumer01 has password policy configured and replication from master01. What happens next? Does the consumer automatically communicate this failure back to master01, or do you need to setup chaining for this to happen? Regards ________________________________________________________________________ In order to protect our email recipients, Betfair Group use SkyScan from MessageLabs to scan all Incoming and Outgoing mail for viruses. ________________________________________________________________________

2 1

dynamic group expansion: writing a patch...
by Roberto Polli 28 Jul '10

28 Jul '10

Hi all, I'd like to start a patch on dynamic group expansion, but dunno where to start. Can you point me? Should be something like reusing VLV code? Thx+Peace, R- -- Roberto Polli Babel S.r.l. - http://www.babel.it Tel. +39.06.91801075 - fax +39.06.91612446 Tel. cel +39.340.6522736 P.zza S.Benedetto da Norcia, 33 - 00040 Pomezia (Roma) "Il seguente messaggio contiene informazioni riservate. Qualora questo messaggio fosse da Voi ricevuto per errore, Vogliate cortesemente darcene notizia a mezzo e-mail. Vi sollecitiamo altresì a distruggere il messaggio erroneamente ricevuto. Quanto precede Vi viene chiesto ai fini del rispetto della legge in materia di protezione dei dati personali."

3 10

Windows Replication Agreement Help
by Phil Daws 27 Jul '10

27 Jul '10

Hi, We are setting up a new Windows 2K3 AD server and attempting to syncronise the users from our LDAP server version 8.1.0. Performing the full sync fails after about 30 seconds with a message in the error log: [14/Jul/2010:07:46:10 -0400] - add value "^V" to attribute type "ARecord" in entry "DC=@,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=domain,DC=com" failed: duplicate new value [14/Jul/2010:07:46:10 -0400] - add value "null or non-ASCII" to attribute type "dnsproperty" in entry "DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=domain,DC=com" failed: duplicate new value and none of the users or groups are sent to AD. I am guessing it may be how our LDAP server schema is setup as we use something like: dc=domain,dc=com |_ o=Internal |___o=a0000 |____ou=Desktops |_____uid=fred We have set the Windows subtree to be dc=domain,dc=com and the replication subtree to be dc=domain,dc=com with a DS subtree of o=Internal,dc=domain,dc=com. Our understanding was that within AD Users & Groups GUI we should have seen a similar schema created. Though for some reason the replication is traversing the whole of the internal AD tree. Should we create a new Organisational Unit within AD called, for arguments sake, clients and set the Windows subtree to be ou=clients,dc=domain,dc=com so that it forces it to that branch ? -- Thanks, Phil

3 19

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

389-users July 2010