389-users May 2011

389-users@lists.fedoraproject.org

36 participants
41 discussions

Problem browsing LDAP with Outlook
by Chris Bryant 26 Aug '20

26 Aug '20

When configuring Microsoft Outlook (not Outlook Express) to access an LDAP directory, there is an option to 'Enable Browsing (requires server support)'. If this option is chosen and the directory server supports it, then you should be able to open the LDAP address book and page up and down through the results. I have been unable to get this working properly with 389 DS. When I try to browse from Outlook against the 389 DS directory, I am able to see the first page of results perfectly. However, if I move to the next page, only the first object returned will have any attributes included, and all of the rest of the objects in the page will have no attributes. I have a test perl script that duplicates this functionality as well. I can get this to work properly with an older version of Netscape Directory Server, and I can get it working with OpenDS. Since 389 DS advertises support for the controls that are required for this to work, just like the other two servers, then I would expect it to work there also. Has anyone out there gotten this to work with 389 DS? If so, can you share if there was anything special that you needed to do to get this to work? I'm trying to determine if this is a bug in the server, or if I'm just missing something in the configuration. Thanks, Chris USA.NET You Run Your Business. We'll Run Your Email. This message is for the sole use of the intended recipient(s) and may contain confidential and/or privileged information of USA.NET, Inc. Any unauthorized review, use, copying, disclosure, or distribution is prohibited. If you are not the intended recipient, please immediately contact the sender by reply email and delete all copies of the original message.

3 2

Views, Filtered roles and CoS
by Colin Panisset 06 Oct '11

06 Oct '11

I have a pretty flat DIT, with all users currently under ou=people,dc=example,dc=com; these user objects also have posixAccount attributes, of which loginShell is one. What I'm trying to achieve is to be able to set a "default" loginShell to be a restricted shell (/bin/rbash) for developers, but allow that to be a non-restricted shell on systems which are development hosts. As an example, on a production host I'd like: $ ldapsearch -x "(uid=devuser)" uid loginshell to return: dn: cn=Dev User,ou=People,dc=example,dc=com loginShell: /bin/rbash uid: devuser while on a development host, I'd like the same search to return dn: cn=Dev User,ou=People,dc=example,dc=com loginShell: /bin/bash uid: devuser I thought I might be able to achieve this by creating a view called ou=Developers,dc=example,dc=com and using that as a base DN on the development boxes, then applying a CoS within the view to override the loginShell attribute, but then the CoS ends up being applied to the original entry too. Is there any way that I could: - have a CoS apply based on client system attributes, like IP address/hostname? - have a CoS which applies to a view that *doesn't* affect the original object? - perhaps make use of cosPriority through two different views, so as to have ou=Development,... and ou=Production,... (but that would be answered by the previous option anyway)? Is there some other clever way to achieve what I'd like? I'd really like to avoid maintaining 2 separate DITs for the same set of users. -- C.

3 6

LDAPCon 2011 Call for Papers
by Peter Gietz 08 Aug '11

08 Aug '11

With the usual apologies. The 3rd Edition of the International Conference on LDAP (LDAPCon 2011[1]) will be held on October, 10-11, 2011 in Heidelberg, Germany. A Call For Papers[2] has been raised and the Program Committee asks you to submit abstracts by July 8th. The International Conference on LDAP is a technical forum for IT professionals interested in LDAP and related topics like directory servers, directory management applications, directory integration, identity and access management, and meta directories. It focuses on implementation and integration of LDAP servers and LDAP-enabled client applications. The event will bring together vendors, developers, active and prospective LDAP practitioners to share their experiences about deployment strategies, service operations, interoperability, discuss LDAP usage in new projects and learn about upcoming trends and developments. The 1st LDAPCon[3] was held in September 2007 in Germany, the 2nd LDAPCon[4] was held in September 2009 in Portland, Oregon, USA (Some pictures from LDAPCon 2007 [5] and a nice summary of LDAPCon 2009 [6]) So if you're involved with LDAP in interesting projects and you want to share your experiences, please check the Call For Papers and submit a proposal. Best, Peter [1]: http://www.ldapcon.org [2]: http://www.daasi.de/ldapcon2011/index.php?site=cfp [3]: http://www.guug.de/veranstaltungen/ldapcon2007/index.html [4]: http://www.symas.com/ldapcon2009 [5]: http://www.flickr.com/photos/ludovic_p/sets/72157601937159198/detail/ [6]: http://blogs.sun.com/Ludo/entry/ldapcon_2009_summary -- _______________________________________________________________________ Peter Gietz (CEO) DAASI International GmbH phone: +49 7071 407109-0 Europaplatz 3 Fax: +49 7071 407109-9 D-72074 Tübingen mail: peter.gietz(a)daasi.de Germany Web: www.daasi.de DAASI International GmbH, Tübingen Geschäftsführer Peter Gietz, Amtsgericht Stuttgart HRB 382175 Directory Applications for Advanced Security and Information Management _______________________________________________________________________

1 2

Delete object on Consumer
by Jim Tyrrell 04 Aug '11

04 Aug '11

Hi, We have a setup with multiple masters which are replicating down to 389 Directory Server consumers via 2 hubs, but have a consistency issue. It appears a few objects were deleted and re-added to the masters but the object was not deleted from the 389 consumers. We now have 1 object on the masters and 2 objects on the consumers which causes problems for the mail servers. If we delete the object from the master we are still left with one object on the slaves. The slaves currently have a few duplicate objects like this: dn: cn=mx::10, cn=somedomain.co.uk, ou=dns, o=acmesystems.com cn: mx::10 mailtransport: nexthop:[mailserver.ourdomain.com] dnspreference: 10 dnstype: MX dn: nsuniqueid=7edfa581-1dd211b2-8014f995-55bd0000+cn=mx::10,cn=somedomain.co.uk, ou=dns,o=acmesystems.com cn: mx::10 mailtransport: nexthop:[mailserver.ourdomain.com] dnspreference: 10 dnstype: MX The object showing nsuniqueid is the valid one that exists on the master. Is there a way to remove the 2nd object from the consumer without re-initialising? I have seen this before on a single consumer so we re-initialised it, but its a much bigger problem to re-initialise all of the consumers. It would be ideal if there is a way to manually delete an object direct on a consumer? Thanks. Jim.

4 14

Re: [389-users] get base dn from ldapsearch
by Angel Bosch Mora 15 Jul '11

15 Jul '11

> Maybe I am understanding this wrong but could you not just check in > the config what the search base is set to on the client side? What is > the problem you are trying to solve? > yes, you're right. i can just take a look at ldap.conf but there's several places to look: - debian/ubuntu uses /etc/ldap/ldap.conf - RHEL/CentOS uses /etc/openldap/ldap.conf - custom compilations can use any path. ex: /usr/local/ldap/ldap.conf - windows openldap uses... i don't really know :P so what im trying to do is resolving configured base without knowing anything about the client. for example, this command gives me the server even if i dont know anything about the conf: ldapsearch -d1 -x -LLL "(uid=example)" uid 2>&1 | grep ldap_connect_to_host im just a little bit surprised that i can't find any debuglevel that gives me the BASE abosch

8 17

Announcing 389 Directory Server version 1.2.8.3
by Rich Megginson 14 Jun '11

14 Jun '11

The 389 Project team is pleased to announce the release of 389-ds-base-1.2.8.3. This release fixes a few bugs found in 1.2.8.2. Installation yum install 389-ds # or for EPEL yum install 389-ds setup-ds-admin.pl Upgrade yum upgrade 389-ds-base idm-console-framework 389-admin 389-ds-console 389-admin-console # or for EPEL yum upgrade 389-ds-base idm-console-framework 389-admin 389-ds-console 389-admin-console setup-ds-admin.pl -u How to Give Feedback The best way to provide feedback is via the Fedora Update system. Each update is broken down by package and platform. For example, if you are using Fedora 13, and you have successfully installed or upgraded all of the packages, and the console and etc. works, then go to the links below for Fedora 13 and provide feedback. * EL-5 - https://admin.fedoraproject.org/updates/389-ds-base-1.2.8.3-1.el5 * Fedora 13 - https://admin.fedoraproject.org/updates/389-ds-base-1.2.8.3-1.fc13 * Fedora 14 - https://admin.fedoraproject.org/updates/389-ds-base-1.2.8.3-1.fc14 * Fedora 15 - https://admin.fedoraproject.org/updates/389-ds-base-1.2.8.3-1.fc15 scroll down to the bottom of the page, and click on the Add a comment >> link * select one of the Works for me or Does not work radio buttons, add text, and click on the Add Comment button If you are using a build on another platform, just send us an email to 389-users(a)lists.fedoraproject.org Reporting Bugs If you find a bug, or would like to see a new feature, you can enter it here - https://bugzilla.redhat.com/enter_bug.cgi?product=389 More Information * Release Notes - http://port389.org/wiki/Release_Notes * Install_Guide - http://port389.org/wiki/Install_Guide * Download - http://port389.org/wiki/Download

2 2

Reg ldif file import/export and ldap replication over ldaps
by s.varadha rajan 14 Jun '11

14 Jun '11

Hi, We are using Ubuntu 10.04 server OS and all the web applications are running on that.We have already implemented fedora-ds for ldap auth.now we are planning to go some up-gradation.kindly let me know the following, 1.How to migrate running fedora-ds server to another server ? 2.i have taken all the user/group+etc in ldif format.is it enough for migration or any other db (/var/lib/dirsrv/slapd-<instance>) also need to bacup ? if any procedure please share with me ? how to import/export .ldif file 3.in our setup,one server is in public network.so i am planning to do replication through "ldaps", i.e local server to public server replication through highly secure how to ? Please help me on the above topics. Regards, Varad

2 5

Windows Sync Agreement Help
by Albert Teh 31 May '11

31 May '11

Hi, We are setting up a new CENTOS-DS version 8.1.0. and CENTOS 5.5 and attempt to synchronize with the existing 2003 Windows AD server. Performing the full sync completed. There is no user created in the DS subtree. We would like to perform one way Sync: AD ----> DS. Once it works, we will set up the password Sync from the AD to DS. AD: cn=Users,cn=location,dc=ad,dc=domain,dc=com DS: ou=Peoples,dc=domain,dc=com errors log: [26/May/2011:10:20:34 -0400] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=ADsync" (wodcstage-1:389)". [26/May/2011:10:20:34 -0400] NSMMReplicationPlugin - Finished total update of replica "agmt="cn=ADsync" (wodcstage-1:389)". Sent 0 entries. access log: 26/May/2011:10:20:37 -0400] conn=11 op=819 SRCH base="cn=ADsync, cn=replica, cn=\22dc=algonquincollege, dc=com\22, cn=mapping tree, cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="nsds5replicaLastUpdateStart nsds5replicaLastUpdateEnd nsds5replicaChangesSentSinceStartup nsds5replicaLastUpdateStatus nsds5replicaUpdateInProgress nsds5replicaLastInitStart nsds5replicaLastInitEnd nsds5replicaLastInitStatus nsds5BeginReplicaRefresh" [26/May/2011:10:20:37 -0400] conn=11 op=819 RESULT err=0 tag=101 nentries=1 etime=0 Thanks. Albert

3 8

"no mechanism available" from CLI
by Andreas-Johann Ulvestad 31 May '11

31 May '11

Short story: After setting up 389 and adding users I attempt to run ldappasswd on a test user. The error message I get is: SASL/EXTERNAL authentication started ldap_sasl_interactive_bind_s: Unknown authentication method (-6) additional info: SASL(-4): no mechanism available: Long story: I installed Fedora 15 and then 389 via yum. All packages were downloaded without any problems and setup-ds-admin.pl had no problems either. I then launched the admin console and added two test users with POSIX accounts. After this, I launched authconfig-tui and configured it as so: User Information: Cache, use LDAP Authentication: shadow passwords, LDAP auth, local auth sufficient No TLS Server ldap://localhost Base DN: dc=k,dc=unicornis,dc=no As said earlier, ldappasswd doesn't work (I use ldappasswrd -h localhost). However, ldapsearch works (see attached output). I appreciate any feedback on how to start debugging this :-).

3 2

Thunderbird/Squirrelmail - common address book? LDAP?
by Philip Rhoades 30 May '11

30 May '11

People, I have previously been asking questions about importing a TB addressbook book here and I think I can see how I can do that now but I guess I should ask a more fundamental question: Is using an LDAP server the best way of getting a commonly accessible addressbook for both TB and SM? Even if I could use a setup like that, there is still no way TB can automatically update the LDAP DB for mails that go out to new email addresses . . It seems that LDAP is the only common addressbook possibility between TB and SQ but that solution is not completely satisfactory either . . Thanks, Phil. -- Philip Rhoades GPO Box 3411 Sydney NSW 2001 Australia E-mail: phil(a)pricom.com.au

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

389-users May 2011