Problem browsing LDAP with Outlook
by Chris Bryant
When configuring Microsoft Outlook (not Outlook Express) to access an LDAP directory, there is an option to 'Enable Browsing (requires server support)'. If this option is chosen and the directory server supports it, then you should be able to open the LDAP address book and page up and down through the results. I have been unable to get this working properly with 389 DS.
When I try to browse from Outlook against the 389 DS directory, I am able to see the first page of results perfectly. However, if I move to the next page, only the first object returned will have any attributes included, and all of the rest of the objects in the page will have no attributes. I have a test perl script that duplicates this functionality as well.
I can get this to work properly with an older version of Netscape Directory Server, and I can get it working with OpenDS. Since 389 DS advertises support for the controls that are required for this to work, just like the other two servers, then I would expect it to work there also.
Has anyone out there gotten this to work with 389 DS? If so, can you share if there was anything special that you needed to do to get this to work? I'm trying to determine if this is a bug in the server, or if I'm just missing something in the configuration.
Thanks,
Chris
USA.NET
2 years, 9 months
Views, Filtered roles and CoS
by Colin Panisset
I have a pretty flat DIT, with all users currently under
ou=people,dc=example,dc=com; these user objects also have posixAccount
attributes, of which loginShell is one.
What I'm trying to achieve is to be able to set a "default" loginShell
to be a restricted shell (/bin/rbash) for developers, but allow that to
be a non-restricted shell on systems which are development hosts.
As an example, on a production host I'd like:
$ ldapsearch -x "(uid=devuser)" uid loginshell
to return:
dn: cn=Dev User,ou=People,dc=example,dc=com
loginShell: /bin/rbash
uid: devuser
while on a development host, I'd like the same search to return
dn: cn=Dev User,ou=People,dc=example,dc=com
loginShell: /bin/bash
uid: devuser
I thought I might be able to achieve this by creating a view called
ou=Developers,dc=example,dc=com and using that as a base DN on the
development boxes, then applying a CoS within the view to override the
loginShell attribute, but then the CoS ends up being applied to the
original entry too.
Is there any way that I could:
- have a CoS apply based on client system attributes, like IP
address/hostname?
- have a CoS which applies to a view that *doesn't* affect the original
object?
- perhaps make use of cosPriority through two different views, so as to
have ou=Development,... and ou=Production,... (but that would be
answered by the previous option anyway)?
Is there some other clever way to achieve what I'd like? I'd really like
to avoid maintaining 2 separate DITs for the same set of users.
-- C.
11 years, 7 months
LDAPCon 2011 Call for Papers
by Peter Gietz
With the usual apologies.
The 3rd Edition of the International Conference on LDAP (LDAPCon
2011[1]) will be held on October 10-11, 2011 in Heidelberg, Germany.
A Call For Papers[2] has been raised and the Program Committee asks you
to submit abstracts by July 8th.
The International Conference on LDAP is a technical forum for IT
professionals interested in LDAP and related topics like directory
servers, directory management applications, directory integration,
identity and access management, and meta directories.
It focuses on implementation and integration of LDAP servers and
LDAP-enabled client applications. The event will bring together vendors,
developers, active and prospective LDAP practitioners to share their
experiences about deployment strategies, service operations,
interoperability, discuss LDAP usage in new projects and learn about
upcoming trends and developments.
The 1st LDAPCon[3] was held in September 2007 in Germany, and the 2nd
LDAPCon[4] was held in September 2009 in Portland, Oregon, USA.
(Some pictures from LDAPCon 2007 [5] and a nice summary of LDAPCon 2009 [6].)
So if you're involved with LDAP in interesting projects and you want to
share your experiences, please check the Call For Papers and submit a
proposal.
Best,
Peter
[1]: http://www.ldapcon.org
[2]: http://www.daasi.de/ldapcon2011/index.php?site=cfp
[3]: http://www.guug.de/veranstaltungen/ldapcon2007/index.html
[4]: http://www.symas.com/ldapcon2009
[5]: http://www.flickr.com/photos/ludovic_p/sets/72157601937159198/detail/
[6]: http://blogs.sun.com/Ludo/entry/ldapcon_2009_summary
--
_______________________________________________________________________
Peter Gietz (CEO)
DAASI International GmbH phone: +49 7071 407109-0
Europaplatz 3 Fax: +49 7071 407109-9
D-72074 Tübingen mail: peter.gietz(a)daasi.de
Germany Web: www.daasi.de
DAASI International GmbH, Tübingen
Managing Director Peter Gietz, Amtsgericht Stuttgart HRB 382175
Directory Applications for Advanced Security and Information Management
_______________________________________________________________________
11 years, 9 months
Delete object on Consumer
by Jim Tyrrell
Hi,
We have a setup with multiple masters which are replicating down to 389
Directory Server consumers via 2 hubs, but have a consistency issue.
It appears a few objects were deleted and re-added to the masters but
the object was not deleted from the 389 consumers. We now have 1
object on the masters and 2 objects on the consumers which causes
problems for the mail servers. If we delete the object from the master
we are still left with one object on the slaves. The slaves currently
have a few duplicate objects like this:
dn: cn=mx::10, cn=somedomain.co.uk, ou=dns, o=acmesystems.com
cn: mx::10
mailtransport: nexthop:[mailserver.ourdomain.com]
dnspreference: 10
dnstype: MX
dn: nsuniqueid=7edfa581-1dd211b2-8014f995-55bd0000+cn=mx::10,cn=somedomain.co.uk,ou=dns,o=acmesystems.com
cn: mx::10
mailtransport: nexthop:[mailserver.ourdomain.com]
dnspreference: 10
dnstype: MX
The object showing nsuniqueid is the valid one that exists on the
master. Is there a way to remove the 2nd object from the consumer
without re-initialising?
I have seen this before on a single consumer so we re-initialised it,
but it's a much bigger problem to re-initialise all of the consumers. It
would be ideal if there were a way to manually delete an object directly on
a consumer.
Thanks.
Jim.
11 years, 9 months
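As an added example (not from the post or from 389 DS itself), a small Python check that parses an LDIF dump from a consumer and groups entries whose DNs collide once a leading nsuniqueid=...+ RDN component is stripped, so an operator can list exactly which duplicates exist before deciding how to remove them. The sample LDIF is constructed from the two entries quoted above plus one unrelated entry.

```python
import re
from collections import defaultdict
# Constructed sample: the two consumer entries quoted above plus an unrelated one; long DN folded.
SAMPLE_LDIF = """\
dn: cn=mx::10, cn=somedomain.co.uk, ou=dns, o=acmesystems.com
cn: mx::10

dn: nsuniqueid=7edfa581-1dd211b2-8014f995-55bd0000+cn=mx::10,cn=somedomain.co.uk,
 ou=dns,o=acmesystems.com
cn: mx::10

dn: cn=mx::20,cn=otherdomain.co.uk,ou=dns,o=acmesystems.com
cn: mx::20
"""

NSUNIQUEID_RDN = re.compile(r"^nsuniqueid=[0-9a-f-]+\+", re.IGNORECASE)  # nsuniqueid=<id>+<rdn> prefix

def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; joins LDIF continuation lines (leading space)."""
    blocks, current = [], []
    for line in text.splitlines() + [""]:        # trailing "" flushes the last entry
        if line.startswith(" ") and current:
            current[-1] += line[1:]               # unfold a wrapped line
        elif line == "" and current:
            blocks.append(current)
            current = []
        elif line:
            current.append(line)
    entries = []
    for lines in blocks:
        dn, attrs = None, defaultdict(list)
        for raw in lines:
            name, _, value = raw.partition(":")   # split on the first colon only
            if name.lower() == "dn":
                dn = value.strip()
            else:
                attrs[name.lower()].append(value.strip())
        entries.append((dn, dict(attrs)))
    return entries

def normalize_dn(dn):
    return ",".join(part.strip().lower() for part in dn.split(","))  # case/space-insensitive form

def find_conflict_groups(text):
    """Map logical DN -> actual DNs that collide once an nsuniqueid RDN prefix is stripped."""
    groups = defaultdict(list)
    for dn, _ in parse_ldif(text):
        groups[normalize_dn(NSUNIQUEID_RDN.sub("", dn))].append(dn)
    return {logical: dns for logical, dns in groups.items() if len(dns) > 1}
```

Feed it the output of an ldapsearch -LLL against the consumer; every group it returns is a DN the consumer holds twice.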
Re: [389-users] get base dn from ldapsearch
by Angel Bosch Mora
> Maybe I am understanding this wrong but could you not just check in
> the config what the search base is set to on the client side? What is
> the problem you are trying to solve?
>
Yes, you're right. I can just take a look at ldap.conf, but there are several places to look:
- Debian/Ubuntu uses /etc/ldap/ldap.conf
- RHEL/CentOS uses /etc/openldap/ldap.conf
- custom compilations can use any path, e.g. /usr/local/ldap/ldap.conf
- Windows OpenLDAP uses... I don't really know :P
So what I'm trying to do is resolve the configured base without knowing anything about the client.
For example, this command gives me the server even if I don't know anything about the conf:
ldapsearch -d1 -x -LLL "(uid=example)" uid 2>&1 | grep ldap_connect_to_host
I'm just a little bit surprised that I can't find any debug level that gives me the BASE.
abosch
11 years, 10 months
Users unable to change their passwords on replicas
by G
Greetings!
I have a domain with a single master and four replicas. Everything is
working fine and replicas are getting updates, etc... However, users
are unable to change their own passwords on hosts bound to the
replicas. They are able to change their passwords on hosts bound to the
master.
When they attempt to change their password this is what they get:
[testpasswd@aurusdl-dns02 ~]$ passwd
Changing password for user testpasswd.
Enter login(LDAP) password:
New UNIX password:
Retype new UNIX password:
LDAP password information update failed: Operations error
Mapping tree node for dc=usdl,dc=gpsocx,dc=gov is set to return a referral, but no referral is configured for it
passwd: Permission denied
It is hard to capture what is happening in the access log on a replica but I think it is this:
[30/Jun/2011:10:59:40 -0600] conn=1282 op=4 BIND dn="uid=testpasswd,ou=People,dc=usdl,dc=gpsocx,dc=gov" method=128 version=3
[30/Jun/2011:10:59:40 -0600] conn=1282 op=4 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=testpasswd,ou=people,dc=usdl,dc=gpsocx,dc=gov"
[30/Jun/2011:10:59:40 -0600] conn=1282 op=5 MOD dn="uid=testpasswd,ou=People,dc=usdl,dc=gpsocx,dc=gov"
[30/Jun/2011:10:59:40 -0600] conn=1282 op=5 RESULT err=1 tag=103 nentries=0 etime=0
[30/Jun/2011:10:59:42 -0600] conn=1217 op=-1 fd=66 closed error 11 (Resource temporarily unavailable) - T1
[30/Jun/2011:10:59:42 -0600] conn=1213 op=-1 fd=96 closed error 11 (Resource temporarily unavailable) - T1
[30/Jun/2011:10:59:42 -0600] conn=1144 op=-1 fd=86 closed error 11 (Resource temporarily unavailable) - T1
[30/Jun/2011:10:59:42 -0600] conn=1132 op=-1 fd=78 closed error 11 (Resource temporarily unavailable) - T1
[30/Jun/2011:10:59:42 -0600] conn=1282 op=7 UNBIND
[30/Jun/2011:10:59:42 -0600] conn=1282 op=7 fd=73 closed - U1
[30/Jun/2011:10:59:42 -0600] conn=1281 op=-1 fd=65 closed - B1
I do get this persistent error on my replicas:
[30/Jun/2011:10:54:00 -0600] NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica dc=usdl, dc=gpsocx, dc=gov: 1
This is a pretty busy domain in production. I've had to rebuild it a
couple of times and I don't doubt that through these rebuilds something
got screwy which is causing this issue.
Any help is greatly appreciated!
G
11 years, 11 months
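As an added example (not from the post), a small Python check that pairs each RESULT line in a 389 DS access log with the request that shares its conn/op and lists the failures; run over lines constructed from the excerpt above it surfaces the op=5 MOD against the user's own entry that returned err=1 (operationsError), which is the signal to search for when several users report the same passwd failure on a replica.

```python
import re

# Sample lines constructed from the excerpt in the post above (re-joined onto single lines).
SAMPLE_LOG = """\
[30/Jun/2011:10:59:40 -0600] conn=1282 op=4 BIND dn="uid=testpasswd,ou=People,dc=usdl,dc=gpsocx,dc=gov" method=128 version=3
[30/Jun/2011:10:59:40 -0600] conn=1282 op=4 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=testpasswd,ou=people,dc=usdl,dc=gpsocx,dc=gov"
[30/Jun/2011:10:59:40 -0600] conn=1282 op=5 MOD dn="uid=testpasswd,ou=People,dc=usdl,dc=gpsocx,dc=gov"
[30/Jun/2011:10:59:40 -0600] conn=1282 op=5 RESULT err=1 tag=103 nentries=0 etime=0
[30/Jun/2011:10:59:42 -0600] conn=1217 op=-1 fd=66 closed error 11 (Resource temporarily unavailable) - T1
[30/Jun/2011:10:59:42 -0600] conn=1282 op=7 UNBIND
[30/Jun/2011:10:59:42 -0600] conn=1282 op=7 fd=73 closed - U1
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<rest>.*)$')
RESULT_RE = re.compile(r'^RESULT err=(?P<err>\d+) tag=(?P<tag>\d+)')
REQUEST_RE = re.compile(r'^(?P<kind>BIND|MOD|ADD|DEL|SRCH|MODRDN|UNBIND)\b(?: dn="(?P<dn>[^"]*)")?')

# Standard LDAP result codes worth naming here; err=1 is what the post shows.
RESULT_NAMES = {0: "success", 1: "operationsError", 10: "referral", 50: "insufficientAccessRights"}

def failed_operations(log_text):
    """Correlate each RESULT with the request sharing its (conn, op); return non-zero results."""
    requests = {}
    failures = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                  # not an operation line
        key = (m["conn"], m["op"])
        req = REQUEST_RE.match(m["rest"])
        if req:
            requests[key] = {"kind": req["kind"], "dn": req["dn"], "ts": m["ts"]}
            continue
        res = RESULT_RE.match(m["rest"])
        if res and int(res["err"]) != 0:
            info = requests.get(key, {"kind": "?", "dn": None, "ts": m["ts"]})
            failures.append({
                "conn": key[0], "op": key[1], "kind": info["kind"], "dn": info["dn"],
                "err": int(res["err"]), "name": RESULT_NAMES.get(int(res["err"]), "unknown"),
            })
    return failures
```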
perl update
by Jon
Hi,
I updated Fedora 14 to 15 using preupgrade. All of the RPMs work except Perl won't upgrade. The error when I do yum update is the following.
Any help?
Thanks
Loaded plugins: downloadonly, presto, refresh-packagekit
Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package perl.i686 4:5.12.3-157.fc15 will be updated
---> Package perl.i686 4:5.12.4-159.fc15 will be an update
---> Package perl-libs.i686 4:5.12.3-157.fc15 will be updated
---> Package perl-libs.i686 4:5.12.4-159.fc15 will be an update
--> Finished Dependency Resolution
Dependencies Resolved
=====================================================================================================================
Package Arch Version Repository Size
=====================================================================================================================
Updating:
perl i686 4:5.12.4-159.fc15 updates 10 M
perl-libs i686 4:5.12.4-159.fc15 updates 604 k
Transaction Summary
=====================================================================================================================
Upgrade 2 Package(s)
Total download size: 11 M
Is this ok [y/N]: y
Downloading Packages:
Setting up and reading Presto delta metadata
Processing delta metadata
/usr/lib/perl5/Config_heavy.pl: contents have been changed
/usr/lib/perl5/auto/Devel/PPPort/PPPort.so: contents have been changed
/usr/lib/perl5/bits/resource.ph: contents have been changed
/usr/lib/perl5/bits/time.ph: contents have been changed
/usr/lib/perl5/gnu/stubs-32.ph: contents have been changed
delta does not match installed data
/usr/lib/perl5/CORE/libperl.so: contents have been changed
delta does not match installed data
Package(s) data still to download: 11 M
(1/2): perl-5.12.4-159.fc15.i686.rpm | 10 MB 00:05
(2/2): perl-libs-5.12.4-159.fc15.i686.rpm | 604 kB 00:00
---------------------------------------------------------------------------------------------------------------------
Total 1.8 MB/s | 11 MB 00:06
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Updating : 4:perl-libs-5.12.4-159.fc15.i686 1/4
Error unpacking rpm package 4:perl-libs-5.12.4-159.fc15.i686
error: unpacking of archive failed on file /usr/local/lib/perl5: cpio: mkdir
Updating : 4:perl-5.12.4-159.fc15.i686 2/4
Error unpacking rpm package 4:perl-5.12.4-159.fc15.i686
error: perl-libs-4:5.12.4-159.fc15.i686: install failed
error: unpacking of archive failed on file /usr/local/share/perl5: cpio: mkdir
4:perl-5.12.3-157.fc15.i686 was supposed to be removed but is not!
4:perl-libs-5.12.3-157.fc15.i686 was supposed to be removed but is not!
Failed:
perl.i686 4:5.12.4-159.fc15 perl-libs.i686 4:5.12.4-159.fc15
Complete!
11 years, 11 months
Password Policy
by Gioachino Bartolotta
Hi all!!!
Is there a doc explaining how it's possible to enable password policies on 389-ds for use with a Samba PDC?
I googled for a while without success ...
Thanks
--
-------------------------------------------
Gioachino Bartolotta
ICQ #: 9103167
MSN Messenger: astraroth(a)email.it
Yahoo & Skype: gioachino_bartolotta
11 years, 11 months
Users unable to change their passwords
by G
Greetings!
My RHDS 8.1 instance recently started denying users the ability to
change their own passwords. Users are unable to change their own
passwords on any clients or the master itself. Root is also unable to
change users' passwords via passwd on any machine. The Directory Manager
is unable to change passwords via command line ldapmodify. However, the
Directory Manager is able to change passwords via the redhat-idm-console.
The error looks like this:
LDAP password information update failed: insufficient access.
Insufficient write privileges to the 'UserPassword' attribute of entry
'uid=<uid>, ou=people,dc=<domain>'
There are no errors in the dirsrv log directory. Any help will be
gratefully appreciated.
Thank you,
G
11 years, 11 months
DN doesn't update.
by Patrik Martinez
Hi everybody,
I've just installed the 389-DS sync against AD (Windows 2008) and everything
seemed to be working fine until I changed one user's location in the AD
subtree.
The other attributes are synchronizing without problems but "dn" does not
update.
I've tried to find in the docs whether something specific is required or not, but
it seems there is nothing.
Does someone know how I could solve this issue?
Many thanks in advance!
Cheers.
--
Patrik Martinez
Communications and Systems Technician
IT Infrastructure
Brújula
www.brujula.es
__________________________________________
11 years, 11 months