389-users June 2011

389-users@lists.fedoraproject.org

38 participants
45 discussions

Problem browsing LDAP with Outlook
by Chris Bryant 26 Aug '20

26 Aug '20

When configuring Microsoft Outlook (not Outlook Express) to access an LDAP directory, there is an option to 'Enable Browsing (requires server support)'. If this option is chosen and the directory server supports it, then you should be able to open the LDAP address book and page up and down through the results. I have been unable to get this working properly with 389 DS. When I try to browse from Outlook against the 389 DS directory, I am able to see the first page of results perfectly. However, if I move to the next page, only the first object returned will have any attributes included, and all of the rest of the objects in the page will have no attributes. I have a test perl script that duplicates this functionality as well. I can get this to work properly with an older version of Netscape Directory Server, and I can get it working with OpenDS. Since 389 DS advertises support for the controls that are required for this to work, just like the other two servers, then I would expect it to work there also. Has anyone out there gotten this to work with 389 DS? If so, can you share if there was anything special that you needed to do to get this to work? I'm trying to determine if this is a bug in the server, or if I'm just missing something in the configuration. Thanks, Chris USA.NET You Run Your Business. We'll Run Your Email. This message is for the sole use of the intended recipient(s) and may contain confidential and/or privileged information of USA.NET, Inc. Any unauthorized review, use, copying, disclosure, or distribution is prohibited. If you are not the intended recipient, please immediately contact the sender by reply email and delete all copies of the original message.

3 2

Views, Filtered roles and CoS
by Colin Panisset 06 Oct '11

06 Oct '11

I have a pretty flat DIT, with all users currently under ou=people,dc=example,dc=com; these user objects also have posixAccount attributes, of which loginShell is one. What I'm trying to achieve is to be able to set a "default" loginShell to be a restricted shell (/bin/rbash) for developers, but allow that to be a non-restricted shell on systems which are development hosts. As an example, on a production host I'd like: $ ldapsearch -x "(uid=devuser)" uid loginshell to return: dn: cn=Dev User,ou=People,dc=example,dc=com loginShell: /bin/rbash uid: devuser while on a development host, I'd like the same search to return dn: cn=Dev User,ou=People,dc=example,dc=com loginShell: /bin/bash uid: devuser I thought I might be able to achieve this by creating a view called ou=Developers,dc=example,dc=com and using that as a base DN on the development boxes, then applying a CoS within the view to override the loginShell attribute, but then the CoS ends up being applied to the original entry too. Is there any way that I could: - have a CoS apply based on client system attributes, like IP address/hostname? - have a CoS which applies to a view that *doesn't* affect the original object? - perhaps make use of cosPriority through two different views, so as to have ou=Development,... and ou=Production,... (but that would be answered by the previous option anyway)? Is there some other clever way to achieve what I'd like? I'd really like to avoid maintaining 2 separate DITs for the same set of users. -- C.

3 6

LDAPCon 2011 Call for Papers
by Peter Gietz 08 Aug '11

08 Aug '11

With the usual apologies. The 3rd Edition of the International Conference on LDAP (LDAPCon 2011[1]) will be held on October, 10-11, 2011 in Heidelberg, Germany. A Call For Papers[2] has been raised and the Program Committee asks you to submit abstracts by July 8th. The International Conference on LDAP is a technical forum for IT professionals interested in LDAP and related topics like directory servers, directory management applications, directory integration, identity and access management, and meta directories. It focuses on implementation and integration of LDAP servers and LDAP-enabled client applications. The event will bring together vendors, developers, active and prospective LDAP practitioners to share their experiences about deployment strategies, service operations, interoperability, discuss LDAP usage in new projects and learn about upcoming trends and developments. The 1st LDAPCon[3] was held in September 2007 in Germany, the 2nd LDAPCon[4] was held in September 2009 in Portland, Oregon, USA (Some pictures from LDAPCon 2007 [5] and a nice summary of LDAPCon 2009 [6]) So if you're involved with LDAP in interesting projects and you want to share your experiences, please check the Call For Papers and submit a proposal. Best, Peter [1]: http://www.ldapcon.org [2]: http://www.daasi.de/ldapcon2011/index.php?site=cfp [3]: http://www.guug.de/veranstaltungen/ldapcon2007/index.html [4]: http://www.symas.com/ldapcon2009 [5]: http://www.flickr.com/photos/ludovic_p/sets/72157601937159198/detail/ [6]: http://blogs.sun.com/Ludo/entry/ldapcon_2009_summary -- _______________________________________________________________________ Peter Gietz (CEO) DAASI International GmbH phone: +49 7071 407109-0 Europaplatz 3 Fax: +49 7071 407109-9 D-72074 Tübingen mail: peter.gietz(a)daasi.de Germany Web: www.daasi.de DAASI International GmbH, Tübingen Geschäftsführer Peter Gietz, Amtsgericht Stuttgart HRB 382175 Directory Applications for Advanced Security and Information Management _______________________________________________________________________

1 2

Delete object on Consumer
by Jim Tyrrell 04 Aug '11

04 Aug '11

Hi, We have a setup with multiple masters which are replicating down to 389 Directory Server consumers via 2 hubs, but have a consistency issue. It appears a few objects were deleted and re-added to the masters but the object was not deleted from the 389 consumers. We now have 1 object on the masters and 2 objects on the consumers which causes problems for the mail servers. If we delete the object from the master we are still left with one object on the slaves. The slaves currently have a few duplicate objects like this: dn: cn=mx::10, cn=somedomain.co.uk, ou=dns, o=acmesystems.com cn: mx::10 mailtransport: nexthop:[mailserver.ourdomain.com] dnspreference: 10 dnstype: MX dn: nsuniqueid=7edfa581-1dd211b2-8014f995-55bd0000+cn=mx::10,cn=somedomain.co.uk, ou=dns,o=acmesystems.com cn: mx::10 mailtransport: nexthop:[mailserver.ourdomain.com] dnspreference: 10 dnstype: MX The object showing nsuniqueid is the valid one that exists on the master. Is there a way to remove the 2nd object from the consumer without re-initialising? I have seen this before on a single consumer so we re-initialised it, but its a much bigger problem to re-initialise all of the consumers. It would be ideal if there is a way to manually delete an object direct on a consumer? Thanks. Jim.

4 14

Re: [389-users] get base dn from ldapsearch
by Angel Bosch Mora 15 Jul '11

15 Jul '11

> Maybe I am understanding this wrong but could you not just check in > the config what the search base is set to on the client side? What is > the problem you are trying to solve? > yes, you're right. i can just take a look at ldap.conf but there's several places to look: - debian/ubuntu uses /etc/ldap/ldap.conf - RHEL/CentOS uses /etc/openldap/ldap.conf - custom compilations can use any path. ex: /usr/local/ldap/ldap.conf - windows openldap uses... i don't really know :P so what im trying to do is resolving configured base without knowing anything about the client. for example, this command gives me the server even if i dont know anything about the conf: ldapsearch -d1 -x -LLL "(uid=example)" uid 2>&1 | grep ldap_connect_to_host im just a little bit surprised that i can't find any debuglevel that gives me the BASE abosch

8 17

Users unable to change their passwords on replicas
by G 30 Jun '11

30 Jun '11

Greetings! I have a domain with a single master and four replicas. Everything is working fine and replicas are getting updates, etc... However, users are unable to change their own passwords on hosts bound to the replicas. They are able to change their passwords on hosts bound to the master. _When they attempt to change their password this is what they get:_ /[testpasswd@aurusdl-dns02 ~]$ passwd Changing password for user testpasswd. Enter login(LDAP) password: New UNIX password: Retype new UNIX password: LDAP password information update failed: Operations error Mapping tree node for dc=usdl,dc=gpsocx,dc=gov is set to return a referral, but no referral is configured for it passwd: Permission denied/ _It is hard to capture what is happening in the access log on a replica but I think it is this:_ /[30/Jun/2011:10:59:40 -0600] conn=1282 op=4 BIND dn="uid=testpasswd,ou=People,dc=usdl,dc=gpsocx,dc=gov" method=128 version=3 [30/Jun/2011:10:59:40 -0600] conn=1282 op=4 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=testpasswd,ou=people,dc=usdl,dc=gpsocx,dc=gov" [30/Jun/2011:10:59:40 -0600] conn=1282 op=5 MOD dn="uid=testpasswd,ou=People,dc=usdl,dc=gpsocx,dc=gov" [30/Jun/2011:10:59:40 -0600] conn=1282 op=5 RESULT err=1 tag=103 nentries=0 etime=0 [30/Jun/2011:10:59:42 -0600] conn=1217 op=-1 fd=66 closed error 11 (Resource temporarily unavailable) - T1 [30/Jun/2011:10:59:42 -0600] conn=1213 op=-1 fd=96 closed error 11 (Resource temporarily unavailable) - T1 [30/Jun/2011:10:59:42 -0600] conn=1144 op=-1 fd=86 closed error 11 (Resource temporarily unavailable) - T1 [30/Jun/2011:10:59:42 -0600] conn=1132 op=-1 fd=78 closed error 11 (Resource temporarily unavailable) - T1 [30/Jun/2011:10:59:42 -0600] conn=1282 op=7 UNBIND [30/Jun/2011:10:59:42 -0600] conn=1282 op=7 fd=73 closed - U1 [30/Jun/2011:10:59:42 -0600] conn=1281 op=-1 fd=65 closed - B1/ _I do get this persistent error on my replicas:_ /[30/Jun/2011:10:54:00 -0600] NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica dc=usdl, dc=gpsocx, dc=gov: 1/ This is a pretty busy domain in production. I've had to rebuild it a couple of times and I don't doubt that through these rebuilds something got screwy which is causing this issue. Any help is greatly appreciated! G

2 1

perl update
by Jon 30 Jun '11

30 Jun '11

hi I updated fedora 14 to 15 using preupgrade. all of the RPMS work except perl won't upgrade. the error when I do yum update is the following.. any help.. thanks Loaded plugins: downloadonly, presto, refresh-packagekit Setting up Update Process Resolving Dependencies --> Running transaction check ---> Package perl.i686 4:5.12.3-157.fc15 will be updated ---> Package perl.i686 4:5.12.4-159.fc15 will be an update ---> Package perl-libs.i686 4:5.12.3-157.fc15 will be updated ---> Package perl-libs.i686 4:5.12.4-159.fc15 will be an update --> Finished Dependency Resolution Dependencies Resolved ===================================================================================================================== Package Arch Version Repository Size ===================================================================================================================== Updating: perl i686 4:5.12.4-159.fc15 updates 10 M perl-libs i686 4:5.12.4-159.fc15 updates 604 k Transaction Summary ===================================================================================================================== Upgrade 2 Package(s) Total download size: 11 M Is this ok [y/N]: y Downloading Packages: Setting up and reading Presto delta metadata Processing delta metadata /usr/lib/perl5/Config_heavy.pl: contents have been changed /usr/lib/perl5/auto/Devel/PPPort/PPPort.so: contents have been changed /usr/lib/perl5/bits/resource.ph: contents have been changed /usr/lib/perl5/bits/time.ph: contents have been changed /usr/lib/perl5/gnu/stubs-32.ph: contents have been changed delta does not match installed data /usr/lib/perl5/CORE/libperl.so: contents have been changed delta does not match installed data Package(s) data still to download: 11 M (1/2): perl-5.12.4-159.fc15.i686.rpm | 10 MB 00:05 (2/2): perl-libs-5.12.4-159.fc15.i686.rpm | 604 kB 00:00 --------------------------------------------------------------------------------------------------------------------- Total 1.8 MB/s | 11 MB 00:06 Running rpm_check_debug Running Transaction Test Transaction Test Succeeded Running Transaction Updating : 4:perl-libs-5.12.4-159.fc15.i686 1/4 Error unpacking rpm package 4:perl-libs-5.12.4-159.fc15.i686 error: unpacking of archive failed on file /usr/local/lib/perl5: cpio: mkdir Updating : 4:perl-5.12.4-159.fc15.i686 2/4 Error unpacking rpm package 4:perl-5.12.4-159.fc15.i686 error: perl-libs-4:5.12.4-159.fc15.i686: install failed error: unpacking of archive failed on file /usr/local/share/perl5: cpio: mkdir 4:perl-5.12.3-157.fc15.i686 was supposed to be removed but is not! 4:perl-libs-5.12.3-157.fc15.i686 was supposed to be removed but is not! Failed: perl.i686 4:5.12.4-159.fc15 perl-libs.i686 4:5.12.4-159.fc15 Complete!

2 1

Password Policy
by Gioachino Bartolotta 30 Jun '11

30 Jun '11

Hi all!!! There is a doc explaining how it's possible to enable password policies on 389-ds for use with a Samba PDC?? I googled for a while without success ... Thanks -- ------------------------------------------- Gioachino Bartolotta ICQ #: 9103167 MSN Messenger: astraroth(a)email.it Yahoo & Skype: gioachino_bartolotta

1 0

Users unable to change their passwords
by G 29 Jun '11

29 Jun '11

Greetings! My RHDS 8.1 instance recently starting denying users the ability to change their own passwords. Users are unable to change their own passwords on any clients or the master itself. Root is also unable to change users passwords via passwd on any machine. The Directory Manager is unable to change passwords via command line ldapmodify. However, the Directory Manager is able to change passwords via the redhat-idm-console. The error looks like this: LDAP password information update failed: insufficient access. Insufficient write privileges to the 'UserPassword' attribute of entry 'uid=<uid>, ou=people,dc=<domain>' There are no errors in the dirsrv log directory. Any help will be gratefully appreciated. Thank you, G

1 0

DN doesn't update.
by Patrik Martinez 28 Jun '11

28 Jun '11

Hi everybody, I've just installed the 389-DS sync against AD (windows 2008) and everything seemed to be working fine till I've changed one user's location in the AD subtree. The other attributes are syncronizing whithout problems but "dn" does not update. I've tried to find in docs whether something specific is required or not but seems there is nothing. Someone knows how I could solve this issue? Many thanks in advanced! Cheers. -- Patrik Martinez Técnico de Comunicaciones y Sistemas Infraestructuras IT Brújula www.brujula.es __________________________________________

2 2

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

389-users June 2011