Re: [389-users] Solaris 10 Clients without anonymous binds
by Nathan Kinder
On 03/11/2012 11:02 PM, MATON Brett wrote:
>
> I was blind, and now I can see! (Life of Brian)
>
> Thanks Nathan,
>
> Is that documented anywhere?
>
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Confi...
>
> Brett
>
> *From:*Nathan Kinder [mailto:nkinder@redhat.com]
> *Sent:* 09 March 2012 17:03
> *To:* General discussion list for the 389 Directory server project.
> *Cc:* MATON Brett
> *Subject:* Re: [389-users] Solaris 10 Clients without anonymous binds
>
> On 03/09/2012 04:27 AM, MATON Brett wrote:
>
> Hi Carsten,
>
> I found a solution to my problem.
>
> I edited dse.ldif and set
>
> require_secure_binds: on
>
> allow_anonymous_access: on (<- this is the default, I did have it
> set off which works fine with openldap clients).
>
> I then deleted the “Enable anonymous access” ACI:
>
> aci: (targetattr != "userPassword") (version 3.0;acl "Enable anonymous
> access";allow (read,compare,search)(userdn = "ldap:///anyone");)
>
> and added
>
> aci: (targetattr = "*") (version 3.0;acl "Allow Bound Users";allow
> (read,compare,search,selfwrite)(userdn = "ldap:///all");)
>
> It would appear that the dse.ldif option “allow_anonymous_binds: off”
> stops all anonymous binds to anything, including the rootdse.
>
> Your observation is correct, but there is a third setting for
> nsslapd-allow-anonymous-access. If you set its value to "rootdse",
> it will only allow anonymous access to the root DSE. Anonymous access
> to anything else will be denied.
>
> Thanks for your help all the same,
>
> Brett
>
> *From:*389-users-bounces@lists.fedoraproject.org
> <mailto:389-users-bounces@lists.fedoraproject.org>
> [mailto:389-users-bounces@lists.fedoraproject.org] *On Behalf Of
> *Carsten Grzemba
> *Sent:* 09 March 2012 11:18
> *To:* General discussion list for the 389 Directory server project.
> *Subject:* Re: [389-users] Solaris 10 Clients without anonymous binds
>
> ldapmodify -a -f <ldif> -D ...
> is recommended instead, and
> it is not possible to put this aci in the dse.ldif directly.
>
> On 09.03.12, MATON Brett <Brett.Maton(a)nrb.be> wrote:
>
> Thanks again Carsten,
>
> To put the ACI’s in the root do I need to edit
> /etc/dirsrv/slapd<instance>/dse.ldif and add them there, or simply do
> an ldapadd ?
>
> Thanks Brett
>
> *From:*389-users-bounces@lists.fedoraproject.org
> <mailto:389-users-bounces@lists.fedoraproject.org>
> [mailto:389-users-bounces@lists.fedoraproject.org] *On Behalf Of
> *Carsten Grzemba
> *Sent:* 09 March 2012 09:51
> *To:* General discussion list for the 389 Directory server project.
> *Subject:* Re: [389-users] Solaris 10 Clients without anonymous binds
>
> Hi,
>
> As far as I know, access to the nisdomain attribute is only necessary
> for the Solaris LDAP client so that it can pull and refresh the
> configuration profile from the LDAP server (refresh after the TTL has
> expired (default 1d)). It is a marker: where the nisdomain value
> matches is the right namingContext/BaseDN in which to search for the
> profile. The profile is commonly located in the ou=profile container
> and has objectclass=DUAConfigProfile.
>
> But the ACI should be placed on the root entry dc=example,dc=com.
>
> If you want to use the LDAP server Profile concept for Solaris Clients
> you can run /usr/lib/ldap/idsconfig.
> There you must adjust the version checking, so that 389DS matches DS 5.2.
>
> On 09.03.12, MATON Brett <Brett.Maton(a)nrb.be> wrote:
>
> I came across this link
> https://blogs.oracle.com/jo/entry/anonymous_access_and_solaris_native
>
> Which mentions adding the following ACL’s:
>
> the baseDN- (target = ldap:///dc=example,dc=com) (targetscope = base)
> (targetattr="*") (version 3.0; acl "anonymousBaseDN"; allow (read,
> compare, search) (userdn = "ldap:///anyone") ;) .
>
> For super secure access, this aci could be modified thus to only
> allow access to the nisDomain attribute
>
> (target = ldap:///dc=example,dc=com) (targetscope = base)
> (targetattr="nisdomain") (version 3.0; acl "anonymousBaseDN";
> allow (read, compare, search) (userdn = "ldap:///anyone") ;) .
>
> the profile container- (target = "ldap:///ou=profile,dc=example,dc=com")
> (targetscope = subtree) (targetattr="*") (version 3.0; acl
> "anonymousProfile"; allow (read,compare,search) (userdn = "ldap:///anyone") ;)
>
> For super secure access, this aci could be modified thus to only
> allow access to the proxyagent user object
>
> (target = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com")
> (targetscope = subtree) (targetattr="*") (version 3.0; acl
> "anonymousProfile"; allow (all) (userdn = "ldap:///anyone") ;)
>
> I just can’t figure out where to put them, any help appreciated!
>
> *From:*389-users-bounces@lists.fedoraproject.org
> <mailto:389-users-bounces@lists.fedoraproject.org>
> [mailto:389-users-bounces@lists.fedoraproject.org] *On Behalf Of
> *MATON Brett
> *Sent:* 08 March 2012 14:39
> *To:* General discussion list for the 389 Directory server project.
> *Subject:* Re: [389-users] Solaris 10 Clients without anonymous binds
>
> Hi Carsten,
>
> I’ll give it a go, thanks.
>
> Brett
>
> *From:*389-users-bounces@lists.fedoraproject.org
> <mailto:389-users-bounces@lists.fedoraproject.org>
> [mailto:389-users-bounces@lists.fedoraproject.org] *On Behalf Of
> *Carsten Grzemba
> *Sent:* 08 March 2012 14:34
> *To:* General discussion list for the 389 Directory server project.
> *Subject:* Re: [389-users] Solaris 10 Clients without anonymous binds
>
> Hi,
>
> I guess it must be possible for the Solaris client to read at least the
> base, so the client can see the supported features:
> # ldapsearch -h <ldapserver> -b "" -s base objectclass="*"
> should return the supportedcontrols, etc.
>
>
> On 08.03.12, MATON Brett <Brett.Maton(a)nrb.be> wrote:
>
> I’ve got some hosts using Solaris 10
>
> cat /etc/release
>
> Solaris 10 10/09 s10s_u8wos_08a SPARC
>
> Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
>
> Use is subject to license terms.
>
> Assembled 16 September 2009
>
> Which I’ve configured with ldapclient manual (failed miserably until I
> allowed anonymous binds in dse.ldif).
>
> ldapclient manual -vv \
>
> -a defaultSearchBase=<blah> \
>
> -a defaultSearchScope=sub \
>
> -a authenticationMethod=tls:simple \
>
> -a credentialLevel=proxy \
>
> -a proxyDN=cn=ldapsearch,cn=config \
>
> -a proxyPassword=<blah> \
>
> -a serviceAuthenticationMethod=pam_ldap:tls:simple \
>
> -a domainName=<blah> \
>
> -a certificatePath=/var/ldap \
>
> -a serviceSearchDescriptor=group:ou=Groups,<blah> <389 server>
>
> If I turn anonymous binds off once the client is configured, it fails
> to connect because the Solaris client is still insisting on making
> anonymous binds.
>
> I’m getting these in my access log:
>
> [08/Mar/2012:15:04:49 +0100] conn=1 fd=64 slot=64 SSL connection from
> <Solaris 10> to <389 DS>
>
> [08/Mar/2012:15:04:49 +0100] conn=1 SSL 128-bit RC4
>
> [08/Mar/2012:15:04:49 +0100] conn=1 op=0 UNPROCESSED OPERATION -
> Anonymous access not allowed
>
> [08/Mar/2012:15:04:49 +0100] conn=1 op=0 RESULT err=48 tag=101
> nentries=0 etime=0
>
> [08/Mar/2012:15:04:49 +0100] conn=1 op=1 UNBIND
>
> [08/Mar/2012:15:04:49 +0100] conn=1 op=1 fd=64 closed - U1
>
> Anyone come across this before and have a solution? I really don’t
> want to have to allow anonymous binds...
>
> Brett
>
> -------------------------------------------------------------------
>
> *GreeNRB
> */NRB considers its environmental responsibility and goes for green IT./
> /May we ask you to consider yours before printing this e-mail? /**
>
> *NRB, daring to commit
> */This e-mail and any attachments, which may contain information that
> is confidential and/or protected by intellectual property rights, are
> intended for the exclusive use of the above-mentioned addressee(s).
> Any use (including reproduction, disclosure and whole or partial
> distribution in any form whatsoever) of their content is prohibited
> without prior authorization of NRB. If you have received this message
> by error, please contact the sender promptly by resending this e-mail
> back to him (her), or by calling the above number. Thank you for
> subsequently deleting this e-mail and any files attached thereto./
> --
> 389 users mailing list
> 389-users(a)lists.fedoraproject.org <mailto:389-users@lists.fedoraproject.org>
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
12 years
Re: [389-users] Solaris 10 Clients without anonymous binds
by Nathan Kinder
On 03/09/2012 04:27 AM, MATON Brett wrote:
>
> Hi Carsten,
>
> I found a solution to my problem.
>
> I edited dse.ldif and set
>
> require_secure_binds: on
>
> allow_anonymous_access: on (<- this is the default, I did have it
> set off which works fine with openldap clients).
>
> I then deleted the “Enable anonymous access” ACI:
>
> aci: (targetattr != "userPassword") (version 3.0;acl "Enable anonymous
> access";allow (read,compare,search)(userdn = "ldap:///anyone");)
>
> and added
>
> aci: (targetattr = "*") (version 3.0;acl "Allow Bound Users";allow
> (read,compare,search,selfwrite)(userdn = "ldap:///all");)
>
> It would appear that the dse.ldif option “allow_anonymous_binds: off”
> stops all anonymous binds to anything, including the rootdse.
>
Your observation is correct, but there is a third setting for
nsslapd-allow-anonymous-access. If you set its value to "rootdse", it
will only allow anonymous access to the root DSE. Anonymous access to
anything else will be denied.
>
> Thanks for your help all the same,
>
> Brett
>
> *From:*389-users-bounces@lists.fedoraproject.org
> [mailto:389-users-bounces@lists.fedoraproject.org] *On Behalf Of
> *Carsten Grzemba
> *Sent:* 09 March 2012 11:18
> *To:* General discussion list for the 389 Directory server project.
> *Subject:* Re: [389-users] Solaris 10 Clients without anonymous binds
>
> ldapmodify -a -f <ldif> -D ...
> is recommended instead, and
> it is not possible to put this aci in the dse.ldif directly.
>
> On 09.03.12, MATON Brett <Brett.Maton(a)nrb.be> wrote:
>
> Thanks again Carsten,
>
> To put the ACI’s in the root do I need to edit
> /etc/dirsrv/slapd<instance>/dse.ldif and add them there, or simply do
> an ldapadd ?
>
> Thanks Brett
>
> *From:*389-users-bounces@lists.fedoraproject.org
> <mailto:389-users-bounces@lists.fedoraproject.org>
> [mailto:389-users-bounces@lists.fedoraproject.org] *On Behalf Of
> *Carsten Grzemba
> *Sent:* 09 March 2012 09:51
> *To:* General discussion list for the 389 Directory server project.
> *Subject:* Re: [389-users] Solaris 10 Clients without anonymous binds
>
> Hi,
>
> As far as I know, access to the nisdomain attribute is only necessary
> for the Solaris LDAP client so that it can pull and refresh the
> configuration profile from the LDAP server (refresh after the TTL has
> expired (default 1d)). It is a marker: where the nisdomain value
> matches is the right namingContext/BaseDN in which to search for the
> profile. The profile is commonly located in the ou=profile container
> and has objectclass=DUAConfigProfile.
>
> But the ACI should be placed on the root entry dc=example,dc=com.
>
> If you want to use the LDAP server Profile concept for Solaris Clients
> you can run /usr/lib/ldap/idsconfig.
> There you must adjust the version checking, so that 389DS matches DS 5.2.
>
> On 09.03.12, MATON Brett <Brett.Maton(a)nrb.be> wrote:
>
> I came across this link
> https://blogs.oracle.com/jo/entry/anonymous_access_and_solaris_native
>
> Which mentions adding the following ACL’s:
>
> the baseDN- (target = ldap:///dc=example,dc=com) (targetscope = base)
> (targetattr="*") (version 3.0; acl "anonymousBaseDN"; allow (read,
> compare, search) (userdn = "ldap:///anyone") ;) .
>
> For super secure access, this aci could be modified thus to only
> allow access to the nisDomain attribute
>
> (target = ldap:///dc=example,dc=com) (targetscope = base)
> (targetattr="nisdomain") (version 3.0; acl "anonymousBaseDN";
> allow (read, compare, search) (userdn = "ldap:///anyone") ;) .
>
> the profile container- (target = "ldap:///ou=profile,dc=example,dc=com")
> (targetscope = subtree) (targetattr="*") (version 3.0; acl
> "anonymousProfile"; allow (read,compare,search) (userdn = "ldap:///anyone") ;)
>
> For super secure access, this aci could be modified thus to only
> allow access to the proxyagent user object
>
> (target = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com")
> (targetscope = subtree) (targetattr="*") (version 3.0; acl
> "anonymousProfile"; allow (all) (userdn = "ldap:///anyone") ;)
>
> I just can’t figure out where to put them, any help appreciated!
>
> *From:*389-users-bounces@lists.fedoraproject.org
> <mailto:389-users-bounces@lists.fedoraproject.org>
> [mailto:389-users-bounces@lists.fedoraproject.org] *On Behalf Of
> *MATON Brett
> *Sent:* 08 March 2012 14:39
> *To:* General discussion list for the 389 Directory server project.
> *Subject:* Re: [389-users] Solaris 10 Clients without anonymous binds
>
> Hi Carsten,
>
> I’ll give it a go, thanks.
>
> Brett
>
> *From:*389-users-bounces@lists.fedoraproject.org
> <mailto:389-users-bounces@lists.fedoraproject.org>
> [mailto:389-users-bounces@lists.fedoraproject.org] *On Behalf Of
> *Carsten Grzemba
> *Sent:* 08 March 2012 14:34
> *To:* General discussion list for the 389 Directory server project.
> *Subject:* Re: [389-users] Solaris 10 Clients without anonymous binds
>
> Hi,
>
> I guess it must be possible for the Solaris client to read at least the
> base, so the client can see the supported features:
> # ldapsearch -h <ldapserver> -b "" -s base objectclass="*"
> should return the supportedcontrols, etc.
>
>
> On 08.03.12, MATON Brett <Brett.Maton(a)nrb.be> wrote:
>
> I’ve got some hosts using Solaris 10
>
> cat /etc/release
>
> Solaris 10 10/09 s10s_u8wos_08a SPARC
>
> Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
>
> Use is subject to license terms.
>
> Assembled 16 September 2009
>
> Which I’ve configured with ldapclient manual (failed miserably until I
> allowed anonymous binds in dse.ldif).
>
> ldapclient manual -vv \
>
> -a defaultSearchBase=<blah> \
>
> -a defaultSearchScope=sub \
>
> -a authenticationMethod=tls:simple \
>
> -a credentialLevel=proxy \
>
> -a proxyDN=cn=ldapsearch,cn=config \
>
> -a proxyPassword=<blah> \
>
> -a serviceAuthenticationMethod=pam_ldap:tls:simple \
>
> -a domainName=<blah> \
>
> -a certificatePath=/var/ldap \
>
> -a serviceSearchDescriptor=group:ou=Groups,<blah> <389 server>
>
> If I turn anonymous binds off once the client is configured, it fails
> to connect because the Solaris client is still insisting on making
> anonymous binds.
>
> I’m getting these in my access log:
>
> [08/Mar/2012:15:04:49 +0100] conn=1 fd=64 slot=64 SSL connection from
> <Solaris 10> to <389 DS>
>
> [08/Mar/2012:15:04:49 +0100] conn=1 SSL 128-bit RC4
>
> [08/Mar/2012:15:04:49 +0100] conn=1 op=0 UNPROCESSED OPERATION -
> Anonymous access not allowed
>
> [08/Mar/2012:15:04:49 +0100] conn=1 op=0 RESULT err=48 tag=101
> nentries=0 etime=0
>
> [08/Mar/2012:15:04:49 +0100] conn=1 op=1 UNBIND
>
> [08/Mar/2012:15:04:49 +0100] conn=1 op=1 fd=64 closed - U1
>
> Anyone come across this before and have a solution? I really don’t
> want to have to allow anonymous binds...
>
> Brett
>
12 years
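The ACIs traded in this thread (the default "Enable anonymous access" rule, Brett's "Allow Bound Users" rule, and the "anonymousBaseDN" / "anonymousProfile" variants from the Oracle blog) can be checked mechanically against the policy Nathan's reply implies: anonymous clients get the root DSE through nsslapd-allow-anonymous-access: rootdse, plus at most an explicit allow-list of attributes (here nisdomain) on the base entry, and everything else needs a bind. The script below is an added example, not code from the thread or from the 389 DS project. Its parser covers only the ACI clauses that appear in the thread (target, targetscope, targetattr, allow rights, userdn); the nisdomain allow-list and the rule "a missing targetattr counts as every attribute" are this example's own auditing assumptions; the input ACIs are the thread's, embedded as constructed sample input.

```python
"""Audit 389 DS v3 ACIs for anonymous grants that go beyond a minimal policy.

Added example for the 389-users thread above; not code from the thread or
from the 389 DS project.  Only the ACI clauses used in the thread are parsed.
"""
import re

# The ACIs posted in the thread, embedded here as constructed sample input.
ACIS = [
    '(targetattr != "userPassword") (version 3.0;acl "Enable anonymous access";'
    'allow (read,compare,search)(userdn = "ldap:///anyone");)',
    '(targetattr = "*") (version 3.0;acl "Allow Bound Users";'
    'allow (read,compare,search,selfwrite)(userdn = "ldap:///all");)',
    '(target = ldap:///dc=example,dc=com) (targetscope = base) (targetattr="*") '
    '(version 3.0; acl "anonymousBaseDN"; allow (read, compare, search) '
    '(userdn = "ldap:///anyone") ;)',
    '(target = ldap:///dc=example,dc=com) (targetscope = base) (targetattr="nisdomain") '
    '(version 3.0; acl "anonymousBaseDN"; allow (read, compare, search) '
    '(userdn = "ldap:///anyone") ;)',
    '(target = "ldap:///ou=profile,dc=example,dc=com") (targetscope = subtree) '
    '(targetattr="*") (version 3.0; acl "anonymousProfile"; '
    'allow (read,compare,search) (userdn = "ldap:///anyone") ;)',
    '(target = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com") '
    '(targetscope = subtree) (targetattr="*") (version 3.0; acl "anonymousProfile"; '
    'allow (all) (userdn = "ldap:///anyone") ;)',
]

READ_ONLY = {"read", "compare", "search"}

# One regex per ACI clause this audit understands.
_RE = {
    "target": re.compile(r'\(\s*target\s*=\s*"?([^")]+?)"?\s*\)'),
    "scope": re.compile(r'\(\s*targetscope\s*=\s*"?(\w+)"?\s*\)'),
    "attr": re.compile(r'\(\s*targetattr\s*(!?=)\s*"([^"]*)"\s*\)'),
    "name": re.compile(r'acl\s+"([^"]*)"'),
    "rights": re.compile(r'\b(allow|deny)\s*\(([^)]*)\)'),
    "userdn": re.compile(r'userdn\s*=\s*"([^"]*)"'),
}


def parse_aci(aci):
    """Extract the clauses an anonymous-access audit needs from one ACI string."""
    def grab(key, group=1, default=None):
        m = _RE[key].search(aci)
        return m.group(group) if m else default

    rights = set()
    m = _RE["rights"].search(aci)
    if m and m.group(1) == "allow":
        rights = {r.strip().lower() for r in m.group(2).split(",") if r.strip()}
    # Assumption for this audit: an ACI with no targetattr clause is treated
    # as covering every attribute, the conservative reading for a reviewer.
    attr_val = grab("attr", 2, "*")
    return {
        "name": grab("name", 1, "<unnamed>"),
        "target": grab("target"),
        "scope": grab("scope", 1, "subtree").lower(),   # DS default scope is subtree
        "attr_op": grab("attr", 1, "="),
        "attrs": {a.strip().lower() for a in attr_val.split("||")},
        "rights": rights,
        "userdn": grab("userdn", 1, ""),
    }


def audit_aci(aci, allowed_anon_attrs=frozenset({"nisdomain"})):
    """Return (acl name, list of findings) for one ACI.

    Policy assumed by this example: anonymous (ldap:///anyone) may only
    read/compare/search an explicit allow-list of attributes on a
    base-scoped entry.  Bound users (ldap:///all, named DNs) are not judged.
    """
    p = parse_aci(aci)
    findings = []
    if p["userdn"].lower() != "ldap:///anyone":
        return p["name"], findings
    extra = p["rights"] - READ_ONLY
    if extra:
        findings.append("non-read rights for anonymous: " + ",".join(sorted(extra)))
    if p["attr_op"] == "!=":
        findings.append("negated targetattr exposes every attribute except "
                        + ",".join(sorted(p["attrs"])))
    elif "*" in p["attrs"]:
        findings.append("anonymous may read all attributes")
    else:
        unexpected = p["attrs"] - set(allowed_anon_attrs)
        if unexpected:
            findings.append("anonymous may read " + ",".join(sorted(unexpected)))
    if p["scope"] != "base":
        findings.append("targetscope %s reaches entries below %s"
                        % (p["scope"], p["target"] or "the entry holding the aci"))
    return p["name"], findings


def audit(acis=ACIS):
    """Audit a list of ACI strings; returns [(name, findings), ...]."""
    return [audit_aci(a) for a in acis]


if __name__ == "__main__":
    for name, findings in audit():
        print(name, "=> OK" if not findings else "=> " + "; ".join(findings))
```

Run against the thread's ACIs, the default "Enable anonymous access" rule is flagged twice (negated targetattr, subtree scope), the nisdomain-only base-scope rule passes, and the proxyagent variant with allow (all) is flagged for write rights as well; to audit a live directory, feed the function the aci values exported from the suffix instead of the embedded list.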
Re: [389-users] Solaris 10 Clients without anonymous binds
by Carsten Grzemba
ldapmodify -a -f <ldif> -D ...
is recommended instead, and
it is not possible to put this aci in the dse.ldif directly.
On 09.03.12, MATON Brett <Brett.Maton(a)nrb.be> wrote:
>
> Thanks again Carsten,
>
>
>
> To put the ACI’s in the root do I need to edit /etc/dirsrv/slapd<instance>/dse.ldif and add them there, or simply do an ldapadd ?
>
>
>
> Thanks Brett
>
>
>
> From: 389-users-bounces(a)lists.fedoraproject.org [mailto:389-users-bounces@lists.fedoraproject.org] On Behalf Of Carsten Grzemba
> Sent: 09 March 2012 09:51
> To: General discussion list for the 389 Directory server project.
> Subject: Re: [389-users] Solaris 10 Clients without anonymous binds
>
>
>
>
> Hi,
>
> As far as I know, access to the nisdomain attribute is only necessary for the Solaris LDAP client so that it can pull and refresh the configuration profile from the LDAP server (refresh after the TTL has expired (default 1d)). It is a marker: where the nisdomain value matches is the right namingContext/BaseDN in which to search for the profile. The profile is commonly located in the ou=profile container and has objectclass=DUAConfigProfile.
>
> But the ACI should be placed on the root entry dc=example,dc=com.
>
> If you want to use the LDAP server Profile concept for Solaris Clients you can run /usr/lib/ldap/idsconfig.
> There you must adjust the version checking, so that 389DS matches DS 5.2.
>
> On 09.03.12, MATON Brett <Brett.Maton(a)nrb.be> wrote:
>
>
>
> I came across this link https://blogs.oracle.com/jo/entry/anonymous_access_and_solaris_native
>
>
>
> Which mentions adding the following ACL’s:
>
>
>
> the baseDN- (target = ldap:///dc=example,dc=com) (targetscope = base) (targetattr="*") (version 3.0; acl "anonymousBaseDN"; allow (read, compare, search) (userdn = "ldap:///anyone") ;) .
>
> For super secure access, this aci could be modified thus to only allow access to the nisDomain attribute
>
> (target = ldap:///dc=example,dc=com) (targetscope = base) (targetattr="nisdomain") (version 3.0; acl "anonymousBaseDN"; allow (read, compare, search) (userdn = "ldap:///anyone") ;) .
>
> the profile container- (target = "ldap:///ou=profile,dc=example,dc=com") (targetscope = subtree) (targetattr="*") (version 3.0; acl "anonymousProfile"; allow (read,compare,search) (userdn = "ldap:///anyone") ;)
>
> For super secure access, this aci could be modified thus to only allow access to the proxyagent user object
>
> (target = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com") (targetscope = subtree) (targetattr="*") (version 3.0; acl "anonymousProfile"; allow (all) (userdn = "ldap:///anyone") ;)
>
>
>
> I just can’t figure out where to put them, any help appreciated!
>
>
>
> From: 389-users-bounces(a)lists.fedoraproject.org [mailto:389-users-bounces@lists.fedoraproject.org <389-users-bounces(a)lists.fedoraproject.org>] On Behalf Of MATON Brett
> Sent: 08 March 2012 14:39
> To: General discussion list for the 389 Directory server project.
> Subject: Re: [389-users] Solaris 10 Clients without anonymous binds
>
>
>
>
>
> Hi Carsten,
>
>
>
> I’ll give it a go, thanks.
>
>
>
> Brett
>
>
>
> From: 389-users-bounces(a)lists.fedoraproject.org [mailto:389-users-bounces@lists.fedoraproject.org <389-users-bounces(a)lists.fedoraproject.org>] On Behalf Of Carsten Grzemba
> Sent: 08 March 2012 14:34
> To: General discussion list for the 389 Directory server project.
> Subject: Re: [389-users] Solaris 10 Clients without anonymous binds
>
>
>
>
> Hi,
>
> I guess it must be possible for the Solaris client to read at least the base, so the client can see the supported features:
> # ldapsearch -h <ldapserver> -b "" -s base objectclass="*"
> should return the supportedcontrols, etc.
>
>
> On 08.03.12, MATON Brett <Brett.Maton(a)nrb.be> wrote:
>
>
>
> I’ve got some hosts using Solaris 10
>
>
>
> cat /etc/release
>
> Solaris 10 10/09 s10s_u8wos_08a SPARC
>
> Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
>
> Use is subject to license terms.
>
> Assembled 16 September 2009
>
>
>
> Which I’ve configured with ldapclient manual (failed miserably until I allowed anonymous binds in dse.ldif).
>
>
>
> ldapclient manual -vv \
>
> -a defaultSearchBase=<blah> \
>
> -a defaultSearchScope=sub \
>
> -a authenticationMethod=tls:simple \
>
> -a credentialLevel=proxy \
>
> -a proxyDN=cn=ldapsearch,cn=config \
>
> -a proxyPassword=<blah> \
>
> -a serviceAuthenticationMethod=pam_ldap:tls:simple \
>
> -a domainName=<blah> \
>
> -a certificatePath=/var/ldap \
>
> -a serviceSearchDescriptor=group:ou=Groups,<blah> <389 server>
>
>
>
> If I turn anonymous binds off once the client is configured, it fails to connect because the Solaris client is still insisting on making anonymous binds.
>
> I’m getting these in my access log:
>
>
>
> [08/Mar/2012:15:04:49 +0100] conn=1 fd=64 slot=64 SSL connection from <Solaris 10> to <389 DS>
>
> [08/Mar/2012:15:04:49 +0100] conn=1 SSL 128-bit RC4
>
> [08/Mar/2012:15:04:49 +0100] conn=1 op=0 UNPROCESSED OPERATION - Anonymous access not allowed
>
> [08/Mar/2012:15:04:49 +0100] conn=1 op=0 RESULT err=48 tag=101 nentries=0 etime=0
>
> [08/Mar/2012:15:04:49 +0100] conn=1 op=1 UNBIND
>
> [08/Mar/2012:15:04:49 +0100] conn=1 op=1 fd=64 closed - U1
>
>
>
> Anyone come across this before and have a solution? I really don’t want to have to allow anonymous binds...
>
> Brett
>
Re: [389-users] Solaris 10 Clients without anonymous binds
by Carsten Grzemba
Hi,
As far as I know, access to the nisdomain attribute is only necessary for the Solaris LDAP client so that it can pull and refresh the configuration profile from the LDAP server (refresh after the TTL has expired, default 1d). It is a marker: where the nisdomain value matches is the right namingContext/BaseDN to search for the profile. The profile is commonly located in the ou=profile container and has objectclass=DUAConfigProfile.
But the ACI should be placed on the root entry dc=example,dc=com.
If you want to use the LDAP server profile concept for Solaris clients you can run /usr/lib/ldap/idsconfig.
There you must adjust the version checking, so that 389DS matches DS 5.2.
On 09.03.12, MATON Brett <Brett.Maton(a)nrb.be> wrote:
>
> I came across this link https://blogs.oracle.com/jo/entry/anonymous_access_and_solaris_native
>
> Which mentions adding the following ACLs:
>
> the baseDN - (target = ldap:///dc=example,dc=com) (targetscope = base) (targetattr="*") (version 3.0; acl "anonymousBaseDN"; allow (read, compare, search) (userdn = "ldap:///anyone") ;) .
>
> For super secure access, this aci could be modified thus to only allow access to the nisDomain attribute
>
> (target = ldap:///dc=example,dc=com) (targetscope = base) (targetattr="nisdomain") (version 3.0; acl "anonymousBaseDN"; allow (read, compare, search) (userdn = "ldap:///anyone") ;) .
>
> the profile container - (target = "ldap:///ou=profile,dc=example,dc=com") (targetscope = subtree) (targetattr="*") (version 3.0; acl "anonymousProfile"; allow (read,compare,search) (userdn = "ldap:///anyone") ;)
>
> For super secure access, this aci could be modified thus to only allow access to the proxyagent user object
>
> (target = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com") (targetscope = subtree) (targetattr="*") (version 3.0; acl "anonymousProfile"; allow (all) (userdn = "ldap:///anyone") ;)
>
> I just can’t figure out where to put them, any help appreciated!
>
> From: 389-users-bounces(a)lists.fedoraproject.org [mailto:389-users-bounces@lists.fedoraproject.org] On Behalf Of MATON Brett
> Sent: 08 March 2012 14:39
> To: General discussion list for the 389 Directory server project.
> Subject: Re: [389-users] Solaris 10 Clients without anonymous binds
>
>
>
>
>
> Hi Carsten,
>
>
>
> I’ll give it ago, thanks.
>
>
>
> Brett
>
>
>
> From: 389-users-bounces(a)lists.fedoraproject.org [mailto:389-users-bounces@lists.fedoraproject.org <389-users-bounces(a)lists.fedoraproject.org>] On Behalf Of Carsten Grzemba
> Sent: 08 March 2012 14:34
> To: General discussion list for the 389 Directory server project.
> Subject: Re: [389-users] Solaris 10 Clients without anonymous binds
>
>
>
>
> Hi,
>
> I guess the Solaris client must be able to read at least the base so the client can see the supported features:
> # ldapsearch -h <ldapserver> -b "" -s base objectclass="*"
> should return the supportedcontrols, etc.
>
>
> On 08.03.12, MATON Brett <Brett.Maton(a)nrb.be> wrote:
>
>
>
> I’ve got some hosts using Solaris 10
>
> cat /etc/release
> Solaris 10 10/09 s10s_u8wos_08a SPARC
> Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
> Use is subject to license terms.
> Assembled 16 September 2009
>
> Which I’ve configured with ldapclient manual (failed miserably until I allowed anonymous binds in dse.ldif).
>
> ldapclient manual -vv \
> -a defaultSearchBase=<blah> \
> -a defaultSearchScope=sub \
> -a authenticationMethod=tls:simple \
> -a credentialLevel=proxy \
> -a proxyDN=cn=ldapsearch,cn=config \
> -a proxyPassword=<blah> \
> -a serviceAuthenticationMethod=pam_ldap:tls:simple \
> -a domainName=<blah> \
> -a certificatePath=/var/ldap \
> -a serviceSearchDescriptor=group:ou=Groups,<blah> <389 server>
>
> If I turn anonymous binds off once the client is configured, it fails to connect because the Solaris client is still insisting on making anonymous binds.
>
> I’m getting these in my access log:
>
> [08/Mar/2012:15:04:49 +0100] conn=1 fd=64 slot=64 SSL connection from <Solaris 10> to <389 DS>
> [08/Mar/2012:15:04:49 +0100] conn=1 SSL 128-bit RC4
> [08/Mar/2012:15:04:49 +0100] conn=1 op=0 UNPROCESSED OPERATION - Anonymous access not allowed
> [08/Mar/2012:15:04:49 +0100] conn=1 op=0 RESULT err=48 tag=101 nentries=0 etime=0
> [08/Mar/2012:15:04:49 +0100] conn=1 op=1 UNBIND
> [08/Mar/2012:15:04:49 +0100] conn=1 op=1 fd=64 closed - U1
>
>
>
> Anyone come across this before and have a solution? I really don’t want to have to allow anonymous binds...
>
> Brett
--
Carsten Grzemba
Tel.: +49 3677 64740
Mobil: +49 171 9749479
Fax: +49 3677 6474111
Email: carsten.grzemba(a)contac-dt.de
contac Datentechnik GmbH
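Carsten's advice above is to put the base-entry ACI on the root entry; the four ACIs Brett quoted from the Oracle post differ a lot in how much they expose to anonymous clients, from one attribute of one entry up to full rights on the proxyagent entry. The following is an added example, not code from this thread or from 389 DS: a small Python linter that parses the 389 ACI syntax for the fields that matter here and grades each anonymous grant (the `parse_aci` and `lint_aci` names and the severity labels are my own).

```python
import re

ANONYMOUS = "ldap:///anyone"
READ_ONLY = {"read", "compare", "search"}

# Regexes for the ACI fields the linter cares about; targetscope defaults to subtree in 389 DS.
_RE = {
    "name":   re.compile(r'acl\s+"([^"]+)"'),
    "target": re.compile(r'\(\s*target\s*=\s*"?(ldap:///[^"\s)]+)"?\s*\)'),
    "scope":  re.compile(r'\(\s*targetscope\s*=\s*"?(\w+)"?\s*\)'),
    "attr":   re.compile(r'\(\s*targetattr\s*(!?=)\s*"([^"]*)"\s*\)'),
    "rights": re.compile(r'allow\s*\(([^)]*)\)'),
    "userdn": re.compile(r'userdn\s*=\s*"([^"]+)"'),
}

def parse_aci(aci):
    """Pull the target, scope, attribute filter, rights and bind rule out of one ACI string."""
    def field(key, default=None, group=1):
        m = _RE[key].search(aci)
        return m.group(group) if m else default
    return {
        "name": field("name", "<unnamed>"),
        "target": field("target"),
        "scope": field("scope", "subtree").lower(),
        "attr_op": field("attr", "=", 1),          # "!=" means "every attribute except these"
        "attrs": field("attr", "", 2),
        "rights": {r.strip().lower() for r in field("rights", "").split(",") if r.strip()},
        "userdn": field("userdn"),
    }

def lint_aci(aci):
    """Return (severity, message) for an ACI; only grants to ldap:///anyone are graded."""
    a = parse_aci(aci)
    if a["userdn"] != ANONYMOUS:
        return "ok", f'{a["name"]}: not an anonymous grant'
    extra = a["rights"] - READ_ONLY
    if extra:                                     # e.g. allow (all): anonymous write/delete on the entry
        return "high", f'{a["name"]}: anonymous users get {sorted(extra)} on {a["target"]}'
    everything = a["attrs"] == "*" or a["attr_op"] == "!="
    if everything and a["scope"] != "base":
        return "warn", f'{a["name"]}: anonymous read of all attributes across the {a["scope"]} under {a["target"]}'
    if everything:
        return "info", f'{a["name"]}: anonymous read of the single base entry {a["target"]}; consider limiting targetattr'
    return "ok", f'{a["name"]}: anonymous read limited to "{a["attrs"]}" at scope {a["scope"]}'

# The four ACIs quoted from the Oracle blog post earlier in this thread.
THREAD_ACIS = [
    '(target = ldap:///dc=example,dc=com) (targetscope = base) (targetattr="*") '
    '(version 3.0; acl "anonymousBaseDN"; allow (read, compare, search) (userdn = "ldap:///anyone") ;)',
    '(target = ldap:///dc=example,dc=com) (targetscope = base) (targetattr="nisdomain") '
    '(version 3.0; acl "anonymousBaseDN"; allow (read, compare, search) (userdn = "ldap:///anyone") ;)',
    '(target = "ldap:///ou=profile,dc=example,dc=com") (targetscope = subtree) (targetattr="*") '
    '(version 3.0; acl "anonymousProfile"; allow (read,compare,search) (userdn = "ldap:///anyone") ;)',
    '(target = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com") (targetscope = subtree) '
    '(targetattr="*") (version 3.0; acl "anonymousProfile"; allow (all) (userdn = "ldap:///anyone") ;)',
]

if __name__ == "__main__":
    for aci in THREAD_ACIS:
        print("%-4s %s" % lint_aci(aci))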
12 years
Replacing a DS server
by mjames@guesswho.com
We are replacing one of our two 389 servers. I want to re-use the IP address of the old server on the new one. What's the correct order of events for replication, shutdown and replacement?
Thanks, Mike
12 years
Announcing 389 Directory Server version 1.2.10.3 Testing
by Rich Megginson
The 389 Project team is pleased to announce the release of
389-ds-base-1.2.10.3. No new features were added after alpha 8, just
many bug fixes. There are also 389-adminutil, 389-admin, and 389-dsgw
packages in Testing.
NEW: EL6 support
Beginning with RHEL 6.2, the 389-ds-base package is included in the base
OS. Therefore, the 389-ds-base package can no longer be provided via
EPEL, due to RHEL/EPEL packaging restrictions.
However, the 389 Project will still make the full 389-ds-base package
available via http://repos.fedorapeople.org/repos/rmeggins/389-ds-base.
See http://directory.fedoraproject.org/wiki/Download for more information.
NEW: Issue Tracking System
We have moved our ticket tracking system from the Red Hat Bugzilla
https://bugzilla.redhat.com/enter_bug.cgi?product=389 to our Fedora
Hosted Trac https://fedorahosted.org/389. All of the old 389 bugs have
been copied to Trac. All new bugs, feature requests, and tasks should be
entered in Trac
This link shows all of the issues fixed in the 1.2.10 branch -
https://fedorahosted.org/389/report/12
In addition to the tickets for Milestone 1.2.10.3 there were a couple of
issues found by valgrind that have been fixed.
NEW: Plugin Authors
WARNING: Plugins should be made transaction aware so that they can be
called from within a backend pre/post transaction plugin. Otherwise,
attempting to perform an internal operation will cause a deadlock. See
http://directory.fedoraproject.org/wiki/Plugins
Installation
yum install --enablerepo=updates-testing 389-ds
# or for EPEL
yum install --enablerepo=epel-testing
[--enablerepo=epel-testing-389-ds-base] 389-ds
setup-ds-admin.pl
Upgrade
yum upgrade --enablerepo=updates-testing 389-ds-base
idm-console-framework 389-admin 389-ds-console 389-admin-console
389-dsgw 389-adminutil
# or for EPEL
yum upgrade --enablerepo=epel-testing
[--enablerepo=epel-testing-389-ds-base] 389-ds-base
idm-console-framework 389-admin 389-ds-console 389-admin-console
389-dsgw 389-adminutil
setup-ds-admin.pl -u
How to Give Feedback
The best way to provide feedback is via the Fedora Update system.
* Go to https://admin.fedoraproject.org/updates
* In the Search box in the upper right hand corner, type in the name of
the package
* In the list, find the version and release you are using (if you're not
sure, use rpm -qi <package name> on your system) and click on the release
* On the page for the update, scroll down to "Add a comment" and provide
your input
Or just send us an email to 389-users(a)lists.fedoraproject.org
Reporting Issues
https://fedorahosted.org/389
More Information
* Release Notes - http://port389.org/wiki/Release_Notes
* Install_Guide - http://port389.org/wiki/Install_Guide
* Download - http://port389.org/wiki/Download
12 years
Re: [389-users] Solaris 10 Clients without anonymous binds
by Carsten Grzemba
Hi,
I guess it must be able for the Solaris client to read at least the base so the client can see the supported features:
# ldapsearch -h <ldapserver> -b "" -s base objectclass="*"
should return the supportedcontrols, etc.
Am 08.03.12, schrieb MATON Brett <Brett.Maton(a)nrb.be>:
>
> <!--
> /* Font Definitions */
> @font-face
> {font-family:"Cambria Math";
> panose-1:2 4 5 3 5 4 6 3 2 4;}
> @font-face
> {font-family:Calibri;
> panose-1:2 15 5 2 2 2 4 3 2 4;}
> /* Style Definitions */
> p.MsoNormal, li.MsoNormal, div.MsoNormal
> {margin:0cm;
> margin-bottom:.0001pt;
> font-size:11.0pt;
> font-family:"Calibri","sans-serif";}
> a:link, span.MsoHyperlink
> {mso-style-priority:99;
> color:blue;
> text-decoration:underline;}
> a:visited, span.MsoHyperlinkFollowed
> {mso-style-priority:99;
> color:purple;
> text-decoration:underline;}
> span.EmailStyle17
> {mso-style-type:personal-compose;
> font-family:"Calibri","sans-serif";
> color:windowtext;}
> .MsoChpDefault
> {mso-style-type:export-only;}
> @page WordSection1
> {size:612.0pt 792.0pt;
> margin:72.0pt 72.0pt 72.0pt 72.0pt;}
> div.WordSection1
> {page:WordSection1;}
> -->
>
>
>
>
> I’ve got some hosts using Solaris 10
>
>
>
> cat /etc/release
>
> Solaris 10 10/09 s10s_u8wos_08a SPARC
>
> Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
>
> Use is subject to license terms.
>
> Assembled 16 September 2009
>
>
>
> Which I’ve configured with ldapclient manual (failed miserably until I allowed anonymous binds in dse.ldif).
>
>
>
> ldapclient manual -vv \
>
> -a defaultSearchBase=<blah> \
>
> -a defaultSearchScope=sub \
>
> -a authenticationMethod=tls:simple \
>
> -a credentialLevel=proxy \
>
> -a proxyDN=cn=ldapsearch,cn=config \
>
> -a proxyPassword=<blah> \
>
> -a serviceAuthenticationMethod=pam_ldap:tls:simple \
>
> -a domainName=<blah> \
>
> -a certificatePath=/var/ldap \
>
> -a serviceSearchDescriptor=group:ou=Groups,<blah> <389 server>
>
>
>
> If I turn anonymous binds off once the client is configured, it fails to connect because the Solaris client is still insisting on making anonymous binds.
>
> I’m getting these in my access log:
>
>
>
> [08/Mar/2012:15:04:49 +0100] conn=1 fd=64 slot=64 SSL connection from <Solaris 10> to <389 DS>
>
> [08/Mar/2012:15:04:49 +0100] conn=1 SSL 128-bit RC4
>
> [08/Mar/2012:15:04:49 +0100] conn=1 op=0 UNPROCESSED OPERATION - Anonymous access not allowed
>
> [08/Mar/2012:15:04:49 +0100] conn=1 op=0 RESULT err=48 tag=101 nentries=0 etime=0
>
> [08/Mar/2012:15:04:49 +0100] conn=1 op=1 UNBIND
>
> [08/Mar/2012:15:04:49 +0100] conn=1 op=1 fd=64 closed - U1
>
>
>
> Anyone come across this before and have a solution? I really don’t want to have to allow anonymous binds...
>
>
>
> Brett
>
>
>
>
> -------------------------------------------------------------------
>
> GreeNRB
> NRB considers its environmental responsibility and goes for green IT.
> May we ask you to consider yours before printing this e-mail?
>
>
>
> NRB, daring to commit
> This e-mail and any attachments, which may contain information that is confidential and/or protected by intellectual property rights, are intended for the exclusive use of the above-mentioned addressee(s). Any use (including reproduction, disclosure and whole or partial distribution in any form whatsoever) of their content is prohibited without prior authorization of NRB. If you have received this message by error, please contact the sender promptly by resending this e-mail back to him (her), or by calling the above number. Thank you for subsequently deleting this e-mail and any files attached thereto.
>
>
>
>
>
>
12 years
DSGW jpegPhoto upload
by Eric Raymond
Hello All,
I have gone through the documentation with dsgw, and editing the content, but was suprised to find nothing about uploading photos through the webUI. Is there any documentation on how this can be added to the web pages? I wanted to verify I am not missing anything on an easy way to accomplish this without building a cgi app to upload and modify the LDAP directory..
Has anyone else come across this issue?
Any help would be greatly appreciated!
Eric
12 years
SSL initialization Failed
by Luigi Santangelo
Hi guru,
i have a problem with enabling SSL in my Fedora Directory Server. I already
searched with google and I have found other people that have same problem
but, following the instructions, I cannot resolve my problem (maybe my
problem has a different source).
I start by saing that in the past I have enabled SSL on FDS 1.2.5
succesfully, but with FDS 1.2.12 rc2 I cannot.
On my Fedora 16, with kernel 3.2.7-1, I installed FDS 1.2.12rc2. Then, I
created a request for the Directory Server (using Manage Certificates).
During this operation, I inserted the FQDN in Server Name field and I
completed other field (Organization, State, etc). Then I exported the
request and, using a my self-signed CA, I created a cert for the server. I
imported server and CA certs succesfully. In the Certification Path tab of
server cert, I can see the correct chain (server and ca certs). But when I
enable SSL for my server (with Encryption tab) and I restart my server, it
cannot start correctly and give me this error:
SSL alert: Security Initialization: Unable to authenticate (Netscape
Portable Runtime error -8192 - An I/O error occurred during security
authorization.)
ERROR: SSL Initialization Failed.
But if I create a key and cert with openssl for my server (then not
creating the request and sign it, but creating the cert directly with
openssl), I export the cert in p12 format and I import it with certutil
utility, it works fine: I can enable SSL and I can restart my server
without any problem.
Then, I thing that I wrong to insert the information during generation
request. Can you help me?
Another question (mere curiosity): why RedHat Directory Server and Fedora
Directory Server have different version number? Its doesn't offer the same
features? Thanks
12 years
Replication Referrals being reset unexpectedly
by Michael Gettes
389-ds-base is 1.2.9.9 on EL5
I have an MMR setup, 2 suppliers to 3 consumers. I am replicating userRoot and netscapeRoot.
All replication agreements are over SSL:636 using simple binds. On the consumers, the referrals shown in the mapping tree (nsslapd-referral) are ldap://hostname:389/suffix for each supplier. I need them to be ldaps://hostname:636/suffix. I have changed them live and then I make an object change and it works as I would expect. But when I restart the dsa the referrals are reset to ldap://hostname:389/suffix
how do i prevent the nsslapd-referral attributes from being reset?
Thanks.
/mrg
12 years