Accessing TCP options data in 389ds
by Justin Kinney
Hello,
I'm investigating the possibility of logging client IP address where 389ds
is deployed behind a load balancer. Today, we lose the true client IP
address as the source IP is replaced with the load balancer's before the
packet hits the 389 host. Has anybody solved this issue before?
For HTTP based services, this problem is trivial to overcome by grokking
the X-Forwarded-For header from the request, but obviously this doesn't
work with a service like LDAP deployed behind a TCP based load balancing
instance.
One option is to use a direct server return (DSR) configuration with our
load balancer and host, but that adds a lot of overhead to our environment
in terms of configuration complexity, so I'd like to avoid that.
Another option is using an interesting capability of our load balancer (and
I'm not sure how unique this feature is - I'd be interested in hearing if
anyone else has run across it). It can insert the client IP address into
the TCP stream, as arbitrary data in the options field of the TCP header.
Existence of an address is also indicated by a magic number (which can
uniquely identify the VIP on the load balancer).
What would it take to modify 389 to access the raw TCP header, parse the
options field to get the true client IP, and then associate it with the
request? Ideally, the client IP would be accessible in the access log.
Thanks in advance,
Justin
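An added example, not code from the post or from 389ds, of the parsing step Justin asks about. A process reading from an ordinary TCP socket never sees the peer's TCP options, so whatever the load balancer inserts has to be taken from the raw segment (a packet socket, pcap, or a kernel-side hook) and then matched to the connection by its 4-tuple; the walk over the options area is the same in each case. The option kind (254) and the 4-byte magic value are placeholders, since the post does not give the balancer's actual values, and the segment below is constructed rather than captured. The last function is the check a practitioner would want: the option must only be honoured on segments that arrived from the balancer itself, because if the listener is reachable directly any client can set the same option and write an arbitrary address into the access log.

```python
import socket
import struct
from typing import List, Optional, Tuple

TCP_OPT_EOL = 0   # end of option list: single byte, no length
TCP_OPT_NOP = 1   # padding: single byte, no length

# ASSUMPTION (not from the post): the load balancer writes a TLV option with
# this kind, whose data is a 4-byte magic value followed by the IPv4 client
# address. Substitute the values your load balancer documents.
LB_OPTION_KIND = 254
LB_MAGIC = b"\xca\xfe\x00\x01"


def parse_tcp_options(segment: bytes) -> List[Tuple[int, bytes]]:
    """Walk the options area of a raw TCP segment and return (kind, data) pairs.

    Rejects truncated headers and malformed lengths instead of reading past
    the buffer: this data comes off the wire, so it is untrusted input.
    """
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (segment[12] >> 4) * 4          # header length in bytes
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    opts = segment[20:data_offset]
    found: List[Tuple[int, bytes]] = []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option kind %d has no length byte" % kind)
        length = opts[i + 1]                      # length covers kind and length bytes
        if length < 2 or i + length > len(opts):
            raise ValueError("option kind %d has bad length %d" % (kind, length))
        found.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return found


def extract_client_ip(segment: bytes) -> Optional[str]:
    """Return the client address carried in the load balancer's option, if present."""
    for kind, data in parse_tcp_options(segment):
        if kind == LB_OPTION_KIND and len(data) == len(LB_MAGIC) + 4 and data.startswith(LB_MAGIC):
            return socket.inet_ntoa(data[len(LB_MAGIC):])
    return None


def trusted_client_ip(segment: bytes, peer_ip: str, lb_ips: frozenset) -> Optional[str]:
    """Only honour the option on segments whose source address is a load balancer.

    Anything else could have been set by the remote client itself.
    """
    if peer_ip not in lb_ips:
        return None
    return extract_client_ip(segment)


# --- constructed sample data (not a real capture) ---------------------------

def lb_option(client_ip: str) -> bytes:
    data = LB_MAGIC + socket.inet_aton(client_ip)
    return bytes([LB_OPTION_KIND, 2 + len(data)]) + data


def build_segment(src_port: int, dst_port: int, options: bytes) -> bytes:
    """Minimal TCP header (seq/ack zero, no payload) carrying the given options."""
    options += b"\x00" * ((-len(options)) % 4)     # pad to a 32-bit boundary with EOL
    data_offset_words = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH",
                         src_port, dst_port, 0, 0,
                         data_offset_words << 4,     # upper nibble of byte 12
                         0x18,                       # PSH|ACK
                         65535, 0, 0)                # window, checksum, urgent pointer
    return header + options


def sample_segment() -> bytes:
    # NOP, NOP, MSS=1460, then the balancer's option for client 198.51.100.23
    opts = b"\x01\x01" + b"\x02\x04\x05\xb4" + lb_option("198.51.100.23")
    return build_segment(40000, 389, opts)


if __name__ == "__main__":
    seg = sample_segment()
    print(parse_tcp_options(seg))
    print(trusted_client_ip(seg, "10.0.0.5", frozenset({"10.0.0.5"})))
```

Associating the result with the LDAP operation is then a lookup keyed on (source IP, source port) of the segment against the connection's peer address as the server sees it; that mapping, plus writing the value into the access log line, is the part that would need a change in the server itself.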
Re: [389-users] problems with dsgw
by Barton, Joseph B.
>Date: Thu, 11 Jul 2013 14:55:01 -0600
>From: Rich Megginson <rmeggins(a)redhat.com>
>To: 389-users(a)lists.fedoraproject.org
>Subject: Re: [389-users] problems with dsgw
>On 07/11/2013 02:32 PM, Barton, Joseph B. wrote:
>> Hi,
>>
>> I am just starting to work with 389 on CentOS 6.3, and run into a bit
>> of a snag on a test install of 389. Everything seems to work fine
>> with the basic install. I am able to access the
>> /usr/bin/389-console, run commands from a prompt, plus I am able to
>> access the 389 administration express page from the web server
>> running on port 9830.
>>
>> We need to be able to utilize the directory server gateway web
>> interface. After verifying the 389-dsgw-1.1.10-1.el6_3.x86_64 was
>> installed along with the rest of the 389 packages, I then ran the
>> setup-ds-admin.pl script. This seemed to complete without error, and
>> I was then able to go to the web server running on port 9830 and
>> notice that the directory server express, directory server org charts
>> and (most importantly) directory server gateway links were now added
>> to the page.
>I'm assuming you meant "ran setup-ds-admin.pl first, then ran
>setup-ds-dsgw"?
Yes!
>>
>>
>> The problems are that I get a "Not Found" error for each of the newly
>> added links.
>> 1. If I click on directory server gateway I get:
>> Not Found
>> The requested URL /clients/dsgw/bin/lang was not found on this
>> server.
>>
>> 2. If I click on directory server gateway I get:
>> Not Found
>> The requested URL /clients/dsgw/bin/lang was not found on this
>> server.
>>
>> 3. If I click on the Directory Server Org Charts link, I get:
>> Not found
>> The requested URL /clients/orgchart/html/index.html was not found on
>> this server.
>>
>> All documentation seems to point that this should be working.
>>
>> I would appreciate it if someone could point me in the right
>> direction to get this fixed.
>> to get this fixed.
>>
>> Thanks!
>>
>> Joe
>> --
problems with dsgw
by Barton, Joseph B.
Hi,
I am just starting to work with 389 on CentOS 6.3, and run into a bit
of a snag on a test install of 389. Everything seems to work fine with
the basic install. I am able to access the /usr/bin/389-console, run
commands from a prompt, plus I am able to access the 389 administration
express page from the web server running on port 9830.
We need to be able to utilize the directory server gateway web
interface. After verifying the 389-dsgw-1.1.10-1.el6_3.x86_64 was
installed along with the rest of the 389 packages, I then ran the
setup-ds-admin.pl script. This seemed to complete without error, and I
was then able to go to the web server running on port 9830 and notice
that the directory server express, directory server org charts and (most
importantly) directory server gateway links were now added to the page.
The problems are that I get a "Not Found" error for each of the newly
added links.
1. If I click on directory server gateway I get:
Not Found
The requested URL /clients/dsgw/bin/lang was not found on this server.
2. If I click on directory server gateway I get:
Not Found
The requested URL /clients/dsgw/bin/lang was not found on this server.
3. If I click on the Directory Server Org Charts link, I get:
Not found
The requested URL /clients/orgchart/html/index.html was not found on
this server.
All documentation seems to point that this should be working.
I would appreciate it if someone could point me in the right direction
to get this fixed.
Thanks!
Joe
default password parameters
by Elizabeth Jones
We recently discovered that some of our users can pad their login
passwords with additional characters and still get authenticated by our
389DS. Our server was migrated from another server and we didn't set
anything as far as password requirements in the 389DS because we didn't
want to end up locking any migrated users out. Would the default settings
for 389DS have a max number of characters that it looks at/returns, so
that when these users are logging in and padding their passwords, it
doesn't matter because it is only using the first 8 characters or
something?
We also found that after a user has changed their password using our
password change program, which does enforce password rules, they are no
longer able to pad their passwords.
thanks for any insight -
EJ
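An added example, not from the post or from 389ds, of the check a practitioner would run before changing anything: find out which hash scheme each migrated userPassword is actually stored under. The behaviour EJ describes (extra trailing characters accepted until the password is re-set) is what you get when the stored hash only covers part of the password; traditional DES crypt(3), recognisable by its 13-character body, hashes only the first 8 characters, whereas the $-prefixed crypt variants and the {SSHA} family hash the whole string. Whether that is the cause here is an assumption; the script just inventories the schemes in an LDIF export (taken as Directory Manager, so userPassword is included) and lists the DNs stored under a truncating scheme. The LDIF below is constructed and the hash bodies are not real digests.

```python
import base64
import re
from collections import Counter
from typing import Dict, Iterator, List, Tuple

ATTR_RE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")
SCHEME_RE = re.compile(r"^\{([^}]+)\}(.*)$", re.S)
# Traditional DES crypt(3): 2 salt chars + 11 hash chars, all from [./0-9A-Za-z].
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
TRUNCATING = "CRYPT (traditional DES: only the first 8 password characters are hashed)"


def _unfold(text: str) -> List[str]:
    """Join LDIF continuation lines (those starting with a space) onto the previous line."""
    out: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def ldif_records(text: str) -> Iterator[Dict[str, List[str]]]:
    """Yield one {attribute: [values]} dict per record; '::' values are base64-decoded."""
    record: Dict[str, List[str]] = {}
    for line in _unfold(text) + [""]:          # the sentinel flushes the last record
        if not line.strip():
            if record:
                yield record
                record = {}
            continue
        if line.startswith("#"):
            continue
        m = ATTR_RE.match(line)
        if not m:
            continue
        name, sep, raw = m.group(1).lower(), m.group(2), m.group(3)
        value = base64.b64decode(raw).decode("utf-8", "replace") if sep == "::" else raw
        record.setdefault(name, []).append(value)


def classify_password(stored: str) -> str:
    """Map a stored userPassword value to a human-readable scheme category."""
    m = SCHEME_RE.match(stored)
    if not m:
        return "no {scheme} prefix"
    scheme, body = m.group(1).upper(), m.group(2)
    if scheme == "CRYPT":
        if body.startswith("$"):
            return "CRYPT ($-prefixed: whole password hashed)"
        if DES_CRYPT_RE.match(body):
            return TRUNCATING
        return "CRYPT (unrecognised body)"
    if scheme == "CLEAR":
        return "CLEAR (stored in clear text)"
    if scheme in ("MD5", "SHA"):
        return scheme + " (unsalted)"
    return scheme


def inventory(ldif_text: str) -> Tuple[Counter, List[str]]:
    """Count storage schemes and list the DNs whose hash ignores characters past the 8th."""
    counts: Counter = Counter()
    truncating_dns: List[str] = []
    for rec in ldif_records(ldif_text):
        dn = rec.get("dn", ["?"])[0]
        for pw in rec.get("userpassword", []):
            cat = classify_password(pw)
            counts[cat] += 1
            if cat == TRUNCATING:
                truncating_dns.append(dn)
    return counts, truncating_dns


# --- constructed sample export (not real data, hash bodies are placeholders) --

def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()

_bob_pw = _b64("{SSHA}c2FtcGxlLWRpZ2VzdC1hbmQtc2FsdA==")   # folded over two lines below
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,ou=people,dc=example,dc=com",
    "objectClass: inetOrgPerson",
    "userPassword: {CRYPT}abJnggxhB/yWI",
    "",
    "dn: uid=bob,ou=people,dc=example,dc=com",
    "objectClass: inetOrgPerson",
    "userPassword:: " + _bob_pw[:16],
    " " + _bob_pw[16:],
    "",
    "dn: uid=carol,ou=people,dc=example,dc=com",
    "objectClass: inetOrgPerson",
    "userPassword: {CRYPT}$1$saltsalt$RaNdOmMd5CrYpTbOdYhErE",
    "",
])

if __name__ == "__main__":
    counts, dns = inventory(SAMPLE_LDIF)
    for cat, n in counts.most_common():
        print(f"{n:6d}  {cat}")
    print("truncating:", dns)
```

Entries stored under a truncating scheme stay that way until the user's password is set again, at which point the server's configured storage scheme applies; the DN list is the set of accounts to push through a reset.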
Multi master replication problem (389 DS - AD)
by Alberto Viana
Hello,
DS base: 1.3.0.4
DS admin: 1.3.1.31
I'm trying to set up a new version of 389 DS multi-master replication with Active Directory (Windows 2008) and I'm getting the following errors:
[04/Jul/2013:16:57:32 -0300] NSMMReplicationPlugin - agmt="cn=AD-HMG1" (hmg1:636): binddn = CN=Conta de sincronizacao do AD com LDAP 389,CN=Users,DC=homolog,DC=rnp, passwd = {DES}Zdi9SkO9E8Jpy/LJq528zg==
[04/Jul/2013:16:57:32 -0300] slapi_ldap_bind - Error: could not send bind request for id [CN=Conta de sincronizacao do AD com LDAP 389,CN=Users,DC=homolog,DC=rnp] mech [SIMPLE]: error -1 (Can't contact LDAP server) -5987 (Invalid function argument.) 115 (Operation now in progress "hmg1.homolog.rnp")
[04/Jul/2013:16:57:32 -0300] NSMMReplicationPlugin - agmt="cn=AD-HMG1" (hmg1:636): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ((unknown error code))
If I run a manual ldapsearch everything is OK and I can see all my objects in AD:
ldapsearch -b "dc=homolog,dc=rnp" -x -H ldaps://hmg1.homolog.rnp -D "CN=Conta de sincronizacao do AD com LDAP 389,CN=Users,DC=homolog,DC=rnp" -W objectclass=*
My AD user (CN=Conta de sincronizacao do AD com LDAP 389,CN=Users,DC=homolog,DC=rnp) has full access to the AD tree, and it was working normally with my previous 389 version (1.2.10.12). The only thing that changed on the Windows machine was the winsync version.
The only difference from my production environment is that I was using the Mozilla SDK to compile 389 and now I'm using OpenLDAP.
Any clue?
Thanks
Alberto Viana
How do I restrict groups
by Andy Spooner
How do I restrict the number of groups or users that an application/service can see?
I have an application that authenticates against 389. I want to restrict the groups that are available to the application.
Regards
Andy
The contents of this email are strictly confidential to the intended recipient(s). If received in error you may not copy or distribute this message and should delete and destroy all copies and kindly notify the sender by return email. Emails may be interfered with, may contain computer viruses or other defects. SHORT FILMS 4 U Limited gives no warranties in relation to these matters.
connection time outs
by Liutauras Adomaitis
Hi,
I am trying to debug a problem where, under certain load, postfix, which is
configured to use LDAP lookups, throws "warning: dict_ldap_lookup: Search
error -5: Timed out" messages. In the dirsrv slapd access logs I can see a lot
of ABANDON messages and that is all I can find in the logs related to this,
meaning that dirsrv doesn't give me any clue why the timeouts happen. I
don't get any file descriptor shortage errors.
Of course there are too many possible causes for that, but my question
first of all is how to debug what causes the dirsrv timeouts.
Liutauras
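An added example, not from the post or from 389ds, of the first thing to do with those ABANDON lines. An ABANDON is sent by the client (postfix, once its own lookup timeout expires), and its targetop names the earlier operation on the same connection that was still running, so the useful information is in the SRCH line that op points at: its base, its filter, and how long it had been outstanding when the client gave up. The script pairs each ABANDON with its SRCH by (conn, op), groups the abandoned filters by shape so the slow query pattern stands out, and separately collects searches the server completed but flagged as unindexed (notes=U on the RESULT line), which is the usual reason a filter that is fast in testing falls over under load. It assumes the usual conn=/op= layout of the 389ds access log; the log lines below are constructed, not taken from a real server.

```python
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, Optional, Tuple

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<rest>.*)$")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str) -> Optional[dict]:
    """Split an access log line into timestamp, conn, op and the remaining text."""
    m = LINE_RE.match(line)
    if not m:
        return None                      # connection open/close lines carry no op=
    return {
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "conn": int(m.group("conn")),
        "op": int(m.group("op")),
        "rest": m.group("rest"),
    }


def field(rest: str, name: str) -> Optional[str]:
    """Pull name="quoted value" or name=token out of the tail of a log line."""
    m = re.search(r'(?:^|\s)' + re.escape(name) + r'=(?:"([^"]*)"|(\S+))', rest)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def filter_shape(ldap_filter: str) -> str:
    """Replace assertion values with '*' so equivalent filters group together."""
    return re.sub(r"=[^)]*", "=*", ldap_filter)


def analyse(lines: List[str]) -> Tuple[List[dict], List[dict]]:
    """Match each ABANDON to the SRCH it targets; also collect unindexed searches."""
    pending: Dict[Tuple[int, int], dict] = {}   # (conn, op) -> SRCH details
    abandoned: List[dict] = []
    unindexed: List[dict] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key, rest = (ev["conn"], ev["op"]), ev["rest"]
        if rest.startswith("SRCH "):
            pending[key] = {"ts": ev["ts"], "base": field(rest, "base"),
                            "filter": field(rest, "filter")}
        elif rest.startswith("RESULT "):
            srch = pending.pop(key, None)
            notes = field(rest, "notes") or ""
            if srch and "U" in notes:
                unindexed.append({**srch, "conn": key[0], "op": key[1],
                                  "etime": float(field(rest, "etime") or 0)})
        elif rest.startswith("ABANDON "):
            target = field(rest, "targetop")
            srch = pending.pop((ev["conn"], int(target)), None) if target else None
            if srch:
                abandoned.append({**srch, "conn": ev["conn"], "op": int(target),
                                  "waited": (ev["ts"] - srch["ts"]).total_seconds()})
    return abandoned, unindexed


def top_abandoned_shapes(abandoned: List[dict]) -> Counter:
    """Count abandoned searches by (base, filter shape)."""
    return Counter((a["base"], filter_shape(a["filter"])) for a in abandoned)


# --- constructed sample log (not from a real server) --------------------------
SAMPLE_ACCESS_LOG = """\
[12/Jul/2013:10:15:01 +0300] conn=142 fd=68 slot=68 connection from 192.0.2.10 to 192.0.2.20
[12/Jul/2013:10:15:01 +0300] conn=142 op=0 BIND dn="cn=postfix,ou=services,dc=example,dc=com" method=128 version=3
[12/Jul/2013:10:15:01 +0300] conn=142 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=postfix,ou=services,dc=example,dc=com"
[12/Jul/2013:10:15:01 +0300] conn=142 op=1 SRCH base="ou=people,dc=example,dc=com" scope=2 filter="(&(objectClass=mailRecipient)(mailAlternateAddress=user@example.com))" attrs="mail"
[12/Jul/2013:10:15:06 +0300] conn=142 op=2 ABANDON targetop=1 msgid=2 nentries=0 etime=5
[12/Jul/2013:10:15:06 +0300] conn=142 op=3 SRCH base="ou=people,dc=example,dc=com" scope=2 filter="(mail=other@example.com)" attrs="mail"
[12/Jul/2013:10:15:06 +0300] conn=142 op=3 RESULT err=0 tag=101 nentries=1 etime=0
[12/Jul/2013:10:15:07 +0300] conn=143 op=1 SRCH base="ou=people,dc=example,dc=com" scope=2 filter="(mailAlternateAddress=third@example.com)" attrs="mail"
[12/Jul/2013:10:15:11 +0300] conn=143 op=1 RESULT err=0 tag=101 nentries=1 etime=4 notes=U
"""

if __name__ == "__main__":
    abandoned, unindexed = analyse(SAMPLE_ACCESS_LOG.splitlines())
    for (base, shape), n in top_abandoned_shapes(abandoned).most_common():
        print(f"{n:5d} abandoned  base={base} filter={shape}")
    for u in unindexed:
        print(f"unindexed (notes=U) etime={u['etime']}s filter={u['filter']}")
```

Run it over the real access log around the time of the postfix warnings; if the abandoned filters share a shape and the same attribute shows up in unindexed RESULT lines, the next step is an index on that attribute rather than raising the client timeout.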
Call for Papers for the 4th International Conference on LDAP
by Peter Gietz
With the usual apologies for cross posting
The Fourth International Conference on LDAP (LDAPCon) will take place on November 18-19 in Paris, France.
The International Conference on LDAP is a technical forum for IT professionals interested in LDAP and related topics like directory servers, directory management applications, directory integration, identity and access management, and meta directories.
It focuses on implementation and integration of LDAP servers and LDAP-enabled client applications. The event will bring together vendors, developers, active and prospective LDAP practitioners to share their experiences about deployment strategies, service operations, interoperability, discuss LDAP usage in new projects and learn about upcoming trends and developments.
The call for papers is out and can be found at: http://ldapcon.org/#cfp
Peter (on behalf of the organisers)
--
Peter Gietz, CEO
DAASI International GmbH
Europaplatz 3
D-72072 Tübingen
Germany
phone: +49 7071 407109-0
fax: +49 7071 407109-9
email: peter.gietz(a)daasi.de
web: www.daasi.de
Sitz der Gesellschaft: Tübingen
Registergericht: Amtsgericht Stuttgart, HRB 382175
Geschäftsleitung: Peter Gietz