Problem browsing LDAP with Outlook
by Chris Bryant
When configuring Microsoft Outlook (not Outlook Express) to access an LDAP directory, there is an option to 'Enable Browsing (requires server support)'. If this option is chosen and the directory server supports it, then you should be able to open the LDAP address book and page up and down through the results. I have been unable to get this working properly with 389 DS.
When I try to browse from Outlook against the 389 DS directory, I am able to see the first page of results perfectly. However, if I move to the next page, only the first object returned will have any attributes included, and all of the rest of the objects in the page will have no attributes. I have a test perl script that duplicates this functionality as well.
I can get this to work properly with an older version of Netscape Directory Server, and I can get it working with OpenDS. Since 389 DS advertises support for the controls that are required for this to work, just like the other two servers, then I would expect it to work there also.
Has anyone out there gotten this to work with 389 DS? If so, can you share if there was anything special that you needed to do to get this to work? I'm trying to determine if this is a bug in the server, or if I'm just missing something in the configuration.
Thanks,
Chris
USA.NET
You Run Your Business. We'll Run Your Email.
This message is for the sole use of the intended recipient(s) and may contain confidential and/or privileged information of USA.NET, Inc. Any unauthorized review, use, copying, disclosure, or distribution is prohibited. If you are not the intended recipient, please immediately contact the sender by reply email and delete all copies of the original message.
3 years, 6 months
changelog
by Denise Cosso
Hi,
How to modify the attribute nsslapd-encryptionalgorithm in Centos?
Thanks,
Denise
Stop Master servers and set nsslapd-encryptionalgorithm. The allowed value is AES or 3DES.
dn: cn=changelog5,cn=config
[...]
nsslapd-encryptionalgorithm: AES
--- Em ter, 4/6/13, Rich Megginson <rmeggins(a)redhat.com> escreveu:
De: Rich Megginson <rmeggins(a)redhat.com>
Assunto: Re: [389-users] changelog
Para: "Denise Cosso" <guanaes51(a)yahoo.com.br>
Data: Terça-feira, 4 de Junho de 2013, 16:34
On 06/04/2013 01:26 PM, Denise Cosso
wrote:
Hi, Rich
CentOS release 6.3 (Final)
389-ds-base-libs-1.2.10.2-20.el6_3.x86_64
389-ds-1.2.2-1.el6.noarch
389-dsgw-1.1.10-1.el6.x86_64
389-ds-console-1.2.6-1.el6.noarch
389-ds-console-doc-1.2.6-1.el6.noarch
389-ds-base-1.2.10.2-20.el6_3.x86_64
As far as replication goes - you will need to use a security layer
(SSL, TLS, or GSSAPI) to protect the clear text password on the wire
As far as encrypting it in the changelog - not sure
Denise
--- Em ter, 4/6/13, Rich Megginson <rmeggins(a)redhat.com>
escreveu:
De: Rich Megginson <rmeggins(a)redhat.com>
Assunto: Re: [389-users] changelog
Para: "General discussion list for the 389 Directory
server project."
<389-users(a)lists.fedoraproject.org>
Cc: "Denise Cosso" <guanaes51(a)yahoo.com.br>
Data: Terça-feira, 4 de Junho de 2013, 16:11
On
06/04/2013 12:39 PM, Denise Cosso wrote:
Hi,
Description of problem:
When a userPassword is changed in a server with changelog, the hashed password
is logged and also a cleartext pseudo-attribute version. It looks like this:
change::
replace: userPassword
userPassword: {SHA256}vqtiN2LHdrEUOJUKu+IBVqAVFsAlvFw+11kD/Q==
-
replace: unhashed#user#password
unhashed#user#password: secret12
This unhashed version is used in winsync where the cleartext version of the
password must be written to the AD.
Now if the DS is involved in replication with another DS, the change will be
replayed exactly as it is logged to the other DS replicas, including the
cleartext pseudo-attribute password.
What platform? What version of 389-ds-base are you
using?
thanks,
Denise
--
389 users mailing list
389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
8 years, 11 months
389 Master - Master Replication
by Santos Ramirez
Good Morning,
We have a master - master replication agreement. When we initialize the replication it works perfectly we can see changes to a test user we have set up go up and down from the two servers. However at some point the replication stops and we cannot get replication to start once again. The only way we can get replication to start once again is to recreate the replication agreement and then it fails again. Can anyone please point us in a direction. I am relatively new to 389 so any help would be greatly appreciated.
Santos U. Ramirez
Linux Systems Administrator
National DCP, LLC
150 Depot Street
Bellingham, Ma. 02019
Phone: 508-422-3089
Fax: 508-422-3866
Santos.Ramirez(a)natdcp.com<mailto:Santos.Ramirez@natdcp.com>
This email and any attachments are intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail, do not copy or forward to any unauthorized persons, permanently delete the original and notify the sender by replying to this email.
9 years, 5 months
Netscape Portable Runtime error -5982
by Paolo Barbato
After a while I start again to work on 389 ds.
389ds last released from epel, is installed on a rhel 6.5, that host also other services (bind, dhcpd, radius.....). Such server is configured with some virtual nic.
I noticed starting 389ds the following error:
intranet5...[14/Feb/2014:08:30:20 +0100] createprlistensockets - PR_Bind() on All Interfaces port 636 failed: Netscape Portable Runtime error -5982 (Local Network address is in use.)
I've tried to insert in dse.ldif directives like
nsslapd-listenhost: 192.168.60.23
nsslapd-securelistenhost: 192.168.60.23
but it comes a more "IP specific" error :
intranet5...[14/Feb/2014:10:01:34 +0100] createprlistensockets - PR_Bind() on 192.168.60.23 port 636 failed: Netscape Portable Runtime error -5982 (Local Network address is in use.)
finally I noticed:
[root@intranet5 dirsrv]# netstat -anp | grep 636
udp 0 0 0.0.0.0:636 0.0.0.0:* 1342/portreserve
such service clearly conflict with 389ds ldaps
It seems I'm facing bug https://bugzilla.redhat.com/show_bug.cgi?id=848414
since I really have tested also openldap
[root@intranet5 dirsrv]# more /etc/portreserve/slapd
ldaps
from portreserve man I read
For each service configuration file, a socket is created and bound to the appropriate port. A service wishing to bind to its port must first run portrelease, which instructs
portreserve to release the port associated with the service.
It seems so that 389ds be not aware of portreserve . Shoud I simply remove /etc/portreserve/slapd and restart portreserve ?
Regards,
Paolo.
------------------------------------------------------------------------------------------------
Paolo Barbato
Consorzio RFX
corso Stati Uniti,4
35127 Padova - Italy
Network Administrator
phone: +39 049 8295097 fax: +39 049 8700718
------------------------------------------------------------------------------------------------
9 years, 11 months
Upgraded 389-admin rpms and now I can't start dirsrv-admin
by Groten, Ryan
Just upgraded my packages from:
389-ds-console-1.2.6-1.el5
389-console-1.1.7-1.el5
389-ds-console-doc-1.2.6-1.el5
389-admin-console-1.1.8-1.el5
389-admin-console-doc-1.1.8-1.el5
389-ds-base-1.2.9.9-1.el5
389-dsgw-1.1.7-2.el5
389-adminutil-1.1.14-1.el5
389-admin-1.1.23-1.el5
389-ds-base-libs-1.2.9.9-1.el5
To:
389-ds-console-1.2.6-1.el5
389-console-1.1.7-3.el5
389-ds-console-doc-1.2.6-1.el5
389-adminutil-1.1.19-1.el5
389-admin-console-1.1.8-1.el5
389-admin-1.1.29-1.el5
389-admin-console-doc-1.1.8-1.el5
389-dsgw-1.1.11-1.el5
389-ds-base-1.2.11.25-1.el5
389-ds-base-libs-1.2.11.25-1.el5
+perl-NetAddr-IP.x86_64 0:4.027-5.el5
+perl-Socket6.x86_64 0:0.19-3.fc6
After that I ran "setup-ds-admin.pl -u". Now I'm having problems starting dirsrv-admin:
# service dirsrv-admin start
Starting dirsrv-admin:
httpd.worker: Syntax error on line 136 of /etc/dirsrv/admin-serv/httpd.conf: Cannot load /usr/lib64/dirsrv/modules/mod_admserv.so into server: /usr/lib64/libadminutil.so.0: undefined symbol: ldap_explode
Server failed to start !!! Please check errors log for problems
[FAILED]
# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.9 (Tikanga)
I checked any error logs I could think of but found nothing.
Thanks in advance for the help!
Ryan
________________________________
This communication, including any attached documentation, is intended only for the person or entity to which it is addressed, and may contain confidential, personal and/or privileged information. Any unauthorized disclosure, copying, or taking action on the contents is strictly prohibited. If you have received this message in error, please contact us immediately so we may correct our records. Please then delete or destroy the original transmission and any subsequent reply.
10 years
ACL processing
by Russell Beall
Hi all,
We've just set up monster-sized server nodes to run 389 as a replacement to Sun DS. I've been running my tests and I am pleased to report that the memory issue seems to be in check with growth only up to double the initial memory usage after large quantities of ldapmodify calls. We have plenty of room in these boxes to accommodate caching the entire database.
The key blocker on this is still the ACL processing times for which I have been unable to find a decent resolution. We have 135 ACIs at the root of the suffix. When I comment out most of them but leave one service account active, processing times are very nicely fast. When I leave them all on, that same service account takes 2.5 seconds to respond when only one request is pending. A new kink in the puzzle here which is probably going to be a deal breaker is that if I run the same request on multiple threads, each thread takes proportionately longer to respond depending on the number of threads. If I have 12 threads going doing a simple lookup, each thread responds in 45-55 seconds. If I have 24 threads going, each thread takes 1m45s - 1m55s to respond. The box has 32 cores available. While processing, each thread is burning 100% of an available CPU thread for the entire time. Theoretically when up to 32 requests are simultaneously processing, each thread should return in 2.5 seconds just as if it were one thread.
Since all threads are burning 100% the entire time, it doesn't seem like that would be caused by simple thread locking where some threads are waiting for others.
I'm thinking the system is not properly configured in some way and there is a system bottleneck blocking the processing. When burning the CPU there is very little percentage allocated to the user percentage, most of the CPU usage is listed under the system CPU usage. Is this normal, or is this indicative of some system layer that is bottlenecking the processing?
Another question I posed earlier is whether or not it is possible to replicate three subtrees independently and then keep the aci entry at the root suffix independent so it can be set separately for multiple downstream replicants. That way we could possibly subdivide the service accounts across different nodes. Is that possible?
Thanks,
Russ.
==============================
Russell Beall
Systems Programmer IV
Enterprise Identity Management
University of Southern California
beall(a)usc.edu<mailto:beall@usc.edu>
==============================
10 years
Synchronizing with Active Directory
by Riss Nicolas
Hi,
We are making some test in order to synchronize 389 Directory with an Active Directory. We don't install pass sync because we need only to synchronize password from the 389 Directory instance. Everything works well, but when we analyze the user on Active Directory that were synchronized from the 389 Directory, we notice that the AccountUserControl value was 544, that's mean NORMAL ACCOUNT + PASSWD_NOTREQD. Due to security reason it is not acceptable for us, at least it must be 514 (only NORMAL_ACCOUNT).
We search a way to modify this behavior, but we cannot find anything. Is there any way to force this value for new user synchronize to the Active Directory ?
OS : CentOS 6.5
389 Directory version : 389-Directory/1.2.11.15 B2013.357.177
Active Directory on Windows 2008R2
Thanks.
10 years
Fwd: I'm about to start coding a plugin for Heimdal Kerberos V and have a question
by Paul Robert Marino
I tried asking this on the developer list and didn't get an answer so
im trying the user list now
So here is my goal I am about to write a plugin for Heimdal KDC's to
update matching password fields in LDAP servers.
In the case of 389 server it will also allow 389 server to manage
password quality checks.
Ive been looking over the 389 servers docs and there is something I'm
unclear about.
How do I pass the password to 389 server to trigger the quality check
and update?
Is it simply just a bind as an administrator then update the users
password field with clear text password and let 389 server check and
hash it from there, or is there more to it like a C API call?
If any one can point me to the appropriate doc or even better section
of the appropriate doc that would be very helpful.
If any one just happens to knows the answer I would appreciate that too.
Note: The resulting plugin will be posted on Github with a GPL license
when I'm done.
Thank You
10 years
389DS on SD-Card
by hede
Hi all,
I'm planning to use 389ds from SD-Card. So I would like to minimise write I/O.
It's absolutely fine if there's only a consistent state saved once a day.
For example via some cronjob running ns-slapd db2archive (which I've done so far).
I do not need any database-logs to have even the last seconds in a disaster recovery.
Any hints to tune it for this use case?
There are files constantly written, AFAIK by the Berkeley DB:
__db.00*
log.000000000*
(in /var/lib/dirsrv/slapd-kolab/db/)
Can I get rid of those files? Move them to a Ram Disk?
Regards
hede
10 years