We are currently using 389-DS as an LDAP server for our university
(University Politehnica from Bucharest). Right now we have about 35000
accounts created in the 389-DS. We need to synchronize all the
accounts with an Active Directory server for various purposes (Wifi
authentication/e-mail authentication, etc). I've set up the 389-DS /
Active Directory replication successfully but we have a design problem:
a very high number of users have a username (uid: field) longer than
20 characters and I can't pass this uid to the ntUserDomainId (which
is equivalent to the sAMAccount in AD). Is there any way that I can
populate the userPrincipalName with this uid? (which does not have the
limit indicated above)
Thank you in advance,

I am having an issue where an LDAP authenticated user cannot overwrite or remove a file on the LDAP-client system even though the permissions are set to 777. However, the user is able to create a new file (file is owned by that user) and can be removed by that user.
Is there some limitation on actions on a file owned by different user but permissions set to 777 (rwxrwxrwx)? I have checked to make sure no special attributes are enabled on the file (lsattr).
Paul M. Whitney

We have a service desk account that I created in our LDAP that has the
ability to add/delete/modify all our user accounts. Except that now that
we have password policy in place, it can no longer modify our user account
passwords. I have confirmed that the password changes that it is doing
conform to our password policy, but every time it comes back with
constraint violation. But I can do anything with password changes as
directory manager. One thing that I haven't confirmed is whether the
accounts that they are trying to change are accounts that have expired.
So does anyone know if, when an account is locked, only directory manager can
change the password at that point? Or does anyone know what attributes I
would need to have on my servicedesk account to allow it to change these
passwords now? I don't want to give them directory manager if I can avoid
it but I need to find some way to let them override password policy!

I recently updated my server to 188.8.131.52 and the "memberof" plugin is not
working as expected: it's not updating my user "memberOf" attribute when I
put a user in a group.
How can I debug it?
I tried to set my nsslapd-errorlog-level to 65536 but could not find any

We seem to have something odd going on with our password policy.
I configured global password policy on our LDAPs so that all accounts
under our userRoot subtree expire, then under the subtrees that contain
our service accounts I configured to never expire. But I just noticed
that the accounts under those subtrees actually have expiration date
attributes. I went into one of the accounts and set the password policy
explicitly on that account, but the attribute still shows that it is going
to expire two days from now. So I'm waiting to see what happens in two
days - will the password policy that I set for the subtree/user work, or
will it expire because the attribute is set to make it expire. I'm kind
of confused as to why it would even have that attribute set when the
subtree is set to never expire.

I have a customer who has
installed 389-ds-base-184.108.40.206-32.el6_5.x86_64 on his server.
This server is acting as a HUB, cascading replications from the master to
the slave servers.
The issue is that this server dies some times during the day. I look
at the error log and see messages like this
"pagedresults_parse_control_value: invalid cookie: -1" nothing relevant
before it, and after it, I see that message when the server was started up.
In my research on the internet, I've found this bug, which was already
So my question right now is: In which version, exactly, was this bug
corrected? On the webpage, it says version 1.2.11, but how can I know if
the version I'm using has this bug corrected?
Thanks in advance.

I'm new to 389 DS and am reading the RH DS doc before I start implementing. I have
questions, as I am trying to have a system with a high-performance cfg.
Q1: Below in black is from the RH DS documentation. I was expecting that just
creating the indexes in the GUI DS console should be sufficient. Is this
correct, or do I still need to run the script manually?
Q2: What are the operations to maintain the indexes? Do any update
statistics, reorg, or rebuild operations need to be run to maintain high performance?
Q3: Access controls: what is the average number of user rules you usually have
per db or user? Are there any maintenance jobs to perform? I believe the
more AC rules you have, the more chance you have of affecting login performance.
Is this correct?

9.3. Applying New Indexes to Existing Databases
New indexes are not added to existing databases automatically. They must
be added manually, and Directory Server has two methods for applying new
indexes to an existing database: running the db2index.pl script or
running a cn=index,cn=tasks task.

Isabella A. Ghiurea
Canadian Astronomy Data Centre http://www.nrc-cnrc.gc.ca/eng/services/hia/data-centre.html
National Research Council of Canada, Herzberg Institute of Astrophysics
5071 West Saanich Road, Victoria BC V9E 2E7, Canada
Phone: 250 363-3446 fax: 250 363-0045

I would like a design cfg suggestion for implementing a hot standby LDAP
solution. Would a multimaster configuration be sufficient?
I need some cfg which will switch the clients instantaneously to a second
master, transparent to clients,
with no downtime and "0" loss of transactions.