Problem browsing LDAP with Outlook
by Chris Bryant
When configuring Microsoft Outlook (not Outlook Express) to access an LDAP directory, there is an option to 'Enable Browsing (requires server support)'. If this option is chosen and the directory server supports it, then you should be able to open the LDAP address book and page up and down through the results. I have been unable to get this working properly with 389 DS.
When I try to browse from Outlook against the 389 DS directory, I am able to see the first page of results perfectly. However, if I move to the next page, only the first object returned will have any attributes included, and all of the rest of the objects in the page will have no attributes. I have a test perl script that duplicates this functionality as well.
I can get this to work properly with an older version of Netscape Directory Server, and I can get it working with OpenDS. Since 389 DS advertises support for the controls that are required for this to work, just like the other two servers, I would expect it to work there also.
Has anyone out there gotten this to work with 389 DS? If so, can you share if there was anything special that you needed to do to get this to work? I'm trying to determine if this is a bug in the server, or if I'm just missing something in the configuration.
Thanks,
Chris
USA.NET
3 years, 1 month
changelog
by Denise Cosso
Hi,
How do I modify the attribute nsslapd-encryptionalgorithm on CentOS?
Thanks,
Denise
Stop Master servers and set nsslapd-encryptionalgorithm. The allowed value is AES or 3DES.
dn: cn=changelog5,cn=config
[...]
nsslapd-encryptionalgorithm: AES
--- On Tue, 4/6/13, Rich Megginson <rmeggins(a)redhat.com> wrote:
From: Rich Megginson <rmeggins(a)redhat.com>
Subject: Re: [389-users] changelog
To: "Denise Cosso" <guanaes51(a)yahoo.com.br>
Date: Tuesday, 4 June 2013, 16:34
On 06/04/2013 01:26 PM, Denise Cosso wrote:
Hi, Rich
CentOS release 6.3 (Final)
389-ds-base-libs-1.2.10.2-20.el6_3.x86_64
389-ds-1.2.2-1.el6.noarch
389-dsgw-1.1.10-1.el6.x86_64
389-ds-console-1.2.6-1.el6.noarch
389-ds-console-doc-1.2.6-1.el6.noarch
389-ds-base-1.2.10.2-20.el6_3.x86_64
As far as replication goes - you will need to use a security layer
(SSL, TLS, or GSSAPI) to protect the clear text password on the wire
As far as encrypting it in the changelog - not sure
Denise
--- On Tue, 4/6/13, Rich Megginson <rmeggins(a)redhat.com> wrote:
From: Rich Megginson <rmeggins(a)redhat.com>
Subject: Re: [389-users] changelog
To: "General discussion list for the 389 Directory server project." <389-users(a)lists.fedoraproject.org>
Cc: "Denise Cosso" <guanaes51(a)yahoo.com.br>
Date: Tuesday, 4 June 2013, 16:11
On 06/04/2013 12:39 PM, Denise Cosso wrote:
Hi,
Description of problem:
When a userPassword is changed in a server with changelog, the hashed password
is logged and also a cleartext pseudo-attribute version. It looks like this:
change::
replace: userPassword
userPassword: {SHA256}vqtiN2LHdrEUOJUKu+IBVqAVFsAlvFw+11kD/Q==
-
replace: unhashed#user#password
unhashed#user#password: secret12
This unhashed version is used in winsync where the cleartext version of the
password must be written to the AD.
Now if the DS is involved in replication with another DS, the change will be
replayed exactly as it is logged to the other DS replicas, including the
cleartext pseudo-attribute password.
What platform? What version of 389-ds-base are you using?
thanks,
Denise
--
389 users mailing list
389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
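The record Denise quotes shows why the changelog needs protecting: the unhashed#user#password pseudo-attribute carries the password in the clear and is replayed to replicas unless the changelog is encrypted and replication runs over a security layer. As an added example (not code from the thread or the 389 project), here is a small scanner that reads a changelog or audit dump in LDIF form and flags records that would hand a cleartext password to any replication consumer; the sample record is constructed, with the hash copied from the post and an invented cleartext value.

```python
import base64
import re

# Constructed changelog dump in LDIF form, modelled on the record in the thread.
SAMPLE_CHANGELOG = """\
dn: uid=alice,ou=people,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {SHA256}vqtiN2LHdrEUOJUKu+IBVqAVFsAlvFw+11kD/Q==
-
replace: unhashed#user#password
unhashed#user#password: example-cleartext
-
"""

HASH_PREFIX = re.compile(r"^\{[A-Za-z0-9_-]+\}")  # {SHA256}, {SSHA512}, {PBKDF2_SHA256}, ...


def parse_ldif_records(text):
    """Return [(dn, [(attr, value), ...])], decoding '::' base64 values."""
    records, attrs, dn = [], [], None
    for line in text.splitlines() + [""]:
        if not line:                      # a blank line terminates a record
            if dn is not None:
                records.append((dn, attrs))
            dn, attrs = None, []
            continue
        if line == "-" or line.startswith("#"):
            continue                      # modify separator or comment
        if "::" in line.split(" ", 1)[0]:  # 'attr:: base64' form, as in change::
            attr, value = line.split("::", 1)
            value = base64.b64decode(value.strip()).decode("utf-8", "replace")
        else:
            attr, value = line.split(":", 1)
            value = value.strip()
        if attr.lower() == "dn":
            dn = value
        else:
            attrs.append((attr, value))
    return records


def find_cleartext_passwords(text):
    """List (dn, attr, reason) for every record that carries a password in the clear."""
    findings = []
    for dn, attrs in parse_ldif_records(text):
        for attr, value in attrs:
            if attr.lower() == "unhashed#user#password":
                findings.append((dn, attr, "cleartext pseudo-attribute replicated"))
            elif attr.lower() == "userpassword" and not HASH_PREFIX.match(value):
                findings.append((dn, attr, "userPassword lacks a {scheme} prefix"))
    return findings
```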
8 years, 5 months
389 GUI/Console
by Gonzalo Fernandez Ordas
Hi
I got 389 running on a remote Linux box, and I would like to make use of
the Console without the need of exporting the X-Windows whenever I want
to make a change, as I also would prefer not to keep tweaking the
configuration files all the time.
Is there any way of doing this through any remote client?
Any advice on this matter?
Thanks very much
8 years, 6 months
Question about accountunlocktime
by harry.devine@faa.gov
I've noticed that when any of our users get locked out, the date that gets put into their accountunlocktime attribute is always in the past. I have our 389-DS set to lock after 3 login failures, and unlock after 30 minutes. I've noticed that none of our users unlock without admin intervention. We have to go into their account and delete the accountunlocktime and passwordretrycount attributes.
How can I straighten this out?
Thanks,
Harry Devine
DOT/FAA/AJM-245
Common ARTS Software Development
harry.devine(a)faa.gov
(609)485-4218
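As an added example (not part of Harry's post), here is a check that interprets passwordRetryCount and accountUnlockTime against the policy he describes (lock after 3 failures, unlock after 30 minutes) and reports the symptom he sees: an unlock time that is already in the past while the counters are still set. The policy constants are assumed from the post, and entries are assumed to be plain dicts of attribute name to string value as read from the directory.

```python
from datetime import datetime, timedelta, timezone

# Assumed policy values taken from the post: 3 failures lock the account and
# the lockout lasts 30 minutes (389 DS's passwordLockoutDuration is in seconds).
PASSWORD_MAX_FAILURE = 3
PASSWORD_LOCKOUT_DURATION = timedelta(seconds=1800)


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime in UTC form, e.g. 20150128155553Z."""
    if not value.endswith("Z"):
        raise ValueError("only UTC ('Z') GeneralizedTime values are handled")
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def format_generalized_time(when):
    """Inverse of parse_generalized_time for a timezone-aware datetime."""
    return when.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def expected_unlock_time(last_failure):
    """The accountUnlockTime the server should write: last failure + lockout duration."""
    return format_generalized_time(last_failure + PASSWORD_LOCKOUT_DURATION)


def lockout_status(entry, now):
    """Classify one entry (dict attr -> str) at time 'now' (aware datetime)."""
    retries = int(entry.get("passwordRetryCount", "0"))
    unlock_raw = entry.get("accountUnlockTime")
    if retries < PASSWORD_MAX_FAILURE:
        return "not locked"
    if unlock_raw is None:
        return "locked, no accountUnlockTime: manual unlock required"
    unlock_at = parse_generalized_time(unlock_raw)
    if unlock_at <= now:
        return "stale lockout: accountUnlockTime already passed, entry should unlock"
    return "locked until " + format_generalized_time(unlock_at)


def stale_lockouts(entries, now):
    """DNs whose lockout has expired but whose counters are still set (Harry's symptom)."""
    return [dn for dn, attrs in entries.items()
            if lockout_status(attrs, now).startswith("stale lockout")]
```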
8 years, 7 months
shrink changelogdb - Help
by Jordan, Phillip
Can someone forward a link on how to shrink down the changelogdb? We tried the LDIF method to create the values, but the schema is not present in the directory to create the object. Does a better document exist, or has someone come across this same issue? Let me know. Thanks in advance.
We are running 1.2.11.15 B2013.357.1711
Phillip Jordan
Lead Engineer, Web Hosting
555 W. Adams
Chicago, IL 60661
transunion.com <http://www.transunion.com/>
8 years, 8 months
Issue with LDAP modify to change replication schedule
by Justin Edmands
389 List,
I need to modify the replication schedule via LDIF import. I have no issues
doing it in the 389-console.
I am attempting to import this ldif (with dc changes to mask our info)
dn: cn=dirsrv1 to devdirsrv1,cn=replica,cn=dc\3Dourdomain\2Cdc\3Dcom,cn=map
ping tree,cn=config
changetype: modify
replace: nsDS5ReplicaUpdateSchedule
nsDS5ReplicaUpdateSchedule: 0200-0300 0
I have also tried it with the carriage return removed and everything on one
line:
dn: cn=dirsrv1 to devdirsrv1,cn=replica,cn=dc\3Dourdomain\2Cdc\3Dcom,cn=mapping tree,cn=config
8 years, 8 months
Fwd: LDAPCon 2015 Call for Papers
by Rolf E. Sonneveld
Hi,
Excuse me if you get this more than once (via multiple mailing lists).
For those interested, see below the CfP for LDAPCon 2015.
Regards,
/rolf
-------- Forwarded Message --------
Subject: LDAPCon 2015 Call for Papers
Date: Thu, 29 Jan 2015 13:44:50 +0000
From: Andrew Findlay <andrew.findlay(a)skills-1st.co.uk>
Reply-To: enquiries(a)lists.ldapcon.org
To: ldap(a)umich.edu
LDAPCon 2015
============
The fifth International Conference on LDAP and Directory Services will be
held in the UK at the University of Edinburgh School of Informatics Forum.
Tutorials: 11th November 2015
Conference: 12th and 13th November 2015
Call for papers and tutorials
=============================
Topics
You are using LDAP in interesting projects?
You do LDAP client or server development?
You have used LDAP in a new way?
You do identity and access management on top of LDAP?
Why not share your ideas and experiences with others?
We are looking for speakers who are willing to talk about any topic
related to LDAP and identity management, including:
LDAP technology implementation (Servers, API, User interfaces etc.)
LDAP Usage (Schema, Security, Operations, Scaling, big data, etc.)
LDAP related technologies (PKI, XACML, SAML, etc.)
LDAP and Beyond (IAM, Identity Federation, Authentication on the web, etc.)
Best Practices for directory services.
Accepted talks will be grouped into tracks such as
standards/development and deployment/administration.
Deadlines & Important Dates
Submission Deadline: 28th June
Author Notification: 10th July
Final Papers due: 10th October 2015
Tutorials: 11th November 2015
Conference: 12th-13th November 2015
Talk Submissions
Main presentations should last about 45 minutes including discussion;
we will also provide smaller slots of 15 minutes and 5 minutes for
poster presentations or lightning talks. Please tell us which duration
you prefer when proposing your talk. The talk must be in English.
The one and only way to submit your abstract (approximately 200-800 words,
accompanied by your biography of about 100-300 words) is via email to
submissions(a)lists.ldapcon.org. Abstracts must reach the Program Committee
by 28th June 2015. Early submission is encouraged.
All abstracts will be reviewed by the program committee.
For accepted talks we expect you to submit slides and/or a paper
of approximately 2-10 pages (A4 or US Letter format, 25mm borders,
preferably LaTeX source or OpenOffice).
For 5-minute talks, a brief abstract is required. A short paper, slides or
a poster should be provided for accepted talks. We will provide display
boards for posters throughout the conference.
By submitting a paper you grant the conference organizers the
non-exclusive right to publish your paper in the conference proceedings
and on the website; you maintain the right to publish it elsewhere at
your discretion.
Tutorial Submissions
We are looking for high-quality tutorials on LDAP and related subjects,
at any level from introductory to advanced. Tutorial length can range from an
hour to a full day. Wireless Internet access will be available if required.
The purpose of the tutorials is focussed education, so they should cover
established topics and best practice rather than presenting new work.
Tutorials will be on Wednesday 11th November 2015.
The Programme Committee has an open mind about the format of the tutorial
day, but has a limited number of rooms available. Make your proposal early
and we will aim to build an attractive programme for the day.
Expenses
Speakers get free access to the conference, including the social event.
If requested in advance we will provide accommodation for speakers.
Travel expenses might also be covered in special cases.
If you need this, please contact us early so we can try to arrange it.
Website
http://ldapcon.org/2015/
Contacts
General enquiries: enquiries(a)lists.ldapcon.org
Paper/Tutorial submissions: submissions(a)lists.ldapcon.org
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------
8 years, 8 months
Searching for userCertificate - what encoding is used in the query filter?
by Graham Leggett
Hi all,
I have a query filter that looks like this: (userCertificate={0}${1})
I am trying to search for an explicit certificate in a directory, based on the serial number and the issuer DN. Can anyone confirm what encoding these values need to be in, and what Java library might help provide that encoding?
Regards,
Graham
8 years, 8 months
389ds and certificateExactMatch - is it supported?
by Graham Leggett
Hi all,
After struggling to get a certificateExactMatch query to work, I’ve discovered that in 389ds the certificateExactMatch rule in the schema has been marked as commented out like this:
# TODO - Add Certificate syntax
#attributeTypes: ( 2.5.4.36 NAME 'userCertificate'
# DESC 'X.509 user certificate'
# EQUALITY certificateExactMatch
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 )
attributeTypes: ( 2.5.4.36 NAME 'userCertificate'
DESC 'X.509 user certificate'
EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
X-ORIGIN 'RFC 4523' )
Does 389ds offer certificateExactMatch support as per the RFCs? Simply uncommenting out the above results in startup failure below:
[28/Jan/2015:15:55:53 +0000] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-monica/schema/05rfc4523.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type userCertificate: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.8"
Regards,
Graham
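Both of Graham's questions turn on the same point: with the schema quoted above, 389ds compares userCertificate with octetStringMatch on octet-string syntax, so the only exact match the server can perform is on the certificate's raw DER bytes, and a serial$issuer assertion such as (userCertificate={0}${1}) would only make sense under certificateExactMatch. As an added example (not code from either post or from 389ds), here is how to take a certificate's DER encoding and escape it into an RFC 4515 equality filter; the PEM blob is constructed and is just a minimal DER SEQUENCE, not a real certificate.

```python
import base64

# Constructed, not a real certificate: the body decodes to the five DER bytes
# 30 03 02 01 05 (a SEQUENCE holding one INTEGER), enough to run offline.
SAMPLE_PEM = """\
-----BEGIN CERTIFICATE-----
MAMCAQU=
-----END CERTIFICATE-----
"""


def der_from_pem(pem_text):
    """Strip the PEM armour and return the DER bytes that the directory stores."""
    body = "".join(line.strip() for line in pem_text.splitlines()
                   if line.strip() and not line.startswith("-----"))
    return base64.b64decode(body)


def escape_filter_value(data):
    """Escape raw bytes for an RFC 4515 filter value: every octet becomes \\XX."""
    return "".join(f"\\{b:02x}" for b in data)


def user_certificate_filter(der_bytes):
    """Equality filter on the exact DER encoding, which is what octetStringMatch compares."""
    if not der_bytes or der_bytes[0] != 0x30:
        raise ValueError("not DER: a certificate is a SEQUENCE (tag 0x30)")
    return f"(userCertificate={escape_filter_value(der_bytes)})"


def filter_from_pem(pem_text):
    """Convenience wrapper: PEM text in, ready-to-use search filter out."""
    return user_certificate_filter(der_from_pem(pem_text))
```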
8 years, 8 months