Problem browsing LDAP with Outlook
by Chris Bryant
When configuring Microsoft Outlook (not Outlook Express) to access an LDAP directory, there is an option to 'Enable Browsing (requires server support)'. If this option is chosen and the directory server supports it, then you should be able to open the LDAP address book and page up and down through the results. I have been unable to get this working properly with 389 DS.
When I try to browse from Outlook against the 389 DS directory, I am able to see the first page of results perfectly. However, if I move to the next page, only the first object returned will have any attributes included, and all of the rest of the objects in the page will have no attributes. I have a test perl script that duplicates this functionality as well.
I can get this to work properly with an older version of Netscape Directory Server, and I can get it working with OpenDS. Since 389 DS advertises support for the controls that are required for this to work, just like the other two servers, I would expect it to work there also.
Has anyone out there gotten this to work with 389 DS? If so, can you share if there was anything special that you needed to do to get this to work? I'm trying to determine if this is a bug in the server, or if I'm just missing something in the configuration.
Thanks,
Chris
USA.NET
You Run Your Business. We'll Run Your Email.
This message is for the sole use of the intended recipient(s) and may contain confidential and/or privileged information of USA.NET, Inc. Any unauthorized review, use, copying, disclosure, or distribution is prohibited. If you are not the intended recipient, please immediately contact the sender by reply email and delete all copies of the original message.
3 years, 3 months
389 Windows Console
by Phil Daws
Hello,
I have 389 up and running in my lab, with encryption enabled, but when I connect to the Administration panel and double click on the Directory Server it just hangs. The CA certificate has been imported using:
d:\Scratch\firefox_add-certs\bin>certutil -A -d "C:\Documents and Settings\phild\.389-console" -n "CA Certificate" -t CT,, -i d:\Downloads\CA-chain.pem -a
Am I missing something obvious please ?
Thanks, Phil
7 years, 10 months
PCI SSL TLS certificate requirements change
by Mayberry, Alexander
Hi, we are using SSLv3 certs, and have a multi-master replication environment.
I have over 2000 clients currently using these CAs, and updating them to TLS seems highly disruptive.
Does anyone know of a way to add the updated TLS cert, while still honoring the old SSLv3 certs from clients?
Or perhaps a way to add new replicas in to the environment with the new TLS certs, but also add them in to the replication pool with the old SSLv3 systems?
Maybe a good guide/white paper on how to achieve this for PCI requirements?
Alexander Mayberry
Enterprise Systems Engineer
SD Group: EIT Infrastructure – OMA
Enterprise.Systems Engineering.Infrastructure
7 years, 10 months
How to show all the config in dirsrv
by bahan w
Hello !
I'm currently checking how to show the whole configuration of dirsrv with
ldapsearch but I cannot find a proper way to do it for the moment.
I was thinking to use this :
###
ldapsearch -x -D "cn=Directory Manager" -h <myserver> -p 389 -W -b "cn=config,dc=mydomain"
###
But it returns a 32 return code, no such object.
Do you know how to show all the attributes of config please ?
Best regards.
Bahan
7 years, 11 months
unsubscribe
by Mark Hammons
--------------------
Mark Hammons - +33 06 03 69 56 56
Research Engineer @ BioEmergences[1]
Lab Phone: 01 69 82 34 19
--------
[1] bioemergences.iscpif.fr
7 years, 11 months
389 replication issue
by Frank Munsche
Hi Guys,
I got a replication issue with the 389 ds running on CentOS 6.7 and the
following 389 pkgs installed:
389-admin.x86_64 1.1.35-1.el6 @epel
389-admin-console.noarch 1.1.8-1.el6 @epel
389-adminutil.x86_64 1.1.19-1.el6 @epel
389-console.noarch 1.1.7-1.el6 @epel
389-ds-base.x86_64 1.2.11.15-65.el6_7 @updates
389-ds-base-libs.x86_64 1.2.11.15-65.el6_7 @updates
389-ds-console.noarch 1.2.6-1.el6 @epel
389-dsgw.x86_64 1.1.11-1.el6 @epel
I'm running a multimaster configuration based on two directory servers (ds1,
ds2)
When the replication is initiated at ds1 (replication from ds1 to ds2,
nsds5BeginReplicaRefresh set to 'start') , I find these entries in the error
log of ds1:
[15/Dec/2015:19:10:11 +0000] NSMMReplicationPlugin - Beginning total update of
replica "agmt="cn=ds1TOds2" (ds2:389)".
[15/Dec/2015:19:10:11 +0000] NSMMReplicationPlugin - Need to create
replication keep alive entry <cn=repl keep alive 1,dc=example,dc=org>
[15/Dec/2015:19:10:11 +0000] NSMMReplicationPlugin - add dn: cn=repl keep
alive 1,dc=example,dc=org
objectclass: top
objectclass: ldapsubentry
objectclass: extensibleObject
cn: repl keep alive 1
[15/Dec/2015:19:10:14 +0000] NSMMReplicationPlugin - Finished total update of
replica "agmt="cn=ds1TOds2" (ds2:389)". Sent 341 entries.
[15/Dec/2015:19:10:14 +0000] NSMMReplicationPlugin - agmt="cn=ds1TOds2" (ds2:389): Consumer failed to replay change (uniqueid 72eca481-a35f11e5-a546a0ed-cca505a5, CSN 56706593000100010000): Server is unwilling to perform (53). Will retry later.
[15/Dec/2015:19:15:16 +0000] NSMMReplicationPlugin - agmt="cn=ds1TOds2" (ds2:389): Consumer failed to replay change (uniqueid 72eca481-a35f11e5-a546a0ed-cca505a5, CSN 56706593000100010000): Server is unwilling to perform (53). Will retry later.
I was wondering about:
NSMMReplicationPlugin - agmt="cn=ds1TOds2" (ds2:389): Consumer failed to replay change (uniqueid 72eca481-a35f11e5-a546a0ed-cca505a5, CSN 56706593000100010000): Server is unwilling to perform (53). Will retry later.
Checked the access log at ds2:
[15/Dec/2015:19:10:14 +0000] conn=28 fd=64 slot=64 connection from
192.168.22.11 to 172.17.0.12
[15/Dec/2015:19:10:14 +0000] conn=28 op=0 EXT oid="1.3.6.1.4.1.1466.20037"
name="startTLS"
[15/Dec/2015:19:10:14 +0000] conn=28 op=0 RESULT err=0 tag=120 nentries=0
etime=0
[15/Dec/2015:19:10:14 +0000] conn=28 TLS1.2 256-bit AES
[15/Dec/2015:19:10:14 +0000] conn=28 op=1 BIND dn="cn=replication
manager,cn=config" method=128 version=3
[15/Dec/2015:19:10:14 +0000] conn=28 op=1 RESULT err=0 tag=97 nentries=0
etime=0 dn="cn=replication manager,cn=config"
[15/Dec/2015:19:10:14 +0000] conn=28 op=2 SRCH base="" scope=0
filter="(objectClass=*)" attrs="supportedControl supportedExtension"
[15/Dec/2015:19:10:14 +0000] conn=28 op=2 RESULT err=0 tag=101 nentries=1
etime=0
[15/Dec/2015:19:10:14 +0000] conn=28 op=3 SRCH base="" scope=0
filter="(objectClass=*)" attrs="supportedControl supportedExtension"
[15/Dec/2015:19:10:14 +0000] conn=28 op=3 RESULT err=0 tag=101 nentries=1
etime=0
[15/Dec/2015:19:10:14 +0000] conn=28 op=4 EXT oid="2.16.840.1.113730.3.5.12"
name="replication-multimaster-extop"
[15/Dec/2015:19:10:14 +0000] conn=28 op=4 RESULT err=0 tag=120 nentries=0
etime=0
[15/Dec/2015:19:10:14 +0000] conn=28 op=5 SRCH
base="cn=replica,cn=dc\3Dexample\2Cdc\3Dorg,cn=mapping tree,cn=config" scope=0
filter="(objectClass=*)" attrs="nsDS5ReplicaId"
[15/Dec/2015:19:10:14 +0000] conn=28 op=5 RESULT err=0 tag=101 nentries=1
etime=0
[15/Dec/2015:19:10:14 +0000] conn=28 op=6 ADD dn="cn=repl keep alive
1,dc=example,dc=org"
[15/Dec/2015:19:10:14 +0000] conn=28 op=6 RESULT err=53 tag=105 nentries=0
etime=0 csn=56706593000100010000
[15/Dec/2015:19:10:16 +0000] conn=28 op=7 EXT oid="2.16.840.1.113730.3.5.5"
name="Netscape Replication End Session"
[15/Dec/2015:19:10:16 +0000] conn=28 op=7 RESULT err=0 tag=120 nentries=0
etime=0
And crosschecked the csn 56706593000100010000 at ds1 with the changelog dump:
changetype: add
replgen: 566feaa1000000010000
csn: 56706593000100010000
nsuniqueid: 72eca481-a35f11e5-a546a0ed-cca505a5
parentuniqueid: 2cbf2300-a31611e5-8f779323-18f831a8
dn: cn=repl keep alive 1,dc=example,dc=org
change::
add: objectClass
objectClass: top
objectClass: ldapsubentry
objectClass: extensibleObject
-
add: cn
cn: repl keep alive 1
-
add: internalCreatorsName
internalCreatorsName: cn=Multimaster Replication Plugin,cn=plugins,cn=config
-
add: internalModifiersName
internalModifiersName: cn=Multimaster Replication Plugin,cn=plugins,cn=config
-
add: creatorsName
creatorsName:
-
add: modifiersName
modifiersName:
-
add: createTimestamp
createTimestamp: 20151215191011Z
-
add: modifyTimestamp
modifyTimestamp: 20151215191011Z
-
add: nsUniqueId
nsUniqueId: 72eca481-a35f11e5-a546a0ed-cca505a5
-
add: parentid
parentid: 1
-
add: entryid
entryid: 342
-
add: entrydn
entrydn: cn=repl keep alive 1,dc=example,dc=org
Does someone have a clue what the cn=repl keep alive 1,dc=example,dc=org is
for and what causes the problem here?
thank you very much,
cheers, Frank
7 years, 11 months
nsAccountLock - Server is unwilling to perform
by Mitja Mihelič
Hi!
We are using nsAccountLock=true to lock user accounts. We also
have dovecot authenticating users against the 389DS.
If we set nsAccountLock=true, then we get
Oct 20 14:39:30 SERVER dovecot: auth: Error:
ldap(USERNAME,193.X.Y.Z,<aaaaaaaaaaaaaaaa>): ldap_bind() failed: Server
is unwilling to perform
Oct 20 14:39:31 SERVER dovecot: auth:
ldap(USERNAME,193.X.Y.Z,<aaaaaaaaaaaaaaaa>): Falling back to expired
data from cache
Dovecot thinks the server is not working properly so it reads login info
from its cache and authentication succeeds.
Can I set 389DS to return a different response?
Something that says: "User is locked" or "Authentication failed"...
Kind regards, Mitja
--
--
Mitja Mihelič
ARNES, Tehnološki park 18, p.p. 7, SI-1001 Ljubljana, Slovenia
tel: +386 1 479 8800, fax: +386 1 479 88 99
7 years, 11 months
Re: ldapsearch question
by Rich Megginson
On 12/14/2015 11:16 PM, Frank Munsche wrote:
> Hi Guys,
>
> I'm trying to understand why ldapsearch returns some objects of the
> DIT only when the dn is set to the object I'm looking for and the search
> scope has to be base, e.g.:
>
> There is an object at the dn: cn=repl keep alive 1,dc=example,dc=org
>
> A search operation using dc=example,dc=org as base and the scope 'sub'
> will not return the entry. Setting the search base to the object itself
> does not work either:
>
> ldapsearch -H ldap://ldap.example.org -D "cn=directory manager" -w secret -ZZZ -x -s sub -b "cn=repl keep alive 1,dc=example,dc=org"
>
> # extended LDIF
> #
> # LDAPv3
> # base <cn=repl keep alive 1,dc=example,dc=org> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # search result
> search: 3
> result: 0 Success
>
> But using the object's dn and setting the scope to 'base' does return the
> entry:
>
> ldapsearch -H ldap://ldap.example.org -D "cn=directory manager" -w secret -ZZZ -x -s base -b "cn=repl keep alive 1,dc=example,dc=org"
>
> # extended LDIF
> #
> # LDAPv3
> # base <cn=repl keep alive 1,dc=example,dc=org> with scope baseObject
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # repl keep alive 1, example.org
> dn: cn=repl keep alive 1,dc=example,dc=org
> objectClass: top
> objectClass: ldapsubentry
> objectClass: extensibleObject
> cn: repl keep alive 1
>
> # search result
> search: 3
> result: 0 Success
>
> Does someone have an explanation for this?
>
Yes. This entry is an "ldapSubEntry". Entries with this objectclass do
not appear in regular searches. They only appear if you either a) include
(objectclass=ldapsubentry) in your search filter or b) specify the DN
exactly as the base DN.
> thank you,
>
> cheers, frank
>
7 years, 11 months
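The visibility rule Rich describes above, as an added example that is not part of the thread and not 389 DS code: a small in-memory model of an LDAP search that hides ldapSubEntry entries from one-level and subtree searches unless the filter names (objectclass=ldapsubentry) explicitly, while a base-scope search on the entry's own DN always returns it. The sample DIT (the example.org suffix, a made-up user uid=frank, and the "cn=repl keep alive 1" subentry from the thread) is constructed here, and the filter parser only handles &, |, !, equality and presence; DNs are split on unescaped commas, which is enough for this sample but not for arbitrary DNs.

```python
"""Toy model of how 389 DS treats ldapSubEntry entries in searches.

Rule modelled (from the reply above): an entry whose objectClass includes
ldapsubentry is excluded from one-level and subtree searches unless the
filter explicitly contains (objectclass=ldapsubentry); a base-scope search
on the entry's own DN returns it regardless of the filter.
"""
import re

# Constructed sample DIT; only the keep-alive entry mirrors the thread.
DIT = [
    {"dn": "dc=example,dc=org",
     "objectclass": ["top", "domain"], "dc": ["example"]},
    {"dn": "uid=frank,ou=people,dc=example,dc=org",          # hypothetical user
     "objectclass": ["top", "person", "inetOrgPerson"], "uid": ["frank"]},
    {"dn": "cn=repl keep alive 1,dc=example,dc=org",
     "objectclass": ["top", "ldapsubentry", "extensibleObject"],
     "cn": ["repl keep alive 1"]},
]


def parse_filter(text):
    """Parse a minimal RFC 4515 filter (&, |, !, attr=value, attr=*)."""
    node, rest = _parse(text.strip())
    if rest:
        raise ValueError("trailing data in filter: %r" % rest)
    return node


def _parse(s):
    if not s.startswith("("):
        raise ValueError("expected '(' near %r" % s)
    s = s[1:]
    if s[0] in "&|":                      # n-ary AND / OR
        op, s, kids = s[0], s[1:], []
        while s.startswith("("):
            kid, s = _parse(s)
            kids.append(kid)
        if not s.startswith(")"):
            raise ValueError("unterminated %s filter" % op)
        return (op, kids), s[1:]
    if s[0] == "!":                       # unary NOT
        kid, s = _parse(s[1:])
        if not s.startswith(")"):
            raise ValueError("unterminated ! filter")
        return ("!", [kid]), s[1:]
    m = re.match(r"([A-Za-z][\w;-]*)=([^)]*)\)", s)   # attr=value or attr=*
    if not m:
        raise ValueError("bad simple filter near %r" % s)
    return ("=", m.group(1).lower(), m.group(2)), s[m.end():]


def matches(entry, node):
    """Evaluate a parsed filter against an entry (case-insensitive values)."""
    kind = node[0]
    if kind == "&":
        return all(matches(entry, k) for k in node[1])
    if kind == "|":
        return any(matches(entry, k) for k in node[1])
    if kind == "!":
        return not matches(entry, node[1][0])
    _, attr, value = node
    values = [v.lower() for v in entry.get(attr, [])]
    return bool(values) if value == "*" else value.lower() in values


def filter_names_subentries(node):
    """True if (objectclass=ldapsubentry) occurs anywhere in the filter."""
    if node[0] in "&|!":
        return any(filter_names_subentries(k) for k in node[1])
    return node[1] == "objectclass" and node[2].lower() == "ldapsubentry"


def _in_scope(dn, base, scope):
    dn_parts = [p.strip().lower() for p in dn.split(",")]
    base_parts = [p.strip().lower() for p in base.split(",")]
    if len(dn_parts) < len(base_parts) or dn_parts[-len(base_parts):] != base_parts:
        return False
    depth = len(dn_parts) - len(base_parts)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]


def search(dit, base, scope, filter_str="(objectclass=*)"):
    """Return the DNs a 389-DS-like server would hand back for this search."""
    node = parse_filter(filter_str)
    show_subentries = scope == "base" or filter_names_subentries(node)
    found = []
    for entry in dit:
        if not _in_scope(entry["dn"], base, scope):
            continue
        is_subentry = "ldapsubentry" in [v.lower() for v in entry["objectclass"]]
        if is_subentry and not show_subentries:
            continue                      # hidden from one-level/subtree searches
        if matches(entry, node):
            found.append(entry["dn"])
    return found


if __name__ == "__main__":
    keepalive = "cn=repl keep alive 1,dc=example,dc=org"
    print(search(DIT, keepalive, "sub"))                    # [] like Frank's first search
    print(search(DIT, keepalive, "base"))                   # the entry, like his second
    print(search(DIT, "dc=example,dc=org", "sub", "(objectclass=ldapsubentry)"))
```

Running the block reproduces the two results in the quoted post: the subtree search on the entry's own DN returns nothing, the base search returns it, and a subtree search from the suffix only shows it once the filter names ldapsubentry. The same model also shows that a compound filter such as (|(objectclass=ldapsubentry)(uid=frank)) returns both ordinary entries and subentries, because the explicit objectclass assertion is what lifts the exclusion, not the filter's overall shape.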