Problem browsing LDAP with Outlook
by Chris Bryant
When configuring Microsoft Outlook (not Outlook Express) to access an LDAP directory, there is an option to 'Enable Browsing (requires server support)'. If this option is chosen and the directory server supports it, then you should be able to open the LDAP address book and page up and down through the results. I have been unable to get this working properly with 389 DS.
When I try to browse from Outlook against the 389 DS directory, I am able to see the first page of results perfectly. However, if I move to the next page, only the first object returned will have any attributes included, and all of the rest of the objects in the page will have no attributes. I have a test Perl script that duplicates this functionality as well.
I can get this to work properly with an older version of Netscape Directory Server, and I can get it working with OpenDS. Since 389 DS advertises support for the controls that are required for this to work, just like the other two servers, then I would expect it to work there also.
Has anyone out there gotten this to work with 389 DS? If so, can you share if there was anything special that you needed to do to get this to work? I'm trying to determine if this is a bug in the server, or if I'm just missing something in the configuration.
Thanks,
Chris
USA.NET
3 years
changelog
by Denise Cosso
Hi,
How to modify the attribute nsslapd-encryptionalgorithm in CentOS?
Thanks,
Denise
Stop Master servers and set nsslapd-encryptionalgorithm. The allowed value is AES or 3DES.
dn: cn=changelog5,cn=config
[...]
nsslapd-encryptionalgorithm: AES
--- On Tue, 4/6/13, Rich Megginson <rmeggins(a)redhat.com> wrote:
From: Rich Megginson <rmeggins(a)redhat.com>
Subject: Re: [389-users] changelog
To: "Denise Cosso" <guanaes51(a)yahoo.com.br>
Date: Tuesday, 4 June 2013, 16:34
On 06/04/2013 01:26 PM, Denise Cosso wrote:
Hi, Rich
CentOS release 6.3 (Final)
389-ds-base-libs-1.2.10.2-20.el6_3.x86_64
389-ds-1.2.2-1.el6.noarch
389-dsgw-1.1.10-1.el6.x86_64
389-ds-console-1.2.6-1.el6.noarch
389-ds-console-doc-1.2.6-1.el6.noarch
389-ds-base-1.2.10.2-20.el6_3.x86_64
As far as replication goes - you will need to use a security layer
(SSL, TLS, or GSSAPI) to protect the clear text password on the wire
As far as encrypting it in the changelog - not sure
Denise
--- On Tue, 4/6/13, Rich Megginson <rmeggins(a)redhat.com> wrote:
From: Rich Megginson <rmeggins(a)redhat.com>
Subject: Re: [389-users] changelog
To: "General discussion list for the 389 Directory server project." <389-users(a)lists.fedoraproject.org>
Cc: "Denise Cosso" <guanaes51(a)yahoo.com.br>
Date: Tuesday, 4 June 2013, 16:11
On 06/04/2013 12:39 PM, Denise Cosso wrote:
Hi,
Description of problem:
When a userPassword is changed in a server with changelog, the hashed password
is logged and also a cleartext pseudo-attribute version. It looks like this:
change::
replace: userPassword
userPassword: {SHA256}vqtiN2LHdrEUOJUKu+IBVqAVFsAlvFw+11kD/Q==
-
replace: unhashed#user#password
unhashed#user#password: secret12
This unhashed version is used in winsync where the cleartext version of the
password must be written to the AD.
Now if the DS is involved in replication with another DS, the change will be
replayed exactly as it is logged to the other DS replicas, including the
cleartext pseudo-attribute password.
What platform? What version of 389-ds-base are you using?
thanks,
Denise
--
389 users mailing list
389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
8 years, 5 months
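The changelog record quoted in the thread above is the kind of data that ends up in changelog dumps, backups and support bundles. As an added example (not part of the original thread and not 389 DS code), this Python sketch scans such a dump, reports which entries carry the cleartext unhashed#user#password pseudo-attribute, and redacts the value before the file is shared. The dump layout follows the excerpt in the post; the DNs, values and function name are constructed for illustration.

```python
import re

SENSITIVE = "unhashed#user#password"
# LDIF value line: "attr: value" or the base64 form "attr:: value".
VALUE_RE = re.compile(r"^" + re.escape(SENSITIVE) + r"::?\s*\S", re.IGNORECASE)

# Constructed sample in the layout quoted in the thread (DNs and values are made up).
SAMPLE = """\
dn: uid=alice,ou=People,dc=example,dc=com
change::
replace: userPassword
userPassword: {SHA256}CONSTRUCTED-HASH
-
replace: unhashed#user#password
unhashed#user#password: secret12

dn: uid=bob,ou=People,dc=example,dc=com
change::
replace: unhashed#user#password
unhashed#user#password:: c2VjcmV0MTI=
 continued
"""

def redact_changelog(text):
    """Return (redacted_text, findings); findings is a list of (line_number, dn)."""
    out, findings, dn = [], [], None
    skipping = False  # True while dropping folded lines of a redacted value
    for lineno, line in enumerate(text.splitlines(), 1):
        if skipping and line.startswith(" "):
            continue  # LDIF continuation line: still part of the secret
        skipping = False
        if line.lower().startswith("dn:"):
            dn = line.split(":", 1)[1].lstrip(": ").strip()
        if VALUE_RE.match(line):
            findings.append((lineno, dn))
            out.append(f"{SENSITIVE}: [REDACTED]")
            skipping = True
        else:
            out.append(line)  # hashed userPassword and all other lines pass through
    return "\n".join(out), findings

if __name__ == "__main__":
    cleaned, hits = redact_changelog(SAMPLE)
    print(cleaned)
    for lineno, dn in hits:
        print(f"cleartext password at line {lineno} for {dn}")
```

Every finding also identifies an account whose password was exposed wherever the unredacted dump was stored or replayed.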
389 GUI/Console
by Gonzalo Fernandez Ordas
Hi
I got 389 running on a remote Linux box, and I would like to make use of
the Console without the need of exporting the X-Windows whenever I want
to make a change, as I also would prefer not to keep tweaking the
configuration files all the time.
Is there any way of doing this through any remote client?
Any advice on this matter?
Thanks very much
8 years, 6 months
db2bak on a provider/master
by Mitja Mihelič
Hi!
We have a provider/consumer (master/slave) setup and we wish to create a
database backup on the master.
Replica settings on the master are set to "Single Master".
But when I run
.../db2bak $backup_path/$current_date
Backup fails and the following error is written in the errors log:
ERROR: Standalone db2bak is not supported when a multimaster replication
enabled server is coexisting.
Please use db2bak.pl, instead.
Since multimaster replication is not used, should I consider this a bug?
Or is it referring to the "Single Master" setup as a multimaster setup?
Regards, Mitja
--
Mitja Mihelič
ARNES, Tehnološki park 18, p.p. 7, SI-1001 Ljubljana, Slovenia
tel: +386 1 479 8877, fax: +386 1 479 88 78
8 years, 6 months
Question about accountunlocktime
by harry.devine@faa.gov
I've noticed that when any of our users get locked out, the date that gets put into their accountunlocktime attribute is always in the past. I have our 389-DS set to lock after 3 log in failures, and unlock after 30 minutes. I've noticed that none of our users unlock without admin intervention. We have to go into their account and delete the accountunlocktime and passwordretrycount attributes.
How can I straighten this out?
Thanks,
Harry Devine
DOT/FAA/AJM-245
Common ARTS Software Development
harry.devine(a)faa.gov
(609)485-4218
8 years, 7 months
Passsync not changing passwords
by Daniel Franciscus
Hello,
We have two Windows Server 2003 domain controllers and I installed passsync on both servers in order to sync password changes to our 389 LDAP. On one domain controller, it appears passsync is working correctly as I can see in the passsync.log when I change a password through that domain controller. On the other domain controller, when I change a password I do not see any activity in the passsync.log at all. I have passsync on both domain controllers set to verbose logging. I also restarted both domain controllers after installing passsync.
On the domain controller that is not syncing passwords the log appears as:
02/18/15 07:52:59: PassSync service initialized
02/18/15 07:52:59: PassSync service running
02/18/15 07:52:59: No entries yet
02/18/15 07:52:59: Password list is empty. Waiting for passhook event
Does anyone have an idea of what the issue could be?
Dan Franciscus
Systems Administrator
Information Technology Group
Institute for Advanced Study
609-734-8138
8 years, 7 months
Use of UUIDs
by John Trump
I have a requirement to switch to a UUID (128-bits) instead of
the usual uid. Is this possible within 389-ds? Would there be an attribute
of uuid or would it still be named uid?
john
8 years, 7 months
Fractional Replication - Account Lockout Attributes
by Joshua Brodie
Hi Everyone:
We have started the process to implement account logout - i.e. on 10 times
with incorrect password, over 10 mins, account locked for 30 mins.
Services bind to our MMR cluster on the consumers - is it possible to
replicate the account 'PasswordLockout' via fractional replication to other
suppliers/consumers (or are the 'PasswordLockout' always local to the
consumer instance?).
v 1.2.11.29
Thanks,
Josh
8 years, 7 months
PasswordLockout & passwordIsGlobalPolicy
by Mailvaganam, Hari
Hi List:
In MMR, w.r.t. password lockout - is the 'passwordIsGlobalPolicy: on' only required on the consumers - i.e. the count replicates among all the consumers (irrespective of which the bind was made on)? Or is it also required on the suppliers (although binds are not available)?
config ---
PasswordLockout:on
passwordIsGlobalPolicy: on
Thanks.
8 years, 7 months