Referential Integrity
by William
Hi,
According to dirsrv docs [1] referential integrity should only be
enabled on a single server in a MMR scenario.
My topology is:
ROA <-- MA <--> MB --> ROB
Where RO is a readonly, M is a master. Arrows indicate data flow
direction.
Updates to the DS are done through MA or MB.
Should the advice of enabling on only a single host still be held true?
What are the potential issues of enabling this on multiple hosts? In the
future what would need to change in the plugin to support enabling on
multiple hosts if not already possible?
[1]:
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8....
--
William <william(a)firstyear.id.au>
9 years, 1 month
GUI console and Kerberos
by Paul Robert Marino
Hey everyone
I have a question. I know at least once in the past I set up the admin
console so it could utilize Kerberos passwords based on a howto I
found once which, after I changed jobs, I could never find again.
today I was looking for something else and I saw a mention on the site
about httpd needing to be compiled with http auth support.
well I did a little digging and I found this file
/etc/dirsrv/admin-serv/admserv.conf
in that file I found a lot of entries that look like this
"
<LocationMatch /*/[tT]asks/[Cc]onfiguration/*>
AuthUserFile /etc/dirsrv/admin-serv/admpw
AuthType basic
AuthName "Admin Server"
Require valid-user
AdminSDK on
ADMCgiBinDir /usr/lib64/dirsrv/cgi-bin
NESCompatEnv on
Options +ExecCGI
Order allow,deny
Allow from all
</LocationMatch>
"
when I checked /etc/dirsrv/admin-serv/admpw sure enough I found the
Password hash for the admin user.
So my question is, before I waste time experimenting, could it possibly
be as simple as changing the auth type to kerberos?
http://modauthkerb.sourceforge.net/configure.html
keep in mind my Kerberos Servers do not use LDAP as the backend.
9 years, 1 month
attribute to works same as a sequence number
by ghiureai
Hi 389 List,
we have a need to use an existing attribute (do not know which
one: nspentrydn, nsbackendsufix) or create a new one, user defined, which
will act similar to a sequence number (integer values, incremental by 1,
range of values known). I understand we can not rely on nsUniqueId. Is
there such an existing attribute in 389? It needs to be unique, LDAP
generates values with gap 1, and the range of values can be controlled?
Isabella
9 years, 1 month
LDAP allows null bases
by Kay Cee
All clients connecting to our 389-ds server showed up this vulnerability on
the scan. How do I fix this on my 389-ds server?
LDAP allows null bases
Risk:High
Application:ldap
Port:389
Protocol:tcp
ScriptID:10722
Summary:
It is possible to disclose LDAP information.
Description :
Improperly configured LDAP servers will allow the directory BASE to be set
to NULL. This allows information to be culled without any prior knowledge
of the directory structure. Coupled with a NULL BIND, an anonymous user can
query your LDAP server using a tool such as 'LdapMiner'
Solution:
Disable NULL BASE queries on your LDAP server
CVSS Base Score : 5.0
Family name: Remote file access
Category: infos
Copyright: Copyright (C) 2000 John Lampe....j_lampe(a)bellsouth.net
Summary: Check for LDAP null base
Version: $Revision: 128 $
9 years, 1 month
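The scan output above recommends "disable NULL BASE queries", but on 389 DS the practical remedy is to restrict what an anonymous client may read rather than to block base="" searches outright: a base-scope search on the empty DN is the root DSE, which well-behaved clients read to discover supported controls and SASL mechanisms. The server-wide switch is the `nsslapd-allow-anonymous-access` attribute in `cn=config` (the same attribute that appears in ticket 47850 elsewhere on this page), which accepts `on`, `off` or `rootdse`. The LDIF below is an added example, not part of the original post or of the 389 documentation; the assumption that the scanner's finding is driven by anonymous (null bind) access, and the hostname and bind DN in the usage note, are mine.

```ldif
# Added example: restrict anonymous access on 389 DS so that an unauthenticated
# client can still read the root DSE but cannot walk the directory tree.
#
# Weak setting (the shipped default): anonymous clients may search any
# subtree their ACIs allow, which is what a null bind + null base scan exploits.
#   nsslapd-allow-anonymous-access: on
#
# Corrected setting: anonymous binds are accepted, but the only thing they can
# search is the root DSE (base "", scope base). Use "off" instead if no client
# ever needs to read the root DSE without credentials.
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: rootdse
```

Apply it as the Directory Manager, for example with `ldapmodify -x -D "cn=Directory Manager" -W -H ldap://ds.example.com -f allow-anon.ldif` (hostname assumed), then re-run the scanner: an anonymous subtree search under base "" now returns nothing below the root DSE. Before changing the value, grep the access log for `BIND dn=""` entries to find applications that still bind anonymously to read directory data; those will need a service account once anonymous access is reduced to the root DSE.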
Announcing 389 Console 1.1.9
by Noriko Hosoi
389 Console 1.1.9
The 389 Directory Server team is proud to announce 389-console version
1.1.9, 389-ds-console version 1.2.10, 389-admin-console version 1.1.10,
and idm-console-framework version 1.1.9.
Fedora packages are available from the EPEL7, Fedora 20, Fedora 21 and
Rawhide repositories.
The new packages and versions are:
* 389-console-1.1.9-1
* 389-ds-console-1.2.10-1
* 389-admin-console-1.1.10-1
* idm-console-framework-1.1.9-1
Source tarballs are available for download at Download 389 Console
Source <http://www.port389.org/binaries/389-console-1.1.9.tar.bz2>,
Download 389 Ds Console Source
<http://www.port389.org/binaries/389-ds-console-1.2.10.tar.bz2>,
Download 389 Admin Console Source
<http://www.port389.org/binaries/389-admin-console-1.1.10.tar.bz2> and
Download Idm Console Framework Source
<http://www.port389.org/binaries/idm-console-framework-1.1.9.tar.bz2>.
Highlights in 389-console-1.1.9, 389-ds-console-1.2.10,
389-admin-console-1.1.10 and idm-console-framework-1.1.9-1
* Several bugs are fixed including security bugs – enable TLS version
1.1 and newer; stop using old SSL version.
Installation and Upgrade
See Download <http://www.port389.org/docs/389ds/download.html> for
information about setting up your yum repositories.
To install, use *yum install 389-ds*. After install completes, run
*setup-ds-admin.pl* to set up your directory server.
To upgrade, use *yum upgrade*. After upgrade completes, run
*setup-ds-admin.pl -u* to update your directory server/admin
server/console information.
See Install_Guide
<http://www.port389.org/docs/389ds/legacy/install-guide.html> for more
information about the initial installation, setup, and upgrade
See Source <http://www.port389.org/docs/389ds/development/source.html>
for information about source tarballs and SCM (git) access.
Feedback
We are very interested in your feedback!
Please provide feedback and comments to the 389-users mailing list:
https://admin.fedoraproject.org/mailman/listinfo/389-users and
following pages:
* https://admin.fedoraproject.org/updates/389-console-1.1.9-1.el7
* https://admin.fedoraproject.org/updates/389-console-1.1.9-1.fc20
* https://admin.fedoraproject.org/updates/389-console-1.1.9-1.fc21
* https://admin.fedoraproject.org/updates/389-ds-console-1.2.10-1.el7
* https://admin.fedoraproject.org/updates/389-ds-console-1.2.10-1.fc20
* https://admin.fedoraproject.org/updates/389-ds-console-1.2.10-1.fc21
* https://admin.fedoraproject.org/updates/389-admin-console-1.1.10-1.el7
* https://admin.fedoraproject.org/updates/389-admin-console-1.1.10-1.fc20
* https://admin.fedoraproject.org/updates/389-admin-console-1.1.10-1.fc21
* https://admin.fedoraproject.org/updates/idm-console-framework-1.1.9-2.el7
* https://admin.fedoraproject.org/updates/idm-console-framework-1.1.9-2.fc20
* https://admin.fedoraproject.org/updates/idm-console-framework-1.1.9-1.fc21
If you find a bug, or would like to see a new feature, file it in our
Trac instance: https://fedorahosted.org/389
Detailed Changelog since 389-console-1.1.7
* Ticket 47604 - 389-console: remove versioned jars from %{_javadir}
* Ticket 97 - 389-console should provide man page
Detailed Changelog since 389-ds-console-1.2.7
* Bug 1022104 - Remove versioned jarfiles from
_javadir (idm-console-framework)
* Ticket 47994 - DS Console always sets nsSSL3 to “on” when a securty
setting is adjusted
* Ticket 47380 - RFE: Winsync loses connection with AD objects when
they move from the console.
* Ticket 135 - DS console - right clicking an object does not select
that object
* Ticket 47887 - DS Console does not correctly disable SSL
* Ticket 47485 - DS instance cannot be restored from remote console
* Ticket 47886 - DS Console - mouse wheel speed very slow
* Ticket 176 - DS Console should timeout when mismatched port and
protocol combination is chosen
* Ticket 47883 - DS Console - java exception when refreshing schema
* Ticket 96 - Window too large for Manage password policy
Detailed Changelog since 389-admin-console-1.1.8
* Bug 1022104 - Remove versioned jarfiles from
_javadir (idm-console-framework)
* Ticket 47477 - Cannot restart SSL-admin server from console
* Ticket 47467 - Improve online help for Add CRL dialog
* Ticket 362 - Directory Console generates insufficient key strength
Detailed Changelog since idm-console-framework-1.1.7
* Ticket 47929 - idm-console-framework - set default min to tls1.0
* Ticket 47946 - ACI’s are replaced by “ACI_ALL” after editing group
of ACI’s including invalid one
* Ticket 47929 - Console - add tls1.1 support
* Ticket 47472 - Entries cannot be highlighted in the “Edit Aci”
Rights panel
* Ticket 47364 - Console does not support passwords containing
8-bit characters
* Ticket 47604 - idm-console-framework: remove versioned jars
from %{_javadir}
* Ticket 47480 - Admin Console “server restart dialog” disppears after
clicking OK
* Ticket 47467 - Improve CRL import dialog text
* Ticket 362 - Directory Console generates insufficient key strength
http://www.port389.org/docs/389ds/releases/release-console-1-1-9.html
9 years, 1 month
Announcing 389 Admin Server 1.1.38
by Noriko Hosoi
389 Admin Server 1.1.38
The 389 Directory Server team is proud to announce 389-admin version
1.1.38 and 389-adminutil version 1.1.21.
Fedora packages are available from the EPEL7, Fedora 20, Fedora 21 and
Rawhide repositories.
The new packages and versions are:
* 389-admin-1.1.38-1
* 389-adminutil-1.1.21-1
Source tarballs are available for download at Download Admin Source
<http://www.port389.org/binaries/389-admin-1.1.38.tar.bz2> and Download
Adminutil Source
<http://www.port389.org/binaries/389-adminutil-1.1.21.tar.bz2>.
Highlights in 389-admin-1.1.38 and 389-adminutil-1.1.21
* Several bugs are fixed including security bugs – stop using DES and
old SSL version.
Installation and Upgrade
See Download <http://www.port389.org/docs/389ds/download.html> for
information about setting up your yum repositories.
To install, use *yum install 389-ds*. After install completes, run
*setup-ds-admin.pl* to set up your directory server.
To upgrade, use *yum upgrade*. After upgrade completes, run
*setup-ds-admin.pl -u* to update your directory server/admin
server/console information.
See Install_Guide
<http://www.port389.org/docs/389ds/legacy/install-guide.html> for more
information about the initial installation, setup, and upgrade
See Source <http://www.port389.org/docs/389ds/development/source.html>
for information about source tarballs and SCM (git) access.
Feedback
We are very interested in your feedback!
Please provide feedback and comments to the 389-users mailing list:
https://admin.fedoraproject.org/mailman/listinfo/389-users and
following pages:
* https://admin.fedoraproject.org/updates/389-admin-1.1.38-1.el7
* https://admin.fedoraproject.org/updates/389-admin-1.1.38-1.fc20
* https://admin.fedoraproject.org/updates/389-admin-1.1.38-1.fc21
* https://admin.fedoraproject.org/updates/389-adminutil-1.1.21-2.el7
* https://admin.fedoraproject.org/updates/389-adminutil-1.1.21-1.fc20
* https://admin.fedoraproject.org/updates/389-adminutil-1.1.21-1.fc21
If you find a bug, or would like to see a new feature, file it in our
Trac instance: https://fedorahosted.org/389
Detailed Changelog since 389-admin-1.1.35
* Ticket 48024 - repl-monitor invoked from adminserver cgi fails
* Ticket 47995 - Admin Server: source code cleaning
* Ticket 47891 - Admin Server reconfig breaks SSL config
* Ticket 47929 - Admin Server - disable SSLv3 by default
* Ticket 201 - nCipher HSM cannot be configured via the console
* Ticket 47493 - Configuration Tab does not work with FIPS mode enabled
* Ticket 47697 - Resource leak in lib/libdsa/dsalib_updown.c
* Ticket 47860 - register-ds-admin.pl problem when following steps to
replicate o=netscaperoot
* Ticket 47548 - register-ds-admin does not register into remote config ds
* Ticket 47893 - Admin Server should use Sys::Hostname instead Net::Domain
* Ticket 47891 - Admin Server reconfig breaks SSL config
* Ticket 47300 - Update man page for remove-ds-admin.pl
* Ticket 47850 - “nsslapd-allow-anonymous-access: rootdse” makes login
as “admin” fail at the first time
* Ticket 47497 - Admin Express - remove “Security Level”
* Ticket 47495 - admin express: wrong instance creation time
* Ticket 47665 - Create new instance results in setting wrong ACI for
the “cn=config” entry
* Ticket 47478 - No groups file? error restarting Admin server
* Ticket 47300 - [RFE] remove-ds-admin.pl: redesign the behaviour
* Ticket 434 - admin-serv logs filling with “admserv_host_ip_check:
ap_get_remote_host could not resolve “
* Ticket 47563 - cannot restart directory server from console
* Ticket 222 - Admin Express issues “Internal Server Error” when the
Config DS is down.
* Ticket 418 - Error with register-ds-admin.pl
* Ticket 377 - Unchecked use of SELinux command Reviewed by: rmeggins
* Ticket 47498 - Error Message for Failed to create the configuration
directory server
Detailed Changelog since 389-adminutil-1.1.19
* Ticket 47929 - adminutil - future proof getSSLVersion
* Ticket 47929 - Adminutil - do not use SSL3 by default
* Ticket 47850 - “nsslapd-allow-anonymous-access: rootdse” makes login
as “admin” fail at the first time
* Ticket 47881 - crash during debug session in adminutil
* Ticket 47680 - Upgraded 389-admin rpms and now I can’t
start dirsrv-admin
http://www.port389.org/docs/389ds/releases/release-admin-1-1-38.html
9 years, 1 month
Announcing 389 Directory Server version 1.3.3.9
by Noriko Hosoi
389 Directory Server 1.3.3.9
The 389 Directory Server team is proud to announce 389-ds-base version
1.3.3.9.
Fedora packages are available from the Fedora 21, 22 and
Rawhide repositories.
The new packages and versions are:
* 389-ds-base-1.3.3.9-1
A source tarball is available for download at Download Source
<http://www.port389.org/binaries/389-ds-base-1.3.3.9.tar.bz2>
Highlights in 1.3.3.9
* Several bugs are fixed including 2 security bugs
Installation and Upgrade
See Download <http://www.port389.org/docs/389ds/download.html> for
information about setting up your yum repositories.
To install, use *yum install 389-ds*. After install completes, run
*setup-ds-admin.pl* to set up your directory server.
To upgrade, use *yum upgrade*. After upgrade completes, run
*setup-ds-admin.pl -u* to update your directory server/admin
server/console information.
See Install_Guide
<http://www.port389.org/docs/389ds/legacy/install-guide.html> for more
information about the initial installation, setup, and upgrade
See Source <http://www.port389.org/docs/389ds/development/source.html>
for information about source tarballs and SCM (git) access.
Feedback
We are very interested in your feedback!
Please provide feedback and comments to the 389-users mailing list:
https://admin.fedoraproject.org/mailman/listinfo/389-users as well as
https://admin.fedoraproject.org/updates/389-ds-base-1.3.3.9-1.fc21 and
https://admin.fedoraproject.org/updates/389-ds-base-1.3.3.9-1.fc22.
If you find a bug, or would like to see a new feature, file it in our
Trac instance: https://fedorahosted.org/389
Detailed Changelog since 1.3.3.8
* Bug 1199675 - CVE-2014-8112 CVE-2014-8105 389-ds-base: various
flaws [fedora-all]
* Ticket 47431 - Duplicate values for the attribute nsslapd-pluginarg
are not handled correctly
* Ticket 47451 - dynamic plugins - fix crash caused by invalid
plugin config
* Ticket 47728 - compilation failed with ‘ incomplete
struct/union/enum’ if not set USE_POSIX_RWLOCKS
* Ticket 47742 - 64bit problem on big endian: auth method not supported
* Ticket 47801 - RHDS keeps on logging write_changelog_and_ruv: failed
to update RUV for unknown
* Ticket 47828 - DNA scope: allow to exlude some subtrees
* Ticket 47836 - Do not return ‘0’ as empty fallback value of
nsds5replicalastupdatestart and nsds5replicalastupdatestart
* Ticket 47901 - After total init, nsds5replicaLastInitStatus can
report an erroneous error status (like ‘Referral’)
* Ticket 47936 - Create a global lock to serialize write operations
over several backends
* Ticket 47957 - Make ReplicaWaitForAsyncResults configurable
* Ticket 48001 - ns-activate.pl fails to activate account if it was
disabled on AD
* Ticket 48003 - add template scripts
* Ticket 48003 - build “suite” framework
* Ticket 48005 - ns-slapd crash in shutdown phase
* Ticket 48021 - nsDS5ReplicaBindDNGroup checkinterval not
working properly
* Ticket 48027 - revise the rootdn plugin configuration validation
* Ticket 48030 - spec file should run “systemctl stop” against each
running instance instead of dirsrv.target
* Ticket 48048 - Fix coverity issues - 2015/2/24
* Ticket 48048 - Fix coverity issues - 2015/3/1
* Ticket 48109 - substring index with nssubstrbegin: 1 is not being
used with filters like (attr=x*)
http://www.port389.org/docs/389ds/releases/release-1-3-3-9.html
9 years, 1 month
error upgrading the server
by Timo Aaltonen
Hi
So I've bumped into an issue on my IPA install (debian), where the
package tries to run an offline upgrade when it's updated, but fails:
[15/03/05:01:13:10] - [Setup] Info Error adding entry
'cn=entryusn,cn=default indexes, cn=config,cn=ldbm
database,cn=plugins,cn=config'. Error: No such object
[15/03/05:01:13:10] - [Setup] Fatal Error: could not update the
directory server.
[15/03/05:01:13:10] - [Setup] Fatal Exiting . . .
any ideas what's wrong?
--
t
9 years, 1 month