389-users April 2015

389-users@lists.fedoraproject.org

17 participants
19 discussions

Problem browsing LDAP with Outlook
by Chris Bryant 26 Aug '20

26 Aug '20

When configuring Microsoft Outlook (not Outlook Express) to access an LDAP directory, there is an option to 'Enable Browsing (requires server support)'. If this option is chosen and the directory server supports it, then you should be able to open the LDAP address book and page up and down through the results. I have been unable to get this working properly with 389 DS. When I try to browse from Outlook against the 389 DS directory, I am able to see the first page of results perfectly. However, if I move to the next page, only the first object returned will have any attributes included, and all of the rest of the objects in the page will have no attributes. I have a test perl script that duplicates this functionality as well. I can get this to work properly with an older version of Netscape Directory Server, and I can get it working with OpenDS. Since 389 DS advertises support for the controls that are required for this to work, just like the other two servers, then I would expect it to work there also. Has anyone out there gotten this to work with 389 DS? If so, can you share if there was anything special that you needed to do to get this to work? I'm trying to determine if this is a bug in the server, or if I'm just missing something in the configuration. Thanks, Chris USA.NET You Run Your Business. We'll Run Your Email. This message is for the sole use of the intended recipient(s) and may contain confidential and/or privileged information of USA.NET, Inc. Any unauthorized review, use, copying, disclosure, or distribution is prohibited. If you are not the intended recipient, please immediately contact the sender by reply email and delete all copies of the original message.

3 2

multi-valued nsAccountLock
by Pierre ROUDIER 10 Jul '15

10 Jul '15

Hi all, RedHat DS's doc states that the nsAccountLock attribute is multi-valued [1]. Some tests with 389ds led me to think it's also true for 389ds. I cannot think of any reason explaining why it would have to be multi-valued. Do you have any idea? Thank you. [1] https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server…

3 2

Announcing 389 Directory Server version 1.3.3.10
by Noriko Hosoi 28 Apr '15

28 Apr '15

389 Directory Server 1.3.3.10 The 389 Directory Server team is proud to announce 389-ds-base version 1.3.3.10. Fedora packages are available from the Fedora 21, 22 and Rawhide repositories. The new packages and versions are: * 389-ds-base-1.3.3.10-1 A source tarball is available for download at Download Source <http://www.port389.org/binaries/389-ds-base-1.3.3.10.tar.bz2> Highlights in 1.3.3.10 * One important security bug was fixed. Installation and Upgrade See Download <http://www.port389.org/docs/389ds/download.html> for information about setting up your yum repositories. To install, use *yum install 389-ds* yum install 389-ds After install completes, run *setup-ds-admin.pl* to set up your directory server. setup-ds-admin.pl To upgrade, use *yum upgrade* yum upgrade After upgrade completes, run *setup-ds-admin.pl -u* to update your directory server/admin server/console information. setup-ds-admin.pl -u See Install_Guide <http://www.port389.org/docs/389ds/legacy/install-guide.html> for more information about the initial installation, setup, and upgrade See Source <http://www.port389.org/docs/389ds/development/source.html> for information about source tarballs and SCM (git) access. Feedback We are very interested in your feedback! Please provide feedback and comments to the 389-users mailing list: https://admin.fedoraproject.org/mailman/listinfo/389-users as well as https://admin.fedoraproject.org/updates/389-ds-base-1.3.3.10-1.fc21 <https://admin.fedoraproject.org/updates/389-ds-base-1.3.3.10-1.fc21> and https://admin.fedoraproject.org/updates/389-ds-base-1.3.3.10-1.fc22 <https://admin.fedoraproject.org/updates/389-ds-base-1.3.3.10-1.fc22>. If you find a bug, or would like to see a new feature, file it in our Trac instance: https://fedorahosted.org/389 Detailed Changelog since 1.3.3.8 * Bug 1216203 - CVE-2015-1854 389ds-base: access control bypass with modrdn [fedora-all] http://www.port389.org/docs/389ds/releases/release-1-3-3-10.html

1 0

DS start debug mode option
by ghiureai 28 Apr '15

28 Apr '15

Hi LIst, I would like to know if there an option to start DS in debug mode ? we re- installed the OS on host with DS and trying to use an existing full backup taken before shutdown , getting the following : error 1 when trying to start DS ,no errors or messages are written to DS log Isabella

1 0

Configuring StartTLS
by Galazios, Costa 27 Apr '15

27 Apr '15

Hello, I am converting my 389 instances to use StartTLS and have hit the following snag. After running setup-ssl.sh, and adding “nsslapd-security:on” to dse.ldif, and restarting both dirsrv and dirsrv-admin, I am trying to do an ldapsearch to test functionality over tcp/389 with StartTLS. == [root@ops-ldap-m-00001 slapd-ops-ldap-m-00001]# ldapsearch -x -LLL -ZZ -p 636 -h "ops-ldap-m-00001.svale.netledger.com" -D cn=manager -w password -b "" -s base objectclass=top ldap_start_tls: Can't contact LDAP server (-1) [root@ops-ldap-m-00001 slapd-ops-ldap-m-00001]# ldapsearch -x -LLL -ZZ -p 389 -h "ops-ldap-m-00001.svale.netledger.com" -D cn=manager -w password -b "" -s base objectclass=top ldap_start_tls: Protocol error (2) additional info: unsupported extended operation [root@ops-ldap-m-00001 slapd-ops-ldap-m-00001]# == Can someone help illuminate for me what I’ve done wrong? To learn more about SuiteWorld, visit www.netsuite.com/suiteworld. NOTICE: This email and any attachments may contain confidential and proprietary information of NetSuite Inc. and is for the sole use of the intended recipient for the stated purpose. Any improper use or distribution is prohibited. If you are not the intended recipient, please notify the sender; do not review, copy or distribute; and promptly delete or destroy all transmitted information. Please note that all communications and information transmitted through this email system may be monitored and retained by NetSuite or its agents and that all incoming email is automatically scanned by a third party spam and filtering service which may result in deletion of a legitimate e-mail before it is read by the intended recipient.

1 0

multimaster replication resync after one server offline
by ghiureai 27 Apr '15

27 Apr '15

Hi List, I would like to know what are the steps to resync a ldap server part of mutlmaster replication env, the server will be taken off line for 1 day ? Initially I put the server in read only mode while doing the failover to other master , and next I shutdown it down for some OS maintenance. What are steps to resync the replication when will be brought back online ? Isabella

1 0

multimaster replication one host offline
by ghiureai 27 Apr '15

27 Apr '15

Hi List, I have cfg LDAP multimaster replication, one of the hosts will be offline for some days, do I need to disable the replication agreement completely at this point? (what will be the minimum cfg) What are the steps to resync the master after is been brought online ? Thank you Isabella

3 2

problems building RPM for 389-admin
by Giovanni Baruzzi 26 Apr '15

26 Apr '15

Hi all, sorry for a newcomer question. After having built the RPM for 389-ds-base and 389-adminutil I’m stuck with a problem with 389-admin. I was not able to find an „official“ SPEC file and I resorted to one found somewhere in Internet. The problem is that this file requires the definition of the macro %{_unitdir}, which apparetnly is not defined anymore (?) for Fedora. How can I solve the problem? Is there a location for the „official“ spec files? thank you, Giovanni

3 2

selinux problem with centos 7.1
by Angel Bosch 17 Apr '15

17 Apr '15

hi, I'm having problems installing a new test environment on centos 7.1 when I execute setup-ds-admin.pl i get this message: Adding port 389 to selinux policy failed - ValueError: SELinux policy is not managed or store cannot be accessed. I've tried with --debug and it keeps retrying every 5 seconds with same message. # lsb_release -a LSB Version: :core-4.1-amd64:core-4.1-noarch Distributor ID: CentOS Description: CentOS Linux release 7.1.1503 (Core) Release: 7.1.1503 Codename: Core # sestatus SELinux status: disabled the only irregular thing is that im using an openvz container, but I have plenty of other DS inside openvz without any problems. i managed to continue with the installation with a very dirty hack, I modified DSCreate.pm script and added a return in the beggining of updateSelinuxPolicy sub: #################################################### sub updateSelinuxPolicy { my $inf = shift; return 0; #################################################### did anyone got this same problem? abosch --

3 4

question about samba and account lockout
by Kevin Taylor 17 Apr '15

17 Apr '15

We've been using the old Sun Directory Server (DSEE7) for a long time and have had things working in such a way that when a user on linux or windows locks the account after so many failures, neither windows nor linux will allow them to log in. The way that was done was to modify the samba source code (in lib/smbldap.c) to point the SambaKickoffTime variable to pwdaccountlockedtime from the LDAP server. This worked. We want to move to the 389 directory server and perform the same function, but I'm having some issues. The pwdaccountlockedtime isn't there anymore. When the account locks, I see that we have the accountunlocktime attribute being set. Unfortunately, I can't use that field for samba since it's looking for unix time in seconds. The default value of accountunlocktime is Jan 1 1970, so samba thinks that this is some date in the year 600,000+. So, are any of the following things possible? If so, how can I do it? 1) When an account locks out on the DS, automatically set the SambaKickoffTime attribute in DS to the current time in seconds 2) Change the default value of accountunlocktime to 00000000000000Z instead of 1970.... 3) Change the format of the sambakickofftime inside of samba so that it will acknowledge what the DS offers it. 4) Some other way to get samba to acknowledge that account cannot login automatically upon lockout from DS. Thanks for your help.

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

389-users April 2015