Hello 389 Group,
Is there an object class/attribute that I can add to a user's entry that
will capture their last authenticated time stamp. I want to capture this
so I can go delete users that have not authenticated after so many days.
Hello folks, I'm running Centos 6 LDAP masters/replicas in a multi master
setup. I am running the latest version of 389ds available through EPEL
So what I am seeing is an issue with the attributes: shadowFlag,
shadowWarning, shadowMin, shadowMax, shadowLastChange, shadowExpire
My issue is that if I add or change these values, they replicate down as
one would expect. If I, however, delete the attributes, this change does
*not* get replicated. It does not get replicated to the other master nor
I have tried to re-initialize one of my replicas, but the issue persists.
I'm not really seeing anything too out of the ordinary in the logs. I
enabled replication debug logging and the log blocks seem the same when an
attr is changed (replication works as expected) and when an attr is deleted
(seems to not work as expected).
It seems that any other attributes I tried behave as I would expect.
It would be possible to create a scenario where 389 ds became a box for all
users through winsync and replication,We have some users in Windows AD and
some other in Freeipa, however we are looking a way to put together all the
user in one place 389 DS, (just the users) to create a single email system
for all users. Any input will be appreciated. Regards
Reading  and  I can't seem to find how to grant an object the
right to execute the getEffectiveRights extended operation. At this
time I seem to only be able to carry this out with Directory Manager.
What aci is needed to allow some groupdn access to the GER operation?
I would like to return to a problem that I have had since I first posted
about it on Feb 29, 2012, and which was never resolved. I have been
successfully running 2 FDS multi-masters since I installed them in ~2007,
and which have been updated ever since with yum. My current package set is:
The directory service is working fine. I use it only to authenticate user
logins on ~dozen fedora clients. I can run 389-console on one of the
masters, but not the other. I used to be able to run it before 2012. Now
when I run 389-console and log in, I get:
Cannot connect to the directory server:
netscape.ldap.LDAPException: error result (32): No such object
I tried running setup-ds-admin.pl -u, but it yields:
Configuration directory server URL [ldap://XXXX.org:389/o%3DNetscapeRoot]:
Configuration directory server admin ID [uid=admin, ou=Administrators,
Configuration directory server admin password:
Configuration directory server admin domain [org]:
Could not authenticate as user 'uid=admin, ou=Administrators,
ou=TopologyManagement, o=NetscapeRoot' to server
'ldap://XXXX.org:389/o%3DNetscapeRoot'. Error: No such object
I notice that when I start dirsrv-admin, I get the following message in
[:crit] [pid 18514:tid 140642010404992] populate_tasks_from_server():
Unable to search [cn=admin-serv-XXXX, cn=389 Administration Server,
cn=Server Group, cn=XXXX.org, ou=org, o=NetscapeRoot] for LDAPConnection
Each server is its own configuration directory server. There is a
replication agreement between the two servers, but only on userRoot, not
I also note that ldapsearch -x -b "o=NetscapeRoot" on the problem server
# extended LDIF
# base <o=NetscapeRoot> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
# search result
result: 0 Success
# numResponses: 2
# numEntries: 1
The same command on the working server produces a response with 46 entries
and lots of good things in it. Did my NetscapeRoot somehow get emptied?
How do I get it back?
I thought a "restoreconfig" command would help me, but I never did a
"saveconfig" and don't have any /var/lib/dirsrv/slapd-XXXX/bak/*.ldif
files. I do have a
file, but it's quite old and from the documentation that I read, it says it
is an "example" file. I do have backups in
/var/lib/dirsrv/slapd-XXXX/bak/. Among others, I have ones from
2011_07_20_10_54_37/ and 2012_02_20_13_29_00/. I believe everything was
working correctly in 2011, but not by 2012. Could this help in any way?
Alternatively, I just now did a saveconfig, and it produced an .ldif file
with 146 entries! If I now restore from that file, might that fix things
up? Can it hurt to try?
Under the MS AD, the information „user must change password at next logon“
is reflected through three attributes:
- the maxPwdAge attribute of the domain object,
- the pwdLastSet of the user object
- the userAccountControlof the user object
1) When the difference between the current date and pwdLastSet exceeds
maxPwdAge, the password is expired,
but nothing changes in AD. If you reset the password, please take care to
update the pwdLastSet date.
2) there are complex relationships between the operations to update the
password and the userAccountControlOf.
This is detailed status encoded in the single bits of a 32-bit word along
the following table:
ADS_UF_SCRIPT = 1, // 0x1
ADS_UF_ACCOUNTDISABLE = 2, // 0x2
ADS_UF_HOMEDIR_REQUIRED = 8, // 0x8
ADS_UF_LOCKOUT = 16, // 0x10
ADS_UF_PASSWD_NOTREQD = 32, // 0x20
ADS_UF_PASSWD_CANT_CHANGE = 64, // 0x40
ADS_UF_ENCRYPTED_TEXT_PWD = 128, // 0x80
ADS_UF_TEMP_DUPLICATE_ACCOUNT = 256, // 0x100
ADS_UF_NORMAL_ACCOUNT = 512, // 0x200
ADS_UF_INTERDOMAIN_TRUST_ACCOUNT = 2048, // 0x800
ADS_UF_WORKSTATION_TRUST_ACCOUNT = 4096, // 0x1000
ADS_UF_SERVER_TRUST_ACCOUNT = 8192, // 0x2000
ADS_UF_DONT_EXPIRE_PASSWD = 65536, // 0x10000
ADS_UF_MNS_LOGON_ACCOUNT = 131072, // 0x20000
ADS_UF_SMARTCARD_REQUIRED = 262144, // 0x40000
ADS_UF_TRUSTED_FOR_DELEGATION = 524288, // 0x80000
ADS_UF_NOT_DELEGATED = 1048576, // 0x100000
ADS_UF_USE_DES_KEY_ONLY = 2097152, // 0x200000
ADS_UF_DONT_REQUIRE_PREAUTH = 4194304, // 0x400000
ADS_UF_PASSWORD_EXPIRED = 8388608, // 0x800000
ADS_UF_TRUSTED_AUTH_DELEGATION = 16777216, // 0x1000000
ADS_UF_PARTIAL_SECRETS_ACCOUNT = 67108864, // 0x4000000
You must take care of the bits „ADS_UF_PASSWD_CANT_CHANGE“,
IF you maintain the password without using the native methods, you have to
take care to update the pwdLastSet and reset the bit
For more information relate to the article under:
>Date: Wed, 20 May 2015 14:28:25 +0300
>From: Mihai Carabas <mihai.carabas(a)gmail.com>
>To: "General discussion list for the 389 Directory server project."
>Subject: [389-users] flag "user must change password at next logon"
> remains active after PassSync
>Content-Type: text/plain; charset="utf-8"
>We've setup an 389 Directory Server on a Fedora21 and configured
>synchronization with an Active Directory (running on an Windows2012R2
>Datacenter). We've managed to synchronize all the accounts from the 389DS
>to AD (about 44000). All the accounts have the "user must change password
>at next logon" in the AD, even if the users change their passwords on the
>389DS, The password gets to the AD, but the flag for "user must change
>password at next logon" still remains active (basically forces the user to
>change their password on the Active Directory). Is there any workaround
>The attribute passwordMustChange in the 389DS is set to Off.
>University POLITEHNICA of Bucharest
>-------------- next part --------------
>An HTML attachment was scrubbed...
Can I have multiple storage schemes at the same in 389DS? For example right
now I have active the SSHA scheme, but I want to import a UNIX shadow
database too. Is this scenario possible?
We've setup an 389 Directory Server on a Fedora21 and configured
synchronization with an Active Directory (running on an Windows2012R2
Datacenter). We've managed to synchronize all the accounts from the 389DS
to AD (about 44000). All the accounts have the "user must change password
at next logon" in the AD, even if the users change their passwords on the
389DS, The password gets to the AD, but the flag for "user must change
password at next logon" still remains active (basically forces the user to
change their password on the Active Directory). Is there any workaround for
The attribute passwordMustChange in the 389DS is set to Off.
University POLITEHNICA of Bucharest