When configuring Microsoft Outlook (not Outlook Express) to access an LDAP directory, there is an option to 'Enable Browsing (requires server support)'. If this option is chosen and the directory server supports it, then you should be able to open the LDAP address book and page up and down through the results. I have been unable to get this working properly with 389 DS.
When I try to browse from Outlook against the 389 DS directory, I am able to see the first page of results perfectly. However, if I move to the next page, only the first object returned will have any attributes included, and all of the rest of the objects in the page will have no attributes. I have a test perl script that duplicates this functionality as well.
I can get this to work properly with an older version of Netscape Directory Server, and I can get it working with OpenDS. Since 389 DS advertises support for the controls that are required for this to work, just like the other two servers, then I would expect it to work there also.
Has anyone out there gotten this to work with 389 DS? If so, can you share if there was anything special that you needed to do to get this to work? I'm trying to determine if this is a bug in the server, or if I'm just missing something in the configuration.
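The browsing mode described above is two LDAP controls sent together: Server-Side Sort (RFC 2891) and Virtual List View (the ldapext VLV draft). The following added example, which is not the poster's Perl script and not 389 DS project code, hand-encodes both request control values and decodes a VLV response, so you can see exactly what a browsing client asks for on page one, what the server answers, and how the next-page request is derived from that answer. Only the control OIDs and the ASN.1 layouts come from the published specs; the sample server reply in the `__main__` block is constructed.

```python
"""Hand-built LDAP control values for Server-Side Sort (RFC 2891) and Virtual
List View (draft-ietf-ldapext-ldapv3-vlv), the pair a browsing client sends.
Pure Python, no LDAP library needed; only the control *values* are built."""

SSS_REQUEST_OID = "1.2.840.113556.1.4.473"    # sortRequest
VLV_REQUEST_OID = "2.16.840.1.113730.3.4.9"    # virtualListViewRequest
VLV_RESPONSE_OID = "2.16.840.1.113730.3.4.10"  # virtualListViewResponse

# VirtualListViewResult values from the draft (subset)
VLV_RESULT = {0: "success", 3: "timeLimitExceeded", 11: "adminLimitExceeded",
              50: "insufficientAccessRights", 51: "busy", 53: "unwillingToPerform",
              60: "sortControlMissing", 61: "offsetRangeError", 80: "other"}


# --- minimal BER (X.690) helpers ----------------------------------------
def _ber_len(n):
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def _tlv(tag, content):
    return bytes([tag]) + _ber_len(len(content)) + content


def _ber_int(value):
    # two's-complement, minimal length
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True)
    while len(raw) > 1 and ((raw[0] == 0x00 and raw[1] < 0x80) or
                            (raw[0] == 0xFF and raw[1] >= 0x80)):
        raw = raw[1:]
    return _tlv(0x02, raw)


def _ber_octets(b):
    return _tlv(0x04, b)


def _ber_seq(content):
    return _tlv(0x30, content)


def _read_tlv(data, pos):
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


# --- the two request controls --------------------------------------------
def sss_request_value(sort_keys):
    """sort_keys = [(attribute, reverse), ...].  SortKeyList ::= SEQUENCE OF
    SEQUENCE { attributeType, [0] orderingRule OPTIONAL, [1] reverseOrder }"""
    keys = b""
    for attr, reverse in sort_keys:
        key = _ber_octets(attr.encode())
        if reverse:
            key += _tlv(0x81, b"\xff")      # [1] BOOLEAN TRUE
        keys += _ber_seq(key)
    return _ber_seq(keys)


def vlv_request_value(before, after, offset, content_count, context_id=b""):
    """VLV request with the byOffset target ([0] SEQUENCE {offset, contentCount}).
    offset is 1-based; content_count 0 on the first request means 'not known yet'."""
    target = _tlv(0xA0, _ber_int(offset) + _ber_int(content_count))
    body = _ber_int(before) + _ber_int(after) + target
    if context_id:
        body += _ber_octets(context_id)
    return _ber_seq(body)


def vlv_response_parse(value):
    """VLV response ::= SEQUENCE { targetPosition, contentCount,
    virtualListViewResult ENUMERATED, contextID OCTET STRING OPTIONAL }"""
    tag, body, _ = _read_tlv(value, 0)
    if tag != 0x30:
        raise ValueError("VLV response value is not a SEQUENCE")
    fields, pos = [], 0
    while pos < len(body):
        t, content, pos = _read_tlv(body, pos)
        fields.append((t, content))
    if len(fields) < 3 or fields[0][0] != 0x02 or fields[1][0] != 0x02 or fields[2][0] != 0x0A:
        raise ValueError("unexpected VLV response layout")
    code = int.from_bytes(fields[2][1], "big")
    return {"target_position": int.from_bytes(fields[0][1], "big", signed=True),
            "content_count": int.from_bytes(fields[1][1], "big", signed=True),
            "result": code, "result_name": VLV_RESULT.get(code, "unknown"),
            "context_id": fields[3][1] if len(fields) > 3 and fields[3][0] == 0x04 else b""}


def next_page_request(response, page_size):
    """Request for the page after the one `response` describes: same window
    shape, offset moved forward one page, contentCount and contextID echoed."""
    return vlv_request_value(0, page_size - 1, response["target_position"] + page_size,
                             response["content_count"], response["context_id"])


if __name__ == "__main__":
    print("sort by cn:", sss_request_value([("cn", False)]).hex())
    print("page 1 (rows 1-10):", vlv_request_value(0, 9, 1, 0).hex())
    # constructed server reply: target=1, 250 entries in the list, success, ctx "abc"
    reply = _ber_seq(_ber_int(1) + _ber_int(250) + _tlv(0x0A, b"\x00") + _ber_octets(b"abc"))
    resp = vlv_response_parse(reply)
    print("parsed reply:", resp)
    print("page 2:", next_page_request(resp, 10).hex())
```

To reproduce the second-page problem against a real server, send `sss_request_value(...)` and `vlv_request_value(...)` as the values of two critical controls with any client that accepts raw control bytes, then feed the returned VLV control value to `vlv_response_parse` and compare the entries of page two with the attribute list you requested; if the server echoes a contextID, it must go back in the next request, which `next_page_request` does.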
A few weeks ago I posted that I am experiencing crashes of the ldap
server and I was advised how to collect the logs. I have managed to
collect them, the file is around 120k, where do I have to post it?
Hi there folks
I have been struggling with TLS/SSL setup on a standalone Directory Server
running on Centos 6.7. I have followed instructions for setup of TLS/SSL
from here mainly:
Though I had to adapt a couple of things with pointers from elsewhere to
get the whole thing tied up. This is using a self-signed certificate. I
have searched the web high and low and have read through the official
389-ds doc above as well as Red Hat docs and numerous random guides on the
web to try and piece this together.
The basic steps I ended up with after trial and error were as follows:
1) Create password files for use in certificate generation pwdfile and
2) Create new key and certificate databases for Directory Server - certutil
-N -d . -f pwdfile.txt
3) Generate an encryption key for the CA - certutil -G -d . -z
noisefile.txt -f pwdfile.txt
4) Generate self signed CA certificate - certutil -S -n "CA certificate" -s
"cn=CAcert" -2 -x -t "CT,," -m 1000 -v 120 -d . -z noisefile.txt -f
5) Export CA certificate to ASCII (.pem) format for use on Admin Server
(and other LDAP servers) - certutil -L -d . -n "CA certificate" -a >
6) Generate Directory Server client certificate - certutil -S -n
"DS-Server-Cert" -s "cn=example.com,ou=389 Directory Server" -c "CA
certificate" -t "u,u,u" -m 1001 -v 120 -d . -z noisefile.txt -f pwdfile.txt
7) Generate server certificate for the Admin Server - certutil -S -n
"admin-server-cert" -s "cn=example.com,ou=389 Administration Server" -c "CA
certificate" -t "u,u,u" -m 1002 -v 120 -d . -z noisefile.txt -f pwdfile.txt
8) Use pk12util to create a pkcs12 file of all 3 certificates created -
pk12util -d . -o cacert.pk12 -n "CA certificate" -w pk12password.txt -k
9) Export Admin Server certificate/private key to admin-serv directory -
pk12util -d /etc/dirsrv/admin-serv/ -n "admin-server-cert" -i
admincert.p12 -w pk12password.txt -k pwdfile.txt
10) Import CA into the Admin-Serv directory - certutil -A -d
/etc/dirsrv/admin-serv/ -n "CA certificate" -t "CT,," -a -i cacert.asc
11) Set pin and password.conf files for use during server restarts
12) Add selinux role to fix Admin Server access post password.conf file
creation - restorecon -v /etc/dirsrv/admin-serv/nss.conf
13) Set server to only accept TLS/SSL connections
I have done this in stages, snapshotting the vm and documenting as I go, and
everything seems fine up until enabling SSL on the directory server. Note I
have ntpd set up pointing to an AD DC and after each snapshot revert I am
syncing time with that, so it's not a date/time sync issue, or at least I
don't believe so.
Once I check the Use SSL on Console box on Directory Server I can log in to
the console (over http) but on trying to open the Directory Server under
Server Group I'm presented with a login box with DN name populated as:
I saw someone else in the archives had this error and the suggested reason
from one of the users was: The prompt is a password to unlock the NSS DB
key file used for SSL on an RHDS instance. I take this to be equivalent to
the password set in the pwdfile.txt file, but adding this I get "Cannot connect
to LDAP Server".
On setting the Admin Server console to use SSL I can no longer access the
web console and get error:
Cannot connect to the Admin Server "https://example.com:9830/"
The URL is not correct or the server is not running.
Checking the logs in /var/log/dirsrv/admin-serv/error I see the following:
[Mon Jan 25 00:01:06 2016] [error] SSL Library Error: -12271 SSL client
cannot verify your certificate
I have tested connection using openssl s_client -connect
target_server_fqdn:636 and get back what looks like valid content. And
-x -ZZ '(uid=tnumber1)' returns valid content also, so it looks to me like SSL
and TLS are setup correctly. Certs showed in the console ok though the
CAcert was listed on server tab of the directory console, is that correct?
Admin-Serv shows server cert on server tab and CAcert on cacert tab.
Am I correct in assuming that the admin server speaks to the directory
server over port 636 and that enabling SSL for the admin server should
allow connection using https://example.com:9830 still?
Have I missed any obvious steps in my certificate setup? Is there any way
other than what I've tried so far to verify that the SSL stuff is setup
correctly? And is enabling SSL on the Admin Server (encryption tab,
configuration ds tab and user ds tabs all completed) sufficient to require
https access to the java console?
Hoping someone can shed some light on where I've been going wrong. I'm
happy to provide more information or log output if required,
thanks in advance.
Using WinSync, is there any way to synchronize Active Directory custom extension attributes. Here is what I read from the Red Hat documentation:
Only a subset of Directory Server and Active Directory attributes are synchronized. These attributes are hard-coded and are defined regardless of which way the entry is being synchronized. Any other attributes present in the entry, either in Directory Server or in Active Directory, remain unaffected by synchronization.
Does this mean that we can't synchronize Active Directory custom extension attributes? Is there any workaround to make this work?
Thanks in advance for your support.
I would like to know if there is a cfg option in a multimaster
replication ( 2 servers both accept read-writes) to prevent
users/clients application writes to one of the master without
affecting the replication agreements.
my env 389-ds 18.104.22.168
There are close to a dozen 389-DS instances as part of our FreeIPA infra. On one of these
servers, I'm encountering a strange problem.
We monitor the state of replication among the 389 servers using a
python-ldap based script. This works on all servers except 1.
What I'm doing is fairly basic. Something along the lines of:
ldapsearch -x -b cn=config '(objectclass=nsds5replicationagreement)' nsds5replicaLastUpdateStatus -LLL -o ldif-wrap=no
Corresponding python code is below:
Now for the strange issue.
The above commands return the status of replication on all servers except 1
which returns an empty response. This happens only for the python and the
example perl script here
The ldapsearch command works fine!!!
Below is the log from a server where this runs fine.
[18/Jan/2016:07:09:19 +0000] conn=420951 fd=564 slot=564 connection from ::1 to ::1
[18/Jan/2016:07:09:19 +0000] conn=420951 op=0 BIND dn="" method=128
[18/Jan/2016:07:09:19 +0000] conn=420951 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[18/Jan/2016:07:09:19 +0000] conn=420951 op=1 SRCH base="cn=config" scope=2
[18/Jan/2016:07:09:19 +0000] conn=420951 op=1 RESULT err=0 tag=101
[18/Jan/2016:07:09:19 +0000] conn=420951 op=2 UNBIND
[18/Jan/2016:07:09:19 +0000] conn=420951 op=2 fd=564 closed - U1
Below is the log from the 1 server where this fails.
[18/Jan/2016:07:05:20 +0000] conn=226 fd=80 slot=80 connection from ::1 to
[18/Jan/2016:07:05:20 +0000] conn=226 op=0 BIND dn="" method=128 version=3
[18/Jan/2016:07:05:20 +0000] conn=226 op=0 RESULT err=0 tag=97 nentries=0
[18/Jan/2016:07:05:20 +0000] conn=226 op=1 SRCH base="cn=config" scope=2
[18/Jan/2016:07:05:20 +0000] conn=226 op=1 RESULT err=0 tag=101 nentries=0
[18/Jan/2016:07:05:20 +0000] conn=226 op=2 UNBIND
[18/Jan/2016:07:05:20 +0000] conn=226 op=2 fd=80 closed - U1
I have an ACI which allows anonymous access to the replication info.
Version is : 389-ds-base-22.214.171.124-1.fc21.x86_64
Any help would be appreciated.
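The two access-log excerpts above differ in exactly one field, and the most useful thing to do with them is to compare them mechanically. The following added example, not the poster's script and not project code, parses 389 DS access-log lines, pairs each SRCH with its RESULT and with the BIND on the same connection, and flags searches that returned `err=0` with `nentries=0`. The sample log text is constructed from the two excerpts (wrapped lines joined); the `filter=`/`attrs=` fields and the `nentries=1` on the healthy server are assumptions, since the post's copy of that RESULT line is cut off.

```python
"""Parse 389 DS access-log lines and pair SRCH/RESULT/BIND per connection,
to spot searches that quietly return nothing (err=0, nentries=0)."""
import re
from collections import defaultdict

# Constructed sample logs, shaped like the two excerpts in the post.
HEALTHY_LOG = """\
[18/Jan/2016:07:09:19 +0000] conn=420951 fd=564 slot=564 connection from ::1 to ::1
[18/Jan/2016:07:09:19 +0000] conn=420951 op=0 BIND dn="" method=128 version=3
[18/Jan/2016:07:09:19 +0000] conn=420951 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[18/Jan/2016:07:09:19 +0000] conn=420951 op=1 SRCH base="cn=config" scope=2 filter="(objectClass=nsds5replicationagreement)" attrs="nsds5replicaLastUpdateStatus"
[18/Jan/2016:07:09:19 +0000] conn=420951 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[18/Jan/2016:07:09:19 +0000] conn=420951 op=2 UNBIND
[18/Jan/2016:07:09:19 +0000] conn=420951 op=2 fd=564 closed - U1
"""

FAILING_LOG = """\
[18/Jan/2016:07:05:20 +0000] conn=226 fd=80 slot=80 connection from ::1 to ::1
[18/Jan/2016:07:05:20 +0000] conn=226 op=0 BIND dn="" method=128 version=3
[18/Jan/2016:07:05:20 +0000] conn=226 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[18/Jan/2016:07:05:20 +0000] conn=226 op=1 SRCH base="cn=config" scope=2 filter="(objectClass=nsds5replicationagreement)" attrs="nsds5replicaLastUpdateStatus"
[18/Jan/2016:07:05:20 +0000] conn=226 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[18/Jan/2016:07:05:20 +0000] conn=226 op=2 UNBIND
[18/Jan/2016:07:05:20 +0000] conn=226 op=2 fd=80 closed - U1
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>\d+))? (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"


def parse_access_log(text):
    """Return {conn: [record, ...]}; a record carries op, kind (BIND/SRCH/RESULT/...) and fields."""
    conns = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue
        rest = m.group("rest")
        kind = rest.split(None, 1)[0] if rest else ""
        fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        conns[m.group("conn")].append({"ts": m.group("ts"), "op": m.group("op"),
                                       "kind": kind, "fields": fields})
    return conns


def audit_searches(text):
    """One finding per SRCH: who was bound, what was searched, what came back."""
    findings = []
    for conn, records in parse_access_log(text).items():
        bind = next((r["fields"] for r in records if r["kind"] == "BIND"), {})
        results = {r["op"]: r["fields"] for r in records if r["kind"] == "RESULT"}
        for r in records:
            if r["kind"] != "SRCH":
                continue
            res = results.get(r["op"], {})
            err = int(res.get("err", -1))
            nentries = int(res.get("nentries", -1))
            f = {"conn": conn, "op": r["op"], "bind_dn": bind.get("dn", ""),
                 "anonymous": bind.get("dn", "") == "", "base": r["fields"].get("base"),
                 "scope": r["fields"].get("scope"), "err": err, "nentries": nentries,
                 "verdict": "ok"}
            if err != 0:
                f["verdict"] = "error"
            elif nentries == 0:
                f["verdict"] = "empty-result"     # success code, zero entries
            findings.append(f)
    return findings


def explain(finding):
    """Why a search can come back empty with err=0: ACI-hidden entries are
    silently omitted rather than reported as an error."""
    if finding["verdict"] != "empty-result":
        return finding["verdict"]
    who = "anonymous" if finding["anonymous"] else finding["bind_dn"]
    return ("search under %s by %s returned 0 entries with err=0: either nothing matches, "
            "or the bind identity may not read those entries (ACI); for anonymous binds also "
            "check nsslapd-allow-anonymous-access" % (finding["base"], who))


def compare(healthy, failing):
    """Same (base, scope) searched on two servers: list where the verdicts differ."""
    h = {(f["base"], f["scope"]): f for f in audit_searches(healthy)}
    g = {(f["base"], f["scope"]): f for f in audit_searches(failing)}
    return [(k, h[k]["verdict"], g[k]["verdict"]) for k in h
            if k in g and h[k]["verdict"] != g[k]["verdict"]]


if __name__ == "__main__":
    for key, good, bad in compare(HEALTHY_LOG, FAILING_LOG):
        print("search %s: healthy=%s failing=%s" % (key, good, bad))
    for f in audit_searches(FAILING_LOG):
        print(explain(f))
```

Both excerpts show an anonymous simple bind (`dn="" method=128`) followed by the same subtree search under `cn=config`; on the failing server the RESULT carries `nentries=0`, which is the signature of entries being present but not readable by that identity rather than of a transport or parsing problem, so the ACI on that one server (and its `nsslapd-allow-anonymous-access` setting) is where to look first, and running `compare` over the real logs of the two hosts keeps the diff down to that one field.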
Have tried to get my lab set up with 389 and secure connections multiple times now with disastrous results; and yes have tried to follow http://www.port389.org/docs/389ds/howto/howto-ssl.html
Here is a very brief walkthrough of what I did:
* from my PKI created four certificates - node1 admin and node2 directory + node2 admin and node2 directory certificates
* on both node1 and node2 installed the following packages:
[root@ads01 ~]# rpm -qa | grep 389
* on node1 ran setup-ds-admin.pl and configured the initial directory server
* on node1 configured the admin to use TLS + the directory server so that it bound to 636
* on node2 ran setup-ds-admin.pl and joined the directory server on node1
* on node2 configured the admin to use TLS
* on node2 launch 389-console using https and then try to connect to the directory server on node2 and it just hangs and fails with an SSL error over and over:
[Fri Jan 15 17:22:14.391824 2016] [:crit] [pid 705:tid 140640199088192] sslinit: NSS is required to use LDAPS, but security initialization failed [-8015:The certificate/key database is in an old, unsupported format or failed to open.].
How does one perform an install, with two nodes, that each has an administration instance plus a directory server running TLS on 636 ?? Have not even been able to attempt multi-master replication yet :(
All help appreciated. Thanks, Phil
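Two of the posts above hit the same NSS groundwork: the numbered certutil procedure (self-signed CA, server certificate, CA export, import into the admin-serv DB) and the `-8015` "certificate/key database ... failed to open" error. The following added example, which is neither poster's own steps nor 389 project code, drives `certutil` from Python in a scratch directory to build that layout and then checks the things worth checking before touching a live instance: that the server certificate validates as an SSL server cert against the CA in its own DB, that the admin-serv DB trusts the CA from the exported certificate alone (no private key travels), and that an unopenable DB is reported rather than assumed fine. Paths, nicknames, password and the `example.com` hostname are constructed; only the certutil flags are real, and the block assumes the NSS tools are on `PATH`.

```python
"""Build the CA / server-cert / admin-serv NSS layout with certutil in a
scratch directory and verify it.  Everything here (paths, password, names)
is constructed for the example; only the certutil options are real."""
import functools
import os
import re
import shutil
import subprocess
import tempfile

CA_NICK = "CA certificate"
DS_NICK = "DS-Server-Cert"
PASSWORD = "example-only-change-me"   # constructed; keep the real one in a 0600 pwdfile


def certutil_available():
    return shutil.which("certutil") is not None


def _certutil(args, cwd=None, stdin=None, check=True):
    return subprocess.run(["certutil"] + args, cwd=cwd, input=stdin,
                          capture_output=True, text=True, check=check)


def db_opens(dbdir):
    """False when certutil cannot open the DB: wrong dbm:/sql: format, missing
    files or a directory the calling user cannot read (the -8015 situation)."""
    return _certutil(["-L", "-d", dbdir], check=False).returncode == 0


def build_signing_db(dbdir, fqdn):
    """Steps 1-6 of the procedure in one DB: pwdfile, noise, -N, CA, server cert, CA export."""
    os.makedirs(dbdir, exist_ok=True)
    pwd = os.path.join(dbdir, "pwdfile.txt")
    noise = os.path.join(dbdir, "noisefile.txt")
    with open(pwd, "w") as fh:
        fh.write(PASSWORD + "\n")
    os.chmod(pwd, 0o600)
    with open(noise, "wb") as fh:
        fh.write(os.urandom(2048))
    common = ["-d", dbdir, "-z", noise, "-f", pwd, "-k", "rsa", "-g", "2048",
              "-Z", "SHA256", "-v", "120"]
    _certutil(["-N", "-d", dbdir, "-f", pwd], cwd=dbdir)
    # self-signed CA; -2 asks three questions (is CA? path length? critical?)
    _certutil(["-S", "-n", CA_NICK, "-s", "cn=CAcert", "-x", "-t", "CT,,", "-2",
               "-m", "1000"] + common, cwd=dbdir, stdin="y\n\ny\n")
    # server cert signed by the CA; -8 adds a DNS SAN so hostname checks can pass
    _certutil(["-S", "-n", DS_NICK, "-s", "cn=%s,ou=389 Directory Server" % fqdn,
               "-c", CA_NICK, "-t", "u,u,u", "-m", "1001", "-8", fqdn] + common, cwd=dbdir)
    # export the CA *certificate only* (PEM, no key) for the other DBs
    ca_pem = _certutil(["-L", "-d", dbdir, "-n", CA_NICK, "-a"], cwd=dbdir).stdout
    with open(os.path.join(dbdir, "cacert.asc"), "w") as fh:
        fh.write(ca_pem)
    return pwd


def build_admin_db(dbdir, ca_pem_path, pwd):
    """Step 10: a fresh DB that trusts the CA from its certificate alone."""
    os.makedirs(dbdir, exist_ok=True)
    _certutil(["-N", "-d", dbdir, "-f", pwd], cwd=dbdir)
    _certutil(["-A", "-d", dbdir, "-n", CA_NICK, "-t", "CT,,", "-a", "-i", ca_pem_path], cwd=dbdir)


def server_cert_valid(dbdir):
    """certutil -V, usage V (SSL server), -e also checks the signatures."""
    r = _certutil(["-V", "-d", dbdir, "-n", DS_NICK, "-u", "V", "-e"], cwd=dbdir, check=False)
    return r.returncode == 0 and "certificate is valid" in r.stdout


def trust_flags(dbdir, nick):
    """Trust string for a nickname from `certutil -L`, or None if absent."""
    out = _certutil(["-L", "-d", dbdir], cwd=dbdir, check=False).stdout
    m = re.search(r"^%s\s+(\S+)\s*$" % re.escape(nick), out, re.M)
    return m.group(1) if m else None


@functools.lru_cache(maxsize=None)
def demo(fqdn="example.com"):
    work = tempfile.mkdtemp(prefix="nss-demo-")
    signing = os.path.join(work, "slapd-signing")
    admin = os.path.join(work, "admin-serv")
    pwd = build_signing_db(signing, fqdn)
    build_admin_db(admin, os.path.join(signing, "cacert.asc"), pwd)
    return {"chain_ok": server_cert_valid(signing),
            "ca_trust_in_admin_db": trust_flags(admin, CA_NICK),
            "server_cert_in_admin_db": trust_flags(admin, DS_NICK) is not None,
            "unopenable_db_detected": not db_opens(os.path.join(work, "does-not-exist"))}


if __name__ == "__main__":
    if not certutil_available():
        print("certutil (NSS tools) not installed")
    else:
        for k, v in demo().items():
            print("%-26s %s" % (k, v))
```

Two points this makes concrete. The admin-serv DB only needs the CA's public certificate (step 10 of the procedure); a pkcs12 export of "CA certificate" carries the CA's private key with it, and anything that key reaches can mint certificates every server trusts, so keep that DB to the signing host. For the `-8015` case, `db_opens` run as the uid the admin server uses is the quickest split between a permissions problem and a format problem: certutil and the server must agree on `dbm:` (cert8.db/key3.db) versus `sql:` (cert9.db/key4.db) for the `-d` directory, and a DB created in one format and opened expecting the other fails with exactly that code.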