Problem browsing LDAP with Outlook
by Chris Bryant
When configuring Microsoft Outlook (not Outlook Express) to access an LDAP directory, there is an option to 'Enable Browsing (requires server support)'. If this option is chosen and the directory server supports it, then you should be able to open the LDAP address book and page up and down through the results. I have been unable to get this working properly with 389 DS.
When I try to browse from Outlook against the 389 DS directory, I am able to see the first page of results perfectly. However, if I move to the next page, only the first object returned will have any attributes included, and all of the rest of the objects in the page will have no attributes. I have a test perl script that duplicates this functionality as well.
I can get this to work properly with an older version of Netscape Directory Server, and I can get it working with OpenDS. Since 389 DS advertises support for the controls that are required for this to work, just like the other two servers, then I would expect it to work there also.
Has anyone out there gotten this to work with 389 DS? If so, can you share if there was anything special that you needed to do to get this to work? I'm trying to determine if this is a bug in the server, or if I'm just missing something in the configuration.
Thanks,
Chris
USA.NET
2 years, 9 months
MemberOf group restrictions to a client system (server and client running CentOS 7)
by Janet Houser
Hi,
I'm new to 389-ds and last week downloaded and installed the software.
I have a running instance of the server, and I've added TLS/SSL. I've configured a CentOS 7 client to be able to query
the server using TLS/SSL, and all appears working.
I've created users and groups on the 389-ds server successfully. For each user and group, I've enabled posix attributes and my client
can see the unix users and groups using the "getent password" or "getent group" commands.
Now, here's where I'm getting tripped up..........
I need to limit which users have access to which systems. I've been trying to do this via memberOf group limitations.
I found the following online resource (https://thornelabs.net/2013/01/28/aix-restrict-server-login-via-ldap-grou...)
which is close enough to CentOS that the initial commands worked.
I enabled the MemberOf plugin and changed the attributes per the link, and restarted the system.
I created a test group (for which I didn't enable a posix GID) and tried to add a single user via:
Right click on group -- > click Properties --> then Members --> click Add --> Search for user --> click Add.
When I try to go this route (which worked before enabling the memberOf plugin) it worked. Now it seems I get the error:
"Cannot save to directory server.
netscape.ldap.LDAPException: error result(65): Object class violation"
And the messages file (/var/log/dirsrv/slapd-<instancename>/errors) throws the error:
"Entry "uid=test,ou=People,dc=int,dc=com" -- attribute "memberOf" not allowed
[17/Feb/2016:11:22:58 -0700] memberof-plugin - memberof_postop_modify: failed to add dn (cn=testgroup,ou=Groups,dc=int,dc=com) to target. Error (65)"
So it seems my server isn't quite using the memberOf plugin properly, but I'm not sure what else to enable. I'll have to solve this issue before
I even try to filter login access via groups on my client system.
I should mention that if I go under the advanced tab for one of the groups I created, I can add the attribute "uniquemember", but I'm not sure what I
should set the "value" to be.
I've tried creating new users to see if I could set their "uniquemember" attributes, but no luck. It seems that I don't have the ability to set this attribute
on individual users, only groups.
This might not be the right road to head down when trying to restrict access to servers via groups, so I'm open to any suggestions.
Any suggestions would be appreciated.
2 years, 10 months
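An added illustration (not from the post above or from the 389 DS code) of the object class violation it quotes: a minimal Python model of the schema check 389 DS performs on a modify, run against a constructed schema fragment. It shows that a user entry whose objectclasses include nothing that allows memberOf fails once the plugin writes that attribute, and passes again once an auxiliary objectclass that allows memberOf (389 DS ships nsMemberOf for this purpose) is added; the schema fragment, the test entry and the group DN are constructed for the example.

```python
# Constructed schema fragment: only the objectclasses needed for the example.
# Each class lists its superior and its MUST/MAY attributes, as in an LDAP schema.
SCHEMA = {
    "top": {"sup": None, "must": {"objectClass"}, "may": set()},
    "person": {"sup": "top", "must": {"sn", "cn"}, "may": {"userPassword"}},
    "organizationalPerson": {"sup": "person", "must": set(), "may": {"ou"}},
    "inetOrgPerson": {"sup": "organizationalPerson", "must": set(), "may": {"uid", "mail"}},
    "posixAccount": {"sup": "top",
                     "must": {"uid", "uidNumber", "gidNumber", "homeDirectory"},
                     "may": {"loginShell"}},
    # Auxiliary class that allows memberOf (389 DS ships nsMemberOf with this role).
    "nsMemberOf": {"sup": "top", "must": set(), "may": {"memberOf"}},
}


def allowed_attributes(objectclasses):
    """Collect every MUST/MAY attribute of the given classes and their superiors."""
    allowed = set()
    for oc in objectclasses:
        while oc is not None:
            cls = SCHEMA[oc]            # KeyError for a class the schema does not know
            allowed |= cls["must"] | cls["may"]
            oc = cls["sup"]
    return {a.lower() for a in allowed}


def check_entry(entry):
    """Return the attributes the entry's objectclasses do not allow.
    An empty list means the entry passes; anything else is what the server
    reports as 'attribute ... not allowed' with result 65 (objectClassViolation)."""
    allowed = allowed_attributes(entry["objectClass"])
    return sorted(a for a in entry if a.lower() not in allowed)


# Constructed user entry, shaped like the uid=test entry from the error message.
USER = {
    "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson", "posixAccount"],
    "uid": ["test"], "cn": ["Test User"], "sn": ["User"],
    "uidNumber": ["1001"], "gidNumber": ["1001"], "homeDirectory": ["/home/test"],
}


def after_memberof_plugin(entry, group_dn):
    """What the memberOf plugin tries to write when the user is added to a group."""
    modified = {k: list(v) for k, v in entry.items()}
    modified["memberOf"] = [group_dn]
    return modified


def with_objectclass(entry, objectclass):
    """The same entry with one more (auxiliary) objectclass."""
    modified = {k: list(v) for k, v in entry.items()}
    modified["objectClass"] = modified["objectClass"] + [objectclass]
    return modified
```

Running check_entry on the plugin's modified entry returns ["memberOf"], i.e. the violation from the log; adding nsMemberOf to the entry's objectclasses makes it return an empty list.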
ldapsearch doesn't return the userpassword field
by Janet Houser
Hi,
I've been looking through the archives for information, but I haven't stumbled on a solution to my problem.
I'm running ds-389 (389-ds-base-1.3.4.0) on a centos 7 box (CentOS Linux release 7.2.1511). I have a centos OS client configured using SSL/TLS
which queries the LDAP server. Per a previous thread, I configured the memberOf plugin and all seems to be working properly.
I have a php script that will run on the client and change the LDAP password for the user. The problem is, the script looks for the SSHA hash
of the password when an ldapsearch is issued.
However, when I issue a general ldapsearch (anonymously) I don't get the userpassword field. I read in your archives that I might have
to be the "directory manager" user in order to see the hashed password. I've been playing around with the ldapsearch syntax, but I can't
quite get it right.
Anyway, my question is, can I set a flag in 389-ds that will display the hashed userpassword? I think that will solve my problem with the php script returning an error that it can't retrieve the old password.
Thanks,
5 years
Re: Erasing and rewriting 389
by Patrick Landry
Well, I am far from an expert but if the directory server is working properly
then your scripts have to create your DIT. If you are running a script to create
the dc=tld,dc=dn entry and it is not being created there must be some error
there.
----- Original Message -----
From: "Charlie Mordant" <cmordant1(a)gmail.com>
To: "General discussion list for the 389 Directory server project." <389-users(a)lists.fedoraproject.org>
Sent: Tuesday, April 26, 2016 11:59:28 AM
Subject: [389-users] Re: Erasing and rewriting 389
Hi Patrick,
Yes, my script does the exact inverse of the procedure.
I didn't see any error while reinstalling, setup-ds-admin.pl says that all is right...
Regards
On 25 Apr 2016 at 23:35, "Patrick M. Landry" < patrick.landry(a)louisiana.edu > wrote:
<blockquote>
That's pretty much the steps I follow to completely remove
a 389 DS installation.
I presume your "existing scripts" attempt to recreate your DIT. Do they
produce any error messages?
<blockquote>
From: "Charlie Mordant" < cmordant1(a)gmail.com >
To: "General discussion list for the 389 Directory server project." < 389-users(a)lists.fedoraproject.org >
Sent: Monday, April 25, 2016 3:51:28 PM
Subject: [389-users] Erasing and rewriting 389
Hi Laposte experts (French national mailing delivery)!
I'm trying some simple experiments on 389 ds.
I've an existing 389 installation, with some users, groups and acls (on fedora 21), and I'm trying to uninstall, erase my existing ldap to reinstall it.
So my script is:
* remove-ds-admin.pl -a -f -y
* service stop (dirsrv@myldap, dirsrv-admin)
* yum uninstall 389-*
* rm -rf /**dirsrv*/**
* then reinstalling with my existing script.
As it looks like a nice thing, it seems that there's a catch: my dc=tld,dc=dn subgroups are not created.
Is there something somewhere that I should be aware to be able to remove everything?
Best regards,
Charlie
--
Charlie Mordant
Full OSGI/EE stack made with Karaf: https://github.com/OsgiliathEnterprise/net.osgiliath.parent
--
389-users mailing list
389-users(a)lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org
--
Patrick Landry
Director, UCSS
University of Louisiana at Lafayette
pml(a)louisiana.edu
</blockquote>
</blockquote>
--
Patrick Landry
Director, UCSS
University of Louisiana at Lafayette
pml(a)louisiana.edu
7 years, 1 month
Admin-server connection
by Job Cacka
Recently, I was researching samba connections, and noticed that the Linux 'Domain Users' group was displaying as the Unix GID number instead of the name. I went to login to the admin-server express from 'https://zigzag.ccbox.com:9830/dist/download' and that page loads but when I click on the link I get.
"
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator, [no address given] and inform them of the time the error occurred, and anything you might have done that may have caused the error. More information about this error may be available in the server error log. ADDRESS:
Apache/2.2 Server at zigzag.ccbox.com Port 9830
"
So I went over to the 389 Management Console on my Windows box and I enter cn=Directory Manager, the password and https://zigzag.ccbox.com:9830 and I get a message saying the URL is not correct or the server is not running. For kicks and giggles I tried it with http instead of https and it gives an error that says, "Cannot logon because of an incorrect User ID, Incorrect password, or Directory problem. java.io.InterruptedIOException: HTTP response timeout". Which indicates to me that the correct protocol should be https:
To further verify this I ran the following command at the Linux CLI on the server and a server that communicates with it.
ldapsearch -H ldaps://zigzag.ccbox.com [-x] -b o=netscaperoot -D "cn=directory manager" -W "objectclass=nsAdminConfig"
This returns 129 responses, but I don't know if they are valid or make sense. They look like they are unique to my system.
Here is a pastebin of some error logs I noticed after I restarted the admin server with stop-ds-admin and start-ds-admin.
#357156 • Fedora Project Pastebin
Job Cacka
7 years, 1 month
Pass through auth using krbPrincipalName
by Gary Algier
Hello,
Has anyone used pass through authentication to Kerberos with the principal
coming from an attribute like krbPrincipalName?
I have pass through auth working where the list of users (nsswitch) comes
from the LDAP server and the authentication is using pam such as:
/etc/pam.d/ldapserver:
auth required pam_env.so
auth sufficient pam_krb5.so
auth required pam_deny.so
account required pam_krb5.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session required pam_krb5.so
The pass through plugin is configured to use the RDN where everyone's RDN
is like "uid=xxx".
This works fine, but that's because the uid is the same as the part before
the realm in the principal.
For example:
My login is "gary".
My Kerberos principal is "gary(a)EXAMPLE.COM".
EXAMPLE.COM is configured as the default realm on the system.
However, I have people whose login does not match their principal:
User Bob Smith has a login "bsmith".
His Kerberos principal is "robert.smith(a)EXAMPLE.COM".
I want to use "bsmith" for all the Unix/Linux name lookups, but use "robert.smith(a)EXAMPLE.COM" for the authentication. The latter information is stored in the krbPrincipal attribute.
I also want to be able to use a non-default realm:
User: "betty"
Principal: "betty.jones(a)OTHERREALM.COM"
I can configure the krb5.conf file to know about these other realms and I
can use kinit to test them so I know the Kerberos works.
I tried to change the plugin to pass the principal, but a name like "gary(a)EXAMPLE.COM" fails in the user lookup.
I need one name for the user and another for the authentication.
Another option would be if the user did not need to be found in the passwd
data. I don't really need it for pass through auth anyway. Unfortunately,
pam fails if the user can't be found.
Any ideas?
--
Gary Algier
7 years, 1 month
Login restrictions
by Enrico Morelli
Is it possible to restrict login only to those who belong to a particular group?
I tried to use the following lines in sssd.conf but it doesn't work:
access_provider = ldap
ldap_access_order = filter
ldap_access_filter = (gidNumber=900)
--
-------------------------------------------------------------
Enrico Morelli
System Administrator | Programmer | Web Developer
CERM - Polo Scientifico
Via Sacconi, 6 - 50019 Sesto Fiorentino (FI) - ITALY
phone: +39 055 457 4269
fax: +39 055 457 4927
-------------------------------------------------------------
7 years, 1 month
ACI value selector?
by Simon Oscarsson
Hi,
I wonder if there is an ACI statement that allows to filter the response on
attribute values. OpenLDAP has something called ACI value selector (for
example "attrs=memberof val.children='ou=Dummy,dc=test,dc=org'" that will
only return attribute values for 'memberof' having a value being part of
the subtree 'ou=Dummy,dc=test,dc=org' and filter away other memberof
values). There is a 'targattrfilters' statement in 389 DS, but that only
applies on 'add' or 'delete' operations (would like to have one for 'read')
Thanks
/Simon
7 years, 1 month
Replication Delay
by shardulsk
We recently upgraded from Centos 5.4 389-ds Version 1.1.2 to Centos 6.7
389-ds version 1.2.11
389-console-1.1.7-1.el6.noarch
389-ds-base-1.2.11.15-48.el6_6.x86_64
389-ds-console-1.2.6-1.el6.noarch
389-ds-base-libs-1.2.11.15-48.el6_6.x86_64
389-admin-console-1.1.8-1.el6.noarch
389-adminutil-1.1.19-1.el6.x86_64
389-admin-1.1.35-1.el6.x86_64
The setup has a single master, hub and 5 replicas. For some reason we are
experiencing replication delays of up to 40 secs between hub and replicas.
This did not occur in the old setup. At the time access logs showed an
average of 1000 MOD operations per minute.
Some of our configured parameters:
nsslapd-maxdescriptors: 16384
nsslapd-max-filter-nest-level: 40
nsslapd-timelimit: 7200
nsslapd-sizelimit: 10000000
nsslapd-reservedescriptors: 92
nsslapd-maxthreadsperconn: 10
nsslapd-threadnumber: 120
nsslapd-dbcachesize: 4000000000
nsslapd-cachememsize: 20000000000
The systems resources on the Hub (CPU/memory/disk) look fine, so it must be
389-ds resources either on the hub or the replicas that must be causing the
delay. Where should I be looking?
~Shardul.
7 years, 1 month
Erasing and rewriting 389
by Charlie Mordant
Hi Laposte experts (French national mailing delivery)!
I'm trying some simple experiments on 389 ds.
I've an existing 389 installation, with some users, groups and acls (on
fedora 21), and I'm trying to uninstall, erase my existing ldap to
reinstall it.
So my script is:
* remove-ds-admin.pl -a -f -y
* service stop (dirsrv@myldap, dirsrv-admin)
* yum uninstall 389-*
* rm -rf /**dirsrv*/**
* then reinstalling with my existing script.
As it looks like a nice thing, it seems that there's a catch: my
dc=tld,dc=dn subgroups are not created.
Is there something somewhere that I should be aware to be able to remove
everything?
Best regards,
Charlie
--
Charlie Mordant
Full OSGI/EE stack made with Karaf:
https://github.com/OsgiliathEnterprise/net.osgiliath.parent
7 years, 1 month