389-users April 2016

389-users@lists.fedoraproject.org

25 participants
29 discussions

Problem browsing LDAP with Outlook
by Chris Bryant 26 Aug '20

26 Aug '20

When configuring Microsoft Outlook (not Outlook Express) to access an LDAP directory, there is an option to 'Enable Browsing (requires server support)'. If this option is chosen and the directory server supports it, then you should be able to open the LDAP address book and page up and down through the results. I have been unable to get this working properly with 389 DS. When I try to browse from Outlook against the 389 DS directory, I am able to see the first page of results perfectly. However, if I move to the next page, only the first object returned will have any attributes included, and all of the rest of the objects in the page will have no attributes. I have a test perl script that duplicates this functionality as well. I can get this to work properly with an older version of Netscape Directory Server, and I can get it working with OpenDS. Since 389 DS advertises support for the controls that are required for this to work, just like the other two servers, then I would expect it to work there also. Has anyone out there gotten this to work with 389 DS? If so, can you share if there was anything special that you needed to do to get this to work? I'm trying to determine if this is a bug in the server, or if I'm just missing something in the configuration. Thanks, Chris USA.NET You Run Your Business. We'll Run Your Email. This message is for the sole use of the intended recipient(s) and may contain confidential and/or privileged information of USA.NET, Inc. Any unauthorized review, use, copying, disclosure, or distribution is prohibited. If you are not the intended recipient, please immediately contact the sender by reply email and delete all copies of the original message.

3 2

MemberOf group restrictions to a client system (server and client running CentOS 7)
by Janet Houser 06 Aug '20

06 Aug '20

Hi, I'm new to 389-ds and last week downloaded and installed the software. I have a running instance of the server, and I've added TLS/SSL. I've configured a CentOS 7 client to be able to query the server using TLS/SSL, and all appears working. I've created users and groups on the 389-ds server successfully. For each user and group, I've enabled posix attributes and my client can see the unix users and groups using the "getent password" or "getent group" commands. Now, here's where I'm getting tripped up.......... I need to limit which users have access to which systems. I've been trying to do this via memberOf group limitations. I found the following online resource (https://thornelabs.net/2013/01/28/aix-restrict-server-login-via-ldap-groups…) which is close enough to CentOS that the initial commands worked. I enabled the MemberOf plugin and changed the attributes per the link, and restarted the system. I created a test group (that I didn't enable a posix GID) and tried to add a single user via: Right click on group -- > click Properties --> then Members --> click Add --> Search for user --> click Add. When I try to go this route (which worked before enabling the memberOf plugin) it worked. Now it seems I get the error: "Cannot save to directory server. netscape.ldap.LDAPException: error resiult(65): Object class violation" And the messages file throws the error (/var/log/dirsrv/slapd-<instancename>/errors: "Entry "uid=test,ou=People,dc=int,dc=com" -- attribute "memberOf" not allowed [17/Feb/2016:11:22:58 -0700] memberof-plugin - memberof_postop_modify: failed to add dn (cn=testgroup,ou=Groups,dc=int,dc=com) to target. Error (65)" So it seems my server isn't quite using the memberOf plugin properly, but I'm not sure what else to enable. I'll have to solve this issue before I even try to filter login access via groups on my client system. I should mention that if I go under the advanced tab for one of the groups I created, I can add the the attribute "uniquemember", but I'm not sure what I should set the "value" to be. I've tried creating new users to see if I could set their "uniquemember" attributes, but no luck. It seems that I don't have the ability to set this attribute on individual users, only groups. This might not be the right road to head down when trying to restrict access to servers via groups, so I'm open to any suggestions. Any suggestions would be appreciated.

6 19

ldapsearch doesn't return the userpassword field
by Janet Houser 14 May '18

14 May '18

Hi, I've been looking through the archives for information, but I haven't stumbled on a solution to my problem. I'm running ds-389 (389-ds-base-1.3.4.0) on a centos 7 box (CentOS Linux release 7.2.1511). I have a centos OS client configured using SSL/TLS which queries the LDAP server. Per a previous thread, I configured the memeberOf plugin and all seems to be working properly. I have a php script that will run on the client and change the LDAP password for the user. The problem is, the script looks for the SSHA has of the password when an ldapsearch is issued. However, when I issue a general ldapsearch (anonymously) I don't get the userpassword field. I read in your archives that I might have to be the "directory manager" user in order to see the hashed password. I've been playing around with the ldapsearch syntax, but I can't quite get it right. Anyway, my question is, can I set a flag in 389-ds that will display the hashed userpassword? I think that will solve my problem with the php script returning an error that it can't retrieve the old password. Thanks,

5 12

Re: Erasing and rewriting 389
by Patrick Landry 06 May '16

06 May '16

Well, I am far from an expert but if the directory server is working properly then your scripts have to create your DIT. If you are running a script to create the dc=tld,dc=dn entry and it is not being created there must be some error there. ----- Original Message ----- From: "Charlie Mordant" <cmordant1(a)gmail.com> To: "General discussion list for the 389 Directory server project." <389-users(a)lists.fedoraproject.org> Sent: Tuesday, April 26, 2016 11:59:28 AM Subject: [389-users] Re: Erasing and rewriting 389 Hi Patrick, Yes, my script does the exact inverse of the procedure. I didn't see any error while reinstalling, setup-ds-admin.pl says that all is right... Regards Le 25 avr. 2016 23:35, "Patrick M. Landry" < patrick.landry(a)louisiana.edu > a écrit : <blockquote> That's pretty much the steps I follow to completely remove a 389 DS installation. I presume your "existing scripts" attempt to recreate your DIT. Do they produce any error messages? <blockquote> From: "Charlie Mordant" < cmordant1(a)gmail.com > To: "General discussion list for the 389 Directory server project." < 389-users(a)lists.fedoraproject.org > Sent: Monday, April 25, 2016 3:51:28 PM Subject: [389-users] Erasing and rewriting 389 Hi Laposte experts (French national mailing delivery)! I'm trying some experiments some simple things on 389 ds. I've an existing 389 installation, with some users, groups and acls (on fedora 21), and I'm trying to uninstall, erase my existing ldap to reinstall it. So my script is: * remove-ds-admin.pl -a -f -y * service stop (dirsrv@myldap, dirsrv-admin) * yum uninstall 389-* * rm -rf /**dirsrv*/** * then reinstalling with my existing script. As it looks like a nice thing, it seems that there's a catch: my dc=tld,dc=dn subgroups are not created. Is there something somewhere that I should be aware to be able to remove everything? Best regards, Charlie -- Charlie Mordant Full OSGI/EE stack made with Karaf: https://github.com/OsgiliathEnterprise/net.osgiliath.parent -- 389-users mailing list 389-users(a)lists.fedoraproject.org http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org -- Patrick Landry Director, UCSS University of Louisiana at Lafayette pml(a)louisiana.edu -- 389-users mailing list 389-users(a)lists.fedoraproject.org http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org </blockquote> -- 389-users mailing list 389-users(a)lists.fedoraproject.org http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org </blockquote> -- Patrick Landry Director, UCSS University of Louisiana at Lafayette pml(a)louisiana.edu

2 2

Admin-server connection
by Job Cacka 03 May '16

03 May '16

Recently, I was researching samba connections, and noticed that the Linux 'Domain Users' group was displaying as the Unix GID number instead of the name. I went to login to the admin-server express from 'https://zigzag.ccbox.com:9830/dist/download' and that page loads but when I click on the link I get. " Internal Server Error The server encountered an internal error ormisconfiguration and was unable to completeyour request.Please contact the server administrator, [no address given] and inform them of the time the error occurred,and anything you might have done that may havecaused the error.More information about this error may be availablein the server error log.ADDRESS: Apache/2.2 Server at zigzag.ccbox.com Port 9830 " So I went over to the 389 Management Console on my Windows box and I enter cn=Directory Manager the password and https://zigzag.ccbox.com:9830 and I get a message saying the URL is not correct or the server is not running. For kicks and giggles I tried it with http instead of https and it gives an error that says,"Cannot logon because of an incorrect User ID, Incorrect password, or Directory problem. java.io.InterruptedIOExceptio: HTTP response timeout"Which indicates to me that the correct protocol should be https: To further verify this I ran the following command at the Linux CLI on the server and a server that communicates with it. ldapsearch -H ldaps://zigzag.ccbox.com [-x] -b o=netscaperoot -D "cn=directory manager" -W "objectclass=nsAdminConfig" This returns 129 responses, but I don't know if they are valid or make sense. They look like they are unique to my system. Here is a pastbin of some error logs I noticed after I restarted the admin server with stop-ds-admin and start-ds-admin. #357156 • Fedora Project Pastebin | | | | | | | | | | | #357156 • Fedora Project Pastebin Fedora Sticky Notes is a feature-rich, yet lightweight paste utility | | | | Job Cacka

3 14

Pass through auth using krbPrincipalName
by Gary Algier 29 Apr '16

29 Apr '16

Hello, Has anyone used pass through authentication to Kerberos with the principal coming from an attribute like krbPrincipalName? I have pass through auth working where the list of users (nsswitch) comes from the LDAP server and the authentication is using pam such as: /etc/pam.d/ldapserver: auth required pam_env.so auth sufficient pam_krb5.so auth required pam_deny.so account required pam_krb5.so session optional pam_keyinit.so revoke session required pam_limits.so -session optional pam_systemd.so session required pam_krb5.so The pass through plugin is configured to use the RDN where everyone's RDN is like "uid=xxx". This works fine, but that's because the uid is the same as the part before the realm in the principal. For example: My login is "gary". My Kerberos principal is "gary(a)EXAMPLE.COM". EXAMPLE.COM is configured as the default realm on the system. However, I have people who's login does not match their principal: User Bob Smith has a login "bsmith". His Kerberos principal is "robert.smith(a)EXAMPLE.COM". I want to use "bsmith" for all the Unix/Linux name lookups, but use " robert.smith(a)EXAMPLE.COM" for the authentication. The latter information is stored in the krbPrincipal attribute. I also want to be able to use a non-default realm: User: "betty" Principal: "betty.jones(a)OTHERREALM.COM" I can configure the krb5.conf file to know about these other realms and I can use kinit to test them so I know the Kerberos works. I tried to change the plugin to pass the principal, but a name like " gary(a)EXAMPLE.COM" fails when in the user lookup. I need one name for the user and another for the authentication. Another option would be if the user did not need to be found in the passwd data. I don't really need it for pass through auth anyway. Unfortunately, pam fails if the user can't be found. Any ideas? -- Gary Algier

1 0

29 Apr '16

Is it possible to restrict login only to to whom bound to a determinated group? I tried to use the following lines in sssd.conf but doesn't works: access_provider = ldap ldap_access_order = filter ldap_access_filter = (gidNumber=900) -- ------------------------------------------------------------- Enrico Morelli System Administrator | Programmer | Web Developer CERM - Polo Scientifico Via Sacconi, 6 - 50019 Sesto Fiorentino (FI) - ITALY phone: +39 055 457 4269 fax: +39 055 457 4927 -------------------------------------------------------------

4 8

ACI value selector?
by Simon Oscarsson 27 Apr '16

27 Apr '16

Hi, I wonder if there is an ACI statement that allows to filter the response on attribute values. OpenLDAP has something called ACI value selector (for example "attrs=memberof val.childern='ou=Dummy,dc=test,dc=org'" that will only return attribute values for 'memberof' having a value being part of the subtree 'ou=Dummy,dc=test,dc=org' and filter away other memberof values). There is an 'targattrfiltes' statement in 389 DS, but that only applies on 'add' or 'delete' operations (would like to have one for 'read') Thanks /Simon

4 4

Replication Delay
by shardulsk 27 Apr '16

27 Apr '16

We recently upgraded from Centos 5.4 389-ds Version 1.1.2 to Centos 6.7 389-ds version 1.2.11 389-console-1.1.7-1.el6.noarch 389-ds-base-1.2.11.15-48.el6_6.x86_64 389-ds-console-1.2.6-1.el6.noarch 389-ds-base-libs-1.2.11.15-48.el6_6.x86_64 389-admin-console-1.1.8-1.el6.noarch 389-adminutil-1.1.19-1.el6.x86_64 389-admin-1.1.35-1.el6.x86_64 The setup has a single master, hub and 5 replicas. For some reason we are experiencing replication delays of upto 40 secs between hub and replicas. This did not occur in the old setup. At the time access logs showed an average of 1000 MOD operations per minute. Some of our configured parameters: nsslapd-maxdescriptors: 16384 nsslapd-max-filter-nest-level: 40 nsslapd-timelimit: 7200 nsslapd-sizelimit: 10000000 nsslapd-reservedescriptors: 92 nsslapd-maxthreadsperconn: 10 nsslapd-threadnumber: 120 nsslapd-dbcachesize: 4000000000 nsslapd-cachememsize: 20000000000 The systems resources on the Hub (CPU/memory/disk) look fine, so it must be 389-ds resources either on the hub or the replicas that must be causing the delay. Where should I be looking? ~Shardul.

2 2

Erasing and rewriting 389
by Charlie Mordant 27 Apr '16

27 Apr '16

Hi Laposte experts (French national mailing delivery)! I'm trying some experiments some simple things on 389 ds. I've an existing 389 installation, with some users, groups and acls (on fedora 21), and I'm trying to uninstall, erase my existing ldap to reinstall it. So my script is: * remove-ds-admin.pl -a -f -y * service stop (dirsrv@myldap, dirsrv-admin) * yum uninstall 389-* * rm -rf /**dirsrv*/** * then reinstalling with my existing script. As it looks like a nice thing, it seems that there's a catch: my dc=tld,dc=dn subgroups are not created. Is there something somewhere that I should be aware to be able to remove everything? Best regards, Charlie -- Charlie Mordant Full OSGI/EE stack made with Karaf: https://github.com/OsgiliathEnterprise/net.osgiliath.parent

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

389-users April 2016