Problem browsing LDAP with Outlook
by Chris Bryant
When configuring Microsoft Outlook (not Outlook Express) to access an LDAP directory, there is an option to 'Enable Browsing (requires server support)'. If this option is chosen and the directory server supports it, then you should be able to open the LDAP address book and page up and down through the results. I have been unable to get this working properly with 389 DS.
When I try to browse from Outlook against the 389 DS directory, I am able to see the first page of results perfectly. However, if I move to the next page, only the first object returned will have any attributes included, and all of the rest of the objects in the page will have no attributes. I have a test perl script that duplicates this functionality as well.
I can get this to work properly with an older version of Netscape Directory Server, and I can get it working with OpenDS. Since 389 DS advertises support for the controls that are required for this to work, just like the other two servers, then I would expect it to work there also.
Has anyone out there gotten this to work with 389 DS? If so, can you share if there was anything special that you needed to do to get this to work? I'm trying to determine if this is a bug in the server, or if I'm just missing something in the configuration.
Thanks,
Chris
USA.NET
You Run Your Business. We'll Run Your Email.
This message is for the sole use of the intended recipient(s) and may contain confidential and/or privileged information of USA.NET, Inc. Any unauthorized review, use, copying, disclosure, or distribution is prohibited. If you are not the intended recipient, please immediately contact the sender by reply email and delete all copies of the original message.
3 years, 3 months
MemberOf group restrictions to a client system (server and client running CentOS 7)
by Janet Houser
Hi,
I'm new to 389-ds and last week downloaded and installed the software.
I have a running instance of the server, and I've added TLS/SSL. I've configured a CentOS 7 client to be able to query
the server using TLS/SSL, and all appears working.
I've created users and groups on the 389-ds server successfully. For each user and group, I've enabled posix attributes and my client
can see the unix users and groups using the "getent password" or "getent group" commands.
Now, here's where I'm getting tripped up..........
I need to limit which users have access to which systems. I've been trying to do this via memberOf group limitations.
I found the following online resource (https://thornelabs.net/2013/01/28/aix-restrict-server-login-via-ldap-grou...)
which is close enough to CentOS that the initial commands worked.
I enabled the MemberOf plugin and changed the attributes per the link, and restarted the system.
I created a test group (that I didn't enable a posix GID) and tried to add a single user via:
Right click on group -- > click Properties --> then Members --> click Add --> Search for user --> click Add.
When I try to go this route (which worked before enabling the memberOf plugin) it worked. Now it seems I get the error:
"Cannot save to directory server.
netscape.ldap.LDAPException: error resiult(65): Object class violation"
And the messages file throws the error (/var/log/dirsrv/slapd-<instancename>/errors:
"Entry "uid=test,ou=People,dc=int,dc=com" -- attribute "memberOf" not allowed
[17/Feb/2016:11:22:58 -0700] memberof-plugin - memberof_postop_modify: failed to add dn (cn=testgroup,ou=Groups,dc=int,dc=com) to target. Error (65)"
So it seems my server isn't quite using the memberOf plugin properly, but I'm not sure what else to enable. I'll have to solve this issue before
I even try to filter login access via groups on my client system.
I should mention that if I go under the advanced tab for one of the groups I created, I can add the the attribute "uniquemember", but I'm not sure what I
should set the "value" to be.
I've tried creating new users to see if I could set their "uniquemember" attributes, but no luck. It seems that I don't have the ability to set this attribute
on individual users, only groups.
This might not be the right road to head down when trying to restrict access to servers via groups, so I'm open to any suggestions.
Any suggestions would be appreciated.
3 years, 4 months
ldapsearch doesn't return the userpassword field
by Janet Houser
Hi,
I've been looking through the archives for information, but I haven't stumbled on a solution to my problem.
I'm running ds-389 (389-ds-base-1.3.4.0) on a centos 7 box (CentOS Linux release 7.2.1511). I have a centos OS client configured using SSL/TLS
which queries the LDAP server. Per a previous thread, I configured the memeberOf plugin and all seems to be working properly.
I have a php script that will run on the client and change the LDAP password for the user. The problem is, the script looks for the SSHA has
of the password when an ldapsearch is issued.
However, when I issue a general ldapsearch (anonymously) I don't get the userpassword field. I read in your archives that I might have
to be the "directory manager" user in order to see the hashed password. I've been playing around with the ldapsearch syntax, but I can't
quite get it right.
Anyway, my question is, can I set a flag in 389-ds that will display the hashed userpassword? I think that will solve my problem with the php script returning an error that it can't retrieve the old password.
Thanks,
5 years, 6 months
export / import ldif with userpassword
by Giuseppe Sarno
Hello,
Is there a way to export users including the userPassword hashed and then reimporting again ?
I tried but I keep getting the following:
#!RESULT ERROR
#!CONNECTION ldap://localhost:389
#!DATE 2016-06-30T16:07:09.508
#!ERROR [LDAP: error code 19 - pre-hashed passwords are not valid ]
Thanks,
Giuseppe.
7 years, 5 months
How to change nsaccountlock using ldif file?
by kashefi@arissystem.com
I am able to change nsaccountlock value using 389ds client software by right clicking on users and selecting active or inactive. but I need to change nsaccountlock value using an ldif file. The content of the file is :
dn: uid=user001,ou=People,dc=test,dc=test2,dc=local
changetype: modify
replace: nsaccountlock
nsaccountlock: false
but unfortunately the value doesn't change. the ldapmodify command returns no error and there is no error in logs either.
I appreciate any help on this subject.
7 years, 5 months
How can I restrict bind operation based on attributes?
by kashefi@arissystem.com
I have three applications that use my ldap installation to authenticate users with Bind operation. I need to restrict each app so it only be able to bind it's own users. my idea was to create a multi-value attribute for each user named "App" which has the name of the application that the user is allowed use (For instance: mail, portal and office). I'm looking for a way to restrict each application from binding users who do not have that application in their "App" attribute. for example portal application must only be able to bind users which have the attribute "App=portal". I was unable to do such thing using ACI.
Is it possible to implement such restriction?
7 years, 5 months
problem running setup ds admin "Error: Could not create directory server instance"
by martin.michalsky@jalasoft.com
Hi, I am trying to deploy 389ds but I have an error running setup-ds-admin, after select the typical setup and provide the required data, the isntaller ends with the following error:
The interactive phase is complete. The script will now set up your
servers. Enter No or go Back if you want to change something.
Are you ready to set up your servers? [yes]: y
Creating directory server . . .
Hostname 'ds389.limbo.local' is valid, but none of the IP addresses
resolve back to ds389.limbo.local
- address 10.30.33.10 resolves to host ds389.jalacloud.local
Error: Could not create directory server instance 'ds389'.
Exiting . . .
Log file is '/tmp/setupyR6ywt.log'
where ds389 is the hostname, and limbo.local the domain
I googled for any references without luck, the only references was 6 ago, I tried in a fresh installed centos 7.1 server, any clue about this?
7 years, 5 months
Is it possible to bind using nsview as part of DN?
by kashefi@arissystem.com
In a normal setup environment I have created an organizationUnit named View, which is an nsView object. using nsViewFilter, I have several users in this organizationUnit. I can bind to these users with their actual DN with no problem :
uid=a.agh,ou=People,dc=test,dc=iic,dc=local
but when I specify DN using the view, it says "ldap_bind: No such object (32)".
uid=a.agh,ou=View,dc=test,dc=iic,dc=local
I was wondering is it possible to authenticate(Bind) using a DN using a view . and if it is possible, how can it be done.
7 years, 5 months
Managing user password policy problem
by xinhuan zheng
Hi All,
I am having difficulty to make managing user password policy working. I want to use local per-user based password policy. Here is the configuration I use:
containter configuration -
dn: cn=nsPwPolicyContainer,ou=people,dc=christianbook,dc=com
objectClass: top
objectClass: nsContainer
cn: nsPwPolicyContainer
entry configuration -
dn: cn=userPasswordPolicy,cn=nsPwPolicyContainer,ou=people,dc=christianbook,dc=com
cn: userPasswordPolicy
objectclass: top
objectclass: extensibleObject
objectclass: ldapsubentry
objectclass: passwordpolicy
passwordGraceLimit: 3
passwordMustChange: on
passwordChange: on
passwordExp: on
passwordMaxAge: 2
passwordHistory: on
passwordCheckSyntax: on
nsslapd-pwpolicy-local -
dn: cn=config
changetype: modify
replace: nsslapd-pwpolicy-local
nsslapd-pwpolicy-local: on
per-user password policy configuration -
dn: uid=xinhuan,ou=people,dc=christianbook,dc=com
changetype: modify
add: pwdpolicysubentry
pwdpolicysubentry: cn=userPasswordPolicy,cn=nsPwPolicyContainer,ou=people,dc=christianbook,dc=com
However, when I did my userpassword reset using ldapmodify command, I am able to login from the remote client that authenticates with my 389 directory server, without prompting to change my password the first time I login, which is against the 'passwordMustChange' policy.
The second thing is that I tried to expire my password so I can test 'passwordExp'. However, when I did 'passwd -e xinhuan' on LDAP client, I got error:
Expiring password for user xinhuan.
passwd: Error
What's going on?
Thanks,
- xinhuan
7 years, 5 months
