August 2016 - 389-users - Fedora Mailing-Lists

by Chris Bryant

When configuring Microsoft Outlook (not Outlook Express) to access an LDAP directory, there is an option to 'Enable Browsing (requires server support)'. If this option is chosen and the directory server supports it, then you should be able to open the LDAP address book and page up and down through the results. I have been unable to get this working properly with 389 DS. When I try to browse from Outlook against the 389 DS directory, I am able to see the first page of results perfectly. However, if I move to the next page, only the first object returned will have any attributes included, and all of the rest of the objects in the page will have no attributes. I have a test perl script that duplicates this functionality as well. I can get this to work properly with an older version of Netscape Directory Server, and I can get it working with OpenDS. Since 389 DS advertises support for the controls that are required for this to work, just like the other two servers, then I would expect it to work there also. Has anyone out there gotten this to work with 389 DS? If so, can you share if there was anything special that you needed to do to get this to work? I'm trying to determine if this is a bug in the server, or if I'm just missing something in the configuration. Thanks, Chris USA.NET You Run Your Business. We'll Run Your Email. This message is for the sole use of the intended recipient(s) and may contain confidential and/or privileged information of USA.NET, Inc. Any unauthorized review, use, copying, disclosure, or distribution is prohibited. If you are not the intended recipient, please immediately contact the sender by reply email and delete all copies of the original message.

3 years, 3 months

3
2
0 / 0

MemberOf group restrictions to a client system (server and client running CentOS 7)

by Janet Houser

Hi, I'm new to 389-ds and last week downloaded and installed the software. I have a running instance of the server, and I've added TLS/SSL. I've configured a CentOS 7 client to be able to query the server using TLS/SSL, and all appears working. I've created users and groups on the 389-ds server successfully. For each user and group, I've enabled posix attributes and my client can see the unix users and groups using the "getent password" or "getent group" commands. Now, here's where I'm getting tripped up.......... I need to limit which users have access to which systems. I've been trying to do this via memberOf group limitations. I found the following online resource (https://thornelabs.net/2013/01/28/aix-restrict-server-login-via-ldap-grou...) which is close enough to CentOS that the initial commands worked. I enabled the MemberOf plugin and changed the attributes per the link, and restarted the system. I created a test group (that I didn't enable a posix GID) and tried to add a single user via: Right click on group -- > click Properties --> then Members --> click Add --> Search for user --> click Add. When I try to go this route (which worked before enabling the memberOf plugin) it worked. Now it seems I get the error: "Cannot save to directory server. netscape.ldap.LDAPException: error resiult(65): Object class violation" And the messages file throws the error (/var/log/dirsrv/slapd-<instancename>/errors: "Entry "uid=test,ou=People,dc=int,dc=com" -- attribute "memberOf" not allowed [17/Feb/2016:11:22:58 -0700] memberof-plugin - memberof_postop_modify: failed to add dn (cn=testgroup,ou=Groups,dc=int,dc=com) to target. Error (65)" So it seems my server isn't quite using the memberOf plugin properly, but I'm not sure what else to enable. I'll have to solve this issue before I even try to filter login access via groups on my client system. I should mention that if I go under the advanced tab for one of the groups I created, I can add the the attribute "uniquemember", but I'm not sure what I should set the "value" to be. I've tried creating new users to see if I could set their "uniquemember" attributes, but no luck. It seems that I don't have the ability to set this attribute on individual users, only groups. This might not be the right road to head down when trying to restrict access to servers via groups, so I'm open to any suggestions. Any suggestions would be appreciated.

3 years, 4 months

6
19
0 / 0

ldapsearch doesn't return the userpassword field

by Janet Houser

Hi, I've been looking through the archives for information, but I haven't stumbled on a solution to my problem. I'm running ds-389 (389-ds-base-1.3.4.0) on a centos 7 box (CentOS Linux release 7.2.1511). I have a centos OS client configured using SSL/TLS which queries the LDAP server. Per a previous thread, I configured the memeberOf plugin and all seems to be working properly. I have a php script that will run on the client and change the LDAP password for the user. The problem is, the script looks for the SSHA has of the password when an ldapsearch is issued. However, when I issue a general ldapsearch (anonymously) I don't get the userpassword field. I read in your archives that I might have to be the "directory manager" user in order to see the hashed password. I've been playing around with the ldapsearch syntax, but I can't quite get it right. Anyway, my question is, can I set a flag in 389-ds that will display the hashed userpassword? I think that will solve my problem with the php script returning an error that it can't retrieve the old password. Thanks,

5 years, 6 months

5
12
0 / 0

Strange behaviour password sync , windows 2012 r2

by Juan Carlos Camargo

Hi, 389ds'ers, I have two 2012 r2 domain controllers with passsync 1.6 x64 installed. They're both targeting 389-ds-base-1.3.4.9-1.fc22.x86_64 . They're working flawlessly. I dont know if it's been a software update or a change in the domain settings. Thing is today, one of the controllers has stopped sync'ing. Whenever I change one password in that controller, the following message is logged in passsync.log: 08/29/16 11:30:07: Password list has 1 entries 08/29/16 11:30:07: Attempting to sync password for juankar 08/29/16 11:30:07: Searching for (ntuserdomainid=juankar) 08/29/16 11:30:07: Checking password failed for remote entry: uid=juankar,ou=xxx.... 08/29/16 11:30:07: Deferring password change for juankar and in the server access log I get ldap bind err=53 when the passsync user tries to check the password: [29/Aug/2016:11:30:07 +0200] conn=276 fd=67 slot=67 SSL connection from xxxx [29/Aug/2016:11:30:07 +0200] conn=276 TLS1.2 128-bit AES [29/Aug/2016:11:30:07 +0200] conn=276 op=0 BIND dn="uid=juankar,ou=xxx...." method=128 version=3 [29/Aug/2016:11:30:07 +0200] conn=276 op=0 RESULT err=53 tag=97 nentries=0 etime=0 [29/Aug/2016:11:30:07 +0200] conn=276 op=1 UNBIND [29/Aug/2016:11:30:07 +0200] conn=276 op=1 fd=67 closed - U1 [29/Aug/2016:11:30:07 +0200] conn=275 op=2 UNBIND Any hints? Could be a problem with certificates? They're both using the same CA (windows CA Cert serv is installed in one of the DCs) Regards!

7 years, 2 months

3
5
0 / 0

user changing pass crashes 389ds

by Frank Rosquin

Hi, I am writing a simple app to let users change their own ldap password in go, using gopkg.in/ldap.v2 binding and searching works great. But when I try to change a password as a user, 389ds just crashes. This happens on both 389-Directory/1.3.2.16 B2014.098.2147 on Ubuntu 14.04 and 389-Directory/1.2.11.15 B2016.132.835 on CentOS 6. The only things I can see is the error log stating: [21/Aug/2016:12:12:44 +0000] - 389-Directory/1.3.2.16 B2014.098.2147 starting up [21/Aug/2016:12:12:44 +0000] - Detected Disorderly Shutdown last time Directory Server was running, recovering database. [21/Aug/2016:12:12:45 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests [21/Aug/2016:12:12:45 +0000] - Listening on All Interfaces port 636 for LDAPS requests Frank

7 years, 3 months

4
9
0 / 0

Upgrading to TLSv1.2.. any caveats?

by vladimir Safoo

I am looking into upgrading TLS to v1.2, This bi-directionally syncs with Active Directory and I am wondering if there are any caveats to following this article: http://directory.fedoraproject.org/docs/389ds/howto/howto-disable-sslv3.html for the 389ds side Do i need to install a TLSv1.2 package onto my servers first? ~# openssl ciphers -s -tls1_2 Error in cipher list 140350244230984:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1314: ~# I am assuming that I do not have the supported ciphers. # rpm -qa 389* 389-ds-console-1.2.6-1.el6.noarch 389-ds-1.2.2-1.el6.noarch 389-ds-base-libs-1.2.11.15-48.el6_6.x86_64 389-dsgw-1.1.11-1.el6.x86_64 389-admin-console-1.1.8-1.el6.noarch 389-ds-console-doc-1.2.6-1.el6.noarch 389-console-1.1.7-1.el6.noarch 389-admin-1.1.35-1.el6.x86_64 389-admin-console-doc-1.1.8-1.el6.noarch 389-adminutil-1.1.19-1.el6.x86_64 389-ds-base-1.2.11.15-48.el6_6.x86_64 Thank you in advance for your time!

7 years, 3 months

2
1
0 / 0

389-ds-base upgrade

by xinhuan zheng

Hello, I received the announcement on Friday about 389-ds-base upgrade. below is the short excerpt from the email: --- 389 Directory Server 1.3.5.13 The 389 Directory Server team is proud to announce 389-ds-base version 1.3.5.13. Fedora packages are available from the Fedora 24, 25 and Rawhide repositories. The new packages and versions are: 389-ds-base-1.3.5.13-1 --- However, since I am using Cent OS 6, I don't see the latest package available in epel. I tried to do 'yum upgrade 389-ds-base' but I just get the same version as my previous installation, not the newer version. What is the good way to upgrade on Cent OS 6? Thank you, - xinhuan

7 years, 3 months

2
1
0 / 0

Incoming BER Element was 3 bytes, max allowable is 2097152 bytes

by Frank Rosquin

Hi, when I try to link the rancher.com to my 389ds for authentication, I get the following log entry: [20/Aug/2016:14:42:02 +0000] connection - conn=160 fd=64 Incoming BER Element was 3 bytes, max allowable is 2097152 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase. whatever I set nsslapd-maxbersize to, I always get that log entry. I am using 389-Directory/1.3.2.16 B2014.098.2147 on Ubuntu 14.04 Thanks Frank

7 years, 3 months

2
1
0 / 0

How to configure MMR using command line interface only?

by eSupport eSupport

Hi, everyone! I have question regarding article "Walk Through of MMR TLS/SSL Setup" ( http://directory.fedoraproject.org/docs/389ds/howto/howto-walkthroughmult... ) All actions comes in command line until section Set Up Multi-Master Replication. In this section all action comes in GUI. Why? Is this not a possible configure MMR using command line only?

7 years, 3 months

2
1
0 / 0

Password expiration - few questions

by Todor Petkov

Hello, we are about to implement password expiration and I have the following questions: 1) All my users are in ou=People,dc=domain,dc=com. Let's say, on 1.10.2016 via the GUI I will force password expiration on this OU. If the expiration is set to 90 days, will the password expire on 1.1.2017 or it gets the last set date? 2) I have several service accounts in the OU, and I need to set non-expire for their password, I see in the GUI it can be done per user, is this correct? 3) Is there some script, which checks the password expiration date and send the user warning via email? Thanks in advance

7 years, 3 months

1
0
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

389-users August 2016