389-users October 2017

389-users@lists.fedoraproject.org

22 participants
25 discussions

Problem browsing LDAP with Outlook
by Chris Bryant 26 Aug '20

26 Aug '20

When configuring Microsoft Outlook (not Outlook Express) to access an LDAP directory, there is an option to 'Enable Browsing (requires server support)'. If this option is chosen and the directory server supports it, then you should be able to open the LDAP address book and page up and down through the results. I have been unable to get this working properly with 389 DS. When I try to browse from Outlook against the 389 DS directory, I am able to see the first page of results perfectly. However, if I move to the next page, only the first object returned will have any attributes included, and all of the rest of the objects in the page will have no attributes. I have a test perl script that duplicates this functionality as well. I can get this to work properly with an older version of Netscape Directory Server, and I can get it working with OpenDS. Since 389 DS advertises support for the controls that are required for this to work, just like the other two servers, then I would expect it to work there also. Has anyone out there gotten this to work with 389 DS? If so, can you share if there was anything special that you needed to do to get this to work? I'm trying to determine if this is a bug in the server, or if I'm just missing something in the configuration. Thanks, Chris USA.NET You Run Your Business. We'll Run Your Email. This message is for the sole use of the intended recipient(s) and may contain confidential and/or privileged information of USA.NET, Inc. Any unauthorized review, use, copying, disclosure, or distribution is prohibited. If you are not the intended recipient, please immediately contact the sender by reply email and delete all copies of the original message.

3 2

MemberOf group restrictions to a client system (server and client running CentOS 7)
by Janet Houser 06 Aug '20

06 Aug '20

Hi, I'm new to 389-ds and last week downloaded and installed the software. I have a running instance of the server, and I've added TLS/SSL. I've configured a CentOS 7 client to be able to query the server using TLS/SSL, and all appears working. I've created users and groups on the 389-ds server successfully. For each user and group, I've enabled posix attributes and my client can see the unix users and groups using the "getent password" or "getent group" commands. Now, here's where I'm getting tripped up.......... I need to limit which users have access to which systems. I've been trying to do this via memberOf group limitations. I found the following online resource (https://thornelabs.net/2013/01/28/aix-restrict-server-login-via-ldap-groups…) which is close enough to CentOS that the initial commands worked. I enabled the MemberOf plugin and changed the attributes per the link, and restarted the system. I created a test group (that I didn't enable a posix GID) and tried to add a single user via: Right click on group -- > click Properties --> then Members --> click Add --> Search for user --> click Add. When I try to go this route (which worked before enabling the memberOf plugin) it worked. Now it seems I get the error: "Cannot save to directory server. netscape.ldap.LDAPException: error resiult(65): Object class violation" And the messages file throws the error (/var/log/dirsrv/slapd-<instancename>/errors: "Entry "uid=test,ou=People,dc=int,dc=com" -- attribute "memberOf" not allowed [17/Feb/2016:11:22:58 -0700] memberof-plugin - memberof_postop_modify: failed to add dn (cn=testgroup,ou=Groups,dc=int,dc=com) to target. Error (65)" So it seems my server isn't quite using the memberOf plugin properly, but I'm not sure what else to enable. I'll have to solve this issue before I even try to filter login access via groups on my client system. I should mention that if I go under the advanced tab for one of the groups I created, I can add the the attribute "uniquemember", but I'm not sure what I should set the "value" to be. I've tried creating new users to see if I could set their "uniquemember" attributes, but no luck. It seems that I don't have the ability to set this attribute on individual users, only groups. This might not be the right road to head down when trying to restrict access to servers via groups, so I'm open to any suggestions. Any suggestions would be appreciated.

6 19

ldapsearch doesn't return the userpassword field
by Janet Houser 14 May '18

14 May '18

Hi, I've been looking through the archives for information, but I haven't stumbled on a solution to my problem. I'm running ds-389 (389-ds-base-1.3.4.0) on a centos 7 box (CentOS Linux release 7.2.1511). I have a centos OS client configured using SSL/TLS which queries the LDAP server. Per a previous thread, I configured the memeberOf plugin and all seems to be working properly. I have a php script that will run on the client and change the LDAP password for the user. The problem is, the script looks for the SSHA has of the password when an ldapsearch is issued. However, when I issue a general ldapsearch (anonymously) I don't get the userpassword field. I read in your archives that I might have to be the "directory manager" user in order to see the hashed password. I've been playing around with the ldapsearch syntax, but I can't quite get it right. Anyway, my question is, can I set a flag in 389-ds that will display the hashed userpassword? I think that will solve my problem with the php script returning an error that it can't retrieve the old password. Thanks,

5 12

CPU usage jump after a few minutes when using PBKDF2 hashing
by Marian Rainer-Harbach 02 Nov '17

02 Nov '17

Hi everyone, we are running a small 389 DS cluster on two RHEL 7.4 machines. The version installed is the most recent in the Red Hat repositories, 1.3.6.1-19.el7_4. 389 DS is used as user storage for the Keycloak single sign-on system. It contains about 150k person objects. To test the whole system, we are running load tests each night. These tests login 100 users per second in Keycloak for 15 minutes, which in turn authenticates the users against 389 DS. On our machines, this normally results in a very low CPU load by 389 DS, about 10-25%. Up to now we used SSHA512 as password hashing algorithm. We now would like to switch to PBKDF2: As a first test, we changed the password of the user that Keycloak uses to bind to 389 DS to PBKDF2 hashing. In this configuration, we encountered a problem: When running the load tests, the system behaves normally for the first few minutes. After this, 389 DS CPU usage suddenly jumps to almost 800% on one of the servers (the machines have 8 CPUs) and authentications become very slow. This continues for the remaining runtime of the load test. When running the test again, 389 DS again behaves normally for the first few minutes, then CPU usage jumps to 800%. When changing the password hash back to SSHA512, everything is fine again. To me this looks like a bug in 389 DS. Please let me know what information to provide so you can investigate. Thanks, Marian

2 7

Re: repl-monitor
by Sergei Gerasenko 30 Oct '17

30 Oct '17

Hi Mark, >> The replication is working. I wrote a script that makes a change on each member of the topology and verifies that it got to all the other members. So, it appears that all is good. > > Yup, the monitor output looks good Cool! > Okay, so FreeIPA uses fractional replication and stripped attributes. In a freeipa deployment not all updates are replicated, and this is probably why the maxcsn's tend to drift (until you do an update that is replicated). For example, in FreeIPA each kerberos login updates the database (and its RUV), but these updates not replicated via the fractional replication configuration - so the agmt maxcsn will not be incremented for such operations. > Anyway it all looks correct to me. That’s VERY useful information. Thanks a ton. What are other examples of the events that could increment the local RUV? I think I found a small bug in the repl-monitor script, which however doesn’t affect its operation (miraculously). Is there a place to submit a patch for that? Thanks again, Sergei

2 7

Re: repl-monitor
by Sergei Gerasenko 30 Oct '17

30 Oct '17

After looking at the code for a couple of days, I finally see how the difference is calculated: Delta = Max Consumer CSN - Max Agreement CSN Thus, instead of the max CSN of the RUV, the agreement's maxcsn is used? My question now is: what’s the difference between the maxcsn of the agreement and the maxcsn in the RUV? Thanks! Sergei > On Oct 29, 2017, at 10:36 AM, Sergei Gerasenko <gerases(a)gmail.com> wrote: > > Hi, > > I’m using the repl-monitor script and I’m not sure the output I’m getting is right. If you look at the attached image, you will see that the supplier replica (122) is at "10/28/2017 23:37:06”. The supplier column correctly lists the supplier. But the Supplier Max CSN column doesn’t use the max CSN in the master header (10/28/2017 23:37:06). Instead it uses the Max CSN of the supplier local to the consumer? > > According to the screenshot, the lag is 0 secs. But the lag is actually 10/28/2017 23:37:06 minus 10/27/2017 21:54:14? > > Thanks, > Sergei > > <Screen Shot 2017-10-29 at 10.26.42 AM.png>

2 3

Re: Recovering a Hub
by Paul Whitney 25 Oct '17

25 Oct '17

I took your advice and looked up the versions of 389-ds-base. On the servers we are having problems with, they are running version 1.3.6.1-19 and the servers replicating to them are running an older version of 389-ds-base: 1.3.5.10-21. Would this cause the service to go awry if they are not all on the same version? Paul M. Whitney E-mail: paul.whitney(a)mac.com Sent from my browser. On Oct 19, 2017, at 12:45 PM, Marc Sauton <msauton(a)redhat.com> wrote: Those 2 methods should work fine, and are the right way to proceed, but you may need to review the exact errors on why the re-init and import failed. Also check for the 389-ds-base versions on each node. M. On Thu, Oct 19, 2017 at 10:03 AM, Paul Whitney <paul.whitney(a)mac.com> wrote: Hi, not sure what happened to our DS server, but I need to clone the userRoot and groupRoot database from a working server to this one bad one. What is the preferred/recommended method for this: I tried simple reinit, that failed. I tried export/import from LDIF file and that failed. Will db2bak then bak2db work? Thanks, Paul M. Whitney E-mail: paul.whitney(a)mac.com Sent from my browser. _______________________________________________ 389-users mailing list -- 389-users(a)lists.fedoraproject.org To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org _______________________________________________ 389-users mailing list -- 389-users(a)lists.fedoraproject.org To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org

2 3

Using .ldif to add user to a group
by Janet Houser 25 Oct '17

25 Oct '17

Hi Folks, I have DS-389 (vs 1.3.5.10) running on a CentOS 7 VM. I've been able to add a user via the command line using the user.ldif file with the contents: # jdoe, People dn: uid=jdoe,ou=People,dc=example,dc=com mail: jdoe(a)example.com uid: jdoe givenName: John objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetorgperson objectClass: posixAccount objectClass: inetuser sn: Doe cn: John Doe uidNumber: 52001 gidNumber: 52001 homeDirectory: /home/jdoe loginShell: /bin/bash gecos: jdoe userPassword: I_Hate_Han_Solo using the command: ldapadd -x -D "cn=admin" -W -f user.ldif However, I've had no luck add this user to an existing group (e.g. chewy). Does anyone have an example ldif file the works for adding a new user entry to an existing group? Thanks,

2 2

1.3.6 dirsrv crash: ERR - valueset_value_syntax_cmp - slapi_attr_values2keys_sv failed for type lastUpdated
by tdarby＠email.arizona.edu 21 Oct '17

21 Oct '17

OS: CentOS Linux release 7.4.1708 (Core) dirsrv: 1.3.6.1 B2017.249.1616 I've had two of these running in multi-master replication for a week now with no issues, but last night they both crashed at the same time and there were a lot of these just before they died: [06/Oct/2017:22:30:41.990009449 -0700] - ERR - valueset_value_syntax_cmp - slapi_attr_values2keys_sv failed for type lastUpdated [06/Oct/2017:22:30:41.991965822 -0700] - ERR - valueset_value_syntax_cmp - slapi_attr_values2keys_sv failed for type lastUpdated [06/Oct/2017:22:30:41.993908534 -0700] - ERR - valueset_value_syntax_cmp - slapi_attr_values2keys_sv failed for type lastUpdated When I try to start either server now, I get the usual recovery messages and then a bunch of these errors and a crash. I've checked as many things as I can think of, including dse.ldif, which is fine. Unrelated probably, but annoying, my error logs are also filling up with lots of these: [06/Oct/2017:21:51:16.987020789 -0700] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://ldap2.arizona.edu:389/dc%3Deds%2Cdc%3Darizona%2Cdc%3Dedu) failed.

4 18

Recovering a Hub
by Paul Whitney 19 Oct '17

19 Oct '17

Hi, not sure what happened to our DS server, but I need to clone the userRoot and groupRoot database from a working server to this one bad one. What is the preferred/recommended method for this: I tried simple reinit, that failed. I tried export/import from LDIF file and that failed. Will db2bak then bak2db work? Thanks, Paul M. Whitney E-mail: paul.whitney(a)mac.com Sent from my browser.

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

389-users October 2017