Problem browsing LDAP with Outlook
by Chris Bryant
When configuring Microsoft Outlook (not Outlook Express) to access an LDAP directory, there is an option to 'Enable Browsing (requires server support)'. If this option is chosen and the directory server supports it, then you should be able to open the LDAP address book and page up and down through the results. I have been unable to get this working properly with 389 DS.
When I try to browse from Outlook against the 389 DS directory, I am able to see the first page of results perfectly. However, if I move to the next page, only the first object returned will have any attributes included, and all of the rest of the objects in the page will have no attributes. I have a test perl script that duplicates this functionality as well.
I can get this to work properly with an older version of Netscape Directory Server, and I can get it working with OpenDS. Since 389 DS advertises support for the controls that are required for this to work, just like the other two servers, then I would expect it to work there also.
Has anyone out there gotten this to work with 389 DS? If so, can you share if there was anything special that you needed to do to get this to work? I'm trying to determine if this is a bug in the server, or if I'm just missing something in the configuration.
Thanks,
Chris
USA.NET
You Run Your Business. We'll Run Your Email.
This message is for the sole use of the intended recipient(s) and may contain confidential and/or privileged information of USA.NET, Inc. Any unauthorized review, use, copying, disclosure, or distribution is prohibited. If you are not the intended recipient, please immediately contact the sender by reply email and delete all copies of the original message.
3 years, 1 month
MemberOf group restrictions to a client system (server and client running CentOS 7)
by Janet Houser
Hi,
I'm new to 389-ds and last week downloaded and installed the software.
I have a running instance of the server, and I've added TLS/SSL. I've configured a CentOS 7 client to be able to query
the server using TLS/SSL, and all appears working.
I've created users and groups on the 389-ds server successfully. For each user and group, I've enabled posix attributes and my client
can see the unix users and groups using the "getent password" or "getent group" commands.
Now, here's where I'm getting tripped up..........
I need to limit which users have access to which systems. I've been trying to do this via memberOf group limitations.
I found the following online resource (https://thornelabs.net/2013/01/28/aix-restrict-server-login-via-ldap-grou...)
which is close enough to CentOS that the initial commands worked.
I enabled the MemberOf plugin and changed the attributes per the link, and restarted the system.
I created a test group (that I didn't enable a posix GID) and tried to add a single user via:
Right click on group -- > click Properties --> then Members --> click Add --> Search for user --> click Add.
When I try to go this route (which worked before enabling the memberOf plugin) it worked. Now it seems I get the error:
"Cannot save to directory server.
netscape.ldap.LDAPException: error resiult(65): Object class violation"
And the messages file throws the error (/var/log/dirsrv/slapd-<instancename>/errors:
"Entry "uid=test,ou=People,dc=int,dc=com" -- attribute "memberOf" not allowed
[17/Feb/2016:11:22:58 -0700] memberof-plugin - memberof_postop_modify: failed to add dn (cn=testgroup,ou=Groups,dc=int,dc=com) to target. Error (65)"
So it seems my server isn't quite using the memberOf plugin properly, but I'm not sure what else to enable. I'll have to solve this issue before
I even try to filter login access via groups on my client system.
I should mention that if I go under the advanced tab for one of the groups I created, I can add the the attribute "uniquemember", but I'm not sure what I
should set the "value" to be.
I've tried creating new users to see if I could set their "uniquemember" attributes, but no luck. It seems that I don't have the ability to set this attribute
on individual users, only groups.
This might not be the right road to head down when trying to restrict access to servers via groups, so I'm open to any suggestions.
Any suggestions would be appreciated.
3 years, 1 month
ldapsearch doesn't return the userpassword field
by Janet Houser
Hi,
I've been looking through the archives for information, but I haven't stumbled on a solution to my problem.
I'm running ds-389 (389-ds-base-1.3.4.0) on a centos 7 box (CentOS Linux release 7.2.1511). I have a centos OS client configured using SSL/TLS
which queries the LDAP server. Per a previous thread, I configured the memeberOf plugin and all seems to be working properly.
I have a php script that will run on the client and change the LDAP password for the user. The problem is, the script looks for the SSHA has
of the password when an ldapsearch is issued.
However, when I issue a general ldapsearch (anonymously) I don't get the userpassword field. I read in your archives that I might have
to be the "directory manager" user in order to see the hashed password. I've been playing around with the ldapsearch syntax, but I can't
quite get it right.
Anyway, my question is, can I set a flag in 389-ds that will display the hashed userpassword? I think that will solve my problem with the php script returning an error that it can't retrieve the old password.
Thanks,
5 years, 4 months
Re: monitoring
by Sergei Gerasenko
> What is an "error" in your data?
The “error” graph graphs the “errors” attribute from cn=snmp,cn=monitor. I don’t know what conditions actually increment that value.
5 years, 8 months
rest389
by carne_de_passaro
Hello guys,
how can I install and test the rest389 on my 389ds servers?
Is there any rpm package? Or how can I build, and with what version of
389ds is it compatible?
Thanks.
Danilo
5 years, 8 months
AIX 7.1, anyone?
by Jeffrey Westgate
Has anyone successfully used 389 as the DS for IBM AIX 7.x servers? If so, would you be willing to email me directly and explain what you did to make it work?
--
Jeff
5 years, 9 months
389 PassSync 1.1.7 and WIndows Server 2012R2
by Geoff Hardin
We are implementing PassSync 1.1.7 in a Windows Server 2012R2 domain and I am not seeing any indication the passsync.log file that passwords are being sent to the 389 DS. I have confirmed that the PassSync service starts without an error on the two Active Directory domain controllers, and the OU structure and user accounts have synced between Windows and 389. At this point, it just not sending password changes to the 389 DS. I was wondering if there was documentation that described any required security settings within the Windows domain? I am afraid that we have enabled some security setting in a GPO.
Geoff Hardin
geoff.hardin(a)raytheon.com
5 years, 9 months
BER Size
by Sergei Gerasenko
Hi,
I just discovered that I have a mismatch of BER sizes (nsslapd-maxbersize) between some of my masters. On the masters that we consider the authorative ones, the BER size is (cough, cough) 209M while in the rest of the environment is the default 2M. I do see occasional errors on the 2M masters complaining and suggesting to increase the BER size. A couple of questions:
1. If the BER size of the supplier exceeds that of the consumer, will it be automatically split into smaller chunks or will the update just fail without any retries?
2. Should I match the BER size accross the environment? I think it’s obvious, but still asking just in case.
Thanks!
Sergei
5 years, 9 months
[ATTENTION]: New command line tools
by William Brown
Hi all,
Since today is the day for announcements from the project ... we have
new command line tools! These will be shipped in F28, and our perl
tools will be removed in F29.
We have been hard at work on new cli tools for the project to replace
our perl scripts. Our tools are all based on the lib389 python
framework. We have three tools that we will ship:
dsctl
dsconf
dsidm
Each tool has a different responsibility.
-----
dsctl
-----
This tool will administer all local aspects of a system. It will
generally require root/dirsrv permissions. It's used for
starting/stopping the server, running local tasks like db2index,
db2ldif, ldif2db and others.
------
dsconf
------
This tool administers an "online" instance. It's the tool that needs
cn=Directory Manager permissions, so it's focused on cn=config and
changes. Examples are configuring plugins, creating backends, adding
indexes, and checks for server configuration sanity.
-----
dsidm
-----
This tool manages the content of a backend - and can even be used for
self service. This will populate sample data into a backend, it can
manage users, groups, ous, and more. Power users could even use it to
self enroll ssh keys or change their details in some organisations.
Each tool will come with extensive help options, and as we get closer,
we'll write more to help explain the new tools.
If you are interested in using these tools or contributing, please
contact us for more information,
Thanks!
--
Sincerely,
William Brown
Software Engineer
Red Hat, Australia/Brisbane
5 years, 9 months
