I'm new to 389-ds and last week downloaded and installed the software.
I have a running instance of the server, and I've added TLS/SSL. I've configured a CentOS 7 client to be able to query
the server using TLS/SSL, and all appears working.
I've created users and groups on the 389-ds server successfully. For each user and group, I've enabled posix attributes and my client
can see the unix users and groups using the "getent password" or "getent group" commands.
Now, here's where I'm getting tripped up..........
I need to limit which users have access to which systems. I've been trying to do this via memberOf group limitations.
I found the following online resource (https://thornelabs.net/2013/01/28/aix-restrict-server-login-via-ldap-grou...)
which is close enough to CentOS that the initial commands worked.
I enabled the MemberOf plugin and changed the attributes per the link, and restarted the system.
I created a test group (that I didn't enable a posix GID) and tried to add a single user via:
Right click on group -- > click Properties --> then Members --> click Add --> Search for user --> click Add.
When I try to go this route (which worked before enabling the memberOf plugin) it worked. Now it seems I get the error:
"Cannot save to directory server.
netscape.ldap.LDAPException: error resiult(65): Object class violation"
And the messages file throws the error (/var/log/dirsrv/slapd-<instancename>/errors:
"Entry "uid=test,ou=People,dc=int,dc=com" -- attribute "memberOf" not allowed
[17/Feb/2016:11:22:58 -0700] memberof-plugin - memberof_postop_modify: failed to add dn (cn=testgroup,ou=Groups,dc=int,dc=com) to target. Error (65)"
So it seems my server isn't quite using the memberOf plugin properly, but I'm not sure what else to enable. I'll have to solve this issue before
I even try to filter login access via groups on my client system.
I should mention that if I go under the advanced tab for one of the groups I created, I can add the the attribute "uniquemember", but I'm not sure what I
should set the "value" to be.
I've tried creating new users to see if I could set their "uniquemember" attributes, but no luck. It seems that I don't have the ability to set this attribute
on individual users, only groups.
This might not be the right road to head down when trying to restrict access to servers via groups, so I'm open to any suggestions.
Any suggestions would be appreciated.
I've been looking through the archives for information, but I haven't stumbled on a solution to my problem.
I'm running ds-389 (389-ds-base-184.108.40.206) on a centos 7 box (CentOS Linux release 7.2.1511). I have a centos OS client configured using SSL/TLS
which queries the LDAP server. Per a previous thread, I configured the memeberOf plugin and all seems to be working properly.
I have a php script that will run on the client and change the LDAP password for the user. The problem is, the script looks for the SSHA has
of the password when an ldapsearch is issued.
However, when I issue a general ldapsearch (anonymously) I don't get the userpassword field. I read in your archives that I might have
to be the "directory manager" user in order to see the hashed password. I've been playing around with the ldapsearch syntax, but I can't
quite get it right.
Anyway, my question is, can I set a flag in 389-ds that will display the hashed userpassword? I think that will solve my problem with the php script returning an error that it can't retrieve the old password.
I'm looking to query ldap to get all uid's that have lastlogintime>90
days. I'm able to get lastlogintime using the command below. What is the
the syntax to get it to search all users with lastlogintime>90 days?
# ldapsearch -xLLL uid=testuser "(objectclass=*)" lastlogintime
I'm running 389 ds-1.2.2 on CentOS 6.
I have been trying to add a schema to 389-ds based on this blog article
The article was based around generic openldap, I used it only as a general guide.
The schema listed in the article called postfix-book scheme <http://www.postfix-buch.com/downloads.php>. is what I was interested in.
In the openldap scenario I saw they converted the schema to a ldif file which I did dry run and the notes on converting it worked but when I looked at
duplicating it under 389-ds I saw that all the base schema's were already ldif's and I did not see the source schema's that the conversion notes said I would need.
I did add the Objectclass from the postfix book schema manually and then the attributes but I could not seem to figure out how to link the object class I
created to the users. I can see that a user has "posixAccount, inetorgperson, organizationalPerson, person, top" as Object class's. I wanted to add my Object
class PostfixBookMailAccount so the attributes used by that object class would be available to all user accounts.
If I am going about this the wrong way please feel free to enlighten me.
IT Support Analyst
+1 403.289.2177 ext.289
+1 866 USERFUL (1-866-873-7385)
Suite 300, 736 8th Ave. SW
Calgary AB T2P 1H4
Managed Desktops Done Right.
Does anyone know the specific limitations on the allowed characters for
passwords in 389-ds? I use the windows passsync agent on my domain
controllers and occasionally come across this problem. I am thinking there
might be a unicode problem, but I am having a hard time nailing it down, or
finding documentation on it for that matter.
Example event from 389-ds:
[24/Apr/2017:07:39:15 +0000] conn=268899 op=2 MOD
dn="uid=xxx,ou=yyy,dc=a,dc=b,dc=c", invalid password syntax
389 Directory Server 220.127.116.11
The 389 Directory Server team is proud to announce 389-ds-base
Fedora packages are available from the Fedora 26 and Rawhide repositories.
The new packages and versions are:
Source tarballs are available for download at Download
Highlights in 18.104.22.168
* Security fix, Bug fixes, and enhancements
Installation and Upgrade
See Download <http://www.port389.org/docs/389ds/download.html> for
information about setting up your yum repositories.
To install, use *yum install 389-ds* yum install 389-ds After install
completes, run *setup-ds-admin.pl* to set up your directory
To upgrade, use *yum upgrade* yum upgrade After upgrade completes, run
*setup-ds-admin.pl -u* to update your directory server/admin
server/console information. setup-ds-admin.pl -u
<http://www.port389.org/docs/389ds/legacy/install-guide.html> for more
information about the initial installation, setup, and upgrade
See Source <http://www.port389.org/docs/389ds/development/source.html>
for information about source tarballs and SCM (git) access.
We are very interested in your feedback!
Please provide feedback and comments to the 389-users mailing list:
If you find a bug, or would like to see a new feature, file it in our
Pagure project: https://pagure.io/389-ds-base
* Bump verson to 22.214.171.124-1
* Ticket 49228 - Fix SSE4.2 detection.
* Ticket 49229 - Correct issues in latest commits
* Ticket 49226 - Memory leak in ldap-agent-bin
* Ticket 49214 - Implement htree concept
* Ticket 49119 - Cleanup configure.ac options and defines
* Ticket 49097 - whitespace fixes for pblock change
* Ticket 49097 - Pblock get/set cleanup
* Ticket 49222 - Resolve various test issues on rawhide
* Issue 48978 - Fix the emergency logging functions severity levels
* Issue 49227 - ldapsearch for nsslapd-errorlog-level returns
* Ticket 49041 - nss won’t start if sql db type set
* Ticket 49223 - Fix sds queue locking
* Issue 49204 - Fix 32bit arch build failures
* Issue 49204 - Need to update function declaration
* Ticket 49204 - Fix lower bounds on import autosize + On small VM,
autotune breaks the access of the suffixes
* Issue 49221 - During an upgrade the provided localhost name is ignored
* Issue 49220 - Remote crash via crafted LDAP messages (SECURITY FIX)
* Ticket 49184 - Overflow in memberof
* Ticket 48050 - Add account policy tests to plugins test suite
* Ticket 49207 - Supply docker POC build for DS.
* Issue 47662 - CLI args get removed
* Issue 49210 - Fix regression when checking is password min age
should be checked
* Ticket 48864 - Add cgroup memory limit detection to 389-ds
* Issue 48085 - Expand the repl acceptance test suite
* Ticket 49209 - Hang due to omitted replica lock release
* Ticket 48864 - Cleanup memory detection before we add cgroup support
* Ticket 48864 - Cleanup up broken format macros and imports
* Ticket 49153 - Remove vacuum lock on transaction cleanup
* Ticket 49200 - provide minimal dse.ldif for python installer
* Issue 49205 - Fix logconv.pl man page
* Issue 49177 - Fix pkg-config file
* Issue 49035 - dbmon.sh shows pages-in-use that exceeds the cache size
* Ticket 48432 - Linux capabilities on ns-slapd
* Ticket 49196 - Autotune generates crit messages
* Ticket 49194 - Lower default ioblock timeout
* Ticket 49193 - gcc7 warning fixes
* Issue 49039 - password min age should be ignored if password needs
to be reset
* Ticket 48989 - Re-implement lock counter
* Issue 49192 - Deleting suffix can hang server
* Issue 49156 - Modify token :assert: to :expectedresults:
* Ticket 48989 - missing return in counter
* Ticket 48989 - Improve counter overflow fix
* Ticket 49190 - Upgrade lfds to 7.1.1
* Ticket 49187 - Fix attribute definition
* Ticket 49185 - Fix memleak in compute init
I'd like to migrate from ODSEE and PSW to 389 directory server with windows sync.
From my understanding after reading the redhat 10/9 Directory Server documentation,
existing user's password from AD will not be synced to LDAP.
This of course is normal since passwords are already hashed in AD.
However in SUN/Oracle ODSEE+PSW they were doing this:
A special attributed was added to new synced users in LDAP. On user bind to the LDAP server,
the password was caught (by the LDAP server plugin) and a second bind was tested from the LDAP server itself to the AD server.
If the 2nd bind was successful the userPassword was updated on the LDAP server, the attribute was removed and the 1st bind was ok.
Since I have a large AD forest (30K users) I don't want to do password reset on these old users.
What is the common practice with 389 server for such scenario?
Sun also had another nice feature: Uni directional sync Windows->LDAP for user create/delete but
bi-directional attribute/password change. I guess this also not supported in 389 correct?
thanks in advance,
Does anyone know, can the CRYPT plugin for 389-ds be passed a “crypt-algorithm” parameter? I came across some documentation* from the related Oracle Unified Directory / OpenDS which looks like it would do exactly what I’m looking for, but I wasn’t sure whether that was also true of 389-ds.