I'm new to 389-ds and last week downloaded and installed the software.
I have a running instance of the server, and I've added TLS/SSL. I've configured a CentOS 7 client to be able to query
the server using TLS/SSL, and all appears working.
I've created users and groups on the 389-ds server successfully. For each user and group, I've enabled posix attributes and my client
can see the unix users and groups using the "getent password" or "getent group" commands.
Now, here's where I'm getting tripped up..........
I need to limit which users have access to which systems. I've been trying to do this via memberOf group limitations.
I found the following online resource (https://thornelabs.net/2013/01/28/aix-restrict-server-login-via-ldap-grou...)
which is close enough to CentOS that the initial commands worked.
I enabled the MemberOf plugin and changed the attributes per the link, and restarted the system.
I created a test group (that I didn't enable a posix GID) and tried to add a single user via:
Right click on group -- > click Properties --> then Members --> click Add --> Search for user --> click Add.
When I try to go this route (which worked before enabling the memberOf plugin) it worked. Now it seems I get the error:
"Cannot save to directory server.
netscape.ldap.LDAPException: error resiult(65): Object class violation"
And the messages file throws the error (/var/log/dirsrv/slapd-<instancename>/errors:
"Entry "uid=test,ou=People,dc=int,dc=com" -- attribute "memberOf" not allowed
[17/Feb/2016:11:22:58 -0700] memberof-plugin - memberof_postop_modify: failed to add dn (cn=testgroup,ou=Groups,dc=int,dc=com) to target. Error (65)"
So it seems my server isn't quite using the memberOf plugin properly, but I'm not sure what else to enable. I'll have to solve this issue before
I even try to filter login access via groups on my client system.
I should mention that if I go under the advanced tab for one of the groups I created, I can add the the attribute "uniquemember", but I'm not sure what I
should set the "value" to be.
I've tried creating new users to see if I could set their "uniquemember" attributes, but no luck. It seems that I don't have the ability to set this attribute
on individual users, only groups.
This might not be the right road to head down when trying to restrict access to servers via groups, so I'm open to any suggestions.
Any suggestions would be appreciated.
I've been looking through the archives for information, but I haven't stumbled on a solution to my problem.
I'm running ds-389 (389-ds-base-126.96.36.199) on a centos 7 box (CentOS Linux release 7.2.1511). I have a centos OS client configured using SSL/TLS
which queries the LDAP server. Per a previous thread, I configured the memeberOf plugin and all seems to be working properly.
I have a php script that will run on the client and change the LDAP password for the user. The problem is, the script looks for the SSHA has
of the password when an ldapsearch is issued.
However, when I issue a general ldapsearch (anonymously) I don't get the userpassword field. I read in your archives that I might have
to be the "directory manager" user in order to see the hashed password. I've been playing around with the ldapsearch syntax, but I can't
quite get it right.
Anyway, my question is, can I set a flag in 389-ds that will display the hashed userpassword? I think that will solve my problem with the php script returning an error that it can't retrieve the old password.
I am doing some experiements with account lockout password policy. The account is locked out after many wrong password tries.
If bind with correct password, the result is
#<OpenStruct extended_response=nil, code=19, error_message="Exceed password retry limit. Please try later.", matched_dn="", message="Constraint Violation">
if bind with wrong password, the result is
#<OpenStruct extended_response=nil, code=49, error_message="", matched_dn="", message="Invalid Credentials">
So attacker can still continue to try/guess different passwords until he get the result of : code=19, error_message="Exceed password retry limit. Please try later.".
My organization has made extensive use of the Directory Server (Web)
Gateway (DSGW) for 20 years. I've yet to come across any suitable
alternative (suggestions welcome if you're familiar with its functionality).
We are at least a decade behind with updates, having been tied to the
Oracle fork of directory and mail server products until recently. I am
now experimenting with potential conversion to 389-DS or RHDS including
the updated DSGW, and I may have encountered a bug.
Is the DSGW still used and supported?
The specific problem appears to be the edit command
(/usr/lib64/dirsrv/dsgw-cgi-bin/edit) failing to handle "syntax=mls" as
encountered in a template file
(/usr/share/dirsrv/dsgw/config/display-orgperson.html). The problem
occurs if the attribute involved exists in the entry being edited,
whether its value contains multiple lines or not.
The symptom: The multi-line data is displayed cleanly using the search
or csearch commands, but upon clicking the Edit button to enter edit
mode, the web form is truncated. Bottom half blank, from one cell above
whatever cell contains "syntax=mls". In the distributed template file
the trigger line is:
<!-- DS_ATTRIBUTE "attr=postalAddress" "syntax=mls" "type=TEXTAREA"
"cols=>40" "rows=>4" -->
The test environment:
# uname -a
Linux /host.domain/3.10.0-514.16.1.el7.x86_64 #1 SMP Wed Apr 12 15:04:24
UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
# yum list | grep 389
389-admin.x86_64 1.1.46-1.el7 @epel
389-admin-console.noarch 1.1.12-1.el7 @epel
389-admin-console-doc.noarch 1.1.12-1.el7 @epel
389-adminutil.x86_64 1.1.21-2.el7 @epel
389-console.noarch 1.1.18-1.el7 @epel
389-ds.noarch 1.2.2-6.el7 @epel
389-ds-base.x86_64 188.8.131.52-20.el7_3 @updates
389-ds-base-libs.x86_64 184.108.40.206-20.el7_3 @updates
389-ds-console.noarch 1.2.16-1.el7 @epel
389-ds-console-doc.noarch 1.2.16-1.el7 @epel
389-dsgw.x86_64 1.1.11-5.el7 @epel
389-adminutil-devel.x86_64 1.1.21-2.el7 epel
389-ds-base-devel.x86_64 220.127.116.11-20.el7_3 updates
389-ds-base-snmp.x86_64 18.104.22.168-20.el7_3 updates
pcp-pmda-ds389.x86_64 3.11.3-4.el7 base
pcp-pmda-ds389log.x86_64 3.11.3-4.el7 base
I have a replication setup (389 and AD):
We are implementing password police on both side (and password expiration).
When the account has expired on AD side (It means that on AD side I have
the flag "user must change password" set on an user) , when I try to change
password on 389 side, I see the following error:
[03/Jul/2017:10:47:07 -0300] NSMMReplicationPlugin - windows sync -
agmt="cn=AD - GTI-DF-DC01" (gti-df-dc01:636): AD entry CN=Teste
Marcelo,OU,test,DC=my,DC=domain set "user must change password at next
And the password is not changed on AD side.
I thought that could be something about permission on my replication login,
so I made a script in perl to change password directly on my AD, and with
this script (using the same login that I uses on my replication) the
password is changed.
Can you detail me a little bit better how replication occurs? Or point me
why when this flag is set the replication plugin is not be able to change
the password on AD side?
My first guess is:
The replication plugin try to bind this user first (to check if the user
already has this password) and when receives this error (user must change
password), so it does not try to change the password.
Please suggest me to reslove this issue.
we are trying to integrate 389 ldap to cyberoam, while doing test connection we are facing below issue.
[05/Jul/2017:05:38:01.814000145 -0400] conn=19 op=0 BIND dn="Directory Manager,dc=text,dc=in" authzid="(null)", invalid bind dn
I have 2 pairs of DS's in multimaster fractional replication with
memberof plugging excluded from replication , (DS1 <----->DS2 )
second pair same fractional multimaster rep config ( DS3<---->DS4)
I want to import with ldif2db a copy of DS content from first pairs to
second pair, what are implication for exiting replication system , any
extra meta -data needs to be clearup after import, what will be the
steps order to avoid to have to rebuild the second replication ?
I have two 389 servers configured for multimaster replication. I noticed these possibly related messages in the errors logs:
[12/Jul/2017:07:50:44 -0700] - database index is corrupt; key *zon has a data item with the wrong size (5)
[12/Jul/2017:07:55:48 -0700] - idl_new.c BAD 59, err=-30999 DB_BUFFER_SMALL: User memory too small for return value
[12/Jul/2017:07:55:48 -0700] - database index operation failed BAD 1050, err=-30999 DB_BUFFER_SMALL: User memory too small for
How can I determine what index this is referring to and how do I repair it?
389-Directory/22.214.171.124 B2015.345.187 (389-ds-base-126.96.36.199-69.el6_7.x86_64 is the RPM) on RHEL 6.9
As far as I can see (with a little research on some tickets) lib nunc-stans
is now enabled by default in 389 (389-ds-base) and I'm trying to compiling
it on ubuntu 16.04 and was getting the following error:
/.libs/libnunc-stans.so: undefined reference to `event_add'
./.libs/libnunc-stans.so: undefined reference to `event_base_loop'
./.libs/libnunc-stans.so: undefined reference to `event_set_log_callback'
./.libs/libnunc-stans.so: undefined reference to `event_base_free'
./.libs/libnunc-stans.so: undefined reference to `event_assign'
./.libs/libnunc-stans.so: undefined reference to `event_set_mem_functions'
./.libs/libnunc-stans.so: undefined reference to `event_base_new'
./.libs/libnunc-stans.so: undefined reference to `event_del'
collect2: error: ld returned 1 exit status
Nunc-stans depends on libevent-dev (at least on ubuntu):
gcc -g -O2 -o .libs/ns-slapd ldap/servers/slapd/ns_slapd-abandon.o
./.libs/libnunc-stans.so ./.libs/libslapd.so ./.libs/libldaputil.so
-lldap_r -llber -lssl3 -lnss3 -ldl -lplc4 -lplds4 -lnspr4 -lsasl2
-L/usr/lib/x86_64-linux-gnu/ -lsvrcore -lpthread -Wl,-rpath
Seems to be missing the libevent(-levent), my workaround was to add it
I'm not sure if is an expected behavior, but anyway I just want to share my