Problem browsing LDAP with Outlook
by Chris Bryant
When configuring Microsoft Outlook (not Outlook Express) to access an LDAP directory, there is an option to 'Enable Browsing (requires server support)'. If this option is chosen and the directory server supports it, then you should be able to open the LDAP address book and page up and down through the results. I have been unable to get this working properly with 389 DS.
When I try to browse from Outlook against the 389 DS directory, I am able to see the first page of results perfectly. However, if I move to the next page, only the first object returned will have any attributes included, and all of the rest of the objects in the page will have no attributes. I have a test perl script that duplicates this functionality as well.
I can get this to work properly with an older version of Netscape Directory Server, and I can get it working with OpenDS. Since 389 DS advertises support for the controls that are required for this to work, just like the other two servers, then I would expect it to work there also.
Has anyone out there gotten this to work with 389 DS? If so, can you share if there was anything special that you needed to do to get this to work? I'm trying to determine if this is a bug in the server, or if I'm just missing something in the configuration.
Thanks,
Chris
USA.NET
3 years, 3 months
MemberOf group restrictions to a client system (server and client running CentOS 7)
by Janet Houser
Hi,
I'm new to 389-ds and last week downloaded and installed the software.
I have a running instance of the server, and I've added TLS/SSL. I've configured a CentOS 7 client to be able to query
the server using TLS/SSL, and all appears working.
I've created users and groups on the 389-ds server successfully. For each user and group, I've enabled posix attributes and my client
can see the unix users and groups using the "getent password" or "getent group" commands.
Now, here's where I'm getting tripped up...
I need to limit which users have access to which systems. I've been trying to do this via memberOf group limitations.
I found the following online resource (https://thornelabs.net/2013/01/28/aix-restrict-server-login-via-ldap-grou...)
which is close enough to CentOS that the initial commands worked.
I enabled the MemberOf plugin and changed the attributes per the link, and restarted the system.
I created a test group (for which I didn't enable a posix GID) and tried to add a single user via:
Right click on group -- > click Properties --> then Members --> click Add --> Search for user --> click Add.
When I try to go this route (which worked before enabling the memberOf plugin) it worked. Now it seems I get the error:
"Cannot save to directory server.
netscape.ldap.LDAPException: error resiult(65): Object class violation"
And the messages file (/var/log/dirsrv/slapd-<instancename>/errors) throws the error:
"Entry "uid=test,ou=People,dc=int,dc=com" -- attribute "memberOf" not allowed
[17/Feb/2016:11:22:58 -0700] memberof-plugin - memberof_postop_modify: failed to add dn (cn=testgroup,ou=Groups,dc=int,dc=com) to target. Error (65)"
So it seems my server isn't quite using the memberOf plugin properly, but I'm not sure what else to enable. I'll have to solve this issue before
I even try to filter login access via groups on my client system.
I should mention that if I go under the advanced tab for one of the groups I created, I can add the attribute "uniquemember", but I'm not sure what I
should set the "value" to be.
I've tried creating new users to see if I could set their "uniquemember" attributes, but no luck. It seems that I don't have the ability to set this attribute
on individual users, only groups.
This might not be the right road to head down when trying to restrict access to servers via groups, so I'm open to any suggestions.
Any suggestions would be appreciated.
3 years, 3 months
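As an added illustration, not from the original post: the "attribute memberOf not allowed" error means that none of the user entry's objectclasses permit the memberOf attribute, so the plugin's write is rejected with an object class violation (65). The LDIF below adds an auxiliary objectclass that allows it; it assumes the nsMemberOf objectclass shipped in recent 389-ds-base schema, and the user DN is the one quoted in the post.

```ldif
# Added example (assumption: the server's schema provides nsMemberOf, an
# auxiliary objectclass whose only purpose is to allow the memberOf attribute).
# Apply with: ldapmodify -x -D "cn=Directory Manager" -W -f fix-memberof.ldif
dn: uid=test,ou=People,dc=int,dc=com
changetype: modify
add: objectClass
objectClass: nsMemberOf
```

Adding extensibleObject instead would also silence the error, but it permits every attribute on the entry and so weakens schema checking; after the objectclass is in place, run the memberOf fixup task so that existing group memberships are populated.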
tls encryption and key changes: symmetric key failed to unwrap
by Jan Kowalsky
Hi all,
we have the following situation: a 389ds with tls/ssl configured with
a certificate from letsencrypt.
Since letsencrypt certificates are short-lived, we have an automated update routine for
regenerating the cert8.db.
Now we have these sorts of errors in the changelog.
[01/Jun/2018:11:46:40 +0200] attrcrypt - attrcrypt_unwrap_key: failed to
unwrap key for cipher AES
[01/Jun/2018:11:46:40 +0200] attrcrypt - attrcrypt_cipher_init:
symmetric key failed to unwrap with the private key; Cert might have
been renewed since the key is wrapped. To recover the encrypted
contents, keep the wrapped symmetric key value.
[01/Jun/2018:11:46:40 +0200] attrcrypt - attrcrypt_unwrap_key: failed to
unwrap key for cipher 3DES
[01/Jun/2018:11:46:40 +0200] attrcrypt - attrcrypt_cipher_init:
symmetric key failed to unwrap with the private key; Cert might have
been renewed since the key is wrapped. To recover the encrypted
contents, keep the wrapped symmetric key value.
[01/Jun/2018:11:46:40 +0200] attrcrypt - All prepared ciphers are not
available. Please disable attribute encryption.
I never used attribute encryption and we don't need it at the moment.
But as far as I understand, it's based on the server private key. This
is the one we change every 60 days.
The best idea seems to be to disable attribute encryption (which doesn't make
much sense if the private key isn't password protected anyway).
Or is there any other way to deal with key changes?
Thanks and regards
Jan
4 years, 9 months
PassSync Replication from AD RODC to 389 DS
by Abhisheyk Deb
I have the following structure: AD RWDC (Read Write), AD RODC (Read Only),
and a 389 DS instance.
PassSync will be installed on the AD RODC and the 389 DS instance will
sync with it.
If the users are created on the AD RWDC and synced with the RODC, can
PassSync still intercept passwords in cleartext format, and push them to
389 DS?
4 years, 11 months
Limiting access to same ou
by Alistair Cunningham
Is there an elegant way to limit simpleSecurityObject users to reading
and searching within their own ou? Perhaps using an ACL based on a
regular expression?
Some background: I'm adding LDAP support to Enswitch, which is a
soft-switch for multi-tenant hosted telephone services. An Enswitch
system has many tenants, each of which is typically a small company.
Each tenant is completely independent and for privacy reasons must not
be able to see any other tenant on the system. Each tenant has people
and telephones. The telephones are physical VoIP telephones that sit on
the users' desks, and they have LDAP clients built-in that allow the
telephone to search for people within their tenant. Each telephone and
each person has a corresponding entry in Enswitch. These are stored in a
MySQL database, and pushed to the LDAP server by the Enswitch code. This
part is done and working. I'm storing each tenant as a separate ou below
the LDAP base, and within the tenant storing each person as an
inetOrgPerson and each telephone as a simpleSecurityObject. I have
anonymous access to LDAP disabled. This allows the telephones to connect
to the LDAP server with their username and password and search for
people. The only part missing is limiting the telephone lines to
searching within their own tenant (i.e. the same ou).
Any suggestions on how to do this? If this is not feasible using the ou
method, I'm willing to consider other methods such as groups.
--
Alistair Cunningham
+1 888 468 3111
+44 20 799 39 799
https://enswitch.com/
4 years, 12 months
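As an added illustration (not part of the original post and not Enswitch's own configuration), one way to express this restriction in 389 DS is a macro ACI on the suffix entry: ($dn) in the target captures the tenant ou from the entry being read, and [$dn] in the subject requires the bound DN to sit under that same ou. The suffix dc=example,dc=com, the tenant ou names and the uid RDNs used for telephones are assumptions.

```ldif
# Added example: tenant isolation with a 389 DS macro ACI. Assumptions: suffix
# dc=example,dc=com, one ou per tenant directly below it, and telephones and
# people both named uid=<name>,ou=<tenant>,dc=example,dc=com. A telephone bound
# as uid=phone-1001,ou=acme,dc=example,dc=com can read and search entries under
# ou=acme only; for entries under ou=globex, [$dn] expands to ou=globex and the
# bound DN does not match the subject, so nothing is returned.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///uid=*,($dn),dc=example,dc=com")
 (targetattr="cn || sn || givenName || mail || telephoneNumber || objectClass")
 (version 3.0; acl "tenant read within own ou";
 allow (read,search,compare)
 userdn="ldap:///uid=*,[$dn],dc=example,dc=com";)
```

userPassword is deliberately absent from targetattr so telephones cannot read one another's credentials; with anonymous access already disabled, no other ACI grants cross-tenant reads, so a telephone searching with another tenant's ou as its base gets an empty result rather than an error.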
cn or uid preferred in DNs?
by Alistair Cunningham
Is it best practice to use "cn=<username>,ou=..." or
"uid=<username>,ou=..." in DNs? What are the advantages and
disadvantages of each?
--
Alistair Cunningham
+1 888 468 3111
+44 20 799 39 799
https://enswitch.com/
5 years
Allow filters through PTA Plugin
by LHEUREUX Bernard
Hi all,
I'm pretty new to 389-DS and I would like to know if some of you could help me achieve a feature that would:
Have a 389-Directory server in front of AD Domain Controllers acting as an "ldap proxy" to protect access to the DC, while allowing users to authenticate with their AD LDAP account AND allowing the list of group members (via filters) to be retrieved from AD through PTA?
Is that possible, and how could I achieve this?
Thanks for your help
Bernard Lheureux.
5 years
User cannot change its own password
by wodel youchi
Hi,
I am using 389-ds-base-1.3.7.5-28.el7_5.x86_64 on CentOS 7. All is up to date.
I configured a password policy, and I checked "User may change password", but
when I try
[root@idm01 ~]# ldappasswd -p 389 -h idm01.example.com -ZZ -x -D
"uid=jane.doe,ou=people,dc=example,dc=com" -W -a oldpass -s newpass
I get :
Result: Server is unwilling to perform (53)
Additional info: User is not allowed to change password
Any idea?
Regards.
5 years
Problem with replication over SSL
by Olivier JUDITH
Hi,
I'm running two instances with master/master replication with SSL.
It worked fine so far, then recently I noticed errors like this:
[21/Nov/2018:10:22:34.754594972 +0100] - DEBUG - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=ReplicationAgreement" (ldap02srv:636) - Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) (error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get certificate CRL)).
I also have noticed that some attributes' replication does not work correctly.
I have checked my certificate and I have no CRL defined in the server's certificate.
Can someone help?
5 years
Auto add attributes when entries are created
by Olivier JUDITH
Hi,
I would like to add 2 new attributes to every newly created entry in my 389 servers. In these attributes I would like to add calculated values for initial user information.
Is it possible to do that without developing a new plugin?
In case I have to write a new plugin, which languages does 389 support?
Does something like database triggers exist in 389?
5 years