autosizing the cache
by Sergei Gerasenko
Hello,
My cn=userRoot,cn=ldbm database,cn=plugins,cn=config is currently:
...
nsslapd-cachesize: -1
nsslapd-cachememsize: 1543503872
nsslapd-readonly: off
nsslapd-require-index: off
nsslapd-dncachememsize: 500000000
…
But cn=config,cn=ldbm database,cn=plugins,cn=config has these settings:
...
nsslapd-cache-autosize: 10
nsslapd-cache-autosize-split: 40
…
Do I understand correctly that if I remove nsslapd-cachememsize and nsslapd-dncachememsize from cn=userRoot, the caches will be auto-sized? In other words, are they preventing the autosizing?
Thanks!
Sergei
subtree level password policy enabled with a few user level pwdPolicysubentry exceptions
by albert.luo@uwindsor.ca
Hi,
A fine-grained subtree password policy is enabled for ou=people,dc=example,dc=com. The same password policy is applied to all users under ou=people,dc=example,dc=com. I need to apply a different password policy to a few users; what is the best way to do it?
The following is my failed attempt.
Using the Admin Console, I created a "Fine-grained user policy" for uid=exception1,ou=people,dc=example,dc=com. A new policy entry for uid=exception1 was created under "cn=nspwpolicycontainer,ou=people,dc=example,dc=com". The audit log has the message: the pwdPolicysubentry attribute of "uid=exception1,ou=people,dc=example,dc=com" was successfully replaced with the DN of the new user policy entry. After refreshing the entry "uid=exception1,ou=people,dc=example,dc=com", the pwdPolicysubentry attribute is NOT actually changed; it is still the DN of the subtree policy.
Re: Cannot login to admin server after last update
by Mark Reynolds
On 03/15/2018 04:11 PM, Julian Kippels wrote:
> On Thu, 15 Mar 2018 12:00:06 -0400,
> Mark Reynolds <mreynolds(a)redhat.com> wrote:
>
>> On 03/15/2018 11:36 AM, Julian Kippels wrote:
>>> Hi,
>>>
>>> since the last update (using RHEL 7, updated from 389-ds-1.3.6.1-21
>>> to 389-ds-1.3.6.1-28) I cannot login as user admin in the
>>> administration console anymore.
>>>
>>> Looking at the logs I see this error message popping up every time I
>>> try to log in since then:
>>>
>>> [Thu Mar 15 13:09:35.046721 2018] [:crit] [pid 12027:tid
>>> 140250663868160] buildUGInfo(): unable to initialize TLS connection
>>> to LDAP host ldap-master.rz.uni-duesseldorf.de port 389: 4
>>>
>>> What I find confusing, nowhere have I ever configured any encrypted
>>> connections, because the whole setup is tucked away in a private
>>> vlan with no access to the internet. How come the admin server
>>> suddenly wants to use TLS? And how can I disable this and get back
>>> the old behaviour?
>> This is odd since you did not update the admin server (in fact there
>> have not been any admin server updates in some time).
>>
>> What error is the console login page reporting?
> "Cannot connect to the directory server:
> netscape.ldap.LDAPException: error result (49): Invalid credentials"
Okay, so the problem appears to be that you are not providing a bind DN in the
console login page. What user ID are you using to log into the console?
[15/Mar/2018:13:09:35.051526124 +0100] conn=286293 op=0 BIND dn="(anon)" method=128 version=3
[15/Mar/2018:13:09:35.051658717 +0100] conn=286293 op=0 RESULT err=49 tag=97 nentries=0 etime=0 - No suffix for bind dn found
Or you might be using a "user" name, like "admin", and not a DN
(uid=admin,...,o=netscaperoot) and it's not finding the user. You did
not provide enough of the access log to confirm.
What if you try to log in as "cn=directory manager", does it work?
Regards,
Mark
>
>> What is the administrative url in the login page, is it http:// or
>> https://?
> It's http://ldap-master.rz.uni-duesseldorf.de:9830
>
>> What is in admin server config files:
>>
>> /etc/dirsrv/admin-serv/adm.conf
>> /etc/dirsrv/admin-serv/console.conf
>>
> adm.conf:
> AdminDomain: rz.uni-duesseldorf.de
> sysuser: nobody
> isie: cn=389 Administration Server,cn=Server Group,cn=ldap-master.rz.uni-duesseldorf.de,ou=rz.uni-duesseldorf.de,o=NetscapeRoot
> SuiteSpotGroup: nobody
> sysgroup: nobody
> userdn: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
> ldapStart: /usr/lib64/dirsrv/slapd-ldap-master/start-slapd
> ldapurl: ldap://ldap-master.rz.uni-duesseldorf.de:389/o=NetscapeRoot
> SuiteSpotUserID: nobody
> sie: cn=admin-serv-ldap-master,cn=389 Administration Server,cn=Server
> Group,cn=ldap-master.rz.uni-duesseldorf.de,ou=rz.uni-duesseldorf.de,o=NetscapeRoot
>
> console.conf (stripped of comments):
> <IfModule !mpm_winnt.c>
> <IfModule !mpm_netware.c>
> User nobody
> Group nobody
> </IfModule>
> </IfModule>
> <IfModule !mpm_netware.c>
> PidFile /var/run/dirsrv/admin-serv.pid
> </IfModule>
> HostnameLookups off
> CustomLog /var/log/dirsrv/admin-serv/access common
> ErrorLog /var/log/dirsrv/admin-serv/error
> Listen 0.0.0.0:9830
> NSSEngine off
> NSSNickname server-cert
> NSSCertificateDatabase /etc/dirsrv/admin-serv
> NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
> NSSProtocol TLSv1.1
> NSSVerifyClient none
>
>> Can you run the console in debug mode, reproduce the error, and send the
>> output:
>>
>> 389-console -D 9
>>
> # 389-console -D 9
> 389-Management-Console/1.1.17 B2017.257.1933
> CommManager> New CommRecord (http://ldap-master.rz.uni-duesseldorf.de:9830/admin-serv/authenticate)
> ResourceSet: found in cache loader1975012498:com.netscape.management.client.theme.theme
> http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] open> Ready
> http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] accept> http://ldap-master.rz.uni-duesseldorf.de:9830/admin-serv/authenticate
> http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> GET \
> http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> /admin-serv/authenticate \
> http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> HTTP/1.0
> http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> Host: ldap-master.rz.uni-duesseldorf.de:9830
> http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> Connection: Keep-Alive
> http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> User-Agent: 389-Management-Console/1.1.17
> http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> Accept-Language: en
> http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> Authorization: Basic \
> http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> YWRtaW46dHk2YW0xQCd3bUN+VzEjImdjWEAmcnlTIihOdS4tdiM= \
> http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send>
> http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send>
> http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] recv> HTTP/1.1 200 OK
> http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] recv> Date: Thu, 15 Mar 2018 20:04:09 GMT
> http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] recv> Server: Apache/2.4
> HttpChannel.invoke: admin version = 2.4
> http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] recv> Admin-Server: 389-Administrator/1.1.46
> HttpChannel.invoke: admin version = 1.1.46
> http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] recv> Content-Length: 323
> http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] recv> Connection: close
> http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] recv> Content-Type: text/html
> http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] recv>
> http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] recv> Reading 323 bytes...
> http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] recv> 323 bytes read
> Console.replyHandler: adminVersion = 1.1.46
> http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] close> Closed
>
>> What is in the DS access log? /var/log/dirsrv/slapd-YOUR_INSTANCE/access
> Access log says:
>
> [15/Mar/2018:13:09:35.048757333 +0100] conn=286293 fd=179 slot=179 connection from 192.168.25.114 to 192.168.25.200
> [15/Mar/2018:13:09:35.051526124 +0100] conn=286293 op=0 BIND dn="(anon)" method=128 version=3
> [15/Mar/2018:13:09:35.051658717 +0100] conn=286293 op=0 RESULT err=49 tag=97 nentries=0 etime=0 - No suffix for bind dn found
>
>> What is in the DS errors log?
> Error log is empty
>
>> Thanks,
>> Mark
>>> Thanks in advance
>>> Julian
>>> _______________________________________________
>>> 389-users mailing list -- 389-users(a)lists.fedoraproject.org
>>> To unsubscribe send an email to
>>> 389-users-leave(a)lists.fedoraproject.org
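The reply above reads the access log by pairing the BIND line with its RESULT line (same conn and op) and treating err=49 against dn="(anon)" or a bare user name as a missing or malformed bind DN rather than a wrong password. The following is an added example, not part of the thread: it applies that reading to a constructed log sample modelled on the quoted conn=286293 lines; the conn=286294 and conn=286295 lines and their DNs are made up for contrast.

```python
import re

# Constructed sample modelled on the access-log lines quoted in the thread
# (conn=286293); conn=286294 and conn=286295 are made up for contrast.
SAMPLE_LOG = """\
[15/Mar/2018:13:09:35.048757333 +0100] conn=286293 fd=179 slot=179 connection from 192.168.25.114 to 192.168.25.200
[15/Mar/2018:13:09:35.051526124 +0100] conn=286293 op=0 BIND dn="(anon)" method=128 version=3
[15/Mar/2018:13:09:35.051658717 +0100] conn=286293 op=0 RESULT err=49 tag=97 nentries=0 etime=0 - No suffix for bind dn found
[15/Mar/2018:13:10:01.000000000 +0100] conn=286294 op=0 BIND dn="uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot" method=128 version=3
[15/Mar/2018:13:10:01.000200000 +0100] conn=286294 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[15/Mar/2018:13:10:02.000000000 +0100] conn=286295 op=0 BIND dn="admin" method=128 version=3
[15/Mar/2018:13:10:02.000200000 +0100] conn=286295 op=0 RESULT err=49 tag=97 nentries=0 etime=0 - No suffix for bind dn found
"""

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
# The trailing " - <message>" part is optional: successful RESULT lines lack it.
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+)(?:.*? - (.*))?')


def classify_bind(dn, err, note):
    """Explain a bind outcome the way the reply does: err=49 against an
    empty/anonymous target or a bare user name is a client-side naming
    problem, not a wrong password."""
    if err == 0:
        return "ok"
    if err != 49:
        return "err=%d" % err
    if dn in ("", "(anon)"):
        return "err=49: no bind DN supplied by the client"
    if "=" not in dn:
        return "err=49: bind target %r is a bare user name, not a DN" % dn
    if "No suffix for bind dn" in note:
        return "err=49: no backend suffix matches %s" % dn
    return "err=49: invalid credentials for %s" % dn


def analyze_access_log(text):
    """Pair each BIND with its RESULT by (conn, op) and classify it.
    Returns a list of (conn, dn, verdict) tuples in log order."""
    pending = {}   # (conn, op) -> bind DN awaiting its RESULT line
    findings = []
    for line in text.splitlines():
        m = BIND_RE.search(line)
        if m:
            conn, op, dn, _method = m.groups()
            pending[(conn, op)] = dn
            continue
        m = RESULT_RE.search(line)
        if m:
            conn, op, err, note = m.groups()
            dn = pending.pop((conn, op), None)
            if dn is None:
                continue   # RESULT of some other operation type
            findings.append((conn, dn, classify_bind(dn, int(err), note or "")))
    return findings


if __name__ == "__main__":
    for conn, dn, verdict in analyze_access_log(SAMPLE_LOG):
        print("conn=%s dn=%r: %s" % (conn, dn, verdict))
```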
Cannot login to admin server after last update
by Julian Kippels
Hi,
since the last update (using RHEL 7, updated from 389-ds-1.3.6.1-21 to
389-ds-1.3.6.1-28) I cannot login as user admin in the administration
console anymore.
Looking at the logs I see this error message popping up every time I
try to log in since then:
[Thu Mar 15 13:09:35.046721 2018] [:crit] [pid 12027:tid 140250663868160] buildUGInfo(): unable to initialize TLS connection to LDAP host ldap-master.rz.uni-duesseldorf.de port 389: 4
What I find confusing, nowhere have I ever configured any encrypted
connections, because the whole setup is tucked away in a private vlan with
no access to the internet. How come the admin server suddenly wants
to use TLS? And how can I disable this and get back the old behaviour?
Thanks in advance
Julian
Admin Gateway over https
by Eric Wheeler
How does one properly configure the Directory Server Gateway to run over https? Is such a setup necessary for secure connections if ldaps over 636 is active? I edited dsgw-httpd.conf until I was able to connect to the gateway via https, but the setup was pretty buggy. Afterwards, I came across a page in the documentation stating this file shouldn’t be touched.
My goal is to use the DS Gateway to edit the directory using secure connections without resorting to other tools such as phpLDAPadmin which I’ve read is really designed for OpenLDAP.
repl-monitor.pl
by Sergei Gerasenko
Hi all,
I think this is more a question for Mark since he wrote repl-monitor :)
I built a new node and promoted it to be a domain/ca replica. Everything seems to be working fine *except* repl-monitor.pl has ?:??:?? in the lag column for the CA segment from the pre-existing CA master to the new node.
Is that normal? The Max CSN is also “Unavailable” in the next column.
Any ideas?
Thanks,
Sergei
How to containerize 389DS using Docker in production systems
by Alberto García Sola
Reading the documentation I find little or no information regarding
containers and Docker, but I've found a few comments in the changelog
regarding Docker. I plan to use them in a highly scalable and elastic
environment.
I wonder, what's the best way to containerize 389DS using Docker to use
in production systems?
Any considerations regarding storage (beyond being persistent)?
Any experiences using Docker and 389DS in production systems?
Regards,
Alberto.
help building test-plugin
by Harvey, Robert
I'm hoping that someone can help me find out why my pre-bind plugin causes
ns-slapd to crash when the slapi_search_internal_get_entry function is
called. What I'm seeing is that after starting ns-slapd, the plugin will
crash slapd consistently or it will work consistently. This is with the
same plugin in place and with the same user. So after some restarts the
plugin crashes the slapd and after other starts I can bind and unbind with
the same account dozens of times successfully.
This is what I have installed:
[root@njbbldapp21 ~]# rpm -qa | grep 389
389-ds-base-libs-1.3.6.1-26.el7_4.x86_64
389-dsgw-1.1.11-5.el7.x86_64
389-console-1.1.18-1.el7.noarch
389-adminutil-1.1.21-2.el7.x86_64
389-admin-console-1.1.12-1.el7.noarch
389-ds-console-1.2.16-1.el7.noarch
389-ds-console-doc-1.2.16-1.el7.noarch
389-ds-1.2.2-6.el7.noarch
389-ds-base-1.3.6.1-26.el7_4.x86_64
389-ds-base-devel-1.3.6.1-26.el7_4.x86_64
389-admin-console-doc-1.1.12-1.el7.noarch
389-admin-1.1.46-1.el7.x86_64
Here's my Makefile:
CC = gcc
# Note: these headers come from a 389-ds-base 1.4.0.5 source tree, while the
# rpm list above shows 389-ds-base 1.3.6.1-26 installed.
INCLUDE_FLAGS = -I /usr/lib64/dirsrv/plugins \
	-I /opt/adminhome/aharvero/slap/389-ds-base-1.4.0.5/ldap/servers/slapd \
	-I /usr/include/nspr4 \
	-I /opt/adminhome/aharvero/slap/389-ds-base-1.4.0.5/ldap/include
# Compile step only; the libraries that used to be listed here (including the
# misspelt -lsladpd) are only needed when linking.
CFLAGS = $(INCLUDE_FLAGS) -D_REENTRANT -fPIC
# Link through the compiler driver rather than bare ld so that -shared,
# -fPIC and -z defs are interpreted as intended.
LDFLAGS = -shared -fPIC -z defs -L /usr/lib64/dirsrv -L /lib64
LDLIBS = -l:libslapd.so.0.1.0 -l:libplc4.so -l:libldap_r-2.4.so.2 \
	-l:liblber-2.4.so.2 -lc
OBJS = mybind.o
all: libmybind-plugin.so
libmybind-plugin.so: $(OBJS)
	$(CC) $(LDFLAGS) -o $@ $(OBJS) $(LDLIBS)
.c.o:
	$(CC) $(CFLAGS) -c $<
clean:
	-rm -f $(OBJS) libmybind-plugin.so
Here's the plugin:
$ cat mybind.c
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
/************************************************************
 mybind.c
 This source file provides an example of a pre-operation plug-in
 function that handles authentication.

 dn: cn=mybind,cn=plugins,cn=config
 objectClass: top
 objectClass: nsSlapdPlugin
 objectClass: extensibleObject
 cn: mybind
 nsslapd-pluginPath: libmybind-plugin
 nsslapd-pluginInitfunc: mybind_init
 nsslapd-pluginType: preoperation
 nsslapd-pluginEnabled: on
 nsslapd-plugin-depends-on-type: database
 nsslapd-pluginId: mybind
 ************************************************************/
#include <stdio.h>
#include <string.h>
#include "slapi-plugin.h"
/* slapi-private.h is not part of the public plugin API; the copy compiled
   against must match the libslapd the server actually loads. */
#include "slapi-private.h"
#include <plstr.h>

#define VENDOR "myco"
#define DS_PACKAGE_VERSION "1.1.1.1"
#define MYPLUGINID "mybind"
#define CALLBACK_OK 0
#define CALLBACK_ERR -1

/* Plugin identity handed out by the server in mybind_init() and passed
   back on every internal operation so the server can attribute it. */
static void *plugin_id = NULL;

static Slapi_PluginDesc bindpdesc = { MYPLUGINID, VENDOR,
                                      DS_PACKAGE_VERSION,
                                      "mybind control plugin" };

/* Pre-operation plug-in function */
int
test_bind(Slapi_PBlock *pb)
{
    char *dn = NULL, *attrs[2] = { SLAPI_USERPWD_ATTR, NULL };
    int method = 0, rc = LDAP_SUCCESS;
    struct berval *credentials = NULL;
    Slapi_DN *sdn = NULL;
    Slapi_Entry *e = NULL;
    Slapi_Value *sv_creds = NULL;

    /* Log a message to the server error log. */
    slapi_log_error(SLAPI_LOG_PLUGIN, MYPLUGINID,
                    "Pre-operation bind function called.\n");

    /* Get the parameters available when processing an LDAP bind operation. */
    if (slapi_pblock_get(pb, SLAPI_BIND_TARGET, &dn) != 0 ||
        slapi_pblock_get(pb, SLAPI_BIND_METHOD, &method) != 0 ||
        slapi_pblock_get(pb, SLAPI_BIND_CREDENTIALS, &credentials) != 0) {
        slapi_log_error(SLAPI_LOG_PLUGIN, MYPLUGINID,
                        "Could not get parameters for bind operation\n");
        slapi_send_ldap_result(pb, LDAP_OPERATIONS_ERROR,
                               NULL, NULL, 0, NULL);
        return (1);
    }

    /* The plugin wouldn't get called for anonymous binds but let's check */
    if (dn == NULL || *dn == '\0') {
        return 0;
    }
    slapi_log_error(SLAPI_LOG_PLUGIN, MYPLUGINID, "Authenticated: %s\n", dn);
    slapi_log_error(SLAPI_LOG_PLUGIN, MYPLUGINID, "Method: %d\n", method);

    sv_creds = slapi_value_new_berval(credentials); /* wrap in Slapi_Value* */
    slapi_log_error(SLAPI_LOG_PLUGIN, MYPLUGINID, "Method: : LDAP_AUTH_SIMPLE\n");

    sdn = slapi_sdn_new_dn_byref(dn);
    slapi_log_error(SLAPI_LOG_PLUGIN, MYPLUGINID, "before search \n");
    /* Half the time this will crash slapd !!!!! */
    rc = slapi_search_internal_get_entry(sdn, attrs, &e, plugin_id);
    slapi_log_error(SLAPI_LOG_PLUGIN, MYPLUGINID, "after search \n");
    slapi_sdn_free(&sdn);

    if (rc != LDAP_SUCCESS) {
        slapi_log_error(SLAPI_LOG_PLUGIN, MYPLUGINID,
                        "Could not find entry %s (error %d)\n", dn, rc);
    } else {
        slapi_log_error(SLAPI_LOG_PLUGIN, MYPLUGINID,
                        "Found entry %s (error %d)\n", dn, rc);
        /* The entry returned by slapi_search_internal_get_entry() is owned
           by the caller and must be freed. */
        slapi_entry_free(e);
    }
    /* Release the Slapi_Value wrapper created above. */
    slapi_value_free(&sv_creds);
    /* Return 0 so the server continues with its own bind processing. */
    return 0;
}

/* Pre-operation plug-in function */
int
test_search(Slapi_PBlock *pb)
{
    char *reqdn = NULL;

    /* Log a message to the server error log. */
    slapi_log_error(SLAPI_LOG_PLUGIN, MYPLUGINID,
                    "Pre-operation search function called.\n");

    /* Get requestor of search operation. This is not critical
       to performing the search (this plug-in just serves as
       confirmation that the bind plug-in works), so return 0
       if this fails. */
    if (slapi_pblock_get(pb, SLAPI_REQUESTOR_DN, &reqdn) != 0) {
        slapi_log_error(SLAPI_LOG_PLUGIN, MYPLUGINID,
                        "Could not get requestor parameter for search operation\n");
        return (0);
    }

    /* Indicate who is requesting the search */
    if (reqdn != NULL && *reqdn != '\0') {
        slapi_log_error(SLAPI_LOG_PLUGIN, MYPLUGINID,
                        "Search requested by %s\n", reqdn);
    } else {
        slapi_log_error(SLAPI_LOG_PLUGIN, MYPLUGINID,
                        "Search requested by anonymous client\n");
    }
    return (0);
}

/* Initialization function */
int
mybind_init(Slapi_PBlock *pb)
{
    int enabled = 0;

    slapi_log_error(SLAPI_LOG_PLUGIN, MYPLUGINID,
                    "mybind running mybind init function.\n");
    slapi_pblock_get(pb, SLAPI_PLUGIN_ENABLED, &enabled);
    if (slapi_pblock_get(pb, SLAPI_PLUGIN_IDENTITY, &plugin_id) != 0) {
        slapi_log_error(SLAPI_LOG_ERR, MYPLUGINID,
                        "mybind_init - Failed to get plugin identity\n");
        return (CALLBACK_ERR);
    }
    PR_ASSERT(plugin_id);
    /* plugin_id is an opaque pointer, not a string: log it with %p
       (the original %s read it as a C string). */
    slapi_log_error(SLAPI_LOG_PLUGIN, MYPLUGINID,
                    "init function Plugin ID: %p\n", plugin_id);

    if (slapi_pblock_set(pb, SLAPI_PLUGIN_VERSION,
                         SLAPI_PLUGIN_VERSION_03) != 0 ||
        slapi_pblock_set(pb, SLAPI_PLUGIN_DESCRIPTION,
                         (void *)&bindpdesc) != 0 ||
        slapi_pblock_set(pb, SLAPI_PLUGIN_PRE_BIND_FN,
                         (void *)test_bind) != 0) {
        slapi_log_error(SLAPI_LOG_PLUGIN, MYPLUGINID,
                        "Failed to set version and functions in the init function\n");
        return (CALLBACK_ERR);
    }
    slapi_log_error(SLAPI_LOG_PLUGIN, MYPLUGINID,
                    "Registration set was good in the init function\n");
    slapi_log_error(SLAPI_LOG_PLUGIN, MYPLUGINID,
                    "end of mybind init function.\n");
    return (CALLBACK_OK);
}
[389-users] (re)enabling a password policy
by Kirk MacDonald
Hello,
Looking for some guidance with password policies.
About a year ago I migrated a very old instance of Red Hat Directory Server to 389-ds version 1.3.5.10. I did this with a db export and import. I did not enable the password policy which was active on the old Red Hat Directory Server instance.
It has come time to (re)enable a password policy on the 389-ds instance and I am hoping for some guidance on how to proceed. The policy would be one of syntax and expiration requirements. All the applicable users appear to have the required attributes (passwordexpirationtime, passwordexpwarned, passwordgracetimeuser, passwordhistory, passwordretrycount, retrycountresettime).
Questions:
1. All the users on which the password policy should apply are under ou=People,dc=sub,dc=domain,dc=tld
   - It should therefore be safe to apply the password policy here for the subtree?
2. What is the best way to set individual users who should be exempt from the policy?
3. Some of the users who should be exempt are within nsPwPolicyContainer under ou=People. Does this relate to question #2?
4. Given that a long time has passed during which the password policy has not been active, it probably makes sense to set the applicable users' passwordexpirationtime attribute to some time in the future so there isn't a flood of "password lockout" complaints?
Kirk MacDonald | System Analyst II
Eastlink | Internet
Kirk.MacDonald(a)corp.eastlink.ca T: 902.406.4969