Problem browsing LDAP with Outlook
by Chris Bryant
When configuring Microsoft Outlook (not Outlook Express) to access an LDAP directory, there is an option to 'Enable Browsing (requires server support)'. If this option is chosen and the directory server supports it, then you should be able to open the LDAP address book and page up and down through the results. I have been unable to get this working properly with 389 DS.
When I try to browse from Outlook against the 389 DS directory, I am able to see the first page of results perfectly. However, if I move to the next page, only the first object returned will have any attributes included, and all of the rest of the objects in the page will have no attributes. I have a test perl script that duplicates this functionality as well.
I can get this to work properly with an older version of Netscape Directory Server, and I can get it working with OpenDS. Since 389 DS advertises support for the controls that are required for this to work, just like the other two servers, then I would expect it to work there also.
Has anyone out there gotten this to work with 389 DS? If so, can you share if there was anything special that you needed to do to get this to work? I'm trying to determine if this is a bug in the server, or if I'm just missing something in the configuration.
Thanks,
Chris
USA.NET
3 years, 6 months
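Outlook's "Enable Browsing" option walks the directory with the LDAP Virtual List View (VLV) control together with the Server-Side Sort control that VLV depends on: each page is requested by offset, and the server's response carries a contentCount and a context cookie that the client echoes back on the next request. The Python below is an added example, not from this post and not 389 DS code: it encodes the VLV and sort request controls and decodes a VLV response with a minimal BER codec, so that the control values exchanged on a failing second page can be inspected byte by byte. The OIDs are the published ones; the response bytes are hand-built for the example, not captured from any server.

```python
"""BER encoder/decoder for the LDAP Virtual List View (VLV) and Server-Side Sort
controls that a browsing client sends with each page. Constructed example; the
response bytes below are hand-built, not captured from a server."""
from typing import Dict, List, Tuple

VLV_REQUEST_OID = "2.16.840.1.113730.3.4.9"
VLV_RESPONSE_OID = "2.16.840.1.113730.3.4.10"
SORT_REQUEST_OID = "1.2.840.113556.1.4.473"

# Result values carried in VirtualListViewResponse; 60 and 61 are VLV-specific.
VLV_RESULT_NAMES = {0: "success", 1: "operationsError", 3: "timeLimitExceeded",
                    11: "adminLimitExceeded", 50: "insufficientAccessRights",
                    51: "busy", 53: "unwillingToPerform",
                    60: "sortControlMissing", 61: "offsetRangeError", 80: "other"}


def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _integer(value: int) -> bytes:
    """Minimal two's-complement INTEGER (tag 0x02); VLV values are never negative."""
    if value < 0:
        raise ValueError("VLV integers are non-negative")
    length = max(1, (value.bit_length() + 8) // 8)  # leave room for the sign bit
    return _tlv(0x02, value.to_bytes(length, "big", signed=True))


def encode_sort_request(attributes: List[str]) -> bytes:
    """SortKeyList ::= SEQUENCE OF SEQUENCE { attributeType } (ascending, default rule)."""
    keys = b"".join(_tlv(0x30, _tlv(0x04, a.encode("ascii"))) for a in attributes)
    return _tlv(0x30, keys)


def encode_vlv_request(before: int, after: int, offset: int,
                       content_count: int, context_id: bytes = b"") -> bytes:
    """VirtualListViewRequest with a byOffset target ([0] SEQUENCE { offset, contentCount }).
    offset is 1-based; content_count is 0 on the first request and echoed afterwards."""
    by_offset = _tlv(0xA0, _integer(offset) + _integer(content_count))
    body = _integer(before) + _integer(after) + by_offset
    if context_id:
        body += _tlv(0x04, context_id)  # contextID OCTET STRING OPTIONAL
    return _tlv(0x30, body)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def decode_vlv_response(value: bytes) -> Dict[str, object]:
    """VirtualListViewResponse ::= SEQUENCE { targetPosition INTEGER, contentCount INTEGER,
    virtualListViewResult ENUMERATED, contextID OCTET STRING OPTIONAL }."""
    tag, body, _ = _read_tlv(value, 0)
    if tag != 0x30:
        raise ValueError("VLV response is not a SEQUENCE")
    pos, fields = 0, []
    while pos < len(body):
        t, payload, pos = _read_tlv(body, pos)
        fields.append((t, payload))
    if len(fields) < 3 or fields[0][0] != 0x02 or fields[1][0] != 0x02 or fields[2][0] != 0x0A:
        raise ValueError("malformed VLV response")
    code = int.from_bytes(fields[2][1], "big", signed=True)
    return {
        "target_position": int.from_bytes(fields[0][1], "big", signed=True),
        "content_count": int.from_bytes(fields[1][1], "big", signed=True),
        "result": code,
        "result_name": VLV_RESULT_NAMES.get(code, "unknown(%d)" % code),
        "context_id": fields[3][1] if len(fields) > 3 and fields[3][0] == 0x04 else b"",
    }


def next_page_request(previous: Dict[str, object], page_size: int) -> bytes:
    """Request for the page after `previous`, echoing the server's contentCount and cookie."""
    offset = int(previous["target_position"]) + page_size
    return encode_vlv_request(0, page_size - 1, offset,
                              int(previous["content_count"]), previous["context_id"])


# Constructed: a server answering "position 1 of 200 entries, success, cookie b'ab'".
SAMPLE_RESPONSE = bytes.fromhex("300e020101020200c80a01000402") + b"ab"

if __name__ == "__main__":
    print("sort control  :", encode_sort_request(["cn"]).hex())
    print("page 1 request:", encode_vlv_request(0, 49, 1, 0).hex())
    response = decode_vlv_response(SAMPLE_RESPONSE)
    print("response      :", response)
    print("page 2 request:", next_page_request(response, 50).hex())
```

The client must send the sort control on every VLV request (otherwise the server answers sortControlMissing), and the contextID and contentCount from one response have to be echoed verbatim on the next page; a capture of both controls on the page that comes back attribute-less is the first thing to compare between the three servers mentioned.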
MemberOf group restrictions to a client system (server and client running CentOS 7)
by Janet Houser
Hi,
I'm new to 389-ds and last week downloaded and installed the software.
I have a running instance of the server, and I've added TLS/SSL. I've configured a CentOS 7 client to be able to query
the server using TLS/SSL, and all appears working.
I've created users and groups on the 389-ds server successfully. For each user and group, I've enabled posix attributes and my client
can see the unix users and groups using the "getent password" or "getent group" commands.
Now, here's where I'm getting tripped up..........
I need to limit which users have access to which systems. I've been trying to do this via memberOf group limitations.
I found the following online resource (https://thornelabs.net/2013/01/28/aix-restrict-server-login-via-ldap-grou...)
which is close enough to CentOS that the initial commands worked.
I enabled the MemberOf plugin and changed the attributes per the link, and restarted the system.
I created a test group (that I didn't enable a posix GID) and tried to add a single user via:
Right click on group -- > click Properties --> then Members --> click Add --> Search for user --> click Add.
When I try to go this route (which worked before enabling the memberOf plugin) it worked. Now it seems I get the error:
"Cannot save to directory server.
netscape.ldap.LDAPException: error resiult(65): Object class violation"
And the messages file throws the error (/var/log/dirsrv/slapd-<instancename>/errors):
"Entry "uid=test,ou=People,dc=int,dc=com" -- attribute "memberOf" not allowed
[17/Feb/2016:11:22:58 -0700] memberof-plugin - memberof_postop_modify: failed to add dn (cn=testgroup,ou=Groups,dc=int,dc=com) to target. Error (65)"
So it seems my server isn't quite using the memberOf plugin properly, but I'm not sure what else to enable. I'll have to solve this issue before
I even try to filter login access via groups on my client system.
I should mention that if I go under the advanced tab for one of the groups I created, I can add the attribute "uniquemember", but I'm not sure what I
should set the "value" to be.
I've tried creating new users to see if I could set their "uniquemember" attributes, but no luck. It seems that I don't have the ability to set this attribute
on individual users, only groups.
This might not be the right road to head down when trying to restrict access to servers via groups, so I'm open to any suggestions.
Any suggestions would be appreciated.
3 years, 7 months
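The error quoted above (65, object class violation, "attribute memberOf not allowed") is the server refusing to write memberOf onto a user entry whose objectClasses do not permit that attribute; in the 389 DS schema the auxiliary classes nsMemberOf and inetUser carry memberOf in their MAY list, and the value of uniqueMember on a group is the full DN of the member entry. The Python below is an added example, not part of this thread and not 389 DS code: it parses an LDIF export and reports, for every entry referenced as a group member, which of its objectClasses would permit memberOf, plus any uniqueMember values that point at no entry at all. The schema table is a deliberately reduced subset, and the LDIF is constructed around the DNs quoted in the post.

```python
"""Pre-flight schema check for the memberOf plugin. 389 DS writes memberOf onto the
member's own entry; if none of that entry's objectClasses permits the attribute the
write fails with error 65 (objectClassViolation). Schema subset and LDIF are constructed."""
import base64
from typing import Dict, List

# Reduced schema: objectClass -> attributes it permits (MAY or MUST), lower-cased.
# Only the classes and attributes relevant to this check are listed.
SCHEMA_ATTRS: Dict[str, set] = {
    "top": {"objectclass"},
    "person": {"cn", "sn", "userpassword", "description"},
    "organizationalperson": {"ou", "l", "postaladdress"},
    "inetorgperson": {"uid", "mail", "displayname", "givenname"},
    "posixaccount": {"uid", "uidnumber", "gidnumber", "homedirectory", "loginshell", "gecos"},
    "nsmemberof": {"memberof"},                       # 389 DS auxiliary class for memberOf
    "inetuser": {"uid", "userpassword", "memberof", "inetuserstatus"},
    "groupofuniquenames": {"cn", "uniquemember", "description", "owner"},
}

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Parse LDIF records into {attribute(lower): [values]}; handles folded lines and '::' base64."""
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:      # folded continuation line
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries: List[Entry] = []
    current: Entry = {}
    for line in logical + [""]:                  # trailing "" flushes the last record
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):                # "attr:: base64value"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def permitting_classes(entry: Entry, attribute: str) -> List[str]:
    """ObjectClasses of the entry that permit `attribute`; empty means an objectClassViolation."""
    wanted = attribute.lower()
    return [oc for oc in entry.get("objectclass", [])
            if wanted in SCHEMA_ATTRS.get(oc.lower(), set())]


def check_memberof(ldif_text: str) -> Dict[str, List[str]]:
    """DN -> classes permitting memberOf, for every entry that some group lists as a member."""
    entries = parse_ldif(ldif_text)
    members = {m.lower() for e in entries
               for m in e.get("uniquemember", []) + e.get("member", [])}
    return {e["dn"][0]: permitting_classes(e, "memberOf")
            for e in entries if e["dn"][0].lower() in members}


def dangling_members(ldif_text: str) -> Dict[str, List[str]]:
    """Group DN -> uniqueMember values that match no entry DN in the export (mistyped DN)."""
    entries = parse_ldif(ldif_text)
    known = {e["dn"][0].lower() for e in entries}
    result: Dict[str, List[str]] = {}
    for e in entries:
        missing = [m for m in e.get("uniquemember", []) if m.lower() not in known]
        if missing:
            result[e["dn"][0]] = missing
    return result


# Constructed export: one user without a memberOf-capable class, one with nsMemberOf,
# and a group whose uniqueMember values are member DNs (one of them deliberately wrong).
SAMPLE_LDIF = """\
dn: uid=test,ou=People,dc=int,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
uid: test
cn: Test User
sn: User
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/test

dn: uid=test2,ou=People,dc=int,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: nsMemberOf
uid: test2
cn: Second User
sn: User
uidNumber: 10002
gidNumber: 10002
homeDirectory: /home/test2

# The value of uniqueMember is the full DN of the member entry.
dn: cn=testgroup,ou=Groups,dc=int,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: testgroup
uniqueMember: uid=test,ou=People,dc=int,dc=com
uniqueMember: uid=test2,ou=People,dc=int,dc=com
uniqueMember: uid=nobody,ou=People,dc=int,dc=com
"""

if __name__ == "__main__":
    for dn, classes in check_memberof(SAMPLE_LDIF).items():
        print(dn, "->", "OK via %s" % classes if classes else "error 65 expected")
    for group, missing in dangling_members(SAMPLE_LDIF).items():
        print(group, "has members that do not exist:", missing)
```

Run against `db2ldif` output (or an `ldapsearch -LLL` dump) before enabling the plugin on an existing directory; an entry reported with an empty list is one the plugin will fail on until an auxiliary class permitting memberOf is added to it.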
error moving an user
by Alberto Viana
Hey Guys,
389 version: 389-Directory/1.3.7.4.20170912git26a9426 B2017.255.1330
I'm trying to move one of my users to another OU and I see this kind of
error:
Error while moving entry
- [LDAP: error code 1 - Operations Error]
java.lang.Exception: [LDAP: error code 1 - Operations Error]
at
In the log I see:
[20/Mar/2018:14:12:27.172553808 -0300] - ERR - ldbm_back_modrdn -
SLAPI_PLUGIN_BE_TXN_POST_MODRDN_FN plugin returned error but did not set
SLAPI_RESULT_CODE
I thought that was related to my windows replication, but I disabled it and
I'm still getting the error.
Any clues?
5 years, 5 months
ldapsearch performance problem
by Jan Kowalsky
Hi all,
while moving a 389ds server to another machine (and another version) I
realized there are performance issues during ldapsearch.
Normally a query is quite quick (about 20ms), but sometimes (like every
five seconds) it hangs for one or even several seconds.
I test this with:
time ldapsearch -h localhost ...
Since the new server should be a lot faster (cpu, io) I'm wondering
what can cause this.
There is a replication with three servers and supplier-supplier config
among each. We have about 50 databases, but each with a maximum of only a few
hundred records. Most of them smaller.
I looked for cache configuration - but these are similar to the old
server and I get entrycachehitratio about 99%.
Any idea for further debugging?
Regards
Jan
5 years, 9 months
389 and Active Directory 2016
by JESSE LUNT
Hello,
Does 389 synchronize with Active Directory 2016? I have found
documentation saying 2003,2008, and 2012 are supported.
-Jesse
--
Jesse Lunt
Director of Network and User Services
Office of Information Services
North Shore Community College
(978)-762-4014
5 years, 9 months
replicating specific attributes from AD to DS
by Paulo Cast
hi guys,
just wondering how to get specific attributes from AD
(cn=users,dc=domain,dc=com) replicated to DS (389-ds-base-1.3.8.1-1.fc27).
I already have the Windows Sync Agreement working so far but I can't get a
few extra attributes like EmployeeID, EmployeeNumber, etc. Nor can I get
the password policy replicated. Any ideas on how to do it?
thx,
sergio
5 years, 9 months
Announcing 389 Directory Server 1.3.8.2
by Mark Reynolds
389 Directory Server 1.3.8.2
The 389 Directory Server team is proud to announce 389-ds-base
version 1.3.8.2
Fedora packages are available on Fedora 27.
https://koji.fedoraproject.org/koji/taskinfo?taskID=27171470
https://bodhi.fedoraproject.org/updates/FEDORA-2018-f440642085
The new packages and versions are:
* 389-ds-base-1.3.8.2-1
Source tarballs are available for download at
https://releases.pagure.org/389-ds-base/389-ds-base-1.3.8.2.tar.bz2
Highlights in 1.3.8.2
* Security and bug fixes
Installation and Upgrade
See Download <http://www.port389.org/docs/389ds/download.html> for
information about setting up your yum repositories.
To install, use *yum install 389-ds*. After install
completes, run *setup-ds-admin.pl* if you have 389-admin installed,
otherwise please run *setup-ds.pl* to set up your directory server.
To upgrade, use *yum upgrade*. After upgrade completes, run
*setup-ds-admin.pl -u* if you have 389-admin installed, otherwise please
run *setup-ds.pl* to update your directory server/admin
server/console information.
See Install_Guide
<http://www.port389.org/docs/389ds/legacy/install-guide.html> for more
information about the initial installation, setup, and upgrade
See Source <http://www.port389.org/docs/389ds/development/source.html>
for information about source tarballs and SCM (git) access.
Feedback
We are very interested in your feedback!
Please provide feedback and comments to the 389-users mailing list:
https://lists.fedoraproject.org/admin/lists/389-users.lists.fedoraproject...
If you find a bug, or would like to see a new feature, file it in our
Pagure project: https://pagure.io/389-ds-base
* Bump version to 1.3.8.2
* Ticket 48184 - clean up and delete connections at shutdown (2nd try)
* Ticket 49696 - replicated operations should be serialized
* Ticket 49671 - Readonly replicas should not write internal ops
to changelog
* Ticket 49665 - Upgrade script doesn’t enable CRYPT password
storage plug-in
* Ticket 49665 - Upgrade script doesn’t enable PBKDF2 password
storage plug-in
5 years, 10 months
Replication Delay
by Fong, Trevor
Hi Everyone,
I’ve set up a new 389 DS cluster (389-Directory/1.3.6.1 B2018.016.1710) and have set up a replication agreement from our old cluster (389-Directory/1.2.11.15 B2014.300.2010) to a master node in the new cluster. Problem is that updates in the old cluster take up to 15 mins to make it into the new cluster. We need it to be near instantaneous, like it normally is. Any ideas what I can check?
Thanks a lot,
Trev
_________________________________________________
Trevor Fong
Senior Programmer Analyst
Information Technology | Engage. Envision. Enable.
The University of British Columbia
trevor.fong(a)ubc.ca | 1-604-827-5247 | it.ubc.ca
5 years, 10 months
PBKDF2_SHA256 not available as Password Storage Scheme
by murmansk@hotmail.com
I'm trying to change our Password Storage Scheme to PBKDF2_SHA256 using the 389 Console, but the scheme is not present in the list.
When using ldapsearch in "cn=Password Storage Schemes,cn=plugins,cn=config" this is the result:
dn: cn=Password Storage Schemes,cn=plugins,cn=config
dn: cn=AES,cn=Password Storage Schemes,cn=plugins,cn=config
dn: cn=CLEAR,cn=Password Storage Schemes,cn=plugins,cn=config
dn: cn=CRYPT,cn=Password Storage Schemes,cn=plugins,cn=config
dn: cn=DES,cn=Password Storage Schemes,cn=plugins,cn=config
dn: cn=MD5,cn=Password Storage Schemes,cn=plugins,cn=config
dn: cn=NS-MTA-MD5,cn=Password Storage Schemes,cn=plugins,cn=config
dn: cn=SHA,cn=Password Storage Schemes,cn=plugins,cn=config
dn: cn=SHA256,cn=Password Storage Schemes,cn=plugins,cn=config
dn: cn=SHA384,cn=Password Storage Schemes,cn=plugins,cn=config
dn: cn=SHA512,cn=Password Storage Schemes,cn=plugins,cn=config
dn: cn=SMD5,cn=Password Storage Schemes,cn=plugins,cn=config
dn: cn=SSHA,cn=Password Storage Schemes,cn=plugins,cn=config
dn: cn=SSHA256,cn=Password Storage Schemes,cn=plugins,cn=config
dn: cn=SSHA384,cn=Password Storage Schemes,cn=plugins,cn=config
dn: cn=SSHA512,cn=Password Storage Schemes,cn=plugins,cn=config
These are the versions of the packages that I have installed:
# yum list installed | grep 389
389-admin.x86_64 1.1.46-1.el7 @epel
389-admin-console.noarch 1.1.12-1.el7 @epel
389-adminutil.x86_64 1.1.21-2.el7 @epel
389-ds-base.x86_64 1.3.7.5-19.el7_5 @rhel_server7
389-ds-base-libs.x86_64 1.3.7.5-19.el7_5 @rhel_server7
389-ds-base-snmp.x86_64 1.3.7.5-19.el7_5 @rhel_server7
389-ds-console.noarch 1.2.16-1.el7 @epel
Do I have to do something to enable/install the PBKDF2_SHA256 password storage scheme?
5 years, 10 months
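PBKDF2_SHA256, unlike the SHA and SSHA schemes in the list above, applies a per-user salt and a configurable iteration count, so an offline guess costs an attacker the same number of HMAC rounds it costs the server, and two users with the same password get different stored values. The Python below is an added example, not from this thread and not 389 DS code: it hashes and verifies a password with PBKDF2-HMAC-SHA256 from the standard library beside the unsalted {SHA256} form, classifies a stored value by its scheme prefix, and measures locally how much one PBKDF2 guess costs relative to one bare SHA-256. The iterations$salt$hash text layout is this example's own and is not the byte format 389 DS stores.

```python
"""Salted, iterated password hashing with PBKDF2-HMAC-SHA256 next to the unsalted SHA
scheme it replaces. Constructed example: the {PBKDF2_SHA256}iterations$salt$hash text
layout is this example's own and is not the byte layout 389 DS stores."""
import base64
import hashlib
import hmac
import os
import time
from typing import Optional

DEFAULT_ITERATIONS = 100_000
SALT_BYTES = 16
# Schemes from the server's list above that store an unsalted or reversible value.
UNSALTED_OR_REVERSIBLE = {"CLEAR", "AES", "DES", "MD5", "NS-MTA-MD5",
                          "SHA", "SHA256", "SHA384", "SHA512"}


def scheme_of(stored: str) -> str:
    """'{SSHA256}abc...' -> 'SSHA256'; raises on values without a scheme prefix."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("no {SCHEME} prefix")
    return stored[1:stored.index("}")].upper()


def hash_pbkdf2_sha256(password: str, iterations: int = DEFAULT_ITERATIONS,
                       salt: Optional[bytes] = None) -> str:
    """Fresh random salt per call unless one is supplied (only for known-answer tests)."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "{PBKDF2_SHA256}%d$%s$%s" % (iterations, base64.b64encode(salt).decode(),
                                         base64.b64encode(digest).decode())


def verify_pbkdf2_sha256(stored: str, password: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    if scheme_of(stored) != "PBKDF2_SHA256":
        return False
    iterations, salt_b64, digest_b64 = stored[len("{PBKDF2_SHA256}"):].split("$")
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    int(iterations), dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def hash_unsalted_sha256(password: str) -> str:
    """The {SHA256} scheme from the list: the same password always yields the same value."""
    return "{SHA256}" + base64.b64encode(hashlib.sha256(password.encode("utf-8")).digest()).decode()


def needs_upgrade(stored: str) -> bool:
    """True for a value stored under a scheme with no per-user salt or a reversible one."""
    return scheme_of(stored) in UNSALTED_OR_REVERSIBLE


def relative_cost(iterations: int = DEFAULT_ITERATIONS, sha_calls: int = 2000) -> float:
    """Rough local measurement: one PBKDF2 guess costs this many bare SHA-256 guesses."""
    t0 = time.perf_counter()
    for _ in range(sha_calls):
        hashlib.sha256(b"guess").digest()
    sha_each = (time.perf_counter() - t0) / sha_calls
    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"guess", b"0123456789abcdef", iterations, dklen=32)
    return (time.perf_counter() - t0) / sha_each


if __name__ == "__main__":
    stored = hash_pbkdf2_sha256("correct horse battery staple")
    print(stored)
    print("verify right:", verify_pbkdf2_sha256(stored, "correct horse battery staple"))
    print("verify wrong:", verify_pbkdf2_sha256(stored, "Tr0ub4dor&3"))
    print("same password, same value? ", hash_unsalted_sha256("x") == hash_unsalted_sha256("x"))
    print("needs upgrade {SHA}:", needs_upgrade("{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g="))
    print("one PBKDF2 guess ~ %.0f SHA-256 guesses" % relative_cost())
```

The iteration count is stored with the hash, so it can be raised later for new passwords while old values still verify; the constant-time compare matters because a byte-by-byte comparison of digests leaks how many leading bytes matched.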
Yum update disabled ability for users to update password
by Janet Houser
Hi,
I don't post often so it seems I attached this to an old thread. Sorry
folks.
I'm using ds-389 (Version 1.3.4.0; Build number 2015.343.1254) on a
CentOS 7 Server (release 7.4.1708). A week ago I performed a "yum
update" on my system
and now I'm finding that I can't update (or set) user passwords using
the "passwd" or "ldappasswd" commands when the "Password Syntax" (i.e.
Check password syntax)
policies are enabled.
I can authenticate fine to a server which is slaved into the ds-389
server, but issuing the command "passwd" gives the following error:
--$ passwd
Changing password for user jdow.
(current) LDAP Password:
New password:
Retype new password:
password change failed: Constraint violation
passwd: Authentication token manipulation error
Likewise, I used to be able to run the following command to update a
user's password from a server:
ldappasswd -h themaster -p 389 -ZZ -D "cn=Directory Manager" -w AdminsPassword -s 'UserPassword' "uid=jdoe,ou=People,dc=mydomain,dc=edu"
This command now fails with the error:
Result: Constraint violation (19)
Additional info: Failed to update password
I had a password policy enabled on my domain subtree but I removed it.
I then went under "Configuration --> Data" and tried to configure a global
password policy instead. Each result in the same errors shown above
whenever I try to enable "Check password syntax".
There's not a great deal of info in /var/log/dirsrv, but in the access
file I see the following when I run the ldappasswd command:
[14/May/2018:10:37:03.173038139 -0600] conn=104 fd=110 slot=110 connection from 172.18.194.60 to 172.18.194.4
[14/May/2018:10:37:03.173283856 -0600] conn=104 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="start_tls_plugin"
[14/May/2018:10:37:03.173454544 -0600] conn=104 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[14/May/2018:10:37:03.267493753 -0600] conn=104 TLS1.2 256-bit AES
[14/May/2018:10:37:03.267938436 -0600] conn=104 op=1 BIND dn="cn=Directory Manager" method=128 version=3
[14/May/2018:10:37:03.268224050 -0600] conn=104 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[14/May/2018:10:37:03.268672168 -0600] conn=104 op=2 EXT oid="1.3.6.1.4.1.4203.1.11.1" name="passwd_modify_plugin"
[14/May/2018:10:37:03.269346086 -0600] conn=104 op=2 RESULT err=19 tag=120 nentries=0 etime=0
[14/May/2018:10:37:03.269832211 -0600] conn=104 op=3 UNBIND
[14/May/2018:10:37:03.269850488 -0600] conn=104 op=3 fd=110 closed - U1
Which looks like it must be failing when the passwd_modify_plugin is run.
I noticed in /etc/dirsrv/slapd-myserver that there were new schema ldif
files added during the yum update and I'm wondering if one is stepping
on my password
policy.
I'm going to try to remove them from the directory (and store them
elsewhere) to see if the issue disappears, but I'd rather not use a
hammer to fix a problem.
(update: Removing the new .ldif files made no difference in the behavior)
I'm grateful for any suggestions.
Thanks,
5 years, 10 months
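Both the periodic ldapsearch stalls reported in "ldapsearch performance problem" above and the Constraint violation in this post are visible in the access log: every operation is written as a request line and a RESULT line that share the same conn and op numbers, and the RESULT line carries err and etime. The Python below is an added example, not from either post and not a 389 DS tool: it pairs request and RESULT lines, lists every operation with a non-zero err together with its type and target, and lists operations whose wall-clock gap between request and RESULT exceeds a threshold, measured from the timestamps rather than from the etime field (which on this server version is whole seconds). The sample log is constructed from the lines quoted above; the slow search on conn=105 is invented for the example.

```python
"""Parse 389 DS access-log lines, pair each request with its RESULT, and report
(a) operations whose RESULT carries a non-zero err and (b) operations whose
measured latency exceeds a threshold. Sample lines are constructed after the
format quoted in the post; the slow search on conn=105 is invented."""
import re
from datetime import datetime
from typing import Dict, List, Tuple

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>-?\d+))? (?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EPOCH = datetime(1970, 1, 1)


def parse_timestamp(ts: str) -> float:
    """'14/May/2018:10:37:03.269346086 -0600' -> seconds; the zone is ignored because
    every line of one log carries the same offset and only differences are used."""
    clock = ts.split(" ")[0]
    head, _, frac = clock.partition(".")
    seconds = (datetime.strptime(head, "%d/%b/%Y:%H:%M:%S") - EPOCH).total_seconds()
    return seconds + (int(frac.ljust(9, "0")[:9]) / 1e9 if frac else 0.0)


def parse_access_log(text: str) -> List[Dict]:
    """One record per line: time, conn, op (None for connection-level lines), kind, fields."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        kind = re.match(r"[A-Z]+", rest)          # BIND, SRCH, EXT, RESULT, UNBIND, ...
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
        records.append({"time": parse_timestamp(m.group("ts")), "conn": int(m.group("conn")),
                        "op": int(m.group("op")) if m.group("op") is not None else None,
                        "kind": kind.group(0) if kind else "OTHER", "fields": fields})
    return records


def pair_operations(records: List[Dict]) -> Dict[Tuple[int, int], Dict]:
    """(conn, op) -> {"request": first request line, "result": its RESULT line}."""
    ops: Dict[Tuple[int, int], Dict] = {}
    for r in records:
        if r["op"] is None:
            continue
        slot = ops.setdefault((r["conn"], r["op"]), {"request": None, "result": None})
        if r["kind"] == "RESULT":
            slot["result"] = r
        elif slot["request"] is None and r["kind"] != "OTHER":
            slot["request"] = r
    return ops


def failed_operations(text: str) -> List[Dict]:
    """Every operation whose RESULT has err != 0, with the request type and its target."""
    out = []
    for (conn, op), slot in sorted(pair_operations(parse_access_log(text)).items()):
        req, res = slot["request"], slot["result"]
        if res is None or res["fields"].get("err", "0") == "0":
            continue
        target = req["fields"] if req else res["fields"]
        out.append({"conn": conn, "op": op, "kind": req["kind"] if req else "?",
                    "err": int(res["fields"]["err"]),
                    "name": target.get("name") or target.get("dn") or target.get("base") or ""})
    return out


def slow_operations(text: str, threshold_s: float) -> List[Dict]:
    """Operations whose request-to-RESULT gap is at least threshold_s seconds."""
    out = []
    for (conn, op), slot in sorted(pair_operations(parse_access_log(text)).items()):
        req, res = slot["request"], slot["result"]
        if req is None or res is None:
            continue
        latency = res["time"] - req["time"]
        if latency >= threshold_s:
            out.append({"conn": conn, "op": op, "kind": req["kind"], "latency": round(latency, 6),
                        "etime": float(res["fields"].get("etime", "0"))})
    return out


# Constructed sample: the conn=104 lines follow the post above; conn=105 is invented.
SAMPLE_LOG = """\
[14/May/2018:10:37:03.173038139 -0600] conn=104 fd=110 slot=110 connection from 172.18.194.60 to 172.18.194.4
[14/May/2018:10:37:03.173283856 -0600] conn=104 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="start_tls_plugin"
[14/May/2018:10:37:03.173454544 -0600] conn=104 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[14/May/2018:10:37:03.267493753 -0600] conn=104 TLS1.2 256-bit AES
[14/May/2018:10:37:03.267938436 -0600] conn=104 op=1 BIND dn="cn=Directory Manager" method=128 version=3
[14/May/2018:10:37:03.268224050 -0600] conn=104 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[14/May/2018:10:37:03.268672168 -0600] conn=104 op=2 EXT oid="1.3.6.1.4.1.4203.1.11.1" name="passwd_modify_plugin"
[14/May/2018:10:37:03.269346086 -0600] conn=104 op=2 RESULT err=19 tag=120 nentries=0 etime=0
[14/May/2018:10:37:03.269832211 -0600] conn=104 op=3 UNBIND
[14/May/2018:10:37:03.269850488 -0600] conn=104 op=3 fd=110 closed - U1
[14/May/2018:10:37:10.000000000 -0600] conn=105 op=0 BIND dn="" method=128 version=3
[14/May/2018:10:37:10.000512000 -0600] conn=105 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[14/May/2018:10:37:10.001000000 -0600] conn=105 op=1 SRCH base="ou=People,dc=mydomain,dc=edu" scope=2 filter="(uid=jdoe)" attrs=ALL
[14/May/2018:10:37:12.101000000 -0600] conn=105 op=1 RESULT err=0 tag=101 nentries=1 etime=2
"""

if __name__ == "__main__":
    for f in failed_operations(SAMPLE_LOG):
        print("failed:", f)
    for s in slow_operations(SAMPLE_LOG, 1.0):
        print("slow:  ", s)
```

Feeding a whole day's access log through `slow_operations` and grouping the hits by timestamp shows whether the stalls line up with a periodic event such as a replication session or checkpoint; `failed_operations` gives the same view for errors, with err=19 (constraintViolation) on the passwd_modify_plugin extended operation being the case in this post.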