I'm trying to setup a replication with a certificate based authentication between supplier and consumer. The certificates in the certdb at /etc/dirsrv/slapd-XXX contain the very same CA with which the respective server certificates in the certdbs have been signed. The certificates all have the 'u' flag, and the CA has the C and T flag.
The replication (on the supplier) has been setup such that TLS and certificate based authentication is used, see extract from the replication agreement object:
Trying to initialize the consumer raises this error in the error-log of the supplier (the host sending the starttls connection request):
Replication bind with EXTERNAL auth failed: LDAP error 48 (Inappropriate authentication) (missing client certificate)
The certificate that the server should have sent can, however, be used with the ldap commandline tools as ldapsearch. In this case a wireshark trace clearly shows that the client sends the certificate during the TLS handshake, while in the above case it doesn't.
The TLS handshake defines that the client has to send an "empty certificate" if it does not have a certificate that has been issued by a CA offered by the server during the handshake. I can't see a reason for the client to think the condition isn't met. The certificate with which the server (supplier) is setup is the only one available.
Is it possible that the server does not know which certificate it has to use for authentication with the consumer server? And if so, how do I make the server know?
The 389-ds in use is the version 188.8.131.52~git0.5ac5a8aad. The problem was the same with 184.108.40.206.
We have a long standing 389ds master LDAP server that was found to be unable to contact it’s slaves. Most specifically, the slaves show nothing in their logs about any kind of connection, while the master is logging this:
[12/Nov/2019:21:39:47.212715697 +0000] - ERR - slapi_ldap_bind - Could not send bind request for id [(anon)] authentication mechanism [EXTERNAL]: error -1 (Can't contact LDAP server), system error 0 (no error), network error 0 (Unknown error, host “ldap01:636”)
Key is "system error 0 (no error)”, which leaves us stumped. The error is obviously “success”.
Has anyone seen this kind of thing before?
This is 389ds running on CentOS7 as follows:
When configuring Microsoft Outlook (not Outlook Express) to access an LDAP directory, there is an option to 'Enable Browsing (requires server support)'. If this option is chosen and the directory server supports it, then you should be able to open the LDAP address book and page up and down through the results. I have been unable to get this working properly with 389 DS.
When I try to browse from Outlook against the 389 DS directory, I am able to see the first page of results perfectly. However, if I move to the next page, only the first object returned will have any attributes included, and all of the rest of the objects in the page will have no attributes. I have a test perl script that duplicates this functionality as well.
I can get this to work properly with an older version of Netscape Directory Server, and I can get it working with OpenDS. Since 389 DS advertises support for the controls that are required for this to work, just like the other two servers, then I would expect it to work there also.
Has anyone out there gotten this to work with 389 DS? If so, can you share if there was anything special that you needed to do to get this to work? I'm trying to determine if this is a bug in the server, or if I'm just missing something in the configuration.
You Run Your Business. We'll Run Your Email.
This message is for the sole use of the intended recipient(s) and may contain confidential and/or privileged information of USA.NET, Inc. Any unauthorized review, use, copying, disclosure, or distribution is prohibited. If you are not the intended recipient, please immediately contact the sender by reply email and delete all copies of the original message.
I'm new to 389-ds and last week downloaded and installed the software.
I have a running instance of the server, and I've added TLS/SSL. I've configured a CentOS 7 client to be able to query
the server using TLS/SSL, and all appears working.
I've created users and groups on the 389-ds server successfully. For each user and group, I've enabled posix attributes and my client
can see the unix users and groups using the "getent password" or "getent group" commands.
Now, here's where I'm getting tripped up..........
I need to limit which users have access to which systems. I've been trying to do this via memberOf group limitations.
I found the following online resource (https://thornelabs.net/2013/01/28/aix-restrict-server-login-via-ldap-grou...)
which is close enough to CentOS that the initial commands worked.
I enabled the MemberOf plugin and changed the attributes per the link, and restarted the system.
I created a test group (that I didn't enable a posix GID) and tried to add a single user via:
Right click on group -- > click Properties --> then Members --> click Add --> Search for user --> click Add.
When I try to go this route (which worked before enabling the memberOf plugin) it worked. Now it seems I get the error:
"Cannot save to directory server.
netscape.ldap.LDAPException: error resiult(65): Object class violation"
And the messages file throws the error (/var/log/dirsrv/slapd-<instancename>/errors:
"Entry "uid=test,ou=People,dc=int,dc=com" -- attribute "memberOf" not allowed
[17/Feb/2016:11:22:58 -0700] memberof-plugin - memberof_postop_modify: failed to add dn (cn=testgroup,ou=Groups,dc=int,dc=com) to target. Error (65)"
So it seems my server isn't quite using the memberOf plugin properly, but I'm not sure what else to enable. I'll have to solve this issue before
I even try to filter login access via groups on my client system.
I should mention that if I go under the advanced tab for one of the groups I created, I can add the the attribute "uniquemember", but I'm not sure what I
should set the "value" to be.
I've tried creating new users to see if I could set their "uniquemember" attributes, but no luck. It seems that I don't have the ability to set this attribute
on individual users, only groups.
This might not be the right road to head down when trying to restrict access to servers via groups, so I'm open to any suggestions.
Any suggestions would be appreciated.
First off, apologies for double posting to here and ipa mailing list, but we are getting a bit uneasy, and also the issue seems to come from the code in 389-ds directly, so this seems more appropriate.
We are using ipa-server ipa-server-4.6.5-11.el7.centos.3.x86_64 with 389-ds-base-220.127.116.11-10.el7.x86_64 on CentOS 7.7.
Since couple days some of our replicas are coming with "csngen_new_csn - Sequence rollover; local offset updated." messages in the slapd erorr logs.
We use the python "ipa_check_consistency" and replication seems to be fine.
We checked all replicas, and they are all in time sync with ntp (updated) with no visible offset.
is this anything to worry about, and how can we make those messages to stop appearing?
We're running a cluster of VM's running 389-Directory/18.104.22.168 B2019.164.1418 on RHEL7.7.
Some are providers, which replicate to a bunch of hubs (which provide authentication services), which replicate in turn to a bunch of consumers (which provide support for longer running queries).
Of late, we've a few clients have noted timed out connections.
When we look in our logs we see things like:
[23/Dec/2019:00:21:50.760643645 -0800] conn=7827580 fd=469 slot=469 SSL connection from <their IP> to <our IP>
[23/Dec/2019:00:21:50.764149645 -0800] conn=7827580 TLS1.2 256-bit AES-GCM
<no other transactions on conn=7827580, until the client times out the connection>
[23/Dec/2019:00:22:05.763868515 -0800] conn=7827580 op=-1 fd=469 closed - Encountered end of file.
Others connections are made and operate just fine between the opening and closing of the timed-out connection.
Would anyone know what this could be/what we could check?
OK, the install and initial configuration went perfectly and based on
the ldapsearch command all looks good.
But, now what? How do I get information about my environment into the
server? Once I get the data into the server, how do I use it on my clients?
I compiled my 389 with selinux enabled (--with-selinux):
configure:21564: checking for --with-selinux
configure:21575: result: yes
but If I ran dscreate interactive, shows me:
selinux is disabled, will not relabel ports or files.
The selinux is enabled on the system
# ns-slapd -v
What am I missing? Could not found any related doc at 389 or rhds pages.
I'm trying to config and enable uniqueness attribute plugin:
~# dsconf RNP plugin attr-uniq add "uid-test" --attr-name uid
Successfully created the cn=uid-test,cn=plugins,cn=config
if I try to enable it:
~# dsconf RNP plugin attr-uniq enable uid-test
Error: 'Namespace' object has no attribute 'plugin_cls'
Researching on google seems to be a python3 argparse bug (
https://bugs.python.org/issue16308), but I'm not sure.
My python version:
The workaround was use the "enable" option:
~# dsconf plugin attr-uniq add "uid-test" --enabled on --attr-name uid
~# dsconf RNP plugin attr-uniq show uid-test
nsslapd-pluginDescription: Enforce unique attribute values
nsslapd-pluginVendor: 389 Project
But the problem seems to be in other dsconf functions too and is really
Should I file a ticket?
In the old 389-console was possible to manage remote instances
(installations in different machines) and what about in new UI? Should I
install a cockpit plugin to each 389 machine in my environment?
Any docs about it?