Problem browsing LDAP with Outlook
by Chris Bryant
When configuring Microsoft Outlook (not Outlook Express) to access an LDAP directory, there is an option to 'Enable Browsing (requires server support)'. If this option is chosen and the directory server supports it, then you should be able to open the LDAP address book and page up and down through the results. I have been unable to get this working properly with 389 DS.
When I try to browse from Outlook against the 389 DS directory, I am able to see the first page of results perfectly. However, if I move to the next page, only the first object returned will have any attributes included, and all of the rest of the objects in the page will have no attributes. I have a test perl script that duplicates this functionality as well.
I can get this to work properly with an older version of Netscape Directory Server, and I can get it working with OpenDS. Since 389 DS advertises support for the controls that are required for this to work, just like the other two servers, then I would expect it to work there also.
Has anyone out there gotten this to work with 389 DS? If so, can you share if there was anything special that you needed to do to get this to work? I'm trying to determine if this is a bug in the server, or if I'm just missing something in the configuration.
Thanks,
Chris
USA.NET
3 years, 8 months
MemberOf group restrictions to a client system (server and client running CentOS 7)
by Janet Houser
Hi,
I'm new to 389-ds and last week downloaded and installed the software.
I have a running instance of the server, and I've added TLS/SSL. I've configured a CentOS 7 client to be able to query
the server using TLS/SSL, and all appears working.
I've created users and groups on the 389-ds server successfully. For each user and group, I've enabled posix attributes and my client
can see the unix users and groups using the "getent password" or "getent group" commands.
Now, here's where I'm getting tripped up...
I need to limit which users have access to which systems. I've been trying to do this via memberOf group limitations.
I found the following online resource (https://thornelabs.net/2013/01/28/aix-restrict-server-login-via-ldap-grou...)
which is close enough to CentOS that the initial commands worked.
I enabled the MemberOf plugin and changed the attributes per the link, and restarted the system.
I created a test group (that I didn't enable a posix GID) and tried to add a single user via:
Right click on group --> click Properties --> then Members --> click Add --> Search for user --> click Add.
When I try to go this route (which worked before enabling the memberOf plugin) it worked. Now it seems I get the error:
"Cannot save to directory server.
netscape.ldap.LDAPException: error result(65): Object class violation"
And the errors file (/var/log/dirsrv/slapd-<instancename>/errors) shows:
"Entry "uid=test,ou=People,dc=int,dc=com" -- attribute "memberOf" not allowed
[17/Feb/2016:11:22:58 -0700] memberof-plugin - memberof_postop_modify: failed to add dn (cn=testgroup,ou=Groups,dc=int,dc=com) to target. Error (65)"
So it seems my server isn't quite using the memberOf plugin properly, but I'm not sure what else to enable. I'll have to solve this issue before
I even try to filter login access via groups on my client system.
I should mention that if I go under the advanced tab for one of the groups I created, I can add the attribute "uniquemember", but I'm not sure what I
should set the "value" to be.
I've tried creating new users to see if I could set their "uniquemember" attributes, but no luck. It seems that I don't have the ability to set this attribute
on individual users, only groups.
This might not be the right road to head down when trying to restrict access to servers via groups, so I'm open to any suggestions.
Any suggestions would be appreciated.
3 years, 9 months
Re: FIPS 140-2 and dirsrv-admin
by William Brown
If memory serves correctly ... there are some unresolved issues between dirsrv-admin + fips. I remember discussing this with Mark as something that may fall into the "fix when someone runs into it" because that combination we thought would be rare.
But I'm not sure that this issue here is a fips one? I've seen another issue lately where the dirsrv-admin used a different pin.txt to the dirsrv instances, but I'm not sure of the details.
Are these fresh installs of ds? Or upgrades?
> On 28 Aug 2019, at 05:51, Paul Whitney <paul.whitney(a)chesapeake-it.com> wrote:
>
> Hi guys,
>
> I have SSL enabled both slapd instances and dirsrv-admin on FIPS enabled CentOS 7. The instances seem to start up no problem. However, the admin console (dirsrv-admin) is complaining the password credentials are not valid for the NSS FIPS 140-2 DB even though the exact same credentials are presented to the SLAPD instances. I am using a pin.txt file in the correct format for both SLAPD and DIRSRV-ADMIN.
>
> Are there compatibility issues with FIPS and 389-DS admin-serv?
>
> Paul M. Whitney
> _______________________________________________
> 389-users mailing list -- 389-users(a)lists.fedoraproject.org
—
Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server
SUSE Labs
4 years, 7 months
BIND (DNS)
by Fernando Fuentes
Is there a plugin or a default schema for BIND (named) on Fedora389? Or
do I have to import the included schema with bind9?
Thanks!
Regards,
-
4 years, 8 months
Windows Sync Agreement issue
by DaV
Hi all,
I'm using a new 389 directory server on CentOS 7.6 with 389-ds-base.x86_64 (1.3.8.4-15.el7), and I want to sync user and password from Windows 2016 to 389ds one way.
The Synchronization Agreement looks like this:
DS Host: 389ds:389
Windows Host: dc01.example.com:389
DS Subtree: ou=Users,dc=example,dc=com
Windows Subtree: OU=Accounts, DC=example,DC=com
Replicated subtree: dc=example,dc=com
Here is my question:
The sync agreement can only sync top-level OU=Accounts, DC=example, DC=com from Win2016 to 389ds server.
In fact, I have
ou=ou1,ou=accounts,dc=example,dc=com
ou=ou2,ou=accounts,dc=example,dc=com
on Win2016 server.
I want the sync agreement to sync not only the top-level OU but also the child OUs.
This is the error log for your reference. Thanks!
> [20/Aug/2019:07:58:40.307031692 +0800] - ERR - NSMMReplicationPlugin - windows sync - windows_tot_run - Beginning total update of replica "agmt="cn=389ds" (tc-dc-2:389)".
> [20/Aug/2019:07:58:40.309113230 +0800] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
> [20/Aug/2019:08:34:21.730939271 +0800] - WARN - NSMMReplicationPlugin - windows sync - windows_inc_run - agmt="cn=389ds" (tc-dc-2:389): Replica has no update vector. It has never been initialized.
> [20/Aug/2019:08:34:21.733526550 +0800] - WARN - NSMMReplicationPlugin - windows sync - windows_inc_run - agmt="cn=389ds" (tc-dc-2:389): Replica has no update vector. It has never been initialized.
> [20/Aug/2019:08:34:24.735819391 +0800] - WARN - NSMMReplicationPlugin - windows sync - windows_inc_run - agmt="cn=389ds" (tc-dc-2:389): Replica has no update vector. It has never been initialized.
> [20/Aug/2019:08:34:27.738228528 +0800] - WARN - NSMMReplicationPlugin - windows sync - windows_inc_run - agmt="cn=389ds" (tc-dc-2:389): Replica has no update vector. It has never been initialized.
> [20/Aug/2019:08:34:30.873896680 +0800] - ERR - NSMMReplicationPlugin - windows sync - windows_tot_run - Beginning total update of replica "agmt="cn=389ds" (tc-dc-2:389)".
> [20/Aug/2019:08:34:33.170822223 +0800] - ERR - NSMMReplicationPlugin - windows sync - windows_tot_run - Finished total update of replica "agmt="cn=389ds" (tc-dc-2:389)". Sent 5 entries.
> [20/Aug/2019:08:34:33.186359842 +0800] - ERR - NSMMReplicationPlugin - windows sync - bind_and_check_pwp - agmt="cn=389ds" (tc-dc-2:389): Replication bind with SIMPLE auth resumed
> [20/Aug/2019:08:47:30.032935119 +0800] - ERR - NSMMReplicationPlugin - windows sync - windows_tot_run - Beginning total update of replica "agmt="cn=389ds" (tc-dc-2:389)".
> [20/Aug/2019:08:47:31.035850854 +0800] - ERR - NSMMReplicationPlugin - windows sync - windows_tot_run - Finished total update of replica "agmt="cn=389ds" (tc-dc-2:389)". Sent 5 entries.
> [20/Aug/2019:08:47:31.051614890 +0800] - ERR - NSMMReplicationPlugin - windows sync - bind_and_check_pwp - agmt="cn=389ds" (tc-dc-2:389): Replication bind with SIMPLE auth resumed
> [20/Aug/2019:08:50:59.533268105 +0800] - WARN - NSMMReplicationPlugin - prot_stop - Incremental protocol for replica "agmt="cn=389ds" (tc-dc-2:389)" did not shut down properly.
> [20/Aug/2019:09:01:00.155477769 +0800] - WARN - NSMMReplicationPlugin - prot_stop - Total protocol for replica "agmt="cn=389ds" (tc-dc-2:389)" did not shut down properly.
Sincerely,
--
DaV
4 years, 8 months
Blog series about 389 DS + thanks
by Nicolas Kovacs
Hi,
Over the last couple of weeks, I've experimented quite a lot with 389
Directory Server. I've had good help on this list, so I wanted to thank
you guys.
I've started to write a series of blog articles about 389 DS, and I've
added two honorable mentions for Marc Muehlfeld and William Brown, who
have provided precious information.
https://www.microlinux.fr/389-ds-centos-7/
Cheers from the sunny South of France,
Niki Kovacs
--
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Mail : info(a)microlinux.fr
Tél. : 04 66 63 10 32
Mob. : 06 51 80 12 12
4 years, 8 months
FIPS 140-2 and dirsrv-admin
by Paul Whitney
Hi guys,
I have SSL enabled both slapd instances and dirsrv-admin on FIPS enabled CentOS 7. The instances seem to start up no problem. However, the admin console (dirsrv-admin) is complaining the password credentials are not valid for the NSS FIPS 140-2 DB even though the exact same credentials are presented to the SLAPD instances. I am using a pin.txt file in the correct format for both SLAPD and DIRSRV-ADMIN.
Are there compatibility issues with FIPS and 389-DS admin-serv?
Paul M. Whitney
4 years, 8 months
LDAP password error
by Fernando Fuentes
Hello All,
I am using a web ui to add and delete users. When I reset or try to add
a password I get:
LDAP error, server says: Constraint violation - invalid password syntax
- passwords with storage scheme are not allowed
What do I need to turn on to be able to use the web ui to edit passwords?
Thanks again!
(Using LAM web ui)
Regards.
4 years, 8 months
Set up a Linux client for authentication against 389 DS + TLS
by Nicolas Kovacs
Hi,
So I finally managed to get a 389 Directory Server up and running on a
spare CentOS 7 server. I can open the console even on a remote desktop
(using ssh -X), connect to my LDAP database, create a handful of users,
and I even managed to set up TLS.
The next step is getting a Linux client to authenticate using the
credentials stored on my servers.
Normally I'm running OpenSUSE Leap 15.1 KDE on all my desktop clients,
but for the sake of experimenting, information about any distribution is
welcome.
So far I've been using a bone-headed NIS/NFS setup, which I intend to
replace with 389 DS and secure connections.
I tried to connect my OpenSUSE clients to my 389 DS where I had the odd
fleeting success and many failures. You know that feeling when you spent
a whole weekend on a configuration and things still don't work?
I'd like to get a firm grasp on how to connect my Linux clients to the
389 DS. So ideally I'd be glad to find some detailed documentation about
that. Even if it's based on a different distribution.
Cheers,
Niki
--
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Mail : info(a)microlinux.fr
Tél. : 04 66 63 10 32
Mob. : 06 51 80 12 12
4 years, 8 months