A plugin to record modification timestamp and modifiers DN for specific attribute
by Jan Tomasek
Hello,
I have one historical plug-in (from the times of SunOne Directory); it was
ported in the past to version 1.2 of 389 DS. But it fails to work with 1.4.
It is a bit more complicated than the one I was seeking help with before, but
maybe it is possible to replace it with some standard plug-in. However,
I didn't find any suitable one. :(
We are using an attribute named entryStatus with several possible values
such as prepared, active, marked and dead; those are used to keep the status
of a user entry.
I need to keep track of when and by whom the entryStatus attribute was
modified. For that information, we have two attributes,
entryStatusTimestamp and entryStatusModifier. And every time
entryStatus is changed, our plugin automatically changes those two
attributes.
Is there any standard, or maybe contributed, plugin with which I can
achieve this?
Thanks
--
-----------------------
Jan Tomasek aka Semik
http://www.tomasek.cz/
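The stamping logic such a plugin performs, written out as an added stand-alone Python model (this is not Jan's plugin and not a 389 DS plugin; a real one would apply the same transformation from a pre-modify hook through the SLAPI API). The attribute names entryStatus, entryStatusTimestamp and entryStatusModifier come from the post; the modlist tuple shape, the sample DN and the fixed timestamp are assumptions.

```python
"""Model of the pre-modify step that stamps entryStatus changes.

Added illustration only: no slapi calls, so it runs stand-alone.
"""
from datetime import datetime, timezone

TRACKED_ATTR = "entryStatus"
TIMESTAMP_ATTR = "entryStatusTimestamp"
MODIFIER_ATTR = "entryStatusModifier"

# LDAP modify operation types as numbered in RFC 4511.
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2

# Constructed fixed "now" so the behaviour is reproducible.
SAMPLE_NOW = datetime(2020, 9, 17, 15, 21, 7, tzinfo=timezone.utc)


def generalized_time(when: datetime) -> str:
    """Format a datetime as LDAP GeneralizedTime in UTC, e.g. 20200917152107Z."""
    return when.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def track_entry_status(mods, bind_dn, now=None):
    """Return the modlist with the two tracking attributes appended.

    mods    -- list of (op, attr, values) as a client's MODIFY would carry
    bind_dn -- DN of the user performing the modify (the future modifier value)
    now     -- datetime to stamp; defaults to the current UTC time

    Only a change to entryStatus (add, delete or replace) triggers stamping.
    Client-supplied values for the two tracking attributes are discarded so
    a caller cannot forge who changed the status or when.
    """
    touches_status = any(attr.lower() == TRACKED_ATTR.lower() for _, attr, _ in mods)
    if not touches_status:
        return list(mods)
    audit_attrs = (TIMESTAMP_ATTR.lower(), MODIFIER_ATTR.lower())
    kept = [m for m in mods if m[1].lower() not in audit_attrs]
    stamp = generalized_time(now or datetime.now(timezone.utc))
    kept.append((MOD_REPLACE, TIMESTAMP_ATTR, [stamp]))
    kept.append((MOD_REPLACE, MODIFIER_ATTR, [bind_dn]))
    return kept
```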
How do I connect to 389-server via ldapsearch?
by rainer@ultra-secure.de
Hi,
I've installed the latest version on CentOS 8
https://directory.fedoraproject.org/docs/389ds/howto/quickstart.html
[root@radius-389-test ~]# rpm -qa |grep 389 |sort
389-ds-base-1.4.2.16-1.module_el8+9435+e6daf39f.x86_64
389-ds-base-libs-1.4.2.16-1.module_el8+9435+e6daf39f.x86_64
cockpit-389-ds-1.4.2.16-1.module_el8+9435+e6daf39f.noarch
python3-lib389-1.4.2.16-1.module_el8+9435+e6daf39f.noarch
I can connect via dsidm:
[root@radius-389-test ~]# dsidm radius-389-test user list
demo_user
[root@radius-389-test ~]# dsidm radius-389-test user get demo_user
dn: uid=demo_user,ou=people,dc=radius,dc=example,dc=org
cn: Demo User
displayName: Demo User
gidNumber: 99998
homeDirectory: /var/empty
legalName: Demo User Name
loginShell: /bin/false
objectClass: top
objectClass: nsPerson
objectClass: nsAccount
objectClass: nsOrgPerson
objectClass: posixAccount
uid: demo_user
uidNumber: 99998
However, I can't seem to connect to the server via ldapsearch or with
Apache Directory Studio.
[root@radius-389-test ~]# ldapsearch -v -H
"ldapi://%%2fvar%%2frun%%2fslapd-radius-389-test.socket" -b
"ou=people,dc=radius,example,dc=org" -D "cn=Directory Manager" -x -W
uid=demo_user
ldap_initialize( ldapi:///??base )
Enter LDAP Password:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
[root@radius-389-test ~]# ldapsearch -v -H "ldap://127.0.0.1" -b
"ou=people,dc=radius,example,dc=org" -D "cn=Directory Manager" -x -W
uid=demo_user
ldap_initialize( ldap://127.0.0.1:389/??base )
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
additional info: Invalid credentials
This is the inf-file:
[general]
full_machine_name = radius-389-test.example.org
[slapd]
instance_name = radius-389-test
root_password = random
[backend-userroot]
create_suffix_entry = True
sample_entries = yes
suffix = dc=radius,dc=example,dc=org
What am I doing wrong?
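Two of the ldapsearch arguments above are easy to get wrong: the ldapi:// URL, whose socket path must have each slash percent-encoded exactly once, and the base DN, where every component needs an attribute type. The following added Python checker (not part of the post or of 389 DS; the socket path and DNs used are assumptions taken from the post) builds a correct ldapi URL and lints a DN before the search is run.

```python
"""Lint the ldapi URL and base DN of an ldapsearch invocation.

Added illustration; it does not contact any server.
"""
import re
from urllib.parse import quote

# Attribute type in an RDN: a descriptor name or a numeric OID (RFC 4514).
_ATTR_TYPE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*|[0-9]+(\.[0-9]+)*)$")


def ldapi_url(socket_path: str) -> str:
    """Build an ldapi URL with every '/' of the path encoded once as %2F.

    Typing '%%2f' on a shell command line keeps both percent signs, so the
    client looks for a path that does not exist and reports
    'Can't contact LDAP server'.
    """
    return "ldapi://" + quote(socket_path, safe="")


def check_dn(dn: str) -> list:
    """Return the problems found in a DN; an empty list means well formed.

    Splits only on unescaped commas, so 'cn=Doe\\, John' stays one RDN.
    """
    problems = []
    for rdn in re.split(r"(?<!\\),", dn):
        rdn = rdn.strip()
        if not rdn:
            problems.append("empty RDN")
            continue
        for ava in re.split(r"(?<!\\)\+", rdn):  # parts of a multi-valued RDN
            if "=" not in ava:
                problems.append(f"'{ava}' has no attribute type (missing 'xx=')")
                continue
            attr, value = ava.split("=", 1)
            if not _ATTR_TYPE.match(attr.strip()):
                problems.append(f"'{attr}' is not a valid attribute type")
            if value.strip() == "":
                problems.append(f"'{attr}' has an empty value")
    return problems


def lint_search(url: str, base_dn: str) -> list:
    """Combine both checks for one ldapsearch command."""
    problems = check_dn(base_dn)
    if url.startswith("ldapi://") and "%%" in url:
        problems.append("ldapi URL contains '%%': slashes are double-encoded")
    return problems
```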
LDAPS only plugin & how to disable LDAP protocol at all
by Jan Tomasek
Hello,
In the past, I created a simple plug-in for disabling authenticated binds
over non-encrypted connections, while still allowing anonymous binds over LDAP.
I did know about nsslapd-require-secure-binds, but if I recall correctly it
includes SASL-authenticated binds, which I believe protect only the user
password and not the transferred data.
I published the plug-in here:
https://github.com/CESNET/389ds-plugin-ldapsonly
but it may be obsolete today.
Today I think TLS is a must. Is it possible to disable port 389 altogether?
Or to instruct 389 DS to bind port 389 on localhost?
--
-----------------------
Jan Tomasek aka Semik
http://www.tomasek.cz/
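The cn=config attributes that decide whether cleartext LDAP is still reachable are nsslapd-port (0 disables the non-TLS listener), nsslapd-listenhost (restricts the listener to an address such as 127.0.0.1), nsslapd-minssf (a non-zero minimum security strength factor refuses operations on unprotected connections) and nsslapd-require-secure-binds. The added Python audit below (not from the post or from 389 DS) reads a small constructed dse.ldif fragment and reports the weak configuration beside the hardened one; the two fragments are assumptions, not dumps from a real server.

```python
"""Audit the cn=config listener settings of a 389 DS dse.ldif fragment.

Added illustration; both fragments below are constructed samples.
"""

# Constructed: default-like settings, cleartext listener open to the network.
WEAK_CONFIG = """\
dn: cn=config
nsslapd-port: 389
nsslapd-secureport: 636
nsslapd-security: on
nsslapd-minssf: 0
nsslapd-require-secure-binds: off
"""

# Constructed: same ports, but port 389 is bound to loopback only and
# password binds must arrive on a secure connection.
HARDENED_CONFIG = """\
dn: cn=config
nsslapd-port: 389
nsslapd-secureport: 636
nsslapd-security: on
nsslapd-listenhost: 127.0.0.1
nsslapd-minssf: 128
nsslapd-require-secure-binds: on
"""

LOOPBACK = ("127.0.0.1", "::1", "localhost")


def parse_ldif_entry(text: str) -> dict:
    """Minimal reader for one LDIF entry: lower-cased attribute -> value.
    Base64 ('::') values and continuation lines are not handled."""
    entry = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        entry[key.strip().lower()] = value.strip()
    return entry


def audit_listener(entry: dict) -> list:
    """Return findings about cleartext exposure; empty means none found."""
    findings = []
    if entry.get("nsslapd-security", "off").lower() != "on":
        findings.append("TLS disabled: nsslapd-security is not 'on'")
    port = entry.get("nsslapd-port", "389")
    host = entry.get("nsslapd-listenhost", "")  # absent = all interfaces
    minssf = int(entry.get("nsslapd-minssf", "0") or 0)
    if port != "0" and host not in LOOPBACK and minssf == 0:
        findings.append(f"cleartext LDAP reachable on {host or 'all interfaces'}:{port} with nsslapd-minssf 0")
    if entry.get("nsslapd-require-secure-binds", "off").lower() != "on":
        findings.append("password binds accepted over cleartext: nsslapd-require-secure-binds is off")
    return findings
```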
Re-initialization Failure: Bulk Import Abandoned, Thread Monitoring Returned -23
by Fong, Trevor
Hi Everyone,
I'm having an issue re-initializing our secondary multi-master replicated 389 DS provider node via 389-Console > replication agreement > "Initialize Consumer".
It eventually aborts the update with an error "import userRoot: Thread monitoring returned: -23"
Would anyone know how to fix it? Or what the issue may be? What we could try?
Thanks in advance,
Trev
We're running 389-Directory/1.3.10.1 B2020.167.146
Here's what the error log says on the node receiving the re-initialization:
[17/Sep/2020:15:21:07.489737002 -0700] - NOTICE - NSMMReplicationPlugin - multimaster_be_state_change - Replica dc=<redacted> is going offline; disabling replication
[17/Sep/2020:15:21:07.514586270 -0700] - INFO - dblayer_instance_start - Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[17/Sep/2020:15:21:27.554375232 -0700] - INFO - import_monitor_threads - import userRoot: Processed 1 entries -- average rate 0.1/sec, recent rate 0.0/sec, hit ratio 0%
[17/Sep/2020:15:21:47.593876983 -0700] - INFO - import_monitor_threads - import userRoot: Processed 1 entries -- average rate 0.0/sec, recent rate 0.0/sec, hit ratio 0%
[17/Sep/2020:15:22:07.630801176 -0700] - INFO - import_monitor_threads - import userRoot: Processed 1 entries -- average rate 0.0/sec, recent rate 0.0/sec, hit ratio 0%
[17/Sep/2020:15:22:27.667537260 -0700] - INFO - import_monitor_threads - import userRoot: Processed 1 entries -- average rate 0.0/sec, recent rate 0.0/sec, hit ratio 0%
[17/Sep/2020:15:22:47.704917493 -0700] - INFO - import_monitor_threads - import userRoot: Processed 1 entries -- average rate 0.0/sec, recent rate 0.0/sec, hit ratio 0%
[17/Sep/2020:15:23:07.746084506 -0700] - INFO - import_monitor_threads - import userRoot: Processed 1 entries -- average rate 0.0/sec, recent rate 0.0/sec, hit ratio 0%
[17/Sep/2020:15:23:27.785902082 -0700] - INFO - import_monitor_threads - import userRoot: Processed 1 entries -- average rate 0.0/sec, recent rate 0.0/sec, hit ratio 0%
[17/Sep/2020:15:23:47.830564570 -0700] - INFO - import_monitor_threads - import userRoot: Processed 1 entries -- average rate 0.0/sec, recent rate 0.0/sec, hit ratio 0%
[17/Sep/2020:15:24:07.868457613 -0700] - INFO - import_monitor_threads - import userRoot: Processed 1 entries -- average rate 0.0/sec, recent rate 0.0/sec, hit ratio 0%
[17/Sep/2020:15:24:27.907239617 -0700] - INFO - import_monitor_threads - import userRoot: Processed 1 entries -- average rate 0.0/sec, recent rate 0.0/sec, hit ratio 0%
[17/Sep/2020:15:24:47.948025735 -0700] - INFO - import_monitor_threads - import userRoot: Processed 1 entries -- average rate 0.0/sec, recent rate 0.0/sec, hit ratio 0%
[17/Sep/2020:15:25:07.986469285 -0700] - INFO - import_monitor_threads - import userRoot: Processed 1 entries -- average rate 0.0/sec, recent rate 0.0/sec, hit ratio 0%
[17/Sep/2020:15:25:28.022970040 -0700] - INFO - import_monitor_threads - import userRoot: Processed 1 entries -- average rate 0.0/sec, recent rate 0.0/sec, hit ratio 0%
[17/Sep/2020:15:25:48.055641123 -0700] - INFO - import_monitor_threads - import userRoot: Processed 1 entries -- average rate 0.0/sec, recent rate 0.0/sec, hit ratio 0%
[17/Sep/2020:15:26:08.091707793 -0700] - INFO - import_monitor_threads - import userRoot: Processed 1 entries -- average rate 0.0/sec, recent rate 0.0/sec, hit ratio 0%
[17/Sep/2020:15:26:08.093192417 -0700] - INFO - import_throw_in_towel - import userRoot: Decided to end this pass because the progress rate has dropped below the 50% threshold.
[17/Sep/2020:15:26:08.094010231 -0700] - INFO - import_monitor_threads - import userRoot: Ending pass number 1 ...
[17/Sep/2020:15:26:08.195022638 -0700] - INFO - import_monitor_threads - import userRoot: Foreman is done; waiting for workers to finish...
[17/Sep/2020:15:26:08.196221021 -0700] - INFO - import_monitor_threads - import userRoot: Workers finished; cleaning up...
[17/Sep/2020:15:26:08.397372463 -0700] - INFO - import_monitor_threads - import userRoot: Workers cleaned up.
[17/Sep/2020:15:26:08.398525016 -0700] - INFO - import_sweep_after_pass - import userRoot: Sweeping files for merging later...
[17/Sep/2020:15:26:08.409694998 -0700] - INFO - dblayer_instance_start - Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[17/Sep/2020:15:26:08.411165210 -0700] - INFO - import_sweep_after_pass - import userRoot: Sweep done.
[17/Sep/2020:15:26:08.412153776 -0700] - INFO - import_main_offline - import userRoot: Beginning pass number 2
[17/Sep/2020:15:26:28.444537073 -0700] - INFO - import_monitor_threads - import userRoot: Processed 1 entries (pass 2) -- average rate 214748364.8/sec, recent rate 0.0/sec, hit ratio 0%
[17/Sep/2020:15:26:48.487800198 -0700] - INFO - import_monitor_threads - import userRoot: Processed 1 entries (pass 2) -- average rate 107374182.4/sec, recent rate 0.0/sec, hit ratio 0%
[17/Sep/2020:15:27:08.524672179 -0700] - INFO - import_monitor_threads - import userRoot: Processed 1 entries (pass 2) -- average rate 71582788.2/sec, recent rate 0.0/sec, hit ratio 0%
[17/Sep/2020:15:27:28.560669386 -0700] - INFO - import_monitor_threads - import userRoot: Processed 1 entries (pass 2) -- average rate 53687091.2/sec, recent rate 0.0/sec, hit ratio 0%
[17/Sep/2020:15:27:48.598581175 -0700] - INFO - import_monitor_threads - import userRoot: Processed 1 entries (pass 2) -- average rate 42949673.0/sec, recent rate 0.0/sec, hit ratio 0%
[17/Sep/2020:15:28:08.637175249 -0700] - INFO - import_monitor_threads - import userRoot: Processed 1 entries (pass 2) -- average rate 35791394.1/sec, recent rate 0.0/sec, hit ratio 0%
[17/Sep/2020:15:28:28.674637440 -0700] - INFO - import_monitor_threads - import userRoot: Processed 1 entries (pass 2) -- average rate 30678337.8/sec, recent rate 0.0/sec, hit ratio 0%
[17/Sep/2020:15:28:48.713863865 -0700] - INFO - import_monitor_threads - import userRoot: Processed 1 entries (pass 2) -- average rate 26843545.6/sec, recent rate 0.0/sec, hit ratio 0%
[17/Sep/2020:15:29:08.750649257 -0700] - INFO - import_monitor_threads - import userRoot: Processed 1 entries (pass 2) -- average rate 23860929.4/sec, recent rate 0.0/sec, hit ratio 0%
[17/Sep/2020:15:29:28.788308057 -0700] - INFO - import_monitor_threads - import userRoot: Processed 1 entries (pass 2) -- average rate 21474836.5/sec, recent rate 0.0/sec, hit ratio 0%
[17/Sep/2020:15:29:48.824483405 -0700] - INFO - import_monitor_threads - import userRoot: Processed 1 entries (pass 2) -- average rate 19522578.6/sec, recent rate 0.0/sec, hit ratio 0%
[17/Sep/2020:15:30:08.861454259 -0700] - INFO - import_monitor_threads - import userRoot: Processed 1 entries (pass 2) -- average rate 17895697.1/sec, recent rate 0.0/sec, hit ratio 0%
[17/Sep/2020:15:30:28.898478351 -0700] - INFO - import_monitor_threads - import userRoot: Processed 1 entries (pass 2) -- average rate 16519105.0/sec, recent rate 0.0/sec, hit ratio 0%
[17/Sep/2020:15:30:48.934493905 -0700] - INFO - import_monitor_threads - import userRoot: Processed 1 entries (pass 2) -- average rate 15339168.9/sec, recent rate 0.0/sec, hit ratio 0%
[17/Sep/2020:15:31:08.974176434 -0700] - INFO - import_monitor_threads - import userRoot: Processed 1 entries (pass 2) -- average rate 14316557.7/sec, recent rate 0.0/sec, hit ratio 0%
[17/Sep/2020:15:31:29.026523856 -0700] - INFO - import_monitor_threads - import userRoot: Processed 1 entries (pass 2) -- average rate 13379960.4/sec, recent rate 0.0/sec, hit ratio 0%
[17/Sep/2020:15:31:29.027647083 -0700] - INFO - import_throw_in_towel - import userRoot: Decided to end this pass because the progress rate has dropped below the 50% threshold.
[17/Sep/2020:15:31:29.028635146 -0700] - INFO - import_monitor_threads - import userRoot: Ending pass number 2 ...
[17/Sep/2020:15:31:29.129868576 -0700] - INFO - import_monitor_threads - import userRoot: Foreman is done; waiting for workers to finish...
[17/Sep/2020:15:31:29.131344494 -0700] - INFO - import_monitor_threads - import userRoot: Workers finished; cleaning up...
[17/Sep/2020:15:31:29.333383134 -0700] - INFO - import_monitor_threads - import userRoot: Workers cleaned up.
[17/Sep/2020:15:31:29.334756063 -0700] - INFO - import_sweep_after_pass - import userRoot: Sweeping files for merging later...
[17/Sep/2020:15:31:29.346472780 -0700] - INFO - dblayer_instance_start - Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[17/Sep/2020:15:31:29.348439407 -0700] - INFO - import_sweep_after_pass - import userRoot: Sweep done.
[17/Sep/2020:15:31:29.349300174 -0700] - INFO - import_main_offline - import userRoot: Beginning pass number 3
[17/Sep/2020:15:31:36.933419931 -0700] - ERR - factory_destructor - ERROR bulk import abandoned
[17/Sep/2020:15:31:36.967711128 -0700] - ERR - import_run_pass - import userRoot: Thread monitoring returned: -23
[17/Sep/2020:15:31:36.970482988 -0700] - ERR - import_main_offline - import userRoot: Aborting all Import threads...
[17/Sep/2020:15:31:44.285307200 -0700] - ERR - import_main_offline - import userRoot: Import threads aborted.
[17/Sep/2020:15:31:44.286444487 -0700] - INFO - import_main_offline - import userRoot: Closing files...
[17/Sep/2020:15:31:44.288138525 -0700] - ERR - import_main_offline - import userRoot: Import failed.
[17/Sep/2020:15:31:44.289342372 -0700] - ERR - process_bulk_import_op - NULL target sdn
[17/Sep/2020:15:31:44.312329369 -0700] - ERR - NSMMReplicationPlugin - replica_replace_ruv_tombstone - Failed to update replication update vector for replica dc=<redacted>: LDAP error - 1
[17/Sep/2020:15:31:47.320263729 -0700] - ERR - NSMMReplicationPlugin - replica_replace_ruv_tombstone - Failed to update replication update vector for replica dc=<redacted>: LDAP error - 1
[17/Sep/2020:15:31:50.325999803 -0700] - ERR - NSMMReplicationPlugin - replica_replace_ruv_tombstone - Failed to update replication update vector for replica dc=<redacted>: LDAP error - 1
Trevor Fong
Senior Programmer Analyst, Identity and Access Management
Cybersecurity | CISO Office
The University of British Columbia | Musqueam Traditional Territory
413 - 6356 Agricultural Road | Vancouver BC | V6T 1Z2 Canada
Phone 604 827 5247
Privacy Matters @ UBC
Question Regarding Intermediate Cert Install in RHEL/CentOS 8
by Bryan K. Walton
We have two CentOS 8 directory servers running 389ds. They are set up
with one as a master and the other as a consumer. Both of these servers
use a wildcard GoDaddy SSL cert. The cert has two intermediate certs,
and the root cert.
Initially, I had both intermediates and the root cert chained in a CA
cert file and I used the cockpit web interface to upload the chained
file, to both directory servers.
When I did this, I was able to connect to both directory servers with
Apache Directory Studio. However, replication was not working.
openssl s_client -connect showed that each directory server was only
presenting the server cert and the first intermediate. Still, openssl
reported that everything was "OK". But again, replication wasn't working.
During replication, the master was reporting this in the debug logs:
(error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get issuer certificate))
In an effort to fix this, I uninstalled the chained intermediate/root
cert file. I then installed both intermediates individually, and the
root cert individually. Sure enough, openssl s_client -connect now
showed the full chain (server cert -> intermediate 1 -> intermediate 2
-> root CA cert). And replication started working!
However, now, when I try to connect to either directory server with
Apache Directory Studio, I get the following error:
Error while opening connection
- ERR_04120_TLS_HANDSHAKE_ERROR The TLS handshake failed, reason: Failed to verify certification path: Algorithm constraints check failed on signature algorithm: SHA1withRSA
org.apache.directory.api.ldap.model.exception.LdapTlsHandshakeException: ERR_04120_TLS_HANDSHAKE_ERROR The TLS handshake failed, reason: Failed to verify certification path: Algorithm constraints check failed on signature algorithm: SHA1withRSA
Can anybody assist with telling me either what this error means or what
is the proper way to be installing the intermediate certs into 389ds in
RHEL/CentOS 8, so that both replication and Apache Directory Studio will
work?
Thanks!
Bryan
--
Bryan K. Walton 319-337-3877
Linux Systems Administrator Leepfrog Technologies, Inc
Issue Configuring admin-serv on CentOS 7
by Paul Whitney
Hi,
I am running into an issue where I am trying to set up a DS master on CentOS 7.
When I run setup-ds-admin.pl, I am able to successfully create the slapd-config instance. But the admin-serv fails to bind to the config. The error is like this
"Sat Jan 02 21:32:12.629960 2016] [:warn] [pid 1497:tid $THREAD] NSSSessionCacheTimeout is
deprecated. Ignoring.
[Sat Jan 02 21:32:12.630027 2016] [:crit] [pid 1497:tid $THREAD] do_admserv_post_config(): unable to create AdmldapInfo
AH00016: Configuration Failed"
I found this post at https://lists.fedoraproject.org/archives/list/389users@lists.fedorapro... but this is not an upgrade for me. I'm just trying to create the config and admin-serv.
I have the following installed:
389-ds-base-1.3.10.1-14.el7_8.x86_64
389-ds-base-libs-1.3.10.1-14.el7_8.x86_64
389-admin-1.1.46-1.el7.x86_64
389-adminutil-1.1.22-2.el7.x86_64
I don't believe it is the packages installed, but something missing. When I initially install the 389-admin packages, /var/log/dirsrv/admin-serv does not get created. I end up creating it along with the error and access files, then run restorecon -r on the directory.
The server I am working on is actually a clone of a working directory server, which is even more puzzling.
Any suggestions to get past this are greatly appreciated.
Paul M. Whitney
E-mail: paul.whitney(a)mac.com
Cell: 410.493.9448
Sent from my browser.