September 2020 - 389-users - Fedora Mailing-Lists

Anyway to incorporate haveibeenpwned.com db into password policy?

by Bryan K. Walton

We are running 389ds with CentOS 8. Can anybody confirm if there is a way to check passwords against the haveibeenpwned.com database when users are changing passwords? Thanks, Bryan

3 years, 6 months

3
3
0 / 0

A plugin to record modification timestamp and modifiers DN for specific attribute

by Jan Tomasek

Hello, I have one historical plug-in (from times of SunOne Directory), it was in past ported for 1.2 version of 389 DS. But it fails to work with 1.4. It is a bit more complicated than the one I was seeking help before, but maybe it is possible to replace it with some standard plug-in. However, I didn't find any suitable. :( We are using attribute named entryStatus with several possible values like prepared, active, marked, dead - those are used for keeping status of user entry. I need to keep track when and by whom was entryStatus attribute modified. For those informations, we have two attributes entryStatusTimestamp and entryStatusModifier attributes. And every time entryStatus is changed, our plugin changes automatically those two attributes. Is there any standard, or maybe some contributed plugin how I can achieve this? Thanks -- ----------------------- Jan Tomasek aka Semik http://www.tomasek.cz/

3 years, 7 months

2
5
0 / 0

How do I connect to 389-server via ldapsearch?

by rainer＠ultra-secure.de

Hi, I've installed the latest version on CentOS 8 https://directory.fedoraproject.org/docs/389ds/howto/quickstart.html [root@radius-389-test ~]# rpm -qa |grep 389 |sort 389-ds-base-1.4.2.16-1.module_el8+9435+e6daf39f.x86_64 389-ds-base-libs-1.4.2.16-1.module_el8+9435+e6daf39f.x86_64 cockpit-389-ds-1.4.2.16-1.module_el8+9435+e6daf39f.noarch python3-lib389-1.4.2.16-1.module_el8+9435+e6daf39f.noarch I can connect via dsidm: [root@radius-389-test ~]# dsidm radius-389-test user list demo_user [root@radius-389-test ~]# dsidm radius-389-test user get demo_user dn: uid=demo_user,ou=people,dc=radius,dc=example,dc=org cn: Demo User displayName: Demo User gidNumber: 99998 homeDirectory: /var/empty legalName: Demo User Name loginShell: /bin/false objectClass: top objectClass: nsPerson objectClass: nsAccount objectClass: nsOrgPerson objectClass: posixAccount uid: demo_user uidNumber: 99998 However, I can't seem to connect to the server via ldapsearch or with Apache Directory Studio. [root@radius-389-test ~]# ldapsearch -v -H "ldapi://%%2fvar%%2frun%%2fslapd-radius-389-test.socket" -b "ou=people,dc=radius,example,dc=org" -D "cn=Directory Manager" -x -W uid=demo_user ldap_initialize( ldapi:///??base ) Enter LDAP Password: ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) [root@radius-389-test ~]# ldapsearch -v -H "ldap://127.0.0.1" -b "ou=people,dc=radius,example,dc=org" -D "cn=Directory Manager" -x -W uid=demo_userldap_initialize( ldap://127.0.0.1:389/??base ) Enter LDAP Password: ldap_bind: Invalid credentials (49) additional info: Invalid credentials This is the inf-file: [general] full_machine_name = radius-389-test.example.org [slapd] instance_name = radius-389-test root_password = random [backend-userroot] create_suffix_entry = True sample_entries = yes suffix = dc=radius,dc=example,dc=org What am I doing wrong?

3 years, 7 months

2
4
0 / 0

LDAPS only plugin & how to disable LDAP protocol at all

by Jan Tomasek

Hello, in past, I've created a simple plug-in for disabling authenticated binds over non-encrypted lines. But still allowing anonymous binds over LDAP. I did know about nsslapd-require-secure-binds but if recall correctly it is including SASL authenticated binds which I believe protects only user password and not transferred data. I published plug-in here: https://github.com/CESNET/389ds-plugin-ldapsonly but it is maybe obsoleted today. Today I think is TLS a must. Is it possible to disable 389 port at all? Or instruct 389 DS to bind port 389 on localhost? -- ----------------------- Jan Tomasek aka Semik http://www.tomasek.cz/

3 years, 7 months

2
1
0 / 0

Re-initialization Failure: Bulk Import Abandoned, Thread Monitoring Returned -23

by Fong, Trevor

Hi Everyone, I'm having an issue re-initializing our secondary muti-master replicated 389 DS provider node via 389-Console > replication agreement > "Initialize Consumer". It eventually aborts the update with an error "import userRoot: Thread monitoring returned: -23" Would anyone know how to fix it? Or what the issue may be? What we could try? Thanks in advance, Trev We're running 389-Directory/1.3.10.1 B2020.167.146 Here's that the error log says on the node receiving re-initialization: [17/Sep/2020:15:21:07.489737002 -0700] - NOTICE - NSMMReplicationPlugin - multimaster_be_state_change - Replica dc=<redacted> is going offline; disabling replication [17/Sep/2020:15:21:07.514586270 -0700] - INFO - dblayer_instance_start - Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database [17/Sep/2020:15:21:27.554375232 -0700] - INFO - import_monitor_threads - import userRoot: Processed 1 entries -- average rate 0.1/sec, recent rate 0.0/sec, hit ratio 0% [17/Sep/2020:15:21:47.593876983 -0700] - INFO - import_monitor_threads - import userRoot: Processed 1 entries -- average rate 0.0/sec, recent rate 0.0/sec, hit ratio 0% [17/Sep/2020:15:22:07.630801176 -0700] - INFO - import_monitor_threads - import userRoot: Processed 1 entries -- average rate 0.0/sec, recent rate 0.0/sec, hit ratio 0% [17/Sep/2020:15:22:27.667537260 -0700] - INFO - import_monitor_threads - import userRoot: Processed 1 entries -- average rate 0.0/sec, recent rate 0.0/sec, hit ratio 0% [17/Sep/2020:15:22:47.704917493 -0700] - INFO - import_monitor_threads - import userRoot: Processed 1 entries -- average rate 0.0/sec, recent rate 0.0/sec, hit ratio 0% [17/Sep/2020:15:23:07.746084506 -0700] - INFO - import_monitor_threads - import userRoot: Processed 1 entries -- average rate 0.0/sec, recent rate 0.0/sec, hit ratio 0% [17/Sep/2020:15:23:27.785902082 -0700] - INFO - import_monitor_threads - import userRoot: Processed 1 entries -- average rate 0.0/sec, recent rate 0.0/sec, hit ratio 0% [17/Sep/2020:15:23:47.830564570 -0700] - INFO - import_monitor_threads - import userRoot: Processed 1 entries -- average rate 0.0/sec, recent rate 0.0/sec, hit ratio 0% [17/Sep/2020:15:24:07.868457613 -0700] - INFO - import_monitor_threads - import userRoot: Processed 1 entries -- average rate 0.0/sec, recent rate 0.0/sec, hit ratio 0% [17/Sep/2020:15:24:27.907239617 -0700] - INFO - import_monitor_threads - import userRoot: Processed 1 entries -- average rate 0.0/sec, recent rate 0.0/sec, hit ratio 0% [17/Sep/2020:15:24:47.948025735 -0700] - INFO - import_monitor_threads - import userRoot: Processed 1 entries -- average rate 0.0/sec, recent rate 0.0/sec, hit ratio 0% [17/Sep/2020:15:25:07.986469285 -0700] - INFO - import_monitor_threads - import userRoot: Processed 1 entries -- average rate 0.0/sec, recent rate 0.0/sec, hit ratio 0% [17/Sep/2020:15:25:28.022970040 -0700] - INFO - import_monitor_threads - import userRoot: Processed 1 entries -- average rate 0.0/sec, recent rate 0.0/sec, hit ratio 0% [17/Sep/2020:15:25:48.055641123 -0700] - INFO - import_monitor_threads - import userRoot: Processed 1 entries -- average rate 0.0/sec, recent rate 0.0/sec, hit ratio 0% [17/Sep/2020:15:26:08.091707793 -0700] - INFO - import_monitor_threads - import userRoot: Processed 1 entries -- average rate 0.0/sec, recent rate 0.0/sec, hit ratio 0% [17/Sep/2020:15:26:08.093192417 -0700] - INFO - import_throw_in_towel - import userRoot: Decided to end this pass because the progress rate has dropped below the 50% threshold. [17/Sep/2020:15:26:08.094010231 -0700] - INFO - import_monitor_threads - import userRoot: Ending pass number 1 ... [17/Sep/2020:15:26:08.195022638 -0700] - INFO - import_monitor_threads - import userRoot: Foreman is done; waiting for workers to finish... [17/Sep/2020:15:26:08.196221021 -0700] - INFO - import_monitor_threads - import userRoot: Workers finished; cleaning up... [17/Sep/2020:15:26:08.397372463 -0700] - INFO - import_monitor_threads - import userRoot: Workers cleaned up. [17/Sep/2020:15:26:08.398525016 -0700] - INFO - import_sweep_after_pass - import userRoot: Sweeping files for merging later... [17/Sep/2020:15:26:08.409694998 -0700] - INFO - dblayer_instance_start - Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database [17/Sep/2020:15:26:08.411165210 -0700] - INFO - import_sweep_after_pass - import userRoot: Sweep done. [17/Sep/2020:15:26:08.412153776 -0700] - INFO - import_main_offline - import userRoot: Beginning pass number 2 [17/Sep/2020:15:26:28.444537073 -0700] - INFO - import_monitor_threads - import userRoot: Processed 1 entries (pass 2) -- average rate 214748364.8/sec, recent rate 0.0/sec, hit ratio 0% [17/Sep/2020:15:26:48.487800198 -0700] - INFO - import_monitor_threads - import userRoot: Processed 1 entries (pass 2) -- average rate 107374182.4/sec, recent rate 0.0/sec, hit ratio 0% [17/Sep/2020:15:27:08.524672179 -0700] - INFO - import_monitor_threads - import userRoot: Processed 1 entries (pass 2) -- average rate 71582788.2/sec, recent rate 0.0/sec, hit ratio 0% [17/Sep/2020:15:27:28.560669386 -0700] - INFO - import_monitor_threads - import userRoot: Processed 1 entries (pass 2) -- average rate 53687091.2/sec, recent rate 0.0/sec, hit ratio 0% [17/Sep/2020:15:27:48.598581175 -0700] - INFO - import_monitor_threads - import userRoot: Processed 1 entries (pass 2) -- average rate 42949673.0/sec, recent rate 0.0/sec, hit ratio 0% [17/Sep/2020:15:28:08.637175249 -0700] - INFO - import_monitor_threads - import userRoot: Processed 1 entries (pass 2) -- average rate 35791394.1/sec, recent rate 0.0/sec, hit ratio 0% [17/Sep/2020:15:28:28.674637440 -0700] - INFO - import_monitor_threads - import userRoot: Processed 1 entries (pass 2) -- average rate 30678337.8/sec, recent rate 0.0/sec, hit ratio 0% [17/Sep/2020:15:28:48.713863865 -0700] - INFO - import_monitor_threads - import userRoot: Processed 1 entries (pass 2) -- average rate 26843545.6/sec, recent rate 0.0/sec, hit ratio 0% [17/Sep/2020:15:29:08.750649257 -0700] - INFO - import_monitor_threads - import userRoot: Processed 1 entries (pass 2) -- average rate 23860929.4/sec, recent rate 0.0/sec, hit ratio 0% [17/Sep/2020:15:29:28.788308057 -0700] - INFO - import_monitor_threads - import userRoot: Processed 1 entries (pass 2) -- average rate 21474836.5/sec, recent rate 0.0/sec, hit ratio 0% [17/Sep/2020:15:29:48.824483405 -0700] - INFO - import_monitor_threads - import userRoot: Processed 1 entries (pass 2) -- average rate 19522578.6/sec, recent rate 0.0/sec, hit ratio 0% [17/Sep/2020:15:30:08.861454259 -0700] - INFO - import_monitor_threads - import userRoot: Processed 1 entries (pass 2) -- average rate 17895697.1/sec, recent rate 0.0/sec, hit ratio 0% [17/Sep/2020:15:30:28.898478351 -0700] - INFO - import_monitor_threads - import userRoot: Processed 1 entries (pass 2) -- average rate 16519105.0/sec, recent rate 0.0/sec, hit ratio 0% [17/Sep/2020:15:30:48.934493905 -0700] - INFO - import_monitor_threads - import userRoot: Processed 1 entries (pass 2) -- average rate 15339168.9/sec, recent rate 0.0/sec, hit ratio 0% [17/Sep/2020:15:31:08.974176434 -0700] - INFO - import_monitor_threads - import userRoot: Processed 1 entries (pass 2) -- average rate 14316557.7/sec, recent rate 0.0/sec, hit ratio 0% [17/Sep/2020:15:31:29.026523856 -0700] - INFO - import_monitor_threads - import userRoot: Processed 1 entries (pass 2) -- average rate 13379960.4/sec, recent rate 0.0/sec, hit ratio 0% [17/Sep/2020:15:31:29.027647083 -0700] - INFO - import_throw_in_towel - import userRoot: Decided to end this pass because the progress rate has dropped below the 50% threshold. [17/Sep/2020:15:31:29.028635146 -0700] - INFO - import_monitor_threads - import userRoot: Ending pass number 2 ... [17/Sep/2020:15:31:29.129868576 -0700] - INFO - import_monitor_threads - import userRoot: Foreman is done; waiting for workers to finish... [17/Sep/2020:15:31:29.131344494 -0700] - INFO - import_monitor_threads - import userRoot: Workers finished; cleaning up... [17/Sep/2020:15:31:29.333383134 -0700] - INFO - import_monitor_threads - import userRoot: Workers cleaned up. [17/Sep/2020:15:31:29.334756063 -0700] - INFO - import_sweep_after_pass - import userRoot: Sweeping files for merging later... [17/Sep/2020:15:31:29.346472780 -0700] - INFO - dblayer_instance_start - Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database [17/Sep/2020:15:31:29.348439407 -0700] - INFO - import_sweep_after_pass - import userRoot: Sweep done. [17/Sep/2020:15:31:29.349300174 -0700] - INFO - import_main_offline - import userRoot: Beginning pass number 3 [17/Sep/2020:15:31:36.933419931 -0700] - ERR - factory_destructor - ERROR bulk import abandoned [17/Sep/2020:15:31:36.967711128 -0700] - ERR - import_run_pass - import userRoot: Thread monitoring returned: -23 [17/Sep/2020:15:31:36.970482988 -0700] - ERR - import_main_offline - import userRoot: Aborting all Import threads... [17/Sep/2020:15:31:44.285307200 -0700] - ERR - import_main_offline - import userRoot: Import threads aborted. [17/Sep/2020:15:31:44.286444487 -0700] - INFO - import_main_offline - import userRoot: Closing files... [17/Sep/2020:15:31:44.288138525 -0700] - ERR - import_main_offline - import userRoot: Import failed. [17/Sep/2020:15:31:44.289342372 -0700] - ERR - process_bulk_import_op - NULL target sdn [17/Sep/2020:15:31:44.312329369 -0700] - ERR - NSMMReplicationPlugin - replica_replace_ruv_tombstone - Failed to update replication update vector for replica dc=<redacted>: LDAP error - 1 [17/Sep/2020:15:31:47.320263729 -0700] - ERR - NSMMReplicationPlugin - replica_replace_ruv_tombstone - Failed to update replication update vector for replica dc=<redacted>: LDAP error - 1 [17/Sep/2020:15:31:50.325999803 -0700] - ERR - NSMMReplicationPlugin - replica_replace_ruv_tombstone - Failed to update replication update vector for replica dc=<redacted>: LDAP error - 1 Trevor Fong Senior Programmer Analyst, Identity and Access Management Cybersecurity | CISO Office The University of British Columbia | Musqueam Traditional Territory 413 - 6356 Agricultural Road | Vancouver BC | V6T 1Z2 Canada Phone 604 827 5247 Privacy Matters @ UBC

3 years, 7 months

3
10
0 / 0

We've moved to github, make sure you are watching...

by Mark Reynolds

https://github.com/389ds/389-ds-base/ All developers, and any other interested individuals, should make sure to "watch" this repo. We moved off of Pagure and onto github, but the Pagure subscribers were not migrated. So if you want to keep an eye on what's happening make sure to watch this project! -- 389 Directory Server Development Team

3 years, 7 months

1
0
0 / 0

Question Regarding Intermediate Cert Install in RHEL/CentOS 8

by Bryan K. Walton

We have two CentOS 8 directory servers running 389ds. They are setup with one as a master and the other as a consumer. Both of these servers use a wildcard GoDaddy SSL cert. The cert has two intermediate certs, and the root cert. Initially, I had both intermediates and the root cert chained in a CA cert file and I used the cockpit web interface to upload the chained file, to both directory servers. When I did this, I was able to connect to both directory servers with Apache Directory Studio. However, replication was not working. openssl s_client -connect showed that each directory server was only presenting the server cert and the first intermediate. Still, openssl reported that everything was "OK". But again, replication wasn't working. During replication, the master was reporting this in the debug logs: (error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get issuer certificate)) In an effort to fix this, I uninstalled the chained intermediate/root cert file. I then installed both intermediates, individually, and the the root cert individually. Sure enough, openssl s_client -connect now showed the full chain (server cert -> intermediate 1 -> intermediate 2 -> root CA cert). And replication started working! However, now, when I try to connect to either directory server with Apache Directory Studio, I get the following error: Error while opening connection - ERR_04120_TLS_HANDSHAKE_ERROR The TLS handshake failed, reason: Failed to verify certification path: Algorithm constraints check failed on signature algorithm: SHA1withRSA org.apache.directory.api.ldap.model.exception.LdapTlsHandshakeException: ERR_04120_TLS_HANDSHAKE_ERROR The TLS handshake failed, reason: Failed to verify certification path: Algorithm constraints check failed on signature algorithm: SHA1withRSA Can anybody assist with telling me either what this error means or what is the proper way to be installing the intermediate certs into 389ds in RHEL/CentOS 8, so that both replication and Apache Directory Studio will work? Thanks! Bryan -- Bryan K. Walton 319-337-3877 Linux Systems Administrator Leepfrog Technologies, Inc

3 years, 7 months

3
4
0 / 0

389-ds-base repository has migrated to GitHub

by Simon Pichugin

Hi team, so the migration to GitHub was successfully completed! 389 Directory Server repo is now available on: https://github.com/389ds/389-ds-base <https://github.com/389ds/389-ds-base/issues/4317> The issue tracker is here: https://github.com/389ds/389-ds-base/issues Pull-requests are accepted here: https://github.com/389ds/389-ds-base/pulls The old Pagure repo is now closed and read-only. All Bugzillas are updated with the new links and Devel Whiteboard numbers. Commit email notifications still go to: 389-commits(a)lists.fedoraproject.org If you have any questions, please let me know here or on IRC - #dirsec or PM to spichugi. I've sent 389ds organization invitations to all active developers. Please, check your mailboxes. Sincerely, Simon

3 years, 7 months

1
0
0 / 0

Issue Configuring admin-serv on CentOS 7

by Paul Whitney

Hi, I am running into an issue where I am trying to set up a DS master on CentOS 7. When I run setup-ds-admin.pl, I am able to successfully create the slapd-config instance. But the admin-serv fails to bind to the config. The error is like this "Sat Jan 02 21:32:12.629960 2016] [:warn] [pid 1497:tid $THREAD] NSSSessionCacheTimeout is deprecated. Ignoring. [Sat Jan 02 21:32:12.630027 2016] [:crit] [pid 1497:tid $THREAD] do_admserv_post_config(): unable to create AdmldapInfo AH00016: Configuration Failed" I found this post at https://lists.fedoraproject.org/archives/list/389users@lists.fedorapro... this is not an upgrade for me. Just trying to create the config and admin-serv. I have the following installed: 389-ds-base-1.3.10.1-14.el7_8.x86_64 389-ds-base-libs-1.3.10.1-14.el7_8.x86_64 389-admin-1.1.46-1.el7.x86_64 389-adminutil-1.1.22-2.el7.x86_64 I dont believe it is the packages installed, but something missing. When I do install initially, the 389-admin packages, /var/log/dirsrv/admin-serv does not get created. i end up creating it along with the error and access file, then run restorecon -r on the directory. The server I am working is actually a clone of a working directory server, even more puzzling. Any suggestions to get past this is greatly appreciated. Paul M. Whitney E-mail: paul.whitney(a)mac.com Cell: 410.493.9448 Sent from my browser.

3 years, 7 months

2
4
0 / 0

Plugin-in Guide for 1.4.0

by Jan Tomasek

Hi, I'm migrating 389DS from 1.2.11 to 1.4.0.11 on Debian Buster. I have two plug-ins which I would like to use with new server, they compile ok. But server crashes when they are about to be used. What is actual documentation? I've found https://access.redhat.com/documentation/en-us/red_hat_directory_server/10... But I'm not sure it this is latest for plugins. For server itself it is not, it speaks about obsoleted Admin Console. Thanks -- ----------------------- Jan Tomasek aka Semik http://www.tomasek.cz/

3 years, 7 months

3
6
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

389-users September 2020