Help: Winsync - NHow to replicate also AD Extended Attributes
by Caderize Caderize
Hi,
i'm struggling with this request made by my customer.
He has some AD users that needs to be replicated with D389, stardard attributes is ok but there are also some extended attributes to replicate.
Searching in documentation i was not able to find anything related.
Is there any way to do it?
Many Thanks
2 years, 4 months
Bind ACI
by Gary Waters
Hello,
I found recently users who dont have modern machines are binding
against our 389 machines without tls or ssl. I dont know if what I want
is reasonable, but I want people to still be able to do some simple
searches anonymously without ssl (I think that it is how some of the pam
modules I have seen work, where it searches for the dn, then binds), but
when a user binds with an actual user dn I want them to bind with
authmethod=ssl. I am worried the users binding without ssl, are
revealing their hash to anyone on the network.
What do you guys think? Is my worry accurate, and if it is, can you help
me articulate the aci's below?
aci: (version 3.0; acl "anonymous-read-search"; allow (read,search)
userdn="ldap://anyone" )
aci: (version 3.0; acl "force auth-method"; allow (read) authmethod =
"ssl")
I still want my accounts that have write permissions to be able to write
though as well, so should that be (read,write)?.
Thanks so much for your advise and help.
Regards,
Gary
2 years, 4 months
Help: Winsync Replica Unidirectorional fromWindows - Delete entries not working
by Caderize Caderize
Hello,
trying to delete an entry in AD configured winsync replication OneWay fromWindows.
The synced entry has not been deleted also in DS389.
This the error message:
DEBUG - clcache_initial_anchorcsn - anchor is now: 61b26119000100010000
[09/Dec/2021:21:04:03.381822400 +0100] - DEBUG - NSMMReplicationPlugin - changelog program - agmt="cn=AD2D389" (labdc1:636): CSN 61b26119000100010000 found, position set for replay
[09/Dec/2021:21:04:03.407178341 +0100] - DEBUG - agmt="cn=AD2D389" (labdc1:636) - clcache_get_next_change - load=1 rec=1 csn=61b26132000000010000
[09/Dec/2021:21:04:03.424657228 +0100] - DEBUG - NSMMReplicationPlugin - windows sync - windows_replay_update - agmt="cn=AD2D389" (labdc1:636) -Looking at delete operation local dn="uid=pluto.paperino,ou=Internal Users,ou=people,dc=lab,dc=com" (ours,user,not group)
[09/Dec/2021:21:04:03.441053065 +0100] - DEBUG - NSMMReplicationPlugin - windows sync - map_entry_dn_outbound - agmt="cn=AD2D389" (labdc1:636) - Looking for AD entry for DS dn="nsuniqueid=12789181-592b11ec-8a489caa-30ef94f6,uid=pluto.paperino,ou=Internal Users,ou=people,dc=lab,dc=com" guid="d86ea71b3b9e2249844770275958e84b"
[09/Dec/2021:21:04:03.457975212 +0100] - DEBUG - NSMMReplicationPlugin - windows sync - windows_search_entry_ext - Calling windows entry search request plugin
[09/Dec/2021:21:04:03.477204880 +0100] - DEBUG - NSMMReplicationPlugin - windows sync - windows_search_entry_ext - Received 2 messages, 1 entries, 0 references
[09/Dec/2021:21:04:03.492898116 +0100] - DEBUG - NSMMReplicationPlugin - windows sync - map_entry_dn_outbound - agmt="cn=AD2D389" (labdc1:636) - Return code 0 from search for AD entry dn="<GUID=d86ea71b3b9e2249844770275958e84b>" or dn="CN=Pluto Paperino,CN=D389Sync,DC=lab,DC=local"
[09/Dec/2021:21:04:03.509304473 +0100] - ERR - NSMMReplicationPlugin - windows sync - windows_replay_update - agmt="cn=AD2D389" (labdc1:636) - Failed map dn for delete operation dn="uid=pluto.paperino,ou=Internal Users,ou=people,dc=lab,dc=com" rc=-1 remote_dn = [(null)]
[09/Dec/2021:21:04:03.526216140 +0100] - DEBUG - agmt="cn=AD2D389" (labdc1:636) - clcache_adjust_anchorcsn - agmt="cn=AD2D389" (labdc1:636) - (cscb 0 - state 1) - csnPrevMax (61b26132000000010000) csnMax (61b26132000000010000) csnBuf (61b26132000000010000) csnConsumerMax (61b26132000000010000)
Any help would be appreciate...
The Winsync Agreement has been also configured with:
winSyncMoveAction: delete
In the scenario when a user is moved far from scope, it has been successfully deleted.
2 years, 4 months
issues migrating from RHEL6 to rhel7 (1.2 to 1.3)
by Casey Feskens
Hi all,
I'm running into some migration issues trying to get my hosts off of RHEL6.
I currently have a single supplier and multiple consumers and am trying to
add a new supplier on RHEL7. I was hoping to do so initially by just
setting up a replication agreement but have run into the ordering issue
described in:
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje...
As a fallback option, I have tried dumping my existing supplier via
ns-slapd db2ldif -r, but when I import I am seeing a number of errors like:
[11/Dec/2021:12:49:03.523666969 -0800] - DEBUG - attr_get_value_cmp_fn -
Syntax [1.3.6.1.4.1.1466.115.121.1.12] for attribute [creatorsName] does
not support ordering
Initially I had syntax checking on, which was off in my 1.2 instance.
Syntax checking is now off but I am still seeing these errors. Any
suggestions as to what I should modify to be able to import my remaining
directory entries?
--
---------------------------------------------
Casey Feskens <cfeskens(a)willamette.edu>
Director of Infrastructure Services
Willamette Integrated Technology Services
Willamette University, Salem, OR
Phone: (503) 370-6950
---------------------------------------------
2 years, 4 months
Help - Missing nsAccount objectClass for WinSync users from AD
by Caderize Caderize
Hi to all,
hope someone can help me on this.
I am struggling with my last configuration step.
Summary:
I have configured D389 to sync One-Way from Active Directory.
Everything is working fine and AD users is correctly synchronized in a specific OU of D389.
Then i've configured PAM Pass Through in order to permit AD synced users in D389 to make login without exposing the User Password(Leave it empty, this will be a frontend for a web portal).
The result would be:
Web Portal login -> D389(AD synced users with no password)-> Pam PassThrough to AD that return back the login result.
The only thing that is not working is regarding nsAccount objectClass that it is not present in synced D389 users.
For example creating user with dsidm command will add nsAccount objectClass as expected and bind is successful.
During my test i've seen that if nsAccount is not present, PAM PT return an error while if present everything is working well.
So my question is:
How can i set this objectClass during Winsync(in automatic way) in order to "Activate" synced users or am i missing anything?
Many thanks for your help.
Regards
2 years, 4 months
access log - successful authentication
by Karandikar, Neel
Hello
Is there a simple way to tell that a user has been authenticated by looking at the access log?
/var/log/dirsrv/<slapd-instance>/access
something like "authentication successful" in the access log
I have been looking at the access log file and enabled the various logging levels, and although I can personally tell that a user has been authenticated, there is no message that I can search on if I need to audit the logs to see date/time/user for a successful auth.
Is there another log I should be looking at?
Thx
NeeL
2 years, 4 months
Recent commits in stable 389ds branches - discussion
by Ivanov Andrey (M.)
Hi,
I'd like to discuss several recent (since a couple of months) commits in stable branches of 389ds. I will be talking about 1.4.4 [ https://github.com/389ds/389-ds-base/tree/389-ds-base-1.4.4 | https://github.com/389ds/389-ds-base/tree/389-ds-base-1.4.4 ] since it's the one we are using in production, but i think it's the same for 1.4.3. These commits are welcome and go in the right direction, however the changes they produce are not something one expects when the server version changes in 4th digit (ex. 1.4.4.17 -> 1.4.4.18). Here they are:
1) Some database files [presumable memory-mapped files that are ok to be lost at reboot] that were previously in /var/lib/dirsrv/slapd-instance/db/ are now moved to /dev/shm/slapd-instance/. This modification seems to work fine (and should increase performance), however there is an error message at server startup when /dev/shm is empty (for example, after each OS reboot) when the server needs to create the files:
[03/Dec/2021:12:12:14.887200364 +0100] - ERR - bdb_version_write - Could not open file "/dev/shm/slapd-model/DBVERSION" for writing Netscape Portable Runtime -5950 (File not found.)
After the next 389ds restart this ERR message does not appear, but it appears after each OS reboot (since /dev/shm is cleaned up after each reboot).
2) UNIX socket of the server was moved to /run/slapd-instance.socket, a new keyword in .inf file for dscreate ("ldapi") has appeared.
Works fine, but it had an impact on our scripts that use ldapi socket path.
3) A new default plugin requirement, the plugin being written in Rust - probably its introduction is FIPS-related (Issue 3584 - Fix PBKDF2_SHA256 hashing in FIPS mode). See my comment https://github.com/389ds/389-ds-base/issues/5008#issuecomment-983759224. Rust becomes a requirement for building the server, which is fine, but then it should be enabled by default in "./configure". Without it the server does not compile the new plugin and complains about it when starting:
[01/Dec/2021:12:54:04.460194603 +0100] - ERR - symload_report_error - Could not open library "/Local/dirsrv/lib/dirsrv/plugins/libpwdchan-plugin.so" for plugin PBKDF2
...
Thank you and keep up the good work, we use 389ds in production since 2007 and we are quite happy with it :)
Regards,
Andrey
2 years, 4 months
el8 389ds replication to el7 389ds
by Lewis Robson
Hello all,
I have a main ldap database on an alma el8 server, this works okay and
we can replicate from 8 to 8 via the cockpit web manager.
We however, have a server that is on el7, we can install 389ds however
the commands and setup is different and it uses the 389 ds console, our
end goal is to replicate the stuff from the EL8 database to the el7
using master / slave.
is there any way to get the el8 version onto el7, and if not, how do i
go about replicating everything? I have set up so that tls is enabled
and can ping, telnet etc to the el7 server from the el8 however when i
try to replicate after entering in the details, i get errors such as:
authentication mechanism [SIMPLE]: error -1 (Can't contact LDAP server),
system error -5987 (Invalid function argument.), network error 0
(Unknown error, host "linux-el8:636") (same when trying to replicate
over non tls, port 389)
thanks
2 years, 4 months
rsearch cmd options
by Ghiurea, Isabella
Hi List,
I am using rsearch cmd with different number of threads and run time to asses DS performance over time , I run the cmd locally I would like to know how to cfg this cmd to use port 636 ? I tried cfg with cfg -p 636 but will not run.
Also I will like to learn if there are also 389-ds cmds available to run to measure server performance with the option to adjust the number of threads run parallel.
Here is my basic rsearch cmd :
. rsearch -h localhost -p 389 -D "cn=directory manager" -w xxx -s " ou=Users,ou=ds,dc=xxxx " -f "uid=49999" -v -T 10 -t 50
Thank you
2 years, 4 months
