389-users January 2022

389-users@lists.fedoraproject.org

20 participants
21 discussions

ERR - slapi_ldap_bind - Could not send bind request for id [(anon)] authentication mechanism [EXTERNAL]: error -1 (Can't contact LDAP server), system error 0 (no error), network error 0
by Graham Leggett 11 Dec '23

11 Dec '23

Hi all, We have a long standing 389ds master LDAP server that was found to be unable to contact it’s slaves. Most specifically, the slaves show nothing in their logs about any kind of connection, while the master is logging this: [12/Nov/2019:21:39:47.212715697 +0000] - ERR - slapi_ldap_bind - Could not send bind request for id [(anon)] authentication mechanism [EXTERNAL]: error -1 (Can't contact LDAP server), system error 0 (no error), network error 0 (Unknown error, host “ldap01:636”) Key is "system error 0 (no error)”, which leaves us stumped. The error is obviously “success”. Has anyone seen this kind of thing before? This is 389ds running on CentOS7 as follows: 389-ds-base-1.3.9.1-10.el7.x86_64 Regards, Graham —

3 9

Plugin development licensing
by DUVERT Vincent 09 May '23

09 May '23

Hello, I have a question regarding the licensing of developed 389-ds plugins. The FAQ (https://directory.fedoraproject.org/docs/389ds/FAQ/licensing.html#directory…) indicates that the Directory Server core code is licensed under a GPL + Exception license that allows non-GPL 389-ds plugins to link to 389-ds and to use specific header files. However, the LICENSE file in the current 389-ds-base source does not contain this exception. It was apparently removed by the following commit, when the license was changed to GPLv3+: https://pagure.io/389-ds-base/c/88cae401aee39a19ac6b07c3c36ee8daa07192e7 Does that means that the license exception does not apply to the current version of 389-ds? Regards, Vincent Duvert

2 2

Re: SSO and 389
by N R 12 Mar '22

12 Mar '22

Hi, I've done some SAML SSO integrations and work regularly with FreeIPA. SSO is usually handled via a protocol like SAML, OpenID or Shibboleth, FreeIPA only serves as LDAP Identity database in these architectures. Our deployments used a "proxy" to handle these authentications and link them with LDAP, SimpleSAMLPHP. The implementation also depends a lot on the way you want to do SSO, centralized, federated, or cooperative. I would recommend to take a look at simplesamlphp documentation as it supports almost every SSO protocols and can easily be integrated to proxy SSO web requests. Regards, Nicolas Le lun. 10 janv. 2022 à 19:50, Jonathan Aquilina <jaquilina(a)eagleeyet.net> a écrit : > Good Evening, > > > > I am just wondering can 389 along side free ipa be used to offer SSO > capabilities? > > > > Regards, > > Jonathan > _______________________________________________ > 389-users mailing list -- 389-users(a)lists.fedoraproject.org > To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject… > Do not reply to spam on the list, report it: > https://pagure.io/fedora-infrastructure >

2 1

Re: Replication Problem
by Mansoor Raeesi 31 Jan '22

31 Jan '22

That is problem with CentOS paste which expires pastes within 24 hours! you may check through this link: https://pastebin.ubuntu.com/p/ktN5HsBrNf/ Thanks On 1/31/22 11:24, Thierry Bordaz wrote: > Hi, > > It returns 404 "page not found" > > regards > thierry > > On 1/30/22 7:58 AM, Mansoor Raeesi wrote: >> Thanks for your kind reply, logging is enabled already and this is >> output of log: >> >> https://paste.centos.org/view/a39010cd >> >> >> On 1/26/22 12:14, Thierry Bordaz wrote: >>> Hi, >>> >>> There are several possible cause why the replication agreement >>> failed to complete the total update. I suggest you enable >>> replication debug log on A and B >>> (https://www.port389.org/docs/389ds/FAQ/faq.html#Troubleshooting) >>> before retrying a total update. If it is the first time you are >>> trying to init B, a common failure is that the RA fails to bind >>> (credential are not properly set). >>> >>> Because of the size of the DB, another option is to init B via an >>> offline import. (on A export DB in ldif format with replication >>> data, send the ldif file to B, import the ldif file on B). This >>> likely speed up the initialization of B but you will still need to >>> fix the RA A->B. >>> >>> regards >>> thierry >>> >>> On 1/26/22 6:41 AM, Mansoor Raeesi wrote: >>>> Hi >>>> >>>> I've recently started 2 different instances on different servers >>>> with 1.4.4.17 version of 389-ds. servers can see each other. >>>> >>>> server A has a database around 28GB & both servers are started in >>>> Master mode. i've created an agreement on server A to be replicated >>>> with server B on port 389 when i initialize the agreement, after a >>>> while i'll receive this error in web console: >>>> >>>> ERR - NSMMReplicationPlugin - repl5_tot_run - Total update failed >>>> for replica "agmt="cn=ServerA-to-ServerB" (ServerB:389)", error (-1) >>>> >>>> Looking forward for your kind help. >>>> _______________________________________________ >>>> 389-users mailing list -- 389-users(a)lists.fedoraproject.org >>>> To unsubscribe send an email to >>>> 389-users-leave(a)lists.fedoraproject.org >>>> Fedora Code of Conduct: >>>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >>>> List Guidelines: >>>> https://fedoraproject.org/wiki/Mailing_list_guidelines >>>> List Archives: >>>> https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject… >>>> Do not reply to spam on the list, report it: >>>> https://pagure.io/fedora-infrastructure >>> >> >

3 2

Replication Problem
by Mansoor Raeesi 30 Jan '22

30 Jan '22

Hi I've recently started 2 different instances on different servers with 1.4.4.17 version of 389-ds. servers can see each other. server A has a database around 28GB & both servers are started in Master mode. i've created an agreement on server A to be replicated with server B on port 389 when i initialize the agreement, after a while i'll receive this error in web console: ERR - NSMMReplicationPlugin - repl5_tot_run - Total update failed for replica "agmt="cn=ServerA-to-ServerB" (ServerB:389)", error (-1) Looking forward for your kind help.

2 2

Trying to deny any bind/query rights to Administration Domain suffix for user
by NATHAN TRUHAN 28 Jan '22

28 Jan '22

Hello, Sorry for the long post: I have an Oracle Linux 7.9 installation running 389 Directory Server 1.3. It contains 3 suffixes. The first is the o=netscaperoot. The second is the Administration Domain based on the FQN of the server: dc=prodapps, dc=prodvcn, dc=oraclevcn, dc=com. The third is one that was manually created to store users and groups from an AD migration which I will refer to as dc=company,dc=com. Under this third suffix, I created 2 OUs to match what I was retrieving out of AD, ou=MIGRATED, ou=US. I created a user under the dc=company,dc=com called lsc. So its DN is uid=lsc,dc=company,dc=com. This user has full control over the suffix in that it can query, create, and remove objects, it is used with the lsc-project tools to migrate and transform the AD content, which was brought over successfully. I am accessing this from SAP BusinessObjects also remapping from AD to LDAP. And you specify a specific Bind DN and Base DN to utilize and that is what it should use to query from. However, what I see in the Ldap Query behavior from the application is this: LDAP: LdapQueryForEntries: *QUERY* base: dc=company, dc=com, scope: 2, filter: (uid=Test.User), attribute: dn objectclass LDAP: LdapQueryForEntries: *QUERY* result: 0 took 0 ms LDAP: LdapQueryForEntries() *QUERY* number of entries returned: 1 LDAP: LdapQueryForEntries: *QUERY* base: cn=test user, ou=migrated, ou=us, dc=company, dc=com, scope: 0, filter: , attribute: uid CN objectclass LDAP: LdapQueryForEntries: *QUERY* result: 0 took 0 ms LDAP: LdapQueryForEntries() *QUERY* number of entries returned: 1 LDAP: LdapQueryForEntries: *QUERY* base: dc=company, dc=com, scope: 2, filter: (cn=test user), attribute: description objectclass LDAP: LdapQueryForEntries: *QUERY* result: 0 took 0 ms LDAP: LdapQueryForEntries() *QUERY* number of entries returned: 1 GetParents from plugin for secLDAP:cn=test user, ou=migrated, ou=us, dc=company, dc=com LDAP: LdapQueryForAttribute: *QUERY* base: dc=com, scope: 0, filter: (objectclass=*), attribute: dn LDAP: LdapQueryForAttribute: *QUERY* result: 32 took 0 ms LDAP: LdapQueryForAttribute: *QUERY* base: dc=company, dc=com, scope: 0, filter: (objectclass=*), attribute: dn LDAP: LdapQueryForAttribute: *QUERY* result: 0 took 0 ms LDAP: LdapQueryForEntries: *QUERY* base: dc=company, dc=com, scope: 2, filter: (&(objectclass=inetOrgPerson)(cn=test user)), attribute: dn objectclass LDAP: LdapQueryForEntries: *QUERY* result: 0 took 0 ms LDAP: LdapQueryForEntries() *QUERY* number of entries returned: 1 LDAP: LdapQueryForEntries: *QUERY* base: dc=prodapps, dc=prodvcn, dc=oraclevcn, dc=com, scope: 2, filter: (&(objectclass=groupOfNames)(member=cn=test user, ou=migrated, ou=us, dc=company, dc=com)), attribute: dn LDAP: LdapQueryForEntries: *QUERY* result: 0 took 0 ms LDAP: LdapQueryForEntries() *QUERY* number of entries returned: 0 Failed to add alias 'Test.User'. Reason: It is not a member in any of the mapped groups. Error encountered on Object (9388): Creation of the user Test.User cannot complete because the user is not a member in any of the mapped groups. In the above case, I am trying to add the user test.user (which is cn=test user,ou=migrated,ou=us,dc=company,dc=com) and has a uid of test.user. The system finds that without an issue. However, the next part, I don't know how or why the bind user uid=lsc is then changing the base dn to the Administration Domain and attempting the search there for a group member. This base dn should have remained dc=company, dc=com. To get around this, I am trying to block access to the Administration Domain suffix for the lsc user. I removed anonymous bind access, then added this aci: dn: dc=prodapps,dc=prodvcn,dc=oraclevcn,dc=com changetype: modify add: aci aci: (target="ldap:///dc=prodapps,dc=prodvcn,dc=oraclevcn,dc=com") (version 3.0; acl "Deny company dc user access to prodapps"; deny(all) userdn="ldap:///uid=*,dc=company,dc=com || ldap:///cn=*,dc=company,dc=com";) After this, when using tools such as Apache Directory Studio, the lsc user didn't see the Admin Domain if it went to retrieve the available DNs. However, a ldapsearch still worked, it did a bind properly, just returned no records like expected: ldapsearch -x -LLL -h server -p 389 -D "uid=lsc,dc=company,dc=com" -b "dc=prodapps, dc=prodvcn, dc=oraclevcn, dc=com" -W "(&(objectclass=groupOfNames)(member=cn=test user, ou=migrated, ou=us, dc=company, dc=com))" Is there any way I can block a dn completely so it would fail to connect to the search not just return 0 records? This way the application wouldn't be able to retrieve it and move on to another DN. Or what would be the detriment of 389 DS running with just the one Suffix that is both the Administration Domain as well as the one used for migration (which occurs only under the ou)? i.e. re-creating the Administration Domain as dc=company,dc=com instead of the FQM domain of dc=prodapps,dc=prodvcn,dc=oraclevcn,dc=com. Thanks in advance, and sorry for the long post. Nathan

2 1

Re: how to export/import a single ldap user
by Rob Crittenden 28 Jan '22

28 Jan '22

Rob Murray wrote: > Isabella > > > > Just do an ldapsearch send the output to a file, Edit the file and > insert the line below after the dn: line in the ldi It depends on what attributes are needed. If you need things like userPassword that are normally not visible you should bind as the Directory Manager. In order to get the full entry, including operational attributes, you probably need two searches. One for * (default) and one for + (operational) and then combine the results. At least I don't know of a way to get both at once. rob > > changetype: add > > > > run ldapmodify against the server or on the server where the entry is to > be added. > > > > man ldapadd > > > > Rob. > > > > > > *From:* Ghiurea, Isabella <Isabella.Ghiurea(a)nrc-cnrc.gc.ca> > *Sent:* January 28, 2022 12:19 PM > *To:* General discussion list for the 389 Directory server project. > <389-users(a)lists.fedoraproject.org> > *Subject:* [389-users] how to export/import a single ldap user > > > > ✉*External message:*Use caution. > > Hi > > I need to copy one user ldap from one server to another server, the > users must be exported with all attributes entries .I checked db2ldif > but I cannot seem to find an option for a single user, please suggest > how to export and import a single user in a DS. > > Thank you > > Isabella > > > _______________________________________________ > 389-users mailing list -- 389-users(a)lists.fedoraproject.org > To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject… > Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure >

2 1

Announcing 389 Directory Server 2.0.14
by Mark Reynolds 28 Jan '22

28 Jan '22

389 Directory Server 2.0.14 The 389 Directory Server team is proud to announce 389-ds-base version 2.0.14 Fedora packages are available on Fedora 34, and 35 Fedora 35: https://koji.fedoraproject.org/koji/taskinfo?taskID=82032930 <https://koji.fedoraproject.org/koji/taskinfo?taskID=82032930>- Koji https://bodhi.fedoraproject.org/updates/FEDORA-2022-5aee32fbab <https://bodhi.fedoraproject.org/updates/FEDORA-2022-5aee32fbab>- Bodhi Fedora 34: https://koji.fedoraproject.org/koji/taskinfo?taskID=82034969 <https://koji.fedoraproject.org/koji/taskinfo?taskID=82034969>- Koji https://bodhi.fedoraproject.org/updates/FEDORA-2022-081d784a9c <https://bodhi.fedoraproject.org/updates/FEDORA-2022-081d784a9c>- Bodhi The new packages and versions are: * 389-ds-base-2.0.14-1 Source tarballs are available for download atDownload 389-ds-base Source <https://github.com/389ds/389-ds-base/archive/389-ds-base-2.0.14.tar.gz> Highlights in 2.0.14 * Bug fixes Installation and Upgrade SeeDownload <https://www.port389.org/docs/389ds/download.html>for information about setting up your yum repositories. To install the server use*dnf install 389-ds-base* To install the CockpitUIplugin use*dnf install cockpit-389-ds* After rpm install completes, run*dscreate interactive* For upgrades, simply install the package. There are no further steps required. There are no upgrade steps besides installing the new rpms SeeInstall_Guide <https://www.port389.org/docs/389ds/howto/howto-install-389.html>for more information about the initial installation and setup SeeSource <https://www.port389.org/docs/389ds/development/source.html>for information about source tarballs andSCM(git) access. Feedback We are very interested in your feedback! Please provide feedback and comments to the 389-users mailing list:https://lists.fedoraproject.org/admin/lists/389-users.lists.fedoraproj… If you find a bug, or would like to see a new feature, file it in our GitHub project:https://github.com/389ds/389-ds-base * Bump version to 2.0.14 * Issue 5127 - ds_selinux_restorecon.sh: always exit 0 * Issue 5037 - in OpenQAchangelog trimming can crash the server (#5070) * Issue 4992 -BUG- slapd.socket container fix (#4993) * Issue 5079 -BUG- multiple ways to specific primary (#5087) * Issue 5080 -BUG- multiple index types not handled in openldap migration (#5094) * Issue 5135 -UI- Disk monitoring threshold does update properly * Issue 5129 -BUG- Incorrect fn signature in add_index (#5130) -- Directory Server Development Team

1 0

how to export/import a single ldap user
by Ghiurea, Isabella 28 Jan '22

28 Jan '22

Hi I need to copy one user ldap from one server to another server, the users must be exported with all attributes entries .I checked db2ldif but I cannot seem to find an option for a single user, please suggest how to export and import a single user in a DS. Thank you Isabella

2 1

Running dscontainer as a non-root user
by Steve F 27 Jan '22

27 Jan '22

Hello! Currently dscontainer will start, configure and run ds-389 as a root user. I am wondering if there is support to run as a non-root user? It is as simple as chown'ing the files to a non privileged user, updating nsslapd-localuser to the correct user, then running dscontainer -r as the unprivileged user? Or will this break some other functionality? Cheers, Steve

4 15

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

389-users January 2022