January 2022 - 389-users - Fedora Mailing-Lists

by N R

Hi, I've done some SAML SSO integrations and work regularly with FreeIPA. SSO is usually handled via a protocol like SAML, OpenID or Shibboleth, FreeIPA only serves as LDAP Identity database in these architectures. Our deployments used a "proxy" to handle these authentications and link them with LDAP, SimpleSAMLPHP. The implementation also depends a lot on the way you want to do SSO, centralized, federated, or cooperative. I would recommend to take a look at simplesamlphp documentation as it supports almost every SSO protocols and can easily be integrated to proxy SSO web requests. Regards, Nicolas Le lun. 10 janv. 2022 à 19:50, Jonathan Aquilina <jaquilina(a)eagleeyet.net> a écrit : > Good Evening, > > > > I am just wondering can 389 along side free ipa be used to offer SSO > capabilities? > > > > Regards, > > Jonathan > _______________________________________________ > 389-users mailing list -- 389-users(a)lists.fedoraproject.org > To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje... > Do not reply to spam on the list, report it: > https://pagure.io/fedora-infrastructure >

1 year

2
1
0 / 0

Re: Replication Problem

by Mansoor Raeesi

That is problem with CentOS paste which expires pastes within 24 hours! you may check through this link: https://pastebin.ubuntu.com/p/ktN5HsBrNf/ Thanks On 1/31/22 11:24, Thierry Bordaz wrote: > Hi, > > It returns 404 "page not found" > > regards > thierry > > On 1/30/22 7:58 AM, Mansoor Raeesi wrote: >> Thanks for your kind reply, logging is enabled already and this is >> output of log: >> >> https://paste.centos.org/view/a39010cd >> >> >> On 1/26/22 12:14, Thierry Bordaz wrote: >>> Hi, >>> >>> There are several possible cause why the replication agreement >>> failed to complete the total update. I suggest you enable >>> replication debug log on A and B >>> (https://www.port389.org/docs/389ds/FAQ/faq.html#Troubleshooting), >>> before retrying a total update. If it is the first time you are >>> trying to init B, a common failure is that the RA fails to bind >>> (credential are not properly set). >>> >>> Because of the size of the DB, another option is to init B via an >>> offline import. (on A export DB in ldif format with replication >>> data, send the ldif file to B, import the ldif file on B). This >>> likely speed up the initialization of B but you will still need to >>> fix the RA A->B. >>> >>> regards >>> thierry >>> >>> On 1/26/22 6:41 AM, Mansoor Raeesi wrote: >>>> Hi >>>> >>>> I've recently started 2 different instances on different servers >>>> with 1.4.4.17 version of 389-ds. servers can see each other. >>>> >>>> server A has a database around 28GB & both servers are started in >>>> Master mode. i've created an agreement on server A to be replicated >>>> with server B on port 389 when i initialize the agreement, after a >>>> while i'll receive this error in web console: >>>> >>>> ERR - NSMMReplicationPlugin - repl5_tot_run - Total update failed >>>> for replica "agmt="cn=ServerA-to-ServerB" (ServerB:389)", error (-1) >>>> >>>> Looking forward for your kind help. >>>> _______________________________________________ >>>> 389-users mailing list -- 389-users(a)lists.fedoraproject.org >>>> To unsubscribe send an email to >>>> 389-users-leave(a)lists.fedoraproject.org >>>> Fedora Code of Conduct: >>>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >>>> List Guidelines: >>>> https://fedoraproject.org/wiki/Mailing_list_guidelines >>>> List Archives: >>>> https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje... >>>> Do not reply to spam on the list, report it: >>>> https://pagure.io/fedora-infrastructure >>> >> >

1 year, 1 month

3
2
0 / 0

Replication Problem

by Mansoor Raeesi

Hi I've recently started 2 different instances on different servers with 1.4.4.17 version of 389-ds. servers can see each other. server A has a database around 28GB & both servers are started in Master mode. i've created an agreement on server A to be replicated with server B on port 389 when i initialize the agreement, after a while i'll receive this error in web console: ERR - NSMMReplicationPlugin - repl5_tot_run - Total update failed for replica "agmt="cn=ServerA-to-ServerB" (ServerB:389)", error (-1) Looking forward for your kind help.

1 year, 1 month

2
2
0 / 0

Trying to deny any bind/query rights to Administration Domain suffix for user

by NATHAN TRUHAN

Hello, Sorry for the long post: I have an Oracle Linux 7.9 installation running 389 Directory Server 1.3. It contains 3 suffixes. The first is the o=netscaperoot. The second is the Administration Domain based on the FQN of the server: dc=prodapps, dc=prodvcn, dc=oraclevcn, dc=com. The third is one that was manually created to store users and groups from an AD migration which I will refer to as dc=company,dc=com. Under this third suffix, I created 2 OUs to match what I was retrieving out of AD, ou=MIGRATED, ou=US. I created a user under the dc=company,dc=com called lsc. So its DN is uid=lsc,dc=company,dc=com. This user has full control over the suffix in that it can query, create, and remove objects, it is used with the lsc-project tools to migrate and transform the AD content, which was brought over successfully. I am accessing this from SAP BusinessObjects also remapping from AD to LDAP. And you specify a specific Bind DN and Base DN to utilize and that is what it should use to query from. However, what I see in the Ldap Query behavior from the application is this: LDAP: LdapQueryForEntries: *QUERY* base: dc=company, dc=com, scope: 2, filter: (uid=Test.User), attribute: dn objectclass LDAP: LdapQueryForEntries: *QUERY* result: 0 took 0 ms LDAP: LdapQueryForEntries() *QUERY* number of entries returned: 1 LDAP: LdapQueryForEntries: *QUERY* base: cn=test user, ou=migrated, ou=us, dc=company, dc=com, scope: 0, filter: , attribute: uid CN objectclass LDAP: LdapQueryForEntries: *QUERY* result: 0 took 0 ms LDAP: LdapQueryForEntries() *QUERY* number of entries returned: 1 LDAP: LdapQueryForEntries: *QUERY* base: dc=company, dc=com, scope: 2, filter: (cn=test user), attribute: description objectclass LDAP: LdapQueryForEntries: *QUERY* result: 0 took 0 ms LDAP: LdapQueryForEntries() *QUERY* number of entries returned: 1 GetParents from plugin for secLDAP:cn=test user, ou=migrated, ou=us, dc=company, dc=com LDAP: LdapQueryForAttribute: *QUERY* base: dc=com, scope: 0, filter: (objectclass=*), attribute: dn LDAP: LdapQueryForAttribute: *QUERY* result: 32 took 0 ms LDAP: LdapQueryForAttribute: *QUERY* base: dc=company, dc=com, scope: 0, filter: (objectclass=*), attribute: dn LDAP: LdapQueryForAttribute: *QUERY* result: 0 took 0 ms LDAP: LdapQueryForEntries: *QUERY* base: dc=company, dc=com, scope: 2, filter: (&(objectclass=inetOrgPerson)(cn=test user)), attribute: dn objectclass LDAP: LdapQueryForEntries: *QUERY* result: 0 took 0 ms LDAP: LdapQueryForEntries() *QUERY* number of entries returned: 1 LDAP: LdapQueryForEntries: *QUERY* base: dc=prodapps, dc=prodvcn, dc=oraclevcn, dc=com, scope: 2, filter: (&(objectclass=groupOfNames)(member=cn=test user, ou=migrated, ou=us, dc=company, dc=com)), attribute: dn LDAP: LdapQueryForEntries: *QUERY* result: 0 took 0 ms LDAP: LdapQueryForEntries() *QUERY* number of entries returned: 0 Failed to add alias 'Test.User'. Reason: It is not a member in any of the mapped groups. Error encountered on Object (9388): Creation of the user Test.User cannot complete because the user is not a member in any of the mapped groups. In the above case, I am trying to add the user test.user (which is cn=test user,ou=migrated,ou=us,dc=company,dc=com) and has a uid of test.user. The system finds that without an issue. However, the next part, I don't know how or why the bind user uid=lsc is then changing the base dn to the Administration Domain and attempting the search there for a group member. This base dn should have remained dc=company, dc=com. To get around this, I am trying to block access to the Administration Domain suffix for the lsc user. I removed anonymous bind access, then added this aci: dn: dc=prodapps,dc=prodvcn,dc=oraclevcn,dc=com changetype: modify add: aci aci: (target="ldap:///dc=prodapps,dc=prodvcn,dc=oraclevcn,dc=com") (version 3.0; acl "Deny company dc user access to prodapps"; deny(all) userdn="ldap:///uid=*,dc=company,dc=com || ldap:///cn=*,dc=company,dc=com";) After this, when using tools such as Apache Directory Studio, the lsc user didn't see the Admin Domain if it went to retrieve the available DNs. However, a ldapsearch still worked, it did a bind properly, just returned no records like expected: ldapsearch -x -LLL -h server -p 389 -D "uid=lsc,dc=company,dc=com" -b "dc=prodapps, dc=prodvcn, dc=oraclevcn, dc=com" -W "(&(objectclass=groupOfNames)(member=cn=test user, ou=migrated, ou=us, dc=company, dc=com))" Is there any way I can block a dn completely so it would fail to connect to the search not just return 0 records? This way the application wouldn't be able to retrieve it and move on to another DN. Or what would be the detriment of 389 DS running with just the one Suffix that is both the Administration Domain as well as the one used for migration (which occurs only under the ou)? i.e. re-creating the Administration Domain as dc=company,dc=com instead of the FQM domain of dc=prodapps,dc=prodvcn,dc=oraclevcn,dc=com. Thanks in advance, and sorry for the long post. Nathan

1 year, 1 month

2
1
0 / 0

Re: how to export/import a single ldap user

by Rob Crittenden

Rob Murray wrote: > Isabella > > > > Just do an ldapsearch send the output to a file, Edit the file and > insert the line below after the dn: line in the ldi It depends on what attributes are needed. If you need things like userPassword that are normally not visible you should bind as the Directory Manager. In order to get the full entry, including operational attributes, you probably need two searches. One for * (default) and one for + (operational) and then combine the results. At least I don't know of a way to get both at once. rob > > changetype: add > > > > run ldapmodify against the server or on the server where the entry is to > be added. > > > > man ldapadd > > > > Rob. > > > > > > *From:* Ghiurea, Isabella <Isabella.Ghiurea(a)nrc-cnrc.gc.ca> > *Sent:* January 28, 2022 12:19 PM > *To:* General discussion list for the 389 Directory server project. > <389-users(a)lists.fedoraproject.org> > *Subject:* [389-users] how to export/import a single ldap user > > > > ✉*External message:*Use caution. > > Hi > > I need to copy one user ldap from one server to another server, the > users must be exported with all attributes entries .I checked db2ldif > but I cannot seem to find an option for a single user, please suggest > how to export and import a single user in a DS. > > Thank you > > Isabella > > > _______________________________________________ > 389-users mailing list -- 389-users(a)lists.fedoraproject.org > To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje... > Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure >

1 year, 1 month

2
1
0 / 0

Announcing 389 Directory Server 2.0.14

by Mark Reynolds

389 Directory Server 2.0.14 The 389 Directory Server team is proud to announce 389-ds-base version 2.0.14 Fedora packages are available on Fedora 34, and 35 Fedora 35: https://koji.fedoraproject.org/koji/taskinfo?taskID=82032930 <https://koji.fedoraproject.org/koji/taskinfo?taskID=82032930>- Koji https://bodhi.fedoraproject.org/updates/FEDORA-2022-5aee32fbab <https://bodhi.fedoraproject.org/updates/FEDORA-2022-5aee32fbab>- Bodhi Fedora 34: https://koji.fedoraproject.org/koji/taskinfo?taskID=82034969 <https://koji.fedoraproject.org/koji/taskinfo?taskID=82034969>- Koji https://bodhi.fedoraproject.org/updates/FEDORA-2022-081d784a9c <https://bodhi.fedoraproject.org/updates/FEDORA-2022-081d784a9c>- Bodhi The new packages and versions are: * 389-ds-base-2.0.14-1 Source tarballs are available for download atDownload 389-ds-base Source <https://github.com/389ds/389-ds-base/archive/389-ds-base-2.0.14.tar.gz> Highlights in 2.0.14 * Bug fixes Installation and Upgrade SeeDownload <https://www.port389.org/docs/389ds/download.html>for information about setting up your yum repositories. To install the server use*dnf install 389-ds-base* To install the CockpitUIplugin use*dnf install cockpit-389-ds* After rpm install completes, run*dscreate interactive* For upgrades, simply install the package. There are no further steps required. There are no upgrade steps besides installing the new rpms SeeInstall_Guide <https://www.port389.org/docs/389ds/howto/howto-install-389.html>for more information about the initial installation and setup SeeSource <https://www.port389.org/docs/389ds/development/source.html>for information about source tarballs andSCM(git) access. Feedback We are very interested in your feedback! Please provide feedback and comments to the 389-users mailing list:https://lists.fedoraproject.org/admin/lists/389-users.lists.fedorapr... If you find a bug, or would like to see a new feature, file it in our GitHub project:https://github.com/389ds/389-ds-base * Bump version to 2.0.14 * Issue 5127 - ds_selinux_restorecon.sh: always exit 0 * Issue 5037 - in OpenQAchangelog trimming can crash the server (#5070) * Issue 4992 -BUG- slapd.socket container fix (#4993) * Issue 5079 -BUG- multiple ways to specific primary (#5087) * Issue 5080 -BUG- multiple index types not handled in openldap migration (#5094) * Issue 5135 -UI- Disk monitoring threshold does update properly * Issue 5129 -BUG- Incorrect fn signature in add_index (#5130) -- Directory Server Development Team

1 year, 1 month

1
0
0 / 0

how to export/import a single ldap user

by Ghiurea, Isabella

Hi I need to copy one user ldap from one server to another server, the users must be exported with all attributes entries .I checked db2ldif but I cannot seem to find an option for a single user, please suggest how to export and import a single user in a DS. Thank you Isabella

1 year, 1 month

2
1
0 / 0

Running dscontainer as a non-root user

by Steve F

Hello! Currently dscontainer will start, configure and run ds-389 as a root user. I am wondering if there is support to run as a non-root user? It is as simple as chown'ing the files to a non privileged user, updating nsslapd-localuser to the correct user, then running dscontainer -r as the unprivileged user? Or will this break some other functionality? Cheers, Steve

1 year, 1 month

4
15
0 / 0

ssh does not see my access.conf

by Dudas Tibor ABRAXAS

Hi, I can resolve my netgroup user via getent and can login with her on my 389ds client via ssh. What does not work, yet, is to exclude all other users. The Config is: getent netgroup sysadmin sysadmin ( ,eve,) cat /etc/security/access.conf +:root:LOCAL +:root:ALL +:@sysadmin:ALL -:ALL:ALL EXCEPT LOCAL Cat /etc/pam.d/system-auth … account required pam_access.so accessfile=/etc/security/access.netgroup.conf cat =/etc/security/access.netgroup.conf +:root:LOCAL +:root:ALL +:@sysadmin:ALL -:ALL:ALL EXCEPT LOCAL The client logs say, when I try to login with user alice from my 389ds, not belonging to my netgroup sysadmin: (Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [ou=groups,dc=example,dc=com] (Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(gidNumber=1002)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][ou=groups, dc=example,dc=com]. (Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results. (Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [sysdb_search_group_by_gid] (0x0400): No such entry (Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [sysdb_delete_group] (0x0400): Error: 2 (No such file or directory) (Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [dp_req_done] (0x0400): DP Request [Account #48]: Request handler finished [0]: Success (Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [_dp_req_recv] (0x0400): DP Request [Account #48]: Receiving request data. (Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [dp_req_reply_list_success] (0x0400): DP Request [Account #48]: Finished. Success. The client does not even look for netgroups, but lets everyone pass. What did I miss? Any help is appreciated. Kind regards, Tibor

1 year, 1 month

2
3
0 / 0

Announcing 389 Directory Server 2.0.13

by Mark Reynolds

389 Directory Server 2.0.13 The 389 Directory Server team is proud to announce 389-ds-base version 2.0.13 Fedora packages are available on Fedora 34, 35, and Rawhide Rawhide: https://koji.fedoraproject.org/koji/taskinfo?taskID=81773299 <https://koji.fedoraproject.org/koji/taskinfo?taskID=81773299> - Koji Fedora 35: https://koji.fedoraproject.org/koji/taskinfo?taskID=81773041 <https://koji.fedoraproject.org/koji/taskinfo?taskID=81773041> - Koji https://bodhi.fedoraproject.org/updates/FEDORA-2022-7f62add497 <https://bodhi.fedoraproject.org/updates/FEDORA-2022-7f62add497> - Bodhi Fedora 34: https://koji.fedoraproject.org/koji/taskinfo?taskID=81773433 <https://koji.fedoraproject.org/koji/taskinfo?taskID=81773433> - Koji https://bodhi.fedoraproject.org/updates/FEDORA-2022-90be8dbcb6 <https://bodhi.fedoraproject.org/updates/FEDORA-2022-90be8dbcb6> - Bodhi The new packages and versions are: * 389-ds-base-2.0.13-1 Source tarballs are available for download at Download 389-ds-base Source <https://github.com/389ds/389-ds-base/archive/389-ds-base-2.0.13.tar.gz> Highlights in 2.0.13 * Bug and Security fixes * Cockpit UI - LDAP Editor completed features: search/add/edit/delete/rename & ACI editor Installation and Upgrade See Download <https://www.port389.org/docs/389ds/download.html> for information about setting up your yum repositories. To install the server use *dnf install 389-ds-base* To install the Cockpit UI plugin use *dnf install cockpit-389-ds* After rpm install completes, run *dscreate interactive* For upgrades, simply install the package. There are no further steps required. There are no upgrade steps besides installing the new rpms See Install_Guide <https://www.port389.org/docs/389ds/howto/howto-install-389.html> for more information about the initial installation and setup See Source <https://www.port389.org/docs/389ds/development/source.html> for information about source tarballs and SCM (git) access. Feedback We are very interested in your feedback! Please provide feedback and comments to the 389-users mailing list: https://lists.fedoraproject.org/admin/lists/389-users.lists.fedoraproject... If you find a bug, or would like to see a new feature, file it in our GitHub project: https://github.com/389ds/389-ds-base * Bump version to 2.0.13 * Issue 5132 - Update Rust crate lru to fix - CVE-2021-45720 * Issue 3555 - UI - fix audit issue with npm nanoid * Issue 4299 - UI - Add ACI editing features * Issue 4299 - UI - LDAP editor - add “edit” and “rename” functionality * Issue 5127 - run restorecon on /dev/shm at server startup * Issue 5124 - dscontainer fails to create an instance * Issue 4312 - fix compiler warnings * Issue 5115 - AttributeError: type object ‘build_manpages’ has no attribute ‘build_manpages’ * Issue 4312 - performance search rate: contention on global monitoring counters (#4940) * Issue 5105 - During a bind, if the target entry is not reachable the operation may complete without sending result (#5107) * Issue 5095 - sync-repl with openldap may send truncated syncUUID (#5099) * Issue 3584 - Add is_fips check to password tests (#5100) * Issue 5074 - retro changelog cli updates (#5075) * Issue 4994 - Revert retrocl dependency workaround (#4995) -- Directory Server Development Team

1 year, 1 month

3
3
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

389-users January 2022