Re: SSO and 389
by N R
Hi,
I've done some SAML SSO integrations and work regularly with FreeIPA.
SSO is usually handled via a protocol like SAML, OpenID or Shibboleth;
FreeIPA only serves as the LDAP identity database in these architectures.
Our deployments used a "proxy" to handle these authentications and link
them with LDAP: SimpleSAMLPHP.
The implementation also depends a lot on the way you want to do SSO:
centralized, federated, or cooperative.
I would recommend taking a look at the simplesamlphp documentation, as it
supports almost every SSO protocol and can easily be integrated to proxy
SSO web requests.
Regards,
Nicolas
On Mon, 10 Jan 2022 at 19:50, Jonathan Aquilina <jaquilina(a)eagleeyet.net>
wrote:
> Good Evening,
>
> I am just wondering, can 389 alongside FreeIPA be used to offer SSO
> capabilities?
>
> Regards,
>
> Jonathan
> _______________________________________________
> 389-users mailing list -- 389-users(a)lists.fedoraproject.org
> To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje...
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
>
Re: Replication Problem
by Mansoor Raeesi
That is a problem with CentOS paste, which expires pastes within 24 hours!
You may check through this link:
https://pastebin.ubuntu.com/p/ktN5HsBrNf/
Thanks
On 1/31/22 11:24, Thierry Bordaz wrote:
> Hi,
>
> It returns 404 "page not found"
>
> regards
> thierry
>
> On 1/30/22 7:58 AM, Mansoor Raeesi wrote:
>> Thanks for your kind reply, logging is enabled already and this is the
>> output of the log:
>>
>> https://paste.centos.org/view/a39010cd
>>
>>
>> On 1/26/22 12:14, Thierry Bordaz wrote:
>>> Hi,
>>>
>>> There are several possible causes why the replication agreement
>>> failed to complete the total update. I suggest you enable the
>>> replication debug log on A and B
>>> (https://www.port389.org/docs/389ds/FAQ/faq.html#Troubleshooting)
>>> before retrying a total update. If it is the first time you are
>>> trying to init B, a common failure is that the RA fails to bind
>>> (credentials are not properly set).
>>>
>>> Because of the size of the DB, another option is to init B via an
>>> offline import (on A, export the DB in ldif format with replication
>>> data, send the ldif file to B, import the ldif file on B). This
>>> will likely speed up the initialization of B, but you will still need to
>>> fix the RA A->B.
>>>
>>> regards
>>> thierry
>>>
>>> On 1/26/22 6:41 AM, Mansoor Raeesi wrote:
>>>> Hi
>>>>
>>>> I've recently started 2 different instances on different servers
>>>> with the 1.4.4.17 version of 389-ds. The servers can see each other.
>>>>
>>>> Server A has a database of around 28GB & both servers are started in
>>>> Master mode. I've created an agreement on server A to be replicated
>>>> with server B on port 389. When I initialize the agreement, after a
>>>> while I receive this error in the web console:
>>>>
>>>> ERR - NSMMReplicationPlugin - repl5_tot_run - Total update failed
>>>> for replica "agmt="cn=ServerA-to-ServerB" (ServerB:389)", error (-1)
>>>>
>>>> Looking forward to your kind help.
Replication Problem
by Mansoor Raeesi
Hi
I've recently started 2 different instances on different servers with
the 1.4.4.17 version of 389-ds. The servers can see each other.
Server A has a database of around 28GB & both servers are started in Master
mode. I've created an agreement on server A to be replicated with server
B on port 389. When I initialize the agreement, after a while I
receive this error in the web console:
ERR - NSMMReplicationPlugin - repl5_tot_run - Total update failed for
replica "agmt="cn=ServerA-to-ServerB" (ServerB:389)", error (-1)
Looking forward to your kind help.
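The failure in this thread surfaced only in the web console. Thierry's advice is to turn on the replication debug log and retry; the following script is an added example (not code from the 389-ds project) that watches the errors log for the exact "Total update failed" message quoted above and pulls out the agreement name, the remote host and port, and the error code, so a failed initialization is noticed and can be alerted on. The log excerpt is constructed: the ERR line is the one from the thread, re-joined onto a single line with a timestamp added, and the INFO line is made up for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of a 389-ds errors log excerpt. The ERR line is the one quoted in the
# thread above, re-joined onto a single line and given a timestamp; the INFO line is constructed.
SAMPLE_ERRORS_LOG = """\
[26/Jan/2022:06:30:00.000000000 +0000] - INFO - NSMMReplicationPlugin - repl5_tot_run - Beginning total update of replica "agmt="cn=ServerA-to-ServerB" (ServerB:389)".
[26/Jan/2022:06:41:00.000000000 +0000] - ERR - NSMMReplicationPlugin - repl5_tot_run - Total update failed for replica "agmt="cn=ServerA-to-ServerB" (ServerB:389)", error (-1)
"""

# Optional "[timestamp] - " prefix, then the message text exactly as quoted in the thread.
FAILURE_RE = re.compile(
    r'^(?:\[(?P<ts>[^\]]+)\] - )?ERR - NSMMReplicationPlugin - repl5_tot_run - '
    r'Total update failed for replica "agmt="cn=(?P<agmt>[^"]+)" '
    r'\((?P<host>[^:)]+):(?P<port>\d+)\)", error \((?P<code>-?\d+)\)'
)


@dataclass
class TotalUpdateFailure:
    timestamp: Optional[str]   # None when the line carries no timestamp (as in the console copy)
    agreement: str             # cn of the replication agreement
    host: str                  # remote replica host from the agreement's long name
    port: int
    error: int                 # the error code in parentheses, -1 in the thread's case


def parse_failure(line: str) -> Optional[TotalUpdateFailure]:
    """Return the parsed failure for a matching log line, None for any other line."""
    m = FAILURE_RE.match(line.strip())
    if not m:
        return None
    return TotalUpdateFailure(m["ts"], m["agmt"], m["host"], int(m["port"]), int(m["code"]))


def find_total_update_failures(log_text: str) -> List[TotalUpdateFailure]:
    """Scan a whole errors log and keep only the total-update failures."""
    return [f for f in map(parse_failure, log_text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in find_total_update_failures(SAMPLE_ERRORS_LOG):
        print(f"{f.timestamp}: total update {f.agreement} -> {f.host}:{f.port} failed, error {f.error}")
```

Running it against a real instance means feeding it the errors log of the supplier (server A in the thread), since that is the side that runs the total update; the debug-level output Thierry suggests enabling lands in the same file and passes through the filter untouched.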
Trying to deny any bind/query rights to Administration Domain suffix for user
by NATHAN TRUHAN
Hello,
Sorry for the long post:
I have an Oracle Linux 7.9 installation running 389 Directory Server 1.3.
It contains 3 suffixes. The first is the o=netscaperoot. The second is
the Administration Domain based on the FQN of the server: dc=prodapps,
dc=prodvcn, dc=oraclevcn, dc=com. The third is one that was manually
created to store users and groups from an AD migration which I will refer
to as dc=company,dc=com. Under this third suffix, I created 2 OUs to match
what I was retrieving out of AD, ou=MIGRATED, ou=US.
I created a user under the dc=company,dc=com called lsc. So its DN is
uid=lsc,dc=company,dc=com. This user has full control over the suffix in
that it can query, create, and remove objects, it is used with the
lsc-project tools to migrate and transform the AD content, which was
brought over successfully.
I am accessing this from SAP BusinessObjects, which is also being remapped from AD to
LDAP. You specify a specific Bind DN and Base DN to utilize, and that
is what it should use to query from.
However, what I see in the Ldap Query behavior from the application is this:
LDAP: LdapQueryForEntries: *QUERY* base: dc=company, dc=com, scope: 2,
filter: (uid=Test.User), attribute: dn objectclass
LDAP: LdapQueryForEntries: *QUERY* result: 0 took 0 ms
LDAP: LdapQueryForEntries() *QUERY* number of entries returned: 1
LDAP: LdapQueryForEntries: *QUERY* base: cn=test user, ou=migrated, ou=us,
dc=company, dc=com, scope: 0, filter: , attribute: uid CN objectclass
LDAP: LdapQueryForEntries: *QUERY* result: 0 took 0 ms
LDAP: LdapQueryForEntries() *QUERY* number of entries returned: 1
LDAP: LdapQueryForEntries: *QUERY* base: dc=company, dc=com, scope: 2,
filter: (cn=test user), attribute: description objectclass
LDAP: LdapQueryForEntries: *QUERY* result: 0 took 0 ms
LDAP: LdapQueryForEntries() *QUERY* number of entries returned: 1
GetParents from plugin for secLDAP:cn=test user, ou=migrated, ou=us,
dc=company, dc=com
LDAP: LdapQueryForAttribute: *QUERY* base: dc=com, scope: 0, filter:
(objectclass=*), attribute: dn
LDAP: LdapQueryForAttribute: *QUERY* result: 32 took 0 ms
LDAP: LdapQueryForAttribute: *QUERY* base: dc=company, dc=com, scope: 0,
filter: (objectclass=*), attribute: dn
LDAP: LdapQueryForAttribute: *QUERY* result: 0 took 0 ms
LDAP: LdapQueryForEntries: *QUERY* base: dc=company, dc=com, scope: 2,
filter: (&(objectclass=inetOrgPerson)(cn=test user)), attribute: dn
objectclass
LDAP: LdapQueryForEntries: *QUERY* result: 0 took 0 ms
LDAP: LdapQueryForEntries() *QUERY* number of entries returned: 1
LDAP: LdapQueryForEntries: *QUERY* base: dc=prodapps, dc=prodvcn,
dc=oraclevcn, dc=com, scope: 2, filter:
(&(objectclass=groupOfNames)(member=cn=test user, ou=migrated, ou=us,
dc=company, dc=com)), attribute: dn
LDAP: LdapQueryForEntries: *QUERY* result: 0 took 0 ms
LDAP: LdapQueryForEntries() *QUERY* number of entries returned: 0
Failed to add alias 'Test.User'. Reason: It is not a member in any of the
mapped groups.
Error encountered on Object (9388): Creation of the user Test.User cannot
complete because the user is not a member in any of the mapped groups.
In the above case, I am trying to add the user test.user (which is cn=test
user,ou=migrated,ou=us,dc=company,dc=com) and has a uid of test.user. The
system finds that without an issue.
However, for the next part, I don't know how or why the bind user uid=lsc is
then changing the base DN to the Administration Domain and attempting the
search there for a group member. This base DN should have remained
dc=company, dc=com.
To get around this, I am trying to block access to the Administration
Domain suffix for the lsc user. I removed anonymous bind access, then
added this aci:
dn: dc=prodapps,dc=prodvcn,dc=oraclevcn,dc=com
changetype: modify
add: aci
aci: (target="ldap:///dc=prodapps,dc=prodvcn,dc=oraclevcn,dc=com")
(version 3.0; acl "Deny company dc user access to prodapps";
deny(all) userdn="ldap:///uid=*,dc=company,dc=com ||
ldap:///cn=*,dc=company,dc=com";)
After this, when using tools such as Apache Directory Studio, the lsc user
didn't see the Admin Domain if it went to retrieve the available DNs.
However, an ldapsearch still worked; it bound properly and just returned
no records, as expected:
ldapsearch -x -LLL -h server -p 389 -D "uid=lsc,dc=company,dc=com" -b
"dc=prodapps, dc=prodvcn, dc=oraclevcn, dc=com" -W
"(&(objectclass=groupOfNames)(member=cn=test user, ou=migrated, ou=us,
dc=company, dc=com))"
Is there any way I can block a DN completely so that it would fail to connect for
the search, not just return 0 records? This way the application wouldn't be
able to retrieve it and would move on to another DN.
Or what would be the detriment of 389 DS running with just the one suffix
that is both the Administration Domain as well as the one used for
migration (which occurs only under the OU)? I.e. re-creating the
Administration Domain as dc=company,dc=com instead of the FQN domain of
dc=prodapps,dc=prodvcn,dc=oraclevcn,dc=com.
Thanks in advance, and sorry for the long post.
Nathan
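The query trace in the post is the evidence that the application wandered off the configured base DN: two of its searches use dc=com and the Administration Domain as their base. As an added example (not part of the post or of any product shown in it), the script below parses that trace, pairs each query with the LDAP result code of the line that follows it, and lists every query whose base is not at or below the base DN the application was configured with. The trace is constructed from the post's own lines, re-joined where the mail wrapped them; DN handling is deliberately simple (split on commas, lower-case) and does not cope with escaped commas inside an RDN value.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the application's query trace quoted in the post above, with each
# wrapped log line re-joined onto a single line.
SAMPLE_TRACE = """\
LDAP: LdapQueryForEntries: *QUERY* base: dc=company, dc=com, scope: 2, filter: (uid=Test.User), attribute: dn objectclass
LDAP: LdapQueryForEntries: *QUERY* result: 0 took 0 ms
LDAP: LdapQueryForEntries() *QUERY* number of entries returned: 1
LDAP: LdapQueryForAttribute: *QUERY* base: dc=com, scope: 0, filter: (objectclass=*), attribute: dn
LDAP: LdapQueryForAttribute: *QUERY* result: 32 took 0 ms
LDAP: LdapQueryForAttribute: *QUERY* base: dc=company, dc=com, scope: 0, filter: (objectclass=*), attribute: dn
LDAP: LdapQueryForAttribute: *QUERY* result: 0 took 0 ms
LDAP: LdapQueryForEntries: *QUERY* base: dc=prodapps, dc=prodvcn, dc=oraclevcn, dc=com, scope: 2, filter: (&(objectclass=groupOfNames)(member=cn=test user, ou=migrated, ou=us, dc=company, dc=com)), attribute: dn
LDAP: LdapQueryForEntries: *QUERY* result: 0 took 0 ms
LDAP: LdapQueryForEntries() *QUERY* number of entries returned: 0
"""

# A query line; the base runs up to ", scope:" and the filter up to ", attribute:".
QUERY_RE = re.compile(r"\*QUERY\* base: (?P<base>.*?), scope: (?P<scope>\d+), filter: (?P<filter>.*?), attribute: ")
# The result line that follows it; 0 is success, 32 is noSuchObject.
RESULT_RE = re.compile(r"\*QUERY\* result: (?P<code>\d+) took")


@dataclass
class Query:
    base: str                      # normalized search base
    scope: int                     # 0 = base, 1 = one level, 2 = subtree
    ldap_filter: str
    result: Optional[int] = None   # LDAP result code from the following "result:" line


def normalize_dn(dn: str) -> str:
    """Lower-case each RDN and drop the whitespace after commas so DNs compare reliably."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def is_under(dn: str, base: str) -> bool:
    """True when dn equals base or lies below it (RDN-wise suffix comparison)."""
    dn_parts = normalize_dn(dn).split(",")
    base_parts = normalize_dn(base).split(",")
    return len(dn_parts) >= len(base_parts) and dn_parts[-len(base_parts):] == base_parts


def parse_queries(trace: str) -> List[Query]:
    """Turn the trace into Query records, attaching each result code to the query before it."""
    queries: List[Query] = []
    for line in trace.splitlines():
        m = QUERY_RE.search(line)
        if m:
            queries.append(Query(normalize_dn(m["base"]), int(m["scope"]), m["filter"]))
            continue
        m = RESULT_RE.search(line)
        if m and queries and queries[-1].result is None:
            queries[-1].result = int(m["code"])
    return queries


def find_out_of_base_queries(trace: str, configured_base: str) -> List[Query]:
    """Queries whose search base is not at or below the base DN configured in the application."""
    return [q for q in parse_queries(trace) if not is_under(q.base, configured_base)]


if __name__ == "__main__":
    for q in find_out_of_base_queries(SAMPLE_TRACE, "dc=company,dc=com"):
        print(f"outside base: base={q.base} scope={q.scope} filter={q.ldap_filter!r} result={q.result}")
```

On the post's trace this reports the dc=com base search (result 32, noSuchObject, since no such suffix exists) and the group search under the Administration Domain (result 0 with no entries returned). That is the pair of queries the ACI in the post is trying to block, and the same check, run over a longer trace, shows every other place the application leaves dc=company,dc=com.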
Re: how to export/import a single ldap user
by Rob Crittenden
Rob Murray wrote:
> Isabella
>
>
>
> Just do an ldapsearch send the output to a file, Edit the file and
> insert the line below after the dn: line in the ldi
It depends on what attributes are needed. If you need things like
userPassword that are normally not visible you should bind as the
Directory Manager.
In order to get the full entry, including operational attributes, you
probably need two searches. One for * (default) and one for +
(operational) and then combine the results. At least I don't know of a
way to get both at once.
rob
>
> changetype: add
>
> run ldapmodify against the server or on the server where the entry is to
> be added.
>
> man ldapadd
>
> Rob.
>
> *From:* Ghiurea, Isabella <Isabella.Ghiurea(a)nrc-cnrc.gc.ca>
> *Sent:* January 28, 2022 12:19 PM
> *To:* General discussion list for the 389 Directory server project.
> <389-users(a)lists.fedoraproject.org>
> *Subject:* [389-users] how to export/import a single ldap user
>
> Hi
>
> I need to copy one ldap user from one server to another server; the
> user must be exported with all attribute entries. I checked db2ldif
> but I cannot seem to find an option for a single user. Please suggest
> how to export and import a single user in a DS.
>
> Thank you
>
> Isabella
how to export/import a single ldap user
by Ghiurea, Isabella
Hi
I need to copy one ldap user from one server to another server; the user must be exported with all attribute entries. I checked db2ldif but I cannot seem to find an option for a single user. Please suggest how to export and import a single user in a DS.
Thank you
Isabella
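Putting the two replies above together: Rob Murray's recipe is an ldapsearch to a file, a "changetype: add" line inserted after the dn line, then ldapmodify; Rob Crittenden adds that the operational attributes need a second search for "+" and that the two results have to be combined. The script below is an added example (not code from the 389-ds project or from either poster) that does the combining step mechanically: it parses both LDIF outputs, re-joins folded continuation lines, keeps base64 "::" values intact, drops the server-maintained attributes that an add would be refused for, and emits a single ldapmodify record. The two LDIF samples are constructed stand-ins for the ldapsearch output; the set of attributes to drop is the RFC 4512 / RFC 5020 NO-USER-MODIFICATION list plus 389-ds's entry bookkeeping attributes, and is an assumption to extend if the target server rejects anything else.

```python
import base64
from typing import List, Tuple

# The two searches the replies describe, run on the source server and bound as Directory
# Manager so that userPassword is returned. Shown for context only; the constructed
# samples below stand in for their output.
#   ldapsearch -LLL -x -D "cn=Directory Manager" -W -b dc=example,dc=com "(uid=jdoe)" "*" > user.ldif
#   ldapsearch -LLL -x -D "cn=Directory Manager" -W -b dc=example,dc=com "(uid=jdoe)" "+" > oper.ldif

# Constructed sample of the "*" search output (includes a folded line and a base64 value).
USER_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
uid: jdoe
cn: John Doe
sn: Doe
description: a deliberately long value that ldapsearch folds onto a continuati
 on line
userPassword:: e1NTSEF9YWJj
"""

# Constructed sample of the "+" search output.
OPERATIONAL_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
creatorsName: cn=directory manager
modifiersName: cn=directory manager
createTimestamp: 20220128120000Z
modifyTimestamp: 20220128120000Z
entryid: 42
entrydn: uid=jdoe,ou=people,dc=example,dc=com
numSubordinates: 0
"""

# Server-maintained attributes that an add operation must not carry (assumption: extend this
# set with anything else your target server rejects on add).
NO_USER_MODIFICATION = {
    "createtimestamp", "modifytimestamp", "creatorsname", "modifiersname",
    "subschemasubentry", "entrydn", "entryid", "numsubordinates", "hassubordinates",
}


def parse_ldif_entry(text: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Return (dn, [(attribute, raw_rest)]) for a single LDIF entry.

    Folded continuation lines (leading space) are re-joined. Each value is kept as the raw
    text after the first ':' so that '::' base64 and ':<' URL forms are emitted unchanged."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    dn = None
    attrs: List[Tuple[str, str]] = []
    for line in lines:
        name, _, rest = line.partition(":")
        if name.lower() == "dn":
            dn = base64.b64decode(rest[1:].strip()).decode() if rest.startswith(":") else rest.strip()
        else:
            attrs.append((name, rest))
    if dn is None:
        raise ValueError("LDIF entry has no dn")
    return dn, attrs


def build_add_ldif(user_ldif: str, operational_ldif: str) -> str:
    """Merge the '*' and '+' search results for one entry into an ldapmodify add record."""
    dn, attrs = parse_ldif_entry(user_ldif)
    oper_dn, oper_attrs = parse_ldif_entry(operational_ldif)
    if dn.lower() != oper_dn.lower():
        raise ValueError(f"DN mismatch: {dn!r} vs {oper_dn!r}")
    out = [f"dn: {dn}", "changetype: add"]
    seen = set()
    for name, rest in attrs + oper_attrs:
        base_name = name.split(";", 1)[0].lower()   # ignore attribute options such as ;binary
        if base_name in NO_USER_MODIFICATION or (base_name, rest) in seen:
            continue
        seen.add((base_name, rest))
        out.append(f"{name}:{rest}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_add_ldif(USER_LDIF, OPERATIONAL_LDIF))
```

The record it prints is what "man ldapadd" expects; on the target server it goes in with ldapmodify -x -D "cn=Directory Manager" -W -f merged.ldif, again as Directory Manager so that the hashed userPassword value is accepted as given.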
Running dscontainer as a non-root user
by Steve F
Hello!
Currently dscontainer will start, configure and run ds-389 as the root user. I am wondering if there is support to run as a non-root user?
Is it as simple as chown'ing the files to a non-privileged user, updating nsslapd-localuser to the correct user, then running dscontainer -r as the unprivileged user?
Or will this break some other functionality?
Cheers,
Steve
ssh does not see my access.conf
by Dudas Tibor ABRAXAS
Hi,
I can resolve my netgroup user via getent and can log in as her on my 389ds client via ssh.
What does not work yet is to exclude all other users.
The Config is:
getent netgroup sysadmin
sysadmin ( ,eve,)
cat /etc/security/access.conf
+:root:LOCAL
+:root:ALL
+:@sysadmin:ALL
-:ALL:ALL EXCEPT LOCAL
cat /etc/pam.d/system-auth
…
account required pam_access.so accessfile=/etc/security/access.netgroup.conf
cat /etc/security/access.netgroup.conf
+:root:LOCAL
+:root:ALL
+:@sysadmin:ALL
-:ALL:ALL EXCEPT LOCAL
The client logs say, when I try to log in with user alice from my 389ds, who does not belong to my netgroup sysadmin:
(Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [ou=groups,dc=example,dc=com]
(Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(gidNumber=1002)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][ou=groups, dc=example,dc=com].
(Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.
(Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [sysdb_search_group_by_gid] (0x0400): No such entry
(Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [sysdb_delete_group] (0x0400): Error: 2 (No such file or directory)
(Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [dp_req_done] (0x0400): DP Request [Account #48]: Request handler finished [0]: Success
(Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [_dp_req_recv] (0x0400): DP Request [Account #48]: Receiving request data.
(Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [dp_req_reply_list_success] (0x0400): DP Request [Account #48]: Finished. Success.
The client does not even look for netgroups, but lets everyone pass. What did I miss?
Any help is appreciated.
Kind regards, Tibor
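A useful first check when a pam_access rule file seems to be ignored is to separate two questions: what would the rules decide for this user and origin, and is the rule file being consulted at all. The script below answers the first one. It is an added example (not code from pam_access, sssd or the poster) that evaluates an access.conf file with the semantics the pam_access manual describes: rules are tried top to bottom, the first rule whose user list and origin list both match decides, EXCEPT subtracts from a list, @name is a netgroup, LOCAL matches an origin that contains no dot, and a file with no matching rule grants access. The netgroup membership, the empty local-group map and the rule text are constructed from the values the post shows.

```python
from typing import Callable, Dict, Optional, Set, Tuple

# Constructed inputs mirroring the post above: the netgroup as getent shows it, no local
# groups, and the access.conf rules as listed.
NETGROUPS: Dict[str, Set[str]] = {"sysadmin": {"eve"}}
LOCAL_GROUPS: Dict[str, Set[str]] = {}
ACCESS_CONF = """\
+:root:LOCAL
+:root:ALL
+:@sysadmin:ALL
-:ALL:ALL EXCEPT LOCAL
"""


def _items(field: str):
    # list items in access.conf are separated by spaces (or commas)
    return [x for x in field.replace(",", " ").split() if x]


def _user_matches(spec: str, user: str, netgroups, groups) -> bool:
    if spec == "ALL":
        return True
    if spec.startswith("@"):                              # @netgroup
        return user in netgroups.get(spec[1:], set())
    if spec.startswith("(") and spec.endswith(")"):       # (group), explicit group form
        return user in groups.get(spec[1:-1], set())
    return spec == user or user in groups.get(spec, set())  # login name, else a group name


def _origin_matches(spec: str, origin: str) -> bool:
    if spec == "ALL":
        return True
    if spec == "LOCAL":                                   # LOCAL: an origin with no '.' in it
        return "." not in origin
    return spec == origin                                 # exact host/tty/address; no wildcards here


def _list_matches(field: str, match: Callable[[str], bool]) -> bool:
    """'a b EXCEPT c': true if something before EXCEPT matches and nothing after it does."""
    head, _, tail = field.partition(" EXCEPT ")
    if not any(match(s) for s in _items(head)):
        return False
    return not any(match(s) for s in _items(tail))


def evaluate(conf: str, user: str, origin: str,
             netgroups=NETGROUPS, groups=LOCAL_GROUPS) -> Tuple[str, Optional[str]]:
    """First matching rule decides; with no matching rule pam_access grants access ('+', None)."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()               # '#' starts a comment
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if (_list_matches(users, lambda s: _user_matches(s, user, netgroups, groups))
                and _list_matches(origins, lambda s: _origin_matches(s, origin))):
            return perm, line
    return "+", None


if __name__ == "__main__":
    for user, origin in (("eve", "10.0.0.5"), ("alice", "10.0.0.5"), ("root", "tty1"), ("alice", "tty1")):
        perm, rule = evaluate(ACCESS_CONF, user, origin)
        print(f"{user:6} from {origin:9}: {'allow' if perm == '+' else 'deny':5} rule={rule}")
```

For alice arriving over the network (an origin such as 10.0.0.5) the rules as written hit "-:ALL:ALL EXCEPT LOCAL" and deny; eve is admitted by the @sysadmin rule, and alice from a dot-less local origin such as tty1 falls through every rule and is allowed by default. What this simulator cannot tell you is whether sshd's PAM stack actually reaches the pam_access line, which is the second question and the one to check next when the file's verdict and the observed behaviour disagree.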