ssh does not see my access.conf
by Dudas Tibor ABRAXAS
Hi,
I can resolve my netgroup user via getent and can log in with her on my 389ds client via ssh.
What does not work yet is to exclude all other users.
The config is:
getent netgroup sysadmin
sysadmin ( ,eve,)
cat /etc/security/access.conf
+:root:LOCAL
+:root:ALL
+:@sysadmin:ALL
-:ALL:ALL EXCEPT LOCAL
cat /etc/pam.d/system-auth
…
account required pam_access.so accessfile=/etc/security/access.netgroup.conf
cat /etc/security/access.netgroup.conf
+:root:LOCAL
+:root:ALL
+:@sysadmin:ALL
-:ALL:ALL EXCEPT LOCAL
The client logs say, when I try to login with user alice from my 389ds, not belonging to my netgroup sysadmin:
(Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [ou=groups,dc=example,dc=com]
(Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(gidNumber=1002)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][ou=groups, dc=example,dc=com].
(Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.
(Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [sysdb_search_group_by_gid] (0x0400): No such entry
(Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [sysdb_delete_group] (0x0400): Error: 2 (No such file or directory)
(Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [dp_req_done] (0x0400): DP Request [Account #48]: Request handler finished [0]: Success
(Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [_dp_req_recv] (0x0400): DP Request [Account #48]: Receiving request data.
(Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [dp_req_reply_list_success] (0x0400): DP Request [Account #48]: Finished. Success.
The client does not even look for netgroups, but lets everyone pass. What did I miss?
Any help is appreciated.
Kind regards, Tibor
2 years, 2 months
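As a check of what the rule set in the post actually decides, here is a small evaluator for the subset of pam_access(8) syntax the post uses (`+`/`-`, user names, `@netgroup`, `ALL`, `LOCAL`, `EXCEPT`, first match wins, permit when nothing matches). It is an added example written for this page, not pam_access itself and not the poster's code; the netgroup map is constructed to mirror the `getent netgroup sysadmin` output above, and the rules are copied from the post. It only evaluates the rules: it cannot tell whether sshd's PAM stack ever reaches the pam_access line, which is a separate thing to verify.

```python
"""Minimal evaluator for a subset of pam_access(8) access.conf rules (added example)."""

# Constructed stand-in for `getent netgroup`: netgroup name -> set of user names.
NETGROUPS = {"sysadmin": {"eve"}}

# Rules copied from the post above.
ACCESS_CONF = """\
+:root:LOCAL
+:root:ALL
+:@sysadmin:ALL
-:ALL:ALL EXCEPT LOCAL
"""


def parse_rules(text):
    """Return a list of (permission, user_items, origin_items) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm, users.split(), origins.split()))
    return rules


def _user_item_matches(item, user, netgroups):
    if item == "ALL":
        return True
    if item.startswith("@"):                     # @netgroup: user must be a member
        return user in netgroups.get(item[1:], set())
    return item == user


def _origin_item_matches(item, origin):
    if item == "ALL":
        return True
    if item == "LOCAL":
        # Simplification: classic pam_access treats any origin without a '.'
        # (tty names, unqualified hosts) as LOCAL; newer releases refine this.
        return "." not in origin
    return item.lower() == origin.lower()


def _list_matches(items, match_one):
    """'A B EXCEPT C D' matches when something left of EXCEPT matches and nothing right of it does."""
    if "EXCEPT" in items:
        i = items.index("EXCEPT")
        return _list_matches(items[:i], match_one) and not _list_matches(items[i + 1:], match_one)
    return any(match_one(it) for it in items)


def evaluate(rules, user, origin, netgroups):
    """First matching rule decides; like pam_access, permit when no rule matches."""
    for perm, users, origins in rules:
        if _list_matches(users, lambda it: _user_item_matches(it, user, netgroups)) and \
           _list_matches(origins, lambda it: _origin_item_matches(it, origin)):
            return perm == "+"
    return True


def decisions(netgroups=NETGROUPS):
    """Evaluate the post's rules for a few (user, origin) pairs."""
    rules = parse_rules(ACCESS_CONF)
    cases = [("root", "host.example.com"), ("eve", "10.0.0.5"),
             ("alice", "10.0.0.5"), ("alice", "tty1")]
    return {(u, o): evaluate(rules, u, o, netgroups) for u, o in cases}


if __name__ == "__main__":
    for (u, o), ok in decisions().items():
        print(f"{u:6} from {o:18} -> {'permit' if ok else 'deny'}")
    # Failure mode: if the netgroup cannot be resolved, the rule set locks eve out too.
    print("eve with no netgroup data ->",
          "permit" if decisions({})[("eve", "10.0.0.5")] else "deny")
```

The last print is the case worth keeping in mind when netgroups come from sssd: a lookup that silently returns nothing turns `+:@sysadmin:ALL` into a no-op and the final `-:ALL:ALL EXCEPT LOCAL` then rejects the administrators as well, so a netgroup outage looks like a lockout rather than an open door.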
getent netgroup <mynetgroup> yields no hits
by Dudas Tibor ABRAXAS
Hello
I would like to configure authentication and authorization via nisNetgroups in 389ds. With "getent" on the 389ds client I see my groups and my users. If I query the netgroup via "getent netgroup <my_netgroup>" I do not get any hit.
My netgroup is shown below.
The log says:
tail -f /var/log/dirsrv/slapd-localhost/access
[29/Dec/2021:12:11:14.350690263 +0100] conn=851 op=13 SRCH base="ou=netgroup,dc=example,dc=com" scope=2 filter="(&(cn=qausers)(objectClass=nisNetgroup))" attrs="objectClass cn memberNisNetgroup nisNetgroupTriple modifyTimestamp"
[29/Dec/2021:12:11:14.351130562 +0100] conn=851 op=13 RESULT err=0 tag=101 nentries=0 wtime=0.000194950 optime=0.000443964 etime=0.000636159
The last entries mean:
err=0: no error
tag=101: it was a search
nentries=0: no hits for the search
But ldap search with the same parameters yields the netgroup:
ldapsearch -x -D "cn=Directory Manager" -W -H ldaps://server.example.com -b ou=netgroup,dc=example,dc=com "(&(cn=qausers)(objectClass=nisNetgroup))" objectClass cn memberNisNetgroup nisNetgroupTriple modifyTimestamp
dn: cn=qausers,ou=netgroup,dc=example,dc=com
objectClass: nisNetgroup
objectClass: top
cn: qausers
nisNetgroupTriple: (,alice,)
nisNetgroupTriple: (,eve,)
nisNetgroupTriple: (server.example.com,-,-)
nisNetgroupTriple: (server,-,-)
modifyTimestamp: 20211229105114Z
I replaced the real server name by server.example.com and deleted all quotes.
My nsswitch.conf contains
netgroup: files ldap sss
My sssd.conf contains:
ldap_netgroup_search_base = ou=netgroup,dc=example,dc=com
ldap_netgroup_object_class = nisNetgroup
ldap_netgroup_triple = nisNetgroupTriple
My 389ds-instance is created via
cat instance.inf
[general]
config_version = 2
[slapd]
root_password = my_pw
[backend-userroot]
sample_entries = yes
suffix = dc=example,dc=com
My client is configured via "authconfig-tui".
I already looked for special, normally unseen characters in the config files with "cat -vet /etc/sssd/sssd.conf" and "cat -vet /etc/nsswitch.conf", but did not find any.
Does it play a role that the 389ds server and client see each other via entries in /etc/hosts? I would assume "no", as getent can resolve both groups and users.
Can you help?
Best Regards, Tibor
--
Tibor Dudas
ICT System Engineer
Enterprise Applications
Abraxas Informatik AG
The Circle 68 | CH-8058 Zürich-Flughafen
Direct +41 58 660 24 83
tibor.dudas(a)abraxas.ch | www.abraxas.ch
2 years, 3 months
report script
by Angel Bosch Mora
Hi,
sorry for this dumb question but I've been searching for it and I can't find it anywhere.
Where's the script that shows you a report of most searched objects and other performance related stuff?
I remember using it in my old installations to adjust some indexes, but I've been playing lately with a lot of different versions and I don't see it in /usr/lib/dirsrv/<instance>
Thanks for your time,
abosch
-- Institut Mallorquí d'Afers Socials. This message and, where applicable, any attached file are addressed exclusively to the person who is its recipient and may contain confidential information. In no case may you copy this message or pass it on to third parties without the express permission of IMAS. If you are not the indicated recipient (or the person responsible for delivering it to them), we ask that you notify the sender immediately at their e-mail address. Before printing this message, consider whether it is really necessary.
2 years, 3 months
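Two of the threads above come down to reading the 389-ds access log: the netgroup thread, where a `SRCH` line is answered by a `RESULT` with `err=0` but `nentries=0`, and the report-script thread, which asks for a summary of the most searched objects (389-ds-base ships `logconv.pl` for that). The following is an added example, written for this page and not part of either post or of the 389-ds project, that shows the core of both: it pairs each `SRCH` with its `RESULT` by `conn`/`op`, remembers the last `BIND` DN seen on the connection so a zero-result search can be attributed to the identity that ran it, and counts filters. The log lines are constructed in the same format as the post's, with conn/op numbers and DNs invented for the sample.

```python
"""Pair SRCH/RESULT lines in a 389-ds access log and summarise them (added example)."""
import re
from collections import Counter

# Constructed sample log, modelled on the format quoted in the netgroup thread.
# conn=851 is an anonymous bind (dn=""); conn=852 binds as Directory Manager.
SAMPLE_LOG = """\
[29/Dec/2021:12:11:14.000000000 +0100] conn=851 op=0 BIND dn="" method=128 version=3
[29/Dec/2021:12:11:14.000100000 +0100] conn=851 op=0 RESULT err=0 tag=97 nentries=0 etime=0.000100000 dn=""
[29/Dec/2021:12:11:14.350690263 +0100] conn=851 op=13 SRCH base="ou=netgroup,dc=example,dc=com" scope=2 filter="(&(cn=qausers)(objectClass=nisNetgroup))" attrs="objectClass cn memberNisNetgroup nisNetgroupTriple modifyTimestamp"
[29/Dec/2021:12:11:14.351130562 +0100] conn=851 op=13 RESULT err=0 tag=101 nentries=0 wtime=0.000194950 optime=0.000443964 etime=0.000636159
[29/Dec/2021:12:11:20.000000000 +0100] conn=852 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[29/Dec/2021:12:11:20.000100000 +0100] conn=852 op=0 RESULT err=0 tag=97 nentries=0 etime=0.000100000 dn="cn=directory manager"
[29/Dec/2021:12:11:20.100000000 +0100] conn=852 op=1 SRCH base="ou=netgroup,dc=example,dc=com" scope=2 filter="(&(cn=qausers)(objectClass=nisNetgroup))" attrs="objectClass cn"
[29/Dec/2021:12:11:20.100500000 +0100] conn=852 op=1 RESULT err=0 tag=101 nentries=1 wtime=0.000100000 optime=0.000400000 etime=0.000500000
[29/Dec/2021:12:11:21.000000000 +0100] conn=852 op=2 SRCH base="ou=people,dc=example,dc=com" scope=2 filter="(uid=alice)" attrs="uid"
[29/Dec/2021:12:11:21.000500000 +0100] conn=852 op=2 RESULT err=0 tag=101 nentries=1 wtime=0.000100000 optime=0.000400000 etime=0.000500000
"""

HEAD = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<rest>.*)$')
BIND = re.compile(r'^BIND dn="(?P<dn>[^"]*)"')
SRCH = re.compile(r'^SRCH base="(?P<base>[^"]*)" scope=(?P<scope>\d) filter="(?P<filter>[^"]*)"')
RESULT = re.compile(r'^RESULT err=(?P<err>\d+) tag=(?P<tag>\d+) nentries=(?P<n>\d+)(?:.*?\betime=(?P<etime>[\d.]+))?')


def analyse(lines):
    """Return one record per completed search: who ran it, what it asked, what came back."""
    bind_dn = {}     # conn -> DN of the last BIND seen (simplified: taken from the BIND line, not its RESULT)
    pending = {}     # (conn, op) -> search waiting for its RESULT
    searches = []
    for line in lines:
        m = HEAD.match(line)
        if not m:
            continue
        conn, op, rest = m["conn"], m["op"], m["rest"]
        b = BIND.match(rest)
        if b:
            bind_dn[conn] = b["dn"] or "anonymous"
            continue
        s = SRCH.match(rest)
        if s:
            pending[(conn, op)] = {"conn": conn, "op": op, "ts": m["ts"],
                                   "bind_dn": bind_dn.get(conn, "anonymous"),
                                   "base": s["base"], "scope": int(s["scope"]),
                                   "filter": s["filter"]}
            continue
        r = RESULT.match(rest)
        if r and (conn, op) in pending:          # RESULT of a BIND (tag=97) is never pending
            rec = pending.pop((conn, op))
            rec["err"] = int(r["err"])
            rec["nentries"] = int(r["n"])
            rec["etime"] = float(r["etime"]) if r["etime"] else None
            searches.append(rec)
    return searches


def zero_result_searches(searches):
    """Successful searches that returned nothing: the pattern from the netgroup thread."""
    return [s for s in searches if s["err"] == 0 and s["nentries"] == 0]


def top_filters(searches, n=3):
    """Most frequent filters, the kind of table a performance report starts from."""
    return Counter(s["filter"] for s in searches).most_common(n)


if __name__ == "__main__":
    found = analyse(SAMPLE_LOG.splitlines())
    for s in zero_result_searches(found):
        print(f"conn={s['conn']} op={s['op']} as {s['bind_dn']!r}: 0 entries for {s['filter']} under {s['base']}")
    for flt, count in top_filters(found):
        print(f"{count:4}  {flt}")
```

Reading the two searches for the same filter side by side is the useful part: the anonymous connection gets `nentries=0` while the Directory Manager connection gets `nentries=1` for the identical base and filter, which is the shape of an ACI or bind-identity difference rather than a missing entry. On a real log, replace `SAMPLE_LOG.splitlines()` with an open file handle.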
Re: SSO and 389
by William Brown
> On 11 Jan 2022, at 04:49, Jonathan Aquilina <jaquilina(a)eagleeyet.net> wrote:
>
> Good Evening,
>
> I am just wondering can 389 along side free ipa be used to offer SSO capabilities?
>
That's a pretty open ended question. It depends what you mean by "along side" and "SSO".
So I think to understand what you are thinking here we need to know more about what you want to achieve in your environment.
But at a high level the answer is probably "no".
--
Sincerely,
William Brown
Senior Software Engineer, Identity and Access Management
SUSE Labs, Australia
2 years, 3 months
SSO and 389
by Jonathan Aquilina
Good Evening,
I am just wondering can 389 along side free ipa be used to offer SSO capabilities?
Regards,
Jonathan
2 years, 3 months
Upgrading Containerized ds-389
by Steve F
Hello,
I am in the process of building my own container containing ds-389, using this docker file as the initial guidance -> https://build.opensuse.org/package/view_file/home:firstyear/389-ds-contai... (and using /usr/lib/dirsrv/dscontainer to bootstrap the image and bring up the container)
I am having a think about the upgrade process for this instance. If I am storing the schema/relevant files on persistent storage, will /usr/lib/dirsrv/dscontainer be smart enough to upgrade the backend on startup if I have built a new container with a new version of ds-389? In the past, I believe the installer RPMs were running perl/python scripts to perform backend updates.
I THINK it is, but I can't find anything definitive.
Any help is appreciated.
Cheers,
Steve
2 years, 3 months
Help to understand pre-hashed login
by Caderize Caderize
Hello everyone,
I am writing a small PHP application in order to manage D389 users.
Currently, in order to connect to it, I saved the admin password in clear text in a config.php file, just for testing.
Now I would like to move these settings into a MySQL database and hash the password for security reasons, probably SHA-1 or SHA-256 with salt (will see).
The application should retrieve credentials from the MySQL DB (which will be a salted hashed password "{SHA}xxxxxxxxxxxx") and try to connect to D389.
My question is: can D389 authenticate if I pass it a pre-hashed password?
Is there any documentation or example to follow?
Hope this question will not be considered as stupid.
Many Thanks
2 years, 3 months
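The thing to see here is what the server does with a `{SHA}`/`{SSHA}` value at bind time. A hashed `userPassword` is what the directory stores; an LDAP simple bind still carries the cleartext password, and the server recomputes the hash with the stored salt and compares. The following added example, written for this page and not the poster's application or 389-ds code, implements the `{SSHA}` scheme (base64 of `sha1(password + salt) + salt`, one of the schemes 389 Directory Server accepts for `userPassword`) and a verify function that mirrors the server-side comparison; it shows that presenting the stored hash itself as the password does not verify. The salt passed in the `__main__` block is a constructed fixed value so the output is reproducible; in practice the salt is random.

```python
"""{SSHA} encode/verify, mirroring what a directory does on simple bind (added example)."""
import base64
import hashlib
import hmac
import os

PREFIX = "{SSHA}"
SHA1_LEN = 20   # bytes; the salt is whatever follows the digest


def ssha_hash(password: str, salt: bytes = None) -> str:
    """Encode a cleartext password as a {SSHA} userPassword value."""
    if salt is None:
        salt = os.urandom(8)                      # random per password, as a server would do
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, candidate: str) -> bool:
    """Server-side check: split digest and salt, rehash the candidate, compare in constant time.

    Note that the candidate must be the cleartext; the function has no way to
    accept an already hashed value, which is why a bind needs the real secret.
    """
    if not stored.startswith(PREFIX):
        raise ValueError("not a {SSHA} value")
    raw = base64.b64decode(stored[len(PREFIX):])
    if len(raw) <= SHA1_LEN:
        raise ValueError("malformed {SSHA} value: no salt")
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    recomputed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(recomputed, digest)


def bind_outcomes(password: str, salt: bytes = None) -> dict:
    """Simulate three bind attempts against one stored value."""
    stored = ssha_hash(password, salt)
    return {
        "cleartext": ssha_verify(stored, password),   # what a real bind sends
        "wrong_case": ssha_verify(stored, password.swapcase()),
        "hash_as_password": ssha_verify(stored, stored),  # replaying the stored hash
    }


if __name__ == "__main__":
    fixed_salt = bytes(range(1, 9))               # constructed, for a reproducible demo
    print(ssha_hash("secret", fixed_salt))
    for label, ok in bind_outcomes("secret", fixed_salt).items():
        print(f"{label:18} -> {'bind ok' if ok else 'invalid credentials'}")
```

The consequence for the application in the post is a design point rather than a configuration one: a credential the application must *present* to another system cannot be stored as a one-way hash on the application side, because the hash is not what the other side accepts. What can be done is to keep the bind password out of the database and out of the web root (a file readable only by the application user, or a secrets store), to give the management account only the ACIs it needs, and to let the directory keep hashing the user passwords it stores.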
LDIF imports
by Joe Fletcher
Hi,
Is there something hard-coded into 389 v1.4 such that it can only import data from /var/lib/dirsrv/<instance>/ldif ?
I've been trying to initialize a new setup with an export we'd been using for 389 v1.3 but every time it failed with a "file not found" error until the ldif was copied to /var/lib/....etc.
Cheers
This email with all information contained herein or attached hereto may contain confidential and/or privileged information intended for the addressee(s) only. If you have received this email in error, please contact the sender and immediately delete this email in its entirety and any attachments thereto.
2 years, 3 months