January 2022 - 389-users - Fedora Mailing-Lists

by Dudas Tibor ABRAXAS

Hi, I can resolve my netgroup user via getent and can login with her on my 389ds client via ssh. What does not work, yet, is to exclude all other users. The Config is: getent netgroup sysadmin sysadmin ( ,eve,) cat /etc/security/access.conf +:root:LOCAL +:root:ALL +:@sysadmin:ALL -:ALL:ALL EXCEPT LOCAL Cat /etc/pam.d/system-auth … account required pam_access.so accessfile=/etc/security/access.netgroup.conf cat =/etc/security/access.netgroup.conf +:root:LOCAL +:root:ALL +:@sysadmin:ALL -:ALL:ALL EXCEPT LOCAL The client logs say, when I try to login with user alice from my 389ds, not belonging to my netgroup sysadmin: (Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [ou=groups,dc=example,dc=com] (Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(gidNumber=1002)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][ou=groups, dc=example,dc=com]. (Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results. (Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [sysdb_search_group_by_gid] (0x0400): No such entry (Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [sysdb_delete_group] (0x0400): Error: 2 (No such file or directory) (Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [dp_req_done] (0x0400): DP Request [Account #48]: Request handler finished [0]: Success (Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [_dp_req_recv] (0x0400): DP Request [Account #48]: Receiving request data. (Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [dp_req_reply_list_success] (0x0400): DP Request [Account #48]: Finished. Success. The client does not even look for netgroups, but lets everyone pass. What did I miss? Any help is appreciated. Kind regards, Tibor

2 years, 2 months

2
3
0 / 0

Announcing 389 Directory Server 2.0.13

by Mark Reynolds

389 Directory Server 2.0.13 The 389 Directory Server team is proud to announce 389-ds-base version 2.0.13 Fedora packages are available on Fedora 34, 35, and Rawhide Rawhide: https://koji.fedoraproject.org/koji/taskinfo?taskID=81773299 <https://koji.fedoraproject.org/koji/taskinfo?taskID=81773299> - Koji Fedora 35: https://koji.fedoraproject.org/koji/taskinfo?taskID=81773041 <https://koji.fedoraproject.org/koji/taskinfo?taskID=81773041> - Koji https://bodhi.fedoraproject.org/updates/FEDORA-2022-7f62add497 <https://bodhi.fedoraproject.org/updates/FEDORA-2022-7f62add497> - Bodhi Fedora 34: https://koji.fedoraproject.org/koji/taskinfo?taskID=81773433 <https://koji.fedoraproject.org/koji/taskinfo?taskID=81773433> - Koji https://bodhi.fedoraproject.org/updates/FEDORA-2022-90be8dbcb6 <https://bodhi.fedoraproject.org/updates/FEDORA-2022-90be8dbcb6> - Bodhi The new packages and versions are: * 389-ds-base-2.0.13-1 Source tarballs are available for download at Download 389-ds-base Source <https://github.com/389ds/389-ds-base/archive/389-ds-base-2.0.13.tar.gz> Highlights in 2.0.13 * Bug and Security fixes * Cockpit UI - LDAP Editor completed features: search/add/edit/delete/rename & ACI editor Installation and Upgrade See Download <https://www.port389.org/docs/389ds/download.html> for information about setting up your yum repositories. To install the server use *dnf install 389-ds-base* To install the Cockpit UI plugin use *dnf install cockpit-389-ds* After rpm install completes, run *dscreate interactive* For upgrades, simply install the package. There are no further steps required. There are no upgrade steps besides installing the new rpms See Install_Guide <https://www.port389.org/docs/389ds/howto/howto-install-389.html> for more information about the initial installation and setup See Source <https://www.port389.org/docs/389ds/development/source.html> for information about source tarballs and SCM (git) access. Feedback We are very interested in your feedback! Please provide feedback and comments to the 389-users mailing list: https://lists.fedoraproject.org/admin/lists/389-users.lists.fedoraproject... If you find a bug, or would like to see a new feature, file it in our GitHub project: https://github.com/389ds/389-ds-base * Bump version to 2.0.13 * Issue 5132 - Update Rust crate lru to fix - CVE-2021-45720 * Issue 3555 - UI - fix audit issue with npm nanoid * Issue 4299 - UI - Add ACI editing features * Issue 4299 - UI - LDAP editor - add “edit” and “rename” functionality * Issue 5127 - run restorecon on /dev/shm at server startup * Issue 5124 - dscontainer fails to create an instance * Issue 4312 - fix compiler warnings * Issue 5115 - AttributeError: type object ‘build_manpages’ has no attribute ‘build_manpages’ * Issue 4312 - performance search rate: contention on global monitoring counters (#4940) * Issue 5105 - During a bind, if the target entry is not reachable the operation may complete without sending result (#5107) * Issue 5095 - sync-repl with openldap may send truncated syncUUID (#5099) * Issue 3584 - Add is_fips check to password tests (#5100) * Issue 5074 - retro changelog cli updates (#5075) * Issue 4994 - Revert retrocl dependency workaround (#4995) -- Directory Server Development Team

2 years, 2 months

3
3
0 / 0

nsslapd-logging-backend

by Xinhuan Zheng

We set up a few 389 Directory Server instances and set up replication among them. Each instance has its own internal logs. We need to centralize all the logs to one place by using syslog-ng. I learned a new configuration nsslapd-logging-backend - https://directory.fedoraproject.org/docs/389ds/design/logging-multiple-ba.... According to RedHat documentation - https://access.redhat.com/solutions/3060901, the configuration is started in Redhat Enterprise Linux 7: 389-ds-base-1.3.5.10-11.el7. Is it started in CentOS 7 also? Xinhuan

2 years, 3 months

2
1
0 / 0

getent netgroup <mynetgroup> yields no hits

by Dudas Tibor ABRAXAS

Hello I would like to configure authentication and authorization via nisNetgroups in 389ds. With "getent" on the 389ds client I see my groups and my users. If I query the netgroup via "getent netgroup <my_netgroup>" I do not get any hit. My netgroup you see below. The log says: tail -f /var/log/dirsrv/slapd-localhost/access [29/Dec/2021:12:11:14.350690263 +0100] conn=851 op=13 SRCH base="ou=netgroup,dc=example,dc=com" scope=2 filter="(&(cn=qausers)(objectClass=nisNetgroup))" attrs="objectClass cn memberNisNetgroup nisNetgroupTriple modifyTimestamp [29/Dec/2021:12:11:14.351130562 +0100] conn=851 op=13 RESULT err=0 tag=101 nentries=0 wtime=0.000194950 optime=0.000443964 etime=0.000636159 The last entries mean: err=0: no error tag=101: it was a search nentries=0: no hits for the search But ldap search with the same parameters yields the netgroup: ldapsearch -x -D "cn=Directory Manager" -W -H ldaps://server.example.com -b ou=netgroup,dc=example,dc=com "(&(cn=qausers)(objectClass=nisNetgroup))" objectClass cn memberNisNetgroup nisNetgroupTriple modifyTimestamp dn: cn=qausers,ou=netgroup,dc=example,dc=com objectClass: nisNetgroup objectClass: top cn: qausers nisNetgroupTriple: (,alice,) nisNetgroupTriple: (,eve,) nisNetgroupTriple: (server.example.com,-,-) nisNetgroupTriple: (server,-,-) modifyTimestamp: 20211229105114Z I replaced the real server name by server.example.com and deleted all quotes. My nsswitch.conf contains netgroup: files ldap sss My sssd.conf contains: ldap_netgroup_search_base = ou=netgroup,dc=example,dc=com ldap_netgroup_object_class = nisNetgroup ldap_netgroup_triple = nisNetgroupTriple My 389ds-instance is created via cat instance.inf [general] config_version = 2 [slapd] root_password = my_pw [backend-userroot] sample_entries = yes suffix = dc=example,dc=com My client is configured via "authconfig-tui". I already looked for special, normally unseen characters in the config files with "cat -vet /etc/sssd/sssd.conf" and "cat -vet /etc/nsswitch.conf", but did not find any. Does it play a role, that the 389ds server and client see each other via entries in the /etc/hosts? I would assume "no", as getent can resolve both groups and users. Can you help? Best Regards, Tibor -- Tibor Dudas ICT-System-Ingenieur Enterprise Applications Abraxas Informatik AG The Circle 68 | CH-8058 Zürich-Flughafen Direkt +41 58 660 24 83 tibor.dudas(a)abraxas.ch | www.abraxas.ch [cid:image001.png@01D806C8.7DEA42C0]<https://www.abraxas.ch/de/>

2 years, 3 months

2
2
0 / 0

report script

by Angel Bosch Mora

Hi, sorry for this dumb question but I've been searching for it and I can't find it anywhere. Where's the script that shows you a report of most searched objects and other performance related stuff? I remember using it in my old installations to adjust some indexes but I've been playing lately with lot of different versions and I don't see it in /usr/lib/dirsrv/<instance> Thanks for your time, abosch -- Institut Mallorqui d'Afers Socials. Aquest missatge, i si escau, qualsevol fitxer annex, es dirigeix exclusivament a la persona que n'es destinataria i pot contenir informacio confidencial. En cap cas no heu de copiar aquest missatge ni lliurar-lo a terceres persones sense permis expres de l'IMAS. Si no sou la persona destinataria que s'hi indica (o la responsable de lliurar-l'hi) us demanam que ho notifiqueu immediatament a l'adreca electronica de la persona remitent. Abans d'imprimir aquest missatge, pensau si es realment necessari.

2 years, 3 months

2
2
0 / 0

Re: SSO and 389

by William Brown

> On 11 Jan 2022, at 04:49, Jonathan Aquilina <jaquilina(a)eagleeyet.net> wrote: > > Good Evening, > > I am just wondering can 389 along side free ipa be used to offer SSO capabilities? > That's a pretty open ended question. It depends what you mean by "along side" and "SSO". So I think to understand what you are thinking here we need to know more about what you want to achieve in your environment. But at a high level the answer is probably "no". -- Sincerely, William Brown Senior Software Engineer, Identity and Access Management SUSE Labs, Australia

2 years, 3 months

1
0
0 / 0

SSO and 389

by Jonathan Aquilina

Good Evening, I am just wondering can 389 along side free ipa be used to offer SSO capabilities? Regards, Jonathan

2 years, 3 months

1
0
0 / 0

Upgrading Containerized ds-389

by Steve F

Hello, I am in the process of building my own container containing ds-389, using this docker file as the initial guidance -> https://build.opensuse.org/package/view_file/home:firstyear/389-ds-contai... (and using /usr/lib/dirsrv/dscontainer to bootstrap the image and bring up the container) I am having a think about the upgrade process for this instance. If I am storing the schema/relevant files on persistent storage, will /usr/lib/dirsrv/dscontainer be smart enough to upgrade the backend on startup if I have built a new container with a new version of ds-389? In the past, I beleive the installer RPM's were running perl/python scripts to perform backend updates. I THINK it is, but I can't find anything definitive. Any help is appriciated. Cheers, Steve

2 years, 3 months

3
2
0 / 0

Help to understand pre-hashed login

by Caderize Caderize

Hello everyone, i am writing a small php application in order to manage D389 users. Currently, in order to connect to it, i saved the admin password in clear text in a config.php file, just for test. Now i would move these settings into mysql database and hash the password for secure reason, probably sha1 or sha256 with salt(will see). The application should retrieve credentials from mysql db(which will be a salted hashed password "{SHA}xxxxxxxxxxxx") and try to connect to D389. My question is: Does D389 can authenticate if i pass to it a pre-hashed password? Is there any documentation or example to follow? Hope this question will not be considered as stupid. Many Thanks

2 years, 3 months

3
2
0 / 0

LDIF imports

by Joe Fletcher

Hi, Is there something hard-coded into 389 v1.4 such that it can only import data from /var/lib/dirsrv/<instance>/ldif ? I've been trying to initialize a new setup with an export we'd been using for 389 v1.3 but every time it failed with a "file not found" error until the ldif was copied to /var/lib/....etc. Cheers This email with all information contained herein or attached hereto may contain confidential and/or privileged information intended for the addressee(s) only. If you have received this email in error, please contact the sender and immediately delete this email in its entirety and any attachments thereto.

2 years, 3 months

2
2
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

389-users January 2022