389-users May 2022

389-users@lists.fedoraproject.org

12 participants
12 discussions

ERR - slapi_ldap_bind - Could not send bind request for id [(anon)] authentication mechanism [EXTERNAL]: error -1 (Can't contact LDAP server), system error 0 (no error), network error 0
by Graham Leggett 11 Dec '23

11 Dec '23

Hi all, We have a long standing 389ds master LDAP server that was found to be unable to contact it’s slaves. Most specifically, the slaves show nothing in their logs about any kind of connection, while the master is logging this: [12/Nov/2019:21:39:47.212715697 +0000] - ERR - slapi_ldap_bind - Could not send bind request for id [(anon)] authentication mechanism [EXTERNAL]: error -1 (Can't contact LDAP server), system error 0 (no error), network error 0 (Unknown error, host “ldap01:636”) Key is "system error 0 (no error)”, which leaves us stumped. The error is obviously “success”. Has anyone seen this kind of thing before? This is 389ds running on CentOS7 as follows: 389-ds-base-1.3.9.1-10.el7.x86_64 Regards, Graham —

3 9

Plugin development licensing
by DUVERT Vincent 09 May '23

09 May '23

Hello, I have a question regarding the licensing of developed 389-ds plugins. The FAQ (https://directory.fedoraproject.org/docs/389ds/FAQ/licensing.html#directory…) indicates that the Directory Server core code is licensed under a GPL + Exception license that allows non-GPL 389-ds plugins to link to 389-ds and to use specific header files. However, the LICENSE file in the current 389-ds-base source does not contain this exception. It was apparently removed by the following commit, when the license was changed to GPLv3+: https://pagure.io/389-ds-base/c/88cae401aee39a19ac6b07c3c36ee8daa07192e7 Does that means that the license exception does not apply to the current version of 389-ds? Regards, Vincent Duvert

2 2

389-ds opensuse container questions
by tdarby＠email.arizona.edu 23 Jun '22

23 Jun '22

Hi, My team is preparing to move to containerized 389-ds instances after years of running on two AWS EC2 instances in multi-master replication behind a AWS classic load balancer. All data is on separate EBS volumes. The 389-ds version is 1.3.9.0. I'm mainly curious about the right way to use the container, so questions: 1. Is the container considered production-ready? 2. I see that the container will create a new instance if it doesn't find one. How does it determine that an instance exists? 3. What setup config options are available to the container? I see mention of container.inf, but it's not clear what all I can put in that. For the install of our current directory, we need to make dse.ldif changes, ACI changes, schema changes and other things. I realize I can do all this after the container creates the bare instance, but I'm wondering how much the container install could do for me. 4. How big of a deal is it going to be moving from 1.3.9.0 to the latest version? Additionally, we were wondering if it's possible to have an AWS load balancer handle the TLS exchanges instead of the LDAP instances. In other words, install the certificate on the load balancer and have it talk unencrypted to the LDAP instances over port 389. Thanks, Tim

4 11

Problem with 389-console in 389-server 389-server 1.3.10
by rainer＠ultra-secure.de 30 May '22

30 May '22

Hi, some things like replication are easier to check in the console, so I wanted to start it (using vnc, connecting to localhost). However, I get this in the logs: [Mon May 30 14:18:13.142469 2022] [:crit] [pid 19008:tid 140048162359424] sslinit: NSS is required to use LDAPS, but security initialization failed [-8015:The certificate/key database is in an old, unsupported format or failed to open.]. [Mon May 30 14:18:15.138593 2022] [:crit] [pid 19011:tid 140048162359424] sslinit: NSS is required to use LDAPS, but security initialization failed [-8015:The certificate/key database is in an old, unsupported format or failed to open.]. [Mon May 30 14:18:17.141229 2022] [:crit] [pid 19016:tid 140048162359424] sslinit: NSS is required to use LDAPS, but security initialization failed [-8015:The certificate/key database is in an old, unsupported format or failed to open.]. Versions: 389-admin-1.1.46-4.el7.x86_64 389-admin-console-1.1.12-1.el7.noarch 389-admin-console-doc-1.1.12-1.el7.noarch 389-adminutil-1.1.22-2.el7.x86_64 389-console-1.1.19-6.el7.noarch 389-ds-base-1.3.10.2-15.el7_9.x86_64 389-ds-base-libs-1.3.10.2-15.el7_9.x86_64 389-ds-base-snmp-1.3.10.2-15.el7_9.x86_64 389-ds-console-1.2.16-1.el7.noarch 389-ds-console-doc-1.2.16-1.el7.noarch This seems to some sort of generic error, so I'm not sure how to proceed.. Any ideas? Best Regards Rainer

1 1

Log rotation options with 1.4.4
by John Thurston 28 May '22

28 May '22

I have an instance of 389-Directory running 1.4.4 on CentOS, for which we keep an audit log. We've established size-based log rotation. To reduce the likelihood of the audit log being accidentally altered, I'd like to mark it as 'append only', using 'chattr': chattr +a audit.log This works great, until rotation time. Since "rename" is not "append", any effort to mv the file out of the way fails. Is there a pre/post-rotation mechanism through which I could: disable the append-only restriction let the log rotation happen re-enable append-only on the new log file -- -- Do things because you should, not just because you can. John Thurston 907-465-8591 John.Thurston(a)alaska.gov Department of Administration State of Alaska

1 0

389 scalability
by Morgan Jones 20 May '22

20 May '22

Hello Everyone, We are merging our student directory (about 200,000 entries) into our existing employee directory (about 25,000 entries). They're a pair of multi-master replicas on virtual hardware that can easily be expanded if needed though hardware performance hasn't been an issue. Does this justify creating separate database for students? Aside from basic tuning are here any big pitfalls we should look out for? We're still on CentOS 7 for the time being: [root@prdds21 morgan]# rpm -qa|grep 389 389-admin-1.1.46-4.el7.x86_64 389-console-1.1.19-6.el7.noarch 389-dsgw-1.1.11-5.el7.x86_64 389-admin-console-1.1.12-1.el7.noarch 389-ds-1.2.2-6.el7.noarch 389-ds-base-libs-1.3.10.2-13.el7_9.x86_64 389-ds-base-1.3.10.2-13.el7_9.x86_64 389-adminutil-1.1.22-2.el7.x86_64 389-admin-console-doc-1.1.12-1.el7.noarch 389-ds-console-doc-1.2.16-1.el7.noarch 389-ds-console-1.2.16-1.el7.noarch [root@prdds21 morgan]# thank you, -morgan

5 5

389ds External LDAP Authentication
by parimala nitesh 18 May '22

18 May '22

Hi 389DS team, I'm new to 389ds. I've a question. I've a Server1 with 389ds installed. I've external LDAP(this can be 389ds or Openldap) on different server2. Is there a way to integrate 389ds LDAP to external LDAP (Basically all the users of external LDAP should also be authenticated via 389ds LDAP on server1 also)? How can I achieve it? Can you share any documentation relating to this? Can someone help me in this? Thanks in advance Regards Nitesh

3 13

Migrating passwd, group, & shadow to 389-ds
by Felipe Gasper 12 May '22

12 May '22

Hello, I’m planning a migration of Linux account data from /etc/ files to 389-ds (or OpenLDAP/slapd, but for now I’m leaning toward 389-ds). I have a few questions that I hoped folks here might help with? - What kinds of automation tools do folks use for creating/updating/removing dirsrv entries? I’m assuming there is something that abstracts over all of the actual schema details? - What tools have folks used for migration of existing account data? I see a package of Perl scripts that some distros provide; is that about it? - When creating a new posixAccount & posixGroup, how are UIDs and GIDs to be chosen? If I have 10,000 users, do I have to grab all 10,000 posixAccount and posixGroup entries to determine which is the next unused UID & GID, or is there some cleaner solution? - Are there tools to facilitate race safety if, e.g., two concurrent queries try to create an account at the same time? - I see that OpenLDAP/slapd can embed a Perl interpreter or exec arbitrary commands to fulfill queries. Can 389-ds do something similar to implement dynamic query results? Thank you in advance! cheers, -Felipe Gasper

2 1

Absolute True and False Filters
by Mike Mercier 12 May '22

12 May '22

Hello, I am attempting to use the Microsoft ECMA Connector (Azure AD Connect) to synchronize user information from Azure AD to 389DS. Microsoft does claim 389DS is supported, see: https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/on… While configuring the ECMA connector wizard, the 'Global' page displays the following message: Mandatory Features Not Found: [1.3.1.4.1.4203.1.5.3] True/False Filters I believe the below command displays what is supported? [root@localhost ~]# ldapsearch -H ldap://localhost -x -s base -b "" + I do not see the specific OID from above listed in the output. Is the feature supported by 389DS? Is there a plugin available that will add support? Anyone have any experience trying to sync information between 389DS and Azure AD? Thanks, Mike

2 1

Build issues on Ubuntu
by Felipe Gasper 10 May '22

10 May '22

Hello, I’m trying to build the latest 389 release on Ubuntu 20.04 using OS packages. I think I’ve found a couple issues: 1) (trivial) The configure script doesn’t check for liblmdb’s existence. 2) (fatal) The build fails, thus: ----- make[1]: Entering directory '/home/ubuntu/code/389-ds-base-389-ds-base-2.1.1' /bin/bash ./libtool --tag=CC --mode=link gcc -g -O2 -lcrack -o dbscan ldap/servers/slapd/tools/dbscan-dbscan.o -lplds4 -lplc4 -lnspr4 libback-ldbm.la libtool: link: gcc -g -O2 -o .libs/dbscan ldap/servers/slapd/tools/dbscan-dbscan.o -lcrack -lplds4 -lplc4 -lnspr4 ./.libs/libback-ldbm.so -Wl,-rpath -Wl,/opt/dirsrv/lib/dirsrv/plugins /usr/bin/ld: ldap/servers/slapd/tools/dbscan-dbscan.o: undefined reference to symbol 'slapi_ch_realloc' /usr/bin/ld: /home/ubuntu/code/389-ds-base-389-ds-base-2.1.1/.libs/libslapd.so.0: error adding symbols: DSO missing from command line collect2: error: ld returned 1 exit status ----- slapi_ch_realloc() comes from 389 itself, so I would _think_ this to be an internal error, rather than a problem caused by system libraries? Thank you in advance! cheers, -Felipe Gasper

2 3

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

389-users May 2022