389-users June 2022

389-users@lists.fedoraproject.org

8 participants
10 discussions

ERR - slapi_ldap_bind - Could not send bind request for id [(anon)] authentication mechanism [EXTERNAL]: error -1 (Can't contact LDAP server), system error 0 (no error), network error 0
by Graham Leggett 11 Dec '23

11 Dec '23

Hi all, We have a long standing 389ds master LDAP server that was found to be unable to contact it’s slaves. Most specifically, the slaves show nothing in their logs about any kind of connection, while the master is logging this: [12/Nov/2019:21:39:47.212715697 +0000] - ERR - slapi_ldap_bind - Could not send bind request for id [(anon)] authentication mechanism [EXTERNAL]: error -1 (Can't contact LDAP server), system error 0 (no error), network error 0 (Unknown error, host “ldap01:636”) Key is "system error 0 (no error)”, which leaves us stumped. The error is obviously “success”. Has anyone seen this kind of thing before? This is 389ds running on CentOS7 as follows: 389-ds-base-1.3.9.1-10.el7.x86_64 Regards, Graham —

3 9

Plugin development licensing
by DUVERT Vincent 09 May '23

09 May '23

Hello, I have a question regarding the licensing of developed 389-ds plugins. The FAQ (https://directory.fedoraproject.org/docs/389ds/FAQ/licensing.html#directory…) indicates that the Directory Server core code is licensed under a GPL + Exception license that allows non-GPL 389-ds plugins to link to 389-ds and to use specific header files. However, the LICENSE file in the current 389-ds-base source does not contain this exception. It was apparently removed by the following commit, when the license was changed to GPLv3+: https://pagure.io/389-ds-base/c/88cae401aee39a19ac6b07c3c36ee8daa07192e7 Does that means that the license exception does not apply to the current version of 389-ds? Regards, Vincent Duvert

2 2

389-ds opensuse container questions
by tdarby＠email.arizona.edu 22 Jun '22

22 Jun '22

Hi, My team is preparing to move to containerized 389-ds instances after years of running on two AWS EC2 instances in multi-master replication behind a AWS classic load balancer. All data is on separate EBS volumes. The 389-ds version is 1.3.9.0. I'm mainly curious about the right way to use the container, so questions: 1. Is the container considered production-ready? 2. I see that the container will create a new instance if it doesn't find one. How does it determine that an instance exists? 3. What setup config options are available to the container? I see mention of container.inf, but it's not clear what all I can put in that. For the install of our current directory, we need to make dse.ldif changes, ACI changes, schema changes and other things. I realize I can do all this after the container creates the bare instance, but I'm wondering how much the container install could do for me. 4. How big of a deal is it going to be moving from 1.3.9.0 to the latest version? Additionally, we were wondering if it's possible to have an AWS load balancer handle the TLS exchanges instead of the LDAP instances. In other words, install the certificate on the load balancer and have it talk unencrypted to the LDAP instances over port 389. Thanks, Tim

4 11

password upgrade on bind not work with crypt hash
by Alberto Crescente 09 Jun '22

09 Jun '22

Hello, I migrated from openldap to 389-ds and after the migration I've some accounts with {crypt} hash and others with {ssha} hash. The first time that a user login into a client the password hash should be updated to new {PBKDF2_SHA256}, this happen with {ssha} but non with {crypt}. Below the hash of password secret with the two algorithms used for tests: # CRYPT userPassword:: e2NyeXB0fXNhSFc5R2R4aWhrR1E= # SSHA userPassword:: e1NTSEF9Z1ZLOFdDOVl5RlQxZ01zUUhUR0NnVDNzU3Y1ellXeDA= Any ideas? Best regards, Alberto.

1 0

Re: another question: searches running into administrative limits
by Rainer Duffner 09 Jun '22

09 Jun '22

> Am 01.06.2022 um 18:24 schrieb David Ritenour <d.ritenour(a)martinfed.com>: > > Try setting the nslookthroughlimit to 5000 (or -1 for unlimited) on the entry you are binding with. > > Alternatively, you can set the nsslapd-lookthroughlimit to 5000 (or -1 for unlimited) in the cn=config,cn=ldbm database,cn=plugins,cn=config entry but doing so will remove the lookthroughlimit restriction for ANYONE searching the directory. > Hi, I did this and this seems to work. Thanks a lot! > In addition, I would avoid using a complex search with "objectClass=inetOrgPerson" if the filter "uid=926*" is sufficient. I have forwarded this suggestion… Again, thanks everybody for the support. Rainer

1 0

dsidm not work with imported openldap accounts
by Alberto Crescente 01 Jun '22

01 Jun '22

Hello, I would like to migrate my old openldap server to 389-ds (CentOS 8). I tried to upload the old users from the openldap server into 389-ds, but if I then try to use the dsidm command I get the following error message: "Error: No object exists given the filter criteria ... " # john, people, example.com dn: uid=john,ou=people,dc=example,dc=com objectClass: top objectClass: person objectClass: posixAccount objectClass: shadowAccount uid: john cn: John uidNumber: 5000 gidNumber: 5000 homeDirectory: /home/john shadowLastChange: 18170 loginShell: /bin/bash gecos: John Brown shadowExpire: 24444 sn: Brown Is it a schema problem? Does dsidm only work with accounts that have the schema of DS 1.4? In 389-ds there is an openldap_to_ds migration script, but it seems to me that it keeps the same schema for the account after migration, at this point it is better to recreate all the accounts with the new DS 1.4 schema starting from the openldap data? # john, people, example.com dn: uid=john,ou=people,dc=example,dc=com objectClass: top objectClass: nsPerson objectClass: nsAccount objectClass: nsOrgPerson objectClass: posixAccount objectClass: shadowAccount uid: john cn: John Brown uidNumber: 5000 gidNumber: 5000 homeDirectory: /home/john shadowLastChange: 18170 loginShell: /bin/bash displayName: John Brown shadowExpire: 24444 Best regards, Alberto Crescente.

3 2

Re: another question: searches running into administrative limits
by Pierre Rogier 01 Jun '22

01 Jun '22

Hi Rainer, try: dsconf instanceName backend config set --idlistscanlimit 5000 Note: you must perform a full reindex or a reimport after changing this value FYI: Browsing (or VLV) index does not help unless you are also using VLV controls in the search request On Wed, Jun 1, 2022 at 6:24 PM David Ritenour <d.ritenour(a)martinfed.com> wrote: > > Try setting the nslookthroughlimit to 5000 (or -1 for unlimited) on the entry you are binding with. > > Alternatively, you can set the nsslapd-lookthroughlimit to 5000 (or -1 for unlimited) in the cn=config,cn=ldbm database,cn=plugins,cn=config entry but doing so will remove the lookthroughlimit restriction for ANYONE searching the directory. > > In addition, I would avoid using a complex search with "objectClass=inetOrgPerson" if the filter "uid=926*" is sufficient. > > David Ritenour > Senior Directory Engineer > 513 Madison Street SE > Huntsville, AL 35801 > > > > > -----Original Message----- > From: Rainer Duffner <rainer(a)ultra-secure.de> > Sent: Wednesday, June 1, 2022 11:45 AM > To: General discussion list for the 389 Directory server project. <389-users(a)lists.fedoraproject.org> > Subject: [389-users] another question: searches running into administrative limits > > ** WARNING: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. > > > Hi, > > > when searching for something like this: > > LDAPTLS_REQCERT=never ldapsearch -xLLL -H ldaps://127.0.0.1:636 -D "cn=bla,dc=users,dc=bla,dc=org,dc=da" -W -b 'dc=ble,dc=bla,dc=org,dc=da' -s sub -a always "(&(objectclass=inetOrgPerson)(uid=926*))" "uid" "objectClass" > > I get the "Administrative limit exceeded (11)“ error message. > > There are less than 5000 entries in that directory - and I’ve set the size-limit to 5000 subsequently (from the default 2000). > > I then created a Browsing Index on the „ble“ directory - but I still the the error message. > Also enabled SubString Indexes for the uid attribute. > > What else could there be? > > > Rainer > _______________________________________________ > 389-users mailing list -- 389-users(a)lists.fedoraproject.org To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject… > Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure > This email and any files transmitted with it are confidential and are intended solely for the use of the individual or entity to which they are addressed. If you are not the intended recipient or the person responsible for delivering the email to the intended recipient, be advised that you have received this email and any such files in error and that any use, dissemination, forwarding, printing or copying of this email and/or any such files is strictly prohibited. If you have received this email in error please immediately notify hr(a)martinfed.com - (855) 212-1810 , and destroy the original message and any such files. > _______________________________________________ > 389-users mailing list -- 389-users(a)lists.fedoraproject.org > To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject… > Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure -- -- 389 Directory Server Development Team

2 1

another question: searches running into administrative limits
by Rainer Duffner 01 Jun '22

01 Jun '22

Hi, when searching for something like this: LDAPTLS_REQCERT=never ldapsearch -xLLL -H ldaps://127.0.0.1:636 -D "cn=bla,dc=users,dc=bla,dc=org,dc=da" -W -b 'dc=ble,dc=bla,dc=org,dc=da' -s sub -a always "(&(objectclass=inetOrgPerson)(uid=926*))" "uid" "objectClass" I get the "Administrative limit exceeded (11)“ error message. There are less than 5000 entries in that directory - and I’ve set the size-limit to 5000 subsequently (from the default 2000). I then created a Browsing Index on the „ble“ directory - but I still the the error message. Also enabled SubString Indexes for the uid attribute. What else could there be? Rainer

2 1

Re: How do display the actual ldap request sent by an app?
by Rainer Duffner 01 Jun '22

01 Jun '22

> Am 01.06.2022 um 12:37 schrieb David Ritenour <d.ritenour(a)martinfed.com>: > > Rainer, > > The directory's access log may provide you with the information you need to resolve the issue. Grep for the originating IP or bindDN, then grep for the connection number (conn=xxxxx) within the results. The output from the second grep should provide the entire sequence of events for that connection, including the connection, bind, operations, unbind, and the results for each including success and failure ldap error codes. The op=x field within the output indicates the operation order. > > Hope that helps. Thanks, it turns out that after rebooting (or restarting) the app-server (which is within the real of the customer and outside my control), it started to work again. So, in the end it was a typical much-ado-about-nothing situation. I am sorry for the noise. Regards Rainer

1 0

How do display the actual ldap request sent by an app?
by Rainer Duffner 01 Jun '22

01 Jun '22

Hi, as I mentioned in my other post, an app has „suddenly“ stopped to work with 389-server 1.3.10 correctly. The app tries to add a user, but the user is not added and no apparent error is logged. I tried adding a user manually with ldapmodify - but that still works, with the credentials of the user the app is using. I set nsslapd-errorlog-level: 128 but that slowed down the server too much because it still gets traffic from the load-balancer health-checks… Rainer

3 3

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

389-users June 2022