sasl_io_start_packet: failed - read only 3 bytes of 4
by Edward Z. Yang
Hello all,
We're running into this error message on a full update between two
dirsrvs of version:
389 Project
389-Directory/1.2.6 B2010.238.2133
The error message is:
[26/Sep/2010:15:03:35 -0400] - sasl_io_start_packet: failed - read only 3 bytes of sasl packet length on connection 4
According to the source code:
/*
* NOTE: A better way to do this would be to read the bytes and add them to
* sp->encrypted_buffer - if offset < 4, tell caller we didn't read enough
* bytes yet - if offset >= 4, decode the length and proceed. However, it
* is highly unlikely that a request to read 4 bytes will return < 4 bytes,
* perhaps only in error conditions, in which case the ret < 0 case above
* will run
*/
Uh. Maybe our network is strange, maybe we've run into a different error
condition, but this seems quite poor...
Cheers,
Edward
13 years, 7 months
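The buffered approach the quoted comment describes (keep whatever bytes the socket returned, ask for more until all 4 length bytes are present, then decode and wait for the payload), written here as an added Python example; it is not 389 DS code, and the 64 KiB packet cap is an assumption for the example only:

```python
import struct

# Assumption for this example: an upper bound on a SASL security-layer
# packet. A real server uses the size negotiated with the client.
MAX_SASL_PACKET = 65536


class SaslPacketReader:
    """Reassembles SASL security-layer packets (4-byte big-endian length
    followed by the encrypted payload) from a stream that may hand back
    fewer bytes than requested, including fewer than the 4 length bytes."""

    def __init__(self, max_packet=MAX_SASL_PACKET):
        self.buf = bytearray()
        self.max_packet = max_packet

    def feed(self, data: bytes) -> list:
        """Append what the socket returned and return every packet that is
        now complete. A partial length prefix or payload stays buffered for
        the next call instead of being treated as an error."""
        self.buf += data
        packets = []
        while True:
            if len(self.buf) < 4:
                break  # length prefix incomplete (e.g. only 3 of 4 bytes so far)
            (length,) = struct.unpack("!I", bytes(self.buf[:4]))
            if length > self.max_packet:
                raise ValueError(f"sasl packet length {length} exceeds limit")
            if len(self.buf) < 4 + length:
                break  # prefix complete, payload still arriving
            packets.append(bytes(self.buf[4:4 + length]))
            del self.buf[:4 + length]
        return packets


def reassemble(chunks) -> list:
    """Drive the reader with a sequence of (constructed) short reads."""
    reader = SaslPacketReader()
    out = []
    for chunk in chunks:
        out.extend(reader.feed(chunk))
    return out


if __name__ == "__main__":
    # Constructed input: the length prefix arrives as 3 bytes, then 1 byte,
    # which is exactly the split the error message above reports.
    demo = [b"\x00\x00\x00", b"\x05hel", b"lo\x00\x00", b"\x00\x02hi"]
    print(reassemble(demo))  # [b'hello', b'hi']
```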
Re: [389-users] 389 DS 1.2.6. and certificates
by Rob Crittenden
Reinhard Nappert wrote:
> No, this is fine.
>
> Before I restart the server certutil is fine, afterwards, it is not ......
Are both dirsrv and certutil using the same NSS library?
rob
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten@redhat.com]
> Sent: Tuesday, September 28, 2010 3:13 PM
> To: General discussion list for the 389 Directory server project.
> Cc: Reinhard Nappert
> Subject: Re: [389-users] 389 DS 1.2.6. and certificates
>
> Reinhard Nappert wrote:
>> I have the same permissions.
>>
>> CTu,u,u works with my previous servers. Since I did a certutil -L -d .... before the restart, I know that the database was fine before I restarted the server.
>>
>
> Could this be pin related? Do you have a different password set on the database than the 389-ds instance is expecting?
>
> rob
>
>> -Reinhard
>>
>> -----Original Message-----
>> From: 389-users-bounces(a)lists.fedoraproject.org
>> [mailto:389-users-bounces@lists.fedoraproject.org] On Behalf Of
>> Gerrard Geldenhuis
>> Sent: Tuesday, September 28, 2010 2:47 PM
>> To: General discussion list for the 389 Directory server project.
>> Subject: Re: [389-users] 389 DS 1.2.6. and certificates
>>
>> Hi
>>
>> I have seen similar problems... in my case the database became corrupt if I changed it while dirsrv was running.
>>
>> Also check permissions:
>>
>> -rw------- 1 nobody root 65536 Aug 12 12:18 cert8.db
>> -rw------- 1 nobody root 16384 Aug 12 12:18 key3.db
>> -rw------- 1 nobody root 16384 Sep 28 17:08 secmod.db
>>
>> and my CA only has CT,,
>>
>> Not sure that would make a difference but worth checking.
>>
>> Regards
>>
>> ________________________________________
>> From: 389-users-bounces(a)lists.fedoraproject.org
>> [389-users-bounces(a)lists.fedoraproject.org] on behalf of Reinhard
>> Nappert [rnappert(a)juniper.net]
>> Sent: 28 September 2010 16:24
>> To: General discussion list for the 389 Directory server project.
>> Subject: Re: [389-users] 389 DS 1.2.6. and certificates
>>
>> Yes, I built it myself on 4.4.
>>
>> No, it does not make a difference when I change the files to read
>> only, before I restart the server
>>
>>
>>
>> -----Original Message-----
>> From: 389-users-bounces(a)lists.fedoraproject.org
>> [mailto:389-users-bounces@lists.fedoraproject.org] On Behalf Of Rich
>> Megginson
>> Sent: Tuesday, September 28, 2010 11:05 AM
>> To: General discussion list for the 389 Directory server project.
>> Subject: Re: [389-users] 389 DS 1.2.6. and certificates
>>
>> Reinhard Nappert wrote:
>>> Hi,
>>> I built and installed the 389 Directory Server 1.2.6 on CentOS 4.4.
>> Do you mean 5.5? Or did you build it yourself?
>>> The server works fine.
>>> Then, I generated the certs (using certutil) and imported them in the
>>> cert-store. The certs are basically generated by the
>>> setupssl2.sh script. When I list the certs afterwards, everything
>>> looks fine:
>>>
>>> certutil -L -d /etc/dirsrv/<dir-instance>
>>> CA certificate CTu,u,u
>>> <hostname> u,u,u
>>> However, when I restart the server, I get the following error and the
>>> server does not come up anymore:
>>> [28/Sep/2010:10:45:40 -0400] - SSL alert: Security Initialization:
>>> NSS initialization failed (Netscape Portable Runtime error -8174 -
>>> security library: bad database.): certdir: /etc/dirsrv/<dir-instance>
>>>
>>> Not surprisingly, the certutil -L -d .... comes up with the same error:
>>> certutil: function failed: security library: bad database.
>>>
>>> Any idea what goes wrong there?
>> Not sure. After running the script to generate the certs, can you change the cert8.db, key3.db, and secmod.db files to be read only (mode 0400), before starting the directory server? Does that help?
>>>
>>> Thanks,
>>> -Reinhard
>>>
>>> 389 users mailing list
>>> 389-users(a)lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
13 years, 7 months
389 DS 1.2.6. and certificates
by Reinhard Nappert
Hi,
I built and installed the 389 Directory Server 1.2.6 on CentOS 4.4. The server works fine.
Then, I generated the certs (using certutil) and imported them in the cert-store. The certs are basically generated by the setupssl2.sh script. When I list the certs afterwards, everything looks fine:
certutil -L -d /etc/dirsrv/<dir-instance>
CA certificate CTu,u,u
<hostname> u,u,u
However, when I restart the server, I get the following error and the server does not come up anymore:
[28/Sep/2010:10:45:40 -0400] - SSL alert: Security Initialization: NSS initialization failed (Netscape Portable Runtime error -8174 - security library: bad database.): certdir: /etc/dirsrv/<dir-instance>
Not surprisingly, the certutil -L -d .... comes up with the same error:
certutil: function failed: security library: bad database.
Any idea what goes wrong there?
Thanks,
-Reinhard
13 years, 7 months
ldappasswd and shadowLastChange attribute
by James Smallacombe
I finally figured out a working shell script to make LDAP user password
changes using mozldap/ldappasswd. Unfortunately, I just discovered that
changing the password using this does not update the "shadowLastChange"
attribute, so users with expired passwords are still not able to log in,
even after an admin has reset their password in this manner.
Since we are migrating from traditional shadow passwords to LDAP, the
attribute we need to get updated by this is "shadowLastChange".
I attempted to work around this in /etc/ldap.conf by adding this:
nss_map_attribute shadowLastChange pwdLastSet
But to no avail. In addition, the "change ldap password" plugin also does
not update this, although webmin users and groups module does.
What am I missing? Thanks in Advance!
James Smallacombe PlantageNet, Inc. CEO and Janitor
up(a)3.am http://3.am
=========================================================================
13 years, 7 months
Not allowed to change password once it has expired
by Gerrard Geldenhuis
Hi
I am in the midst of debugging this but am hoping anyone can shed some light on the issue or point me in the right direction.
A certain combination of changes to the global password policy seems to break the ability to change a user's password.
user1(a)client01.example's password:
You are required to change your LDAP password immediately.
Last login: Mon Sep 27 16:06:18 2010 from 10.5.11.115
Connection to client01.example closed.
When it works it looks like:
ssh client01 -l user1
user1@client01's password:
You are required to change your LDAP password immediately.
Creating directory '/home/user1'.
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user user1
Enter login(LDAP) password:
Connection to client01 closed.
Settings that we have toggled in the global password policy are:
Enable fine-grained password policy
User must change password after reset
Allow changes in x days
We don't change anything on the client so I am 99% sure it's not a pam misconfiguration.
Best Regards
13 years, 7 months
how to get password expiration warnings and password policy
by Ondrej Ivanič
Hi,
Is there any way to query a user's password-policy-related
attributes? I'm interested in the password expiration date in order to
show a warning message.
PHP has ldap_parse_result(link, result, ...) function but there is no
result from ldap_bind() (which calls ldap_bind_s()) function (except
simple true/false).
When I set password policy for server I can query cn=config and get
password policy definition. When I set password policy for subtree I
can't find any password policy related attributes.
I tried to search using baseDN which is in 'pwdpolicysubentry' (
'cn="cn=nsPwTemplateEntry,dc=example",cn=nsPwPolicyContainer,dc=example'
) but nothing is there:
dn: cn="cn=nsPwTemplateEntry,dc=example",cn=nsPwPolicyContainer,dc=example
objectClass: extensibleObject
objectClass: costemplate
objectClass: ldapsubentry
objectClass: top
cosPriority: 1
cn: "cn=nsPwTemplateEntry,dc=example"
Thanks,
--
Ondrej Ivanic
(ondrej.ivanic(a)gmail.com)
13 years, 7 months
Local Password Policy Replicated?
by Gerrard Geldenhuis
Hi
The documentation is not very clear on this...
13.1.5 in the latest Admin Guide mentions how password policy is treated in a replicated environment but it does not distinguish or confirm that the behaviour for global and local password policies is treated in the same way with regards to replication.
Do local password policy settings get replicated?
I would assume yes because it writes:
dn: cn=cn=nsPwPolicyEntry\,uid=jdoe\,ou=people\,dc=example\,dc=com,cn=nsPwPolicyContainer,ou=people,dc=example,dc=com
objectclass: top
objectclass: extensibleObject
objectclass: ldapsubentry
objectclass: passwordpolicy
according to the documentation.
( after typing this email I am doubting my assumption )
Can I thus change password policy for a subtree only once or should I be changing it on all servers regardless?
The reason that prompted me for this question is that I am using an "authenticator" user to bind to ldap rather than bind anonymous. This user is in my company tree and also falls under the global password policy which it should not. If someone with malicious intent wanted to break the system they could just use that user with the wrong password 5 times to lock the account. That is an obvious flaw which is why I need to change password policy for this user and/or group of users.
Best Regards
13 years, 7 months
Replication initialization keeps getting wedged
by Edward Z. Yang
Hello all,
I'm trying to recover a 5-master setup by reinitializing some
of the masters off of other masters. However, when I initiate
a full update using
nsDS5BeginReplicaRefresh: start
I see the following line in the target:
[23/Sep/2010:17:57:30 -0400] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=scripts,dc=mit,dc=edu is going offline; disabling replication
but then the source writes out:
[23/Sep/2010:17:59:29 -0400] NSMMReplicationPlugin - agmt="cn="GSSAPI Replication to cats-whiskers.mit.edu"" (cats-whiskers:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later.
and now the target is stuck non-replicating. What's going on and how
do I recover?
Edward
13 years, 7 months
SSHA and friends
by Gerrard Geldenhuis
Hi
This is probably OT but I am not having much luck with google. How can I create SSHA512 strings? I have been using either a php script or slappasswd to create SSHA password but not sure how to do SSHA512. openssl can create the SHA512 digest but I am not sure how to add the random seed bit. My question probably illuminates my lack of understanding of the subject.
Best Regards
13 years, 7 months
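An added Python example (not from the thread) of the {SSHA512} layout: the stored value is "{SSHA512}" followed by base64 of SHA-512(password || salt) with the random salt appended after the digest, which is the "random seed bit" openssl's plain digest lacks. The 8-byte salt length is an assumption (implementations differ), so the verifier recovers the salt from the decoded blob's length rather than assuming it.

```python
import base64
import hashlib
import hmac
import os

PREFIX = "{SSHA512}"
DIGEST_LEN = 64  # SHA-512 produces a 64-byte digest


def ssha512_hash(password: str, salt=None, salt_len: int = 8) -> str:
    """Build an LDAP userPassword value in {SSHA512} form.
    Layout: PREFIX + base64(sha512(password || salt) || salt).
    salt_len=8 is an assumption for this example; any length works
    because the salt is stored alongside the digest."""
    if salt is None:
        salt = os.urandom(salt_len)  # fresh per-password salt from the OS CSPRNG
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha512_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA512} value.
    Everything after the first 64 decoded bytes is the salt, so the
    verifier does not need to know which salt length the producer used."""
    if not stored.startswith(PREFIX):
        return False
    try:
        blob = base64.b64decode(stored[len(PREFIX):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(blob) <= DIGEST_LEN:
        return False  # no salt present: an unsalted SHA-512 is not SSHA512
    digest, salt = blob[:DIGEST_LEN], blob[DIGEST_LEN:]
    candidate = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time compare


if __name__ == "__main__":
    value = ssha512_hash("correct horse battery staple")
    print(value)
    print(ssha512_verify("correct horse battery staple", value))  # True
```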
Password Expiry Notifications
by James Smallacombe
I turned on password expiring, set the aging for 90 days and warning for
14 days like this (CentOS Directory Server):
passwordMaxAge: 7776000
passwordExp: on
passwordWarning: 1209600
Stupid question: How does this warning get passed on to the user? Is
there a function to email the warning (and presumably customized
instructions on how to reset it) to the user?
TIA,
James Smallacombe PlantageNet, Inc. CEO and Janitor
up(a)3.am http://3.am
=========================================================================
13 years, 7 months