Troubles with automated deployment of secure 389 server
by Nicolas Martin
Hello,
I've been trying to deploy a secure 389 server with TLS/SSL on the port 636.
If I do things manually, it works alright.
But using the scripts provided on the website, I run into some troubles.
BACKGROUND INFO:
Attached to this mail are the scripts and conf file I use. My setupssl.sh
is a modified version of the setupssl2.ssh meant for DS >= 1.1. I changed
the cipher suite and I changed the name of the admin cert from server-cert
to admin-cert for clarity (I manually changed the name of the certificate
in the admin console configuration file accordingly).
Reason behind the cipher suite change is that the one in the original
script prevents the script from running (AttributeType error) so I used a
cipher suite from a working, manually deployed LDAP server.
I use the packages provided with RHEL6U5. Here are the components version:
389-ds-base-1.2.11.15-34.el6_5.x86_64
389-ds-1.2.2-1.el6.noarch
389-ds-console-1.2.6-1.el6.noarch
389-adminutil-1.1.19-1.el6.x86_64
389-admin-console-1.1.8-1.el6.noarch
389-dsgw-1.1.11-1.el6.x86_64
389-admin-1.1.35-1.el6.x86_64
389-admin-console-doc-1.1.8-1.el6.noarch
389-ds-console-doc-1.2.6-1.el6.noarch
389-ds-base-libs-1.2.11.15-34.el6_5.x86_64
389-console-1.1.7-1.el6.noarch
openjdk version:
java-1.6.0-openjdk-1.6.0.0-6.1.13.4.el6_5.x86_64
PROBLEM DESCRIPTION:
Once the scripts have run, I start 389-console using the https URL.
Authentication yields an error message: "Cannot connect..."
Console with debugging enabled shows this error message:
Unable to create ssl socket
org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8054)
You are attempting to import a cert with the same issuer/serial as an
existing cert, but that is not the same cert.
/var/log/dirsrv/admin-server/error has the following line:
[error] SSL Library Error: -12271 SSL client cannot verify your certificate
Certificates list from admin server:
admin-cert u,u,u
CA certificate CT,,
Certificates list from slapd-myserver7:
CA certificate CTu,u,u
admin-cert u,u,u
Server-Cert u,u,u
My certificates all have different serial numbers: 1000 for CA, 1001 for
Server-Cert, 1002 for admin-cert.
If I disable the security for the console by setting NSSEngine to Off, I
can log in to the console with the normal http URL, but as soon as I access a
certificate-related tab (for example "Manage Certificates" or the
Encryption tab of the server), I get the following error message:
Unable to create ssl socket
org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-12263)
SSL received a record that exceeded the maximum permissible length.
Has anyone ever experienced these SSL errors? Is there something I can
compare between my working, manually deployed LDAP servers and the one that
I try to deploy automatically?
Thanks in advance.
Regards,
Nicolas Martin
changelog
by Denise Cosso
Hi,
How to modify the attribute nsslapd-encryptionalgorithm in Centos?
Thanks,
Denise
Stop Master servers and set nsslapd-encryptionalgorithm. The allowed value is AES or 3DES.
dn: cn=changelog5,cn=config
[...]
nsslapd-encryptionalgorithm: AES
--- On Tue, 4/6/13, Rich Megginson <rmeggins(a)redhat.com> wrote:
From: Rich Megginson <rmeggins(a)redhat.com>
Subject: Re: [389-users] changelog
To: "Denise Cosso" <guanaes51(a)yahoo.com.br>
Date: Tuesday, 4 June 2013, 16:34
On 06/04/2013 01:26 PM, Denise Cosso wrote:
Hi, Rich
CentOS release 6.3 (Final)
389-ds-base-libs-1.2.10.2-20.el6_3.x86_64
389-ds-1.2.2-1.el6.noarch
389-dsgw-1.1.10-1.el6.x86_64
389-ds-console-1.2.6-1.el6.noarch
389-ds-console-doc-1.2.6-1.el6.noarch
389-ds-base-1.2.10.2-20.el6_3.x86_64
As far as replication goes - you will need to use a security layer
(SSL, TLS, or GSSAPI) to protect the clear text password on the wire
As far as encrypting it in the changelog - not sure
Denise
--- On Tue, 4/6/13, Rich Megginson <rmeggins(a)redhat.com> wrote:
From: Rich Megginson <rmeggins(a)redhat.com>
Subject: Re: [389-users] changelog
To: "General discussion list for the 389 Directory server project." <389-users(a)lists.fedoraproject.org>
Cc: "Denise Cosso" <guanaes51(a)yahoo.com.br>
Date: Tuesday, 4 June 2013, 16:11
On 06/04/2013 12:39 PM, Denise Cosso wrote:
Hi,
Description of problem:
When a userPassword is changed in a server with changelog, the hashed password
is logged and also a cleartext pseudo-attribute version. It looks like this:
change::
replace: userPassword
userPassword: {SHA256}vqtiN2LHdrEUOJUKu+IBVqAVFsAlvFw+11kD/Q==
-
replace: unhashed#user#password
unhashed#user#password: secret12
This unhashed version is used in winsync where the cleartext version of the
password must be written to the AD.
Now if the DS is involved in replication with another DS, the change will be
replayed exactly as it is logged to the other DS replicas, including the
cleartext pseudo-attribute password.
What platform? What version of 389-ds-base are you
using?
thanks,
Denise
--
389 users mailing list
389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
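Denise's description above is of a changelog that records the hashed userPassword together with the cleartext unhashed#user#password pseudo-attribute. As an added example (not from the thread or the 389 project), here is a Python scanner that decodes the base64 change:: values of a changelog LDIF dump and reports which changes carry that pseudo-attribute; it assumes the dump uses the LDIF layout shown in the mail, and the sample dump is constructed.

```python
import base64
CLEARTEXT_ATTR = "unhashed#user#password"   # pseudo-attribute quoted in the mail
def parse_ldif(text):
    """Parse LDIF into [{attr: [values]}]; unfolds wrapped lines, decodes ':: base64'."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # continuation of the previous line
        else:
            lines.append(raw)
    entries, entry = [], {}
    for line in lines:
        if not line:                        # blank line ends an entry
            if entry:
                entries.append(entry)
                entry = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):           # "change:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(name, []).append(value)
    if entry:
        entries.append(entry)
    return entries

def find_cleartext_password_changes(ldif_text):
    """(changenumber, targetdn) of each change whose decoded body carries the pseudo-attribute."""
    hits = []
    for e in parse_ldif(ldif_text):
        for change in e.get("change", []):
            if any(l.lower().startswith(CLEARTEXT_ATTR + ":") for l in change.splitlines()):
                hits.append((e["changenumber"][0], e["targetdn"][0]))
                break
    return hits

_b64 = lambda s: base64.b64encode(s.encode()).decode()
# Constructed sample dump: change 42 is the password modify quoted in the mail, 43 is unrelated.
SAMPLE_LDIF = (
    "dn: changenumber=42,cn=changelog\nchangenumber: 42\nchangetype: modify\n"
    "targetdn: uid=jdoe,ou=people,dc=example,dc=com\n"
    "change:: " + _b64("replace: userPassword\nuserPassword: {SHA256}vqtiN2LHdr"
    "EUOJUKu+IBVqAVFsAlvFw+11kD/Q==\n-\nreplace: unhashed#user#password\n"
    "unhashed#user#password: secret12\n") + "\n\n"
    "dn: changenumber=43,cn=changelog\nchangenumber: 43\nchangetype: modify\n"
    "targetdn: uid=asmith,ou=people,dc=example,dc=com\n"
    "change:: " + _b64("replace: mail\nmail: asmith@example.com\n") + "\n"
)
```

Running it over a dump taken before and after the nsslapd-encryptionalgorithm change gives a direct check of what is still readable in the export.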
389 DS merged with AD?
by Gary Algier
Hello,
I am in search of a tool to solve a new directory server issue in relation
to Active Directory...
For a long time here at work, we have had LDAP as our authentication source
and nsswitch source for Solaris and Linux. First it was the Solaris DS,
later the 389 DS. When AD came along we started using the Active Directory
sync tool to sync passwords from the AD environment, but did not try to
store all the Posix attributes in AD. This has worked well.
Recently, our company was bought by another that is implementing AD as the
only allowed authentication source. We will be assimilated. However, they
can't/won't store all the other stuff we need such as the Ethernet
addresses, automount points, etc. They also won't sync passwords. It
looks like we will still need a "real" directory server.
Does anyone have any ideas how to have two LDAP sources, one used for
authentication and possibly some user attributes, group membership, etc.
(AD) while using another (389?) for the rest of the stuff?
Is there some sort of frontend proxy that can merge the DITs from two
stores on the backend? I seem to remember reading that the later versions
of the Solaris DS could do something like this.
I don't even know what kind of tool I am asking for or I might be able to
search for it and answer my own question.
Any pointers would be appreciated.
Gary Algier
No results from nsContainer subtree search
by William
I ran the following search:
ldapsearch -H ldap://localhost -b 'cn=nsAccountInactivationTmp,dc=example' -s sub -Z -x -D 'cn=Directory Manager' -W '(objectClass=*)' '*'
I was trying to locate the object:
'cn="cn=nsDisabledRole,dc=example",cn=nsAccountInactivationTmp,dc=example'
The search yielded no result, but the same search as:
ldapsearch -H ldap://localhost -b 'cn="cn=nsDisabledRole,dc=example",cn=nsAccountInactivationTmp,dc=example' -s base -Z -x -D 'cn=Directory Manager' -W '(objectClass=*)' '*'
works and correctly shows the object. What's wrong with the first query?
Other subtree searches on nsContainers work correctly.
Sincerely,
--
William <william(a)firstyear.id.au>
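The target DN above embeds a quoted value that itself contains commas and an equals sign. As an added example (not from the thread or the 389 project), here is a Python DN splitter that honours RFC 2253 quoting and backslash escapes, plus a subordinate check built on it; it is a way to confirm, before looking at the server, that the object's DN really lies under the search base, and that a naive split on commas gets the wrong answer for such a DN. The DNs are the ones from the mail.

```python
import re

SPECIALS = ',+"<>;='   # characters RFC 4514 requires escaped in an unquoted value

def split_dn(dn):
    """Split a DN into RDN strings without breaking on commas that sit inside a
    quoted value or behind a backslash (RFC 2253 legacy quoting is still seen)."""
    rdns, cur, quoted, i = [], [], False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped pair: copy verbatim
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            rdns.append("".join(cur).strip())
            cur = []
            i += 1
            continue
        cur.append(ch)
        i += 1
    rdns.append("".join(cur).strip())
    return rdns

def normalize_rdn(rdn):
    """Lower-case the type, replace legacy quoting by backslash escapes and fold
    value case (assumes caseIgnoreMatch, which holds for cn and dc)."""
    attr, _, val = rdn.partition("=")
    val = val.strip()
    if len(val) >= 2 and val[0] == val[-1] == '"':
        # keep pairs that are already escaped, escape the bare specials
        val = re.sub(r'\\.|[,+"<>;=]',
                     lambda m: m.group() if m.group()[0] == "\\" else "\\" + m.group(),
                     val[1:-1])
    return attr.strip().lower() + "=" + val.lower()

def is_subordinate(entry_dn, base_dn):
    """True when entry_dn lies strictly below base_dn, i.e. inside its subtree."""
    e = [normalize_rdn(r) for r in split_dn(entry_dn)]
    b = [normalize_rdn(r) for r in split_dn(base_dn)]
    return len(e) > len(b) and e[-len(b):] == b

# The DNs from the mail.
TARGET = 'cn="cn=nsDisabledRole,dc=example",cn=nsAccountInactivationTmp,dc=example'
BASE = "cn=nsAccountInactivationTmp,dc=example"
```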
Proxied Authorization Control (RFC 4370)
by Graham Leggett
Hi all,
Does 389DS support Proxied Authorization Control (RFC 4370)?
Some googling and manual reading suggest it doesn't, but I need to confirm whether I am missing something.
Regards,
Graham
—
389ds + Java getAttributeSyntaxDefinition() == NameNotFoundException
by Graham Leggett
Hi all,
I have some Java code that is attempting to read the schema of returned LDAP attributes from a 389ds server in an effort to work out what object to parse the attribute as. This is being done generically, I don’t know the data types I will be getting in the search result.
String numericoid = at.getAttributeSyntaxDefinition()
.getAttributes("").get("numericoid").get()
.toString();
The above code is throwing a javax.naming.NameNotFoundException inside the getAttributeSyntaxDefinition() call:
javax.naming.NameNotFoundException: 1.3.6.1.4.1.1466.115.121.1.15{256}
at com.sun.jndi.toolkit.dir.HierMemDirCtx.doLookup(HierMemDirCtx.java:127)
at com.sun.jndi.toolkit.dir.HierMemDirCtx.doLookup(HierMemDirCtx.java:121)
at com.sun.jndi.toolkit.dir.HierMemDirCtx.lookup(HierMemDirCtx.java:95)
at com.sun.jndi.toolkit.dir.HierMemDirCtx.lookup(HierMemDirCtx.java:91)
at com.sun.jndi.ldap.LdapAttribute.getAttributeSyntaxDefinition(LdapAttribute.java:199)
The suspicious bit is the {256} at the end, which as I understand is a length limitation (?), and I suspect this extra bit is causing the syntax lookup to fail. 1.3.6.1.4.1.1466.115.121.1.15 is DirectoryString, and I would definitely expect that to be valid syntax.
Am I doing this correctly, or does 389DS and JDK8 not see eye to eye on the getAttributeSyntaxDefinition() call?
Can anyone confirm whether I am making any obvious mistakes?
Regards,
Graham
—
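The exception above names the syntax OID with a {256} suffix attached. As an added example (not from the thread, the JDK or the 389 project), here is a Python parser for an RFC 4512 attributeTypes description that separates the syntax OID from its optional length suffix, which is the split a client doing generic schema lookups needs before it resolves the syntax; the sample definition is constructed, with a placeholder OID.

```python
import re

# SYNTAX clause of an RFC 4512 attribute type description: the OID may carry an
# optional "{len}" length suffix, as in 1.3.6.1.4.1.1466.115.121.1.15{256}.
_SYNTAX_RE = re.compile(r"\bSYNTAX\s+([0-9.]+)(?:\{(\d+)\})?")
_OID_RE = re.compile(r"^\(\s*([0-9.]+)")
_NAME_RE = re.compile(r"\bNAME\s+(?:'([^']*)'|\(\s*((?:'[^']*'\s*)+)\))")

def parse_attribute_type(definition):
    """Return the pieces a client needs from an attributeTypes value: its OID,
    its names, the bare syntax OID (length suffix removed) and the length."""
    m_oid = _OID_RE.search(definition)
    if not m_oid:
        raise ValueError("not an attribute type description")
    names = []
    m_name = _NAME_RE.search(definition)
    if m_name:
        if m_name.group(1) is not None:          # NAME 'single'
            names = [m_name.group(1)]
        else:                                    # NAME ( 'one' 'two' )
            names = re.findall(r"'([^']*)'", m_name.group(2))
    m_syn = _SYNTAX_RE.search(definition)
    syntax = m_syn.group(1) if m_syn else None
    length = int(m_syn.group(2)) if m_syn and m_syn.group(2) else None
    return {"oid": m_oid.group(1), "names": names, "syntax": syntax,
            "max_length": length, "single_value": "SINGLE-VALUE" in definition}

# Constructed sample in the style of the 389-ds schema files (placeholder OID);
# the SYNTAX value is the one from the exception in the mail.
SAMPLE_DEF = ("( 1.2.3.4.5.6.7 NAME ( 'exampleString' 'exStr' ) "
              "DESC 'constructed sample' EQUALITY caseIgnoreMatch "
              "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} SINGLE-VALUE X-ORIGIN 'example' )")
```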
Retrieve list of groups that a user belongs to
by harry.devine@faa.gov
I know this is slightly off topic, but I thought that maybe someone on this list could be of some assistance. I need to get the list of groups that a particular user belongs to, similar to the linux command line program 'groups'. I would like to provide a user name to search, and have all groups that this user belongs to be returned. Is this possible in 389-ds? I have been Googling for days and most results that I come up with have to do with Windows Active Directory, or other custom LDAP implementations.
Thanks for any help!
Harry
Harry Devine
DOT/FAA/AJM-2413
Common ARTS Software Development
harry.devine(a)faa.gov
(609)485-4218
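Harry is after the equivalent of the groups command. As an added example (not from the thread or the 389 project), here is Python that builds the search filter covering the standard group styles a 389-ds user can belong to (groupOfNames and groupOfUniqueNames holding the user's DN, posixGroup holding the uid), escaping the supplied name and DN per RFC 4515 so that a user name containing filter metacharacters cannot change the query, together with an offline matcher over constructed group entries that shows which groups the filter would return.

```python
def escape_filter_value(value):
    """Escape an assertion value for an LDAP search filter (RFC 4515): '*', '(',
    ')', '\\', NUL and every non-ASCII byte become \\XX hex pairs."""
    out = []
    for b in value.encode("utf-8"):
        if b in b"*()\\\x00" or b >= 0x80:
            out.append("\\%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)

def groups_filter(uid, user_dn):
    """Filter for the group styles a 389-ds user is usually a member of:
    groupOfNames / groupOfUniqueNames carry the DN, posixGroup carries the uid."""
    dn, u = escape_filter_value(user_dn), escape_filter_value(uid)
    return ("(&(|(objectClass=groupOfNames)(objectClass=groupOfUniqueNames)"
            "(objectClass=posixGroup))"
            f"(|(member={dn})(uniqueMember={dn})(memberUid={u})))")

def groups_of(uid, user_dn, groups):
    """Offline counterpart of groups_filter: the DNs of the entries (dicts of
    attr -> [values]) the filter would match. DN comparison is a plain
    case-insensitive string match, enough for DNs written consistently."""
    dn_key = user_dn.lower()
    found = []
    for g in groups:
        members = [m.lower() for m in g.get("member", []) + g.get("uniqueMember", [])]
        if dn_key in members or uid in g.get("memberUid", []):
            found.append(g["dn"])
    return found

# Constructed sample group entries.
SAMPLE_GROUPS = [
    {"dn": "cn=admins,ou=groups,dc=example,dc=com", "objectClass": ["groupOfNames"],
     "member": ["uid=jdoe,ou=people,dc=example,dc=com"]},
    {"dn": "cn=dev,ou=groups,dc=example,dc=com", "objectClass": ["posixGroup"],
     "memberUid": ["jdoe", "asmith"]},
    {"dn": "cn=ops,ou=groups,dc=example,dc=com", "objectClass": ["groupOfUniqueNames"],
     "uniqueMember": ["uid=asmith,ou=people,dc=example,dc=com"]},
]
```

The string from groups_filter is what you pass to ldapsearch against the group container; groups_of only reproduces the server's answer for the constructed entries.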
Issue changing user password
by harry.devine@faa.gov
I have a PHP script that uses the PHP LDAP functions to change a user's password. I've noticed that when the password gets changed, the passwordexpirationtime attribute gets reset to 19700101000000Z. Our policy is to change passwords every 90 days. Is there some setting in 389-ds that I need to set to have this happen automatically? Or do I have to set the passwordexpirationtime attribute myself when changing the password?
Thanks,
Harry
Harry Devine
DOT/FAA/AJM-2413
Common ARTS Software Development
harry.devine(a)faa.gov
(609)485-4218
Large ACI performance
by William
Hi,
I'm trying to convert some ACIs written by a former worker from being
exclude lists into include lists. The issue is that often these were
done such as:
(targetattr != "userPassword")
So when we change these to include lists, these will often have 30 to 50
attributes in them. Will this incur a significant performance impact? If
so, is there a way to lessen this?
Sincerely,
--
William <william(a)firstyear.id.au>