July 2009 - 389-users - Fedora Mailing-Lists

attribute "sambaPasswordHistory" not allowed

by muzzol

hi, im trying to manage ldap users with webmin module. when i change the password i get this error in /var/log/dirsrv/slapd-ds01/errors file: [28/Jul/2009:09:35:46 +0200] - Entry "uid=pepet8,ou=Users,dc=example.com,dc=global" -- attribute "sambaPasswordHistory" not allowed any hints debugging this issue? thanks, muzzol -- ======================== ^ ^ O O (_ _) muzzol(a)muzzol.com ======================== jabber id: muzzol(a)jabber.dk ======================== No atribueixis qualitats humanes als ordinadors. No els hi agrada. ======================== "El gobierno español sólo habla con terroristas, homosexuales y catalanes, a ver cuando se decide a hablar con gente normal" Jiménez Losantos ======================== <echelon spamming> bomb terrorism bush aznar teletubbies </echelon spamming>

14 years, 8 months

3
2
0 / 0

Krb5kdc startup instance

by John Robert Mendoza

Hi, After installing an IPA server on a machine, I have found out that after each bootup the kdc instance does not initialize at startup. I have to manually start it up using #service krb5kdc start. Is this normal or have I missed any options during my installation. Thanks John Robert Mendoza Open emails faster. Yahoo! recommends that you upgrade your browser to the new Internet Explorer 8 optimized for Yahoo! Get it here! http://downloads.yahoo.com/sg/internetexplorer/

14 years, 8 months

3
5
0 / 0

Re: anonymous access (Techie)

by Howard Chu

> Date: Tue, 28 Jul 2009 07:20:01 -0700 > From: Techie<techchavez(a)gmail.com> > On Tue, Jul 28, 2009 at 2:13 AM, John A. Sullivan > III<jsullivan(a)opensourcedevel.com> wrote: >> On Mon, 2009-07-27 at 23:29 -0700, Techie wrote: >>> Hello, >>> I am trying to altogether eliminate anonymous access to my directory. >>> However in doing this my authentication fails unless....I add a binddn >>> and bindpw to the ldap.conf on the clients. >>> As I understand it "bindpw" is inappropriate according to the OpenLDAP >>> architects. I don't know which conversation you're referring to, but certainly bindpw is not valid in the OpenLDAP ldap.conf. It may be valid in PADL's ldap.conf, but that's a different story. (As for why two completely different config files have the same name, well, we blame PADL for usurping the name and sowing endless confusion. Newer distros have started using different names like "nssldap.conf" to cut down on the confusion.) >>> So my situation right now looks like this. I have a ldap.conf >>> populated with a binddn and bindpw entry. >>> This allows me to remove anonymous access and authenticate to the >>> directory with ldap user credentials. >>> This is what I want, I just do not want to store a username and pass >>> in the ldap.conf file. >>> However if I remove this binddn and bindpw entry, and I disallow >>> anonymous access, I am unable to authenticate against the directory >>> using ldap user credentials. Even though upon attempting to login i am >>> supplying valid LDAP user credentials it cannot find the user because >>> it initially binds as "nobody" or 'dn="" in the access log and is >>> unable to locate attributes do to the lack of anonymous access. >>> Is there a way to have LDAP use the credential of the user logging in >>> to bind to the directory initially. >>> What are my options? >>> I can force SASL GSSAPI but it it not ideal in my situation. You can also use SASL DIGEST-MD5, which doesn't require any special infrastructure for deployment. Of course, here you're talking about the login which is handled by pam_ldap; you'll still need a set of service credentials that nss_ldap can use for its own queries. >> <snip> >> As far as I know (and that's not very far), that's the way it is. How >> else would the client be able to query the directory. We made sure we >> did not use a sensitive password and also ensured the ldap.conf file was >> NOT world readable. We also had to implement some custom ACIs to >> replace anonymous access and, I'm surprised how many applications simply >> assume anonymous access; we had to do a bit of dancing on a per >> application basis to make them work. Hope this helps - John >> -- >> John A. Sullivan III >> Open Source Development Corporation >> +1 207-985-7880 >> jsullivan(a)opensourcedevel.com >> >> http://www.spiritualoutreach.com >> Making Christianity intelligible to secular society > John, > It does help, thank you. Currently I use an account for the binddn > that has only read access to a subset of attributes. not much damage > can be done. I will keep searching and see what I find. That's really the best approach - use a dedicated account for nss queries and limit its privileges... -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

14 years, 8 months

2
1
0 / 0

anonymous access

by Techie

Hello, I am trying to altogether eliminate anonymous access to my directory. However in doing this my authentication fails unless....I add a binddn and bindpw to the ldap.conf on the clients. As I understand it "bindpw" is inappropriate according to the OpenLDAP architects. So my situation right now looks like this. I have a ldap.conf populated with a binddn and bindpw entry. This allows me to remove anonymous access and authenticate to the directory with ldap user credentials. This is what I want, I just do not want to store a username and pass in the ldap.conf file. However if I remove this binddn and bindpw entry, and I disallow anonymous access, I am unable to authenticate against the directory using ldap user credentials. Even though upon attempting to login i am supplying valid LDAP user credentials it cannot find the user because it initially binds as "nobody" or 'dn="" in the access log and is unable to locate attributes do to the lack of anonymous access. Is there a way to have LDAP use the credential of the user logging in to bind to the directory initially. What are my options? I can force SASL GSSAPI but it it not ideal in my situation. Thank you

14 years, 8 months

3
4
0 / 0

Diferences

by Alejandro Rodriguez Luna

Somebody could tell me the differences between 389 directory server 1.2.0 and redhat directory serevr 8.1? ---------------------------------- Alejandro Rodriguez Luna Web: http://www.alexluna.org E-mail: el_alexluna(a)yahoo.com.mx ---------------------------------- ¡Obtén la mejor experiencia en la web! Descarga gratis el nuevo Internet Explorer 8. http://downloads.yahoo.com/ieak8/?l=mx

14 years, 8 months

1
0
0 / 0

Password policy: Dictionary of unauthorized tokens

by Randall Wood

The RedHat/FDS documentation suggests that FDS can use a dictionary of unauthorized tokens in a password policy, although it does not seem configurable. Is there a dictionary that FDS uses, and is it possible to add words to it if so desired? -- Randall Wood Secure Systems Engineer Trusted Computer Solutions 2350 Corporate Park Drive, Suite 500 Herndon, Virginia 20170 Tel (703) 537-4382 | Fax (703) 318-5041 rwood(a)trustedcs.com http://www.trustedcs.com

14 years, 9 months

3
2
0 / 0

registered with an admin server behind a firewall

by Joel Heenan

I'm using Directory Server 8.1 on CentOS. I have multi-mastered servers setup in our administrative network secured and locked away working well. I have consumers setup out in other network zones and am planning to setup replication out to these servers. I wanted to keep the console as a single administration point for all the servers but I can't work out how I can register the consumers with the console given that they have no network access. Is the access needed once you have registered them? If not I could punch a quick ssh tunnel or something which would allow them to register. Thanks Joel

14 years, 9 months

2
4
0 / 0

Auto-reply: Fedora-directory-users Digest, Vol 50, Issue 28

by Kevin McCarthy

This is an automatic reply for kevin.mccarthy(a)teligent.co.uk ======================================================================= I am now out of the office until Monday 3rd August

14 years, 9 months

1
0
0 / 0

Re: [389-users] ACI Confusion (New to 389 Came from OL):

by Robert Ludvik

Anthony, thank you for this. I was lost in this ACIs, too. I'll try this in my Egw installation. Will you let people at EGW know about this link, too? Maybe they can help to improve and include this in the README. At least they should be interested in this ... (egroupware-users(a)lists.sourceforge.net or egroupware-developers(a)lists.sourceforge.net). Regards Robert I have gotten much closer. I think I'll need to tighten them up a bit (parents/children/etc), but here's where I got so far... http://messinet.com/trac/egw/browser/README.389DS Thanks for your help. If you think of anything else, let me know. I surely wouldn't call this solved. -A -- Anthony - http://messinet.com - http://messinet.com/~amessina/gallery 8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E

14 years, 9 months

2
1
0 / 0

ACI Confusion (New to 389 Came from OL):

by Anthony Joseph Messina

Hello, firstly, thanks for 389! I have just migrated my small domain from OL to 389 DS including some basic replication and have found it to be a solid, reliable and quick system. I am however having a lot of confusion with ACIs. I am trying to create ACIs with the same specificity that I had with OL and eGroupWare (http://egroupware.org), but can't seem to get one of them figured out. This is what I'm trying to accomplish (in OL format): access to dn.regex="^ou=personal,ou=contacts,ou=([^,]+),o=eGroupWare,dc=messinet,dc=com$" attrs=children by dn.exact="uid=egwadmin,o=eGroupWare,dc=messinet,dc=com" write by * none access to dn.regex="^cn=([^,]+),ou=personal,ou=contacts,ou=([^,]+),o=eGroupWare,dc=messinet,dc=com$" attrs=entry by dn.exact="uid=egwadmin,o=eGroupWare,dc=messinet,dc=com" write by dn.exact,expand="uid=$1,ou=accounts,ou=$2,o=eGroupWare,dc=messinet,dc=com" read by * none access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,ou=([^,]+),o=eGroupWare,dc=messinet,dc=com$" by dn.exact="uid=egwadmin,o=eGroupWare,dc=messinet,dc=com" write by dn.exact,expand="uid=$1,ou=accounts,ou=$2,o=eGroupWare,dc=messinet,dc=com" write by * none I have tried using the following in 389 DS to no avail. On the ou=messinet.com,ou=eGW,dc=messinet,dc=com entry... (targetattr = "*") (target = "ldap:///cn=($dn),ou=personal,ou=contacts,ou=messinet.com,ou=eGW,dc=messinet,dc=com") (version 3.0;acl "eGW personal addressbook access";allow (read,compare,search,write,delete,add)(userdn = "ldap:///uid=($dn),ou=accounts,ou=messinet.com,ou=eGW,dc=messinet,dc=com");) I need to have the uid of the binding user be matched to the cn of the tree root for personal contacts. How would I allow access by the bind user of: "uid=example_user,ou=accounts,ou=messinet.com,ou=eGW,dc=messinet,dc=com" to the entry and subentries of: cn=example_user,ou=personal,ou=contacts,ou=messinet.com,ou=eGW,dc=messinet,dc=com" References to the suggested ACLs (for OL) are here: http://svn.egroupware.org/egroupware/trunk/addressbook/doc/README http://svn.egroupware.org/egroupware/trunk/addressbook/doc/acl_addressboo... http://svn.egroupware.org/egroupware/trunk/phpgwapi/doc/ldap/acl_egw_addr... Thank you very much in advance for your assistance. -- Anthony - http://messinet.com - http://messinet.com/~amessina/gallery 8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E

14 years, 9 months

2
4
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

389-users July 2009