Contributing to the wiki
by Gerrard Geldenhuis
Hi
I would like to add a few notes to the wiki. Is there a special page where I should be creating an account?
This page http://directory.fedoraproject.org/wiki/Special:Userlogin says: We are not ready to accept contributions at this time. Is that still true? I am happy to just send a few notes via the mailing list for you to incorporate if you don't want to allow any direct edits.
Best Regards
________________________________________________________________________
In order to protect our email recipients, Betfair Group use SkyScan from
MessageLabs to scan all Incoming and Outgoing mail for viruses.
________________________________________________________________________
13 years, 5 months
access control
by Mike Li
I am using the latest 389 DS (1.1), on Linux. Searching the entries works
but cannot do add/modify, ldap_add_s() and ldap_modify_s() APIs return:
Insufficient access.
How do I give write access to a login (identified by a login DN and
password)? I searched everywhere but cannot find any help at all.
Thanks.
13 years, 5 months
Getting started with 389 DS
by harry.devine@faa.gov
I just installed 389 DS on a laptop running CentOS 5.4 to start getting
familiar with it. I got it installed correctly (answered all of the
questions in the setup-ds-admin.pl script, verified that the dirsrv and
dirsrv-admin services are running), but when I run the 389-console, I
can't log in. I'm entering the username and password that I used in the
setup script, but I keep getting "Cannot login because of an incorrect
User ID, incorrect password, or Directory problem.
java.io.InterruptedIOException: HTTP response timeout".
What am I doing wrong? I'm trying to follow the docs at
http://directory.fedoraproject.org/wiki/Documentation but they seem to
jump all over the place. I did find a tutorial at
http://www.linuxmail.info/389-directory-server-setup-howto-centos-5/, but
I'm stuck at the first step under "Administering 389 Directory Server". Do
I have to reinstall the 389 DS? Is there a place that I can clear
out/reset the admin password to get in?
Thanks,
Harry
Harry Devine
Common ARTS Software Development
AJT-144
(609)485-4218
Harry.Devine(a)faa.gov
13 years, 5 months
Chaining woes again v2 - solutions
by Gerrard Geldenhuis
Hi
Just a quick follow-up regarding this thread.
We discovered the real problem: encryption of the password.
We have the following line in the ldif file to
nsmultiplexorcredentials: {SSHA}VItDJ0gykk1q8rzsJmIkkj64mAW1kkaZY
We got one server working with chaining and the other not. The difference turned out to be how the password was stored and on the one box we changed the password via the console to make sure it was correct.
We have noted a small inconsistency which we would like to verify.
On our production system the entry in dse.ldif looks as follows:
nsmultiplexorcredentials:: e0RFU31ZczJMghghdtZkpTakl5Y29OYVIwc0NUdnpMVmFUU1JDd1
hZNfsadfasdfsaZY143NkduYmJRenBK33sdfsadffdssiRUpvDlvQjRvUWR4ai9uZ2lWbzJQejduWj
NMcHE4UWR4Sw==
and on our test system it looks as follows:
nsmultiplexorcredentials: {DES}slo6RKJHfEqtcfbpLWHdgQ==
Apart from the length, which is due to us using a much longer password in production, why does the test system use {DES} and the production system not? In both cases we used the 389-console to make the changes.
The version differences are: (test on the left, prod on the right)
389-admin-1.1.11-1.el5 | 389-admin-1.1.11-0.6.rc2.el5
389-admin-console-1.1.5-1.el5 | 389-admin-console-1.1.5-1.el5
389-admin-console-doc-1.1.5-1.el5 | 389-admin-console-doc-1.1.5-1.el5
389-adminutil-1.1.8-4.el5 | 389-adminutil-1.1.8-4.el5
389-console-1.1.4-1.el5 | 389-console-1.1.4-1.el5
389-ds-1.2.1-1.el5 | 389-ds-1.2.1-1.el5
389-ds-base-1.2.6.1-1.el5 | 389-ds-base-1.2.6-0.11.rc7.el5
389-ds-console-1.2.3-1.el5 | 389-ds-console-1.2.3-1.el5
389-ds-console-doc-1.2.3-1.el5 | 389-ds-console-doc-1.2.3-1.el5
389-dsgw-1.1.5-1.el5 | 389-dsgw-1.1.5-1.el5
On the client, when we tried to do a password change, the error we would see was "operations error", which is not very useful. We did not see authentication issues on the consumer server with chaining set up, nor on the provider server. I can double check it again; could you recommend a specific log level that would catch it? If I don't see the error message I will raise an enhancement request in bugzilla for some more informative error messages for this particular problem. I will also add some relevant notes to the 389 wiki.
Lastly, I have been "reprimanded" for this on the list before and have paid the price as explained above, but just to be perfectly clear, and for the sake of writing a small bit on the wiki regarding this issue: what is the policy regarding putting passwords in ldif files?
For system settings like chaining, should the password always be in clear text in the ldif file?
Can/should you use pre-encrypted DES strings for passwords for system settings?
Does the password encryption setting in the 389-console only apply to user passwords?
Are all system passwords encrypted with DES by default?
Can the system default, if there is one, be changed to SSHA or whatever?
Best Regards
13 years, 6 months
Synchronizing Account Inactivation with Account Disabling
by Glenn
We are still using Fedora Directory Server 1.0.4 and synchronizing with
Active Directory. Our procedure for removing accounts includes a waiting
period when the AD account is disabled. Disabling the AD account does not
inactivate the corresponding FD account. The folks that do account
maintenance do not have access to the FD java console, so rather than
inactivating the FD account, they delete it using DSGW. Unfortunately, this
also deletes the disabled AD account.
Is there a way to make sync inactivate the FD account when the AD account is
disabled?
As an alternative, can we make account activation/inactivation available to
our account people via DSGW? Some particulars would be appreciated.
I know that setting the "ntuserdeleteaccount" attribute to "false" will
prevent the AD account from being removed when the FD account is removed.
But new accounts created in AD are duplicated by sync in FD with the
attribute set to "true". If anyone could suggest a way to make this default
to "false," that would be an improvement.
Thanks. -G.
13 years, 6 months
Re: [389-users] Debian packaging
by Angel Bosch Mora
----- Original message -----
> Hi everyone,
>
> I am the person behind the current FDS Packaging efforts for Debian.
I think you should respect the name change in docs:
http://wiki.debian.org/Teams/DebianFDSPackaging
changing FDS to 389 is supposed to help people not to confuse the link between those two products.
great work, anyway :)
abosch
13 years, 6 months
Re: [389-users] Debian packaging and Ubuntu issues
by Roberto Polli
On Thursday 21 October 2010 12:12:52 Roberto Polli wrote:
> W: Impossibile trovare il pacchetto mozilla-ldap-sdk
> Trying to download tarball using uscan
> uscan warning: In debian/watch no matching hrefs for version 6.0.6+dfsg in
> watch line
> http://ftp.mozilla.org/pub/mozilla.org/directory/c-
> sdk/releases/v(.*)/src/mozldap-(.*)\.tar\.gz
> Couldn't find a tarball
manually downloaded from
http://acksyn.org/ubuntu/pool/main/m/mozilla-ldap-sdk/
Peace,
R.
--
Roberto Polli - Project Manager
Babel S.r.l. - http://www.babel.it
T: +39.06.91801075 M: +39.340.6522736 F: +39.06.91612446
P.zza S.Benedetto da Norcia, 33 - 00040 Pomezia (Roma)
CONFIDENTIAL: This message and its attachments are confidential and intended
for the addressees listed.
Unauthorized forwarding to recipients other than those indicated in the
original message is prohibited.
If received in error, use of the contents is prohibited; please notify the
sender and delete it immediately.
13 years, 6 months
difficulties upgrading from 1.2.5 to 1.2.6.1-2
by Barry Sitompul
Hi Guys,
I'm having problems upgrading from 1.2.5.
Here's what I did:
# yum upgrade 389-ds-base
-runs fine
# setup-ds-admin.pl -u
-error encountered:
The server 'ldap://myldapserver.com:389/o=NetscapeRoot' is not
reachable. Error: unknown error
It turns out that the 389-DS is not running because of these errors in
its error log:
389-Directory/1.2.6.1 B2010.272.2313
myldapserver.com:389 (/etc/dirsrv/slapd-myldapserver)
[20/Oct/2010:14:35:41 +1000] - 389-Directory/1.2.6.1 B2010.272.2313
starting up
[20/Oct/2010:14:35:42 +1000] - Detected Disorderly Shutdown last time
Directory Server was running, recovering
database.
[20/Oct/2010:14:35:42 +1000] - nsslapd-subtree-rename-switch is on,
while the instance userRoot is in the DN format. Please run dn2rdn to
convert the database format.
[20/Oct/2010:14:35:42 +1000] - nsslapd-subtree-rename-switch is on,
while the instance Root1 is in the DN format. Please run dn2rdn to
convert the database format.
[20/Oct/2010:14:35:42 +1000] - nsslapd-subtree-rename-switch is on,
while the instance Root2 is in the DN format. Please run dn2rdn to
convert the database format.
[20/Oct/2010:14:35:42 +1000] - nsslapd-subtree-rename-switch is on,
while the instance Root3 is in the DN format. Please run dn2rdn to
convert the database format.
[20/Oct/2010:14:35:42 +1000] - nsslapd-subtree-rename-switch is on,
while the instance NetscapeRoot is in the DN format. Please run dn2rdn
to convert the database format.
[20/Oct/2010:14:35:42 +1000] - nsslapd-subtree-rename-switch is on,
while the instance Root4 is in the DN format. Please run dn2rdn to
convert the database format.
[20/Oct/2010:14:35:42 +1000] - start: Failed to start databases,
err=-1 Unknown error: -1
[20/Oct/2010:14:35:42 +1000] - Failed to start database plugin ldbm
database
[20/Oct/2010:14:35:42 +1000] - WARNING: ldbm instance userRoot already
exists
[20/Oct/2010:14:35:42 +1000] - WARNING: ldbm instance Root1 already
exists
[20/Oct/2010:14:35:42 +1000] - WARNING: ldbm instance Root2 already
exists
[20/Oct/2010:14:35:42 +1000] - WARNING: ldbm instance Root3 already
exists
[20/Oct/2010:14:35:42 +1000] - WARNING: ldbm instance NetscapeRoot
already exists
[20/Oct/2010:14:35:42 +1000] - WARNING: ldbm instance Root4 already
exists
[20/Oct/2010:14:35:42 +1000] binder-based resource limits -
nsLookThroughLimit: parameter error (slapi_reslimit_register() already
registered)
[20/Oct/2010:14:35:42 +1000] - start: Resource limit registration failed
[20/Oct/2010:14:35:42 +1000] - Failed to start database plugin ldbm
database
[20/Oct/2010:14:35:42 +1000] - Error: Failed to resolve plugin
dependencies
[20/Oct/2010:14:35:42 +1000] - Error: preoperation plugin 7-bit check
is not started
[20/Oct/2010:14:35:42 +1000] - Error: accesscontrol plugin ACL Plugin
is not started
[20/Oct/2010:14:35:42 +1000] - Error: preoperation plugin ACL
preoperation is not started
[20/Oct/2010:14:35:42 +1000] - Error: object plugin Class of Service
is not started
[20/Oct/2010:14:35:42 +1000] - Error: preoperation plugin deref is not
started
[20/Oct/2010:14:35:42 +1000] - Error: preoperation plugin HTTP Client
is not started
[20/Oct/2010:14:35:42 +1000] - Error: database plugin ldbm database is
not started
[20/Oct/2010:14:35:42 +1000] - Error: object plugin Legacy Replication
Plugin is not started
[20/Oct/2010:14:35:42 +1000] - Error: preoperation plugin Linked
Attributes is not started
[20/Oct/2010:14:35:42 +1000] - Error: object plugin Multimaster
Replication Plugin is not started
[20/Oct/2010:14:35:42 +1000] - Error: object plugin Roles Plugin is
not started
[20/Oct/2010:14:35:42 +1000] - Error: preoperation plugin Simple
Kerberos 5 Auth is not started
[20/Oct/2010:14:35:42 +1000] - Error: object plugin Views is not started
- I wanted to do the dn2rdn or just switch off the subtree-rename-
switch, so...
- I looked at the instance's dse.ldif and I can't find the:
dn: cn=config,cn=ldbm database,cn=plugins,cn=config
[...]
nsslapd-subtree-rename-switch: on
- But nsslapd-subtree-rename-switch exists in this file:
/usr/share/dirsrv/data/template-dse.ldif. I tried changing the value to
'off' but I still got the same errors.
- I also can't find the dn2rdn tool in the slapd instance
directory. I did a locate and only found it here:
/usr/share/dirsrv/script-templates/template-dn2rdn
- So I got really confused and thought maybe I should do this:
# setup-ds.pl -u -d
========================================================================
This program will update the 389 Directory Server.
It is recommended that you have "root" privilege to perform the update.
Tips for using this program:
- Press "Enter" to choose the default and go to the next screen
- Type "Control-B" or the word "back" then "Enter" to go back to
the previous screen
- Type "Control-C" to cancel the update
Would you like to continue with update? [yes]:
========================================================================
The update process can work in one of two modes:
- Online: The changes are made to the running directory servers
using LDAP.
The operations must be performed as an administrative user.
You must provide the name and password, for each instance
if there is more than one instance of directory server.
Some operations may require a directory server restart to
take
effect. The update script will notify you if you need to
restart
the server.
- Offline: The changes are made to the server configuration files.
The
servers MUST FIRST BE SHUTDOWN BY YOU. The script will
not
shutdown the servers for you. You MUST shutdown the
servers in order to use this mode. A username and
password
are not required to use Offline mode. If the servers
are not
shutdown, CHANGES WILL BE LOST.
To summarize:
Online - servers remain running - you must provide admin name and
password
for each server - servers may need to be restarted
Offline - servers must be shutdown - no username or password required
Which update mode do you want to use? [quit]: offline
+Running stage pre update /usr/share/dirsrv/updates/
50addchainingsaslpwroles.ldif
+Running stage pre update /usr/share/dirsrv/updates/
50bitstringsyntaxplugin.ldif
+Running stage pre update /usr/share/dirsrv/updates/
50deliverymethodsyntaxplugin.ldif
+Running stage pre update /usr/share/dirsrv/updates/50derefplugin.ldif
+Running stage pre update /usr/share/dirsrv/updates/
50disableurisyntaxplugin.ldif
+Running stage pre update /usr/share/dirsrv/updates/
50enhancedguidesyntaxplugin.ldif
+Running stage pre update /usr/share/dirsrv/updates/50entryusnindex.ldif
+Running stage pre update /usr/share/dirsrv/updates/
50faxnumbersyntaxplugin.ldif
+Running stage pre update /usr/share/dirsrv/updates/
50faxsyntaxplugin.ldif
+Running stage pre update /usr/share/dirsrv/updates/
50guidesyntaxplugin.ldif
+Running stage pre update /usr/share/dirsrv/updates/
50linkedattrsplugin.ldif
+Running stage pre update /usr/share/dirsrv/updates/50memberofindex.ldif
+Running stage pre update /usr/share/dirsrv/updates/
50memberofplugin.ldif
+Running stage pre update /usr/share/dirsrv/updates/
50nameuidsyntaxplugin.ldif
+Running stage pre update /usr/share/dirsrv/updates/
50numericstringsyntaxplugin.ldif
+Running stage pre update /usr/share/dirsrv/updates/
50printablestringsyntaxplugin.ldif
+Running stage pre update /usr/share/dirsrv/updates/
50retroclprecedence.ldif
+Running stage pre update /usr/share/dirsrv/updates/
50schemareloadplugin.ldif
+Running stage pre update /usr/share/dirsrv/updates/
50smd5pwdstorageplugin.ldif
+Running stage pre update /usr/share/dirsrv/updates/
50syntaxvalidplugin.ldif
+Running stage pre update /usr/share/dirsrv/updates/
50teletexterminalidsyntaxplugin.ldif
+Running stage pre update /usr/share/dirsrv/updates/
50telexnumbersyntaxplugin.ldif
+Running stage pre update /usr/share/dirsrv/updates/50usnplugin.ldif
Could not open the script template file '1/bak2db'. Error: No such
file or directory
Error: could not update the directory server.
Exiting . . .
- What is that '1/bak2db' script template file and why can't
setup-ds.pl find it?
I see the http://directory.fedoraproject.org/wiki/Release_Notes page
stating that there is no problem upgrading from 1.2.5. Am I doing
something completely wrong here?
Any help is much appreciated!
Thanks!
Bazza
13 years, 6 months
Safeguarding against too many established connections
by Gerrard Geldenhuis
Hi
We have recently seen an issue where a single client opened up more than 800 established connections to our directory server. The client did have the proper settings configured and should have closed connections, but it didn't. Is there a way to limit the number of connections per client or close connections from the server side after a certain period? Without just making the number of connections ridiculously high on the directory server, how can you safeguard against rogue clients?
Our client setting is as follows:
idle_timelimit 5
timelimit 10
bind_timelimit 5
We were unable to log into the client and it had file system issues, so we could not do any further analysis there.
I suspect that solutions to this problem probably fall outside of what can be configured in 389?
Regards
13 years, 6 months
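A defender-side check for the situation in the post above, as an added example that is not part of the original message: it replays the connection open/close lines of a 389 DS access log and reports clients whose concurrent connection count ever exceeded a threshold. The log lines are constructed in the server's access-log format and the threshold of 3 is an assumption chosen to fit the sample.

```python
import re
from collections import defaultdict

# Patterns for the two 389 DS access-log lines that open and close a client
# connection (the server's own format; the sample below is constructed).
OPEN_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) fd=\d+ slot=\d+ "
    r"connection from (?P<ip>\S+) to \S+")
CLOSE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=-1 fd=\d+ closed")


def replay_connections(lines):
    """Replay the log; return (still-open count, peak concurrent count) per client IP."""
    owner = {}  # conn id -> client IP, needed because the close line has no IP
    open_now = defaultdict(int)
    peak = defaultdict(int)
    for line in lines:
        m = OPEN_RE.match(line)
        if m:
            ip = m.group("ip")
            owner[m.group("conn")] = ip
            open_now[ip] += 1
            peak[ip] = max(peak[ip], open_now[ip])
            continue
        m = CLOSE_RE.match(line)
        if m and m.group("conn") in owner:
            open_now[owner.pop(m.group("conn"))] -= 1
    return {ip: n for ip, n in open_now.items() if n > 0}, dict(peak)


def rogue_clients(lines, limit):
    """Client IPs whose concurrent connection count ever exceeded `limit`."""
    _, peak = replay_connections(lines)
    return sorted(ip for ip, n in peak.items() if n > limit)


# Constructed sample: 10.0.0.5 keeps opening connections and closes only one.
SAMPLE_LOG = """\
[20/Oct/2010:14:35:41 +1000] conn=1 fd=64 slot=64 connection from 10.0.0.5 to 10.0.0.1
[20/Oct/2010:14:35:41 +1000] conn=2 fd=65 slot=65 connection from 10.0.0.5 to 10.0.0.1
[20/Oct/2010:14:35:41 +1000] conn=3 fd=66 slot=66 connection from 10.0.0.7 to 10.0.0.1
[20/Oct/2010:14:35:42 +1000] conn=3 op=0 BIND dn="uid=app,ou=people,dc=company" method=128 version=3
[20/Oct/2010:14:35:42 +1000] conn=3 op=-1 fd=66 closed - U1
[20/Oct/2010:14:35:42 +1000] conn=4 fd=66 slot=66 connection from 10.0.0.5 to 10.0.0.1
[20/Oct/2010:14:35:43 +1000] conn=5 fd=67 slot=67 connection from 10.0.0.5 to 10.0.0.1
[20/Oct/2010:14:35:43 +1000] conn=1 op=-1 fd=64 closed - U1
[20/Oct/2010:14:35:44 +1000] conn=6 fd=64 slot=64 connection from 10.0.0.5 to 10.0.0.1
""".splitlines()

if __name__ == "__main__":
    open_now, peak = replay_connections(SAMPLE_LOG)
    for ip in sorted(peak):
        print(f"{ip}: open={open_now.get(ip, 0)} peak={peak[ip]}")
    print("over limit:", rogue_clients(SAMPLE_LOG, limit=3))
```

On the server side, 389 DS's nsslapd-idletimeout attribute in cn=config closes connections that stay idle longer than the configured number of seconds, which covers the "close connections after a certain period" half of the question.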
Greedy PAM
by Gerrard Geldenhuis
Hi
Not strictly a 389 question but maybe 389 offers a solution.
I have a tree structure as follows:
dc=company
ou=people,dc=company
ou=groups,dc=company
On my client the I have the following searchbase in /etc/ldap.conf
dc=company
If I log in as user gerrard and look at the network traffic, then every possible user is sent to the client. This is not a problem yet, but would be a problem on a slow link or with lots of users.
Changing the base to ou=people,dc=company works in that the search results returned are way smaller, but breaks everything else because group membership is not in that base.
Is there a way to dynamically have different search bases when queries for certain data are done? How do you configure clients to be more selective when doing searches against an LDAP directory?
Regards
13 years, 6 months