Problem browsing LDAP with Outlook
by Chris Bryant
When configuring Microsoft Outlook (not Outlook Express) to access an LDAP directory, there is an option to 'Enable Browsing (requires server support)'. If this option is chosen and the directory server supports it, then you should be able to open the LDAP address book and page up and down through the results. I have been unable to get this working properly with 389 DS.
When I try to browse from Outlook against the 389 DS directory, I am able to see the first page of results perfectly. However, if I move to the next page, only the first object returned will have any attributes included, and all of the rest of the objects in the page will have no attributes. I have a test perl script that duplicates this functionality as well.
I can get this to work properly with an older version of Netscape Directory Server, and I can get it working with OpenDS. Since 389 DS advertises support for the controls that are required for this to work, just like the other two servers, then I would expect it to work there also.
Has anyone out there gotten this to work with 389 DS? If so, can you share if there was anything special that you needed to do to get this to work? I'm trying to determine if this is a bug in the server, or if I'm just missing something in the configuration.
Thanks,
Chris
USA.NET
You Run Your Business. We'll Run Your Email.
3 years, 1 month
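An added example (not part of Chris's post, and not 389 DS or Outlook code) of what a browsing client actually puts on the wire, so the Perl test script mentioned above has something concrete to be compared against. Outlook's 'Enable Browsing' rides on two controls, Server-Side Sort (RFC 2891, OID 1.2.840.113556.1.4.473) and Virtual List View (OID 2.16.840.1.113730.3.4.9 for the request, .10 for the response); "next page" is a VLV byOffset target sent together with the sort key. The code builds those control values in BER, decodes the server's VLV response, and includes the check for entries that come back without attributes. The sample server response bytes are constructed, and the offset arithmetic (1-based offset, beforeCount 0, afterCount page_size-1) is one valid way to page and an assumption, not necessarily the exact numbers Outlook sends.

```python
"""BER builders/parsers for the two controls an Outlook address book sends
when 'Enable Browsing' is on: Server-Side Sort (RFC 2891) and Virtual
List View (draft-ietf-ldapext-ldapv3-vlv).  Added example, not code
from the post or from 389 DS.  Standard library only; the byte strings
it produces are the controlValue octets a client library sends raw."""

SSS_REQUEST_OID = "1.2.840.113556.1.4.473"
VLV_REQUEST_OID = "2.16.840.1.113730.3.4.9"
VLV_RESPONSE_OID = "2.16.840.1.113730.3.4.10"


def _length(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body


def _integer(n, tag=0x02):
    """Minimal two's-complement INTEGER (pass tag 0x0A for ENUMERATED)."""
    size = (n.bit_length() + 8) // 8 if n else 1
    return _tlv(tag, n.to_bytes(size, "big", signed=True))


def sort_control_value(keys):
    """RFC 2891 SortKeyList.  keys: [(attribute, orderingRule|None, reverse)].
    Context tags are IMPLICIT, as in the LDAP ASN.1 module."""
    items = b""
    for attribute, rule, reverse in keys:
        item = _tlv(0x04, attribute.encode("utf-8"))
        if rule:
            item += _tlv(0x80, rule.encode("utf-8"))   # [0] orderingRule
        if reverse:
            item += _tlv(0x81, b"\xff")                 # [1] reverseOrder TRUE
        items += _tlv(0x30, item)
    return _tlv(0x30, items)


def vlv_request_value(before, after, offset, content_count, context_id=b""):
    """VirtualListViewRequest with a byOffset target ([0], IMPLICIT)."""
    by_offset = _tlv(0xA0, _integer(offset) + _integer(content_count))
    body = _integer(before) + _integer(after) + by_offset
    if context_id:
        body += _tlv(0x04, context_id)
    return _tlv(0x30, body)


def page_request(page_no, page_size, content_count=0, context_id=b""):
    """Control value for page `page_no` (0-based) of a browse.  VLV offsets
    are 1-based, so page 1 of size 10 asks for offset 11 with 9 after it
    (assumed paging scheme).  content_count 0 on the first request lets
    the server fill in the real count in its response."""
    return vlv_request_value(0, page_size - 1, page_no * page_size + 1,
                             content_count, context_id)


def _read_tlv(buf, pos):
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_vlv_response(value):
    """Decode VirtualListViewResponse -> (targetPosition, contentCount,
    virtualListViewResult, contextID).  Result 0 is success; anything
    else (e.g. 60 sortControlMissing) means the page is not what was
    asked for and is the first thing to look at when pages come back odd."""
    tag, body, _ = _read_tlv(value, 0)
    if tag != 0x30:
        raise ValueError("VLV response is not a SEQUENCE")
    fields, pos = [], 0
    while pos < len(body):
        _, field, pos = _read_tlv(body, pos)
        fields.append(field)
    ints = [int.from_bytes(f, "big", signed=True) for f in fields[:3]]
    context = fields[3] if len(fields) > 3 else b""
    return ints[0], ints[1], ints[2], context


def entries_without_attributes(page):
    """The symptom from the post as a check over one page of results:
    page is [(dn, {attr: [values]})]; returns the DNs that came back bare."""
    return [dn for dn, attrs in page if not attrs]


# Constructed server reply: targetPosition 11, contentCount 250, success,
# contextID b"ab" -- what a second page of a 250-entry book might return.
SAMPLE_VLV_RESPONSE = bytes.fromhex("300e02010b020200fa0a010004026162")
```

With python-ldap the same bytes go out as ldap.controls.LDAPControl(VLV_REQUEST_OID, True, value) alongside the sort control on the search; 389 DS records both controls and their return codes in the access log's RESULT line, so a non-zero virtualListViewResult there, or a page whose entries come back bare, is the thing to compare between 389 DS and the servers that work.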
PasswordExpWarned moves PasswordExpirationTime
by Legatus
When a user hits the PasswordWarnTime and flips the PasswordExpWarned, the date of PasswordExpirationTime advances to 10 days from now. The warn time for the subtree is 7. Can anyone explain what is doing this, so I can turn it off?
--
JD Runyan
13 years, 6 months
Re: [389-users] Documentation for pam pass
by Prashanth Sundaram
Hi,
Here's how my PAM PTA looks. But I don't think it is of much use.
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
nsslapd-pluginEnabled: on
pamSecure: FALSE
pamExcludeSuffix: o=NetscapeRoot
pamExcludeSuffix: cn=config
I don't think the PTA will work against some other attribute which has the same value as 'uid'. You may have to hack the filters under the hood to be able to achieve that.
My first guess:
If you use PAM-PTA, you still need some PAM module to specify the stack to be used for PTA. So you need the 'ldapserver01' file enabled, and there you define the translation of the uid attribute to the new attribute. I don't know if this is do-able.
Can you post some logs, which will tell where the block is. How are you
specifying the master ldap server(server to authenticate)?
-Prashanth
----------------------------
Hey, thanks man.
I have PAM PTA with krb working fine as well.
However, I am trying to pass through to another LDAP server; how can I go about doing that? The base of the tree on the other LDAP server is different, and I want to use it to authenticate the accounts. The other tree has the equivalent of the uid attribute in a different attribute. I think my service file (ldapserver) is off. Anyone have PAM PTA to another LDAP server working? An example perhaps?
I am getting operations errors trying to use PAM PTA. I know the passwords are correct, so I am doing something incorrectly.
pam_passthru-plugin - => pam_passthru_bindpreop
pam_passthru-plugin - pam msg [0] = 1 Password:
pam_passthru-plugin - Error from PAM during pam_authenticate (6: Permission denied)
pam_passthru-plugin - Unknown PAM error [Permission denied] for user id [test_user], bind DN [uid=test_user,dc=example,dc=com]
pam_passthru-plugin - <= handled (error 1 - Operations error)
Thanks again
13 years, 6 months
Unintended cert mapping happening
by John A. Sullivan III
Hello, all. We are experiencing a weird problem and have not been able
to fix it. We have just renamed the top level of our tree from
dc=old,dc=biz to dc=new,dc=com. All went very well (well, very well
until we also changed the certificates and keys to be from the new
Certificate Authority - but we have that sorted now, too) except one
remaining error.
Our Zimbra (6.0.5) mail server authenticates users against our CentOS
8.1 Directory Server. It is working but, every time a user tries to
authenticate, we generate an error:
slapi_search_internal ("CN=zimbra.new.com, OU=MailServers, DC=new, DC=com", subtree, objectclass=*) err 32
and in the access log we see:
conn=174 SSL 128-bit RC4; client CN=zimbra.new.com,OU=MailServers,DC=new,DC=com; issuer CN=newca.new.com,OU=PKI,DC=new,DC=com
conn=173 SSL failed to map client certificate to LDAP DN (No such object)
We then see the directory search user (we do not allow anonymous access)
correctly bind and authenticate.
It is as if the directory server is accidentally trying to do cert
mapping and authenticate the mail server whenever it tries to establish
an ldaps connection. As far as I understand, one needs to tell
Directory Server to do this by adding a usercertificate attribute to the
user we want to authenticate via X.509 cert. I've searched the entire
database dump and nothing has that attribute. certmap.conf has been
unchanged and is all commented out except for:
certmap default default
What is causing this and how do I fix it?
Our migration procedure was to stop dirsrv, dump the userRoot and
NetscapeRoot databases, make all the substitutions via sed in dse.ldif
(and .bak and .startOK), make all the substitutions via sed in the
database dumps, and then import the revised ldif files. Thanks - John
13 years, 6 months
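An added example, not from John's post and not 389 DS code, that replays what the server does with certmap.conf when a TLS client presents a certificate. Whether it tries at all is governed by nsSSLClientAuth in cn=encryption,cn=config (off, allowed or required): with 'allowed', any client that offers a certificate in the handshake is put through the mapping, and when the mapping fails the connection simply continues unauthenticated and a later simple bind proceeds, which is the pattern in the access log above. The mapping follows the documented certmap.conf rules: a map whose issuer DN matches the certificate's issuer is used, otherwise 'default'; with DNComps commented out the entire certificate subject becomes the search base, and with FilterComps commented out the filter is (objectclass=*). That is exactly the slapi_search_internal call in the error log, and it returns err 32 because no entry has that DN. userCertificate only enters the picture with verifycert on. The FilterComps handling below is simplified (certificate attribute names are reused as LDAP attribute names), and the narrowed second map is an illustration; both are assumptions.

```python
"""What 389 DS does with certmap.conf when a TLS client presents a
certificate, replayed in Python.  Added example, not from the post or
from 389 DS.  Follows the documented defaults: DNComps commented out ->
whole subject DN is the search base; FilterComps commented out ->
(objectclass=*); the map named 'default' applies when no issuer matches.
FilterComps mapping is simplified (assumption).  Standard library only."""

DEFAULT_FILTER = "(objectclass=*)"


def _norm_dn(dn):
    return ",".join(part.strip().lower() for part in dn.split(","))


def _split_dn(dn):
    """'CN=a, OU=b' -> [('CN', 'a'), ('OU', 'b')]; no escaped commas
    (constructed input only)."""
    return [tuple(p.strip() for p in part.split("=", 1)) for part in dn.split(",")]


def parse_certmap(text):
    """Parse certmap.conf lines 'certmap <name> <issuerDN|default>' and
    '<name>:<property> <value>'.  Comments are skipped, so a commented-out
    DNComps/FilterComps stays None, which is the documented default."""
    maps = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("certmap "):
            _, name, issuer = line.split(None, 2)
            maps[name] = {"issuer": None if issuer == "default" else issuer,
                          "DNComps": None, "FilterComps": None,
                          "CmapLdapAttr": None, "verifycert": False}
            continue
        name, _, rest = line.partition(":")
        prop, _, value = rest.strip().partition(" ")
        value = value.strip().strip('"')
        if prop in ("DNComps", "FilterComps"):
            # present but empty ("") means: search from the root of the tree
            maps[name][prop] = [c.strip() for c in value.split(",") if c.strip()]
        elif prop == "CmapLdapAttr":
            maps[name][prop] = value
        elif prop == "verifycert":
            maps[name][prop] = value.lower() == "on"
    return maps


def certmap_search(maps, subject_dn, issuer_dn):
    """(base_dn, scope, filter) of the internal search the server issues to
    map the certificate, or None when no map applies."""
    chosen = next((m for m in maps.values()
                   if m["issuer"] and _norm_dn(m["issuer"]) == _norm_dn(issuer_dn)),
                  maps.get("default"))
    if chosen is None:
        return None
    comps = _split_dn(subject_dn)
    if chosen["DNComps"] is None:                    # commented out: whole subject
        base = ",".join(f"{a}={v}" for a, v in comps)
    else:                                            # listed components; [] = whole tree
        wanted = {c.lower() for c in chosen["DNComps"]}
        base = ",".join(f"{a}={v}" for a, v in comps if a.lower() in wanted)
    if chosen["CmapLdapAttr"]:
        filt = f"({chosen['CmapLdapAttr']}={subject_dn})"
    elif not chosen["FilterComps"]:
        filt = DEFAULT_FILTER
    else:
        wanted = {c.lower() for c in chosen["FilterComps"]}
        terms = [f"({a}={v})" for a, v in comps if a.lower() in wanted]
        filt = terms[0] if len(terms) == 1 else "(&" + "".join(terms) + ")"
    return base, "subtree", filt


# Constructed inputs modelled on the thread: the shipped certmap.conf with
# everything commented out except the default map, and the mail server's
# certificate subject/issuer as they appear in the access log.
CERTMAP_AS_SHIPPED = """\
# default:DNComps
# default:FilterComps    e,uid
# default:verifycert     on
certmap default default
"""

# Illustrative tighter map (assumption, not the poster's config): search
# under the DC components only and match the certificate CN.
CERTMAP_NARROWED = """\
certmap newca CN=newca.new.com,OU=PKI,DC=new,DC=com
newca:DNComps dc
newca:FilterComps cn
certmap default default
"""

SUBJECT = "CN=zimbra.new.com,OU=MailServers,DC=new,DC=com"
ISSUER = "CN=newca.new.com,OU=PKI,DC=new,DC=com"
```

With the shipped file the derived search is base CN=zimbra.new.com,OU=MailServers,DC=new,DC=com, subtree, (objectclass=*), the same call the error log shows. The narrowed map is the shape of a fix if the mail server should map to a real entry; if it should not be mapped at all, the options are to stop presenting a client certificate on that connection or to set nsSSLClientAuth to off.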
Tombstones not deleting
by Jim Tyrrell
I have noticed on my Fedora consumers there appear to be quite a few tombstones going back months even though the purge delay is set to a week:
ldapsearch -x -b "cn=mapping tree,cn=config" -D "cn=Directory Manager" -W cn=replica nsds5ReplicaPurgeDelay
# replica, o=blah.com, mapping tree, config
dn: cn=replica,cn="o=blah.com",cn=mapping tree, cn=config
nsds5ReplicaPurgeDelay: 604800
--- example tombstone ---
# ad82a101-1dd111b2-80a3f995-55bd0000, bob(a)zzz.com, Blah, blah.com
dn: nsuniqueid=ad82a101-1dd111b2-80a3f995-55bd0000,
uid=bob(a)zzz.com,ou=Blah, o=blah.com
objectClass: blahPerson
objectClass: nsTombstone
uid: bob(a)zzz.com
nsParentUniqueId: ccd21704-1dd111b2-80a6a51e-7dae0000
modifyTimestamp: 20090713210513Z
There seem to be hundreds of these dating back 6 months to when the server was built. Why are these old entries not being purged?
Thanks.
Jim.
13 years, 6 months
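An added example (not from Jim's post, not 389 DS code) that scripts the comparison above: read nsds5ReplicaPurgeDelay (seconds) from the replica entry and list the nsTombstone entries in an export whose modifyTimestamp is older than that. The purge delay is only a lower bound, since the reaper runs every nsds5ReplicaTombstonePurgeInterval seconds (default 86400), so a week-old tombstone can legitimately sit for another day; months-old ones should not. The replica entry and dump are constructed to look like the output in the post (the second tombstone's nsuniqueid is made up), and modifyTimestamp stands in for the deletion time, which is an approximation of what the server's reaper works from.

```python
"""Check a consumer's LDIF export for tombstones older than the replica's
nsds5ReplicaPurgeDelay.  Added example, not code from the post or from
389 DS.  Reads the two kinds of output shown in the thread (the cn=replica
entry and a db2ldif-style dump).  Constructed sample data; stdlib only."""

import base64
import datetime


def unfold(text):
    """Join LDIF continuation lines (leading space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """List of entries as {attr_lowercase: [values]}; '::' values are base64."""
    entries, current = [], {}
    for line in unfold(text) + [""]:
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def purge_delay_seconds(replica_ldif):
    """nsds5ReplicaPurgeDelay from the cn=replica entry, in seconds."""
    for entry in parse_ldif(replica_ldif):
        if "nsds5replicapurgedelay" in entry:
            return int(entry["nsds5replicapurgedelay"][0])
    raise ValueError("no nsds5ReplicaPurgeDelay in replica entry")


def generalized_time(value):
    return datetime.datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(
        tzinfo=datetime.timezone.utc)


def stale_tombstones(dump_ldif, purge_delay, now):
    """[(dn, age_seconds)] for nsTombstone entries older than purge_delay.
    modifyTimestamp is taken as the deletion time (approximation: the
    server's reaper decides from the delete CSN, not this attribute)."""
    stale = []
    for entry in parse_ldif(dump_ldif):
        classes = [c.lower() for c in entry.get("objectclass", [])]
        if "nstombstone" not in classes:
            continue
        age = (now - generalized_time(entry["modifytimestamp"][0])).total_seconds()
        if age > purge_delay:
            stale.append((entry["dn"][0], int(age)))
    return stale


# Constructed sample replica entry and dump modelled on the post; the DN
# folding and the (a) obfuscation mirror the thread, alice's nsuniqueid is
# invented, carol is a live entry and must not be reported.
SAMPLE_REPLICA = """\
dn: cn=replica,cn="o=blah.com",cn=mapping tree,cn=config
nsds5ReplicaPurgeDelay: 604800
"""

SAMPLE_DUMP = """\
# ad82a101-1dd111b2-80a3f995-55bd0000, bob(a)zzz.com, Blah, blah.com
dn: nsuniqueid=ad82a101-1dd111b2-80a3f995-55bd0000,
 uid=bob(a)zzz.com,ou=Blah,o=blah.com
objectClass: blahPerson
objectClass: nsTombstone
uid: bob(a)zzz.com
nsParentUniqueId: ccd21704-1dd111b2-80a6a51e-7dae0000
modifyTimestamp: 20090713210513Z

dn: nsuniqueid=0c9d2e0a-1dd111b2-80a3f995-55bd0000,uid=alice,ou=Blah,o=blah.com
objectClass: blahPerson
objectClass: nsTombstone
uid: alice
modifyTimestamp: 20100110120000Z

dn: uid=carol,ou=Blah,o=blah.com
objectClass: blahPerson
uid: carol
modifyTimestamp: 20090101000000Z
"""

# Fixed "now" so the sample is reproducible (constructed).
AS_OF = datetime.datetime(2010, 1, 13, tzinfo=datetime.timezone.utc)
```

Run against a real consumer by feeding it the ldapsearch output from the post and a db2ldif export (or an ldapsearch for objectclass=nsTombstone bound as Directory Manager, since tombstones are not returned to ordinary searches); anything reported with an age far beyond the purge delay plus the purge interval is what to raise with the list.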
How to rename DIT?
by John A. Sullivan III
Hello, all. We've recently undergone a corporate name and domain
change, let's say from oldname.biz to newname.com. Consequently, we
need to rename the top level of our LDAP structure. We installed CentOS
Directory Server 8.1 into dc=oldname,dc=biz and now need that entire
structure to have dc=newname,dc=com at the top. Everything else stays
the same.
I realize I'll need to edit all my ACIs and repoint all my LDAP clients,
but is there an easy way to rename the tree? I'd hate to try to move all
the elements (especially since I believe we can only move leaves) and
worse yet have to recreate the entire tree :-((((
I assume it is not as simple as going to the top level object in the
directory, going to advanced properties and changing the entrydn.
Thanks - John
13 years, 6 months
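An added example, not code from either of John's posts or from 389 DS, for the suffix rewrite both threads describe: the migration above did it with sed over dse.ldif and the database dumps before an ldif2db import, and the question here is whether there is an easier way to go from dc=oldname,dc=biz to dc=newname,dc=com. The rewrite below works on an LDIF export and handles what a plain sed misses: DNs stored base64 (dn::), values folded across lines so the suffix is split, differing case (DC=old,DC=biz), the quoted suffix in mapping-tree entries (cn="dc=old,dc=biz"), DNs inside aci values, and the suffix entry's own naming attribute (dc: old), which is not a DN at all. The set of DN-valued attributes and the sample export are assumptions; extend DN_ATTRS for local schema.

```python
"""Suffix rewrite over an LDIF export (dse.ldif or a db2ldif dump).
Added example, not code from the posts or from 389 DS.  Covers base64
DNs, folded lines, mixed case, quoted suffixes in mapping-tree entries,
DNs inside acis and the suffix entry's naming attribute.  Stdlib only."""

import base64
import re

# Attributes whose values are DNs or embed DNs in a 389 DS export.
# Assumption: add site-specific DN-syntax attributes here.
DN_ATTRS = {"dn", "member", "uniquemember", "seealso", "owner", "manager",
            "nsslapd-suffix", "nsds5replicaroot", "nsds5replicabinddn",
            "cn", "aci"}


def _unfold(text):
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def _suffix_pattern(suffix):
    """Match the suffix only as whole RDNs: preceded by start, ',', '"' or
    '/' (LDAP URLs in acis) and followed by end, ',', '"', '?' or ')'."""
    comps = [re.escape(c.strip()) for c in suffix.split(",")]
    return re.compile(r'(?<![^,"/])' + r"\s*,\s*".join(comps) + r'(?![^,"?)])',
                      re.IGNORECASE)


def _needs_base64(value):
    """RFC 2849 SAFE-STRING rules; anything else must be written with '::'."""
    return bool(value) and (value[0] in " :<" or value[-1] == " "
                            or any(ord(ch) > 127 or ch in "\r\n\0" for ch in value))


def _format(attr, value):
    if _needs_base64(value):
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def rewrite_suffix(ldif_text, old_suffix, new_suffix, attrs=DN_ATTRS):
    """Return (rewritten_ldif, number_of_changed_lines)."""
    pattern = _suffix_pattern(old_suffix)
    old_rdn_attr, _, old_rdn_val = old_suffix.split(",", 1)[0].strip().partition("=")
    old_rdn_attr, old_rdn_val = old_rdn_attr.strip().lower(), old_rdn_val.strip()
    new_rdn_val = new_suffix.split(",", 1)[0].partition("=")[2].strip()
    out, changed, in_suffix_entry = [], 0, False
    for line in _unfold(ldif_text):
        attr, sep, value = line.partition(":")
        name = attr.strip().lower()
        if line == "":
            in_suffix_entry = False
        if not sep or line.startswith("#") or not (
                name in attrs or (in_suffix_entry and name == old_rdn_attr)):
            out.append(line)
            continue
        is_b64 = value.startswith(":")
        raw = (base64.b64decode(value[1:].strip()).decode("utf-8") if is_b64
               else value.strip())
        if in_suffix_entry and name == old_rdn_attr and raw.lower() == old_rdn_val.lower():
            new = new_rdn_val                      # naming attribute of the suffix entry
        else:
            new = pattern.sub(new_suffix, raw)
            if name == "dn" and pattern.fullmatch(raw):
                in_suffix_entry = True             # next lines are the suffix entry's
        if new == raw:
            out.append(line)
        else:
            out.append(_format(attr, new))
            changed += 1
    return "\n".join(out) + "\n", changed


def dns_in(ldif_text):
    """Decoded dn of every entry, for checking a rewrite."""
    result = []
    for line in _unfold(ldif_text):
        attr, sep, value = line.partition(":")
        if sep and attr.strip().lower() == "dn":
            result.append(base64.b64decode(value[1:].strip()).decode("utf-8")
                          if value.startswith(":") else value.strip())
    return result


# Constructed sample export exercising each case; the second entry's DN is
# base64 because of the non-ASCII uid, as db2ldif would write it.
_B64_DN = base64.b64encode("uid=jörg,ou=People,dc=old,dc=biz".encode("utf-8")).decode("ascii")
SAMPLE_EXPORT = f"""\
dn: dc=old,dc=biz
objectClass: domain
dc: old

dn:: {_B64_DN}
objectClass: inetOrgPerson
uid: jörg
seeAlso: cn=Admins,
 ou=Groups,DC=old,DC=biz
aci: (targetattr="*")(version 3.0; acl "admins"; allow (all)
  groupdn="ldap:///cn=Admins,ou=Groups,dc=old,dc=biz";)

dn: cn="dc=old,dc=biz",cn=mapping tree,cn=config
cn: "dc=old,dc=biz"
nsslapd-backend: userRoot
"""
```

Because aci values are rewritten too, the separate ACI pass anticipated in the post shrinks to reviewing the result. Folded lines come out unfolded, which LDIF permits. As in the migration procedure above, run this with the instance stopped on db2ldif output and dse.ldif, then import with ldif2db, and check the result with dns_in (or a grep for the old suffix, case-insensitive) before starting the server.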
Netscape 6.2 & 389 Directory server replication
by Nick Brown
Hi,
I have been given a bunch of old Netscape 6.2 servers that need
replacing with 389 Directory server, is it possible to have a Netscape
6.2 master and a 389 Directory server replicating between each other?
The current setup consists of 2 Netscape multimasters and 7 slaves. I think the easiest solution would be to build 2 389 masters with 389 slaves and have at least one master on each side replicating with the other. Then, to move the applications to the new platform, the clients just need to change the IP they are talking to, and we always have the option of moving back if there are any problems.
Does this sound like a sensible way to do it? The Netscape boxes are
actually critical production boxes so we can afford very little downtime
if any, and if we have the 2 setups replicating to each other the
rollback plan is easy - otherwise we will need to somehow log all
changes and manually apply those either way to keep everything in sync
when we cutover and rollback.
I'm rather new to LDAP, so it's a steep learning curve!
Thanks in advance for any pointers.
Nick.
13 years, 6 months