Enforcement of password policy dependent on presence of {password encryption type}?
by Gerrard Geldenhuis
Hi
Problem Statement:
If I have the following ldif executed by Directory Manager:
dn: uid=jsmith,ou=People,dc=mycompany
changetype: modify
replace: userPassword
userPassword: 5A80f5A80FFE3A51BA71A0014F88F0204995334D9849DC02E1A7E06dd171
This will get transmitted in clear text (via ssl, if enabled) to the server if done remotely and will be subject to any password policy set.
If however the ldif looks like:
dn: uid=smith,ou=People,dc=mycompany
changetype: modify
replace: userPassword
userPassword: {SSHA}Jvze3knNF165Msadf1vfLJTuhKm9wHoRt
It is not subject to the password policy and still gets changed.
Doing an ldapsearch will show the following:
# jsmith, People, mycompany
dn: uid=jsmith,ou=People,dc=mycompany
uid: jsmith
cn: John Smith
userPassword:: e1NTSEF9SnZ6ZTNrbk5GMTY1TU10MXZ5TEoyVHVoS205d0hvUnQ=
Questions:
Is the difference in behaviour when using a clear text password as opposed to a {SSHA} password intentional? Granted that it gets executed as Directory Manager.
Is there any way apart from looking at:
dn: cn=config
passwordStorageScheme: ssha
to determine what the encryption will be? Or, put differently, how can I be sure that the string I am seeing has been properly encrypted according to the set standard?
Best Regards
________________________________________________________________________
In order to protect our email recipients, Betfair Group use SkyScan from
MessageLabs to scan all Incoming and Outgoing mail for viruses.
________________________________________________________________________
13 years, 7 months
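The check the post asks for, as an added example (not code from the original post or from 389 DS): decode the base64 ("::") userPassword form that ldapsearch printed, report which storage-scheme prefix the value carries (or CLEAR when it has none), and verify an {SSHA} value against a known password. It assumes the usual SSHA layout, base64 of sha1(password + salt) followed by the salt; a value that arrives pre-hashed can only be checked this way, since the server never saw the clear text to apply its policy to.

```python
# Added example (not from the original post). Inspects userPassword values
# as returned by ldapsearch and verifies {SSHA} values against a password.
import base64
import hashlib
import os
import re

# Storage-scheme prefix as written by 389 DS, e.g. "{SSHA}", "{SHA}".
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.S)


def ssha_hash(password, salt=None):
    """Build a {SSHA} value: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)  # short random salt (assumed layout)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored, candidate):
    """True if candidate matches a {SSHA} value (digest = first 20 bytes)."""
    m = SCHEME_RE.match(stored)
    if not m or m.group(1).upper() != "SSHA":
        return False
    raw = base64.b64decode(m.group(2))
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, rest is salt
    return hashlib.sha1(candidate.encode("utf-8") + salt).digest() == digest


def storage_scheme(value):
    """Return the scheme prefix ('SSHA', 'SHA', ...) or 'CLEAR' if absent."""
    m = SCHEME_RE.match(value)
    return m.group(1).upper() if m else "CLEAR"


def userpassword_from_ldif(ldif):
    """Extract userPassword from LDIF text, decoding the '::' (base64) form."""
    for line in ldif.splitlines():
        if line.startswith("userPassword:: "):
            return base64.b64decode(line[15:]).decode("utf-8")
        if line.startswith("userPassword: "):
            return line[14:]
    return None


def ldif_userpassword_line(value):
    """Encode a value as a base64 ('::') LDIF line, as in the ldapsearch output above."""
    return "userPassword:: " + base64.b64encode(value.encode("utf-8")).decode("ascii")
```

Run storage_scheme() over the decoded value and compare it with passwordStorageScheme in cn=config; a result of CLEAR means the value was stored without any scheme prefix.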
Rolling back a multi-master db
by Gerrard Geldenhuis
Hi
A simple question... is there any way to "roll back" a multimaster database setup? Assuming you only take backup of one of the masters and then roll that master back, it will receive updates from the other masters because it is an older version.
You could stop all replication agreements and then initialize all consumers again; any other ideas or thoughts?
Regards
13 years, 7 months
possible selinux issue on 1.2.6
by Smlacc1
Hi There,
I just installed 1.2.6 from the epel repository onto a freshly
installed and updated RHEL 5.5.
When I use "service dirsrv-admin start", it starts, but then refuses
to receive connections. The /var/log/dirsrv/admin-serv/error log
shows the process in an endless segfault/startup loop.
If I stop the service and then run "start-ds-admin", it works fine -
no segfaults and I can log into the 389-console fine.
I also tried disabling selinux, and when I do that, I can then run
"service dirsrv-admin start" and it comes up fine. So the issue seems
linked to selinux and the init startup script. I can use the
start-ds-admin to get it going, but if the server ever reboots it isn't
going to come back up properly.
Selinux is on enforcing targeted if that helps.
Thanks,
Smlacc.
13 years, 7 months
How to force a user to change his/her password in a Multi master environment
by Gerrard Geldenhuis
Hi,
Is there a way of forcing a single user to change his/her password in a multi-master environment?
The only way it seems possible is to enable per-user password policy and then set the passwordMustChange flag. However, since password policy is not replicated, that does not seem like a very good solution.
The documentation makes mention, when reading about the passwordMustChange flag, that if it is set globally and the password is reset by the Directory Manager then the user will be prompted to change his/her password on first login. What does this "reset" actually mean, what values get changed? I have not seen a way to reset a password for a user in the 389-console and thus could not deduce what the possible ldif modifications would be.
If the answers to these questions are in the documentation please point me in the general direction, but I have not found any answers to the above questions in the documentation yet.
Best Regards
13 years, 7 months
Connections not closing
by Jim Tyrrell
Hi,
I have an issue with our Fedora Consumers running 1.2.0 on Fedora 10 in
that they don't seem to be closing old connections and so the open
connections are building up until performance is impacted and eventually
we run out of file handles.
Looking at one consumer netstat is showing 711 Established connections
to port 389 from a Radius server, and the console is also reporting over
700 "Open Connections". Yet on the Radius server I see 3 Established
connections which is what I would expect. It seems each time the Radius
server restarts (which it does often to pickup config changes) then the
old connections timeout on the Radius server but remain Established on
the Fedora side. We do see the same behaviour from other services such
as mail and web servers but Radius is the worst due to it restarting
regularly.
On the console I have currently configured an Idle Timeout of 300
seconds and added timeout config to the Fedora OS:
tcp_keepalive_time = 600
tcp_keepalive_intvl = 75
tcp_keepalive_probes = 9
Why are these connections not timing out after the Idle time? At the
moment I am having to regularly restart the directory service in order
to clear the connections down.
Thanks.
Jim.
13 years, 7 months
Configuration Directory Server
by Jason Forde
Hello,
I am at the early stages of building and testing a 2 Master directory server
setup trying to work out what to do with the configuration directory server.
I initially had it setup on server1 with server2 using this, but then if
server1 goes down the console access for server2 is broken. I have been
trying to replicate the netscaperoot with little success (probably down to
my confusion on what to put in the 'server2.inf' and ldif files) and
wondered do I really have to replicate netscaperoot? What would be the
implication of each master having their own netscaperoot and not
replicating?
It's quite a basic setup and we have 2 existing masters elsewhere setup like
this, so if I don't need to do this I'd like to keep it simple and have 2
separate netscaperoots - even if it meant having to update 2 separate
servers, though I don't believe we have had to do this on the other
deployment yet.
Pointers appreciated.
J
13 years, 7 months
Netscape / 389 Multi-Master
by Jim Tyrrell
Hi,
I have an old Netscape 6.0 setup which consists of 3 Masters in a
multi-master setup which replicate down to various hubs and consumers.
I was planning on building an exact replacement with 389 consisting of 3
Multi Masters and the various hubs etc and then setting up one of the
389 masters to replicate back and forth with one of the Netscape
masters. The thinking being that having just one path between Netscape
and 389 would keep it simple and make it easy to track changes.
Now I read the limit for Multi-Master is 4 servers. In the above does
that class as 6 Masters, or is the limit per server in which case each
server only talks to 2 other Masters, apart from the 389->Netscape
gateway Masters which would talk to 3 other Masters?
I don't need to have every Master replicate to every other Master do I?
This is just while we migrate from ancient Netscape servers to 389; once
complete, the Netscapes will be turned off and the replication agreements
removed on the 389 servers.
Thanks.
Jim.
13 years, 7 months
Manual and automatic catch up of replication
by Gerrard Geldenhuis
Hi
I have been doing some testing to see how a database(netscapedb) will catch up with replicated changes when the server has been shutdown and/or broken.
My test is very basic:
Shutdown master2
Add an entry to netscapedb on master1
Bring up master2
Tail error log for replication messages and check console on master2 for presence of data.
I know this is imprecise but my observation has been so far that if master2 was down for a short period of time it will automatically catch up, but if it were down for a longer period of time (more than an hour) and I bring it up, new updates are not automatically sent. I have to click on "send updates" in the 389-console for the latest changes to be reflected.
Are there more definitive rules that govern when a database will be updated automatically and when the process becomes manual?
Best Regards
13 years, 7 months
Recovery Strategy
by Gerrard Geldenhuis
Hi
As far as I can see the documentation does not make mention of backups other than the userdb, netscapedb and dse.ldif.
With regards to the certificate databases and admin server configuration, are there any specific strategies, recommendations or ready-made scripts?
I am looking at scenarios where we would lose a server completely. I have considered two possible ways of recovering and would appreciate any thoughts, recommendations or warnings of peril.
Backup the following files:
tar:
/etc/dirsrv/slapd-<instance>/dse.ldif
/etc/dirsrv/slapd-<instance>/pin.txt
/etc/dirsrv/slapd-<instance>/*.db
/etc/dirsrv/admin-serv/*
/var/lib/dirsrv/slapd-ie1auth002/bak/*
Recovery method #1:
yum install 389-ds -y
untar all files and create directories.
use bak2db to restore databases
service dirsrv start
Recovery method #2:
Summary: Install software and "build from scratch"
Gory detail:
yum install 389-ds -y
setup-ds.pl -f settings.file -s
Copy *.db files back
enable-changelog
create netscape root suffix
enable master replica for netscape root
re-initiate from other master
register-ds-admin -f setingsfile -s -u
There would be two ways of getting data back: either by re-populating from other databases or by restoring the backed up data using bak2db.
I have not yet tested these methods so there might be omissions in the steps above.
Best Regards
13 years, 7 months
Standalone DSGW server
by Jacek Nykis
Hi,
I am in the process of setting up a GUI to manage our LDAP data. Due to security
policies I am not allowed to run a webserver on any of the directory servers so I
want to set up dedicated management server for this task.
I was testing 389-dsgw but it seems that it requires admin server to be on the
same host and then admin server setup requires directory server.
Does anybody know if there is any way to set up dedicated dsgw host to manage
389 directory server environment? It would be nice if I could have standalone
admin server with low privileges and dsgw on top of it.
--
Jacek Nykis
IS Unix Frontend Engineer
Fax: +44 (0) 20 8834 8001
Yahoo! Messenger: nykisj
Betfair Limited | Winslow Road | Hammersmith Embankment | London | W6 9HP
Company No. 5140986
13 years, 7 months