Problem browsing LDAP with Outlook
by Chris Bryant
When configuring Microsoft Outlook (not Outlook Express) to access an LDAP directory, there is an option to 'Enable Browsing (requires server support)'. If this option is chosen and the directory server supports it, then you should be able to open the LDAP address book and page up and down through the results. I have been unable to get this working properly with 389 DS.
When I try to browse from Outlook against the 389 DS directory, I am able to see the first page of results perfectly. However, if I move to the next page, only the first object returned will have any attributes included, and all of the rest of the objects in the page will have no attributes. I have a test perl script that duplicates this functionality as well.
I can get this to work properly with an older version of Netscape Directory Server, and I can get it working with OpenDS. Since 389 DS advertises support for the controls that are required for this to work, just like the other two servers, then I would expect it to work there also.
Has anyone out there gotten this to work with 389 DS? If so, can you share if there was anything special that you needed to do to get this to work? I'm trying to determine if this is a bug in the server, or if I'm just missing something in the configuration.
Thanks,
Chris
USA.NET
Re: [389-users] get base dn from ldapsearch
by Angel Bosch Mora
> Maybe I am understanding this wrong but could you not just check in
> the config what the search base is set to on the client side? What is
> the problem you are trying to solve?
>
Yes, you're right. I can just take a look at ldap.conf, but there are several places to look:
- debian/ubuntu uses /etc/ldap/ldap.conf
- RHEL/CentOS uses /etc/openldap/ldap.conf
- custom compilations can use any path. ex: /usr/local/ldap/ldap.conf
- Windows OpenLDAP uses... I don't really know :P
So what I'm trying to do is resolve the configured base without knowing anything about the client.
For example, this command gives me the server even if I don't know anything about the conf:
ldapsearch -d1 -x -LLL "(uid=example)" uid 2>&1 | grep ldap_connect_to_host
I'm just a little bit surprised that I can't find any debug level that gives me the BASE.
abosch
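The lookup described in the post (several possible ldap.conf locations, plus per-user and environment overrides) can be scripted instead of guessed at. The Python below is an added example, not code from the thread or from OpenLDAP: it lists the candidate files in precedence order, parses the "KEYWORD value" syntax, and resolves the effective BASE the way libldap layers them (later files override earlier ones, LDAPBASE overrides all files). The distro paths are the ones named in the thread; the home-directory, LDAPCONF and LDAPRC handling is an assumption summarising ldap.conf(5), and the sample file contents are constructed.

```python
import os
from typing import Dict, List, Optional, Sequence, Tuple

# System-wide client configuration files named in the thread. A custom build
# may use any prefix; /usr/local/ldap is the example the post gives.
SYSTEM_CONF_PATHS = (
    "/etc/ldap/ldap.conf",        # Debian/Ubuntu
    "/etc/openldap/ldap.conf",    # RHEL/CentOS
    "/usr/local/ldap/ldap.conf",  # example custom compilation
)


def candidate_conf_paths(env: Dict[str, str]) -> List[str]:
    """Files libldap may consult, lowest precedence first.

    Assumption (from ldap.conf(5)): after the system file come ~/ldaprc,
    ~/.ldaprc and ./ldaprc, then the file named by LDAPCONF, then the
    basename named by LDAPRC looked up in HOME and the current directory.
    """
    paths = list(SYSTEM_CONF_PATHS)
    home = env.get("HOME")
    if home:
        paths += [os.path.join(home, "ldaprc"), os.path.join(home, ".ldaprc")]
    paths.append("ldaprc")
    if env.get("LDAPCONF"):
        paths.append(env["LDAPCONF"])
    rc = env.get("LDAPRC")
    if rc:
        if home:
            paths += [os.path.join(home, rc), os.path.join(home, "." + rc)]
        paths.append(rc)
    return paths


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Parse ldap.conf syntax: 'KEYWORD value' per line, '#' comments,
    keywords case-insensitive (returned upper-cased)."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0].upper()] = parts[1].strip()
    return settings


def resolve_base(files: Sequence[Tuple[str, str]], env: Dict[str, str]) -> Optional[str]:
    """Effective BASE from an ordered list of (path, contents).

    Later files override earlier ones; the LDAPBASE environment variable
    overrides every file (assumption: mirrors libldap's handling of LDAPBASE).
    """
    if env.get("LDAPBASE"):
        return env["LDAPBASE"]
    base: Optional[str] = None
    for _path, text in files:
        conf = parse_ldap_conf(text)
        if "BASE" in conf:
            base = conf["BASE"]
    return base


def read_existing(paths: Sequence[str]) -> List[Tuple[str, str]]:
    """Read whichever candidate files exist, keeping the precedence order."""
    found: List[Tuple[str, str]] = []
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                found.append((path, fh.read()))
        except OSError:
            continue
    return found


# Constructed sample contents standing in for a distro file and a user file.
SAMPLE_FILES: List[Tuple[str, str]] = [
    ("/etc/openldap/ldap.conf", "# RHEL default\nURI ldap://ldap.example.com\nBASE dc=example,dc=com\n"),
    ("/home/abosch/.ldaprc", "base ou=people,dc=example,dc=com\n"),
]

if __name__ == "__main__":
    # On a real client, replace SAMPLE_FILES with the files actually present:
    #   resolve_base(read_existing(candidate_conf_paths(dict(os.environ))), dict(os.environ))
    print("sample BASE:", resolve_base(SAMPLE_FILES, {}))
```

Run on a real host, the `__main__` comment shows the call that walks the actual files; the sample run uses only the embedded contents, so it works offline.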
retrieving x509 certificates using java
by Luke Schierer
We have a java application that is attempting to pull the userCertificate
attribute from our 389ds ldap server. Looking at the ldap logs, I see its
request, and it looks like it should be working, except for one oddity, it
is asking for the attribute "usercertificate;binary". By attaching
eclipse to the application, we have determined that the general flow of
the code is
// Imports the fragment needs (added for completeness; the original omitted them)
import java.security.cert.CertStore;
import java.security.cert.LDAPCertStoreParameters;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Collection;

X509Certificate myCert = null; // <get certificate from client and put it into myCert>
String ldapHost = "<ldap_host>";
int ldapPort = 389; // <ldap_port>
LDAPCertStoreParameters loCertStoreParams = new LDAPCertStoreParameters(ldapHost, ldapPort);
// getInstance/getCertificates throw checked exceptions; the caller handles them
CertStore loCertStore = CertStore.getInstance("LDAP", loCertStoreParams, "Sun");
X509CertSelector loTargetConstraints = new X509CertSelector();
String lsSubjectDN = CSFGlobalPKIUtil.getSubjectDNFromCertificate(myCert); // application helper
// we have verified that everything works fine as far as this point.
loTargetConstraints.setSubject(lsSubjectDN);
Collection<? extends java.security.cert.Certificate> loCol = loCertStore.getCertificates(loTargetConstraints);
Once the call to getCertificates is made, a query is built and sent to the
LDAP server using Java internal classes; we believe it is ultimately the
X509CertStoreLDAP class. We do not have the source to debug this part of
the code, but at some point, without visible interaction in the source
code we do have, it chooses to ask for "usercertificate;binary" instead of
just "usercertificate".
Should the 389ds be able to understand "usercertificate;binary", and is
this a misconfiguration on my part in the directory server, or is that not
something I should be expecting the directory to understand?
As a point of further information, when I try to replicate the behavior
using ldapsearch, I also fail to retrieve a certificate when I request
"usercertificate;binary" but succeed when I request only
"usercertificate".
Any help would be greatly appreciated.
Thanks!!
Luke
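The question underneath this post is whether "usercertificate;binary" names a different attribute from "usercertificate". In RFC 4512 terms an attribute description is a type name plus zero or more ";option" suffixes, and RFC 4522 defines ";binary" as a transfer option (the value is carried as BER/DER) rather than as a distinct attribute. The Python below is an added illustration, not code from the post, from 389 DS or from the JDK's LDAP CertStore: it parses attribute descriptions that way, looks an attribute up in an entry returned as a dict while ignoring the ";binary" option on either side, and sanity-checks that a value is DER before it would be handed to a certificate parser. The entry contents are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# RFC 4512 attribute description: a descriptor (or numeric OID) followed by
# zero or more ';option' suffixes. Names and options are case-insensitive.
_ATTR_DESC = re.compile(r"^([A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)((?:;[A-Za-z0-9-]+)*)$")


def parse_attribute_description(desc: str) -> Tuple[str, List[str]]:
    """Return (base type lower-cased, sorted lower-cased options)."""
    m = _ATTR_DESC.match(desc.strip())
    if not m:
        raise ValueError(f"invalid attribute description: {desc!r}")
    base = m.group(1).lower()
    options = sorted(o.lower() for o in m.group(2).split(";") if o)
    return base, options


def _without_transfer_option(options: List[str]) -> List[str]:
    # ';binary' says how the value is encoded on the wire (RFC 4522), not
    # which attribute it is, so it is dropped before comparing descriptions.
    return [o for o in options if o != "binary"]


def find_attribute(entry: Dict[str, List[bytes]], requested: str) -> Optional[List[bytes]]:
    """Look 'requested' up in an entry, matching the base type case-insensitively
    and ignoring ';binary' on both the request and the stored name. Other
    options (e.g. language tags) still have to match exactly."""
    want_base, want_opts = parse_attribute_description(requested)
    want_opts = _without_transfer_option(want_opts)
    for name, values in entry.items():
        have_base, have_opts = parse_attribute_description(name)
        if have_base == want_base and _without_transfer_option(have_opts) == want_opts:
            return values
    return None


def looks_like_der(value: bytes) -> bool:
    """Cheap check that a value is a DER-encoded structure: an outer SEQUENCE
    (tag 0x30) whose encoded length matches the value length. A base64 text
    value, for instance, fails this before reaching the certificate parser."""
    if len(value) < 2 or value[0] != 0x30:
        return False
    first = value[1]
    if first < 0x80:
        length, header = first, 2
    else:
        n = first & 0x7F
        if n == 0 or len(value) < 2 + n:
            return False
        length = int.from_bytes(value[2:2 + n], "big")
        header = 2 + n
    return header + length == len(value)


# Constructed entry as a client might receive it: the certificate value is a
# tiny DER SEQUENCE standing in for a real certificate, not a real cert.
SAMPLE_ENTRY: Dict[str, List[bytes]] = {
    "cn": [b"Luke"],
    "userCertificate;binary": [b"\x30\x03\x02\x01\x05"],
}

if __name__ == "__main__":
    values = find_attribute(SAMPLE_ENTRY, "usercertificate")
    print("found:", values is not None, "DER:", values and looks_like_der(values[0]))
```

The `find_attribute` helper treats the two request forms from the post as the same attribute on the client side; whether a given server does the same is exactly what the ldapsearch comparison in the post tests.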
Announcing 389 Directory Server version 1.2.8 Release Candidate 2
by Rich Megginson
The 389 Project team is pleased to announce the release of
389-ds-base-1.2.8 Release Candidate 2. This release has fixes for bugs
found in 1.2.8 testing and bugs from earlier releases.
Installation
yum install --enablerepo=updates-testing 389-ds
# or for EPEL
yum install --enablerepo=epel-testing 389-ds
setup-ds-admin.pl
Upgrade
yum upgrade --enablerepo=updates-testing 389-ds-base idm-console-framework 389-admin 389-ds-console 389-admin-console
# or for EPEL
yum upgrade --enablerepo=epel-testing 389-ds-base idm-console-framework 389-admin 389-ds-console 389-admin-console
setup-ds-admin.pl -u
How to Give Feedback
The best way to provide feedback is via the Fedora Update system. Each
update is broken down by package and platform. For example, if you are
using Fedora 13, and you have successfully installed or upgraded all of
the packages, and the console and etc. works, then go to the links below
for Fedora 13 and provide feedback.
* EL-5 -
https://admin.fedoraproject.org/updates/389-ds-base-1.2.8-0.7.rc2.el5
* Fedora 13 -
https://admin.fedoraproject.org/updates/389-ds-base-1.2.8-0.7.rc2.fc13
* Fedora 14 -
https://admin.fedoraproject.org/updates/389-ds-base-1.2.8-0.7.rc2.fc14
* Fedora 15 -
https://admin.fedoraproject.org/updates/389-ds-base-1.2.8-0.8.rc2.fc15
* scroll down to the bottom of the page, and click on the Add a comment >> link
* select one of the Works for me or Does not work radio buttons, add text, and click on the Add Comment button
If you are using a build on another platform, just send us an email to
389-users(a)lists.fedoraproject.org
Reporting Bugs
If you find a bug, or would like to see a new feature, you can enter it
here - https://bugzilla.redhat.com/enter_bug.cgi?product=389
More Information
* Release Notes - http://port389.org/wiki/Release_Notes
* Install_Guide - http://port389.org/wiki/Install_Guide
* Download - http://port389.org/wiki/Download
ldap browser hangs entire server
by Quint Van Deman
Hello--
I'm seeing some odd behaviour in a 389ds installation, and I'd like to
know if others have as well.
Here's what I know:
1. The server is configured never to drop connections due to idle
timeout (set to 0 in console)
2. The server is under very light load (development)
3. Once in a while, one of the connections will close with an error
code of T2 (e.g. [25/Mar/2011:11:07:32 -0400] conn=19 op=-1 fd=67
closed - T2)
4. After a single T2 occurs, all future attempts to the directory are
unsuccessful. The process is still running, but completely
unresponsive.
5. If I dig into the logs a bit further I discover that connection 19
was a software developer using a windows based ldap browser.
6. I also notice that while most other connections follow a logical
order of BIND, SRCH, RESULT, UNBIND, this particular connection does a
BIND & leaves it open.
7. I also notice that despite the idle timeout setting above, the
last RESULT from this connection comes exactly an hour before the T2.
[25/Mar/2011:10:07:26 -0400] conn=19 op=48 SRCH base="cn=XXXX,ou=PeopleTest,dc=dev,dc=XXX,dc=edu" scope=0 filter="(objectClass=*)" attrs="* createTimestamp creatorsName entryflags federationboundary localentryid modifiersName modifyTimestamp structuralObjectClass subordinatecount subschemaSubentry aci"
[25/Mar/2011:10:07:26 -0400] conn=19 op=48 RESULT err=0 tag=101 nentries=1 etime=0 notes=U,P
[25/Mar/2011:10:07:31 -0400] conn=19 op=50 SRCH base="cn=XXXX,ou=PeopleTest,dc=dev,dc=XXX,dc=edu" scope=0 filter="(objectClass=*)" attrs="* createTimestamp creatorsName entryflags federationboundary localentryid modifiersName modifyTimestamp structuralObjectClass subordinatecount subschemaSubentry aci"
[25/Mar/2011:10:07:31 -0400] conn=19 op=50 RESULT err=0 tag=101 nentries=1 etime=0 notes=U,P
[25/Mar/2011:11:07:32 -0400] conn=19 op=-1 fd=67 closed - T2
I found this bug that seems similar, but I don't see any mention of
some of the specific criteria that leads my instance to hang:
https://bugzilla.redhat.com/show_bug.cgi?id=668619
If anyone has any advice I'd be interested. In the meantime it looks
like I'm due to sign up for a bugzilla account.
Thanks,
Quint
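Steps 6 and 7 of the post are the kind of check worth automating over the access log: find connections closed with a given code, measure how long each sat idle before the close, and flag those that did a BIND but never an UNBIND. The Python below is an added example, not code from the post or from 389 DS. It parses the access-log line format shown above; the sample lines are constructed here (the conn=19 lines follow the post's timestamps, conn=20 is a made-up well-behaved client that unbinds), so the script runs offline and can be pointed at a real access log by replacing the sample.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional

# "[25/Mar/2011:11:07:32 -0400] conn=19 op=-1 fd=67 closed - T2"
_LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<rest>.*)$")
_CLOSE = re.compile(r"closed - (?P<reason>\S+)")


def parse_line(line: str) -> Optional[dict]:
    """Turn one access-log line into an event, or None for lines without an
    op= field (e.g. the 'connection from' line) or unrelated text."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    rest = m.group("rest")
    close = _CLOSE.search(rest)
    return {
        "ts": ts,
        "conn": int(m.group("conn")),
        "op": int(m.group("op")),
        "kind": "CLOSE" if close else rest.split()[0],   # BIND, SRCH, RESULT, UNBIND, ...
        "reason": close.group("reason") if close else None,
    }


def connection_summary(lines) -> Dict[int, dict]:
    """Per connection: whether it bound/unbound, time of its last operation,
    and when/why it was closed."""
    conns: Dict[int, dict] = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        c = conns.setdefault(ev["conn"], {"bound": False, "unbound": False,
                                           "last_op": None, "closed": None, "reason": None})
        if ev["kind"] == "CLOSE":
            c["closed"], c["reason"] = ev["ts"], ev["reason"]
        else:
            c["last_op"] = ev["ts"]
            if ev["kind"] == "BIND":
                c["bound"] = True
            elif ev["kind"] == "UNBIND":
                c["unbound"] = True
    return conns


def idle_timeout_closes(lines, reason: str = "T2") -> List[dict]:
    """Connections closed with `reason`, with the idle gap before the close
    and whether the client left the connection bound (no UNBIND seen)."""
    hits = []
    for conn, c in sorted(connection_summary(lines).items()):
        if c["reason"] == reason and c["closed"] and c["last_op"]:
            hits.append({
                "conn": conn,
                "idle_seconds": int((c["closed"] - c["last_op"]).total_seconds()),
                "left_bound": c["bound"] and not c["unbound"],
            })
    return hits


# Constructed sample log. conn=19 mirrors the post (last RESULT 10:07:31,
# T2 close an hour later); conn=20 is an invented client that unbinds cleanly.
SAMPLE_ACCESS_LOG = """\
[25/Mar/2011:10:00:01 -0400] conn=19 fd=67 slot=67 connection from 10.0.0.5 to 10.0.0.1
[25/Mar/2011:10:00:01 -0400] conn=19 op=0 BIND dn="uid=dev,ou=PeopleTest,dc=dev,dc=XXX,dc=edu" method=128 version=3
[25/Mar/2011:10:00:01 -0400] conn=19 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[25/Mar/2011:10:07:31 -0400] conn=19 op=50 SRCH base="cn=XXXX,ou=PeopleTest,dc=dev,dc=XXX,dc=edu" scope=0 filter="(objectClass=*)" attrs="* aci"
[25/Mar/2011:10:07:31 -0400] conn=19 op=50 RESULT err=0 tag=101 nentries=1 etime=0 notes=U,P
[25/Mar/2011:11:07:32 -0400] conn=19 op=-1 fd=67 closed - T2
[25/Mar/2011:10:30:00 -0400] conn=20 op=0 BIND dn="" method=128 version=3
[25/Mar/2011:10:30:00 -0400] conn=20 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[25/Mar/2011:10:30:00 -0400] conn=20 op=1 SRCH base="dc=dev,dc=XXX,dc=edu" scope=2 filter="(uid=x)" attrs=ALL
[25/Mar/2011:10:30:00 -0400] conn=20 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[25/Mar/2011:10:30:00 -0400] conn=20 op=2 UNBIND
[25/Mar/2011:10:30:00 -0400] conn=20 op=2 fd=68 closed - U1
"""

if __name__ == "__main__":
    for hit in idle_timeout_closes(SAMPLE_ACCESS_LOG.splitlines()):
        print(hit)
```

Feeding the whole access log to `idle_timeout_closes` makes the pattern Quint found by hand (a bound-and-abandoned connection, closed with T2 exactly 3600 seconds after its last operation) visible across all connections at once, which is the first thing to compare against the server's configured idle timeout.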
high-rate queries
by Karoly Czovek
Hi All,
Is there any reason or workaround for 389DS regarding high-rate queries?
It acts as the LDAP server for one exim and 5 postfix servers, 6 courier-imap servers, and libnss-pam.
After a time, my clients cannot connect to the 389DS; ldap queries come back with a temporary lookup failure.
The 389DS has 2 cores with 2GB of RAM; the related settings are the following:
# Open file descriptors
* - nofile 28192
# sysctl parameters
net.ipv4.tcp_keepalive_time = 120
net.ipv4.tcp_keepalive_intvl = 5
net.ipv4.tcp_keepalive_probes = 2
After I restart the service, everything goes fine for a while.
OS: Centos 5.5
Any recommendations?
--
Karoly CZOVEK
Global Systems Administrator
MoveOne IT Department
Eastern Europe - Balkans - CIS & Central Asia - Middle East & Africa - Asia Pacific
phone: +36 1 266 0181 - ext.6710
mobile: +36 70 708 9953
skype: mo_karoly.czovek
email: karoly.czovek(a)moveoneinc.com
web: http://www.moveoneinc.com
Error in Replication
by Kamal Batra
Hi,
I am trying to replicate Windows 2K3 Ad to 389DS server, following things
have been done.
1. Pass sync utility on AD
2. Install CA Certificate, export the same to import it on the 389DS
server.
certutil command gives me the following output
CA certificate CTu,u,u
server-cert u,u,u
Server-Cert u,u,u
psync2 CT,C,C
3. Replication agreement is also in place.
I am getting the following errors:
1. When the password is changed on the windows AD, it tries to connect
to the 389ds server and following is the error on 389ds Server
[25/Mar/2011:02:22:33 +051800] conn=25 fd=64 slot=64 SSL connection from
10.100.109.159 to 10.100.109.157
[25/Mar/2011:02:22:33 +051800] conn=25 op=-1 fd=64 closed - SSL peer cannot
verify your certificate.
2. When 389Ds tries to replicate to Windows Server, it provides the
following error
[25/Mar/2011:16:16:50 +051800] slapi_ldap_bind - Error: could not send bind
request for id [cn=Syncing 389DS,cn=Users,dc=ggdk,dc=com] mech [SIMPLE]:
error 81 (Can't contact LDAP server) -8179 (Peer's Certificate issuer is not
recognized.) 11 (Resource temporarily unavailable)
Please help me in solving these issues.
Regards,
Kamal Batra
+919810795008
epic failure configuring single-master replication
by Jon Detert
I'm trying to setup/configure single-master replication between 2
brand-new centos-ds (aka 'dirsrv') v8.1 servers. Centos directory
server is derived from '389 directory server'. I can't find any
community support for it beyond this list. Please pardon the centos
intrusion on your list.
I'm following the directions at
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.1/html/Admin...
I'm on the last step, which is to tell the supplier (i.e. the 'single
master' in my environment) to replicate itself to the consumer, which,
according to the guide I'm following, had already been prepped for
this.
However, the gui console said "The consumer initialization has
unsuccessfully completed. The error received by the replica is: '6
Replication error acquiring replica: no such replica.' The supplier's
error log (/var/log/dirsrv/slapd-instance/error) said these 2 things
several times:
NSMMReplicationPlugin - agmt="cn=DivideAndConquer" (mkeds3:389):
Unable to acquire replica: there is no replicated area
"dc=infinityhealthcare,dc=com" on the consumer server. Replication is
aborting.
NSMMReplicationPlugin - agmt="cn=DivideAndConquer" (mkeds3:389):
Incremental update failed and requires administrator action
The same log on the consumer (mkeds3), says this:
NSMMReplicationPlugin - conn=12 op=3 replica="unknown": Unable to
acquire replica: error: no such replica
All evidence suggests the consumer doesn't have, but needs, a replica
place for my suffix dc=infinity... However, I followed the directions
at http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.1/html/Admin...
without error. Is there a missing step I didn't do?
Thanks,
Jon
Error in installing Admin-Console
by Kamal Batra
Hi,
Please help me in installing the admin-console; while trying to do so, I am
getting the following error:
Are you ready to set up your servers? [yes]:
Creating directory server . . .
Your new DS instance 'psync' was successfully created.
Creating the configuration directory server . . .
Beginning Admin Server reconfiguration . . .
Creating Admin Server files and directories . . .
Updating adm.conf . . .
Updating admpw . . .
Registering admin server with the configuration directory server . . .
Updating adm.conf with information from configuration directory server . . .
Updating the configuration for the httpd engine . . .
Error updating console.conf:
Content-type: text/html
NMC_Status: 1
NMC_ErrType:
NMC_ErrInfo: Cannot open file for reading
Could not update the httpd engine configuration.
Could not reconfigure the admin server.
Exiting . . .
Log file is '/tmp/setup6NRmTT.log'
Regards,
Kamal Batra
problem creating replica on supplier
by Jon Detert
I'm trying to setup a supplier for single-master replication.
I'm actually using Centos Directory Server v8.1 (which is probably
equivalent to something like 389 dir serv v 1.2.4).
I created the changelog entry successfully.
The next step, according to this doc:
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.1/html/Admin...
is to create the supplier replica entry. However, creation fails with
error 32, and the message 'No such object'. If I run the slapd with
debug level 3, I see the bind, and the fact that it is attempting an
add, and then it says:
[22/Mar/2011:10:08:31 -0500] - Calling plugin 'Legacy replication
preoperation plugin' #3 type 407
[22/Mar/2011:10:08:31 -0500] - Calling plugin 'Multimaster replication
preoperation plugin' #4 type 407
[22/Mar/2011:10:08:31 -0500] - => send_ldap_result 32::
[22/Mar/2011:10:08:31 -0500] - add_pb
[22/Mar/2011:10:08:31 -0500] - <= send_ldap_result
[22/Mar/2011:10:08:31 -0500] - get_pb
[22/Mar/2011:10:08:31 -0500] - dse_add: parent does not exist
[22/Mar/2011:10:08:31 -0500] - do_unbind
What object doesn't exist? Evidently, a parent object. My
assumption, based on the ldif data fed to ldapmodify, is either:
a) I don't have the objectclass 'nsds5replica', or
b) the dn: cn="dc=example,dc=com",cn=mapping tree,cn=config doesn't exist.
However, if I query cn=mapping tree,cn=config for any/all objects, I
see dn: cn="dc=example,dc=com",cn=mapping tree,cn=config. That
suggests the problem isn't b). How do I determine if objectclass
'nsds5replica' exists? I see it is in a schema file named
'00core.ldif', so why wouldn't it exist?
Any other ideas?
Thanks,
Jon
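"dse_add: parent does not exist" means the server could not find the entry one level above the DN being added, so the useful client-side check is: compute the parent of the DN you are about to add and confirm that exact entry exists. The catch with the mapping-tree DN quoted in the post is that its second RDN value is itself a DN containing commas, so a naive split on "," computes the wrong parent. The Python below is an added example, not code from the post or from 389 DS: it splits a DN while honouring quoted values and backslash escapes, derives the parent, and reports which parent is missing from a list of known DNs. The replica DN used (cn=replica under the mapping-tree entry) is an assumption based on the conventional name for the supplier replica entry, and the list of existing entries is constructed.

```python
from typing import List, Optional, Sequence


def split_dn(dn: str) -> List[str]:
    """Split a DN string into RDN strings, treating commas inside a quoted
    value or preceded by a backslash as part of the value (RFC 4514 style)."""
    rdns: List[str] = []
    buf: List[str] = []
    in_quotes = False
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):       # escaped char, keep verbatim
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:
            rdns.append("".join(buf).strip())
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    if in_quotes:
        raise ValueError("unterminated quoted value in DN")
    rdns.append("".join(buf).strip())
    return rdns


def normalize_dn(dn: str) -> str:
    """Lower-case and trim each RDN. Sufficient for comparing config DNs
    under cn=config; not a full RFC 4518 string preparation."""
    return ",".join(rdn.lower() for rdn in split_dn(dn))


def parent_dn(dn: str) -> Optional[str]:
    """DN of the entry one level up, or None for a single-RDN DN."""
    rdns = split_dn(dn)
    return ",".join(rdns[1:]) if len(rdns) > 1 else None


def missing_parent(dn: str, existing: Sequence[str]) -> Optional[str]:
    """Return the parent DN that an add of `dn` requires but that is absent
    from `existing` (the 'parent does not exist' condition), else None."""
    parent = parent_dn(dn)
    if parent is None:
        return None
    known = {normalize_dn(d) for d in existing}
    return None if normalize_dn(parent) in known else parent


# Assumed replica entry DN (conventional name) beneath the mapping-tree entry
# quoted in the post, and a constructed list of entries known to exist.
REPLICA_DN = 'cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config'
EXISTING_DNS = [
    "cn=config",
    "cn=mapping tree,cn=config",
    'cn="dc=example,dc=com",cn=Mapping Tree,cn=config',
]

if __name__ == "__main__":
    print("naive split :", REPLICA_DN.split(","))
    print("proper split:", split_dn(REPLICA_DN))
    print("parent      :", parent_dn(REPLICA_DN))
    print("missing     :", missing_parent(REPLICA_DN, EXISTING_DNS))
```

On a live server the `existing` list would come from an ldapsearch of cn=mapping tree,cn=config (as the post describes); the comparison is case-insensitive so "Mapping Tree" and "mapping tree" match, but a quoted suffix must match character for character, which is the first thing to check when the mapping-tree entry appears to exist yet the add still fails.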