Problem browsing LDAP with Outlook
by Chris Bryant
When configuring Microsoft Outlook (not Outlook Express) to access an LDAP directory, there is an option to 'Enable Browsing (requires server support)'. If this option is chosen and the directory server supports it, then you should be able to open the LDAP address book and page up and down through the results. I have been unable to get this working properly with 389 DS.
When I try to browse from Outlook against the 389 DS directory, I am able to see the first page of results perfectly. However, if I move to the next page, only the first object returned will have any attributes included, and all of the rest of the objects in the page will have no attributes. I have a test perl script that duplicates this functionality as well.
I can get this to work properly with an older version of Netscape Directory Server, and I can get it working with OpenDS. Since 389 DS advertises support for the controls that are required for this to work, just like the other two servers, then I would expect it to work there also.
Has anyone out there gotten this to work with 389 DS? If so, can you share if there was anything special that you needed to do to get this to work? I'm trying to determine if this is a bug in the server, or if I'm just missing something in the configuration.
Thanks,
Chris
USA.NET
2 years, 9 months
Re: [389-users] Replication trouble when promoting dedicated Consumer to Multiple master [SOLVED]
by Roland Schwingel
Hi.....
Finally I got it. I don't know whether I did it the fully correct way, but it works now.
I found that this mysterious replica id 3 was stored in dse.ldif of my
server-b:
To recap my scenario:
server A <----- server B <-----> server C -----> server D
(dedicated Consumer)  (multiple Master, replica ID 1)  (multiple Master, replica ID 2)  (dedicated Consumer)
I wanted to promote my server D to become a multiple master - but it did
not work.
What did I do to get it going:
1. Removed all replication agreements to/from server D.
2. Stopped all LDAP services on all servers (I was a little desperate)
3. Found replica id 3 in dse.ldif of server B(?) - nowhere else (why B and
not C?)
4. Removed these bogus entries.
5. Restarted all LDAP services on all machines.
6. ldapsearch on server C still revealed the bogus replica id 3 (Where the
heck is that cached?).
7. Reinitialized consumer server C from server B and restarted ldap on
server C.
8. ldapsearch was clean by then.
9. removed my suffix on server D and removed changelog.
10. recreated suffix on server D and made server D a dedicated consumer
11. on server C created replication agreement to server D
12. initialized server D from server C.
13. Enabled changelog on server D
14. Changed server D to be Multiple Master with replica id 3
15. Created replication agreement to server C from server D.
16. Worked. Restarted LDAP on server D and C.
17. Still works and replicates to all other machines along the path.
18. I need vacation....
Holy Moly!
Roland
__________________
Hi Reinhard,
Thanks for your reply!!
389-users-bounces(a)lists.fedoraproject.org wrote on 14.07.2011 16:25:10:
> From: Reinhard Nappert <rnappert(a)juniper.net>
> To: "General discussion list for the 389 Directory server project."
> <389-users(a)lists.fedoraproject.org>
> Date: 14.07.2011 16:28
> Subject: Re: [389-users] Replication trouble when promoting
> dedicated Consumer to Multiple master
> Sent by: 389-users-bounces(a)lists.fedoraproject.org
>
> Do a ldapsearch -b 'nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,dc=mydomain,dc=com' -D <directory manager> -w <password> -s base objectclass=nstombstone
>
> This gives you all the configured (history) of replication ids. The
> following is the output in my setup.
>
> dn: nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,o=base
> objectClass: top
> objectClass: nsTombstone
> objectClass: extensibleobject
> nsds50ruv: {replicageneration} 4df7a107000000010000
> nsds50ruv: {replica 1 ldap://yale:389} 4df7a396000000010000 4e19ad95000000010000
> nsds50ruv: {replica 3 ldap://norquay:389} 4df7a39d000000030000 4e160565000000030000
> nsds50ruv: {replica 4 ldap://mustrum:389} 4df7a3a0000000040000 4dfb9365000000040000
> nsds50ruv: {replica 2 ldap://louise:389} 4df7a39a000000020000 4e171a07000000020000
> o: base
> nsruvReplicaLastModified: {replica 1 ldap://yale:389} 00000000
> nsruvReplicaLastModified: {replica 3 ldap://norquay:389} 00000000
> nsruvReplicaLastModified: {replica 4 ldap://mustrum:389} 00000000
> nsruvReplicaLastModified: {replica 2 ldap://louise:389} 00000000
> /\
> |
> replication-id
>
I issued that command on my server C. I get the following results:
# extended LDIF
#
# LDAPv3
# base <nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,dc=mydomain,dc=com> with scope baseObject
# filter: objectclass=nstombstone
# requesting: ALL
#
# ffffffff-ffffffff-ffffffff-ffffffff, mydomain.com
dn: nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff, dc=mydomain,dc=com
objectClass: top
objectClass: nsTombstone
objectClass: extensibleobject
nsds50ruv: {replicageneration} 4bf162c6000000010000
nsds50ruv: {replica 2 ldap://server-c.mydomain.com:389} 4cd3fa1e000000020000 4e1ef45b000000020000
nsds50ruv: {replica 3 ldap://server-d.mydomain.de:389}
nsds50ruv: {replica 1 ldap://server-b.mydomain.de:389} 4bf16732000000010000 4e1ffa3e000000010000
dc: mydomain
nsruvReplicaLastModified: {replica 2 ldap://server-c.mydomain.com:389} 4e1ef445
nsruvReplicaLastModified: {replica 3 ldap://server-d.mydomain.de:389} 00000000
nsruvReplicaLastModified: {replica 1 ldap://server-b.mydomain.de:389} 4e1ffa26
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
When I look at it I see that replica id 3 is assigned to my server-d (which should get that replica id). I started over, deleted my server-d, and assigned it replica id 4, but nothing changes.
I also cannot get rid of the information for server-d in that nsuniqueid entry. How can I do that?
Thanks,
Roland
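The nsds50ruv values above are what both Reinhard's and Roland's ldapsearch commands return, and a replica id that appears there with no CSNs (replica 3 in Roland's output) is exactly what a monitoring check should flag. The following is an added Python example, not code from the thread; the sample LDIF is Roland's output with the wrapped lines joined, and the CSN field layout (8 hex time, 4 seq, 4 replica id, 4 subseq) is the standard 389 DS encoding.

```python
"""Parse the nsds50ruv values of a 389 DS RUV tombstone entry and flag
stale or inconsistent replica IDs.  Added example; not from the thread."""
import re
from datetime import datetime, timezone

# Constructed sample: Roland's RUV entry with the wrapped ldapsearch
# lines joined back together.
SAMPLE_LDIF = """\
dn: nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,dc=mydomain,dc=com
objectClass: top
objectClass: nsTombstone
objectClass: extensibleobject
nsds50ruv: {replicageneration} 4bf162c6000000010000
nsds50ruv: {replica 2 ldap://server-c.mydomain.com:389} 4cd3fa1e000000020000 4e1ef45b000000020000
nsds50ruv: {replica 3 ldap://server-d.mydomain.de:389}
nsds50ruv: {replica 1 ldap://server-b.mydomain.de:389} 4bf16732000000010000 4e1ffa3e000000010000
"""

# "{replica <id> <url>} [mincsn [maxcsn]]"; the replicageneration value
# has no space after "replica" and therefore does not match.
RUV_RE = re.compile(r"^nsds50ruv:\s*\{replica (\d+) (ldap://[^}]+)\}\s*(.*)$")


def parse_csn(csn):
    """Split a 20-hex-digit CSN: time (8), seq (4), replica id (4), subseq (4)."""
    if len(csn) != 20:
        raise ValueError("bad CSN length: %r" % csn)
    return {
        "time": datetime.fromtimestamp(int(csn[0:8], 16), tz=timezone.utc),
        "seq": int(csn[8:12], 16),
        "rid": int(csn[12:16], 16),
        "subseq": int(csn[16:20], 16),
    }


def parse_ruv(ldif):
    """Return one dict per replica element, in the order the server lists them."""
    replicas = []
    for line in ldif.splitlines():
        m = RUV_RE.match(line.strip())
        if not m:
            continue
        rid, url, csns = int(m.group(1)), m.group(2), m.group(3).split()
        replicas.append({"rid": rid, "url": url,
                         "min_csn": csns[0] if csns else None,
                         "max_csn": csns[1] if len(csns) > 1 else None})
    return replicas


def ruv_problems(replicas):
    """Return (rid, reason) pairs a replication health check would report."""
    problems = []
    for r in replicas:
        if r["max_csn"] is None:
            problems.append((r["rid"], "no CSN: replica id is known but never produced an update"))
            continue
        for key in ("min_csn", "max_csn"):
            embedded = parse_csn(r[key])["rid"]
            if embedded != r["rid"]:
                problems.append((r["rid"], "%s carries replica id %d" % (key, embedded)))
    return problems
```

A replica element with no CSNs is harmless for replication but shows the id is still "taken" in the RUV, which is why Roland saw replica id 3 after deleting server D; it is also the reason re-using that id for a different server is risky until the RUV has been cleaned.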
11 years, 5 months
Views, Filtered roles and CoS
by Colin Panisset
I have a pretty flat DIT, with all users currently under
ou=people,dc=example,dc=com; these user objects also have posixAccount
attributes, of which loginShell is one.
What I'm trying to achieve is to be able to set a "default" loginShell
to be a restricted shell (/bin/rbash) for developers, but allow that to
be a non-restricted shell on systems which are development hosts.
As an example, on a production host I'd like:
$ ldapsearch -x "(uid=devuser)" uid loginshell
to return:
dn: cn=Dev User,ou=People,dc=example,dc=com
loginShell: /bin/rbash
uid: devuser
while on a development host, I'd like the same search to return
dn: cn=Dev User,ou=People,dc=example,dc=com
loginShell: /bin/bash
uid: devuser
I thought I might be able to achieve this by creating a view called
ou=Developers,dc=example,dc=com and using that as a base DN on the
development boxes, then applying a CoS within the view to override the
loginShell attribute, but then the CoS ends up being applied to the
original entry too.
Is there any way that I could:
- have a CoS apply based on client system attributes, like IP
address/hostname?
- have a CoS which applies to a view that *doesn't* affect the original
object?
- perhaps make use of cosPriority through two different views, so as to
have ou=Development,... and ou=Production,... (but that would be
answered by the previous option anyway)?
Is there some other clever way to achieve what I'd like? I'd really like
to avoid maintaining 2 separate DITs for the same set of users.
-- C.
11 years, 8 months
passsync - ldap error in queryusername
by Aaron Hagopian
Recently this message started to show up on our windows domain controller in
the passsync log file:
...
09/29/11 14:38:50: Ldap error in QueryUsername
1: Operations error
09/29/11 14:39:54: Ldap error in QueryUsername
1: Operations error
09/29/11 14:42:02: Ldap error in QueryUsername
1: Operations error
09/29/11 14:46:18: Ldap error in QueryUsername
1: Operations error
...
This happens fairly sporadically, but password changes from this machine are also being abandoned, while on others there are no issues. This is our only 2008 domain controller at the moment, but it was working on this machine and another 2008 DC (that was decommissioned) previously.
Thanks,
Aaron Hagopian
11 years, 8 months
Password expiration policy problem
by David Hoskinson
I have configured our directory server to have a global password policy in the directory server, under Data -> Passwords. The policy we have elected to use has the password expire in 45 days. For the last 15 days it has been warning me to change it. I have on several occasions changed it by typing password in a terminal window and changing it. This has been successful and the new password is active. However, the next time I log in the countdown has not been reset. I was wondering what would happen when it got to 0, so I let that happen today. As expected it prompted me to change my password and I reset it. However, when I log back in I am still at 0 and hence cannot log in to the machine. I looked at the passwordExpirationTime on my account and it reads 20111113112125Z, as I believe it should since it was reset today. Still can't log in, and the account says I am at 0 days...
Thanks for any help...
David Hoskinson | DATATRAK International
Systems Engineer
Mayfield Heights, Ohio, USA
+1.440.443.0082 x 124 (p) | +1.216.280.5457 (m)
david.hoskinson(a)datatrak.net | www.datatrak.net
11 years, 8 months
Building on OSX
by Mike Conigliaro
Hey everyone, I'm trying to create homebrew formulas for getting 389
built on OSX. I've successfully built all the dependencies, but I'm
getting stuck on ds-base. Has anyone actually done this before? Judging
by some of the things I've seen in the source, I'm guessing no, but I'm
hoping someone here might be of some assistance.
- Mike
11 years, 8 months
Re: [389-users] Problem with samba and 389 Directory server with LDAPS
by Angel Bosch Mora
you have two server certificates with almost the same name. be careful about that.
you can inspect details with
certutil -d /etc/dirsrv/slapd-xxx01 -L -n "server-cert"
and
certutil -d /etc/dirsrv/slapd-xxx01 -L -n "Server-cert"
or use it with a simple pipe to check Alt Names:
certutil -d /etc/dirsrv/slapd-xxx01 -L -n "Server-cert" | grep DNS
----- Original message -----
[root@xxx ZDRIVE]# certutil -d /etc/dirsrv/slapd-xxx01 -L
Certificate Nickname          Trust Attributes
                              SSL,S/MIME,JAR/XPI
CA certificate                CTu,u,u
server-cert                   u,u,u
Server-Cert                   u,u,u
Thanks Rich….
From: Rich Megginson [mailto:rmeggins@redhat.com]
Sent: Wednesday, September 28, 2011 9:24 AM
To: General discussion list for the 389 Directory server project.
Cc: David Hoskinson
Subject: Re: [389-users] Problem with samba and 389 Directory server with LDAPS
On 09/28/2011 06:47 AM, David Hoskinson wrote:
I do not have a server.crt.. I created my certs using the following page on the 389 documentation
http://directory.fedoraproject.org/wiki/Howto:SSL
which creates a cert8.db and key3.db
in the past I could do certutil -L something and it would show the cert information but can't seem to find that command anymore.
certutil -d /etc/dirsrv/slapd-instance -L
I can authenticate from localhost and any of the client machines even the samba server just fine… I just can’t seem to get samba service to connect. If I have setup things incorrectly I appreciate the help.
From: 389-users-bounces(a)lists.fedoraproject.org [ mailto:389-users-bounces@lists.fedoraproject.org ] On Behalf Of Angel Bosch Mora
Sent: Wednesday, September 28, 2011 7:52 AM
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] Problem with samba and 389 Directory server with LDAPS
are you sure your certificate is created with your FQDN in it?
I've had a LOT of problems until I created my certs correctly.
you can check it with
openssl x509 -noout -text -in server.crt
and I recommend that you include your FQDN as an Alternative Name even if it is your hostname; that trick saved me a lot of headaches. I always create my certs with two alternate names, the FQDN itself and also ldap.<mydomain>
this way you don't have any problems with loadbalancing and such.
to create a certificate request with alternate names you can run (one line)
certutil -R -s "CN=myserver.example.com,OU=example,O=example,L=example,ST=example,C=example" -o example.csr -d . -a -8 myserver.example.com,ldap.example.com
[2011/09/28 11:23:13, 2] lib/smbldap.c:smbldap_open_connection(786)
smbldap_open_connection: connection opened
[2011/09/28 11:23:13, 10] lib/smbldap.c:smbldap_connect_system(951)
ldap_connect_system: Binding to ldap server ldaps://adm301.stag.cle.us as "cn=Directory Manager"
[2011/09/28 11:23:13, 2] lib/smbldap.c:smbldap_connect_system(982)
failed to bind to server ldaps://"FQDN of server".stag.cle.us with dn="cn=Directory Manager" Error: Can't contact LDAP server
(unknown)
And yes I can resolve the hostname which I have sanitized.
Thanks for the tip, but that doesn’t seem to help, still have same result. This was just working on another machine but I had to put that one back to the way it was, and must have missed something. Any more thoughts?
From: 389-users-bounces(a)lists.fedoraproject.org [ mailto:389-users-bounces@lists.fedoraproject.org ] On Behalf Of Angel Bosch Mora
Sent: Wednesday, September 28, 2011 3:39 AM
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] Problem with samba and 389 Directory server with LDAPS
you have to use FQDN when connecting securely. and you have to use the exact name used in the certificate.
I am getting the following message in the /var/log/samba/smbd.log file when I start up samba and try to connect as a user.
[2011/09/27 14:23:33, 1] lib/smbldap.c:another_ldap_try(1153)
Connection to LDAP server failed for the 15 try!
[2011/09/27 14:23:34, 10] lib/smbldap.c:smb_ldap_setup_conn(630)
smb_ldap_setup_connection: ldaps://192.168.3.79
[2011/09/27 14:23:34, 2] lib/smbldap.c:smbldap_open_connection(786)
smbldap_open_connection: connection opened
[2011/09/27 14:23:34, 10] lib/smbldap.c:smbldap_connect_system(951)
ldap_connect_system: Binding to ldap server ldaps://192.168.x.x as "cn=directory manager,dc=stag,dc=cle,dc=us"
[2011/09/27 14:23:34, 2] lib/smbldap.c:smbldap_connect_system(982)
failed to bind to server ldaps://192.168.x.x with dn="cn=directory manager,dc=stag,dc=cle,dc=us" Error: Can't contact LDAP server
(unknown)
Relevant part of the smb.conf
passdb backend = ldapsam: ldaps://192.168.x.x
ldap suffix = dc=stag,dc=cle,dc=us
ldap machine suffix = ou=people
ldap user suffix = ou=people
ldap group suffix = ou=groups
ldap passwd sync = yes
ldap admin dn = cn=directory manager,dc=stag,dc=cle,dc=us
obey pam restrictions = yes
I was able to run smbpasswd -w to add the dn admin password to the secrets.tdb but am unable to add additional users as well, again getting a cannot contact ldap server message. I had this working on another machine, but that machine was needed for another purpose and lost the setup. I know I must be missing something simple and am checking the HOWTO for samba on the 389-Directory Server site.
David Hoskinson | DATATRAK International
Systems Engineer
Mayfield Heights, Ohio, USA
+1.440.443.0082 x 124 (p) | +1.216.280.5457 (m)
david.hoskinson(a)datatrak.net | www.datatrak.net
--
389 users mailing list
389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
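Angel's advice (connect with the exact FQDN that is in the certificate, and put it in a Subject Alternative Name) comes down to the name-matching rule a TLS client applies, and David's smb.conf points samba at ldaps://192.168.x.x, an IP literal that can never match a DNS name. The function below is an added Python example, not code from the thread; the certificate names are the ones Angel's certutil -R command would request, and the wildcard handling follows the usual RFC 6125 rule (one wildcard, leftmost label only).

```python
"""Decide whether the host in an ldaps:// URL matches a server certificate's
names the way a TLS client does.  Added example; not part of the thread."""
import ipaddress
from urllib.parse import urlsplit


def _label_match(pattern, host):
    """Case-insensitive match; a wildcard is allowed only as the whole leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*":
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches(url, san_dns, cn=None, san_ip=()):
    """Return (ok, reason) for the host part of `url` against the certificate names.

    san_dns / san_ip: dNSName and iPAddress SAN entries; cn: subject CN, which
    clients only consult when the certificate carries no SAN at all.
    """
    host = urlsplit(url).hostname
    if host is None:
        return False, "no host in URL"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is compared only with iPAddress SANs, never with DNS names or CN.
        if any(ipaddress.ip_address(a) == ip for a in san_ip):
            return True, "matched IP SAN %s" % host
        return False, "IP literal %s matches no IP SAN; DNS names and CN are not consulted" % host
    for name in san_dns:
        if _label_match(name, host):
            return True, "matched DNS SAN %s" % name
    if san_dns:
        return False, "no DNS SAN matches %s (CN is ignored when SANs are present)" % host
    if cn and _label_match(cn, host):
        return True, "matched CN %s (no SANs; legacy fallback)" % cn
    return False, "%s matches neither SAN nor CN" % host


# Constructed: the names Angel's certutil -R example puts in the request.
SAN_DNS = ["myserver.example.com", "ldap.example.com"]
CN = "myserver.example.com"
```

With these names, ldaps://myserver.example.com and ldaps://ldap.example.com both verify, while ldaps://192.168.3.79 and the bare short hostname ldaps://myserver fail before any bind is attempted, which samba reports as "Can't contact LDAP server".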
11 years, 8 months
get informed about replication broken
by Karoly Czovek
Is there any way, to get informed about one of the replications failed?
SNMP trap to the monitoring server, etc?
--
Karoly CZOVEK
Global Systems Administrator
MoveOne IT Department
Eastern Europe - Balkans - CIS & Central Asia - Middle East & Africa - Asia Pacific
phone: +36 1 266 0181 - ext.6710
mobile: +36 70 708 9953
skype: mo_karoly.czovek
email: karoly.czovek(a)moveoneinc.com
web: http://www.moveoneinc.com
11 years, 8 months
Problem with samba and 389 Directory server with LDAPS
by David Hoskinson
I am getting the following message in the /var/log/samba/smbd.log file when I start up samba and try to connect as a user.
[2011/09/27 14:23:33, 1] lib/smbldap.c:another_ldap_try(1153)
Connection to LDAP server failed for the 15 try!
[2011/09/27 14:23:34, 10] lib/smbldap.c:smb_ldap_setup_conn(630)
smb_ldap_setup_connection: ldaps://192.168.3.79
[2011/09/27 14:23:34, 2] lib/smbldap.c:smbldap_open_connection(786)
smbldap_open_connection: connection opened
[2011/09/27 14:23:34, 10] lib/smbldap.c:smbldap_connect_system(951)
ldap_connect_system: Binding to ldap server ldaps://192.168.x.x as "cn=directory manager,dc=stag,dc=cle,dc=us"
[2011/09/27 14:23:34, 2] lib/smbldap.c:smbldap_connect_system(982)
failed to bind to server ldaps://192.168.x.x with dn="cn=directory manager,dc=stag,dc=cle,dc=us" Error: Can't contact LDAP server
(unknown)
Relevant part of the smb.conf
passdb backend = ldapsam:ldaps://192.168.x.x
ldap suffix = dc=stag,dc=cle,dc=us
ldap machine suffix = ou=people
ldap user suffix = ou=people
ldap group suffix = ou=groups
ldap passwd sync = yes
ldap admin dn = cn=directory manager,dc=stag,dc=cle,dc=us
obey pam restrictions = yes
I was able to run smbpasswd -w to add the dn admin password to the secrets.tdb but am unable to add additional users as well, again getting a cannot contact ldap server message. I had this working on another machine, but that machine was needed for another purpose and lost the setup. I know I must be missing something simple and am checking the HOWTO for samba on the 389-Directory Server site.
David Hoskinson | DATATRAK International
Systems Engineer
Mayfield Heights, Ohio, USA
+1.440.443.0082 x 124 (p) | +1.216.280.5457 (m)
david.hoskinson(a)datatrak.net | www.datatrak.net
11 years, 8 months
Quick Upgrade question
by Reinhard Nappert
Hi,
I was wondering if the following was observed somewhere else.
I am upgrading 1.1.2 to 1.2.8.3 and I see the following message, when the upgrade of the dn is done:
[27/Sep/2011:07:57:22 +0000] - upgradedn NetscapeRoot: Index buffering is disabled./lib/dirsrv/slapd-ds/upgradednformat: line 59: 9661 Terminated ./ns-slapd upgradednformat -D /etc/dirsrv/slapd-ds -a $dir -n $be -N
This happened for all of my databases.
The server is up and running, but I was wondering what kind of impact this could have. More importantly, any idea why this happened?
Thanks,
-Reinhard
11 years, 8 months