Problem browsing LDAP with Outlook
by Chris Bryant
When configuring Microsoft Outlook (not Outlook Express) to access an LDAP directory, there is an option to 'Enable Browsing (requires server support)'. If this option is chosen and the directory server supports it, then you should be able to open the LDAP address book and page up and down through the results. I have been unable to get this working properly with 389 DS.
When I try to browse from Outlook against the 389 DS directory, I am able to see the first page of results perfectly. However, if I move to the next page, only the first object returned will have any attributes included, and all of the rest of the objects in the page will have no attributes. I have a test perl script that duplicates this functionality as well.
I can get this to work properly with an older version of Netscape Directory Server, and I can get it working with OpenDS. Since 389 DS advertises support for the controls that are required for this to work, just like the other two servers, then I would expect it to work there also.
Has anyone out there gotten this to work with 389 DS? If so, can you share if there was anything special that you needed to do to get this to work? I'm trying to determine if this is a bug in the server, or if I'm just missing something in the configuration.
Thanks,
Chris
USA.NET
3 years, 3 months
Force Password Change
by John Trump
I have recently installed two 389-ds servers. I have replication configured
and it is working. I was able to import all of my users into DS. I expired
all of the passwords so users will be forced to set new passwords upon
logging in the first time. The problem I am having is when I log in to a
remote system via ssh I am forced to change my password. When I log in to
my local system, which is configured to use ldap, I am not forced to change
my password. Any suggestions or thoughts?
john
11 years, 1 month
how to properly change port number
by Sharuzzaman Ahmat Raslan
Hi,
Newbie to 389-ds and LDAP
I just installed 389-ds using CentOS 6 packages through yum. The package
install went well.
Then, after consulting documentation from port389.org, I ran the command
setup-ds-admin.pl to configure.
I put the web management port to 9999, but decided to use 9898.
I changed console.conf to Listen 0.0.0.0:9898 and local.conf to
configuration.nsserverport: 9898
But, after restarting dirsrv-admin, the web management port is 9898, but
the link in the application is still pointing to port 9999
The question: What is the correct way to change the port number without
resorting to full reinstallation of the system?
Thanks.
--
Sharuzzaman Ahmat Raslan
11 years, 1 month
AD replication agreement with 2 different servers/domains
by Juan Asensio Sánchez
Hi
I am trying to configure the replication between 389DS and two
different servers and domains in Active Directory. The first
replication agreement works fine, and the second works fine too in the
initialization. But when I modify some user, the change is replicated
to the first server/domain, but not to the second one. I think this
is because the first agreement has created the objectGUID in AD, and
replicated to 389DS in the ntUniqueId attribute, but with the second
agreement, the second server domain has created a different objectGUID
but not replicated/overwrote the previous ntUniqueId created by the
first agreement (that then would break the first agreement). Is this
correct? Is there any way to solve/workaround this?
Regards and thanks in advance.
11 years, 1 month
Problem sync groups with Active Directory
by Juan Asensio Sánchez
Hi
Using 389DS 1.2.5 on CentOS 5.5 i385, I need to sync users and groups
from 389DS to Active Directory (Windows Server 2003). On the 389DS side
I have this:
dn: cn=ALERGIAS_gestion,ou=Groups,o=XXXX,dc=XXXX,dc=es
objectClass: groupOfNames
objectClass: groupOfUniqueNames
objectClass: ntGroup
objectClass: posixGroup
objectClass: sambaGroupMapping
objectClass: top
cn: ALERGIAS_gestion
gidNumber: 130541
ntUserDomainId: ALERGIAS_gestion
sambaGroupType: 2
sambaSID: S-1-5-21-2896031208-2582234988-3810615631-261845
description: Personal de D.GESTION de ALERGIAS del XXXX
displayName: Personal de D.GESTION de ALERGIAS del XXXXX
ntGroupCreateNewGroup: true
ntGroupDeleteGroup: true
ou: ou=ALERGIAS,ou=PERIFERICA,ou=D. GESTION,o=XXXX,dc=XXXX,dc=es
Base DS subtree in the replication agreement is o=XXXX,dc=XXXX,dc=es,
and Windows Subtree is "ou=XXXX,ou=LDAP,dc=pruebas,dc=local", so I had
to create manually the OUs
"ou=People,ou=XXXX,ou=LDAP,dc=pruebas,dc=local" and
"ou=Groups,ou=XXXX,ou=LDAP,dc=pruebas,dc=local" (user sync works
fine). When I try to sync data, doing a full re-synchronization from
the console, I get this error when the server is going to sync the
group:
[18/Oct/2012:13:09:58 +0200] NSMMReplicationPlugin -
agmt="cn=XXXXX-LDAPPruebas-WinAD" (grsgscvant01f6:636):
windows_process_total_entry: Looking
dn="cn=ALERGIAS_gestion,ou=Groups,o=XXXXX,dc=XXXXX,dc=es" (ours)
[18/Oct/2012:13:09:58 +0200] NSMMReplicationPlugin -
agmt="cn=XXXXX-LDAPPruebas-WinAD" (grsgscvant01f6:636):
map_entry_dn_outbound: looking for AD entry for DS
dn="cn=ALERGIAS_gestion,ou=Groups,o=XXXXX,dc=XXXXX,dc=es"
guid="(null)"
[18/Oct/2012:13:09:58 +0200] NSMMReplicationPlugin -
agmt="cn=XXXXX-LDAPPruebas-WinAD" (grsgscvant01f6:636):
map_entry_dn_outbound: looking for AD entry for DS
dn="cn=ALERGIAS_gestion,ou=Groups,o=XXXXX,dc=XXXXX,dc=es"
username="ALERGIAS_gestion"
[18/Oct/2012:13:09:58 +0200] - Calling windows entry search request plugin
[18/Oct/2012:13:09:58 +0200] - windows_search_entry: recieved 1
messages, 0 entries, 0 references
[18/Oct/2012:13:09:58 +0200] NSMMReplicationPlugin -
agmt="cn=XXXXX-LDAPPruebas-WinAD" (grsgscvant01f6:636):
map_entry_dn_outbound: entry not found - rc 0
[18/Oct/2012:13:09:58 +0200] - Windows sync entry: Created new remote entry:
dn: cn=ALERGIAS_gestion,ou=Groups,ou=XXXXX,ou=LdapPeople,dc=pruebas,dc=local
objectClass: top
objectClass: group
sAMAccountName: ALERGIAS_gestion
ou: ou=ALERGIAS,ou=PERIFERICA,ou=D. GESTION,o=XXXXX,dc=XXXXX,dc=es
description: Personal de D.GESTION de ALERGIAS del XXXXX
[18/Oct/2012:13:09:58 +0200] - Attempting to add entry
cn=ALERGIAS_gestion,ou=Groups,ou=XXXXX,ou=LdapPeople,dc=pruebas,dc=local
to AD for local entry
cn=ALERGIAS_gestion,ou=Groups,o=XXXXX,dc=XXXXX,dc=es
[18/Oct/2012:13:09:58 +0200] NSMMReplicationPlugin -
agmt="cn=XXXXX-LDAPPruebas-WinAD" (grsgscvant01f6:636): Received
result code 65 (0000207D: UpdErr: DSID-03150F9C, problem 6002
(OBJ_CLASS_VIOLATION), data 0 ) for add operation
[18/Oct/2012:13:09:58 +0200] NSMMReplicationPlugin -
agmt="cn=XXXXX-LDAPPruebas-WinAD" (grsgscvant01f6:636):
windows_replay_update: Cannot replay add operation.
[18/Oct/2012:13:09:58 +0200] NSMMReplicationPlugin -
agmt="cn=XXXXX-LDAPPruebas-WinAD" (grsgscvant01f6:636): Beginning
linger on the connection
[18/Oct/2012:13:09:58 +0200] NSMMReplicationPlugin -
agmt="cn=XXXXX-LDAPPruebas-WinAD" (grsgscvant01f6:636):
windows_tot_run: failed to obtain data to send to the consumer; LDAP
error - 1
It looks like it is trying to create a group (objectClass group), but with
user attributes (sAMAccountName)... Any idea? Is the source group badly
created?
Regards and thanks in advance.
11 years, 1 month
ldap-agent
by Michael Mercier
Hello,
I am trying to configure ldap-agent with no luck. I have followed the instructions at: http://directory.fedoraproject.org/wiki/Howto:SNMPMonitoring
NOTE: This system is running 389 under FreeIPA on CentOS 6.3
[root@ipaserver ~]# rpm -qa|grep net-snmp
net-snmp-5.5-41.el6_3.1.x86_64
net-snmp-libs-5.5-41.el6_3.1.x86_64
[root@ipaserver ~]# rpm -qa|grep 389
389-ds-base-libs-1.2.10.2-20.el6_3.x86_64
389-ds-base-1.2.10.2-20.el6_3.x86_64
[root@ipaserver ~]# more /etc/dirsrv/config/ldap-agent.conf
# The agentx-master setting defines how to communicate
# with the SNMP master agent using the AgentX protocol.
# The default is to use a UNIX domain socket. If your
# master agent is listening on a tcp port for AgentX
# subagents, use a line like the following:
#
# agentx-master localhost:705
agentx-master /var/agentx/master
# The agent-logdir settings defines where the subagent
# will write it's logfile.
agent-logdir /var/log/dirsrv
# The server setting specifies a Directory Server
# instance that you want to monitor. You must use one
# server setting for each Directory Server instance. The
# subagent requires at least one server setting to be
# specified. The server setting
# should be set to the name of the Directory Server
# instance you would like to monitor. For example:
#
# server slapd-phonebook
#
# To monitor multiple Directory Server instances, add
# an additional server parameter for each instance:
#
server slapd-MPLS-LOCAL
server slapd-PKI-IPA
# server slapd-phonebook
# server slapd-example
# server slapd-directory
[root@ipaserver ~]# ldap-agent /etc/dirsrv/config/ldap-agent.conf
/usr/sbin/ldap-agent: line 56: 17263 Segmentation fault ${dir}/${COMMAND} "$@"
NOTE: -D provides the same output
snmpd.conf has been minimally modified...
[root@ipaserver snmp]# diff snmpd.conf snmpd.conf.orig
55,57c55,56
< #view systemview included .1.3.6.1.2.1.1
< #view systemview included .1.3.6.1.2.1.25.1.1
< view systemview included .1
---
> view systemview included .1.3.6.1.2.1.1
> view systemview included .1.3.6.1.2.1.25.1.1
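Review bot: the replacement line "view systemview included .1" in this hunk widens systemview from the two subtrees it comments out (.1.3.6.1.2.1.1 and .1.3.6.1.2.1.25.1.1) to the entire OID tree, so every MIB the agent serves, not only the Directory Server one, becomes readable through whatever access rule references systemview. Keep the two original view lines and add one more "view systemview included" line for just the subtree the ldap-agent registers, rather than including .1.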
97,98d95
< ## enable agentx for 389
< master agentx
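Review bot: the added "master agentx" line is the only AgentX setting in this hunk, with no agentXSocket or agentXPerms line beside it, so the master socket's path and permissions are left to snmpd's defaults. Set agentXSocket explicitly to the path ldap-agent.conf uses (agentx-master /var/agentx/master) and use agentXPerms to limit which local accounts can connect as a subagent.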
Thanks,
Mike
11 years, 1 month
Re: [389-users] Problem sync groups with Active Directory
by Carsten Grzemba
AD 2003 uses the mssfu30 scheme, not the RFC scheme. Is the posix_winsync_plugin active? There is a config attribute to set for this old scheme.
On 18.10.12, Juan Asensio Sánchez <okelet(a)gmail.com> wrote:
> Hi
>
> Using 389DS 1.2.5 on CentOS 5.5 i385, I need to sync users and groups
> from 389DS to Active Directory (Windows Server 2003). On the 389DS side
> I have this:
>
> dn: cn=ALERGIAS_gestion,ou=Groups,o=XXXX,dc=XXXX,dc=es
> objectClass: groupOfNames
> objectClass: groupOfUniqueNames
> objectClass: ntGroup
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> objectClass: top
> cn: ALERGIAS_gestion
> gidNumber: 130541
> ntUserDomainId: ALERGIAS_gestion
> sambaGroupType: 2
> sambaSID: S-1-5-21-2896031208-2582234988-3810615631-261845
> description: Personal de D.GESTION de ALERGIAS del XXXX
> displayName: Personal de D.GESTION de ALERGIAS del XXXXX
> ntGroupCreateNewGroup: true
> ntGroupDeleteGroup: true
> ou: ou=ALERGIAS,ou=PERIFERICA,ou=D. GESTION,o=XXXX,dc=XXXX,dc=es
>
> Base DS subtree in the replication agreement is o=XXXX,dc=XXXX,dc=es,
> and Windows Subtree is "ou=XXXX,ou=LDAP,dc=pruebas,dc=local", so I had
> to create manually the OUs
> "ou=People,ou=XXXX,ou=LDAP,dc=pruebas,dc=local" and
> "ou=Groups,ou=XXXX,ou=LDAP,dc=pruebas,dc=local" (user sync works
> fine). When I try to sync data, doing a full re-synchronization from
> the console, I get this error when the server is going to sync the
> group:
>
>
> [18/Oct/2012:13:09:58 +0200] NSMMReplicationPlugin -
> agmt="cn=XXXXX-LDAPPruebas-WinAD" (grsgscvant01f6:636):
> windows_process_total_entry: Looking
> dn="cn=ALERGIAS_gestion,ou=Groups,o=XXXXX,dc=XXXXX,dc=es" (ours)
> [18/Oct/2012:13:09:58 +0200] NSMMReplicationPlugin -
> agmt="cn=XXXXX-LDAPPruebas-WinAD" (grsgscvant01f6:636):
> map_entry_dn_outbound: looking for AD entry for DS
> dn="cn=ALERGIAS_gestion,ou=Groups,o=XXXXX,dc=XXXXX,dc=es"
> guid="(null)"
> [18/Oct/2012:13:09:58 +0200] NSMMReplicationPlugin -
> agmt="cn=XXXXX-LDAPPruebas-WinAD" (grsgscvant01f6:636):
> map_entry_dn_outbound: looking for AD entry for DS
> dn="cn=ALERGIAS_gestion,ou=Groups,o=XXXXX,dc=XXXXX,dc=es"
> username="ALERGIAS_gestion"
> [18/Oct/2012:13:09:58 +0200] - Calling windows entry search request plugin
> [18/Oct/2012:13:09:58 +0200] - windows_search_entry: recieved 1
> messages, 0 entries, 0 references
> [18/Oct/2012:13:09:58 +0200] NSMMReplicationPlugin -
> agmt="cn=XXXXX-LDAPPruebas-WinAD" (grsgscvant01f6:636):
> map_entry_dn_outbound: entry not found - rc 0
> [18/Oct/2012:13:09:58 +0200] - Windows sync entry: Created new remote entry:
> dn: cn=ALERGIAS_gestion,ou=Groups,ou=XXXXX,ou=LdapPeople,dc=pruebas,dc=local
> objectClass: top
> objectClass: group
> sAMAccountName: ALERGIAS_gestion
> ou: ou=ALERGIAS,ou=PERIFERICA,ou=D. GESTION,o=XXXXX,dc=XXXXX,dc=es
> description: Personal de D.GESTION de ALERGIAS del XXXXX
>
> [18/Oct/2012:13:09:58 +0200] - Attempting to add entry
> cn=ALERGIAS_gestion,ou=Groups,ou=XXXXX,ou=LdapPeople,dc=pruebas,dc=local
> to AD for local entry
> cn=ALERGIAS_gestion,ou=Groups,o=XXXXX,dc=XXXXX,dc=es
> [18/Oct/2012:13:09:58 +0200] NSMMReplicationPlugin -
> agmt="cn=XXXXX-LDAPPruebas-WinAD" (grsgscvant01f6:636): Received
> result code 65 (0000207D: UpdErr: DSID-03150F9C, problem 6002
> (OBJ_CLASS_VIOLATION), data 0 ) for add operation
> [18/Oct/2012:13:09:58 +0200] NSMMReplicationPlugin -
> agmt="cn=XXXXX-LDAPPruebas-WinAD" (grsgscvant01f6:636):
> windows_replay_update: Cannot replay add operation.
> [18/Oct/2012:13:09:58 +0200] NSMMReplicationPlugin -
> agmt="cn=XXXXX-LDAPPruebas-WinAD" (grsgscvant01f6:636): Beginning
> linger on the connection
> [18/Oct/2012:13:09:58 +0200] NSMMReplicationPlugin -
> agmt="cn=XXXXX-LDAPPruebas-WinAD" (grsgscvant01f6:636):
> windows_tot_run: failed to obtain data to send to the consumer; LDAP
> error - 1
>
> It looks like it is trying to create a group (objectClass group), but with
> user attributes (sAMAccountName)... Any idea? Is the source group badly
> created?
>
> Regards and thanks in advance.
--
Carsten Grzemba
11 years, 1 month
Test Email
by Chaudhari, Rohit K.
Hello users group,
This is a test email by me to see that any questions I have regarding 389 get out to the community correctly. Please send me a reply (I only need one) so I know I am able to correctly post here.
Thanks.
11 years, 1 month
ldappasswd
by upen
Hi,
On my system there are two ldappasswd commands. One is in /usr/bin
(provided by: openldap-clients-2.3) and another is in
/usr/lib64/mozldap/ldappasswd (provided by mozldap-tools-6.0.5) .
Could someone please help me understand why there are two? If I run
ldd against them, they are using different shared libraries.
#ldd `which ldappasswd `
linux-vdso.so.1 => (0x00007fff8ddc3000)
libldap-2.3.so.0 => /usr/lib64/libldap-2.3.so.0 (0x0000003356800000)
liblber-2.3.so.0 => /usr/lib64/liblber-2.3.so.0 (0x0000003355800000)
libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x0000003356400000)
libssl.so.6 => /lib64/libssl.so.6 (0x000000335b800000)
libcrypto.so.6 => /lib64/libcrypto.so.6 (0x0000003358800000)
libcrypt.so.1 => /lib64/libcrypt.so.1 (0x0000003355400000)
libresolv.so.2 => /lib64/libresolv.so.2 (0x0000003355c00000)
libc.so.6 => /lib64/libc.so.6 (0x0000003353400000)
libdl.so.2 => /lib64/libdl.so.2 (0x0000003353800000)
libgssapi_krb5.so.2 => /usr/lib64/libgssapi_krb5.so.2 (0x000000335b000000)
libkrb5.so.3 => /usr/lib64/libkrb5.so.3 (0x0000003359000000)
libcom_err.so.2 => /lib64/libcom_err.so.2 (0x0000003358400000)
libk5crypto.so.3 => /usr/lib64/libk5crypto.so.3 (0x000000335a000000)
libz.so.1 => /lib64/libz.so.1 (0x0000003354400000)
/lib64/ld-linux-x86-64.so.2 (0x0000003353000000)
libkrb5support.so.0 => /usr/lib64/libkrb5support.so.0 (0x0000003359c00000)
libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x0000003359400000)
libselinux.so.1 => /lib64/libselinux.so.1 (0x0000003354c00000)
libsepol.so.1 => /lib64/libsepol.so.1 (0x0000003355000000)
# ldd /usr/lib64/mozldap/ldappasswd
linux-vdso.so.1 => (0x00007fffc8bfd000)
libssldap60.so => /usr/lib64/libssldap60.so (0x00002ad042453000)
libprldap60.so => /usr/lib64/libprldap60.so (0x0000003358000000)
libldap60.so => /usr/lib64/libldap60.so (0x000000335a400000)
libldif60.so => /usr/lib64/libldif60.so (0x000000335b000000)
libsvrcore.so.0 => /usr/lib64/libsvrcore.so.0 (0x0000003354800000)
libssl3.so => /usr/lib64/libssl3.so (0x000000335a800000)
libsmime3.so => /usr/lib64/libsmime3.so (0x0000003358c00000)
libnss3.so => /usr/lib64/libnss3.so (0x0000003357c00000)
libsoftokn3.so => /usr/lib64/libsoftokn3.so (0x00002ad042661000)
libplds4.so => /usr/lib64/libplds4.so (0x0000003357800000)
libplc4.so => /usr/lib64/libplc4.so (0x0000003357000000)
libnspr4.so => /usr/lib64/libnspr4.so (0x0000003357400000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x0000003353c00000)
libdl.so.2 => /lib64/libdl.so.2 (0x0000003353800000)
libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x0000003356400000)
libresolv.so.2 => /lib64/libresolv.so.2 (0x0000003355c00000)
libstdc++.so.6 => /usr/lib64/libstdc++.so.6 (0x0000003356800000)
libm.so.6 => /lib64/libm.so.6 (0x0000003354000000)
libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x0000003355800000)
libc.so.6 => /lib64/libc.so.6 (0x0000003353400000)
libnssutil3.so => /usr/lib64/libnssutil3.so (0x0000003356c00000)
libz.so.1 => /lib64/libz.so.1 (0x0000003354400000)
/lib64/ld-linux-x86-64.so.2 (0x0000003353000000)
libcrypt.so.1 => /lib64/libcrypt.so.1 (0x0000003355400000)
When should each be used? Do these serve separate purposes?
The OS is RHEL 5.7, running 389-ds-1.2.1-1.
Any help is appreciated. Thank you.
UG
11 years, 1 month
New Debian install
by Geordie
Good Day
I have been having a few issues trying to get this to work. On the
latest setup this is the output received from /usr/sbin/setup-ds-admin
I have checked the apache2 mpm prefork
with /etc/dirsrv/admin-serv/httpd.conf There was not much difference. I
tried changing the values in /etc/dirsrv/admin-serv/httpd.conf but that
had little effect and produced the same errors.
I am not sure where to send Debian issues. If I am in the wrong spot,
please let me know.
OS Debian sid/testing
[12/10/10:20:40:47] - [Setup] Info Are you ready to set up your servers?
[12/10/10:20:40:48] - [Setup] Info yes
[12/10/10:20:40:48] - [Setup] Info Creating directory server . . .
[12/10/10:20:40:58] - [Setup] Info Your new DS instance 'SatelliteA40' was successfully created.
[12/10/10:20:40:58] - [Setup] Info Creating the configuration directory server . . .
[12/10/10:20:41:04] - [Setup] Info Beginning Admin Server creation . . .
[12/10/10:20:41:04] - [Setup] Info Creating Admin Server files and directories . . .
[12/10/10:20:41:05] - [Setup] Info Updating adm.conf . . .
[12/10/10:20:41:05] - [Setup] Info Updating admpw . . .
[12/10/10:20:41:05] - [Setup] Info Registering admin server with the configuration directory server . . .
[12/10/10:20:41:07] - [Setup] Info Updating adm.conf with information from configuration directory server . . .
[12/10/10:20:41:07] - [Setup] Info Updating the configuration for the httpd engine . . .
[12/10/10:20:41:07] - [Setup] Info Starting admin server . . .
[12/10/10:20:41:18] - [Setup] Info output: [Wed Oct 10 20:41:07 2012] [notice] Not using a threaded server. The Admin Server authorization ca$
[12/10/10:20:41:18] - [Setup] Info output: WARNING: MaxClients of 64 exceeds ServerLimit value of 1 servers,
[12/10/10:20:41:18] - [Setup] Info output: lowering MaxClients to 1. To increase, please see the ServerLimit
[12/10/10:20:41:18] - [Setup] Info output: directive.
[12/10/10:20:41:18] - [Setup] Info output: Syntax error on line 105 of /etc/dirsrv/admin-serv/httpd.conf:
[12/10/10:20:41:18] - [Setup] Info output: Invalid command 'MinSpareThreads', perhaps misspelled or defined by a module not included in the se$
[12/10/10:20:41:18] - [Setup] Info output: httpd (pid 2779) already running
[12/10/10:20:41:18] - [Setup] Info output: Server failed to start !!! Please check errors log for problems
[12/10/10:20:41:18] - [Setup] Fatal Failed to create and configure the admin server
[12/10/10:20:41:18] - [Setup] Fatal Exiting . . . Log file is '/tmp/setup54sYOQ.log'
apt-cache policy 389-ds
389-ds:
Installed: 1.2.11.15-1
Candidate: 1.2.11.15-1
Version table:
*** 1.2.11.15-1 0
500 http://debian.yorku.ca/debian/ unstable/main i386 Packages
100 /var/lib/dpkg/status
apt-cache policy apache2-mpm-prefork
apache2-mpm-prefork:
Installed: 2.2.22-11
Candidate: 2.2.22-11
Version table:
*** 2.2.22-11 0
500 http://debian.yorku.ca/debian/ unstable/main i386 Packages
100 /var/lib/dpkg/status
11 years, 1 month