Problem browsing LDAP with Outlook
by Chris Bryant
When configuring Microsoft Outlook (not Outlook Express) to access an LDAP directory, there is an option to 'Enable Browsing (requires server support)'. If this option is chosen and the directory server supports it, then you should be able to open the LDAP address book and page up and down through the results. I have been unable to get this working properly with 389 DS.
When I try to browse from Outlook against the 389 DS directory, I am able to see the first page of results perfectly. However, if I move to the next page, only the first object returned will have any attributes included, and all of the rest of the objects in the page will have no attributes. I have a test perl script that duplicates this functionality as well.
I can get this to work properly with an older version of Netscape Directory Server, and I can get it working with OpenDS. Since 389 DS advertises support for the controls that are required for this to work, just like the other two servers, then I would expect it to work there also.
Has anyone out there gotten this to work with 389 DS? If so, can you share if there was anything special that you needed to do to get this to work? I'm trying to determine if this is a bug in the server, or if I'm just missing something in the configuration.
Thanks,
Chris
USA.NET
You Run Your Business. We'll Run Your Email.
This message is for the sole use of the intended recipient(s) and may contain confidential and/or privileged information of USA.NET, Inc. Any unauthorized review, use, copying, disclosure, or distribution is prohibited. If you are not the intended recipient, please immediately contact the sender by reply email and delete all copies of the original message.
3 years, 3 months
Strange problem with 389 console
by Brian Bresina
Account activation and inactivation no longer seems to be working with my 389 console
system. Unfortunately, there are several people with admin rights to the ldap servers so I
am unsure if someone might have messed the server up. Currently, I can select inactivate
for an account and I will get back a box showing no errors. If I look at the account
however, only the nsmangeddisalble role and nsdisabled roles have been set. The
nsaccountlock is never added to the account. Also, if you right click on the account the
activate is always greyed out. I can manually add the nsaccountlock attribute and set it
to true. If I do this, the activate will appear when I right click on the account but when
I activate it only the roles will be removed, the nsaccountlock attribute is still in
place. Also I have noticed that there are two entries for some of the attributes if I go
to add them to an account, nsaccount lock is one of them. Sadly, this is running in a
production system, so I really need to have a way for other SAs to lock out accounts for
users that are no longer on the system with having them added attributes for each account.
Anyone know what might be going on here? Thanks.
--
"I am not completely worthless, I can always serve as a bad example."
11 years, 8 months
Possible problems on 1.2.10-0.6.a6.fc15.x86_64
by Edward Z. Yang
Hello folks,
We recently updated our dirsrv instances to 1.2.10-0.6.a6.fc15.x86_64,
and had it crash repeatedly one of our more loaded servers. We haven't
debugged in depth but were curious whether or not anyone else had seen
this problem. There were no error logs, but we weren't add loglevel
debug.
Edward
11 years, 8 months
CMP operations against pwdPolicySubentry hanging
by Iain Morgan
Hello,
On a fairly frequent basis, one of my 389 DS servers hangs after certain
CMP operations. Once this happens, the server cannot be shutdown
gracefully. This has been going on for several weeks, and I have not yet
found a solution.
My setup consists of two systems running RHEL 6.2 with 389 DS 1.2.9.16.
Multimaster replication is enabled between the two servers, but the
client systems (currently just two test systems) preferrentially use the
same server, ServerA. The second server, ServerB, is the one which is
experiencing the problem.
We are using class-of-service entries to to set the values for the
shadowMax, shadowMin, and shadowWarning attributes. And we are
conditionally setting a pwdPolicySubentry attribute for some entries in
the same manner.
If I execute an ldapcompare command, such as the following:
# ldapcompare uid=imorgan,ou=People,dc=example,dc=com \
pwdpolicysubentry:"cn=Special Policy,ou=Policies,dc=example,dc=com"
the command will occassionally hang. Most of the time, the command
succeeds and indicates that the attribute is not defined for that entry.
However, once or twice a day it will simply hang.
The access log shows that the CMP request was received, but no result is
logged. After this occurs, the server will not shut down gracefully. The
init script fails to shut down the server and I end up having to send a
SIGKILL to ns-slapd.
The error log does not report any issues.
CMP operations against other attributes, such as loginShell, do not seem
to exhibit this problem. Also, the problem does not occur on ServerA;
only on ServerB. Once the CMP operation has hung, comparisons against
other attributes, even shadowMax, continue to work.
As noted above, most of the time the CMP operation returns normally.
However, if I reinitialize ServerB from ServerA, the problem occurs with
the first CMP operation against ServerB.
Both servers have the same set of RPMs and the dse.ldif on both systems
do not have any significant differences.
Has anyone seen a similar issue? Any suggestions on how to debug of fix
this?
A somewhat simplified and redacted version of the class-of-service
configuration is listed below.
Thanks
--
Iain Morgan
dn: cn=Account Templates,ou=People,dc=example,dc=com
objectClass: top
objectClass: nsContainer
cn: Account Templates
dn: cn="cn=User Account,ou=People,dc=example,dc=com",
cn=Account Templates,ou=People,dc=example,dc=com
objectClass: top
objectClass: ldapSubEntry
objectClass: extensibleObject
objectClass: cosTemplate
cn: cn=User Account,ou=People,dc=example,dc=com
cosPriority: 10
shadowMin: 1
shadowMax: 60
shadowWarning: 7
dn: cn=User Account CoS,ou=People,dc=example,dc=com
objectClass: top
objectClass: ldapSubentry
objectClass: cosSuperDefinition
objectClass: cosPointerDefinition
cn: User Account CoS
cosTemplateDN: cn="cn=User Account,ou=People,dc=example,dc=com",
cn=Account Templates,ou=People,dc=example,dc=com
cosAttribute: shadowMin default
cosAttribute: shadowMax default
cosAttribute: shadowWarning default
dn: cn="cn=Special Account,ou=People,dc=example,dc=com",
cn=Account Templates,ou=People,dc=example,dc=com
objectClass: top
objectClass: ldapSubEntry
objectClass: extensibleObject
objectClass: cosTemplate
cn: cn=Special Account,ou=People,dc=example,dc=com
cosPriority: 5
pwdPolicySubentry: cn=Special Policy,ou=Policies,dc=example,dc=com
shadowMin: 1
shadowMax: 60
shadowWarning: 7
dn: cn=Special Account,ou=People,dc=example,dc=com
objectClass: top
objectClass: ldapSubentry
objectClass: nsRoleDefinition
objectClass: nsComplexRoleDefinition
objectClass: nsFilteredRoleDefinition
cn: Special Account
nsRoleFilter: (&(objectClass=shadowAccount)(gidNumber=1000))
dn: cn=Account CoS,ou=People,dc=example,dc=com
objectClass: top
objectClass: ldapSubentry
objectClass: cosSuperDefinition
objectClass: cosClassicDefinition
cn: Account CoS
cosTemplateDN: cn=Account Templates,ou=People,dc=example,dc=com
cosSpecifier: nsRole
cosAttribute: pwdPolicySubentry default operational
cosAttribute: shadowMin default
cosAttribute: shadowMax default
cosAttribute: shadowWarning default
--
Iain Morgan
11 years, 8 months
Setting limits per DN
by Michael Gettes
My global time limit is 3600. global idle timeout is 0. global size limit
is 500. global lookthroughlimit is 5000.
on my DN I have established nsidletimeout, nssizelimit, nslookthroughlimit
and nstimelimit as -1.
i verify in the logs i am properly binding as my DN.
i am getting the following result:
RESULT err=3 tag=101 nentries=101 etime=121 notes=U
what am i missing? i am hoping it's something stupid. Yes, I am trying to
perform a search resulting in scanning the directory intentionally.
/mrg
11 years, 9 months
EL5 Install instructions broken?
by Michael Gettes
Hi All,
I am following the instructions on http://port389.org/wiki/Download for EL5
(towards the bottom) and it would appear the URLs are bad. There appears
to be no port389.org/yum/blah. I need to use EL5 - going to EL6 not yet an
option. Has anyone gotten this to work? Pointers appreciated.
# yum install 389-ds
Loaded plugins: katello, product-id, rhnplugin, security,
subscription-manager
Updating certificate-based repositories.
Unable to read consumer identity
http://port389.org/yum/dirsrv/fedora/6/x86_64/RPMS/repodata/repomd.xml:
[Errno 14] HTTP Error 404: Not Found
Trying other mirror.
Error: Cannot retrieve repository metadata (repomd.xml) for repository:
dirsrv. Please verify its path and try again
Thanks
/mrg
11 years, 9 months
ACL Console
by Argentin Andrea Luigi
Hello,
can someone help me please about that?
Thanks
________________________________
Hello All,
I would like to profile ACLs in order to let some users manage their own OU via Console.
Example:
-OUone | USERone, USERtwo, USERthree
-OUtwo | USERfour, USERfive
-OUthree | USERsix, USERseven, USEReight
In every OU I have many users, but I would like to give console access to one user x OU and let them manage their own OU without list and manage the other OUs.
USERone can add or remove users ONLY for OUone
USERfour can add or remove users ONLY for OUtwo
USERsix can add or remove users ONLY for OUthree
Thanks!!
Andrea
________________________________
--
The information transmitted is intended for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer.
11 years, 9 months
389-console
by Ldap Tester
I have been running 2 masters for a number of years now. The packages I
have installed currently are:
389-admin-1.1.23-1.fc16.x86_64
389-admin-console-1.1.8-2.fc16.noarch
389-admin-console-doc-1.1.8-2.fc16.noarch
389-adminutil-1.1.14-1.fc16.x86_64
389-console-1.1.7-1.fc16.noarch
389-ds-1.2.2-1.fc15.noarch
389-ds-base-1.2.10.2-1.fc16.x86_64
389-ds-base-devel-1.2.10.2-1.fc16.x86_64
389-ds-base-libs-1.2.10.2-1.fc16.x86_64
389-ds-console-1.2.6-1.fc16.noarch
389-ds-console-doc-1.2.6-1.fc16.noarch
389-dsgw-1.1.7-2.fc16.x86_64
The directory service itself has been and is now running fine on both
masters. I haven't used 389-console in some time (like seven months). I
am able to run 389-console just fine now on one of the masters, but I have
a problem on the other master. When I log in I get the error:
Cannot connect to the directory server:
netscape.ldap.LDAPException: error result (32): No such object
I know it's not a password problem. I am very sure of the password, and in
fact, if I type in something else for the password, I get a different
message:
Cannot logon because of an incorrect User ID,
Incorrect password or Directory problem.
HttpException:
Response: HTTP/1.1 401 Authorization Required
Status: 401
URL: http://XXXX.org:PPPPP/admin-serv/authenticate
I also note that when I do "service dirsrv-admin start", in
/var/log/dirsrv/admin-serv/error, I see the unnerving message:
[crit] populate_tasks_from_server(): Unable to search [cn=admin-serv-XXXX,
cn=389 Administration Server, cn=Server Group, cn=XXXX.org, ou=org,
o=NetscapeRoot] for LDAPConnection [XXXX.org:389]
What can I do to run 389-console again?
11 years, 9 months
htmladmin segfaults
by Timo Aaltonen
Hi
I'm testing 389 on Ubuntu, but currently being blocked by the admin
server cgi-bin/htmladmin segfaulting after logging in as admin from the
web gui:
[89394.801974] htmladmin[18156]: segfault at 35 ip 0000000000403a26 sp
00007fffaca24840 error 4 in htmladmin[400000+7000]
I'm running the latest versions on the current development release. How
to debug the segfault? Is it possible to give arguments to the binary
from the commandline?
--
t
11 years, 9 months
