Problem browsing LDAP with Outlook
by Chris Bryant
When configuring Microsoft Outlook (not Outlook Express) to access an LDAP directory, there is an option to 'Enable Browsing (requires server support)'. If this option is chosen and the directory server supports it, then you should be able to open the LDAP address book and page up and down through the results. I have been unable to get this working properly with 389 DS.
When I try to browse from Outlook against the 389 DS directory, I am able to see the first page of results perfectly. However, if I move to the next page, only the first object returned will have any attributes included, and all of the rest of the objects in the page will have no attributes. I have a test perl script that duplicates this functionality as well.
I can get this to work properly with an older version of Netscape Directory Server, and I can get it working with OpenDS. Since 389 DS advertises support for the controls that are required for this to work, just like the other two servers, then I would expect it to work there also.
Has anyone out there gotten this to work with 389 DS? If so, can you share if there was anything special that you needed to do to get this to work? I'm trying to determine if this is a bug in the server, or if I'm just missing something in the configuration.
Thanks,
Chris
USA.NET
3 years, 3 months
389 vs Sun DS ldapmodify performance
by Russell Beall
Does anybody have a pointer to any performance comparisons between Sun DS and 389?
I was extremely happy with the performance boost using 389 on a Linux VM which is 5-8 times faster for ldapsearch operations than the older Sun machines with Sun DS 6.3.
In testing one of our most important use cases just now, I find that the ldapmodify speed is many, many times slower. This doesn't make much sense, so I think I'm doing something wrong or have something misconfigured.
Earlier I improved the write performance by using large db cache sizes and moving the nsslapd-db-home-directory to tmpfs. Now most modify operations have very little I/O wait except when occasionally flushing the index files and such, and yet, there is a CPU pegged for very long periods of time, orders of magnitude higher than on Sun DS.
Is there any documentation on ldapmodify performance that I could review? Google searching seems eerily silent on the issue… (which also leads me to believe I have something misconfigured if nobody has been asking about the issue…)
The particular use case I am working with involves replacing large quantities of uniqueMember values on entries in ou=groups.
Thanks,
Russ.
==============================
Russell Beall
Programmer Analyst IV
Enterprise Identity Management
University of Southern California
beall(a)usc.edu
==============================
11 years, 6 months
Several questions
by Moisés Barba Pérez
Hi,
I have several questions about syntax and attributes, hope you can help me.
- Why is the mail attribute in DS case sensitive? Is there any problem
changing it to non case sensitive? If there is no problem, how can I modify
it?
- I have a problem with the syntax of the nsViewFilter attribute; the value
of the attribute is: (ou=*ou=D. PERIÓDICO,o=xxxxx,dc=xxxx,dc=xxxx). I guess
the problem is the character "Ó", but if it is possible to create the ou
with special characters, it should be possible to create a nsViewFilter with
special characters too? (389DS 1.2.5)
- I have read about the attribute nsslapd-allidsthreshold and its use in
older versions. I have 389DS 1.2.5; do I have to use it, or is it deprecated?
I have searched for this parameter on my LDAP servers and some have it and
others don't; maybe this behaviour is because of updates of the DS,
but I would like to know if in 1.2.5 it is needed or if I can delete it.
Thank you in advance.
Moses.
11 years, 7 months
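The second question above is about a filter value that contains a non-ASCII character. RFC 4515 requires that NUL, "(", ")", "*" and "\" inside an assertion value be written as a backslash and two hex digits, and allows any other octet (including every byte of a UTF-8 multibyte character) to be escaped the same way. The following added example, which is not code from the post or from 389 DS, builds a filter of the same shape as the poster's nsViewFilter with "Ó" escaped as its UTF-8 octets and shows the round trip back to text; the suffix o=example,dc=example,dc=com is a constructed placeholder.

```python
# Added example (not code from the original post or from 389 DS): encoding a
# non-ASCII assertion value for an LDAP search filter as RFC 4515 allows,
# so that a filter such as (ou=*ou=D. PERIÓDICO,...) is sent as pure ASCII
# with every non-ASCII UTF-8 octet written as \XX.  The suffix used in the
# demo is a constructed placeholder, not the poster's real DIT.
import re

# Octets that RFC 4515 requires to be escaped inside an assertion value:
# NUL, '(', ')', '*' and '\'.
_MUST_ESCAPE = {0x00, 0x28, 0x29, 0x2A, 0x5C}

_HEX_ESCAPE_RE = re.compile(rb"\\([0-9A-Fa-f]{2})")


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP filter.

    The value is encoded as UTF-8 first.  The five special octets are always
    written as a backslash and two hex digits; octets above 0x7F (every byte
    of a non-ASCII character, e.g. 'Ó' = U+00D3 -> C3 93) are escaped the
    same way, which RFC 4515 permits and which keeps the filter pure ASCII
    even when a tool or terminal in the path is not UTF-8 clean.
    """
    out = []
    for octet in value.encode("utf-8"):
        if octet in _MUST_ESCAPE or octet > 0x7F:
            out.append("\\%02x" % octet)
        else:
            out.append(chr(octet))
    return "".join(out)


def unescape_filter_value(escaped: str) -> str:
    """Inverse of escape_filter_value: turn \\XX escapes back into octets,
    then decode the result as UTF-8."""
    raw = _HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]),
                             escaped.encode("utf-8"))
    return raw.decode("utf-8")


def build_view_filter(ou_value: str, parent_dn: str) -> str:
    """Build a filter of the same shape as the nsViewFilter in the post:
    (ou=*ou=<value>,<parent>).  The leading '*' is a real wildcard, so it is
    added after escaping; a '*' inside ou_value would be escaped as \\2a."""
    return "(ou=*%s)" % escape_filter_value("ou=%s,%s" % (ou_value, parent_dn))


if __name__ == "__main__":
    # Constructed demo values.
    f = build_view_filter("D. PERIÓDICO", "o=example,dc=example,dc=com")
    print(f)
    print(unescape_filter_value(f))
```

The escaped form is what goes on the wire (and into an LDIF that is not declared as UTF-8); a server that stores the ou value as UTF-8 will match it, because the escape sequence decodes to exactly the same octets.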
Uniqueness Attribute for specific objects in a specific subtree
by John A. Sullivan III
Hello, all. We would like to enforce unique cn for groupofuniquenames
only and only under a specific part of the DIT.
I'll illustrate with:
O=Internal,DC=mycompany,DC=com
O=External,DC=mycompany,DC=com
So we want to enforce unique CNs on groups under Internal but not under
External and only CNs on groups (because our current DN based uniqueness
constraint on CN means we can't create multiple password policy
nscontainer objects under Internal).
If we set nsslapd-pluginarg1 to
"O=Internal,DC=mycompany,DC=com", we enforce uniqueness in that
container but for all objects.
Although we haven't tried it (lest we create a bigger problem than we
already have!), I believe if we set nsslapd-pluginarg1 to
markerObjectClass=O and nsslapd-pluginarg2 to
requiredObjectClass=groupofuniquenames, it will enforce CN uniqueness on
groups but will do so both in Internal AND External. Is that correct?
So is it possible to combine them somehow to achieve what we want?
Thanks - John
11 years, 7 months
IP clause in ACI attributes
by Iain Morgan
Hello,
I'm attempting to use an IP clause in an ACI attribute to restrict
privileges for a particular DN to connections from a particular host.
The ACI attribute is successfully added by ldapmodify, but does not
work. As a workaround, I had to use a DNS clause instead, but this is
not desirable from either a performance or a security perspective.
The access log shows the connection coming from the expected IPv4
address, but when I enabled the appropriate debugging level I found that
the server was complaining about an IPv6 address.
It looks like the server is getting an address in the v4-in-v6 format
and since the ACLs do not support IPv6, the particular ACL fails.
Unfortunately, I seem to be at a loss to force the system to return IPv4
addresses. Any suggestions?
The system is running RHEL 6 with 389 DS 1.2.10.4.
/etc/modprobe.d/ipv6.conf has already been configured to disable IPv6
support.
Thanks
--
Iain Morgan
11 years, 7 months
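The failure described above comes from the peer address being presented in IPv4-mapped IPv6 form (::ffff:a.b.c.d) to an ACL evaluator that only understands IPv4. The following added example, not code from the post or from 389 DS, shows in Python why a textual or IPv4-only comparison misses such a peer, and how normalizing the mapped address back to IPv4 before matching against an allow-list fixes the comparison. All addresses and rules are constructed.

```python
# Added example (not code from the original post or from 389 DS): why an
# IPv4-only address comparison fails when the server sees the peer as an
# IPv4-mapped IPv6 address (::ffff:a.b.c.d), and how to normalize the
# address before matching it against an allow-list.  Every address and rule
# below is constructed for illustration.
import ipaddress
from typing import Iterable, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def is_v4_mapped(addr: str) -> bool:
    """True for ::ffff:a.b.c.d forms, the 'v4-in-v6' case from the post."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 6 and ip.ipv4_mapped is not None


def normalize_client_ip(addr: str) -> Address:
    """Parse a peer address; if it is IPv4-mapped, return the embedded IPv4
    address so that IPv4 rules can match it.  Other addresses pass through."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def naive_ip_match(client_addr: str, allowed: Iterable[str]) -> bool:
    """Plain string comparison against IPv4 rule strings.  This is the kind of
    check that fails in the scenario above: '::ffff:192.0.2.10' is never
    equal to '192.0.2.10' as text."""
    return client_addr in set(allowed)


def ip_rule_matches(client_addr: str, allowed: Iterable[str]) -> bool:
    """Normalize the peer, then match it against single addresses or CIDR
    blocks of the same IP version.  Rules of the other version are skipped
    rather than raising, so an IPv6 peer simply fails an IPv4-only list."""
    client = normalize_client_ip(client_addr)
    for rule in allowed:
        net = ipaddress.ip_network(rule, strict=False)
        if net.version == client.version and client in net:
            return True
    return False


if __name__ == "__main__":
    rules = ["192.0.2.10", "198.51.100.0/24"]  # constructed allow-list
    for peer in ["192.0.2.10", "::ffff:192.0.2.10",
                 "::ffff:198.51.100.7", "2001:db8::1"]:
        print("%-22s mapped=%-5s naive=%-5s normalized=%s" % (
            peer, is_v4_mapped(peer), naive_ip_match(peer, rules),
            ip_rule_matches(peer, rules)))
```

The practical consequence for an ACI with an ip clause is that the address the server evaluates must be in the form the clause grammar understands; when the listener is a dual-stack socket, a mapped address reaches the ACL in the IPv6 form, which is exactly what the debug output above showed.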
how to keep in sync centos-ds in a dr scenario
by Maurizio Marini
I have a disaster recovery scenario:
on a remote location I have the same servers with the same hostnames and the
same IPs, exactly all the same.
Nightly I use rsync to keep all the servers in sync.
One of these servers is a CentOS5 with centos-ds and samba as PDC.
I cannot use replication between current and DR, as the 2 servers have the same IP
and hostname.
I am using ldif2db to import the nightly ldif backup:
/usr/lib/dirsrv/slapd-centos-ds/ldif2db -n userRoot -i /tmp/backup-yyddmm.ldif
It seems to work; it's dirty, but it does work.
Do you see any side-effects? Do you have any suggestions?
-m
11 years, 7 months
management console authentication error
by Mark Reynolds
Hi Herb,
I wanted to see the logs from the server that wasn't working. According
to these logs everything is fine. So, you can log into the console for
master A, but not master B. Most likely there is no configuration
instance/admin server set up. There are a few options. One, you could
register master B in the master A console (using the Create New
Administration Domain feature), and just use that console to manage both
servers. Two, set up a new config instance on the master B machine, and
use a separate console.
Option one is definitely the best option. You can still use the console
GUI on master B if you want to, but point it to master A in the
administration URL.
Here are some links to some useful documents on this:
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.0/html/Insta...
http://www.google.com/url?sa=t&rct=j&q=red%20hat%20directory%20server%20r...
Let me know if you have any questions.
Mark
On 04/23/2012 07:48 PM, Herb Burnswell wrote:
> Hey Mark,
>
> Well, to back up a bit, of the dual masters' (A & B) only A has been
> running consistently for many years. That is why I needed to do a
> re-initialization of B. The re-initialization was done at the
> 'my_suffix' level and not NetscapeRoot.
>
> I assumed that the config data would be running on both dual masters.
> Maybe I am incorrect?
>
> access from Master A for 'admin' bind:
>
> [23/Apr/2012:16:07:50 -0700] conn=2575 fd=71 slot=71 connection from
> 10.10.10.24 to 10.10.10.24
> [23/Apr/2012:16:07:50 -0700] conn=2575 op=0 BIND dn="uid=admin,
> ou=Administrators, ou=TopologyManagement, o=NetscapeRoot" method=128
> version=3
> [23/Apr/2012:16:07:50 -0700] conn=2575 op=0 RESULT err=0 tag=97
> nentries=0 etime=0
> dn="uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
> [23/Apr/2012:16:07:50 -0700] conn=2575 op=1 SRCH base="cn=statusping,
> cn=operation, cn=tasks, cn=admin-serv-masterA, cn=fedora
> administration server, cn=server group, cn=masterA.sub.domain.biz
> <http://masterA.sub.domain.biz>, ou=sub.domain.biz
> <http://sub.domain.biz>, o=netscaperoot" scope=0
> filter="(nsExecRef=*)" attrs="nsExecRef nsLogSuppress"
> [23/Apr/2012:16:07:50 -0700] conn=2575 op=1 RESULT err=0 tag=101
> nentries=1 etime=0
> [23/Apr/2012:16:07:50 -0700] conn=2575 op=2 SRCH
> base="cn=admin-serv-masterA, cn=Fedora Administration Server,
> cn=Server Group, cn=masterA.sub.domain.biz
> <http://masterA.sub.domain.biz>, ou=sub.domain.biz
> <http://sub.domain.biz>, o=NetscapeRoot" scope=2
> filter="(nsExecRef=*)" attrs="nsExecRef nsLogSuppress"
> [23/Apr/2012:16:07:50 -0700] conn=2575 op=2 RESULT err=0 tag=101
> nentries=24 etime=0
> [23/Apr/2012:16:07:50 -0700] conn=2575 op=3 SRCH
> base="cn=slapd-masterA, cn=Fedora Directory Server, cn=Server Group,
> cn=masterA.sub.domain.biz <http://masterA.sub.domain.biz>,
> ou=sub.domain.biz <http://sub.domain.biz>, o=NetscapeRoot" scope=2
> filter="(nsExecRef=*)" attrs="nsExecRef nsLogSuppress"
> [23/Apr/2012:16:07:50 -0700] conn=2575 op=3 RESULT err=0 tag=101
> nentries=13 etime=0
> [23/Apr/2012:16:07:50 -0700] conn=2575 op=4 SRCH base="cn=Fedora
> Directory Server, cn=Server Group, cn=masterA.sub.domain.biz
> <http://masterA.sub.domain.biz>, ou=sub.domain.biz
> <http://sub.domain.biz>, o=NetscapeRoot" scope=2
> filter="(nsExecRef=*)" attrs="nsExecRef nsLogSuppress"
> [23/Apr/2012:16:07:50 -0700] conn=2575 op=4 RESULT err=0 tag=101
> nentries=17 etime=0
> [23/Apr/2012:16:07:50 -0700] conn=2575 op=5 SRCH base="cn=Fedora
> Administration Server, cn=Server Group, cn=masterA.sub.domain.biz
> <http://masterA.sub.domain.biz>, ou=sub.domain.biz
> <http://sub.domain.biz>, o=NetscapeRoot" scope=2
> filter="(nsExecRef=*)" attrs="nsExecRef nsLogSuppress"
> [23/Apr/2012:16:07:50 -0700] conn=2575 op=5 RESULT err=0 tag=101
> nentries=24 etime=0
> [23/Apr/2012:16:07:50 -0700] conn=2575 op=6 UNBIND
> [23/Apr/2012:16:07:50 -0700] conn=2575 op=6 fd=71 closed - U1
>
>
> access from master A for 'cn=Directory Manager' bind:
>
> [23/Apr/2012:16:37:36 -0700] conn=2594 fd=68 slot=68 connection from
> 10.10.10.24 to 10.10.10.24
> [23/Apr/2012:16:37:36 -0700] conn=2594 op=0 BIND
> dn="cn=admin-serv-masterA, cn=Fedora Administration Server, cn=Server
> Group, cn=masterA.sub.domain.biz <http://masterA.sub.domain.biz>,
> ou=sub.domain.biz <http://sub.domain.biz>, o=NetscapeRoot" method=128
> version=3
> [23/Apr/2012:16:37:36 -0700] conn=2594 op=0 RESULT err=0 tag=97
> nentries=0 etime=0 dn="cn=admin-serv-masterA,cn=fedora administration
> server,cn=server group,cn=masterA.sub.domain.biz
> <http://masterA.sub.domain.biz>,ou=sub.domain.biz
> <http://sub.domain.biz>,o=netscaperoot"
> [23/Apr/2012:16:37:36 -0700] conn=2594 op=1 BIND dn="cn=Directory
> Manager" method=128 version=3
> [23/Apr/2012:16:37:36 -0700] conn=2594 op=1 RESULT err=0 tag=97
> nentries=0 etime=0 dn="cn=directory manager"
> [23/Apr/2012:16:37:36 -0700] conn=2594 op=2 UNBIND
> [23/Apr/2012:16:37:36 -0700] conn=2594 op=2 fd=68 closed - U1
>
>
> These are from master A where logging in as either works fine. It
> looks like I need to configure o=netscaperoot on master B somehow?
>
> thanks,
>
> Herb
>
>
>
> On Mon, Apr 23, 2012 at 1:13 PM, Mark Reynolds <mareynol(a)redhat.com
> <mailto:mareynol@redhat.com>> wrote:
>
> Herb,
>
> Do you know which server is hosting the config data for the
> console(o=netscaperoot)? If you do, please provide the access log
> output showing the "cn=directory manager" and "admin" binds? It
> might not hurt to restart the admin server.
>
> Thanks,
> Mark
>
>
>
> On 04/23/2012 04:06 PM, Herb Burnswell wrote:
>> Hi All,
>>
>> After re-initialization of a dual master server I now cannot log
>> into the directory management console as cn=Directory Manager. I
>> receive the error:
>>
>> Cannot logon because of an incorrect user id, incorrect password,
>> or Directory problem.
>> httpException:
>> Resoponse: HTTP/1.1 401 Unauthorized
>> Status: 401
>> URL: http://url/admin-serv/authenticate
>>
>> I know the password is correct as I can drop into an ldapmodify
>> session with ./ldapmodify -D "cn=Directory Manager" -w <passwd>
>> without error.
>>
>> I've seen a few inquiries about this issue around the web but
>> nothing to resolve the issue. I see the following in
>> /opt/fedora-ds/admin-serv/logs/error:
>>
>> security (27749): for host <hostname> trying to GET
>> /admin-serv/authenticate, basic-ncsa reports: user cn=Directory
>> Manager does not exist in pwfile
>> /opt/fedora-ds/admin-serv/config/admpw
>>
>> It is correct that there is not a line for cn=Directory Manager
>> in admpw, but it is not located in the admpw file on the other
>> dual master and I can log into its management console as
>> cn=Directory Manager without error. They both just contain a
>> line for user 'admin'.
>>
>> When I try to log in as 'admin' (works fine on other dual master)
>> I receive:
>>
>> cannot connect to the directory server:
>> netscape.ldap.LDAPException: error result (32) matchedDN = ou
>> =<domain>,o=netscaperoot; no such object
>>
>> Is there something else that I need to do after
>> re-initialization? Any guidance is greatly appreciated.
>>
>> Thanks in advance,
>>
>> Herb
>>
>>
>>
>>
>
>
11 years, 7 months
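The diagnosis in this thread rests on reading BIND and RESULT pairs out of the 389 DS access log. The following added example, which is not code from the thread or from 389 DS, correlates those lines by conn and op number, attaches the peer address from the "connection from" line, and reports each bind with its outcome, so a failed bind (err=49, invalidCredentials) stands out from the successful ones shown above. The sample log is constructed in the same shape as the excerpts in the thread, with each entry on one line and with an invented failing bind from 10.10.10.99 to exercise the failure path.

```python
# Added example (not code from the original thread or from 389 DS): correlate
# BIND and RESULT lines in a 389 DS access log so that each bind is reported
# with its peer address and outcome.  SAMPLE_LOG is constructed to match the
# shape of the excerpts in the thread (one entry per line); the err=49 bind
# from 10.10.10.99 is invented to show the failure path.
import re
from typing import Dict, Iterable, List, Tuple

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")
CONN_RE = re.compile(r"^fd=\d+ slot=\d+ (?:SSL )?connection from (?P<src>\S+) to (?P<dst>\S+)")
BIND_RE = re.compile(r'^op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=(?P<method>\S+)')
RESULT_RE = re.compile(r"^op=(?P<op>\d+) RESULT err=(?P<err>\d+) tag=(?P<tag>\d+)")

BIND_RESPONSE_TAG = 97  # LDAP BindResponse, the tag=97 on the RESULT lines above
ERR_INVALID_CREDENTIALS = 49

SAMPLE_LOG = """\
[23/Apr/2012:16:07:50 -0700] conn=2575 fd=71 slot=71 connection from 10.10.10.24 to 10.10.10.24
[23/Apr/2012:16:07:50 -0700] conn=2575 op=0 BIND dn="uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot" method=128 version=3
[23/Apr/2012:16:07:50 -0700] conn=2575 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
[23/Apr/2012:16:07:50 -0700] conn=2575 op=1 SRCH base="o=NetscapeRoot" scope=2 filter="(nsExecRef=*)" attrs="nsExecRef nsLogSuppress"
[23/Apr/2012:16:07:50 -0700] conn=2575 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[23/Apr/2012:16:07:50 -0700] conn=2575 op=2 UNBIND
[23/Apr/2012:16:37:36 -0700] conn=2594 fd=68 slot=68 connection from 10.10.10.24 to 10.10.10.24
[23/Apr/2012:16:37:36 -0700] conn=2594 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[23/Apr/2012:16:37:36 -0700] conn=2594 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[23/Apr/2012:16:40:02 -0700] conn=2601 fd=69 slot=69 connection from 10.10.10.99 to 10.10.10.24
[23/Apr/2012:16:40:02 -0700] conn=2601 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[23/Apr/2012:16:40:02 -0700] conn=2601 op=0 RESULT err=49 tag=97 nentries=0 etime=0
"""


def summarize_binds(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one record per completed bind: conn, op, time, peer, dn, err.

    A BIND line is held in `pending` until the RESULT line with the same
    conn/op and a BindResponse tag arrives; SRCH/UNBIND traffic is ignored.
    """
    peers: Dict[str, str] = {}
    pending: Dict[Tuple[str, str], Tuple[str, str]] = {}
    records: List[Dict[str, object]] = []
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue
        conn, rest, ts = m.group("conn"), m.group("rest"), m.group("ts")
        c = CONN_RE.match(rest)
        if c:
            peers[conn] = c.group("src")
            continue
        b = BIND_RE.match(rest)
        if b:
            pending[(conn, b.group("op"))] = (b.group("dn") or "(anonymous)", ts)
            continue
        r = RESULT_RE.match(rest)
        if r and int(r.group("tag")) == BIND_RESPONSE_TAG:
            dn, bind_ts = pending.pop((conn, r.group("op")), ("(unknown)", ts))
            records.append({"conn": conn, "op": r.group("op"), "time": bind_ts,
                            "peer": peers.get(conn, "?"), "dn": dn,
                            "err": int(r.group("err"))})
    return records


def failed_binds(records: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Binds whose result code was anything other than 0 (success)."""
    return [rec for rec in records if rec["err"] != 0]


if __name__ == "__main__":
    recs = summarize_binds(SAMPLE_LOG.splitlines())
    for rec in recs:
        status = "ok" if rec["err"] == 0 else "FAILED err=%d" % rec["err"]
        print("%s conn=%s peer=%s dn=%s %s" % (rec["time"], rec["conn"],
                                               rec["peer"], rec["dn"], status))
```

Run against a real access log the same loop gives a per-bind view that makes it easy to see which identity bound from which host and whether the server accepted it, which is the question Mark asked Herb to answer from the logs.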
newbie question about replication
by Maurizio Marini
I have a server running fedora-ds since 2009 with the changelog activated; maybe 3
years ago I tried to replicate and I forgot about the check after the tests.
Now I have to set up a replica for disaster recovery and I have discovered the
check; yesterday I set up the replica server importing all the db and now the
userRoot ldif backup has the same entries on either server.
As far as I can argue, starting replication now requires a fresh changelog,
doesn't it?
Any hint will be very appreciated.
--
Cordiali Saluti
Dr. Maurizio Marini
CoST - Computers Services and Technologies S.r.l.
Via Longhi, 13 - 20137 Milano
P. IVA 09585780159
Tel +39 02 45446.207
Fax +39 02 45446.333
11 years, 7 months
management console authentication error
by Herb Burnswell
Hi All,
After re-initialization of a dual master server I now cannot log into the
directory management console as cn=Directory Manager. I receive the error:
Cannot logon because of an incorrect user id, incorrect password, or
Directory problem.
httpException:
Resoponse: HTTP/1.1 401 Unauthorized
Status: 401
URL: http://url/admin-serv/authenticate
I know the password is correct as I can drop into an ldapmodify session
with ./ldapmodify -D "cn=Directory Manager" -w <passwd> without error.
I've seen a few inquiries about this issue around the web but nothing to
resolve the issue. I see the following in
/opt/fedora-ds/admin-serv/logs/error:
security (27749): for host <hostname> trying to GET
/admin-serv/authenticate, basic-ncsa reports: user cn=Directory Manager
does not exist in pwfile /opt/fedora-ds/admin-serv/config/admpw
It is correct that there is not a line for cn=Directory Manager in admpw,
but it is not located in the admpw file on the other dual master and I can
log into its management console as cn=Directory Manager without error.
They both just contain a line for user 'admin'.
When I try to log in as 'admin' (works fine on other dual master) I receive:
cannot connect to the directory server:
netscape.ldap.LDAPException: error result (32) matchedDN = ou
=<domain>,o=netscaperoot; no such object
Is there something else that I need to do after re-initialization? Any
guidance is greatly appreciated.
Thanks in advance,
Herb
11 years, 7 months
Re: [389-users] Repair replication
by Herb Burnswell
Thanks for the reply David.
>> 1. How can I find out which system(s) is/are master, consumer, hub, etc?
>>>> You should be able to determine the role of the Directory Server for each
>>>> system by logging into the LDAP console under
>>>> "Configuration->Replication". The role is either "Single Master", "Hub" or
>>>> "Dedicated Consumer".
I was able to determine that we have two "Multiple Master" systems. Let's
call them 'A' and 'B'. System A has been the only system running for what
appears to be several years (it is being backed up nightly). System B has
been off for some time but is running now.
>> 2. How do I confirm that the systems have the correct credentials for
>> replication? (I am receiving: "Unable to acquire replica: Permission
>> denied.")
>> a. How can I change the bind dn "cn=replication,cn=config" credentials
>> on each system to ensure replication will work?
>>>> You can do that on the console as well. Just navigate down the directory
>>>> tree and manually reset the password for the replication user account.
>>>> There's a possibility that your replication user account's password
>>>> expired.
I can navigate to the screen to reset the password for the replication user
account. I have not reset the passwords yet as I am reading documentation
to confirm that system B will simply update its data to system A's upon
resuming replication.
>> 3. I assume that upon repairing replication (apparently it has not been
>> working for several years) the systems will all replicate to the most
>> recent information. Correct?
>>>> I think that's the tricky part. Make sure you backup your directory on all
>>>> the LDAP first so you have something to roll back. I *believe* the last
>>>> step when setting up replication is initializing the directory and that
>>>> will wipe out directory on the other LDAP. Someone on the list might be
>>>> able to provide a better on this but I am just giving you a heads up that
>>>> this can be a complicated process.
Given the fact that system B has not been running for some time, ideally it
would simply replicate to the current data on system A. After replication
is reestablished the systems are set up to "Always keep directories in
sync". If anyone can confirm the behavior that will occur upon replication
on these two systems it would be greatly appreciated.
Thanks in advance,
Herb
------------------------------
>
> Message: 2
> Date: Thu, 22 Mar 2012 10:40:34 -0400
> From: Chun Tat David Chu <beyonddc.storage(a)gmail.com>
> To: "General discussion list for the 389 Directory server project."
> <389-users(a)lists.fedoraproject.org>
> Subject: Re: [389-users] Repair replication
>
> Hey Herb,
>
> You should refer to the Red Hat Directory Server administration guide for
> detail about setting up replication which you can locate in here.
> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/
>
> >> 1. How can I find out which system(s) is/are master, consumer, hub, etc?
> You should be able to determine the role of the Directory Server for each
> system by logging into the LDAP console under
> "Configuration->Replication". The role is either "Single Master", "Hub" or
> "Dedicated Consumer".
>
> >> 2. How do I confirm that the systems have the correct credentials for
> replication? (I am receiving: "Unable to acquire replica: Permission
> denied.")
> a. How can I change the bind dn "cn=replication,cn=config" credentials
> on each system to ensure replication will work?
> You can do that on the console as well. Just navigate down the directory
> tree and manually reset the password for the replication user account.
> There's a possibility that your replication user account's password
> expired.
>
> >> 3. I assume that upon repairing replication (apparently it has not been
> working for several years) the systems will all replicate to the most
> recent information. Correct?
> I think that's the tricky part. Make sure you backup your directory on all
> the LDAP first so you have something to roll back. I *believe* the last
> step when setting up replication is initializing the directory and that
> will wipe out directory on the other LDAP. Someone on the list might be
> able to provide a better on this but I am just giving you a heads up that
> this can be a complicated process.
>
> Good luck
>
> - David
>
> 2012/3/21 Herb Burnswell <herbert.burnswell(a)gmail.com>
>
> > Hi All,
> >
> > I'm new to LDAP administration and have been tasked with fixing the
> system
> > replication of 4 Linux systems running Fedora Directory Services. I am
> > very comfortable working with Linux/Unix but am not experienced with
> LDAP.
> > I've been reading the communications from this user group and reading as
> > much as I can from documentation. I believe this environment is not too
> > complex but I am looking for some guidance, any assistance is greatly
> > appreciated.
> >
> > Info:
> >
> > OS: Fedora Core 4
> > LDAP: Fedora Directory Server v 7.1
> >
> > First, I know that both the systems and FDS versions are ancient.
> > However, at this point I need to get the replication working prior to
> > putting together a migration plan. I have access to the Directory
> Manager
> > console and am comfortable running command line commands as well. Either
> > way is fine.
> >
> > Questions:
> >
> > 1. How can I find out which system(s) is/are master, consumer, hub, etc?
> >
> > 2. How do I confirm that the systems have the correct credentials for
> > replication? (I am receiving: "Unable to acquire replica: Permission
> > denied.")
> > a. How can I change the bind dn "cn=replication,cn=config"
> credentials
> > on each system to ensure replication will work?
> >
> > 3. I assume that upon repairing replication (apparently it has not been
> > working for several years) the systems will all replicate to the most
> > recent information. Correct?
> >
> > Again, any guidance is greatly appreciated.
> >
> > Thanks in advance,
> >
> > Herb
> >
> >
>
>
11 years, 7 months