Questions about 389 and Sendmail virtusertable
by Pro Green European
Hi.
I'd like to know if it is possible to have a user's email address which is typically found and mapped in /etc/mail/virtusertable by Sendmail in 389 somehow.
I haven't found any really good documentation about this, and I'd really like to know if it is possible to have this data in 389 and hopefully some pointers / help on how I achieve this.
Currently the format of the data found in the virtusertable file is standard Sendmail syntax:
email.address(a)domain.tld username(a)host.name.tld
Thx,
/PGE
11 years, 7 months
What to do about windows sync when AD entries move out of scope
by Rich Megginson
Let's say you have a windows sync agreement
AD: cn=Users,dc=example,dc=com
DS: ou=People,dc=example,dc=com
Let's say you also have another user container in AD:
cn=OtherUsers,dc=example,dc=com
Let's say you have a user in AD in cn=Users in sync with a user in DS in
ou=People.
What should happen if you move the user in AD from cn=Users to
cn=OtherUsers? Should DS "disconnect" the entry (i.e. remove the ntuser
attributes) so the entry is no longer in sync? Should winsync do
something else?
Conversely, what should happen if a user is moved from cn=OtherUsers to
cn=Users? Should DS treat it as adding a new user or "connect" an
existing user if the userids match?
11 years, 8 months
Problem compiling sample plugin
by Juan Asensio Sánchez
Hi
I am trying to compile a sample plugin, based on the documentation
from https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9...
I have created the .c, makefile, and installed required packages in
centos 5.5 i386 (gcc, kernel-devel, kernel-headers,
389-ds-base-devel), but when I try to make, I get
gcc -fPIC -c smbattrsync.c
In file included from smbattrsync.c:3:
/usr/include/dirsrv/slapi-plugin.h:65:21: error: prtypes.h: No such
file or directory
/usr/include/dirsrv/slapi-plugin.h:66:18: error: ldap.h: No such file
or directory
/usr/include/dirsrv/slapi-plugin.h:67:19: error: prprf.h: No such file
or directory
In file included from smbattrsync.c:3:
/usr/include/dirsrv/slapi-plugin.h: In function 'NSPR_API':
In my machine, I have prtypes.h in /usr/include/nspr4/, not in
/usr/include/dirsrv, neither /usr/include, and so compiler does not
find it. I am not an experienced programmer; this looks something
basic, but I can not get it to work. Any idea?
Regards.
11 years, 8 months
Do I need separate directory instances for Linux authentication and (for example) IMAP authentication?
by Ray
Hi,
I posted this before without getting a response. I think the question
is super simple to answer for LDAP experts. I'll try to rephrase the
question (in case it was unclear before…)
I've been googling quite a while on this topic trying all sorts of
keyword combinations and found exactly nothing.
LDAP appears to be commonplace, almost every server software I can
think of comes with an LDAP authentication module. The services that use
the directory may need to have different user bases (i.e. not every Linux
user needs to be an IMAP user also and not every IMAP user should
automatically be able to SSH into servers).
What is the right way to achieve the above?:
1) Have separate LDAP instances running, one for IMAP, the other one
for Linux authentication. As there are some users that need both IMAP
and Linux access, some users would need to be set up twice.
2) Have all users in one LDAP instance, and have different sets of
attributes for IMAP and Linux authentication. Those users with IMAP
access have their IMAP attributes filled in and those with Linux logins
have their posix account settings filled with values. Some would have
both. I do not see how to assign different passwords for the two
services for this option. Is there a way?
Are there any other options?
Cheers,
Ray
11 years, 8 months
Backup Directory Server by db2bak.pl script
by Fosiul Alam
Hi
I know you can take a backup of full directory server by using
db2bak.pl
but don't understand what the syntax will be
I checked the help file but no luck
So when I do this
/var/lib/dirsrv/slapd-ldap-2/bak/ldap-2-2012_8_3_10_13_5
ldapmodify: started Fri Aug 3 10:13:05 2012
ldap_init( ldap-2.fosiul.lan, 389 )
add objectclass:
top
extensibleObject
add cn:
backup_2012_8_3_10_13_5
add nsArchiveDir:
/var/lib/dirsrv/slapd-ldap-2/bak/ldap-2-2012_8_3_10_13_5
add nsDatabaseType:
ldbm database
adding new entry cn=backup_2012_8_3_10_13_5, cn=backup, cn=tasks, cn=config
- Ignored:
modify complete
it does not look like it's doing anything!!
can anyone please help me.
Fosiul
11 years, 8 months
Replication Agreement Between DS 8.2 and 9.0
by Paul Whitney
I am looking everywhere on Internet/Google and cannot find anything that tells me whether or not I can stand up a DS 9 (389DS) and replicate with DS 8.2. Can someone tell me where I might find this answer? Or just tell me the answer?
I am running a multi-master environment and want to stand up DS9, initialize it with data from DS 8.2, then start up replication agreements between the two.
Thank you,
Paul M. Whitney
paul.whitney(a)me.com
11 years, 8 months
problem initializing replica
by Vlad
Hello,
I've problems for initializing replica from Admin console or using
ldapmodify. Although, I'm able to initialize replica from LDIF file
successfully. Below is a snip from errorlog:
************* snip start *****************
[14/Aug/2012:15:09:04 +0200] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=cids is going offline; disabling replication
[14/Aug/2012:15:09:04 +0200] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[14/Aug/2012:15:09:04 +0200] - ERROR bulk import abandoned
[14/Aug/2012:15:09:04 +0200] - import userRoot: Aborting all Import threads...
[14/Aug/2012:15:09:11 +0200] - import userRoot: Import threads aborted.
[14/Aug/2012:15:09:11 +0200] - import userRoot: Closing files...
[14/Aug/2012:15:09:11 +0200] - libdb: userRoot/cIDSMemberOf.db4: unable to flush: No such file or directory
[14/Aug/2012:15:09:11 +0200] - libdb: userRoot/mail.db4: unable to flush: No such file or directory
[14/Aug/2012:15:09:11 +0200] - libdb: userRoot/nsuniqueid.db4: unable to flush: No such file or directory
[14/Aug/2012:15:09:11 +0200] - libdb: userRoot/id2entry.db4: unable to flush: No such file or directory
[14/Aug/2012:15:09:11 +0200] - libdb: userRoot/sn.db4: unable to flush: No such file or directory
[14/Aug/2012:15:09:11 +0200] - libdb: userRoot/objectclass.db4: unable to flush: No such file or directory
[14/Aug/2012:15:09:11 +0200] - libdb: userRoot/ou.db4: unable to flush: No such file or directory
[14/Aug/2012:15:09:11 +0200] - libdb: userRoot/aci.db4: unable to flush: No such file or directory
[14/Aug/2012:15:09:11 +0200] - libdb: userRoot/cIDSEntityID.db4: unable to flush: No such file or directory
[14/Aug/2012:15:09:11 +0200] - libdb: userRoot/cn.db4: unable to flush: No such file or directory
[14/Aug/2012:15:09:11 +0200] - libdb: userRoot/entryrdn.db4: unable to flush: No such file or directory
[14/Aug/2012:15:09:11 +0200] - libdb: userRoot/member.db4: unable to flush: No such file or directory
[14/Aug/2012:15:09:11 +0200] - libdb: userRoot/telephoneNumber.db4: unable to flush: No such file or directory
[14/Aug/2012:15:09:11 +0200] - libdb: userRoot/parentid.db4: unable to flush: No such file or directory
[14/Aug/2012:15:09:11 +0200] - import userRoot: Import failed.
[14/Aug/2012:15:09:11 +0200] - process_bulk_import_op: NULL target sdn
************* snip end *****************
These databases are for custom indexes, but I have no clue why they
aren't created automatically (all the indexes as well as custom schema
has been defined before the initialization). I'd greatly appreciate any
help/thoughts.
Thanks in advance,
Vlad.
11 years, 8 months
Re: [389-users] Base plugin
by Carsten Grzemba
Hi,
can you give an example of what you want to do in detail?
Regards
On 14.08.12, Juan Asensio Sánchez <okelet(a)gmail.com> wrote:
> Hi
>
> I would like to make a plugin to synchronize some attributes from its
> value in Directory to the equivalent in Samba. The plugin should
> detect the changes in some attributes, and then calculate and modify
> the equivalent value of the Samba ones. Is there any plugin in the
> standard packages, or has anyone done something similar, to take it as
> a base?
>
> Regards and thanks in advance.
> --
> 389 users mailing list
> 389-users(a)lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
--
Carsten Grzemba
11 years, 8 months
Multiple user directories: what is the best practice?
by Ray
Hi,
I'm currently using 389 for PAM authentication. I would also like to
use 389 for Cyrus (IMAP) authentication. However, the set of users for
Cyrus is not the same as for PAM: some users may exist in the set of PAM
users but not in the set of Cyrus users and vice versa. Apart from that,
I want the users to use different passwords for PAM and Cyrus.
What is the best practice to address this?: Should I set up a different
instance of 389 for Cyrus auth and keep my existing 389 instance for PAM
auth separate? Or is there a way to do this in the same instance?
Cheers,
Ray
11 years, 8 months
"failed to decode ldap controls" with 1.2.10.2
by Colin Panisset
I have two different servers, one installed recently (as in, earlier
this week), and one that's been operating fine for more than a year.
The new server is Centos 6.3, with 389-ds-base 1.2.10.2
The old server is Centos 5.5, with 389-ds-base 1.2.9.9
When I attempt to authenticate from an appliance which uses the Ruby
Net::LDAP gem to the old server (via plain LDAP, no SSL), I have no
problems, but when I switch out the old server for the new, I have auth
failures. Other LDAP clients do not exhibit this problem (e.g. ldapsearch,
nslcd, etc.)
The logs on the old (working) auth server show:
> [16/Aug/2012:14:16:52 +1000] conn=18453477 fd=576 slot=576 connection from 172.1.2.3 to 172.1.2.4
> [16/Aug/2012:14:16:52 +1000] conn=18453477 op=0 BIND dn="" method=128 version=3
> [16/Aug/2012:14:16:52 +1000] conn=18453477 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
> [16/Aug/2012:14:16:52 +1000] conn=18453477 op=1 SRCH base="dc=example" scope=2 filter="(uid=abc)" attrs=ALL
> [16/Aug/2012:14:16:52 +1000] conn=18453477 op=1 RESULT err=0 tag=101 nentries=1 etime=0
> [16/Aug/2012:14:16:52 +1000] conn=18453477 op=2 BIND dn="cn=Some User,ou=people,dc=example" method=128 version=3
> [16/Aug/2012:14:16:52 +1000] conn=18453477 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=some user,ou=people,dc=example"
> [16/Aug/2012:14:16:52 +1000] conn=18453477 op=-1 fd=576 closed - B1
The logs on the new auth server show:
> [16/Aug/2012:09:12:45 +1000] conn=2897 fd=67 slot=67 connection from 172.1.2.3 to 172.1.2.5
> [16/Aug/2012:09:12:45 +1000] conn=2897 op=0 BIND dn="" method=128 version=3
> [16/Aug/2012:09:12:45 +1000] conn=2897 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
> [16/Aug/2012:09:12:45 +1000] conn=2897 op=1 SRCH base="" scope=2 filter="(uid=abc)", failed to decode LDAP controls
> [16/Aug/2012:09:12:45 +1000] conn=2897 op=1 RESULT err=2 tag=101 nentries=0 etime=0
> [16/Aug/2012:09:12:45 +1000] conn=2897 op=-1 fd=67 closed - B1
Now, a tcpdump of the search queries shows that both search request
packets from the Net::LDAP appliance are *identical* (except for the
origin port, MAC addresses, etc), but not *quite* the same as the same
query initiated through command-line ldapsearch.
Here's a dump of a request packet from ldapsearch:
> 0x0000: 4500 0074 7882 4000 3f06 6389 ac19 0005 E..tx.@.?.c.....
> 0x0010: ac19 0741 e04a 0185 a6ec 4d60 1c36 5d68 ...A.J....M`.6]h
> 0x0020: 8018 006c d087 0000 0101 080a 0ab9 209a ...l............
> 0x0030: 053b 1109 303e 0201 0263 3904 1a64 633d .;..0>...c9..dc=
> 0x0040: xxxx xxxx xxxx xxxx xxxx 2c64 633d xxxx xxxxxxxxxx,dc=xx
> 0x0050: xx2c 6463 3dxx xx0a 0102 0a01 0002 0100 x,dc=xx.........
> 0x0060: 0201 0001 0100 a30a 0403 7569 6404 03xx ..........uid..x
> 0x0070: xxxx 3000 xx0.
and one from the Net::LDAP appliance:
> 0000 0024 e865 82bf 021b 21c6 b3c8 0800 4500 .$.e....!.....E.
> 0010 006a 1256 4000 4006 c8c3 ac19 0002 ac19 .j.V@.@.........
> 0020 0740 7c26 0185 3666 7186 f3bd ce0d 5018 .@|&..6fq.....P.
> 0030 3908 daef 0000 3040 0201 0263 3904 1a64 9.....0@...c9..d
> 0040 633d 7265 616c 6573 7461 7465 2c64 633d c=xxxxxxxxxx,dc=
> 0050 636f 6d2c 6463 3d61 750a 0102 0a01 0002 xxx,dc=xx.......
> 0060 0101 0201 0001 0100 a30a 0403 7569 6404 ............uid.
> 0070 0363 6d70 3000 a000 .xxx0...
I note that the ldapsearch query uses:
LDAPMessage ::= SEQUENCE { // 0x30 0x3e
while the Net::LDAP query uses:
LDAPMessage ::= SEQUENCE OF Control { // 0x30 0x40
in the PDU -- look at bytes 0x34 and 0x35 in the ldapsearch packet, and
at bytes 0x36 and 0x37 in the Net::LDAP packet.
Is 389-ds behaving correctly in this case, and the Net::LDAP gem is
wrong? Or is this a regression in 389-ds?
--
Colin Panisset
Senior Systems Engineer, REA Group
Ph: +61 (0)3 8456 4636 Mb: +61 (0) 457 788 259
11 years, 8 months
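Added example, not part of the original post and not code from 389-ds or Net::LDAP: a minimal BER walk over the top level of an LDAPMessage as RFC 4511 defines it (messageID, protocolOp, optional controls tagged [0]), showing how the octet after 0x30 and a trailing `a0 00` element are read. The two sample messages are constructed from the base and filter shown in the logs above, and all function names are hypothetical.

```python
# Added example: walk the top level of an LDAPMessage (RFC 4511, section 4.1.1).
# Sample messages are constructed below; they are not the captured packets.

def tlv(tag, body=b""):
    """Encode one BER element; short-form length only (body < 128 bytes)."""
    if len(body) >= 0x80:
        raise ValueError("sample encoder handles short lengths only")
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos):
    """Decode the element at pos and return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits count length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def describe(msg):
    """Summarise the top-level fields of a single LDAPMessage."""
    tag, body, end = read_tlv(msg, 0)
    if tag != 0x30 or end != len(msg):
        raise ValueError("expected exactly one SEQUENCE")
    info = {"seq_len": len(body), "controls": "absent"}
    tag, value, pos = read_tlv(body, 0)    # messageID INTEGER
    if tag != 0x02:
        raise ValueError("messageID is not an INTEGER")
    info["message_id"] = int.from_bytes(value, "big")
    info["op_tag"], _, pos = read_tlv(body, pos)   # protocolOp, 0x63 = SearchRequest
    if pos < len(body):                    # controls [0] Controls OPTIONAL
        tag, value, pos = read_tlv(body, pos)
        if tag != 0xA0 or pos != len(body):
            raise ValueError("unexpected element after protocolOp")
        info["controls"] = "present" if value else "empty"
    return info

def sample_search(with_empty_controls):
    """Constructed SearchRequest: base dc=example, subtree scope, filter (uid=abc)."""
    req = (tlv(0x04, b"dc=example") + tlv(0x0A, b"\x02") + tlv(0x0A, b"\x00")
           + tlv(0x02, b"\x00") + tlv(0x02, b"\x00") + tlv(0x01, b"\x00")
           + tlv(0xA3, tlv(0x04, b"uid") + tlv(0x04, b"abc")) + tlv(0x30))
    body = tlv(0x02, b"\x02") + tlv(0x63, req)
    return tlv(0x30, body + (tlv(0xA0) if with_empty_controls else b""))
```

The two constructed messages differ only in the outer length octet and the final two bytes, so `describe()` reports the same messageID and operation tag for both and a different `controls` state.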