groupOfURLS, groupOfUniqueNames, and memberURL issues
by Nick Cappelletti
Hello Everyone,
I've been banging my head against this one for a few hours and was hoping for some input. I have a group:
dn: cn=mxadmins,cn=groups,cn=accounts,dc=int,dc=example,dc=com
memberURL: ldap:///cn=users,cn=accounts,dc=int,dc=example,dc=com??sub?(ou=Supervisor)
cn: mxadmins
description: MX administrators group
objectClass: top
objectClass: groupOfUniqueNames
objectClass: groupOfURLs
From the documentation I've read, there shouldn't be much more I need to do than query that group and pull all the unique members into the list, but unfortunately I'm not getting the results I /think/ I should.
I'm running an older version of DS:
389 Project
389-Directory/1.2.5 B2010.012.2024
Perhaps that's part of the issue, but if anyone can help point me in the right direction it would be greatly appreciated.
Nick Cappelletti
nick(a)switchtower.com
10 years, 6 months
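Added illustration (not part of the original post, and not 389 DS code): a groupOfURLs entry holds a search specification in memberURL rather than a list of member DNs, so whatever evaluates the group has to run the search the URL describes. The Python sketch below parses the memberURL from the post and evaluates it over constructed sample entries; the entries, the function names and the naive DN handling are assumptions.

```python
import re
from urllib.parse import unquote

BASE = "cn=users,cn=accounts,dc=int,dc=example,dc=com"
MEMBER_URL = "ldap:///" + BASE + "??sub?(ou=Supervisor)"  # value from the post
# Constructed sample entries (not from the post); attribute names are lower-case.
ENTRIES = {
    "uid=alice," + BASE: {"ou": ["Supervisor"]},
    "uid=bob," + BASE: {"ou": ["Engineering"]},
    "uid=carol,ou=temps," + BASE: {"ou": ["supervisor"]},
    "uid=dave,cn=services,cn=accounts,dc=int,dc=example,dc=com": {"ou": ["Supervisor"]},
}

def parse_member_url(url):
    """Split ldap:///base?attrs?scope?filter (RFC 4516 field order)."""
    if not url.lower().startswith("ldap:///"):
        raise ValueError("expected an ldap:/// URL with an empty host part")
    fields = url[len("ldap:///"):].split("?") + [""] * 3
    base, _attrs, scope, flt = (unquote(f) for f in fields[:4])
    return {"base": base, "scope": scope or "base", "filter": flt or "(objectClass=*)"}

def in_scope(dn, base, scope):
    """Naive DN comparison: lower-cased, escaped commas not handled."""
    dn, base = dn.lower(), base.lower()
    if dn == base:
        return scope in ("base", "sub")
    if not dn.endswith("," + base):
        return False
    depth = dn[:-len(base) - 1].count(",") + 1  # RDNs below the base
    return scope == "sub" or (scope == "one" and depth == 1)

def matches(entry, flt):
    """Evaluate (attr=value) case-insensitively; other filter forms are rejected."""
    if flt.lower() == "(objectclass=*)":
        return True
    m = re.fullmatch(r"\(([A-Za-z][\w-]*)=([^()*]+)\)", flt)
    if not m:
        raise ValueError("this sketch only handles simple equality filters")
    attr, want = m.group(1).lower(), m.group(2).lower()
    return want in (v.lower() for v in entry.get(attr, []))

def expand(member_url, entries):
    """Return the DNs the memberURL search selects, i.e. the dynamic members."""
    u = parse_member_url(member_url)
    return sorted(dn for dn, e in entries.items()
                  if in_scope(dn, u["base"], u["scope"]) and matches(e, u["filter"]))

if __name__ == "__main__":
    print(*expand(MEMBER_URL, ENTRIES), sep="\n")
```

With the sample data, the subtree scope picks up the entry one level below the base and the case-insensitive ou match, while the entry outside cn=users is excluded even though its ou matches.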
389 DS Architecture for Multiple Sites
by Kyle Flavin
I'm looking to deploy 389 Directory in my environment to replace an
existing iPlanet installation. I would be using it primarily to store
user account data for authentication purposes. I have two physically
separate data centers that I would like to share the same directory
tree. My initial thinking is to set up 389 DS as follows:
-A Master/Consumer in DataCenter A
-A Master/Consumer in DataCenter B
-Replication agreement between both masters, to mirror the directory
tree in both environments.
Does this sound like a reasonable approach? Is there a better way to do
it? (ie: four masters?) Is there documentation for best practices when
setting up 389 DS in situations such as this?
Thanks.
10 years, 6 months
ACI and authenticating clients/servers
by Vesa Alho
Hi,
First, big thanks to all the people developing and maintaining 389ds! I've
been learning LDAP for a while and there is one question which I haven't been
able to figure out.
There are a bunch of Debian servers authenticating against 389ds. I
started with anonymous bind to get the basic setup working. Now I would
like to limit access to 389ds. What is the best/recommended way to
achieve this? I have stuff under ou=Groups,dc=domain,dc=com (e.g.
ou=Sales,ou=Groups,dc=domain,dc=com) which I don't want to be visible
for clients/servers.
* Create an entry under people ou=People,dc=domain,dc=com and use that
for credentials on all servers? Create an ACI based on this?
* Create e.g. ou=Servers,dc=domain,dc=com, put an entry there for each
server separately and create an ACI based on this?
Thanks for answering my probably simple question!
Mr. Matti Alho
10 years, 6 months
User management on 389 console
by Alberto Suárez
Hi,
Is it possible to customise the behaviour of the "Create a new user"
menu item so that it used a predefined set of classes and presented the
set of attributes that I wanted to record in LDAP? If so, how?
Cheers,
Alberto Suarez.
10 years, 6 months
Clients freezing during boot
by Ali Jawad
Hi
I have been running 389 dir server for around 8 months now, recently
whenever I restart or setup a new machine and connect it to the 389 server
using the same settings as the other servers it will freeze during startup
at INIT, I am using an IP in my config files.
Once I remove ldap from nsswitch.conf the servers all boot normally, I did
restart the ldap server and I am sure it is not a firewall issue.
Any input, please?
Regards
10 years, 6 months
ACI help
by Josh Ellsworth
I am trying to grant a specific group the ability to edit one attribute. I have the following ACI in place with no success:
(targetattr ="description")(version 3.0;acl "evolvadmins description modify";allow(all) (groupdn = "ldap:///cn=evolvadmins,ou=Groups,dc=evolv,dc=com");)
Any ideas what I need to do? Any good guides to troubleshooting and writing ACIs?
Josh
--
Joshua Ellsworth
Senior Systems Administrator, Primatics Financial
Phone: 571.765.7528
jellsworth(a)primaticsfinancial.com
10 years, 6 months
Re: [389-users] 389-users Digest, Vol 88, Issue 15
by Vijay Thakur
Thanks for your kind reply. I want to use 389 DS for my web
application. As per the user name and password authentication,
application will access the complete detail of
authenticated user for DS like Home Address, Phone Number, Image, PAN
Card, ID Number, Current Address, Nationality etc.
Is there anyone on the list who can clear my doubt to explore the DS
according to my requirement?
With warm regards,
Vijay Thakur
On Saturday 15 September 2012 05:30 PM,
389-users-request(a)lists.fedoraproject.org wrote:
> Date: Fri, 14 Sep 2012 23:24:11 +0200
> From: Grzegorz Dwornicki <gd1100(a)gmail.com>
> Subject: Re: [389-users] 389 DS Authentication
>
> Hi
>
> I tried using samba with ldap backend for windows authentication. I was
> able to login but I didn't try to do more than logging in. I was just curious
> about this.
>
> In this way accounts can have normal linux attributes too. Only problem
> will be with password sync.
>
> But if you choose only normal ldap there were some projects like pgina. But
> I don't know how this works. I heard from a friend once about problems but I
> don't remember the ugly details.
>
> I hope this will help you
>
> Greg.
> On 14 Sep 2012 09:19, "Vijay Thakur" <vijay.thakur(a)loopmethods.com> wrote:
>
>> All Experts,
>>
>>
>> I have posted my query in many places, but got no satisfactory reply. So I
>> am here for help.
>>
>> I have configured 389 Directory Server in CentOS 5.8. I have added some
>> users and groups with DS Console. Now I want to authenticate my Windows and
>> Linux systems with 389-DS. I have found no information to get system login
>> (Authenticated) by googling it. How can I add systems in Directory server?
>> Kindly suggest what changes are required at server and client end
>> (Windows or Linux) to be authenticated by Directory Server.
>>
>> Thanks in advance.
>>
>>
>> Vj++
10 years, 6 months
389 DS Authentication
by Vijay Thakur
All Experts,
I have posted my query in many places, but got no satisfactory reply. So
I am here for help.
I have configured 389 Directory Server in CentOS 5.8. I have added some
users and groups with DS Console. Now I want to authenticate my Windows
and Linux systems with 389-DS. I have found no information to get system
login (Authenticated) by googling it. How can I add systems in Directory
server?
Kindly suggest what changes are required at server and client end
(Windows or Linux) to be authenticated by Directory Server.
Thanks in advance.
Vj++
10 years, 6 months
extract CA certificate
by Gregory Matthews
Is it possible to extract/export the CA certificate stored on a 389
directory server? If so, how so?
GREG
--
Greg Matthews 01235 778658
Scientific Computing Group Leader
Diamond Light Source Ltd. OXON UK
10 years, 6 months