1.2.11.xx in stable repos
by Lulzim KELMENI
Hello,
We are planning to update our 389-ds from version 389-ds-base-1.2.10.7-1.el6.x86_64 to version 1.2.11.xx.
We have tested the 389-ds-base-1.2.11.23-3.el6.x86_64 version from the epel-testing-389-ds-base repo. We have not found any problem with this version.
When do you think this version will reach the "stable" repos?
Actually, the only 1.2.11.xx version in the stable repo is not installable because of a dependency problem:
> --> Finished Dependency Resolution
> Error: Package: 389-ds-base-1.2.11.22-1.el6.x86_64 (/389-ds-base-1.2.11.22-1.el6.x86_64)
> Requires: perl-Socket
> Error: 389-ds-base conflicts with selinux-policy-targeted-3.7.19-195.el6_4.18.noarch
> You could try using --skip-broken to work around the problem
> You could try running: rpm -Va --nofiles --nodigest
Thank you,
KELMENI Lulzim
Information Systems Directorate (Direction des Systèmes d'Information)
Systems, Networks, Telephony and Databases Department
Mairie de Saint-Ouen
01.49.45.69.76
10 years, 5 months
389 illegal seek after Replication Delete
by Jeffrey Dunham
We're running 389-Directory/1.2.10.14 on Rhel5.3 and just ran into a
database issue that we've not seen before.
I don't know if it's related to the replication delete just before it, but
we've successfully added and deleted multiple replication entries before.
There are plenty more errors just like this in the logs from before we
restarted. I wish we could have gotten a stack trace during that time, but
it crashed during the recovery and we did get a coredump then. Any help
would be appreciated.
[14/Nov/2013:22:00:31 +0000] NSMMReplicationPlugin - agmt_delete: begin
[14/Nov/2013:22:01:01 +0000] NSMMReplicationPlugin - agmt="cn=ldapserver" (ldap-server:389): Unable to receive the response for a startReplication extended operation to consumer (Local error). Will retry later.
[14/Nov/2013:22:01:39 +0000] - libdb: seek: 5456737 0 2: Illegal seek
[14/Nov/2013:22:01:39 +0000] - libdb: seek: 5456737 0 2: Illegal seek
[14/Nov/2013:22:01:39 +0000] - Serious Error---Failed in dblayer_txn_commit, err=29 (Illegal seek)
[14/Nov/2013:22:01:40 +0000] - libdb: seek: 5456737 0 2: Illegal seek
[14/Nov/2013:22:01:40 +0000] - libdb: seek: 5456737 0 2: Illegal seek
[14/Nov/2013:22:01:40 +0000] - Serious Error---Failed in dblayer_txn_commit, err=29 (Illegal seek)
[14/Nov/2013:22:01:40 +0000] NSMMReplicationPlugin - replica_replace_ruv_tombstone: failed to update replication update vector for replica o=amazon.com: LDAP error - 1
[14/Nov/2013:22:01:40 +0000] - libdb: seek: 5456737 0 2: Illegal seek
[14/Nov/2013:22:01:40 +0000] - id2entry_add failed, err=29 Illegal seek
[14/Nov/2013:22:01:40 +0000] - libdb: seek: 5456737 0 2: Illegal seek
[14/Nov/2013:22:01:40 +0000] - id2entry_add failed, err=29 Illegal seek
[14/Nov/2013:22:01:41 +0000] - libdb: seek: 5456737 0 2: Illegal seek
[14/Nov/2013:22:01:41 +0000] - id2entry_add failed, err=29 Illegal seek
[14/Nov/2013:22:01:42 +0000] - libdb: seek: 5456737 0 2: Illegal seek
[14/Nov/2013:22:01:42 +0000] - libdb: seek: 5456737 0 2: Illegal seek
[14/Nov/2013:22:01:42 +0000] - Serious Error---Failed in dblayer_txn_commit, err=29 (Illegal seek)
[14/Nov/2013:22:01:42 +0000] NSMMReplicationPlugin - replica_replace_ruv_tombstone: failed to update replication update vector for replica o=amazon.com: LDAP error - 1
[14/Nov/2013:22:01:42 +0000] - libdb: seek: 5456737 0 2: Illegal seek
[14/Nov/2013:22:01:42 +0000] - id2entry_add failed, err=29 Illegal seek
[14/Nov/2013:22:01:42 +0000] - libdb: seek: 5456737 0 2: Illegal seek
[14/Nov/2013:22:01:42 +0000] - database index operation failed BAD 1130, err=29 Illegal seek
[14/Nov/2013:22:01:42 +0000] - database index operation failed BAD 1140, err=29 Illegal seek
[14/Nov/2013:22:01:42 +0000] - database index operation failed BAD 1250, err=29 Illegal seek
[14/Nov/2013:22:01:42 +0000] - libdb: seek: 5456737 0 2: Illegal seek
[14/Nov/2013:22:01:42 +0000] - idl_new.c BAD 60, err=29 Illegal seek
[14/Nov/2013:22:01:42 +0000] - database index operation failed BAD 1130, err=29 Illegal seek
[14/Nov/2013:22:01:42 +0000] - database index operation failed BAD 1140, err=29 Illegal seek
[14/Nov/2013:22:01:42 +0000] - database index operation failed BAD 1230, err=29 Illegal seek
[14/Nov/2013:22:01:42 +0000] - database index operation failed BAD 1040, err=29 Illegal seek
-Jeff
10 years, 5 months
389 1.3 - something to consider
by Michael Gettes
As I currently understand things, 389 1.2 is available via RPM dist channels (including epel test using the rmeggins people repo) and 1.3 is available by source tarball.
Due to how my organization handles firewall access, it is quite the PITA to build network-source-based software, which makes it rather difficult for me to deploy 1.3 in test or prod. If there was any chance of getting 1.3 (and beyond) via a standard RPM dist channel, I would be willing to run it, maybe even in production! As I attempted to build 1.3, it had requirements which would have necessitated building via git or something similar, and I got stuck because of how we do things here (no comment on how we do things, please).
If I have any of this wrong, I'd greatly appreciate being corrected. Pointers welcome.
Like I said, something to consider.
Have a great weekend all!
/mrg
10 years, 5 months
Secondary passwords - like Google's application specific passwords
by Jan Tomasek
Hi,
my question about PAM, libscript... comes from my idea: I would like to
implement secondary passwords in a very similar way to how Google's
application-specific passwords work. [1]

We are using LDAP for centralized user management. Systems providing
services to users are verified against this LDAP. Users are saving those
passwords in mail clients, on workstations, on tablets, ... We would
like to provide users the option not to store their main password in
their clients. We would like to offer them alternative passwords working
for email, calendar clients and so on, on a specific device. If one of
the devices is compromised, the user will only have to revoke the
password for that device.

In short, I want to offer users the possibility to generate secondary
passwords working for email and so on. I expect them to create multiple
passwords marked with some nickname, like:
phone-email
tablet-email
phone-calendar
and so on. Those passwords should work with a standard LDAP bind but not
necessarily on the same suffix and/or where the primary LDAP is. We would
like to split the primary LDAP passwords used for financial and high-trust
applications from those serving email and calendar.

How to do something like this with 389 DS?

My idea is this:

uid=semik,dc=neco
objectClass: inetOrgPerson
cn: Jan Tomasek
sn: Tomasek
uid: semik
userPassword: {SSHA}...

dc=12345,uid=semik,dc=neco
objectClass: appPassword
dc: 12345
password: some-generated-password1
passwordLabel: phone-email

dc=12395,uid=semik,dc=neco
objectClass: appPassword
dc: 12395
password: some-generated-password2
passwordLabel: tablet-email

dc=12399,uid=semik,dc=neco
objectClass: appPassword
dc: 12399
password: some-generated-password3
passwordLabel: phone-calendar

I tried to implement this as PAM pass-through authentication. It works
but it is very fragile.

I'm looking for a more robust and faster way. I know it is possible to do
this with a PreOperation plugin but maybe there is some easier way. Or
maybe someone has already implemented such a plugin.
Any comments? Ideas?
Thanks
[1] https://support.google.com/accounts/answer/185833
--
-----------------------
Jan Tomasek aka Semik
http://www.tomasek.cz/
10 years, 5 months
Re: [389-users] Secondary passwords - like Google's application specific passwords
by Howard Chu
> Date: Wed, 06 Nov 2013 16:43:55 +0100
> From: Petr Spacek <pspacek(a)redhat.com>
> On 6.11.2013 17:34, Jan Tomasek wrote:
>> Hello,
>>
>> please, does anybody have any idea how to implement this with 389?
>
> According to http://tools.ietf.org/html/rfc4519#section-2.41
> the userPassword attribute is multi-valued.
>
> Did you try to add multiple values to the attribute?
>
> I never tried it, so no warranty :-)
That's not a solution - storing multiple values in the userPassword attribute
makes all of them valid for any application. It does not ensure that only one
specific application binds with a particular password.
What are the "fragile" aspects of the scheme Jan described? What are the
specific problems that need to be improved on?
>
> Petr^2 Spacek
>
>> Thanks
>>
>> Jan
>>
>> On 11/04/2013 07:40 PM, Jan Tomasek wrote:
>>> Hi,
>>>
>>> my question about PAM, libscript... comes from my idea: I would like to
>>> implement secondary passwords in a very similar way to how Google's
>>> application-specific passwords work. [1]
>>>
>>> We are using LDAP for centralized user management. Systems providing
>>> services to users are verified against this LDAP. Users are saving those
>>> passwords in mail clients, on workstations, on tablets, ... We would
>>> like to provide users the option not to store their main password in
>>> their clients. We would like to offer them alternative passwords working
>>> for email, calendar clients and so on, on a specific device. If one of
>>> the devices is compromised, the user will only have to revoke the
>>> password for that device.
>>>
>>> In short, I want to offer users the possibility to generate secondary
>>> passwords working for email and so on. I expect them to create multiple
>>> passwords marked with some nickname, like:
>>> phone-email
>>> tablet-email
>>> phone-calendar
>>> and so on. Those passwords should work with a standard LDAP bind but not
>>> necessarily on the same suffix and/or where the primary LDAP is. We would
>>> like to split the primary LDAP passwords used for financial and high-trust
>>> applications from those serving email and calendar.
>>>
>>> How to do something like this with 389 DS?
>>>
>>> My idea is this:
>>>
>>> uid=semik,dc=neco
>>> objectClass: inetOrgPerson
>>> cn: Jan Tomasek
>>> sn: Tomasek
>>> uid: semik
>>> userPassword: {SSHA}...
>>>
>>> dc=12345,uid=semik,dc=neco
>>> objectClass: appPassword
>>> dc: 12345
>>> password: some-generated-password1
>>> passwordLabel: phone-email
>>>
>>> dc=12395,uid=semik,dc=neco
>>> objectClass: appPassword
>>> dc: 12395
>>> password: some-generated-password2
>>> passwordLabel: tablet-email
>>>
>>> dc=12399,uid=semik,dc=neco
>>> objectClass: appPassword
>>> dc: 12399
>>> password: some-generated-password3
>>> passwordLabel: phone-calendar
>>>
>>>
>>> I tried to implement this as PAM pass-through authentication. It works
>>> but it is very fragile.
>>>
>>> I'm looking for a more robust and faster way. I know it is possible to do
>>> this with a PreOperation plugin but maybe there is some easier way. Or
>>> maybe someone has already implemented such a plugin.
>>>
>>> Any comments? Ideas?
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
10 years, 5 months
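To make the contrast between Petr's multi-valued userPassword suggestion and Jan's per-device child entries concrete, here is an added Python model of both bind rules (example code written for this digest, not anything from the thread or from 389 DS). It assumes app-password labels follow a "<device>-<service>" convention and that hashes use the {SSHA} form shown in Jan's entry; the directory contents are constructed from his sample entries.

```python
import base64, hashlib, hmac, os

def ssha_hash(password, salt=None):
    """Build a {SSHA} value like the userPassword in the post: base64(SHA-1(password + salt) + salt)."""
    salt = salt if salt is not None else os.urandom(4)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(password, stored):
    """Constant-time check of a password against a {SSHA} value (20-byte digest, then the salt)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[6:])
    return hmac.compare_digest(hashlib.sha1(password.encode() + raw[20:]).digest(), raw[:20])

# Constructed sample directory modelled on Jan's entries: the user plus one appPassword
# child per device. Keys are DNs; the cleartext values from the post are hashed here.
DIRECTORY = {
    "uid=semik,dc=neco": {"userPassword": [ssha_hash("main-secret")]},
    "dc=12345,uid=semik,dc=neco": {"password": ssha_hash("some-generated-password1"),
                                   "passwordLabel": "phone-email"},
    "dc=12395,uid=semik,dc=neco": {"password": ssha_hash("some-generated-password2"),
                                   "passwordLabel": "tablet-email"},
    "dc=12399,uid=semik,dc=neco": {"password": ssha_hash("some-generated-password3"),
                                   "passwordLabel": "phone-calendar"},
}

def multivalued_bind(user_dn, password):
    """Petr's suggestion (several userPassword values): any matching value binds, for any
    application. That is Howard's objection: nothing scopes a value to one service."""
    return any(ssha_verify(password, v) for v in DIRECTORY.get(user_dn, {}).get("userPassword", []))

def scoped_bind(user_dn, password, service):
    """Jan's scheme. 'service' is what the client is authenticating for; an app password's
    label is assumed to follow '<device>-<service>'. The primary password binds only for
    'primary' (the financial / high-trust applications). Returns the accepted label, or None."""
    if service == "primary":
        return "primary" if multivalued_bind(user_dn, password) else None
    for dn, entry in DIRECTORY.items():
        label = entry.get("passwordLabel", "")
        if dn.endswith("," + user_dn) and label.endswith("-" + service) and ssha_verify(password, entry["password"]):
            return label
    return None

def revoke(child_dn):
    """Revoking a compromised device deletes just its child entry; the other passwords stay valid."""
    return DIRECTORY.pop(child_dn, None) is not None
```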
COMPATIBILITY BETWEEN VERSIONS.
by Ezequiel Larrarte
Hi people ...
Nowadays I have CentOS 5 on my servers, but next year I'll start
setting up CentOS 6 on them.
I'll first install 389DS on the main CentOS 5 servers from the EPEL
repository (currently version 1.2.1) and I guess replication between
them will work fine because I'm using the same version of 389DS.
The thing is that EPEL for CentOS 6 has 389DS version 1.2.2 instead of 1.2.1.
So, what would be a safe way to migrate to a newer version of 389DS?
- Do I have to migrate all CentOS 5 servers participating in the
replication process to CentOS 6 at the same time?
- How do you handle that kind of situation? Is there any
documentation I can read?
Thanks!
--
---------------------------------------------------------
Ezequiel Larrarte.
" ... God Always Takes The Simplest Way! ... "
10 years, 5 months
Export Replica Question
by Paul Whitney
I have a master, hub, and 4 consumers.
I want to initialize the consumers who have a replication agreement from the hub.
Is it okay to export the replica from one replication agreement to a consumer and use that same replica for the three other consumers?
Paul
10 years, 5 months
PAM Pass through authentication only one threaded
by Jan Tomasek
Hello,
I'm experimenting with PAM pass-through authentication and it looks like 389
processes parallel requests serially.
To demonstrate this behavior I use a simple testing script:
for i in `seq 1 10`
do
time ldapsearch -LLL -H ldaps://xxx.cesnet.cz -x \
-b dc=perun-shadow,dc=cesnet,dc=cz \
-D "uid=semik$i,ou=People,dc=perun-shadow,dc=cesnet,dc=cz" \
-w 'zadek' -s base dn &
done
here is part of the output I get:
bind DN [uid=semik6,ou=People,dc=perun-shadow,dc=cesnet,dc=cz]
real 0m2.127s
bind DN [uid=semik10,ou=People,dc=perun-shadow,dc=cesnet,dc=cz]
real 0m4.392s
bind DN [uid=semik1,ou=People,dc=perun-shadow,dc=cesnet,dc=cz]
real 0m6.405s
bind DN [uid=semik5,ou=People,dc=perun-shadow,dc=cesnet,dc=cz]
real 0m8.699s
bind DN [uid=semik2,ou=People,dc=perun-shadow,dc=cesnet,dc=cz]
real 0m10.926s
...
All ldapsearch commands are executed in the background, i.e. in parallel. But
the server processes them serially. I can tell that by the increasing time
needed to process the ldapsearches. The increment of around 2 sec is caused by
the pam_unix delay because of the wrong password.
Is 389 bind process really serialized? Or have I just overlooked some limit?
Configuration of PAM plugin:
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
objectClass: pamConfig
cn: PAM Pass Through Auth
nsslapd-pluginPath: libpam-passthru-plugin
nsslapd-pluginInitfunc: pam_passthruauth_init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-pluginloadglobal: true
nsslapd-plugin-depends-on-type: database
pamMissingSuffix: ALLOW
pamExcludeSuffix: cn=config
pamIDMapMethod: RDN
pamIDAttr: notUsedWithRDNMethod
pamFallback: FALSE
pamSecure: TRUE
pamService: sshd
nsslapd-pluginId: pam_passthruauth
nsslapd-pluginVersion: 1.2.11.15
nsslapd-pluginVendor: 389 Project
nsslapd-pluginDescription: PAM pass through authentication plugin
nsslapd-pluginarg0: pamIncludeSuffix
nsslapd-pluginarg1: dc=perun-shadow,dc=cesnet,dc=cz
modifiersName: cn=directory manager
modifyTimestamp: 20131101085721Z
Thank you for any suggestions!
--
-----------------------
Jan Tomasek aka Semik
http://www.tomasek.cz/
10 years, 5 months
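One way to read the timing output above more systematically, as an added Python example that is not part of Jan's post: it parses the bash `time` lines and checks whether completion times step up by the roughly 2 s pam_unix delay (one bind at a time) or cluster together (binds overlapping). The second data set is constructed to show what a concurrent server would have produced.

```python
import re

# Constructed sample: the `time` output Jan quoted for his backgrounded ldapsearch binds
# (the first five of ten), where pam_unix adds about 2 s per wrong password.
SERIAL_OUTPUT = """\
bind DN [uid=semik6,ou=People,dc=perun-shadow,dc=cesnet,dc=cz]
real 0m2.127s
bind DN [uid=semik10,ou=People,dc=perun-shadow,dc=cesnet,dc=cz]
real 0m4.392s
bind DN [uid=semik1,ou=People,dc=perun-shadow,dc=cesnet,dc=cz]
real 0m6.405s
bind DN [uid=semik5,ou=People,dc=perun-shadow,dc=cesnet,dc=cz]
real 0m8.699s
bind DN [uid=semik2,ou=People,dc=perun-shadow,dc=cesnet,dc=cz]
real 0m10.926s
"""

# Constructed: what the same five binds would look like if the server ran them concurrently.
PARALLEL_OUTPUT = "real 0m2.131s\nreal 0m2.140s\nreal 0m2.152s\nreal 0m2.166s\nreal 0m2.171s\n"

REAL_LINE = re.compile(r"^real\s+(\d+)m([\d.]+)s", re.M)

def parse_real_times(output):
    """Wall-clock seconds from bash `time` lines ('real 0m4.392s'), in completion order."""
    return [int(m) * 60 + float(s) for m, s in REAL_LINE.findall(output)]

def effective_concurrency(times, unit_delay):
    """N requests each costing unit_delay on the server: fully parallel, the slowest finishes
    near unit_delay; fully serialized, near N * unit_delay. N * unit_delay / max(times) is
    therefore roughly how many binds were in flight at once (1.0 means one at a time)."""
    return len(times) * unit_delay / max(times)

def looks_serialized(times, unit_delay, tolerance=0.25):
    """True when sorted completion times step up by about unit_delay each, i.e. one at a time."""
    ts = sorted(times)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return bool(gaps) and all(abs(g - unit_delay) <= tolerance * unit_delay for g in gaps)
```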
SAMBA.
by Ezequiel Larrarte
I'm trying to do LDAP authentication with 389DS using SAMBA.
I'm using ldap ssl = off in smb.conf but when I try to smbpasswd a
user I get that this kind of operation needs a secure channel.
If I set ldap ssl = start tls, SAMBA does not start, complaining about TLS!
Maybe a certificate validation issue?
- Does 389DS come with TLS support by default?
Thanks!
--
---------------------------------------------------------
Ezequiel Larrarte.
" ... God Always Takes The Simplest Way! ... "
10 years, 5 months
Synching UIDs
by Heathe Yeakley
I'm getting started with 389 server. I have a data center where I want to
synch the UIDs across hundreds of Red Hat boxes. I'm starting my way
through the documentation right now. I'm assuming 389 has some kind of
utility/shell script/something to synch UIDs across unix systems for SSO.
A) Is my assumption correct?
B) Can anyone point me to the chapter in the documentation that explains
how to do this?
Thank you.
--
- Heathe Kyle Yeakley
Happiness is a choice that requires effort at times.
- Aeschylus
10 years, 5 months