December 2013 - 389-users - Fedora Mailing-Lists

by Chris Bryant

When configuring Microsoft Outlook (not Outlook Express) to access an LDAP directory, there is an option to 'Enable Browsing (requires server support)'. If this option is chosen and the directory server supports it, then you should be able to open the LDAP address book and page up and down through the results. I have been unable to get this working properly with 389 DS. When I try to browse from Outlook against the 389 DS directory, I am able to see the first page of results perfectly. However, if I move to the next page, only the first object returned will have any attributes included, and all of the rest of the objects in the page will have no attributes. I have a test perl script that duplicates this functionality as well. I can get this to work properly with an older version of Netscape Directory Server, and I can get it working with OpenDS. Since 389 DS advertises support for the controls that are required for this to work, just like the other two servers, then I would expect it to work there also. Has anyone out there gotten this to work with 389 DS? If so, can you share if there was anything special that you needed to do to get this to work? I'm trying to determine if this is a bug in the server, or if I'm just missing something in the configuration. Thanks, Chris USA.NET You Run Your Business. We'll Run Your Email. This message is for the sole use of the intended recipient(s) and may contain confidential and/or privileged information of USA.NET, Inc. Any unauthorized review, use, copying, disclosure, or distribution is prohibited. If you are not the intended recipient, please immediately contact the sender by reply email and delete all copies of the original message.

3 years, 3 months

3
2
0 / 0

multi-valued nsAccountLock

by Pierre ROUDIER

Hi all, RedHat DS's doc states that the nsAccountLock attribute is multi-valued [1]. Some tests with 389ds led me to think it's also true for 389ds. I cannot think of any reason explaining why it would have to be multi-valued. Do you have any idea? Thank you. [1] https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Serv...

8 years, 5 months

3
2
0 / 0

changelog

by Denise Cosso

Hi, How to modify the attribute nsslapd-encryptionalgorithm in Centos? Thanks, Denise Stop Master servers and set nsslapd-encryptionalgorithm. The allowed value is AES or 3DES. dn: cn=changelog5,cn=config [...] nsslapd-encryptionalgorithm: AES --- Em ter, 4/6/13, Rich Megginson <rmeggins(a)redhat.com> escreveu: De: Rich Megginson <rmeggins(a)redhat.com> Assunto: Re: [389-users] changelog Para: "Denise Cosso" <guanaes51(a)yahoo.com.br> Data: Terça-feira, 4 de Junho de 2013, 16:34 On 06/04/2013 01:26 PM, Denise Cosso wrote: Hi, Rich CentOS release 6.3 (Final) 389-ds-base-libs-1.2.10.2-20.el6_3.x86_64 389-ds-1.2.2-1.el6.noarch 389-dsgw-1.1.10-1.el6.x86_64 389-ds-console-1.2.6-1.el6.noarch 389-ds-console-doc-1.2.6-1.el6.noarch 389-ds-base-1.2.10.2-20.el6_3.x86_64 As far as replication goes - you will need to use a security layer (SSL, TLS, or GSSAPI) to protect the clear text password on the wire As far as encrypting it in the changelog - not sure Denise --- Em ter, 4/6/13, Rich Megginson <rmeggins(a)redhat.com> escreveu: De: Rich Megginson <rmeggins(a)redhat.com> Assunto: Re: [389-users] changelog Para: "General discussion list for the 389 Directory server project." <389-users(a)lists.fedoraproject.org> Cc: "Denise Cosso" <guanaes51(a)yahoo.com.br> Data: Terça-feira, 4 de Junho de 2013, 16:11 On 06/04/2013 12:39 PM, Denise Cosso wrote: Hi, Description of problem: When a userPassword is changed in a server with changelog, the hashed password is logged and also a cleartext pseudo-attribute version. It looks like this: change:: replace: userPassword userPassword: {SHA256}vqtiN2LHdrEUOJUKu+IBVqAVFsAlvFw+11kD/Q== - replace: unhashed#user#password unhashed#user#password: secret12 This unhashed version is used in winsync where the cleartext version of the password must be written to the AD. Now if the DS is involved in replication with another DS, the change will be replayed exactly as it is logged to the other DS replicas, including the cleartext pseudo-attribute password. What platform? What version of 389-ds-base are you using? thanks, Denise -- 389 users mailing list 389-users(a)lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users

8 years, 7 months

2
2
0 / 0

389 Master - Master Replication

by Santos Ramirez

Good Morning, We have a master - master replication agreement. When we initialize the replication it works perfectly we can see changes to a test user we have set up go up and down from the two servers. However at some point the replication stops and we cannot get replication to start once again. The only way we can get replication to start once again is to recreate the replication agreement and then it fails again. Can anyone please point us in a direction. I am relatively new to 389 so any help would be greatly appreciated. Santos U. Ramirez Linux Systems Administrator National DCP, LLC 150 Depot Street Bellingham, Ma. 02019 Phone: 508-422-3089 Fax: 508-422-3866 Santos.Ramirez(a)natdcp.com<mailto:Santos.Ramirez@natdcp.com> This email and any attachments are intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail, do not copy or forward to any unauthorized persons, permanently delete the original and notify the sender by replying to this email.

9 years, 2 months

3
9
0 / 0

DS+SSL Start up Errors...

by David Barr

Good Morning! I’m working my way through http://directory.fedoraproject.org/wiki/Howto:SSL trying to create the certificates with OpenSSL, and then get them added to the NSS database. Most of that is fine. It’s only at the end that the directory server refuses to start, with these errors: ### SSL alert: Security Initialization: Unable to authenticate (Netscape Portable Runtime error -8192 - An I/O error occurred during security authorization.) ERROR: SSL Initialization Failed. ### Here’s what I’m going through. These commands are cut/pasted out of a script, so you’ll see my variable substitution. As far as that goes, these commands all return without error. (For what it’s worth, once everything works, I plan to post the script as an alternative to setupssl.sh and setupssl2.sh.) ### Private Key: openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:$PRIVATE_RSA_BITS -outform PEM -out $F_PRIVATE_KEY ### CA Certificate: openssl req -new -x509 -extensions v3_ca -key $F_PRIVATE_KEY -days $CERT_CA_EXPIRE \ -subj $CERT_CA_SUBJ -out $F_CERT_CA ### Host Certificate Request: openssl req -new -nodes -key $F_PRIVATE_KEY -days $HOST_CERT_EXPIRE -subj $CERT_CA_SUBJ \ -out $F_CERT_REQ ### Self-sign the Request: openssl ca -keyfile $F_PRIVATE_KEY -selfsign -days $HOST_CERT_EXPIRE -in $F_CERT_REQ \ -out $F_HOST_CERT ### Create a password file to use with creating and populating the certificate database: echo $PASSWORD > $F_PW_FILE chown nobody:nobody $F_PW_FILE chmod u+r,u-wxs,g-rwxs,o-rwxt $F_PW_FILE ### Create the pin.txt file for NSPR: echo "Internal (Software) Token:$PASSWORD" > $F_PINFILE chown nobody:nobody $F_PINFILE chmod u+r,u-wxs,g-rwxs,o-rwxt $F_PINFILE ### Adapt the host certificate to PKCS12 format: openssl pkcs12 -export -in $F_HOST_CERT -inkey $F_PRIVATE_KEY -out $F_HOST_PKCS \ -passout file:${F_PW_FILE} -name "${PKCS_CERT_NAME}" ### Create the certificate database: certutil -N -d sql:$D_INSTANCE_VAR -f $F_PW_FILE ### Import the host certificate: pk12util -v -i $F_HOST_PKCS -d sql:$D_INSTANCE_VAR -k $F_PW_FILE -w $F_PW_FILE ### Import the CA certificate: certutil -A -d sql:$D_INSTANCE_VAR -n "Local CA Certificate" -t CT,, -a -i $F_CERT_CA -f $F_PW_FILE ### List the certificates (This returns both certificates in good order): certutil -L -d sql:$D_INSTANCE_VAR ### Finally, the LDAP modifications (I also set up the “MemberOf” plugin, here. That’s been redacted for clarity.): ldapmodify -x -h localhost -D "cn=Directory Manager" -w $PASSWORD <<EOT dn: cn=config changeType: modify replace: passwordStorageScheme passwordStorageScheme: SSHA512 - add: nsslapd-security nsslapd-security: on - replace: nsslapd-ssl-check-hostname nsslapd-ssl-check-hostname: off dn: cn=encryption,cn=config changetype: modify replace: nsSSL3 nsSSL3: on - replace: nsSSLClientAuth nsSSLClientAuth: allowed - add: nsSSL3Ciphers nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5, +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza, +fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha, +tls_rsa_export1024_with_des_cbc_sha,-rc4,-rc4export,-rc2,-rc2export,-des, -desede3 dn: cn=RSA,cn=encryption,cn=config changetype: add objectclass: top objectclass: nsEncryptionModule cn: RSA nsSSLPersonalitySSL: Server-Cert nsSSLToken: internal (software) nsSSLActivation: on EOT After that, `service restart dirsrv ${INSTANCE}`, as nobody:nobody, returns the errors I showed at the top of this message. Thoughts? Thanks! David -- David - Offbeat http://dafydd.livejournal.com dafydd - Online http://pgp.mit.edu/ Battalion 4 - Black Rock City Emergency Services Department Integrity*Commitment*Communication*Support ----5----1----5----2----5----3----5----4----5----5----5----6----5----7-- Pavlov walks into a bar. The phone rings and he says, "Damn! I forgot to feed the dog!"

9 years, 11 months

2
1
0 / 0

Re: [389-users] "Re:Binding Directory Manager as default Bind when using SSL/TLS certificate (please help)"

by Fosiul alam

Hi Predrag I just realized that from server itself i can do search without providing BindDN and password. But Cant do this from client.... example bellow from Server itself [root@puppet-1 slapd-puppet-1]# ldapsearch -xZZZ # extended LDIF # # LDAPv3 # base <dc=fosiul,dc=lan> (default) with scope subtree # filter: (objectclass=*) # requesting: ALL # # fosiul.lan dn: dc=fosiul,dc=lan dc: fosiul objectClass: domain objectClass: top # groups, fosiul.lan dn: ou=groups,dc=fosiul,dc=lan ou: groups objectClass: organizationalUnit objectClass: top # search result search: 3 result: 0 Success # numResponses: 3 # numEntries: 2 [root@puppet-1 slapd-puppet-1]# So, looks like there is a restriction from Client anonymous search .. Any idea where to look at ??

9 years, 11 months

3
2
0 / 0

"Re:Binding Directory Manager as default Bind when using SSL/TLS certificate (please help)"(Solved-Thanks)

by Fosiul alam

Hi Guys yes, its been sorted now . the issues was Anynomouse acl , after I set it, all are fine. Thanks Again.

9 years, 11 months

1
0
0 / 0

Re: [389-users] "Re:Binding Directory Manager as default Bind when using SSL/TLS certificate (please help)"

by Fosiul alam

Hi, Bellow is my /etc/openldap/ldap.conf URI ldap://puppet-1.fosiul.lan/ BASE dc=fosiul,dc=lan TLS_CACERTDIR /etc/openldap/cacerts tls_cacertfile /etc/openldap/cacerts/CRT.crt Dont i need to Bind this cn=Directory manager with ssl'/TLS search ?? Something like this Overview of Autobind and LDAPI https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Serv... Kind Regards

9 years, 11 months

3
2
0 / 0

Re: [389-users] "Re:Binding Directory Manager as default Bind when using SSL/TLS certificate (please help)"

by Fosiul alam

Hi Arpit, as you can see, when i am not definning any Cn=directory Manager + password its failling to show all the entries. Bellow does not show any Entries : [root at test ~]# /usr/bin/ldapsearch -xZZ -b 'dc=fosiul,dc=lan' --------------------- # extended LDIF # # LDAPv3 # base <dc=fosiul,dc=lan> with scope subtree # filter: (objectclass=*) # requesting: ALL # # search result search: 3 result: 0 Success # numResponses: 1 No Error, no Entries ------------------------------------------------ [root at test ~]# /usr/bin/ldapsearch -xZZ -D 'cn=Directory Manager' -b 'dc=fosiul,dc=lan' # extended LDIF # # LDAPv3 # base <dc=fosiul,dc=lan> with scope subtree # filter: (objectclass=*) # requesting: ALL # # search result search: 3 result: 0 Success # numResponses: 1 [root at test ~]# Only Works :-- ------------------ [root at test ~]# /usr/bin/ldapsearch -xZZ -D 'cn=Directory Manager' -w 'xxx' -b 'dc=fosiul,dc=lan' # extended LDIF # # LDAPv3 # base <dc=fosiul,dc=lan> with scope subtree # filter: (objectclass=*) # requesting: ALL # # fosiul.lan dn: dc=fosiul,dc=lan dc: fosiul objectClass: domain objectClass: top # groups, fosiul.lan dn: ou=groups,dc=fosiul,dc=lan ou: groups objectClass: organizationalUnit objectClass: top # search result search: 3 result: 0 Success # numResponses: 3 # numEntries: 2 [root at test ~]#

9 years, 11 months

1
0
0 / 0

Re: [389-users] "Re:Binding Directory Manager as default Bind when using SSL/TLS certificate (please help)"

by Fosiul alam

Further to this :- As you can see, bellow should give me the full Entry , but it does not .. [root@test ~]# /usr/bin/ldapsearch -xZZ -b 'dc=fosiul,dc=lan' # extended LDIF # # LDAPv3 # base <dc=fosiul,dc=lan> with scope subtree # filter: (objectclass=*) # requesting: ALL # # search result search: 3 result: 0 Success # numResponses: 1 No Error, but no Entries ------------------------------------------------ [root@test ~]# /usr/bin/ldapsearch -xZZ -D 'cn=Directory Manager' -b 'dc=fosiul,dc=lan' # extended LDIF # # LDAPv3 # base <dc=fosiul,dc=lan> with scope subtree # filter: (objectclass=*) # requesting: ALL # # search result search: 3 result: 0 Success # numResponses: 1 [root@test ~]# Only Works :-- ------------------ [root@test ~]# /usr/bin/ldapsearch -xZZ -D 'cn=Directory Manager' -w 'xxx' -b 'dc=fosiul,dc=lan' # extended LDIF # # LDAPv3 # base <dc=fosiul,dc=lan> with scope subtree # filter: (objectclass=*) # requesting: ALL # # fosiul.lan dn: dc=fosiul,dc=lan dc: fosiul objectClass: domain objectClass: top # groups, fosiul.lan dn: ou=groups,dc=fosiul,dc=lan ou: groups objectClass: organizationalUnit objectClass: top # search result search: 3 result: 0 Success # numResponses: 3 # numEntries: 2 [root@test ~]#

9 years, 11 months

1
0
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

389-users December 2013