X11 forwarding refused
by Aziza Lichir
hello,
I'm new to this project and I would like to know how to use DS-389 without
the graphical interface in CentOS 6.
Thank you
--
Aziza Lichir
9 years, 11 months
clean ruv error
by Moisés Barba Pérez
Hi,
Trying to clean a ruv of an old server (the server doesn't exist any more)
I use:
[root@xxx ~]# ldapmodify -D "cn=Directory Manager" -x -W <<EOF
dn: cn=X-Y1-Y2, cn=replica, cn="o=xxx,dc=xxx,dc=xx", cn=mapping tree, cn=config
changetype: modify
replace: nsds5task
nsds5task: CLEANRUVxx
EOF
obtaining:
modifying entry "cn=X-Y1-Y2, cn=replica, cn="o=xxx,dc=xxx,dc=xxx", cn=mapping tree, cn=config"
ldapmodify: Server is unwilling to perform (53)
Which could be the problem? Can I just delete the attribute nsds50ruv in
that entry?
nsds50ruv: {replica 3 ldap://server3:389} xxxx yyyy -> I want to delete this one
nsds50ruv: {replica 2 ldap://server1:389} xxxx yyyy
nsds50ruv: {replica 1 ldap://server2:389} xxxx yyyy
nsds50ruv: {replicageneration} xxxx
By the way, what is the meaning of nsds50ruv? I have been looking
for it and I only read about "internal state".
Thanks in advance.
Moses.
9 years, 11 months
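The post above asks what nsds50ruv holds and whether a stale element can simply be removed. Before running any RUV cleanup task it helps to see what the attribute actually encodes. The following is an added example, not code from the post or from the 389 project: it parses nsds50ruv values of the form shown in the post ("{replica <rid> <url>} <min csn> <max csn>" plus a "{replicageneration}" element), decodes the CSNs (20 hex characters: 8 of Unix time, then 4 each for sequence number, replica id and sub-sequence number), and lists the replica ids whose URL is not among the suppliers that still exist. The sample RUV values and the live-server list are constructed; the placeholder CSNs "xxxx yyyy" in the post are replaced by constructed 20-hex-digit values.

```python
import re
from datetime import datetime, timezone

# One nsds50ruv element: {replica <rid> <url>} <min csn> <max csn>
# A replica that has not written yet may carry no CSNs, so both are optional.
ELEMENT_RE = re.compile(
    r"^\{replica\s+(?P<rid>\d+)\s+(?P<url>\S+)\}"
    r"(?:\s+(?P<min>[0-9a-fA-F]{20}))?(?:\s+(?P<max>[0-9a-fA-F]{20}))?\s*$"
)
GENERATION_RE = re.compile(r"^\{replicageneration\}\s+(?P<gen>\S+)\s*$")

# Constructed sample: the post's layout with made-up CSNs.
SAMPLE_RUV = [
    "{replicageneration} 5164a5b3000000010000",
    "{replica 3 ldap://server3:389} 5164a5b3000000030000 5164a7e1000000030000",
    "{replica 2 ldap://server1:389} 5164a5b3000000020000 51713f2a000000020000",
    "{replica 1 ldap://server2:389} 5164a5b3000000010000 51713f5c000000010000",
]
# Constructed: the suppliers that still exist (server3 was decommissioned).
LIVE_SUPPLIERS = {"ldap://server1:389", "ldap://server2:389"}


def parse_csn(csn):
    """Decode a 389-ds CSN: 8 hex chars of Unix time, then 4 hex chars each of
    sequence number, replica id and sub-sequence number (20 hex chars total)."""
    if len(csn) != 20:
        raise ValueError("CSN must be 20 hex characters: %r" % csn)
    return {
        "time": datetime.fromtimestamp(int(csn[0:8], 16), tz=timezone.utc),
        "seq": int(csn[8:12], 16),
        "rid": int(csn[12:16], 16),
        "subseq": int(csn[16:20], 16),
    }


def parse_ruv(values):
    """Turn the list of nsds50ruv attribute values into a structured RUV."""
    ruv = {"generation": None, "elements": []}
    for value in values:
        gen = GENERATION_RE.match(value)
        if gen:
            ruv["generation"] = gen.group("gen")
            continue
        elem = ELEMENT_RE.match(value)
        if not elem:
            raise ValueError("unrecognised nsds50ruv value: %r" % value)
        ruv["elements"].append({
            "rid": int(elem.group("rid")),
            "url": elem.group("url"),
            "min_csn": parse_csn(elem.group("min")) if elem.group("min") else None,
            "max_csn": parse_csn(elem.group("max")) if elem.group("max") else None,
        })
    return ruv


def stale_replica_ids(ruv, live_urls):
    """Replica ids whose URL is not among the suppliers known to still exist;
    these are the candidates for a CLEANRUV task."""
    return sorted(e["rid"] for e in ruv["elements"] if e["url"] not in live_urls)


if __name__ == "__main__":
    ruv = parse_ruv(SAMPLE_RUV)
    print("generation:", ruv["generation"])
    for e in ruv["elements"]:
        last = e["max_csn"]["time"].isoformat() if e["max_csn"] else "never"
        print("replica %d at %s, last change %s" % (e["rid"], e["url"], last))
    print("stale replica ids:", stale_replica_ids(ruv, LIVE_SUPPLIERS))
```

The max CSN of each element tells you when that replica last produced a change, which is the check to do before cleaning it: a replica id that still writes is not stale, even if its hostname looks unfamiliar.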
Reg aci field missing
by s.varadha rajan
Hi Team,
We have implemented 389-ds in Ubuntu 12.04 LTS. Everything is working
fine. We have created an ou called "groups", such as ou=groups,dc=xxx,dc=com.
The same 389-ds (1.2.1-0ubuntu2) is implemented in Ubuntu Linux 10.04 LTS, and
we can see the "aci" attributes in the groups OU. The same aci is not available
in "1.2.10.4-0ubuntu3.1".
For example, if I connect to my *older ldap server* through phpldapadmin and
select any group from "ou=groups,dc=xxx,dc=com", I can see the below
fields from the aci attribute,
(targetattr="*")(target="ldap:///cn=*,ou=services,ou=groups,dc=xxx,dc=com")(version 3.0;acl "<group name>"; allow (write)(userdn="ldap:///uid=<user name>,ou=people,dc=xxx,dc=com");)
(targetattr="*")(target="ldap:///cn=*,ou=services,ou=groups,dc=xxx,dc=com")(version 3.0;acl "<group name>"; allow (write)(userdn="ldap:///uid=<user name>,ou=people,dc=xxx,dc=com");)
(targetattr="*")(target="ldap:///cn=*,ou=services,ou=groups,dc=xxx,dc=com")(version 3.0;acl "<group name>"; allow (write)(userdn="ldap:///uid=<user name>,ou=people,dc=xxx,dc=com");)
For getting the same details, if I connect to my new LDAP server through
phpldapadmin, the "aci" attribute itself is not displayed.
Is the attribute related to samba? I referred to some of the blogs on the
net; if I search through ldapsearch,
ldapsearch -x -h localhost -p <port no> -s base -b "cn=schema" "objectclass=*" | grep -i samba
-> output is displayed in the old server with some values. If I apply the same
command in the new server, no output.
My question may be silly, pls don't mistake. What could be the reason?
Regards,
Varad
9 years, 11 months
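The ACIs quoted in the post above are the entire access-control story for those group entries, so being able to read them mechanically is useful when comparing two servers. What follows is an added example, not code from the post or from the 389 project: a small parser for ACI strings of the shape shown (target clauses, then "(version 3.0;acl "name"; allow (rights)(bind rule);)"), plus an audit that lists ACIs granting write (or all) on every attribute via targetattr="*". The sample ACIs are constructed from the post's pattern, with the placeholders "<group name>" and "<user name>" replaced by made-up values; the parser handles flat bind rules only, not nested parentheses.

```python
import re

# Target clauses precede the version header, e.g. (targetattr="*") (target="ldap:///...")
TARGET_RE = re.compile(r'\(\s*(?P<kw>target\w*)\s*(?P<op>!?=)\s*"(?P<val>[^"]*)"\s*\)')
# (version 3.0;acl "name"; <permission rules>)
HEADER_RE = re.compile(
    r'\(\s*version\s+(?P<version>[0-9.]+)\s*;\s*acl\s+"(?P<name>[^"]*)"\s*;(?P<body>.*)\)\s*$',
    re.DOTALL,
)
# allow|deny (rights)(bind rule);  -- flat bind rules only, no nested parentheses
RULE_RE = re.compile(
    r'(?P<kind>allow|deny)\s*\((?P<rights>[^)]*)\)\s*\((?P<bind>.*?)\)\s*;', re.DOTALL
)

# Constructed samples built on the post's ACI layout.
SAMPLE_ACIS = [
    '(targetattr="*")(target="ldap:///cn=*,ou=services,ou=groups,dc=example,dc=com")'
    '(version 3.0;acl "service-admins"; allow (write)'
    '(userdn="ldap:///uid=jdoe,ou=people,dc=example,dc=com");)',
    '(targetattr="cn || member")(target="ldap:///cn=*,ou=groups,dc=example,dc=com")'
    '(version 3.0;acl "group-readers"; allow (read,search)(userdn="ldap:///all");)',
]


def parse_aci(aci):
    """Split one ACI value into its name, version, target clauses and permission rules."""
    header = HEADER_RE.search(aci)
    if not header:
        raise ValueError("no version/acl header in ACI: %r" % aci)
    # Only the text before the header can hold target clauses.
    targets = {m.group("kw"): (m.group("op"), m.group("val"))
               for m in TARGET_RE.finditer(aci[:header.start()])}
    rules = [
        {
            "kind": m.group("kind"),
            "rights": [r.strip().lower() for r in m.group("rights").split(",") if r.strip()],
            "bind": m.group("bind").strip(),
        }
        for m in RULE_RE.finditer(header.group("body"))
    ]
    return {"name": header.group("name"), "version": header.group("version"),
            "targets": targets, "rules": rules}


def wildcard_write_acis(acis):
    """Names of ACIs that allow write (or all) on every attribute (targetattr="*")."""
    flagged = []
    for aci in acis:
        parsed = parse_aci(aci)
        grants_write = any(
            r["kind"] == "allow" and ({"write", "all"} & set(r["rights"]))
            for r in parsed["rules"]
        )
        if parsed["targets"].get("targetattr") == ("=", "*") and grants_write:
            flagged.append(parsed["name"])
    return flagged


if __name__ == "__main__":
    for aci in SAMPLE_ACIS:
        p = parse_aci(aci)
        print(p["name"], p["targets"], [(r["kind"], r["rights"]) for r in p["rules"]])
    print("write on all attributes:", wildcard_write_acis(SAMPLE_ACIS))
```

Run this over an ldapsearch export of the aci attribute from both servers and diff the parsed names and targets; that separates "the attribute is not returned" (a read-permission or client question) from "the ACIs really differ".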
Setting up a test server
by harry.devine@faa.gov
I am trying to implement a "Forgot Password" web page for our organization
and I am at the point where I want to update the user's account with the
temporary password. Since I don't want to have any issues on the
production servers, I have installed a virtual machine with CentOS 6.4 and
have installed 389-ds on it. The server seems to be running (i.e. I can
do an ldapsearch command and see the test users that I have), but I can't
seem to be able to log in as any of those users.
I have used the Authentication GUI to set the log in method to LDAP and
have put in the required information, but if I try to "su" over as one of
those users, or log out and try to enter one of the test user names, I get
an error saying that the user was not found.
So, how can I configure CentOS 6.4 to allow access to the test 389-ds
server?
Thanks,
Harry
Harry Devine
Common ARTS Software Development
AJM-245
(609)485-4218
Harry.Devine(a)faa.gov
9 years, 11 months
passwordexpirationtime reset to 19700101000001Z
by Ryan Mindaña
Hi Everyone,
I had this experience when I enabled password policy in 389 DS: at first
it was working properly, but after some time I encountered a strange problem.
When resetting a user's password, or if the user changes the password, the
"passwordexpirationtime" is reset to "19700101000001Z", and so the
password expiration policy stops working.
Version:
389-ds-console-doc-1.2.6-1.el5
389-ds-base-1.2.9.9-1.el5
389-ds-1.2.1-1.el5
389-ds-base-libs-1.2.9.9-1.el5
389-ds-console-1.2.6-1.el5
389-console-1.1.7-3.el5
389-adminutil-1.1.14-1.el5
389-admin-console-1.1.8-1.el5
389-admin-console-doc-1.1.8-1.el5
389-admin-1.1.23-1.el5
389-dsgw-1.1.7-2.el5
ERROR:
22/Apr/2013:05:29:04 +0800] _entry_set_tombstone_rdn - Failed to convert DN
cn=cn\3DnsPwPolicyEntry\2Cou\3DPeople\2Cdc\3Dexample\2Cdc\3Dcom\2Cdc\3Dsg
to RDN
[22/Apr/2013:05:29:04 +0800] id2entry - str2entry returned NULL for id 579,
string="rdn"
22/Apr/2013:05:29:04 +0800] _entry_set_tombstone_rdn - Failed to convert DN
cn=cn\3DnsPwTemplateEntry\2Cou\3DPeople\2Cdc\3Dexample\2Cdc\3Dcom\2Cdc\3Dsg
to RDN
[22/Apr/2013:05:29:04 +0800] id2entry - str2entry returned NULL for id 580,
string="rdn"
[22/Apr/2013:12:00:01 +0800] - cos_cache_query_attr: failed to normalize dn
ou=People,dc=example,dc=com,dc. Processing the pre normalized dn.
The problem began when we modified the password policy (doing a disable and
enable).
Thanks
Ryan
9 years, 11 months
Replicate memberOf from Active Directory
by Dan Weintraub
Hi all,
I have a hopefully quickish question about memberOf attributes. I've got a
389 server replicating from an Active Directory setup. If I run a user
search against the LDAP interface of Active Directory I get memberOf:
attributes, but they don't appear to be replicating to the 389 server.
I want to get those attributes from my 389 server and I was hoping for a
little guidance before I start digging into how to do this. Do I need to
install the plugin to get this replication working? It also seems like the
plugin could generate these attributes on its own. Would this be a good
idea? It seems like replicating the already existing attributes might be a
better idea, but I could be wrong. I have also read that the memberOf
attribute is stored as a "back-link" in AD so maybe this kind of data
can't be replicated?
Any thoughts or guidance on where to learn more would be greatly
appreciated!
Thanks!
Dan
Dan Weintraub | Systems Engineer I
V: 877.327.8422
mailto:Dan.Weintraub@dealer.com | www.dealer.com
9 years, 11 months
Issue creating new users on 389 DS running on Ubuntu Server 12.04
by Andrei Wasylyk
I'm having a really weird issue where any new user I create in 389 DS is not able to browse the directory.
What I mean is that the user binds without any issue, but when you use any directory browser client the user sees nothing in the tree. Also, I've been collaborating with a few in house developers who are writing LDAP auth into their applications - and for both (Java and Perl using the LDAP libraries) they get the same behavior - they are able to bind but the directory is empty.
Now if you use any user account that was created before (maybe a week or two ago - I'm not sure) then everything succeeds without any issue.
Also, I have a replication consumer and if I connect to it with the new credential everything works fine as well.
Using Apache Directory Studio (it's mainly what I use for troubleshooting when 389-console breaks) when I try to connect the error I get is:
"Missing schema location in RootDSE, using default schema"
Apparently it is referring to the subschemaSubentry attribute in the RootDSE - I can verify that it is there however and seems to be readable by all including anonymous.
If I use the JNDI provider for apacheDS then I get the same error followed by 4 LDAP error 53s (unwilling to perform).
Any ideas? This is our production LDAP server and I'm getting a bit desperate, I have backups from every week and I'm considering just turning it back until the issue disappears - but it would forever trouble me not to figure out what happened and how to fix it in the future.
Thanks in advance for any input.
Andrei Wasylyk
Systems Analyst
9 years, 11 months
Can I use the same certificate for all my ldap servers
by expert alert
Hi
I am planning to deploy all my ldap servers by puppet.
So I am wondering, can I use the same server certificate and CA certificate
(Directory server) for all my servers?
If yes, then under which directory shall I place those certificates?
Thanks for help
Robert
9 years, 11 months
Re: [389-users] problem connecting with old solaris servers
by Carsten Grzemba
Hi,
Have these Solaris 9 boxes worked with the old iPlanet DS?
For the password you have to configure the /etc/pam.conf like described in the man pages:
$ man pam_ldap
It is different from Solaris 10.
I guess that Solaris also needs the VLVs for getentpwent, which can be created by running /usr/lib/ldap/idsconfig.
You can use this script also for the 389DS if you fake the version check to the 5.2 version (you can google for this).
BTW: If you use ldaps you must provide the CA cert in an old cert7.db on the Solaris 9 client.
HTH
Carsten
On 15.04.13 Elizabeth Jones <bajones(a)panix.com> wrote:
> We are trying to move our servers off a very old version of iplanet (circa
> 2002) to 389 DS. The data in both ldaps is almost identical, except that
> there was some stuff in the iplanet that couldn't convert over to 389. I'm
> not sure exactly what wouldn't convert, except that I couldn't do an
> export of the iplanet database and import into 389, instead did an ldif.
>
> Everything we have converted so far (RHEL 4,5,6 and Solaris 10) has gone
> over successfully, but I'm running into problems with some old Solaris 9
> servers. They seem to be connecting successfully to the ldap, but not
> pulling back a password. getent passwd shows the list of users in the
> ldap, and I can su from root to my user account. When I have su'ed to my
> account, groups shows all the groups that I have in my ldap account on the
> new DS.
>
> I noticed this in the ldap logs, but I don't know what SolarisAuditUser
> means --
>
> [13/Apr/2013:23:42:07 -0500] conn=2042387 op=1 SRCH base="ou=people,dc=mycompany,dc=com" scope=2 filter="(&(objectClass=SolarisAuditUser)(uid=ejones))" attrs="uid SolarisAuditAlways SolarisAuditNever"
>
> Is anyone familiar with this?
>
> thanks -
>
> EJ
>
> --
> 389 users mailing list
> 389-users(a)lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
9 years, 11 months
problem connecting with old solaris servers
by Elizabeth Jones
We are trying to move our servers off a very old version of iplanet (circa
2002) to 389 DS. The data in both ldaps is almost identical, except that
there was some stuff in the iplanet that couldn't convert over to 389. I'm
not sure exactly what wouldn't convert, except that I couldn't do an
export of the iplanet database and import into 389, instead did an ldif.
Everything we have converted so far (RHEL 4,5,6 and Solaris 10) has gone
over successfully, but I'm running into problems with some old Solaris 9
servers. They seem to be connecting successfully to the ldap, but not
pulling back a password. getent passwd shows the list of users in the
ldap, and I can su from root to my user account. When I have su'ed to my
account, groups shows all the groups that I have in my ldap account on the
new DS.
I noticed this in the ldap logs, but I don't know what SolarisAuditUser
means --
[13/Apr/2013:23:42:07 -0500] conn=2042387 op=1 SRCH base="ou=people,dc=mycompany,dc=com" scope=2 filter="(&(objectClass=SolarisAuditUser)(uid=ejones))" attrs="uid SolarisAuditAlways SolarisAuditNever"
Is anyone familiar with this?
thanks -
EJ
9 years, 11 months
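The access-log line quoted in this thread is the kind of evidence that answers "is the client asking for something the server does not have?": the SRCH line shows the object class and attributes the Solaris client wants, and the matching RESULT line (not included in the post) shows whether anything came back. The following is an added example, not code from the thread or from the 389 project: a parser for 389-ds access-log SRCH/RESULT lines that pulls out the connection, operation, base, scope, filter and requested attributes, extracts the object classes named in a filter, and pairs each search with its result to report searches that returned zero entries. The first sample line is the one from the post (re-joined onto one line); the RESULT line and the second search are constructed.

```python
import re

# [timestamp] conn=N op=N KIND key=value key="quoted value" ...
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+conn=(?P<conn>\d+)\s+op=(?P<op>-?\d+)\s+(?P<kind>\w+)\s*(?P<rest>.*)$'
)
FIELD_RE = re.compile(r'(?P<key>\w+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')
OBJECTCLASS_RE = re.compile(r'\(objectClass=([^)]+)\)', re.IGNORECASE)

SAMPLE_LOG = [
    # From the post above (the wrapped "object Class" re-joined).
    '[13/Apr/2013:23:42:07 -0500] conn=2042387 op=1 SRCH base="ou=people,dc=mycompany,dc=com" '
    'scope=2 filter="(&(objectClass=SolarisAuditUser)(uid=ejones))" '
    'attrs="uid SolarisAuditAlways SolarisAuditNever"',
    # Constructed: the RESULT line that would follow that search if nothing matched.
    '[13/Apr/2013:23:42:07 -0500] conn=2042387 op=1 RESULT err=0 tag=101 nentries=0 etime=0',
    # Constructed: a second search that does find the user.
    '[13/Apr/2013:23:42:08 -0500] conn=2042388 op=1 SRCH base="ou=people,dc=mycompany,dc=com" '
    'scope=2 filter="(uid=ejones)" attrs="uid uidNumber gidNumber"',
    '[13/Apr/2013:23:42:08 -0500] conn=2042388 op=1 RESULT err=0 tag=101 nentries=1 etime=0',
]


def parse_access_line(line):
    """Parse one access-log line into timestamp, conn, op, kind and a field dict;
    returns None for lines that do not follow the conn=/op= layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for f in FIELD_RE.finditer(m.group("rest")):
        fields[f.group("key")] = f.group("quoted") if f.group("quoted") is not None else f.group("bare")
    return {
        "ts": m.group("ts"),
        "conn": int(m.group("conn")),
        "op": int(m.group("op")),
        "kind": m.group("kind"),
        "fields": fields,
        # attrs is a space-separated list when present ("ALL" on some servers)
        "attrs": fields["attrs"].split() if "attrs" in fields else None,
    }


def object_classes_in_filter(ldap_filter):
    """Object class names referenced in a search filter, excluding the '*' wildcard."""
    return [oc for oc in OBJECTCLASS_RE.findall(ldap_filter) if oc != "*"]


def empty_searches(lines):
    """(conn, op, filter) for every SRCH whose RESULT succeeded but returned no entries."""
    pending = {}
    empties = []
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            continue
        key = (rec["conn"], rec["op"])
        if rec["kind"] == "SRCH":
            pending[key] = rec
        elif rec["kind"] == "RESULT" and key in pending:
            if rec["fields"].get("err") == "0" and rec["fields"].get("nentries") == "0":
                empties.append((rec["conn"], rec["op"], pending[key]["fields"].get("filter")))
            del pending[key]
    return empties


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        rec = parse_access_line(line)
        if rec and rec["kind"] == "SRCH":
            print(rec["conn"], rec["op"], rec["fields"]["base"],
                  object_classes_in_filter(rec["fields"]["filter"]), rec["attrs"])
    print("searches with zero entries:", empty_searches(SAMPLE_LOG))
```

Pairing SRCH with RESULT on (conn, op) is what turns "the client connected fine" into "the client asked for entries of class X and got none", which is the distinction the thread is chasing; the object classes the parser extracts can then be checked against the server's cn=schema.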