389-users April 2013

389-users@lists.fedoraproject.org

38 participants
41 discussions

X11 forwarding refused
by Aziza Lichir 23 Apr '13

23 Apr '13

hello, I'm new to this project and i would like to know how to use DS-389 without the graphical interface in CentOs6. Thank you -- *___________________________________________________________* ** *Aziza Lichir* * *

4 15

clean ruv error
by Moisés Barba Pérez 22 Apr '13

22 Apr '13

Hi, Tryint to clean a ruv of an old server (the server doesn't exist any more) I use: [root@xxx ~]# ldapmodify -D "cn=Directory Manager" -x -W <<EOF > > dn: cn=X-Y1-Y2, cn=replica, cn="o=xxx,dc=xxx,dc=xx", cn=mapping tree, > cn=config > > changetype: modify > > replace: nsds5task > > nsds5task: CLEANRUVxx > > EOF > obtaining: modifying entry "cn=X-Y1-Y2, cn=replica, cn="o=xxx,dc=xxx,dc=xxx", > cn=mapping tree, cn=config" > ldapmodify: Server is unwilling to perform (53) > Which could be the problem? Can I just delete de attribute nsds50ruv in that entry? nsds50ruv: {replica 3 ldap://server3:389} xxxx yyyy -> I want to delete > this one > nsds50ruv: {replica 2 ldap://server1:389} xxxx yyyy > nsds50ruv: {replica 1 ldap://server2:389} xxxx yyyy > nsds50ruv: {replicageneration} xxxx > By the way, what is it the meaning of nsds50ruv because I have been looking for it and I only read about "internal state". Thanks in advance. Moses.

3 2

Reg aci field missing
by s.varadha rajan 22 Apr '13

22 Apr '13

Hi Team, We have implemented 389-ds in Ubuntu 12.04 LTS. Everything is working fine.we have created ou called "groups " such as ou=groups,dc=xxx,dc=com. same 389-ds (1.2.1-0ubuntu2)implemented in the Ubuntu linux 10.04 LTS and we can see the "aci" attributes in the groups OU. Same aci is not available in the "1.2.10.4-0ubuntu3.1". For example, if i connected my *older ldap server* through phpldapadmin and select any group from "ou=groups,dc=xxx,dc=com" , i can see the below fields from aci attribute, (targetattr="*") (target="ldap:///cn=*,ou=services,ou=groups,dc=xxx,dc=com") (version 3.0;acl "<group name>"; allow (write)(userdn="ldap:///uid=<user name>,ou=people,dc=xxx,dc=com");) (targetattr="*") (target="ldap:///cn=*,ou=services,ou=groups,dc=xxx,dc=com") (version 3.0;acl "<group name>"; allow (write)(userdn="ldap:///uid=<user name>,ou=people,dc=xxx,dc=com");) (targetattr="*") (target="ldap:///cn=*,ou=services,ou=groups,dc=xxx,dc=com") (version 3.0;acl "<group name>"; allow (write)(userdn="ldap:///uid=<user name>,ou=people,dc=xxx,dc=com");) For getting the same details, if i connect to my new LDAP server through phpldapadmin, "aci" attribute itself not displayed. Is it the attribute is related to samba ? Refered some of the blogs through net, if i search through ldapsearch, ldapsearch -x -h localhost -p <port no> -s base -b "cn=schema" "objectclass=*" | grep -i samba -> output is displayed in the old server with some values.same command if i apply in new server, no output. My question may be silly,pls don't mistake.what could be the reason ? Regards, Varad

2 1

Setting up a test server
by harry.devine＠faa.gov 22 Apr '13

22 Apr '13

I am trying to implement a "Forgot Password" web page for our organization and I am at the point where I want to update the user's account with the temporary password. Since I don't want to have any issues on the production servers, I have installed a virtual machine with CentOS 6.4 and have installed 389-ds on it. The server seems to be running (i.e. I can do an ldapsearch command and see the test users that I have), but I can't seem to be able to log in as any of those users. I have used the Authentication GUI to set the log in method to LDAP and have put in the required information, but if I try to "su" over as one of those users, or log out and try to enter one of the test user names, I get an error saying that the user was not found. So, how can I configure CentOS 6.4 to allow access to the test 389-ds server? Thanks, Harry Harry Devine Common ARTS Software Development AJM-245 (609)485-4218 Harry.Devine(a)faa.gov

3 3

passwordexpirationtime reset to 19700101000001Z
by Ryan Mindaña 22 Apr '13

22 Apr '13

Hi Everyone, I have this experience when I enabled password policy in 389 DS, at first it was working properly but after sometime I encountered a strange problem, when resetting the users password or if the user change password the "passwordexpirationtime" is being reset to "19700101000001Z" and so policy for password expiration stop working. Version: 389-ds-console-doc-1.2.6-1.el5 389-ds-base-1.2.9.9-1.el5 389-ds-1.2.1-1.el5 389-ds-base-libs-1.2.9.9-1.el5 389-ds-console-1.2.6-1.el5 389-console-1.1.7-3.el5 389-adminutil-1.1.14-1.el5 389-admin-console-1.1.8-1.el5 389-admin-console-doc-1.1.8-1.el5 389-admin-1.1.23-1.el5 389-dsgw-1.1.7-2.el5 ERROR: 22/Apr/2013:05:29:04 +0800] _entry_set_tombstone_rdn - Failed to convert DN cn=cn\3DnsPwPolicyEntry\2Cou\3DPeople\2Cdc\3Dexample\2Cdc\3Dcom\2Cdc\3Dsg to RDN [22/Apr/2013:05:29:04 +0800] id2entry - str2entry returned NULL for id 579, string="rdn" 22/Apr/2013:05:29:04 +0800] _entry_set_tombstone_rdn - Failed to convert DN cn=cn\3DnsPwTemplateEntry\2Cou\3DPeople\2Cdc\3Dexample\2Cdc\3Dcom\2Cdc\3Dsg to RDN [22/Apr/2013:05:29:04 +0800] id2entry - str2entry returned NULL for id 580, string="rdn" [22/Apr/2013:12:00:01 +0800] - cos_cache_query_attr: failed to normalize dn ou=People,dc=example,dc=com,dc. Processing the pre normalized dn. The problem begun when we modify the password policy (doing a disable and enable) Thanks Ryan

1 0

Replicate memberOf from Active Directory
by Dan Weintraub 18 Apr '13

18 Apr '13

Hi all, I have a hopefully quickish question about memberOf attributes. I've got a 389 server replicating from an Active Directory setup. If I run a user search against the LDAP interface of Active Directory I get memberOf: attributes but they don't appear replicating to the 389 server. I want to get those attributes from my 389 server and I was hoping for a little guidance before I start digging into how to do this. Do I need to install the plugin to get this replication working? It also seems like the plugin could generate these attributes on its own. Would this be a good idea? It seems like replicating the already existing attributes might be a better idea, but I could be wrong. I have also read that the memberOf attribute is stored as a "back-link" in AD so maybe this kind of data can't be replicated? Any thoughts or guidance on where to learn more would be greatly appreciated! Thanks! Dan Dan Weintraub | Systems Engineer I V: 877.327.8422 mailto:Dan.Weintraub@dealer.com | www.dealer.com

1 0

Issue creating new users on 389 DS running on Ubuntu Server 12.04
by Andrei Wasylyk 17 Apr '13

17 Apr '13

I'm having a really weird issue where any new user I create in 389 DS is not able to browse the directory. What I mean is that the user binds without any issue, but when you use any directory browser client the user sees nothing in the tree. Also, I've been collaborating with a few in house developers who are writing LDAP auth into their applications - and for both (Java and Perl using the LDAP libraries) they get the same behavior - they are able to bind but the directory is empty. Now if you use any user account that was created before (maybe a week or two ago - I'm not sure) then everything suceeds without any issue. Also, I have a replication consumer and if I connect to it with the new credential everything works fine as well. Using Apache Directory Studio (it's mainly what I use for troubleshooting when 389-console breaks) when I try to connect the error I get is: "Missing schema location in RootDSE, using default schema" Apparently it is referring to the subschemaSubentry attribute in the RootDSE - I can verify that it is there however and seems to be readable by all including anonymous. If I use the JNDI provider for apacheDS then I get the same error followed by 4 LDAP error 53s (unwilling to perform). Any ideas? This is our production LDAP server and I'm getting a bit desperate, I have backups from every week and I'm considering just turning it back until the issue disappears - but it would forever trouble me not to figure out what happenned and how to fix it in the future. Thanks in advance for any input. Andrei Wasylyk Systems Analyst

1 0

Can i use Same Certificate for all my ldap server
by expert alert 17 Apr '13

17 Apr '13

Hi I am planning to deploy all my ldap server by puppet. so I am wondering, Can i use Same Server Certificate and CA certificate (Directory server) for all my server ??? if yes, then under which directory shall i place those certificate ?? Thanks for help Robert

4 3

Re: [389-users] problem connecting with old solaris servers
by Carsten Grzemba 16 Apr '13

16 Apr '13

Hi, have this Solaris 9 Box's worked with the old iPlanet DS?. For the password you have to configure the /etc/pam.conf like described in the man pages: $ man pam_ldap it is different to Solaris10 I guess that Solaris needs also the VLV's for getentpwent, which can created by run /usr/lib/ldap/idsconfig. You can use this script also for the 389DS if you fake the version check to the 5.2 version (you can google for this). BTW: If you use ldaps you must provide the CA' cert in an old cert7.db on the Solarsi9 Client. HTH Carsten Am 15.04.13 schrieb Elizabeth Jones <bajones(a)panix.com>: > We are trying to move our servers off a very old version of iplanet (circa > 2002) to 389 DS. The data in both ldaps is almost identical, except that > there was some stuff in the iplanet that couldn't convert over to 389. I'm > not sure exactly what wouldn't convert, except that I couldn't do an > export of the iplanet database and import into 389, instead did an ldif. > > Everything we have converted so far (RHEL 4,5,6 and Solaris 10) has gone > over successfully, but I'm running into problems with some old Solaris 9 > servers. They seem to be connecting successfully to the ldap, but not > pulling back a password. getent passwd shows the list of users in the > ldap, and I can su from root to my user account. When I have su'ed to my > account, groups shows all the groups that I have in my ldap account on the > new DS. > > I noticed this in the ldap logs, but I don't know what SolarisAuditUser > means -- > > [13/Apr/2013:23:42:07 -0500] conn=2042387 op=1 SRCH > base="ou=people,dc=mycompany,dc=com" scope=2 filter="(&(object > Class=SolarisAuditUser)(uid=ejones))" attrs="uid SolarisAuditAlways > SolarisAuditNever" > > Is anyone familiar with this? > > thanks - > > EJ > > -- > 389 users mailing list > 389-users(a)lists.fedoraproject.org > https://admin.fedoraproject.org/mailman/listinfo/389-users >

1 0

problem connecting with old solaris servers
by Elizabeth Jones 15 Apr '13

15 Apr '13

We are trying to move our servers off a very old version of iplanet (circa 2002) to 389 DS. The data in both ldaps is almost identical, except that there was some stuff in the iplanet that couldn't convert over to 389. I'm not sure exactly what wouldn't convert, except that I couldn't do an export of the iplanet database and import into 389, instead did an ldif. Everything we have converted so far (RHEL 4,5,6 and Solaris 10) has gone over successfully, but I'm running into problems with some old Solaris 9 servers. They seem to be connecting successfully to the ldap, but not pulling back a password. getent passwd shows the list of users in the ldap, and I can su from root to my user account. When I have su'ed to my account, groups shows all the groups that I have in my ldap account on the new DS. I noticed this in the ldap logs, but I don't know what SolarisAuditUser means -- [13/Apr/2013:23:42:07 -0500] conn=2042387 op=1 SRCH base="ou=people,dc=mycompany,dc=com" scope=2 filter="(&(object Class=SolarisAuditUser)(uid=ejones))" attrs="uid SolarisAuditAlways SolarisAuditNever" Is anyone familiar with this? thanks - EJ

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

389-users April 2013