Problem browsing LDAP with Outlook
by Chris Bryant
When configuring Microsoft Outlook (not Outlook Express) to access an LDAP directory, there is an option to 'Enable Browsing (requires server support)'. If this option is chosen and the directory server supports it, then you should be able to open the LDAP address book and page up and down through the results. I have been unable to get this working properly with 389 DS.
When I try to browse from Outlook against the 389 DS directory, I am able to see the first page of results perfectly. However, if I move to the next page, only the first object returned will have any attributes included, and all of the rest of the objects in the page will have no attributes. I have a test perl script that duplicates this functionality as well.
I can get this to work properly with an older version of Netscape Directory Server, and I can get it working with OpenDS. Since 389 DS advertises support for the controls that are required for this to work, just like the other two servers, then I would expect it to work there also.
Has anyone out there gotten this to work with 389 DS? If so, can you share if there was anything special that you needed to do to get this to work? I'm trying to determine if this is a bug in the server, or if I'm just missing something in the configuration.
389 Master - Master Replication
by Santos Ramirez
We have a master - master replication agreement. When we initialize the replication, it works perfectly: we can see changes to a test user we have set up go back and forth between the two servers. However, at some point the replication stops and we cannot get replication to start again. The only way we can get replication to start again is to recreate the replication agreement, and then it fails again. Can anyone please point us in a direction? I am relatively new to 389, so any help would be greatly appreciated.
Santos U. Ramirez
Linux Systems Administrator
National DCP, LLC
150 Depot Street
Bellingham, Ma. 02019
synchronize passwords (DS-> AD)
by Denise Cosso
I would like some help understanding how password synchronization between Directory Server and AD (Windows 8) works. I have configured unidirectional synchronization (LDAP->AD) and have not installed PassSync on the Windows side.
The Directory Server stores passwords in SHA256, and I can only synchronize passwords with AD if I change the password in plain text with the ldappasswd command. (I know that this password is stored in the
How do I set up synchronization between the Directory Server and AD with different encryption in one direction (ldap->ad), without putting passwords in plain text?
by Aziza Lichir
I would like to know how I can use the memberOf or member attributes to assign an appropriate gidNumber to my users, to avoid this error: id: cannot find the name of the group identifier 38468
User unable to login with ldap_access_filter on
by Fosiul Alam
Hi, below is my sssd.conf.
With the setting below, users can't log in,
but if I remove ldap_access_filter, then all users can access.
What am I doing wrong?
I just want users from the "techops" group to access this server.
Any help will be greatly appreciated.
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP

[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307
ldap_uri = ldap://auth2.xxxxxx.lan/,ldap://auth1.xxxxxxxlan/
ldap_search_base = l=uk,dc=xxxx,dc=lan
ldap_tls_reqcert = demand
cache_credentials = true
enumerate = true
debug_level = 10
ldap_tls_cacertdir = /etc/openldap/xxx/
ldap_tls_cert = /etc/openldap/cacerts/CA-xxx.crt
access_provider = ldap
ldap_access_filter = memberUid=cn=techops,ou=groups,l=uk,dc=xxxx,dc=lan
#entry_cache_timeout = 600
#ldap_network_timeout = 3
and the log I get from the secure file:
2013-05-28T22:13:02.782543+01:00 uk-xxxxx-1 sshd: pam_sss(sshd:auth):
received for user mtest: 9 (Authentication service cannot retrieve
2013-05-28T22:13:04.597478+01:00 uk-xxxx-1 sshd: Failed password for
mtest from xxx.xx.xx.xx port 52664 ssh2
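Added example (my own code, not from the post above or from sssd) that models how the LDAP access provider applies ldap_access_filter: it is evaluated against the authenticating user's own entry, so a filter on memberUid, a group-entry attribute, can never match. The entries are constructed under a hypothetical dc=example,dc=lan base and the sssd behaviour is stated as an assumption in the code.

```python
import re

# Constructed sample entries in the rfc2307 layout used by the sssd.conf above
# (hypothetical DNs under dc=example,dc=lan; the real values are not on the page).
USER_ENTRY = {  # uid=mtest,ou=people,l=uk,dc=example,dc=lan
    "uid": ["mtest"],
    "objectClass": ["posixAccount", "inetOrgPerson"],
    "memberOf": ["cn=techops,ou=groups,l=uk,dc=example,dc=lan"],
}
GROUP_ENTRY = {  # cn=techops,ou=groups,l=uk,dc=example,dc=lan
    "cn": ["techops"], "objectClass": ["posixGroup"], "memberUid": ["mtest"],
}

def parse_filter(text):
    """Parse a minimal RFC 4515 filter: (&...), (|...), (!...) and (attr=value)."""
    text = text.strip()
    if not text.startswith("("):  # sssd also accepts a bare attr=value
        text = f"({text})"
    node, rest = _parse(text)
    if rest:
        raise ValueError(f"trailing data in filter: {rest!r}")
    return node

def _parse(s):
    if s[1] in "&|!":
        op, s, kids = s[1], s[2:], []
        while s.startswith("("):
            kid, s = _parse(s)
            kids.append(kid)
        if not s.startswith(")"):
            raise ValueError("unbalanced filter")
        return (op, kids), s[1:]
    m = re.match(r"\(([A-Za-z][\w;-]*)=([^()]*)\)", s)
    if not m:
        raise ValueError(f"unsupported filter component: {s!r}")
    return ("=", m.group(1), m.group(2)), s[m.end():]

def matches(node, entry):
    """Evaluate a parsed filter against one entry (attribute names are case-insensitive)."""
    op = node[0]
    if op in "&|":
        results = [matches(k, entry) for k in node[1]]
        return all(results) if op == "&" else any(results)
    if op == "!":
        return not matches(node[1][0], entry)
    attr, value = node[1].lower(), node[2].lower()
    return value in [v.lower() for k, vs in entry.items() if k.lower() == attr for v in vs]

def sssd_access_allowed(access_filter, user_entry):
    """Assumption about sssd's LDAP access provider: ldap_access_filter is evaluated
    against the authenticating user's own entry, never against the group entry."""
    return matches(parse_filter(access_filter), user_entry)
```

The memberUid filter from the config is false for every user entry, while the same group DN matched through memberOf (which requires the memberOf attribute to be present on user entries) is true.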
Posix Plug-in problem
I enabled the Posix Winsync API and everything works. After that, I decided to change to the
older versions of Windows Posix attributes as described in the documentation:
And now replication doesn't work. I looked at the error log and got:
"uidNumber/gidNumber required by object class "posixAccount""
But in my Active Directory, I want to synchronise some users who don't have
Is it possible, or do I need to synchronize just users with Posix attributes
when this plug-in is enabled?
Computer: centos 6.4
db2index.pl: ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
by Graham Leggett
Just to recount an experience in the hope that it saves someone else some trouble.
I was trying to use the ./db2index.pl script to regenerate my indexes, and the script point blank refused to work, telling me:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
To debug this, hack the db2index.pl script to pass the "-d 1" parameter to ldapsearch, which tells ldapsearch to give debug messages instead of the cryptic failure message.
In my case it revealed that db2index.pl was trying to contact the externally accessible public IP of the box on port 389, instead of localhost as it should have in my case. To fix the problem I had to manually hack the script.
Ideally this script shouldn't make blind assumptions as to the name of the LDAP server, but leave it up to the caller.
Indexes and "not" filters
by Graham Leggett
I am still really struggling with something that should be a simple query, but isn't. I have a filter that returns just one single result, as follows:
[25/May/2013:20:54:16 +0100] conn=82 op=10 SRCH base="o=Foo,c=GB" scope=2 filter="(&(associatedDomain=example.com)(!(associatedDomain=host.example.com)))" attrs="associatedDomain"
[25/May/2013:20:54:17 +0100] conn=82 op=10 RESULT err=4 tag=101 nentries=1 etime=1 notes=U
This query however returns the following error:
Search error 4: Size limit exceeded
The "notes=U" in the log gives an excessively cryptic clue - the query wasn't indexed, and the error message seems to be misleading, as it doesn't seem to be the size limit that is exceeded, but rather the time limit.
I have indexed the associatedDomain attribute as follows:
dn: cn=associatedDomain,cn=default indexes,cn=config,cn=ldbm database,cn=plu
Am I correct in understanding that an "eq" index is not enough to handle the "not" part of the filter above?
What do you have to do to index a "not" filter?
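Added example (not from the post above or from 389 DS) of the check an admin would run over the access log to find this class of problem: pair each SRCH with its RESULT by conn/op and report the searches the server marked notes=U, with the result code decoded. The log excerpt is constructed from the two lines quoted above plus a made-up indexed search for contrast.

```python
import re

# Constructed 389 DS access-log excerpt modelled on the two lines quoted above; the
# second connection (conn=83) is made up to show an indexed search for contrast.
SAMPLE_LOG = """\
[25/May/2013:20:54:16 +0100] conn=82 op=10 SRCH base="o=Foo,c=GB" scope=2 filter="(&(associatedDomain=example.com)(!(associatedDomain=host.example.com)))" attrs="associatedDomain"
[25/May/2013:20:54:16 +0100] conn=83 op=3 SRCH base="o=Foo,c=GB" scope=2 filter="(associatedDomain=example.com)" attrs="associatedDomain"
[25/May/2013:20:54:16 +0100] conn=83 op=3 RESULT err=0 tag=101 nentries=1 etime=0
[25/May/2013:20:54:17 +0100] conn=82 op=10 RESULT err=4 tag=101 nentries=1 etime=1 notes=U
"""

SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d) filter="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+) tag=\d+ nentries=(\d+) '
                       r'etime=(\d+)(?: notes=(\S+))?')
# Standard LDAP result codes a search that scans the whole database commonly ends with.
ERR_NAMES = {0: "success", 3: "timeLimitExceeded", 4: "sizeLimitExceeded",
             11: "adminLimitExceeded"}

def find_unindexed_searches(log_text):
    """Pair SRCH and RESULT lines by (conn, op) and return the searches the server
    flagged with notes=U (unindexed), together with the RESULT's error and etime."""
    pending, findings = {}, []
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            conn, op, base, scope, flt = m.groups()
            pending[(conn, op)] = {"base": base, "scope": int(scope), "filter": flt}
            continue
        m = RESULT_RE.search(line)
        if not m:
            continue
        conn, op, err, nentries, etime, notes = m.groups()
        srch = pending.pop((conn, op), None)
        if srch is None or "U" not in (notes or "").split(","):
            continue
        srch.update(conn=int(conn), op=int(op), err=int(err), nentries=int(nentries),
                    etime=int(etime), err_name=ERR_NAMES.get(int(err), "other"))
        findings.append(srch)
    return findings

def not_components(ldap_filter):
    """Return the (!...) sub-filters of a filter, the components the post asks about."""
    return re.findall(r"\(!\([^()]*\)\)", ldap_filter)
```

Running it on a real access log (with `logconv.pl`-style volumes) lists the filters worth reviewing against `cn=index` entries rather than guessing from a single "Size limit exceeded" message.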
Re: [389-users] error log showing Detected Disorderly Shutdown on startup
by Vincent Gerris
I encountered a similar issue.
I got it when creating an index with the vlvindex command, which was
apparently not correct.
The index creation failed with a segfault and after that I could not
start the server anymore.
I was also unable to do deletion of the index, since ldap was not up.
The error log also showed the rebuilding of the database, with no
I also tried deleting the vlv-named file I found somewhere, with no success.
Finally because of time pressure I just started over (by removing
everything with remove-ds-admin.pl).
I did find some SELinux entry: SELinux is preventing /bin/bash from
search access on the directory
This might have been a cause for the issue, but I am unsure.
I think this situation should somehow be fixable, but I had no clue how.
Now I am off doing a reinstall and a re-import.
Hope this helps anyone, if anyone knows what to do, please post :).
dual change log entry with retro changelog plugin
by Vincent Gerris
We are using Red Hat Enterprise Directory Server (which is a stable 389).
We have been using the retro changelog plugin from the old iPlanet
server for synchronisation to other systems.
Yesterday we noticed that for some reason, when an LDAP modification
is made, 2 entries turn up in the changelog LDAP tree.
It does not seem to happen when the 389-console client is used and a
change is made directly to an account with it,
but when an LDAP modify is done, while the slapd access logs shows 1
modification, the changelog has two entries.
This seems to be a bug.
Does anyone know how to solve this?
I have not found anybody having the issue and nothing in the
These duplicate entries might result in performance issues on the
Any help is greatly appreciated!