[389-announce] Announcing 389 Directory Server version 1.3.1.8
by Rich Megginson
389 Directory Server 1.3.1.8
The 389 Directory Server team is proud to announce 389-ds-base version
1.3.1.8.
Fedora packages are available from the Fedora 19 and 20 Testing
repositories. It will move to the Fedora Stable repositories once it has
received enough karma in Bodhi. We encourage you to test and provide
feedback here
<https://admin.fedoraproject.org/updates/389-ds-base-1.3.1.7-1.fc19> in
order to speed up the push to the Stable repositories.
The new packages and versions are:
* 389-ds-base-1.3.1.8-1
A source tarball is available for download at
http://port389.org/sources/389-ds-base-1.3.1.8.tar.bz2
Highlights in 1.3.1.8
The start/stop/restart scripts work in conjunction with systemd (systemctl) now. The last release broke slapi-nis, and this has been fixed.
Installation and Upgrade
See Download <http://directory.fedoraproject.org/wiki/Download> for
information about setting up your yum repositories.
To install, use *yum install 389-ds*. After install completes, run *setup-ds-admin.pl* to set up your directory server.
To upgrade, use *yum upgrade*. After upgrade completes, run *setup-ds-admin.pl -u* to update your directory server/admin server/console information.
See Install_Guide <http://directory.fedoraproject.org/wiki/Install_Guide> for more information about the initial installation, setup, and upgrade.
See Source <http://directory.fedoraproject.org/wiki/Source> for
information about source tarballs and SCM (git) access.
Feedback
We are very interested in your feedback!
Please provide feedback and comments to the 389-users mailing list:
https://admin.fedoraproject.org/mailman/listinfo/389-users
If you find a bug, or would like to see a new feature, file it in our
Trac instance: https://fedorahosted.org/389
Detailed Changelog since 1.3.1.7
* Ticket #47455 - valgrind - value mem leaks, uninit mem usage
The fix for slapi-nis
* Ticket 47500 - start-dirsrv/restart-dirsrv/stop-disrv do not register
with systemd correctly
Retrieved from "http://port389.org/wiki/Releases/1.3.1.8"
Re: [389-users] Membership of Roles
by Andy Spooner
Is there a check list or debug routine that I can follow to get membership
of groups to work correctly?
From: Andy [mailto:racingyacht1@gmail.com]
Sent: 05 September 2013 15:33
To: 'General discussion list for the 389 Directory server project.'
Subject: RE: [389-users] Membership of Roles
I haven't been able to get membership of groups to work in either Liferay or
blog system. The error has to be with my setup groups or the memberOf
plugin. All users have objectclass inetUser. I enabled the memberOf plugin
before creating the test group, and also ran the fixup script when I found
that the group was not working.
Interestingly, the blog system recognizes groups that were part of the
initial installation of 389. The group that I need to recognise
uniquemembers for is the group I created, called blogEditorGroup.
Screenshot from the blog system's test of communications with LDAP. Note that the group
blogEditorGroup does not recognise any of the three members created for
the test.
Search Result (max 10 entries)
Group Name               | Group Fullname           | Group Member
Directory Administrators | Directory Administrators | cn=Directory Manager
Accounting Managers      | Accounting Managers      | cn=Directory Manager
HR Managers              | HR Managers              | cn=Directory Manager
QA Managers              | QA Managers              | cn=Directory Manager
PD Managers              | PD Managers              | cn=Directory Manager
blogEditorsGroup         | blogEditorsGroup         |
Access log:
[05/Sep/2013:15:15:52 +0100] conn=11 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[05/Sep/2013:15:15:52 +0100] conn=11 op=1 SRCH base="dc=xxxx,dc=com" scope=2 filter="(&(objectClass=groupOfUniqueNames))" attrs="nsUniqueId cn cn uniqueMember"
[05/Sep/2013:15:15:52 +0100] conn=11 op=1 RESULT err=0 tag=101 nentries=6 etime=0
[05/Sep/2013:15:15:52 +0100] conn=11 op=2 SRCH base="dc=xxxx,dc=com" scope=2 filter="(objectClass=*)" attrs="uid mail cn memberUid"
[05/Sep/2013:15:15:52 +0100] conn=11 op=2 RESULT err=4 tag=101 nentries=10 etime=0 notes=U
[05/Sep/2013:15:15:52 +0100] conn=11 op=3 SRCH base="dc=xxxx,dc=com" scope=2 filter="(|(uniqueMember=))" attrs="cn cn"
[05/Sep/2013:15:15:52 +0100] conn=11 op=3 RESULT err=0 tag=101 nentries=0 etime=0
[05/Sep/2013:15:15:52 +0100] conn=11 op=4 SRCH base="dc=xxxx,dc=com" scope=2 filter="(|(uniqueMember=))" attrs="cn cn"
[05/Sep/2013:15:15:52 +0100] conn=11 op=4 RESULT err=0 tag=101 nentries=0 etime=0
[05/Sep/2013:15:15:52 +0100] conn=11 op=5 SRCH base="dc=xxxx,dc=com" scope=2 filter="(|(uniqueMember=))" attrs="cn cn"
[05/Sep/2013:15:15:52 +0100] conn=11 op=5 RESULT err=0 tag=101 nentries=0 etime=0
[05/Sep/2013:15:15:52 +0100] conn=11 op=6 SRCH base="dc=xxxx,dc=com" scope=2 filter="(|(uniqueMember=))" attrs="cn cn"
[05/Sep/2013:15:15:52 +0100] conn=11 op=6 RESULT err=0 tag=101 nentries=0 etime=0
[05/Sep/2013:15:15:52 +0100] conn=11 op=7 SRCH base="dc=xxxx,dc=com" scope=2 filter="(|(uniqueMember=))" attrs="cn cn"
[05/Sep/2013:15:15:52 +0100] conn=11 op=7 RESULT err=0 tag=101 nentries=0 etime=0
[05/Sep/2013:15:15:52 +0100] conn=11 op=8 SRCH base="dc=xxxx,dc=com" scope=2 filter="(|(uniqueMember=))" attrs="cn cn"
[05/Sep/2013:15:15:52 +0100] conn=11 op=8 RESULT err=0 tag=101 nentries=0 etime=0
[05/Sep/2013:15:15:52 +0100] conn=11 op=9 SRCH base="dc=xxxx,dc=com" scope=2 filter="(|(uniqueMember=))" attrs="cn cn"
[05/Sep/2013:15:15:52 +0100] conn=11 op=9 RESULT err=0 tag=101 nentries=0 etime=0
[05/Sep/2013:15:15:52 +0100] conn=11 op=10 SRCH base="dc=xxxx,dc=com" scope=2 filter="(|(uniqueMember=))" attrs="cn cn"
[05/Sep/2013:15:15:52 +0100] conn=11 op=10 RESULT err=0 tag=101 nentries=0 etime=0
[05/Sep/2013:15:15:52 +0100] conn=11 op=11 SRCH base="dc=xxxx,dc=com" scope=2 filter="(|(uniqueMember=))" attrs="cn cn"
[05/Sep/2013:15:15:52 +0100] conn=11 op=11 RESULT err=0 tag=101 nentries=0 etime=0
[05/Sep/2013:15:15:52 +0100] conn=11 op=12 SRCH base="dc=xxxx,dc=com" scope=2 filter="(|(uniqueMember=))" attrs="cn cn"
[05/Sep/2013:15:15:52 +0100] conn=11 op=12 RESULT err=0 tag=101 nentries=0 etime=0
[05/Sep/2013:15:15:52 +0100] conn=11 op=-1 fd=67 closed - B1
[05/Sep/2013:15:17:12 +0100] conn=12 fd=67 slot=67 connection from 192.168.20.38 to 192.168.20.28
[05/Sep/2013:15:17:12 +0100] conn=12 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[05/Sep/2013:15:17:12 +0100] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[05/Sep/2013:15:17:12 +0100] conn=12 op=1 SRCH base="dc=xxxx,dc=com" scope=2 filter="(objectClass=inetOrgPerson)" attrs="cn"
[05/Sep/2013:15:17:12 +0100] conn=12 op=1 RESULT err=0 tag=101 nentries=4 etime=0 notes=P
[05/Sep/2013:15:17:12 +0100] conn=12 op=2 SRCH base="cn=Test user1+uid=100001,ou=People,dc=xxxx,dc=com" scope=0 filter="(objectClass=*)" attrs="uid cn mail cn nsRole title givenName userPassword sn creatorsName createTimestamp modifiersName modifyTimestamp"
[05/Sep/2013:15:17:12 +0100] conn=12 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[05/Sep/2013:15:17:12 +0100] conn=12 op=3 SRCH base="uid=100000001,ou=People,dc=xxxx,dc=com" scope=0 filter="(objectClass=*)" attrs="uid cn mail cn nsRole title givenName userPassword sn creatorsName createTimestamp modifiersName modifyTimestamp"
[05/Sep/2013:15:17:12 +0100] conn=12 op=3 RESULT err=0 tag=101 nentries=1 etime=0
[05/Sep/2013:15:17:12 +0100] conn=12 op=4 SRCH base="uid=100002,ou=People,dc=xxxx,dc=com" scope=0 filter="(objectClass=*)" attrs="uid cn mail cn nsRole title givenName userPassword sn creatorsName createTimestamp modifiersName modifyTimestamp"
[05/Sep/2013:15:17:12 +0100] conn=12 op=4 RESULT err=0 tag=101 nentries=1 etime=0
[05/Sep/2013:15:17:12 +0100] conn=12 op=5 SRCH base="uid=100003,ou=People,dc=xxxx,dc=com" scope=0 filter="(objectClass=*)" attrs="uid cn mail cn nsRole title givenName userPassword sn creatorsName createTimestamp modifiersName modifyTimestamp"
[05/Sep/2013:15:17:12 +0100] conn=12 op=5 RESULT err=0 tag=101 nentries=1 etime=0
From: Andy [mailto:racingyacht1@gmail.com]
Sent: 03 September 2013 22:23
To: 'General discussion list for the 389 Directory server project.'
Subject: RE: [389-users] Membership of Roles
Jonathan,
That could be the root of the groups issue. I enabled the memberOf plugin
after creating the groups and users.
I will be testing in a few minutes.
From: 389-users-bounces(a)lists.fedoraproject.org
[mailto:389-users-bounces@lists.fedoraproject.org] On Behalf Of Jonathan
Vaughn
Sent: 03 September 2013 22:02
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] Membership of Roles
If you had your users and groups created before enabling memberOf, you'll
need to modify their group membership (per user, easiest would be to add all
to a temporary group then remove the group after memberOf populates) to
trigger memberOf creation. It only gets set on changes, and won't
autogenerate for existing memberships until a change occurs. It WILL
regenerate all memberships even if you change just one, so you can just
throw everyone into a group as I said to trigger it. There was a script in
some FDS / 389DS howto someplace that was supposed to background trigger it,
but I never got it to work.
On Tue, Sep 3, 2013 at 3:47 PM, Andy <racingyacht1(a)gmail.com> wrote:
Hi Rich,
I had added the inetUser objectclass on the test cases of groups that
failed. I was wondering if I had incorrectly configured arguments of the
memberOf plugin. I will read the documentation again.
I should be done rebuilding my instance of 389 in an hour or so.
From: Rich Megginson [mailto:rmeggins@redhat.com]
Sent: 03 September 2013 20:47
To: Andy
Cc: 'General discussion list for the 389 Directory server project.'
Subject: Re: [389-users] Membership of Roles
On 09/03/2013 01:22 PM, Andy wrote:
Hi Rich,
I am having the same problem with groups, so I am wondering if I have groups
configured correctly. Especially the configuration of the memberOf plugin.
https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Advanced_Entry_Management.html#groups-cmd-memberof
Especially this part:
6.1.4.2. Object Classes Which Support memberof Attributes
The most common people object classes - such as inetorgperson and person -
do not allow the memberOf attribute. To allow the MemberOf Plug-in to add
the memberOf attribute to a user entry, make sure that that entry belongs to
the inetUser object class, which does allow the memberOf attribute.
Similarly, if an attribute other than memberOf is used in the user entry,
then make sure that the user entry belongs to an object class that allows
that attribute.
I'm in the process of reconfiguring my instance of ldap, as it was
misbehaving after I tried out various configuration to get roles and groups
to work.
From: Rich Megginson [mailto:rmeggins@redhat.com]
Sent: 03 September 2013 14:48
To: General discussion list for the 389 Directory server project.
Cc: Andy
Subject: Re: [389-users] Membership of Roles
On 09/01/2013 05:50 AM, Andy wrote:
Please find additional information on the configuration of the blog system
My configuration:
AuthenticationModule LDAP
LDAPAuthURL ldap://xxxxx:389/dc=xxxx,dc=com?mail
LDAPAuthBindDN cn=Directory Manager (will replace with application user
account once phase one integration is completed)
LDAPAuthPassword xxxxxx
LDAPAuthSASLMechanism PLAIN (note SSL not yet configured)
ExternalUserManagement 1
ExternalGroupManagement 1
ExternalUserSyncFrequency 60
LDAPGroupNameAttribute cn
LDAPGroupIdAttribute nsUniqueId
LDAPGroupFullNameAttribute cn
LDAPGroupMemberAttribute memberof
LDAPGroupSearchBase ou=customers,dc=xxx,dc=com
LDAPGroupFilter (objectclass=ldapSubEntry)
LDAPUserIdAttribute uid
LDAPUserEmailAttribute mail
LDAPUserFullNameAttribute cn
LDAPUserGroupMemberAttribute nsrole
I think this is going to be problematic, and may not work at all. With
groups, there is an actual group entry, which lists all of the members.
With roles, the role entry does not list all of the members. So a query
like
SRCH base="ou=customers,dc=xxxx,dc=com" scope=2 filter="(&(|(member=cn=xxxxrolecommentertest,ou=customers,dc=xxxx,dc=com))(objectClass=ldapSubEntry))"
will not work because there is no role entry which lists its members in a
"member" attribute.
If you can configure it to search all of the users, you might be able to do
a search like
SRCH base="ou=customers,dc=xxxx,dc=com" scope=2 filter="(nsRole=cn=xxxxrolecommentertest,ou=customers,dc=xxxx,dc=com)"
Roles will automatically populate each user's entry with the nsRole
attribute. This attribute lists all of the roles to which that user
belongs. nsRole is an operational attribute, so you must explicitly request
it on the command line if you want to see it (e.g. in an ldapsearch
command).
The default settings for OpenLDAP installations are:
Stage 1
Authentication URL: ldap://<FQDN of LDAP server>:389/dc=xxxx,dc=com?mail
Authentication DN:
Authentication Password: Password
Test Username: Test email address
Test Password: Password for test user
Stage 2
Group Search Base Attribute: dc=xxx,dc=com
Group Filter Attribute: (objectClass=groupOfUniqueNames)
Attributes (OpenLDAP)
User ID Attribute: entryUUID
Email Attribute: mail
User Fullname Attribute: cn
User Member Attribute: uid
GroupID Attribute: entryUUID
Group Name Attribute: cn
Group Fullname Attribute: cn
Group Member Attribute: memberUid
From: Andy [mailto:racingyacht1@gmail.com]
Sent: 31 August 2013 13:43
To: '389-users(a)lists.fedoraproject.org'
Subject: Membership of Roles
Hello
I am testing integration of 389-ds with a blogging system. I plan to use
roles instead of groups to automatically give users rights to service on the
blog system. However, I am having problems with the system identifying
members of roles. I need help with defining the correct search parameters to
identify which roles a uid or cn is a member of.
From within the blog system I'm using LDAPGroupFilter
(objectclass=ldapSubEntry) to list the roles. The roles list correctly as
groups within the blog system.
From within 389 the members of roles are configured as filtered, and I can
see the configured members using the Directory Server GUI.
The blog system is not identifying members of roles when it does its search
against 389. Note, users can log into the blog system using the accounts
created on 389. I don't think I am applying the correct search criteria to
identify group membership. I need advice on creation of the correct search
criteria for membership of roles/groups.
Sample log from access
[31/Aug/2013:11:09:39 +0100] conn=265 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[31/Aug/2013:11:09:39 +0100] conn=265 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[31/Aug/2013:11:09:39 +0100] conn=265 op=1 SRCH base="dc=xxxx,dc=com" scope=2 filter="(&(mail=testuser16@xxxx.com)(objectClass=*))" attrs="distinguishedName"
[31/Aug/2013:11:09:39 +0100] conn=265 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[31/Aug/2013:11:09:39 +0100] conn=265 op=2 BIND dn="uid=1000016,ou=Customers,dc=xxxx,dc=com" method=128 version=3
[31/Aug/2013:11:09:39 +0100] conn=265 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=1000016,ou=customers,dc=xxxx,dc=com"
[31/Aug/2013:11:09:39 +0100] conn=265 op=3 BIND dn="cn=Directory Manager" method=128 version=3
[31/Aug/2013:11:09:39 +0100] conn=265 op=3 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[31/Aug/2013:11:09:39 +0100] conn=265 op=4 SRCH base="dc=xxxx,dc=com" scope=2 filter="(&(mail=testuser16@xxxx.com)(objectClass=*))" attrs="uid mail cn mail distinguishedName"
[31/Aug/2013:11:09:39 +0100] conn=265 op=4 RESULT err=0 tag=101 nentries=1 etime=0
[31/Aug/2013:11:09:39 +0100] conn=265 op=5 SRCH base="dc=xxxx,dc=com" scope=2 filter="(|(uid=1000016))" attrs="nsRole"
[31/Aug/2013:11:09:39 +0100] conn=265 op=5 RESULT err=0 tag=101 nentries=1 etime=0
[31/Aug/2013:11:09:39 +0100] conn=265 op=6 SRCH base="ou=customers,dc=xxxx,dc=com" scope=2 filter="(&(|(member=cn=xxxxrolecommentertest,ou=customers,dc=xxxx,dc=com))(objectClass=ldapSubEntry))" attrs="cn cn member nsUniqueId"
[31/Aug/2013:11:09:39 +0100] conn=265 op=6 RESULT err=0 tag=101 nentries=0 etime=0
[31/Aug/2013:11:09:39 +0100] conn=265 op=7 UNBIND
[31/Aug/2013:11:09:39 +0100] conn=265 op=7 fd=68 closed - U1
--
389 users mailing list
389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
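To make the difference Rich describes concrete, here is an added example (not code from this thread or from 389 DS itself) that models filtered and managed roles in Python: a role entry carries no member list, each user's operational nsRole value is computed from the role definitions, and a membership query therefore has to target the user entries with (nsRole=<role DN>). The DIT, role names and the dc=example,dc=com suffix are constructed sample data; role scoping and nested roles are not modelled.

```python
"""Model of role membership resolution in 389 Directory Server.
Added example, not code from the thread or from 389 DS. Constructed data:
suffix dc=example,dc=com, one filtered role, one managed role, two users.
Role scoping and nested roles are not modelled."""

ROLE_COMMENTER = "cn=rolecommentertest,ou=customers,dc=example,dc=com"
ROLE_EDITOR = "cn=roleeditor,ou=customers,dc=example,dc=com"

# Attribute names are stored lower-cased: LDAP attribute names are case-insensitive.
ENTRIES = {
    # Filtered role: membership is derived from nsRoleFilter at search time.
    ROLE_COMMENTER: {
        "objectclass": ["top", "ldapsubentry", "nsroledefinition", "nsfilteredroledefinition"],
        "cn": ["rolecommentertest"],
        "nsrolefilter": ["(title=commenter)"],
    },
    # Managed role: a user opts in by carrying an nsRoleDN value naming the role.
    ROLE_EDITOR: {
        "objectclass": ["top", "ldapsubentry", "nsroledefinition", "nsmanagedroledefinition"],
        "cn": ["roleeditor"],
    },
    "uid=1000016,ou=customers,dc=example,dc=com": {
        "objectclass": ["top", "person", "inetorgperson"],
        "uid": ["1000016"], "title": ["commenter"],
    },
    "uid=1000017,ou=customers,dc=example,dc=com": {
        "objectclass": ["top", "person", "inetorgperson"],
        "uid": ["1000017"], "nsroledn": [ROLE_EDITOR],
    },
}

def parse_filter(text):
    """Parse the RFC 4515 subset seen in the thread: &, |, equality, presence."""
    def parse(i):
        if text[i] != "(":
            raise ValueError("expected '(' at offset %d" % i)
        i += 1
        if text[i] in "&|":
            op, kids, i = text[i], [], i + 1
            while text[i] == "(":
                node, i = parse(i)
                kids.append(node)
            return (op, kids), i + 1          # skip the closing ')'
        end = text.index(")", i)
        attr, _, value = text[i:end].partition("=")
        return ("=", attr.lower(), value), end + 1
    node, end = parse(0)
    if end != len(text):
        raise ValueError("trailing data after filter")
    return node

def matches(node, attrs):
    """Evaluate a parsed filter against one entry's attribute dict."""
    if node[0] == "&":
        return all(matches(k, attrs) for k in node[1])
    if node[0] == "|":
        return any(matches(k, attrs) for k in node[1])
    _, attr, value = node
    values = [v.lower() for v in attrs.get(attr, [])]
    if value == "*":                # presence test
        return bool(values)
    return value.lower() in values  # so (uniqueMember=) matches nothing

def compute_nsrole(entry, entries):
    """The operational nsRole value: every role definition this entry satisfies."""
    if "ldapsubentry" in entry.get("objectclass", []):
        return []                   # role entries do not themselves hold roles
    roles = []
    for role_dn, role in entries.items():
        ocs = role.get("objectclass", [])
        if "nsfilteredroledefinition" in ocs:
            if matches(parse_filter(role["nsrolefilter"][0]), entry):
                roles.append(role_dn)
        elif "nsmanagedroledefinition" in ocs:
            if role_dn.lower() in [v.lower() for v in entry.get("nsroledn", [])]:
                roles.append(role_dn)
    return roles

def search(base, filter_text, attrs=None, entries=ENTRIES):
    """Subtree search. nsRole is operational: returned only when named in attrs."""
    node = parse_filter(filter_text)
    wanted = None if attrs is None else [a.lower() for a in attrs]
    results = {}
    for dn, entry in entries.items():
        if not dn.lower().endswith(base.lower()):
            continue
        view = dict(entry, nsrole=compute_nsrole(entry, entries))
        if not matches(node, view):
            continue
        if wanted is None:
            results[dn] = {a: v for a, v in view.items() if a != "nsrole"}
        else:
            results[dn] = {a: view[a] for a in wanted if a in view}
    return results

if __name__ == "__main__":
    base = "ou=customers,dc=example,dc=com"
    # The blog system's query expects a member list on the role entry: empty result.
    print(search(base, "(&(|(member=%s))(objectClass=ldapSubEntry))" % ROLE_COMMENTER))
    # Rich's suggestion: ask the user entries which roles they hold. Finds uid=1000016.
    print(search(base, "(nsRole=%s)" % ROLE_COMMENTER, ["uid", "nsRole"]))
```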
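The access logs quoted in this thread are also a good input for a small triage script. The following is an added example, not code from the thread: it pairs each SRCH with its RESULT by conn and op and flags filter components with an empty assertion value such as (uniqueMember=), unindexed searches (notes=U), size-limit hits (err=4) and membership lookups that return nothing. The LOG sample is constructed to mirror the lines above, with dc=example,dc=com and documentation IP addresses standing in for the masked values.

```python
"""Triage of 389 Directory Server access-log lines.
Added example, not code from the thread. The LOG text is constructed to mirror
the thread's lines, with dc=example,dc=com standing in for the masked suffix."""
import re

LOG = """\
[05/Sep/2013:15:15:52 +0100] conn=11 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(&(objectClass=groupOfUniqueNames))" attrs="nsUniqueId cn cn uniqueMember"
[05/Sep/2013:15:15:52 +0100] conn=11 op=1 RESULT err=0 tag=101 nentries=6 etime=0
[05/Sep/2013:15:15:52 +0100] conn=11 op=2 SRCH base="dc=example,dc=com" scope=2 filter="(objectClass=*)" attrs="uid mail cn memberUid"
[05/Sep/2013:15:15:52 +0100] conn=11 op=2 RESULT err=4 tag=101 nentries=10 etime=0 notes=U
[05/Sep/2013:15:15:52 +0100] conn=11 op=3 SRCH base="dc=example,dc=com" scope=2 filter="(|(uniqueMember=))" attrs="cn cn"
[05/Sep/2013:15:15:52 +0100] conn=11 op=3 RESULT err=0 tag=101 nentries=0 etime=0
[05/Sep/2013:15:15:52 +0100] conn=11 op=-1 fd=67 closed - B1
[05/Sep/2013:15:17:12 +0100] conn=12 fd=67 slot=67 connection from 192.0.2.38 to 192.0.2.28
[05/Sep/2013:15:17:12 +0100] conn=12 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(objectClass=inetOrgPerson)" attrs="cn"
[05/Sep/2013:15:17:12 +0100] conn=12 op=1 RESULT err=0 tag=101 nentries=4 etime=0 notes=P
[31/Aug/2013:11:09:39 +0100] conn=265 op=6 SRCH base="ou=customers,dc=example,dc=com" scope=2 filter="(&(|(member=cn=rolecommentertest,ou=customers,dc=example,dc=com))(objectClass=ldapSubEntry))" attrs="cn cn member nsUniqueId"
[31/Aug/2013:11:09:39 +0100] conn=265 op=6 RESULT err=0 tag=101 nentries=0 etime=0
"""

# One operation line: timestamp, conn, op, operation keyword, then key=value pairs.
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<kind>\w+)(?P<rest>.*)$')
# key="quoted value" or key=bare; quoted values may contain spaces and '='.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
EMPTY_VALUE_RE = re.compile(r'\((\w+)=\)')      # e.g. (uniqueMember=)

def parse_kv(rest):
    """Turn 'err=0 notes=U dn="cn=x y"' into a dict; quoted values keep spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(rest)}

def triage(log_text, size_limit_err="4"):
    """Pair SRCH/RESULT by (conn, op) and return (key, category, detail) findings."""
    pending, findings = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                        # connection open/close lines etc.
        key, kv = (m.group("conn"), m.group("op")), parse_kv(m.group("rest"))
        if m.group("kind") == "SRCH":
            pending[key] = kv
            for attr in EMPTY_VALUE_RE.findall(kv.get("filter", "")):
                findings.append((key, "empty-value",
                                 "%s compared against an empty value: check the client's attribute mapping" % attr))
        elif m.group("kind") == "RESULT" and key in pending:
            srch = pending.pop(key)
            flt = srch.get("filter", "")
            if "U" in kv.get("notes", ""):  # notes=U marks an unindexed search in 1.3.x logs
                findings.append((key, "unindexed", "unindexed search: %s" % flt))
            if kv.get("err") == size_limit_err:
                findings.append((key, "sizelimit",
                                 "size limit hit after %s entries; the client saw a truncated list" % kv.get("nentries")))
            if kv.get("nentries") == "0" and "member" in flt.lower():
                findings.append((key, "no-members", "membership lookup returned nothing: %s" % flt))
    return findings

def summarize(findings):
    """Count findings per category, for a quick overview."""
    counts = {}
    for _, category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts

if __name__ == "__main__":
    for key, category, detail in triage(LOG):
        print("conn=%s op=%s %-12s %s" % (key[0], key[1], category, detail))
    print(summarize(triage(LOG)))
```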
userPassword attribute
by Alberto Viana
389-Directory/1.3.1.3 B2013.193.1948
I set an ACI to specific user to add,read or modify everything on this OU:
dn: ou=UFRGS,ou=RNP,dc=homolog,dc=rnp
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0;aci "ufrgs add permission";allow (add,read,write,compare) userdn="ldap:///uid=app.ufrgs.w,ou=APLICACOES,ou=RNP,dc=homolog,dc=rnp";)
But when I do an ldapsearch with this user (app.ufrgs.w) on this OU I can't
see the userpassword attribute.
dn: uid=teste123,ou=UFRGS,ou=RNP,dc=homolog,dc=rnp
uid: teste123
givenName: teste123
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: ntUser
sn: teste
cn: teste123
ntUserDomainId: teste123
ntUserCreateNewAccount: true
ntUserDeleteAccount: true
I also tried this kind of ACI:
dn: ou=UFRGS,ou=RNP,dc=homolog,dc=rnp
changetype: modify
add: aci
aci: (targetattr="userPassword")(version 3.0;aci "ufrgs userpass permission";allow (all) userdn="ldap:///uid=app.ufrgs.w,ou=APLICACOES,ou=RNP,dc=homolog,dc=rnp";)
When I do it with "Directory Manager" I can see the userpassword attribute.
What do I have to do?
Re: [389-users] Membership of Roles
by Andy Spooner
I haven't been able to get membership of groups to work in either Liferay or
blog system. The error has to be with my setup groups or the memberOf
plugin. All users have objectclass inetUser. I enabled the memberOf plugin
before creating the test group, and also ran the fixup script when I found
that the group was not working.
Interestingly the blog system recognizes groups that were part of the
initial installation of 389. The group that I need to recognise
uniquemembers for is the group I created call blogEditorGroup.
Screenshot from blog system test of communications with ldap. Note the group
= blogEditorGroup, does not recognise any of the three members created for
the test.
Search Result (max 10 entries)
Group Name
Group Fullname
Group Member
Directory Administrators
Directory Administrators
cn=Directory Manager
Accounting Managers
Accounting Managers
cn=Directory Manager
HR Managers
HR Managers
cn=Directory Manager
QA Managers
QA Managers
cn=Directory Manager
PD Managers
PD Managers
cn=Directory Manager
blogEditorsGroup
blogEditorsGroup
Access log:
[05/Sep/2013:15:15:52 +0100] conn=11 op=0 RESULT err=0 tag=97 nentries=0
etime=0 dn="cn=directory manager"
[05/Sep/2013:15:15:52 +0100] conn=11 op=1 SRCH base="dc=xxxx,dc=com" scope=2
filter="(&(objectClass=groupOfUniqueNames))" attrs="nsUniqueId cn cn
uniqueMember"
[05/Sep/2013:15:15:52 +0100] conn=11 op=1 RESULT err=0 tag=101 nentries=6
etime=0
[05/Sep/2013:15:15:52 +0100] conn=11 op=2 SRCH base="dc=xxxx,dc=com" scope=2
filter="(objectClass=*)" attrs="uid mail cn memberUid"
[05/Sep/2013:15:15:52 +0100] conn=11 op=2 RESULT err=4 tag=101 nentries=10
etime=0 notes=U
[05/Sep/2013:15:15:52 +0100] conn=11 op=3 SRCH base="dc=xxxx,dc=com" scope=2
filter="(|(uniqueMember=))" attrs="cn cn"
[05/Sep/2013:15:15:52 +0100] conn=11 op=3 RESULT err=0 tag=101 nentries=0
etime=0
[05/Sep/2013:15:15:52 +0100] conn=11 op=4 SRCH base="dc=xxxx,dc=com" scope=2
filter="(|(uniqueMember=))" attrs="cn cn"
[05/Sep/2013:15:15:52 +0100] conn=11 op=4 RESULT err=0 tag=101 nentries=0
etime=0
[05/Sep/2013:15:15:52 +0100] conn=11 op=5 SRCH base="dc=xxxx,dc=com" scope=2
filter="(|(uniqueMember=))" attrs="cn cn"
[05/Sep/2013:15:15:52 +0100] conn=11 op=5 RESULT err=0 tag=101 nentries=0
etime=0
[05/Sep/2013:15:15:52 +0100] conn=11 op=6 SRCH base="dc=xxxx,dc=com" scope=2
filter="(|(uniqueMember=))" attrs="cn cn"
[05/Sep/2013:15:15:52 +0100] conn=11 op=6 RESULT err=0 tag=101 nentries=0
etime=0
[05/Sep/2013:15:15:52 +0100] conn=11 op=7 SRCH base="dc=xxxx,dc=com" scope=2
filter="(|(uniqueMember=))" attrs="cn cn"
[05/Sep/2013:15:15:52 +0100] conn=11 op=7 RESULT err=0 tag=101 nentries=0
etime=0
[05/Sep/2013:15:15:52 +0100] conn=11 op=8 SRCH base="dc=xxxx,dc=com" scope=2
filter="(|(uniqueMember=))" attrs="cn cn"
[05/Sep/2013:15:15:52 +0100] conn=11 op=8 RESULT err=0 tag=101 nentries=0
etime=0
[05/Sep/2013:15:15:52 +0100] conn=11 op=9 SRCH base="dc=xxxx,dc=com" scope=2
filter="(|(uniqueMember=))" attrs="cn cn"
[05/Sep/2013:15:15:52 +0100] conn=11 op=9 RESULT err=0 tag=101 nentries=0
etime=0
[05/Sep/2013:15:15:52 +0100] conn=11 op=10 SRCH base="dc=xxxx,dc=com"
scope=2 filter="(|(uniqueMember=))" attrs="cn cn"
[05/Sep/2013:15:15:52 +0100] conn=11 op=10 RESULT err=0 tag=101 nentries=0
etime=0
[05/Sep/2013:15:15:52 +0100] conn=11 op=11 SRCH base="dc=xxxx,dc=com"
scope=2 filter="(|(uniqueMember=))" attrs="cn cn"
[05/Sep/2013:15:15:52 +0100] conn=11 op=11 RESULT err=0 tag=101 nentries=0
etime=0
[05/Sep/2013:15:15:52 +0100] conn=11 op=12 SRCH base="dc=xxxx,dc=com"
scope=2 filter="(|(uniqueMember=))" attrs="cn cn"
[05/Sep/2013:15:15:52 +0100] conn=11 op=12 RESULT err=0 tag=101 nentries=0
etime=0
[05/Sep/2013:15:15:52 +0100] conn=11 op=-1 fd=67 closed - B1
[05/Sep/2013:15:17:12 +0100] conn=12 fd=67 slot=67 connection from
192.168.20.38 to 192.168.20.28
[05/Sep/2013:15:17:12 +0100] conn=12 op=0 BIND dn="cn=Directory Manager"
method=128 version=3
[05/Sep/2013:15:17:12 +0100] conn=12 op=0 RESULT err=0 tag=97 nentries=0
etime=0 dn="cn=directory manager"
[05/Sep/2013:15:17:12 +0100] conn=12 op=1 SRCH base="dc=xxxx,dc=com" scope=2
filter="(objectClass=inetOrgPerson)" attrs="cn"
[05/Sep/2013:15:17:12 +0100] conn=12 op=1 RESULT err=0 tag=101 nentries=4
etime=0 notes=P
[05/Sep/2013:15:17:12 +0100] conn=12 op=2 SRCH base="cn=Test
user1+uid=100001,ou=People,dc=xxxx,dc=com" scope=0 filter="(objectClass=*)"
attrs="uid cn mail cn nsRole title givenName userPassword sn creatorsName
createTimestamp modifiersName modifyTimestamp"
[05/Sep/2013:15:17:12 +0100] conn=12 op=2 RESULT err=0 tag=101 nentries=1
etime=0
[05/Sep/2013:15:17:12 +0100] conn=12 op=3 SRCH
base="uid=100000001,ou=People,dc=xxxx,dc=com" scope=0
filter="(objectClass=*)" attrs="uid cn mail cn nsRole title givenName
userPassword sn creatorsName createTimestamp modifiersName modifyTimestamp"
[05/Sep/2013:15:17:12 +0100] conn=12 op=3 RESULT err=0 tag=101 nentries=1
etime=0
[05/Sep/2013:15:17:12 +0100] conn=12 op=4 SRCH
base="uid=100002,ou=People,dc=xxxx,dc=com" scope=0 filter="(objectClass=*)"
attrs="uid cn mail cn nsRole title givenName userPassword sn creatorsName
createTimestamp modifiersName modifyTimestamp"
[05/Sep/2013:15:17:12 +0100] conn=12 op=4 RESULT err=0 tag=101 nentries=1
etime=0
[05/Sep/2013:15:17:12 +0100] conn=12 op=5 SRCH
base="uid=100003,ou=People,dc=xxxx,dc=com" scope=0 filter="(objectClass=*)"
attrs="uid cn mail cn nsRole title givenName userPassword sn creatorsName
createTimestamp modifiersName modifyTimestamp"
[05/Sep/2013:15:17:12 +0100] conn=12 op=5 RESULT err=0 tag=101 nentries=1
etime=0
From: Andy [mailto:racingyacht1@gmail.com]
Sent: 03 September 2013 22:23
To: 'General discussion list for the 389 Directory server project.'
Subject: RE: [389-users] Membership of Roles
Jonathan,
That could be the root of the groups issue. I enabled the memberOf plugin
after creating the groups and users.
I will be testing in a few minutes.
From: 389-users-bounces(a)lists.fedoraproject.org
[mailto:389-users-bounces@lists.fedoraproject.org] On Behalf Of Jonathan
Vaughn
Sent: 03 September 2013 22:02
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] Membership of Roles
If you had your users and groups created before enabling memberOf, you'll
need to modify their group membership (per user, easiest would be to add all
to a temporary group then remove the group after memberOf populates) to
trigger memberOf creation. It only gets set on changes, and won't
autogenerate for existing memberships until a change occurs. It WILL
regenerate all memberships even if you change just one, so you can just
throw everyone into a group as I said to trigger it. There was a script in
some FDS / 389DS howto someplace that was supposed to background trigger it,
but I never got it to work.
On Tue, Sep 3, 2013 at 3:47 PM, Andy <racingyacht1(a)gmail.com> wrote:
Hi Rich,
I had added the inetUser objectclass on the test cases of groups that
failed. I was wondering if I had incorrectly configured arguments of the
memberOf plugin. I will read the documentation again.
I should be done rebuilding my instance of 389 in an hour or so.
From: Rich Megginson [mailto:rmeggins@redhat.com]
Sent: 03 September 2013 20:47
To: Andy
Cc: 'General discussion list for the 389 Directory server project.'
Subject: Re: [389-users] Membership of Roles
On 09/03/2013 01:22 PM, Andy wrote:
Hi Rich,
I am having the same problem with groups, so I am wondering if I have groups
configured correctly. Especially the configuration of the memberOf plugin.
https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/
9.0/html/Administration_Guide/Advanced_Entry_Management.html#groups-cmd-memb
erof
Especially this part:
6.1.4.2. Object Classes Which Support memberof Attributes
The most common people object classes - such as inetorgperson and person -
do not allow the memberOf attribute. To allow the MemberOf Plug-in to add
the memberOf attribute to a user entry, make sure that that entry belongs to
the inetUser object class, which does allow the memberOf attribute.
Similarly, if an attribute other than memberOf is used in the user entry,
then make sure that the user entry belongs to an object class that allows
that attribute.
I'm in the process of reconfiguring my instance of ldap, as it was
misbehaving after I tried out various configuration to get roles and groups
to work.
From: Rich Megginson [mailto:rmeggins@redhat.com]
Sent: 03 September 2013 14:48
To: General discussion list for the 389 Directory server project.
Cc: Andy
Subject: Re: [389-users] Membership of Roles
On 09/01/2013 05:50 AM, Andy wrote:
Please find additional information on the configuration of the blog system
My configuration:
AuthenticationModule LDAP
LDAPAuthURL ldap://xxxxx:389/dc=xxxx,dc=com?mail
LDAPAuthBindDN cn=Directory Manager (will replace with application user
account once phase one integration is completed)
LDAPAuthPassword xxxxxx
LDAPAuthSASLMechanism PLAIN (note SSL not yet configured)
ExternalUserManagement 1
ExternalGroupManagement 1
ExternalUserSyncFrequency 60
LDAPGroupNameAttribute cn
LDAPGroupIdAttribute nsUniqueId
LDAPGroupFullNameAttribute cn
LDAPGroupMemberAttribute memberof
LDAPGroupSearchBase ou=customers,dc=xxx,dc=com
LDAPGroupFilter (objectclass=ldapSubEntry)
LDAPUserIdAttribute uid
LDAPUserEmailAttribute mail
LDAPUserFullNameAttribute cn
LDAPUserGroupMemberAttribute nsrole
I think this is going to be problematic, and may not work at all. With
groups, there is an actual group entry, which lists all of the members.
With roles, the role entry does not list all of the members. So a query
like
SRCH base="ou=customers,dc=xxxx,dc=com" scope=2
filter="(&(|(member=cn=xxxxrolecommentertest,ou=customers,dc=xxxx,dc=com))(o
bjectClass=ldapSubEntry))"
will not work because there is no role entry which lists it's members in a
"member" attribute.
If you can configure it to search all of the users, you might be able to do
a search like
SRCH base="ou=customers,dc=xxxx,dc=com" scope=2
filter="(nsRole=cn=xxxxrolecommentertest,ou=customers,dc=xxxx,dc=com)"
Roles will automatically populate each user's entry with the nsRole
attribute. This attribute lists all of the roles to which that user
belongs. nsRole is an operational attribute, so you must explicitly request
it on the command line if you want to see it (e.g. in an ldapsearch
command).
The default settings for OpenLDAP installations are:
Stage 1
Authentication URL
ldap://<FQDN of LDAP server>:389/dc=xxxx,dc=com?mail
Authentication DN
Authentication Password
Password
Test Username
Test email address
Test Password
Password for test user
Stage 2
Group Search Base Attribute
dc=xxx,dc=com
Group Filter Attribute
(objectClass=groupOfUniqueNames)
Attributes
OpenLDAP
User ID Attribute
entryUUID
Email Attribute
mail
User Fullname Attribute
cn
User Member Attribute
uid
GroupID Attribute
entryUUID
Group Name Attribute
cn
Group Fullname Attribute
cn
Group Member Attribute
memberUid
From: Andy [mailto:racingyacht1@gmail.com]
Sent: 31 August 2013 13:43
To: '389-users(a)lists.fedoraproject.org'
Subject: Membership of Roles
Hello
I am testing integration of 389-ds with a blogging system. I plan to use
roles instead of groups to automatically give users rights to service on the
blog system. However, I am having problems with the system identifying
members of roles. I need help with defining the correct search parameters to
identify which roles a uid or cn is a member of.
>From within the blog system I'm using LDAPGroupFilter
(objectclass=ldapSubEntry) to list the roles. The roles list correctly as
groups within the blog system.
>From within 389 the members of roles are configured as filtered, and I can
see the configured members using the Directory Server GUI.
The blog system is not identifying members of roles when it does its search
against 389. Note, users can log into the blog system using the accounts
created on 389. I don't think I am applying the correct search criteria to
identify group membership. I need advice on creation of the correct search
criteria for membership of roles/groups.
Sample log from access
[31/Aug/2013:11:09:39 +0100] conn=265 op=0 BIND dn="cn=Directory Manager"
method=128 version=3
[31/Aug/2013:11:09:39 +0100] conn=265 op=0 RESULT err=0 tag=97 nentries=0
etime=0 dn="cn=directory manager"
[31/Aug/2013:11:09:39 +0100] conn=265 op=1 SRCH base="dc=xxxx,dc=com"
scope=2 filter="(&(mail=testuser16(a)xxxx.com)(objectClass=*))
<mailto:mail=testuser16@xxxx.com%29%28objectClass=*%29%29> "
attrs="distinguishedName"
[31/Aug/2013:11:09:39 +0100] conn=265 op=1 RESULT err=0 tag=101 nentries=1
etime=0
[31/Aug/2013:11:09:39 +0100] conn=265 op=2 BIND
dn="uid=1000016,ou=Customers,dc=xxxx,dc=com" method=128 version=3
[31/Aug/2013:11:09:39 +0100] conn=265 op=2 RESULT err=0 tag=97 nentries=0
etime=0 dn="uid=1000016,ou=customers,dc=xxxx,dc=com"
[31/Aug/2013:11:09:39 +0100] conn=265 op=3 BIND dn="cn=Directory Manager"
method=128 version=3
[31/Aug/2013:11:09:39 +0100] conn=265 op=3 RESULT err=0 tag=97 nentries=0
etime=0 dn="cn=directory manager"
[31/Aug/2013:11:09:39 +0100] conn=265 op=4 SRCH base="dc=xxxx,dc=com"
scope=2 filter="(&(mail=testuser16(a)xxxx.com)(objectClass=*))
<mailto:mail=testuser16@xxxx.com%29%28objectClass=*%29%29> " attrs="uid mail
cn mail distinguishedName"
[31/Aug/2013:11:09:39 +0100] conn=265 op=4 RESULT err=0 tag=101 nentries=1
etime=0
[31/Aug/2013:11:09:39 +0100] conn=265 op=5 SRCH base="dc=xxxx,dc=com"
scope=2 filter="(|(uid=1000016))" attrs="nsRole"
[31/Aug/2013:11:09:39 +0100] conn=265 op=5 RESULT err=0 tag=101 nentries=1
etime=0
[31/Aug/2013:11:09:39 +0100] conn=265 op=6 SRCH
base="ou=customers,dc=xxxx,dc=com" scope=2
filter="(&(|(member=cn=xxxxrolecommentertest,ou=customers,dc=xxxx,dc=com))(o
bjectClass=ldapSubEntry))" attrs="cn cn member nsUniqueId"
[31/Aug/2013:11:09:39 +0100] conn=265 op=6 RESULT err=0 tag=101 nentries=0
etime=0
[31/Aug/2013:11:09:39 +0100] conn=265 op=7 UNBIND
[31/Aug/2013:11:09:39 +0100] conn=265 op=7 fd=68 closed - U1
--
389 users mailing list
389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
ACI invalid syntax
by Mitja Mihelič
Hi!
We are moving our Directory server from CentOS 5 Directory Server to
CentOS 6 with 389 Directory Server.
Our DIT looks like this:
dc=example,dc=com
|- dc=guests,dc=example,dc=com
We would like the users in dc=example,dc=com to have full write
permissions for their own entries. Users in dc=guests,dc=example,dc=com
must not have that permission.
For that reason we had the following ACI applied to the
dc=example,dc=com node:
(targetattr = "*")
(target = "ldap:///*@example.com,dc=example, dc=com")
(version 3.0;
acl "Write to example.com - self";
allow (read,compare,search,write)
(userdn = "ldap:///self")
;)
This ACI works on the ol' CentOS 5 and the installed CentOS Directory
server.
However the very same ACI cannot be applied in the 389DS on CentOS 6.
LDAPException: Invalid syntax (21)
How should the ACI be written to work on CentOS 6 389DS?
Kind regards,
Mitja
--
Mitja Mihelič
ARNES, Tehnološki park 18, p.p. 7, SI-1001 Ljubljana, Slovenia
tel: +386 1 479 8877, fax: +386 1 479 88 78
Re: [389-users] Membership of Roles
by Andy Spooner
Please find additional information on the configuration of the blog system
My configuration:
AuthenticationModule LDAP
LDAPAuthURL ldap://xxxxx:389/dc=sf4u,dc=com?mail
LDAPAuthBindDN cn=Directory Manager (will replace with application user
account once phase one integration is completed)
LDAPAuthPassword xxxxxx
LDAPAuthSASLMechanism PLAIN (note SSL not yet configured)
ExternalUserManagement 1
ExternalGroupManagement 1
ExternalUserSyncFrequency 60
LDAPGroupNameAttribute cn
LDAPGroupIdAttribute nsUniqueId
LDAPGroupFullNameAttribute cn
LDAPGroupMemberAttribute memberof
LDAPGroupSearchBase ou=customers,dc=xxx,dc=com
LDAPGroupFilter (objectclass=ldapSubEntry)
LDAPUserIdAttribute uid
LDAPUserEmailAttribute mail
LDAPUserFullNameAttribute cn
LDAPUserGroupMemberAttribute nsrole
The default settings for OpenLDAP installations are:
Stage 1
Authentication URL: ldap://<FQDN of LDAP server>:389/dc=xxxx,dc=com?mail
Authentication DN:
Authentication Password: Password
Test Username: Test email address
Test Password: Password for test user
Stage 2
Group Search Base Attribute: dc=xxx,dc=com
Group Filter Attribute: (objectClass=groupOfUniqueNames)
Attributes (OpenLDAP defaults):
User ID Attribute: entryUUID
Email Attribute: mail
User Fullname Attribute: cn
User Member Attribute: uid
GroupID Attribute: entryUUID
Group Name Attribute: cn
Group Fullname Attribute: cn
Group Member Attribute: memberUid
From: Andy [mailto:racingyacht1@gmail.com]
Sent: 31 August 2013 13:43
To: '389-users(a)lists.fedoraproject.org'
Subject: Membership of Roles
Hello
I am testing integration of 389-ds with a blogging system. I plan to use
roles instead of groups to automatically give users rights to service on the
blog system. However, I am having problems with the system identifying
members of roles. I need help with defining the correct search parameters to
identify which roles a uid or cn is a member of.
From within the blog system I'm using LDAPGroupFilter
(objectclass=ldapSubEntry) to list the roles. The roles list correctly as
groups within the blog system.
From within 389 the members of roles are configured as filtered, and I can
see the configured members using the Directory Server GUI.
The blog system is not identifying members of roles when it does its search
against 389. Note, users can log into the blog system using the accounts
created on 389. I don't think I am applying the correct search criteria to
identify group membership. I need advice on creation of the correct search
criteria for membership of roles/groups.
Sample log from access
[31/Aug/2013:11:09:39 +0100] conn=265 op=0 BIND dn="cn=Directory Manager"
method=128 version=3
[31/Aug/2013:11:09:39 +0100] conn=265 op=0 RESULT err=0 tag=97 nentries=0
etime=0 dn="cn=directory manager"
[31/Aug/2013:11:09:39 +0100] conn=265 op=1 SRCH base="dc=xxxx,dc=com"
scope=2 filter="(&(mail=testuser16(a)xxxx.com)(objectClass=*))"
attrs="distinguishedName"
[31/Aug/2013:11:09:39 +0100] conn=265 op=1 RESULT err=0 tag=101 nentries=1
etime=0
[31/Aug/2013:11:09:39 +0100] conn=265 op=2 BIND
dn="uid=1000016,ou=Customers,dc=xxxx,dc=com" method=128 version=3
[31/Aug/2013:11:09:39 +0100] conn=265 op=2 RESULT err=0 tag=97 nentries=0
etime=0 dn="uid=1000016,ou=customers,dc=xxxx,dc=com"
[31/Aug/2013:11:09:39 +0100] conn=265 op=3 BIND dn="cn=Directory Manager"
method=128 version=3
[31/Aug/2013:11:09:39 +0100] conn=265 op=3 RESULT err=0 tag=97 nentries=0
etime=0 dn="cn=directory manager"
[31/Aug/2013:11:09:39 +0100] conn=265 op=4 SRCH base="dc=xxxx,dc=com"
scope=2 filter="(&(mail=testuser16(a)xxxx.com)(objectClass=*))" attrs="uid
mail cn mail distinguishedName"
[31/Aug/2013:11:09:39 +0100] conn=265 op=4 RESULT err=0 tag=101 nentries=1
etime=0
[31/Aug/2013:11:09:39 +0100] conn=265 op=5 SRCH base="dc=xxxx,dc=com"
scope=2 filter="(|(uid=1000016))" attrs="nsRole"
[31/Aug/2013:11:09:39 +0100] conn=265 op=5 RESULT err=0 tag=101 nentries=1
etime=0
[31/Aug/2013:11:09:39 +0100] conn=265 op=6 SRCH
base="ou=customers,dc=xxxx,dc=com" scope=2
filter="(&(|(member=cn=xxxxrolecommentertest,ou=customers,dc=xxxx,dc=com))(o
bjectClass=ldapSubEntry))" attrs="cn cn member nsUniqueId"
[31/Aug/2013:11:09:39 +0100] conn=265 op=6 RESULT err=0 tag=101 nentries=0
etime=0
[31/Aug/2013:11:09:39 +0100] conn=265 op=7 UNBIND
[31/Aug/2013:11:09:39 +0100] conn=265 op=7 fd=68 closed - U1
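An added example, not code from either post or from 389-ds, that parses access-log lines like the sample quoted in the original message and again in this reply, pairs each request with its RESULT line, and pulls out the two things worth checking in that exchange: searches that completed with err=0 but nentries=0 (the op=6 member= lookup against the ldapSubEntry role entries) and simple binds made as cn=Directory Manager (the LDAPAuthBindDN above, which the poster says will be replaced by an application account). The log text is a constructed excerpt of that sample; only the standard library is used.

```python
import re

# Constructed sample: an unwrapped excerpt of the access log quoted in the
# post (same conn/op numbers, filters and results; the mail lookups are omitted).
SAMPLE_LOG = """\
[31/Aug/2013:11:09:39 +0100] conn=265 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[31/Aug/2013:11:09:39 +0100] conn=265 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[31/Aug/2013:11:09:39 +0100] conn=265 op=2 BIND dn="uid=1000016,ou=Customers,dc=xxxx,dc=com" method=128 version=3
[31/Aug/2013:11:09:39 +0100] conn=265 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=1000016,ou=customers,dc=xxxx,dc=com"
[31/Aug/2013:11:09:39 +0100] conn=265 op=5 SRCH base="dc=xxxx,dc=com" scope=2 filter="(|(uid=1000016))" attrs="nsRole"
[31/Aug/2013:11:09:39 +0100] conn=265 op=5 RESULT err=0 tag=101 nentries=1 etime=0
[31/Aug/2013:11:09:39 +0100] conn=265 op=6 SRCH base="ou=customers,dc=xxxx,dc=com" scope=2 filter="(&(|(member=cn=xxxxrolecommentertest,ou=customers,dc=xxxx,dc=com))(objectClass=ldapSubEntry))" attrs="cn cn member nsUniqueId"
[31/Aug/2013:11:09:39 +0100] conn=265 op=6 RESULT err=0 tag=101 nentries=0 etime=0
[31/Aug/2013:11:09:39 +0100] conn=265 op=7 UNBIND
[31/Aug/2013:11:09:39 +0100] conn=265 op=7 fd=68 closed - U1
"""

# Operation lines: "[ts] conn=N op=M KIND rest". The "fd=68 closed" line has no
# upper-case KIND token and is skipped by the regex.
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<kind>[A-Z]+)\b(?P<rest>.*)$')
# key=value pairs; quoted values (DNs, filters, attrs) may contain spaces and '='.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_access_log(text):
    """Return {(conn, op): record}, merging each request with its RESULT line."""
    ops = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (int(m['conn']), int(m['op']))
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m['rest'])}
        rec = ops.setdefault(key, {'conn': key[0], 'op': key[1]})
        if m['kind'] == 'RESULT':
            rec['err'] = int(fields.get('err', -1))
            rec['nentries'] = int(fields.get('nentries', 0))
        else:
            rec['kind'] = m['kind']
            rec.update(fields)  # dn/method for BIND; base/scope/filter/attrs for SRCH
    return ops

def empty_searches(ops):
    """Searches that succeeded but matched nothing. In 389 DS, membership of a
    filtered role is computed server side and exposed as the user entry's nsRole
    attribute (op=5 here); role entries carry no member values, so op=6 is empty."""
    return [r for r in ops.values()
            if r.get('kind') == 'SRCH' and r.get('err') == 0 and r.get('nentries') == 0]

def privileged_binds(ops, dn='cn=directory manager'):
    """Simple binds as the directory superuser (DN compared case-insensitively)."""
    return [r for r in ops.values()
            if r.get('kind') == 'BIND' and r.get('dn', '').lower() == dn.lower()]
```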
Consumer Initialization Failure
by Wick, Samson
Running 389-ds version 1.2.2-1 (according to the rpm)
In attempting to stand up a new consumer in our environment, the process of allowing the supplier to initialize the consumer directly would corrupt the consumer irrevocably.
I have ruled out firewalls, SSL issues etc.
When attempting to initialize via an ldif, I get errors on three user accounts more or less identical to this:
WARNING: skipping entry "uid=<etc.....>" ending line 296901 of file "<path to my ldif file>"
REASON: entry too large (15503712 bytes) for the buffer size (8388608 bytes)
When I examine the ldif file that the supplier created, the three user objects it's complaining about all have +/- 100,000 entries like this:
userPassword;vucsn-520b35cb000000010000;deleted: {SSHA256}5WJ9hosO3JO9VLa32nqxmGjn3XoShD1c1g+abekZDCFTX1MM187Bjg==
Each line has a different hash. But most of the other user objects only have a couple of these lines.
Clearly 100k+ password changes is a little excessive and it's something I'll need to look into, but in the meantime, can anyone help me figure out what has caused all of these to remain in the directory, and what can I do to clean them up?
Thanks,
Samson
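An added example, not part of the post or of 389-ds, that scans an LDIF export for entries that would exceed the import buffer named in the error above (8388608 bytes) and counts, per attribute, the values tagged as deleted replication state (attr;vucsn-...;deleted), which is how the oversized accounts in the post can be located before an import is attempted. The LDIF and its hashes are constructed placeholders; the byte count is an approximation of each entry's size in the file.

```python
import re
from collections import Counter

# attribute;<options containing "deleted">: value  (e.g. userPassword;vucsn-...;deleted:)
DELETED_RE = re.compile(r'^([A-Za-z][\w-]*);[^:]*\bdeleted:')

def build_sample_ldif(deleted_values):
    """Constructed LDIF: one entry bloated with deleted userPassword values, one normal."""
    lines = ["dn: uid=bloated,ou=people,dc=example,dc=com",
             "objectClass: inetOrgPerson", "uid: bloated",
             "userPassword: {SSHA256}PLACEHOLDERCURRENT"]
    for i in range(deleted_values):  # CSN and hash are made-up placeholders
        lines.append("userPassword;vucsn-520b35cb%08x0000;deleted: {SSHA256}PLACEHOLDER%06d"
                     % (i, i))
    lines += ["", "dn: uid=normal,ou=people,dc=example,dc=com",
              "objectClass: inetOrgPerson", "uid: normal",
              "userPassword: {SSHA256}PLACEHOLDERNORMAL",
              "userPassword;vucsn-520b35cb000000010000;deleted: {SSHA256}PLACEHOLDEROLD", ""]
    return "\n".join(lines)

def iter_ldif_entries(text):
    """Yield each entry as a list of unfolded attribute lines (blank line separates entries)."""
    entry = []
    for line in text.splitlines() + [""]:
        if line.startswith(" ") and entry:
            entry[-1] += line[1:]          # LDIF continuation line
        elif line == "":
            if entry:
                yield entry
                entry = []
        elif not line.startswith("#"):
            entry.append(line)

def scan_ldif(text, buffer_size=8388608):
    """Per entry: dn, approximate size, whether it exceeds the buffer, deleted-value counts."""
    report = []
    for lines in iter_ldif_entries(text):
        dn = next((l[4:] for l in lines if l.startswith("dn: ")), "?")
        size = sum(len(l.encode()) + 1 for l in lines)  # +1 for each newline
        deleted = Counter()
        for l in lines:
            m = DELETED_RE.match(l)
            if m:
                deleted[m.group(1)] += 1
        report.append({"dn": dn, "bytes": size, "too_large": size > buffer_size,
                       "deleted": dict(deleted)})
    return report
```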