Naming conflict on hub/consumer
by Colin Tulloch
Hi All -
We had a bundle of problems with our MM/consumer setup. Ran out of FDs on the consumers, had the slapd process on a master die, etc.
We're getting things back up and running properly, but having some replication issues now. We've got it mostly cleaned up - the masters are in sync, and all consumers but 1 hub.
However, 1 hub has 3 naming conflicts on an entry. How can we resolve these? Since it's read-only, the normal documented processes won't work of course. The non-conflicted entry isn't receiving updates from the masters. We use the directory for PKI, and the entry contains a CRL that is going to expire - not good.
Do we need to just wait, and the actual entry will get updated at some point? With the errors we had, it seemed to take a long time for the directories to replicate around and catch up.
10 years, 3 months
Deleting home folders when deleting ldap users
by Chaudhari, Rohit K.
Hello,
I'm using JNDI and Java to delete LDAP users, but when I delete them,
their home folders stay on the Desktop. How do I get these to delete as
well without creating a separate script? Is there a toggle in LDAP to
make this happen?
Secondly, if a user has multiple home folders scattered across multiple
systems, how do you clear away all those home folders when deleting a LDAP
user on one central machine linked to all those multiple systems?
Thanks
On 1/22/14 3:26 PM, "Paul Robert Marino" <prmarino1(a)gmail.com> wrote:
>your SSL cert or your DNS is bad. TLS requires full forward and reverse
>lookup of the C name for the host to match one of the host names in
>the SSL cert.
>
>
>
>On Wed, Jan 22, 2014 at 3:08 PM, Chaudhari, Rohit K.
><Rohit.Chaudhari(a)jhuapl.edu> wrote:
>> I'm not using kerberos. The other suggestion about using ldappasswd led
>> to the error:
>>
>> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
>> Additional info: TLS: hostname does not match CN in peer certificate
>>
>> Is there a way to create a JNDI equivalent command so that I could add a
>> checkbox to a Java GUI that basically toggles the "force password change
>> after reset" checkbox built into the password policy in 389?
>>
>> On 1/22/14 10:49 AM, "Paul Robert Marino" <prmarino1(a)gmail.com> wrote:
>>
>>>Sorry, that's not possible.
>>>If you are using Kerberos then you can do it via the kadmin command.
>>>If not then you have to use one of several other tools like the admin
>>>console or ldapmodify for example.
>>>
>>>
>>>On Wed, Jan 22, 2014 at 9:06 AM, Chaudhari, Rohit K.
>>><Rohit.Chaudhari(a)jhuapl.edu> wrote:
>>>> Hello,
>>>>
>>>> I need to be able to reset a LDAP user's password if they forget it
>>>>with the
>>>> user root. But when I try the "passwd" command as root for a LDAP
>>>>user, I
>>>> get the following:
>>>>
>>>> (as root)
>>>> passwd tuser
>>>> Changing password for user tuser.
>>>> Password reset by root is not supported.
>>>> passwd: Authentication token manipulation error.
>>>>
>>>> I am using sssd as the LDAP authentication mechanism tool, to be
>>>>specific.
>>>> Does anyone have a solution to dealing with this issue of resetting a
>>>>LDAP
>>>> user's password if they forgot it?
>>>>
>>>> Thanks,
>>>>
>>>> Rohit
>>>>
>>>> From: <Chaudhari>, "Rohit K. Chaudhari" <rohit.chaudhari(a)jhuapl.edu>
>>>> Date: Tuesday, January 21, 2014 3:29 PM
>>>> To: "General discussion list for the 389 Directory server project."
>>>> <389-users(a)lists.fedoraproject.org>
>>>> Subject: using passwd with 389
>>>>
>>>> Hello,
>>>>
>>>> I want to be able to use the Unix "passwd" command to reset a LDAP
>>>>user's
>>>> password from the command line. However, I keep getting an
>>>>authentication
>>>> token manipulation error whenever I try to reset the password using
>>>>that
>>>> command. What do I need to do in the 389 DS or on Unix in order to
>>>>get
>>>>this
>>>> command to work?
>>>>
>>>> Thanks,
>>>>
>>>> Rohit
>>>>
>>>> --
>>>> 389 users mailing list
>>>> 389-users(a)lists.fedoraproject.org
>>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
10 years, 3 months
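The "TLS: hostname does not match CN in peer certificate" error quoted in the thread above is the client refusing to trust a server certificate that does not name the host it was asked to connect to. The following is an added example, not code from the thread or from 389 DS or OpenLDAP, that models the check an LDAP client performs: the name in the -H ldaps:// URL must match a DNS subjectAltName (or, when the certificate has no DNS SANs, the subject CN), and an IP literal must match an IP subjectAltName. The certificate below is constructed in the dict layout Python's ssl.SSLSocket.getpeercert() returns; no real host is contacted.

```python
import re
from ipaddress import ip_address

# Constructed certificate in the getpeercert() dict layout (not a real cert).
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "ldap.example.org"),)),
    "subjectAltName": (
        ("DNS", "ldap.example.org"),
        ("DNS", "*.ldap.example.org"),
        ("IP Address", "192.0.2.10"),
    ),
}


def _dns_names(cert: dict) -> list[str]:
    """Names the certificate is valid for: DNS SANs if present, else the subject CN."""
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for t, v in rdn if t == "commonName"]


def _name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive DNS name match; a wildcard is only honoured in the
    leftmost label, matches exactly one label, and needs at least two more labels."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) < 3 or p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: dict, hostname: str) -> tuple[bool, str]:
    """Decide whether `hostname` (the name or IP literal from the ldaps:// URL)
    is covered by `cert`; the reason string mirrors the client's error wording."""
    try:
        ip = ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        cert_ips = [v for t, v in cert.get("subjectAltName", ()) if t == "IP Address"]
        if any(ip == ip_address(v) for v in cert_ips):
            return True, f"{hostname} is an IP subjectAltName"
        return False, f"TLS: IP {hostname} is not a subjectAltName of the peer certificate"
    names = _dns_names(cert)
    if any(_name_matches(n, hostname) for n in names):
        return True, f"{hostname} matches one of {names}"
    return False, (f"TLS: hostname does not match CN in peer certificate "
                   f"(connected to {hostname}, certificate names {names})")


if __name__ == "__main__":
    for host in ("ldap.example.org", "ldap01.ldap.example.org",
                 "ldap-alias.example.org", "192.0.2.10", "192.0.2.11"):
        ok, why = hostname_matches(SAMPLE_CERT, host)
        print(f"{host:28} {'OK ' if ok else 'FAIL'} {why}")
```

The practical consequence is that the URL must use a name the certificate carries (a CNAME alias or a bare IP will not do unless it was put in the certificate as a SAN), and the name itself, not the result of any reverse lookup, is what is compared.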
using passwd with 389
by Chaudhari, Rohit K.
Hello,
I want to be able to use the Unix "passwd" command to reset a LDAP user's password from the command line. However, I keep getting an authentication token manipulation error whenever I try to reset the password using that command. What do I need to do in the 389 DS or on Unix in order to get this command to work?
Thanks,
Rohit
10 years, 3 months
Replication error
by Diego Woitasen
Hi,
I have a replication error with 389DS. If I try a full resync,
replication works. But if I modify something after that, it fails. The
only lines that I see in the logs are:
[20/Jan/2014:21:12:50 -0300] - _csngen_adjust_local_time: gen state
before 52ddb8ec0001:1390262479:0:29
[20/Jan/2014:21:12:50 -0300] - _csngen_adjust_local_time: gen state
after 52ddbb9f0000:1390263170:0:29
[20/Jan/2014:21:12:50 -0300] NSMMReplicationPlugin -
ruv_add_csn_inprogress: successfully inserted csn 52ddbb9f000000630000
into pending list
[20/Jan/2014:21:12:50 -0300] NSMMReplicationPlugin - Purged state
information from entry
uid=zzj,ou=People,ou=branch,ou=branches,dc=site,dc=ar up to CSN
52d47e6b000000630000
[20/Jan/2014:21:12:50 -0300] NSMMReplicationPlugin - ruv_update_ruv:
successfully committed csn 52ddbb9f000000630000
[20/Jan/2014:21:12:50 -0300] NSMMReplicationPlugin - agmt="cn=main to
cmald" (ldap:389): State: stop_fatal_error -> stop_fatal_error
Not very helpful for me. The last line shows an error, but it's not
very descriptive. What can I do to debug this? Or do you have a hint?
Regards,
Diego
--
Diego Woitasen
Linux and Open Source solutions architect at www.vhgroup.net
10 years, 3 months
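The log lines quoted above carry more than the "stop_fatal_error" state: every CSN encodes the time the change was stamped, the replica that generated it and a sequence number, and the two csngen "gen state" lines show how far the CSN clock has been pushed ahead of the local clock to stay ahead of CSNs received from a remote replica. The following added example, not code from the post or from 389 DS, decodes those values from the quoted lines (re-joined into single records, since the archive wrapped them) so a replication problem can be checked against wall-clock time and clock skew. The CSN layout (8 hex digits of Unix time, then 4 hex digits each of sequence number, replica id and sub-sequence number) is 389 DS's; the interpretation of the "gen state" dump as time:sampled-local-time:local-offset:remote-offset is an assumption inferred from the numbers in the post, which fit it exactly.

```python
import re
from datetime import datetime, timezone
from typing import NamedTuple

# Constructed sample input: the errors-log records quoted in the post, with the
# archive's line wrapping undone so that each record is one line.
SAMPLE_LOG = """\
[20/Jan/2014:21:12:50 -0300] - _csngen_adjust_local_time: gen state before 52ddb8ec0001:1390262479:0:29
[20/Jan/2014:21:12:50 -0300] - _csngen_adjust_local_time: gen state after 52ddbb9f0000:1390263170:0:29
[20/Jan/2014:21:12:50 -0300] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 52ddbb9f000000630000 into pending list
[20/Jan/2014:21:12:50 -0300] NSMMReplicationPlugin - Purged state information from entry uid=zzj,ou=People,ou=branch,ou=branches,dc=site,dc=ar up to CSN 52d47e6b000000630000
[20/Jan/2014:21:12:50 -0300] NSMMReplicationPlugin - ruv_update_ruv: successfully committed csn 52ddbb9f000000630000
[20/Jan/2014:21:12:50 -0300] NSMMReplicationPlugin - agmt="cn=main to cmald" (ldap:389): State: stop_fatal_error -> stop_fatal_error
"""


class CSN(NamedTuple):
    """A 389 DS change sequence number: 8 hex digits of Unix time, then
    4 hex digits each of sequence number, replica id and sub-sequence number."""
    timestamp: int
    seqnum: int
    replica_id: int
    subseqnum: int

    def when(self) -> str:
        return datetime.fromtimestamp(self.timestamp, tz=timezone.utc).isoformat()


def decode_csn(csn: str) -> CSN:
    if not re.fullmatch(r"[0-9a-fA-F]{20}", csn):
        raise ValueError(f"not a 20-hex-digit CSN: {csn!r}")
    return CSN(int(csn[0:8], 16), int(csn[8:12], 16),
               int(csn[12:16], 16), int(csn[16:20], 16))


CSN_RE = re.compile(r"\b(?:csn|CSN)\s+([0-9a-fA-F]{20})\b")
STATE_RE = re.compile(
    r'agmt="(?P<agmt>[^"]+)" \((?P<host>[^)]+)\): State: (?P<old>\S+) -> (?P<new>\S+)')
# Assumed layout of the csngen dump, inferred from the post's numbers:
# <8 hex time><4 hex seq>:<sampled local time>:<local offset>:<remote offset>
GEN_RE = re.compile(r"gen state (?P<tag>before|after) (?P<hex>[0-9a-f]{12})"
                    r":(?P<sampled>\d+):(?P<local>\d+):(?P<remote>\d+)")


def csns_in_log(text: str) -> list[CSN]:
    """Every distinct CSN mentioned in the log, oldest first."""
    return sorted({decode_csn(m) for m in CSN_RE.findall(text)})


def agreement_states(text: str) -> list[tuple[str, str, str, str]]:
    """(agreement, host, old state, new state) for each state-transition record."""
    return [(m["agmt"], m["host"], m["old"], m["new"]) for m in STATE_RE.finditer(text)]


def fatal_agreements(text: str) -> list[str]:
    """Agreements whose most recently logged state is a fatal one."""
    latest = {agmt: new for agmt, _, _, new in agreement_states(text)}
    return sorted(a for a, s in latest.items() if s.endswith("fatal_error"))


def generator_skew(text: str) -> list[tuple[str, int, int, int]]:
    """(tag, seconds the CSN clock runs ahead of the sampled local time,
    local offset, remote offset) for each csngen state dump."""
    out = []
    for m in GEN_RE.finditer(text):
        csn_time = int(m["hex"][:8], 16)
        out.append((m["tag"], csn_time - int(m["sampled"]),
                    int(m["local"]), int(m["remote"])))
    return out


if __name__ == "__main__":
    for c in csns_in_log(SAMPLE_LOG):
        print(f"{c.when()}  replica={c.replica_id} seq={c.seqnum} sub={c.subseqnum}")
    for tag, ahead, local, remote in generator_skew(SAMPLE_LOG):
        print(f"csngen {tag}: CSN clock {ahead}s ahead of local time "
              f"(local offset {local}s, remote offset {remote}s)")
    for agmt in fatal_agreements(SAMPLE_LOG):
        print(f"agreement {agmt!r} is in a fatal state; check its status attributes")
```

On the quoted lines this reports the committed change as stamped at 2014-01-21 00:12:50 UTC plus 29 s by replica id 99, a purge of state older than about seven days (the default purge delay), and a remote offset of 29 s, meaning some other replica's clock is ahead of this one; a persistent or growing remote offset is the kind of thing worth checking with ntpq on each master when replication misbehaves.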
Only username as bind dn
by Paolo Barbato
Hi 389-users,
I'm testing the latest released 389 dirsrv on a RHEL 6.5.
I've deployed a PAM passthrough, since I have a central repository for credentials, and it works.
I wonder whether it is possible to use a simple username, or whether it is mandatory to use syntax like uid=myuser (or cn=..) as the bind DN.
ldapsearch -v -LLL -Hldaps://my389 -b"dc=myDC" -D "uid=myUser" -W -x works
ldapsearch -v -LLL -Hldaps://my389 -b"dc=myDC" -D "myUser" -W -x doesn't work
ldap_bind: No such object (32)
additional info: Bind DN [myUser] is invalid or not found
So the question is whether it would be possible to rewrite the bind DN in some way before the syntax check.
Regards,
Paolo.
------------------------------------------------------------------------------------------------
Paolo Barbato
Consorzio RFX
corso Stati Uniti,4
Network Administrator
phone: +39 049 8295097 fax: +39 049 8700718
------------------------------------------------------------------------------------------------
10 years, 3 months
The admin server: failed to get a socket for 0.0.0.0
by Jan Tomasek
Hello,
I'm trying to install new LDAP server and facing strange errors:
> [14/01/15:04:47:03] - [Setup] Info Updating the configuration for the httpd engine . . .
> [14/01/15:04:47:03] - [Setup] Warning Error: command 'getsebool httpd_can_connect_ldap' failed - output [getsebool: SELinux is disabled] error [][14/01/15:04:47:03] - [Setup] Info Starting admin server . . .
> [14/01/15:04:47:13] - [Setup] Info output: Starting dirsrv-admin:
> [14/01/15:04:47:13] - [Setup] Info output: [Wed Jan 15 04:47:03 2014] [crit] (22)Invalid argument: alloc_listener: failed to get a socket for 0.0.0.0
> [14/01/15:04:47:13] - [Setup] Info output: Syntax error on line 87 of /etc/dirsrv/admin-serv/console.conf:
> [14/01/15:04:47:13] - [Setup] Info output: Listen setup failed
> [14/01/15:04:47:13] - [Setup] Info output: Server failed to start !!! Please check errors log for problems
> [14/01/15:04:47:13] - [Setup] Info output: ESC[60G[ESC[0;31mFAILEDESC[0;39m]
> [14/01/15:04:47:13] - [Setup] Info The admin server was successfully started.
> [14/01/15:04:47:13] - [Setup] Info Admin server was successfully created, configured, and started.
> [14/01/15:04:47:13] - [Setup] Success Exiting . . .
I have found bug 377: https://fedorahosted.org/389/ticket/377 which
seems to be fixed in 1.1.36 but sadly it's not available yet in
repositories:
> [root@ldap21shadow ~]# yum list installed |grep 389
> 389-admin.x86_64 1.1.35-1.el6 @epel
> 389-admin-console.noarch 1.1.8-1.el6 @epel
> 389-admin-console-doc.noarch 1.1.8-1.el6 @epel
> 389-adminutil.x86_64 1.1.19-1.el6 @epel
> 389-console.noarch 1.1.7-1.el6 @epel
> 389-ds.noarch 1.2.2-1.el6 @epel
> 389-ds-base.x86_64 1.2.11.15-31.el6_5 @updates
> 389-ds-base-libs.x86_64 1.2.11.15-31.el6_5 @updates
> 389-ds-console.noarch 1.2.6-1.el6 @epel
> 389-ds-console-doc.noarch 1.2.6-1.el6 @epel
> 389-dsgw.x86_64 1.1.11-1.el6 @epel
I've tried workaround described there by rmeggins. Output is very
similar, only warning about getsebool is gone:
> Creating directory server . . .
> /usr/sbin/semanage: SELinux policy is not managed or store cannot be accessed.
> /usr/sbin/semanage: SELinux policy is not managed or store cannot be accessed.
> Your new DS instance 'ldap21shadow' was successfully created.
> Creating the configuration directory server . . .
> Beginning Admin Server creation . . .
> Creating Admin Server files and directories . . .
> Updating adm.conf . . .
> Updating admpw . . .
> Registering admin server with the configuration directory server . . .
> Updating adm.conf with information from configuration directory server . . .
> Updating the configuration for the httpd engine . . .
> /usr/sbin/semanage: SELinux policy is not managed or store cannot be accessed.
> /usr/sbin/semanage: SELinux policy is not managed or store cannot be accessed.
> Starting admin server . . .
> output: Starting dirsrv-admin:
> output: [Wed Jan 15 05:11:22 2014] [crit] (22)Invalid argument: alloc_listener: failed to get a socket for 0.0.0.0
> output: Syntax error on line 87 of /etc/dirsrv/admin-serv/console.conf:
> output: Listen setup failed
> output: Server failed to start !!! Please check errors log for problems
> output: [FAILED]
> The admin server was successfully started.
> Admin server was successfully created, configured, and started.
> Exiting . . .
> Log file is '/tmp/setup3KfWko.log'
The console.conf is equal to the configuration on my other servers:
> [root@ldap21shadow ~]# head -87 /etc/dirsrv/admin-serv/console.conf | tail -5
> # e.g. "Listen 12.34.56.78:80"
> #
> # To allow connections to IPv6 addresses add "Listen [::]:80"
> #
> Listen 0.0.0.0:9830
I've tried
Listen 9830
Listen [::]:9830
Listen 127.0.0.1: 9830
Still the same errors:
> [root@ldap21shadow ~]# /etc/init.d/dirsrv-admin start
> Starting dirsrv-admin:
> [Wed Jan 15 05:29:55 2014] [crit] (22)Invalid argument: alloc_listener: failed to get a socket for 0.0.0.0
> Syntax error on line 87 of /etc/dirsrv/admin-serv/console.conf:
> Listen setup failed
Any suggestions?
Thanks!
--
-----------------------
Jan Tomasek aka Semik
http://www.tomasek.cz/
10 years, 3 months
non-unique UID
by Elizabeth Jones
I'm trying to scrub our LDAP data - we imported existing data from an old
Sun LDAP to our current 389 DS. I just noticed that there are 5 accounts
in our LDAP that all have the same UID - I didn't think that was possible?
Elizabeth J
10 years, 3 months
Password synchronisation beetween openldap and AD 2008 R2
by Louis-Marie Plumel
Hello,
Actually, I work with OpenLDAP.
I've installed an AD 2008 R2. My challenge is to work with both and
synchronise LDAP and AD 2008 R2. After a long search on the web, I haven't
found any information about how to synchronise passwords. That's why I come
here to see whether it's possible with 389 DS or not.
Thank you for your help.
--
Louis-Marie Plumel
louismarie.plumel(a)gmail.com
10 years, 3 months
Trigger on modify
by Deas, Jim
Is there a way to have 389-DS trigger a script when a group is modified?
I.e., update POSIX members on changes to static and dynamic groups?
JD
10 years, 3 months
ACI warnings in error log
by Chris Chatfield
Hi,
I'm seeing a similar situation as was described in the mailing list message "errors log - NSACLPlugin - acllas__client_match_URL:" from Feb 2013. The final result of this was a suggestion to file a ticket. As far as I can see this wasn't done. Should I do this (for my scenario)?
On to my case. I'm getting messages like this in my errors log (Centos 6.5, 389DS 1.2.11.15):
NSACLPlugin - acllas__client_match_URL: url [ldap:///gcUID=0001ab51,o=Teamphone.com??sub?(objectclass=gcsubscriber)] scope is subtree but dn [gcUID=0001ab51,o=Teamphone.com] is not a suffix of [cn=tp manager,ou=configuration,o=teamphone.com]
There are acis at the o=teamphone.com subtree which allow administrators access to the whole tree.
There are acis at the gcUID=0001ab51,o=Teamphone.com subtree which allow gcsubscriber entries within that tree to have limited access to the subtree. Note that we have extended the schema such that gcsubscribers extend person, amongst other things. I do not believe this makes any difference to the problem.
The message happens on a connection bound to cn=tp manager,ou=configuration,o=teamphone.com (an administrator) when it searches within the subtree gcUID=0001ab51,o=Teamphone.com. It seems the acis at gcUID=0001ab51,o=Teamphone.com are being evaluated in the context of this administrator. In this case the administrator does not match the aci's userdn url path. This is deliberate as this aci is concerned with gcsubscriber access, not admin access. Other acis higher up give the correct admin access.
So in summary, I think this logging should be downgraded from SLAPI_LOG_FATAL to SLAPI_LOG_ACL for the "acllas__client_match_URL: url [%s] scope is subtree but dn [%s] is not a suffix of [%s]\n" message (and I guess similarly for the onelevel/base scopes too). I notice that the git comment suggested that these lines were debugging.
Would that be the right approach? We're moving away from the Sun/Oracle 5.2 directory server, and this aci is behaving quietly there.
Many thanks,
Chris
10 years, 3 months
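The message in the post is produced when an aci's userdn LDAP URL is tested against the bound DN and the URL's base is not a suffix of that DN, which is exactly the expected outcome for an administrator bound outside the gcUID subtree. The following added example, not code from the post or from 389 DS's ACL plugin, is a simplified model of that test: it parses the URL's base, scope and filter, normalises both DNs (attribute types and values compared case-insensitively, which is accurate for the caseIgnore attributes in these DNs but not for every syntax, and multi-valued RDNs are not handled), and reports a non-match in the same wording as the log. The subscriber DN and object classes below are constructed; the admin DN and URL are the ones quoted in the post.

```python
import re

# From the post.
ACI_URL = "ldap:///gcUID=0001ab51,o=Teamphone.com??sub?(objectclass=gcsubscriber)"
ADMIN_DN = "cn=tp manager,ou=configuration,o=teamphone.com"
# Constructed: a subscriber entry living under the gcUID subtree.
SUBSCRIBER_DN = "uid=alice, gcUID=0001ab51, o=Teamphone.com"


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (type, value) RDNs on commas that are not backslash-escaped
    (RFC 4514), trimming the optional spaces around commas and lower-casing
    both type and value for comparison (a simplification: treats every value
    as caseIgnore and ignores multi-valued RDNs)."""
    rdns = []
    for rdn in (re.split(r"(?<!\\),", dn) if dn else []):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        attr, value = rdn.split("=", 1)
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def dn_in_scope(candidate: str, base: str, scope: str) -> bool:
    """True if `candidate` lies within `scope` (base/one/sub) of `base`."""
    c, b = parse_dn(candidate), parse_dn(base)
    if scope == "base":
        return c == b
    if len(c) < len(b) or c[len(c) - len(b):] != b:
        return False  # base is not a suffix of the candidate DN
    if scope == "one":
        return len(c) == len(b) + 1
    if scope == "sub":
        return True
    raise ValueError(f"unknown scope {scope!r}")


URL_RE = re.compile(r"ldap://[^/]*/(?P<dn>[^?]*)"
                    r"(?:\?(?P<attrs>[^?]*)(?:\?(?P<scope>[^?]*)(?:\?(?P<filter>.*))?)?)?")


def parse_ldap_url(url: str) -> tuple[str, str, str, str]:
    """(base dn, attributes, scope, filter) from an LDAP URL; scope defaults to base."""
    m = URL_RE.fullmatch(url)
    if not m:
        raise ValueError(f"not an LDAP URL: {url!r}")
    return m["dn"], m["attrs"] or "", m["scope"] or "base", m["filter"] or ""


def userdn_url_matches(url: str, bind_dn: str, objectclasses: set[str]) -> tuple[bool, str]:
    """Does the bound DN (with the given objectClass values) satisfy the userdn URL?
    Only the single-term (objectclass=X) filter used in the post is evaluated."""
    base, _, scope, flt = parse_ldap_url(url)
    if not dn_in_scope(bind_dn, base, scope):
        if scope == "sub":
            return False, f"scope is sub but dn [{base}] is not a suffix of [{bind_dn}]"
        return False, f"[{bind_dn}] is not within {scope} scope of [{base}]"
    m = re.fullmatch(r"\(objectclass=([^)]+)\)", flt, re.IGNORECASE)
    if m and m[1].lower() not in {o.lower() for o in objectclasses}:
        return False, f"[{bind_dn}] does not satisfy filter {flt}"
    return True, f"[{bind_dn}] matches {url}"


if __name__ == "__main__":
    for dn, ocs in ((ADMIN_DN, {"top", "person"}),
                    (SUBSCRIBER_DN, {"top", "person", "gcsubscriber"})):
        ok, why = userdn_url_matches(ACI_URL, dn, ocs)
        print(("match   " if ok else "no match"), why)
```

For the administrator the result is a non-match with the same text the server logs, and the access decision then falls through to the acis higher up the tree that do grant admin access; that is why the line is informational rather than a sign that the aci is broken.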