Problem browsing LDAP with Outlook
by Chris Bryant
When configuring Microsoft Outlook (not Outlook Express) to access an LDAP directory, there is an option to 'Enable Browsing (requires server support)'. If this option is chosen and the directory server supports it, then you should be able to open the LDAP address book and page up and down through the results. I have been unable to get this working properly with 389 DS.
When I try to browse from Outlook against the 389 DS directory, I am able to see the first page of results perfectly. However, if I move to the next page, only the first object returned will have any attributes included, and all of the rest of the objects in the page will have no attributes. I have a test perl script that duplicates this functionality as well.
I can get this to work properly with an older version of Netscape Directory Server, and I can get it working with OpenDS. Since 389 DS advertises support for the controls that are required for this to work, just like the other two servers, then I would expect it to work there also.
Has anyone out there gotten this to work with 389 DS? If so, can you share if there was anything special that you needed to do to get this to work? I'm trying to determine if this is a bug in the server, or if I'm just missing something in the configuration.
Thanks,
Chris
USA.NET
2 years, 9 months
changelog
by Denise Cosso
Hi,
How do I modify the attribute nsslapd-encryptionalgorithm in CentOS?
Thanks,
Denise
Stop the master servers and set nsslapd-encryptionalgorithm. The allowed values are AES or 3DES.
dn: cn=changelog5,cn=config
[...]
nsslapd-encryptionalgorithm: AES
--- On Tue, 4/6/13, Rich Megginson <rmeggins(a)redhat.com> wrote:
From: Rich Megginson <rmeggins(a)redhat.com>
Subject: Re: [389-users] changelog
To: "Denise Cosso" <guanaes51(a)yahoo.com.br>
Date: Tuesday, 4 June 2013, 16:34
On 06/04/2013 01:26 PM, Denise Cosso wrote:
Hi, Rich
CentOS release 6.3 (Final)
389-ds-base-libs-1.2.10.2-20.el6_3.x86_64
389-ds-1.2.2-1.el6.noarch
389-dsgw-1.1.10-1.el6.x86_64
389-ds-console-1.2.6-1.el6.noarch
389-ds-console-doc-1.2.6-1.el6.noarch
389-ds-base-1.2.10.2-20.el6_3.x86_64
As far as replication goes - you will need to use a security layer (SSL, TLS, or GSSAPI) to protect the clear text password on the wire.
As far as encrypting it in the changelog - not sure.
Denise
--- On Tue, 4/6/13, Rich Megginson <rmeggins(a)redhat.com> wrote:
From: Rich Megginson <rmeggins(a)redhat.com>
Subject: Re: [389-users] changelog
To: "General discussion list for the 389 Directory server project." <389-users(a)lists.fedoraproject.org>
Cc: "Denise Cosso" <guanaes51(a)yahoo.com.br>
Date: Tuesday, 4 June 2013, 16:11
On 06/04/2013 12:39 PM, Denise Cosso wrote:
Hi,
Description of problem:
When a userPassword is changed in a server with changelog, the hashed password
is logged and also a cleartext pseudo-attribute version. It looks like this:
change::
replace: userPassword
userPassword: {SHA256}vqtiN2LHdrEUOJUKu+IBVqAVFsAlvFw+11kD/Q==
-
replace: unhashed#user#password
unhashed#user#password: secret12
This unhashed version is used in winsync where the cleartext version of the
password must be written to the AD.
Now if the DS is involved in replication with another DS, the change will be
replayed exactly as it is logged to the other DS replicas, including the
cleartext pseudo-attribute password.
What platform? What version of 389-ds-base are you using?
thanks,
Denise
--
389 users mailing list
389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
8 years, 1 month
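The cleartext pseudo-attribute Denise describes is something a changelog or replication audit should catch mechanically rather than someone noticing it while reading LDIF. The following Python is an added example, not code from this thread or from the 389 DS project: it parses a decoded changelog modify body (the raw changelog stores it as `change::`, i.e. base64), reports whether an `unhashed#user#password` value travels with the hashed `userPassword` (without echoing the value), and checks a `cn=changelog5,cn=config` entry for an acceptable `nsslapd-encryptionalgorithm` (AES or 3DES, as stated above). The sample records are constructed; the changelog directory path in them is made up.

```python
import base64

# Constructed sample: the decoded value of a changelog entry's 'change' attribute,
# as quoted in the thread. The password is the thread's own dummy value.
SAMPLE_CHANGE = """replace: userPassword
userPassword: {SHA256}vqtiN2LHdrEUOJUKu+IBVqAVFsAlvFw+11kD/Q==
-
replace: unhashed#user#password
unhashed#user#password: secret12
-
"""

# Constructed samples of the cn=changelog5,cn=config entry. The changelogdir
# path is made up; only the attribute names come from the thread.
CHANGELOG_UNENCRYPTED = """dn: cn=changelog5,cn=config
objectClass: top
objectClass: extensibleObject
cn: changelog5
nsslapd-changelogdir: /var/lib/dirsrv/slapd-example/changelogdb
"""
CHANGELOG_AES = CHANGELOG_UNENCRYPTED + "nsslapd-encryptionalgorithm: AES\n"

# Pseudo-attributes that carry a password in the clear through the changelog.
CLEARTEXT_PSEUDO_ATTRS = {"unhashed#user#password"}
ALLOWED_CHANGELOG_CIPHERS = {"AES", "3DES"}


def unfold_ldif(text):
    """Join LDIF continuation lines (leading space) onto the line before them."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def split_ldif_line(line):
    """Split 'attr: value' or 'attr:: base64' into (lowercased attr, decoded value)."""
    name, sep, rest = line.partition(":")
    if not sep:
        return None, None
    if rest.startswith(":"):
        value = base64.b64decode(rest[1:].strip()).decode("utf-8")
    else:
        value = rest.strip()
    return name.strip().lower(), value


def parse_modify_body(body):
    """Parse an LDIF modify body into [{'op', 'attr', 'values'}] records."""
    mods, current = [], None
    for line in unfold_ldif(body):
        if line == "-":
            if current:
                mods.append(current)
            current = None
            continue
        name, value = split_ldif_line(line)
        if name is None:
            continue
        if name in ("add", "delete", "replace"):
            current = {"op": name, "attr": value.lower(), "values": []}
        elif current is not None and name == current["attr"]:
            current["values"].append(value)
    if current:
        mods.append(current)
    return mods


def cleartext_password_mods(body):
    """Report (op, attr, value_count) for mods that carry a cleartext password.

    The values themselves are deliberately not returned, so the report never
    leaks what it found.
    """
    return [(m["op"], m["attr"], len(m["values"]))
            for m in parse_modify_body(body) if m["attr"] in CLEARTEXT_PSEUDO_ATTRS]


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attr: [values]}."""
    attrs = {}
    for line in unfold_ldif(text):
        name, value = split_ldif_line(line)
        if name is not None:
            attrs.setdefault(name, []).append(value)
    return attrs


def changelog_encryption(config_ldif):
    """Return (algorithm or None, acceptable?) for a cn=changelog5,cn=config entry."""
    attrs = parse_ldif_entry(config_ldif)
    if attrs.get("dn", [""])[0].lower() != "cn=changelog5,cn=config":
        raise ValueError("not the cn=changelog5,cn=config entry")
    values = attrs.get("nsslapd-encryptionalgorithm", [])
    alg = values[0].upper() if values else None
    return alg, alg in ALLOWED_CHANGELOG_CIPHERS


if __name__ == "__main__":
    print("cleartext password mods:", cleartext_password_mods(SAMPLE_CHANGE))
    for label, ldif in (("unencrypted", CHANGELOG_UNENCRYPTED), ("aes", CHANGELOG_AES)):
        print(label, changelog_encryption(ldif))
```

Feeding it a `db2ldif -r` style dump of the changelog, record by record, turns Denise's observation into a repeatable check; the encryption check only tells you the changelog is protected at rest, so Rich's point about a security layer on the replication connection still stands.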
389 GUI/Console
by Gonzalo Fernandez Ordas
Hi
I got 389 running on a remote Linux box, and I would like to make use of
the Console without the need of exporting X-Windows whenever I want
to make a change, as I also would prefer not to keep tweaking the
configuration files all the time.
Is there any way of doing this through any remote client?
Any advice on this matter?
Thanks very much
8 years, 3 months
How to get password expiration working?
by Paul Tobias
Hi guys,
We need to implement password expiration because of some policy. The
problem is users are not able to bind to ldap anymore, after I switch on
password expiration for our ou=People subtree. The ldap command line
tools and 389-console both just hang forever when trying to connect.
This happens even when the user changes the password right before
switching on the password expiration so the password cannot be expired
yet. When I use the wrong password, then I get "ldap_bind: Invalid
credentials (49)", but when I use the correct password, then it's just a
hang. If I switch off password expiration then everything returns to
normal again. I've followed the guide at
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8....
I've tried both 389ds 1.2.11.32 on CentOS 6 and 389ds 1.3.2.23 on Fedora
20 with the same results.
Is password expiration working in 389ds at all?
Thanks in advance,
Paul Tobias
8 years, 5 months
Please take an action: 389 Directory Server 1.2.11.X Discontinued for EL6
by Noriko Hosoi
389 Directory Server 1.2.11.X Discontinued for EL6
The 389 Directory Server team announces that the binary release of
389-ds-base version 1.2.11 for EL6 via the temporary COPR repository
will be stopped. We encourage you to switch to the official version
included in the Red Hat Enterprise Linux 6 distribution or an
equivalent OS.
How to switch to the official version
Remove the yum repo file which points to the temporary COPR repository
(e.g., nhosoi-389-ds-base-epel6-epel-6.repo) from /etc/yum.repos.d.
If the current 389 Directory Server 1.2.11 has a build number greater
than 15, for instance 1.2.11.32, downgrade it once by "yum downgrade"
as follows.
yum downgrade 389-ds-base 389-ds-base-libs
Then, upgrade to make sure you have the latest version.
yum upgrade 389-ds-base
After the upgrade completes, run setup-ds-admin.pl -u to update your
directory server/admin server/console information.
setup-ds-admin.pl -u
See Install_Guide
<http://www.port389.org/docs/389ds/legacy/install-guide.html> for more
information about the initial installation, setup, and upgrade.
See Source <http://www.port389.org/docs/389ds/development/source.html>
for information about source tarballs and SCM (git) access.
http://www.port389.org/docs/389ds/releases/end-1-2-11.html
8 years, 6 months
cannot modify db-home-directory at runtime
by Alan Willis
I'm trying to set up a server which uses /dev/shm as the db home dir in much
the same way described in this ticket:
https://fedorahosted.org/389/ticket/469
From the description in the ticket, it appears that the entry can be
modified at runtime. However, when I attempt this, I get an error stating
that this value cannot be modified at runtime. The only way I have gotten
this to work is by modifying the dse.ldif directly and adding the attribute.
Can this be made to require a reboot to take effect?
-alan
--
Alan Willis
Systems Administrator | Riot Games
Email: alwillis at riotgames.com
For, to speak out once for all, man only plays when in the full meaning of
the word he is a man, and *he is only completely a man when he plays*. -
J.C. Friedrich von Schiller - Letters upon the Æsthetic Education of Man
8 years, 7 months
389 not authenticating expired passwords
by Enrique J. Terrazas
Hello,
A few weeks ago dirsrv kept stopping, I’d have to go and manually restart the process. I wasn’t able to correctly diagnose the problem and instead opted to update to the latest release of 389-ds. After applying the update dirsrv became stable. However, any users with expired passwords or any new user accounts aren’t able to authenticate. My setup:
Two servers in a multi-master replication environment, both running CentOS 5.10 and:
389-admin-console-1.1.8-1.el5
389-ds-base-libs-1.2.11.32-1.el5
389-ds-1.2.1-1.el5
389-dsgw-1.1.11-1.el5
389-console-1.1.7-3.el5
389-adminutil-1.1.20-1.el5
389-admin-1.1.29-1.el5
389-ds-console-1.2.6-1.el5
389-admin-console-doc-1.1.8-1.el5
389-ds-console-doc-1.2.6-1.el5
389-ds-base-1.2.11.32-1.el5
In addition to the above problem I’m also seeing the following entries in /var/log/dirsrv/slapd-INSTANCE/errors
[28/Oct/2014:17:18:23 -0500] _entry_set_tombstone_rdn - Failed to convert DN cn=cn\3DnsPwTemplateEntry\2Cou\3Dtest_policy\2Cou\3DPeople\2Cdc\3Dece\2Cdc\3Dtamu\2Cdc\3Dedu to RDN
[28/Oct/2014:17:18:23 -0500] id2entry - str2entry returned NULL for id 2445, string="rdn"
[28/Oct/2014:17:18:23 -0500] _entry_set_tombstone_rdn - Failed to convert DN cn=cn\3DnsPwPolicyEntry\2Cou\3Dtest_policy\2Cou\3DPeople\2Cdc\3Dece\2Cdc\3Dtamu\2Cdc\3Dedu to RDN
[28/Oct/2014:17:18:23 -0500] id2entry - str2entry returned NULL for id 2444, string="rdn"
[28/Oct/2014:17:18:23 -0500] _entry_set_tombstone_rdn - Failed to convert DN cn=cn\3DnsPwPolicyEntry\2Ccn\3Dtestpass\2Cou\3Dtest_policy\2Cou\3DPeople\2Cdc\3Dece\2Cdc\3Dtamu\2Cdc\3Dedu to RDN
[28/Oct/2014:17:18:23 -0500] id2entry - str2entry returned NULL for id 2442, string="rdn"
[28/Oct/2014:17:18:23 -0500] _entry_set_tombstone_rdn - Failed to convert DN cn=cn\3DnsPwTemplateEntry\2Cou\3Dtest_policy\2Cou\3DPeople\2Cdc\3Dece\2Cdc\3Dtamu\2Cdc\3Dedu to RDN
[28/Oct/2014:17:18:23 -0500] id2entry - str2entry returned NULL for id 2440, string="rdn"
[28/Oct/2014:17:18:23 -0500] _entry_set_tombstone_rdn - Failed to convert DN cn=cn\3DnsPwPolicyEntry\2Cou\3Dtest_policy\2Cou\3DPeople\2Cdc\3Dece\2Cdc\3Dtamu\2Cdc\3Dedu to RDN
[28/Oct/2014:17:18:23 -0500] id2entry - str2entry returned NULL for id 2439, string="rdn"
[28/Oct/2014:17:18:23 -0500] _entry_set_tombstone_rdn - Failed to convert DN cn=cn\3DnsPwTemplateEntry\2Cou\3Dtest_policy\2Cou\3DPeople\2Cdc\3Dece\2Cdc\3Dtamu\2Cdc\3Dedu to RDN
[28/Oct/2014:17:18:23 -0500] id2entry - str2entry returned NULL for id 2432, string="rdn"
[28/Oct/2014:17:18:23 -0500] _entry_set_tombstone_rdn - Failed to convert DN cn=cn\3DnsPwPolicyEntry\2Cou\3Dtest_policy\2Cou\3DPeople\2Cdc\3Dece\2Cdc\3Dtamu\2Cdc\3Dedu to RDN
[28/Oct/2014:17:18:23 -0500] id2entry - str2entry returned NULL for id 2431, string="rdn"
[28/Oct/2014:17:18:23 -0500] _entry_set_tombstone_rdn - Failed to convert DN cn=cn\3DnsPwPolicyEntry\2Cou\3Dtest_policy\2Cou\3DPeople\2Cdc\3Dece\2Cdc\3Dtamu\2Cdc\3Dedu to RDN
[28/Oct/2014:17:18:23 -0500] id2entry - str2entry returned NULL for id 2429, string="rdn"
[28/Oct/2014:17:18:23 -0500] _entry_set_tombstone_rdn - Failed to convert DN cn=cn\3DnsPwPolicyEntry\2Ccn\3Dtestpass\2Cou\3Dtest_policy\2Cou\3DPeople\2Cdc\3Dece\2Cdc\3Dtamu\2Cdc\3Dedu to RDN
[28/Oct/2014:17:18:23 -0500] id2entry - str2entry returned NULL for id 2426, string="rdn"
[28/Oct/2014:17:18:23 -0500] _entry_set_tombstone_rdn - Failed to convert DN cn=cn\3DnsPwTemplateEntry\2Cou\3Dtest_policy\2Cou\3DPeople\2Cdc\3Dece\2Cdc\3Dtamu\2Cdc\3Dedu to RDN
[28/Oct/2014:17:18:23 -0500] id2entry - str2entry returned NULL for id 2424, string="rdn"
[28/Oct/2014:17:18:23 -0500] _entry_set_tombstone_rdn - Failed to convert DN cn=cn\3DnsPwPolicyEntry\2Cou\3Dtest_policy\2Cou\3DPeople\2Cdc\3Dece\2Cdc\3Dtamu\2Cdc\3Dedu to RDN
[28/Oct/2014:17:18:23 -0500] id2entry - str2entry returned NULL for id 2423, string="rdn"
[28/Oct/2014:17:18:23 -0500] _entry_set_tombstone_rdn - Failed to convert DN cn=/softwares to RDN
[28/Oct/2014:17:18:23 -0500] id2entry - str2entry returned NULL for id 1756, string="rdn"
[28/Oct/2014:17:18:23 -0500] _entry_set_tombstone_rdn - Failed to convert DN cn=/homes to RDN
[28/Oct/2014:17:18:23 -0500] id2entry - str2entry returned NULL for id 1754, string="rdn"
[28/Oct/2014:17:18:23 -0500] _entry_set_tombstone_rdn - Failed to convert DN cn=/softwares to RDN
[28/Oct/2014:17:18:23 -0500] id2entry - str2entry returned NULL for id 1752, string="rdn"
[28/Oct/2014:17:18:23 -0500] _entry_set_tombstone_rdn - Failed to convert DN cn=/homes to RDN
[28/Oct/2014:17:18:23 -0500] id2entry - str2entry returned NULL for id 1751, string="rdn"
[28/Oct/2014:17:18:23 -0500] _entry_set_tombstone_rdn - Failed to convert DN uid=y0m8179 to RDN
[28/Oct/2014:17:18:23 -0500] id2entry - str2entry returned NULL for id 1728, string="rdn"
[28/Oct/2014:17:18:23 -0500] _entry_set_tombstone_rdn - Failed to convert DN uid=s0k4167 to RDN
[28/Oct/2014:17:18:23 -0500] id2entry - str2entry returned NULL for id 1727, string="rdn"
[28/Oct/2014:17:18:23 -0500] _entry_set_tombstone_rdn - Failed to convert DN uid=joj4506 to RDN
[28/Oct/2014:17:18:23 -0500] id2entry - str2entry returned NULL for id 1726, string="rdn"
[28/Oct/2014:17:18:23 -0500] _entry_set_tombstone_rdn - Failed to convert DN uid=dc-449 to RDN
[28/Oct/2014:17:18:23 -0500] id2entry - str2entry returned NULL for id 1725, string="rdn"
[28/Oct/2014:17:18:23 -0500] _entry_set_tombstone_rdn - Failed to convert DN uid=jp-449 to RDN
[28/Oct/2014:17:18:23 -0500] id2entry - str2entry returned NULL for id 1724, string="rdn"
[28/Oct/2014:17:18:23 -0500] _entry_set_tombstone_rdn - Failed to convert DN uid=kp-449 to RDN
[28/Oct/2014:17:18:23 -0500] id2entry - str2entry returned NULL for id 1723, string="rdn"
[28/Oct/2014:17:18:23 -0500] _entry_set_tombstone_rdn - Failed to convert DN uid=cmk-449 to RDN
[28/Oct/2014:17:18:23 -0500] id2entry - str2entry returned NULL for id 1722, string="rdn"
[28/Oct/2014:17:18:23 -0500] _entry_set_tombstone_rdn - Failed to convert DN uid=cm-449 to RDN
[28/Oct/2014:17:18:23 -0500] id2entry - str2entry returned NULL for id 1721, string="rdn"
[28/Oct/2014:17:18:23 -0500] _entry_set_tombstone_rdn - Failed to convert DN uid=nma-449 to RDN
As well as this:
[28/Oct/2014:23:59:01 -0500] - export NetscapeRoot: Processed 186 entries (100%).
[28/Oct/2014:23:59:01 -0500] - All database threads now stopped
[28/Oct/2014:23:59:02 -0500] ldif2dbm - _get_and_add_parent_rdns: Failed to position cursor at ID 17
[28/Oct/2014:23:59:02 -0500] - ldbm2ldif: Skip ID 17
[28/Oct/2014:23:59:02 -0500] ldif2dbm - _get_and_add_parent_rdns: Failed to position cursor at ID 17
[28/Oct/2014:23:59:02 -0500] - ldbm2ldif: Skip ID 17
[28/Oct/2014:23:59:02 -0500] ldif2dbm - _get_and_add_parent_rdns: Failed to position cursor at ID 17
[28/Oct/2014:23:59:02 -0500] - ldbm2ldif: Skip ID 17
[28/Oct/2014:23:59:02 -0500] ldif2dbm - _get_and_add_parent_rdns: Failed to position cursor at ID 17
[28/Oct/2014:23:59:02 -0500] - ldbm2ldif: Skip ID 17
[28/Oct/2014:23:59:02 -0500] ldif2dbm - _get_and_add_parent_rdns: Failed to position cursor at ID 17
[28/Oct/2014:23:59:02 -0500] - ldbm2ldif: Skip ID 17
[28/Oct/2014:23:59:02 -0500] ldif2dbm - _get_and_add_parent_rdns: Failed to position cursor at ID 17
[28/Oct/2014:23:59:02 -0500] - ldbm2ldif: Skip ID 17
[28/Oct/2014:23:59:02 -0500] ldif2dbm - _get_and_add_parent_rdns: Failed to position cursor at ID 17
[28/Oct/2014:23:59:02 -0500] - ldbm2ldif: Skip ID 17
[28/Oct/2014:23:59:02 -0500] ldif2dbm - _get_and_add_parent_rdns: Failed to position cursor at ID 17
[28/Oct/2014:23:59:02 -0500] - ldbm2ldif: Skip ID 17
[28/Oct/2014:23:59:02 -0500] ldif2dbm - _get_and_add_parent_rdns: Failed to position cursor at ID 17
[28/Oct/2014:23:59:02 -0500] - ldbm2ldif: Skip ID 17
[28/Oct/2014:23:59:02 -0500] ldif2dbm - _get_and_add_parent_rdns: Failed to position cursor at ID 17
[28/Oct/2014:23:59:02 -0500] - ldbm2ldif: Skip ID 17
[28/Oct/2014:23:59:02 -0500] ldif2dbm - _get_and_add_parent_rdns: Failed to position cursor at ID 17
[28/Oct/2014:23:59:02 -0500] - ldbm2ldif: Skip ID 17
[28/Oct/2014:23:59:02 -0500] ldif2dbm - _get_and_add_parent_rdns: Failed to position cursor at ID 17
[28/Oct/2014:23:59:02 -0500] - ldbm2ldif: Skip ID 17
[28/Oct/2014:23:59:02 -0500] ldif2dbm - _get_and_add_parent_rdns: Failed to position cursor at ID 17
[28/Oct/2014:23:59:02 -0500] - ldbm2ldif: Skip ID 17
[28/Oct/2014:23:59:02 -0500] ldif2dbm - _get_and_add_parent_rdns: Failed to position cursor at ID 17
[28/Oct/2014:23:59:02 -0500] - ldbm2ldif: Skip ID 17
[28/Oct/2014:23:59:02 -0500] ldif2dbm - _get_and_add_parent_rdns: Failed to position cursor at ID 17
[28/Oct/2014:23:59:02 -0500] - ldbm2ldif: Skip ID 17
[28/Oct/2014:23:59:02 -0500] ldif2dbm - _get_and_add_parent_rdns: Failed to position cursor at ID 17
[28/Oct/2014:23:59:02 -0500] - ldbm2ldif: Skip ID 17
[28/Oct/2014:23:59:02 -0500] ldif2dbm - _get_and_add_parent_rdns: Failed to position cursor at ID 17
[28/Oct/2014:23:59:02 -0500] - ldbm2ldif: Skip ID 17
[28/Oct/2014:23:59:02 -0500] ldif2dbm - _get_and_add_parent_rdns: Failed to position cursor at ID 17
[28/Oct/2014:23:59:02 -0500] - ldbm2ldif: Skip ID 17
[28/Oct/2014:23:59:02 -0500] ldif2dbm - _get_and_add_parent_rdns: Failed to position cursor at ID 17
[28/Oct/2014:23:59:02 -0500] - ldbm2ldif: Skip ID 17
[28/Oct/2014:23:59:02 -0500] ldif2dbm - _get_and_add_parent_rdns: Failed to position cursor at ID 17
[28/Oct/2014:23:59:02 -0500] - ldbm2ldif: Skip ID 17
[28/Oct/2014:23:59:02 -0500] ldif2dbm - _get_and_add_parent_rdns: Failed to position cursor at ID 17
[28/Oct/2014:23:59:02 -0500] - ldbm2ldif: Skip ID 17
[28/Oct/2014:23:59:02 -0500] ldif2dbm - _get_and_add_parent_rdns: Failed to position cursor at ID 17
[28/Oct/2014:23:59:02 -0500] - ldbm2ldif: Skip ID 17
[28/Oct/2014:23:59:02 -0500] ldif2dbm - _get_and_add_parent_rdns: Failed to position cursor at ID 17
[28/Oct/2014:23:59:02 -0500] - ldbm2ldif: Skip ID 17
[28/Oct/2014:23:59:02 -0500] ldif2dbm - _get_and_add_parent_rdns: Failed to position cursor at ID 17
[28/Oct/2014:23:59:02 -0500] - ldbm2ldif: Skip ID 17
[28/Oct/2014:23:59:02 -0500] ldif2dbm - _get_and_add_parent_rdns: Failed to position cursor at ID 17
[28/Oct/2014:23:59:02 -0500] - ldbm2ldif: Skip ID 17
[28/Oct/2014:23:59:02 -0500] ldif2dbm - _get_and_add_parent_rdns: Failed to position cursor at ID 17
[28/Oct/2014:23:59:02 -0500] - ldbm2ldif: Skip ID 17
[28/Oct/2014:23:59:02 -0500] ldif2dbm - _get_and_add_parent_rdns: Failed to position cursor at ID 17
[28/Oct/2014:23:59:02 -0500] - ldbm2ldif: Skip ID 17
[28/Oct/2014:23:59:02 -0500] ldif2dbm - _get_and_add_parent_rdns: Failed to position cursor at ID 17
[28/Oct/2014:23:59:02 -0500] - ldbm2ldif: Skip ID 17
It appears that I may have some database corruption though. Any help is greatly appreciated.
Best regards,
Enrique J. Terrazas
8 years, 7 months
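The DNs in Enrique's `_entry_set_tombstone_rdn` lines are hard to read because the RDN value is itself an escaped DN (`\3D` is `=`, `\2C` is `,`). The following Python is an added example, not code from this thread or from 389 DS: it parses errors-log lines of the shapes quoted above, decodes the RFC 4514 hex escapes so the inner DN is legible, pairs each failure with the `id2entry` line that follows it, and collects the IDs that `ldbm2ldif` skipped. The sample log is a constructed excerpt built from lines in the post; the pairing of a tombstone failure with the next `str2entry` line is an assumption stated in the code.

```python
import re

# Constructed sample: an excerpt of the kind quoted in the thread (escaped DNs,
# ids and timestamps are the thread's own; this is not a complete errors log).
SAMPLE_ERRORS_LOG = r"""
[28/Oct/2014:17:18:23 -0500] _entry_set_tombstone_rdn - Failed to convert DN cn=cn\3DnsPwTemplateEntry\2Cou\3Dtest_policy\2Cou\3DPeople\2Cdc\3Dece\2Cdc\3Dtamu\2Cdc\3Dedu to RDN
[28/Oct/2014:17:18:23 -0500] id2entry - str2entry returned NULL for id 2445, string="rdn"
[28/Oct/2014:17:18:23 -0500] _entry_set_tombstone_rdn - Failed to convert DN cn=/softwares to RDN
[28/Oct/2014:17:18:23 -0500] id2entry - str2entry returned NULL for id 1756, string="rdn"
[28/Oct/2014:17:18:23 -0500] _entry_set_tombstone_rdn - Failed to convert DN uid=y0m8179 to RDN
[28/Oct/2014:17:18:23 -0500] id2entry - str2entry returned NULL for id 1728, string="rdn"
[28/Oct/2014:23:59:01 -0500] - export NetscapeRoot: Processed 186 entries (100%).
[28/Oct/2014:23:59:02 -0500] ldif2dbm - _get_and_add_parent_rdns: Failed to position cursor at ID 17
[28/Oct/2014:23:59:02 -0500] - ldbm2ldif: Skip ID 17
[28/Oct/2014:23:59:02 -0500] ldif2dbm - _get_and_add_parent_rdns: Failed to position cursor at ID 17
[28/Oct/2014:23:59:02 -0500] - ldbm2ldif: Skip ID 17
[28/Oct/2014:17:18:23 -0500] _entry_set_tombstone_rdn - Failed to convert DN uid=nma-449 to RDN
""".strip().splitlines()

# "[ts] function - message" or "[ts] - message" (no function name).
ERR_LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?:(?P<func>\w+) - |- )(?P<msg>.*)$")
TOMBSTONE_RE = re.compile(r"Failed to convert DN (?P<dn>.+) to RDN$")
STR2ENTRY_RE = re.compile(r"str2entry returned NULL for id (?P<id>\d+)")
SKIP_RE = re.compile(r"ldbm2ldif: Skip ID (?P<id>\d+)")
HEX_ESCAPE_RE = re.compile(rb"\\([0-9A-Fa-f]{2})")


def unescape_dn(dn):
    r"""Decode one level of RFC 4514 hex escapes (\3D -> '=', \2C -> ',').

    Escapes are UTF-8 bytes, so substitute on bytes and decode afterwards.
    """
    raw = HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), dn.encode("utf-8"))
    return raw.decode("utf-8")


def classify_dn(dn):
    """Heuristic triage label for why a DN may have failed RDN conversion."""
    attr, sep, value = unescape_dn(dn).partition("=")
    if not sep:
        return "no-attribute-type"
    if "=" in value:
        return "escaped-dn-as-rdn-value"   # e.g. cn=cn=nsPwPolicyEntry,ou=...
    if value.startswith("/"):
        return "slash-value"               # e.g. cn=/homes
    return "plain"


def triage_errors_log(lines):
    """Pair tombstone-RDN failures with the id2entry line that follows each one.

    Assumption: the 'str2entry returned NULL for id N' line that immediately
    follows a 'Failed to convert DN ...' line refers to the same entry.
    """
    failures, skipped_ids, pending = [], set(), None
    for line in lines:
        m = ERR_LINE_RE.match(line.strip())
        if not m:
            continue
        msg = m.group("msg")
        t = TOMBSTONE_RE.search(msg)
        if t:
            pending = {"ts": m.group("ts"), "dn": t.group("dn"),
                       "decoded_dn": unescape_dn(t.group("dn")),
                       "kind": classify_dn(t.group("dn")), "id": None}
            failures.append(pending)
            continue
        s = STR2ENTRY_RE.search(msg)
        if s and pending is not None:
            pending["id"] = int(s.group("id"))
            pending = None
            continue
        k = SKIP_RE.search(msg)
        if k:
            skipped_ids.add(int(k.group("id")))
    return {"failures": failures, "skipped_ids": sorted(skipped_ids)}


def summarize(report):
    """Count failures per kind so the unusual ones stand out from the bulk."""
    counts = {}
    for f in report["failures"]:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    report = triage_errors_log(SAMPLE_ERRORS_LOG)
    for f in report["failures"]:
        print(f["id"], f["kind"], f["decoded_dn"])
    print("skipped ids:", report["skipped_ids"], "summary:", summarize(report))
```

Run over the full errors file, the decoded DNs and the per-ID list give you something concrete to take to `dbscan` or to compare against an export, instead of reading escaped strings by eye.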
restore into a new ds instance issues
by ghiureai
Hello List,
I have created a new DS instance and used the restore ldif2db command to
populate the new instance. The existing instance has txlogs configured in a
separate directory (I copied the 99user.ldif file and made changes to
db.ldif in the new instance), but I can't bring the new instance online.
I removed the existing log files and restored the path for txlogs to the
default location, and I copied id2entry.db4, but still have issues:
Detected Disorderly Shutdown last time Directory Server was running, recovering database.
[28/Oct/2014:13:04:08 -0700] - libdb: file NetscapeRoot/id2entry.db4 has LSN 1/1593380, past end of log at 1/1828
[28/Oct/2014:13:04:08 -0700] - libdb: Commonly caused by moving a database from one database environment
[28/Oct/2014:13:04:08 -0700] - libdb: to another without clearing the database LSNs, or by removing all of
[28/Oct/2014:13:04:08 -0700] - libdb: the log files from a database environment
[28/Oct/2014:13:04:08 -0700] - libdb: /var/lib/dirsrv/slapd-devldap/db/NetscapeRoot/id2entry.db4: unexpected file type or format
[28/Oct/2014:13:04:08 -0700] - dbp->open("NetscapeRoot/id2entry.db4") failed: Invalid argument (22)
[28/Oct/2014:13:04:08 -0700] - dblayer_instance_start fail: Invalid argument (22)
[28/Oct/2014:13:04:08 -0700] - start: Failed to start databases, err=22 Invalid argument
[28/Oct/2014:13:04:08 -0700] - Failed to start database plugin ldbm database
[28/Oct/2014:13:04:08 -0700] - WARNING: ldbm instance userRoot already exists
8 years, 7 months
Re: [389-users] SSL connection with 'startTLS' problem [solved]
by Karel Lang AFD
Hi list,
problem is solved.
1.
I had to create a real user with a password to search through the LDAP, because I
tried to use the machine printer account at first, but the LDAP server won't allow a
user without a password to do bind ops.
more info
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8....
2.
I had to specify the username with the full DN path on the printer (not just
'username', e.g. 'smith' alone).
After specifying uid=smith,ou=users,dc=example,dc=com in the LDAP
printer settings, the printer finally started getting users authorized against 389ds.
3.
The 'startTLS' inside SSL is probably a minor problem, because 389ds
can handle it (discard it) and then continue with regular user/pw
authentication.
Very useful were:
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8....
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8....
to debug the 389ds log messages.
cheers,
On 10/25/2014 02:00 PM, 389-users-request(a)lists.fedoraproject.org wrote:
> Message: 1
> Date: Sat, 25 Oct 2014 00:20:59 +0200
> From: Karel Lang AFD <lang(a)afd.cz>
> To: 389-users(a)lists.fedoraproject.org
> Subject: [389-users] SSL connection with 'startTLS' problem
> Message-ID: <544AD0CB.2080201(a)afd.cz>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Hi guys,
> please, could anyone help me decode an error in the access log?
>
> Problem descr.:
> I need to make a Ricoh C3001 printer authenticate against 389 DS.
>
> The printer stubbornly tries to start TLS inside an SSL connection (if I
> read the log file correctly?) and the authentication fails, because 389
> doesn't know what to make of it (I think); see:
>
> The server uses ldaps:// method of connection on 636 port (with
> selfsigned certificates).
>
> [20/Oct/2014:18:31:50 +0200] conn=38 fd=70 slot=70 SSL connection from
> 192.168.2.139 to 192.168.2.245
> [20/Oct/2014:18:31:50 +0200] conn=38 SSL 256-bit AES
> [20/Oct/2014:18:31:50 +0200] conn=38 op=0 EXT
> oid="1.3.6.1.4.1.1466.20037" name="startTLS"
> [20/Oct/2014:18:31:50 +0200] conn=38 op=0 RESULT err=1 tag=120
> nentries=0 etime=0
> [20/Oct/2014:18:31:50 +0200] conn=38 op=1 BIND dn="RICOH2-SB$"
> method=128 version=3
> [20/Oct/2014:18:31:50 +0200] conn=38 op=1 RESULT err=53 tag=97
> nentries=0 etime=0
> [20/Oct/2014:18:31:51 +0200] conn=38 op=2 UNBIND
> [20/Oct/2014:18:31:51 +0200] conn=38 op=2 fd=70 closed - U1
>
> The 'err=53' means "server is unwilling to perform" and I see the same
> message in the printer logs.
>
> Also, you can see the printer starts an 'extended operation':
> EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
> which I think it should not? (because it is already an SSL conn from the start?)
>
> different encryption (same result):
> [root@srv-022 slapd-srv-022]# cat access | grep conn=48
> [20/Oct/2014:18:35:56 +0200] conn=48 fd=68 slot=68 SSL connection from
> 192.168.2.139 to 192.168.2.245
> [20/Oct/2014:18:35:57 +0200] conn=48 SSL 128-bit RC4
> [20/Oct/2014:18:35:57 +0200] conn=48 op=0 EXT
> oid="1.3.6.1.4.1.1466.20037" name="startTLS"
> [20/Oct/2014:18:35:57 +0200] conn=48 op=0 RESULT err=1 tag=120
> nentries=0 etime=1
> [20/Oct/2014:18:35:57 +0200] conn=48 op=1 BIND dn="RICOH2-SB$"
> method=128 version=3
> [20/Oct/2014:18:35:57 +0200] conn=48 op=1 RESULT err=53 tag=97
> nentries=0 etime=0
> [20/Oct/2014:18:35:57 +0200] conn=48 op=2 UNBIND
> [20/Oct/2014:18:35:57 +0200] conn=48 op=2 fd=68 closed - U1
>
>
> Please note the different encryption I tried to use - e.g. 128-bit
> RC4 and 256-bit AES etc., but all produce the same result.
>
>
> The printer has a choice for the use of SSL:
> ssl 2.0 (set to 'yes')
> ssl 3.0 (set to 'yes')
> tls (I set this option to "NO" - but it made no difference and the result is
> still the same)
>
> Also, the printer has only 2 options:
> 1.
> use SSL/TLS - if I check this, port 636 is automatically used
>
> 2.
> don't use SSL/TLS - if I check this option, port 389 is used
>
> Not much else to pick on (ofc there are other LDAP things to fill in like
> hostname etc.)
>
> I think this looks like a client problem? Or do you think I can try to
> tune up something on the server side? - has anybody experienced similar
> troubles?
>
>
--
*Karel Lang*
*Unix/Linux Administration*
lang(a)afd.cz | +420 731 13 40 40
AUFEER DESIGN, s.r.o. | www.aufeerdesign.cz
8 years, 7 months
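Karel worked out both problems by reading the access log by hand: a `startTLS` extended operation on a connection that was already SSL (answered with `err=1`), and a bind whose name `RICOH2-SB$` is not a DN (answered with `err=53`). The following Python is an added example, not code from this thread or from 389 DS: it groups access-log lines by `conn=` number and flags exactly those two client-side mistakes, so the same diagnosis can be run over a whole log. The `conn=38` lines are the ones quoted above with their wrapped lines rejoined; `conn=39` is a constructed clean bind using the DN form Karel ended up with, so the audit has a negative case.

```python
import re
from collections import defaultdict

# Constructed sample: conn=38 is the exchange quoted in the thread; conn=39 is a
# made-up successful bind so the audit has a connection with nothing to report.
SAMPLE_ACCESS_LOG = """
[20/Oct/2014:18:31:50 +0200] conn=38 fd=70 slot=70 SSL connection from 192.168.2.139 to 192.168.2.245
[20/Oct/2014:18:31:50 +0200] conn=38 SSL 256-bit AES
[20/Oct/2014:18:31:50 +0200] conn=38 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[20/Oct/2014:18:31:50 +0200] conn=38 op=0 RESULT err=1 tag=120 nentries=0 etime=0
[20/Oct/2014:18:31:50 +0200] conn=38 op=1 BIND dn="RICOH2-SB$" method=128 version=3
[20/Oct/2014:18:31:50 +0200] conn=38 op=1 RESULT err=53 tag=97 nentries=0 etime=0
[20/Oct/2014:18:31:51 +0200] conn=38 op=2 UNBIND
[20/Oct/2014:18:31:51 +0200] conn=38 op=2 fd=70 closed - U1
[20/Oct/2014:18:40:00 +0200] conn=39 fd=71 slot=71 SSL connection from 192.168.2.139 to 192.168.2.245
[20/Oct/2014:18:40:00 +0200] conn=39 SSL 256-bit AES
[20/Oct/2014:18:40:00 +0200] conn=39 op=0 BIND dn="uid=smith,ou=users,dc=example,dc=com" method=128 version=3
[20/Oct/2014:18:40:00 +0200] conn=39 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[20/Oct/2014:18:40:01 +0200] conn=39 op=1 UNBIND
[20/Oct/2014:18:40:01 +0200] conn=39 op=1 fd=71 closed - U1
""".strip().splitlines()

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>\d+))? (?P<msg>.*)$")
ERR_RE = re.compile(r"\berr=(\d+)")
BIND_DN_RE = re.compile(r'dn="([^"]*)"')
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"

# LDAP result codes that appear in the thread (RFC 4511 names).
RESULT_NAMES = {0: "success", 1: "operationsError", 49: "invalidCredentials", 53: "unwillingToPerform"}


def parse_access_log(lines):
    """Group access-log lines by connection number, keeping op number and message."""
    conns = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        op = m.group("op")
        conns[int(m.group("conn"))].append(
            {"ts": m.group("ts"), "op": int(op) if op is not None else None, "msg": m.group("msg")})
    return dict(conns)


def audit_connection(events):
    """Flag the two client-side mistakes visible in the thread's log excerpt.

    Returns (finding, op, err, result_name) tuples; an empty list means nothing
    in this connection looked wrong.
    """
    is_ssl = any(e["op"] is None and "SSL connection from" in e["msg"] for e in events)
    requests, results = {}, {}
    for e in events:
        if e["op"] is None:
            continue
        if e["msg"].startswith("RESULT"):
            results[e["op"]] = e["msg"]
        else:
            requests.setdefault(e["op"], e["msg"])  # keep the request, not the later 'closed' line
    findings = []
    for op in sorted(requests):
        req = requests[op]
        err_m = ERR_RE.search(results.get(op, ""))
        err = int(err_m.group(1)) if err_m else None
        if req.startswith("EXT") and STARTTLS_OID in req and is_ssl:
            findings.append(("startTLS requested on a connection that is already SSL",
                             op, err, RESULT_NAMES.get(err)))
        elif req.startswith("BIND"):
            dn_m = BIND_DN_RE.search(req)
            dn = dn_m.group(1) if dn_m else ""
            if dn and "=" not in dn:
                findings.append(("bind name is not a distinguished name", op, err, RESULT_NAMES.get(err)))
            elif err not in (None, 0):
                findings.append(("bind failed", op, err, RESULT_NAMES.get(err)))
    return findings


def audit_log(lines):
    """Run the audit over a whole log; only connections with findings are listed."""
    report = {}
    for conn, events in parse_access_log(lines).items():
        findings = audit_connection(events)
        if findings:
            report[conn] = findings
    return report


if __name__ == "__main__":
    for conn, findings in audit_log(SAMPLE_ACCESS_LOG).items():
        for finding in findings:
            print(f"conn={conn}", *finding)
```

The `dn` check is deliberately crude (a bind name with no `=` cannot be a DN); it is enough to separate a misconfigured client from a wrong-password case, which shows up as `err=49` and is left to the generic "bind failed" branch.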