Problem browsing LDAP with Outlook
by Chris Bryant
When configuring Microsoft Outlook (not Outlook Express) to access an LDAP directory, there is an option to 'Enable Browsing (requires server support)'. If this option is chosen and the directory server supports it, then you should be able to open the LDAP address book and page up and down through the results. I have been unable to get this working properly with 389 DS.
When I try to browse from Outlook against the 389 DS directory, I am able to see the first page of results perfectly. However, if I move to the next page, only the first object returned will have any attributes included, and all of the rest of the objects in the page will have no attributes. I have a test perl script that duplicates this functionality as well.
I can get this to work properly with an older version of Netscape Directory Server, and I can get it working with OpenDS. Since 389 DS advertises support for the controls that are required for this to work, just like the other two servers, then I would expect it to work there also.
Has anyone out there gotten this to work with 389 DS? If so, can you share if there was anything special that you needed to do to get this to work? I'm trying to determine if this is a bug in the server, or if I'm just missing something in the configuration.
Thanks,
Chris
3 years
changelog
by Denise Cosso
Hi,
How to modify the attribute nsslapd-encryptionalgorithm in CentOS?
Thanks,
Denise
Stop Master servers and set nsslapd-encryptionalgorithm. The allowed value is AES or 3DES.
dn: cn=changelog5,cn=config
[...]
nsslapd-encryptionalgorithm: AES
--- On Tue, 4/6/13, Rich Megginson <rmeggins(a)redhat.com> wrote:
From: Rich Megginson <rmeggins(a)redhat.com>
Subject: Re: [389-users] changelog
To: "Denise Cosso" <guanaes51(a)yahoo.com.br>
Date: Tuesday, June 4, 2013, 16:34
On 06/04/2013 01:26 PM, Denise Cosso wrote:
Hi, Rich
CentOS release 6.3 (Final)
389-ds-base-libs-1.2.10.2-20.el6_3.x86_64
389-ds-1.2.2-1.el6.noarch
389-dsgw-1.1.10-1.el6.x86_64
389-ds-console-1.2.6-1.el6.noarch
389-ds-console-doc-1.2.6-1.el6.noarch
389-ds-base-1.2.10.2-20.el6_3.x86_64
As far as replication goes - you will need to use a security layer
(SSL, TLS, or GSSAPI) to protect the clear text password on the wire
As far as encrypting it in the changelog - not sure
Denise
--- On Tue, 4/6/13, Rich Megginson <rmeggins(a)redhat.com> wrote:
From: Rich Megginson <rmeggins(a)redhat.com>
Subject: Re: [389-users] changelog
To: "General discussion list for the 389 Directory server project." <389-users(a)lists.fedoraproject.org>
Cc: "Denise Cosso" <guanaes51(a)yahoo.com.br>
Date: Tuesday, June 4, 2013, 16:11
On 06/04/2013 12:39 PM, Denise Cosso wrote:
Hi,
Description of problem:
When a userPassword is changed in a server with changelog, the hashed password
is logged and also a cleartext pseudo-attribute version. It looks like this:
change::
replace: userPassword
userPassword: {SHA256}vqtiN2LHdrEUOJUKu+IBVqAVFsAlvFw+11kD/Q==
-
replace: unhashed#user#password
unhashed#user#password: secret12
This unhashed version is used in winsync where the cleartext version of the
password must be written to the AD.
Now if the DS is involved in replication with another DS, the change will be
replayed exactly as it is logged to the other DS replicas, including the
cleartext pseudo-attribute password.
What platform? What version of 389-ds-base are you using?
thanks,
Denise
8 years, 5 months
389 GUI/Console
by Gonzalo Fernandez Ordas
Hi
I got 389 running on a remote Linux box, and I would like to make use of
the Console without the need of exporting the X-Windows whenever I want
to make a change, as I also would prefer not to keep tweaking the
configuration files all the time.
Is there any way of doing this through any remote client?
Any advice on this matter?
Thanks very much
8 years, 6 months
389 Master - Master Replication
by Santos Ramirez
Good Morning,
We have a master - master replication agreement. When we initialize the replication it works perfectly; we can see changes to a test user we have set up go up and down from the two servers. However, at some point the replication stops and we cannot get replication to start once again. The only way we can get replication to start once again is to recreate the replication agreement, and then it fails again. Can anyone please point us in a direction? I am relatively new to 389, so any help would be greatly appreciated.
Santos U. Ramirez
8 years, 11 months
Re: [389-users] 389-users Digest, Vol 110, Issue 27
by Alan Willis
Using the --silent and --file options with register-ds-admin.pl still
presents a prompt for many of the same configuration items included in the
supplied inf file, including ConfigDirectory entries and SuiteSpot user and
group ids. My inf file contains General, admin, and slapd sections, and is
the same one that I use with setup-ds and setup-ds-admin scripts, which are
successful with --silent and --file options. I can supply a sample if that
helps.
thanks!
-alan
On Mon, Jul 28, 2014 at 1:00 PM, <389-users-request(a)lists.fedoraproject.org> wrote:
>
> Message: 2
> Date: Sun, 27 Jul 2014 15:35:47 +0000
> From: Jesse Defer <Jesse.Defer(a)asu.edu>
> To: General discussion list for the 389 Directory server project.
> <389-users(a)lists.fedoraproject.org>
> Subject: Re: [389-users] Non-interactive register-ds-admin
> Message-ID: <6959588297350547BDA8F69C35F39F1F24975ADC(a)exmbw02.asurite.ad.asu.edu>
> Content-Type: text/plain; charset="iso-8859-1"
>
> You must supply it with both the --silent and --file options to the script
> for non-interactive operation. For the .inf file format see
> http://directory.fedoraproject.org/wiki/FDS_Setup
>
> Jesse
>
9 years, 1 month
Non-interactive register-ds-admin
by Alan Willis
I'm having a difficult time finding documentation to help me figure out how
to run register-ds-admin silently and noninteractively.
Alternatively, is there any other way to register admin servers with the
configuration directory server? Would setup-ds-admin -u do it?
Can anyone give me some pointers?
Thanks in advance,
-alan
9 years, 2 months
port 389 listener getting hung up on connection locks?
by Thomas Walker
Hi, I've recently been trying to hunt down some odd performance problems with our installation of 389 LDAP (currently 1.3.2.19 but been following recent Debian unstable). We've been seeing long delays (tens of seconds at times) handling even the simplest new bind()s while the server otherwise has idle worker threads (and other non-idle worker threads servicing existing connections).
Upon grabbing some userland thread stacks during these "hangs" when no new external connections could be established, I saw what looked to be the thread associated with slapd_daemon() in ldap/servers/slapd/daemon.c hung up in setup_pr_read_pds() walking the list of active connections acquiring connection locks (c->c_mutex) sequentially in the process. I stuck some calls to clock_gettime() around the PR_Lock(c->c_mutex) call at or about ldap/servers/slapd/daemon.c:1690 and warned when we waited for more than a set duration:
[22/Jul/2014:17:37:05 +0000] - setup_pr_read_pds: (fd=192) waited 995.375473 msecs for lock
[22/Jul/2014:17:37:08 +0000] - setup_pr_read_pds: (fd=202) waited 3003.548263 msecs for lock
[22/Jul/2014:17:37:10 +0000] - setup_pr_read_pds: (fd=181) waited 1997.828897 msecs for lock
<up to 20-30 seconds in some extreme cases>
It looks like this could hang for up to CONN_TURBO_TIMEOUT_INTERVAL (default 1 second) per thread in turbo (up to 50% of worker pool by default). While stuck there, it isn't calling handle_listeners() to pull new connections off of the well known port.
Perhaps handle_listeners() should run off in its own thread, away from this connection maintenance? (or if it must be there, a non-blocking PRP_TryLock() or somesuch?)
TIA
Thomas
9 years, 2 months
Retro changelog plugin and ds 1.2.10.14 - modify type missing in changes attribute
by Justin Kinney
Hello,
I'm currently encountering an issue with the retro changelog plugin and the
changes attribute that it adds to the changelog db.
I have two ldap instances: one working, and one not. In the working
instance, I see the following in the changes attribute of the changelog
entry:
replace: userpassword
userpassword: {crypt}...elided...
-
add: userpassword
userpassword: {crypt}...elided...
-
The same change in the broken ldap instance has the following for the
changes attribute:
userpassword: {crypt}...elided...
-
userpassword: {crypt}...elided...
-
Has anyone seen similar behavior? Any ideas where to look to troubleshoot
further?
The primary difference between the two instances is that I have yet to
configure ldaps on the broken instance, which I'm about to do.
Thanks in advance,
Justin
9 years, 2 months
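The two changelog threads above (the cleartext unhashed#user#password pseudo-attribute that gets replayed to replicas, and the retro changelog "changes" value that lacks its replace:/add: lines) both come down to reading the LDIF modify records stored in a changelog entry. The following is an added example, not code from either poster or from the 389 DS project: a small auditor that flags both conditions without echoing any attribute value. The function names and the sample records are assumptions constructed to match the shapes quoted in the posts.

```python
# Added example: audit a changelog entry's "changes" value (samples are constructed).
MOD_OPS = {"add", "delete", "replace", "increment"}
CLEARTEXT_ATTR = "unhashed#user#password"  # pseudo-attribute named in the thread
SAMPLE_REPLICATED = """change::
replace: userPassword
userPassword: {SHA256}CONSTRUCTED-HASH
-
replace: unhashed#user#password
unhashed#user#password: constructed-cleartext
-
"""
SAMPLE_NO_TYPE = """userpassword: {crypt}CONSTRUCTED
-
userpassword: {crypt}CONSTRUCTED
-
"""

def _parse_block(lines):
    key, _, rest = lines[0].partition(":")
    key = key.strip().lower()
    if key in MOD_OPS:                       # "replace: attr" then the values
        return key, rest.strip().lower(), len(lines) - 1
    return None, key, len(lines)             # no modify type line at all

def parse_changes(text):
    """Return (op, attr, value_count) per modification; op is None if absent."""
    mods, block = [], []
    for raw in text.splitlines() + ["-"]:    # sentinel closes a trailing block
        line = raw.strip()
        if line == "-":
            if block:
                mods.append(_parse_block(block))
            block = []
        elif line and line.rstrip(":").lower() not in ("change", "changes"):
            block.append(line)
    return mods

def audit(text):
    """List (index, attr, finding) tuples; attribute values are never echoed."""
    findings = []
    for i, (op, attr, count) in enumerate(parse_changes(text)):
        if op is None:
            findings.append((i, attr, "missing modify type"))
        if attr == CLEARTEXT_ATTR and count:
            findings.append((i, attr, "cleartext password in changelog"))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_REPLICATED), audit(SAMPLE_NO_TYPE))
```

Feed audit() the decoded "changes" value of each entry from an exported changelog; a non-empty result identifies which modification in the entry needs attention.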