September 2014 - 389-users - Fedora Mailing-Lists

by Pierre ROUDIER

Hi all, RedHat DS's doc states that the nsAccountLock attribute is multi-valued [1]. Some tests with 389ds led me to think it's also true for 389ds. I cannot think of any reason explaining why it would have to be multi-valued. Do you have any idea? Thank you. [1] https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Serv...

4 years, 10 months

3
2
0 / 0

changelog

by Denise Cosso

Hi, How to modify the attribute nsslapd-encryptionalgorithm in Centos? Thanks, Denise Stop Master servers and set nsslapd-encryptionalgorithm. The allowed value is AES or 3DES. dn: cn=changelog5,cn=config [...] nsslapd-encryptionalgorithm: AES --- Em ter, 4/6/13, Rich Megginson <rmeggins(a)redhat.com> escreveu: De: Rich Megginson <rmeggins(a)redhat.com> Assunto: Re: [389-users] changelog Para: "Denise Cosso" <guanaes51(a)yahoo.com.br> Data: Terça-feira, 4 de Junho de 2013, 16:34 On 06/04/2013 01:26 PM, Denise Cosso wrote: Hi, Rich CentOS release 6.3 (Final) 389-ds-base-libs-1.2.10.2-20.el6_3.x86_64 389-ds-1.2.2-1.el6.noarch 389-dsgw-1.1.10-1.el6.x86_64 389-ds-console-1.2.6-1.el6.noarch 389-ds-console-doc-1.2.6-1.el6.noarch 389-ds-base-1.2.10.2-20.el6_3.x86_64 As far as replication goes - you will need to use a security layer (SSL, TLS, or GSSAPI) to protect the clear text password on the wire As far as encrypting it in the changelog - not sure Denise --- Em ter, 4/6/13, Rich Megginson <rmeggins(a)redhat.com> escreveu: De: Rich Megginson <rmeggins(a)redhat.com> Assunto: Re: [389-users] changelog Para: "General discussion list for the 389 Directory server project." <389-users(a)lists.fedoraproject.org> Cc: "Denise Cosso" <guanaes51(a)yahoo.com.br> Data: Terça-feira, 4 de Junho de 2013, 16:11 On 06/04/2013 12:39 PM, Denise Cosso wrote: Hi, Description of problem: When a userPassword is changed in a server with changelog, the hashed password is logged and also a cleartext pseudo-attribute version. It looks like this: change:: replace: userPassword userPassword: {SHA256}vqtiN2LHdrEUOJUKu+IBVqAVFsAlvFw+11kD/Q== - replace: unhashed#user#password unhashed#user#password: secret12 This unhashed version is used in winsync where the cleartext version of the password must be written to the AD. Now if the DS is involved in replication with another DS, the change will be replayed exactly as it is logged to the other DS replicas, including the cleartext pseudo-attribute password. What platform? What version of 389-ds-base are you using? thanks, Denise -- 389 users mailing list 389-users(a)lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users

5 years, 1 month

2
2
0 / 0

389 GUI/Console

by Gonzalo Fernandez Ordas

Hi I got 389 running on a remote linux box,and I would like to get use of the Console without the need of exporting the X-Windows whenever I want to make a change as I also would prefer not to keep tweaking the configuration files all the time. is there anyway of doing this through any remote client? Any advise on this matter? Thanks very much

5 years, 2 months

4
11
0 / 0

How to get password expiration working?

by Paul Tobias

Hi guys, We need to implement password expiration because of some policy. The problem is users are not able to bind to ldap anymore, after I switch on password expiration for our ou=People subtree . The ldap command line tools and 389-console both just hang forever when trying to connect. This happens even when the user changes the password right before switching on the password expiration so the password cannot be expired yet. When I use the wrong password, then I get "ldap_bind: Invalid credentials (49)", but when I use the correct password, then it's just a hang. If I switch off password expiration then everything returns to normal again. I've followed the guide at https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.... I've tried both 389ds 1.2.11.32 on CentOS 6 and 389ds 1.3.2.23 on Fedora 20 with the same results. Is password expiration working in 389ds at all? Thanks in advance, Paul Tobias

5 years, 5 months

2
2
0 / 0

SASL configuration

by Dhiraj Deshpande

Hi folks, Need to configure sasl mecanism so that i can use DIGEST-MD5 mechanism with my autofs configuration. With PLAIN it is working fine but need to use DIGEST-MD5. Where i can specify. [root@ibm001 ~]# cat /etc/autofs_ldap_auth.conf <?xml version="1.0" ?>  <autofs_ldap_sasl_conf usetls="no" tlsrequired="no" authrequired="yes" authtype="DIGEST-MD5" user="proxyuser" secret="XXX" /> -- Thanks & Regards Dhiraj S. Deshpande

5 years, 7 months

1
1
0 / 0

stable packages for Centos 7

by Angel Bosch

hi, I'm planing to migrate some of my servers to 1.3 branch and I don't know what packages to use. I've found packages from mreynolds: http://copr.fedoraproject.org/coprs/mreynolds/389-ds-base/ and dfas: http://copr.fedoraproject.org/coprs/dfas/389-ds-dfas/ first one seems to be a nightly and I would like to mantain an stable install. should I use dfas? by the way, is the policy-packages situation going to be solved anytime? I found very confusing having to deal with several repos to get a full installation of 389 DS, and I though this spliting thing was temporary just for EL6. thanks for your time, abosch --

5 years, 7 months

2
2
0 / 0

389 Master - Master Replication

by Santos Ramirez

Good Morning, We have a master - master replication agreement. When we initialize the replication it works perfectly we can see changes to a test user we have set up go up and down from the two servers. However at some point the replication stops and we cannot get replication to start once again. The only way we can get replication to start once again is to recreate the replication agreement and then it fails again. Can anyone please point us in a direction. I am relatively new to 389 so any help would be greatly appreciated. Santos U. Ramirez Linux Systems Administrator National DCP, LLC 150 Depot Street Bellingham, Ma. 02019 Phone: 508-422-3089 Fax: 508-422-3866 Santos.Ramirez(a)natdcp.com<mailto:Santos.Ramirez@natdcp.com> This email and any attachments are intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail, do not copy or forward to any unauthorized persons, permanently delete the original and notify the sender by replying to this email.

5 years, 7 months

3
9
0 / 0

Proper handling of "No original_tombstone for changenumber" errors

by Anthony Joseph Messina

Using two fully updated FreeIPA F20 masters with freeipa- server-3.3.5-1.fc20.x86_64 and 389-ds-base-1.3.2.23-1.fc20.x86_64, I've noticed that I'm getting a lot of the following errors in the 389 DS error log, especially at server startup. "No original_tombstone for changenumber=511851,cn=changelog!!" Most often, the same changenumber repeats over and over, but there are some other changenumbers listed as well. The changenumbers are different on each master. My concern is I'm preparing my thought process about the upcoming upgrade from F20 to F21 and it looks like I may need to create a new FreeIPA master and "migrate" the Dogtag stuff, etc. rather than a simple "yum upgrade" on each master. Yuck! What is the proper way to correct for these apparent errors and get these masters working with each other in a clean manner? Thanks. -A -- Anthony - https://messinet.com/ - https://messinet.com/~amessina/gallery 8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E

5 years, 8 months

2
5
0 / 0

register-ds-admin against external LDAP urls

by Alan Willis

The documentation for register-ds-admin.pl says the following: "The register-ds-admin.pl script does not support external LDAP URLs, so the Directory Server instance must be registered against a local Admin Server." Would there be any issues in creating the ldap entries that this script creates in a remote configuration directory instead of a local one? -alan -- [image: fist]Alan Willis Systems Administrator | Riot Games Email: alwillis at riotgames.com For, to speak out once for all, man only plays when in the full meaning of the word he is a man, and *he is only completely a man when he plays*. - J.C. Friedrich von Schiller - Letters upon the Æsthetic Education of Man

5 years, 8 months

3
2
0 / 0

Point-in-time Recovery

by MND EXA

Hi Experts, We are using 389 DS as authentication source for a web portal. Their is about 45 millions entries. The user data is distributed accros the Directory Server (just cn, sn and password are valued) and an Oracle Database (All identification and business related data). The challenge here is to keep consistent accros those two systems (a user having an entry in the database should have one in the Directory Server). This especially requires being able to perform a point-in-time restore of the Directory Server (No problem with the Oracle Database, we able to do that). Our environment is made of two Directory Servers in a multi-master replication. I came up with waht I think can be a solution but something is telling me their should be a better way to do that. So here am to ask for advices from yours experts : Here what I think be a solution but not confident about that: -The backup files and changelog db are store in a share storage monted on the Directory Server -Every week, take a (full) backup of the server (using db2bak) -Whenever their is a issues: -Disable replication -Make a point-in-time recovery of my database -Create a script that dump the changelog db to an ldif file (using dbscan) -Parse the ldif to obtain a compliant ldif file -Truncate the ldif file to juste keep the changes to be restored -Restore the two Directory Server using their corresponding (full) backups (the weekly ones) -Active replication -Replay the ldif computed from the changelog db using ldapmodify This seems daunting, cumbersome... So any advices ? Thank you in advance for your responses. Kind Regards,

5 years, 8 months

2
3
0 / 0

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

389-users September 2014