Problem browsing LDAP with Outlook
by Chris Bryant
When configuring Microsoft Outlook (not Outlook Express) to access an LDAP directory, there is an option to 'Enable Browsing (requires server support)'. If this option is chosen and the directory server supports it, then you should be able to open the LDAP address book and page up and down through the results. I have been unable to get this working properly with 389 DS.
When I try to browse from Outlook against the 389 DS directory, I am able to see the first page of results perfectly. However, if I move to the next page, only the first object returned will have any attributes included, and all of the rest of the objects in the page will have no attributes. I have a test perl script that duplicates this functionality as well.
I can get this to work properly with an older version of Netscape Directory Server, and I can get it working with OpenDS. Since 389 DS advertises support for the controls that are required for this to work, just like the other two servers, then I would expect it to work there also.
Has anyone out there gotten this to work with 389 DS? If so, can you share if there was anything special that you needed to do to get this to work? I'm trying to determine if this is a bug in the server, or if I'm just missing something in the configuration.
Thanks,
Chris
USA.NET
3 years, 1 month
nsAccountLock - Server is unwilling to perform
by Mitja Mihelič
Hi!
We are using nsAccountLock=true to lock user accounts. We also
have dovecot authenticating users against the 389DS.
If we set nsAccountLock=true, then we get
Oct 20 14:39:30 SERVER dovecot: auth: Error:
ldap(USERNAME,193.X.Y.Z,<aaaaaaaaaaaaaaaa>): ldap_bind() failed: Server
is unwilling to perform
Oct 20 14:39:31 SERVER dovecot: auth:
ldap(USERNAME,193.X.Y.Z,<aaaaaaaaaaaaaaaa>): Falling back to expired
data from cache
Dovecot thinks the server is not working properly so it reads login info
from its cache and authentication succeeds.
Can I set 389DS to return a different response?
Something that says: "User is locked" or "Authentication failed"...
Kind regards, Mitja
--
Mitja Mihelič
ARNES, Tehnološki park 18, p.p. 7, SI-1001 Ljubljana, Slovenia
tel: +386 1 479 8800, fax: +386 1 479 88 99
7 years, 9 months
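A way to find the behaviour described in this post in existing logs, as an added example that is not part of the original message: the script pairs each bind refused with "Server is unwilling to perform" with a later cache fallback for the same user, address and session. The sample lines, user names and addresses are constructed, and the single-line log format is an assumption based on the wrapped lines quoted above.

```python
import re

# Constructed sample of dovecot auth log lines (unwrapped), modelled on the
# messages quoted in the post; users, addresses and session ids are made up.
SAMPLE_LOG = """\
Oct 20 14:39:30 SERVER dovecot: auth: Error: ldap(alice,192.0.2.10,<s1>): ldap_bind() failed: Server is unwilling to perform
Oct 20 14:39:31 SERVER dovecot: auth: ldap(alice,192.0.2.10,<s1>): Falling back to expired data from cache
Oct 20 14:40:02 SERVER dovecot: auth: Error: ldap(bob,192.0.2.11,<s2>): ldap_bind() failed: Server is unwilling to perform
Oct 20 14:41:10 SERVER dovecot: auth: ldap(carol,192.0.2.12,<s3>): Falling back to expired data from cache
"""

LINE_RE = re.compile(
    r"dovecot: auth: (?:Error: )?"
    r"ldap\((?P<user>[^,]*),(?P<ip>[^,]*),<(?P<sid>[^>]*)>\): (?P<msg>.*)$"
)
UNWILLING = "ldap_bind() failed: Server is unwilling to perform"
FALLBACK = "Falling back to expired data from cache"


def find_lock_bypasses(log_text):
    """Return (user, ip) pairs whose bind was refused and then served from cache."""
    refused = set()   # (user, ip, session) keys with a refused bind
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        key = (m["user"], m["ip"], m["sid"])
        msg = m["msg"].strip()
        if msg == UNWILLING:
            refused.add(key)
        elif msg == FALLBACK and key in refused:
            # The directory refused the bind, yet cached data was used.
            findings.append((m["user"], m["ip"]))
            refused.discard(key)
    return findings


if __name__ == "__main__":
    for user, ip in find_lock_bypasses(SAMPLE_LOG):
        print(f"{user} from {ip}: bind refused by LDAP, then served from cache")
```

A cache fallback with no preceding refusal (carol in the sample) is not reported, since it may come from an ordinary server outage rather than a locked account.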
Passwordless sudo - is it possible?
by Todor Petkov
Hello all,
I have the following setup:
389-ds server and various machines are configured to retrieve user
information via SSSD.
There is a user in the ldap server, called userx. This user is used by
HP UCMDB to log in machines and perform discovery of installed packages,
settings etc.
Due to the nature of the HP product, it requires passwordless sudo.
As I read, there is no way for an ldap user to be added in the sudoers file
with the NOPASSWD option, is this correct?
Regards,
7 years, 10 months
Re: [389-users] DS crashed /killed by OS
by Fong, Trevor
Hi German,
Apologies for resurrecting an old thread.
We're also experiencing something similar. We're currently running
389-ds-base-1.2.11.15-48.el6_6.x86_64
I'm afraid I don't have login privileges in order to view the details of the bug you linked.
Could you please post details of how you defined an entry cache to include the whole db, and why this works?
FYI - moves are afoot re upgrading DS on a set of new servers, but in the meantime, we need to address this issue.
Thanks a lot,
Trev
On 2015-02-05, 1:57 AM, "389-users-bounces(a)lists.fedoraproject.org on behalf of German Parente" <389-users-bounces(a)lists.fedoraproject.org on behalf of gparente(a)redhat.com> wrote:
>
>Hi,
>
>we have had several customer cases showing this behavior. In one of these cases, we have confirmed it was due to memory fragmentation after cache-trashing.
>
>We have stopped seeing this behavior by defining an entry cache which includes the whole db (when possible, of course).
>
>Details can be found at:
>
>https://bugzilla.redhat.com/show_bug.cgi?id=1186512
>Apparent memory leak in ns-slapd; OOM-Killer invoked
>
>Regards,
>
>German
>
>----- Original Message -----
>> From: "David Boreham" <david_list(a)boreham.org>
>> To: 389-users(a)lists.fedoraproject.org
>> Sent: Wednesday, February 4, 2015 8:50:55 PM
>> Subject: Re: [389-users] DS crashed /killed by OS
>>
>> On 2/4/2015 11:20 AM, ghiureai wrote:
>>
>> Out of memory: Kill process 2090 (ns-slapd) score 954 or sacrifice child
>>
>> It wasn't clear to me from your post whether you already have a good
>> understanding of the OOM killer behavior in the kernel.
>> On the chance that you're not yet familiar with its ways, suggest reading,
>> for example this article :
>> http://unix.stackexchange.com/questions/153585/how-oom-killer-decides-whi...
>> I mention this because it may not be the DS that is the problem (not saying
>> that it absolutely is not, but it might not be).
>> The OOM killer picks a process that is using a large amount of memory, and
>> kills it in order to preserve system stability.
>> This does not necessarily imply that the process it kills is the process that
>> is causing the system to run out of memory.
>> You said that the DS "crashed", but in fact the kernel killed it -- not quite
>> the same thing!
>>
>> It is also possible that the system has insufficient memory for the processes
>> it is running, DS cache size and so on.
>> Certainly it is worthwhile checking that the DS hasn't been inadvertently
>> configured to use more peak memory than the machine has available.
>>
>> Bottom line : there are a few potential explanations, including but not
>> limited to a memory leak in the DS process.
>> Some analysis will be needed to identify the cause. As a precaution, if you
>> can -- configure more swap space on the box.
>> This will allow more runway before the kernel starts looking for processes to
>> kill, and hence more time to figure out what's using memory and why.
>>
>> --
>> 389 users mailing list
>> 389-users(a)lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/389-users
7 years, 10 months
IP Address on ACI
by Joel Levin
Hi All:
I inserted the first ACI with an IP Address restriction: tested from all
angles but seems to fail when the IP address restriction is added.
ACI template:
(targetattr = "foobar") (version 3.0;acl "redcap-svc REDCap SA Read
Only";allow (read,compare,search)(userdn = "ldap:///example") and
(dns="123.123.123.123");)
Is there an additional configuration to set for IP address restriction to
take hold in 389 DS?
Thanks.
7 years, 11 months
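389 DS bind rules have separate keywords for the client's address ("ip") and for its DNS host name ("dns"). A small check for a value of the wrong kind under either keyword, as an added example that is not part of the original post; the function names are hypothetical, and the ACI string is the template above joined onto one line.

```python
import ipaddress
import re

# Matches bind-rule expressions such as  dns="host.example.com"  or  ip != "10.1.*"
BIND_EXPR_RE = re.compile(r'\b(?P<kw>ip|dns)\s*!?=\s*"(?P<val>[^"]*)"', re.I)

# The ACI template from the post, joined onto a single line.
POSTED_ACI = (
    '(targetattr = "foobar") (version 3.0;acl "redcap-svc REDCap SA Read Only";'
    'allow (read,compare,search)(userdn = "ldap:///example") and '
    '(dns="123.123.123.123");)'
)


def looks_like_ip(value):
    """True for IPv4/IPv6 literals, including wildcard forms such as 10.1.2.*"""
    probe = value.strip().replace("*", "0")
    try:
        ipaddress.ip_address(probe)
        return True
    except ValueError:
        return False


def lint_aci(aci):
    """Return (keyword, value, suggested_keyword) for each mismatched bind rule."""
    findings = []
    for m in BIND_EXPR_RE.finditer(aci):
        kw, val = m["kw"].lower(), m["val"]
        if kw == "dns" and looks_like_ip(val):
            # An address literal under dns is compared with the client's host name.
            findings.append((kw, val, "ip"))
        elif kw == "ip" and not looks_like_ip(val):
            findings.append((kw, val, "dns"))
    return findings


if __name__ == "__main__":
    for kw, val, suggestion in lint_aci(POSTED_ACI):
        print(f'{kw}="{val}" looks like it belongs under the {suggestion} keyword')
```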
Re: [389-users] WinSync agreement deletes directory server users
by Mizrahi, Yair
I'll do some comparison tomorrow between affected and unaffected users; hopefully I will find something.
-------- Original message --------
From: Noriko Hosoi <nhosoi(a)redhat.com>
Date: 19/10/2015 19:04 (GMT+02:00)
To: 389-users(a)lists.fedoraproject.org
Subject: Re: [389-users] WinSync agreement deletes directory server users
Thank you for the update.
Regarding this symptom:
> they also get deleted from directory server (around 200 users from 550).
I'm curious what's the difference between the deleted 200 users and the rest.
Thanks,
--noriko
On 10/19/2015 12:35 AM, Mizrahi, Yair wrote:
Hi Noriko,
This is the version I have installed:
389-ds-base-1.2.11.15-60.el6.x86_64 on CentOS 6.5
I was able to work around the problem by backing up the group and people OUs to LDIF files, doing the sync (which deleted the affected accounts), and after that importing them back; this caused the LDAP server to sync them to AD.
BTW I noticed the initial sync is deleting the same accounts.
Thanks,
From: 389-users-bounces(a)lists.fedoraproject.org On Behalf Of Noriko Hosoi
Sent: Monday, October 19, 2015 12:23 AM
To: 389-users(a)lists.fedoraproject.org
Subject: Re: [389-users] WinSync agreement deletes directory server users
On 10/18/2015 02:06 AM, Mizrahi, Yair wrote:
Hi,
I have set up a sync agreement between directory server and active directory 2012R2 and I’m getting very strange behavior: if I do a 2-way sync (the default), the sync completes successfully but not all the users are created in AD; not only that, they also get deleted from directory server (around 200 users from 550).
I’m syncing to Blank OU in AD
My DS version is 1.2.2-1
Is it the version of 389-ds-base (not 389-ds)?
rpm -q 389-ds-base
Thanks,
Yair Mizrahi
Sr Lab IT engineer
Office: + 972 722563243
Mobile: + 972 54 2327687
Email: Yair.Mizrahi(a)emc.com
EMC² - XtremIO
Glil Yam 46905,
Herzliya,
Israel
www.emc.com
7 years, 11 months
Missing 389-console?
by Gary Algier
Hello,
I can't seem to get 389-console.
I installed CentOS 7.1.1503 and EPEL 7 and tried to install 389-ds. There
seems to no longer be a master 389-ds package:
root@ds3 104% yum list \*389\*
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
* base: mirrors.tripadvisor.com
* core-0: cobbler.ulticom.com
* epel: mirror.symnds.com
* extras: mirrors.gigenet.com
* updates: mirror.nexcess.net
Installed Packages
389-admin.x86_64              1.1.38-1.el7                    @epel
389-adminutil.x86_64          1.1.21-2.el7                    @epel
389-ds-base.x86_64            1.3.3.1-20.el7_1                @updates
389-ds-base-libs.x86_64       1.3.3.1-20.el7_1                @updates
Available Packages
389-adminutil-devel.x86_64    1.1.21-2.el7                    epel
389-ds-base-devel.x86_64      1.3.3.1-20.el7_1                updates
texlive-xunicode.noarch       2:svn23897.0.981-32.el7         base
texlive-xunicode-doc.noarch   2:svn23897.0.981-32.el7         base
up-imapproxy.x86_64           1.2.8-0.5.20130726svn14389.el7  epel
root@ds3 105%
So I installed all the 389-* packages that were non-devel. I ran the setup
and got the system going, but now there is no console:
root@ds3 112% yum provides 389-console
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
* base: mirrors.tripadvisor.com
* core-0: cobbler.ulticom.com
* epel: mirror.symnds.com
* extras: mirrors.gigenet.com
* updates: mirror.nexcess.net
No matches found
root@ds3 113%
Is there some other place I need to go?
--
Gary Algier
7 years, 11 months
updating/removing user indexes Q
by ghiureai
Hi List,
I would like to know if, after removing user indexes using the admin
console, there is a need to run the
db2index.pl script while the ldap is shut down, or should it be fine to
run with DS online?
Thank you
Isabella
7 years, 11 months