Problem browsing LDAP with Outlook
by Chris Bryant
When configuring Microsoft Outlook (not Outlook Express) to access an LDAP directory, there is an option to 'Enable Browsing (requires server support)'. If this option is chosen and the directory server supports it, then you should be able to open the LDAP address book and page up and down through the results. I have been unable to get this working properly with 389 DS.
When I try to browse from Outlook against the 389 DS directory, I am able to see the first page of results perfectly. However, if I move to the next page, only the first object returned will have any attributes included, and all of the rest of the objects in the page will have no attributes. I have a test perl script that duplicates this functionality as well.
I can get this to work properly with an older version of Netscape Directory Server, and I can get it working with OpenDS. Since 389 DS advertises support for the controls that are required for this to work, just like the other two servers, then I would expect it to work there also.
Has anyone out there gotten this to work with 389 DS? If so, can you share if there was anything special that you needed to do to get this to work? I'm trying to determine if this is a bug in the server, or if I'm just missing something in the configuration.
Thanks,
Chris
USA.NET
You Run Your Business. We'll Run Your Email.
This message is for the sole use of the intended recipient(s) and may contain confidential and/or privileged information of USA.NET, Inc. Any unauthorized review, use, copying, disclosure, or distribution is prohibited. If you are not the intended recipient, please immediately contact the sender by reply email and delete all copies of the original message.
2 years, 3 months
DS start debug mode option
by ghiureai
Hi LIst,
I would like to know if there an option to start DS in debug mode ?
we re- installed the OS on host with DS and trying to use an existing
full backup taken before shutdown ,
getting the following : error 1 when trying to start DS ,no errors or
messages are written to DS log
Isabella
7 years, 7 months
Configuring StartTLS
by Galazios, Costa
Hello,
I am converting my 389 instances to use StartTLS and have hit the following snag.
After running setup-ssl.sh, and adding “nsslapd-security:on” to dse.ldif, and restarting both dirsrv and dirsrv-admin, I am trying to do an ldapsearch to test functionality over tcp/389 with StartTLS.
==
[root@ops-ldap-m-00001 slapd-ops-ldap-m-00001]# ldapsearch -x -LLL -ZZ -p 636 -h "ops-ldap-m-00001.svale.netledger.com" -D cn=manager -w password -b "" -s base objectclass=top
ldap_start_tls: Can't contact LDAP server (-1)
[root@ops-ldap-m-00001 slapd-ops-ldap-m-00001]# ldapsearch -x -LLL -ZZ -p 389 -h "ops-ldap-m-00001.svale.netledger.com" -D cn=manager -w password -b "" -s base objectclass=top
ldap_start_tls: Protocol error (2)
additional info: unsupported extended operation
[root@ops-ldap-m-00001 slapd-ops-ldap-m-00001]#
==
Can someone help illuminate for me what I’ve done wrong?
To learn more about SuiteWorld, visit
www.netsuite.com/suiteworld.
NOTICE: This email and any attachments may contain confidential and proprietary information of NetSuite Inc. and is for the sole use of the intended recipient for the stated purpose. Any improper use or distribution is prohibited. If you are not the intended recipient, please notify the sender; do not review, copy or distribute; and promptly delete or destroy all transmitted information. Please note that all communications and information transmitted through this email system may be monitored and retained by NetSuite or its agents and that all incoming email is automatically scanned by a third party spam and filtering service which may result in deletion of a legitimate e-mail before it is read by the intended recipient.
7 years, 7 months
multimaster replication resync after one server offline
by ghiureai
Hi List,
I would like to know what are the steps to resync a ldap server part of
mutlmaster replication env, the server will be taken off line for 1 day ?
Initially I put the server in read only mode while doing the failover to
other master , and next I shutdown it down for some OS maintenance.
What are steps to resync the replication when will be brought back online ?
Isabella
7 years, 7 months
multimaster replication one host offline
by ghiureai
Hi List,
I have cfg LDAP multimaster replication, one of the hosts will be
offline for some days, do I need to disable the replication agreement
completely at this point? (what will be the minimum cfg)
What are the steps to resync the master after is been brought online ?
Thank you
Isabella
7 years, 7 months
problems building RPM for 389-admin
by Giovanni Baruzzi
Hi all,
sorry for a newcomer question.
After having built the RPM for 389-ds-base and 389-adminutil I’m stuck with a problem with 389-admin.
I was not able to find an „official“ SPEC file and I resorted to one found somewhere in Internet.
The problem is that this file requires the definition of the macro %{_unitdir}, which apparetnly is not defined anymore (?) for Fedora.
How can I solve the problem?
Is there a location for the „official“ spec files?
thank you,
Giovanni
7 years, 7 months
selinux problem with centos 7.1
by Angel Bosch
hi,
I'm having problems installing a new test environment on centos 7.1
when I execute setup-ds-admin.pl i get this message:
Adding port 389 to selinux policy failed - ValueError: SELinux policy is not managed or store cannot be accessed.
I've tried with --debug and it keeps retrying every 5 seconds with same message.
# lsb_release -a
LSB Version: :core-4.1-amd64:core-4.1-noarch
Distributor ID: CentOS
Description: CentOS Linux release 7.1.1503 (Core)
Release: 7.1.1503
Codename: Core
# sestatus
SELinux status: disabled
the only irregular thing is that im using an openvz container, but I have plenty of other DS inside openvz without any problems.
i managed to continue with the installation with a very dirty hack, I modified DSCreate.pm script and added a return in the beggining of updateSelinuxPolicy sub:
####################################################
sub updateSelinuxPolicy {
my $inf = shift;
return 0;
####################################################
did anyone got this same problem?
abosch
--
7 years, 7 months
question about samba and account lockout
by Kevin Taylor
We've been using the old Sun Directory Server (DSEE7) for a long time and have had things working in such a way that when a user on linux or windows locks the account after so many failures, neither windows nor linux will allow them to log in.
The way that was done was to modify the samba source code (in lib/smbldap.c) to point the SambaKickoffTime variable to pwdaccountlockedtime from the LDAP server. This worked.
We want to move to the 389 directory server and perform the same function, but I'm having some issues. The pwdaccountlockedtime isn't there anymore. When the account locks, I see that we have the accountunlocktime attribute being set.
Unfortunately, I can't use that field for samba since it's looking for unix time in seconds. The default value of accountunlocktime is Jan 1 1970, so samba thinks that this is some date in the year 600,000+.
So, are any of the following things possible? If so, how can I do it?
1) When an account locks out on the DS, automatically set the SambaKickoffTime attribute in DS to the current time in seconds
2) Change the default value of accountunlocktime to 00000000000000Z instead of 1970....
3) Change the format of the sambakickofftime inside of samba so that it will acknowledge what the DS offers it.
4) Some other way to get samba to acknowledge that account cannot login automatically upon lockout from DS.
Thanks for your help.
7 years, 7 months
