April 2015 - 389-users - Fedora Mailing-Lists

by Pierre ROUDIER

Hi all, RedHat DS's doc states that the nsAccountLock attribute is multi-valued [1]. Some tests with 389ds led me to think it's also true for 389ds. I cannot think of any reason explaining why it would have to be multi-valued. Do you have any idea? Thank you. [1] https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Serv...

4 years, 7 months

3
2
0 / 0

Announcing 389 Directory Server version 1.3.3.10

by Noriko Hosoi

389 Directory Server 1.3.3.10 The 389 Directory Server team is proud to announce 389-ds-base version 1.3.3.10. Fedora packages are available from the Fedora 21, 22 and Rawhide repositories. The new packages and versions are: * 389-ds-base-1.3.3.10-1 A source tarball is available for download at Download Source <http://www.port389.org/binaries/389-ds-base-1.3.3.10.tar.bz2> Highlights in 1.3.3.10 * One important security bug was fixed. Installation and Upgrade See Download <http://www.port389.org/docs/389ds/download.html> for information about setting up your yum repositories. To install, use *yum install 389-ds* yum install 389-ds After install completes, run *setup-ds-admin.pl* to set up your directory server. setup-ds-admin.pl To upgrade, use *yum upgrade* yum upgrade After upgrade completes, run *setup-ds-admin.pl -u* to update your directory server/admin server/console information. setup-ds-admin.pl -u See Install_Guide <http://www.port389.org/docs/389ds/legacy/install-guide.html> for more information about the initial installation, setup, and upgrade See Source <http://www.port389.org/docs/389ds/development/source.html> for information about source tarballs and SCM (git) access. Feedback We are very interested in your feedback! Please provide feedback and comments to the 389-users mailing list: https://admin.fedoraproject.org/mailman/listinfo/389-users as well as https://admin.fedoraproject.org/updates/389-ds-base-1.3.3.10-1.fc21 <https://admin.fedoraproject.org/updates/389-ds-base-1.3.3.10-1.fc21> and https://admin.fedoraproject.org/updates/389-ds-base-1.3.3.10-1.fc22 <https://admin.fedoraproject.org/updates/389-ds-base-1.3.3.10-1.fc22>. If you find a bug, or would like to see a new feature, file it in our Trac instance: https://fedorahosted.org/389 Detailed Changelog since 1.3.3.8 * Bug 1216203 - CVE-2015-1854 389ds-base: access control bypass with modrdn [fedora-all] http://www.port389.org/docs/389ds/releases/release-1-3-3-10.html

4 years, 10 months

1
0
0 / 0

DS start debug mode option

by ghiureai

Hi LIst, I would like to know if there an option to start DS in debug mode ? we re- installed the OS on host with DS and trying to use an existing full backup taken before shutdown , getting the following : error 1 when trying to start DS ,no errors or messages are written to DS log Isabella

4 years, 10 months

1
0
0 / 0

Configuring StartTLS

by Galazios, Costa

Hello, I am converting my 389 instances to use StartTLS and have hit the following snag. After running setup-ssl.sh, and adding “nsslapd-security:on” to dse.ldif, and restarting both dirsrv and dirsrv-admin, I am trying to do an ldapsearch to test functionality over tcp/389 with StartTLS. == [root@ops-ldap-m-00001 slapd-ops-ldap-m-00001]# ldapsearch -x -LLL -ZZ -p 636 -h "ops-ldap-m-00001.svale.netledger.com" -D cn=manager -w password -b "" -s base objectclass=top ldap_start_tls: Can't contact LDAP server (-1) [root@ops-ldap-m-00001 slapd-ops-ldap-m-00001]# ldapsearch -x -LLL -ZZ -p 389 -h "ops-ldap-m-00001.svale.netledger.com" -D cn=manager -w password -b "" -s base objectclass=top ldap_start_tls: Protocol error (2) additional info: unsupported extended operation [root@ops-ldap-m-00001 slapd-ops-ldap-m-00001]# == Can someone help illuminate for me what I’ve done wrong? To learn more about SuiteWorld, visit www.netsuite.com/suiteworld. NOTICE: This email and any attachments may contain confidential and proprietary information of NetSuite Inc. and is for the sole use of the intended recipient for the stated purpose. Any improper use or distribution is prohibited. If you are not the intended recipient, please notify the sender; do not review, copy or distribute; and promptly delete or destroy all transmitted information. Please note that all communications and information transmitted through this email system may be monitored and retained by NetSuite or its agents and that all incoming email is automatically scanned by a third party spam and filtering service which may result in deletion of a legitimate e-mail before it is read by the intended recipient.

4 years, 10 months

1
0
0 / 0

multimaster replication resync after one server offline

by ghiureai

Hi List, I would like to know what are the steps to resync a ldap server part of mutlmaster replication env, the server will be taken off line for 1 day ? Initially I put the server in read only mode while doing the failover to other master , and next I shutdown it down for some OS maintenance. What are steps to resync the replication when will be brought back online ? Isabella

4 years, 10 months

1
0
0 / 0

multimaster replication one host offline

by ghiureai

Hi List, I have cfg LDAP multimaster replication, one of the hosts will be offline for some days, do I need to disable the replication agreement completely at this point? (what will be the minimum cfg) What are the steps to resync the master after is been brought online ? Thank you Isabella

4 years, 10 months

3
2
0 / 0

problems building RPM for 389-admin

by Giovanni Baruzzi

Hi all, sorry for a newcomer question. After having built the RPM for 389-ds-base and 389-adminutil I’m stuck with a problem with 389-admin. I was not able to find an „official“ SPEC file and I resorted to one found somewhere in Internet. The problem is that this file requires the definition of the macro %{_unitdir}, which apparetnly is not defined anymore (?) for Fedora. How can I solve the problem? Is there a location for the „official“ spec files? thank you, Giovanni

4 years, 10 months

3
2
0 / 0

selinux problem with centos 7.1

by Angel Bosch

hi, I'm having problems installing a new test environment on centos 7.1 when I execute setup-ds-admin.pl i get this message: Adding port 389 to selinux policy failed - ValueError: SELinux policy is not managed or store cannot be accessed. I've tried with --debug and it keeps retrying every 5 seconds with same message. # lsb_release -a LSB Version: :core-4.1-amd64:core-4.1-noarch Distributor ID: CentOS Description: CentOS Linux release 7.1.1503 (Core) Release: 7.1.1503 Codename: Core # sestatus SELinux status: disabled the only irregular thing is that im using an openvz container, but I have plenty of other DS inside openvz without any problems. i managed to continue with the installation with a very dirty hack, I modified DSCreate.pm script and added a return in the beggining of updateSelinuxPolicy sub: #################################################### sub updateSelinuxPolicy { my $inf = shift; return 0; #################################################### did anyone got this same problem? abosch --

4 years, 10 months

3
4
0 / 0

question about samba and account lockout

by Kevin Taylor

We've been using the old Sun Directory Server (DSEE7) for a long time and have had things working in such a way that when a user on linux or windows locks the account after so many failures, neither windows nor linux will allow them to log in. The way that was done was to modify the samba source code (in lib/smbldap.c) to point the SambaKickoffTime variable to pwdaccountlockedtime from the LDAP server. This worked. We want to move to the 389 directory server and perform the same function, but I'm having some issues. The pwdaccountlockedtime isn't there anymore. When the account locks, I see that we have the accountunlocktime attribute being set. Unfortunately, I can't use that field for samba since it's looking for unix time in seconds. The default value of accountunlocktime is Jan 1 1970, so samba thinks that this is some date in the year 600,000+. So, are any of the following things possible? If so, how can I do it? 1) When an account locks out on the DS, automatically set the SambaKickoffTime attribute in DS to the current time in seconds 2) Change the default value of accountunlocktime to 00000000000000Z instead of 1970.... 3) Change the format of the sambakickofftime inside of samba so that it will acknowledge what the DS offers it. 4) Some other way to get samba to acknowledge that account cannot login automatically upon lockout from DS. Thanks for your help.

4 years, 10 months

1
0
0 / 0

Troubles with automated deployment of secure 389 server

by Nicolas Martin

Hello, I've been trying to deploy a secure 389 server with TLS/SSL on the port 636. If I do things manually, it works alright. But using the scripts provided on the website, I run into some troubles. BACKGROUND INFO: Attached to this mail are the scripts and conf file I use. My setupssl.sh is a modified version of the setupssl2.ssh meant for DS >= 1.1. I changed the cipher suite and I changed the name of the admin cert from server-cert to admin-cert for clarity (I changed manually the name of the certificate in the admin console configuration file accordingly). Reason behind the cipher suite change is that the one in the original script prevents the script from running (AttributeType error) so I used a cipher suite from a working, manually deployed LDAP server. I use the packages provided with RHEL6U5. Here are the components version: 389-ds-base-1.2.11.15-34.el6_5.x86_64 389-ds-1.2.2-1.el6.noarch 389-ds-console-1.2.6-1.el6.noarch 389-adminutil-1.1.19-1.el6.x86_64 389-admin-console-1.1.8-1.el6.noarch 389-dsgw-1.1.11-1.el6.x86_64 389-admin-1.1.35-1.el6.x86_64 389-admin-console-doc-1.1.8-1.el6.noarch 389-ds-console-doc-1.2.6-1.el6.noarch 389-ds-base-libs-1.2.11.15-34.el6_5.x86_64 389-console-1.1.7-1.el6.noarch openjdk version: java-1.6.0-openjdk-1.6.0.0-6.1.13.4.el6_5.x86_64 PROBLEM DESCRIPTION: Once the scripts are ran, I start 389-console using the https URL. Authentication yields an error message: "Cannot connect..." Console with debugging enabled shows this error message: Unable to create ssl socket org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8054) You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert. /var/log/dirsrv/admin-server/error has the following line: [error] SSL Library Error: -12271 SSL client cannot verify your certificate Certificates list from admin server: admin-cert u,u,u CA certificate CT,, Certificates list from slapd-myserver7: CA certificate CTu,u,u admin-cert u,u,u Server-Cert u,u,u My certificates all have different serial numbers: 1000 for CA, 1001 for Server-Cert, 1002 for admin-cert. If I disable the security for the console by setting NSSEngine to Off, I can log to the console with the normal http URL, but as soon as I access a certificate-related tab (For example "Manage Certificates" or the Encryption tab of the server), I get the following error message: Unable to create ssl socket org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-12263) SSL received a record that exceeded the maximum permissible length. Has anyone ever experienced these SSL errors ? Is there something I can compare between my working, manually deployed LDAP servers and the one that I try to deploy automatically ? Thanks in advance. Regards, Nicolas Martin

4 years, 10 months

1
0
0 / 0

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

389-users April 2015