Problem browsing LDAP with Outlook
by Chris Bryant
When configuring Microsoft Outlook (not Outlook Express) to access an LDAP directory, there is an option to 'Enable Browsing (requires server support)'. If this option is chosen and the directory server supports it, then you should be able to open the LDAP address book and page up and down through the results. I have been unable to get this working properly with 389 DS.
When I try to browse from Outlook against the 389 DS directory, I am able to see the first page of results perfectly. However, if I move to the next page, only the first object returned will have any attributes included, and all of the rest of the objects in the page will have no attributes. I have a test Perl script that duplicates this functionality as well.
I can get this to work properly with an older version of Netscape Directory Server, and I can get it working with OpenDS. Since 389 DS advertises support for the controls that are required for this to work, just like the other two servers, then I would expect it to work there also.
Has anyone out there gotten this to work with 389 DS? If so, can you share if there was anything special that you needed to do to get this to work? I'm trying to determine if this is a bug in the server, or if I'm just missing something in the configuration.
Thanks,
Chris
3 years, 3 months
replica from DS to AD
by Fabien Gasbayet
Hi,
I have 2 questions.
1 - On this diagram:
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9....
Password replication seems bi-directional...
But in my attempts...
from DS to AD, I can sync users but passwords are always blank.
Only if I change passwords on AD will they be replicated to DS.
2 - If I delete a user on DS and launch the replication... The user is not removed on AD.
So, is it possible to sync passwords from DS to AD?
And is it possible to delete users on DS with a replica on AD?
Thanks a lot
Best regards
Fabien
8 years, 3 months
replication monitoring
by Russell Beall
Hello,
I have deployed an MMR cluster with a recent (about April) version of 389 from the CentOS 6 repository.
Following example 2 of this document, I have tried to set up a monitoring script on each node to verify that replication is correctly succeeding:
http://directory.fedoraproject.org/docs/389ds/howto/howto-replicationmoni...
The monitoring command-line search usually works, but when replication is occurring it returns a false-positive for replication errors because some of the replicas are busy.
Rather than grepping out on the word “busy” which might lead us to miss the state when everything is erring out because everything is busy, I thought I should ask for recommendations on handling this.
My best idea is to run the command several times over several seconds and if it fails more than X times in a row, then issue an alert. Of course that wouldn’t work if there was a longer-than-usual replication underway. Is there a better way to do this?
Thank you,
Russ.
8 years, 3 months
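An added sketch of the "more than X times in a row" idea from the post above (example code, not from the poster or the 389 DS project): busy polls and real errors get separate consecutive-poll limits, so a transient busy replica stays quiet while a replica that never stops being busy still alerts. The status strings, the agreement name to-ldap02 and both limits are constructed assumptions.

```python
from dataclasses import dataclass

def classify(status):
    """Map one replication status string to 'ok', 'busy' or 'error'."""
    text = status.strip().lower()
    if "busy" in text:
        return "busy"
    # Assumption: a leading "0" status code means the last update succeeded.
    return "ok" if text.split(" ", 1)[0] == "0" else "error"

@dataclass
class Streak:
    errors: int = 0
    busy: int = 0

class ReplicationWatch:
    def __init__(self, error_limit=3, busy_limit=5):
        self.error_limit, self.busy_limit = error_limit, busy_limit
        self.streaks = {}  # agreement name -> Streak

    def observe(self, agreement, status):
        """Record one poll; return an alert string or None."""
        s = self.streaks.setdefault(agreement, Streak())
        kind = classify(status)
        if kind == "ok":
            s.errors = s.busy = 0
        elif kind == "busy":
            s.busy += 1  # busy neither extends nor clears the error streak
        else:
            s.errors += 1
            s.busy = 0
        if s.errors >= self.error_limit:
            return f"{agreement}: {s.errors} consecutive errors"
        if s.busy >= self.busy_limit:
            return f"{agreement}: busy for {s.busy} consecutive polls"
        return None

def replay(polls, **limits):
    """Feed (agreement, status) pairs through a fresh watch; collect alerts."""
    watch = ReplicationWatch(**limits)
    return [a for a in (watch.observe(ag, st) for ag, st in polls) if a]

# Constructed poll sequences (not captured from a real server).
OK = ("to-ldap02", "0 Replica acquired successfully: Incremental update succeeded")
BUSY = ("to-ldap02", "1 Can't acquire busy replica")
FAIL = ("to-ldap02", "-1 constructed failure status")
TRANSIENT = [OK] + [BUSY] * 4 + [OK]
STUCK = [OK] + [BUSY] * 5
FAILING = [OK, FAIL, BUSY, FAIL, FAIL]
```

The busy limit should be sized from the longest replication run normally seen, since that is the case the post worries about.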
Java Version For 389-console
by John Trump
Which versions of Java are supported for 389-console? I currently
have 389-console-1.1.7-1.el6.noarch installed running Java 1.8. When I try
to launch I get: Error: Could not find or load main class error:
8 years, 3 months
How to modify the logging dir
by bahan w
Hello!
I recently installed FreeIPA 3.0.0-47 and I have a question related to the
logging dir used.
We know that the logs are stored in the /var/log/dirsrv folder but we would
like to move this elsewhere.
Do you know if it is possible?
Best regards.
Bahan
8 years, 3 months
Restrict master-master replication
by vinay garg
Hi list,
We have a multi-master setup:
1. Primary master
2. Secondary master
How can we apply a restriction on the primary master so that the primary master can
only replicate modify and add operations to the secondary master, but the primary master doesn't
have permission to delete replicated data on the secondary master?
Any idea how to restrict replication from the primary master to the secondary master?
--
*Regards,*
*Vinay Garg*
*Keen & Able Comp. Pvt. ltd.*
*9990770734*
8 years, 3 months
password encryption importing issue
by vinay garg
Dear list,
We have a master-master replication setup. We have migrated from OpenLDAP to
389-ds.
In OpenLDAP, the password encryption type was md5, ssha, sha, etc. When we
imported the OpenLDAP database into 389-ds, the data imported successfully.
But some users can log in because they are using the md5 encryption method. Some
users cannot log in because they are using the ssha, sha encryption methods.
Please suggest how we can manage the imported ssha, sha encryption methods in
389-ds.
8 years, 3 months
access to LDAP log/access file to non admin users
by ghiureai
Hi List,
I need a nice, clean solution to give the developers team access to the LDAP error log and
access file on our prod LDAP, noting that they
will not be allowed to log in to the actual LDAP host. At the present time
the devs are using Apache Studio.
Thank you for all your input.
8 years, 4 months
Admin Server. How to turn off access control by host/domain name?
by Aleksey Chudov
Hi,
I'm configuring 389 DS on CentOS 7 using some packages from epel-testing
# rpm -qa | grep 389 | sort
389-admin-1.1.42-1.el7.x86_64
389-admin-console-1.1.10-1.el7.noarch
389-admin-console-doc-1.1.10-1.el7.noarch
389-adminutil-1.1.22-1.el7.x86_64
389-console-1.1.9-1.el7.noarch
389-ds-1.2.2-1.el7.centos.noarch
389-ds-base-1.3.3.1-20.el7_1.x86_64
389-ds-base-libs-1.3.3.1-20.el7_1.x86_64
389-ds-console-1.2.12-1.el7.noarch
389-ds-console-doc-1.2.12-1.el7.noarch
There are a lot of warnings in /var/log/dirsrv/admin-serv/error
[Tue Aug 11 16:59:43.061536 2015] [:warn] [pid 6814:tid 140053607032576]
[client 10.10.10.22:50957] admserv_host_ip_check: failed to get host by ip
addr [10.10.10.22] - check your host and DNS configuration
According to the documentation
http://directory.fedoraproject.org/docs/389ds/howto/howto-adminserverldap...
nsAdminAccessHosts attribute can be deleted to turn off access control by
host/domain name.
But deleting "nsAdminAccessHosts" leads to also deleting
"configuration.nsAdminAccessHosts" from /etc/dirsrv/admin-serv/local.conf.
After that Admin Server doesn't start with error
[Tue Aug 11 17:03:51.704255 2015] [:crit] [pid 7292:tid 140568690079808]
host_ip_init(): PSET failure: Could not retrieve access hosts attribute
(pset error = )
If I put an empty parameter "configuration.nsAdminAccessHosts: " in
/etc/dirsrv/admin-serv/local.conf Admin Server works as expected until next
configuration change from Management Console. After next restart
"configuration.nsAdminAccessHosts" is again missing from config because
there is no "nsAdminAccessHosts" in directory and Admin Server doesn't
start again.
Is it a bug? How to turn off access control by host/domain name?
Aleksey
8 years, 4 months
Replication reinit skipping entries
by Trey Dockendorf
I recently discovered my two 389DS servers in master-master replication had
some inconsistencies. Initially the only differences were 3 users added to
ldap01 did not exist in ldap02. I re-initialized ldap02 from ldap01 and
now am seeing that 3 groups defined are being skipped [1].
I read in another thread that someone else saw this when they moved an LDAP
record from one location to another in the directory. I believe that may
be what happened here as I know the SLURM user and group both used to exist
in a different OU. I moved them to the "Service" OUs some months ago.
What's odd is that this move did not cause the user records to be skipped,
just the group records. The thread I saw regarding something similar
appears to have the fix resolved in 1.2.10 series. Is this some different
bug?
As a workaround and test of a fix, I deleted the 'backupuser' LDAP group
from ldap01 and added it back via an LDIF. I then reinitialized ldap02 from
ldap01 and that group now exists on ldap02, but I still get a warning [2].
The nsuniqueid in the warning is not the nsuniqueid of the newly created
backupuser entry. Is there anything to be concerned about with this
warning?
These are the 389-ds packages installed on both ldap01 and ldap02:
389-admin-1.1.35-1.el6.x86_64
389-admin-console-1.1.8-1.el6.noarch
389-admin-console-doc-1.1.8-1.el6.noarch
389-adminutil-1.1.19-1.el6.x86_64
389-adminutil-devel-1.1.19-1.el6.x86_64
389-console-1.1.7-1.el6.noarch
389-ds-1.2.2-1.el6.noarch
389-ds-base-1.2.11.15-32.el6_5.x86_64
389-ds-base-devel-1.2.11.15-32.el6_5.x86_64
389-ds-base-libs-1.2.11.15-32.el6_5.x86_64
389-ds-console-1.2.6-1.el6.noarch
389-ds-console-doc-1.2.6-1.el6.noarch
389-dsgw-1.1.11-1.el6.x86_64
Let me know what other information may be useful and if this is something I
need to submit as a bug report.
Thanks,
- Trey
[1]:
[07/Aug/2015:12:35:20 -0500] NSMMReplicationPlugin - conn=353332 op=3
Relinquishing consumer connection extension
[07/Aug/2015:12:35:20 -0500] - import userRoot: WARNING: Skipping entry
"cn=slurm,ou=Service Groups,dc=brazos,dc=tamu,dc=edu" which has no parent,
ending at line 0 of file "(bulk import)"
[07/Aug/2015:12:35:20 -0500] - import userRoot: WARNING: Skipping entry
"cn=rsv,ou=Service Groups,dc=brazos,dc=tamu,dc=edu" which has no parent,
ending at line 0 of file "(bulk import)"
[07/Aug/2015:12:35:20 -0500] - import userRoot: WARNING: bad entry: ID 20
[07/Aug/2015:12:35:20 -0500] - import userRoot: WARNING: bad entry: ID 22
[07/Aug/2015:12:35:21 -0500] - import userRoot: WARNING: Skipping entry
"cn=backupuser,ou=Service Groups,dc=brazos,dc=tamu,dc=edu" which has no
parent, ending at line 0 of file "(bulk import)"
[07/Aug/2015:12:35:21 -0500] - import userRoot: WARNING: bad entry: ID 4102
[07/Aug/2015:12:35:24 -0500] NSMMReplicationPlugin - conn=353332 op=4242
Acquired consumer connection extension
[07/Aug/2015:12:35:24 -0500] - import userRoot: Workers finished; cleaning
up...
[07/Aug/2015:12:35:24 -0500] - import userRoot: Workers cleaned up.
[07/Aug/2015:12:35:24 -0500] - import userRoot: Indexing complete.
Post-processing...
[07/Aug/2015:12:35:24 -0500] - import userRoot: Generating numSubordinates
complete.
[07/Aug/2015:12:35:24 -0500] - import userRoot: Flushing caches...
[07/Aug/2015:12:35:24 -0500] - import userRoot: Closing files...
[07/Aug/2015:12:35:24 -0500] - import userRoot: Import complete. Processed
4238 entries (3 were skipped) in 4 seconds. (1059.50 entries/sec)
[2]:
[07/Aug/2015:12:38:48 -0500] NSMMReplicationPlugin - conn=353340 op=3
Relinquishing consumer connection extension
[07/Aug/2015:12:38:49 -0500] - import userRoot: WARNING: Skipping entry
"cn=slurm,ou=Service Groups,dc=brazos,dc=tamu,dc=edu" which has no parent,
ending at line 0 of file "(bulk import)"
[07/Aug/2015:12:38:49 -0500] - import userRoot: WARNING: Skipping entry
"cn=rsv,ou=Service Groups,dc=brazos,dc=tamu,dc=edu" which has no parent,
ending at line 0 of file "(bulk import)"
[07/Aug/2015:12:38:49 -0500] - import userRoot: WARNING: bad entry: ID 20
[07/Aug/2015:12:38:49 -0500] - import userRoot: WARNING: bad entry: ID 22
[07/Aug/2015:12:38:50 -0500] - import userRoot: WARNING: Skipping entry
"nsuniqueid=15ed1e81-b6a411e3-9084dfca-5696e563,cn=backupuser,ou=Service
Groups,dc=brazos,dc=tamu,dc=edu" which has no parent, ending at line 0 of
file "(bulk import)"
[07/Aug/2015:12:38:50 -0500] - import userRoot: WARNING: bad entry: ID 4102
[07/Aug/2015:12:38:52 -0500] NSMMReplicationPlugin - conn=353340 op=4243
Acquired consumer connection extension
[07/Aug/2015:12:38:52 -0500] - import userRoot: Workers finished; cleaning
up...
[07/Aug/2015:12:38:52 -0500] - import userRoot: Workers cleaned up.
[07/Aug/2015:12:38:52 -0500] - import userRoot: Indexing complete.
Post-processing...
[07/Aug/2015:12:38:52 -0500] - import userRoot: Generating numSubordinates
complete.
[07/Aug/2015:12:38:52 -0500] - import userRoot: Flushing caches...
[07/Aug/2015:12:38:52 -0500] - import userRoot: Closing files...
[07/Aug/2015:12:38:53 -0500] - import userRoot: Import complete. Processed
4239 entries (3 were skipped) in 5 seconds. (847.80 entries/sec)
8 years, 4 months
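An added example (not from the poster or the 389 DS project) that reads an error-log excerpt like [1] and [2] above, rejoins the lines the mail client wrapped, lists every entry skipped for having no parent, and checks that list against the count in the "Import complete" line. The function names are assumptions; the sample is taken from excerpt [2] of the post.

```python
import re

STAMP = re.compile(r"^\[\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}\]")
SKIP = re.compile(r'WARNING: Skipping entry "(.+?)" which has no parent')
DONE = re.compile(r"Import complete\.\s+Processed (\d+) entries \((\d+) were skipped\)")

# Lines from excerpt [2] of the post, hard-wrapped as they were mailed.
SAMPLE = '''\
[07/Aug/2015:12:38:49 -0500] - import userRoot: WARNING: Skipping entry
"cn=slurm,ou=Service Groups,dc=brazos,dc=tamu,dc=edu" which has no parent,
ending at line 0 of file "(bulk import)"
[07/Aug/2015:12:38:49 -0500] - import userRoot: WARNING: Skipping entry
"cn=rsv,ou=Service Groups,dc=brazos,dc=tamu,dc=edu" which has no parent,
ending at line 0 of file "(bulk import)"
[07/Aug/2015:12:38:50 -0500] - import userRoot: WARNING: Skipping entry
"nsuniqueid=15ed1e81-b6a411e3-9084dfca-5696e563,cn=backupuser,ou=Service
Groups,dc=brazos,dc=tamu,dc=edu" which has no parent, ending at line 0 of
file "(bulk import)"
[07/Aug/2015:12:38:53 -0500] - import userRoot: Import complete. Processed
4239 entries (3 were skipped) in 5 seconds. (847.80 entries/sec)
'''

def unwrap(text):
    """Rejoin wrapped lines: a new record starts only at a [timestamp]."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def summarize_import(text):
    """Collect skipped DNs and compare them with the reported skip count."""
    skipped, processed, reported = [], None, None
    for rec in unwrap(text):
        m = SKIP.search(rec)
        if m:
            skipped.append(m.group(1))
        m = DONE.search(rec)
        if m:
            processed, reported = int(m.group(1)), int(m.group(2))
    return {
        "skipped": skipped,
        # DNs that start with nsuniqueid=, as in the third warning of [2]
        "nsuniqueid_prefixed": [d for d in skipped
                                if d.lower().startswith("nsuniqueid=")],
        "processed": processed,
        "count_matches": reported == len(skipped),
    }
```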