Problem browsing LDAP with Outlook
by Chris Bryant
When configuring Microsoft Outlook (not Outlook Express) to access an LDAP directory, there is an option to 'Enable Browsing (requires server support)'. If this option is chosen and the directory server supports it, then you should be able to open the LDAP address book and page up and down through the results. I have been unable to get this working properly with 389 DS.
When I try to browse from Outlook against the 389 DS directory, I am able to see the first page of results perfectly. However, if I move to the next page, only the first object returned will have any attributes included, and all of the rest of the objects in the page will have no attributes. I have a test perl script that duplicates this functionality as well.
I can get this to work properly with an older version of Netscape Directory Server, and I can get it working with OpenDS. Since 389 DS advertises support for the controls that are required for this to work, just like the other two servers, then I would expect it to work there also.
Has anyone out there gotten this to work with 389 DS? If so, can you share if there was anything special that you needed to do to get this to work? I'm trying to determine if this is a bug in the server, or if I'm just missing something in the configuration.
Thanks,
Chris
USA.NET
You Run Your Business. We'll Run Your Email.
3 years, 1 month
MemberOf group restrictions to a client system (server and client running CentOS 7)
by Janet Houser
Hi,
I'm new to 389-ds and last week downloaded and installed the software.
I have a running instance of the server, and I've added TLS/SSL. I've configured a CentOS 7 client to be able to query
the server using TLS/SSL, and all appears working.
I've created users and groups on the 389-ds server successfully. For each user and group, I've enabled posix attributes and my client
can see the unix users and groups using the "getent password" or "getent group" commands.
Now, here's where I'm getting tripped up...
I need to limit which users have access to which systems. I've been trying to do this via memberOf group limitations.
I found the following online resource (https://thornelabs.net/2013/01/28/aix-restrict-server-login-via-ldap-grou...)
which is close enough to CentOS that the initial commands worked.
I enabled the MemberOf plugin and changed the attributes per the link, and restarted the system.
I created a test group (that I didn't enable a posix GID) and tried to add a single user via:
Right click on group --> click Properties --> then Members --> click Add --> Search for user --> click Add.
When I try to go this route (which worked before enabling the memberOf plugin) it worked. Now it seems I get the error:
"Cannot save to directory server.
netscape.ldap.LDAPException: error result(65): Object class violation"
And the messages file throws the error (/var/log/dirsrv/slapd-<instancename>/errors):
"Entry "uid=test,ou=People,dc=int,dc=com" -- attribute "memberOf" not allowed
[17/Feb/2016:11:22:58 -0700] memberof-plugin - memberof_postop_modify: failed to add dn (cn=testgroup,ou=Groups,dc=int,dc=com) to target. Error (65)"
So it seems my server isn't quite using the memberOf plugin properly, but I'm not sure what else to enable. I'll have to solve this issue before
I even try to filter login access via groups on my client system.
I should mention that if I go under the advanced tab for one of the groups I created, I can add the attribute "uniquemember", but I'm not sure what I
should set the "value" to be.
I've tried creating new users to see if I could set their "uniquemember" attributes, but no luck. It seems that I don't have the ability to set this attribute
on individual users, only groups.
This might not be the right road to head down when trying to restrict access to servers via groups, so I'm open to any suggestions.
Any suggestions would be appreciated.
3 years, 1 month
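The err=65 in the errors log above is the server's schema check rejecting memberOf on a user entry whose objectClasses allow no such attribute; adding an auxiliary objectClass whose MAY list includes memberOf (389 DS ships inetUser with memberOf in its MAY list) clears it. The following is an added example, not 389 DS code: SCHEMA is a constructed, reduced subset of the shipped schema, and USER is a constructed entry modelled on the uid=test entry from the post.

```python
# Reproduces the "Object class violation" (err=65) decision ns-slapd makes:
# every attribute of an entry must appear in the MUST or MAY list of one of
# its objectClasses (superiors included). Added example, not 389 DS code.
# SCHEMA is a constructed subset; the real definitions are in
# /etc/dirsrv/slapd-<instance>/schema/*.ldif on the server.
SCHEMA = {  # objectClass: (SUP, MUST, MAY)
    "top": (None, {"objectClass"}, set()),
    "person": ("top", {"sn", "cn"}, {"userPassword", "description"}),
    "organizationalPerson": ("person", set(), {"title", "ou"}),
    "inetOrgPerson": ("organizationalPerson", set(), {"uid", "mail"}),
    "posixAccount": ("top", {"cn", "uid", "uidNumber", "gidNumber",
                             "homeDirectory"}, {"loginShell", "gecos"}),
    # auxiliary class whose MAY list carries memberOf in 389 DS's 00core.ldif
    "inetUser": ("top", set(), {"uid", "userPassword", "memberOf"}),
}

def allowed_attributes(object_classes):
    """MUST/MAY attributes over all listed classes and their SUP chains.
    LDAP attribute names are case-insensitive, so keys are lowercased."""
    must, may = {}, {}
    for oc in object_classes:
        while oc is not None:
            sup, m, o = SCHEMA[oc]
            must.update({a.lower(): a for a in m})
            may.update({a.lower(): a for a in o})
            oc = sup
    return must, may

def check_entry(entry):
    """Schema violations, worded like the messages in the errors log."""
    must, may = allowed_attributes(entry["objectClass"])
    present = {a.lower(): a for a in entry}
    problems = [f'attribute "{present[a]}" not allowed'
                for a in sorted(present) if a not in must and a not in may]
    problems += [f'missing required attribute "{must[a]}"'
                 for a in sorted(must) if a not in present]
    return problems

def with_object_class(entry, oc):
    """Copy of entry with one more auxiliary objectClass (the usual fix)."""
    return {**entry, "objectClass": entry["objectClass"] + [oc]}

# Constructed entry modelled on uid=test,ou=People,dc=int,dc=com after the
# memberOf plugin has written memberOf into it.
USER = {
    "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson",
                    "posixAccount"],
    "uid": ["test"], "cn": ["Test User"], "sn": ["User"],
    "uidNumber": ["1001"], "gidNumber": ["1001"],
    "homeDirectory": ["/home/test"],
    "memberOf": ["cn=testgroup,ou=Groups,dc=int,dc=com"],
}
```

Running `check_entry(USER)` reports memberOf as not allowed, and `check_entry(with_object_class(USER, "inetUser"))` returns an empty list.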
ldapsearch doesn't return the userpassword field
by Janet Houser
Hi,
I've been looking through the archives for information, but I haven't stumbled on a solution to my problem.
I'm running ds-389 (389-ds-base-1.3.4.0) on a centos 7 box (CentOS Linux release 7.2.1511). I have a centos OS client configured using SSL/TLS
which queries the LDAP server. Per a previous thread, I configured the memberOf plugin and all seems to be working properly.
I have a php script that will run on the client and change the LDAP password for the user. The problem is, the script looks for the SSHA hash
of the password when an ldapsearch is issued.
However, when I issue a general ldapsearch (anonymously) I don't get the userpassword field. I read in your archives that I might have
to be the "directory manager" user in order to see the hashed password. I've been playing around with the ldapsearch syntax, but I can't
quite get it right.
Anyway, my question is, can I set a flag in 389-ds that will display the hashed userpassword? I think that will solve my problem with the php script returning an error that it can't retrieve the old password.
Thanks,
5 years, 4 months
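The default ACI hides userPassword from anonymous binds on purpose; a password-change script normally needs no access to the stored hash at all, because a bind as the user lets the server do the comparison. For readers who still need to understand what the script is reading, the following added example (not 389 DS code and not the poster's PHP) produces and verifies values in the {SSHA} scheme the post mentions: base64 of the SHA-1 digest of password plus salt, followed by the salt.

```python
# {SSHA} as stored in userPassword:  "{SSHA}" + base64( SHA-1(pw || salt) || salt )
# The salt is whatever follows the 20-byte digest. Added example, not 389 DS
# code; useful for testing a password script against a known hash offline.
import base64
import hashlib
import hmac
import os
from typing import Optional

PREFIX = "{SSHA}"
DIGEST_LEN = 20  # SHA-1 output size in bytes

def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return an {SSHA} value; a random 8-byte salt is used when none is given."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password: str, stored: str) -> bool:
    """True when password matches a stored {SSHA} value. Other schemes and
    malformed values yield False instead of an exception."""
    if not stored.startswith(PREFIX):
        return False
    try:
        raw = base64.b64decode(stored[len(PREFIX):], validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return False
    if len(raw) <= DIGEST_LEN:  # digest with no salt: not a valid SSHA value
        return False
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, candidate)  # constant-time compare
```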
How to disable the HTTP Trace method for the 389 admin console
by dannyboy10177@hotmail.com
Hi
In a security audit it was picked up that the http trace method was enabled on our 389 server for port 9830 which is the port the admin console uses. I have done a check on how to disable this method for a http server and they suggested editing the httpd.conf and adding TraceEnable = off or on older versions something like this on the httpd.conf file.
LoadModule rewrite_module "/usr/local/apache/modules/mod_rewrite.so"
Then add the following as well to your httpd.conf file:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
the file I used to edit these changes was /etc/dirsrv/admin-serv/httpd.conf
Neither of these methods disabled the trace method. Any ideas?
7 years, 7 months
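Two things worth checking before concluding the change had no effect: the Apache directive is written `TraceEnable off` (no `=`), and the admin server has to be restarted (`restart-ds-admin`) before /etc/dirsrv/admin-serv/httpd.conf is re-read. The following added example (not 389 admin-server code; host and port are assumptions, 9830 as in the post) verifies the result: a server with TRACE enabled answers 200 and echoes the request back as message/http, `TraceEnable off` answers 405, and the mod_rewrite [F] rule answers 403. If the admin server is configured for TLS, wrap the socket with ssl before sending.

```python
# Offline-testable check for HTTP TRACE on the 389 admin server port.
# Added example, not 389 code. Constructed responses at the bottom.
import socket

def trace_request(host: str, port: int) -> bytes:
    """Minimal HTTP/1.1 TRACE; Connection: close makes the server end the read."""
    return (f"TRACE / HTTP/1.1\r\nHost: {host}:{port}\r\n"
            "Connection: close\r\n\r\n").encode("ascii")

def interpret_trace_response(raw: bytes) -> str:
    """Classify a raw HTTP response to TRACE: 'enabled' (200 with the request
    echoed back), 'blocked' (403/405/501) or 'unknown'."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split(b" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        return "unknown"
    status = int(parts[1])
    echoed = b"message/http" in head.lower() or body.startswith(b"TRACE ")
    if status == 200 and echoed:
        return "enabled"
    if status in (403, 405, 501):
        return "blocked"
    return "unknown"

def check_trace(host: str, port: int = 9830, timeout: float = 5.0) -> str:
    """Send one TRACE over plain TCP to the admin server and classify the answer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(trace_request(host, port))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return interpret_trace_response(b"".join(chunks))

# Constructed responses: what an unfixed and a fixed admin server would send.
RESPONSE_ENABLED = (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
                    b"TRACE / HTTP/1.1\r\nHost: admin.example.test:9830\r\n\r\n")
RESPONSE_BLOCKED = b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET,HEAD,POST\r\n\r\n"
```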
Certain User not Sync From MS AD
by ozikat
Hi All,
I experienced on 1-2 users not sync into 389DS from MS AD.
Under the subtree there are about 42 users, and 2 users were not able
to sync into 389DS, even though a full sync has been initiated a couple of
times. (SN/FN are filled.)
From the 42 users, I deleted another 5 users; when I initiated a full sync,
the 5 users were synced back to 389DS, but the 2 users still could not be
pulled into 389DS.
I am running "one way sync - fromWindows" sync agreement.
Trying to look at the access/error logs, nothing is mentioned in the logs
while the full sync is being performed.
Anyone experience this before?
P.S.: I manually created the user in 389DS so that PassSync can sync from AD
into 389DS.
--
OzikaT
7 years, 7 months
389 server stops after Ansible "hangs up"
by Joshua J. Kugler
Cross post from the ansible list, to see if anyone here has any clue
Ansible 2.0.0.2
Control host: Ubuntu 14.04
Controlled host: CentOS 6
So, I've been trying to set up FreeIPA on my CentOS. I was getting really
frustrated because right after ipa-server-install completed successfully, and
I ran /etc/init.d/ipa start, subsequent commands failed. I finally realized
that dirsrv (389 LDAP server) was stopping soon after starting.
Thinking there was something odd in the ipa startup, I started IPA, slept for
30 seconds, and then tried to start dirsrv. That reported that dirsrv was
already running...but then it shut down right away. Logging in to the machine
and starting dirsrv was fine. Starting dirsrv via
ssh <host> "/etc/init.d/dirsrv start"
also worked.
So, I put this in my Ansible command:
shell: /etc/init.d/dirsrv start && sleep 30
The logs show dirsrv start. And stay started. As soon as that sleep 30
expires, however, and ansible "hangs up" the server immediately shuts down.
Same if I try:
command: /etc/init.d/dirsrv start && sleep 30
Same problem if I wrap the thing in a "script:" command.
WHAT would be killing a daemon, started by an init.d script, making it shut down
(cleanly, no less) when ansible is done with the command and disconnects? And
the command to start IPA (or just the server, in the case of chasing down the
bug) is followed by other ansible commands for that host, so it's not like
ansible is done with the host when it "hangs up" after the given command.
I am at my wit's end. Does anyone have any ideas how to fix or work around it? I
even tried wrapping the init.d/ipa start in a
screen -d -m
session, but that shuts down right away.
Interestingly enough, if I put this in a script:
#!/bin/bash
screen -d -m /etc/init.d/ipa start /etc/init.d/ipa start
sleep 30
And then pass that to the "screen background" process, even though it has gone
into the background, Ansible won't continue until the script ends and the
screen session terminates...but the dirsrv does stop right away!
So, something truly weird is going on here. Clearly a bug on the dirsrv side,
but a really weird interaction with ansible and its ssh sessions.
Ideas would be greatly appreciated!
j
--
Joshua J. Kugler - Fairbanks, Alaska
Azariah Enterprises - Programming and Website Design
joshua(a)azariah.com - Jabber: pedahzur(a)gmail.com
PGP Key: http://pgp.mit.edu/ ID 0x73B13B6A
7 years, 7 months
"manage certificates" broken in admin console after running setup-ds-admin.pl -u
by Torgersen, Eric A
I am testing upgrading from 1.3.4.0-21.el7_2 to 1.3.4.0-26.el7_2. After the upgrade, I have noticed that "Manage Certificates" no longer works in the admin console. I receive the following error: "NSS shutdown failed: error -8038:unknown."
After doing some additional testing, it appears that just running "setup-ds-admin.pl -u" is sufficient to cause this problem, even without upgrading the 389 packages using yum update. Has anyone else run into this problem?
Thanks,
Eric
Eric Torgersen
Senior Systems Analyst
Information Technology Services
518-250-9725
7 years, 7 months
ldapdelete not successful
by Joel Levin
Odd conundrum - deletion has not been successful on a node with children,
or on the children themselves.
Previously could delete as expected.
Any guidance would be appreciated.
Version: 389-Directory/1.2.11.29 B2014.094.1833 (multi-master: 2 providers, 3 consumers)
Error Log:
[23/Feb/2016:14:13:49 -0800] entryrdn-index - _entryrdn_delete_key: Failed to remove ou=vurs; has children
[23/Feb/2016:14:13:49 -0800] - database index operation failed BAD 1031, err=-1 Unknown error: -1
[23/Feb/2016:14:13:50 -0800] slapi_ldap_bind - Error: could not send bind request for id [cn=replication manager,cn=config] mech [SIMPLE]: error -1 (Can't contact LDAP server) 0 (unknown) 107 (Transport endpoint is not connected)
7 years, 7 months
Schema Extension
by Joel Levin
Hi All:
FYI - adding a new schema file to 389 DS cluster - on 1 of the nodes there
were no problems.
But on another node the following error message arises when DS is started.
All file permissions are fine.
Any thoughts on what could be at play?
Starting dirsrv:
eldap2...[18/Feb/2016:15:30:03 -0800] dse - The configuration file /etc/dirsrv/slapd-eldap2/schema/60edusiscourse.ldif could not be read. Netscape Portable Runtime -5966 (Access Denied.)
[18/Feb/2016:15:30:03 -0800] dse - Please edit the file to correct the reported problems and then restart the server.
Thanks.
7 years, 7 months