Problem browsing LDAP with Outlook
by Chris Bryant
When configuring Microsoft Outlook (not Outlook Express) to access an LDAP directory, there is an option to 'Enable Browsing (requires server support)'. If this option is chosen and the directory server supports it, then you should be able to open the LDAP address book and page up and down through the results. I have been unable to get this working properly with 389 DS.
When I try to browse from Outlook against the 389 DS directory, I am able to see the first page of results perfectly. However, if I move to the next page, only the first object returned will have any attributes included, and all of the rest of the objects in the page will have no attributes. I have a test perl script that duplicates this functionality as well.
I can get this to work properly with an older version of Netscape Directory Server, and I can get it working with OpenDS. Since 389 DS advertises support for the controls that are required for this to work, just like the other two servers, then I would expect it to work there also.
Has anyone out there gotten this to work with 389 DS? If so, can you share if there was anything special that you needed to do to get this to work? I'm trying to determine if this is a bug in the server, or if I'm just missing something in the configuration.
Thanks,
Chris
USA.NET
MemberOf group restrictions to a client system (server and client running CentOS 7)
by Janet Houser
Hi,
I'm new to 389-ds and last week downloaded and installed the software.
I have a running instance of the server, and I've added TLS/SSL. I've configured a CentOS 7 client to be able to query
the server using TLS/SSL, and all appears working.
I've created users and groups on the 389-ds server successfully. For each user and group, I've enabled posix attributes and my client
can see the unix users and groups using the "getent password" or "getent group" commands.
Now, here's where I'm getting tripped up...
I need to limit which users have access to which systems. I've been trying to do this via memberOf group limitations.
I found the following online resource (https://thornelabs.net/2013/01/28/aix-restrict-server-login-via-ldap-grou...)
which is close enough to CentOS that the initial commands worked.
I enabled the MemberOf plugin and changed the attributes per the link, and restarted the system.
I created a test group (that I didn't enable a posix GID) and tried to add a single user via:
Right click on group --> click Properties --> then Members --> click Add --> Search for user --> click Add.
When I try to go this route (which worked before enabling the memberOf plugin) it worked. Now it seems I get the error:
"Cannot save to directory server.
netscape.ldap.LDAPException: error result(65): Object class violation"
And the messages file throws the error (/var/log/dirsrv/slapd-<instancename>/errors):
"Entry "uid=test,ou=People,dc=int,dc=com" -- attribute "memberOf" not allowed
[17/Feb/2016:11:22:58 -0700] memberof-plugin - memberof_postop_modify: failed to add dn (cn=testgroup,ou=Groups,dc=int,dc=com) to target. Error (65)"
So it seems my server isn't quite using the memberOf plugin properly, but I'm not sure what else to enable. I'll have to solve this issue before
I even try to filter login access via groups on my client system.
I should mention that if I go under the advanced tab for one of the groups I created, I can add the attribute "uniquemember", but I'm not sure what I
should set the "value" to be.
I've tried creating new users to see if I could set their "uniquemember" attributes, but no luck. It seems that I don't have the ability to set this attribute
on individual users, only groups.
This might not be the right road to head down when trying to restrict access to servers via groups, so I'm open to any suggestions.
Any suggestions would be appreciated.
ldapsearch doesn't return the userpassword field
by Janet Houser
Hi,
I've been looking through the archives for information, but I haven't stumbled on a solution to my problem.
I'm running ds-389 (389-ds-base-1.3.4.0) on a centos 7 box (CentOS Linux release 7.2.1511). I have a centos OS client configured using SSL/TLS
which queries the LDAP server. Per a previous thread, I configured the memberOf plugin and all seems to be working properly.
I have a php script that will run on the client and change the LDAP password for the user. The problem is, the script looks for the SSHA hash
of the password when an ldapsearch is issued.
However, when I issue a general ldapsearch (anonymously) I don't get the userpassword field. I read in your archives that I might have
to be the "directory manager" user in order to see the hashed password. I've been playing around with the ldapsearch syntax, but I can't
quite get it right.
Anyway, my question is, can I set a flag in 389-ds that will display the hashed userpassword? I think that will solve my problem with the php script returning an error that it can't retrieve the old password.
Thanks,
subtree password policy woes
by Morgan Jones
Hello,
We are configuring password policy in 389 directory. We’re running what I believe is the latest stable version from the EPEL repository on CentOS 6:
[root@devldapm03 ~]# rpm -qa|grep 389
389-admin-1.1.35-1.el6.x86_64
389-console-1.1.7-1.el6.noarch
389-ds-console-doc-1.2.6-1.el6.noarch
389-ds-base-libs-1.2.11.15-72.el6_7.x86_64
389-admin-console-doc-1.1.8-1.el6.noarch
389-ds-base-1.2.11.15-72.el6_7.x86_64
389-adminutil-1.1.19-1.el6.x86_64
389-ds-1.2.2-1.el6.noarch
389-admin-console-1.1.8-1.el6.noarch
389-ds-console-1.2.6-1.el6.noarch
389-dsgw-1.1.11-1.el6.x86_64
[morgan@devldapm03 ~]$ uname -a
Linux devldapm03.philasd.net 2.6.32-573.26.1.el6.x86_64 #1 SMP Wed May 4 00:57:44 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
[morgan@devldapm03 ~]$ cat /etc/redhat-release
CentOS release 6.7 (Final)
[morgan@devldapm03 ~]$
I just did a yum update, rebooted and installed 389 anew.
The password policy works well if configured globally (from the Data node under Configuration)
However when I attempt to create a subtree level policy (Directory->domain->employees, right click Manage Password Policy->for subtree) under ou=employees,dc=domain,dc=org the effect is as if there is no policy. If I subsequently disable the subtree policy I cannot get the global policy to take over. In fact the only way I’ve been able to get the global policy to work is to re-install from scratch.
I also tried command line configuration and was unable to get the policy working at all though I have more confidence of my understanding of the process via the console.
We’ve tried different policy settings but for testing purposes I’m just setting a minimum password length of 8 characters.
Is there something I’m missing?
thanks,
-morgan
389-ds-base-1.3.5.4 doesn't build on Mageia
by Thomas Spuhler
389-ds-base-1.3.5.4 doesn't build on Mageia
Altlinux reported the same problem with 389-ds-base-1.3.5.3
This is the error:
/libslapd_la-ssl.o
ldap/servers/slapd/ssl.c: In function 'svrcore_setup':
ldap/servers/slapd/ssl.c:1291:5: error: unknown type name 'SVRCOREStdSystemdPinObj'
SVRCOREStdSystemdPinObj *StdPinObj;
^
ldap/servers/slapd/ssl.c:1292:18: error: 'SVRCOREStdSystemdPinObj' undeclared (first use in this function)
StdPinObj = (SVRCOREStdSystemdPinObj *)SVRCORE_GetRegisteredPinObj();
See log http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/2016052...
The attached patch makes it build
--
Best regards
Thomas Spuhler
All of my e-mails have a valid digital signature
ID 60114E63
Solaris and 389-ds
by zarko@etcfstab.com
Hi, we've been using 389-ds running on RedHat7; our LDAP clients are many devices and RedHat Linux, and now we want to add Solaris 10/11.
We have a DUAProfile created, and Solaris 11 ldap client initiation was successful with the command:
"ldapclient -v init -a domainname=<example.com> -a profileName=solaris11 <server_ip>".
The command "ldapclient list" shows:
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= <ldap-server>
NS_LDAP_SEARCH_BASEDN= dc=<example>,dc=com
NS_LDAP_SEARCH_SCOPE= sub
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_CACHETTL= 43200
NS_LDAP_PROFILE= solaris11
NS_LDAP_SERVICE_SEARCH_DESC= passwd:l=AMER,dc=<example>,dc=com?sub
NS_LDAP_SERVICE_SEARCH_DESC= shadow:l=AMER,dc=<example>,dc=com?sub
NS_LDAP_SERVICE_SEARCH_DESC= group:ou=Groups,dc=<example>,dc=com?sub
NS_LDAP_BIND_TIME= 10
NS_LDAP_ATTRIBUTEMAP= group:gidnumber=gidNumber
NS_LDAP_ATTRIBUTEMAP= passwd:gidnumber=gidNumber
NS_LDAP_ATTRIBUTEMAP= passwd:uidnumber=uidNumber
NS_LDAP_ATTRIBUTEMAP= passwd:homedirectory=homeDirectory
NS_LDAP_ATTRIBUTEMAP= passwd:loginshell=loginShell
NS_LDAP_ATTRIBUTEMAP= shadow:userpassword=userPassword
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixaccount
NS_LDAP_OBJECTCLASSMAP= group:posixGroup=posixgroup
NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=posixaccount
Some other relevant files' configurations are:
# grep ldap /etc/nsswitch.conf
passwd: files ldap
group: files ldap
netgroup: ldap
automount: files ldap
printers: user files ldap
# cat /etc/pam.d/login
auth requisite pam_authtok_get.so.1 debug
auth required pam_dhkeys.so.1 debug
auth required pam_unix_cred.so.1 debug
#auth binding pam_unix_auth.so.1 server_policy
auth sufficient pam_unix_auth.so.1 server_policy debug
auth required pam_ldap.so.1 debug
# cat /etc/pam.d/other | grep -v ^# | grep -v ^$
auth definitive pam_user_policy.so.1 debug
auth requisite pam_authtok_get.so.1 debug
auth required pam_dhkeys.so.1 debug
auth required pam_unix_cred.so.1 debug
auth sufficient pam_unix_auth.so.1 server_policy debug
auth required pam_ldap.so.1 debug
account requisite pam_roles.so.1
account definitive pam_user_policy.so.1
account required pam_unix_account.so.1
account required pam_tsol_account.so.1
session definitive pam_user_policy.so.1
session required pam_unix_session.so.1
password definitive pam_user_policy.so.1
password include pam_authtok_common
password required pam_authtok_store.so.1
Unfortunately, the LDAP client cannot SSH; the logs are:
sshd[2497]: [ID 293258 auth.warning] libsldap: Status: 50 Mesg: LDAP ERROR (50): Insufficient access.
sshd[2497]: [ID 717705 auth.debug] pam_user_policy: pam_sm_authenticate(flags = 0x1, argc = 1)
sshd[2497]: [ID 771769 auth.debug] pam_user_policy: find_pam_policy: pam_policy = NULL for user 'zare'
sshd[2497]: [ID 634615 auth.debug] pam_authtok_get:pam_sm_authenticate: flags = 1
sshd[2497]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
sshd[2497]: [ID 285619 auth.debug] ldap pam_sm_authenticate(sshd-kbdint zare), flags = 1
sshd[2497]: [ID 316739 auth.error] pam_ldap: no legal authentication method configured
sshd[2497]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[9] while authenticating: Authentication failed
sshd[2497]: [ID 800047 auth.notice] Failed keyboard-interactive for zdudic from 10.211.55.1 port 52876 ssh2
sshd[2497]: [ID 717705 auth.debug] pam_user_policy: pam_sm_authenticate(flags = 0x1, argc = 1)
sshd[2497]: [ID 771769 auth.debug] pam_user_policy: find_pam_policy: pam_policy = NULL for user 'zare'
sshd[2497]: [ID 634615 auth.debug] pam_authtok_get:pam_sm_authenticate: flags = 1
Any help is appreciated, thanks.
Fwd: Re: audio problems
by gil
-------- Forwarded Message --------
Subject: Re: audio problems
Date: Mon, 23 May 2016 10:14:00 +0200
From: gil <puntogil(a)libero.it>
Reply-To: Development discussions related to Fedora
<devel(a)lists.fedoraproject.org>
To: devel(a)lists.fedoraproject.org
On 23/05/2016 09:41, Samuel Sieb wrote:
> On 05/22/2016 03:06 AM, gil wrote:
>> Internal Audio Stereo analogic
>>
>> GK208 HDMI/DP Audio Controller Digital stereo
>>
> Is the internal audio output and not the HDMI selected?
>
sorry, what do you mean?
"GK208 HDMI/DP Audio Controller Digital stereo" is the audio device in
my video card
04:00.1 Audio device: NVIDIA Corporation GK208 HDMI/DP Audio Controller
(rev a1)
Subsystem: ASUSTeK Computer Inc. Device 8576
Kernel driver in use: snd_hda_intel
Kernel modules: snd_hda_intel
and I must use the
00:14.2 Audio device: Advanced Micro Devices, Inc. [AMD/ATI] SBx00
Azalia (Intel HDA) (rev 40)
Subsystem: ASRock Incorporation Device 0892
Kernel driver in use: snd_hda_intel
Kernel modules: snd_hda_intel
but it is not listed in the KDE control panel ...
>> aplay -l
>> **** List of PLAYBACK Hardware Devices ****
>> card 0: SB [HDA ATI SB], device 0: ALC892 Analog [ALC892 Analog]
>> Subdevices: 1/1
>> Subdevice #0: subdevice #0
>
> This shows that alsa knows about your hardware.
>
> Run alsamixer in a terminal. You should get a single volume control
> for the pulseaudio output. Make sure that it is up and not muted.
> Press F6 to select a different device and select 0, your HDA device.
> Check that the volume controls and switches are set correctly.
> Normally, pulseaudio should manage it, but this gives you a chance to
> verify and test.
> --
already done, but it doesn't solve anything
thanks
best
.g
--
devel mailing list
devel(a)lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org
Solaris 11 fails to find DUAProfile
by Ž D
Hi there, I have 389ds 1.3.4.0-26 running on OL7 and it looks good with
RedHat and its clone clients.
But I am having an issue initializing Solaris 11. The 389ds came with
60nis.ldif and 60rfc4876.ldif and I have imported them successfully; I
believe the searches below show this.
# ldapsearch -h <ldapserver> -b "dc=domain,dc=com" -s sub
"objectclass=duaconfigprofile"
version: 1
dn: cn=solaris11,ou=Profile,dc=domain,dc=com
serviceSearchDescriptor: passwd:l=AMER,dc=domain,dc=com?sub
serviceSearchDescriptor: shadow:l=AMER,dc=domain,dc=com?sub
serviceSearchDescriptor: group:ou=Groups,dc=domain,dc=com?sub
defaultSearchScope: sub
defaultSearchBase: dc=domain,dc=com
defaultServerList: ldapserver.domain.com
cn: solaris11
objectClass: top
objectClass: duaconfigprofile
# ldapsearch -h ca-ldap01 -b "dc=domain,dc=com" -s sub
"objectclass=nisdomainobject"
version: 1
dn: nisdomain=us.domain.com,dc=domain,dc=com
nisDomain: us.domain.com
objectClass: top
objectClass: nisdomainobject
And the next step is failing.
# ldapclient -v init -a profileName=solaris11 10.x.x.x
Parsing profileName=solaris11
Arguments parsed:
profileName: solaris11
defaultServerList: 10.x.x.x
Handling init option
About to configure machine by downloading a profile
Can not find the solaris11 DUAProfile
Please let me know if someone has any feedback or any additional
information is needed, thanks in advance.
--
Thanks,
Zarko
x-forwarded-for
by Robert Viduya
We run a cluster of directory servers (4 masters, 2 hubs, 14 slaves) behind a set of F5 Bigip load balancers. Our Bigip admins recently decided to switch the boxes to "one-armed" mode and that services would have to use X-Forwarded-For headers or equivalent to get the actual client IP address. Obviously, LDAP has no equivalent.
So, I've hacked something together and I'm posting it looking for feedback. If the stuff is actually usable for other folks, that's good too.
On the load balancer side, the code is specifically for the F5 Bigips. But if other load balancers have similar abilities to trigger on events and can insert binary data into the datastream, it should be adaptable.
Essentially what I've done is defined a new LDAP Extended Operation with a payload that's a string containing the source IP address of the incoming connection. The load balancer sends this LDAP operation as soon as it opens a connection to the LDAP server, before any other traffic gets sent. On the directory server side, I've written an Extended Operation plugin that then logs the string. All we need is logging, so that's good enough for us. There's room for improvement there though, like making the address available for IP based ACLs (which we don't use).
In order to insert an LDAP operation into the stream, the code on the load balancer needs to choose an LDAP message-id that hopefully the real client isn't going to use. Going on the assumption that the client will start at 0 and increment up, I had the code insert a message-id of 0x70000000. I initially thought I'd have to have the code on the load balancer look for the response message and throw it away so the client doesn't see it, but I've found that the clients just seem to ignore it with no ill effects, so I haven't bothered filtering the response out. The less the code on the load balancer does, the better.
There's a possibility that the client could send its own xff extended operation, but since the load balancer always sends first, we can just ignore any subsequent log entries.
On the directory server plugin side, I needed to be able to log this to the access log, not to the error log. The slapi_log_access function isn't declared in the plugin header file, so I had to declare it manually.
Here's what our log entries look like now, for both 636 (SSL) and 389 (cleartext before starttls):
[17/May/2016:15:34:22 -0400] conn=230843 fd=156 slot=156 SSL connection from 130.207.167.12 to 130.207.183.16
[17/May/2016:15:34:22 -0400] conn=230843 op=0 EXT oid="1.3.6.1.4.1.636.2.11.11.1" name="forwarded-for extended op"
[17/May/2016:15:34:22 -0400] conn=230843 op=0 forwarded for 130.207.167.12
[17/May/2016:15:34:22 -0400] conn=230843 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[17/May/2016:15:34:22 -0400] conn=230844 fd=156 slot=156 connection from 130.207.167.12 to 130.207.183.16
[17/May/2016:15:34:22 -0400] conn=230844 op=0 EXT oid="1.3.6.1.4.1.636.2.11.11.1" name="forwarded-for extended op"
[17/May/2016:15:34:22 -0400] conn=230844 op=0 forwarded for 130.207.167.12
[17/May/2016:15:34:22 -0400] conn=230844 op=0 RESULT err=0 tag=120 nentries=0 etime=0
We haven't switched our Bigips yet, so the "connection from" line still shows the actual client IP address.
F5 Bigip code fragments are called "irules" and are written in TCL. The tar file below contains two different irule files, one for cleartext streams and one for SSL streams. By SSL streams, I mean where SSL connections from the client are terminated at the load balancer and then re-SSLed to the ldap server. Sorry, I'm not writing the other kind.
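As an added example (not code from the post, its irules or its plugin), the following Python script consumes access-log lines in the format shown above and resolves the real client address per connection, trusting only the first "forwarded for" entry on each connection and flagging any later one, which is the case the post says to ignore. The first connection's lines are the post's own; the second connection, its addresses and the BIND line are constructed for the example.

```python
import re

# Constructed sample in the post's log format: conn=230843 copies the post's own
# lines; conn=230845 is invented to show a client later sending its own
# forwarded-for extended op (the case the post says to ignore).
SAMPLE_LOG = """\
[17/May/2016:15:34:22 -0400] conn=230843 fd=156 slot=156 SSL connection from 130.207.167.12 to 130.207.183.16
[17/May/2016:15:34:22 -0400] conn=230843 op=0 EXT oid="1.3.6.1.4.1.636.2.11.11.1" name="forwarded-for extended op"
[17/May/2016:15:34:22 -0400] conn=230843 op=0 forwarded for 130.207.167.12
[17/May/2016:15:34:22 -0400] conn=230843 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[17/May/2016:15:34:23 -0400] conn=230845 fd=157 slot=157 connection from 10.0.0.5 to 130.207.183.16
[17/May/2016:15:34:23 -0400] conn=230845 op=0 EXT oid="1.3.6.1.4.1.636.2.11.11.1" name="forwarded-for extended op"
[17/May/2016:15:34:23 -0400] conn=230845 op=0 forwarded for 192.0.2.10
[17/May/2016:15:34:23 -0400] conn=230845 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[17/May/2016:15:34:24 -0400] conn=230845 op=1 EXT oid="1.3.6.1.4.1.636.2.11.11.1" name="forwarded-for extended op"
[17/May/2016:15:34:24 -0400] conn=230845 op=1 forwarded for 203.0.113.9
[17/May/2016:15:34:24 -0400] conn=230845 op=1 RESULT err=0 tag=120 nentries=0 etime=0
[17/May/2016:15:34:25 -0400] conn=230845 op=2 BIND dn="uid=jdoe,ou=People,dc=example,dc=com" method=128 version=3
"""

CONN_RE = re.compile(r"conn=(\d+) fd=\d+ slot=\d+ (SSL )?connection from (\S+) to (\S+)")
XFF_RE = re.compile(r"conn=(\d+) op=\d+ forwarded for (\S+)")
ANY_CONN_RE = re.compile(r"conn=(\d+)")


def correlate(log_text):
    """Map conn id -> {ssl, peer, client, extra}. Only the first 'forwarded for'
    on a connection is trusted (the load balancer sends it before any client
    bytes); later ones can only come from the client and are kept in 'extra'."""
    conns = {}
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            conns[m.group(1)] = {"ssl": m.group(2) is not None, "peer": m.group(3),
                                 "client": None, "extra": []}
            continue
        m = XFF_RE.search(line)
        if m and m.group(1) in conns:
            rec = conns[m.group(1)]
            if rec["client"] is None:
                rec["client"] = m.group(2)
            else:
                rec["extra"].append(m.group(2))  # client-sent xff: alert on it, never use it
    return conns


def client_ip(conns, conn_id):
    """Forwarded address if the load balancer supplied one, else the TCP peer."""
    rec = conns.get(conn_id)
    return None if rec is None else (rec["client"] or rec["peer"])


def suspicious_conns(conns):
    """Connections on which more than one forwarded-for op was logged."""
    return sorted(c for c, r in conns.items() if r["extra"])


def annotate(log_text):
    """Append client=<ip> to every line carrying a conn id, e.g. for SIEM ingest."""
    conns = correlate(log_text)
    out = []
    for line in log_text.splitlines():
        m = ANY_CONN_RE.search(line)
        out.append(f"{line} client={client_ip(conns, m.group(1))}" if m else line)
    return out
```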