Problem browsing LDAP with Outlook
by Chris Bryant
When configuring Microsoft Outlook (not Outlook Express) to access an LDAP directory, there is an option to 'Enable Browsing (requires server support)'. If this option is chosen and the directory server supports it, then you should be able to open the LDAP address book and page up and down through the results. I have been unable to get this working properly with 389 DS.
When I try to browse from Outlook against the 389 DS directory, I am able to see the first page of results perfectly. However, if I move to the next page, only the first object returned will have any attributes included, and all of the rest of the objects in the page will have no attributes. I have a test perl script that duplicates this functionality as well.
I can get this to work properly with an older version of Netscape Directory Server, and I can get it working with OpenDS. Since 389 DS advertises support for the controls that are required for this to work, just like the other two servers, then I would expect it to work there also.
Has anyone out there gotten this to work with 389 DS? If so, can you share if there was anything special that you needed to do to get this to work? I'm trying to determine if this is a bug in the server, or if I'm just missing something in the configuration.
Thanks,
Chris
USA.NET
You Run Your Business. We'll Run Your Email.
This message is for the sole use of the intended recipient(s) and may contain confidential and/or privileged information of USA.NET, Inc. Any unauthorized review, use, copying, disclosure, or distribution is prohibited. If you are not the intended recipient, please immediately contact the sender by reply email and delete all copies of the original message.
3 years, 1 month
MemberOf group restrictions to a client system (server and client running CentOS 7)
by Janet Houser
Hi,
I'm new to 389-ds and last week downloaded and installed the software.
I have a running instance of the server, and I've added TLS/SSL. I've configured a CentOS 7 client to be able to query
the server using TLS/SSL, and all appears working.
I've created users and groups on the 389-ds server successfully. For each user and group, I've enabled posix attributes and my client
can see the unix users and groups using the "getent password" or "getent group" commands.
Now, here's where I'm getting tripped up..........
I need to limit which users have access to which systems. I've been trying to do this via memberOf group limitations.
I found the following online resource (https://thornelabs.net/2013/01/28/aix-restrict-server-login-via-ldap-grou...)
which is close enough to CentOS that the initial commands worked.
I enabled the MemberOf plugin and changed the attributes per the link, and restarted the system.
I created a test group (that I didn't enable a posix GID) and tried to add a single user via:
Right click on group -- > click Properties --> then Members --> click Add --> Search for user --> click Add.
When I try to go this route (which worked before enabling the memberOf plugin) it worked. Now it seems I get the error:
"Cannot save to directory server.
netscape.ldap.LDAPException: error resiult(65): Object class violation"
And the messages file throws the error (/var/log/dirsrv/slapd-<instancename>/errors:
"Entry "uid=test,ou=People,dc=int,dc=com" -- attribute "memberOf" not allowed
[17/Feb/2016:11:22:58 -0700] memberof-plugin - memberof_postop_modify: failed to add dn (cn=testgroup,ou=Groups,dc=int,dc=com) to target. Error (65)"
So it seems my server isn't quite using the memberOf plugin properly, but I'm not sure what else to enable. I'll have to solve this issue before
I even try to filter login access via groups on my client system.
I should mention that if I go under the advanced tab for one of the groups I created, I can add the the attribute "uniquemember", but I'm not sure what I
should set the "value" to be.
I've tried creating new users to see if I could set their "uniquemember" attributes, but no luck. It seems that I don't have the ability to set this attribute
on individual users, only groups.
This might not be the right road to head down when trying to restrict access to servers via groups, so I'm open to any suggestions.
Any suggestions would be appreciated.
3 years, 1 month
ldapsearch doesn't return the userpassword field
by Janet Houser
Hi,
I've been looking through the archives for information, but I haven't stumbled on a solution to my problem.
I'm running ds-389 (389-ds-base-1.3.4.0) on a centos 7 box (CentOS Linux release 7.2.1511). I have a centos OS client configured using SSL/TLS
which queries the LDAP server. Per a previous thread, I configured the memeberOf plugin and all seems to be working properly.
I have a php script that will run on the client and change the LDAP password for the user. The problem is, the script looks for the SSHA has
of the password when an ldapsearch is issued.
However, when I issue a general ldapsearch (anonymously) I don't get the userpassword field. I read in your archives that I might have
to be the "directory manager" user in order to see the hashed password. I've been playing around with the ldapsearch syntax, but I can't
quite get it right.
Anyway, my question is, can I set a flag in 389-ds that will display the hashed userpassword? I think that will solve my problem with the php script returning an error that it can't retrieve the old password.
Thanks,
5 years, 4 months
Inadvertent Update Applied to Directory Server
by Paul Whitney
We have a few new servers deployed with 389-ds-base version 1.3.5.10-21. These servers were deployed in an environment where auto-patching happens and we forgot to disable that feature.
Overnight the servers were updated to 389-ds-base version 1.3.6.1-19. All of the upgraded servers are now in a bad state. We have tried multiple ways to reinitialize them but cannot seem to get the servers to work again. We do see in the logs when they d startup "Abnormal shutdown detected, rebuilding database". But then the server stays in that state and does nothing that I can tell other than touch the timestamp on the __DB files.
Are versions 1.3.5.10-21 and 1.3.6.1-19 not compatible? Can anyone suggest a way to reinit these servers without having to rebuild them?
Reinit has been attempted by doing the following methods:
- Console reinit. (Failed, cannot connect to server)
- Export replica for the server. (Import successful, however gets into the "rebuild database" state.
- Copied the entire instance (/var/lib/dirsrv/slapd-myinstance) and restart. Same state as the one above.
Paul M. Whitney
E-mail: paul.whitney(a)mac.com
Cell: 410.493.9448
Sent from my browser.
5 years, 10 months
Last Successful Replication Time Stamp on Console
by Paul Whitney
We are seeing an issue with our replication agreements on 389DS. When we look at the Console, we used to be able to tell when was the last successful attempt to replicate and end of said replication. Same thing for Initialization state.
With the new 389DS (currently using version 1.3.5.10-21), the time stamps always revert back to "Wed, Dec 31, 19:00:00 EST 1969". So we have no quick way of discerning when the last successful replication or initialization occurred. Is this a feature or a bug/nuisance?
Paul M. Whitney
E-mail: paul.whitney(a)mac.com
Sent from my browser.
5 years, 10 months
performance tuning
by Sergei Gerasenko
Hi,
I’ve been trying to estimate how optimal our settings are. I’ve read about the cn=monitor section and I see that there are several paths that have cn=monitor:
dn: cn=monitor,cn=ldbm database,cn=plugins,cn=config
dn: cn=monitor,cn=changelog,cn=ldbm database,cn=plugins,cn=config
dn: cn=monitor,cn=ipaca,cn=ldbm database,cn=plugins,cn=config
dn: cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
First question, what’s the difference between them?
Here’s the output of ldapsearch for the 1st and 4th variants. Does anybody see something abnormal?
------------------------------------------------------------------------------------------------
# => 'cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config’
------------------------------------------------------------------------------------------------
dn: cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn: monitor
objectClass: top
objectClass: extensibleObject
database: ldbm database
readonly: 0
entrycachehits: 176959465
entrycachetries: 262445216
entrycachehitratio: 67
currententrycachesize: 10479044
maxentrycachesize: 10485760
currententrycachecount: 1409
maxentrycachecount: -1
dncachehits: 80627325
dncachetries: 80647850
dncachehitratio: 99
currentdncachesize: 1013607
maxdncachesize: 10485760
currentdncachecount: 9375
maxdncachecount: -1
normalizeddncachetries: 634018073
normalizeddncachehits: 633931903
normalizeddncachemisses: 86170
normalizeddncachehitratio: 99
currentnormalizeddncachesize: 19244372
maxnormalizeddncachesize: 20971520
currentnormalizeddncachecount: 86170
dbfilename-0: userRoot/nsds5ReplConflict.db
dbfilecachehit-0: 0
dbfilecachemiss-0: 3
dbfilepagein-0: 3
dbfilepageout-0: 0
dbfilename-1: userRoot/memberOf.db
dbfilecachehit-1: 188045
dbfilecachemiss-1: 4684
dbfilepagein-1: 4684
dbfilepageout-1: 1325
dbfilename-4: userRoot/cn.db
dbfilecachehit-4: 234345675
dbfilecachemiss-4: 69406
dbfilepagein-4: 69406
dbfilepageout-4: 6967
dbfilename-7: userRoot/numsubordinates.db
dbfilecachehit-7: 64
dbfilecachemiss-7: 143
dbfilepagein-7: 143
dbfilepageout-7: 148
dbfilename-8: userRoot/uid.db
dbfilecachehit-8: 23978617
dbfilecachemiss-8: 15927
dbfilepagein-8: 15927
dbfilepageout-8: 38
dbfilename-9: userRoot/fqdn.db
dbfilecachehit-9: 1719355
dbfilecachemiss-9: 187947
dbfilepagein-9: 187947
dbfilepageout-9: 440
dbfilename-10: userRoot/memberallowcmd.db
dbfilecachehit-10: 1615
dbfilecachemiss-10: 492
dbfilepagein-10: 492
dbfilepageout-10: 0
dbfilename-11: userRoot/krbPrincipalName.db
dbfilecachehit-11: 25458823
dbfilecachemiss-11: 484795
dbfilepagein-11: 484789
dbfilepageout-11: 9526
dbfilename-12: userRoot/member.db
dbfilecachehit-12: 114136
dbfilecachemiss-12: 13041
dbfilepagein-12: 13041
dbfilepageout-12: 11865
dbfilename-13: userRoot/memberUser.db
dbfilecachehit-13: 27275
dbfilecachemiss-13: 849
dbfilepagein-13: 849
dbfilepageout-13: 306
dbfilename-14: userRoot/nsuniqueid.db
dbfilecachehit-14: 95501
dbfilecachemiss-14: 11980
dbfilepagein-14: 11980
dbfilepageout-14: 181
dbfilename-16: userRoot/mail.db
dbfilecachehit-16: 196
dbfilecachemiss-16: 209
dbfilepagein-16: 209
dbfilepageout-16: 203
dbfilename-17: userRoot/parentid.db
dbfilecachehit-17: 14494
dbfilecachemiss-17: 2956
dbfilepagein-17: 2956
dbfilepageout-17: 432
dbfilename-19: userRoot/givenName.db
dbfilecachehit-19: 42
dbfilecachemiss-19: 44
dbfilepagein-19: 44
dbfilepageout-19: 38
dbfilename-20: userRoot/uidnumber.db
dbfilecachehit-20: 711150
dbfilecachemiss-20: 12493
dbfilepagein-20: 12493
dbfilepageout-20: 5
dbfilename-21: userRoot/ipauniqueid.db
dbfilecachehit-21: 38595230
dbfilecachemiss-21: 406501
dbfilepagein-21: 406501
dbfilepageout-21: 169
dbfilename-22: userRoot/ipasudorunasgroup.db
dbfilecachehit-22: 812
dbfilecachemiss-22: 242
dbfilepagein-22: 242
dbfilepageout-22: 0
dbfilename-23: userRoot/objectclass.db
dbfilecachehit-23: 1027902225
dbfilecachemiss-23: 49163
dbfilepagein-23: 49163
dbfilepageout-23: 3332
dbfilename-24: userRoot/memberdenycmd.db
dbfilecachehit-24: 803
dbfilecachemiss-24: 251
dbfilepagein-24: 251
dbfilepageout-24: 0
dbfilename-25: userRoot/ipakrbprincipalalias.db
dbfilecachehit-25: 7957213
dbfilecachemiss-25: 226
dbfilepagein-25: 226
dbfilepageout-25: 0
dbfilename-29: userRoot/id2entry.db
dbfilecachehit-29: 255566500
dbfilecachemiss-29: 9612037
dbfilepagein-29: 9612016
dbfilepageout-29: 54967
dbfilename-30: userRoot/ancestorid.db
dbfilecachehit-30: 21700375
dbfilecachemiss-30: 78004
dbfilepagein-30: 78004
dbfilepageout-30: 1112
dbfilename-31: userRoot/aci.db
dbfilecachehit-31: 1
dbfilecachemiss-31: 2
dbfilepagein-31: 2
dbfilepageout-31: 0
dbfilename-32: userRoot/ipasudorunas.db
dbfilecachehit-32: 1875
dbfilecachemiss-32: 512
dbfilepagein-32: 512
dbfilepageout-32: 18
dbfilename-33: userRoot/nscpEntryDN.db
dbfilecachehit-33: 61
dbfilecachemiss-33: 68
dbfilepagein-33: 68
dbfilepageout-33: 69
dbfilename-35: userRoot/sn.db
dbfilecachehit-35: 46
dbfilecachemiss-35: 52
dbfilepagein-35: 52
dbfilepageout-35: 46
dbfilename-36: userRoot/displayname.db
dbfilecachehit-36: 95
dbfilecachemiss-36: 64
dbfilepagein-36: 64
dbfilepageout-36: 60
dbfilename-37: userRoot/userCertificate.db
dbfilecachehit-37: 280
dbfilecachemiss-37: 183
dbfilepagein-37: 183
dbfilepageout-37: 109
dbfilename-38: userRoot/entryusn.db
dbfilecachehit-38: 336424258
dbfilecachemiss-38: 39046
dbfilepagein-38: 39046
dbfilepageout-38: 10837
dbfilename-40: userRoot/krbCanonicalName.db
dbfilecachehit-40: 17974
dbfilecachemiss-40: 8484
dbfilepagein-40: 8484
dbfilepageout-40: 7703
dbfilename-41: userRoot/managedby.db
dbfilecachehit-41: 48870
dbfilecachemiss-41: 19625
dbfilepagein-41: 19625
dbfilepageout-41: 17508
dbfilename-42: userRoot/nsTombstoneCSN.db
dbfilecachehit-42: 62
dbfilecachemiss-42: 66
dbfilepagein-42: 66
dbfilepageout-42: 68
dbfilename-43: userRoot/gidnumber.db
dbfilecachehit-43: 2932108
dbfilecachemiss-43: 6784
dbfilepagein-43: 6784
dbfilepageout-43: 6
dbfilename-44: userRoot/entryrdn.db
dbfilecachehit-44: 44453058
dbfilecachemiss-44: 176393
dbfilepagein-44: 176393
dbfilepageout-44: 1009
dbfilename-46: userRoot/memberservice.db
dbfilecachehit-46: 485
dbfilecachemiss-46: 48
dbfilepagein-46: 48
dbfilepageout-46: 44
dbfilename-47: userRoot/memberHost.db
dbfilecachehit-47: 98612
dbfilecachemiss-47: 8592
dbfilepagein-47: 8592
dbfilepageout-47: 1795
------------------------------------------------------------------------------------
# => 'cn=monitor,cn=ldbm database,cn=plugins,cn=config’
------------------------------------------------------------------------------------
dn: cn=monitor,cn=ldbm database,cn=plugins,cn=config
cn: monitor
objectClass: top
objectClass: extensibleObject
database: ldbm database
dbcachehits: 2301984153
dbcachetries: 2314592529
dbcachehitratio: 99
dbcachepagein: 12608350
dbcachepageout: 426726
dbcacheroevict: 12463454
dbcacherwevict: 145594
5 years, 10 months
Announcing 389 Directory Server 1.3.7.8
by Mark Reynolds
389 Directory Server 1.3.7.8
The 389 Directory Server team is proud to announce 389-ds-base
version 1.3.7.8
Fedora packages are available on Fedora 27.
https://koji.fedoraproject.org/koji/taskinfo?taskID=23264039
<https://koji.fedoraproject.org/koji/taskinfo?taskID=23264039>
https://bodhi.fedoraproject.org/updates/FEDORA-2017-ab83b12bb0
<https://bodhi.fedoraproject.org/updates/FEDORA-2017-ab83b12bb0>
The new packages and versions are:
* 389-ds-base-1.3.7.8-1
Source tarballs are available for download at Download
389-ds-base Source
<https://releases.pagure.org/389-ds-base/389-ds-base-1.3.7.8.tar.bz2>
Highlights in 1.3.7.8
* Bug fixes
Installation and Upgrade
See Download <http://www.port389.org/docs/389ds/download.html> for
information about setting up your yum repositories.
To install, use *yum install 389-ds* yum install 389-ds After install
completes, run *setup-ds-admin.pl* if you have 389-admin installed,
otherwise please run *setup-ds.pl* to set up your directory server.
To upgrade, use *yum upgrade* yum upgrade After upgrade completes, run
*setup-ds-admin.pl -u* if you have 389-admin installed, otherwise please
run *setup-ds.pl* to update your directory server/admin
server/console information.
See Install_Guide
<http://www.port389.org/docs/389ds/legacy/install-guide.html> for more
information about the initial installation, setup, and upgrade
See Source <http://www.port389.org/docs/389ds/development/source.html>
for information about source tarballs and SCM (git) access.
Feedback
We are very interested in your feedback!
Please provide feedback and comments to the 389-users mailing list:
https://lists.fedoraproject.org/admin/lists/389-users.lists.fedoraproject...
If you find a bug, or would like to see a new feature, file it in our
Pagure project: https://pagure.io/389-ds-base
* Bump version to 1.3.7.8
* Ticket 49298 - fix complier warn
* Ticket 49298 - Correct error codes with config restore.
* Ticket 49435 - Fix NS race condition on loaded test systems
* Ticket 49454 - SSL Client Authentication breaks in FIPS mode
* Ticket 49410 - opened connection can remain no longer poll, like hanging
* Ticket 48118 - fix compiler warning for incorrect return type
* Ticket 49443 - scope one searches in 1.3.7 give incorrect results
* Ticket 48118 - At startup, changelog can be erronously rebuilt after
a normal shutdown
* Ticket 49377 - Incoming BER too large with TLS on plain port
* Ticket 49441 - Import crashes with large indexed binary attributes
5 years, 10 months
Announcing 389 Directory Server 1.4.0.3
by Mark Reynolds
389 Directory Server 1.4.0.3
The 389 Directory Server team is proud to announce 389-ds-base
version 1.4.0.3
Fedora packages are available on Fedora 28(rawhide).
https://koji.fedoraproject.org/koji/taskinfo?taskID=23262737
<https://koji.fedoraproject.org/koji/taskinfo?taskID=23262737>
The new packages and versions are:
* 389-ds-base-1.4.0.3-1
Source tarballs are available for download at Download
389-ds-base Source
<https://releases.pagure.org/389-ds-base/389-ds-base-1.4.0.3.tar.bz2>
Highlights in 1.4.0.3
* Version change
Installation and Upgrade
See Download <http://www.port389.org/docs/389ds/download.html> for
information about setting up your yum repositories.
To install, use *yum install 389-ds* yum install 389-ds After install
completes, run *setup-ds-admin.pl* if you have 389-admin installed,
otherwise please run *setup-ds.pl* to set up your directory server.
To upgrade, use *yum upgrade* yum upgrade After upgrade completes, run
*setup-ds-admin.pl -u* if you have 389-admin installed, otherwise please
run *setup-ds.pl* to update your directory server/admin
server/console information.
See Install_Guide
<http://www.port389.org/docs/389ds/legacy/install-guide.html> for more
information about the initial installation, setup, and upgrade
See Source <http://www.port389.org/docs/389ds/development/source.html>
for information about source tarballs and SCM (git) access.
Feedback
We are very interested in your feedback!
Please provide feedback and comments to the 389-users mailing list:
https://lists.fedoraproject.org/admin/lists/389-users.lists.fedoraproject...
If you find a bug, or would like to see a new feature, file it in our
Pagure project: https://pagure.io/389-ds-base
* Bump version to 1.4.0.3
* Ticket 49457 - Fix spal_meminfo_get function prototype
* Ticket 49455 - Add tests to monitor test suit.
* Ticket 49448 - dynamic default pw scheme based on environment.
* Ticket 49298 - fix complier warn
* Ticket 49298 - Correct error codes with config restore.
* Ticket 49454 - SSL Client Authentication breaks in FIPS mode
* Ticket 49453 - passwd.py to use pwdhash defaults.
* Ticket 49427 - whitespace in fedse.c
* Ticket 49410 - opened connection can remain no longer poll, like hanging
* Ticket 48118 - fix compiler warning for incorrect return type
* Ticket 49451 - Add environment markers to lib389 dependencies
* Ticket 49325 - Proof of concept rust tqueue in sds
* Ticket 49443 - scope one searches in 1.3.7 give incorrect results
* Ticket 48118 - At startup, changelog can be erronously rebuilt after
a normal shutdown
* Ticket 49412 - SIGSEV when setting invalid changelog config value
* Ticket 49441 - Import crashes - oneline fix
* Ticket 49377 - Incoming BER too large with TLS on plain port
* Ticket 49441 - Import crashes with large indexed binary attributes
* Ticket 49435 - Fix NS race condition on loaded test systems
* Ticket 77 - lib389 - Refactor docstrings in rST format - part 2
* Ticket 17 - lib389 - dsremove support
* Ticket 3 - lib389 - python 3 compat for paged results test
* Ticket 3 - lib389 - Python 3 support for memberof plugin test suit
* Ticket 3 - lib389 - config test
* Ticket 3 - lib389 - python 3 support ds_logs tests
* Ticket 3 - lib389 - python 3 support for betxn test
5 years, 10 months
Announcing 389 Directory Server 1.3.6.12
by Mark Reynolds
389 Directory Server 1.3.6.12
The 389 Directory Server team is proud to announce 389-ds-base
version 1.3.6.12
Fedora packages are available from the Fedora 26.
https://koji.fedoraproject.org/koji/taskinfo?taskID=23264569
<https://koji.fedoraproject.org/koji/taskinfo?taskID=23264569>
https://bodhi.fedoraproject.org/updates/FEDORA-2017-b3a6321ce3
<https://bodhi.fedoraproject.org/updates/FEDORA-2017-b3a6321ce3>
The new packages and versions are:
* 389-ds-base-1.3.6.12-1 Fedora 26
Source tarballs are available for download at Download
389-ds-base Source
<https://releases.pagure.org/389-ds-base/389-ds-base-1.3.6.12.tar.bz2>
Highlights in 1.3.6.12
* Bug fix
Installation and Upgrade
See Download <http://www.port389.org/docs/389ds/download.html> for
information about setting up your yum repositories.
To install, use *yum install 389-ds* yum install 389-ds After install
completes, run *setup-ds-admin.pl* if you have 389-admin installed,
otherwise please run *setup-ds.pl* to set up your directory server.
To upgrade, use *yum upgrade* yum upgrade After upgrade completes, run
*setup-ds-admin.pl -u* if you have 389-admin installed, otherwise please
run *setup-ds.pl* to update your directory server/admin
server/console information.
See Install_Guide
<http://www.port389.org/docs/389ds/legacy/install-guide.html> for more
information about the initial installation, setup, and upgrade
See Source <http://www.port389.org/docs/389ds/development/source.html>
for information about source tarballs and SCM (git) access.
Feedback
We are very interested in your feedback!
Please provide feedback and comments to the 389-users mailing list:
https://lists.fedoraproject.org/admin/lists/389-users.lists.fedoraproject...
If you find a bug, or would like to see a new feature, file it in our
Pagure project: https://pagure.io/389-ds-base
* Bump version to 1.3.6.12
* Ticket 49298 - fix complier warn
* Ticket 49298 - Correct error codes with config restore.
* Ticket 49410 - opened connection can remain no longer poll, like hanging
5 years, 10 months
ip address based aci
by Jan Kowalsky
Hi all,
after reading post on the lists regarding acis I was wondering what will
be the preferred way to only grant access to the directory for hosts in
the own network.
On some comments I read that it's generally discouraged to use aci's
with a "not" logic like:
ip != 10.0.0.*
or something like this.
Does this apply to ip address based access too?
My approach would be just someting like:
aci: (targetattr = "*") (version 3.0;acl "Bind from special IPs
only";deny (all) (ip != "192.168.100.*" and ip != "10.0.0.*);)
do allow only from 192.168.100.* networks or from 10.0.0.*.
As long as I understood, I have to define aci's for every base dn
separately if I running multiple databases. Is there any way to define
this for the whole server?
Thanks and Regards
Jan
5 years, 10 months
