Problem browsing LDAP with Outlook
by Chris Bryant
When configuring Microsoft Outlook (not Outlook Express) to access an LDAP directory, there is an option to 'Enable Browsing (requires server support)'. If this option is chosen and the directory server supports it, then you should be able to open the LDAP address book and page up and down through the results. I have been unable to get this working properly with 389 DS.
When I try to browse from Outlook against the 389 DS directory, I am able to see the first page of results perfectly. However, if I move to the next page, only the first object returned will have any attributes included, and all of the rest of the objects in the page will have no attributes. I have a test perl script that duplicates this functionality as well.
I can get this to work properly with an older version of Netscape Directory Server, and I can get it working with OpenDS. Since 389 DS advertises support for the controls that are required for this to work, just like the other two servers, then I would expect it to work there also.
Has anyone out there gotten this to work with 389 DS? If so, can you share if there was anything special that you needed to do to get this to work? I'm trying to determine if this is a bug in the server, or if I'm just missing something in the configuration.
Thanks,
Chris
USA.NET
You Run Your Business. We'll Run Your Email.
This message is for the sole use of the intended recipient(s) and may contain confidential and/or privileged information of USA.NET, Inc. Any unauthorized review, use, copying, disclosure, or distribution is prohibited. If you are not the intended recipient, please immediately contact the sender by reply email and delete all copies of the original message.
2 years, 9 months
MemberOf group restrictions to a client system (server and client running CentOS 7)
by Janet Houser
Hi,
I'm new to 389-ds and last week downloaded and installed the software.
I have a running instance of the server, and I've added TLS/SSL. I've configured a CentOS 7 client to be able to query
the server using TLS/SSL, and all appears working.
I've created users and groups on the 389-ds server successfully. For each user and group, I've enabled posix attributes and my client
can see the unix users and groups using the "getent passwd" or "getent group" commands.
Now, here's where I'm getting tripped up..........
I need to limit which users have access to which systems. I've been trying to do this via memberOf group limitations.
I found the following online resource (https://thornelabs.net/2013/01/28/aix-restrict-server-login-via-ldap-grou...)
which is close enough to CentOS that the initial commands worked.
I enabled the MemberOf plugin and changed the attributes per the link, and restarted the system.
I created a test group (that I didn't enable a posix GID) and tried to add a single user via:
Right click on group -- > click Properties --> then Members --> click Add --> Search for user --> click Add.
This route worked before enabling the memberOf plugin. Now I get the error:
"Cannot save to directory server.
netscape.ldap.LDAPException: error result(65): Object class violation"
And the messages file throws the error (/var/log/dirsrv/slapd-<instancename>/errors):
"Entry "uid=test,ou=People,dc=int,dc=com" -- attribute "memberOf" not allowed
[17/Feb/2016:11:22:58 -0700] memberof-plugin - memberof_postop_modify: failed to add dn (cn=testgroup,ou=Groups,dc=int,dc=com) to target. Error (65)"
So it seems my server isn't quite using the memberOf plugin properly, but I'm not sure what else to enable. I'll have to solve this issue before
I even try to filter login access via groups on my client system.
I should mention that if I go under the advanced tab for one of the groups I created, I can add the attribute "uniquemember", but I'm not sure what I
should set the "value" to be.
I've tried creating new users to see if I could set their "uniquemember" attributes, but no luck. It seems that I don't have the ability to set this attribute
on individual users, only groups.
This might not be the right road to head down when trying to restrict access to servers via groups, so I'm open to any suggestions.
Any suggestions would be appreciated.
2 years, 9 months
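Added example (mine, not from the thread or the 389 DS project): the LDIF for the two changes the add-member step needs, assuming the user entry carries only the objectclasses the console creates for a posix user (top, person, inetOrgPerson, posixAccount; an assumption) and the group is a groupOfUniqueNames. In the stock 389 DS schema memberOf is allowed by the auxiliary objectclasses nsMemberOf and inetUser and by neither inetOrgPerson nor posixAccount, which is what the "attribute memberOf not allowed" line and the objectclass violation (65) report when the plugin tries to write memberOf to the user. uniqueMember values are DNs, so the value to set on the group is the user's full DN. Function and constant names are my own.

```python
# Objectclasses in the stock 389 DS schema whose MAY list includes memberOf.
# inetOrgPerson / posixAccount do not, hence "attribute memberOf not allowed"
# when the memberOf plugin writes to such a user (stored lower-case for matching).
MEMBEROF_CLASSES = {"nsmemberof", "inetuser"}


def memberof_allowed(object_classes):
    """True if the entry's objectClass values let it hold memberOf."""
    return any(oc.lower() in MEMBEROF_CLASSES for oc in object_classes)


def ldif_record(dn, changes):
    """Render one LDIF modify record; changes = [(op, attr, [values]), ...]."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for op, attr, values in changes:
        lines.append(f"{op}: {attr}")
        lines.extend(f"{attr}: {v}" for v in values)
        lines.append("-")
    return "\n".join(lines) + "\n"


def membership_ldif(user_dn, user_object_classes, group_dn, member_attr="uniqueMember"):
    """Record 1 (only if needed): let the user entry hold memberOf.
    Record 2: add the user's full DN to the group. member_attr must be the
    attribute the plugin watches (memberofgroupattr); groupOfUniqueNames
    groups use uniqueMember, groupOfNames groups use member."""
    records = []
    if not memberof_allowed(user_object_classes):
        records.append(ldif_record(user_dn, [("add", "objectClass", ["nsMemberOf"])]))
    records.append(ldif_record(group_dn, [("add", member_attr, [user_dn])]))
    return "\n".join(records)


if __name__ == "__main__":
    # DNs taken from the error lines in the thread; objectclass list assumed.
    print(membership_ldif("uid=test,ou=People,dc=int,dc=com",
                          ["top", "person", "inetOrgPerson", "posixAccount"],
                          "cn=testgroup,ou=Groups,dc=int,dc=com"))
```

Apply the output with ldapmodify as a DN that may write both entries (Directory Manager, for example). If the plugin never fires after the group change, the member attribute in the LDIF does not match memberofgroupattr in the plugin entry. Once memberOf is populated on the users, the client side can match on it (sssd's ldap_access_filter, for example) to restrict logins by group.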
ldapsearch doesn't return the userpassword field
by Janet Houser
Hi,
I've been looking through the archives for information, but I haven't stumbled on a solution to my problem.
I'm running ds-389 (389-ds-base-1.3.4.0) on a centos 7 box (CentOS Linux release 7.2.1511). I have a centos OS client configured using SSL/TLS
which queries the LDAP server. Per a previous thread, I configured the memberOf plugin and all seems to be working properly.
I have a php script that will run on the client and change the LDAP password for the user. The problem is, the script looks for the SSHA hash
of the password when an ldapsearch is issued.
However, when I issue a general ldapsearch (anonymously) I don't get the userpassword field. I read in your archives that I might have
to be the "directory manager" user in order to see the hashed password. I've been playing around with the ldapsearch syntax, but I can't
quite get it right.
Anyway, my question is, can I set a flag in 389-ds that will display the hashed userpassword? I think that will solve my problem with the php script returning an error that it can't retrieve the old password.
Thanks,
5 years
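Added example (editor's code, not from either thread, and not the perl script Chris mentions in the first one): the byte-level shape of the two controls that Outlook's "Enable Browsing" option relies on, Virtual List View together with Server Side Sort, which are among the controls 389 DS advertises in supportedControl, plus the Password Modify extended operation from RFC 3062 as the alternative to having a script read the userPassword hash. The OIDs and ASN.1 layouts come from the respective specifications; the helper names and the sample values are mine. The symptom from the Outlook thread (a page whose entries arrive with DNs but no attributes) is what entries_without_attributes() checks on a decoded page; what none of this can tell you is whether server or client is at fault, which needs a capture of the real exchange.

```python
import base64
import hashlib
import hmac
import os

# OIDs from the specs; a server advertises the ones it implements in the
# root DSE (supportedControl / supportedExtension).
VLV_REQUEST_OID = "2.16.840.1.113730.3.4.9"
VLV_RESPONSE_OID = "2.16.840.1.113730.3.4.10"
SSS_REQUEST_OID = "1.2.840.113556.1.4.473"
PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"

# ---- minimal BER (X.690) helpers ----
def ber_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body

def ber_int(v, tag=0x02):
    assert v >= 0  # non-negative only; minimal two's-complement length
    return tlv(tag, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def ber_read(buf, pos=0):
    """Return (tag, body, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

# ---- the two controls a browsing client sends with every page request ----
def control(oid, value, critical=True):
    """Control ::= SEQUENCE { controlType, criticality, controlValue }"""
    body = tlv(0x04, oid.encode()) + (tlv(0x01, b"\xff") if critical else b"")
    return tlv(0x30, body + tlv(0x04, value))

def vlv_request(before, after, offset, content_count, context_id=b""):
    """VirtualListViewRequest, byOffset [0] target. Paging N entries at a
    time: offset 1, 1+N, 1+2N, ... with before=0, after=N-1; contentCount
    is 0 on the first request and echoed from the response afterwards."""
    target = tlv(0xA0, ber_int(offset) + ber_int(content_count))
    body = ber_int(before) + ber_int(after) + target
    return tlv(0x30, body + (tlv(0x04, context_id) if context_id else b""))

def sort_request(attr, reverse=False):
    """SortKeyList ::= SEQUENCE OF SEQUENCE { attributeType, [1] reverseOrder };
    VLV is only valid together with a server-side sort."""
    key = tlv(0x04, attr.encode()) + (tlv(0x81, b"\xff") if reverse else b"")
    return tlv(0x30, tlv(0x30, key))

def parse_vlv_response(value):
    """-> (targetPosition, contentCount, result, contextID); result 0 = success."""
    tag, body, _ = ber_read(value)
    if tag != 0x30:
        raise ValueError("VLV response value is not a SEQUENCE")
    items, pos = [], 0
    while pos < len(body):
        _, v, pos = ber_read(body, pos)
        items.append(v)
    target, count, result = (int.from_bytes(v, "big", signed=True) for v in items[:3])
    return target, count, result, (items[3] if len(items) > 3 else b"")

def entries_without_attributes(page):
    """The symptom reported in the Outlook thread: entries with a DN but no
    attributes. page = [(dn, {attr: [values]}), ...]"""
    return [dn for dn, attrs in page if not attrs]

# ---- Password Modify extended operation (RFC 3062) ----
def passwd_modify_request(user_dn, old_pw, new_pw):
    """SEQUENCE { [0] userIdentity, [1] oldPasswd, [2] newPasswd }. The server
    checks oldPasswd itself, so the client never needs to read userPassword."""
    return tlv(0x30, tlv(0x80, user_dn.encode()) + tlv(0x81, old_pw.encode())
               + tlv(0x82, new_pw.encode()))

# ---- salted SHA as stored in userPassword: {SSHA}base64(digest || salt) ----
_DIGESTS = {"{SSHA}": hashlib.sha1, "{SSHA256}": hashlib.sha256,
            "{SSHA512}": hashlib.sha512}

def ssha_hash(password, salt=None, scheme="{SSHA}"):
    salt = os.urandom(8) if salt is None else salt
    return scheme + base64.b64encode(
        _DIGESTS[scheme](password.encode() + salt).digest() + salt).decode()

def ssha_verify(password, stored):
    """Constant-time check of a cleartext password against a stored hash."""
    scheme = stored[:stored.find("}") + 1]
    if scheme not in _DIGESTS:
        return False  # unsupported or unsalted scheme
    raw = base64.b64decode(stored[len(scheme):])
    n = _DIGESTS[scheme]().digest_size
    expected = _DIGESTS[scheme](password.encode() + raw[n:]).digest()
    return hmac.compare_digest(expected, raw[:n])
```

On the password question: the Password Modify operation carries the old password to the server, which compares it against the stored hash itself, so the PHP script needs neither Directory Manager credentials nor an ACI that exposes userPassword. Opening userPassword to anonymous reads hands every client on the network the salted hashes to crack offline. ssha_verify() shows what the server does with an {SSHA} value and is only there for the case where a privileged job legitimately holds the hash; binding as the user with the old password is the other server-side check that needs no hash access.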
Broken replicas and CleanRUV question
by Predrag Zečević - Technical Support Analyst
Hi all,
A long time ago we started with 389-DS and, due to lack of experience,
I installed and used the admin server (which was abandoned later,
because it is too complicated and requires someone at the keyboard).
As a consequence of that, we started to replicate the netscapeRoot
space... Over time, we upgraded the s/w from the initial
389-ds-1.2.1-1.el5 (started from the FDS repository, moved to the EPEL one
later) to today's 389-ds-base-1.3.5.14-1.el6.x86_64 (this one is
compiled from source; that was introduced before we migrated the
boxes from RHEL5 to RHEL6 - actually CentOS OS).
During various phases of upgrades, the netscapeRoot replicas went out of
sync (we did not spot that, because of a bug in the monitoring script -
that is another issue).
Our setup includes MultiMaster ReadWrite replication (ldap1 <--> ldap2)
and one ReadOnly (ldap3, consumes from both suppliers in MMR).
Right now, this:
$ for ldap in ldap1 ldap2; do
    ldapsearch -x -H ldaps://${ldap}.MyDomain.com -b "cn=mapping tree,cn=config" \
      -D "cn=Directory Manager" -w ${DMPASS} -o ldif-wrap=no \
      objectClass=nsDS5ReplicationAgreement |
    awk -vLDAP=${ldap} '/^dn/ {printf("#===== %s =====#\n%s\n", LDAP, $0); next};
                        /^nsDS5ReplicaHost:/ {printf("%s\n", $0); next;};
                        /^nsds5replicaLastUpdateStatus:/ {printf("%s\n", $0); next;}'
  done
returns (I have excluded the output for the working MyDomain replicas):
#===== ldap1 =====#
dn: cn=2eLDAPmmr,cn=replica,cn=o\3Dnetscaperoot,cn=mapping tree,cn=config
nsDS5ReplicaHost: ldap2.MyDomain.com
nsds5replicaLastUpdateStatus: Error (0) No replication sessions started since server startup
#===== ldap1 =====#
dn: cn=2eLDAPror,cn=replica,cn=o\3Dnetscaperoot,cn=mapping tree,cn=config
nsDS5ReplicaHost: ldap3.MyDomain.com
nsds5replicaLastUpdateStatus: Error (0) No replication sessions started since server startup
#===== ldap2 =====#
dn: cn=2eLDAPmmr,cn=replica,cn=o\3Dnetscaperoot,cn=mapping tree,cn=config
nsDS5ReplicaHost: ldap1.MyDomain.com
nsds5replicaLastUpdateStatus: Error (0) No replication sessions started since server startup
#===== ldap2 =====#
dn: cn=2eLDAPror,cn=replica,cn=o\3Dnetscaperoot,cn=mapping tree,cn=config
nsDS5ReplicaHost: ldap3.MyDomain.com
nsds5replicaLastUpdateStatus: Error (0) No replication sessions started since server startup
I have tried various tricks to recover that replication, but w/o luck...
When I check (for example ldap1) with this:
$ ldapsearch -xLLLo ldif-wrap=no -H ldaps://ldap1.MyDomain.com -D 'cn=directory manager' -w ${DMPASS} \
    -b o=netscapeRoot '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))'
I get as result:
dn: cn=replica,cn=o\3Dnetscaperoot,cn=mapping tree,cn=config
objectClass: nsDS5Replica
objectClass: top
nsDS5ReplicaRoot: o=netscaperoot
nsDS5ReplicaType: 3
nsDS5Flags: 1
nsDS5ReplicaId: 11
nsds5ReplicaPurgeDelay: 604800
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaReferral: ldap://ldap2.MyDomain.com:636/o%3dnetscaperoot
cn: replica
nsState:: CwAAAAAAAACRKiRZAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAA==
nsDS5ReplicaName: dc964102-1dd111b2-8970c75e-63880000
nsds50ruv: {replicageneration} 4dcb9f790000000b0000
nsds50ruv: {replica 11 ldap://ldap1.MyDomain.com:0}
nsds50ruv: {replica 21 ldap://ldap2.MyDomain.com:0} 4dda4a3a000000150000 4fd5f742000300150000
nsds5agmtmaxcsn: o=netscaperoot;2eLDAPror;ldap3.MyDomain.com;636;unavailable
nsruvReplicaLastModified: {replica 11 ldap://ldap1.MyDomain.com:0} 00000000
nsruvReplicaLastModified: {replica 21 ldap://ldap2.MyDomain.com:0} 00000000
nsds5ReplicaChangeCount: 1
nsds5replicareapactive: 0
Tried to CleanRUV (ldif applied with ldapmodify command to all suppliers
and consumers):
$ cat /tmp/ldap.cleanRUV-tasks-for-netscapeRoot-replica.11.ldif
dn: cn=replica,cn=o\3Dnetscaperoot,cn=mapping tree,cn=config
changetype: modify
replace: nsds5task
nsds5task: CLEANRUV11
At some moment, ldap1 replied:
"ldap_modify: Server is unwilling to perform (53)"
which explains nothing, because that error means:
"Indicates that the LDAP server cannot process the request because of
server-defined restrictions. This error is returned for the following
reasons: The add entry request violates the server's structure
rules...OR...The modify attribute request specifies attributes that
users cannot modify...OR...Password restrictions prevent the
action...OR...Connection restrictions prevent the action. "
Right now, CleanRUV task is stuck... and replication is still broken...
A similar situation is present on ldap2, with RUV 21 (if not worse):
dn: cn=replica,cn=o\3Dnetscaperoot,cn=mapping tree,cn=config
objectClass: nsDS5Replica
objectClass: top
nsDS5ReplicaRoot: o=netscaperoot
nsDS5ReplicaType: 3
nsDS5Flags: 1
nsDS5ReplicaId: 21
nsds5ReplicaPurgeDelay: 604800
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaReferral: ldap://ldap1.MyDomain.com:636/o%3dnetscaperoot
cn: replica
nsState:: FQAAAAAAAADeiyVZAAAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAAAAAA==
nsDS5ReplicaName: cb016902-1dd111b2-821cbcea-f7780000
nsds50ruv: {replicageneration} 4dcb9f790000000b0000
nsds50ruv: {replica 21 ldap://ldap2.MyDomain.com:0} 4dda4a3a000000150000 4fd5f742000300150000
nsds5agmtmaxcsn: o=netscaperoot;2eLDAPmmr;ldap1.MyDomain.com;636;unavailable
nsds5agmtmaxcsn: o=netscaperoot;2eLDAPror;ldap3.MyDomain.com;636;unavailable
nsruvReplicaLastModified: {replica 21 ldap://ldap2.MyDomain.com:0} 00000000
nsds5ReplicaChangeCount: 1
nsds5replicareapactive: 0
What would be the proper way to get out of this situation?
Do I have to execute the CleanAllRUV task and start replication from scratch, or is there a better way?
BTW, loglevel is set to 8192, so in the ldap1 logs:
$ sudo grep cleanruv_task: /var/log/dirsrv/slapd-ldap?/errors
[31/May/2017:09:11:39 +0200] NSMMReplicationPlugin - cleanruv_task: cleaning rid (11)...
we see that the task is "started" and never finished.
Any advice or documentation (which is more up-to-date) than:
* http://directory.fedoraproject.org/docs/389ds/howto/howto-cleanruv.html#c...
* https://access.redhat.com/documentation/en-us/red_hat_directory_server/9....
* http://directory.fedoraproject.org/docs/389ds/FAQ/troubleshoot-cleanallru...
(a CleanRUV troubleshooting FAQ is missing entirely)
is welcome.
With best regards.
Predrag Zečević
--
Predrag Zečević
Technical Support Analyst
2e Systems GmbH
Telephone: +49 6196 9505 815, Facsimile: +49 6196 9505 894
Mobile: +49 174 3109 288, Skype: predrag.zecevic
E-mail: predrag.zecevic(a)2e-systems.com
Headquarter: 2e Systems GmbH, Königsteiner Str. 87,
65812 Bad Soden am Taunus, Germany
Company registration: Amtsgericht Königstein (Germany), HRB 7303
Managing director: Phil Douglas
http://www.2e-systems.com/ - Making your business fly!
5 years, 11 months
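Added example (mine, not from the thread or the 389 DS code base) that decodes the RUV values posted above. The CSN layout, 8 hex digits of time followed by 4 each of sequence number, replica ID and subsequence number, is the 389 DS format; the nsds50ruv values are copied from the ldap1 and ldap2 entries in the message, and the function names are my own. Run on that data it reports that both suppliers share the replica generation, that ldap2's RUV has no element for replica 11 (the RUVs are out of sync, as the post says), and that with 11 and 21 both being live nsDS5ReplicaId values there is no stale rid for CLEANALLRUV to purge; the CLEANRUV11 task sent to ldap1 names ldap1's own replica ID. The example flags that; it does not diagnose the error 53.

```python
import re
from datetime import datetime, timezone

# A 389 DS CSN is 20 hex chars: time(8) seqnum(4) replica-id(4) subseq(4).
CSN_RE = re.compile(r"[0-9a-f]{20}")
RUV_ELEMENT_RE = re.compile(
    r"\{replica (\d+) (\S+)\}(?: ([0-9a-f]{20}))?(?: ([0-9a-f]{20}))?")

# nsds50ruv values copied from the two replica entries in the thread
LDAP1_RUV = [
    "{replicageneration} 4dcb9f790000000b0000",
    "{replica 11 ldap://ldap1.MyDomain.com:0}",
    "{replica 21 ldap://ldap2.MyDomain.com:0} 4dda4a3a000000150000 4fd5f742000300150000",
]
LDAP2_RUV = [
    "{replicageneration} 4dcb9f790000000b0000",
    "{replica 21 ldap://ldap2.MyDomain.com:0} 4dda4a3a000000150000 4fd5f742000300150000",
]


def decode_csn(csn):
    """Split a CSN into its fields; time is seconds since the epoch."""
    if not CSN_RE.fullmatch(csn):
        raise ValueError(f"not a CSN: {csn!r}")
    ts, seq, rid, sub = (int(csn[i:i + n], 16) for i, n in ((0, 8), (8, 4), (12, 4), (16, 4)))
    return {"time": datetime.fromtimestamp(ts, timezone.utc), "seq": seq,
            "rid": rid, "subseq": sub}


def parse_ruv(values):
    """values: the nsds50ruv strings of one replica entry.
    -> (generation CSN, {rid: {"url": ..., "min": csn|None, "max": csn|None}})
    An element with no CSNs (like '{replica 11 ldap://ldap1...:0}' above) is a
    replica the vector knows about but has never recorded a change from."""
    generation, elements = None, {}
    for v in values:
        v = v.strip()
        if v.startswith("{replicageneration}"):
            generation = v.split()[1]
            continue
        m = RUV_ELEMENT_RE.fullmatch(v)
        if not m:
            raise ValueError(f"unparsable RUV element: {v!r}")
        rid, url, mincsn, maxcsn = m.groups()
        elements[int(rid)] = {"url": url, "min": mincsn, "max": maxcsn}
    return generation, elements


def ruv_differences(elements_by_server):
    """For each server, the rids other servers carry but this one does not;
    any non-empty list means the RUVs are out of sync."""
    all_rids = set().union(*(set(e) for e in elements_by_server.values()))
    return {s: sorted(all_rids - set(e)) for s, e in elements_by_server.items()}


def cleanallruv_candidates(elements_by_server, configured_rids):
    """rids present in some RUV that belong to no configured replica: what
    CLEANALLRUV exists to purge. A rid that is a live replica's own
    nsDS5ReplicaId is never a candidate; cleaning it removes that replica
    from the vector rather than a stale one."""
    seen = set().union(*(set(e) for e in elements_by_server.values()))
    return sorted(seen - set(configured_rids))


def analyse(ruv_values_by_server, configured_rids):
    """Combine the checks; suppliers with different generations cannot
    replicate with each other at all (the generation is set at initialisation)."""
    parsed = {s: parse_ruv(v) for s, v in ruv_values_by_server.items()}
    elements = {s: e for s, (_, e) in parsed.items()}
    return {
        "generation_mismatch": len({g for g, _ in parsed.values()}) > 1,
        "missing": ruv_differences(elements),
        "stale": cleanallruv_candidates(elements, configured_rids),
    }


if __name__ == "__main__":
    print(analyse({"ldap1": LDAP1_RUV, "ldap2": LDAP2_RUV}, {11, 21}))
```

Feed it the nsds50ruv values of every supplier and the set of nsDS5ReplicaId values you still operate: a rid in the "stale" list is one to pass to CLEANALLRUV, and a non-empty "missing" list for a server shows which supplier's updates it has never seen.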
enabled account policy plugin and increased changelog db size
by Alparslan Ozturk
Hi,
Two 389-ds servers are running with multimaster replication, and the db backup size is 66MB.
But when I enabled the "account policy plugin" for tracking the lastlogintime of
users, I saw the changelog db size increase to 3GB.
...
the database size is now 3,8G May 25 10:17
74c37b82-3ef411e7-ac57be37-2d84af6b_55dc8a41000000010000.db
...
How can I fix the changelog db size problem?
[root@mhrsldap1 changelogdb]# cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)
[root@mhrsldap1 changelogdb]# rpm -qa |grep 389
389-admin-console-doc-1.1.12-1.el7.noarch
389-adminutil-1.1.22-1.el7.x86_64
389-ds-base-libs-1.3.5.10-20.el7_3.x86_64
389-ds-base-1.3.5.10-20.el7_3.x86_64
389-admin-console-1.1.12-1.el7.noarch
389-ds-console-doc-1.2.16-1.el7.noarch
389-console-1.1.18-1.el7.noarch
389-ds-base-devel-1.3.5.10-20.el7_3.x86_64
389-adminutil-devel-1.1.22-1.el7.x86_64
389-ds-base-snmp-1.3.5.10-20.el7_3.x86_64
389-ds-console-1.2.16-1.el7.noarch
389-admin-1.1.46-1.el7.x86_64
5 years, 11 months
Performance Degradation with Split Database
by Paul Whitney
Still in migration mode from RHEL5/DS 8.2 to CentOS7/DS10 (389-ds-base 1.3.5.10-20).
Our one instance is setup with two databases (userRoot and groupRoot). We are seeing some really high etimes when performing mods/search on the second database (groupRoot). Wondering if anyone else has experienced this issue and what was done to overcome them?
Server is vmware VM with 4 CPU, 64GB RAM, plenty of disk space. CentOS 7 is "tuned" for virtual-guest.
Paul M. Whitney
E-mail: paul.whitney(a)mac.com
Sent from my browser.
5 years, 12 months
If
by Andrei.shlidt
Andrei.shlidt(a)gmail.com
5 years, 12 months
Re: I guess I've found it at last
by Samuele Fogagnolo
Hi!
As you know I've been looking for some stuff for a long time, and I think I've found it at last, just take a look http://second.jamietancredi.com
Kind regards, Samuele Fogagnolo
From: 389-users [mailto:389-users@lists.fedoraproject.org]
Sent: Wednesday, May 24, 2017 11:34 AM
To: sfogagno(a)libero.it
Subject: Praise gaben!
She backs out when I try that. Do you straddle her also? That's how I do the cats' nails... Eva is strong for her size!
I wonder if treats may help. I'm just afraid I'll have to keep feeding her constantly to keep her distracted. But I guess the goal is for her to realize the treats are a reward for her letting me clip.
Sent from Mail for Windows 10
6 years
Port389 website improvements
by William Brown
Hi,
I've been trying to improve accessibility of our documentation on
port389.org. Usability is a big focus for us, so improving this is a
small step in that process.
I have moved a number of how tos to a better location on the
Documentation tab, and linked to the Red Hat Directory Server docs - it
should be only two clicks from the front page to a useful resource!
Some of our content is out of date though :( if you spot out of date
content, please let me know so we can prune it, or update it.
If you have any improvements to suggest, please let the team know,
Thanks,
--
Sincerely,
William Brown
Software Engineer
Red Hat, Australia/Brisbane
6 years
Re: Announcing 389 Directory Server version 1.3.6.6
by Alan Milligan
Hi Mark,
I successfully migrated from 1.3.5.10 to 1.3.6.6 - great job team!
I don't run any admin stuff on those nodes; I think the install/upgrade
release note should perhaps just be setup-ds.pl
Best regards,
Alan
6 years