Problem browsing LDAP with Outlook
by Chris Bryant
When configuring Microsoft Outlook (not Outlook Express) to access an LDAP directory, there is an option to 'Enable Browsing (requires server support)'. If this option is chosen and the directory server supports it, then you should be able to open the LDAP address book and page up and down through the results. I have been unable to get this working properly with 389 DS.
When I try to browse from Outlook against the 389 DS directory, I am able to see the first page of results perfectly. However, if I move to the next page, only the first object returned will have any attributes included, and all of the rest of the objects in the page will have no attributes. I have a test perl script that duplicates this functionality as well.
I can get this to work properly with an older version of Netscape Directory Server, and I can get it working with OpenDS. Since 389 DS advertises support for the controls that are required for this to work, just like the other two servers, then I would expect it to work there also.
Has anyone out there gotten this to work with 389 DS? If so, can you share if there was anything special that you needed to do to get this to work? I'm trying to determine if this is a bug in the server, or if I'm just missing something in the configuration.
Thanks,
Chris
USA.NET
2 years, 9 months
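The post above describes a page-by-page browse that comes back with attribute-less entries after the first page. The following Go program is an added example, not the poster's perl script or any 389 DS code: it encodes and decodes the control value of the Simple Paged Results control (RFC 2696, OID 1.2.840.113556.1.4.319) with the standard library's encoding/asn1, runs the client cookie loop against an emulated server over a constructed directory, and audits the returned pages for the symptom. The server emulation, its cookie format and the sample entries are assumptions made for the example; Outlook's browse mode may additionally rely on the VLV and server-side sort controls, which are not modelled here, but the cookie contract is the same: echo the server's cookie verbatim, stop when it is empty.

```go
package main

import (
	"encoding/asn1"
	"fmt"
	"strconv"
)

// OID of the Simple Paged Results control (RFC 2696). A server that supports it lists
// this value in the supportedControl attribute of its root DSE.
const PagedResultsOID = "1.2.840.113556.1.4.319"

// pagedValue mirrors the control value from RFC 2696:
// realSearchControlValue ::= SEQUENCE { size INTEGER, cookie OCTET STRING }
type pagedValue struct {
	Size   int
	Cookie []byte
}

// EncodePagedValue builds the BER control value a client attaches to each search:
// the page size and the cookie from the previous response (empty on the first).
func EncodePagedValue(size int, cookie []byte) ([]byte, error) {
	if cookie == nil {
		cookie = []byte{}
	}
	return asn1.Marshal(pagedValue{Size: size, Cookie: cookie})
}

// DecodePagedValue parses a control value; in a response an empty cookie means the
// result set is exhausted.
func DecodePagedValue(raw []byte) (int, []byte, error) {
	var v pagedValue
	rest, err := asn1.Unmarshal(raw, &v)
	if err != nil {
		return 0, nil, err
	}
	if len(rest) != 0 {
		return 0, nil, fmt.Errorf("%d trailing bytes after control value", len(rest))
	}
	return v.Size, v.Cookie, nil
}

// PagedEntry is a constructed stand-in for one search result entry.
type PagedEntry struct {
	DN    string
	Attrs map[string]string
}

// SampleDirectory returns n constructed entries (not real directory data).
func SampleDirectory(n int) []PagedEntry {
	dir := make([]PagedEntry, 0, n)
	for i := 1; i <= n; i++ {
		uid := fmt.Sprintf("user%d", i)
		dir = append(dir, PagedEntry{
			DN:    fmt.Sprintf("uid=%s,ou=People,dc=example,dc=com", uid),
			Attrs: map[string]string{"uid": uid, "cn": "User " + strconv.Itoa(i)},
		})
	}
	return dir
}

// ServerPage emulates the server side of one paged search. The cookie is opaque to
// the client; this emulation uses the decimal offset of the next entry. With dropAttrs
// set, every entry after the first on any page but the first comes back without
// attributes, reproducing the behaviour reported in the post.
func ServerPage(dir []PagedEntry, size int, cookie []byte, dropAttrs bool) ([]PagedEntry, []byte, error) {
	if size <= 0 {
		return nil, nil, fmt.Errorf("page size must be positive")
	}
	offset := 0
	if len(cookie) > 0 {
		o, err := strconv.Atoi(string(cookie))
		if err != nil || o < 0 || o > len(dir) {
			return nil, nil, fmt.Errorf("invalid cookie %q", cookie)
		}
		offset = o
	}
	end := offset + size
	if end > len(dir) {
		end = len(dir)
	}
	page := make([]PagedEntry, 0, end-offset)
	for i := offset; i < end; i++ {
		e := dir[i]
		if dropAttrs && offset > 0 && i > offset {
			e = PagedEntry{DN: e.DN, Attrs: map[string]string{}}
		}
		page = append(page, e)
	}
	var next []byte
	if end < len(dir) {
		next = []byte(strconv.Itoa(end))
	}
	return page, next, nil
}

// FetchAll is the client loop: encode the control with the last cookie, hand the
// request to the server, keep the returned cookie verbatim, stop when it is empty.
func FetchAll(dir []PagedEntry, size int, dropAttrs bool) ([][]PagedEntry, error) {
	var pages [][]PagedEntry
	var cookie []byte
	for {
		raw, err := EncodePagedValue(size, cookie)
		if err != nil {
			return nil, err
		}
		_, reqCookie, err := DecodePagedValue(raw) // the server's view of the request
		if err != nil {
			return nil, err
		}
		page, next, err := ServerPage(dir, size, reqCookie, dropAttrs)
		if err != nil {
			return nil, err
		}
		pages = append(pages, page)
		if len(next) == 0 {
			return pages, nil
		}
		cookie = next
	}
}

// EntriesWithoutAttributes lists DNs returned with no attributes, the symptom in the
// post; a healthy server returns none.
func EntriesWithoutAttributes(pages [][]PagedEntry) []string {
	var bad []string
	for _, page := range pages {
		for _, e := range page {
			if len(e.Attrs) == 0 {
				bad = append(bad, e.DN)
			}
		}
	}
	return bad
}

func main() {
	pages, err := FetchAll(SampleDirectory(7), 3, true)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d pages; entries without attributes: %v\n", len(pages), EntriesWithoutAttributes(pages))
}
```

Against a real server the same audit can be run on the output of a paged ldapsearch: every entry on every page should carry the requested attributes, and the first page being correct while later pages are not points at the server's handling of the continuation, not at the client.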
MemberOf group restrictions to a client system (server and client running CentOS 7)
by Janet Houser
Hi,
I'm new to 389-ds and last week downloaded and installed the software.
I have a running instance of the server, and I've added TLS/SSL. I've configured a CentOS 7 client to be able to query the server using TLS/SSL, and all appears working.
I've created users and groups on the 389-ds server successfully. For each user and group, I've enabled posix attributes and my client can see the unix users and groups using the "getent password" or "getent group" commands.
Now, here's where I'm getting tripped up..........
I need to limit which users have access to which systems. I've been trying to do this via memberOf group limitations.
I found the following online resource (https://thornelabs.net/2013/01/28/aix-restrict-server-login-via-ldap-grou...) which is close enough to CentOS that the initial commands worked.
I enabled the MemberOf plugin and changed the attributes per the link, and restarted the system.
I created a test group (for which I didn't enable a posix GID) and tried to add a single user via:
Right click on group --> click Properties --> then Members --> click Add --> Search for user --> click Add.
When I try to go this route (which worked before enabling the memberOf plugin), it worked. Now it seems I get the error:
"Cannot save to directory server.
netscape.ldap.LDAPException: error resiult(65): Object class violation"
And the messages file (/var/log/dirsrv/slapd-<instancename>/errors) throws the error:
"Entry "uid=test,ou=People,dc=int,dc=com" -- attribute "memberOf" not allowed
[17/Feb/2016:11:22:58 -0700] memberof-plugin - memberof_postop_modify: failed to add dn (cn=testgroup,ou=Groups,dc=int,dc=com) to target. Error (65)"
So it seems my server isn't quite using the memberOf plugin properly, but I'm not sure what else to enable. I'll have to solve this issue before I even try to filter login access via groups on my client system.
I should mention that if I go under the advanced tab for one of the groups I created, I can add the attribute "uniquemember", but I'm not sure what I should set the "value" to be.
I've tried creating new users to see if I could set their "uniquemember" attributes, but no luck. It seems that I don't have the ability to set this attribute on individual users, only groups.
This might not be the right road to head down when trying to restrict access to servers via groups, so I'm open to any suggestions.
Any suggestions would be appreciated.
2 years, 10 months
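The error in the post above, "attribute memberOf not allowed" with result 65 (objectClassViolation), is a schema check: the plugin tries to write memberOf onto the user entry, but none of the user's object classes allows that attribute. In the 389 DS default schema the auxiliary class nsMemberOf allows memberOf (newer releases can add it automatically through the plugin's memberOfAutoAddOC setting; check the version in use). The Go program below is an added example, not code from the poster or from 389 DS: it runs the same "is every attribute allowed by some object class" check over a hand-written subset of the schema, shows the violation disappearing once nsMemberOf is added to the user, and builds the LDIF for the other half of the question, the uniqueMember value of a groupOfUniqueNames group, which is the member's full DN. The schema subset is constructed for the example and is not authoritative; the DNs are the ones from the post.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// LDAPEntry is a minimal entry: its DN, object classes, and the attribute names present.
type LDAPEntry struct {
	DN            string
	ObjectClasses []string
	Attributes    []string
}

// Schema maps a lower-cased object class name to the attributes (MUST and MAY) it allows.
type Schema map[string][]string

// SubsetSchema is a hand-written subset of the 389 DS default schema, constructed for
// this example; the server's own schema is authoritative. nsMemberOf is the auxiliary
// class that allows memberOf.
func SubsetSchema() Schema {
	return Schema{
		"top":                  {"objectclass"},
		"person":               {"sn", "cn", "userpassword", "telephonenumber", "seealso", "description"},
		"organizationalperson": {"title", "ou", "l", "postaladdress", "telephonenumber"},
		"inetorgperson":        {"uid", "mail", "givenname", "displayname", "employeenumber"},
		"posixaccount":         {"cn", "uid", "uidnumber", "gidnumber", "homedirectory", "loginshell", "gecos"},
		"nsmemberof":           {"memberof"},
		"groupofuniquenames":   {"cn", "uniquemember", "description", "owner", "seealso"},
	}
}

// Violations returns, sorted, the attributes of e that none of its object classes
// allow. A non-empty result is what the server reports as result code 65
// (objectClassViolation) with "attribute X not allowed".
func Violations(s Schema, e LDAPEntry) ([]string, error) {
	allowed := map[string]bool{}
	for _, oc := range e.ObjectClasses {
		attrs, ok := s[strings.ToLower(oc)]
		if !ok {
			return nil, fmt.Errorf("entry %q: unknown object class %q", e.DN, oc)
		}
		for _, a := range attrs {
			allowed[a] = true
		}
	}
	var bad []string
	for _, a := range e.Attributes {
		if !allowed[strings.ToLower(a)] {
			bad = append(bad, a)
		}
	}
	sort.Strings(bad)
	return bad, nil
}

// WithObjectClass returns a copy of e with the object class added (case-insensitive,
// never duplicated). Adding nsMemberOf to the user is the fix for the violation above.
func WithObjectClass(e LDAPEntry, oc string) LDAPEntry {
	out := e
	out.ObjectClasses = append([]string(nil), e.ObjectClasses...)
	for _, have := range out.ObjectClasses {
		if strings.EqualFold(have, oc) {
			return out
		}
	}
	out.ObjectClasses = append(out.ObjectClasses, oc)
	return out
}

// UniqueMemberModifyLDIF builds the LDIF change that adds a member to a
// groupOfUniqueNames group: the value of uniqueMember is the member's full DN.
func UniqueMemberModifyLDIF(groupDN, memberDN string) string {
	return fmt.Sprintf("dn: %s\nchangetype: modify\nadd: uniqueMember\nuniqueMember: %s\n", groupDN, memberDN)
}

func main() {
	s := SubsetSchema()
	user := LDAPEntry{
		DN:            "uid=test,ou=People,dc=int,dc=com",
		ObjectClasses: []string{"top", "person", "organizationalPerson", "inetOrgPerson", "posixAccount"},
		Attributes:    []string{"uid", "cn", "sn", "uidNumber", "gidNumber", "homeDirectory", "memberOf"},
	}
	before, _ := Violations(s, user)
	after, _ := Violations(s, WithObjectClass(user, "nsMemberOf"))
	fmt.Printf("before: %v  after adding nsMemberOf: %v\n", before, after)
	fmt.Print(UniqueMemberModifyLDIF("cn=testgroup,ou=Groups,dc=int,dc=com", user.DN))
}
```

Two things follow for the setup in the post: the user entries need an object class that allows memberOf before the plugin can populate it, and the plugin has to be told which group attribute to follow (its memberOfGroupAttr setting names the attribute, member by default; groups built with uniqueMember need it set to uniqueMember). Once memberOf is populated, the client-side login restriction can filter on that attribute.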
tls encryption and key changes: symmetric key failed to unwrap
by Jan Kowalsky
Hi all,
we have the following situation: a 389ds with tls/ssl configured with a certificate from letsencrypt.
Since letsencrypt certificates are short-dated, we have an automated update routine for regenerating the cert8.db.
Now we have this sort of errors in changelog.
[01/Jun/2018:11:46:40 +0200] attrcrypt - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
[01/Jun/2018:11:46:40 +0200] attrcrypt - attrcrypt_cipher_init: symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value.
[01/Jun/2018:11:46:40 +0200] attrcrypt - attrcrypt_unwrap_key: failed to unwrap key for cipher 3DES
[01/Jun/2018:11:46:40 +0200] attrcrypt - attrcrypt_cipher_init: symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value.
[01/Jun/2018:11:46:40 +0200] attrcrypt - All prepared ciphers are not available. Please disable attribute encryption.
I never used attribute encryption and we don't need it at the moment. But as far as I understand, it's based on the server private key. This is the one we change every 60 days.
The best idea seems to be to disable attribute encryption (which doesn't make much sense if the private key isn't password protected anyway).
Or is there any other way to deal with key changes?
Thanks and regards
Jan
4 years, 4 months
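The log lines in the post above describe a key-wrapping dependency: the symmetric keys used for attribute encryption are stored wrapped under the key pair behind the server certificate, so a renewal that replaces the key pair (rather than only the certificate) leaves the wrapped values unreadable. The Go program below is an added example, not 389 DS code, that reproduces the mechanism with the standard library: it wraps a constructed key under one RSA key pair, shows that a fresh key pair cannot unwrap it, and shows the recovery the log hints at, unwrapping with the old private key and re-wrapping under the new one. RSA-OAEP is an illustrative stand-in for the wrap primitive (389 DS does this through NSS); the key sizes and label are assumptions for the example.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// oaepLabel is a constructed OAEP label; wrap and unwrap must agree on it.
var oaepLabel = []byte("attrcrypt-demo")

// WrapSymmetricKey encrypts an attribute-encryption key under the public key of the
// server certificate. RSA-OAEP is an illustrative stand-in (assumption): 389 DS wraps
// through NSS with the key pair behind its TLS certificate.
func WrapSymmetricKey(pub *rsa.PublicKey, symKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, symKey, oaepLabel)
}

// UnwrapSymmetricKey recovers the key with the matching private key. Any other private
// key fails here, which is what "failed to unwrap key" in the log means.
func UnwrapSymmetricKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, oaepLabel)
}

// Rewrap moves a wrapped key from the old key pair to the new one. It needs the old
// private key: once that is gone, the wrapped value alone cannot be recovered, which
// is why the log says to keep the wrapped symmetric key value.
func Rewrap(oldPriv *rsa.PrivateKey, newPub *rsa.PublicKey, wrapped []byte) ([]byte, error) {
	symKey, err := UnwrapSymmetricKey(oldPriv, wrapped)
	if err != nil {
		return nil, fmt.Errorf("unwrap with old private key: %w", err)
	}
	return WrapSymmetricKey(newPub, symKey)
}

// RenewalOutcome records what happens to one wrapped key across a certificate renewal.
type RenewalOutcome struct {
	UnwrapWithOldKey  bool // the original key pair still unwraps it
	UnwrapWithNewKey  bool // a renewed certificate with a fresh key pair does not
	UnwrapAfterRewrap bool // after Rewrap, the new key pair unwraps the same key
}

// SimulateRenewal wraps a constructed 256-bit key under one key pair, then "renews"
// with a fresh key pair, as an ACME client that does not reuse its key would.
func SimulateRenewal() (RenewalOutcome, error) {
	var out RenewalOutcome
	oldKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return out, err
	}
	newKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return out, err
	}
	symKey := make([]byte, 32) // constructed AES-256 key
	if _, err := rand.Read(symKey); err != nil {
		return out, err
	}
	wrapped, err := WrapSymmetricKey(&oldKey.PublicKey, symKey)
	if err != nil {
		return out, err
	}
	got, err := UnwrapSymmetricKey(oldKey, wrapped)
	out.UnwrapWithOldKey = err == nil && bytes.Equal(got, symKey)
	_, err = UnwrapSymmetricKey(newKey, wrapped)
	out.UnwrapWithNewKey = err == nil
	rewrapped, err := Rewrap(oldKey, &newKey.PublicKey, wrapped)
	if err != nil {
		return out, err
	}
	got, err = UnwrapSymmetricKey(newKey, rewrapped)
	out.UnwrapAfterRewrap = err == nil && bytes.Equal(got, symKey)
	return out, nil
}

func main() {
	out, err := SimulateRenewal()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

The operational consequence is the choice the poster is weighing: either renew the certificate without replacing the key pair (certbot's --reuse-key does this), so the wrapped keys stay readable, or, when attribute encryption is genuinely unused, disable it as the log suggests so nothing depends on the wrapped values at all. The re-wrap path only exists while the previous private key is still available.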
How to install an external certificate
by wodel youchi
Hi,
I have an external certificate: the certificate file, the key file and the CA file.
How can I install this certificate on 389DS? Especially, how can I specify my key file to the dirsrv?
Regards.
4 years, 5 months
PassSync Replication from AD RODC to 389 DS
by Abhisheyk Deb
I have the following structure: AD RWDC (Read Write), AD RODC (Read Only), and a 389 DS instance.
PassSync will be installed on the AD RODC and the 389 DS instance will sync with it.
If the users are created on the AD RWDC and synced with the RODC, can PassSync still intercept passwords in cleartext format, and push them to 389 DS?
4 years, 5 months
Announcing 389 Directory Server 1.4.0.20
by Mark Reynolds
389 Directory Server 1.4.0.20
The 389 Directory Server team is proud to announce 389-ds-base version
1.4.0.20
Fedora packages are available on Fedora 28, 29, and rawhide.
Rawhide
https://koji.fedoraproject.org/koji/taskinfo?taskID=31464161
Fedora 29
https://koji.fedoraproject.org/koji/taskinfo?taskID=31464159
Fedora 28
https://koji.fedoraproject.org/koji/taskinfo?taskID=31464058
Bodhi
F29 https://bodhi.fedoraproject.org/updates/FEDORA-2018-0f3d7e9434
F28 https://bodhi.fedoraproject.org/updates/FEDORA-2018-cf250e9c09
The new packages and versions are:
* 389-ds-base-1.4.0.20-1
Source tarballs are available for download at https://releases.pagure.org/389-ds-base/389-ds-base-1.4.0.20.tar.bz2
Highlights in 1.4.0.20
Bug fixes
Installation and Upgrade
See Download <https://www.port389.org/docs/389ds/download.html> for information about setting up your yum repositories.
To install, use *dnf install 389-ds-base*, then run *dscreate*. For the Cockpit UI plugin use “dnf install cockpit-389-ds”.
See Install_Guide <https://www.port389.org/docs/389ds/howto/howto-install-389.html> for more information about the initial installation, setup, and upgrade.
See Source <https://www.port389.org/docs/389ds/development/source.html> for information about source tarballs and SCM (git) access.
Feedback
We are very interested in your feedback!
Please provide feedback and comments to the 389-users mailing list:
https://lists.fedoraproject.org/admin/lists/389-users.lists.fedoraproject...
If you find a bug, or would like to see a new feature, file it in our
Pagure project: https://pagure.io/389-ds-base
* Bump version to 1.4.0.20
* Ticket 49994 - Add test for backend/suffix CLI functions
* Ticket 50090 - refactor fetch_attr() to slapi_fetch_attr()
* Ticket 50091 - shadowWarning is not generated if passwordWarning is
lower than 86400 seconds (1 day)
* Ticket 50056 - Fix CLI/UI bugs
* Ticket 49864 - Revised replication status messages for transient errors
* Ticket 50071 - Set ports in local_simple_allocate function
* Ticket 50065 - lib389 aci parsing is too strict
* Ticket 50061 - Improve schema loading in UI
* Ticket 50063 - Crash after attempting to restore a single backend
* Ticket 50062 - Replace error by warning in the state machine defined
in repl5_inc_run
* Ticket 50041 - Set the React dataflow foundation and add basic plugin UI
* Ticket 50028 - Revise ds-replcheck usage
* Ticket 50057 - Pass argument into hashtable_new
* Ticket 50053 - improve testcase
* Ticket 50053 - Subtree password policy overrides a user-defined
password policy
* Ticket 49974 - lib389 - List instances with initconfig_dir instead
of sysconf_dir
* Ticket 49984 - Add an empty domain creation to the dscreate
* Ticket 49950 - PassSync not setting pwdLastSet attribute in Active
Directory after Pw update from LDAP sync for normal user
* Ticket 50046 - Remove irrelevant debug-log messages from CLI tools
* Ticket 50022, 50012, 49956, and 49800: Various dsctl/dscreate fixes
* Ticket 49927 - dsctl db2index does not work
* Ticket 49814 - dscreate should handle selinux ports that are in a range
* Ticket 49543 - fix certmap dn comparison
* Ticket 49994 - comment out dev paths
* Ticket 49994 - Add backend features to CLI
* Ticket 48081 - Add new CI tests for password
4 years, 5 months
389ds doesn't start
by Jan Kowalsky
Hi all,
after dirsrv crashed and trying to restart, I got the following errors and dirsrv doesn't start at all:
[13/Dec/2018:20:17:28 +0100] - 389-Directory/1.3.3.5 B2018.298.1116 starting up
[13/Dec/2018:20:17:28 +0100] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
[13/Dec/2018:20:17:29 +0100] - libdb: BDB3017 unable to allocate space from the buffer cache
[13/Dec/2018:20:17:29 +0100] - libdb: BDB1521 Recovery function for LSN 6120 6259890 failed
[13/Dec/2018:20:17:29 +0100] - libdb: BDB0061 PANIC: Cannot allocate memory
[13/Dec/2018:20:17:29 +0100] - libdb: BDB1546 unable to join the environment
[13/Dec/2018:20:17:29 +0100] - Database Recovery Process FAILED. The database is not recoverable. err=-30973: BDB0087 DB_RUNRECOVERY: Fatal error, run database recovery
[13/Dec/2018:20:17:29 +0100] - Please make sure there is enough disk space for dbcache (400000 bytes) and db region files
[13/Dec/2018:20:17:29 +0100] - start: Failed to init database, err=-30973 BDB0087 DB_RUNRECOVERY: Fatal error, run database recovery
[13/Dec/2018:20:17:29 +0100] - Failed to start database plugin ldbm database
[13/Dec/2018:20:17:29 +0100] - WARNING: cache too small, increasing to 500K bytes
[13/Dec/2018:20:17:29 +0100] - WARNING: ldbm instance www_local already exists
[13/Dec/2018:20:17:29 +0100] - ldbm_config_read_instance_entries: failed to add instance entry cn=www_local,cn=ldbm database,cn=plugins,cn=config
[13/Dec/2018:20:17:29 +0100] - ldbm_config_load_dse_info: failed to read instance entries
[13/Dec/2018:20:17:29 +0100] - start: Loading database configuration failed
[13/Dec/2018:20:17:29 +0100] - Failed to start database plugin ldbm database
[13/Dec/2018:20:17:29 +0100] - Error: Failed to resolve plugin dependencies
[13/Dec/2018:20:17:29 +0100] - Error: betxnpreoperation plugin 7-bit check is not started
[13/Dec/2018:20:17:29 +0100] - Error: object plugin Account Policy Plugin is not started
[13/Dec/2018:20:17:29 +0100] - Error: preoperation plugin Account Usability Plugin is not started
[13/Dec/2018:20:17:29 +0100] - Error: accesscontrol plugin ACL Plugin is not started
[13/Dec/2018:20:17:29 +0100] - Error: preoperation plugin ACL preoperation is not started
[13/Dec/2018:20:17:29 +0100] - Error: betxnpreoperation plugin attribute uniqueness is not started
[13/Dec/2018:20:17:29 +0100] - Error: betxnpreoperation plugin Auto Membership Plugin is not started
[13/Dec/2018:20:17:29 +0100] - Error: object plugin Class of Service is not started
[13/Dec/2018:20:17:29 +0100] - Error: preoperation plugin deref is not started
[13/Dec/2018:20:17:29 +0100] - Error: preoperation plugin HTTP Client is not started
[13/Dec/2018:20:17:29 +0100] - Error: database plugin ldbm database is not started
[13/Dec/2018:20:17:29 +0100] - Error: object plugin Legacy Replication Plugin is not started
[13/Dec/2018:20:17:29 +0100] - Error: betxnpreoperation plugin Linked Attributes is not started
[13/Dec/2018:20:17:29 +0100] - Error: betxnpreoperation plugin Managed Entries is not started
[13/Dec/2018:20:17:29 +0100] - Error: object plugin Multimaster Replication Plugin is not started
[13/Dec/2018:20:17:29 +0100] - Error: betxnpostoperation plugin referential integrity postoperation is not started
[13/Dec/2018:20:17:29 +0100] - Error: object plugin Roles Plugin is not started
[13/Dec/2018:20:17:29 +0100] - Error: object plugin Views is not started
[13/Dec/2018:20:17:29 +0100] - Error: extendedop plugin whoami is not started
Any idea what to do?
There is plenty of disk space and 2 GB RAM.
Thanks and best regards
Jan
4 years, 5 months
Multiple suppliers for a single consumer
by Leonard Lawton
Let's say I have nodes A and B set up in an MMR configuration (providers).
Is it possible to have node C configured as a consumer for both A and B?
I am wanting to have a high availability setup so node C still receives updates if one of the providers goes down.
4 years, 5 months