I'm new to 389-ds and last week downloaded and installed the software.
I have a running instance of the server, and I've added TLS/SSL. I've configured a CentOS 7 client to be able to query
the server using TLS/SSL, and all appears working.
I've created users and groups on the 389-ds server successfully. For each user and group, I've enabled posix attributes and my client
can see the unix users and groups using the "getent password" or "getent group" commands.
Now, here's where I'm getting tripped up..........
I need to limit which users have access to which systems. I've been trying to do this via memberOf group limitations.
I found the following online resource (https://thornelabs.net/2013/01/28/aix-restrict-server-login-via-ldap-grou...)
which is close enough to CentOS that the initial commands worked.
I enabled the MemberOf plugin and changed the attributes per the link, and restarted the system.
I created a test group (that I didn't enable a posix GID) and tried to add a single user via:
Right click on group -- > click Properties --> then Members --> click Add --> Search for user --> click Add.
When I try to go this route (which worked before enabling the memberOf plugin) it worked. Now it seems I get the error:
"Cannot save to directory server.
netscape.ldap.LDAPException: error resiult(65): Object class violation"
And the messages file throws the error (/var/log/dirsrv/slapd-<instancename>/errors:
"Entry "uid=test,ou=People,dc=int,dc=com" -- attribute "memberOf" not allowed
[17/Feb/2016:11:22:58 -0700] memberof-plugin - memberof_postop_modify: failed to add dn (cn=testgroup,ou=Groups,dc=int,dc=com) to target. Error (65)"
So it seems my server isn't quite using the memberOf plugin properly, but I'm not sure what else to enable. I'll have to solve this issue before
I even try to filter login access via groups on my client system.
I should mention that if I go under the advanced tab for one of the groups I created, I can add the the attribute "uniquemember", but I'm not sure what I
should set the "value" to be.
I've tried creating new users to see if I could set their "uniquemember" attributes, but no luck. It seems that I don't have the ability to set this attribute
on individual users, only groups.
This might not be the right road to head down when trying to restrict access to servers via groups, so I'm open to any suggestions.
Any suggestions would be appreciated.
I’ve set up a new 389 DS cluster (389-Directory/184.108.40.206 B2018.016.1710) and have set up a replication agreement from our old cluster (389-Directory/220.127.116.11 B2014.300.2010) to a master node in the new cluster. Problem is that updates in the old cluster take up to 15 mins to make it into the new cluster. We need it to be near instantaneous, like it normally is. Any ideas what I can check?
Thanks a lot,
Senior Programmer Analyst
Information Technology | Engage. Envision. Enable.
The University of British Columbia
trevor.fong(a)ubc.ca<mailto:firstname.lastname@example.org> | 1-604-827-5247<tel:604-827-5247> | it.ubc.ca<http://it.ubc.ca>
I've been looking through the archives for information, but I haven't stumbled on a solution to my problem.
I'm running ds-389 (389-ds-base-18.104.22.168) on a centos 7 box (CentOS Linux release 7.2.1511). I have a centos OS client configured using SSL/TLS
which queries the LDAP server. Per a previous thread, I configured the memeberOf plugin and all seems to be working properly.
I have a php script that will run on the client and change the LDAP password for the user. The problem is, the script looks for the SSHA has
of the password when an ldapsearch is issued.
However, when I issue a general ldapsearch (anonymously) I don't get the userpassword field. I read in your archives that I might have
to be the "directory manager" user in order to see the hashed password. I've been playing around with the ldapsearch syntax, but I can't
quite get it right.
Anyway, my question is, can I set a flag in 389-ds that will display the hashed userpassword? I think that will solve my problem with the php script returning an error that it can't retrieve the old password.
I need one specific attribute to be hidden for anyone but one group.
I've tested this one:
(targetattr = "myCustomAttr") (version 3.0; acl "deny all but admins"; deny (all) groupdn != "ldap:///cn=admins,ou=Groups,dc=company,dc=global";)
and seems to work.
Is this the right way to do it?
Can I face any side effects?
I have inherited a 389 LDAP environment, which is running on RHEL
5.5 server. There are two RHEL 5.5 servers in the LDAP environment (389ds1
Currently the directory is only on one system as the replication hasn't
been working for aprox a year (yikes!!!) I am trying to create a
replication agreement between two servers. When I add the replication
agreement I receive an error " LDAP server is unwilling to perform"
My thought is before I introduce a newer version of the LDAP I should try
to get the replication between the two existing servers working.
Any thoughts on where to begin troubleshooting this? I am a 389 LDAP
On 02/27/2018 03:15 PM, Alberto Viana wrote:
> Hey Mark,
> Another question, what is the right way to disable a subtree policty
> (could not found anything in the docs, even the RHDS)?
> Just delete the policy entry (nsPwPolicyEntry and nsPwTemplateEntry)?
Correct, it can not be turned off. It exists or doesn't. When it's not
present the global policy takes effect.
> And once I did that, the global policy takes over?
> On Tue, Feb 27, 2018 at 4:59 PM, Mark Reynolds <mreynolds(a)redhat.com
> <mailto:email@example.com>> wrote:
> On 02/27/2018 02:30 PM, Alberto Viana wrote:
>> Thanks a lot.
> No problem Alberto!
>> On Tue, Feb 27, 2018 at 4:28 PM, Mark Reynolds
>> <mreynolds(a)redhat.com <mailto:firstname.lastname@example.org>> wrote:
>> On 02/27/2018 02:22 PM, Alberto Viana wrote:
>>> I think I was not clear enough,
>>> I have 2 users under cn=config (my replication users) under
>>> dn: cn=config
>>> If I set a global password policy, this policy applies to
>>> these users?
>> Yes it does
>>> On Tue, Feb 27, 2018 at 3:58 PM, Mark Reynolds
>>> <mreynolds(a)redhat.com <mailto:email@example.com>> wrote:
>>> Correct, all the "global" password policy settings are
>>> stored in the cn=config entry.
>>> On 02/27/2018 01:24 PM, Alberto Viana wrote:
>>>> Hi guys,
>>>> When I enable global password policy, is that suppose
>>>> to affect cn=config?
>>>> I Just want to confirm that.
>>>> 389-users mailing list -- 389-users(a)lists.fedoraproject.org
>>>> To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org
On 02/27/2018 02:22 PM, Alberto Viana wrote:
> I think I was not clear enough,
> I have 2 users under cn=config (my replication users) under dn: cn=config
> If I set a global password policy, this policy applies to these users?
Yes it does
> On Tue, Feb 27, 2018 at 3:58 PM, Mark Reynolds <mreynolds(a)redhat.com
> <mailto:firstname.lastname@example.org>> wrote:
> Correct, all the "global" password policy settings are stored in
> the cn=config entry.
> On 02/27/2018 01:24 PM, Alberto Viana wrote:
>> Hi guys,
>> When I enable global password policy, is that suppose to affect
>> I Just want to confirm that.
>> 389-users mailing list -- 389-users(a)lists.fedoraproject.org
>> To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org
We have recently setup a new 389 directory server.
One of our problems is to maintain user's accounts. Once we find
proposed accounts for deletion i.e user has retired etc, we want to sent
him an email, inform him that his account will be inactive in 30 days.
Once 30 days are gone, then the account is disabled, for another 30
days and then removed.
Are there any plugins that can help us to achieve the above scenario,
whole or partially?
Thank you in advance
We are in the process of renewing the certificates of our two 389DS
servers which sync through multimaster replication.
We are currently using a self-signed certificate shared between the two
Our topology is like this:
HAProxy : ldap.example.com for load balancing
LDAP1 : ldap1.example.com
LDAP2 : ldap2.example.com
Connections are made from clients to ldaps://ldap.example.com which
sends requests to either ldap1 or ldap2
Following the 'SSL howto'  we would like to have separate 'real'
certificates for the two servers.
If I'm not wrong, the certificate signing requests should be created in
each of the two 'real' servers for their real name and adding
ldap.example.com as subjectaltname.
Is that correct?
If yes, then I have another question: having the two certificates it is
not important which one clients use, is it?