Problem browsing LDAP with Outlook
by Chris Bryant
When configuring Microsoft Outlook (not Outlook Express) to access an LDAP directory, there is an option to 'Enable Browsing (requires server support)'. If this option is chosen and the directory server supports it, then you should be able to open the LDAP address book and page up and down through the results. I have been unable to get this working properly with 389 DS.
When I try to browse from Outlook against the 389 DS directory, I am able to see the first page of results perfectly. However, if I move to the next page, only the first object returned will have any attributes included, and all of the rest of the objects in the page will have no attributes. I have a test perl script that duplicates this functionality as well.
I can get this to work properly with an older version of Netscape Directory Server, and I can get it working with OpenDS. Since 389 DS advertises support for the controls that are required for this to work, just like the other two servers, I would expect it to work there also.
Has anyone out there gotten this to work with 389 DS? If so, can you share if there was anything special that you needed to do to get this to work? I'm trying to determine if this is a bug in the server, or if I'm just missing something in the configuration.
Thanks,
Chris
USA.NET
3 years, 3 months
MemberOf group restrictions to a client system (server and client running CentOS 7)
by Janet Houser
Hi,
I'm new to 389-ds and last week downloaded and installed the software.
I have a running instance of the server, and I've added TLS/SSL. I've configured a CentOS 7 client to be able to query
the server using TLS/SSL, and all appears working.
I've created users and groups on the 389-ds server successfully. For each user and group, I've enabled posix attributes and my client can see the unix users and groups using the "getent passwd" or "getent group" commands.
Now, here's where I'm getting tripped up...
I need to limit which users have access to which systems. I've been trying to do this via memberOf group limitations.
I found the following online resource (https://thornelabs.net/2013/01/28/aix-restrict-server-login-via-ldap-grou...)
which is close enough to CentOS that the initial commands worked.
I enabled the MemberOf plugin and changed the attributes per the link, and restarted the system.
I created a test group (for which I didn't enable a posix GID) and tried to add a single user via:
Right click on group -- > click Properties --> then Members --> click Add --> Search for user --> click Add.
This route worked before I enabled the memberOf plugin; now I get the error:
"Cannot save to directory server.
netscape.ldap.LDAPException: error result(65): Object class violation"
And the errors log (/var/log/dirsrv/slapd-<instancename>/errors) shows:
"Entry "uid=test,ou=People,dc=int,dc=com" -- attribute "memberOf" not allowed
[17/Feb/2016:11:22:58 -0700] memberof-plugin - memberof_postop_modify: failed to add dn (cn=testgroup,ou=Groups,dc=int,dc=com) to target. Error (65)"
So it seems my server isn't quite using the memberOf plugin properly, but I'm not sure what else to enable. I'll have to solve this issue before
I even try to filter login access via groups on my client system.
I should mention that if I go under the advanced tab for one of the groups I created, I can add the attribute "uniquemember", but I'm not sure what I should set the "value" to be.
I've tried creating new users to see if I could set their "uniquemember" attributes, but no luck. It seems that I don't have the ability to set this attribute
on individual users, only groups.
This might not be the right road to head down when trying to restrict access to servers via groups, so I'm open to any suggestions.
Any suggestions would be appreciated.
3 years, 4 months
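The errors log quoted above describes a schema problem rather than a plugin problem: the MemberOf plugin did try to write memberOf into uid=test,ou=People,dc=int,dc=com, and the server rejected the write because none of that user's object classes allow the memberOf attribute. The LDIF below is an added illustration of the two usual fixes; it is not taken from the original post or from the 389 DS documentation. The plugin DN, suffix and entry DNs are the ones in the post; that the poster's 389-ds-base build (1.3.x on CentOS 7) already has the memberOfAutoAddOC plugin setting is an assumption. The value of uniqueMember on a group is simply the full DN of the member entry.

```ldif
# Fix 1: tell the plugin to add the nsMemberOf auxiliary object class to any
# entry it needs to write memberOf into, and pin the attribute names it uses.
# Apply with ldapmodify as cn=Directory Manager, then restart the instance.
dn: cn=MemberOf Plugin,cn=plugins,cn=config
changetype: modify
replace: memberOfAutoAddOC
memberOfAutoAddOC: nsMemberOf
-
replace: memberOfGroupAttr
memberOfGroupAttr: uniqueMember
-
replace: memberOfAttr
memberOfAttr: memberOf

# Fix 2 (alternative): give the affected users the object class by hand.
dn: uid=test,ou=People,dc=int,dc=com
changetype: modify
add: objectClass
objectClass: nsMemberOf

# The group side: uniqueMember holds the DN of each member entry.
dn: cn=testgroup,ou=Groups,dc=int,dc=com
changetype: modify
add: uniqueMember
uniqueMember: uid=test,ou=People,dc=int,dc=com
```

Memberships that existed before the plugin could write memberOf are not backfilled automatically; run the plugin's fixup task (fixup-memberof.pl in the 1.3.x instance script directory) once after the change so that memberOf on existing users matches the groups.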
error moving a user
by Alberto Viana
Hey Guys,
389 version: 389-Directory/1.3.7.4.20170912git26a9426 B2017.255.1330
I'm trying to move one of my users to another OU and I see this kind of error:
Error while moving entry
- [LDAP: error code 1 - Operations Error]
java.lang.Exception: [LDAP: error code 1 - Operations Error]
at
In the log I see:
[20/Mar/2018:14:12:27.172553808 -0300] - ERR - ldbm_back_modrdn - SLAPI_PLUGIN_BE_TXN_POST_MODRDN_FN plugin returned error but did not set SLAPI_RESULT_CODE
I thought that was related to my windows replication, but I disabled it and I'm still getting the error.
Any clues?
5 years, 1 month
Replication Delay
by Fong, Trevor
Hi Everyone,
I’ve set up a new 389 DS cluster (389-Directory/1.3.6.1 B2018.016.1710) and have set up a replication agreement from our old cluster (389-Directory/1.2.11.15 B2014.300.2010) to a master node in the new cluster. The problem is that updates in the old cluster take up to 15 mins to make it into the new cluster. We need it to be near instantaneous, like it normally is. Any ideas what I can check?
Thanks a lot,
Trev
_________________________________________________
Trevor Fong
Senior Programmer Analyst
Information Technology | Engage. Envision. Enable.
The University of British Columbia
trevor.fong(a)ubc.ca | 1-604-827-5247 | it.ubc.ca
5 years, 6 months
ldapsearch doesn't return the userpassword field
by Janet Houser
Hi,
I've been looking through the archives for information, but I haven't stumbled on a solution to my problem.
I'm running ds-389 (389-ds-base-1.3.4.0) on a centos 7 box (CentOS Linux release 7.2.1511). I have a centos OS client configured using SSL/TLS which queries the LDAP server. Per a previous thread, I configured the memberOf plugin and all seems to be working properly.
I have a php script that will run on the client and change the LDAP password for the user. The problem is, the script looks for the SSHA hash of the password when an ldapsearch is issued.
However, when I issue a general ldapsearch (anonymously) I don't get the userpassword field. I read in your archives that I might have to be the "directory manager" user in order to see the hashed password. I've been playing around with the ldapsearch syntax, but I can't quite get it right.
Anyway, my question is, can I set a flag in 389-ds that will display the hashed userpassword? I think that will solve my problem with the php script returning an error that it can't retrieve the old password.
Thanks,
5 years, 6 months
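Anonymous searches do not get userPassword because the stock 389 DS "Enable anonymous access" ACI is written as (targetattr != "userPassword"), which grants anonymous read on everything except that attribute. The fix a practitioner would want is not to open that ACI up (that hands every password hash to anyone who can reach port 389/636), but to bind the script as a dedicated account and grant that one account read access. The LDIF below is an added example, not code from the original post or from the 389 DS project; the suffix dc=example,dc=com and the service account uid=pwchanger,ou=Special Users,dc=example,dc=com are hypothetical names.

```ldif
# Add an ACI on the container that holds the users so that only the script's
# bind identity can read userPassword. Apply as cn=Directory Manager.
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "userPassword")
 (version 3.0; acl "pwchanger may read password hashes";
 allow (read, search, compare)
 userdn = "ldap:///uid=pwchanger,ou=Special Users,dc=example,dc=com";)

# The script then binds as that account (over TLS) before searching, e.g.
# ldapsearch -ZZ -D "uid=pwchanger,ou=Special Users,dc=example,dc=com" -W \
#   -b "ou=People,dc=example,dc=com" "(uid=jdoe)" userPassword
```

A simpler design avoids reading the hash at all: 389 DS implements the LDAP Password Modify extended operation (RFC 3062), so the script can bind as the user, submit old and new password in one request (ldappasswd -a old -s new, or the equivalent extended-operation call in PHP's ldap extension), and let the server do the old-password check itself. Then no account needs read access to userPassword.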
Using PBKDF2_SHA256 Hashes
by Joe Cooter
Hi,
I’m attempting to build an application using the userPassword attribute, with hashes stored using PBKDF2_SHA256. However, using the passlib hash library for pbkdf2_sha256 is complaining about a malformed hash. Looking at the hash, it appears that there aren’t any delimiters between the salt, iterations, etc.
Is there some additional encoding happening on the userPassword attribute?
5 years, 8 months
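The value is not malformed; it is in a layout passlib does not know. The 389 DS pwdstorage plugin stores {PBKDF2_SHA256} as the scheme tag followed by base64 of a single binary blob: a 4-byte big-endian iteration count, a 64-byte salt and the 256-byte PBKDF2-HMAC-SHA256 output, with no separators, whereas passlib's pbkdf2_sha256 wants the "$pbkdf2-sha256$rounds$salt$hash" form. The Python below is an added example, not code from the original post, from passlib or from 389-ds-base; it encodes, parses and verifies values in that layout. The iteration count used is a parameter of the example, not a claim about the server's default. To my knowledge, newer 389 DS releases also offer a separate {PBKDF2-SHA256} scheme (hyphen, not underscore) in the passlib-compatible format, which is the one to pick if you want to share hashes with passlib directly.

```python
# Added example (not from the original post, passlib, or 389-ds-base).
# Layout of a 389 DS {PBKDF2_SHA256} userPassword value:
#     {PBKDF2_SHA256} + base64( iterations || salt || derived_key )
# iterations: 4-byte big-endian uint32, salt: 64 bytes, derived_key: 256 bytes
# (PBKDF2-HMAC-SHA256 with dkLen = 256), 324 bytes in total, no delimiters.
import base64
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

SCHEME = "{PBKDF2_SHA256}"
ITER_LEN = 4          # big-endian uint32
SALT_LEN = 64
KEY_LEN = 256         # PBKDF2 dkLen in bytes
BLOB_LEN = ITER_LEN + SALT_LEN + KEY_LEN   # 324


def encode_389_pbkdf2(password: str, iterations: int = 10000,
                      salt: Optional[bytes] = None) -> str:
    """Produce a value in the 389 DS {PBKDF2_SHA256} layout.

    The default iteration count is this example's choice, not the server's.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly %d bytes" % SALT_LEN)
    if not 1 <= iterations <= 0xFFFFFFFF:
        raise ValueError("iterations must fit in an unsigned 32-bit integer")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=KEY_LEN)
    blob = struct.pack(">I", iterations) + salt + dk
    return SCHEME + base64.b64encode(blob).decode("ascii")


def parse_389_pbkdf2(stored: str) -> Tuple[int, bytes, bytes]:
    """Split a stored value into (iterations, salt, derived_key).

    Raises ValueError for anything not in the 389 DS layout, which includes
    a passlib-style "$pbkdf2-sha256$..." string.
    """
    if not stored.startswith(SCHEME):
        raise ValueError("not a %s value" % SCHEME)
    try:
        blob = base64.b64decode(stored[len(SCHEME):], validate=True)
    except ValueError as exc:   # binascii.Error is a ValueError subclass
        raise ValueError("invalid base64 payload") from exc
    if len(blob) != BLOB_LEN:
        raise ValueError("payload is %d bytes, expected %d" % (len(blob), BLOB_LEN))
    iterations = struct.unpack(">I", blob[:ITER_LEN])[0]
    salt = blob[ITER_LEN:ITER_LEN + SALT_LEN]
    dk = blob[ITER_LEN + SALT_LEN:]
    if iterations == 0:
        raise ValueError("iteration count of zero")
    return iterations, salt, dk


def verify_389_pbkdf2(stored: str, password: str) -> bool:
    """Recompute the derived key from the stored parameters and compare in
    constant time. The iteration count is taken from the stored value, so
    hashes produced with any count verify without configuration."""
    iterations, salt, dk = parse_389_pbkdf2(stored)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=KEY_LEN)
    return hmac.compare_digest(candidate, dk)


if __name__ == "__main__":
    value = encode_389_pbkdf2("correct horse battery staple", iterations=5000)
    print(value)                                   # 15-char tag + 432 base64 chars
    print(parse_389_pbkdf2(value)[0])              # 5000
    print(verify_389_pbkdf2(value, "correct horse battery staple"))  # True
    print(verify_389_pbkdf2(value, "wrong"))       # False
```

If the application only needs to check passwords, the cleaner option is an LDAP bind (or the Password Modify extended operation for changes) and never reading userPassword at all; the parser above is for the case where the hashes genuinely have to be consumed outside the directory, for instance during a migration.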
a replication problem
by Sergei Gerasenko
Hi guys,
I ran into a rather significant problem. I needed to rebuild two nodes in my topology and re-include them under the same hostnames. What I’m seeing now is that the replication to these new nodes is broken. Replication from them seems to work. I suspect that we have some stale metadata somewhere in the topology whereby the old nodes are still present somewhere in the agreements under other ids?
What’s the best way to troubleshoot this?
Thanks again,
Sergei
5 years, 8 months
Re: replication question
by Mark Reynolds
On 03/23/2018 09:05 AM, JESSE LUNT wrote:
> Here is the dse.ldif on 389ds2 (strange that it is in a slapd-389ds1
> directory, I thought it was supposed to create a directory named
> slapd-hostname. Could this server be a clone? )
Perhaps, but you can name an instance anything you want.
I see a problem here:
dn: cn=replica,cn=dc\3Dnorthshore\2Cdc\3Dedu,cn=mapping tree,cn=config
...
...
nsDS5ReplicaBindDN: cn=directory manager
nsDS5ReplicaBindDN needs to be one of the replication managers (you have
two) - it should not be the "Directory Manager":
uid=rmanager,cn=config or uid=RManager2,cn=config
Then on the replication agreement(s) on 389ds1, make sure the agreement
bind dn (and credentials) is for one of these replication managers.
Fix this first, and let's see what happens.
Mark
> On Thu, Mar 22, 2018 at 4:08 PM, Mark Reynolds <mreynolds(a)redhat.com> wrote:
>
> On 03/22/2018 04:04 PM, JESSE LUNT wrote:
>> When I access the 389ds2 using an ldap browser, I still do not
>> see the user Root database. However, would I see it if it hasn't
>> finished initializing?
> You said you already created the userRoot database on 389ds2, so
> you are saying you don't see it anymore?
>
> Any chance I could see the dse.ldif from 389ds2? Perhaps 389ds2
> is not properly configured?
>
> Anyway you need to look at the logs next to figure out why the
> initialization is not occurring. The access log should show a
> connection coming from 389ds1, and it binding as your replication
> manager. The errors log might also have useful info (on either
> server).
>
> Mark
>>
>> Jesse
>>
>> Sent from my iPhone
>>
>> On Mar 22, 2018, at 1:30 PM, Mark Reynolds <mreynolds(a)redhat.com> wrote:
>>
>>> How many entries are in the 389ds1?
>>>
>>> You need to look at the access/errors logs on 389ds2 to see if
>>> 389ds1 is making contact and what is it doing.
>>>
>>> It's also possible it finished initializing. Are there any
>>> entries on 389ds2? If you make an update on 389ds1 does it
>>> appear on 389ds2?
>>>
>>> On 03/22/2018 12:51 PM, JESSE LUNT wrote:
>>>> Hello,
>>>>
>>>> I am trying to replicate my userRoot database to another
>>>> 389LDAP server (supplier: 389ds1, consumer: 389ds2). The
>>>> database on the supplier has not been replicated to any server
>>>> for more than 2 years. (yikes!!!).
>>>>
>>>> I have been successful in backing up the database in question,
>>>> and am now trying to create a replica agreement. I created the
>>>> root suffix on the consumer side (389ds2) and then created a
>>>> replication agreement from the admin console. The admin console
>>>> has been in the state of wait while consumer is initialized.
>>>>
>>>> Here is the output from the repl-monitor script
>>>>
>>>> Enter password for (:): Master: 389ds1.northshore.edu:389 ldap://389ds1.northshore.edu:389/
>>>> Replica ID: 1212
>>>> Replica Root: dc=northshore,dc=edu
>>>> Max CSN: 5ab3dd8f000004bc0000 (03/22/2018 12:45:03)
>>>> Use of uninitialized value in string at /usr/bin/repl-monitor.pl line 814, <> line 1.
>>>> Use of uninitialized value in join or string at /usr/bin/repl-monitor.pl line 1151, <> line 1.
>>>> Receiver: 389ds2.northshore.edu:389 ldap://389ds2.northshore.edu:389/
>>>> Type: consumer
>>>> Time Lag: - ?:??:??
>>>> Max CSN: none
>>>> Use of uninitialized value in concatenation (.) or string at /usr/bin/repl-monitor.pl line 855, <> line 1.
>>>> Last Modify Time:
>>>> Supplier: 389ds1.northshore.edu:389
>>>> Sent/Skipped: 0 / 0
>>>> Update Status: 0 Replica acquired successfully: Incremental update started
>>>> Update Started: 03/22/2018 12:45:01
>>>> Update Ended: 03/22/2018 12:45:01
>>>> Schedule: always in sync
>>>> SSL: n
>>>> Replica ID: 1971
>>>> Replica Root: o=netscaperoot
>>>> Max CSN: 5ab1364d000407b30000 (03/20/2018 12:26:53 4 0)
>>>> Receiver: 389ds2.northshore.edu:389 ldap://389ds2.northshore.edu:389/
>>>> Type: consumer
>>>> Time Lag: 0:00:00
>>>> Max CSN: 5ab1364d000407b30000 (03/20/2018 12:26:53 4 0)
>>>> Last Modify Time: 3/20/2018 12:26:52
>>>> Supplier: 389ds1.northshore.edu:389
>>>> Sent/Skipped: 0 / 0
>>>> Update Status: 0 Replica acquired successfully: Incremental update succeeded
>>>> Update Started: 03/20/2018 13:58:15
>>>> Update Ended: 03/20/2018 13:58:15
>>>> Schedule: always in sync
>>>> SSL: n
>>>>
>>>> My question is... is this hung or is the replication
>>>> initialization going to take days because of how long it has
>>>> been since it has replicated the database?
>>>>
>>>> Thanks,
>>>>
>>>> Jesse
>
> --
> Jesse Lunt
> Director of Network and User Services
> Office of Information Services
> North Shore Community College
> (978)-762-4014
5 years, 8 months
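Mark's point deserves spelling out for anyone with the same dse.ldif: the replica entry on the consumer names the identity that is allowed to push updates into it, and the agreement on the supplier must bind as that same identity. Using cn=Directory Manager there works mechanically but is a bad idea, because the agreement stores its bind credentials in the supplier's dse.ldif in reversible form, so anyone who can read that file learns the directory superuser's password, and a replication peer that binds as Directory Manager bypasses every ACI. The LDIF below is an added example, not taken from the thread; it uses the replica DN and the uid=rmanager,cn=config manager that appear in the thread, while the agreement name "to389ds2" and the placeholder password are hypothetical.

```ldif
# 1. On the consumer (389ds2): accept updates from the replication manager
#    instead of cn=Directory Manager. Apply as cn=Directory Manager.
dn: cn=replica,cn=dc\3Dnorthshore\2Cdc\3Dedu,cn=mapping tree,cn=config
changetype: modify
replace: nsDS5ReplicaBindDN
nsDS5ReplicaBindDN: uid=rmanager,cn=config

# 2. On the supplier (389ds1): make the agreement bind as the same identity,
#    with that account's password (its userPassword under cn=config).
dn: cn=to389ds2,cn=replica,cn=dc\3Dnorthshore\2Cdc\3Dedu,cn=mapping tree,cn=config
changetype: modify
replace: nsDS5ReplicaBindDN
nsDS5ReplicaBindDN: uid=rmanager,cn=config
-
replace: nsDS5ReplicaCredentials
nsDS5ReplicaCredentials: <replication manager password>
-
replace: nsDS5ReplicaBindMethod
nsDS5ReplicaBindMethod: SIMPLE

# 3. On the supplier: start the consumer initialization again.
dn: cn=to389ds2,cn=replica,cn=dc\3Dnorthshore\2Cdc\3Dedu,cn=mapping tree,cn=config
changetype: modify
replace: nsds5BeginReplicaRefresh
nsds5BeginReplicaRefresh: start
```

After step 3, the consumer's access log should show a BIND from 389ds1 as uid=rmanager,cn=config followed by the bulk import; the agreement's nsds5ReplicaLastInitStatus attribute on the supplier reports whether the initialization succeeded. A SIMPLE bind over a plain port carries that password in the clear, so in production the agreement should use nsDS5ReplicaTransportInfo: LDAPS (or TLS) as well.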
replication question
by JESSE LUNT
Hello,
I am trying to replicate my userRoot database to another 389LDAP
server (supplier: 389ds1, consumer: 389ds2). The database on the supplier
has not been replicated to any server for more than 2 years. (yikes!!!).
I have been successful in backing up the database in question, and am now
trying to create a replica agreement. I created the root suffix on the
consumer side (389ds2) and then created a replication agreement from the
admin console. The admin console has been in the state of wait while
consumer is initialized.
Here is the output from the repl-monitor script
Enter password for (:): Master: 389ds1.northshore.edu:389 ldap://389ds1.northshore.edu:389/
Replica ID: 1212
Replica Root: dc=northshore,dc=edu
Max CSN: 5ab3dd8f000004bc0000 (03/22/2018 12:45:03)
Use of uninitialized value in string at /usr/bin/repl-monitor.pl line 814, <> line 1.
Use of uninitialized value in join or string at /usr/bin/repl-monitor.pl line 1151, <> line 1.
Receiver: 389ds2.northshore.edu:389 ldap://389ds2.northshore.edu:389/
Type: consumer
Time Lag: - ?:??:??
Max CSN: none
Use of uninitialized value in concatenation (.) or string at /usr/bin/repl-monitor.pl line 855, <> line 1.
Last Modify Time:
Supplier: 389ds1.northshore.edu:389
Sent/Skipped: 0 / 0
Update Status: 0 Replica acquired successfully: Incremental update started
Update Started: 03/22/2018 12:45:01
Update Ended: 03/22/2018 12:45:01
Schedule: always in sync
SSL: n
Replica ID: 1971
Replica Root: o=netscaperoot
Max CSN: 5ab1364d000407b30000 (03/20/2018 12:26:53 4 0)
Receiver: 389ds2.northshore.edu:389 ldap://389ds2.northshore.edu:389/
Type: consumer
Time Lag: 0:00:00
Max CSN: 5ab1364d000407b30000 (03/20/2018 12:26:53 4 0)
Last Modify Time: 3/20/2018 12:26:52
Supplier: 389ds1.northshore.edu:389
Sent/Skipped: 0 / 0
Update Status: 0 Replica acquired successfully: Incremental update succeeded
Update Started: 03/20/2018 13:58:15
Update Ended: 03/20/2018 13:58:15
Schedule: always in sync
SSL: n
My question is... is this hung or is the replication initialization going
to take days because of how long it has been since it has replicated the
database?
--
Thanks,
Jesse
5 years, 8 months
use GSSAPI behind a haproxy
by Alex M
Hello!
I'm trying setup balancing freeipa with haproxy, using this article: http://directory.fedoraproject.org/docs/389ds/howto/howto-loadbalance-gss...,
On this step:
-------
On the ldap1 server you should extract this keytab:
kinit <account with admins privilige>
ipa-getkeytab -s dc.ipa.example.com -p ldap/haproxydemo.ipa.example.com -k /etc/dirsrv/slapd-localhost/ldap.keytab --retrieve
Important is the --retrieve flag to prevent the keytab contents changing.
------
First, I got a "failed to parse result insufficient access rights" error.
After:
ipa service-allow-retrieve-keytab ldap/haproxydemo.ipa.example.com --groups=admins
I get the following error:
Failed to parse result: krbPrincipalKey not found
So I ran it without the -r flag, and it succeeded.
Then I added KRB5_KTNAME=/etc/dirsrv/slapd-localhost/ldap.keytab to /etc/sysconfig/dirsrv-<instance>.
After this FreeIPA fails to start.
In my setup, haproxydemo.ipa.example.com is the haproxy host (with ipa client, A/PTR records).
ldap1.ipa.example.com (ldap2, ldap3) are working FreeIPA replicas.
Any advice on what I am doing wrong?
Host OS: Fedora Server 25
FreeIPA: VERSION: 4.5.4, API_VERSION: 2.228
rpm -qi 389-ds-base
Name    : 389-ds-base
Version : 1.3.5.18
Release : 1.fc25
5 years, 8 months