Problem browsing LDAP with Outlook
by Chris Bryant
When configuring Microsoft Outlook (not Outlook Express) to access an LDAP directory, there is an option to 'Enable Browsing (requires server support)'. If this option is chosen and the directory server supports it, then you should be able to open the LDAP address book and page up and down through the results. I have been unable to get this working properly with 389 DS.
When I try to browse from Outlook against the 389 DS directory, I am able to see the first page of results perfectly. However, if I move to the next page, only the first object returned will have any attributes included, and all of the rest of the objects in the page will have no attributes. I have a test perl script that duplicates this functionality as well.
I can get this to work properly with an older version of Netscape Directory Server, and I can get it working with OpenDS. Since 389 DS advertises support for the controls that are required for this to work, just like the other two servers, then I would expect it to work there also.
Has anyone out there gotten this to work with 389 DS? If so, can you share if there was anything special that you needed to do to get this to work? I'm trying to determine if this is a bug in the server, or if I'm just missing something in the configuration.
Thanks,
Chris
USA.NET
You Run Your Business. We'll Run Your Email.
This message is for the sole use of the intended recipient(s) and may contain confidential and/or privileged information of USA.NET, Inc. Any unauthorized review, use, copying, disclosure, or distribution is prohibited. If you are not the intended recipient, please immediately contact the sender by reply email and delete all copies of the original message.
3 years, 6 months
MemberOf group restrictions to a client system (server and client running CentOS 7)
by Janet Houser
Hi,
I'm new to 389-ds and last week downloaded and installed the software.
I have a running instance of the server, and I've added TLS/SSL. I've configured a CentOS 7 client to be able to query
the server using TLS/SSL, and all appears working.
I've created users and groups on the 389-ds server successfully. For each user and group, I've enabled posix attributes and my client
can see the unix users and groups using the "getent password" or "getent group" commands.
Now, here's where I'm getting tripped up..........
I need to limit which users have access to which systems. I've been trying to do this via memberOf group limitations.
I found the following online resource (https://thornelabs.net/2013/01/28/aix-restrict-server-login-via-ldap-grou...)
which is close enough to CentOS that the initial commands worked.
I enabled the MemberOf plugin and changed the attributes per the link, and restarted the system.
I created a test group (that I didn't enable a posix GID) and tried to add a single user via:
Right click on group -- > click Properties --> then Members --> click Add --> Search for user --> click Add.
When I try to go this route (which worked before enabling the memberOf plugin) it worked. Now it seems I get the error:
"Cannot save to directory server.
netscape.ldap.LDAPException: error resiult(65): Object class violation"
And the messages file throws the error (/var/log/dirsrv/slapd-<instancename>/errors:
"Entry "uid=test,ou=People,dc=int,dc=com" -- attribute "memberOf" not allowed
[17/Feb/2016:11:22:58 -0700] memberof-plugin - memberof_postop_modify: failed to add dn (cn=testgroup,ou=Groups,dc=int,dc=com) to target. Error (65)"
So it seems my server isn't quite using the memberOf plugin properly, but I'm not sure what else to enable. I'll have to solve this issue before
I even try to filter login access via groups on my client system.
I should mention that if I go under the advanced tab for one of the groups I created, I can add the the attribute "uniquemember", but I'm not sure what I
should set the "value" to be.
I've tried creating new users to see if I could set their "uniquemember" attributes, but no luck. It seems that I don't have the ability to set this attribute
on individual users, only groups.
This might not be the right road to head down when trying to restrict access to servers via groups, so I'm open to any suggestions.
Any suggestions would be appreciated.
3 years, 7 months
tls encryption and key changes: symmetric key failed to unwrap
by Jan Kowalsky
Hi all,
we have the following situation: An 389ds with tls/ssl configured whith
an certificate from letsencrypt.
Since letsencrypt is short-dated we have an automated update routine for
regenerating the cert8.db.
Now we have this sort of errors in changelog.
[01/Jun/2018:11:46:40 +0200] attrcrypt - attrcrypt_unwrap_key: failed to
unwrap key for cipher AES
[01/Jun/2018:11:46:40 +0200] attrcrypt - attrcrypt_cipher_init:
symmetric key failed to unwrap with the private key; Cert might have
been renewed since the key is wrapped. To recover the encrypted
contents, keep the wrapped symmetric key value.
[01/Jun/2018:11:46:40 +0200] attrcrypt - attrcrypt_unwrap_key: failed to
unwrap key for cipher 3DES
[01/Jun/2018:11:46:40 +0200] attrcrypt - attrcrypt_cipher_init:
symmetric key failed to unwrap with the private key; Cert might have
been renewed since the key is wrapped. To recover the encrypted
contents, keep the wrapped symmetric key value.
[01/Jun/2018:11:46:40 +0200] attrcrypt - All prepared ciphers are not
available. Please disable attribute encryption.
I never used attribute encryption and we don't need it at the moment.
But as far as I understand, it's based on the server private key. This
is the one we change every 60 days.
The best idea seems to disable attribute encryption (which doesn't make
much sense if the private key isn't password protected anyway).
Or is there any other way to deal with key changes?
Thanks and regards
Jan
5 years, 1 month
error moving an user
by Alberto Viana
Hey Guys,
389 version: 389-Directory/1.3.7.4.20170912git26a9426 B2017.255.1330
I'm trying to move one of my users to another OU and I see this kind of
error:
Error while moving entry
- [LDAP: error code 1 - Operations Error]
java.lang.Exception: [LDAP: error code 1 - Operations Error]
at
In the log I see:
[20/Mar/2018:14:12:27.172553808 -0300] - ERR - ldbm_back_modrdn -
SLAPI_PLUGIN_BE_TXN_POST_MODRDN_FN plugin returned error but did not set
SLAPI_RESULT_CODE
I thought that was related to my windows replication, but I disabled it and
I'm still getting the error.
Any clues?
5 years, 5 months
More meaningful failure messages when changing passwords
by Mitch Patenaude
Our organization’s security policies impose several constraints on password changes. There is a complexity requirement, and a ban on reuse of old passwords. I’ve gotten all of these requirements worked into the 389 server, but when the constraints aren’t met, the error message is very misleading and opaque:
Password change failed. Server message: Failed to update password
passwd: Authentication token is no longer valid; new one required
This results in a lot of support requests about the inability to change passwords. Is there any way to make the error messages a little more descriptive? We’re using pam_sss and sssd on Centos 7.x.
Thanks,
-- Mitch
5 years, 8 months
Problems with 389-ds-base-1.3.7.5-24.el7_5.x86_64 on EL7
by Orion Poplawski
After our EL7 IPA servers updated to 389-ds-base-1.3.7.5-24.el7_5.x86_64
yesterday, we saw ns-slapd eventually start consuming 100% cpu, eventually
failing to serve some requests, and eventually running out of file descriptors.
I've filed https://pagure.io/389-ds-base/issue/49815
You may want to proceed cautiously with this update. YMMV.
--
Orion Poplawski
Manager of NWRA Technical Systems 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion(a)nwra.com
Boulder, CO 80301 https://www.nwra.com/
5 years, 8 months
tunning DS for idle timeout exceeded
by Ghiurea, Isabella
Hi List
we are running 389-ds-base-1.3.5.15-1.fc24.x86_64 ( OS -FC24)
analyzing access log file today , I am seeing for each of the client T1 msg, our applications are using www pools connection to ldap we have a large number of hosts cfg for min and max pools size , most of connections are always in a open/idle state to be reused by the client.
Initial I had nssldap-idletimeout set to 120 sec, but today I went and increase by factor of 2 in hope to eliminate this T1 msg but no luck so far , the number of file descriptor is set to 4096.
Here is one sample from access log output, I 'm looking to get some input how to tune DS to eliminate T1 message
Client 6:......
88 - Connections
84 - T1 (Idle Timeout Exceeded)
[7] Client:
87 - Connections
84 - T1 (Idle Timeout Exceeded)
[8] Client:
74 - Connections
70 - T1 (Idle Timeout Exceeded)
Thank you
5 years, 8 months
Re: Master-slave replication procedure
by Thomas E Lackey
By happy timing, we (Bozeman Pass) just added one of our in-house tools for
configuring replication to GitHub: https://github.com/bozemanpass/replform.
We call it `replform` as a slight nod towards Hashicorp Terraform.
Obviously they are very different beasts, but what they have in common is
that you specify the infrastructure / topology that you want, and the tool
figures out what changes need to be made to make it happen (eg, create
replication accounts, replica entries, changelogs, agreements, initialize
the replicas, etc.)
Running `replform plan` will tell you what it intends to do and `replform
apply` will make it happen. It is safe to run over again, can handle adding
new hosts, etc.
It sounds like it might work for your case. There is more documentation and
a few examples at: https://github.com/bozemanpass/replform
--
Thomas E Lackey
P.S. Some additional notes and warnings: It supports build MMR or
supplier/consumer replication topologies (or some mix of the two), but not
"chaining" replication with hubs. The other is that while it handles the
removal of a consumer automatically, it does not do the RUV cleaning
necessary when removing a supplier. Lastly, `replform` also supports
pulling credentials for 'cn=repman' and 'cn=Directory Manager' out of
Hashicorp Vault, but that require some Vault tools we created that haven't
made their way into GitHub yet (though they likely will).
5 years, 8 months
Announcing 389 Directory Server 1.3.8.4
by Mark Reynolds
389 Directory Server 1.3.8.4
The 389 Directory Server team is proud to announce 389-ds-base version
1.3.8.4
Fedora packages are available on Fedora 27.
https://koji.fedoraproject.org/koji/taskinfo?taskID=27769199
<https://koji.fedoraproject.org/koji/taskinfo?taskID=27769199>
https://bodhi.fedoraproject.org/updates/FEDORA-2018-84c640b8fa
<https://bodhi.fedoraproject.org/updates/FEDORA-2018-84c640b8fa>
The new packages and versions are:
* 389-ds-base-1.3.8.4-1
Source tarballs are available for download at Download
389-ds-base Source
<https://releases.pagure.org/389-ds-base/389-ds-base-1.3.8.4.tar.bz2>
Highlights in 1.3.8.4
* Bug fixes
Installation and Upgrade
See Download <http://www.port389.org/docs/389ds/download.html> for
information about setting up your yum repositories.
To install, use *yum install 389-ds* yum install 389-ds After install
completes, run *setup-ds-admin.pl* if you have 389-admin installed,
otherwise please run *setup-ds.pl* to set up your directory server.
To upgrade, use *yum upgrade* yum upgrade After upgrade completes, run
*setup-ds-admin.pl -u* if you have 389-admin installed, otherwise please
run *setup-ds.pl* to update your directory server/admin
server/console information.
See Install_Guide
<http://www.port389.org/docs/389ds/legacy/install-guide.html> for more
information about the initial installation, setup, and upgrade
See Source <http://www.port389.org/docs/389ds/development/source.html>
for information about source tarballs and SCM (git) access.
Feedback
We are very interested in your feedback!
Please provide feedback and comments to the 389-users mailing list:
https://lists.fedoraproject.org/admin/lists/389-users.lists.fedoraproject...
If you find a bug, or would like to see a new feature, file it in our
Pagure project: https://pagure.io/389-ds-base
* Bump version to 1.3.8.4
* Ticket 49751 - passwordMustChange attribute is not honored by a RO
consumer if using “Chain on Update”
* Ticket 49734 - Fix various issues with Disk Monitoring
* Ticket 49788 - Fixing 4-byte UTF-8 character validation
5 years, 9 months
Re: Master-slave replication procedure
by Mark Reynolds
On 06/19/2018 05:45 PM, Michal Medvecky wrote:
>
>> 19. 6. 2018 v 23:08, Mark Reynolds <mreynolds(a)redhat.com
>> <mailto:mreynolds@redhat.com>>:
>>
>>> 2) create LDAP entry:
>>> dn: cn=replica,cn=“dc=test,dc=com”,cn=mapping tree,cn=config;
>>> nsds5replicaroot: “dc=test,dc=com"
>>> nsds5replicaid: "{{ range(1,65530) | random }}"
>> If these are read-only consumers the replica ID must be 65535 (for
>> all of them) - not a random number. Only masters get unique replica
>> IDs. This is probably your problem. Fix this first, and if you still
>> have problems then turn on replication error logging and share the
>> results.
>
> Changing to 65535 did not help. The results are the same.
Then please turn on replication error logging and share the logging
results.
>
> Michal
5 years, 9 months