389-users September 2018

389-users@lists.fedoraproject.org

14 participants
15 discussions

Problem browsing LDAP with Outlook
by Chris Bryant 26 Aug '20

26 Aug '20

When configuring Microsoft Outlook (not Outlook Express) to access an LDAP directory, there is an option to 'Enable Browsing (requires server support)'. If this option is chosen and the directory server supports it, then you should be able to open the LDAP address book and page up and down through the results. I have been unable to get this working properly with 389 DS. When I try to browse from Outlook against the 389 DS directory, I am able to see the first page of results perfectly. However, if I move to the next page, only the first object returned will have any attributes included, and all of the rest of the objects in the page will have no attributes. I have a test perl script that duplicates this functionality as well. I can get this to work properly with an older version of Netscape Directory Server, and I can get it working with OpenDS. Since 389 DS advertises support for the controls that are required for this to work, just like the other two servers, then I would expect it to work there also. Has anyone out there gotten this to work with 389 DS? If so, can you share if there was anything special that you needed to do to get this to work? I'm trying to determine if this is a bug in the server, or if I'm just missing something in the configuration. Thanks, Chris USA.NET You Run Your Business. We'll Run Your Email. This message is for the sole use of the intended recipient(s) and may contain confidential and/or privileged information of USA.NET, Inc. Any unauthorized review, use, copying, disclosure, or distribution is prohibited. If you are not the intended recipient, please immediately contact the sender by reply email and delete all copies of the original message.

3 2

MemberOf group restrictions to a client system (server and client running CentOS 7)
by Janet Houser 06 Aug '20

06 Aug '20

Hi, I'm new to 389-ds and last week downloaded and installed the software. I have a running instance of the server, and I've added TLS/SSL. I've configured a CentOS 7 client to be able to query the server using TLS/SSL, and all appears working. I've created users and groups on the 389-ds server successfully. For each user and group, I've enabled posix attributes and my client can see the unix users and groups using the "getent password" or "getent group" commands. Now, here's where I'm getting tripped up.......... I need to limit which users have access to which systems. I've been trying to do this via memberOf group limitations. I found the following online resource (https://thornelabs.net/2013/01/28/aix-restrict-server-login-via-ldap-groups…) which is close enough to CentOS that the initial commands worked. I enabled the MemberOf plugin and changed the attributes per the link, and restarted the system. I created a test group (that I didn't enable a posix GID) and tried to add a single user via: Right click on group -- > click Properties --> then Members --> click Add --> Search for user --> click Add. When I try to go this route (which worked before enabling the memberOf plugin) it worked. Now it seems I get the error: "Cannot save to directory server. netscape.ldap.LDAPException: error resiult(65): Object class violation" And the messages file throws the error (/var/log/dirsrv/slapd-<instancename>/errors: "Entry "uid=test,ou=People,dc=int,dc=com" -- attribute "memberOf" not allowed [17/Feb/2016:11:22:58 -0700] memberof-plugin - memberof_postop_modify: failed to add dn (cn=testgroup,ou=Groups,dc=int,dc=com) to target. Error (65)" So it seems my server isn't quite using the memberOf plugin properly, but I'm not sure what else to enable. I'll have to solve this issue before I even try to filter login access via groups on my client system. I should mention that if I go under the advanced tab for one of the groups I created, I can add the the attribute "uniquemember", but I'm not sure what I should set the "value" to be. I've tried creating new users to see if I could set their "uniquemember" attributes, but no luck. It seems that I don't have the ability to set this attribute on individual users, only groups. This might not be the right road to head down when trying to restrict access to servers via groups, so I'm open to any suggestions. Any suggestions would be appreciated.

6 19

tls encryption and key changes: symmetric key failed to unwrap
by Jan Kowalsky 04 Feb '19

04 Feb '19

Hi all, we have the following situation: An 389ds with tls/ssl configured whith an certificate from letsencrypt. Since letsencrypt is short-dated we have an automated update routine for regenerating the cert8.db. Now we have this sort of errors in changelog. [01/Jun/2018:11:46:40 +0200] attrcrypt - attrcrypt_unwrap_key: failed to unwrap key for cipher AES [01/Jun/2018:11:46:40 +0200] attrcrypt - attrcrypt_cipher_init: symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value. [01/Jun/2018:11:46:40 +0200] attrcrypt - attrcrypt_unwrap_key: failed to unwrap key for cipher 3DES [01/Jun/2018:11:46:40 +0200] attrcrypt - attrcrypt_cipher_init: symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value. [01/Jun/2018:11:46:40 +0200] attrcrypt - All prepared ciphers are not available. Please disable attribute encryption. I never used attribute encryption and we don't need it at the moment. But as far as I understand, it's based on the server private key. This is the one we change every 60 days. The best idea seems to disable attribute encryption (which doesn't make much sense if the private key isn't password protected anyway). Or is there any other way to deal with key changes? Thanks and regards Jan

4 5

error moving an user
by Alberto Viana 08 Oct '18

08 Oct '18

Hey Guys, 389 version: 389-Directory/1.3.7.4.20170912git26a9426 B2017.255.1330 I'm trying to move one of my users to another OU and I see this kind of error: Error while moving entry - [LDAP: error code 1 - Operations Error] java.lang.Exception: [LDAP: error code 1 - Operations Error] at In the log I see: [20/Mar/2018:14:12:27.172553808 -0300] - ERR - ldbm_back_modrdn - SLAPI_PLUGIN_BE_TXN_POST_MODRDN_FN plugin returned error but did not set SLAPI_RESULT_CODE I thought that was related to my windows replication, but I disabled it and I'm still getting the error. Any clues?

4 9

password policy
by Alberto Viana 27 Sep '18

27 Sep '18

I have a password applied globally like this: dn: cn=cn\3DnsPwPolicyEntry\2CDC\3Dmy\2CDC\3Ddomain,cn=nsPwPolicyContainer,dc= my,dc=domain passwordLockout: off passwordGraceLimit: 50 passwordWarning: 86400 passwordInHistory: 3 passwordMinLength: 8 passwordMinCategories: 3 passwordStorageScheme: SSHA512 passwordChange: on passwordMaxAge: 31536000 passwordCheckSyntax: on passwordExp: on objectClass: top objectClass: ldapsubentry objectClass: passwordpolicy cn: cn=nsPwPolicyEntry,DC=my,DC=domain In a sub OU, I have this policy: # cn\3DnsPwPolicyEntry\2Cou\3DPOPS\2COU\3DEXTERNOS\2Cou\3Dmy\2Cdc\3Dmy\2Cdc\3 Ddomain, nsPwPolicyContainer, POPS, EXTERNOS, my, my.domain dn: cn=cn\3DnsPwPolicyEntry\2Cou\3DPOPS\2COU\3DEXTERNOS\2Cou\3Dmy\2Cdc\3Dmy\ 2Cdc\3Ddomain,cn=nsPwPolicyContainer,ou=POPS,OU=EXTERNOS,ou=my,dc=my,dc=domain passwordLockout: off passwordGraceLimit: 50 passwordStorageScheme: SSHA passwordChange: on passwordMaxAge: 31536000 passwordCheckSyntax: off passwordExp: off objectClass: top objectClass: ldapsubentry objectClass: passwordpolicy cn: cn=nsPwPolicyEntry,ou=POPS,OU=EXTERNOS,dc=my,dc=domain But when I try to add a prehashed password on this sub OU, I see this kind of error: LDAP: error code 19 - invalid password syntax - passwords with storage scheme are not allowed Is this an expected behavior even if in sub OU I have an password policy with passwordCheckSyntax set to off? If so, do I have any way to disable this behavior? (but I can not disable my global password policy) PS: The password policy is respecting the fact of passwordCheckSyntax is set to off when I try to add a simple password like '1234'.

2 5

Exception in client app
by rainer＠ultra-secure.de 20 Sep '18

20 Sep '18

Hi, I got the following exception sent from a developer who accesses the 389-server (CentOS 7). 13:49:41.440 DEBUG [LdapAccountDAO] - >>LDAP Next Page tld.corp.app.project.common.exceptions.ProjectSystemException: app.project LDAP_EXCEPTION while adding user javax.naming.OperationNotSupportedException: [LDAP: error code 12 - Unavailable Critical Extension]; remaining name 'uid=unittestldapuser,dc=ci,dc=nightly,dc=project,dc=corp,dc=tld' I've also been asked about: ldap.sync.usePagingControl, "false"); and ldap.sync.useVirtualListViewControl, "false"); Couldn't really get this query here to work: https://ldapwiki.com/wiki/View%20the%20Available%20Controls How can I see what it was actually trying to do, what lead to the exception? Regards Rainer

1 0

repl-monitor.pl - monitoring user
by rainer＠ultra-secure.de 11 Sep '18

11 Sep '18

Hi, I'd like to define a special user just for monitoring the replication (instead of using the Directory Manager). What kind of permissions does that user need? Or does that user need to many privileges that I could use the Directory Manager anyway? Rainer

3 2

ldap perfomance
by Ghiurea, Isabella 09 Sep '18

09 Sep '18

Hello Gurus, looking for an answer to the following performance behavior my env: 389-ds-base-1.3.5.15-1.fc24.x86_64 in multimaster fractional replication running rsearch for 5 min with 1 thread seeing spikes for a basic read using index uid And running with 10 threads same search the avg ms/ops performance are much better with no major spike/burst Any explanation much appreciate it see bellow for 1 thread and the spike/burst T 300 -t 1 rsearch: 1 threads launched. T1 min= 0ms, max= 5ms, count = 54710 T1 min= 0ms, max= 42ms, count = 64930 T1 min= 0ms, max= 2ms, count = 65174 T1 min= 0ms, max= 2ms, count = 65110 T1 min= 0ms, max= 44ms, count = 64966 T1 min= 0ms, max= 1ms, count = 65101 T1 min= 0ms, max= 22ms, count = 65056 T1 min= 0ms, max= 32ms, count = 64981 T1 min= 0ms, max= 1ms, count = 65145 T1 min= 0ms, max= 1ms, count = 65223 T1 min= 0ms, max= 27ms, count = 65015 T1 min= 0ms, max= 1ms, count = 65182 T1 min= 0ms, max= 3ms, count = 65213 T1 min= 0ms, max= 23ms, count = 64760 T1 min= 0ms, max= 2ms, count = 64214 T1 min= 0ms, max= 3ms, count = 52279 T1 min= 0ms, max= 11ms, count = 64914 T1 min= 0ms, max= 1ms, count = 65118 T1 min= 0ms, max= 5ms, count = 64852 T1 min= 0ms, max= 91ms, count = 64180 T1 min= 0ms, max= 4ms, count = 64746 T1 min= 0ms, max= 1ms, count = 65080 T1 min= 0ms, max= 12ms, count = 65110 T1 min= 0ms, max= 702ms, count = 59243 T1 min= 0ms, max= 1ms, count = 65082 T1 min= 0ms, max= 89ms, count = 64331 T1 min= 0ms, max= 23ms, count = 64647 T1 min= 0ms, max= 5ms, count = 64818 T1 min= 0ms, max= 55ms, count = 64374 T1 min= 0ms, max= 8ms, count = 64713 T1 min= 0ms, max= 8ms, count = 64713 300 sec >= 300 Final Average rate: 6394.22/sec = 0.1564msec/op, total: 64713 And final avg rate for 10 threads, no significant spike/burst for this num of threads 20180905 14:07:23 - Rate: 16962.10/thr (16962.10/sec = 0.0590ms/op), total:169621 (10 thr) 300 sec >= 300 Final Average rate: 17420.40/sec = 0.0574msec/op, total:169621

6 10

disk i/o: very high write rates
by Jan Kowalsky 07 Sep '18

07 Sep '18

ups, the mail wasn't ready yet - I sent it by accident. Hi all, I'm running a set of three 389-ds servers with about 50 databases with replication on each server. No I'm encounter a constant very hight disk write rate (about 300 write io/sec. - avarage). In the audit-log there is nothing what would explain this. But in iotop I see a lot of threads like: 1621 be/4 dirsrv 0.00 B/s 3.95 K/s 0.00 % 0.46 % ns-slapd -D /etc/dirsrv/slapd-ldap0 -i /var/run/dirsrv/slapd-ldap0.pid -w /var/run/dirsrv/slapd-ldap0.startpid 1628 be/4 dirsrv 0.00 B/s 7.90 K/s 0.00 % 0.46 % ns-slapd -D /etc/dirsrv/slapd-ldap0 -i /var/run/dirsrv/slapd-ldap0.pid -w /var/run/dirsrv/slapd-ldap0.startpid .... 1631 be/4 dirsrv 0.00 B/s 892.18 K/s 0.00 % 0.00 % ns-slapd -D /etc/dirsrv/slapd-ldap0 -i /var/run/dirsrv/slapd-ldap0.pid -w /var/run/dirsrv/slapd-ldap0.startpid 1463 be/4 dirsrv 0.00 B/s 580.31 K/s 0.00 % 0.00 % ns-slapd -D /etc/dirsrv/slapd-ldap0 -i /var/run/dirsrv/slapd-ldap0.pid -w /var/run/dirsrv/slapd-ldap0.startpid 1462 be/4 dirsrv 0.00 B/s 363.19 K/s 0.00 % 0.00 % ns-slapd -D /etc/dirsrv/slapd-ldap0 -i /var/run/dirsrv/slapd-ldap0.pid -w /var/run/dirsrv/slapd-ldap0.startpid I configured caching and have entrycachehits about 99 - but anyway this would have only impact to read-operations. What's conspicuous: One of the three server has a significant higher write rate than the others. When I watch our munin stats the two other have with 40 to 60 write operations per second 10 times less. And one of the server suddenly reduces write-rates from more than 100 to averate 50. Any idea? Regards Jan

5 10

Making the console-GUI localhost-only
by rainer＠ultra-secure.de 07 Sep '18

07 Sep '18

Hi, so, the GUI is really served by a webserver, as it looks like? In /etc/dirsrv/admin-serv/console.conf there is a listen directive. I want to change that to 127.0.0.1 instead of 0.0.0.0. Can I edit that file directly or is there some command I have to run - and are there any other things that rely on that webserver being available on all interfaces, from all IPs. Best Regards Rainer

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

389-users September 2018