Problem browsing LDAP with Outlook
by Chris Bryant
When configuring Microsoft Outlook (not Outlook Express) to access an LDAP directory, there is an option to 'Enable Browsing (requires server support)'. If this option is chosen and the directory server supports it, then you should be able to open the LDAP address book and page up and down through the results. I have been unable to get this working properly with 389 DS.
When I try to browse from Outlook against the 389 DS directory, I am able to see the first page of results perfectly. However, if I move to the next page, only the first object returned will have any attributes included, and all of the rest of the objects in the page will have no attributes. I have a test perl script that duplicates this functionality as well.
I can get this to work properly with an older version of Netscape Directory Server, and I can get it working with OpenDS. Since 389 DS advertises support for the controls that are required for this to work, just like the other two servers, then I would expect it to work there also.
Has anyone out there gotten this to work with 389 DS? If so, can you share if there was anything special that you needed to do to get this to work? I'm trying to determine if this is a bug in the server, or if I'm just missing something in the configuration.
Thanks,
Chris
USA.NET
3 years, 3 months
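Outlook's "browsing" mode drives the directory with the virtual list view (VLV) control together with server-side sort, and plain page-at-a-time clients use the simple paged results control; whether the second page asks for what you think it asks for is only visible on the wire. The block below, an added example that is not part of the post and not 389 DS code, hand-encodes and decodes the BER values of those three controls so a captured request or response can be checked byte by byte. It assumes definite-length BER and non-negative integers (all that LDAP controls use); the page size and offsets are illustrative. The OIDs come from RFC 2696, RFC 2891 and the VLV draft.

```python
"""BER encoders/decoders for the controls behind LDAP "browsing".

Added example, not from the post or from 389 DS. Assumptions: definite-length
BER only, non-negative INTEGERs only; page sizes and offsets are illustrative.
"""
from typing import Tuple

# Control OIDs: RFC 2696 (paged results), RFC 2891 (server-side sort),
# draft-ietf-ldapext-ldapv3-vlv-09 (virtual list view).
OID_PAGED_RESULTS = "1.2.840.113556.1.4.319"
OID_SERVER_SIDE_SORT = "1.2.840.113556.1.4.473"
OID_VLV_REQUEST = "2.16.840.1.113730.3.4.9"
OID_VLV_RESPONSE = "2.16.840.1.113730.3.4.10"

TAG_INTEGER, TAG_OCTET_STRING, TAG_SEQUENCE = 0x02, 0x04, 0x30
TAG_CTX0_CONSTRUCTED = 0xA0  # [0] byOffset target inside a VLV request


def ber_length(n: int) -> bytes:
    """Definite length: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(value)) + value


def ber_integer(n: int) -> bytes:
    if n < 0:
        raise ValueError("negative INTEGERs are not needed for these controls")
    # minimal two's complement: a leading 0x00 is added when the top bit is set
    return ber_tlv(TAG_INTEGER, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def ber_octet_string(b: bytes) -> bytes:
    return ber_tlv(TAG_OCTET_STRING, b)


def ber_sequence(*parts: bytes) -> bytes:
    return ber_tlv(TAG_SEQUENCE, b"".join(parts))


def paged_results_value(size: int, cookie: bytes = b"") -> bytes:
    """RFC 2696: SEQUENCE { size INTEGER, cookie OCTET STRING }.
    The first request carries an empty cookie; every later request must echo
    the cookie from the previous response or the server starts over."""
    return ber_sequence(ber_integer(size), ber_octet_string(cookie))


def sort_value(*attrs: str) -> bytes:
    """RFC 2891: SortKeyList ::= SEQUENCE OF SEQUENCE { attributeType ... }.
    VLV positions are only meaningful in a sorted list, so VLV travels with this."""
    return ber_sequence(*(ber_sequence(ber_octet_string(a.encode())) for a in attrs))


def vlv_by_offset_value(before: int, after: int, offset: int,
                        content_count: int = 0, context_id: bytes = b"") -> bytes:
    """VLV request targeting an absolute position: offset=1 is the first entry
    of the sorted list; contentCount=0 on the first call lets the server report
    the true list size in its response."""
    target = ber_tlv(TAG_CTX0_CONSTRUCTED, ber_integer(offset) + ber_integer(content_count))
    parts = [ber_integer(before), ber_integer(after), target]
    if context_id:
        parts.append(ber_octet_string(context_id))
    return ber_sequence(*parts)


def ber_read(data: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Decode one TLV at pos; return (tag, value, position after it)."""
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(data):
        raise ValueError("truncated BER value")
    return tag, data[pos:pos + length], pos + length


def decode_paged_results(value: bytes) -> Tuple[int, bytes]:
    """Parse a paged-results control value (request and response share the
    shape). An empty cookie in a response means the result set is exhausted."""
    tag, body, _ = ber_read(value)
    if tag != TAG_SEQUENCE:
        raise ValueError("expected SEQUENCE")
    tag1, size_b, pos = ber_read(body)
    tag2, cookie, _ = ber_read(body, pos)
    if tag1 != TAG_INTEGER or tag2 != TAG_OCTET_STRING:
        raise ValueError("unexpected element types")
    return int.from_bytes(size_b, "big"), cookie


def next_page_request(page_size: int, last_response_value: bytes) -> bytes:
    """Control value for the next page, built from the server's last reply."""
    _, cookie = decode_paged_results(last_response_value)
    return paged_results_value(page_size, cookie)


if __name__ == "__main__":
    print("paged:", paged_results_value(10).hex())
    print("sort:", sort_value("cn").hex())
    print("vlv:", vlv_by_offset_value(0, 9, 1).hex())
```

When comparing a capture against these encodings, the thing to look for on the second request is the cookie (for paging) or the contextID and offset (for VLV): a client that resends the first request's values gets the first page's entries back, and a request whose control value does not parse as above is not the control the client thinks it is sending.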
MemberOf group restrictions to a client system (server and client running CentOS 7)
by Janet Houser
Hi,
I'm new to 389-ds and last week downloaded and installed the software.
I have a running instance of the server, and I've added TLS/SSL. I've configured a CentOS 7 client to be able to query the server using TLS/SSL, and all appears working.
I've created users and groups on the 389-ds server successfully. For each user and group, I've enabled posix attributes and my client can see the unix users and groups using the "getent password" or "getent group" commands.
Now, here's where I'm getting tripped up..........
I need to limit which users have access to which systems. I've been trying to do this via memberOf group limitations.
I found the following online resource (https://thornelabs.net/2013/01/28/aix-restrict-server-login-via-ldap-grou...)
which is close enough to CentOS that the initial commands worked.
I enabled the MemberOf plugin and changed the attributes per the link, and restarted the system.
I created a test group (that I didn't enable a posix GID) and tried to add a single user via:
Right click on group -- > click Properties --> then Members --> click Add --> Search for user --> click Add.
When I try to go this route (which worked before enabling the memberOf plugin) it worked. Now it seems I get the error:
"Cannot save to directory server.
netscape.ldap.LDAPException: error result(65): Object class violation"
And the messages file throws the error (/var/log/dirsrv/slapd-<instancename>/errors):
"Entry "uid=test,ou=People,dc=int,dc=com" -- attribute "memberOf" not allowed
[17/Feb/2016:11:22:58 -0700] memberof-plugin - memberof_postop_modify: failed to add dn (cn=testgroup,ou=Groups,dc=int,dc=com) to target. Error (65)"
So it seems my server isn't quite using the memberOf plugin properly, but I'm not sure what else to enable. I'll have to solve this issue before I even try to filter login access via groups on my client system.
I should mention that if I go under the advanced tab for one of the groups I created, I can add the attribute "uniquemember", but I'm not sure what I should set the "value" to be.
I've tried creating new users to see if I could set their "uniquemember" attributes, but no luck. It seems that I don't have the ability to set this attribute on individual users, only groups.
This might not be the right road to head down when trying to restrict access to servers via groups, so I'm open to any suggestions.
Any suggestions would be appreciated.
3 years, 4 months
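The error log line quoted above ("attribute memberOf not allowed", result 65) is a schema check: the memberOf plugin writes memberOf into the user entry, and the user's object classes have to permit that attribute. The block below is an added example, not the poster's or 389-ds's code. It assumes what I recall of the 389-ds schema: inetUser and nsMemberOf are auxiliary classes whose MAY list includes memberOf (extensibleObject allows anything), so adding one of them to the user entry is the fix; verify that against the schema files under /etc/dirsrv/slapd-<instance>/schema before relying on it. The uniqueMember value the Console asks for is the full DN of the user entry; that DN is what the plugin then copies into the user's memberOf. The sssd.conf option names are the real ones, the filter is illustrative, and the DNs are the ones from the post. As I recall, later 389-ds releases can add the auxiliary class automatically through the plugin's memberOfAutoAddOC setting, and existing memberships can be regenerated with fixup-memberof.pl; both are version dependent, so check the release you have.

```python
"""memberOf: why the add fails and the pieces that make group-based login work.

Added example, not from the post or from 389-ds. The schema slice and the
sssd filter are assumptions; the DNs are the post's.
"""
from typing import Iterable, List, Optional

# Object classes whose schema permits memberOf (assumption: from memory of
# 389-ds schema; verify in /etc/dirsrv/slapd-<instance>/schema).
CLASSES_ALLOWING_MEMBEROF = {"inetuser", "nsmemberof", "extensibleobject"}


def memberof_allowed(object_classes: Iterable[str]) -> bool:
    """True if the entry's object classes permit memberOf. When False, the
    plugin's write into the user entry fails with result 65."""
    return bool(CLASSES_ALLOWING_MEMBEROF & {c.lower() for c in object_classes})


def add_auxiliary_class_ldif(user_dn: str, object_classes: Iterable[str],
                             aux_class: str = "nsMemberOf") -> Optional[str]:
    """LDIF for ldapmodify that adds the missing class; None if not needed."""
    if memberof_allowed(object_classes):
        return None
    return (f"dn: {user_dn}\n"
            "changetype: modify\n"
            "add: objectClass\n"
            f"objectClass: {aux_class}\n")


def group_ldif(group_dn: str, member_dns: List[str]) -> str:
    """A groupOfUniqueNames group. Every uniqueMember value is a user DN;
    the plugin copies the group DN into each listed user's memberOf."""
    cn = group_dn.split(",", 1)[0].split("=", 1)[1]
    lines = [f"dn: {group_dn}", "objectClass: top",
             "objectClass: groupOfUniqueNames", f"cn: {cn}"]
    lines += [f"uniqueMember: {dn}" for dn in member_dns]
    return "\n".join(lines) + "\n"


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping for a value embedded in a search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\0" else ch for ch in value)


def sssd_access_fragment(group_dn: str) -> str:
    """[domain/...] lines for sssd.conf on the client: with access_provider =
    ldap, a user whose own entry does not match the filter is denied login.
    The filter relies on memberOf being present in the user entry."""
    return ("access_provider = ldap\n"
            "ldap_access_order = filter\n"
            f"ldap_access_filter = (memberOf={ldap_filter_escape(group_dn)})\n")


if __name__ == "__main__":
    user = "uid=test,ou=People,dc=int,dc=com"
    group = "cn=testgroup,ou=Groups,dc=int,dc=com"
    print(add_auxiliary_class_ldif(user, ["top", "person", "posixAccount"]))
    print(group_ldif(group, [user]))
    print(sssd_access_fragment(group))
```

Order matters: add the auxiliary class to the users first, then add members to the group, otherwise the plugin's write fails exactly as in the log line above. After the class is in place, the client-side filter only works for users whose memberOf is populated, which is what the fixup script is for when memberships predate the change.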
tls encryption and key changes: symmetric key failed to unwrap
by Jan Kowalsky
Hi all,
we have the following situation: a 389-ds with TLS/SSL configured with a certificate from Let's Encrypt.
Since Let's Encrypt certificates are short-lived, we have an automated update routine for regenerating the cert8.db.
Now we have this sort of error in the changelog.
[01/Jun/2018:11:46:40 +0200] attrcrypt - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
[01/Jun/2018:11:46:40 +0200] attrcrypt - attrcrypt_cipher_init: symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value.
[01/Jun/2018:11:46:40 +0200] attrcrypt - attrcrypt_unwrap_key: failed to unwrap key for cipher 3DES
[01/Jun/2018:11:46:40 +0200] attrcrypt - attrcrypt_cipher_init: symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value.
[01/Jun/2018:11:46:40 +0200] attrcrypt - All prepared ciphers are not available. Please disable attribute encryption.
I never used attribute encryption and we don't need it at the moment. But as far as I understand, it's based on the server private key. This is the one we change every 60 days.
The best idea seems to be to disable attribute encryption (which doesn't make much sense if the private key isn't password protected anyway).
Or is there any other way to deal with key changes?
Thanks and regards
Jan
4 years, 10 months
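The log lines above say what the dependency is: the per-cipher symmetric key is stored wrapped under the server's private key, and it only unwraps while that private key is still the one in the NSS database. Regenerating cert8.db with a fresh key pair every 60 days therefore invalidates the wrapped keys on every renewal; keeping the key pair across renewals (certbot's `--reuse-key`) avoids that, and the renewed certificate then works with the existing wrapped keys. If attribute encryption was never used, no stored data depends on those keys; if it was, the old private key is needed to unwrap them before it is replaced, which is why the log says to keep the wrapped value. The block below is an added example, not the poster's or 389-ds's code: it scans a dse.ldif for the wrapped key entries so they can be saved before a rotation, and reports which backends carry them. The entry layout in SAMPLE_DSE is reconstructed from memory of dse.ldif (a `cn=encrypted attribute keys` container under each backend, one child per cipher with `nsSymmetricKey`), the key bytes are made up, and the LDIF reader handles only what dse.ldif uses (folded continuation lines and `::` base64 values); compare against your own dse.ldif before trusting the DN pattern.

```python
"""Locate wrapped attribute-encryption keys in dse.ldif before the server key changes.

Added example, not from the post or from 389-ds. SAMPLE_DSE is a constructed
fragment following my recollection of the dse.ldif layout; the key bytes are
fake.
"""
import base64
from typing import Dict, List

SAMPLE_DSE = """\
dn: cn=encrypted attribute keys,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: encrypted attribute keys

dn: cn=AES,cn=encrypted attribute keys,cn=userRoot,cn=ldbm database,cn=plugins,
 cn=config
objectClass: top
objectClass: extensibleObject
cn: AES
nsSymmetricKey:: QUVTLXdyYXBwZWQta2V5LWJ5dGVz

dn: cn=3DES,cn=encrypted attribute keys,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: 3DES
nsSymmetricKey:: M0RFUy13cmFwcGVkLWtleS1ieXRlcw==

dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsBackendInstance
cn: userRoot
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: unfolds continuation lines and decodes '::' base64
    values (kept as latin-1 strings so the bytes survive 1:1)."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]           # folded continuation line
        else:
            lines.append(raw)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in lines + [""]:
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("latin-1")
        else:
            value = rest.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def wrapped_keys(entries: List[Dict[str, List[str]]]) -> Dict[str, Dict[str, bytes]]:
    """{backend: {cipher: wrapped key bytes}} for every nsSymmetricKey found."""
    found: Dict[str, Dict[str, bytes]] = {}
    for entry in entries:
        dn = entry.get("dn", [""])[0]
        parts = [p.strip() for p in dn.split(",")]
        if len(parts) < 3 or parts[1].lower() != "cn=encrypted attribute keys":
            continue
        cipher = parts[0].split("=", 1)[1]
        backend = parts[2].split("=", 1)[1]
        for value in entry.get("nssymmetrickey", []):
            found.setdefault(backend, {})[cipher] = value.encode("latin-1")
    return found


def backup_ldif(entries: List[Dict[str, List[str]]]) -> str:
    """Re-emit only the key entries, base64-encoded, so they can be kept
    alongside the private key that wrapped them."""
    out: List[str] = []
    for entry in entries:
        if "nssymmetrickey" not in entry:
            continue
        out.append(f"dn: {entry['dn'][0]}")
        for value in entry["nssymmetrickey"]:
            out.append("nsSymmetricKey:: " + base64.b64encode(value.encode("latin-1")).decode())
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    keys = wrapped_keys(parse_ldif(SAMPLE_DSE))
    for backend, ciphers in keys.items():
        print(backend, sorted(ciphers))
```

Run it against a copy of dse.ldif taken while the server is stopped, and keep the output together with the private key that was current when those values were written; a wrapped key without the matching private key is unrecoverable.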
error moving an user
by Alberto Viana
Hey Guys,
389 version: 389-Directory/1.3.7.4.20170912git26a9426 B2017.255.1330
I'm trying to move one of my users to another OU and I see this kind of error:
Error while moving entry
- [LDAP: error code 1 - Operations Error]
java.lang.Exception: [LDAP: error code 1 - Operations Error]
at
In the log I see:
[20/Mar/2018:14:12:27.172553808 -0300] - ERR - ldbm_back_modrdn - SLAPI_PLUGIN_BE_TXN_POST_MODRDN_FN plugin returned error but did not set SLAPI_RESULT_CODE
I thought that was related to my windows replication, but I disabled it and I'm still getting the error.
Any clues?
5 years, 2 months
password policy
by Alberto Viana
I have a password policy applied globally like this:
dn: cn=cn\3DnsPwPolicyEntry\2CDC\3Dmy\2CDC\3Ddomain,cn=nsPwPolicyContainer,dc=my,dc=domain
passwordLockout: off
passwordGraceLimit: 50
passwordWarning: 86400
passwordInHistory: 3
passwordMinLength: 8
passwordMinCategories: 3
passwordStorageScheme: SSHA512
passwordChange: on
passwordMaxAge: 31536000
passwordCheckSyntax: on
passwordExp: on
objectClass: top
objectClass: ldapsubentry
objectClass: passwordpolicy
cn: cn=nsPwPolicyEntry,DC=my,DC=domain
In a sub OU, I have this policy:
# cn\3DnsPwPolicyEntry\2Cou\3DPOPS\2COU\3DEXTERNOS\2Cou\3Dmy\2Cdc\3Dmy\2Cdc\3Ddomain, nsPwPolicyContainer, POPS, EXTERNOS, my, my.domain
dn: cn=cn\3DnsPwPolicyEntry\2Cou\3DPOPS\2COU\3DEXTERNOS\2Cou\3Dmy\2Cdc\3Dmy\2Cdc\3Ddomain,cn=nsPwPolicyContainer,ou=POPS,OU=EXTERNOS,ou=my,dc=my,dc=domain
passwordLockout: off
passwordGraceLimit: 50
passwordStorageScheme: SSHA
passwordChange: on
passwordMaxAge: 31536000
passwordCheckSyntax: off
passwordExp: off
objectClass: top
objectClass: ldapsubentry
objectClass: passwordpolicy
cn: cn=nsPwPolicyEntry,ou=POPS,OU=EXTERNOS,dc=my,dc=domain
But when I try to add a prehashed password on this sub OU, I see this kind of error:
LDAP: error code 19 - invalid password syntax - passwords with storage scheme are not allowed
Is this an expected behavior even if in the sub OU I have a password policy with passwordCheckSyntax set to off? If so, do I have any way to disable this behavior? (but I can not disable my global password policy)
PS: The password policy is respecting the fact that passwordCheckSyntax is set to off when I try to add a simple password like '1234'.
5 years, 2 months
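The error 19 text quoted above is about the value arriving already hashed (a `{SCHEME}` prefix), not about the syntax rules that passwordCheckSyntax switches off; as I recall, 389-ds accepts pre-hashed values from the Directory Manager, from DNs named in the policy's passwordAdminDN, or from anyone when `nsslapd-allow-hashed-passwords` is turned on in cn=config, so that is where to look rather than in the subtree policy (check the configuration reference for the release in use). A practitioner importing hashes also wants to be sure the value is in the format the server expects, and to know that a value hashed with the weaker scheme stays that way until the user next changes the password, because the server cannot re-hash what it cannot read. The block below is an added example, not the poster's or 389-ds's code: it generates and verifies `{SSHA}`/`{SSHA256}`/`{SSHA512}` values in the `base64(digest(password || salt) || salt)` layout. The 8-byte salt used for generation is my choice; verification accepts whatever salt length follows the digest, so server-generated values verify too.

```python
"""Generate and verify {SSHA*} password values in the form 389-ds stores them.

Added example, not from the post or from 389-ds. Assumptions: stored form is
"{SCHEME}" + base64(digest(password || salt) || salt); 8-byte salts on
generation are this example's choice.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

SCHEMES = {"SSHA": hashlib.sha1, "SSHA256": hashlib.sha256, "SSHA512": hashlib.sha512}


def split_scheme(value: str) -> Tuple[Optional[str], str]:
    """('SSHA512', payload) for a pre-hashed value, (None, value) for cleartext.
    The server's "passwords with storage scheme are not allowed" check keys
    off exactly this prefix."""
    if value.startswith("{") and "}" in value:
        scheme, payload = value[1:].split("}", 1)
        return scheme.upper(), payload
    return None, value


def ssha_hash(password: str, scheme: str = "SSHA512", salt: Optional[bytes] = None) -> str:
    """Salted hash; a fresh random salt unless one is supplied (for tests)."""
    digest_fn = SCHEMES[scheme]
    salt = os.urandom(8) if salt is None else salt
    digest = digest_fn(password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def payload_bytes(stored: str) -> bytes:
    """digest || salt, decoded from the stored value."""
    return base64.b64decode(split_scheme(stored)[1])


def ssha_verify(password: str, stored: str) -> bool:
    scheme, _ = split_scheme(stored)
    if scheme not in SCHEMES:
        return False                       # unknown or unsalted scheme: refuse
    digest_fn = SCHEMES[scheme]
    raw = payload_bytes(stored)
    size = digest_fn().digest_size
    digest, salt = raw[:size], raw[size:]  # salt is whatever follows the digest
    candidate = digest_fn(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def matches_policy_scheme(stored: str, policy_scheme: str) -> bool:
    """A pre-hashed value keeps the scheme it arrived with; the server cannot
    re-hash it to the policy's scheme until the user changes the password."""
    return split_scheme(stored)[0] == policy_scheme.upper()


if __name__ == "__main__":
    value = ssha_hash("correct horse battery", "SSHA512")
    print(value, ssha_verify("correct horse battery", value))
```

For a migration, generate with the scheme of the policy that will govern the entries (SSHA512 under the global policy above, where the sub OU policy still says SSHA), and audit imported values with `matches_policy_scheme` so weak legacy hashes are visible rather than silently retained.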
Exception in client app
by rainer@ultra-secure.de
Hi,
I got the following exception sent from a developer who accesses the 389 server (CentOS 7).
13:49:41.440 DEBUG [LdapAccountDAO] - >>LDAP Next Page
tld.corp.app.project.common.exceptions.ProjectSystemException: app.project LDAP_EXCEPTION while adding user
javax.naming.OperationNotSupportedException: [LDAP: error code 12 - Unavailable Critical Extension]; remaining name 'uid=unittestldapuser,dc=ci,dc=nightly,dc=project,dc=corp,dc=tld'
I've also been asked about:
ldap.sync.usePagingControl, "false");
and
ldap.sync.useVirtualListViewControl, "false");
I couldn't really get this query here to work:
https://ldapwiki.com/wiki/View%20the%20Available%20Controls
How can I see what it was actually trying to do, what led to the exception?
Regards
Rainer
5 years, 2 months
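Result code 12 (unavailableCriticalExtension) is, per RFC 4511, what a server returns when a request carries a control marked critical that the server does not recognise or cannot honour for that operation, so the first comparison to make is the client's control list against the root DSE. The two properties named above switch paging and VLV on the client side; the debug line "LDAP Next Page" just before the exception suggests paging was in play. The ldapwiki query usually "doesn't work" because supportedControl is an operational attribute and has to be named explicitly: `ldapsearch -x -H ldap://host -s base -b '' supportedControl`. The block below is an added example, not the poster's or 389-ds's code. It parses that ldapsearch output and reports which controls a client with given settings would send as critical but the server does not advertise. SAMPLE_ROOT_DSE is constructed here, not captured from the poster's server, and the mapping of the two flags to controls and criticality is my guess at what such a client library does.

```python
"""Compare the controls a client marks critical with what the server advertises.

Added example, not from the post or from 389-ds. SAMPLE_ROOT_DSE is
constructed; the flags-to-controls mapping is an assumption.
"""
from typing import Dict, Iterable, List, Set

KNOWN_CONTROLS = {
    "1.2.840.113556.1.4.319": "Simple Paged Results (RFC 2696)",
    "1.2.840.113556.1.4.473": "Server Side Sort request (RFC 2891)",
    "1.2.840.113556.1.4.474": "Server Side Sort response (RFC 2891)",
    "2.16.840.1.113730.3.4.9": "Virtual List View request",
    "2.16.840.1.113730.3.4.10": "Virtual List View response",
    "2.16.840.1.113730.3.4.2": "ManageDsaIT (RFC 3296)",
    "1.3.6.1.4.1.42.2.27.8.5.1": "Password Policy (draft-behera-ldap-password-policy)",
}

SAMPLE_ROOT_DSE = """\
# constructed ldapsearch output, not from any real server
dn:
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 1.2.840.113556.1.4.474
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.10
supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
"""


def ldapsearch_command(host: str) -> str:
    """supportedControl is operational, so it must be requested by name;
    a root DSE search that omits it comes back nearly empty."""
    return f"ldapsearch -x -H ldap://{host} -s base -b '' supportedControl"


def parse_supported_controls(text: str) -> Set[str]:
    oids: Set[str] = set()
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "supportedcontrol":
            oids.add(value.strip())
    return oids


def describe(oids: Iterable[str]) -> Dict[str, str]:
    return {oid: KNOWN_CONTROLS.get(oid, "unknown OID") for oid in sorted(oids)}


def client_controls_from_flags(use_paging: bool, use_vlv: bool) -> Dict[str, bool]:
    """oid -> criticality for the controls a client with these settings would
    attach. VLV needs a sort order, so it travels with server-side sort.
    Assumption: such clients mark both critical."""
    controls: Dict[str, bool] = {}
    if use_paging:
        controls["1.2.840.113556.1.4.319"] = True
    if use_vlv:
        controls["1.2.840.113556.1.4.473"] = True
        controls["2.16.840.1.113730.3.4.9"] = True
    return controls


def missing_critical(client: Dict[str, bool], supported: Set[str]) -> List[str]:
    """Critical controls the server does not advertise: each is a candidate
    cause of result 12. Non-critical unsupported controls are simply ignored."""
    return sorted(oid for oid, critical in client.items() if critical and oid not in supported)


if __name__ == "__main__":
    supported = parse_supported_controls(SAMPLE_ROOT_DSE)
    for oid, name in describe(supported).items():
        print(oid, name)
    print("missing:", missing_critical(client_controls_from_flags(True, True), supported))
```

An advertised control can still be refused for one particular operation (the exception above was raised while adding a user, where a paging control has no meaning), so after the root DSE check the next place to look is the server access log entry for that operation: it records the result code alongside the request, and shows which operation the client actually attached the control to.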
repl-monitor.pl - monitoring user
by rainer@ultra-secure.de
Hi,
I'd like to define a special user just for monitoring the replication (instead of using the Directory Manager).
What kind of permissions does that user need?
Or does that user need so many privileges that I could use the Directory Manager anyway?
Rainer
5 years, 3 months
ldap performance
by Ghiurea, Isabella
Hello Gurus,
looking for an answer to the following performance behavior
my env: 389-ds-base-1.3.5.15-1.fc24.x86_64 in multimaster fractional replication
running rsearch for 5 min with 1 thread, seeing spikes for a basic read using index uid
And running the same search with 10 threads, the avg ms/ops performance is much better with no major spike/burst
Any explanation much appreciated
see below for 1 thread and the spike/burst
T 300 -t 1
rsearch: 1 threads launched.
T1 min= 0ms, max= 5ms, count = 54710
T1 min= 0ms, max= 42ms, count = 64930
T1 min= 0ms, max= 2ms, count = 65174
T1 min= 0ms, max= 2ms, count = 65110
T1 min= 0ms, max= 44ms, count = 64966
T1 min= 0ms, max= 1ms, count = 65101
T1 min= 0ms, max= 22ms, count = 65056
T1 min= 0ms, max= 32ms, count = 64981
T1 min= 0ms, max= 1ms, count = 65145
T1 min= 0ms, max= 1ms, count = 65223
T1 min= 0ms, max= 27ms, count = 65015
T1 min= 0ms, max= 1ms, count = 65182
T1 min= 0ms, max= 3ms, count = 65213
T1 min= 0ms, max= 23ms, count = 64760
T1 min= 0ms, max= 2ms, count = 64214
T1 min= 0ms, max= 3ms, count = 52279
T1 min= 0ms, max= 11ms, count = 64914
T1 min= 0ms, max= 1ms, count = 65118
T1 min= 0ms, max= 5ms, count = 64852
T1 min= 0ms, max= 91ms, count = 64180
T1 min= 0ms, max= 4ms, count = 64746
T1 min= 0ms, max= 1ms, count = 65080
T1 min= 0ms, max= 12ms, count = 65110
T1 min= 0ms, max= 702ms, count = 59243
T1 min= 0ms, max= 1ms, count = 65082
T1 min= 0ms, max= 89ms, count = 64331
T1 min= 0ms, max= 23ms, count = 64647
T1 min= 0ms, max= 5ms, count = 64818
T1 min= 0ms, max= 55ms, count = 64374
T1 min= 0ms, max= 8ms, count = 64713
T1 min= 0ms, max= 8ms, count = 64713
300 sec >= 300
Final Average rate: 6394.22/sec = 0.1564msec/op, total: 64713
And final avg rate for 10 threads, no significant spike/burst for this num of threads
20180905 14:07:23 - Rate: 16962.10/thr (16962.10/sec = 0.0590ms/op), total:169621 (10 thr)
300 sec >= 300
Final Average rate: 17420.40/sec = 0.0574msec/op, total:169621
5 years, 3 months
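One way to read the interval lines above: with a single client thread the load is serial, so one stalled operation stops the whole stream for its duration, and an interval whose max is 702 ms should also show fewer operations than its neighbours, by roughly the stall length times the steady-state rate. With ten threads the other nine keep issuing requests while one waits, so the per-thread averages smooth the same stall out. The block below is an added example, not the poster's or rsearch's code: it parses rsearch interval lines (the sample is a subset copied from the post) and, for each latency spike, compares the throughput dip against what a single stall of that length would cost a serial client. It assumes rsearch's reporting interval is 10 seconds, which is what about 65,000 operations per line at about 6,400 operations per second implies; adjust `interval_s` if yours differs.

```python
"""Relate rsearch latency spikes to the throughput they cost a serial client.

Added example, not from the post or from rsearch. SAMPLE is a subset of the
post's output; the 10 s reporting interval is an assumption.
"""
import re
import statistics
from typing import List, NamedTuple

SAMPLE = """\
T1 min= 0ms, max= 5ms, count = 54710
T1 min= 0ms, max= 42ms, count = 64930
T1 min= 0ms, max= 2ms, count = 65174
T1 min= 0ms, max= 2ms, count = 65110
T1 min= 0ms, max= 44ms, count = 64966
T1 min= 0ms, max= 1ms, count = 65101
T1 min= 0ms, max= 22ms, count = 65056
T1 min= 0ms, max= 32ms, count = 64981
T1 min= 0ms, max= 1ms, count = 65145
T1 min= 0ms, max= 1ms, count = 65223
T1 min= 0ms, max= 91ms, count = 64180
T1 min= 0ms, max= 702ms, count = 59243
T1 min= 0ms, max= 1ms, count = 65082
T1 min= 0ms, max= 89ms, count = 64331
"""

LINE = re.compile(r"T(\d+)\s+min=\s*(\d+)ms,\s*max=\s*(\d+)ms,\s*count\s*=\s*(\d+)")


class Interval(NamedTuple):
    thread: int
    min_ms: int
    max_ms: int
    count: int


class Spike(NamedTuple):
    index: int
    max_ms: int
    ops_lost: int        # baseline count minus this interval's count
    ops_explained: int   # ops one stall of max_ms costs a serial client


def parse(text: str) -> List[Interval]:
    out: List[Interval] = []
    for line in text.splitlines():
        m = LINE.search(line)
        if m:
            out.append(Interval(*map(int, m.groups())))
    return out


def spikes(intervals: List[Interval], interval_s: float = 10.0,
           factor: float = 5.0) -> List[Spike]:
    """Intervals whose max latency exceeds `factor` times the median max,
    with the throughput dip set against what a single stall would explain.
    A dip much larger than ops_explained means more than one stall, or a
    slowdown spread over many operations rather than one long pause."""
    baseline = statistics.median(i.count for i in intervals)
    rate = baseline / interval_s                 # ops/s when nothing stalls
    median_max = statistics.median(i.max_ms for i in intervals)
    threshold = max(factor * median_max, 1.0)
    result: List[Spike] = []
    for n, iv in enumerate(intervals):
        if iv.max_ms > threshold:
            result.append(Spike(n, iv.max_ms,
                                int(baseline - iv.count),
                                int(iv.max_ms / 1000.0 * rate)))
    return result


if __name__ == "__main__":
    for s in spikes(parse(SAMPLE)):
        print(f"interval {s.index}: max {s.max_ms} ms, "
              f"lost {s.ops_lost} ops, one stall explains {s.ops_explained}")
```

For the 702 ms interval the dip (about 5,800 operations) is of the same order as one stall at the steady rate (about 4,600), which fits a single pause rather than a general slowdown; the next step is to line the interval's wall-clock time up with the server's access log and the operating system's I/O and checkpoint activity for that second.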
disk i/o: very high write rates
by Jan Kowalsky
Oops, the mail wasn't ready yet - I sent it by accident.
Hi all,
I'm running a set of three 389-ds servers with about 50 databases with replication on each server.
Now I'm encountering a constant very high disk write rate (about 300 write IO/sec on average).
In the audit log there is nothing that would explain this. But in iotop I see a lot of threads like:
1621 be/4 dirsrv 0.00 B/s 3.95 K/s 0.00 % 0.46 % ns-slapd -D /etc/dirsrv/slapd-ldap0 -i /var/run/dirsrv/slapd-ldap0.pid -w /var/run/dirsrv/slapd-ldap0.startpid
1628 be/4 dirsrv 0.00 B/s 7.90 K/s 0.00 % 0.46 % ns-slapd -D /etc/dirsrv/slapd-ldap0 -i /var/run/dirsrv/slapd-ldap0.pid -w /var/run/dirsrv/slapd-ldap0.startpid
....
1631 be/4 dirsrv 0.00 B/s 892.18 K/s 0.00 % 0.00 % ns-slapd -D /etc/dirsrv/slapd-ldap0 -i /var/run/dirsrv/slapd-ldap0.pid -w /var/run/dirsrv/slapd-ldap0.startpid
1463 be/4 dirsrv 0.00 B/s 580.31 K/s 0.00 % 0.00 % ns-slapd -D /etc/dirsrv/slapd-ldap0 -i /var/run/dirsrv/slapd-ldap0.pid -w /var/run/dirsrv/slapd-ldap0.startpid
1462 be/4 dirsrv 0.00 B/s 363.19 K/s 0.00 % 0.00 % ns-slapd -D /etc/dirsrv/slapd-ldap0 -i /var/run/dirsrv/slapd-ldap0.pid -w /var/run/dirsrv/slapd-ldap0.startpid
I configured caching and have entrycachehits of about 99 - but anyway this would only have an impact on read operations.
What's conspicuous: one of the three servers has a significantly higher write rate than the others. When I look at our munin stats, the two others, with 40 to 60 write operations per second, have 10 times fewer. And one of the servers suddenly reduces its write rate from more than 100 to an average of 50.
Any idea?
Regards
Jan
5 years, 3 months
Making the console-GUI localhost-only
by rainer@ultra-secure.de
Hi,
So the GUI is really served by a web server, as it looks like?
In /etc/dirsrv/admin-serv/console.conf there is a Listen directive.
I want to change that to 127.0.0.1 instead of 0.0.0.0. Can I edit that file directly or is there some command I have to run - and are there any other things that rely on that web server being available on all interfaces, from all IPs?
Best Regards
Rainer
5 years, 3 months
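console.conf is an Apache httpd configuration (the 389 admin server runs inside httpd), so its Listen directive follows the httpd syntax `Listen [address:]port`, and a bare port or 0.0.0.0 means every interface. The block below is an added example, not the poster's or 389-ds's code: it reports Listen directives that are not bound to loopback and rewrites them to 127.0.0.1 while keeping the port and everything else in the file untouched. The port 9830 in the constructed SAMPLE_CONF is the usual admin-server default but is not stated in the post. Once the admin server only listens on loopback, the Console on another machine reaches it through an SSH port forward to 127.0.0.1 on that port, and the admin server has to be restarted for the change to take effect; check that the URL the Console was given still resolves to the forwarded port.

```python
"""Bind the admin server's httpd Listen directive to loopback only.

Added example, not from the post or from 389-ds. SAMPLE_CONF is a constructed
fragment; port 9830 is an assumption, not something the post states.
"""
import re
from typing import List, Tuple

SAMPLE_CONF = """\
# constructed fragment, not a real console.conf
ServerRoot "/etc/dirsrv/admin-serv"
Listen 0.0.0.0:9830
User dirsrv
"""

# "Listen port", "Listen addr:port", "Listen [v6addr]:port" (directive names
# are case-insensitive in httpd).
LISTEN = re.compile(r"^(\s*Listen\s+)(?:(\S+?):)?(\d+)(\s*)$", re.IGNORECASE)
LOOPBACK = {"127.0.0.1", "[::1]", "localhost"}


def exposed_listens(conf: str) -> List[Tuple[int, str]]:
    """(line number, directive) for every Listen that is not loopback-only."""
    out: List[Tuple[int, str]] = []
    for n, line in enumerate(conf.splitlines(), 1):
        m = LISTEN.match(line)
        if not m:
            continue
        addr = m.group(2) or "0.0.0.0"   # bare port binds all interfaces
        if addr not in LOOPBACK:
            out.append((n, line.strip()))
    return out


def bind_to_loopback(conf: str, address: str = "127.0.0.1") -> str:
    """Rewrite every Listen to the loopback address, keeping its port and
    leaving all other lines exactly as they were."""
    lines = conf.splitlines()
    for i, line in enumerate(lines):
        m = LISTEN.match(line)
        if m:
            lines[i] = f"{m.group(1)}{address}:{m.group(3)}{m.group(4)}"
    return "\n".join(lines) + ("\n" if conf.endswith("\n") else "")


if __name__ == "__main__":
    print("exposed before:", exposed_listens(SAMPLE_CONF))
    fixed = bind_to_loopback(SAMPLE_CONF)
    print(fixed)
    print("exposed after:", exposed_listens(fixed))
```

Running `exposed_listens` over the live file is a cheap check to keep in a configuration audit; a later reinstall or package update that restores `Listen 0.0.0.0` shows up immediately.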