389-users March 2019

389-users@lists.fedoraproject.org

13 participants
15 discussions

Problem browsing LDAP with Outlook
by Chris Bryant 26 Aug '20

26 Aug '20

When configuring Microsoft Outlook (not Outlook Express) to access an LDAP directory, there is an option to 'Enable Browsing (requires server support)'. If this option is chosen and the directory server supports it, then you should be able to open the LDAP address book and page up and down through the results. I have been unable to get this working properly with 389 DS. When I try to browse from Outlook against the 389 DS directory, I am able to see the first page of results perfectly. However, if I move to the next page, only the first object returned will have any attributes included, and all of the rest of the objects in the page will have no attributes. I have a test perl script that duplicates this functionality as well. I can get this to work properly with an older version of Netscape Directory Server, and I can get it working with OpenDS. Since 389 DS advertises support for the controls that are required for this to work, just like the other two servers, then I would expect it to work there also. Has anyone out there gotten this to work with 389 DS? If so, can you share if there was anything special that you needed to do to get this to work? I'm trying to determine if this is a bug in the server, or if I'm just missing something in the configuration. Thanks, Chris USA.NET You Run Your Business. We'll Run Your Email. This message is for the sole use of the intended recipient(s) and may contain confidential and/or privileged information of USA.NET, Inc. Any unauthorized review, use, copying, disclosure, or distribution is prohibited. If you are not the intended recipient, please immediately contact the sender by reply email and delete all copies of the original message.

3 2

MemberOf group restrictions to a client system (server and client running CentOS 7)
by Janet Houser 06 Aug '20

06 Aug '20

Hi, I'm new to 389-ds and last week downloaded and installed the software. I have a running instance of the server, and I've added TLS/SSL. I've configured a CentOS 7 client to be able to query the server using TLS/SSL, and all appears working. I've created users and groups on the 389-ds server successfully. For each user and group, I've enabled posix attributes and my client can see the unix users and groups using the "getent password" or "getent group" commands. Now, here's where I'm getting tripped up.......... I need to limit which users have access to which systems. I've been trying to do this via memberOf group limitations. I found the following online resource (https://thornelabs.net/2013/01/28/aix-restrict-server-login-via-ldap-groups…) which is close enough to CentOS that the initial commands worked. I enabled the MemberOf plugin and changed the attributes per the link, and restarted the system. I created a test group (that I didn't enable a posix GID) and tried to add a single user via: Right click on group -- > click Properties --> then Members --> click Add --> Search for user --> click Add. When I try to go this route (which worked before enabling the memberOf plugin) it worked. Now it seems I get the error: "Cannot save to directory server. netscape.ldap.LDAPException: error resiult(65): Object class violation" And the messages file throws the error (/var/log/dirsrv/slapd-<instancename>/errors: "Entry "uid=test,ou=People,dc=int,dc=com" -- attribute "memberOf" not allowed [17/Feb/2016:11:22:58 -0700] memberof-plugin - memberof_postop_modify: failed to add dn (cn=testgroup,ou=Groups,dc=int,dc=com) to target. Error (65)" So it seems my server isn't quite using the memberOf plugin properly, but I'm not sure what else to enable. I'll have to solve this issue before I even try to filter login access via groups on my client system. I should mention that if I go under the advanced tab for one of the groups I created, I can add the the attribute "uniquemember", but I'm not sure what I should set the "value" to be. I've tried creating new users to see if I could set their "uniquemember" attributes, but no luck. It seems that I don't have the ability to set this attribute on individual users, only groups. This might not be the right road to head down when trying to restrict access to servers via groups, so I'm open to any suggestions. Any suggestions would be appreciated.

6 19

Announcing 389 Directory Server 1.4.0.22
by Mark Reynolds 04 Apr '19

04 Apr '19

389 Directory Server 1.4.0.22 The 389 Directory Server team is proud to announce 389-ds-base version 1.4.0.22 Fedora packages are available on Fedora 28, and 29 Fedora 29 http://koji.fedoraproject.org/koji/buildinfo?buildID=1240342 Fedora 28 http://koji.fedoraproject.org/koji/buildinfo?buildID=1240341 Bodhi F29 https://bodhi.fedoraproject.org/updates/FEDORA-2019-35ca2e35b3 F28 https://bodhi.fedoraproject.org/updates/FEDORA-2019-351b02e21e The new packages and versions are: * 389-ds-base-1.4.0.22-1 Source tarballs are available for download at Download 389-ds-base Source <https://releases.pagure.org/389-ds-base/389-ds-base-1.4.0.22.tar.bz2> Highlights in 1.4.0.22 Bug fixes Installation and Upgrade See Download <https://markdownlivepreview.com/download.html> for information about setting up your yum repositories. To install, use *dnf install 389-ds-base*, then run *dscreate*. To install the Cockput UI plugin use "dnf install cockpit-389-ds" See Install_Guide <https://markdownlivepreview.com/howto/howto-install-389.html> for more information about the initial installation, setup, and upgrade See Source <https://markdownlivepreview.com/development/source.html> for information about source tarballs and SCM (git) access. New UI Progress (Cockpit plugin) The new UI is broken up into a series of configuration tabs. Here is a table showing the current progress *Configuration Tab* *Finished* *Written in ReactJS* Server tab Yes No Security Tab No Database Tab Yes Yes Replication Tab Yes No Schema Tab Yes No Plugins Tab Yes Yes Monitor Tab No Feedback We are very interested in your feedback! Please provide feedback and comments to the 389-users mailing list: https://lists.fedoraproject.org/admin/lists/389-users.lists.fedoraproject.o… If you find a bug, or would like to see a new feature, file it in our Pagure project: https://pagure.io/389-ds-base * Bump version to 1.4.0.22 * Ticket 50308 - Revise memory leak fix * Ticket 50308 - Fix memory leaks for repeat binds and replication * Ticket 49873 - (cont 3rd) cleanup debug log * Ticket 49873 - (cont 2nd) Contention on virtual attribute lookup * Ticket 50292 - Fix Plugin CLI and UI issues * Ticket 50289 - Fix various database UI issues * Ticket 50300 - Fix memory leak in automember plugin * Ticket 50265 - the warning about skew time could last forever * Ticket 50260 - Invalid cache flushing improvements * Ticket 49561 - MEP plugin, upon direct op failure, will delete twice the same managed entry * Ticket 50077 - Do not automatically turn automember postop modifies on * Ticket 50282 - OPERATIONS ERROR when trying to delete a group with automember members * Ticket 49873 - (cont) Contention on virtual attribute lookup * Ticket 50260 - backend txn plugins can corrupt entry cache * Ticket 50041 - Add CLI functionality for special plugins * Ticket 50273 - reduce default replication agmt timeout * Ticket 50234 - one level search returns not matching entry * Ticket 50232 - export creates not importable ldif file * Ticket 50215 - UI - implement Database Tab in reachJS * Ticket 50238 - Failed modrdn can corrupt entry cache * Ticket 50236 - memberOf should be more robust * Ticket 50151 - lib389 support cli add/replace/delete on objects * Ticket 50155 - password history check has no way to just check the current password * Ticket 49873 - Contention on virtual attribute lookup * Ticket 49658 - In replicated topology a single-valued attribute can diverge * Ticket 50177 - import task should not be deleted too rapidely after import finishes to be able to query the status * Ticket 50165 - Fix issues with dscreate

3 3

Announcing 389 Directory Server 1.4.1.2
by Mark Reynolds 30 Mar '19

30 Mar '19

389 Directory Server 1.4.1.2 The 389 Directory Server team is proud to announce 389-ds-base version 1.4.1.2 Fedora packages are available on Fedora 30 and rawhide. https://koji.fedoraproject.org/koji/taskinfo?taskID=33820830 - Rawhide https://koji.fedoraproject.org/koji/taskinfo?taskID=33820510 - Fedora 30 Bodhi https://bodhi.fedoraproject.org/updates/FEDORA-2019-caf75e133e The new packages and versions are: * 389-ds-base-1.4.1.2-1 Source tarballs are available for download at Download 389-ds-base Source <https://releases.pagure.org/389-ds-base/389-ds-base-1.4.1.2.tar.bz2> Highlights in 1.4.1.2 * Version change Installation and Upgrade See Download <https://markdownlivepreview.com/download.html> for information about setting up your yum repositories. To install, use *dnf install 389-ds-base*, to install the UI Cockpit plugin use *dnf install cockpit-389-ds* After install completes, run *dscreate interactive* For upgrades, simply install the package. There are no further steps required. There are no upgrade steps besides installing the new rpms See Install_Guide <https://markdownlivepreview.com/howto/howto-install-389.html> for more information about the initial installation and setup See Source <https://markdownlivepreview.com/development/source.html> for information about source tarballs and SCM (git) access. New UI Progress (Cockpit plugin) The new UI is broken up into a series of configuration tabs. Here is a table showing the current progress *Configuration Tab* *Finished* *Written in ReactJS* Server tab Yes No Security Tab No Database Tab Yes Yes Replication Tab Yes No Schema Tab Yes No Plugins Tab Yes Yes Monitor Tab No Feedback We are very interested in your feedback! Please provide feedback and comments to the 389-users mailing list: https://lists.fedoraproject.org/admin/lists/389-users.lists.fedoraproject.o… If you find a bug, or would like to see a new feature, file it in our Pagure project: https://pagure.io/389-ds-base * Bump version to 1.4.1.2-1 * Ticket 50308 - Revise memory leak fix * Ticket 50308 - Fix memory leaks for repeat binds and replication * Ticket 40067 - Use PKG/CHECK/MODULES to detect libraries * Ticket 49873 - (cont 3rd) cleanup debug log * Ticket 49873 - (cont 2nd) Contention on virtual attribute lookup * Ticket 50292 - Fix Plugin CLI and UI issues * Ticket 50112 - Port ACI test suit from TET to python3(misc and syntax) * Ticket 50289 - Fix various database UI issues * Ticket 49463 - After cleanALLruv, replication is looping on keep alive DEL * Ticket 50300 - Fix memory leak in automember plugin * Ticket 50265 - the warning about skew time could last forever * Ticket 50260 - Invalid cache flushing improvements * Ticket 49561 - MEP plugin, upon direct op failure, will delete twice the same managed entry * Ticket 50077 - Do not automatically turn automember postop modifies on * Ticket 50282 - OPERATIONS ERROR when trying to delete a group with automember members * Ticket 49715 - extend account functionality * Ticket 49873 - (cont) Contention on virtual attribute lookup * Ticket 50260 - backend txn plugins can corrupt entry cache * Ticket 50255 - Port password policy test to use DSLdapObject * Ticket 49667 - 49668 - remove old spec files * Ticket 50276 - 389-ds-console is not built on RHEL8 if cockpit_dist is already present * Ticket 50112 - Port ACI test suit from TET to python3(Search) * Ticket 50259 - implement dn construction test * Ticket 50273 - reduce default replicaton agmt timeout * Ticket 50208 - lib389- Fix issue with list all instances * Ticket 50112 - Port ACI test suit from TET to python3(Global Group) * Ticket 50041 - Add CLI functionality for special plugins * Ticket 50263 - LDAPS port not listening after installation * Ticket 49575 - Indicate autosize value errors and corrective actions * Ticket 50137 - create should not check in non-stateful mode for exist * Ticket 49655 - remove doap file * Ticket 50197 - Fix dscreate regression * Ticket 50234 - one level search returns not matching entry * Ticket 50257 - lib389 - password policy user vs subtree checks are broken * Ticket 50253 - Making an nsManagedRoleDefinition type in src/lib389/lib389/idm/nsrole.py * Ticket 49029 - [RFE] improve internal operations logging * Ticket 50230 - improve ioerror msg when not root/dirsrv * Ticket 50246 - Fix the regression in old control tools * Ticket 50197 - Container integration part 2 * Ticket 50197 - Container init tools * Ticket 50232 - export creates not importable ldif file * Ticket 50215 - UI - implement Database Tab in reachJS * Ticket 50243 - refint modrdn stress test * Ticket 50238 - Failed modrdn can corrupt entry cache * Ticket 50236 - memberOf should be more robust * Ticket 50213 - fix list instance issue * Ticket 50219 - Add generic filter to DSLdapObjects * Ticket 50227 - Making an cosClassicDefinition type in src/lib389/lib389/cos.py * Ticket 50112 - Port ACI test suit from TET to python3(modify) * Ticket 50224 - warnings on deprecated API usage * Ticket 50112 - Port ACI test suit from TET to python3(valueaci) * Ticket 50112 - Port ACI test suit from TET to python3(Aci Atter) * Ticket 50208 - make instances mark off based on dse.ldif not sysconfig * Ticket 50170 - composable object types for nsRole in lib389 * Ticket 50199 - disable perl by default * Ticket 50211 - Making an actual Anonymous type in lib389/idm/account.py * Ticket 50155 - password history check has no way to just check the current password * Ticket 49873 - Contention on virtual attribute lookup * Ticket 50197 - Container integration improvements * Ticket 50195 - improve selinux error messages in interactive * Ticket 49658 - In replicated topology a single-valued attribute can diverge * Ticket 50111 - Use pkg-config to detect icu * Ticket 50165 - Fix issues with dscreate * Ticket 50177 - import task should not be deleted too rapidely after import finishes to be able to query the status * Ticket 50140 - Use high ports in container installs * Ticket 50184 - Add cli tool parity to dsconf/dsctl * Ticket 50159 - sssd and config display

1 0

Change authentication for LDAP
by Zombie fork 25 Mar '19

25 Mar '19

Hi, We are trying to explore new methods of authentication. We want to move away from the traditional password based authentication to a more secure method like using Certificates , keys etc. Is it possible to implement this? What alternatives do we have? Can this be applied on a specific user, ou , subtree etc. Is there any documentation around this?

4 3

creating root suffix from cockpit
by Angel Bosch Mora 22 Mar '19

22 Mar '19

Hi, I asked a broad question here: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject… but I would like to know specifically if root suffix can be created with cockpit. thanks, abosch -- Institut Mallorqui d'Afers Socials. Aquest missatge, i si escau, qualsevol fitxer annex, es dirigeix exclusivament a la persona que n'es destinataria i pot contenir informacio confidencial. En cap cas no heu de copiar aquest missatge ni lliurar-lo a terceres persones sense permis expres de l'IMAS. Si no sou la persona destinataria que s'hi indica (o la responsable de lliurar-l'hi) us demanam que ho notifiqueu immediatament a l'adreca electronica de la persona remitent. -- Abans d'imprimir aquest missatge, pensau si es realment necessari.

3 2

home directory creation on login with different permissions.
by Abhisheyk Deb 15 Mar '19

15 Mar '19

For example I have 3 users like userA, userB, and userC in 389 Directory server with home directories set to /home/userA, /home/userB and /home/userC for them. On the LDAP client side I have authconfig --enablemkhomedir set to true. Right now when a new home directory gets created(when the user logins for the first time) it has the following permissions set for user rwx, groups --- and others ---. Is it possible to have home directories with different permissions like userB's home directory get created with permissions user rwx, group r-x and others r-x on the LDAP client when it first logins. Can these attributes be set in 389 Directory Server or do I need to have custom mkhomedir that needs to do this stuff in system-auth file?. Thank you Abhishek Deb

2 1

[NOTICE] 389 admin console deprecation, removal, and web UI replacement
by Mark Reynolds 14 Mar '19

14 Mar '19

In Fedora 30, all the old java console packages have been marked as deprecated: 389-console 389-ds-console 389-admin-console 389-admin 389-adminutil 389-dsgw In Fedora 31 these packages will be removed. Our new Cockpit [1] plugin (cockpit-389-ds) will be the UI replacement, but important to note is that the new UI will NOT have an LDAP browser for looking at and updating "user" entries. The new UI is strictly designed for server configuration/management. Now there are other free LDAP browsers out there that can be used like Apache Directory Studio [2] for those that still need a UI for managing users and groups. We hope to add a basic LDAP browser in the future, but this will not be ready for Fedora 31. Feel free to voice any comments, concerns, or questions. Regards, 389 Directory Server Development Team [1] https://cockpit-project.org/ [2] https://directory.apache.org/studio/

2 1

Dynamic Group Query Not Returning Members
by Fong, Trevor 14 Mar '19

14 Mar '19

Hi There, I'm trying to set up dynamic groups with 389 DS (1.3.7.5 B2018.184.1411) but my queries against it don't seem to be returning any members. I have a user set up like this: objectClass: eduPerson objectClass: inetLocalMailRecipient objectClass: inetOrgPerson objectClass: inetUser objectClass: organizationalPerson objectClass: person objectClass: posixAccount objectClass: top cn: Test Abc gidNumber: <redacted> homeDirectory: /home/testabc sn: Abc uid: testabc uidNumber: <redacted> displayName: Test Abc givenName: Test loginShell: /bin/bash userPassword:: <redacted> I have my dynamic group set up like this: objectClass: groupOfUniqueNames objectClass: groupOfURLs objectClass: top cn: DynGroup-Test-UniqueMembers description: uniqueMembers test memberURL: ldap:///ou=PEOPLE,dc=test?objectClass?sub?(sn=Abc) The memberURL: ldap:///ou=PEOPLE,dc=test?objectClass?sub?(sn=Abc) returns uid=testabc However my query of the dynamic group doesn't return anything: ldapsearch -x -D "cn=Directory Manager" -W -b " ou=Groups,dc=test" -s sub -a always -z 1000 "(uniqueMember=uid=testabc,ou=PEOPLE,dc=test)" "objectClass" Thanks in advance for your help. Trev

2 1

389 Nessus scan
by Edward Patterson 13 Mar '19

13 Mar '19

Want to use Nessus scanner to scan 389 DS authentication settings...ie... password strength and complexity settings... Is there a plugin for Nessus to do this? -- *Edward J. Patterson II* *GDIT, Network Engineer* *(575) 312-5465 cell/home*

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

389-users March 2019