Problem browsing LDAP with Outlook
by Chris Bryant
When configuring Microsoft Outlook (not Outlook Express) to access an LDAP directory, there is an option to 'Enable Browsing (requires server support)'. If this option is chosen and the directory server supports it, then you should be able to open the LDAP address book and page up and down through the results. I have been unable to get this working properly with 389 DS.
When I try to browse from Outlook against the 389 DS directory, I am able to see the first page of results perfectly. However, if I move to the next page, only the first object returned will have any attributes included, and all of the rest of the objects in the page will have no attributes. I have a test perl script that duplicates this functionality as well.
I can get this to work properly with an older version of Netscape Directory Server, and I can get it working with OpenDS. Since 389 DS advertises support for the controls that are required for this to work, just like the other two servers, then I would expect it to work there also.
Has anyone out there gotten this to work with 389 DS? If so, can you share if there was anything special that you needed to do to get this to work? I'm trying to determine if this is a bug in the server, or if I'm just missing something in the configuration.
Thanks,
Chris
USA.NET
3 years, 1 month
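Outlook's "Enable Browsing" works by sending the Virtual List View request control together with the server-side sort control that VLV requires, then walking the list page by page. The block below is an added example for this thread, not code from 389 DS, Outlook or the Perl script mentioned above: it builds those two controls byte for byte (BER per the VLV draft and RFC 2891), decodes the server's VLV response, and flags the symptom described above, entries on a page that arrive with no attributes. The sort attribute and page geometry are illustrative assumptions, and nothing contacts a server.

```python
"""Build and decode the LDAP controls behind Outlook's 'Enable Browsing'.

Added example for this thread, not code from 389 DS, Outlook or the Perl
script mentioned in the post.  Browsing uses the Virtual List View request
control together with the server-side sort control it requires.  Assumed:
the sort attribute (cn) and page size are illustrative; no server is used.
"""

VLV_REQUEST_OID = "2.16.840.1.113730.3.4.9"
VLV_RESPONSE_OID = "2.16.840.1.113730.3.4.10"
SSS_REQUEST_OID = "1.2.840.113556.1.4.473"   # server-side sort, RFC 2891


def _ber_len(n):
    """BER definite-form length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body


def ber_int(v):
    """INTEGER in minimal two's-complement form (v >= 0 here)."""
    return _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))


def ber_octets(b):
    return _tlv(0x04, b)


def ber_seq(*parts):
    return _tlv(0x30, b"".join(parts))


def vlv_request(before, after, offset, content_count, context_id=b""):
    """VirtualListViewRequest with a byOffset target ([0], implicitly tagged SEQUENCE)."""
    target = _tlv(0xA0, ber_int(offset) + ber_int(content_count))
    body = ber_int(before) + ber_int(after) + target
    if context_id:
        body += ber_octets(context_id)
    return ber_seq(body)


def sort_request(*attrs):
    """SortKeyList: one SEQUENCE per attribute, default ordering rule, ascending."""
    return ber_seq(*(ber_seq(ber_octets(a.encode())) for a in attrs))


def control(oid, value, critical=True):
    """LDAP Control envelope: controlType, criticality, controlValue."""
    body = ber_octets(oid.encode())
    if critical:
        body += _tlv(0x01, b"\xff")          # BOOLEAN TRUE
    return ber_seq(body + ber_octets(value))


def browse_controls(page_size, offset, content_count=0, sort_attr="cn", context_id=b""):
    """The pair of controls a client sends to fetch one page starting at offset (1-based)."""
    return [control(SSS_REQUEST_OID, sort_request(sort_attr)),
            control(VLV_REQUEST_OID,
                    vlv_request(0, page_size - 1, offset, content_count, context_id))]


def _read_tlv(buf, pos):
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_vlv_response(value):
    """VirtualListViewResponse: targetPosition, contentCount, result, optional contextID."""
    tag, body, _ = _read_tlv(value, 0)
    if tag != 0x30:
        raise ValueError("VLV response is not a SEQUENCE")
    fields, pos = [], 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        fields.append((t, v))
    if [t for t, _ in fields[:3]] != [0x02, 0x02, 0x0A]:
        raise ValueError("unexpected field tags in VLV response")
    target, count, result = (int.from_bytes(v, "big", signed=True) for _, v in fields[:3])
    return {"targetPosition": target, "contentCount": count, "result": result,
            "contextID": fields[3][1] if len(fields) > 3 else b""}


def next_offset(resp, page_size):
    """Offset for the following page: the server's reported position plus the page."""
    return resp["targetPosition"] + page_size


def attribute_less_entries(page):
    """The symptom from the thread: entries on a page that arrived with no attributes.
    page is a list of (dn, {attr: [values]}) as a client library hands them back."""
    return [dn for dn, attrs in page if not attrs]
```

To compare against a live session, capture the Outlook search request and check that the control values match what `browse_controls` produces for the same page; on 389 DS a VLV request is served from a browsing (VLV) index whose base, scope, filter and sort attribute match the request, so a mismatch between the captured request and the index definition is the first thing to rule out.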
MemberOf group restrictions to a client system (server and client running CentOS 7)
by Janet Houser
Hi,
I'm new to 389-ds and last week downloaded and installed the software.
I have a running instance of the server, and I've added TLS/SSL. I've configured a CentOS 7 client to be able to query
the server using TLS/SSL, and all appears working.
I've created users and groups on the 389-ds server successfully. For each user and group, I've enabled posix attributes and my client
can see the unix users and groups using the "getent password" or "getent group" commands.
Now, here's where I'm getting tripped up..........
I need to limit which users have access to which systems. I've been trying to do this via memberOf group limitations.
I found the following online resource (https://thornelabs.net/2013/01/28/aix-restrict-server-login-via-ldap-grou...)
which is close enough to CentOS that the initial commands worked.
I enabled the MemberOf plugin and changed the attributes per the link, and restarted the system.
I created a test group (that I didn't enable a posix GID) and tried to add a single user via:
Right click on group -- > click Properties --> then Members --> click Add --> Search for user --> click Add.
When I try to go this route (which worked before enabling the memberOf plugin) it worked. Now it seems I get the error:
"Cannot save to directory server.
netscape.ldap.LDAPException: error result(65): Object class violation"
And the messages file throws the error (/var/log/dirsrv/slapd-<instancename>/errors:
"Entry "uid=test,ou=People,dc=int,dc=com" -- attribute "memberOf" not allowed
[17/Feb/2016:11:22:58 -0700] memberof-plugin - memberof_postop_modify: failed to add dn (cn=testgroup,ou=Groups,dc=int,dc=com) to target. Error (65)"
So it seems my server isn't quite using the memberOf plugin properly, but I'm not sure what else to enable. I'll have to solve this issue before
I even try to filter login access via groups on my client system.
I should mention that if I go under the advanced tab for one of the groups I created, I can add the attribute "uniquemember", but I'm not sure what I should set the "value" to be.
I've tried creating new users to see if I could set their "uniquemember" attributes, but no luck. It seems that I don't have the ability to set this attribute
on individual users, only groups.
This might not be the right road to head down when trying to restrict access to servers via groups, so I'm open to any suggestions.
Any suggestions would be appreciated.
3 years, 1 month
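The error quoted above ("attribute memberOf not allowed", result 65) is the server refusing to write memberOf onto a user entry whose object classes do not permit that attribute; 389 DS ships the auxiliary class nsMemberOf for this purpose, and a group's uniqueMember value is the member's full DN. The script below is an added example for this thread, not code from 389 DS or the linked guide: it parses a constructed LDIF export, reports users the plugin cannot update, emits the ldapmodify input that adds the auxiliary class, computes what memberOf the plugin would write from the groups' uniqueMember/member links, and evaluates a "member of this group may log in" rule of the kind sssd's ldap_access_filter expresses. The set of memberOf-permitting classes is an assumption to verify against the server's schema, and DN handling ignores escaping.

```python
"""Offline check of why the memberOf plugin raises 'Object class violation',
and of a group-based login rule, against a constructed LDIF export.

Added example for this thread, not code from 389 DS or the linked guide.
Assumptions: MEMBEROF_CLASSES is this script's allow-list and should be
checked against cn=schema; forward links are uniqueMember or member holding
a full DN; the client rule is 'login allowed if memberOf contains the host's
group DN'.  DN comparison is lower-case with no escaping.
"""
import base64
from collections import defaultdict

MEMBEROF_CLASSES = {"nsmemberof"}          # assumption: extend after reading cn=schema
FORWARD_LINKS = ("uniquemember", "member")
USER_CLASSES = {"posixaccount", "inetorgperson"}


def _unfold(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of entries, each {attr_lowercase: [values]} including 'dn'."""
    entries, attrs = [], defaultdict(list)
    for line in _unfold(text) + [""]:
        if not line:
            if attrs:
                entries.append(dict(attrs))
                attrs = defaultdict(list)
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):                      # 'attr:: base64'
            value = base64.b64decode(value[1:].strip()).decode()
        attrs[name.strip().lower()].append(value.strip())
    return entries


def norm_dn(dn):
    return ",".join(part.strip() for part in dn.lower().split(","))


def memberof_blockers(entries):
    """Users the plugin cannot update: none of their objectClasses allows memberOf.
    Adding such a user to a group produces the error 65 seen in the thread."""
    blocked = []
    for e in entries:
        classes = {oc.lower() for oc in e.get("objectclass", [])}
        if classes & USER_CLASSES and not classes & MEMBEROF_CLASSES:
            blocked.append(e["dn"][0])
    return blocked


def fix_ldif(user_dn, aux_class="nsMemberOf"):
    """ldapmodify input that makes memberOf legal on the user entry."""
    return (f"dn: {user_dn}\nchangetype: modify\n"
            f"add: objectClass\nobjectClass: {aux_class}\n")


def expected_memberof(entries):
    """What the plugin would write: the reverse of every group -> member link."""
    reverse = defaultdict(set)
    for e in entries:
        for link in FORWARD_LINKS:
            for member_dn in e.get(link, []):
                reverse[norm_dn(member_dn)].add(norm_dn(e["dn"][0]))
    return reverse


def login_allowed(user_dn, required_group_dn, memberof_map):
    """Client-side rule: allow only if the user's memberOf carries the host's group."""
    return norm_dn(required_group_dn) in memberof_map.get(norm_dn(user_dn), set())


# Constructed export: one user without nsMemberOf (the failing case), one with it,
# and a groupOfUniqueNames listing both; the folded uniqueMember line exercises _unfold.
SAMPLE_LDIF = """\
dn: uid=test,ou=People,dc=int,dc=com
objectClass: top
objectClass: person
objectClass: posixAccount
uid: test
cn: Test User
sn: User
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/test

dn: uid=alice,ou=People,dc=int,dc=com
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: nsMemberOf
uid: alice
cn: Alice Example
sn: Example
uidNumber: 10002
gidNumber: 10002
homeDirectory: /home/alice

dn: cn=testgroup,ou=Groups,dc=int,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: testgroup
uniqueMember: uid=test,ou=People,dc=int,dc=com
uniqueMember: uid=alice,
 ou=People,dc=int,dc=com
"""
```

Run `memberof_blockers` over a real export (`db2ldif` or an `ldapsearch` of the People subtree) before enabling the plugin; every DN it lists needs the `fix_ldif` modification first, otherwise the first group change touching that user fails exactly as in the error log above.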
Announcing 389 Directory Server 1.4.0.22
by Mark Reynolds
389 Directory Server 1.4.0.22
The 389 Directory Server team is proud to announce 389-ds-base version
1.4.0.22
Fedora packages are available on Fedora 28, and 29
Fedora 29
http://koji.fedoraproject.org/koji/buildinfo?buildID=1240342
Fedora 28
http://koji.fedoraproject.org/koji/buildinfo?buildID=1240341
Bodhi
F29 https://bodhi.fedoraproject.org/updates/FEDORA-2019-35ca2e35b3
F28 https://bodhi.fedoraproject.org/updates/FEDORA-2019-351b02e21e
The new packages and versions are:
* 389-ds-base-1.4.0.22-1
Source tarballs are available for download at Download 389-ds-base
Source
<https://releases.pagure.org/389-ds-base/389-ds-base-1.4.0.22.tar.bz2>
Highlights in 1.4.0.22
Bug fixes
Installation and Upgrade
See Download for information about setting up your yum repositories.
To install, use *dnf install 389-ds-base*, then run *dscreate*. To
install the Cockpit UI plugin use "dnf install cockpit-389-ds"
See Install_Guide for more information about the initial installation,
setup, and upgrade
See Source for information about source tarballs and SCM (git) access.
New UI Progress (Cockpit plugin)
The new UI is broken up into a series of configuration tabs. Here is a
table showing the current progress
Configuration Tab   Finished   Written in ReactJS
Server tab          Yes        No
Security Tab        No
Database Tab        Yes        Yes
Replication Tab     Yes        No
Schema Tab          Yes        No
Plugins Tab         Yes        Yes
Monitor Tab         No
Feedback
We are very interested in your feedback!
Please provide feedback and comments to the 389-users mailing list:
https://lists.fedoraproject.org/admin/lists/389-users.lists.fedoraproject...
If you find a bug, or would like to see a new feature, file it in our
Pagure project: https://pagure.io/389-ds-base
* Bump version to 1.4.0.22
* Ticket 50308 - Revise memory leak fix
* Ticket 50308 - Fix memory leaks for repeat binds and replication
* Ticket 49873 - (cont 3rd) cleanup debug log
* Ticket 49873 - (cont 2nd) Contention on virtual attribute lookup
* Ticket 50292 - Fix Plugin CLI and UI issues
* Ticket 50289 - Fix various database UI issues
* Ticket 50300 - Fix memory leak in automember plugin
* Ticket 50265 - the warning about skew time could last forever
* Ticket 50260 - Invalid cache flushing improvements
* Ticket 49561 - MEP plugin, upon direct op failure, will delete twice
the same managed entry
* Ticket 50077 - Do not automatically turn automember postop modifies on
* Ticket 50282 - OPERATIONS ERROR when trying to delete a group with
automember members
* Ticket 49873 - (cont) Contention on virtual attribute lookup
* Ticket 50260 - backend txn plugins can corrupt entry cache
* Ticket 50041 - Add CLI functionality for special plugins
* Ticket 50273 - reduce default replication agmt timeout
* Ticket 50234 - one level search returns not matching entry
* Ticket 50232 - export creates not importable ldif file
* Ticket 50215 - UI - implement Database Tab in ReactJS
* Ticket 50238 - Failed modrdn can corrupt entry cache
* Ticket 50236 - memberOf should be more robust
* Ticket 50151 - lib389 support cli add/replace/delete on objects
* Ticket 50155 - password history check has no way to just check the
current password
* Ticket 49873 - Contention on virtual attribute lookup
* Ticket 49658 - In replicated topology a single-valued attribute can
diverge
* Ticket 50177 - import task should not be deleted too rapidly after
import finishes to be able to query the status
* Ticket 50165 - Fix issues with dscreate
4 years, 5 months
Announcing 389 Directory Server 1.4.1.2
by Mark Reynolds
389 Directory Server 1.4.1.2
The 389 Directory Server team is proud to announce 389-ds-base version
1.4.1.2
Fedora packages are available on Fedora 30 and rawhide.
https://koji.fedoraproject.org/koji/taskinfo?taskID=33820830 - Rawhide
https://koji.fedoraproject.org/koji/taskinfo?taskID=33820510 - Fedora 30
Bodhi
https://bodhi.fedoraproject.org/updates/FEDORA-2019-caf75e133e
The new packages and versions are:
* 389-ds-base-1.4.1.2-1
Source tarballs are available for download at Download 389-ds-base
Source <https://releases.pagure.org/389-ds-base/389-ds-base-1.4.1.2.tar.bz2>
Highlights in 1.4.1.2
* Version change
Installation and Upgrade
See Download for information about setting up your yum repositories.
To install, use *dnf install 389-ds-base*; to install the Cockpit UI
plugin use *dnf install cockpit-389-ds*. After install completes, run
*dscreate interactive*
For upgrades, simply install the package. There are no further steps
required besides installing the new rpms.
See Install_Guide for more information about the initial installation
and setup
See Source for information about source tarballs and SCM (git) access.
New UI Progress (Cockpit plugin)
The new UI is broken up into a series of configuration tabs. Here is a
table showing the current progress
Configuration Tab   Finished   Written in ReactJS
Server tab          Yes        No
Security Tab        No
Database Tab        Yes        Yes
Replication Tab     Yes        No
Schema Tab          Yes        No
Plugins Tab         Yes        Yes
Monitor Tab         No
Feedback
We are very interested in your feedback!
Please provide feedback and comments to the 389-users mailing list:
https://lists.fedoraproject.org/admin/lists/389-users.lists.fedoraproject...
If you find a bug, or would like to see a new feature, file it in our
Pagure project: https://pagure.io/389-ds-base
* Bump version to 1.4.1.2-1
* Ticket 50308 - Revise memory leak fix
* Ticket 50308 - Fix memory leaks for repeat binds and replication
* Ticket 40067 - Use PKG/CHECK/MODULES to detect libraries
* Ticket 49873 - (cont 3rd) cleanup debug log
* Ticket 49873 - (cont 2nd) Contention on virtual attribute lookup
* Ticket 50292 - Fix Plugin CLI and UI issues
* Ticket 50112 - Port ACI test suite from TET to python3(misc and syntax)
* Ticket 50289 - Fix various database UI issues
* Ticket 49463 - After cleanALLruv, replication is looping on keep
alive DEL
* Ticket 50300 - Fix memory leak in automember plugin
* Ticket 50265 - the warning about skew time could last forever
* Ticket 50260 - Invalid cache flushing improvements
* Ticket 49561 - MEP plugin, upon direct op failure, will delete twice
the same managed entry
* Ticket 50077 - Do not automatically turn automember postop modifies on
* Ticket 50282 - OPERATIONS ERROR when trying to delete a group with
automember members
* Ticket 49715 - extend account functionality
* Ticket 49873 - (cont) Contention on virtual attribute lookup
* Ticket 50260 - backend txn plugins can corrupt entry cache
* Ticket 50255 - Port password policy test to use DSLdapObject
* Ticket 49667 - 49668 - remove old spec files
* Ticket 50276 - 389-ds-console is not built on RHEL8 if cockpit_dist
is already present
* Ticket 50112 - Port ACI test suite from TET to python3(Search)
* Ticket 50259 - implement dn construction test
* Ticket 50273 - reduce default replication agmt timeout
* Ticket 50208 - lib389- Fix issue with list all instances
* Ticket 50112 - Port ACI test suite from TET to python3(Global Group)
* Ticket 50041 - Add CLI functionality for special plugins
* Ticket 50263 - LDAPS port not listening after installation
* Ticket 49575 - Indicate autosize value errors and corrective actions
* Ticket 50137 - create should not check in non-stateful mode for exist
* Ticket 49655 - remove doap file
* Ticket 50197 - Fix dscreate regression
* Ticket 50234 - one level search returns not matching entry
* Ticket 50257 - lib389 - password policy user vs subtree checks are
broken
* Ticket 50253 - Making an nsManagedRoleDefinition type in
src/lib389/lib389/idm/nsrole.py
* Ticket 49029 - [RFE] improve internal operations logging
* Ticket 50230 - improve ioerror msg when not root/dirsrv
* Ticket 50246 - Fix the regression in old control tools
* Ticket 50197 - Container integration part 2
* Ticket 50197 - Container init tools
* Ticket 50232 - export creates not importable ldif file
* Ticket 50215 - UI - implement Database Tab in ReactJS
* Ticket 50243 - refint modrdn stress test
* Ticket 50238 - Failed modrdn can corrupt entry cache
* Ticket 50236 - memberOf should be more robust
* Ticket 50213 - fix list instance issue
* Ticket 50219 - Add generic filter to DSLdapObjects
* Ticket 50227 - Making an cosClassicDefinition type in
src/lib389/lib389/cos.py
* Ticket 50112 - Port ACI test suite from TET to python3(modify)
* Ticket 50224 - warnings on deprecated API usage
* Ticket 50112 - Port ACI test suite from TET to python3(valueaci)
* Ticket 50112 - Port ACI test suite from TET to python3(Aci Atter)
* Ticket 50208 - make instances mark off based on dse.ldif not sysconfig
* Ticket 50170 - composable object types for nsRole in lib389
* Ticket 50199 - disable perl by default
* Ticket 50211 - Making an actual Anonymous type in lib389/idm/account.py
* Ticket 50155 - password history check has no way to just check the
current password
* Ticket 49873 - Contention on virtual attribute lookup
* Ticket 50197 - Container integration improvements
* Ticket 50195 - improve selinux error messages in interactive
* Ticket 49658 - In replicated topology a single-valued attribute can
diverge
* Ticket 50111 - Use pkg-config to detect icu
* Ticket 50165 - Fix issues with dscreate
* Ticket 50177 - import task should not be deleted too rapidly after
import finishes to be able to query the status
* Ticket 50140 - Use high ports in container installs
* Ticket 50184 - Add cli tool parity to dsconf/dsctl
* Ticket 50159 - sssd and config display
4 years, 6 months
Change authentication for LDAP
by Zombie fork
Hi,
We are trying to explore new methods of authentication. We want to move
away from the traditional password based authentication to a more secure
method like using Certificates , keys etc.
Is it possible to implement this? What alternatives do we have?
Can this be applied on a specific user, ou , subtree etc.
Is there any documentation around this?
4 years, 6 months
creating root suffix from cockpit
by Angel Bosch Mora
Hi,
I asked a broad question here:
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje...
but I would like to know specifically if root suffix can be created with cockpit.
thanks,
abosch
4 years, 6 months
home directory creation on login with different permissions.
by Abhisheyk Deb
For example I have 3 users like userA, userB, and userC in 389 Directory
server with home directories set to /home/userA, /home/userB and
/home/userC for them.
On the LDAP client side I have authconfig --enablemkhomedir set to true.
Right now when a new home directory gets created (when the user logs in for
the first time) it has the following permissions set: for user rwx, group
--- and others ---.
Is it possible to have home directories with different permissions, like
userB's home directory getting created with permissions user rwx, group r-x and
others r-x on the LDAP client when they first log in?
Can these attributes be set in 389 Directory Server, or do I need to have a
custom mkhomedir that does this in the system-auth file?
Thank you
Abhishek Deb
4 years, 6 months
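pam_mkhomedir applies one umask to every home it creates, so a per-user mode has to come from a second step after the directory exists. The script below is an added example for this thread, not code from 389 DS, pam_mkhomedir or authconfig. It assumes, hypothetically, that each user entry carries a custom attribute (called homeDirectoryMode here) holding an octal string, that a session-phase pam_exec line in system-auth runs this script after pam_mkhomedir, and that the LDAP lookup is replaced by a constructed table so it runs offline. Because such a helper runs as root, it refuses to follow a symlinked home, refuses to touch a directory the user does not own, and accepts only rwx bits from directory data.

```python
"""Per-user home directory mode, applied after pam_mkhomedir has created the directory.

Added example for this thread, not code from 389 DS, pam_mkhomedir or authconfig.
Assumptions (hypothetical): a custom attribute homeDirectoryMode on the user entry,
a pam_exec session hook running this after pam_mkhomedir, and a constructed table in
place of the LDAP lookup.  Runs as root in real use, hence the symlink/ownership checks.
"""
import os
import pwd
import stat
import tempfile

PERMISSION_BITS = 0o777        # rwx for user, group, other; nothing else accepted

# Constructed stand-in for the LDAP lookup of uid -> homeDirectoryMode.
FAKE_DIRECTORY = {"userA": "0700", "userB": "0755", "userC": "0750"}


def parse_mode(value):
    """Octal string from the directory -> mode bits; reject setuid/setgid/sticky."""
    mode = int(value, 8)
    if mode & ~PERMISSION_BITS:
        raise ValueError(f"refusing mode {value}: only rwx bits may come from the directory")
    return mode


def mode_for_user(username, directory=FAKE_DIRECTORY, default="0700"):
    """Mode to apply for username, falling back to a private home when unset."""
    return parse_mode(directory.get(username, default))


def apply_home_mode(home, mode, expected_uid):
    """chmod home to mode, without following a symlink and only if expected_uid owns it.
    Returns the permission bits actually set."""
    fd = os.open(home, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        st = os.fstat(fd)
        if st.st_uid != expected_uid:
            raise PermissionError(f"{home} is owned by uid {st.st_uid}, not {expected_uid}")
        os.fchmod(fd, mode)
        return stat.S_IMODE(os.fstat(fd).st_mode)
    finally:
        os.close(fd)


def pam_exec_entry(environ=os.environ):
    """What the pam_exec hook would do: PAM_USER names the user who just logged in."""
    user = environ["PAM_USER"]
    pw = pwd.getpwnam(user)
    return apply_home_mode(pw.pw_dir, mode_for_user(user), pw.pw_uid)


def demo():
    """Offline run in a temporary directory: the normal case, a symlinked 'home',
    and a bad attribute value.  Returns the three outcomes."""
    home = tempfile.mkdtemp(prefix="home-userB-")
    applied = apply_home_mode(home, mode_for_user("userB"), os.getuid())

    link = home + "-link"
    os.symlink(home, link)
    try:
        apply_home_mode(link, mode_for_user("userB"), os.getuid())
        symlink_rejected = False
    except OSError:                   # O_NOFOLLOW makes open() fail on the symlink
        symlink_rejected = True
    os.unlink(link)

    try:
        parse_mode("4755")
        setuid_rejected = False
    except ValueError:
        setuid_rejected = True

    os.rmdir(home)
    return applied, symlink_rejected, setuid_rejected
```

In a real deployment `FAKE_DIRECTORY` becomes a lookup of the user's entry over the same TLS connection sssd or nslcd already uses, and the hook belongs after the `pam_mkhomedir.so` line in the session stack so the directory already exists when it runs.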
[NOTICE] 389 admin console deprecation, removal, and web UI replacement
by Mark Reynolds
In Fedora 30, all the old java console packages have been marked as
deprecated:
389-console
389-ds-console
389-admin-console
389-admin
389-adminutil
389-dsgw
In Fedora 31 these packages will be removed.
Our new Cockpit [1] plugin (cockpit-389-ds) will be the UI replacement,
but important to note is that the new UI will NOT have an LDAP browser
for looking at and updating "user" entries. The new UI is strictly
designed for server configuration/management. Now there are other free
LDAP browsers out there that can be used like Apache Directory Studio
[2] for those that still need a UI for managing users and groups. We
hope to add a basic LDAP browser in the future, but this will not be
ready for Fedora 31.
Feel free to voice any comments, concerns, or questions.
Regards,
389 Directory Server Development Team
[1] https://cockpit-project.org/
[2] https://directory.apache.org/studio/
4 years, 6 months
Dynamic Group Query Not Returning Members
by Fong, Trevor
Hi There,
I'm trying to set up dynamic groups with 389 DS (1.3.7.5 B2018.184.1411) but my queries against it don't seem to be returning any members.
I have a user set up like this:
objectClass: eduPerson
objectClass: inetLocalMailRecipient
objectClass: inetOrgPerson
objectClass: inetUser
objectClass: organizationalPerson
objectClass: person
objectClass: posixAccount
objectClass: top
cn: Test Abc
gidNumber: <redacted>
homeDirectory: /home/testabc
sn: Abc
uid: testabc
uidNumber: <redacted>
displayName: Test Abc
givenName: Test
loginShell: /bin/bash
userPassword:: <redacted>
I have my dynamic group set up like this:
objectClass: groupOfUniqueNames
objectClass: groupOfURLs
objectClass: top
cn: DynGroup-Test-UniqueMembers
description: uniqueMembers test
memberURL: ldap:///ou=PEOPLE,dc=test?objectClass?sub?(sn=Abc)
The memberURL:
ldap:///ou=PEOPLE,dc=test?objectClass?sub?(sn=Abc)
returns uid=testabc
However my query of the dynamic group doesn't return anything:
ldapsearch -x -D "cn=Directory Manager" -W -b " ou=Groups,dc=test" -s sub -a always -z 1000 "(uniqueMember=uid=testabc,ou=PEOPLE,dc=test)" "objectClass"
Thanks in advance for your help.
Trev
4 years, 6 months
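A groupOfURLs entry stores its membership rule in memberURL as an LDAP URL (base?attrs?scope?filter); the server does not expand that rule into uniqueMember values, so a search for `(uniqueMember=<dn>)` against the dynamic group finds nothing, while running the URL's own search does. The block below is an added example for this thread, not 389 DS code: it parses the memberURL, evaluates the filter against constructed entries with the right scope, and shows the static and dynamic views side by side. Filter support is the subset the thread needs plus &, |, ! and presence; DN comparison is a simplified lower-case match with no escaping.

```python
"""Evaluate a groupOfURLs memberURL offline against constructed entries.

Added example for this thread, not 389 DS code.  Entries are dicts with
lower-case attribute names and list values; the group's memberURL is an
RFC 4516 URL.  Filter grammar: (&..), (|..), (!..), (attr=value), (attr=*).
"""
import re
from urllib.parse import unquote


def parse_ldap_url(url):
    """Split ldap:///base?attrs?scope?filter into its parts, with RFC 4516 defaults."""
    m = re.fullmatch(r"ldap://[^/]*/(.*)", url)
    if not m:
        raise ValueError(f"not an LDAP URL: {url}")
    parts = (m.group(1).split("?") + ["", "", "", ""])[:4]
    base, attrs, scope, filt = (unquote(p) for p in parts)
    return {"base": base, "attrs": [a for a in attrs.split(",") if a],
            "scope": scope.lower() or "base", "filter": filt or "(objectClass=*)"}


def parse_filter(text):
    """Recursive-descent parser for the filter subset listed above."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at {pos}")
        pos += 1
        if text[pos] in "&|":
            op = text[pos]
            pos += 1
            kids = []
            while text[pos] == "(":
                kids.append(node())
            pos += 1                                   # closing ')'
            return (op, kids)
        if text[pos] == "!":
            pos += 1
            kid = node()
            pos += 1
            return ("!", [kid])
        end = text.index(")", pos)
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        return ("=", attr.strip().lower(), value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree


def matches(entry, tree):
    kind = tree[0]
    if kind == "&":
        return all(matches(entry, k) for k in tree[1])
    if kind == "|":
        return any(matches(entry, k) for k in tree[1])
    if kind == "!":
        return not matches(entry, tree[1][0])
    _, attr, value = tree
    values = entry.get(attr, [])
    if value == "*":                                   # presence
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def _norm(dn):
    return ",".join(p.strip().lower() for p in dn.split(","))


def in_scope(dn, base, scope):
    d, b = _norm(dn), _norm(base)
    if d == b:
        return scope in ("base", "sub")
    if not d.endswith("," + b):
        return False
    depth = d[: -len(b) - 1].count(",") + 1            # RDNs below the base
    return scope == "sub" or (scope == "one" and depth == 1)


def dynamic_members(group, entries):
    """Members the group's memberURL selects from entries."""
    url = parse_ldap_url(group["memberurl"][0])
    tree = parse_filter(url["filter"])
    return [e["dn"] for e in entries
            if in_scope(e["dn"], url["base"], url["scope"]) and matches(e, tree)]


def static_members(group):
    """What (uniqueMember=...) searches see: only explicitly stored values."""
    return group.get("uniquemember", [])


# Constructed entries modelled on the thread's user and group.
PEOPLE = [
    {"dn": "uid=testabc,ou=PEOPLE,dc=test", "objectclass": ["inetOrgPerson", "posixAccount"],
     "uid": ["testabc"], "sn": ["Abc"], "cn": ["Test Abc"]},
    {"dn": "uid=other,ou=PEOPLE,dc=test", "objectclass": ["inetOrgPerson"],
     "uid": ["other"], "sn": ["Xyz"], "cn": ["Other Person"]},
    {"dn": "uid=abc2,ou=Contractors,ou=PEOPLE,dc=test", "objectclass": ["inetOrgPerson"],
     "uid": ["abc2"], "sn": ["Abc"], "cn": ["Second Abc"]},
]
DYN_GROUP = {
    "dn": "cn=DynGroup-Test-UniqueMembers,ou=Groups,dc=test",
    "objectclass": ["groupOfUniqueNames", "groupOfURLs", "top"],
    "memberurl": ["ldap:///ou=PEOPLE,dc=test?objectClass?sub?(sn=Abc)"],
}
```

If the goal is a server-side answer to "which users are in this group", 389 DS's filtered roles do that job: the role's filter is evaluated by the server and surfaces as a computed nsRole attribute on each matching user, so a client can search `(nsRole=<role dn>)` instead of expecting uniqueMember to be populated.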
389 Nessus scan
by Edward Patterson
Want to use Nessus scanner to scan 389 DS authentication settings...ie...
password strength and complexity settings...
Is there a plugin for Nessus to do this?
--
*Edward J. Patterson II*
*GDIT, Network Engineer*
*(575) 312-5465 cell/home*
4 years, 6 months
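Whether or not a scanner plugin exists for it, the settings in question are plain attributes on cn=config (and on any subtree or user password-policy entry), so they can be pulled with an ldapsearch and checked against a baseline. The script below is an added example for this thread, not a Nessus plugin and not 389 DS code: the attribute names are the ones 389 DS uses, the thresholds in CHECKS are this example's baseline to adjust to your own standard, and the input is a constructed ldapsearch-style dump of cn=config with several settings left at permissive values.

```python
"""Audit 389 DS global password-policy and bind-security settings from an
ldapsearch export of cn=config.

Added example for this thread, not a Nessus plugin and not 389 DS code.
The baseline in CHECKS is illustrative; subtree and user password policies
carry the same password* attributes in their own entries, so run audit() on
each of those entries as well.
"""

DAY = 86400

# Constructed cn=config dump with several weak settings left at permissive values.
CONSTRUCTED_CONFIG = """\
dn: cn=config
passwordCheckSyntax: off
passwordMinLength: 8
passwordLockout: off
passwordMaxFailure: 3
passwordHistory: off
passwordInHistory: 6
passwordExp: on
passwordMaxAge: 8640000
passwordStorageScheme: SSHA
nsslapd-require-secure-binds: off
nsslapd-minssf: 0
nsslapd-allow-anonymous-access: on
"""

STRONG_SCHEMES = {"PBKDF2_SHA256", "SSHA512"}        # example allow-list

# (attribute, predicate on the lower-cased value, message when it fails)
CHECKS = [
    ("passwordchecksyntax", lambda v: v == "on",
     "syntax checking is off, so length and character-class rules are not enforced"),
    ("passwordminlength", lambda v: int(v) >= 12, "minimum length below 12"),
    ("passwordlockout", lambda v: v == "on", "lockout disabled: online guessing is unthrottled"),
    ("passwordmaxfailure", lambda v: int(v) <= 5, "more than 5 failures before lockout"),
    ("passwordhistory", lambda v: v == "on", "password history disabled"),
    ("passwordexp", lambda v: v == "on", "password expiration disabled"),
    ("passwordmaxage", lambda v: int(v) <= 90 * DAY, "maximum age above 90 days"),
    ("passwordstoragescheme", lambda v: v.upper() in STRONG_SCHEMES,
     "storage scheme not in the allow-list (SSHA and CRYPT are legacy, CLEAR is plaintext)"),
    ("nsslapd-require-secure-binds", lambda v: v == "on",
     "simple binds accepted without TLS: passwords can cross the wire in clear"),
    ("nsslapd-minssf", lambda v: int(v) >= 128, "minimum SSF below 128"),
    ("nsslapd-allow-anonymous-access", lambda v: v in {"off", "rootdse"},
     "anonymous access not restricted"),
]


def parse_attrs(text):
    """ldapsearch output -> {attr_lowercase: value}; single-valued attributes only."""
    attrs = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and not line.startswith(("#", "dn:")):
            attrs[name.strip().lower()] = value.strip()
    return attrs


def audit(attrs):
    """Return (attribute, current value, message) for every failed or missing check."""
    findings = []
    for name, ok, message in CHECKS:
        value = attrs.get(name)
        if value is None:
            findings.append((name, "(unset)", message))
            continue
        try:
            passed = ok(value.lower())
        except ValueError:                            # non-numeric where a number is expected
            passed = False
        if not passed:
            findings.append((name, value, message))
    return findings


def report(findings):
    """Human-readable lines, one per finding."""
    return [f"{name} = {value}: {message}" for name, value, message in findings]
```

Feed it the output of a base-scope `ldapsearch` of `cn=config` run as a privileged bind over TLS; an unset attribute is reported too, because the server default then applies and the default is not necessarily the value your policy requires.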