Problem browsing LDAP with Outlook
by Chris Bryant
When configuring Microsoft Outlook (not Outlook Express) to access an LDAP directory, there is an option to 'Enable Browsing (requires server support)'. If this option is chosen and the directory server supports it, then you should be able to open the LDAP address book and page up and down through the results. I have been unable to get this working properly with 389 DS.
When I try to browse from Outlook against the 389 DS directory, I am able to see the first page of results perfectly. However, if I move to the next page, only the first object returned will have any attributes included, and all of the rest of the objects in the page will have no attributes. I have a test perl script that duplicates this functionality as well.
I can get this to work properly with an older version of Netscape Directory Server, and I can get it working with OpenDS. Since 389 DS advertises support for the controls that are required for this to work, just like the other two servers, then I would expect it to work there also.
Has anyone out there gotten this to work with 389 DS? If so, can you share if there was anything special that you needed to do to get this to work? I'm trying to determine if this is a bug in the server, or if I'm just missing something in the configuration.
Thanks,
Chris
USA.NET
2 years, 9 months
MemberOf group restrictions to a client system (server and client running CentOS 7)
by Janet Houser
Hi,
I'm new to 389-ds and last week downloaded and installed the software.
I have a running instance of the server, and I've added TLS/SSL. I've configured a CentOS 7 client to be able to query the server using TLS/SSL, and all appears working.
I've created users and groups on the 389-ds server successfully. For each user and group, I've enabled posix attributes and my client can see the unix users and groups using the "getent password" or "getent group" commands.
Now, here's where I'm getting tripped up...
I need to limit which users have access to which systems. I've been trying to do this via memberOf group limitations.
I found the following online resource (https://thornelabs.net/2013/01/28/aix-restrict-server-login-via-ldap-grou...) which is close enough to CentOS that the initial commands worked.
I enabled the MemberOf plugin and changed the attributes per the link, and restarted the system.
I created a test group (that I didn't enable a posix GID) and tried to add a single user via:
Right click on group -- > click Properties --> then Members --> click Add --> Search for user --> click Add.
When I try to go this route (which worked before enabling the memberOf plugin) it worked. Now it seems I get the error:
"Cannot save to directory server. netscape.ldap.LDAPException: error result(65): Object class violation"
And the messages file throws the error (/var/log/dirsrv/slapd-<instancename>/errors):
"Entry "uid=test,ou=People,dc=int,dc=com" -- attribute "memberOf" not allowed
[17/Feb/2016:11:22:58 -0700] memberof-plugin - memberof_postop_modify: failed to add dn (cn=testgroup,ou=Groups,dc=int,dc=com) to target. Error (65)"
So it seems my server isn't quite using the memberOf plugin properly, but I'm not sure what else to enable. I'll have to solve this issue before I even try to filter login access via groups on my client system.
I should mention that if I go under the advanced tab for one of the groups I created, I can add the attribute "uniquemember", but I'm not sure what I should set the "value" to be.
I've tried creating new users to see if I could set their "uniquemember" attributes, but no luck. It seems that I don't have the ability to set this attribute on individual users, only groups.
This might not be the right road to head down when trying to restrict access to servers via groups, so I'm open to any suggestions.
Any suggestions would be appreciated.
2 years, 9 months
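A pre-flight check for the situation described in this post, added here as an example and not part of the original thread: it reads an LDIF export and lists every group member whose entry has no objectClass that permits memberOf, which is what the "attribute memberOf not allowed" / Object class violation (65) above points at. It assumes the stock 389 DS schema, where nsMemberOf and inetUser are the classes allowing memberOf; the sample LDIF is constructed from the DNs quoted in the post.

```python
"""Pre-flight check for the 389-ds MemberOf plugin (added example, not from
the original post): report group members whose entry has no objectClass
permitting memberOf, the cause of "Object class violation" (65).
Assumption: nsMemberOf and inetUser permit memberOf (stock 389 DS schema)."""
import re

ALLOWING_CLASSES = {"nsmemberof", "inetuser"}   # lower-cased for matching
MEMBER_ATTRS = ("member", "uniquemember")       # attributes the plugin follows

def parse_ldif(text):
    """Minimal LDIF reader: {dn: {attr: [values]}}, DNs and attribute names
    lower-cased, comments skipped, base64 (::) values left encoded."""
    entries, attrs, dn = {}, {}, None
    unfolded = re.sub(r"\n ", "", text)           # join folded continuation lines
    for line in unfolded.splitlines() + [""]:     # sentinel flushes the last entry
        if not line:
            if dn is not None:
                entries[dn] = attrs
            attrs, dn = {}, None
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            value = value.lstrip(": ")            # tolerate "attr:: base64"
            if name.lower() == "dn":
                dn = value.lower()
            else:
                attrs.setdefault(name.lower(), []).append(value)
    return entries

def members_missing_memberof_class(ldif_text):
    """Map each offending member DN (lower-cased) to the reason it would fail."""
    entries, problems = parse_ldif(ldif_text), {}
    for attrs in entries.values():
        for attr in MEMBER_ATTRS:
            for member_dn in (m.lower() for m in attrs.get(attr, [])):  # naive DN normalisation
                target = entries.get(member_dn)
                if target is None:
                    problems[member_dn] = "member entry not in export"
                elif not {oc.lower() for oc in target.get("objectclass", [])} & ALLOWING_CLASSES:
                    problems[member_dn] = "no objectClass permits memberOf"
    return problems

SAMPLE_LDIF = """\
# constructed sample modelled on the DNs quoted in the post
dn: uid=test,ou=People,dc=int,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount

dn: uid=ok,ou=People,dc=int,dc=com
objectClass: nsMemberOf

dn: cn=testgroup,ou=Groups,dc=int,dc=com
objectClass: groupOfUniqueNames
uniqueMember: uid=test,ou=People,dc=int,dc=com
uniqueMember: uid=ok,ou=People,dc=int,dc=com
uniqueMember: uid=gone,ou=People,dc=int,dc=com
"""
```

Run it against `db2ldif` output before enabling the plugin; each DN it reports needs an auxiliary class such as nsMemberOf added (or memberofautoaddoc configured) or the plugin's first modify on that group will fail with error 65.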
Proper upgrade procedure using Redhat repo and yum
by Patrick Landry
I have two servers running with multi master replication. The servers are
running RHEL 7.4 with 389-ds installed via yum using the rhel-7-server-rpms
repository. The hosts are behind a load balancer and all client access is through
the load balancer.
I would like to upgrade to the latest release available in rhel-7-server-rpms. I
have the following packages installed related to 389ds:
389-admin-1.1.46-1.el7.x86_64
389-admin-console-1.1.12-1.el7.noarch
389-admin-console-doc-1.1.12-1.el7.noarch
389-adminutil-1.1.21-2.el7.x86_64
389-console-1.1.18-1.el7.noarch
389-ds-1.2.2-6.el7.noarch
389-ds-base-1.3.7.5-21.el7_5.x86_64
389-ds-base-libs-1.3.7.5-21.el7_5.x86_64
389-ds-console-1.2.16-1.el7.noarch
389-ds-console-doc-1.2.16-1.el7.noarch
389-dsgw-1.1.11-5.el7.x86_64
Only two of those packages appear to have updates available: 389-ds-base and 389-ds-base-libs.
Is this the correct procedure?
1. remove server1 from the load balancer config to halt client requests
2. stop the dirsrv and dirsrv-admin services on server1
3. run "yum upgrade 389-ds-base 389-ds-base-libs" on server1
4. run "setup-ds-admin.pl -u" on server1
5. restart dirsrv and dirsrv-admin on server1
6. verify replication is still working
7. add server1 back to load balancer config
8. repeat steps 1-7 on server2
I presume that replication will continue to work after upgrading server1 but before
upgrading server2. I believe that at step 4, I don't *also* have to run "setup-ds.pl".
Is that correct?
Thanks.
--
Patrick Landry
Director, UCSS
University of Louisiana at Lafayette
patrick.landry(a)louisiana.edu
3 years, 11 months
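The eight steps above as a script, added here as an example and not the poster's own: one replica at a time, with the host put back behind the load balancer only after every replica's agreements report a clean last update. It assumes root ssh access to each host, the Directory Manager password in a file named by DM_PASSWORD_FILE, placeholder lb_drain/lb_enable commands standing in for the site's load-balancer API, and the 1.3.x nsds5replicaLastUpdateStatus line format.

```python
"""Rolling upgrade of 389-ds multi-master replicas behind a load balancer,
following the eight steps above (added example, not from the original post).
Assumptions: root ssh to each host, Directory Manager password in the file
named by DM_PASSWORD_FILE, lb_drain/lb_enable as load-balancer placeholders."""
import os
import re
import subprocess

# 1.3.x: "...Status: Error (0) Replica acquired successfully: ..."; older: "...Status: 0 Replica ..."
STATUS = re.compile(r"^nsds5replicaLastUpdateStatus:\s*(?:Error \((\d+)\)|(\d+)\s)", re.M)

def replication_healthy(ldapsearch_output):
    """True only if at least one agreement is listed and every one reports code 0."""
    codes = [int(a or b) for a, b in STATUS.findall(ldapsearch_output)]
    return bool(codes) and all(code == 0 for code in codes)

def replication_query(host):
    """ldapsearch over the replication agreements; -y keeps the password out
    of the process list, ldif-wrap=no keeps each status on one line."""
    return ["ldapsearch", "-x", "-o", "ldif-wrap=no", "-H", f"ldap://{host}",
            "-D", "cn=Directory Manager", "-y", os.environ.get("DM_PASSWORD_FILE", "/root/.dm_pw"),
            "-b", "cn=config", "(objectClass=nsds5replicationagreement)",
            "nsds5replicaLastUpdateStatus"]

def upgrade_steps(host):
    """Steps 1-5 for one server, as argv lists in execution order."""
    ssh = ["ssh", f"root@{host}"]
    return [
        ["lb_drain", host],                                              # 1 stop client traffic (placeholder)
        ssh + ["systemctl stop dirsrv.target dirsrv-admin.service"],     # 2
        ssh + ["yum -y upgrade 389-ds-base 389-ds-base-libs"],           # 3
        ssh + ["setup-ds-admin.pl -u"],                                  # 4 (-s -f <inf> for unattended runs)
        ssh + ["systemctl start dirsrv.target dirsrv-admin.service"],    # 5
    ]

def run(cmd):
    """Default executor: run the command, fail loudly, return stdout."""
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout

def rolling_upgrade(hosts, execute=run):
    """Upgrade one replica at a time (step 8); a replica only goes back behind
    the load balancer (step 7) once every peer reports healthy replication
    (step 6). Raises and leaves the host drained otherwise."""
    for host in hosts:
        for cmd in upgrade_steps(host):
            execute(cmd)
        for peer in hosts:
            if not replication_healthy(execute(replication_query(peer))):
                raise RuntimeError(f"replication unhealthy on {peer}; {host} left drained")
        execute(["lb_enable", host])                                     # 7 (placeholder)
    return hosts

if __name__ == "__main__":
    rolling_upgrade(["server1", "server2"])
```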
syncrepl client
by Angel Bosch Mora
Hi,
I'm performing some tests and would like to configure a syncrepl client like this one:
https://github.com/landryb/syncrepl
but I don't find useful information. For example, in this project there's a demo script that says about the URL argument:
'An LDAP URL with all information required to do work.'
but I'm not sure what it is expecting besides the fqdn and port: a filter? a basedn? both?
According to docs https://access.redhat.com/documentation/en-us/red_hat_directory_server/10...
you can do some exclusion and filtering on the server side, so I don't really know what I must configure on the client side.
Does anyone have any working example of a syncrepl client?
thanks in advance,
abosch
4 years
Announcing 389 Directory Server 1.4.1.3
by Mark Reynolds
389 Directory Server 1.4.1.3
The 389 Directory Server team is proud to announce 389-ds-base version 1.4.1.3
Fedora packages are available on Fedora 30 and rawhide.
Rawhide: https://koji.fedoraproject.org/koji/taskinfo?taskID=35035898
Fedora 30: https://koji.fedoraproject.org/koji/taskinfo?taskID=35035974
Bodhi: https://bodhi.fedoraproject.org/updates/FEDORA-2019-ac3a8134ef
The new packages and versions are:
* 389-ds-base-1.4.1.3-1
Source tarballs are available for download: https://releases.pagure.org/389-ds-base/389-ds-base-1.4.1.3.tar.bz2
Highlights in 1.4.1.3
* Bug fixes
Installation and Upgrade
See Download (https://www.port389.org/docs/389ds/download.html) for information about setting up your yum repositories.
To install the server use: dnf install 389-ds-base
To install the Cockpit UI plugin use: dnf install cockpit-389-ds
After install completes, run: dscreate interactive
For upgrades, simply install the package. There are no further steps required.
There are no upgrade steps besides installing the new rpms.
See Install_Guide (https://www.port389.org/docs/389ds/howto/howto-install-389.html) for more information about the initial installation and setup.
See Source (https://www.port389.org/docs/389ds/development/source.html) for information about source tarballs and SCM (git) access.
New UI Progress (Cockpit plugin)
The new UI is broken up into a series of configuration tabs. Here is a table showing the current progress:

Configuration Tab    Finished    Written in ReactJS
Server Tab           Yes         No
Security Tab         No
Database Tab         Yes         Yes
Replication Tab      Yes         No
Schema Tab           Yes         No
Plugin Tab           Yes         Yes
Monitor Tab          Yes         Yes
Feedback
We are very interested in your feedback!
Please provide feedback and comments to the 389-users mailing list:
https://lists.fedoraproject.org/admin/lists/389-users.lists.fedoraproject...
If you find a bug, or would like to see a new feature, file it in our
Pagure project: https://pagure.io/389-ds-base
* Fri May 24 2019 Mark Reynolds mreynolds(a)redhat.com - 1.4.1.3-1
* Bump version to 1.4.1.3
* Issue 49761 - Fix CI test suite issues
* Issue 50041 - Add the rest UI Plugin tabs - Part 2
* Issue 50340 - 2nd try - structs for disabled plugins will not be freed
* Issue 50403 - Instance creation fails on 1.3.9 using perl utils and latest lib389
* Issue 50389 - ns-slapd crashes while two threads are polling the same connection
* Issue 48851 - investigate and port TET matching rules filter tests(scanlimit)
* Issue 50037 - lib389 fails to install in venv under non-root user
* Issue 50112 - Port ACI test suite from TET to python3(userattr)
* Issue 50393 - maxlogsperdir accepting negative values
* Issue 50112 - Port ACI test suite from TET to python3(roledn)
* Issue 49960 - Core schema contains strings instead of numeric oids
* Issue 50396 - Crash in PAM plugin when user does not exist
* Issue 50387 - enable_tls() should label ports with ldap_port_t
* Issue 50390 - Add Managed Entries Plug-in Config Entry schema
* Issue 50306 - Fix regression with maxbersize
* Issue 50384 - Missing dependency: cracklib-dicts
* Issue 49029 - [RFE] improve internal operations logging
* Issue 49761 - Fix CI test suite issues
* Issue 50374 - dsidm posixgroup create fails with ERROR
* Issue 50251 - clear text passwords visible in CLI verbose mode logging
* Issue 50378 - ACI's with IPv4 and IPv6 bind rules do not work for IPv6 clients
* Issue 48851 - investigate and port TET matching rules filter tests
* Issue 50220 - attr_encryption test suite failing
* Issue 50370 - CleanAllRUV task crashing during server shutdown
* Issue 50340 - structs for disabled plugins will not be freed
* Issue 50164 - Add test for dscreate to basic test suite
* Issue 50363 - ds-replcheck incorrectly reports error out of order multi-valued attributes
* Issue 49730 - MozLDAP bindings have been unsupported for a while
* Issue 50353 - Categorize tests by tiers
* Issue 50303 - Add creation date to task data
* Issue 50358 - Create a Bitwise Plugin class in plugins.py
* Remove the nss3 path prefix from the cert.h C preprocessor source file inclusion
* Issue 50329 - revert fix
* Issue 50112 - Port ACI test suite from TET to python3(keyaci)
* Issue 50344 - tidy rpm vs build systemd flag handling
* Issue 50067 - Fix krb5 dependency in a specfile
* Issue 50340 - structs for disabled plugins will not be freed
* Issue 50327 - Add replication conflict support to UI
* Issue 50327 - Add replication conflict entry support to lib389/CLI
* Issue 50329 - improve connection default parameters
* Issue 50313 - Add a NestedRole type to lib389
* Issue 50112 - Port ACI test suite from TET to python3(Delete and Add)
* Issue 49390, 50019 - support cn=config compare operations
* Issue 50041 - Add the rest UI Plugin tabs - Part 1
* Issue 50329 - Possible Security Issue: DOS due to ioblocktimeout not applying to TLS
* Issue 49990 - Increase the default FD limits
* Issue 50306 - (cont typo) Move connection config inside struct
* Issue 50291 - Add monitor tab functionality to Cockpit UI
* Issue 50317 - fix ds-backtrace issue on latest gdb
* Issue 50305 - Revise CleanAllRUV task restart process
* Issue 49915 - Fix typo
* Issue 50026 - Audit log does not capture the operation where nsslapd-lookthroughlimit is modified
* Issue 49899 - fix pin.txt and pwdfile permissions
* Issue 49915 - Add regression test
* Issue 50303 - Add task creation date to task data
* Issue 50306 - Move connection config inside struct
* Issue 50240 - Improve task logging
* Issue 50032 - Fix deprecation warnings in tests
* Issue 50310 - fix sasl header include
* Issue 49390 - improve compare and cn=config compare tests
4 years
SSL configuration on dynamic deployments
by Angel Bosch
Hi again,
Continuing with my automation, I'm now facing the problem of SSL configuration.
Using certificates at LB level is not recommended according to https://directory.fedoraproject.org/docs/389ds/howto/howto-ssl.html
Sharing keys is also discouraged, so my question is whether there is a way to prepopulate the NSS database with a predefined cert to fast-deploy an instance.
In my planned setup I'll have 2 masters and 2 to 10 slaves/consumers (maybe more).
It will be extremely rare to stop or reinstall masters, but with consumers I want the flexibility to create and destroy them at any moment.
Is there any best practice here?
abosch
4 years
acis in 99user.ldif and target on subtree
by Angel Bosch Mora
Hi!
two more questions:
1- When migrating, should I take care about ACIs in 99user.ldif? Right now there are four entries:
aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymous, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn="ldap:///cn=Configuration Administrators,ou=Groups,ou=TopologyManagement,o=NetscapeRoot";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn="ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "ldap:///cn=slapd-hhh-ng,cn=389 Directory Server,cn=Server Group,cn=xx.yy.net,ou=xx.net,o=NetscapeRoot";)
modifiersname: cn=directory manager
modifytimestamp: 20101105155413Z
but I never did those.
2- is it mandatory to specify target when setting an ACI in a subtree?
best regards,
abosch
4 years
keeping internal attributes on export/import
by Angel Bosch Mora
hi!
quick question: is there any reason to keep modifyTimestamp, modifiersName, createTimestamp, and creatorsName when reimporting on a migration?
abosch
4 years
referral on update equivalent with dsconf
by Angel Bosch Mora
Hi,
is this new command:
dsconf instance replication set --suffix "dc=example,dc=net" --repl-add-ref master1.example.net
the same as this modification?
REF_LDIF="dn: cn=dc\=example\,dc\=net,cn=mapping tree,cn=config
changetype: modify
replace: nsslapd-referral
nsslapd-referral: ldap://master1.example.net:389/dc\=example\,dc\=net
-
replace: nsslapd-state
nsslapd-state: referral on update
"
echo "$REF_LDIF" | ldapmodify -h "$HOST" -x -D "$ROOT_DN" -w "$ROOT_PASS"
I'm trying to follow all docs https://access.redhat.com/documentation/en-us/red_hat_directory_server/10...
but with new tools, and I'm struggling with some commands.
regards,
abosch
4 years