Re: A bit help about ACI?
by William Brown
> On 26 Aug 2019, at 17:36, Miljan Žugić <Miljan.Zugic(a)halcom.rs> wrote:
>
> First, i really wanna say big thanks for super fast answer. Above all, concise and technical, concrete with facts..
> Second, i did home work and read it link (which i did before also, but..maybe i miss something 😊 and read again)
> Third, i already did what you write: deny on specific lvl for anonymous (anyone), and allow (whatever) for specific user..But this dosnt work. Looks "deny" is stronger..which is strange for me, your explanation sound perfectly fine.
> Is it possible to get functionality on 389DS like targetbase = sub, onelevel, base..?
> Forth, " using onelevel rules or labeling with filters instead" sound really great. Where i can get some example of this?
Deny is "stronger" yes, but it has interactions that may be "unforseen". It's better to say "you have allow to these limited things" than "you are allowed to lots and we deny little bits we don't want". The deny way leaves room for mistakes if you add a subtree later and forget the deny, or the deny could be too broad, etc.
https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/
The documentation here is what is used by Directory Server. Mark already linked the access control chapter. In that section have a look at:
https://access.redhat.com/documentation/en-us/red_hat_directory_server/10...
You can use this rule on ou=people for example
dn: ou=People,dc=example,dc=com
ou: People
aci: (target = "ldap:///uid=*,ou=people,dc=example,dc=com")(targetattr = "uid || cn || displayname")(version 3.0; acl "example"; allow (read, search, compare)(userdn = "ldap:///anyone");)
This would allow "anonymous" and all other accounts to read uid, cn and displayname, where the rdn starts with "uid=" under ou=people.
Does that help? It's always a good idea to try these things out of course :)
>
> And you don’t need to answer. I'm already happy, because i work with Apache ldap till now and ... always some strange behavior and 0 help..and yes, on site on advanced features you can read only " TO DO ..."..
We are always happy to answer, and we hope that we can help you to learn and make your LDAP install be the best possible. If you have any other questions or comments, please always contact us!
>
> Really Best Regards and have nice day!
>
>
>
> Miljan Žugić
> Sistemski inženjer | Systems engineer
> Sistemska podrška | Corporate IT
>
> T +381 11 3306514
> M +381 62 250 523
> E Miljan.Zugic(a)halcom.rs
>
> Halcom a.d.
> Beogradska 39 | 11000 Beograd | Srbija
>
> www.halcom.rs
> -----Original Message-----
> From: William Brown <wbrown(a)suse.de>
> Sent: Monday, August 26, 2019 1:09 AM
> To: 389-users(a)lists.fedoraproject.org
> Cc: Miljan Žugić <Miljan.Zugic(a)halcom.rs>
> Subject: Re: [389-users] Re: A bit help about ACI?
>
>
>
>> On 24 Aug 2019, at 01:48, Mark Reynolds <mreynolds(a)redhat.com> wrote:
>>
>>
>> On 8/23/19 11:34 AM, Mark Reynolds wrote:
>>> Moving to the correct list (389-users)...
>>>
>>> On 8/23/19 9:05 AM, Miljan Žugić wrote:
>>>> I apologize in advance if this is wrong address 😊
>>>> I build up 2 389 DS server, make replication and up till now, all looks fine.
>>>> But I have some issue about ACI. Where I can find good forum or site to get some real examples of ACI ?
>>>>
>>>> Or if you can help me…I want something like this, to make “anonymous” can do read, search and compare for levels B and D, but deny to A and E (actually I have problem with level E, I can do deny to anyone to level E or deeper, but I need some specific accounts to access level E or deeper, so…I stuck how to do that) :
>> First you should really read the access control docs:
>>
>> https://access.redhat.com/documentation/en-us/red_hat_directory_server
>> /10/html/administration_guide/managing_access_control
>>
>> In order to do what you want you need two kinds of aci, allow and deny. You need deny rules because when you set an aci on a subtree it applies to all its children. So as you noted you can deny level E, but it denies everyone even if they previously had access. So you need to add new aci's on level E that open up access to the users/groups you want to have access. So you might end up with "duplicate" aci's at different levels in your tree.
>>
>> So on level B you have your anonymous access aci's - this will apply to all lower branches. On Level E must have a deny "anonymous/anyone" rule, and then you add new acis to level E that open it back up for those you want to have access.
>
> Another way to tackle this is a costemplate that adds a security label to the "onelevels" you want accessible, then have an allow anonymous rule to filter on the security label that is added. Of course, you need to ensure people can't write that label type ...
>
> Deny rules always make aci's messy - they really do make it confusing to audit and "see" what's going on.
>
> So I think here, you should probably reconsider your tree layout and if it's the correct structure, or consider using onelevel rules or labeling with filters instead, to keep it to "allow only" rules.
>
>>
>> HTH,
>>
>> Mark
>>
>>
>>
>>>>
>>>> <image003.png>
>>>>
>>>> Anyhow, BR 😃
>>>>
>>>>
>>>> Miljan Žugić
>>>> Sistemski inženjer | Systems engineer
>>>> Sistemska podrška | Corporate IT
>>>>
>>>> T +381 11 3306514
>>>> M +381 62 250 523
>>>> E Miljan.Zugic(a)halcom.rs
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> Halcom a.d.
>>>> Beogradska 39 | 11000 Beograd | Srbija
>>>>
>>>> www.halcom.rs
>>>>
>>>>
>>> --
>>>
>>> 389 Directory Server Development Team
>>>
>>>
>>>
>>> _______________________________________________
>>> 389-users mailing list --
>>> 389-users(a)lists.fedoraproject.org
>>>
>>> To unsubscribe send an email to
>>> 389-users-leave(a)lists.fedoraproject.org
>>>
>>> Fedora Code of Conduct:
>>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>
>>> List Guidelines:
>>> https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>
>>> List Archives:
>>> https://lists.fedoraproject.org/archives/list/389-users@lists.fedorap
>>> roject.org
>> --
>>
>> 389 Directory Server Development Team
>>
>> _______________________________________________
>> 389-users mailing list -- 389-users(a)lists.fedoraproject.org To
>> unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org
>> Fedora Code of Conduct:
>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines:
>> https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>> https://lists.fedoraproject.org/archives/list/389-users@lists.fedorapr
>> oject.org
>
> —
> Sincerely,
>
> William Brown
>
> Senior Software Engineer, 389 Directory Server SUSE Labs
>
—
Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server
SUSE Labs
3 years, 6 months
Test LDAP client connection
by Nicolas Kovacs
Hi,
So it looks like my 389 DS server is running. I admit I'm fighting every
step to get this thing to run.
As it looks, the next step is to test the LDAP client connection. Which
leads me to my first question.
When TLS is enabled, is it still possible to get plain (e. g.
unencrypted) connections from a client?
What commands do you use on a Linux client to test basic LDAP
connection, plain and/or secure?
Thanks & Cheers,
Niki
--
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Mail : info(a)microlinux.fr
Tél. : 04 66 63 10 32
Mob. : 06 51 80 12 12
3 years, 6 months
Using self-signed SSL certificate with 389 DS under CentOS 7
by Nicolas Kovacs
Hi,
I've spent a couple hours trying to install a self-signed SSL
certificate in my 389 DS installation running CentOS 7.
The method using the command-line (specified in the RHDS 10
Administration Guide in Chapter 9) doesn't work. Neither do any of the
various HOWTOs and blogs scattered over the web.
So before I go any further. Is there any *working* method to get a
self-signed SSL certificate installed in 389 DS? Any pointers to a
no-nonsense documentation that actually works with my installed version
of 389-DS and doesn't require me to jump through burning loops ?
Cheers,
Niki
--
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Mail : info(a)microlinux.fr
Tél. : 04 66 63 10 32
Mob. : 06 51 80 12 12
3 years, 6 months
Re: A bit help about ACI?
by Mark Reynolds
Moving to the correct list (389-users)...
On 8/23/19 9:05 AM, Miljan Žugić wrote:
>
> I apologize in advance if this is wrong address 😊
>
> I build up 2 389 DS server, make replication and up till now, all
> looks fine.
>
> But I have some issue about ACI. Where I can find good forum or site
> to get some real examples of ACI ?
>
> Or if you can help me…I want something like this, to make “anonymous”
> can do read, search and compare for levels B and D, but deny to A and
> E (actually I have problem with level E, I can do deny to anyone to
> level E or deeper, but I need some specific accounts to access level E
> or deeper, so…I stuck how to do that) :
>
> Anyhow, BR 😃
>
> *Miljan Žugić*
>
> Sistemski inženjer | Systems engineer
>
> Sistemska podrška**| Corporate IT
>
> **
>
> *T* +381 11 3306514
>
> *M*+381 62 250 523
>
> *E* Miljan.Zugic(a)halcom.rs
>
> *Halcom a.d.*
>
> Beogradska 39 | 11000 Beograd | Srbija
>
> *www.halcom.rs*
>
--
389 Directory Server Development Team
3 years, 7 months
389ds automount issue
by DaV
Hi all,
First of all, I don't know whether if this is a bug and I don't know where to submit a bug.
My 389ds info:
OS: CentOS Linux release 7.6.1810 (Core)
389ds: 389-ds-base-1.3.8.4-15.el7.x86_64
On 389ds server, I have configured like this
> # auto.master, service, example.com
> dn: nismapname=auto.master,ou=service,dc=example,dc=com
> nisMapName: auto.master
> objectClass: nisMap
> objectClass: top
>
> # /home, auto.master, service, example.com
> dn: cn=/home,nismapname=auto.master,ou=service,dc=example,dc=com
> nisMapName: home
> objectClass: nisObject
> objectClass: top
> cn: /home
> nisMapEntry: ldap 389ds.example.com
>
> # *, auto.home, service, example.com
> dn: cn=*,nismapname=auto.home,ou=service,dc=example,dc=com
> nisMapName: home
> nisMapEntry: -fstype=nfs4,defaults,_netdev,acl sun:/home/&
> objectClass: nisObject
> objectClass: top
> cn: *:nismapname=auto.home,ou=service,dc=example,dc=com
>
On client side
When I want to change directory under home (cd /home/username), I can't.
So I enable the autofs debug mode, and I see some message like this
> Aug 22 15:55:36 centos automount[2424]: parse_server_string: lookup(ldap): server "ldap://ds.example.com/", base dn "nismapname=auto.home,ou=service,dc=example,dc=com"
The prefix 389 has gone. The client says can't connect LDAP server because in 389ds server I write ldap 389ds.example.com but I see ds.example.com on client-side.
I don't know whether this is a bug. Just write this to let you know. Thanks!
My solution is:
change the 389ds server-side using nisMapEntry: ldap tc-389ds.example.com.
Sincerely,
--
DaV
3 years, 7 months
New SSL
by Fernando Fuentes
After getting everything working I was able to enable SSL on the console.
But now the console is unable to start with the error:
[Thu Aug 22 15:15:35.680397 2019] [:error] [pid 25091:tid
139708987033728] Password for slot internal is incorrect.
[Thu Aug 22 15:15:35.680824 2019] [:error] [pid 25091:tid
139708987033728] NSS initialization failed. Certificate database:
/etc/dirsrv/admin-serv.
[Thu Aug 22 15:15:35.680841 2019] [:error] [pid 25091:tid
139708987033728] SSL Library Error: -8177 The security password entered
is incorrect
What password is this talking about? All of the password entered are
correct... I am confused... :(
3 years, 7 months
SSL on console
by Fernando Fuentes
Hello all.
I have configured SSL to my dirsrv and works just fine but when I try to
configure the ssl portion for the console, Under Admin Server ->
Encryption... I cant find my CA there. How can import it for the Admin
console?
Using Fedore389 Admin Server 1.1.46
TIA!
3 years, 7 months
Place to put lessons learned?
by Chris Motta
We have a new install of 389 Directory server, and have all of our
CentOS 7 hosts authenticating to it. After fiddling with some knobs
for our Palo Alto Networks and GitLab installations, we are success-
fully using the 389-DS server for single sign-on. Those settings might
be useful for others who are using a Palo Alto Networks device and/or
GitLab. Most of the examples for using LDAP for those apps seem to
have a lot for AD LDAP, and not 389-DS. Where is the best place to
post lessons learned from setting up those configurations?
Thanks-
jcm
--
JC Motta (jcm)
IT Consultant
Apex Semi
cmotta(a)apexsemi.com
408-805-0245
--
Confidential and Proprietary Communication of Apex Semiconductor Inc. If
you are not the intended recipient, any dissemination, distribution or
copying this communication is prohibited. If you think that you have
received this email message in error, please email the sender.
3 years, 7 months
issue with fresh install of directory server
by Chase Miller
Hello,
I have a fresh install of Centos 7.
(this is not my first install of Directory Server, btw)
Followed this article:
https://webhostinggeeks.com/howto/setup-389-directory-server-on-centos-7/
cat setupV6AAJP.log
[19/08/19:08:49:28] - [Setup] Info This program will set up the 389
Directory and Administration Servers.
It is recommended that you have "root" privilege to set up the software.
Tips for using this program:
- Press "Enter" to choose the default and go to the next screen
- Type "Control-B" then "Enter" to go back to the previous screen
- Type "Control-C" to cancel the setup program
[19/08/19:08:49:28] - [Setup] Info Would you like to continue with set up?
[19/08/19:08:49:31] - [Setup] Info yes
[19/08/19:08:49:31] - [Setup] Info Your system has been scanned for
potential problems, missing patches,
etc. The following output is a report of the items found that need to
be addressed before running this software in a production
environment.
389 Directory Server system tuning analysis version 14-JULY-2016.
NOTICE : System is x86_64-unknown-linux3.10.0-957.27.2.el7.x86_64 (2
processors).
[19/08/19:08:49:31] - [Setup] Info Would you like to continue?
[19/08/19:08:49:39] - [Setup] Info yes
[19/08/19:08:49:39] - [Setup] Info Choose a setup type:
1. Express
Allows you to quickly set up the servers using the most
common options and pre-defined defaults. Useful for quick
evaluation of the products.
2. Typical
Allows you to specify common defaults and options.
3. Custom
Allows you to specify more advanced options. This is
recommended for experienced server administrators only.
To accept the default shown in brackets, press the Enter key.
[19/08/19:08:49:39] - [Setup] Info Choose a setup type
[19/08/19:08:49:40] - [Setup] Info 2
[19/08/19:08:49:40] - [Setup] Info Enter the fully qualified domain name of
the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: eros.example.com.
To accept the default shown in brackets, press the Enter key.
Warning: This step may take a few minutes if your DNS servers
can not be reached or if DNS is not configured correctly. If
you would rather not wait, hit Ctrl-C and run this program again
with the following command line option to specify the hostname:
General.FullMachineName=your.hostname.domain.name
[19/08/19:08:49:40] - [Setup] Info Computer name
[19/08/19:08:49:42] - [Setup] Info xxxxx.xxxx.com
[19/08/19:08:49:42] - [Setup] Info The servers must run as a specific user
in a specific group.
It is strongly recommended that this user should have no privileges
on the computer (i.e. a non-root user). The setup procedure
will give this user/group some permissions in specific paths/files
to perform server-specific operations.
If you have not yet created a user and group for the servers,
create this user and group using your native operating
system utilities.
[19/08/19:08:49:42] - [Setup] Info System User
[19/08/19:08:49:48] - [Setup] Info dirsrv
[19/08/19:08:49:48] - [Setup] Info System Group
[19/08/19:08:49:49] - [Setup] Info dirsrv
[19/08/19:08:49:49] - [Setup] Info Server information is stored in the
configuration directory server.
This information is used by the console and administration server to
configure and manage your servers. If you have already set up a
configuration directory server, you should register any servers you
set up or create with the configuration server. To do so, the
following information about the configuration server is required: the
fully qualified host name of the form
<hostname>.<domainname>(e.g. hostname.example.com), the port number
(default 389), the suffix, the DN and password of a user having
permission to write the configuration information, usually the
configuration directory administrator, and if you are using security
(TLS/SSL). If you are using TLS/SSL, specify the TLS/SSL (LDAPS) port
number (default 636) instead of the regular LDAP port number, and
provide the CA certificate (in PEM/ASCII format).
If you do not yet have a configuration directory server, enter 'No' to
be prompted to set up one.
[19/08/19:08:49:49] - [Setup] Info Do you want to register this software
with an existing
configuration directory server?
[19/08/19:08:49:52] - [Setup] Info no
[19/08/19:08:49:52] - [Setup] Info Please enter the administrator ID for
the configuration directory
server. This is the ID typically used to log in to the console. You
will also be prompted for the password.
[19/08/19:08:49:52] - [Setup] Info Configuration directory server
administrator ID
[19/08/19:08:49:57] - [Setup] Info admin
[19/08/19:08:49:57] - [Setup] Info Password
[19/08/19:08:50:06] - [Setup] Info Password (confirm)
[19/08/19:08:50:08] - [Setup] Info The information stored in the
configuration directory server can be
separated into different Administration Domains. If you are managing
multiple software releases at the same time, or managing information
about multiple domains, you may use the Administration Domain to keep
them separate.
If you are not using administrative domains, press Enter to select the
default. Otherwise, enter some descriptive, unique name for the
administration domain, such as the name of the organization
responsible for managing the domain.
[19/08/19:08:50:08] - [Setup] Info Administration Domain
[19/08/19:08:50:10] - [Setup] Info xxxx.com
[19/08/19:08:50:10] - [Setup] Info The standard directory server network
port number is 389. However, if
you are not logged as the superuser, or port 389 is in use, the
default value will be a random unused port number greater than 1024.
If you want to use port 389, make sure that you are logged in as the
superuser, that port 389 is not in use.
[19/08/19:08:50:10] - [Setup] Info Directory server network port
[19/08/19:08:50:12] - [Setup] Info 389
[19/08/19:08:50:12] - [Setup] Info Each instance of a directory server
requires a unique identifier.
This identifier is used to name the various
instance specific files and directories in the file system,
as well as for other uses as a server instance identifier.
[19/08/19:08:50:12] - [Setup] Info Directory server identifier
[19/08/19:08:50:13] - [Setup] Info xxxxxxx
[19/08/19:08:50:13] - [Setup] Info The suffix is the root of your directory
tree. The suffix must be a valid DN.
It is recommended that you use the dc=domaincomponent suffix convention.
For example, if your domain is example.com,
you should use dc=example,dc=com for your suffix.
Setup will create this initial suffix for you,
but you may have more than one suffix.
Use the directory server utilities to create additional suffixes.
[19/08/19:08:50:13] - [Setup] Info Suffix
[19/08/19:08:50:14] - [Setup] Info dc=xxxx, dc=com
[19/08/19:08:50:14] - [Setup] Info Certain directory server operations
require an administrative user.
This user is referred to as the Directory Manager and typically has a
bind Distinguished Name (DN) of cn=Directory Manager.
You will also be prompted for the password for this user. The password must
be at least 8 characters long, and contain no spaces.
Press Control-B or type the word "back", then Enter to back up and start
over.
[19/08/19:08:50:14] - [Setup] Info Directory Manager DN
[19/08/19:08:50:16] - [Setup] Info cn=Directory Manager
[19/08/19:08:50:16] - [Setup] Info Password
[19/08/19:08:50:19] - [Setup] Info Password (confirm)
[19/08/19:08:50:21] - [Setup] Info The Administration Server is separate
from any of your web or application
servers since it listens to a different port and access to it is
restricted.
Pick a port number between 1024 and 65535 to run your Administration
Server on. You should NOT use a port number which you plan to
run a web or application server on, rather, select a number which you
will remember and which will not be used for anything else.
[19/08/19:08:50:21] - [Setup] Info Administration port
[19/08/19:08:50:22] - [Setup] Info 9830
[19/08/19:08:50:22] - [Setup] Info The interactive phase is complete. The
script will now set up your
servers. Enter No or go Back if you want to change something.
[19/08/19:08:50:22] - [Setup] Info Are you ready to set up your servers?
[19/08/19:08:50:24] - [Setup] Info yes
[19/08/19:08:50:24] - [Setup] Info Creating directory server . . .
[19/08/19:08:50:30] - [Setup] Info Your new DS instance 'xxxxx' was
successfully created.
[19/08/19:08:50:30] - [Setup] Info Creating the configuration directory
server . . .
[19/08/19:08:50:33] - [Setup] Fatal Error: failed to open an LDAP
connection to host 'xxxxxx.xxxx.com' port '389' as user 'cn=Directory
Manager'. Error: unknown.
[19/08/19:08:50:33] - [Setup] Fatal Failed to create the configuration
directory server
[19/08/19:08:50:33] - [Setup] Fatal Exiting . . .
Log file is '/tmp/setupV6AAJP.log'
3 years, 7 months
Location or package that has things like dsidm, dsconf
by Chris Motta
Hi-
Newbie to 389 DS, but I like it so far, and it's working well for us.
The docs reference tools like dsidm, dsconf, dsctl, but I cant' seem
to find them. I'm wondering if I missed installing a package or missed
a pathname. Any guidance?
Thanks-
jcm
--
JC Motta (jcm)
IT Consultant
Apex Semi
cmotta(a)apexsemi.com
408-805-0245
--
Confidential and Proprietary Communication of Apex Semiconductor Inc. If
you are not the intended recipient, any dissemination, distribution or
copying this communication is prohibited. If you think that you have
received this email message in error, please email the sender.
3 years, 7 months
