Restrict read/search permission on attribute with certain value?
by Gary Windham
Hi all,
We're running 389-Directory/1.3.9.0 B2018.304.1940.
Is it possible via ACIs to restrict read/search permission on attributes
with a particular value?
My use case is that we have an "isMemberOf" attribute in our directory, and
we have some group memberships that are of a sensitive nature. I would like
to have all "isMemberOf" attribute values *except* for these sensitive ones
readable/searchable to all authenticated user DNs, and the "sensitive" ones
only readable/searchable by a particular user DN.
Any ideas? From reading the Red Hat directory server ACI documentation, I
can't find a way to do this.
Thanks in advance,
--Gary
--
Gary Windham
Principal Enterprise Systems Architect
University Information Technology Services
The University of Arizona
Email: windhamg(a)arizona.edu
Office: +1 520 626 5981
Announcing 389 Directory Server 1.4.3.18
by Mark Reynolds
389 Directory Server 1.4.3.18
The 389 Directory Server team is proud to announce 389-ds-base version
1.4.3.18
Fedora packages are available on Fedora 32.
https://koji.fedoraproject.org/koji/taskinfo?taskID=59774017 - Fedora 32
https://bodhi.fedoraproject.org/updates/FEDORA-2021-19b143e4a5 - Bodhi
The new packages and versions are:
* 389-ds-base-1.4.3.18-1
Source tarballs are available for download at: https://github.com/389ds/389-ds-base/archive/389-ds-base-1.4.3.18.tar.gz
Highlights in 1.4.3.18
* Bug fixes
Installation and Upgrade
See Download <https://www.port389.org/docs/389ds/download.html> for
information about setting up your yum repositories.
To install the server use *dnf install 389-ds-base*
To install the Cockpit UI plugin use *dnf install cockpit-389-ds*
After rpm install completes, run *dscreate interactive*
For upgrades, simply install the package. There are no further
steps required.
There are no upgrade steps besides installing the new rpms
See Install_Guide
<https://www.port389.org/docs/389ds/howto/howto-install-389.html> for
more information about the initial installation and setup
See Source <https://www.port389.org/docs/389ds/development/source.html>
for information about source tarballs and SCM (git) access.
New UI Progress (Cockpit plugin)
The new UI is complete and QE tested.
Feedback
We are very interested in your feedback!
Please provide feedback and comments to the 389-users mailing list:
https://lists.fedoraproject.org/admin/lists/389-users.lists.fedoraproject...
If you find a bug, or would like to see a new feature, file it in our
GitHub project: https://github.com/389ds/389-ds-base
* Bump version to 1.4.3.18
* Issue 4513 - CI Tests - fix test failures
* Issue 4528 - Fix cn=monitor SCOPE_ONE search (#4529)
* Issue 4504 - insure that repl_monitor_test use ldapi (for RHEL) -
fix merge issue (#4533)
* Issue 4315 - performance search rate: nagle triggers high rate
of setsocketopt
* Issue 4504 - Insure ldapi is enabled in repl_monitor_test.py (Needed
on RHEL) (#4527)
* Issue 4506 - BUG - Fix bounds on fd table population (#4520)
* Issue 4521 - DS crash in deref plugin if dereferenced entry exists
but is not returned by internal search (#4525)
* Issue 4418 - lib389 - fix ldif2db import_cl parameter
* Issue 4384 - Separate eventq into REALTIME and MONOTONIC
* Issue 4418 - ldif2db - offline. Warn the user of skipped entries
* Issue 4414 - disk monitoring - prevent division by zero crash
* Issue 4507 - Improve csngen testing task (#4508)
* Issue 4486 - Remove random ldif file generation from import test (#4487)
* Issue 4489 - Remove return statement from a void function (#4490)
* Issue 4419 - Warn users of skipped entries during ldif2db online
import (#4476)
* Issue 4418 - ldif2db - offline. Warn the user of skipped entries
* Issue 4504 - Fix pytest test_dsconf_replication_monitor (#4505)
* Issue 4480 - Unexpected info returned to ldap request (#4491)
* Issue 4373 - BUG - one line cleanup, free results in mt if ent 0 (#4502)
* Issue 4500 - Add cockpit enabling to dsctl
* Issue 4272 - RFE - add support for gost-yescrypt for hashing
passwords (#4497)
* Issue 1795 - RFE - Enable logging for libldap and libber in error
log (#4481)
* Issue 4492 - Changelog cache can upload updates from a wrong
starting point (CSN)
* Issue 4373 - BUG - calloc of size 0 in MT build (#4496)
* Issue 4483 - heap-use-after-free in slapi_be_getsuffix
* Issue 4315 - performance search rate: nagle triggers high rate of
setsocketopt (#4437)
* Issue 4243 - Fix test (4th): SyncRepl plugin provides a wrong (#4475)
* Issue 4460 - BUG - add machine name to subject alt names in SSCA (#4472)
* Issue 4284 - dsidm fails to delete an organizationalUnit entry
* Issue 4243 - Fix test: SyncRepl plugin provides a wrong cookie (#4466)
--
389 Directory Server Development Team
Announcing 389 Directory Server 1.4.4.10
by Mark Reynolds
389 Directory Server 1.4.4.10
The 389 Directory Server team is proud to announce 389-ds-base version
1.4.4.10
Fedora packages are available on Fedora 33.
Fedora 33:
https://koji.fedoraproject.org/koji/taskinfo?taskID=59728248 - Koji
https://bodhi.fedoraproject.org/updates/FEDORA-2021-e81d94692a - Bodhi
The new packages and versions are:
* 389-ds-base-1.4.4.10-1
Source tarballs are available for download at: https://github.com/389ds/389-ds-base/archive/389-ds-base-1.4.4.10.tar.gz
Highlights in 1.4.4.10
* Bug & Security fixes
Installation and Upgrade
See Download <https://www.port389.org/docs/389ds/download.html> for
information about setting up your yum repositories.
To install the server use *dnf install 389-ds-base*
To install the Cockpit UI plugin use *dnf install cockpit-389-ds*
After rpm install completes, run *dscreate interactive*
For upgrades, simply install the package. There are no further
steps required.
There are no upgrade steps besides installing the new rpms
See Install_Guide
<https://www.port389.org/docs/389ds/howto/howto-install-389.html> for
more information about the initial installation and setup
See Source <https://www.port389.org/docs/389ds/development/source.html>
for information about source tarballs and SCM (git) access.
Feedback
We are very interested in your feedback!
Please provide feedback and comments to the 389-users mailing list:
https://lists.fedoraproject.org/admin/lists/389-users.lists.fedoraproject...
If you find a bug, or would like to see a new feature, file it in our
GitHub project: https://github.com/389ds/389-ds-base
* Bump version to 1.4.4.10
* Issue 4418 - Fix copy and paste error
* Issue 4381 - RFE - LDAPI authentication DN rewritter
* Issue 4539 - BUG - no such file if no overlays in openldap during
migration (#4540)
* Issue 4513 - CI Tests - fix test failures
* Issue 4528 - Fix cn=monitor SCOPE_ONE search (#4529)
* Issue 4535 - lib389 - healthcheck throws exception if backend is
not replicated
* Issue 4504 - insure that repl_monitor_test use ldapi (for RHEL) -
fix merge issue (#4533)
* Issue 4504 - Insure ldapi is enabled in repl_monitor_test.py (Needed
on RHEL) (#4527)
* Issue 4506 - BUG - Fix bounds on fd table population (#4520)
* Issue 4521 - DS crash in deref plugin if dereferenced entry exists
but is not returned by internal search (#4525)
* Issue 4384 - Separate eventq into REALTIME and MONOTONIC
* Issue 4418 - ldif2db - offline. Warn the user of skipped entries
* Issue 4419 - Warn users of skipped entries during ldif2db online
import (#4476)
* Issue 4414 - disk monitoring - prevent division by zero crash
* Issue 4507 - Improve csngen testing task (#4508)
* Issue 4498 - BUG - entryuuid replication may not work (#4503)
* Issue 4504 - Fix pytest test_dsconf_replication_monitor (#4505)
* Issue 4480 - Unexpected info returned to ldap request (Security Fix)
* Issue 4373 - BUG - one line cleanup, free results in mt if ent 0 (#4502)
* Issue 4500 - Add cockpit enabling to dsctl
* Issue 4272 - RFE - add support for gost-yescrypt for hashing
passwords (#4497)
* Issue 1795 - RFE - Enable logging for libldap and libber in error
log (#4481)
* Issue 4492 - Changelog cache can upload updates from a wrong
starting point (CSN) (#4493)
* Issue 4373 - BUG - calloc of size 0 in MT build (#4496)
* Issue 4483 - heap-use-after-free in slapi_be_getsuffix
* Issue 4224 - cleanup specfile after libsds removal
* Issue 4421 - Unable to build with Rust enabled in closed environment
* Issue 4229 - RFE - Improve rust linking and build performance (#4474)
* Issue 4464 - RFE - clang with ds+asan+rust
* Issue 4224 - openldap can become confused with entryuuid
* Issue 4313 - improve tests and improve readme re refdel
* Issue 4313 - fix potential syncrepl data corruption
* Issue 4315 - performance search rate: nagle triggers high rate of
setsocketopt (#4437)
* Issue 4243 - Fix test (4th): SyncRepl plugin provides a wrong (#4475)
* Issue 4446 - RFE - openldap password hashers
* Issue 4403 - RFE - OpenLDAP pw hash migration tests (#4408)
* Issue 4410 - RFE - ndn cache with arc in rust
* Issue 4460 - BUG - add machine name to subject alt names in SSCA (#4472)
* Issue 4243 - Fix test: SyncRepl plugin provides a wrong cookie
(#4466) (#4466)
--
389 Directory Server Development Team
Announcing 389 Directory Server 2.0.2
by Mark Reynolds
389 Directory Server 2.0.2
The 389 Directory Server team is proud to announce 389-ds-base version 2.0.2
Fedora packages are available on Rawhide (Fedora 34).
Rawhide:
https://koji.fedoraproject.org/koji/taskinfo?taskID=59725113
The new packages and versions are:
* 389-ds-base-2.0.2-1
Source tarballs are available for download at: https://github.com/389ds/389-ds-base/archive/389-ds-base-2.0.2.tar.gz
Highlights in 2.0.2
* Bug & security fixes
Installation and Upgrade
See Download <https://www.port389.org/docs/389ds/download.html> for
information about setting up your yum repositories.
To install the server use *dnf install 389-ds-base*
To install the Cockpit UI plugin use *dnf install cockpit-389-ds*
After rpm install completes, run *dscreate interactive*
For upgrades, simply install the package. There are no further
steps required.
There are no upgrade steps besides installing the new rpms
See Install_Guide
<https://www.port389.org/docs/389ds/howto/howto-install-389.html> for
more information about the initial installation and setup
See Source <https://www.port389.org/docs/389ds/development/source.html>
for information about source tarballs and SCM (git) access.
Feedback
We are very interested in your feedback!
Please provide feedback and comments to the 389-users mailing list:
https://lists.fedoraproject.org/admin/lists/389-users.lists.fedoraproject...
If you find a bug, or would like to see a new feature, file it in our
GitHub project: https://github.com/389ds/389-ds-base
* Bump version to 2.0.2
* Issue 4539 - BUG - no such file if no overlays in openldap during
migration (#4540)
* Issue 4528 - Fix cn=monitor SCOPE_ONE search (#4529)
* Issue 4535 - lib389 - healthcheck throws exception if backend is
not replicated
* Issue 4537 - Use KRB5_CLIENT_KTNAME for client keytabs (#4523)
* Issue 4513 - CI Tests - fix test failures
* Issue 4504 - insure that repl_monitor_test use ldapi (for RHEL) -
fix merge issue (#4533)
* Issue 4315 - performance search rate: nagle triggers high rate
of setsocketopt
* Issue 4504 - pytest test_dsconf_replication_monitor fails on RHEL -
Fix merging issue (#4530)
* Issue 4504 - Insure ldapi is enabled in repl_monitor_test.py (Needed
on RHEL) (#4527)
* Issue 4506 - BUG - Fix bounds on fd table population (#4520)
* Issue 4521 - DS crash in deref plugin if dereferenced entry exists
but is not returned by internal search (#4525)
* Issue 4219 - Log internal unindexed searches (notes=A)
* Issue 4384 - Separate eventq into REALTIME and MONOTONIC
* Issue 4381 - RFE - LDAPI authentication DN rewritter
* Issue 4513 - Fix schema test and lib389 task module (#4514)
* Issue 4414 - disk monitoring - prevent division by zero crash
* Issue 4517 - BUG: Multiple systemd pin warnings (#4518)
* Issue 4507 - Improve csngen testing task (#4508)
* Issue 4498 - BUG - entryuuid replication may not work (#4503)
* Issue 4480 - Unexpected info returned to ldap request (Security fix)
* Issue 4504 - Fix pytest test_dsconf_replication_monitor (#4505)
* Issue 4373 - BUG - one line cleanup, free results in mt if ent 0 (#4502)
* Issue 4500 - Add cockpit enabling to dsctl
* Issue 4272 - RFE - add support for gost-yescrypt for hashing
passwords (#4497)
* Issue 1795 - RFE - Enable logging for libldap and libber in error
log (#4481)
* Issue 3522 - Remove DES to AES conversion code
* Issue 4492 - Changelog cache can upload updates from a wrong
starting point (CSN) (#4493)
* Issue 4373 - BUG - calloc of size 0 in MT build (#4496)
* Issue 4483 - heap-use-after-free in slapi_be_getsuffix
* Issue 4486 - Remove random ldif file generation from import test (#4487)
* Issue 4224 - cleanup specfile after libsds removal
* Issue 4421 - Unable to build with Rust enabled in closed environment
* Issue 4489 - Remove return statement from a void function (#4490)
* Issue 4229 - RFE - Improve rust linking and build performance (#4474)
* Issue 4224 - openldap can become confused with entryuuid
* Issue 4313 - improve tests and improve readme re refdel
* Issue 4313 - fix potential syncrepl data corruption
* Issue 4419 - Warn users of skipped entries during ldif2db online
import (#4476)
* Issue 4243 - Fix test (4th): SyncRepl plugin provides a wrong (#4475)
* Issue 4315 - performance search rate: nagle triggers high rate of
setsocketopt (#4437)
* Issue 4460 - BUG - add machine name to subject alt names in SSCA (#4472)
* Issue 4446 - RFE - openldap password hashers
* Issue 4284 - dsidm fails to delete an organizationalUnit entry
* Issue 4243 - Fix test: SyncRepl plugin provides a wrong cookie
(#4466) (#4466)
* Issue 4464 - RFE - clang with ds+asan+rust
* Issue 4105 - Remove python.six (fix regression)
* Issue 4384 - Use MONOTONIC clock for all timing events and conditions
* Issue 4418 - ldif2db - offline. Warn the user of skipped entries
* Issue 4243 - Fix test: SyncRepl plugin provides a wrong cookie (#4467)
* Issue 4460 - BUG - lib389 should use system tls policy
* Issue 3657 - Add options to dsctl for dsrc file
* Issue 4454 - RFE - fix version numbers to allow object caching
* Issue 3986 - UI - Handle objectclasses that do not have X-ORIGIN set
* Issue 4297 - 2nd fix for on ADD replication URP issue internal
searches with filter containing unescaped chars (#4439)
* Issue 4112 - Added a CI test (#4441)
* Issue 4449 - dsconf replication monitor fails to retrieve database
RUV - consumer (Unavailable) (#4451)
* Issue 4105 - Remove python.six from lib389 (#4456)
* Issue 4440 - BUG - ldifgen with --start-idx option fails with
unsupported operand (#4444)
* Issue 4410 - RFE - ndn cache with arc in rust
* Issue 4373 - BUG - Mapping Tree nodes can be created that are invalid
* Issue 4428 - BUG Paged Results with critical false causes sigsegv
in chaining
* Issue 4428 - Paged Results with Chaining Test Case
* Issue 2054 - do not add referrals for masters with different
data generation
* Issue 4383 - Do not normalize escaped spaces in a DN
* Issue 4432 - After a failed online import the next imports are very slow
* Issue 4316 - performance search rate: useless poll on network send
callback (#4424)
* Issue 4281 - dsidm user status fails with Error: ‘nsUserAccount’
object has no attribute ‘is_locked’
* Issue 4429 - NULL dereference in revert_cache()
* Issue 4412 - Fix CLI repl-agmt requirement for parameters (#4422)
* Issue 4407 - RFE - remove http client and presence plugin (#4409)
* Issue 4398 - build problems at alpine linux
* Issue 4415 - unable to query schema if there are extra parenthesis
--
389 Directory Server Development Team
GSSAPI authentication w/ and w/o rDNS resolution
by Julien Rische
Hi all,
We are working on a FreeIPA infrastructure, but we are facing an issue regarding GSSAPI authentication against 389ds. Our infrastructure is currently moving from enabled to disabled reverse DNS resolution on Kerberos clients. We are also using load-balanced DNS aliases and, as a consequence, nodes of distributed services must provide keys for both a canonical service principal and a localhost service principal.
This setup is similar to the one commonly used for HA proxies, which is described in the 389ds' documentation[1].
We configured the keytab accordingly (ipa01.example.net is the FreeIPA node and ldap.example.net is the load-balanced alias):
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
1 06/30/2020 10:24:28 ldap/ipa01.example.net(a)EXAMPLE.NET
1 06/30/2020 10:24:28 ldap/ipa01.example.net(a)EXAMPLE.NET
1 06/30/2020 11:18:43 ldap/ldap.example.net(a)EXAMPLE.NET
1 06/30/2020 11:18:43 ldap/ldap.example.net(a)EXAMPLE.NET
SASL/GSSAPI authentication works when connecting to ipa01.example.net, or ldap.example.net but only if [libdefaults].rdns=true in /etc/krb5.conf. When rDNS resolution is disabled, authentication doesn't work any more:
$ ldapwhoami -QY GSSAPI -H ldaps://ldap.example.net
ldap_sasl_interactive_bind_s: Invalid credentials (49)
The ticket me(a)EXAMPLE.NET->ldap/ldap.example.net(a)EXAMPLE.NET is in the ccache, but 389ds rejects it even though the matching key is available in its keytab.
It seems 389ds is checking the incoming ticket against the "nsslapd-localhost" parameter, and rejects it if they are not matching:
dn: cn=config
nsslapd-localhost: ipa01.example.net
Setting "nsslapd-localhost" to "ldap.example.net" fixed this issue, but it causes authentication to ldap/ipa01.example.net(a)EXAMPLE.NET to stop working. Also it is not possible to have multiple "nsslapd-localhost" entries.
Is there a way to disable checking against "nsslapd-localhost" to allow authentication against any key from the configured keytab (we use 389ds version 1.3.10.2)?
Julien Rische
CERN
[1] https://directory.fedoraproject.org/docs/389ds/howto/howto-loadbalance-gs...
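A model of the principal-matching problem described in the message above, added here as an example; it is not part of the post, of FreeIPA or of 389-ds. It parses the `klist -kt` table format quoted in the post (with `@` restored in the principals, which the list archive rewrote as `(a)`), uses a constructed DNS view in which the alias and the node share one address whose reverse record names the node, and treats the comparison against nsslapd-localhost as the behaviour Julien observed on 1.3.10, not as documented server logic. The `rdns` switch reproduces the MIT client behaviour the post relies on: with reverse resolution enabled the client asks for the canonical host's SPN, without it the name it was given.

```python
import re

# Constructed sample shaped like the `klist -kt` output in the post.
SAMPLE_KLIST = """\
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 06/30/2020 10:24:28 ldap/ipa01.example.net@EXAMPLE.NET
   1 06/30/2020 10:24:28 ldap/ipa01.example.net@EXAMPLE.NET
   1 06/30/2020 11:18:43 ldap/ldap.example.net@EXAMPLE.NET
   1 06/30/2020 11:18:43 ldap/ldap.example.net@EXAMPLE.NET
"""

# Constructed DNS view (assumption): alias and node resolve to the same address,
# and the reverse record for that address gives the node's canonical name.
FORWARD = {"ldap.example.net": "192.0.2.10", "ipa01.example.net": "192.0.2.10"}
REVERSE = {"192.0.2.10": "ipa01.example.net"}

# KVNO, date, time, then service/host@REALM.
PRINCIPAL_RE = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+(\S+)/(\S+)@(\S+)\s*$")


def keytab_principals(klist_output):
    """Return the set of 'service/host@REALM' strings listed in `klist -kt` output."""
    found = set()
    for line in klist_output.splitlines():
        m = PRINCIPAL_RE.match(line)
        if m:
            found.add("%s/%s@%s" % m.groups())
    return found


def requested_spn(target_host, realm, rdns):
    """SPN an MIT Kerberos client asks for when connecting to target_host.
    With [libdefaults] rdns = true it reverse-resolves the address first."""
    host = target_host
    if rdns:
        host = REVERSE.get(FORWARD[target_host], target_host)
    return "ldap/%s@%s" % (host, realm)


def diagnose(target_host, realm, rdns, keytab, nsslapd_localhost):
    """Classify a GSSAPI bind the way the post describes it: the server must hold the
    key, and (observed, not documented) the host part must equal nsslapd-localhost."""
    spn = requested_spn(target_host, realm, rdns)
    if spn not in keytab:
        return spn, "no key for this principal in the server keytab"
    host = spn.split("/", 1)[1].split("@", 1)[0]
    if host != nsslapd_localhost:
        return spn, "key present, but host differs from nsslapd-localhost (rejected as observed)"
    return spn, "ok"


if __name__ == "__main__":
    keytab = keytab_principals(SAMPLE_KLIST)
    for localhost in ("ipa01.example.net", "ldap.example.net"):
        for target in ("ipa01.example.net", "ldap.example.net"):
            for rdns in (True, False):
                spn, verdict = diagnose(target, "EXAMPLE.NET", rdns, keytab, localhost)
                print("nsslapd-localhost=%-18s target=%-18s rdns=%-5s %s -> %s"
                      % (localhost, target, rdns, spn, verdict))
```

Running the block prints the full matrix, which shows the two cases from the post: with nsslapd-localhost set to the node name only the rdns=true path (or a direct connection to the node) succeeds, and switching nsslapd-localhost to the alias makes the direct node connection fail instead.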
impact of the CentOS Stream drama
by Angel Bosch Mora
hi,
I'm not sure if this has been discussed here.
Will this project be impacted in some way by the CentOS decision?
I'm about to start a new setup and I wanted to use CentOS, but now I'm thinking about Debian.
In that regard, is there any difference between Debian packages and CentOS ones?
thanks in advance,
abosch
-- Institut Mallorqui d'Afers Socials. This message and, where applicable, any attached file, is addressed exclusively to the person who is its recipient and may contain confidential information. In no case may you copy this message or hand it over to third parties without the express permission of IMAS. If you are not the recipient indicated (or the person responsible for delivering it to them), we ask that you notify the sender immediately at their e-mail address. Before printing this message, consider whether it is really necessary.
Failed to change shell via chsh
by SJTU
Hi,
We use 389 as our LDAP service and connect it via SSSD. We find that users cannot change their login shell via "chsh". Is there any suggestion?
Thank you!
Jianwen
Replication status commands seem to fail
by Glenn Morris
Hi,
I'm using version 1.4.3 on CentOS 8.3.
I'm trying to set up replication with a single master and a single consumer,
following the steps from
https://access.redhat.com/documentation/en-us/red_hat_directory_server/11...
It seems to work, in that the database is populated on the consumer, and
when I change a database entry on the master, the change appears on the
consumer.
However, replication status commands seem (?) to indicate that something
isn't working completely right. Eg when I do:
dsconf -w "$passwd" -D "$rootdn" $instance repl-agmt status \
--suffix $suffix $agreement
I get:
Replica Enabled: on
Update In Progress: FALSE
Last Update Start: 20210103213704Z
Last Update End: 20210103213704Z
Number Of Changes Sent: 1:1/0
Number Of Changes Skipped: None
Last Update Status: Error (0) Replica acquired successfully: Incremental
update succeeded
Last Init Start: 19700101000000Z
Last Init End: 19700101000000Z
Last Init Status: unavailable
Reap Active: 0
Replication Status: Not in Synchronization: supplier
(5ff237d3000000010000) consumer (Unavailable) State (green) Reason
(error (0) replica acquired successfully: incremental update succeeded)
Replication Lag Time: Unavailable
The last two entries seem to indicate some problem?
In the logs on the consumer, I see the following entries that I think
might be (?) related to replication:
conn=29 fd=64 slot=64 SSL connection from MASTER.IP to MY.IP
conn=29 op=-1 fd=64 closed - unknown error
If I increase the logging level, I get:
DEBUG - connection_read_operation - connection 77 waited 1 times for
read to be ready
DEBUG - connection_read_operation - PR_Recv for connection 77
returns -12109 (unknown error)
DEBUG - disconnect_server_nomutex_ext - Setting conn 77 fd=64 to
be disconnected: reason -12109
Also, when I restart my consumer for the very first time after setting
up the replication agreement, ns-slapd reliably hangs using 100% CPU.
Strace shows endless:
select(0, NULL, NULL, NULL, {tv_sec=0, tv_usec=0}) = 0 (Timeout)
poll([{fd=22, events=POLLIN}], 1, 0) = 0 (Timeout)
where fd/22 = a pipe.
If I kill -9 it, it starts working.
I'm not sure if this has any relation.
TIA for any insight into all this.
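A small reader for the `repl-agmt status` output quoted in the message above, added here as an example; it is not part of the post or of lib389. It assumes the 389-ds CSN layout (8 hex digits of Unix time, then 4 hex digits each for sequence number, replica id and sub-sequence number) and reads `Number Of Changes Sent` as replica-id:sent/skipped (an assumption about that field's format). The sample text is the post's own output with the wrapped lines rejoined; the findings it produces are the points a reviewer would want to check before trusting the "Not in Synchronization" verdict.

```python
import re
from datetime import datetime, timezone

# The status block from the post, wrapped lines rejoined (sample input, not live output).
SAMPLE_STATUS = """\
Replica Enabled: on
Update In Progress: FALSE
Last Update Start: 20210103213704Z
Last Update End: 20210103213704Z
Number Of Changes Sent: 1:1/0
Number Of Changes Skipped: None
Last Update Status: Error (0) Replica acquired successfully: Incremental update succeeded
Last Init Start: 19700101000000Z
Last Init End: 19700101000000Z
Last Init Status: unavailable
Reap Active: 0
Replication Status: Not in Synchronization: supplier (5ff237d3000000010000) consumer (Unavailable) State (green) Reason (error (0) replica acquired successfully: incremental update succeeded)
Replication Lag Time: Unavailable
"""

EPOCH_ZERO = "19700101000000Z"  # generalized time shown when a timestamp was never set


def parse_status(text):
    """Split 'Key: value' lines into a dict; indented continuation lines extend the previous value."""
    fields, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = re.match(r"^([A-Za-z ]+?):\s*(.*)$", line)
        if m and not line.startswith(" "):
            last = m.group(1)
            fields[last] = m.group(2)
        elif last is not None:
            fields[last] += " " + line.strip()
    return fields


def decode_csn(csn):
    """Decode a 389-ds CSN (assumed layout: 8 hex timestamp, 4 hex seq, 4 hex replica id, 4 hex subseq)."""
    if not re.fullmatch(r"[0-9a-fA-F]{20}", csn):
        raise ValueError("not a 20-hex-digit CSN: %r" % csn)
    return {
        "time": datetime.fromtimestamp(int(csn[0:8], 16), tz=timezone.utc),
        "seq": int(csn[8:12], 16),
        "rid": int(csn[12:16], 16),
        "subseq": int(csn[16:20], 16),
    }


def parse_changes_sent(value):
    """'1:1/0' is read here as replica-id:sent/skipped (assumption about the field's format)."""
    m = re.fullmatch(r"(\d+):(\d+)/(\d+)", value.strip())
    if not m:
        return None
    rid, sent, skipped = map(int, m.groups())
    return {"rid": rid, "sent": sent, "skipped": skipped}


def assess(fields):
    """Return the findings a reviewer would raise about this status block (empty list = nothing odd)."""
    findings = []
    m = re.search(r"supplier \(([0-9a-fA-F]{20})\) consumer \(([^)]*)\)",
                  fields.get("Replication Status", ""))
    if m:
        supplier_csn, consumer_ruv = m.groups()
        if consumer_ruv == "Unavailable":
            findings.append("consumer RUV unavailable: supplier maxcsn %s had nothing to be "
                            "compared with, so the sync verdict rests on a missing value" % supplier_csn)
    if fields.get("Last Init Start") == EPOCH_ZERO:
        findings.append("Last Init Start is the epoch: no online initialization is recorded for this agreement")
    if fields.get("Replication Lag Time") == "Unavailable":
        findings.append("lag time unavailable")
    sent = parse_changes_sent(fields.get("Number Of Changes Sent", ""))
    if sent and sent["skipped"]:
        findings.append("%d changes skipped for replica %d" % (sent["skipped"], sent["rid"]))
    return findings


if __name__ == "__main__":
    parsed = parse_status(SAMPLE_STATUS)
    csn = decode_csn("5ff237d3000000010000")
    print("supplier maxcsn from replica %d at %s" % (csn["rid"], csn["time"].isoformat()))
    for finding in assess(parsed):
        print("-", finding)
```

On the sample, the supplier CSN decodes to replica id 1 at 2021-01-03 21:32:03 UTC, five minutes before the Last Update Start shown, and the three findings line up with the two lines the poster flags: the consumer side of the comparison is missing, so "Not in Synchronization" and the unavailable lag time are consequences of a value the tool could not read rather than evidence of divergent data.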