Re: Unable to lock accounts with dsidm utility
by Michael Starling
I found the issue. Please disregard.
________________________________
From: Michael Starling <mlstarling31(a)hotmail.com>
Sent: Tuesday, October 26, 2021 3:29 PM
To: 389-users(a)lists.fedoraproject.org <389-users(a)lists.fedoraproject.org>
Subject: [389-users] Unable to lock accounts with dsidm utility
Running the command below as root:
dsidm slapd-mydomainDS -b dc=mydomain,dc=com account lock uid=mstarlingt,ou=People,dc=mydomain,dc=com
Error: Insufficient access - Insufficient 'write' privilege to the 'nsAccountLock' attribute of entry 'uid=mstarlingt,ou=people,dc=mydomain,dc=com'.
Version:
389-ds-base-1.4.3.17-1.module_el8+10764+2b5f8656.x86_64
Unable to lock accounts with dsidm utility
by Michael Starling
Running the command below as root:
dsidm slapd-mydomainDS -b dc=mydomain,dc=com account lock uid=mstarlingt,ou=People,dc=mydomain,dc=com
Error: Insufficient access - Insufficient 'write' privilege to the 'nsAccountLock' attribute of entry 'uid=mstarlingt,ou=people,dc=mydomain,dc=com'.
Version:
389-ds-base-1.4.3.17-1.module_el8+10764+2b5f8656.x86_64
Search directory for userCertificate by fingerprint?
by Graham Leggett
Hi all,
(This is very tricky to google)
Is there a mechanism by which it is possible, given the hash of a userCertificate, to search for userCertificates in a 389ds directory?
Something like this:
(userCertificate=sha256:0a:f0…)
Obviously I can preprocess the directory and store the hash beside the certificate, however there does not seem to be a sensible attribute for that.
Is this possible?
Regards,
Graham
—
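One way to do the preprocessing Graham describes, as an added example that is not code from the thread or from 389 DS: export the entries that carry userCertificate to LDIF, hash each DER value, and keep a fingerprint-to-DN index outside the directory (or write it back into a custom attribute you define yourself). Everything below is constructed: the two "certificates" are placeholder byte strings rather than real DER, the DNs are made up, and the LDIF is generated inline so the example runs offline. The fingerprint string uses the same `sha256:0a:f0…` layout as the question.

```python
import base64
import hashlib
import re

# Constructed placeholder "certificates". These are NOT real X.509 DER
# blobs; a real export carries the DER bytes the client presented.
CERT_ALICE = b"constructed-placeholder-der-for-alice"
CERT_BOB = b"constructed-placeholder-der-for-bob"


def _fold(line, width=76):
    """Fold one LDIF line the way exporters do: continuation lines start
    with a single space, so the parser below must unfold them again."""
    parts = [line[:width]]
    parts += [" " + line[i:i + width - 1] for i in range(width, len(line), width - 1)]
    return "\n".join(parts)


def _entry(dn, der):
    b64 = base64.b64encode(der).decode("ascii")
    return "\n".join([f"dn: {dn}", "objectClass: inetOrgPerson",
                      _fold("userCertificate;binary:: " + b64)])


# Constructed LDIF export with two made-up entries (not from a real server).
CONSTRUCTED_LDIF = "\n\n".join([
    _entry("uid=alice,ou=People,dc=example,dc=com", CERT_ALICE),
    _entry("uid=bob,ou=People,dc=example,dc=com", CERT_BOB),
]) + "\n"


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, decodes '::' base64
    values to bytes, and returns a list of (dn, {attr: [values]}).
    Attribute names are lower-cased; options such as ';binary' are kept."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for raw in block.split("\n"):
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]          # continuation of the previous line
            elif raw and not raw.startswith("#"):
                lines.append(raw)
        dn, attrs = None, {}
        for line in lines:
            name, _, value = line.partition(":")
            if value.startswith(":"):        # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip())
            else:
                value = value.strip()
            if name.lower() == "dn":
                dn = value.decode("utf-8") if isinstance(value, bytes) else value
            else:
                attrs.setdefault(name.lower(), []).append(value)
        entries.append((dn, attrs))
    return entries


def fingerprint(der, algo="sha256"):
    """Certificate fingerprint: colon-separated hex of the digest over the
    DER bytes, prefixed with the algorithm, e.g. 'sha256:0a:f0:...'."""
    digest = hashlib.new(algo, der).hexdigest()
    return algo + ":" + ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def build_index(ldif_text):
    """Map fingerprint -> list of DNs holding that certificate. The same
    certificate may legitimately sit on more than one entry."""
    index = {}
    for dn, attrs in parse_ldif(ldif_text):
        for attr, values in attrs.items():
            if attr.split(";")[0] != "usercertificate":
                continue
            for der in values:
                if isinstance(der, bytes):   # skip non-binary/garbled values
                    index.setdefault(fingerprint(der), []).append(dn)
    return index


def find_by_fingerprint(index, fp):
    """Lookup that tolerates upper-case hex as printed by openssl."""
    return index.get(fp.lower())


if __name__ == "__main__":
    idx = build_index(CONSTRUCTED_LDIF)
    for fp, dns in idx.items():
        print(fp, "->", ", ".join(dns))
```

With a real export you would feed the LDIF text to `build_index` instead of `CONSTRUCTED_LDIF`; the index has to be rebuilt (or updated from a changelog) whenever certificates are added or replaced, which is the cost of not having a server-side match.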
Re: anonymous binds
by Mark Reynolds
On 10/21/21 9:26 AM, Michael Starling wrote:
>
>
> ------------------------------------------------------------------------
> *From:* Mark Reynolds <mreynolds(a)redhat.com>
> *Sent:* Tuesday, October 19, 2021 3:47 PM
> *To:* General discussion list for the 389 Directory server project.
> <389-users(a)lists.fedoraproject.org>; Michael Starling
> <mlstarling31(a)hotmail.com>
> *Subject:* Re: [389-users] anonymous binds
>
>
> On 10/19/21 1:43 PM, Michael Starling wrote:
>> Good afternoon.
>>
>> I have a few questions about anon binds.
>>
>> In theory if you have 3000 user objects in the directory and
>> anonymous binds have a limit returning 2000 entries can you still use
>> anonymous binds in LDAP client configurations without issues?
>
> So you have a "resource limit" setup for "anonymous binds" which sets
> the sizelimit to 2000? If that is the case then your client will hit
> this "2000" entry sizelimit - if it does an anonymous bind to the
> server. If it provides credentials then it will not be restricted by
> the configured anonymous resource limits.
>
>> Or does something else take place when a user logs in that only
>> requires the LDAP clients (sssd or nscld) to parse that specific user
>> dn and attributes?
>
> I'm not that familiar with sssd or nscld enough to say, but I'm pretty
> sure they can be configured to use a specific bind dn and password.
>
>>
>> Typically, with OpenLDAP I have created a "bind" user that can read
>> all user/group objects with limited attributes and turned off anon
>> binds so I don't fully understand the behavior of anonymous binds.
>
> In our server you can create users that have aci's that grant them
> specific access as well. Anonymous access can also be disabled in our
> server.
>
> To recap what an anonymous bind is, it is when a client connects to
> the server but does not provide any credentials. The behavior of such
> connections/operations will depend on what aci's and resource limits
> you have configured.
>
> I don't think this is what you are asking about though, so can you
> please clarify your questions?
>
> Thanks,
>
> Mark
>
>
> Hi Mark.
>
>
> Essentially, I'm asking: if anon binds have a search limit of 2000 objects
> and you have 3000 user objects, is it possible that you will have
> problems with users logging in to Linux clients?
>
It depends on how the client is performing the authentication. If it's
searching for a single user, then you will be fine. Since this is a
"size limit" that means it will not "send" more than 2000 entries back
to the client. However, size limit does /not/ impact how far into the
database a search can go.
>
>
>
> In this scenario user A uses ssh to login to a Linux client using sssd
> as an authentication mechanism. In sssd we are not specifying a bind
> dn to handle the lookups to 389.
>
>
> When user A initiates the connection to the client, sssd does the anon
> lookup but hits the 2000 limit. If there are 3000 user entries, is it
> possible that user A is unable to make a connection because this user
> potentially is object 2001 and thus the information necessary to be
> returned by 389 to the client fails?
>
If you know SSSD is hitting the sizelimit then yes it is absolutely
possible that it will not find the entry and cause authentication to
unexpectedly fail.
>
>
> Is it a better practice with 389 to create a bind dn with no search
> limit to avoid the scenario above? I understand I can bump the anon
> bind limits but I think eventually I may just convince them to turn
> anon binds off completely. For now, I just want to understand the
> effects of the current implementation.
>
Ideally you should create a "bind user" that has the correct access you
need. Opening up anonymous access is not ideal or recommended.
Regards,
Mark
>
>
>> Mike
>>
>> _______________________________________________
>> 389-users mailing list --389-users(a)lists.fedoraproject.org <mailto:389-users@lists.fedoraproject.org>
>> To unsubscribe send an email to389-users-leave(a)lists.fedoraproject.org <mailto:389-users-leave@lists.fedoraproject.org>
>> Fedora Code of Conduct:https://docs.fedoraproject.org/en-US/project/code-of-conduct/ <https://docs.fedoraproject.org/en-US/project/code-of-conduct/>
>> List Guidelines:https://fedoraproject.org/wiki/Mailing_list_guidelines <https://fedoraproject.org/wiki/Mailing_list_guidelines>
>> List Archives:https://lists.fedoraproject.org/archives/list/389-users@lists.fe... <https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje...>
>> Do not reply to spam on the list, report it:https://pagure.io/fedora-infrastructure <https://pagure.io/fedora-infrastructure>
> --
> Directory Server Development Team
--
Directory Server Development Team
Re: anonymous binds
by Mark Reynolds
On 10/19/21 1:43 PM, Michael Starling wrote:
> Good afternoon.
>
> I have a few questions about anon binds.
>
> In theory if you have 3000 user objects in the directory and anonymous
> binds have a limit returning 2000 entries can you still use anonymous
> binds in LDAP client configurations without issues?
So you have a "resource limit" setup for "anonymous binds" which sets
the sizelimit to 2000? If that is the case then your client will hit
this "2000" entry sizelimit - if it does an anonymous bind to the
server. If it provides credentials then it will not be restricted by
the configured anonymous resource limits.
> Or does something else take place when a user logs in that only
> requires the LDAP clients (sssd or nscld) to parse that specific user
> dn and attributes?
I'm not that familiar with sssd or nscld enough to say, but I'm pretty
sure they can be configured to use a specific bind dn and password.
>
> Typically, with OpenLDAP I have created a "bind" user that can read
> all user/group objects with limited attributes and turned off anon
> binds so I don't fully understand the behavior of anonymous binds.
In our server you can create users that have aci's that grant them
specific access as well. Anonymous access can also be disabled in our
server.
To recap what an anonymous bind is, it is when a client connects to the
server but does not provide any credentials. The behavior of such
connections/operations will depend on what aci's and resource limits you
have configured.
I don't think this is what you are asking about though, so can you
please clarify your questions?
Thanks,
Mark
>
> Mike
>
--
Directory Server Development Team
Re: anonymous binds
by Marc Sauton
Depending on the filters used, an error 11 / err=11 / ADMIN_LIMIT_EXCEEDED
/ "Administrative limit exceeded" could be returned, and depending on the
LDAP client, it could be an important error.
It may be a good idea to set a DN for nsslapd-anonlimitsdn, see
https://access.redhat.com/documentation/en-us/red_hat_directory_server/11...
with its associated/dedicated values different from the global settings,
for the attributes nsIdleTimeout, nsTimeLimit and nsSizeLimit,
or set a special user entry for those BINDs, with the same 3 user
specified idletimeout, time and size limits, to avoid tuning up the general
setting of the size limit.
M.
On Tue, Oct 19, 2021 at 10:44 AM Michael Starling <mlstarling31(a)hotmail.com>
wrote:
> Good afternoon.
>
> I have a few questions about anon binds.
>
> In theory if you have 3000 user objects in the directory and anonymous
> binds have a limit returning 2000 entries can you still use anonymous binds
> in LDAP client configurations without issues? Or does something else take
> place when a user logs in that only requires the LDAP clients (sssd or
> nscld) to parse that specific user dn and attributes?
>
> Typically, with OpenLDAP I have created a "bind" user that can read all
> user/group objects with limited attributes and turned off anon binds so I
> don't fully understand the behavior of anonymous binds.
>
> Mike
>
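Both Mark's point (a size limit silently truncates what an anonymous search returns, so an entry past the limit is simply not found) and Marc's (err=11 when an administrative limit is hit) show up in the server's access log before anyone notices a login failure. As an added example that is not part of this thread or of 389 DS, the script below runs detection logic over access-log lines: it tracks which identity each connection is bound as (a connection that never bound, bound with dn="", or whose last bind failed counts as anonymous), pairs each SRCH with its RESULT, and reports every search that ended with err=4 (sizeLimitExceeded) or err=11 (adminLimitExceeded), grouped by client IP. The log excerpt is constructed in the conn/op layout of the 389 DS access log; the hosts, DNs, filters and counts are made up.

```python
import re
from collections import Counter

# Constructed 389 DS access-log excerpt (connection, BIND, SRCH and RESULT
# records). Hosts, DNs and counts are invented for this example.
CONSTRUCTED_ACCESS_LOG = """\
[19/Oct/2021:10:44:01.000000001 +0200] conn=12 fd=64 slot=64 connection from 10.0.0.5 to 10.0.0.1
[19/Oct/2021:10:44:01.000100000 +0200] conn=12 op=0 BIND dn="" method=128 version=3
[19/Oct/2021:10:44:01.000200000 +0200] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0.000010000 dn=""
[19/Oct/2021:10:44:01.000300000 +0200] conn=12 op=1 SRCH base="ou=People,dc=mydomain,dc=com" scope=2 filter="(objectClass=posixAccount)" attrs="uid uidNumber gidNumber"
[19/Oct/2021:10:44:01.400000000 +0200] conn=12 op=1 RESULT err=4 tag=101 nentries=2000 etime=0.399700000
[19/Oct/2021:10:44:02.000000001 +0200] conn=13 fd=65 slot=65 connection from 10.0.0.7 to 10.0.0.1
[19/Oct/2021:10:44:02.000100000 +0200] conn=13 op=0 BIND dn="uid=svc-sssd,ou=Services,dc=mydomain,dc=com" method=128 version=3
[19/Oct/2021:10:44:02.000200000 +0200] conn=13 op=0 RESULT err=0 tag=97 nentries=0 etime=0.000020000 dn="uid=svc-sssd,ou=services,dc=mydomain,dc=com"
[19/Oct/2021:10:44:02.000300000 +0200] conn=13 op=1 SRCH base="ou=People,dc=mydomain,dc=com" scope=2 filter="(objectClass=posixAccount)" attrs="uid uidNumber gidNumber"
[19/Oct/2021:10:44:02.900000000 +0200] conn=13 op=1 RESULT err=0 tag=101 nentries=3000 etime=0.899700000
[19/Oct/2021:10:44:03.000000001 +0200] conn=14 fd=66 slot=66 connection from 10.0.0.9 to 10.0.0.1
[19/Oct/2021:10:44:03.000100000 +0200] conn=14 op=0 BIND dn="" method=128 version=3
[19/Oct/2021:10:44:03.000200000 +0200] conn=14 op=0 RESULT err=0 tag=97 nentries=0 etime=0.000010000 dn=""
[19/Oct/2021:10:44:03.000300000 +0200] conn=14 op=1 SRCH base="dc=mydomain,dc=com" scope=2 filter="(memberUid=*)" attrs="cn gidNumber memberUid"
[19/Oct/2021:10:44:03.200000000 +0200] conn=14 op=1 RESULT err=11 tag=101 nentries=0 etime=0.199700000 notes=U
[19/Oct/2021:10:44:04.000300000 +0200] conn=12 op=2 SRCH base="ou=People,dc=mydomain,dc=com" scope=2 filter="(uid=mstarling)" attrs="uid"
[19/Oct/2021:10:44:04.001000000 +0200] conn=12 op=2 RESULT err=0 tag=101 nentries=1 etime=0.000700000
[19/Oct/2021:10:44:05.000000001 +0200] conn=15 fd=67 slot=67 connection from 10.0.0.5 to 10.0.0.1
[19/Oct/2021:10:44:05.000100000 +0200] conn=15 op=0 BIND dn="uid=svc-sssd,ou=Services,dc=mydomain,dc=com" method=128 version=3
[19/Oct/2021:10:44:05.000200000 +0200] conn=15 op=0 RESULT err=49 tag=97 nentries=0 etime=0.000020000
[19/Oct/2021:10:44:05.000300000 +0200] conn=15 op=1 SRCH base="ou=Groups,dc=mydomain,dc=com" scope=2 filter="(objectClass=posixGroup)" attrs="cn gidNumber memberUid"
[19/Oct/2021:10:44:05.300000000 +0200] conn=15 op=1 RESULT err=4 tag=101 nentries=2000 etime=0.299700000
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")
CONNECT_RE = re.compile(r"^fd=\d+ slot=\d+ connection from (?P<ip>\S+) to ")
BIND_RE = re.compile(r'^op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)"')
SRCH_RE = re.compile(r'^op=(?P<op>\d+) SRCH base="(?P<base>[^"]*)" scope=(?P<scope>\d+) filter="(?P<filter>[^"]*)"')
RESULT_RE = re.compile(r"^op=(?P<op>\d+) RESULT err=(?P<err>\d+) tag=(?P<tag>\d+) nentries=(?P<nentries>\d+)")
RESULT_DN_RE = re.compile(r' dn="(?P<dn>[^"]*)"')

# LDAP result codes meaning the server cut the search short.
LIMIT_ERRORS = {4: "sizeLimitExceeded", 11: "adminLimitExceeded"}
BIND_RESPONSE_TAG = 97


def analyze(log_text):
    """One finding per search that hit a size/admin limit, tagged with the
    identity the connection was bound as when the search ran."""
    client_ip, bound_dn, searches, findings = {}, {}, {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, rest = int(m["conn"]), m["rest"]
        c = CONNECT_RE.match(rest)
        if c:
            client_ip[conn] = c["ip"]
            bound_dn[conn] = ""                  # fresh connection: anonymous
            continue
        b = BIND_RE.match(rest)
        if b:
            bound_dn[conn] = b["dn"]             # provisional until the bind RESULT
            continue
        s = SRCH_RE.match(rest)
        if s:
            searches[(conn, int(s["op"]))] = {"base": s["base"], "filter": s["filter"]}
            continue
        r = RESULT_RE.match(rest)
        if not r:
            continue
        op, err, tag = int(r["op"]), int(r["err"]), int(r["tag"])
        if tag == BIND_RESPONSE_TAG:
            if err != 0:
                bound_dn[conn] = ""              # a failed bind leaves the connection anonymous
            else:
                d = RESULT_DN_RE.search(rest)
                if d:
                    bound_dn[conn] = d["dn"]     # server-normalised identity
            continue
        srch = searches.pop((conn, op), None)
        if srch is not None and err in LIMIT_ERRORS:
            dn = bound_dn.get(conn, "")
            findings.append({"ts": m["ts"], "conn": conn, "op": op,
                             "client": client_ip.get(conn, "?"),
                             "bound_dn": dn, "anonymous": dn == "",
                             "err": err, "reason": LIMIT_ERRORS[err],
                             "nentries": int(r["nentries"]), **srch})
    return findings


def anonymous_limit_hits_by_client(findings):
    """Truncated anonymous searches per client IP: the hosts whose LDAP
    clients may be missing users or groups without reporting it."""
    return dict(Counter(f["client"] for f in findings if f["anonymous"]))


if __name__ == "__main__":
    found = analyze(CONSTRUCTED_ACCESS_LOG)
    for f in found:
        who = "anonymous" if f["anonymous"] else f["bound_dn"]
        print(f"{f['ts']} conn={f['conn']} {f['client']} as {who}: "
              f"{f['reason']} after {f['nentries']} entries, filter {f['filter']}")
    print(anonymous_limit_hits_by_client(found))
```

In the sample, the authenticated service account on conn=13 receives all 3000 entries and is not reported, while the two anonymous enumerations and the connection whose bind failed with err=49 are; that last case is the one to watch for when a client is thought to be using a bind DN but has fallen back to anonymous.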
anonymous binds
by Michael Starling
Good afternoon.
I have a few questions about anon binds.
In theory if you have 3000 user objects in the directory and anonymous binds have a limit returning 2000 entries can you still use anonymous binds in LDAP client configurations without issues? Or does something else take place when a user logs in that only requires the LDAP clients (sssd or nscld) to parse that specific user dn and attributes?
Typically, with OpenLDAP I have created a "bind" user that can read all user/group objects with limited attributes and turned off anon binds so I don't fully understand the behavior of anonymous binds.
Mike
changelog program - _cl5AddThread - Invalid changelog state - 2
by Kees Bakker
Hi,
Today I tried 389-base 1.4.4.17 for a fix of retro cl trimming [1]
Unfortunately the ns-slapd got into some sort of deadlock, I think. Anyway, I reverted 389-base back to 1.4.3.23.
But now I have a replication problem. Could this have been caused by the update to 1.4.4.17 ? And, if yes, how can I fix this?
[18/Oct/2021:12:17:41.750334062 +0200] - ERR - NSMMReplicationPlugin - changelog program - _cl5AddThread - Invalid changelog state - 2
[18/Oct/2021:12:17:41.782505596 +0200] - ERR - NSMMReplicationPlugin - send_updates - agmt="cn=iparep4.example.com-to-rotte.example.com" (rotte:389): Changelog database was in an incorrect state
[18/Oct/2021:12:17:41.827732779 +0200] - ERR - NSMMReplicationPlugin - repl5_inc_run - agmt="cn=iparep4.example.com-to-rotte.example.com" (rotte:389): Incremental update failed and requires administrator action
[1] https://github.com/389ds/389-ds-base/pull/4895
--
Kees
Lock table is out of available lock entries
by Kees Bakker
Hi,
When my dirsrv was trying to compact the databases I was getting this error
[07/Aug/2021:23:59:02.715984489 +0200] - NOTICE - bdb_compact - Compacting databases ...
[07/Aug/2021:23:59:02.765932397 +0200] - NOTICE - bdb_compact - Compacting DB start: userRoot
[07/Aug/2021:23:59:03.518175414 +0200] - NOTICE - bdb_compact - compactdb: compact userRoot - 417 pages freed
[07/Aug/2021:23:59:03.576427786 +0200] - NOTICE - bdb_compact - Compacting DB start: ipaca
[07/Aug/2021:23:59:03.659941533 +0200] - NOTICE - bdb_compact - compactdb: compact ipaca - 419 pages freed
[07/Aug/2021:23:59:03.718445310 +0200] - NOTICE - bdb_compact - Compacting DB start: changelog
[08/Aug/2021:00:00:40.807571334 +0200] - NOTICE - NSMMReplicationPlugin - changelog program - cl5CompactDBs - compacting replication changelogs...
[08/Aug/2021:00:00:54.309357211 +0200] - ERR - libdb - BDB2055 Lock table is out of available lock entries
[08/Aug/2021:00:00:54.726504736 +0200] - ERR - bdb_compact - compactdb: failed to compact changelog; db error - 12 Cannot allocate memory
[08/Aug/2021:00:00:54.801571421 +0200] - ERR - libdb - BDB2055 Lock table is out of available lock entries
[08/Aug/2021:00:00:54.876618702 +0200] - ERR - NSMMReplicationPlugin - changelog program - cl5CompactDBs - Failed to compact a797bb0b-be1d11eb-88c0b677-613aa2ad; db error - 12 Cannot allocate memory
[08/Aug/2021:00:00:57.253006449 +0200] - NOTICE - bdb_compact - Compacting databases finished.
There are about 402k entries in cn=changelog.
I have a few questions
1) is it normal to have so many entries in cn=changelog? On another replica I have almost 3M entries. Isn't this cleaned up?
2) the number of locks is 50000 (there are two config items). Should I increase that number? If so, increase to what?
3) is there maybe something else going on, causing the exhaustion of the locks?
--
Kees Bakker