Hi,
I'm new to 389-ds and last week downloaded and installed the software.
I have a running instance of the server, and I've added TLS/SSL. I've configured a CentOS 7 client to be able to query the server using TLS/SSL, and all appears working.
I've created users and groups on the 389-ds server successfully. For each user and group, I've enabled posix attributes and my client can see the unix users and groups using the "getent password" or "getent group" commands.
Now, here's where I'm getting tripped up..........
I need to limit which users have access to which systems. I've been trying to do this via memberOf group limitations.
I found the following online resource (https://thornelabs.net/2013/01/28/aix-restrict-server-login-via-ldap-groups....) which is close enough to CentOS that the initial commands worked.
I enabled the MemberOf plugin and changed the attributes per the link, and restarted the system.
I created a test group (that I didn't enable a posix GID) and tried to add a single user via:
Right click on group --> click Properties --> then Members --> click Add --> Search for user --> click Add.
When I try to go this route (which worked before enabling the memberOf plugin) it worked. Now it seems I get the error:
"Cannot save to directory server. netscape.ldap.LDAPException: error resiult(65): Object class violation"
And the messages file throws the error (/var/log/dirsrv/slapd-<instancename>/errors):
"Entry "uid=test,ou=People,dc=int,dc=com" -- attribute "memberOf" not allowed [17/Feb/2016:11:22:58 -0700] memberof-plugin - memberof_postop_modify: failed to add dn (cn=testgroup,ou=Groups,dc=int,dc=com) to target. Error (65)"
So it seems my server isn't quite using the memberOf plugin properly, but I'm not sure what else to enable. I'll have to solve this issue before I even try to filter login access via groups on my client system.
I should mention that if I go under the advanced tab for one of the groups I created, I can add the attribute "uniquemember", but I'm not sure what I should set the "value" to be.
I've tried creating new users to see if I could set their "uniquemember" attributes, but no luck. It seems that I don't have the ability to set this attribute on individual users, only groups.
This might not be the right road to head down when trying to restrict access to servers via groups, so I'm open to any suggestions.
Any suggestions would be appreciated.
The memberOf plugin is trying to add the "memberOf" attribute to the entry, but the entry is missing an objectclass that allows "memberOf". Typically you need to add "objectclass: inetuser" to all your entries for memberOf Plugin to work as you'd expect.
If you are using "389-ds-base-1.3.4" or later, the memberOf plugin can automatically add "inetuser" to the entries for you (if it is missing).
http://www.port389.org/docs/389ds/design/memberof-auto-add-oc.html
Mark
389 users mailing list 389-users@%(host_name)s http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org
Hi Mark,
Thanks for responding so quickly. Fortunately I'm running 1.3.4.0-26, so I should be able to have the memberOf plugin automatically add the "inetuser" to my entries if needed.
I took a look at the document you mentioned (thanks!), and I'm still a bit confused (apologies for being thick).
I'm in the Advanced settings of the MemberOf plugin, and there isn't an option to add the attribute "memberofAutoAddOC" and set the default value to inetUser.
An ldapsearch still fails to show any entries with cn=MemberOf Plugin,.....
I'm sure I'm missing the obvious. Any suggestions would be appreciated.
Thanks.
On 02/17/2016 04:45 PM, Janet Houser wrote:
An ldapsearch still fails to show any entries with cn=MemberOf Plugin,.....
Are you doing the search as Directory Manager?
ldapsearch -D "cn=directory manager" -W -xLLL -b "cn=config" "(cn=memberof plugin)"
I'm not 100% sure your build of 1.3.4 has this fix - that's a pretty early version - I'm looking into this now, and I will get back to you once I have this info.
Mark
On 02/17/2016 04:45 PM, Janet Houser wrote:
Hi Mark,
Thanks for responding so quickly. Fortunately I'm running 1.3.4.0-26, so I should be able to have the memberOf plugin automatically add the "inetuser" to my entries if needed.
Sorry, this fix was not released until 1.3.4.5-1. I'm not sure if you can upgrade or not; if not, you'll need to manually add this objectclass to your user entries.
Regards, Mark
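One way to do the manual step in bulk, as an added example that is not part of the original thread or of 389-ds: it reads LDIF as printed by ldapsearch and writes an ldapmodify change file that adds inetUser only to user entries that lack it. The sample entries other than uid=test and cn=testgroup, the set of object classes treated as user entries, and all function names are assumptions.

```python
"""Build an ldapmodify change file that adds objectClass inetUser to
user entries that lack it (added example, not 389-ds project code)."""
import base64

# Assumption: any of these object classes marks an entry as a user account.
USER_CLASSES = frozenset({"person", "inetorgperson", "posixaccount"})

# Constructed sample in the shape `ldapsearch -LLL` prints. uid=test and
# cn=testgroup come from the thread; every other entry is made up.
SAMPLE_LDIF = """\
dn: uid=test,ou=People,dc=int,dc=com
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
uid: test

dn: uid=alice,ou=People,dc=int,dc=com
objectclass: inetOrgPerson
objectclass: inetuser
uid: alice
memberOf: cn=testgroup,ou=Groups,dc=int,dc=com

dn: uid=averyveryverylongusername,ou=People,dc=int,dc
 =com
objectClass: inetOrgPerson
uid: averyveryverylongusername

dn:: {b64_dn}
objectClass: inetOrgPerson
sn: Example

dn: cn=testgroup,ou=Groups,dc=int,dc=com
objectClass: groupOfUniqueNames
cn: testgroup
""".format(b64_dn=base64.b64encode(
    "uid=j\u00fcrgen,ou=People,dc=int,dc=com".encode("utf-8")).decode("ascii"))


def unfold(text):
    """Join LDIF continuation lines (a leading single space) to their parent."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_entries(text):
    """Return one dict per entry: lower-cased attribute name -> list of values."""
    entries, current = [], {}
    for line in unfold(text) + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):              # LDIF comment
            continue
        attr, sep, rest = line.partition(":")
        if not sep:                           # e.g. the "-" separator line
            continue
        if rest.startswith(":"):              # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(attr.lower(), []).append(value)
    return entries


def missing_inetuser(entries, user_classes=USER_CLASSES):
    """DNs of user entries whose objectClass list does not include inetUser."""
    dns = []
    for entry in entries:
        classes = {v.lower() for v in entry.get("objectclass", [])}
        if classes & user_classes and "inetuser" not in classes:
            dns.append(entry["dn"][0])
    return dns


def dn_line(dn):
    """Emit 'dn: ...' when the DN is a safe LDIF string, else base64 'dn:: ...'."""
    safe = (dn.isascii() and dn[:1] not in (" ", ":", "<")
            and not dn.endswith(" ") and "\n" not in dn)
    if safe:
        return "dn: " + dn
    return "dn:: " + base64.b64encode(dn.encode("utf-8")).decode("ascii")


def build_modify_ldif(dns):
    """One 'changetype: modify' record per DN, separated by blank lines."""
    records = ["\n".join([dn_line(dn), "changetype: modify",
                          "add: objectClass", "objectClass: inetUser", "-"])
               for dn in dns]
    return "\n\n".join(records) + ("\n" if records else "")


if __name__ == "__main__":
    todo = missing_inetuser(parse_entries(SAMPLE_LDIF))
    print(build_modify_ldif(todo), end="")
```

Review the generated file before applying it, for example with `ldapmodify -D "cn=directory manager" -W -x -f add-inetuser.ldif` (the file name is a placeholder).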
Hi Mark,
Thanks for all your help. This is a new ldap server, so I'll try to go the upgrade route.
For short-term testing of the memberOf restrictions to my CentOS client system, I've gone ahead and added the inetUser to the objectclass of a couple of my test users.
I'll see if I can now get filtering to work.
Cheers,
Hi folks,
I've been using 389-ds for about 6 months and have successfully configured various linux systems as LDAP clients (CentOS, Ubuntu, openSUSE, etc.).
I'm now trying to connect a Mac system (OS X 10.10) into the LDAP server and I'm getting a strange error.
From Users & Groups, when I "Join" a "Network Account Server" and enter the FQDN of my 389-ds server, I'm given the message:
"This server does not provide a secure (SSL) connection. Do you want to continue?"
I've selected "yes" and moved forward with LDAPv3 with LDAP Mappings set to RFC2307.
Using the mac dscl command, I can query users from the command line using:
dscl /LDAPv3/FQDN_of_server -read Users/testuser
In the 389 Management Console, under "Encryption", I have "Enable SSL for this server" and set "Allow client authentication". The postfix groups I created resolve properly, and changing a test file to a specific uid / gid will resolve properly to the name/group of a user in the 389-ds database.
However, when a user tries to change their password, it fails with a generic "general failure" message. The access log on the 389-ds ldap server shows the following for the connection:
CONNECT fd=113 slot=113 connection from xxx.xx.xx.218 to xxx.xx.xx.4
EXT oid='1.3.6.1.4.1.l466.20037" name = "startTLS"
RESULT err=0 tag=120 nentries=0 etime=0
DISCONNECT fd=113 closed - Encountered end of file
I believe the inability to change a user's password is linked to the fact that the mac isn't speaking to the LDAP server using SSL, but I'm not sure what I'm missing in the server configuration to allow the Mac to connect via SSL.
Any hints would be appreciated.
Thanks,
janet
Ok...
Fixed the SSL issue by adding the server cert to the mac's keychain and "trusting" it.
See: http://people.ivec.uwa.edu.au/ashley.chew/fedora-ds/fedora-ds-26072006.html
The above procedure is a bit old, but the general idea works for Mac OS 10.10.
Hi Folks,
I've been trying to slave a Mac OS X 10.10 system into a 389 Directory Server.
Using the mac dscl command, I can query users from the command line using:
dscl /LDAPv3/FQDN_of_server -read Users/testuser
As root on the Mac system, I can "su" to an LDAP user and create files. The ownership and group of the files created by the LDAP user look correct.
But I'm running into the issue where I can't ssh, console login, or "su" to an LDAP user from an unprivileged account.
I'm seeing the error:
..... sshd<XXX>: error: PAM: authentication error for testuser ....
I believe the problem is with the authorization file in the /etc/pam.d directory of the client, but I've tried several changes to compensate for the error, and nothing works.
Has anyone else run across this issue?
Thanks,
Hi Folks,
I just created a Centos 7 VM (CentOS release 7.6.1810) and did a yum install of the epel directory:
yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
and an install of 389-DS:
yum install 389*
I ran setup-ds-admin.pl as a stand alone system (this is a test machine). After the installation, I ran the following
VERBOSE=1 /usr/bin/389-console
which yielded an unfamiliar error:
/usr/bin/build-classpath: Could not find slf4j-api.jar Java extension for this JVM
/usr/bin/build-classpath: error: Some specified jars were not found
Java virtual machine used: /usr/lib/jvm/jre/bin/java
classpath used: /usr/share/java/apache-commons-codec.jar:/usr/share/java/apache-commons-lang.jar:/usr/lib/java/jss4.jar:/usr/share/java/ldapjdk.jar:/usr/share/java/idm-console-base.jar:/usr/share/java/idm-console-mcc.jar:/usr/share/java/idm-console-mcc_en.jar:/usr/share/java/idm-console-nmclf.jar:/usr/share/java/idm-console-nmclf_en.jar:/usr/share/java/389-console_en.jar
main class used: com.netscape.management.client.console.Console
flags used:
options used: -Djava.util.prefs.systemRoot=/root/.389-console -Djava.util.prefs.userRoot=/root/.389-console
arguments used:
I've built two test systems in the past, the most recent being in March of this year, and I've never seen this error before. My other two systems don't show the apache-commons-codec.jar and the apache-commons-lang.jar files in the classpath and one of the systems is at the same CentOS release as this new server.
I'm searching info about java and 389-DS to see if I need to add something to the system but I haven't had any luck yet. I'm sure there is a simple fix and I'm overlooking the obvious.
The java packages between the systems look the same so I'm not quite sure why the clean build is looking for this jar file.
Any suggestions would be appreciated.
Thanks,
janet
Additional info... I just did a yum update on one of my 389-DS centos 7 boxes and I'm seeing the same error. So it must be something about the new java files that the 389-console binary doesn't like.
It could be worth checking the rpm versions of the 389-ds-console between your test system and your new system?
It could also be good to check `yum whatprovides "*/slf4j-api.jar"` in case there is a missing dependency?
I'm not an expert on the console, so I hope that Mark can answer soon as he's our remaining console master.
— Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server SUSE Labs
Hi William,
Thanks! I'll work the issue from the OS side and post the solution here when I find it.
Cheers,
Well, I feel a little foolish.
Simply doing "yum install slf4j" seems to have fixed the error.
[admin]# VERBOSE=1 /usr/bin/389-console
Java virtual machine used: /usr/lib/jvm/jre/bin/java
classpath used: /usr/share/java/apache-commons-codec.jar:/usr/share/java/apache-commons-lang.jar:/usr/share/java/slf4j/api.jar:/usr/share/java/slf4j/ext.jar:/usr/share/java/slf4j/jcl-over-slf4j.jar:/usr/share/java/slf4j/jcl.jar:/usr/share/java/slf4j/jdk14.jar:/usr/share/java/slf4j/jul-to-slf4j.jar:/usr/share/java/slf4j/log4j-over-slf4j.jar:/usr/share/java/slf4j/log4j12.jar:/usr/share/java/slf4j/migrator.jar:/usr/share/java/slf4j/nop.jar:/usr/share/java/slf4j/simple.jar:/usr/share/java/slf4j/site.jar:/usr/share/java/slf4j/slf4j-api.jar:/usr/share/java/slf4j/slf4j-ext.jar:/usr/share/java/slf4j/slf4j-jcl.jar:/usr/share/java/slf4j/slf4j-jdk14.jar:/usr/share/java/slf4j/slf4j-log4j12.jar:/usr/share/java/slf4j/slf4j-migrator.jar:/usr/share/java/slf4j/slf4j-nop.jar:/usr/share/java/slf4j/slf4j-simple.jar:/usr/share/java/slf4j/slf4j-site.jar:/usr/lib/java/jss4.jar:/usr/share/java/ldapjdk.jar:/usr/share/java/idm-console-base.jar:/usr/share/java/idm-console-mcc.jar:/usr/share/java/idm-console-mcc_en.jar:/usr/share/java/idm-console-nmclf.jar:/usr/share/java/idm-console-nmclf_en.jar:/usr/share/java/389-console_en.jar
main class used: com.netscape.management.client.console.Console
flags used:
options used: -Djava.util.prefs.systemRoot=/root/.389-console -Djava.util.prefs.userRoot=/root/.389-console
arguments used:
Thanks William.... Sorry for the dumb question.
On 8/26/19 5:12 PM, William Brown wrote:
It could be worth checking the rpm versions of the 389-ds-console between your test system and your new system?
It could also be good to check `yum whatprovides "*/slf4j-api.jar" ` in case there is a missing dependency?
I'm not an expert on the console, so I hope that Mark can answer soon as he's our remaining console master.
On 27 Aug 2019, at 04:19, Janet H houser@nso.edu wrote:
Additional info... I just did a yum update on one of my 389-DS centos 7 boxes and I'm seeing the same error. So it must be something about the new java files that the 389-console binary doesn't like.
— Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server SUSE Labs
On 27 Aug 2019, at 23:36, Janet Houser houser@nso.edu wrote:
Well, I feel a little foolish.
Simply doing "yum install slf4j" seems to have fixed the error.
I wonder if a package has a missing dependency in that case? You could raise an issue on RH BZ, and provide the details of your yum history (yum history is the command iirc). If you want me to review the report before you submit it, I'm happy to do so.
Thanks William.... Sorry for the dumb question.
There is no need to apologise - there are no dumb questions. We are all here on this mailing list to help and share our experience so that you can fix your issues and get the help you need.
I look forward to helping you with any other questions you have in the future. Thanks for using 389-ds and being part of our community!
On 8/26/19 5:12 PM, William Brown wrote:
It could be worth checking the rpm versions of the 389-ds-console between your test system and your new system?
It could also be good to check `yum whatprovides "*/slf4j-api.jar" ` in case there is a missing dependency?
I'm not an expert on the console, so I hope that Mark can answer soon as he's our remaining console master.
On 27 Aug 2019, at 04:19, Janet H houser@nso.edu wrote:
Additional info... I just did a yum update on one of my 389-DS centos 7 boxes and I'm seeing the same error. So it must be something about the new java files that the 389-console binary doesn't like.
— Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server SUSE Labs
— Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server SUSE Labs
Hi Folks,
I'm working to set up a PingFederate server to communicate with Apps at a sister location. I'm told that the software needs to send the "employeeID" in order to authenticate with the offsite server.
Under the Directory Server --> Schema --> Tab Attributes, DS-389 has the attribute "employeeNumber" which I can add to a user's LDAP information. There doesn't seem to be a way to change the name on this page, and when I tried adding a "User Defined Attribute", it wouldn't show up under "Advanced" for a user.
Is there a way to add this field to all users and change the name to "employeeID"?
I'm searching, but I haven't found a way to do this via the 389-console.
Thanks in advance!
j
On 8/6/20 9:11 AM, Janet Houser wrote:
Hi Folks,
I'm working to set up a PingFederate server to communicate with Apps at a sister location. I'm told that the software needs to send the "employeeID" in order to authenticate with the offsite server.
Under the Directory Server --> Schema --> Tab Attributes, DS-389 has the attribute "employeeNumber" which I can add to a user's LDAP information. There doesn't seem to be a way to change the name on this page, and when I tried adding a "User Defined Attribute", it wouldn't show up under "Advanced" for a user.
Is there a way to add this field to all users and change the name to "employeeID"?
I'm searching, but I haven't found a way to do this via the 389-console.
Sorry, the old Java 389-console is not flexible, and there is no way to customize it. We have a new Administration Web UI on RHEL 8, but it does not do entry management. There is an LDAP browser being worked on as a side project, but it is not ready yet. Perhaps Apache Directory Studio (which is free) can achieve what you need? I would look into that first...
Regards,
Mark
Thanks in advance!
j
Hi Mark,
Thanks for the quick response. I'll look into other options.
Cheers,
On 8/6/20 7:27 AM, Mark Reynolds wrote:
On 8/6/20 9:11 AM, Janet Houser wrote:
Hi Folks,
I'm working to set up a PingFederate server to communicate with Apps at a sister location. I'm told that the software needs to send the "employeeID" in order to authenticate with the offsite server.
Under the Directory Server --> Schema --> Tab Attributes, DS-389 has the attribute "employeeNumber" which I can add to a user's LDAP information. There doesn't seem to be a way to change the name on this page, and when I tried adding a "User Defined Attribute", it wouldn't show up under "Advanced" for a user.
Is there a way to add this field to all users and change the name to "employeeID"?
I'm searching, but I haven't found a way to do this via the 389-console.
Sorry, the old Java 389-console is not flexible, and there is no way to customize it. We have a new Administration Web UI on RHEL 8, but it does not do entry management. There is an LDAP browser being worked on as a side project, but it is not ready yet. Perhaps Apache Directory Studio (which is free) can achieve what you need? I would look into that first...
Regards,
Mark
Thanks in advance!
j
Hi,
EmployeeID looks to be a direct mapping of EmployeeNumber. EmployeeNumber is defined in RFC 2798 and delivered as a standard definition in /share/dirsrv/schema/06inetorgperson.ldif. Even if defining EmployeeId as an alias of EmployeeNumber is possible, I would not recommend updating a standard definition. Instead you may try to add EmployeeID in the instance-specific custom definitions "/etc/dirsrv/slapd-<instance>/schema/99user.ldif". I think those changes should be done without the console.
If employeeID is identical to employeeNumber and the users are already provisioned, I am afraid the easier way is to alias the standard definition. Otherwise you could update those entries, adding employeeid based on the employeeNumber value. There is also the possibility of making it a virtual attribute, using a combination of managed entry [1] and indirect CoS [2], or of using rewriters (filter rewrite and computed attributes).
[1] https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/ht...
[2] https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/ht...
regards thierry
On 8/6/20 3:11 PM, Janet Houser wrote:
Hi Folks,
I'm working to set up a PingFederate server to communicate with Apps at a sister location. I'm told that the software needs to send the "employeeID" in order to authenticate with the offsite server.
Under the Directory Server --> Schema --> Tab Attributes, DS-389 has the attribute "employeeNumber" which I can add to a user's LDAP information. There doesn't seem to be a way to change the name on this page, and when I tried adding a "User Defined Attribute", it wouldn't show up under "Advanced" for a user.
Is there a way to add this field to all users and change the name to "employeeID"?
I'm searching, but I haven't found a way to do this via the 389-console.
Thanks in advance!
j
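Added example (not part of the original thread and not 389-ds project code): one way to carry out the "update those entries adding employeeid based on employeeNumber value" option is to turn an LDIF export into LDIF modify records. It assumes employeeID is already defined in 99user.ldif and allowed by a custom auxiliary objectClass, given the hypothetical name employeeIdPerson here; the sample entries are constructed.

```python
import base64

# Hypothetical auxiliary objectClass assumed to permit employeeID (see lead-in).
AUX_CLASS = "employeeIdPerson"

# Constructed sample export with a folded DN and a base64-encoded value.
SAMPLE_LDIF = """\
dn: uid=test,ou=People,dc=int,dc=com
objectClass: inetOrgPerson
employeeNumber: 1001

dn: uid=folded,ou=People,
 dc=int,dc=com
objectClass: employeeIdPerson
employeeNumber:: MTAwMg==

dn: uid=noid,ou=People,dc=int,dc=com
"""

def parse_ldif(text):
    """Yield one {lowercased attribute: [values]} dict per entry."""
    for block in text.replace("\n ", "").split("\n\n"):  # unfold, then split
        entry = {}
        for line in (l for l in block.splitlines() if l and l[0] != "#"):
            attr, _, rest = line.partition(":")
            b64 = rest.startswith(":")  # "attr:: value" carries base64
            value = base64.b64decode(rest[1:]).decode("utf-8") if b64 else rest.strip()
            entry.setdefault(attr.lower(), []).append(value)
        if "dn" in entry:
            yield entry

def ldif_line(attr, value):
    """Format a line, base64-encoding values that LDIF cannot carry raw."""
    safe = value == value.strip() and value.isascii() and value.isprintable()
    if safe and value[:1] not in (":", "<"):
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def build_modifications(text):
    """Build LDIF modify records that copy employeeNumber into employeeID."""
    records = []
    for e in parse_ldif(text):
        if "employeenumber" not in e or "employeeid" in e:
            continue  # nothing to copy, or already populated
        lines = [ldif_line("dn", e["dn"][0]), "changetype: modify"]
        if AUX_CLASS.lower() not in {c.lower() for c in e.get("objectclass", [])}:
            lines += ["add: objectClass", f"objectClass: {AUX_CLASS}", "-"]
        lines += ["add: employeeID", ldif_line("employeeID", e["employeenumber"][0]), "-"]
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n"
```

The returned text is in the changetype: modify form that ldapmodify reads. Adding the objectClass in the same record matters because an entry whose classes do not allow the attribute is rejected with error 65 (object class violation).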
Hi Thierry,
Many thanks! I'll try this.
Cheers,
On 8/6/20 8:04 AM, thierry bordaz wrote:
Hi,
EmployeeID looks to be a direct mapping of EmployeeNumber. EmployeeNumber is defined in RFC 2798 and delivered as a standard definition in /share/dirsrv/schema/06inetorgperson.ldif. Even if defining EmployeeId as an alias of EmployeeNumber is possible, I would not recommend updating a standard definition. Instead you may try to add EmployeeID in the instance-specific custom definitions "/etc/dirsrv/slapd-<instance>/schema/99user.ldif". I think those changes should be done without the console.
If employeeID is identical to employeeNumber and the users are already provisioned, I am afraid the easier way is to alias the standard definition. Otherwise you could update those entries, adding employeeid based on the employeeNumber value. There is also the possibility of making it a virtual attribute, using a combination of managed entry [1] and indirect CoS [2], or of using rewriters (filter rewrite and computed attributes).
[1] https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/ht...
[2] https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/ht...
regards thierry
On 8/6/20 3:11 PM, Janet Houser wrote:
Hi Folks,
I'm working to set up a PingFederate server to communicate with Apps at a sister location. I'm told that the software needs to send the "employeeID" in order to authenticate with the offsite server.
Under the Directory Server --> Schema --> Tab Attributes, DS-389 has the attribute "employeeNumber" which I can add to a user's LDAP information. There doesn't seem to be a way to change the name on this page, and when I tried adding a "User Defined Attribute", it wouldn't show up under "Advanced" for a user.
Is there a way to add this field to all users and change the name to "employeeID"?
I'm searching, but I haven't found a way to do this via the 389-console.
Thanks in advance!
j