Stop user being replicated with Active Directory
by Juan Asensio Sánchez
Hi
After one user has been replicated from 389 DS to Active Directory, is
there any way to stop replicating it? I want the user, after deleting
some attrs in 389 DS (ntUser objectClass, ...), to be deleted in Active
Directory but still exist in 389 DS. Is this possible?
Thanks in advance.
12 years, 5 months
console issues
by Josh Ellsworth
I am working on deploying 389 in my organization but I'm having an issue
with the Windows console. After I log in, the console looks like the
screenshot here:
http://imgur.com/W1hVd
When I click on the Directory Server tree it changes to say "this server
component has not yet been downloaded, or it could not be activated.
Press Download to retry."
I need to be able to access the Directory Server properties, any idea
why I can't?
--
Joshua Ellsworth
System Administrator, Primatics Financial
Phone: 571.765.7528
jellsworth(a)primaticsfinancial.com
12 years, 6 months
MMR referral list questions.
by Shardul Kerkar
Hi,
I am testing MMR on our QA ldap servers using version 1.1.2.
Currently I have setup Master-1 and Master-2 as the two read-write suppliers. Hub-1 has replication agreements with Master-1 and Master-2. Rep-1 has replication to Hub-1.
Consequently Hub-1 has Master-1 and Master-2 in its referral list. Anytime I do a write on rep, the change always takes place on Master-1 and flows down the tree. Only if I bring Master-1 down, does Master-2 take over.
How do I tell Hub-1 to distribute writes equally to both Masters? Also, if I want to intentionally do all changes on Master-2, is there a way for Hub to prefer one referral over the other?
Thank you,
Shar
12 years, 6 months
Password sync
by Viento .
Hi all, I have installed a 389ds which syncs entries from an Active Directory running on Windows 2003 R2 Enterprise Server. Everything works fine, even Password Sync. But I still have 1 problem I can't get solved:
11/30/11 00:35:46: There are no entries that match: test3
11/30/11 00:35:46: Deferring password change for test3
12 years, 6 months
Re: [389-users] How do I configure Solaris 10 as a LDAP client.
by Carsten Grzemba
For SSHA passwords Solaris needs a proper PAM configuration, for SSH especially the section:
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_ldap.so.1
Because there are some variations in the config between the Solaris versions, the best source for the right stack is
# man pam_ldap
Carsten
Am 13.12.11, schrieb Arpit Tolani <arpittolani(a)gmail.com>:
> Below is the configuration I configured. I am able to see the user in getent passwd output
> and see the user in ldaplist output.
>
> But I can't login. It fails using ssh.
>
> bash-3.2# cat /etc/nsswitch.conf |grep -v "^#"
>
> passwd: files ldap
>
> group: files ldap
> hosts: files dns # Added by DHCP
> ipnodes: files dns # Added by DHCP
> networks: files
> protocols: files
> rpc: files
> ethers: files
> netmasks: files
> bootparams: files
>
>
> publickey: files
> netgroup: files
> automount: files
> aliases: files
> services: files
> printers: user files
> auth_attr: files
> prof_attr: files
> project: files
> tnrhtp: files
> tnrhdb: files
>
>
>
> bash-3.2# cat /etc/pam.conf |grep -v "^#"
> login auth requisite pam_authtok_get.so.1
> login auth required pam_dhkeys.so.1
> login auth required pam_unix_cred.so.1
>
> login auth required pam_unix_auth.so.1
>
> login auth required pam_dial_auth.so.1
> login auth required pam_ldap.so.1
> rlogin auth sufficient pam_rhosts_auth.so.1
> rlogin auth requisite pam_authtok_get.so.1
> rlogin auth required pam_dhkeys.so.1
>
>
> rlogin auth required pam_unix_cred.so.1
> rlogin auth required pam_unix_auth.so.1
> rlogin auth required pam_unix_auth.so.1
> krlogin auth required pam_unix_cred.so.1
> krlogin auth required pam_krb5.so.1
>
>
> rsh auth sufficient pam_rhosts_auth.so.1
> rsh auth required pam_unix_cred.so.1
> rsh auth required pam_ldap.so.1
> krsh auth required pam_unix_cred.so.1
> krsh auth required pam_krb5.so.1
>
>
> ktelnet auth required pam_unix_cred.so.1
> ktelnet auth required pam_krb5.so.1
> ppp auth requisite pam_authtok_get.so.1
> ppp auth required pam_dhkeys.so.1
> ppp auth required pam_unix_cred.so.1
>
>
> ppp auth required pam_unix_auth.so.1
> ppp auth required pam_dial_auth.so.1
> ppp auth required pam_ldap.so.1
> other auth requisite pam_authtok_get.so.1
> other auth required pam_dhkeys.so.1
>
>
> other auth required pam_unix_cred.so.1
> other auth required pam_unix_auth.so.1
> other auth required pam_ldap.so.1
> passwd auth required pam_passwd_auth.so.1
> passwd auth required pam_ldap.so.1
>
>
> cron account required pam_unix_account.so.1
> other account sufficient pam_ldap.so.1
> other account requisite pam_roles.so.1
> other account required pam_unix_account.so.1
> other session required pam_unix_session.so.1
>
>
> other password required pam_dhkeys.so.1
> other password requisite pam_authtok_get.so.1
> other password requisite pam_authtok_check.so.1 force_check
> other password required pam_authtok_store.so.1
>
>
>
> bash-3.2# cat /var/ldap/ldap_client_file
> NS_LDAP_FILE_VERSION= 2.0
> NS_LDAP_SERVERS= 192.168.122.155
> NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
> NS_LDAP_AUTH= simple
> NS_LDAP_SEARCH_REF= TRUE
> NS_LDAP_SEARCH_SCOPE= sub
>
>
> NS_LDAP_SEARCH_TIME= 30
> NS_LDAP_CACHETTL= 43200
> NS_LDAP_PROFILE= default
> NS_LDAP_CREDENTIAL_LEVEL= proxy
> NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,dc=example,dc=com?sub
> NS_LDAP_SERVICE_SEARCH_DESC= group: ou=Groups,dc=example,dc=com?sub
>
>
> NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=People,dc=example,dc=com?sub
> NS_LDAP_BIND_TIME= 2
>
> bash-3.2# cat /var/ldap/ldap_client_cred
> NS_LDAP_BINDDN="cn=Directory Manager"
> NS_LDAP_BINDPASSWD=redhat123
>
>
>
> bash-3.2# /etc/init.d/ldap.client start
> bash-3.2# svcadm enable network/ldap/client
> bash-3.2# /usr/lib/ldap/ldap_cachemgr -g
>
> bash-3.2# getent passwd test
> test:x:1001:1001::/home/test:/bin/bash
>
>
>
> bash-3.2# ldaplist -l passwd test
> dn: uid=test,ou=People,dc=example,dc=com
> uidNumber: 1001
> sn: test
> gidNumber: 1001
> loginShell: /usr/bin/bash
> shadowMax: 99999
>
> objectClass: person
>
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: top
> uid: test
> shadowLastChange: 12994
>
>
> cn: test
> homeDirectory: /home/test
> shadowWarning: 7
> userPassword: {SSHA}6qy0z4cffk6tZdbh0IaOSOJgAqlmCq/zCtAX+g==
>
>
> --
>
> Thanks & Regards
> Arpit Tolani
>
>
>
>
--
Carsten Grzemba
Tel.: +49 3677 64740
Mobil: +49 171 9749479
Fax:: +49 3677 6474111
Email: carsten.grzemba(a)contac-dt.de
contac Datentechnik GmbH
12 years, 6 months
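The reply above turns on one detail of the "other auth" stack: pam_unix_auth is "binding" with "server_policy" instead of "required". A "required" module that fails makes the whole stack fail even when a later module (pam_ldap) succeeds, so an LDAP-only user whose password pam_unix_auth cannot verify is locked out. The following checker is an added example, not code from the thread or from the 389 project: it parses pam.conf text and reports the stack-ordering problems. The two sample stacks are the ones quoted in the thread, and the function names are my own.

```python
"""Check a Solaris pam.conf 'auth' stack for the LDAP/{SSHA}-ready shape.

Added example (not part of the mailing-list thread). It parses pam.conf
text, extracts the stack for one service/type, and reports the problems
that keep LDAP users with {SSHA} passwords from logging in. The sample
inputs are the two 'other auth' stacks quoted in the thread.
"""
import re

# Constructed sample: the poster's stack (pam_unix_auth is 'required').
POSTED_OTHER_AUTH = """\
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth required pam_unix_auth.so.1
other auth required pam_ldap.so.1
"""

# Constructed sample: the stack recommended in the reply.
RECOMMENDED_OTHER_AUTH = """\
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_ldap.so.1
"""

# service  type  control  module  [options...]
LINE_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_pam_conf(text):
    """Return (service, type, control, module, options) tuples.

    Comment and blank lines are skipped; options are split on whitespace.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparseable pam.conf line: %r" % raw)
        service, ptype, control, module, opts = m.groups()
        entries.append((service, ptype, control, module, opts.split()))
    return entries


def stack_for(text, service, ptype):
    """The ordered (control, module, options) stack for one service/type."""
    return [(c, m, o) for s, t, c, m, o in parse_pam_conf(text)
            if s == service and t == ptype]


def check_ldap_auth_stack(stack):
    """Findings for a stack expected to authenticate LDAP users.

    A failing 'required' module fails the stack even if pam_ldap later
    succeeds, and pam_unix_auth cannot match an {SSHA} hash with crypt(3).
    With 'server_policy' pam_unix_auth defers for accounts held by a
    server such as LDAP, and 'binding' lets files-backed users succeed
    without reaching pam_ldap. pam_ldap must follow pam_unix_auth.
    """
    findings = []
    modules = [m for _, m, _ in stack]
    if "pam_ldap.so.1" not in modules:
        findings.append("pam_ldap.so.1 missing from auth stack")
    for control, module, options in stack:
        if module == "pam_unix_auth.so.1":
            if control != "binding":
                findings.append(
                    "pam_unix_auth.so.1 is %r; a failed compare fails the "
                    "whole stack, use 'binding'" % control)
            if "server_policy" not in options:
                findings.append("pam_unix_auth.so.1 lacks server_policy")
    if "pam_unix_auth.so.1" in modules and "pam_ldap.so.1" in modules:
        if modules.index("pam_ldap.so.1") < modules.index("pam_unix_auth.so.1"):
            findings.append("pam_ldap.so.1 should follow pam_unix_auth.so.1")
    return findings


if __name__ == "__main__":
    for name, text in (("posted", POSTED_OTHER_AUTH),
                       ("recommended", RECOMMENDED_OTHER_AUTH)):
        problems = check_ldap_auth_stack(stack_for(text, "other", "auth"))
        print(name, "->", problems or "OK")
```

Run it against a real /etc/pam.conf by reading the file into `stack_for`; the "login" and "sshd" stacks (where present) deserve the same check as "other", since a service-specific stack overrides the "other" default.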
How do I configure Solaris 10 as a LDAP client.
by Arpit Tolani
Below is the configuration I configured. I am able to see the user in getent
passwd output
and see the user in ldaplist output.
But I can't login. It fails using ssh.
bash-3.2# cat /etc/nsswitch.conf |grep -v "^#"
passwd: files ldap
group: files ldap
hosts: files dns # Added by DHCP
ipnodes: files dns # Added by DHCP
networks: files
protocols: files
rpc: files
ethers: files
netmasks: files
bootparams: files
publickey: files
netgroup: files
automount: files
aliases: files
services: files
printers: user files
auth_attr: files
prof_attr: files
project: files
tnrhtp: files
tnrhdb: files
bash-3.2# cat /etc/pam.conf |grep -v "^#"
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
login auth required pam_ldap.so.1
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth required pam_unix_auth.so.1
rlogin auth required pam_unix_auth.so.1
krlogin auth required pam_unix_cred.so.1
krlogin auth required pam_krb5.so.1
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
rsh auth required pam_ldap.so.1
krsh auth required pam_unix_cred.so.1
krsh auth required pam_krb5.so.1
ktelnet auth required pam_unix_cred.so.1
ktelnet auth required pam_krb5.so.1
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_cred.so.1
ppp auth required pam_unix_auth.so.1
ppp auth required pam_dial_auth.so.1
ppp auth required pam_ldap.so.1
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth required pam_unix_auth.so.1
other auth required pam_ldap.so.1
passwd auth required pam_passwd_auth.so.1
passwd auth required pam_ldap.so.1
cron account required pam_unix_account.so.1
other account sufficient pam_ldap.so.1
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
other session required pam_unix_session.so.1
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1 force_check
other password required pam_authtok_store.so.1
bash-3.2# cat /var/ldap/ldap_client_file
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= 192.168.122.155
NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
NS_LDAP_AUTH= simple
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_SCOPE= sub
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_CACHETTL= 43200
NS_LDAP_PROFILE= default
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,dc=example,dc=com?sub
NS_LDAP_SERVICE_SEARCH_DESC= group: ou=Groups,dc=example,dc=com?sub
NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=People,dc=example,dc=com?sub
NS_LDAP_BIND_TIME= 2
bash-3.2# cat /var/ldap/ldap_client_cred
NS_LDAP_BINDDN="cn=Directory Manager"
NS_LDAP_BINDPASSWD=redhat123
bash-3.2# /etc/init.d/ldap.client start
bash-3.2# svcadm enable network/ldap/client
bash-3.2# /usr/lib/ldap/ldap_cachemgr -g
bash-3.2# getent passwd test
test:x:1001:1001::/home/test:/bin/bash
bash-3.2# ldaplist -l passwd test
dn: uid=test,ou=People,dc=example,dc=com
uidNumber: 1001
sn: test
gidNumber: 1001
loginShell: /usr/bin/bash
shadowMax: 99999
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
uid: test
shadowLastChange: 12994
cn: test
homeDirectory: /home/test
shadowWarning: 7
userPassword: {SSHA}6qy0z4cffk6tZdbh0IaOSOJgAqlmCq/zCtAX+g==
--
Thanks & Regards
Arpit Tolani
12 years, 6 months
[Q] Automatic update of shadowLastChange attribute
by Iain Morgan
Hello,
Is there any way to have 389 DS automatically update the
shadowLastChange attribute when the userPassword attribute is changed
for an entry?
I know that pam_ldap will attempt to update the shadowLastChange
attribute, but this requires that the user have the privileges to
update this attribute. What I would like is for the server to update the
attribute directly without having to grant extra privileges to the user.
Is there any way to do this?
Thanks
--
Iain Morgan
12 years, 6 months
upgraded to latest 389, now anon binds return no results
by Brian High
Hi 389-users,
Perhaps you can help solve a mystery for me.
I just upgraded 389 Directory on RHEL5, 64bit from 389-ds-base 1.2.2 to 1.2.9.9.
yum --enablerepo=epel upgrade
setup-ds-admin.pl -u
... as prescribed in the release notes:
http://directory.fedoraproject.org/wiki/Release_Notes
Here is the problem. I used to be able to query using ldapsearch like this:
ldapsearch -x -ZZ -h <HOST> -b <BASE> -LLL "(uid=<USER>)" gecos
And I would see:
dn: uid=<USER>,<BASE>
gecos: System User
Now, after the upgrade, this returns no results and no errors, but if
I bind like this, then it works _fine_:
ldapsearch -x -ZZ -D "cn=directory manager" -W -h <HOST> -b <BASE>
-LLL "(uid=<USER>)" gecos
Here is some log output showing the anon. bind search and the
non-anon. bind search (sanitized):
[07/Dec/2011:14:52:14 -0800] conn=120 SSL 256-bit AES
[07/Dec/2011:14:52:14 -0800] conn=120 op=1 BIND dn="" method=128 version=3
[07/Dec/2011:14:52:14 -0800] conn=120 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[07/Dec/2011:14:52:14 -0800] conn=120 op=2 SRCH base="dc=EXAMPLE,dc=COM" scope=2 filter="(uid=USERNAME)" attrs="gecos"
[07/Dec/2011:14:52:14 -0800] conn=120 op=2 RESULT err=0 tag=101 nentries=0 etime=0
[07/Dec/2011:14:52:14 -0800] conn=120 op=3 UNBIND
[07/Dec/2011:14:52:14 -0800] conn=120 op=3 fd=71 closed - U1
[07/Dec/2011:14:53:37 -0800] conn=121 SSL 256-bit AES
[07/Dec/2011:14:53:40 -0800] conn=121 op=2 BIND dn="cn=directory manager" method=128 version=3
[07/Dec/2011:14:53:40 -0800] conn=121 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[07/Dec/2011:14:53:40 -0800] conn=121 op=3 SRCH base="dc=EXAMPLE,dc=COM" scope=2 filter="(uid=USERNAME)" attrs="gecos"
[07/Dec/2011:14:53:40 -0800] conn=121 op=3 RESULT err=0 tag=101 nentries=1 etime=0
[07/Dec/2011:14:53:40 -0800] conn=121 op=4 UNBIND
[07/Dec/2011:14:53:40 -0800] conn=121 op=4 fd=71 closed - U1
The only difference I can see is the nentries=1 in the latter test.
So, I looked into the latest features and see there are some more:
nsslapd-anonlimitsdn:
nsslapd-allow-anonymous-access: on
... which I have left as defaults. It looks like anonymous binds
should still work.
So, I am wondering, why do anonymous binds no longer return results? Any ideas?
--Brian
12 years, 6 months
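The symptom in the post is easy to miss in an access log: an anonymous search that is denied by access control does not fail, it succeeds with err=0 and nentries=0, exactly like the conn=120 lines above. The script below is an added example, not code from the post or from 389 DS. It joins each SRCH result to the bind DN active on its connection and lists anonymous searches that returned nothing, which is a useful report to run after an upgrade. The sample log is constructed from the sanitized lines in the post, and the function names are my own.

```python
"""Correlate BIND identity with SRCH results in a 389 DS access log.

Added example, not from the mailing-list post. SAMPLE_LOG is constructed
from the sanitized lines in the post: an anonymous search returning
err=0 nentries=0, then the same search as Directory Manager returning
one entry. A RESULT line carries the op number of the BIND or SRCH it
answers, so the parser keeps a pending-op table per connection.
"""
import re

SAMPLE_LOG = """\
[07/Dec/2011:14:52:14 -0800] conn=120 SSL 256-bit AES
[07/Dec/2011:14:52:14 -0800] conn=120 op=1 BIND dn="" method=128 version=3
[07/Dec/2011:14:52:14 -0800] conn=120 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[07/Dec/2011:14:52:14 -0800] conn=120 op=2 SRCH base="dc=EXAMPLE,dc=COM" scope=2 filter="(uid=USERNAME)" attrs="gecos"
[07/Dec/2011:14:52:14 -0800] conn=120 op=2 RESULT err=0 tag=101 nentries=0 etime=0
[07/Dec/2011:14:52:14 -0800] conn=120 op=3 UNBIND
[07/Dec/2011:14:52:14 -0800] conn=120 op=3 fd=71 closed - U1
[07/Dec/2011:14:53:37 -0800] conn=121 SSL 256-bit AES
[07/Dec/2011:14:53:40 -0800] conn=121 op=2 BIND dn="cn=directory manager" method=128 version=3
[07/Dec/2011:14:53:40 -0800] conn=121 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[07/Dec/2011:14:53:40 -0800] conn=121 op=3 SRCH base="dc=EXAMPLE,dc=COM" scope=2 filter="(uid=USERNAME)" attrs="gecos"
[07/Dec/2011:14:53:40 -0800] conn=121 op=3 RESULT err=0 tag=101 nentries=1 etime=0
[07/Dec/2011:14:53:40 -0800] conn=121 op=4 UNBIND
[07/Dec/2011:14:53:40 -0800] conn=121 op=4 fd=71 closed - U1
"""

# [timestamp] conn=N [op=M] <rest of line>
HEAD_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>\d+))? (?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _fields(rest):
    """Split key=value pairs from the tail of a log line; quotes stripped."""
    out = {}
    for key, value in KV_RE.findall(rest):
        out[key] = value[1:-1] if value.startswith('"') else value
    return out


def parse_access_log(text):
    """One record per completed SRCH: bind DN in effect, filter, err, nentries."""
    bind_dn = {}    # conn -> DN of the last successful BIND ("" = anonymous)
    pending = {}    # (conn, op) -> ("BIND", dn) or ("SRCH", filter)
    searches = []
    for line in text.splitlines():
        m = HEAD_RE.match(line)
        if not m or m.group("op") is None:
            continue                      # connection-level lines (SSL, closed)
        conn, op, rest = m.group("conn"), m.group("op"), m.group("rest")
        verb = rest.split(" ", 1)[0]
        f = _fields(rest)
        if verb == "BIND":
            pending[(conn, op)] = ("BIND", f.get("dn", ""))
        elif verb == "SRCH":
            pending[(conn, op)] = ("SRCH", f.get("filter", ""))
        elif verb == "RESULT":
            kind, value = pending.pop((conn, op), (None, None))
            if kind == "BIND" and f.get("err") == "0":
                bind_dn[conn] = value
            elif kind == "SRCH":
                # No successful BIND on this connection means anonymous.
                searches.append({
                    "conn": conn, "op": op, "bind_dn": bind_dn.get(conn, ""),
                    "filter": value, "err": int(f["err"]),
                    "nentries": int(f["nentries"])})
        elif verb == "UNBIND":
            bind_dn.pop(conn, None)
    return searches


def silent_empty_anonymous_searches(searches):
    """Anonymous searches that succeeded (err=0) yet matched nothing."""
    return [s for s in searches
            if s["bind_dn"] == "" and s["err"] == 0 and s["nentries"] == 0]


if __name__ == "__main__":
    for s in parse_access_log(SAMPLE_LOG):
        who = s["bind_dn"] or "<anonymous>"
        print("conn=%s %-24s %s -> %d entries" % (s["conn"], who, s["filter"], s["nentries"]))
    for s in silent_empty_anonymous_searches(parse_access_log(SAMPLE_LOG)):
        print("anonymous search returned nothing on conn=%s: %s" % (s["conn"], s["filter"]))
```

Point it at /var/log/dirsrv/slapd-INSTANCE/access (instance name is yours) and compare the per-DN hit counts from before and after a change; a sudden run of anonymous zero-entry results for filters that authenticated binds still satisfy is the pattern the post describes.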