February 2013 - 389-users - Fedora Mailing-Lists

errors log - NSACLPlugin - acllas__client_match_URL:

by Picture Book

After using dynamic group in ACL, I see the following messages in errors log 1 ldapsearch -h localhost -p 389 -D "uid=ttest,ou=people,ou=Test,dc=example,dc=com" -w sp -b "ou=people,ou=Test,dc=example,dc=com" [31/Jan/2013:10:53:36 -0500] NSACLPlugin - acllas__client_match_URL: url [ldap:///ou=special,ou=test,dc=example,dc=com??one?(&(objectclass=inetorgperson)(cn=*))] scope is onelevel but dn [ou=special,ou=test,dc=example,dc=com] is not a direct child of [ou=people,ou=test,dc=example,dc=com] 2. ldapsearch -h localhost -p 389 -D "uid=test11,ou=Test,dc=example,dc=com" -w sp -b "ou=people,ou=Test,dc=example,dc=com" [31/Jan/2013:10:58:12 -0500] NSACLPlugin - acllas__client_match_URL: url [ldap:///ou=special,ou=test,dc=example,dc=com??one?(&(objectclass=inetorgperson)(cn=*))] scope is onelevel but dn [ou=special,ou=test,dc=example,dc=com] is not a direct child of [ou=test,dc=example,dc=com] repeat search 1 & 2, acllas__client_match_URL error message doen't repeat. 3. ldapsearch -h localhost -p 389 -D "uid=aclp,ou=special,ou=Test,dc=example,dc=com" -w sp -b "ou=people,ou=Test,dc=example,dc=com" no message in errors log This is the dynamic group: dn: cn=all special users,ou=special,ou=Test,dc=example,dc=com objectClass: groupofurls objectClass: groupofuniquenames objectClass: top cn: all special users memberURL: ldap:///ou=special,ou=test,dc=example,dc=com??one?(&(objectclass= inetorgperson)(cn=*)) This is the ACL dn: ou=people,ou=Test,dc=example,dc=com objectClass: organizationalunit objectClass: top ou: people aci: (targetattr = "*") (version 3.0;acl "special users";allow (all)(groupdn = "ldap:///cn=all special users,ou=special,ou=Test,dc=example,dc=com");) createTimestamp: 20130131152507Z The following is the ldif export of the test setup version: 1 dn: ou=Test,dc=example,dc=com objectClass: organizationalunit objectClass: top ou: Test createTimestamp: 20130123175104Z creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRo ot entrydn: ou=test,dc=example,dc=com entryid: 10 hasSubordinates: TRUE modifiersName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeR oot modifyTimestamp: 20130123175104Z nsUniqueId: 6428fe79-658511e2-9283c9b9-f4c01566 numSubordinates: 5 parentid: 1 subschemaSubentry: cn=schema dn: cn=mygroup,ou=Test,dc=example,dc=com objectClass: groupofuniquenames objectClass: top cn: mygroup uniqueMember: uid=test11,ou=test,dc=example,dc=com createTimestamp: 20130123175116Z creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRo ot entrydn: cn=mygroup,ou=test,dc=example,dc=com entryid: 11 hasSubordinates: FALSE modifiersName: cn=referential integrity postoperation,cn=plugins,cn=config modifyTimestamp: 20130123182725Z nsUniqueId: 6428fe7a-658511e2-9283c9b9-f4c01566 numSubordinates: 0 parentid: 10 subschemaSubentry: cn=schema dn: uid=test11,ou=Test,dc=example,dc=com objectClass: inetorgperson objectClass: organizationalPerson objectClass: person objectClass: top cn: test 1 sn: 1 givenName: test uid: test11 userPassword:: e1NTSEF9QUNkS1NiOFVkOFJQSy9TeklGN2pCN2trblQvYWpkZjBwZy84c0E9P Q== createTimestamp: 20130123175131Z creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRo ot entrydn: uid=test11,ou=test,dc=example,dc=com entryid: 12 hasSubordinates: FALSE modifiersName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeR oot modifyTimestamp: 20130131155727Z nsUniqueId: 6428fe7b-658511e2-9283c9b9-f4c01566 numSubordinates: 0 parentid: 10 passwordGraceUserTime: 0 subschemaSubentry: cn=schema dn: ou=people,ou=Test,dc=example,dc=com objectClass: organizationalunit objectClass: top ou: people aci: (targetattr = "*") (version 3.0;acl "special users";allow (all)(groupdn = "ldap:///cn=all special users,ou=special,ou=Test,dc=example,dc=com");) createTimestamp: 20130131152507Z creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRo ot entrydn: ou=people,ou=test,dc=example,dc=com entryid: 13 hasSubordinates: TRUE modifiersName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeR oot modifyTimestamp: 20130131155032Z nsUniqueId: 55ac9901-6bba11e2-9283c9b9-f4c01566 numSubordinates: 1 parentid: 10 subschemaSubentry: cn=schema dn: ou=groups,ou=Test,dc=example,dc=com objectClass: organizationalunit objectClass: top ou: groups createTimestamp: 20130131152521Z creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRo ot entrydn: ou=groups,ou=test,dc=example,dc=com entryid: 14 hasSubordinates: FALSE modifiersName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeR oot modifyTimestamp: 20130131152521Z nsUniqueId: 55ac9902-6bba11e2-9283c9b9-f4c01566 numSubordinates: 0 parentid: 10 subschemaSubentry: cn=schema dn: ou=special,ou=Test,dc=example,dc=com objectClass: organizationalunit objectClass: top ou: special createTimestamp: 20130131152543Z creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRo ot entrydn: ou=special,ou=test,dc=example,dc=com entryid: 15 hasSubordinates: TRUE modifiersName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeR oot modifyTimestamp: 20130131152543Z nsUniqueId: 796fdf01-6bba11e2-9283c9b9-f4c01566 numSubordinates: 2 parentid: 10 subschemaSubentry: cn=schema dn: uid=aclp,ou=special,ou=Test,dc=example,dc=com objectClass: inetorgperson objectClass: organizationalPerson objectClass: person objectClass: top cn: acl problem sn: problem givenName: acl uid: aclp userPassword:: e1NTSEF9dE1MR0F6bzhjcDJMb2JTN2FoMkZTcnE1RS9PTXg2S0FEUEtjMnc9P Q== createTimestamp: 20130131152618Z creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRo ot entrydn: uid=aclp,ou=special,ou=test,dc=example,dc=com entryid: 16 hasSubordinates: FALSE modifiersName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeR oot modifyTimestamp: 20130131152854Z nsUniqueId: 796fdf02-6bba11e2-9283c9b9-f4c01566 numSubordinates: 0 parentid: 15 passwordGraceUserTime: 0 subschemaSubentry: cn=schema dn: cn=all special users,ou=special,ou=Test,dc=example,dc=com objectClass: groupofurls objectClass: groupofuniquenames objectClass: top cn: all special users memberURL: ldap:///ou=special,ou=test,dc=example,dc=com??one?(&(objectclass= inetorgperson)(cn=*)) createTimestamp: 20130131152806Z creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRo ot entrydn: cn=all special users,ou=special,ou=test,dc=example,dc=com entryid: 17 hasSubordinates: FALSE modifiersName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeR oot modifyTimestamp: 20130131155311Z nsUniqueId: c0f66b01-6bba11e2-9283c9b9-f4c01566 numSubordinates: 0 parentid: 15 subschemaSubentry: cn=schema dn: uid=ttest,ou=people,ou=Test,dc=example,dc=com objectClass: inetorgperson objectClass: organizationalPerson objectClass: person objectClass: top cn: test test sn: test givenName: test uid: ttest userPassword:: e1NTSEF9VktyMVRzbHgxbVRJbGJJQlRnTXlRamVmREpHVE1nQk8yNnNucVE9P Q== createTimestamp: 20130131152911Z creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRo ot entrydn: uid=ttest,ou=people,ou=test,dc=example,dc=com entryid: 18 hasSubordinates: FALSE modifiersName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeR oot modifyTimestamp: 20130131154252Z nsUniqueId: e4b9b101-6bba11e2-9283c9b9-f4c01566 numSubordinates: 0 parentid: 13 passwordGraceUserTime: 0 subschemaSubentry: cn=schema

11 years, 4 months

2
3
0 / 0

Can't create DSInstances as user (uid !=0) with 389-ds-base-1.3.0.2-1.fc18.x86_64 on FC18

by Luca Menegus

Hi all, I need to run some integration test against 389 DS on our CI-system but when I introduced a new F18 CI-slave creation of new ds instances with setup-ds.pl started to fail. Problem seems to be that setup-ds.pl tries to update systemd releted conf even when run as a user. Simply skipping systemd stuff when user is not root fixes the problem: in /usr/lib64/dirsrv/perl/DSCreate.pm update sub updateSystemD to include a uid check [...] sub updateSystemD { my $inf = shift; my $unitdir = "/usr/lib/systemd/system"; my $confbasedir = "/etc/systemd/system"; my $confdir = "$confbasedir/dirsrv.target.wants"; if (!$unitdir or !$confdir or ! -d $unitdir or ! -d $confdir >>>> or !(getLogin() eq 'root') <<<<<) { debug(3, "no systemd - skipping\n"); return (); } [...] DS Version: 389-ds-base-1.3.0.2-1.fc18.x86_64 Shell I open a bug or is this mail enough? Regards, Luca Luca Menegus D.B.M. S.r.l Via Enrico Noe, 23 - 20133 Milano (MI) Italy. Phone: +39 02 26600525 Mobile: +39 3346220663

11 years, 4 months

2
2
0 / 0

How to check if user is locked

by Todor Petkov

Hello all, I followed this guide https://www.centos.org/docs/5/html/CDS/ag/8.0/User_Account_Management-Man... to implement password lock policy. The user is locked, the automatic unlock is also fine. How can I check if the user is locked, is there any way to see it using the 389-console or ldapsearch or phpldapadmin for example? I checked and can not find any. I would like to be able to know that the user can not log because he is locked and unlock it. I found out that reseting the password works as unlocking, but is there another way? Thanks,

11 years, 4 months

2
2
0 / 0

questions about client certificate-base authentication

by yp

Hi all, I'm testing the 389 DS on centos 6 and I had a problem with the certmap.conf file. The certmap.conf file exists (and there is no symlink between them) at 2 locations : /etc/dirsrv/config and /etc/dirsrv/slapd-instancename. The documentation https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9... says that we need to edit /etc/dirsrv/config/certmap.conf, but during my testing, after modifying this file and restarting the server, the mapping did not work. And I needed to edit the conf file in the slapd-instancename to be able to authenticate via a client-certificate. It seems that /etc/dirsrv/config/certmap.conf is not used at all ( I removed the file, restarted the server and authentication was working). I don't know if I missed something but is the documentation outdated about this point ? And what is the purpose of /etc/dirsrv/config/certmap.conf ? By the way, in some examples of the documentation, the DNComps property has the DC keyword but this attribute is not listed in the available RDN keywords. Should I open a bugzilla report about this ? I must also say that the documentation about 389 DS has impressed me by its very high quality and quantity of information therein. Best regards, -- Alan Cox wrote: > Linus Torvalds wrote: > > And quite frankly, if your disk can push 50MB/s through a 1kB > > non-contiguous filesystem, then my name is Bugs Bunny. > > Hi Bugs 8), previously Frodo Rabbit, .. I think you watch too much > kids tv 8) Three kids will do that to you. Some day, you too will be there. - Linus Torvalds and Alan Cox on linux-kernel

11 years, 4 months

2
2
0 / 0

Console error

by carne_de_passaro

Hi, I build all components of the 389-ds 1.3.0.2 version The service is running alright, I've imported a ldif with my objects with ldif2db and it did just fine. My problem is with the console. I can enter on the first console, use my credentials and so. When I try to open both, admin server or diretctory server console, an error message appears and I can't open the console. I try to open the console with this command: root@server:~# 389-console -x nologo -D * after select "server group" and try to open the admin server and the directory server ClassLoader: getLocalJarList():Unable to read /root/.389-console/patch/ directory ClassLoader: start parsing ClassLoader: done Instantiate cn=admin-serv-foo-ldap02,cn=389 Administration Server,cn=Server Group,cn=foo-ldap02.bar,ou=foo-teste,o=NetscapeRoot ClassLoaderUtil.getClass(com.netscape.management.admserv.AdminServer@389-admin-1.1.jar(a)cn=admin-serv-foo-ldap02,cn=389 Administration Server,cn=Server Group,cn=foo-ldap02.bar,ou=foo-teste,o=NetscapeRoot) ClassLoader: no manifest found for 389-admin-1.1.jar ClassLoader: No manifest file for 389-admin-1.1.jar ClassLoader: new LocalJarClassLoader 389-admin-1.1.jar:{389-admin-1.1.jar 389-admin-1.1_en.jar } ClassLoader: Create loader 389-admin-1.1.jar ERROR ServerNode.createServerInstance: could not create com.netscape.management.admserv.AdminServer@389-admin-1.1.jar(a)cn=admin-serv-foo-ldap02,cn=389 Administration Server,cn=Server Group,cn=foo-ldap02.bar,ou=foo-teste,o=NetscapeRoot Exception: java.lang.ClassCastException: com.netscape.management.admserv.AdminServer cannot be cast to com.netscape.management.client.topology.IServerObject Instantiate cn=slapd-foo-ldap02,cn=389 Directory Server,cn=Server Group,cn=foo-ldap02.bar,ou=foo-teste,o=NetscapeRoot ClassLoaderUtil.getClass(com.netscape.admin.dirserv.DSAdmin@389-ds-1.2.jar(a)cn=admin-serv-foo-ldap02,cn=389 Administration Server,cn=Server Group,cn=foo-ldap02.bar,ou=foo-teste,o=NetscapeRoot) ClassLoader: manifest loaded for 389-ds-1.2.jar ClassLoader: new LocalJarClassLoader 389-ds-1.2.jar:{389-ds-1.2.jar 389-ds-1.2_en.jar } ClassLoader: Create loader 389-ds-1.2.jar ERROR ServerNode.createServerInstance: could not create com.netscape.admin.dirserv.DSAdmin@389-ds-1.2.jar(a)cn=admin-serv-foo-ldap02,cn=389 Administration Server,cn=Server Group,cn=foo-ldap02.bar,ou=foo-teste,o=NetscapeRoot Exception: java.lang.ClassCastException: com.netscape.admin.dirserv.DSAdmin cannot be cast to com.netscape.management.client.topology.IServerObject My java version is: Java version "1.6.0_24" OpenJDK Runtime Environment (IcedTea6 1.11.5) (rhel-1.50.1.11.5.el6_3-x86_64) OpenJDK 64-Bit Server VM (build 20.0-b12, mixed mode) Components used in this setup: 389-ds-base-1.3.0.2 389-adminutil-1.1.14 389-admin-1.1.31 idm-console-framework-1.1.7 389-console-1.1.7 389-ds-console-1.2.6 389-admin-console-1.1.8 What am I missing here? Thanks in advance

11 years, 4 months

1
0
0 / 0

1.3.x to EPEL repos - when?

by Vesa Alho

Hi, I'm currently planning to do a 389 production installation and was wondering is there point to wait until new 1.3.x is available in repos? Does someone know when 1.3.x can be expected in EPEL? Thanks. -Vesa

11 years, 4 months

2
3
0 / 0

Re: [389-users] ACL Question

by rayane karim

Hi about the tree got ou=Students,ou=People,dc=example,dc=com who contain students members and cn=Students Manager,ou=Groups,dc=dc=example,dc=com witch uniqueMember field contain student manager have tried succefully acl for allowing modify,add,delete etc. with (targetfilter= "((Affectation=testaff))") (targetattr = "*") (targetfilter= "(Affectation=testaff)") (version 3.0;acl "Student restriction Acl"; allow (all)(groupdn = "ldap:///cn=Students Manager,ou=Groups,dc=example,dc=com");) (applied on ou=Students,ou=People,dc=example,dc=com node) Simply now need another opposite of previous aci ie previous admin account (cn=Students Manager) of student branch allowed only to see+modify account on ou=Students,ou=People,dc=example,dc=com branch retriction based on Affectation field ie Affectation<>testaff then not visible Thanks > > ------------------------------ > > Message: 3 > Date: Thu, 31 Jan 2013 16:20:51 +0100 > From: Ludwig Krispenz <lkrispen(a)redhat.com> > To: 389-users(a)lists.fedoraproject.org > Subject: Re: [389-users] ACL Question > Message-ID: <510A8BD3.3060006(a)redhat.com> > Content-Type: text/plain; charset="utf-8"; Format="flowed" > > Hi, > > it is always difficult to talk about a single aci since access is > controlled by applying all exxising acis, and one aci can prevent the > effect of another one. > Also you're talking about hiding entries, but the aci you propose is > about allowwing access, so making entries visible to the group. > > Could you provide more info on the tree and entries you have and whoc > should be able to do what. What do you mean by "only certain people" ? > Did you try some acis and it didn't work ? > > Regards, > Ludwig > > On 01/31/2013 12:35 PM, rayane karim wrote: > > Hi > > need to setup an acl restriction based on targetfilter like > > > > (targetattr = "*") (targetfilter= "(!(Affectation=testaff))") (version > > 3.0;acl "Student restriction Acl";allow (write)(groupdn = > > "ldap:///cn=Students Manager,ou=Groups,dc=example,dc=com");) > > > > this rule hide all the student branch > > ou=Students,ou=People,dc=example,dc=com > > on witch it is applied > > > > need to hide only certain people form student banch for cn=Students > > Manage > > > > pepole that havn't (Affectation=testaff) attribute > > > > thank's > > > > > > > > > > -- > > 389 users mailing list > > 389-users(a)lists.fedoraproject.org > > https://admin.fedoraproject.org/mailman/listinfo/389-users > > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: < > http://lists.fedoraproject.org/pipermail/389-users/attachments/20130131/5... > > > > ------------------------------ >

11 years, 4 months

1
0
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

389-users February 2013