errors log - NSACLPlugin - acllas__client_match_URL:
by Picture Book
After using a dynamic group in an ACL, I see the following messages in the errors log:
1.
ldapsearch -h localhost -p 389 -D "uid=ttest,ou=people,ou=Test,dc=example,dc=com" -w sp -b "ou=people,ou=Test,dc=example,dc=com"
[31/Jan/2013:10:53:36 -0500] NSACLPlugin - acllas__client_match_URL: url [ldap:///ou=special,ou=test,dc=example,dc=com??one?(&(objectclass=inetorgperson)(cn=*))] scope is onelevel but dn [ou=special,ou=test,dc=example,dc=com] is not a direct child of [ou=people,ou=test,dc=example,dc=com]
2.
ldapsearch -h localhost -p 389 -D "uid=test11,ou=Test,dc=example,dc=com" -w sp -b "ou=people,ou=Test,dc=example,dc=com"
[31/Jan/2013:10:58:12 -0500] NSACLPlugin - acllas__client_match_URL: url [ldap:///ou=special,ou=test,dc=example,dc=com??one?(&(objectclass=inetorgperson)(cn=*))] scope is onelevel but dn [ou=special,ou=test,dc=example,dc=com] is not a direct child of [ou=test,dc=example,dc=com]
Repeating searches 1 and 2, the acllas__client_match_URL error message doesn't repeat.
3.
ldapsearch -h localhost -p 389 -D "uid=aclp,ou=special,ou=Test,dc=example,dc=com" -w sp -b "ou=people,ou=Test,dc=example,dc=com"
No message in the errors log.
This is the dynamic group:
dn: cn=all special users,ou=special,ou=Test,dc=example,dc=com
objectClass: groupofurls
objectClass: groupofuniquenames
objectClass: top
cn: all special users
memberURL: ldap:///ou=special,ou=test,dc=example,dc=com??one?(&(objectclass=inetorgperson)(cn=*))
This is the ACL:
dn: ou=people,ou=Test,dc=example,dc=com
objectClass: organizationalunit
objectClass: top
ou: people
aci: (targetattr = "*") (version 3.0;acl "special users";allow (all)(groupdn = "ldap:///cn=all special users,ou=special,ou=Test,dc=example,dc=com");)
createTimestamp: 20130131152507Z
The following is the LDIF export of the test setup:
version: 1
dn: ou=Test,dc=example,dc=com
objectClass: organizationalunit
objectClass: top
ou: Test
createTimestamp: 20130123175104Z
creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
entrydn: ou=test,dc=example,dc=com
entryid: 10
hasSubordinates: TRUE
modifiersName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
modifyTimestamp: 20130123175104Z
nsUniqueId: 6428fe79-658511e2-9283c9b9-f4c01566
numSubordinates: 5
parentid: 1
subschemaSubentry: cn=schema
dn: cn=mygroup,ou=Test,dc=example,dc=com
objectClass: groupofuniquenames
objectClass: top
cn: mygroup
uniqueMember: uid=test11,ou=test,dc=example,dc=com
createTimestamp: 20130123175116Z
creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
entrydn: cn=mygroup,ou=test,dc=example,dc=com
entryid: 11
hasSubordinates: FALSE
modifiersName: cn=referential integrity postoperation,cn=plugins,cn=config
modifyTimestamp: 20130123182725Z
nsUniqueId: 6428fe7a-658511e2-9283c9b9-f4c01566
numSubordinates: 0
parentid: 10
subschemaSubentry: cn=schema
dn: uid=test11,ou=Test,dc=example,dc=com
objectClass: inetorgperson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: test 1
sn: 1
givenName: test
uid: test11
userPassword:: e1NTSEF9QUNkS1NiOFVkOFJQSy9TeklGN2pCN2trblQvYWpkZjBwZy84c0E9PQ==
createTimestamp: 20130123175131Z
creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
entrydn: uid=test11,ou=test,dc=example,dc=com
entryid: 12
hasSubordinates: FALSE
modifiersName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
modifyTimestamp: 20130131155727Z
nsUniqueId: 6428fe7b-658511e2-9283c9b9-f4c01566
numSubordinates: 0
parentid: 10
passwordGraceUserTime: 0
subschemaSubentry: cn=schema
dn: ou=people,ou=Test,dc=example,dc=com
objectClass: organizationalunit
objectClass: top
ou: people
aci: (targetattr = "*") (version 3.0;acl "special users";allow (all)(groupdn = "ldap:///cn=all special users,ou=special,ou=Test,dc=example,dc=com");)
createTimestamp: 20130131152507Z
creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
entrydn: ou=people,ou=test,dc=example,dc=com
entryid: 13
hasSubordinates: TRUE
modifiersName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
modifyTimestamp: 20130131155032Z
nsUniqueId: 55ac9901-6bba11e2-9283c9b9-f4c01566
numSubordinates: 1
parentid: 10
subschemaSubentry: cn=schema
dn: ou=groups,ou=Test,dc=example,dc=com
objectClass: organizationalunit
objectClass: top
ou: groups
createTimestamp: 20130131152521Z
creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
entrydn: ou=groups,ou=test,dc=example,dc=com
entryid: 14
hasSubordinates: FALSE
modifiersName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
modifyTimestamp: 20130131152521Z
nsUniqueId: 55ac9902-6bba11e2-9283c9b9-f4c01566
numSubordinates: 0
parentid: 10
subschemaSubentry: cn=schema
dn: ou=special,ou=Test,dc=example,dc=com
objectClass: organizationalunit
objectClass: top
ou: special
createTimestamp: 20130131152543Z
creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
entrydn: ou=special,ou=test,dc=example,dc=com
entryid: 15
hasSubordinates: TRUE
modifiersName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
modifyTimestamp: 20130131152543Z
nsUniqueId: 796fdf01-6bba11e2-9283c9b9-f4c01566
numSubordinates: 2
parentid: 10
subschemaSubentry: cn=schema
dn: uid=aclp,ou=special,ou=Test,dc=example,dc=com
objectClass: inetorgperson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: acl problem
sn: problem
givenName: acl
uid: aclp
userPassword:: e1NTSEF9dE1MR0F6bzhjcDJMb2JTN2FoMkZTcnE1RS9PTXg2S0FEUEtjMnc9PQ==
createTimestamp: 20130131152618Z
creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
entrydn: uid=aclp,ou=special,ou=test,dc=example,dc=com
entryid: 16
hasSubordinates: FALSE
modifiersName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
modifyTimestamp: 20130131152854Z
nsUniqueId: 796fdf02-6bba11e2-9283c9b9-f4c01566
numSubordinates: 0
parentid: 15
passwordGraceUserTime: 0
subschemaSubentry: cn=schema
dn: cn=all special users,ou=special,ou=Test,dc=example,dc=com
objectClass: groupofurls
objectClass: groupofuniquenames
objectClass: top
cn: all special users
memberURL: ldap:///ou=special,ou=test,dc=example,dc=com??one?(&(objectclass=inetorgperson)(cn=*))
createTimestamp: 20130131152806Z
creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
entrydn: cn=all special users,ou=special,ou=test,dc=example,dc=com
entryid: 17
hasSubordinates: FALSE
modifiersName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
modifyTimestamp: 20130131155311Z
nsUniqueId: c0f66b01-6bba11e2-9283c9b9-f4c01566
numSubordinates: 0
parentid: 15
subschemaSubentry: cn=schema
dn: uid=ttest,ou=people,ou=Test,dc=example,dc=com
objectClass: inetorgperson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: test test
sn: test
givenName: test
uid: ttest
userPassword:: e1NTSEF9VktyMVRzbHgxbVRJbGJJQlRnTXlRamVmREpHVE1nQk8yNnNucVE9PQ==
createTimestamp: 20130131152911Z
creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
entrydn: uid=ttest,ou=people,ou=test,dc=example,dc=com
entryid: 18
hasSubordinates: FALSE
modifiersName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
modifyTimestamp: 20130131154252Z
nsUniqueId: e4b9b101-6bba11e2-9283c9b9-f4c01566
numSubordinates: 0
parentid: 13
passwordGraceUserTime: 0
subschemaSubentry: cn=schema
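The following is an added example, not code from the post or from 389 DS: a minimal evaluator for a groupOfURLs memberURL, run over the three bind DNs used in the ldapsearch tests above. With scope "one", only a direct child of the URL base can match, so of the three accounts only uid=aclp is a member of "all special users"; the entries are reduced from the LDIF export above, and the evaluator handles scope base/one/sub and filters built from & with equality and presence assertions (escaped commas in DNs are not handled).

```python
# Added example (not from the original post or 389 DS): evaluate a groupOfURLs
# memberURL against candidate entries the way onelevel scope is expected to work.
from urllib.parse import unquote
MEMBER_URL = ("ldap:///ou=special,ou=test,dc=example,dc=com"
              "??one?(&(objectclass=inetorgperson)(cn=*))")

PERSON = ["inetorgperson", "organizationalPerson", "person", "top"]  # shared objectClass values
ENTRIES = {  # reduced from the LDIF export above; attribute names lowercased
    "uid=ttest,ou=people,ou=Test,dc=example,dc=com": {"objectclass": PERSON, "cn": ["test test"]},
    "uid=test11,ou=Test,dc=example,dc=com": {"objectclass": PERSON, "cn": ["test 1"]},
    "uid=aclp,ou=special,ou=Test,dc=example,dc=com": {"objectclass": PERSON, "cn": ["acl problem"]},
}

def norm_dn(dn):  # case-insensitive RDN tuple (the LDIF mixes ou=Test and ou=test)
    return tuple(c.strip().lower() for c in dn.split(","))

def parse_ldap_url(url):  # 'ldap:///dn?attrs?scope?filter' (RFC 4516)
    dn, _attrs, scope, filt = (url[len("ldap:///"):].split("?") + [""] * 3)[:4]
    return unquote(dn), (scope or "base").lower(), unquote(filt) or "(objectclass=*)"

def in_scope(base, scope, dn):
    b, d = norm_dn(base), norm_dn(dn)
    if scope == "base":
        return d == b
    if scope in ("one", "onelevel"):  # direct child only, never deeper
        return len(d) == len(b) + 1 and d[1:] == b
    return len(d) >= len(b) and d[len(d) - len(b):] == b  # sub/subtree

def split_components(s):  # '(a=1)(b=2)' -> ['(a=1)', '(b=2)']
    out, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        depth += (ch == "(") - (ch == ")")
        if depth == 0:
            out.append(s[start:i + 1]); start = i + 1
    return out

def match_filter(filt, entry):  # supports (&...), (attr=*) and (attr=value)
    body = filt.strip()[1:-1]
    if body.startswith("&"):
        return all(match_filter(c, entry) for c in split_components(body[1:]))
    attr, _, value = body.partition("=")
    values = [v.lower() for v in entry.get(attr.lower(), [])]
    return bool(values) if value == "*" else value.lower() in values

def members_of(member_url, entries):
    base, scope, filt = parse_ldap_url(member_url)
    return sorted(dn for dn, e in entries.items()
                  if in_scope(base, scope, dn) and match_filter(filt, e))
```

Only uid=aclp lands in the group, which is consistent with the third test producing no log message while the first two binds (not members) do.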
Can't create DSInstances as user (uid !=0) with 389-ds-base-1.3.0.2-1.fc18.x86_64 on FC18
by Luca Menegus
Hi all,
I need to run some integration tests against 389 DS on our CI system, but when I introduced a new F18 CI slave, creation of new DS instances with setup-ds.pl started to fail.
The problem seems to be that setup-ds.pl tries to update the systemd-related configuration even when run as a user.
Simply skipping the systemd stuff when the user is not root fixes the problem:
In /usr/lib64/dirsrv/perl/DSCreate.pm, update sub updateSystemD to include a uid check:
[...]
sub updateSystemD {
    my $inf = shift;
    my $unitdir = "/usr/lib/systemd/system";
    my $confbasedir = "/etc/systemd/system";
    my $confdir = "$confbasedir/dirsrv.target.wants";
    if (!$unitdir or !$confdir or ! -d $unitdir or ! -d $confdir >>>> or !(getLogin() eq 'root') <<<<<) {
        debug(3, "no systemd - skipping\n");
        return ();
    }
[...]
DS Version: 389-ds-base-1.3.0.2-1.fc18.x86_64
Shall I open a bug, or is this mail enough?
Regards,
Luca
How to check if user is locked
by Todor Petkov
Hello all,
I followed this guide
https://www.centos.org/docs/5/html/CDS/ag/8.0/User_Account_Management-Man...
to implement a password lock policy. The user is locked, and the automatic
unlock is also fine.
How can I check if the user is locked? Is there any way to see it using
the 389-console, ldapsearch or phpldapadmin, for example? I checked and
cannot find any. I would like to be able to know that the user cannot
log in because he is locked, and to unlock him. I found out that resetting the
password works as unlocking, but is there another way?
Thanks,
questions about client certificate-based authentication
by yp
Hi all,
I'm testing 389 DS on CentOS 6 and I had a problem with the
certmap.conf file.
The certmap.conf file exists (and there is no symlink between them) at
two locations: /etc/dirsrv/config and /etc/dirsrv/slapd-instancename.
The documentation
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9...
says that we need to edit /etc/dirsrv/config/certmap.conf, but during
my testing, after modifying this file and restarting the server, the
mapping did not work, and I needed to edit the conf file in
slapd-instancename to be able to authenticate via a client certificate.
It seems that /etc/dirsrv/config/certmap.conf is not used at all (I
removed the file, restarted the server and authentication was working).
I don't know if I missed something, but is the documentation outdated
on this point? And what is the purpose
of /etc/dirsrv/config/certmap.conf?
By the way, in some examples of the documentation, the DNComps property
has the DC keyword, but this attribute is not listed in the available
RDN keywords. Should I open a bugzilla report about this?
I must also say that the documentation about 389 DS has impressed
me by its very high quality and the quantity of information therein.
Best regards,
Console error
by carne_de_passaro
Hi,
I built all components of 389-ds version 1.3.0.2.
The service is running all right; I've imported an LDIF with my objects with
ldif2db and it did just fine.
My problem is with the console. I can enter the first console and use my
credentials. When I try to open either the admin server or the directory
server console, an error message appears and I can't open the console.
I try to open the console with this command:
root@server:~# 389-console -x nologo -D
* after selecting "server group" and trying to open the admin server and the
directory server:
ClassLoader: getLocalJarList():Unable to read /root/.389-console/patch/
directory
ClassLoader: start parsing
ClassLoader: done
Instantiate cn=admin-serv-foo-ldap02,cn=389 Administration
Server,cn=Server Group,cn=foo-ldap02.bar,ou=foo-teste,o=NetscapeRoot
ClassLoaderUtil.getClass(com.netscape.management.admserv.AdminServer@389-admin-1.1.jar(a)cn=admin-serv-foo-ldap02,cn=389
Administration Server,cn=Server
Group,cn=foo-ldap02.bar,ou=foo-teste,o=NetscapeRoot)
ClassLoader: no manifest found for 389-admin-1.1.jar
ClassLoader: No manifest file for 389-admin-1.1.jar
ClassLoader: new LocalJarClassLoader 389-admin-1.1.jar:{389-admin-1.1.jar
389-admin-1.1_en.jar }
ClassLoader: Create loader 389-admin-1.1.jar
ERROR ServerNode.createServerInstance: could not create
com.netscape.management.admserv.AdminServer@389-admin-1.1.jar(a)cn=admin-serv-foo-ldap02,cn=389
Administration Server,cn=Server
Group,cn=foo-ldap02.bar,ou=foo-teste,o=NetscapeRoot
Exception: java.lang.ClassCastException:
com.netscape.management.admserv.AdminServer cannot be cast to
com.netscape.management.client.topology.IServerObject
Instantiate cn=slapd-foo-ldap02,cn=389 Directory Server,cn=Server
Group,cn=foo-ldap02.bar,ou=foo-teste,o=NetscapeRoot
ClassLoaderUtil.getClass(com.netscape.admin.dirserv.DSAdmin@389-ds-1.2.jar(a)cn=admin-serv-foo-ldap02,cn=389
Administration Server,cn=Server
Group,cn=foo-ldap02.bar,ou=foo-teste,o=NetscapeRoot)
ClassLoader: manifest loaded for 389-ds-1.2.jar
ClassLoader: new LocalJarClassLoader 389-ds-1.2.jar:{389-ds-1.2.jar
389-ds-1.2_en.jar }
ClassLoader: Create loader 389-ds-1.2.jar
ERROR ServerNode.createServerInstance: could not create
com.netscape.admin.dirserv.DSAdmin@389-ds-1.2.jar(a)cn=admin-serv-foo-ldap02,cn=389
Administration Server,cn=Server
Group,cn=foo-ldap02.bar,ou=foo-teste,o=NetscapeRoot
Exception: java.lang.ClassCastException:
com.netscape.admin.dirserv.DSAdmin cannot be cast to
com.netscape.management.client.topology.IServerObject
My Java version is:
Java version "1.6.0_24"
OpenJDK Runtime Environment (IcedTea6 1.11.5)
(rhel-1.50.1.11.5.el6_3-x86_64)
OpenJDK 64-Bit Server VM (build 20.0-b12, mixed mode)
Components used in this setup:
389-ds-base-1.3.0.2
389-adminutil-1.1.14
389-admin-1.1.31
idm-console-framework-1.1.7
389-console-1.1.7
389-ds-console-1.2.6
389-admin-console-1.1.8
What am I missing here?
Thanks in advance
1.3.x to EPEL repos - when?
by Vesa Alho
Hi,
I'm currently planning to do a 389 production installation and was
wondering whether there is a point in waiting until the new 1.3.x is available in the repos.
Does someone know when 1.3.x can be expected in EPEL? Thanks.
-Vesa
Re: [389-users] ACL Question
by rayane karim
Hi,
About the tree: I have
ou=Students,ou=People,dc=example,dc=com
which contains the student members,
and
cn=Students Manager,ou=Groups,dc=example,dc=com
whose uniqueMember field contains the student manager.
I have successfully tried an ACL for allowing modify, add, delete etc. with
(targetfilter= "((Affectation=testaff))"):
(targetattr = "*") (targetfilter= "(Affectation=testaff)") (version 3.0;acl
"Student restriction Acl";
allow (all)(groupdn = "ldap:///cn=Students
Manager,ou=Groups,dc=example,dc=com");)
(applied on the ou=Students,ou=People,dc=example,dc=com node)
Now I simply need the opposite of the previous ACI, i.e. the
previous admin account (cn=Students Manager) of the student branch allowed
only to see and modify
accounts on the
ou=Students,ou=People,dc=example,dc=com branch,
with the restriction based on the Affectation field, i.e. if Affectation<>testaff then
not visible.
Thanks
> Date: Thu, 31 Jan 2013 16:20:51 +0100
> From: Ludwig Krispenz <lkrispen(a)redhat.com>
> To: 389-users(a)lists.fedoraproject.org
> Subject: Re: [389-users] ACL Question
>
> Hi,
>
> It is always difficult to talk about a single aci, since access is
> controlled by applying all existing acis, and one aci can prevent the
> effect of another one.
> Also, you're talking about hiding entries, but the aci you propose is
> about allowing access, so making entries visible to the group.
>
> Could you provide more info on the tree and entries you have and who
> should be able to do what? What do you mean by "only certain people"?
> Did you try some acis and they didn't work?
>
> Regards,
> Ludwig
>
> On 01/31/2013 12:35 PM, rayane karim wrote:
> > Hi,
> > I need to set up an ACL restriction based on targetfilter like
> >
> > (targetattr = "*") (targetfilter= "(!(Affectation=testaff))") (version
> > 3.0;acl "Student restriction Acl";allow (write)(groupdn =
> > "ldap:///cn=Students Manager,ou=Groups,dc=example,dc=com");)
> >
> > This rule hides the whole student branch
> > ou=Students,ou=People,dc=example,dc=com
> > on which it is applied.
> >
> > I need to hide only certain people from the student branch for cn=Students
> > Manager,
> >
> > people that don't have the (Affectation=testaff) attribute.
> >
> > Thanks