ERR - slapi_ldap_bind - Could not send bind request for id [(anon)] authentication mechanism [EXTERNAL]: error -1 (Can't contact LDAP server), system error 0 (no error), network error 0
by Graham Leggett
Hi all,
We have a long-standing 389ds master LDAP server that was found to be unable to contact its slaves. More specifically, the slaves show nothing in their logs about any kind of connection, while the master is logging this:
[12/Nov/2019:21:39:47.212715697 +0000] - ERR - slapi_ldap_bind - Could not send bind request for id [(anon)] authentication mechanism [EXTERNAL]: error -1 (Can't contact LDAP server), system error 0 (no error), network error 0 (Unknown error, host "ldap01:636")
Key is "system error 0 (no error)", which leaves us stumped. The error is obviously "success".
Has anyone seen this kind of thing before?
This is 389ds running on CentOS7 as follows:
389-ds-base-1.3.9.1-10.el7.x86_64
Regards,
Graham
—
5 months
ACI - on OU services didn't match
by Nizar Montassar
Hello All,
I have added three ACIs to authorize a group of permissions to manage my Service OU like this:
# To modify attributes
dn: ou=services,dc=xxx,dc=yyy
aci: (targetattr="description || cn || memberOf || nsUniqueId || nsAccountLock")(targetfilter="(&(objectClass=nsAccount)(objectClass=nsMemberOf)(objectClass=netscapeServer))")(version 3.0; acl "Enable user modify to change services"; allow (write, read)(groupdn="ldap:///cn=service_modify,ou=permissions,dc=xxx,dc=yyy");)
# To permit password reset
dn: ou=services,dc=xxx,dc=yyy
aci: (targetattr="userPassword || nsAccountLock || userCertificate || nsSshPublicKey")(targetfilter="(&(objectClass=nsAccount)(objectClass=nsMemberOf)(objectClass=netscapeServer))")(version 3.0; acl "Enable service password reset"; allow (write, read)(groupdn="ldap:///cn=service_passwd_reset,ou=permissions,dc=xxx,dc=yyy");)
# to allow service account creation
dn: ou=services,dc=xxx,dc=yyy
aci: (targetattr="objectClass || description || nsUniqueId || cn || memberOf || nsAccountLock")(targetfilter="(&(objectClass=nsAccount)(objectClass=nsMemberOf)(objectClass=netscapeServer))")(version 3.0; acl "Enable service admin account create"; allow (write, add, delete, read)(groupdn="ldap:///cn=service_admin,ou=permissions,dc=xxx,dc=yyy");)
Then I have created those groups under the permission OU like this:
cn=servce_admin,ou=permissions,dc=xxx,dc=yyy
cn=servce_modify,ou=permissions,dc=xxx,dc=yyy
cn=servce_passwd_reset,ou=permissions,dc=xxx,dc=yyy
And I have added my administrator users to those groups.
When testing to create a service account using one of my administrator users I got this error:
"Error: 105 - 3 - 50 - Insufficient access - [] - Insufficient 'add' privilege to add the entry 'cn=test,ou=Services,dc=xxx,dc=yyy'."
If I understand this message correctly: the ACI didn't take effect on the service OU.
In my log files there is no information; I tried to run my creation command in debug mode and got the same output.
I need your help on this issue.
Best Regards
7 months, 1 week
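Before digging into plugin or log settings, two things are worth checking mechanically for an ACI that "does not take effect": that every groupdn the ACI names resolves to a group that actually exists as written, and that the entry being added matches the targetfilter (for an add operation the filter is evaluated against the new entry, so it must carry all three objectClasses). The script below is an added example, not code from the thread or from 389ds; it parses the three ACI values and the three group DNs exactly as they appear in the message above, normalizes DNs for comparison, and reports any groupdn that has no matching group. The `required_objectclasses` extraction assumes the simple AND-of-objectClass filter shape used in the post rather than a general LDAP filter parser.

```python
import re

# The three ACI values as posted on ou=services (copied from the message).
POSTED_ACIS = [
    '(targetattr="description || cn || memberOf || nsUniqueId || nsAccountLock")'
    '(targetfilter="(&(objectClass=nsAccount)(objectClass=nsMemberOf)(objectClass=netscapeServer))")'
    '(version 3.0; acl "Enable user modify to change services"; allow (write, read)'
    '(groupdn="ldap:///cn=service_modify,ou=permissions,dc=xxx,dc=yyy");)',
    '(targetattr="userPassword || nsAccountLock || userCertificate || nsSshPublicKey")'
    '(targetfilter="(&(objectClass=nsAccount)(objectClass=nsMemberOf)(objectClass=netscapeServer))")'
    '(version 3.0; acl "Enable service password reset"; allow (write, read)'
    '(groupdn="ldap:///cn=service_passwd_reset,ou=permissions,dc=xxx,dc=yyy");)',
    '(targetattr="objectClass || description || nsUniqueId || cn || memberOf || nsAccountLock")'
    '(targetfilter="(&(objectClass=nsAccount)(objectClass=nsMemberOf)(objectClass=netscapeServer))")'
    '(version 3.0; acl "Enable service admin account create"; allow (write, add, delete, read)'
    '(groupdn="ldap:///cn=service_admin,ou=permissions,dc=xxx,dc=yyy");)',
]

# Group DNs as posted under ou=permissions (copied exactly, spelling included).
POSTED_GROUPS = [
    "cn=servce_admin,ou=permissions,dc=xxx,dc=yyy",
    "cn=servce_modify,ou=permissions,dc=xxx,dc=yyy",
    "cn=servce_passwd_reset,ou=permissions,dc=xxx,dc=yyy",
]

ACL_NAME_RE = re.compile(r'acl\s+"([^"]*)"')
GROUPDN_RE = re.compile(r'groupdn="ldap:///([^"]+)"')
RIGHTS_RE = re.compile(r'allow\s*\(([^)]*)\)')
TARGETFILTER_RE = re.compile(r'targetfilter="([^"]*)"')
OBJECTCLASS_RE = re.compile(r'\(objectClass=([^)]+)\)', re.IGNORECASE)


def normalize_dn(dn):
    """Lower-case and strip each RDN so that DNs differing only in case or
    whitespace compare equal (attribute types and these values are
    case-insensitive for this comparison)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_aci(aci):
    """Pull the pieces we need out of one ACI value."""
    name = ACL_NAME_RE.search(aci)
    rights = RIGHTS_RE.search(aci)
    tfilter = TARGETFILTER_RE.search(aci)
    return {
        "name": name.group(1) if name else "",
        "rights": [r.strip() for r in rights.group(1).split(",")] if rights else [],
        "groupdns": GROUPDN_RE.findall(aci),
        # Only meaningful for the (&(objectClass=..)(objectClass=..)) shape.
        "required_objectclasses": OBJECTCLASS_RE.findall(tfilter.group(1)) if tfilter else [],
    }


def dangling_groupdns(acis, existing_group_dns):
    """Return (acl name, groupdn) pairs whose groupdn matches no existing group."""
    existing = {normalize_dn(d) for d in existing_group_dns}
    findings = []
    for aci in acis:
        parsed = parse_aci(aci)
        for gdn in parsed["groupdns"]:
            if normalize_dn(gdn) not in existing:
                findings.append((parsed["name"], gdn))
    return findings


def entry_matches_targetfilter(entry_objectclasses, required_objectclasses):
    """True if the entry carries every objectClass the targetfilter demands."""
    have = {oc.lower() for oc in entry_objectclasses}
    return all(oc.lower() in have for oc in required_objectclasses)


if __name__ == "__main__":
    for acl_name, gdn in dangling_groupdns(POSTED_ACIS, POSTED_GROUPS):
        print(f'ACI "{acl_name}" references groupdn {gdn} but no such group exists')
    create_aci = parse_aci(POSTED_ACIS[2])
    # Constructed candidate entry for cn=test: check it against the add ACI's filter.
    candidate = ["top", "nsAccount", "nsMemberOf", "netscapeServer"]
    print("candidate entry matches targetfilter:",
          entry_matches_targetfilter(candidate, create_aci["required_objectclasses"]))
```

Run against the values in the post, the first check reports all three ACIs, because each groupdn differs from the group DNs listed under ou=permissions; the second check shows that an entry lacking any one of nsAccount, nsMemberOf or netscapeServer falls outside the targetfilter and so gets no rights from the "create" ACI either.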
err=19 in a BIND operation
by Ciber Center
Hi team,
I'm getting a result err=19 in a BIND operation. Does anyone know why this can happen?
This is the connection trace:
conn=2894185 fd=205 slot=205 connection from client_ip to server_ip
conn=2894185 op=0 BIND dn="uid=user1,o=applications,o=school,c=es" method=128 version=3
conn=2894185 op=0 RESULT err=19 tag=97 nentries=0 etime=0.000494384
conn=2894185 op=1 UNBIND
conn=2894185 op=1 fd=205 closed - U1
I understood that error code 19 occurs only in MOD operations, is it correct?
Thanks in advance.
7 months, 2 weeks
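Whatever the cause in this particular deployment, a non-zero err on a BIND RESULT is the kind of event worth surfacing from the access log rather than noticing by chance. The script below is an added example, not code from the thread or from 389ds: it pairs each BIND line with its RESULT line by (conn, op), keeps only bind responses (tag=97 is the LDAP BindResponse tag), decodes the numeric result code with the standard LDAP names (19 is constraintViolation, 49 invalidCredentials, 50 insufficientAccessRights), and counts failures per bind DN. The input is the four lines from the post plus one constructed successful bind; the timestamp-free line format and the `method=128` (simple bind) reading are taken from the posted trace.

```python
import re
from collections import Counter

# Access-log sample: the posted trace plus one constructed successful bind (conn=2894186).
SAMPLE_LOG = """\
conn=2894185 fd=205 slot=205 connection from client_ip to server_ip
conn=2894185 op=0 BIND dn="uid=user1,o=applications,o=school,c=es" method=128 version=3
conn=2894185 op=0 RESULT err=19 tag=97 nentries=0 etime=0.000494384
conn=2894185 op=1 UNBIND
conn=2894185 op=1 fd=205 closed - U1
conn=2894186 fd=206 slot=206 connection from client_ip to server_ip
conn=2894186 op=0 BIND dn="uid=user2,o=applications,o=school,c=es" method=128 version=3
conn=2894186 op=0 RESULT err=0 tag=97 nentries=0 etime=0.000312000
conn=2894186 op=1 UNBIND
"""

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\w+)')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+) tag=(\d+)')

# Standard LDAP result codes (RFC 4511) for the ones most often seen on binds.
RESULT_CODES = {
    0: "success",
    19: "constraintViolation",
    32: "noSuchObject",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
}
BIND_RESPONSE_TAG = 97  # BindResponse is [APPLICATION 1], i.e. 0x61


def failed_binds(log_text):
    """Return one dict per BIND whose RESULT carried a non-zero err."""
    pending = {}   # (conn, op) -> bind details awaiting its RESULT line
    failures = []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            conn, op, dn, method = m.groups()
            pending[(conn, op)] = {"conn": conn, "op": op, "dn": dn, "method": method}
            continue
        m = RESULT_RE.search(line)
        if not m:
            continue
        conn, op, err, tag = m.groups()
        bind = pending.pop((conn, op), None)
        # Ignore RESULT lines that do not answer a BIND we saw, or are not bind responses.
        if bind is None or int(tag) != BIND_RESPONSE_TAG:
            continue
        if int(err) != 0:
            bind["err"] = int(err)
            bind["err_name"] = RESULT_CODES.get(int(err), "unknown")
            failures.append(bind)
    return failures


def failures_per_dn(failures):
    """Count failed binds by DN, the figure a lockout or brute-force alert keys on."""
    return Counter(f["dn"] for f in failures)


if __name__ == "__main__":
    for f in failed_binds(SAMPLE_LOG):
        print(f'conn={f["conn"]} op={f["op"]} dn={f["dn"]} err={f["err"]} ({f["err_name"]})')
    print(dict(failures_per_dn(failed_binds(SAMPLE_LOG))))
```

On the sample this reports exactly one failed bind, for uid=user1 with err=19 (constraintViolation), and leaves the successful user2 bind out; feeding it a real access log gives a per-DN failure count that can be thresholded for alerting, with the code name making the distinction between a wrong password (49) and a policy-side refusal (19) visible at a glance.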
Setting "lock" time of an account in the future
by Cenk Y.
Hello,
We are running 389-ds-base 2.2.7.
While creating accounts, sometimes we know until when they need to be active. Is there a way to manually set an "expiration date" for the account, so after that date nsAccount is set to true?
Having gone through rhds and 389-ds pages, it seems it's only possible to create a policy to deactivate accounts after an inactivity limit.
I can always create a mechanism myself (such as adding a new attribute and checking it by a cron job ...), but I want to see if there is a native way to do this?
Thanks
Cenk
7 months, 2 weeks
389 in Ubuntu 22.04
by morgan jones
Hello,
We are moving to Ubuntu 22.04 across our servers: is there a recommended Ubuntu repo for 389 Directory?
On a related note is there an official Docker image?
We have about 250,000 users and currently have 6 replicas all running CentOS 7.
thanks,
-morgan
7 months, 2 weeks