[389-users] Re: 389 console is blank

2018-08-30 Thread JESSE LUNT
Hey All,

So if you haven't figured it out today Cassie and I work together and
double team this environment. I ran the following and did get a response
back.

ldapsearch -D "uid=onecampus,ou=Tools,dc=northshore,dc=edu" -w
"northshore-2018" -H ldap://389ds1.northshore.edu:389 -x -b
"cn=config,o=netscaperoot" "objectclass=*"



On Thu, Aug 30, 2018 at 3:36 PM Cassandra Reed  wrote:

> Thanks, Mark.  When executing the ldapsearch that you suggested, I am
> getting an error message: ldap_sasl_interactive_bind_s: Unknown
> authentication method (-6) additional info: SASL(-4): no mechanism
> available:
>
> We have been replicating o=netscaperoot - I am not sure how up to date the
> replicas are, considering the trouble that we are having with the config db
> right now...
>
>
> Cassandra Reed
> 978-762-4222
> EDP Systems Analyst III
> North Shore Community College
> 1 Ferncroft Road, Danvers MA 01923
>
>
> On Thu, Aug 30, 2018 at 3:20 PM Mark Reynolds 
> wrote:
>
>>
>>
>> On 08/30/2018 03:07 PM, Cassandra Reed wrote:
>>
>> Hi Mark,
>>
>> You are correct, it does appear that the o=netscaperoot suffix was
>> removed.
>>
>> No, I think it's still there.  Try this search:
>>
>> # ldapsearch -D "cn=directory manager" -W -b o=netscaperoot
>> objectclass=* dn
>>
>> Maybe try restarting the admin server:
>>
>> # restart-ds-admin
>>
>>
>> Are you replicating o=netscaperoot by any chance?
>>
>> Mark
>>
>>
>> Below is a bit of the access log file during the launch of the console.
>> We have two other servers that this Master was replicating to, is it
>> possible to export the netscaperoot from one of those other two servers and
>> import to the Master?  What would this require and would it be service
>> impacting at all?  (Reboot of the server/etc.)  One of the servers hasn't
>> been replicating in some time, would an older version of netscaperoot have
>> any impact on the userroot directory?
>>
>> [30/Aug/2018:14:28:03 -0400] conn=1035324 fd=79 slot=79 connection from
>> 127.0.0.1 to 127.0.0.1
>> [30/Aug/2018:14:28:03 -0400] conn=1035324 op=0 BIND dn="cn=Directory
>> Manager" method=128 version=3
>> [30/Aug/2018:14:28:03 -0400] conn=1035324 op=0 RESULT err=0 tag=97
>> nentries=0 etime=0 dn="cn=directory manager"
>> [30/Aug/2018:14:28:03 -0400] conn=1035324 op=1 SRCH
>> base="cn=user,cn=DefaultObjectClassesContainer,ou=1.1,ou=admin,ou=Global
>> Preferences,ou=northshore.edu,o=NetscapeRoot" scope=0
>> filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
>> [30/Aug/2018:14:28:03 -0400] conn=1035324 op=1 RESULT err=32 tag=101
>> nentries=0 etime=0
>> [30/Aug/2018:14:28:03 -0400] conn=1035324 op=2 SRCH
>> base="cn=group,cn=DefaultObjectClassesContainer,ou=1.1,ou=admin,ou=Global
>> Preferences,ou=northshore.edu,o=NetscapeRoot" scope=0
>> filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
>> [30/Aug/2018:14:28:03 -0400] conn=1035324 op=2 RESULT err=32 tag=101
>> nentries=0 etime=0
>> [30/Aug/2018:14:28:03 -0400] conn=1035324 op=3 SRCH
>> base="cn=OU,cn=DefaultObjectClassesContainer,ou=1.1,ou=admin,ou=Global
>> Preferences,ou=northshore.edu,o=NetscapeRoot" scope=0
>> filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
>> [30/Aug/2018:14:28:03 -0400] conn=1035324 op=3 RESULT err=32 tag=101
>> nentries=0 etime=0
>> [30/Aug/2018:14:28:03 -0400] conn=1035324 op=4 SRCH
>> base="cn=ResourceEditorExtension,ou=1.1,ou=admin,ou=Global Preferences,ou=
>> northshore.edu,o=NetscapeRoot" scope=1
>> filter="(objectClass=nsAdminResourceEditorExtension)" attrs=ALL
>> [30/Aug/2018:14:28:03 -0400] conn=1035324 op=4 RESULT err=32 tag=101
>> nentries=0 etime=0
>>
>>
>> Thank you,
>> -Cassie
>>
>> Cassandra Reed
>> 978-762-4222
>> EDP Systems Analyst III
>> North Shore Community College
>> 1 Ferncroft Road, Danvers MA 01923
>>
>>
>> On Thu, Aug 30, 2018 at 9:44 AM Mark Reynolds 
>> wrote:
>>
>>> Are you logging in as Directory Manager?
>>>
>>> If you are, perhaps the o=netscaperoot suffix was removed from DS?  You
>>> need to look at the access log in this case and what it's doing when you
>>> log in.
>>>
>>> Mark
>>>
>>>
>>

-- 


Jesse Lunt
Director of Network and User Services
Office of Information Services
North Shore Community College
(978)-762-4014
___
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org


[389-users] Re: 389 console is blank

2018-08-30 Thread Mark Reynolds



On 08/30/2018 03:35 PM, Cassandra Reed wrote:
> Thanks, Mark.  When executing the ldapsearch that you suggested, I am
> getting an error message: ldap_sasl_interactive_bind_s: Unknown
> authentication method (-6) additional info: SASL(-4): no mechanism
> available:

Ugh sorry you need to add -x:

ldapsearch -D "cn=directory manager" -W -x -b o=netscaperoot objectclass=* dn

> We have been replicating o=netscaperoot - I am not sure how up to date
> the replicas are, considering the trouble that we are having with the
> config db right now...

That's the problem.  If you are replicating o=netscaperoot to other
servers that use the console, you are basically hosing each one of
those servers' o=netscaperoot suffix.  o=netscaperoot is specific to the
host in which it was originally created.  You should only replicate
o=netscaperoot as a backup technique, and it should not be replicated to a
server that uses the 389-console - otherwise the console won't work
(e.g. blank screen).

So the console will only work on the original server you started
replication from.

Now to fix it, assuming this is the case...

You have to remove the o=netscaperoot suffix, and run register-ds-admin.pl
to recreate the o=netscaperoot suffix for that server.


Regards,
Mark





Cassandra Reed
978-762-4222
EDP Systems Analyst III
North Shore Community College
1 Ferncroft Road, Danvers MA 01923


On Thu, Aug 30, 2018 at 3:20 PM Mark Reynolds wrote:




On 08/30/2018 03:07 PM, Cassandra Reed wrote:

Hi Mark,

You are correct, it does appear that the o=netscaperoot suffix
was removed.

No, I think it's still there.  Try this search:

    # ldapsearch -D "cn=directory manager" -W -b o=netscaperoot objectclass=* dn

Maybe try restarting the admin server:

    # restart-ds-admin


Are you replicating o=netscaperoot by any chance?

Mark



Below is a bit of the access log file during the launch of the
console.  We have two other servers that this Master was
replicating to, is it possible to export the netscaperoot from
one of those other two servers and import to the Master?  What
would this require and would it be service impacting at all? 
(Reboot of the server/etc.)  One of the servers hasn't been
replicating in some time, would an older version of netscaperoot
have any impact on the userroot directory?

[30/Aug/2018:14:28:03 -0400] conn=1035324 fd=79 slot=79
connection from 127.0.0.1 to 127.0.0.1
[30/Aug/2018:14:28:03 -0400] conn=1035324 op=0 BIND
dn="cn=Directory Manager" method=128 version=3
[30/Aug/2018:14:28:03 -0400] conn=1035324 op=0 RESULT err=0
tag=97 nentries=0 etime=0 dn="cn=directory manager"
[30/Aug/2018:14:28:03 -0400] conn=1035324 op=1 SRCH
base="cn=user,cn=DefaultObjectClassesContainer,ou=1.1,ou=admin,ou=Global
Preferences,ou=northshore.edu,o=NetscapeRoot" scope=0
filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
[30/Aug/2018:14:28:03 -0400] conn=1035324 op=1 RESULT err=32
tag=101 nentries=0 etime=0
[30/Aug/2018:14:28:03 -0400] conn=1035324 op=2 SRCH
base="cn=group,cn=DefaultObjectClassesContainer,ou=1.1,ou=admin,ou=Global
Preferences,ou=northshore.edu,o=NetscapeRoot" scope=0
filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
[30/Aug/2018:14:28:03 -0400] conn=1035324 op=2 RESULT err=32
tag=101 nentries=0 etime=0
[30/Aug/2018:14:28:03 -0400] conn=1035324 op=3 SRCH
base="cn=OU,cn=DefaultObjectClassesContainer,ou=1.1,ou=admin,ou=Global
Preferences,ou=northshore.edu,o=NetscapeRoot" scope=0
filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
[30/Aug/2018:14:28:03 -0400] conn=1035324 op=3 RESULT err=32
tag=101 nentries=0 etime=0
[30/Aug/2018:14:28:03 -0400] conn=1035324 op=4 SRCH
base="cn=ResourceEditorExtension,ou=1.1,ou=admin,ou=Global
Preferences,ou=northshore.edu,o=NetscapeRoot" scope=1
filter="(objectClass=nsAdminResourceEditorExtension)" attrs=ALL
[30/Aug/2018:14:28:03 -0400] conn=1035324 op=4 RESULT err=32
tag=101 nentries=0 etime=0


Thank you,
-Cassie

Cassandra Reed
978-762-4222
EDP Systems Analyst III
North Shore Community College
1 Ferncroft Road, Danvers MA 01923


On Thu, Aug 30, 2018 at 9:44 AM Mark Reynolds <mreyno...@redhat.com> wrote:

Are you logging in as Directory Manager?

If you are, perhaps the o=netscaperoot suffix was removed
from DS?  You need to look at the access log in this case and
what it's doing when you log in.

Mark






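The access-log check suggested in this thread, as an added example that is not part of the original messages: it pairs each SRCH with its RESULT by conn/op and lists the searches under o=NetscapeRoot that ended in err=32 (noSuchObject), together with the bind DN of the connection. The sample input is the excerpt quoted above with the e-mail line wrapping undone; the function names are illustrative.

```python
import re
from collections import defaultdict

# Access-log excerpt from this thread, with the e-mail line wrapping undone.
SAMPLE_LOG = """\
[30/Aug/2018:14:28:03 -0400] conn=1035324 fd=79 slot=79 connection from 127.0.0.1 to 127.0.0.1
[30/Aug/2018:14:28:03 -0400] conn=1035324 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[30/Aug/2018:14:28:03 -0400] conn=1035324 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[30/Aug/2018:14:28:03 -0400] conn=1035324 op=1 SRCH base="cn=user,cn=DefaultObjectClassesContainer,ou=1.1,ou=admin,ou=Global Preferences,ou=northshore.edu,o=NetscapeRoot" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
[30/Aug/2018:14:28:03 -0400] conn=1035324 op=1 RESULT err=32 tag=101 nentries=0 etime=0
[30/Aug/2018:14:28:03 -0400] conn=1035324 op=2 SRCH base="cn=group,cn=DefaultObjectClassesContainer,ou=1.1,ou=admin,ou=Global Preferences,ou=northshore.edu,o=NetscapeRoot" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
[30/Aug/2018:14:28:03 -0400] conn=1035324 op=2 RESULT err=32 tag=101 nentries=0 etime=0
[30/Aug/2018:14:28:03 -0400] conn=1035324 op=3 SRCH base="cn=OU,cn=DefaultObjectClassesContainer,ou=1.1,ou=admin,ou=Global Preferences,ou=northshore.edu,o=NetscapeRoot" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
[30/Aug/2018:14:28:03 -0400] conn=1035324 op=3 RESULT err=32 tag=101 nentries=0 etime=0
[30/Aug/2018:14:28:03 -0400] conn=1035324 op=4 SRCH base="cn=ResourceEditorExtension,ou=1.1,ou=admin,ou=Global Preferences,ou=northshore.edu,o=NetscapeRoot" scope=1 filter="(objectClass=nsAdminResourceEditorExtension)" attrs=ALL
[30/Aug/2018:14:28:03 -0400] conn=1035324 op=4 RESULT err=32 tag=101 nentries=0 etime=0
"""

LINE_RE = re.compile(
    r"^\[[^\]]+\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<kind>[A-Z]+)\b(?P<rest>.*)$")
ERR_NO_SUCH_OBJECT = 32  # LDAP result code noSuchObject


def parse_ops(log_text):
    """Group access-log lines into operations keyed by (conn, op)."""
    ops = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # connection open/close lines carry no op= field
        key = (int(m["conn"]), int(m["op"]))
        kind, rest = m["kind"], m["rest"]
        if kind == "RESULT":
            err = re.search(r"\berr=(\d+)", rest)
            if err:
                ops[key]["err"] = int(err.group(1))
        elif kind == "SRCH":
            base = re.search(r'\bbase="([^"]*)"', rest)
            scope = re.search(r"\bscope=(\d)", rest)
            ops[key].update(kind="SRCH",
                            base=base.group(1) if base else "",
                            scope=int(scope.group(1)) if scope else None)
        elif kind == "BIND":
            dn = re.search(r'\bdn="([^"]*)"', rest)
            ops[key].update(kind="BIND", dn=dn.group(1) if dn else "")
    return ops


def missing_under_suffix(log_text, suffix="o=netscaperoot"):
    """Return SRCH operations below `suffix` that ended in noSuchObject."""
    misses, bound = [], {}
    for (conn, op), rec in sorted(parse_ops(log_text).items()):
        if rec.get("kind") == "BIND" and rec.get("err") == 0:
            bound[conn] = rec["dn"]  # identity in effect for later operations
        elif (rec.get("kind") == "SRCH"
              and rec.get("err") == ERR_NO_SUCH_OBJECT
              and rec["base"].lower().endswith(suffix)):
            misses.append({"conn": conn, "op": op, "scope": rec["scope"],
                           "bind_dn": bound.get(conn, "(anonymous)"),
                           "base": rec["base"]})
    return misses


if __name__ == "__main__":
    for miss in missing_under_suffix(SAMPLE_LOG):
        print("conn={conn} op={op} bind={bind_dn} scope={scope} missing: {base}".format(**miss))
```
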

[389-users] Re: 389 console is blank

2018-08-30 Thread Cassandra Reed
Thanks, Mark.  When executing the ldapsearch that you suggested, I am
getting an error message: ldap_sasl_interactive_bind_s: Unknown
authentication method (-6) additional info: SASL(-4): no mechanism
available:

We have been replicating o=netscaperoot - I am not sure how up to date the
replicas are, considering the trouble that we are having with the config db
right now...


Cassandra Reed
978-762-4222
EDP Systems Analyst III
North Shore Community College
1 Ferncroft Road, Danvers MA 01923


On Thu, Aug 30, 2018 at 3:20 PM Mark Reynolds  wrote:

>
>
> On 08/30/2018 03:07 PM, Cassandra Reed wrote:
>
> Hi Mark,
>
> You are correct, it does appear that the o=netscaperoot suffix was
> removed.
>
> No, I think it's still there.  Try this search:
>
> # ldapsearch -D "cn=directory manager" -W -b o=netscaperoot
> objectclass=* dn
>
> Maybe try restarting the admin server:
>
> # restart-ds-admin
>
>
> Are you replicating o=netscaperoot by any chance?
>
> Mark
>
>
> Below is a bit of the access log file during the launch of the console.
> We have two other servers that this Master was replicating to, is it
> possible to export the netscaperoot from one of those other two servers and
> import to the Master?  What would this require and would it be service
> impacting at all?  (Reboot of the server/etc.)  One of the servers hasn't
> been replicating in some time, would an older version of netscaperoot have
> any impact on the userroot directory?
>
> [30/Aug/2018:14:28:03 -0400] conn=1035324 fd=79 slot=79 connection from
> 127.0.0.1 to 127.0.0.1
> [30/Aug/2018:14:28:03 -0400] conn=1035324 op=0 BIND dn="cn=Directory
> Manager" method=128 version=3
> [30/Aug/2018:14:28:03 -0400] conn=1035324 op=0 RESULT err=0 tag=97
> nentries=0 etime=0 dn="cn=directory manager"
> [30/Aug/2018:14:28:03 -0400] conn=1035324 op=1 SRCH
> base="cn=user,cn=DefaultObjectClassesContainer,ou=1.1,ou=admin,ou=Global
> Preferences,ou=northshore.edu,o=NetscapeRoot" scope=0
> filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
> [30/Aug/2018:14:28:03 -0400] conn=1035324 op=1 RESULT err=32 tag=101
> nentries=0 etime=0
> [30/Aug/2018:14:28:03 -0400] conn=1035324 op=2 SRCH
> base="cn=group,cn=DefaultObjectClassesContainer,ou=1.1,ou=admin,ou=Global
> Preferences,ou=northshore.edu,o=NetscapeRoot" scope=0
> filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
> [30/Aug/2018:14:28:03 -0400] conn=1035324 op=2 RESULT err=32 tag=101
> nentries=0 etime=0
> [30/Aug/2018:14:28:03 -0400] conn=1035324 op=3 SRCH
> base="cn=OU,cn=DefaultObjectClassesContainer,ou=1.1,ou=admin,ou=Global
> Preferences,ou=northshore.edu,o=NetscapeRoot" scope=0
> filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
> [30/Aug/2018:14:28:03 -0400] conn=1035324 op=3 RESULT err=32 tag=101
> nentries=0 etime=0
> [30/Aug/2018:14:28:03 -0400] conn=1035324 op=4 SRCH
> base="cn=ResourceEditorExtension,ou=1.1,ou=admin,ou=Global Preferences,ou=
> northshore.edu,o=NetscapeRoot" scope=1
> filter="(objectClass=nsAdminResourceEditorExtension)" attrs=ALL
> [30/Aug/2018:14:28:03 -0400] conn=1035324 op=4 RESULT err=32 tag=101
> nentries=0 etime=0
>
>
> Thank you,
> -Cassie
>
> Cassandra Reed
> 978-762-4222
> EDP Systems Analyst III
> North Shore Community College
> 1 Ferncroft Road, Danvers MA 01923
>
>
> On Thu, Aug 30, 2018 at 9:44 AM Mark Reynolds 
> wrote:
>
>> Are you logging in as Directory Manager?
>>
>> If you are, perhaps the o=netscaperoot suffix was removed from DS?  You
>> need to look at the access log in this case and what it's doing when you
>> log in.
>>
>> Mark
>>
>>
>


[389-users] Re: 389 console is blank

2018-08-30 Thread Mark Reynolds



On 08/30/2018 03:07 PM, Cassandra Reed wrote:

Hi Mark,

You are correct, it does appear that the o=netscaperoot suffix was 
removed.

No, I think it's still there.  Try this search:

    # ldapsearch -D "cn=directory manager" -W -b o=netscaperoot objectclass=* dn


Maybe try restarting the admin server:

    # restart-ds-admin


Are you replicating o=netscaperoot by any chance?

Mark


Below is a bit of the access log file during the launch of the 
console.  We have two other servers that this Master was replicating 
to, is it possible to export the netscaperoot from one of those other 
two servers and import to the Master?  What would this require and 
would it be service impacting at all?  (Reboot of the server/etc.)  
One of the servers hasn't been replicating in some time, would an 
older version of netscaperoot have any impact on the userroot directory?


[30/Aug/2018:14:28:03 -0400] conn=1035324 fd=79 slot=79 connection 
from 127.0.0.1 to 127.0.0.1
[30/Aug/2018:14:28:03 -0400] conn=1035324 op=0 BIND dn="cn=Directory 
Manager" method=128 version=3
[30/Aug/2018:14:28:03 -0400] conn=1035324 op=0 RESULT err=0 tag=97 
nentries=0 etime=0 dn="cn=directory manager"
[30/Aug/2018:14:28:03 -0400] conn=1035324 op=1 SRCH 
base="cn=user,cn=DefaultObjectClassesContainer,ou=1.1,ou=admin,ou=Global 
Preferences,ou=northshore.edu,o=NetscapeRoot"
scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
[30/Aug/2018:14:28:03 -0400] conn=1035324 op=1 RESULT err=32 tag=101 
nentries=0 etime=0
[30/Aug/2018:14:28:03 -0400] conn=1035324 op=2 SRCH 
base="cn=group,cn=DefaultObjectClassesContainer,ou=1.1,ou=admin,ou=Global 
Preferences,ou=northshore.edu,o=NetscapeRoot"
scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
[30/Aug/2018:14:28:03 -0400] conn=1035324 op=2 RESULT err=32 tag=101 
nentries=0 etime=0
[30/Aug/2018:14:28:03 -0400] conn=1035324 op=3 SRCH 
base="cn=OU,cn=DefaultObjectClassesContainer,ou=1.1,ou=admin,ou=Global 
Preferences,ou=northshore.edu,o=NetscapeRoot"
scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
[30/Aug/2018:14:28:03 -0400] conn=1035324 op=3 RESULT err=32 tag=101 
nentries=0 etime=0
[30/Aug/2018:14:28:03 -0400] conn=1035324 op=4 SRCH 
base="cn=ResourceEditorExtension,ou=1.1,ou=admin,ou=Global 
Preferences,ou=northshore.edu,o=NetscapeRoot"
scope=1 filter="(objectClass=nsAdminResourceEditorExtension)" attrs=ALL
[30/Aug/2018:14:28:03 -0400] conn=1035324 op=4 RESULT err=32 tag=101 
nentries=0 etime=0



Thank you,
-Cassie

Cassandra Reed
978-762-4222
EDP Systems Analyst III
North Shore Community College
1 Ferncroft Road, Danvers MA 01923


On Thu, Aug 30, 2018 at 9:44 AM Mark Reynolds wrote:


Are you logging in as Directory Manager?

If you are, perhaps the o=netscaperoot suffix was removed from
DS?  You need to look at the access log in this case and what it's
doing when you log in.

Mark






[389-users] please review: PR 49933 - Crash in delete_passwdPolicy when persistent search connections are terminated unexpectedly

2018-08-30 Thread Mark Reynolds

https://pagure.io/389-ds-base/pull-request/49933


[389-users] Re: ds-privilege-name equivalent

2018-08-30 Thread Mark Reynolds



On 08/30/2018 12:04 PM, rai...@ultra-secure.de wrote:

On 2018-08-30 00:48, William Brown wrote:

On Wed, 2018-08-22 at 12:41 +0200, rai...@ultra-secure.de wrote:

Hi,

I have a few users in my open-ds dump that have the following
attribute:

ds-privilege-name: password-reset


Does something like this exist in 389-server or is it done purely on an
ACI level?


If I recall correctly, if you have the write targetattr userPassword,
you can reset someone's password. I think this is a good example where
we need to document this better as password reset is a common
requirement.

I've CCed on our documentation wizard who may know where this is found,
or where it should be added.




Hi,

thanks for the feedback.

I used "Passwd Admins" feature.

dn: cn=Passwd Admins,dc=the,dc=domain,dc=ch
changetype: add
objectClass: top
objectClass: groupOfUniqueNames
cn: PasswordAdminsGroup
description: Users in this group can change passwords
uniqueMember: cn=TechUser,dc=the,dc=domain,dc=ch
uniqueMember: cn=reg,dc=appusers,dc=the,dc=domain,dc=ch


dn: cn=config
changetype: modify
replace: passwordAdminDN
passwordAdminDN: cn=Passwd Admins,dc=the,dc=domain,dc=ch


These two users had the ds-privilege-name: password-reset attribute

Is that correct?

Correct, the password admin feature gives a user or a group (like what
you did) full unrestricted access for setting user passwords. They can
reset passwords, add prehashed passwords, and add passwords that violate
the server's password policy, etc.


http://www.port389.org/docs/389ds/design/password-administrator.html

Mark







Best Regards
Rainer
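One way to list who holds the password administrator privilege described above, as an added example that is not part of the thread or of 389 Directory Server: it reads an LDIF export, finds every passwordAdminDN value and expands a group target into its uniqueMember/member values. The sample LDIF is constructed from the DNs in the thread; the function names and the simplified DN normalization are assumptions.

```python
import base64

# Constructed sample built from the DNs in this thread; the last value is
# folded across two lines to exercise LDIF line continuation.
SAMPLE_LDIF = """\
dn: cn=config
passwordAdminDN: cn=Passwd Admins,dc=the,dc=domain,dc=ch

dn: cn=Passwd Admins,dc=the,dc=domain,dc=ch
objectClass: top
objectClass: groupOfUniqueNames
cn: PasswordAdminsGroup
uniqueMember: cn=TechUser,dc=the,dc=domain,dc=ch
uniqueMember: cn=reg,dc=appusers,
 dc=the,dc=domain,dc=ch
"""


def norm_dn(dn):
    """Simplified DN normalization (assumption: no escaped commas in RDNs)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_ldif(text):
    """Return {normalized dn: {lowercased attribute: [values]}}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded line continues the previous one
        elif not raw.startswith("#"):     # skip LDIF comments
            lines.append(raw)
    entries, current = {}, None
    for line in lines:
        if not line.strip():
            current = None                # blank line ends the record
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):         # "attr:: <base64 value>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        attr = attr.strip().lower()
        if attr == "dn":
            current = entries.setdefault(norm_dn(value), {"dn": [value]})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def effective_password_admins(ldif_text):
    """Map each passwordAdminDN value to the DNs that hold the privilege."""
    entries = parse_ldif(ldif_text)
    result = {}
    for entry in entries.values():
        for target in entry.get("passwordadmindn", []):
            group = entries.get(norm_dn(target), {})
            members = group.get("uniquemember", []) + group.get("member", [])
            # No member values: the DN names a single user, or a group that
            # is absent from this export and needs a manual check.
            result[target] = sorted(members) if members else [target]
    return result


if __name__ == "__main__":
    for target, holders in effective_password_admins(SAMPLE_LDIF).items():
        print(target)
        for dn in holders:
            print("  can set any password:", dn)
```
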


[389-users] Re: Multi-Master tutorial

2018-08-30 Thread Michal Medvecky
I like this one much more:

https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/deployment_guide/Designing_the_Replication_Process-Common_Replication_Scenarios#Multi_Master_Replication-Multi_Master_Replication_Configuration_A_Four_Suppliers
 



> On 30 Aug 2018, at 18:05, rai...@ultra-secure.de wrote:
> 
> Hi,
> 
> there is this tutorial:
> 
> http://directory.fedoraproject.org/docs/389ds/howto/howto-walkthroughmultimasterssl.html
> 
> 
> But it seems very old.
> 
> 
> Does it still apply?
> 
> 
> 
> Best Regards
> Rainer


[389-users] Multi-Master tutorial

2018-08-30 Thread rainer

Hi,

there is this tutorial:

http://directory.fedoraproject.org/docs/389ds/howto/howto-walkthroughmultimasterssl.html


But it seems very old.


Does it still apply?



Best Regards
Rainer


[389-users] Re: ds-privilege-name equivalent

2018-08-30 Thread rainer

On 2018-08-30 00:48, William Brown wrote:

On Wed, 2018-08-22 at 12:41 +0200, rai...@ultra-secure.de wrote:

Hi,

I have a few users in my open-ds dump that have the following
attribute:

ds-privilege-name: password-reset


Does something like this exist in 389-server or is it done purely on an
ACI level?


If I recall correctly, if you have the write targetattr userPassword,
you can reset someone's password. I think this is a good example where
we need to document this better as password reset is a common
requirement.

I've CCed on our documentation wizard who may know where this is found,
or where it should be added.




Hi,

thanks for the feedback.

I used "Passwd Admins" feature.

dn: cn=Passwd Admins,dc=the,dc=domain,dc=ch
changetype: add
objectClass: top
objectClass: groupOfUniqueNames
cn: PasswordAdminsGroup
description: Users in this group can change passwords
uniqueMember: cn=TechUser,dc=the,dc=domain,dc=ch
uniqueMember: cn=reg,dc=appusers,dc=the,dc=domain,dc=ch


dn: cn=config
changetype: modify
replace: passwordAdminDN
passwordAdminDN: cn=Passwd Admins,dc=the,dc=domain,dc=ch


These two users had the ds-privilege-name: password-reset attribute

Is that correct?




Best Regards
Rainer