[389-users] Allow filters through PTA Plugin

2018-11-06 Thread LHEUREUX Bernard
Hi all,

I'm pretty new to using 389-DS and I would like to know if some of you 
could help me achieve a feature that would:

Have a 389-Directory server in front of AD Domain Controllers acting as an "ldap 
proxy" to protect access to the DCs, but allowing users to authenticate with 
their AD LDAP account AND allowing retrieval of the list of group members (via 
filters) from AD through PTA?

Is that possible, and how could I achieve this?

Thanks for your help

Bernard Lheureux.
This message, sent electronically, and all of its attachments contain information 
that may be confidential or protected. This information is intended solely for 
the use of the persons or entities named in the 'To', 'Cc' and 'Bcc' fields. If 
you are not one of these recipients, be aware that any form, partial or complete, 
of disclosure, copying, distribution or use of this information is strictly 
prohibited. If you have received this message in error, please notify us by 
telephone or by e-mail and destroy the information immediately. This message 
commits only its signatory and in no way their employer.
___
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org


[389-users] Re: Allow filters through PTA Plugin

2018-11-06 Thread Mark Reynolds


On 11/6/18 4:04 AM, LHEUREUX Bernard wrote:

Hi all,

I'm pretty new to using 389-DS and I would like to know if some of you 
could help me achieve a feature that would:

Have a 389-Directory server in front of AD Domain Controllers acting as an "ldap 
proxy" to protect access to the DCs, but allowing users to authenticate with their 
AD LDAP account AND allowing retrieval of the list of group members (via filters) from 
AD through PTA?

Is that possible, and how could I achieve this?


Yes, but you need to use SSSD as well:

https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/pam-pta#pam-pta-sssd

I personally have not done this, but it is documented in the 
Administration Guide.


HTH,
Mark



Thanks for your help

Bernard Lheureux.
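Added example, not from the thread or from the 389-DS project: the 389-DS side of the SSSD-backed PAM pass-through setup that Mark's link describes, as shell functions emitting the PAM service file and the plugin configuration LDIF. It assumes SSSD on the directory host is already joined to the AD domain, and the suffix, PAM service name, instance name and password variable are placeholders.

```shell
# Assumed layout: binds for entries under ou=people are handed by the
# PAM Pass Through Auth plugin to PAM service "ldapserver", whose stack is
# just pam_sss.so, so SSSD checks the password against the AD domain.

# PAM stack the plugin calls (written to /etc/pam.d/ldapserver).
pam_service_file() {
  cat <<'EOF'
auth     required  pam_sss.so
account  required  pam_sss.so
EOF
}

# Plugin configuration. pamSecure TRUE refuses to forward a password that
# arrived over a cleartext connection; pamFallback FALSE means a failed PAM
# authentication is not retried against a local userPassword; ENTRY/uid
# maps the bound entry's uid to the PAM login name.
pam_pta_ldif() {
  cat <<'EOF'
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
-
replace: pamService
pamService: ldapserver
-
replace: pamIDMapMethod
pamIDMapMethod: ENTRY
-
replace: pamIDAttr
pamIDAttr: uid
-
replace: pamFallback
pamFallback: FALSE
-
replace: pamSecure
pamSecure: TRUE
-
replace: pamIncludeSuffix
pamIncludeSuffix: ou=people,dc=example,dc=com
EOF
}
```

Apply with `pam_service_file > /etc/pam.d/ldapserver`, `pam_pta_ldif | ldapmodify -x -D "cn=Directory Manager" -w "$DM_PW"` and a restart of `dirsrv@X.service`. The plugin only delegates the bind itself; the user and group entries that clients will filter on still have to exist in 389-DS.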


[389-users] Unable to enable SSL using ldapmodify on 389-Directory/1.3.7.5

2018-11-06 Thread Jason Jenkins
Hi, I'm in the process of migrating from 389-Directory/1.2.11.15 to 
389-Directory/1.3.7.5. I'm trying to automate the setup. I'm finding that I can 
no longer enable SSL via the command line using ldapmodify. For the 1.3.7.5 setup 
I followed 
https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/enabling_tls.
After restarting the service, SSL is not enabled. I am able to use the Admin 
Console to enable SSL. I found that the following is missing when I set up 
via ldapmodify vs the Admin Console.


The following is missing even after following the Red Hat documentation.

nsSSL3: on
nsSSL3Ciphers: -rsa_null_md5,-rsa_null_sha,+rsa_rc4_128_md5,+
sa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+
,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_exp
56_sha,+tls_rsa_export1024_with_des_cbc_sha,+tls_rsa_aes_128
_256_sha
nsKeyfile: alias/slapd-X-key3.db
nsCertfile: alias/slapd-X-cert8.db

# RSA, encryption, config
dn: cn=RSA,cn=encryption,cn=config
nsSSLToken: internal (software)
nsSSLPersonalitySSL: server-cert
nsSSLActivation: on
objectClass: top
objectClass: nsEncryptionModule
cn: RSA




I notice that when I make the changes via ldapmodify it says that the 
changes have been made successfully, but they don't show up in a search, either 
before or after a service restart. Also, "nsslapd-security" never changes from off to 
on via a command-line edit. Here is some info about my system.


OS: CentOS Linux release 7.5.1804 (Core)
389 packages installed:
389-adminutil-1.1.21-2.el7.x86_64
389-admin-console-doc-1.1.12-1.el7.noarch
389-admin-console-1.1.12-1.el7.noarch
389-ds-base-libs-1.3.7.5-28.el7_5.x86_64
389-ds-console-1.2.16-1.el7.noarch
389-ds-1.2.2-6.el7.noarch
389-ds-base-1.3.7.5-28.el7_5.x86_64
389-ds-console-doc-1.2.16-1.el7.noarch
389-admin-1.1.46-1.el7.x86_64
389-console-1.1.18-1.el7.noarch
389-dsgw-1.1.11-5.el7.x86_64

Version of Directory Server: 389-Directory/1.3.7.5 B2018.269.1826

Commands executing:

ldapmodify -x -D "cn=Directory Manager" -w  << EOF
dn: cn=config
changetype: modify
replace: nsslapd-securePort
nsslapd-securePort: 636
-
replace: nsslapd-security
nsslapd-security: on

dn: cn=RSA,cn=encryption,cn=config
changetype: modify
replace: nsSSLToken
nsSSLToken: internal (software)
-
replace: nsSSLPersonalitySSL
nsSSLPersonalitySSL: server-cert
-
replace: nsSSLActivation
nsSSLActivation: on
EOF


systemctl restart dirsrv@X.service


[389-users] Re: Unable to enable SSL using ldapmodify on 389-Directory/1.3.7.5

2018-11-06 Thread Mark Reynolds


On 11/6/18 4:43 PM, Jason Jenkins wrote:


Hi, I'm in the process of migrating from 389-Directory/1.2.11.15 to 
389-Directory/1.3.7.5. I'm trying to automate the setup. I'm finding 
that I can no longer enable SSL via the command line using ldapmodify. 
For the 1.3.7.5 setup I followed 
https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/enabling_tls. 
After restarting the service, SSL is not enabled. I am able to use the 
Admin Console to enable SSL. I found that the following is missing 
when I set up via ldapmodify vs the Admin Console.


The following is missing even after following the Red Hat documentation.

nsSSL3: on
nsSSL3Ciphers: -rsa_null_md5,-rsa_null_sha,+rsa_rc4_128_md5,+
sa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+
,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_exp
56_sha,+tls_rsa_export1024_with_des_cbc_sha,+tls_rsa_aes_128
_256_sha

^^^ This is not required, and in fact most of the ciphers seem outdated, 
but that should not be contributing to the problem.


nsKeyfile: alias/slapd-X-key3.db
nsCertfile: alias/slapd-X-cert8.db

# RSA, encryption, config
dn: cn=RSA,cn=encryption,cn=config
nsSSLToken: internal (software)
nsSSLPersonalitySSL: server-cert
nsSSLActivation: on
objectClass: top
objectClass: nsEncryptionModule
cn: RSA


This is mentioned in the admin guide link you provided.


I notice that when I make the changes via ldapmodify it says that 
the changes have been made successfully, but they don't show up in a 
search, either before or after a service restart. Also, "nsslapd-security" 
never changes from off to on via a command-line edit. Here is some info 
about my system.


Is there anything in the errors log after the restart?  FYI, I've never 
heard of config settings that get reverted after a restart.


One thing to try for debugging purposes is to enable the audit log to 
verify the server accepted the changes in the first place.


So I would start over again using ldapmodify (with the audit log 
enabled). When things get messed up after the restart, please provide us 
with the audit and errors logs.


Thanks,

Mark


*OS*: CentOS Linux release 7.5.1804 (Core)

*389 packages installed*:
389-adminutil-1.1.21-2.el7.x86_64
389-admin-console-doc-1.1.12-1.el7.noarch
389-admin-console-1.1.12-1.el7.noarch
389-ds-base-libs-1.3.7.5-28.el7_5.x86_64
389-ds-console-1.2.16-1.el7.noarch
389-ds-1.2.2-6.el7.noarch
389-ds-base-1.3.7.5-28.el7_5.x86_64
389-ds-console-doc-1.2.16-1.el7.noarch
389-admin-1.1.46-1.el7.x86_64
389-console-1.1.18-1.el7.noarch
389-dsgw-1.1.11-5.el7.x86_64

*Version of Directory Server*: 389-Directory/1.3.7.5 B2018.269.1826

*Commands executing*:

ldapmodify -x -D "cn=Directory Manager" -w  << EOF
dn: cn=config
changetype: modify
replace: nsslapd-securePort
nsslapd-securePort: 636
-
replace: nsslapd-security
nsslapd-security: on

dn: cn=RSA,cn=encryption,cn=config
changetype: modify
replace: nsSSLToken
nsSSLToken: internal (software)
-
replace: nsSSLPersonalitySSL
nsSSLPersonalitySSL: server-cert
-
replace: nsSSLActivation
nsSSLActivation: on
EOF

systemctl restart dirsrv@X.service


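Added example, not from the thread: Jason's TLS change as one LDIF with the audit log Mark suggests enabled in a first record (so the later records are recorded if the server accepts them), plus a check that reads ldapsearch output and reports which expected values are absent, instead of trusting ldapmodify's success message. It assumes instance name "X", certificate nickname "server-cert" and the Directory Manager password in `$DM_PW`, all placeholders.

```shell
# Three modify records in order: audit log on, then the cn=config TLS
# settings, then the RSA encryption entry (values as in the thread).
tls_ldif() {
  cat <<'EOF'
dn: cn=config
changetype: modify
replace: nsslapd-auditlog-logging-enabled
nsslapd-auditlog-logging-enabled: on

dn: cn=config
changetype: modify
replace: nsslapd-securePort
nsslapd-securePort: 636
-
replace: nsslapd-security
nsslapd-security: on

dn: cn=RSA,cn=encryption,cn=config
changetype: modify
replace: nsSSLToken
nsSSLToken: internal (software)
-
replace: nsSSLPersonalitySSL
nsSSLPersonalitySSL: server-cert
-
replace: nsSSLActivation
nsSSLActivation: on
EOF
}

# Read ldapsearch LDIF output on stdin, print every expected
# "attribute: value" line that is absent and return 1 if any is missing,
# so the restart only happens once the config is verified in the server.
missing_tls_attrs() {
  out=$(cat)
  rc=0
  for want in 'nsslapd-security: on' 'nsslapd-securePort: 636' \
              'nsSSLActivation: on' 'nsSSLPersonalitySSL: server-cert'; do
    printf '%s\n' "$out" | grep -qxF "$want" || { echo "missing: $want"; rc=1; }
  done
  return $rc
}
```

Apply with `tls_ldif | ldapmodify -x -D "cn=Directory Manager" -w "$DM_PW"`, then pipe `ldapsearch -x -D "cn=Directory Manager" -w "$DM_PW" -b cn=config -s sub '(|(cn=config)(cn=RSA))' nsslapd-security nsslapd-securePort nsSSLActivation nsSSLPersonalitySSL` into `missing_tls_attrs` both before and after `systemctl restart dirsrv@X.service`, keeping the audit and errors logs if the two results differ.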