[389-users] report script
Hi,

sorry for this dumb question but I've been searching for it and I can't find it anywhere.

Where's the script that shows you a report of most searched objects and other performance related stuff? I remember using it in my old installations to adjust some indexes but I've been playing lately with a lot of different versions and I don't see it in /usr/lib/dirsrv/

Thanks for your time,

abosch

--
Institut Mallorqui d'Afers Socials. This message and, where applicable, any attached file are addressed exclusively to the person who is their recipient and may contain confidential information. Under no circumstances may you copy this message or pass it on to third parties without the express permission of IMAS. If you are not the recipient indicated (or the person responsible for delivering it to them), we ask you to notify the sender's e-mail address immediately. Before printing this message, consider whether it is really necessary.

___
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[389-users] Re: fips enabled error
> > is it possible to lower the severity of fips enabled info from ERR
> > to WARN in messages like this?
> Absolutely, changing it now...

wow! that was truly fast :)

thanks a lot for your time,

abosch
[389-users] fips enabled error
Hi,

is it possible to lower the severity of fips enabled info from ERR to WARN in messages like this?

[17/May/2021:10:57:02.753271017 +] - ERR - slapd_system_isFIPS - Can not access /proc/sys/crypto/fips_enabled - assuming FIPS is OFF

it can seem a cosmetic change but it breaks my monitoring scripts.

thanks in advance,

abosch
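An added example, not from the post or the 389-ds project: a parser for lines in the format quoted above that keys a severity downgrade on the function name and message text rather than on the logged level, so a monitoring script can keep alerting on every other ERR while treating this one as WARN. The log lines are constructed samples; the quoted line does not show its timezone offset, so +0200 is filled in for the sample.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed sample lines in the format of the 389-ds errors log. The first
# one is the message quoted in the post (offset +0200 filled in for the
# sample); the others are made up to exercise the triage logic.
SAMPLE_LOG = """\
[17/May/2021:10:57:02.753271017 +0200] - ERR - slapd_system_isFIPS - Can not access /proc/sys/crypto/fips_enabled - assuming FIPS is OFF
[17/May/2021:10:57:02.801000000 +0200] - INFO - main - sample startup message (constructed)
[17/May/2021:10:57:03.112000000 +0200] - ERR - sample_backend_start - sample database open failure (constructed)
[17/May/2021:10:57:03.223000000 +0200] - WARN - sample_cert_check - sample certificate warning (constructed)
garbage line that a monitoring script should not silently skip
"""

# [timestamp] - SEVERITY - function - message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] - (?P<sev>[A-Z]+) - (?P<func>\S+) - (?P<msg>.*)$"
)

# Severity names as printed by 389-ds, most severe first.
SEVERITY_RANK: Dict[str, int] = {
    name: rank
    for rank, name in enumerate(
        ["EMERG", "ALERT", "CRIT", "ERR", "WARN", "NOTICE", "INFO", "DEBUG"]
    )
}

# Known-benign messages whose logged severity overstates the problem:
# (function, message prefix, severity to treat it as). Matching on function
# and message text, not on the level alone, keeps every other ERR alerting.
DOWNGRADES = [
    ("slapd_system_isFIPS", "Can not access /proc/sys/crypto/fips_enabled", "WARN"),
]


@dataclass
class LogEvent:
    timestamp: str
    severity: str
    function: str
    message: str


def parse_line(line: str) -> Optional[LogEvent]:
    """Return a LogEvent for a well-formed errors-log line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return LogEvent(m["ts"], m["sev"], m["func"], m["msg"])


def effective_severity(ev: LogEvent) -> str:
    """Apply the downgrade table; unknown messages keep their logged level."""
    for func, prefix, new_sev in DOWNGRADES:
        if ev.function == func and ev.message.startswith(prefix):
            return new_sev
    return ev.severity


def triage(lines: Iterable[str], threshold: str = "ERR") -> Dict[str, list]:
    """Split lines into events at or above `threshold` (after downgrades)
    and lines that did not parse at all, which deserve a look of their own."""
    limit = SEVERITY_RANK[threshold]
    alerts: List[LogEvent] = []
    unparsed: List[str] = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            unparsed.append(line)
            continue
        # An unknown severity name is treated as most severe (rank 0).
        if SEVERITY_RANK.get(effective_severity(ev), 0) <= limit:
            alerts.append(ev)
    return {"alerts": alerts, "unparsed": unparsed}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines())
    for ev in result["alerts"]:
        print(f"ALERT {ev.severity} {ev.function}: {ev.message}")
    for line in result["unparsed"]:
        print(f"UNPARSED: {line}")
```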
[389-users] Re: gecos syntax
> * sanitise the data to be ia5 compliant IE remove accents etc.

I did just that and I leave it here in case anyone is facing the same problem (it's a one-liner):

cat original-data.ldif | perl -pe 's,^gecos:.*,`echo -n "$&" | iconv -f utf-8 -t ascii//translit`,gei' > sanitized-data.ldif

in my server with 12656 entries and 456278 lines it takes 26 seconds to complete.

as always, thanks for your time.

abosch
[389-users] gecos syntax
I'm testing a migration from 1.2.8 to the latest version and I'm facing some problem while importing data:

ldap_add: Invalid syntax (21)
        additional info: gecos: value #0 invalid per syntax

I understand that I'm using UTF8 data here (ÁLBA GARCÍA LÓPEZ) so I have two questions:

why do old versions allow filling that data if it's against syntax?

is there any problem if I change syntax from 1.3.6.1.4.1.1466.115.121.1.26 to 1.3.6.1.4.1.1466.115.121.1.15 in my schemas?

thanks in advance,

abosch
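An added example, not from either post: the accent stripping that the perl one-liner in the reply above does, written in Python so that it also covers the base64-encoded form (`gecos:: ...`) in which an LDIF export writes values containing non-ASCII bytes, and RFC 2849 folded continuation lines. The LDIF is a constructed sample built around the name quoted in the question; the IA5 mapping uses Unicode decomposition, so unlike iconv's translit it does not expand ß or ligatures.

```python
import base64
import re
import unicodedata
from typing import List, Tuple

# Constructed sample LDIF. An export writes a non-ASCII value base64-encoded
# after "gecos::", and long values may be folded onto continuation lines that
# start with a single space.
_NAME = "ÁLBA GARCÍA LÓPEZ"
_B64 = base64.b64encode(_NAME.encode("utf-8")).decode("ascii")
SAMPLE_LDIF = (
    "dn: uid=alba,ou=People,dc=example,dc=com\n"
    "objectClass: posixAccount\n"
    "uid: alba\n"
    "gecos:: " + _B64[:12] + "\n"
    " " + _B64[12:] + "\n"          # folded continuation of the base64 value
    "\n"
    "dn: uid=jon,ou=People,dc=example,dc=com\n"
    "objectClass: posixAccount\n"
    "uid: jon\n"
    "gecos: Jon Snow\n"             # plain ASCII value, must be left untouched
    "\n"
)

# "gecos: value" (plain) or "gecos:: value" (base64); attribute names are
# case-insensitive in LDIF, like the /i flag on the perl one-liner.
ATTR_RE = re.compile(r"^(?P<name>gecos)(?P<sep>::?) ?(?P<value>.*)$", re.IGNORECASE)


def unfold(lines: List[str]) -> List[str]:
    """Join RFC 2849 continuation lines (leading space) onto the previous line."""
    out: List[str] = []
    for line in lines:
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def to_ia5(value: str) -> str:
    """Decompose accented letters, drop the combining marks, then drop
    anything that is still outside ASCII (the IA5 repertoire)."""
    decomposed = unicodedata.normalize("NFKD", value)
    no_marks = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return no_marks.encode("ascii", "ignore").decode("ascii")


def ldif_safe(value: str) -> bool:
    """RFC 2849: a value may be written plainly only if it is ASCII, has no
    CR/LF, does not start with space, ':' or '<' and does not end with space."""
    return (
        value.isascii()
        and "\n" not in value and "\r" not in value
        and not value.startswith((" ", ":", "<"))
        and not value.endswith(" ")
    )


def sanitize_line(line: str) -> Tuple[str, bool]:
    """Return the (possibly rewritten) line and whether it was changed."""
    m = ATTR_RE.match(line)
    if not m:
        return line, False
    if m["sep"] == ":" and m["value"].startswith("<"):
        return line, False               # "gecos:< url" reference, leave alone
    if m["sep"] == "::":
        value = base64.b64decode(m["value"]).decode("utf-8")
    else:
        value = m["value"]
    clean = to_ia5(value)
    if clean == value:
        return line, False
    if ldif_safe(clean):
        return f"{m['name']}: {clean}", True
    enc = base64.b64encode(clean.encode("ascii")).decode("ascii")
    return f"{m['name']}:: {enc}", True   # e.g. a leading space survived


def sanitize_ldif(text: str) -> Tuple[str, int]:
    """Rewrite every gecos value to IA5; returns the new LDIF and a change count."""
    changed = 0
    out: List[str] = []
    for line in unfold(text.splitlines()):
        new, did = sanitize_line(line)
        changed += did
        out.append(new)
    return "\n".join(out) + "\n", changed


if __name__ == "__main__":
    new_text, n = sanitize_ldif(SAMPLE_LDIF)
    print(f"{n} gecos value(s) rewritten")
    print(new_text)
```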
[389-users] Re: plugin naming
ok, I understand.

Can I suggest that this form

dsconf myinstance plugin retro-changelog enable

also accepts the CN value as plugin name? it would be easier than jumping from one syntax to another.

I can open a bug/issue if you want.

best regards,

abosch

- Original message -
> From: "Marc Sauton"
> To: "General discussion list for the 389 Directory server project." <389-users@lists.fedoraproject.org>
> Sent: Tuesday, 11 May 2021 19:58:28
> Subject: [389-users] Re: plugin naming
>
> and that should have:
> https://github.com/389ds/389-ds-base/blob/master/src/lib389/lib389/cli_conf/plugins/retrochangelog.py
> def create_parser(subparsers):
>     retrochangelog = subparsers.add_parser('retro-changelog',
>                                            help='Manage and configure Retro Changelog plugin')
>
> Thanks,
> Marc S.
>
>
> On Tue, May 11, 2021 at 12:51 AM Angel Bosch Mora wrote:
>
> > > it was likely the right time to have this change.
> > > and not subject to change anytime soon.
> > >
> > > is it possible a 389-ds-base-1.4.0 from before March 2019 still lurking around?
> > >
> >
> > I'm using debian packages:
> >
> > dpkg -l | grep 389-ds-base
> > ii  389-ds-base             1.4.4.11-1   amd64   389 Directory Server suite - server
> > ii  389-ds-base-libs:amd64  1.4.4.11-1   amd64   389 Directory Server suite - libraries
> >
> > they seem pretty new to me.
> >
> > abosch
[389-users] Re: plugin naming
> it was likely the right time to have this change.
> and not subject to change anytime soon.
>
> is it possible a 389-ds-base-1.4.0 from before March 2019 still lurking around?
>

I'm using debian packages:

dpkg -l | grep 389-ds-base
ii  389-ds-base             1.4.4.11-1   amd64   389 Directory Server suite - server
ii  389-ds-base-libs:amd64  1.4.4.11-1   amd64   389 Directory Server suite - libraries

they seem pretty new to me.

abosch
[389-users] plugin naming
hi,

I vaguely remember discussing this some time ago but I can't find it now.

what's the difference between

dsconf myinstance plugin set --enabled on "Retro Changelog Plugin"

and

dsconf myinstance plugin retro-changelog enable

?

is any of them going to be deprecated?

I also noticed that the short name is different between versions/distributions (retro-changelog vs retrochangelog), so I prefer to use "Retro Changelog Plugin" if possible for scripting purposes.

is that the right way to do it?

best regards,

abosch
[389-users] Re: plugin names and debian packages
> >> As sysadmin I create a lot of scripts to install/manage services
> >> and it is confusing having commands that change that often.
>
> You may find it "more stable" to use lib389 directly rather than the
> CLI then. I think the team should talk about the CLI having an
> "interface guarantee", and today I don't think I personally would
> want to commit to that (but the team hasn't decided on this). I
> still see room to change and grow the CLI in ways that may be
> breaking, but the core of lib389 today seems "pretty stable".
>

I understand your recommendation but I don't think I'm going to do that, and I think I "shouldn't" do that.

my job as sysadmin is installing, managing, maintaining and monitoring, and dsconf wrapping is just what I need. If I have, for example, a command that tells me if a drive is out of space I don't expect to change that command over the years on different linux systems with different versions.

I understand that 389 is under heavy refactoring these last years, I'm just a little bit tired of version conditionals in my recipes (and by the way, I can't find an easy method to check the version with dsconf/dsctl, worth a feature request?).

so taking my own example I just expect that `dsconf instance plugin retro-changelog enable' is still valid a year/version later.

again, please take my point of view as a frustrated admin with too many tasks to do and too few beers to have in my free time (everything is closed right now in Mallorca :P)

cheers,

abosch
[389-users] plugin names and debian packages
hi!

I'm testing my install recipes on debian and I've found two little problems.

on CentOS I execute

dsconf myinstance plugin retro-changelog enable

but today I tried in debian and it says it is an invalid choice:

dsconf instance plugin: error: invalid choice: 'retro-changelog' (choose from 'memberof', 'automember', 'referint', 'rootdn', 'usn', 'accountpolicy', 'attruniq', 'dna', 'linkedattr', 'managedentries', 'passthroughauth', 'retrochangelog', 'whoami', 'list', 'get', 'edit')

So retro-changelog is now called retrochangelog. Is that a Debian thing or did it change its name in a recent version?

In addition I executed the command with the new name and it gives me a message without a correct variable.

dsconf myinstance plugin retrochangelog enable
Enabled plugin '%s'
Retro Changelog Plugin

dsconf myinstance plugin retrochangelog status
Plugin '%s' is enabled
Retro Changelog Plugin

it seems a cosmetic error but I just want to be sure if I need to open a bug.

here are the versions of the packages:

dpkg -l | grep 389
ii  389-ds-base               1.4.0.21-1   amd64   389 Directory Server suite - server
ii  389-ds-base-legacy-tools  1.4.0.21-1   amd64   Legacy utilities for 389 Directory Server
ii  389-ds-base-libs:amd64    1.4.0.21-1   amd64   389 Directory Server suite - libraries
ii  python3-lib389            1.4.0.21-1   all     Python3 module for accessing and configuring the 389 Directory Server

thanks in advance,

abosch
[389-users] Re: impact of the CentOS Stream drama
> The 'core team' does not have much involvement in the debian 389-ds
> packaging process, but the debian maintainer has always been
> responsive and done a great job from what I am able to observe. I
> would expect there to be "very little" difference between debian and
> centos 389-ds packages.
>
> Additionally, you could also consider opensuse leap and/or suse linux
> enterprise if you want paid support (disclosure - I work for suse
> and am paid to maintain 389-ds in those distributions).
>

thanks a lot for your detailed response. I'm more a Debian guy but I'm willing to test opensuse.

best regards,

abosch
[389-users] impact of the CentOS Stream drama
hi,

I'm not sure if this has been discussed here. Will this project be impacted in some way by the CentOS decision?

I'm about to start a new setup and I wanted to use CentOS, but now I'm thinking about Debian. In that regard, is there any difference between Debian packages and CentOS ones?

thanks in advance,

abosch
[389-users] Re: unattended request cert process
> depending on your version of 389, look at "dsctl tls import-ca"
>
> {william@ldapkdc 9:12} ~/development $ dsctl localhost tls import-ca --help
> usage: dsctl [instance] tls import-ca [-h] cert_path nickname
>
> positional arguments:
>   cert_path   The path to the x509 cert to import as a server CA
>   nickname    The name of the certificate once imported
>
> optional arguments:
>   -h, --help  show this help message and exit
>
> This allows you to import a PEM CA file. There are a number of other
> helpers under the tls subcommand to make cert management easier.
>

all this is pretty new, right? I can't recall reading this last time I checked docs.

anyway, my main problem is that to deploy a node in a truly unattended mode it shouldn't pause at the CSR request and continue when the CA signs certificates, so I'm trying to have some preconfigured cert databases and signed certs. If there's no way to do that, I can't dynamically create and destroy nodes.

the other option is letting the loadbalancer handle encryption, but official docs are very aggressive against that option, but I wonder if I should ignore that recommendation and encrypt at LB level.

any hints?

abosch
[389-users] unattended request cert process
hi,

some time ago I asked for a scriptable way of creating a certificate request, here's the thread:

https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org/thread/EHWWAHOO3S2HZEWJEXTQKDDRH33NLSMU/#HF7ZPVLMUK32AIEEWPEOLUJGZFXXRCEK

I didn't have the time to write anything and I would like to invest some time now.

the goal is to create an unattended script for node creation INCLUDING certification with an external CA.

I'm thinking about having several precreated certificate databases and download them to nodes. something like:

openssl rand -base64 16 > pwfile.txt && certutil -N -d . -f pwfile.txt

in several nodes and then scp/wget them to each node. also, do all CSR beforehand and already signed with our CA so I will have a repo of cert databases like:

nss/ca_root.crt
nss/ldap10
nss/ldap10/cert9.db
nss/ldap10/key4.db
nss/ldap10/ldap10.example.com.crt
nss/ldap10/pkcs11.txt
nss/ldap10/pwfile.txt
nss/ldap11
nss/ldap11/cert9.db
nss/ldap11/key4.db
nss/ldap11/ldap11.example.com.crt
nss/ldap11/pkcs11.txt
nss/ldap11/pwfile.txt
nss/ldap12
nss/ldap12/cert9.db
nss/ldap12/key4.db
nss/ldap12/ldap12.example.com.crt
nss/ldap12/pkcs11.txt
nss/ldap12/pwfile.txt
nss/ldap13
nss/ldap13/cert9.db
nss/ldap13/key4.db
nss/ldap13/ldap13.example.com.crt
nss/ldap13/pkcs11.txt
nss/ldap13/pwfile.txt
nss/ldap14
nss/ldap14/cert9.db
nss/ldap14/key4.db
nss/ldap14/ldap14.example.com.crt
nss/ldap14/pkcs11.txt
nss/ldap14/pwfile.txt
nss/ldap15
nss/ldap15/cert9.db
nss/ldap15/key4.db
nss/ldap15/ldap15.example.com.crt
nss/ldap15/pkcs11.txt
nss/ldap15/pwfile.txt

this step is the only one remaining on my recipe of unattended container creation, so any help will be really appreciated.

best regards,

abosch
[389-users] Re: precreation nss databases
> The feature doesn't exist yet, so if you write a PEM -> NSS tool, the
> project would love to accept it to our source code. It's been
> something I have wanted for a while, and recently I have been
> thinking with containers I should more seriously develop it, but if
> you wanted to add this, we would review and help you achieve it :)
>

ok, I can try to do my best. The thing is I mostly use bash for my scripts with a little python here and there, but I can try to write a helper and see if it works.

abosch
[389-users] syncrepl client
Hi,

I'm performing some tests and would like to configure a syncrepl client like this one:

https://github.com/landryb/syncrepl

but I don't find useful information. For example, in this project there's a demo script that says about the URL argument: 'An LDAP URL with all information required to do work.' but I'm not sure what it is expecting besides the fqdn and port, a filter? a basedn? both?

According to docs

https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/content-synchronization

you can do some exclusion and filtering on the server side, so I don't really know what I must configure on the client side.

does anyone have any working example of a syncrepl client?

thanks in advance,

abosch
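An added example, not from the post or the linked project: a parser for the RFC 4516 LDAP URL format in Python, showing which components such a URL can carry beyond host and port (base DN, attribute list, scope, filter, extensions) and the defaults that apply when they are left out. The URLs in it are constructed; how the linked demo script consumes the URL is not covered by the post.

```python
from dataclasses import dataclass, field
from typing import List
from urllib.parse import unquote, urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
SCOPES = ("base", "one", "sub")


@dataclass
class LdapUrl:
    scheme: str
    host: str                     # "" means no host given (use the default server)
    port: int
    base_dn: str                  # "" means the server's default / root DSE
    attributes: List[str] = field(default_factory=list)   # [] means all user attributes
    scope: str = "base"
    filter: str = "(objectClass=*)"
    extensions: List[str] = field(default_factory=list)


def parse_ldap_url(url: str) -> LdapUrl:
    """Parse an RFC 4516 LDAP URL:

        ldap[s]://[host[:port]][/dn[?attrs[?scope[?filter[?extensions]]]]]

    Fields are separated on the literal '?' (and ',') first and
    percent-decoded afterwards, so a '?' or ',' that belongs inside a
    DN, filter or attribute name has to be written as %3F / %2C.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    host = parts.hostname or ""
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    base_dn = unquote(parts.path[1:]) if parts.path.startswith("/") else ""

    # urlsplit cut the query at the first '?'; the remaining '?' are ours.
    fields = parts.query.split("?", 3)
    fields += [""] * (4 - len(fields))
    attrs_raw, scope_raw, filter_raw, ext_raw = fields

    attributes = [unquote(a) for a in attrs_raw.split(",") if a]
    scope = unquote(scope_raw).lower() or "base"
    if scope not in SCOPES:
        raise ValueError(f"invalid scope {scope_raw!r}, expected one of {SCOPES}")
    search_filter = unquote(filter_raw) or "(objectClass=*)"
    # Extensions are "name[=value]", prefixed with '!' when critical.
    extensions = [unquote(e) for e in ext_raw.split(",") if e]

    return LdapUrl(scheme, host, port, base_dn, attributes, scope, search_filter, extensions)


if __name__ == "__main__":
    # Constructed URL: host, port, base DN, two attributes, subtree scope, filter.
    print(parse_ldap_url(
        "ldap://ldap10.example.com:389/dc=example,dc=com?uid,cn?sub?(objectClass=posixAccount)"
    ))
```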
[389-users] Re: SSL configuration on dynamic deployments
> So your 4 write servers are in mmr. Then you have 2 -> N read-onlys
> as well which scale up and down.
>
> Do you plan to have ldap.example.com point to the IP's of the
> read-onlys directly? Or to a load balancer?
>

yes, we already got that.

> If this was me, just because of the scaling requirements, I would
> actually recommend TLS termination on the load balancer, then ldap
> plaintext to the 2 -> N consumers (or ldaps to the consumers where
> the LB trusts the CA that signed the readonlies. IE:
>
>
> Client -- TLS connection 1 --> [ LB ] -- TLS Connection 2 --> [READ_ONLIES]
>
> TLS connection 1 is presented by the LB, which offers a valid cert/ca
> chain. The LB then would re-encrypt but trusting the CA of tls
> connection 2 which is a self signed to the read_onlies.
>

OK, I'll try with this approach.

> Another main point here is you'll need to automate that when a
> read-only is scaled up (added), you'll need to automate the addition
> of the replication agreements to the write servers + conduct a full
> reinit on first start.
>

I'm working on that, as you can see from my previous posts, I'm developing our custom MMR script to automate everything.

> Does that help?
>

Indeed. Thanks a lot for your time,

abosch
[389-users] acis in 99user.ldif and target on subtree
Hi! two more questions:

1- when migrating should I take care about ACIs in 99user.ldif? right now there are four entries:

aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymous, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn="ldap:///cn=Configuration Administrators,ou=Groups,ou=TopologyManagement,o=NetscapeRoot";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn="ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "ldap:///cn=slapd-hhh-ng,cn=389 Directory Server,cn=Server Group,cn=xx.yy.net,ou=xx.net,o=NetscapeRoot";)
modifiersname: cn=directory manager
modifytimestamp: 20101105155413Z

but I never did those.

2- is it mandatory to specify target when setting an ACI in a subtree?

best regards,

abosch
[389-users] keeping internal attributes on export/import
hi! quick question:

is there any reason to keep modifyTimestamp, modifiersName, createTimestamp, and creatorsName when reimporting on a migration?

abosch
[389-users] Re: SSL configuration on dynamic deployments
> I think to answer this, I'd like to see a diagram or description of
> the network and deployment topology you have in mind to help advise
> for what you want to achieve here :)

It's really very simple. Think of it like the typical MMR with 4 nodes:

https://i.imgur.com/DY8aSAo.png

but the number of consumers can go from 2 to N.

all consumers are read only and we have a generic FQDN pointing to them: ldap.example.com

and writable suppliers got their FQDN too: ldapw.example.com

is that enough for you?

abosch
[389-users] keeping nsDS5ReplicaBindDN on manager deletion
I'm testing this new command:

dsconf instance replication create-manager

and when I create a new manager I can see a new nsDS5ReplicaBindDN on the replica entry.

but when I remove the manager with "delete-manager" the nsDS5ReplicaBindDN is not removed.

is there a reason for that? why do I need to maintain an old manager entry? should I file a bug?

regards,

abosch
[389-users] referral on update equivalent with dsconf
Hi,

is this new command:

dsconf instance replication set --suffix "dc=example,dc=net" --repl-add-ref master1.example.net

the same as this modification?

REF_LDIF="dn: cn=dc\=example\,dc\=net,cn=mapping tree,cn=config
changetype: modify
replace: nsslapd-referral
nsslapd-referral: ldap://master1.example.net:389/dc\=example\,dc\=net
-
replace: nsslapd-state
nsslapd-state: referral on update
"
echo "$REF_LDIF" | ldapmodify -h "$HOST" -x -D "$ROOT_DN" -w "$ROOT_PASS"

I'm trying to follow all docs https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/managing_replication-configuring-replication-cmd but with new tools, and I'm struggling with some commands.

regards,

abosch
[389-users] configuring nsslapd-referral with virtual host
hi!

I'm creating my own MMR script and I would like to know if there's any limitation with the FQDN used in nsslapd-referral as stated in https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/managing_replication-configuring-replication-cmd#Configuring-Replication-Consumers-cmd

we use a virtual IP/hostname for consumer readonly servers (ldapr.example.com) and another one for suppliers writable servers (ldapw.example.com).

we configure certs using the -8 parameter with additional hostnames so clients don't complain about name mismatch, but I'm not sure if we can find any other problem configuring nsslapd-referral with this virtual name instead of the real hostname.

any advice?

abosch
[389-users] Re: docs for 1.4
> If you have a specific question though, I'd be happy to help!

I'm glad you offered :)

these are the attributes I'm currently using:

cn:
description:
displayName::
dn:
employeeNumber:
gecos:
gidNumber:
homeDirectory:
loginShell:
mail:
manager:
member:
memberOf:
objectClass:
petraSshPublicKey:
printer-make-and-model:
printer-more-info:
printer-uri:
sambaAcctFlags:
sambaNTPassword:
sambaPasswordHistory:
sambaPwdLastSet:
sambaSID:
shadowInactive:
shadowLastChange:
shadowMax:
shadowWarning:
sn:
uid:
uidNumber:

I want to change ACIs from the old behaviour to a white list approach. Should I include objectClass in the ACIs? Do I need to create a deny-all as the last ACI so everything that is not allowed gets denied?

In your blog you talk about a toolset to test ACIs, is that tool published somewhere?

best regards,

abosch
[389-users] docs for 1.4
hi!

is there a way to access documentation for the upcoming 1.4 release? I would like to see specifically changes in ACIs as stated in this thread: https://lists.fedorahosted.org/archives/list/389-users@lists.fedoraproject.org/thread/PG5QXDAI2OI4YVIEIDG6QCFIANQPBTSJ/

thanks in advance,

abosch
[389-users] creating root suffix from cockpit
Hi,

I asked a broad question here: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org/thread/7G2Y2ZYBYB7JNOCMIGV5WQMYDAWSD6VM/

but I would like to know specifically if the root suffix can be created with cockpit.

thanks,

abosch
[389-users] Re: 389ds on lxc debian
thanks for this detailed explanation. what time frame are we talking here? 1 year? 1 month?

I'm evaluating an update/migration from my 1.2 installation and I don't mind waiting a little bit.

> As for today, the best advice I can give is use setup-ds.pl without
> the admin tools, and just manage the server from the cli via dse.ldif.
> It's not pretty sadly.

It's ok, I love working from the cli

best regards,

abosch
[389-users] Re: 389ds on lxc debian
> There are a number of users of 389-ds with lxc, just not with the
> admin console that I am aware of.

ok, so it's just the admin console that can't be installed on lxc.

is there any work being done in this matter? should I file a bug?

abosch
[389-users] 389ds on lxc debian
hi,

I'm trying to install the 1.1.43-1+b1 package on lxc with debian 9 and I get this error:

invoke-rc.d: initscript dirsrv-admin, action "start" failed.
● dirsrv-admin.service - 389 Administration Server.
   Loaded: loaded (/lib/systemd/system/dirsrv-admin.service; disabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Tue 2018-01-30 12:32:36 CET; 6ms ago
  Process: 15226 ExecStart=/usr/sbin/apache2 -k start -f /etc/dirsrv/admin-serv/httpd.conf (code=exited, status=1/FAILURE)

gen 30 12:32:35 Jafar systemd[1]: dirsrv-admin.service: Failed to reset devices.list: Operation not permitted
gen 30 12:32:35 Jafar systemd[1]: Starting 389 Administration Server
gen 30 12:32:36 Jafar systemd[1]: dirsrv-admin.service: Control process exited, code=exited status=1
gen 30 12:32:36 Jafar systemd[1]: Failed to start 389 Administration Server..
gen 30 12:32:36 Jafar systemd[1]: dirsrv-admin.service: Unit entered failed state.
gen 30 12:32:36 Jafar systemd[1]: dirsrv-admin.service: Failed with result 'exit-code'.

it seems a problem about lxc privileges. is there anyone running 389 with lxc?

regards,

abosch
Re: [389-users] Problem with samba and 389 Directory server with LDAPS
you have two server certificates with almost the same name. be careful about that.

you can inspect details with

certutil -d /etc/dirsrv/slapd-xxx01 -L -n server-cert

and

certutil -d /etc/dirsrv/slapd-xxx01 -L -n Server-cert

or use it with a simple pipe to check Alt Names:

certutil -d /etc/dirsrv/slapd-xxx01 -L -n Server-cert | grep DNS

- Original message -

> [root@xxx ZDRIVE]# certutil -d /etc/dirsrv/slapd-xxx01 -L
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> CA certificate                                               CTu,u,u
> server-cert                                                  u,u,u
> Server-Cert                                                  u,u,u
>
> Thanks Rich....
>
> From: Rich Megginson [mailto:rmegg...@redhat.com]
> Sent: Wednesday, September 28, 2011 9:24 AM
> To: General discussion list for the 389 Directory server project.
> Cc: David Hoskinson
> Subject: Re: [389-users] Problem with samba and 389 Directory server with LDAPS
>
> On 09/28/2011 06:47 AM, David Hoskinson wrote:
> > I do not have a server.crt.. I created my certs using the following page on the 389 documentation http://directory.fedoraproject.org/wiki/Howto:SSL which creates a cert8.db and key3.db
> >
> > in the past I could do certutil -L something and it would show the cert information but can't seem to find that command anymore.
>
> certutil -d /etc/dirsrv/slapd-instance -L
>
> > I can authenticate from localhost and any of the client machines even the samba server just fine... I just can't seem to get the samba service to connect. If I have set up things incorrectly I appreciate the help.
> >
> > From: 389-users-boun...@lists.fedoraproject.org [mailto:389-users-boun...@lists.fedoraproject.org] On Behalf Of Angel Bosch Mora
> > Sent: Wednesday, September 28, 2011 7:52 AM
> > To: General discussion list for the 389 Directory server project.
> > Subject: Re: [389-users] Problem with samba and 389 Directory server with LDAPS
> >
> > are you sure your certificate is created with your FQDN in it? I've had LOTS of problems until I created my certs correctly.
> >
> > you can check it with
> >
> > openssl x509 -noout -text -in server.crt
> >
> > and I recommend that you include your FQDN as an Alternative Name even if it is your hostname, that trick saved me lots of headaches.
> >
> > I always create my certs with two alternate names, the FQDN itself and also ldap.mydomain; this way you don't have any problems with loadbalancing and such.
> >
> > to create a petition cert with alternate names you can run (one line)
> >
> > certutil -R -s CN=myserver.example.com,OU=example,O=example,L=example,ST=example,C=example -o example.csr -d . -a -8 myserver.example.com,ldap.example.com
> >
> > [2011/09/28 11:23:13, 2] lib/smbldap.c:smbldap_open_connection(786)
> >   smbldap_open_connection: connection opened
> > [2011/09/28 11:23:13, 10] lib/smbldap.c:smbldap_connect_system(951)
> >   ldap_connect_system: Binding to ldap server ldaps://adm301.stag.cle.us as cn=Directory Manager
> > [2011/09/28 11:23:13, 2] lib/smbldap.c:smbldap_connect_system(982)
> >   failed to bind to server ldaps://”FQDN of server”.stag.cle.us with dn=cn=Directory Manager Error: Can't contact LDAP server (unknown)
> >
> > And yes I can resolve the hostname which I have sanitized.
> >
> > Thanks for the tip, but that doesn't seem to help, still have the same result. This was just working on another machine but I had to put that one back to the way it was, and must have missed something. Any more thoughts?
> >
> > From: 389-users-boun...@lists.fedoraproject.org [mailto:389-users-boun...@lists.fedoraproject.org] On Behalf Of Angel Bosch Mora
> > Sent: Wednesday, September 28, 2011 3:39 AM
> > To: General discussion list for the 389 Directory server project.
> > Subject: Re: [389-users] Problem with samba and 389 Directory server with LDAPS
> >
> > you have to use the FQDN when connecting securely. and you have to use the exact name used in the certificate.
> >
> > I am getting the following message in the /var/log/samba/smbd.log file when I start up samba and try to connect as a user.
> >
> > [2011/09/27 14:23:33, 1] lib/smbldap.c:another_ldap_try(1153)
> >   Connection to LDAP server failed for the 15 try!
> > [2011/09/27 14:23:34, 10] lib/smbldap.c:smb_ldap_setup_conn(630)
> >   smb_ldap_setup_connection: ldaps://192.168.3.79
> > [2011/09/27 14:23:34, 2] lib/smbldap.c:smbldap_open_connection(786)
> >   smbldap_open_connection: connection opened
> > [2011/09/27 14:23:34, 10] lib/smbldap.c:smbldap_connect_system(951)
> >   ldap_connect_system: Binding to ldap server ldaps://192.168.x.x as cn=directory manager,dc=stag,dc=cle,dc=us
> > [2011/09/27 14:23:34, 2] lib/smbldap.c:smbldap_connect_system(982)
> >   failed to bind to server ldaps://192.168.x.x with dn=cn=directory manager,dc=stag,dc=cle,dc=us Error: Can't contact LDAP server (unknown)
> >
> > Relevant part of the smb.conf
> >
> > passdb backend = ldapsam: ldaps://192.168.x.x
> > ldap suffix = dc=stag,dc=cle,dc=us
> > ldap machine suffix = ou=people
> > ldap user suffix = ou=people
> > ldap group suffix = ou=groups
> > ldap passwd sync = yes
> > ldap admin dn = cn=directory manager,dc=stag,dc=cle,dc=us
> > obey pam
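The thread turns on whether the name a client actually connects with (the bare IP from smb.conf, localhost, or the FQDN) is covered by the server certificate's Subject Alt Names. As an added example, not code from the thread, this Python script parses the DNS name / IP Address lines that `certutil -d <dbdir> -L -n <nickname>` prints (the sample excerpt below is constructed) and applies the usual hostname-matching rules to an LDAP URL; the nicknames, hostnames and addresses are assumptions.

```python
"""Does the host in an LDAP URL match the server certificate's SANs?

Added example. It reads the Subject Alt Name lines of certutil's
pretty-print output and checks an ldaps:// URL against them.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed excerpt of `certutil -d /etc/dirsrv/slapd-xxx01 -L -n Server-Cert`
# output; only the SAN extension matters here. Names are assumptions.
SAMPLE_CERTUTIL_OUTPUT = """\
        Signed Extensions:
            Name: Certificate Subject Alt Name
            DNS name: "myserver.example.com"
            DNS name: "ldap.example.com"
"""


def parse_san(certutil_text):
    """Return (dns_names, ip_addresses) listed in the SAN extension."""
    dns_names, ip_addrs = [], []
    for raw in certutil_text.splitlines():
        line = raw.strip()
        if line.startswith("DNS name:"):
            dns_names.append(line.split(":", 1)[1].strip().strip('"').lower())
        elif line.startswith("IP Address:"):
            ip_addrs.append(line.split(":", 1)[1].strip().strip('"'))
    return dns_names, ip_addrs


def dns_matches(pattern, host):
    """RFC 6125 style comparison: exact match, or a wildcard covering exactly
    one left-most label (*.example.com matches ldap.example.com, but neither
    example.com nor a.b.example.com)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        p_labels = pattern.split(".")
        h_labels = host.split(".")
        return (len(p_labels) == len(h_labels)
                and len(p_labels) >= 3
                and p_labels[1:] == h_labels[1:])
    return False


def _same_ip(san_value, addr):
    try:
        return ipaddress.ip_address(san_value) == addr
    except ValueError:
        return False  # malformed SAN entry: never a match


def check_ldap_url(url, certutil_text):
    """Return (ok, reason) for connecting to `url` with this certificate."""
    host = urlsplit(url).hostname  # already lower-cased, brackets stripped
    if not host:
        return False, "no host in URL"
    dns_names, ip_addrs = parse_san(certutil_text)
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        # A bare IP (as in `ldaps://192.168.x.x` from smb.conf) is only
        # matched against IP Address SANs; DNS names never cover it.
        if any(_same_ip(i, addr) for i in ip_addrs):
            return True, "IP address present in SAN"
        return False, "IP %s not in SAN; connect with the FQDN from the cert" % addr
    if any(dns_matches(p, host) for p in dns_names):
        return True, "hostname matches a SAN DNS name"
    return False, "hostname %s not covered by SAN %s" % (host, dns_names)


if __name__ == "__main__":
    for u in ("ldaps://myserver.example.com", "ldaps://ldap.example.com:636",
              "ldaps://192.168.3.79", "ldaps://localhost"):
        print(u, check_ldap_url(u, SAMPLE_CERTUTIL_OUTPUT))
```

Feed it the real `certutil -L -n` output of both nicknames from the thread (server-cert and Server-Cert) to see which one carries the names clients use.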
[389-users] entry-id conflict
hi,

I'm setting up another node on my multimaster environment. on the new node I can see differences on the entry-id attribute.

is this normal? I guess this is an internal attribute but I'm not sure if it must be shared and unique across members of replication.

regards,

abosch

-- 389 users mailing list 389-users@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users
[389-users] admin server fails to start with PSET failure: Failed to create PSET handle
hi,

I'm having problems starting the admin server. I can see just this line in the log:

[Thu Apr 07 12:26:13 2011] [crit] host_ip_init(): PSET failure: Failed to create PSET handle (pset error = )

not sure if it is related, but we had an accident that changed permissions on some files (recursive chmod on the wrong directory).

the main instance seems to work ok, so I'm a bit lost here.

regards,

abosch
Re: [389-users] Questions about groups and group IDs
- Original message -

> We are planning out how we are going to move from Active Directory to 389-ds. We can add users to our test environment successfully, and give the accounts the proper information (uid, shell, etc.). However, 1 area that we are getting stumped at is groups. In our Active Directory currently, we have several groups that we put our users into based on their function. Those groups have unique group IDs. However, when I make a group on 389-ds, I don't have any way of specifying a group ID. I can make a new user and give it a group ID by default, but that group ID doesn't exist anywhere and I can't find where to assign it or create it. Any ideas on this?

you need to use objectClass: posixGroup in your group template.

in theory posixGroup and groupOfNames are structural object classes and cannot be combined, but in practice there's a variation of the RFC that allows using posixGroup as auxiliary.

http://osdir.com/ml/ldap.umich/2006-07/msg00015.html

regards,

abosch
Re: [389-users] get base dn from ldapsearch
- Original message -

> Oddly enough it looks like it comes out as part of the LDIF comment. If you skip the option to tell it to not output ldif comments you'll get your base:
>
> $ ldapsearch -d1 -x '(uid=example)' 2>&1 | grep base
> # base dc=example,dc=com (default) with scope subtree

I don't get any result on my machine and I'm pretty sure I've got my ldap.conf configured:

$ ldapsearch -d1 -x '(uid=example)' 2>&1 | grep base
# base  with scope subtree

can this be a bug?

abosch
Re: [389-users] get base dn from ldapsearch
> Maybe I am understanding this wrong but could you not just check in the config what the search base is set to on the client side? What is the problem you are trying to solve?

yes, you're right. I can just take a look at ldap.conf but there are several places to look:

- debian/ubuntu uses /etc/ldap/ldap.conf
- RHEL/CentOS uses /etc/openldap/ldap.conf
- custom compilations can use any path. ex: /usr/local/ldap/ldap.conf
- windows openldap uses... I don't really know :P

so what I'm trying to do is resolve the configured base without knowing anything about the client.

for example, this command gives me the server even if I don't know anything about the conf:

ldapsearch -d1 -x -LLL '(uid=example)' uid 2>&1 | grep ldap_connect_to_host

I'm just a little bit surprised that I can't find any debug level that gives me the BASE

abosch
[389-users] get base dn from ldapsearch
hi,

not specifically 389 related but: is there a way to guess the default base dn for clients (the one configured in /etc/openldap/ldap.conf) with ldapsearch?

I've tried with -v, -n and -d but I only get the server, not the base.

regards,

abosch
Re: [389-users] SSl connection to 389 DS server
ssl connections need the same FQDN specified in the cert to be used when connecting. localhost is hardly going to work.

abosch
Re: [389-users] dsml packages
- Original message -

> Yes. We never released dsmlgw as an rpm package.

I thought I saw something about packages in the docs but I can't find it now.

thanks for the answer.
[389-users] dsml packages
hi,

I can't find the latest dsml packages anywhere. must I compile from sources? I use epel repos.

regards,

abosch
[389-users] upgrading packages
hi,

I've some questions about upgrading:

- must I run 'setup-ds-admin.pl -u' every time there's a new package in the repos?
- doesn't packaging take care of that?
- does it matter how many instances are configured?

I've been having some strange problems in my (mixed) environment and I just want to clarify some things.

abosch
Re: [389-users] duplicate existing ssl crenentials on another server ?
you must create a certificate with additional hostnames with the -8 option.

you can view an example here:

http://docs.sun.com/app/docs/doc/819-5899/6n7uuth9p?l=enn=1a=view

- Original message -

> Hello,
>
> After having read through the Howto:SSL document on the 389 wiki, I went ahead and set up SSL for my master instance - it works great, and I couldn't be happier. :)
>
> I have a slave set up to do read-only replication from the master; now, the wiki document has information on how to integrate the certificate into a slave so that the replication can occur over SSL, which I'll no doubt do, but that's not what I'm looking for advice on now.
>
> What I'm interested in is actually duplicating the new SSL setup that currently exists on the master. I realise that this sounds funny, but the reason is simple: in our environment, all of the clients and LDAP-aware applications are configured to send requests to a given hostname (which is not the base FQDN of the LDAP server - it's another, separate hostname entirely). If the master goes down, the slave automatically has this separate hostname assigned to it. (Put another way, it's a sort of poor-man's failover. It's far from perfect, and everybody knows it, but that's what's there, so for now we live with it. :P )
>
> What I would appear to need, therefore, is to have the slave be able to respond to incoming SSL requests with exactly the same credentials as the master. Is this even possible, and if so, how would I go about doing it?
>
> Thank you, all.
>
> --
> Daniel Maher dma + 389users AT witbe DOT net
Re: [389-users] Safeguarding against to many established connections
- Original message -

> On 10/19/2010 12:11 PM, Gerrard Geldenhuis wrote:
> > Hi
> >
> > We have recently seen an issue where a single client opened up more than 800 established connections to our directory server. The client did have the proper settings configured and should have closed connections but it didn't. Is there a way to limit the amount of connections per client or close connections from the server side after a certain period? Without just making the amount of connections ridiculously high on the directory server how can you safeguard against rogue clients.
> >
> > Our client setting is as follows:
> >
> > idle_timelimit 5
> > timelimit 10
> > bind_timelimit 5
> >
> > We were unable to log into the client and it had file system issues so we could not do any further analysis there.
> >
> > I suspect that solutions to this problem probably fall outside of what can be configured in 389?
>
> While it's not a 389-specific suggestion, iptables could easily solve this problem for you across the board. :)

there's also a setting to close idle connections after X seconds. it's somewhere in the 389 console, I can't remember now exactly.

abosch
[389-users] sub-suffix creation
hi,

I'm trying to create the entry for a sub-suffix I've created in the console but I can't find any instructions. I've followed the official docs:

http://www.centos.org/docs/5/html/CDS/ag/8.0/Configuring_Directory_Databases-Creating_and_Maintaining_Suffixes.html#Creating_Suffixes-Creating_a_New_Sub_Suffix_Using_the_Console

but there's no info about entries, just databases.

any clue?

abosch
Re: [389-users] sub-suffix creation
- Original message -

> Hi, I'm a bit confused... have you successfully created the entry using the console and are looking for an ldif example? Or did the creation fail in the console. I can give you examples of how we create our tree and sub suffixes if that will help, they are all in ldif format.

I've found some additional info here:

http://docs.sun.com/source/816-6698-10/suffixes.html#16762

I was a little bit lost but I've finally managed to create an entry through the console.

all examples I found were using ldif and the command line for entry creation, but it's really easy with the console. just be careful to use the exact same name as in the suffix database creation.

thanks for your time, anyway.

abosch
Re: [389-users] ns-slapd processes not dying
- Original message -

> Hi,
>
> We had a similar problem before, but I am not sure if it is related to your case. The file descriptors that were opened by the ns-slapd process were all in a CLOSE_WAIT state. You can try to execute
>
> netstat -anput | grep CLOSE_WAIT
>
> and see if there are a lot of dangling CLOSE_WAIT sockets opened by ns-slapd.

seems that is not the case. I can see lots of ESTABLISHED connections, but not a single CLOSE_WAIT. ex:

tcp        0      0 :::172.26.67.79:389     :::192.168.224.16:53143   ESTABLISHED 315/ns-slapd

the quick and dirty workaround is restarting the instance every night.

regards,

abosch
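Both the "safeguarding against too many established connections" reply and the ns-slapd CLOSE_WAIT reply above come down to counting sockets per client in `netstat -anput` output. As an added example, not code from either post, this Python script tallies ns-slapd TCP sockets per remote address (the sample lines are constructed in the format the thread shows, including the `:::a.b.c.d` form of the posted line) and flags clients that exceed thresholds which are assumptions to tune per deployment.

```python
"""Per-client socket accounting for ns-slapd from `netstat -anput` output.

Added example. Run `netstat -anput` on the directory server and feed the
text to connections_by_client(); flag_clients() then reports which remote
hosts hold too many ESTABLISHED or half-closed (CLOSE_WAIT) sockets.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: two LDAP clients, one sshd session and a udp socket.
# 192.168.224.16 holds three open LDAP connections; .17 leaves two in
# CLOSE_WAIT. Addresses, ports and PIDs are assumptions.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp6       0      0 :::389                  :::*                    LISTEN      315/ns-slapd
tcp        0      0 :::172.26.67.79:389     :::192.168.224.16:53143 ESTABLISHED 315/ns-slapd
tcp        0      0 ::ffff:172.26.67.79:389 ::ffff:192.168.224.16:53144 ESTABLISHED 315/ns-slapd
tcp        0      0 ::ffff:172.26.67.79:389 ::ffff:192.168.224.16:53145 ESTABLISHED 315/ns-slapd
tcp        0      0 ::ffff:172.26.67.79:636 ::ffff:192.168.224.17:40122 ESTABLISHED 315/ns-slapd
tcp        0      0 ::ffff:172.26.67.79:389 ::ffff:192.168.224.17:40123 CLOSE_WAIT  315/ns-slapd
tcp        0      0 ::ffff:172.26.67.79:389 ::ffff:192.168.224.17:40124 CLOSE_WAIT  315/ns-slapd
tcp        0      0 172.26.67.79:22         192.168.224.16:51000    ESTABLISHED 1201/sshd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           900/ntpd
"""

# Trailing dotted quad of an IPv4 address shown inside an IPv6 socket
# (::ffff:10.0.0.1 or, as in the posted line, :::10.0.0.1).
_IPV4_TAIL = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})$")


def _remote_host(endpoint):
    """Drop the port from 'addr:port' and unwrap an IPv4-in-IPv6 address."""
    host = endpoint.rsplit(":", 1)[0]
    match = _IPV4_TAIL.search(host)
    return match.group(1) if match else host


def connections_by_client(netstat_text, program="ns-slapd"):
    """Map remote host -> Counter of TCP states for sockets owned by `program`.

    Listening sockets, other programs and udp lines (no State column) are
    ignored, so the result is only what clients currently hold open.
    """
    per_client = defaultdict(Counter)
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 7 or not parts[0].startswith("tcp"):
            continue
        foreign, state, owner = parts[4], parts[5], parts[6]
        if state == "LISTEN" or not owner.endswith("/" + program):
            continue
        per_client[_remote_host(foreign)][state] += 1
    return dict(per_client)


def flag_clients(per_client, max_established=2, max_close_wait=0):
    """Return (host, established, close_wait) for clients over a threshold."""
    flagged = []
    for host, states in sorted(per_client.items()):
        established = states["ESTABLISHED"]
        close_wait = states["CLOSE_WAIT"]
        if established > max_established or close_wait > max_close_wait:
            flagged.append((host, established, close_wait))
    return flagged


if __name__ == "__main__":
    counts = connections_by_client(SAMPLE_NETSTAT)
    for host, established, close_wait in flag_clients(counts):
        print("%s: %d established, %d close_wait" % (host, established, close_wait))
```

The server-side idle setting the first reply refers to is nsslapd-idletimeout in cn=config; this script only reports, it does not close anything.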