[389-users] Possible bug in Schema Reload plug-in validator?

2022-04-08 Thread Jan Tomasek

Hello,

I'm running 389DS version 1.4.4.11-2 on Debian Bullseye, and when I try a 
dynamic schema reload I get this error:



[08/Apr/2022:09:50:38.481339672 +0200] - INFO - schemareload - 
schemareload_thread - Schema reload task starts (schema dir: default) ...
[08/Apr/2022:09:50:38.528960187 +0200] - ERR - parse_attr_str - Cannot find parent 
attribute type "certSubjectDN"
[08/Apr/2022:09:50:38.534608629 +0200] - ERR - dse_read_one_file - The entry 
cn=schema in file /etc/dirsrv/slapd-ldap33/schema/96radoc.ldif (lineno: 1) is 
invalid, error code 21 (Invalid syntax) - attribute type raOfficerSubjectDN: 
Missing parent attribute syntax OID
[08/Apr/2022:09:50:38.539912128 +0200] - ERR - schema_reload - 
slapi_validate_schema_files failed
[08/Apr/2022:09:50:38.544588257 +0200] - ERR - schemareload - schemareload_thread - Schema validation failed. 


raOfficerSubjectDN is defined this way:

attributeTypes: ( raOfficerSubjectDN-oid
  NAME 'raOfficerSubjectDN'
  DESC 'RA office subject  DN; KDO'
  SUP certSubjectDN
  SINGLE-VALUE
  X-ORIGIN 'CESNET RA DOC'
 )

and certSubjectDN is defined:

attributeTypes: ( certSubjectDN-oid
  NAME 'certsubjectdn'
  DESC 'CESNET Attribute'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
  X-ORIGIN 'CESNET'
 )

It is interesting that when I restart the whole server it starts correctly 
and the attribute is present in the schema:


ldapsearch -H ldaps://ldap33 -x -b 'cn=schema' -o ldif-wrap=no +
...
attributeTypes: ( raOfficerSubjectDN-oid NAME 'raOfficerSubjectDN' DESC 
'RA office subject  DN; KDO' SUP certSubjectDN SYNTAX 
1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'CESNET RA DOC' )


I was looking at the attributeType syntax, and RFC 2252 says:


... Servers SHOULD provide at least one of the "SUP" and "SYNTAX"
fields for each AttributeTypeDescription.

Isn't there a bug in the validator used by the Schema Reload plug-in?

Best regards
--
---
Jan Tomasek aka Semik
http://www.tomasek.cz/
___
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure
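The RFC 2252 rule quoted in the post can be checked mechanically. The following is an added example, not code from the original post or from 389DS: it parses the two attributeType definitions above as schema LDIF, resolves the effective SYNTAX through the SUP chain with case-insensitive name matching, and reports a "missing parent" only when the parent definition is absent from the text being validated. The names parse_attribute_types, resolve_syntax and validate are my own.

```python
"""Resolve attributeType SYNTAX through SUP, as RFC 2252 permits.

Added example, not part of the original post or of 389DS. Input is schema
LDIF; attribute names are matched case-insensitively (LDAP names are)."""
import re

# Constructed sample: the two definitions quoted in the post, as schema LDIF.
PARENT_DEF = """\
attributeTypes: ( certSubjectDN-oid
  NAME 'certsubjectdn'
  DESC 'CESNET Attribute'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
  X-ORIGIN 'CESNET'
 )
"""
CHILD_DEF = """\
attributeTypes: ( raOfficerSubjectDN-oid
  NAME 'raOfficerSubjectDN'
  DESC 'RA office subject  DN; KDO'
  SUP certSubjectDN
  SINGLE-VALUE
  X-ORIGIN 'CESNET RA DOC'
 )
"""
SCHEMA_LDIF = PARENT_DEF + CHILD_DEF

NAME_RE = re.compile(r"\bNAME\s+(?:'([^']*)'|\(\s*((?:'[^']*'\s*)+)\))")
SUP_RE = re.compile(r"\bSUP\s+([^\s)]+)")
SYNTAX_RE = re.compile(r"\bSYNTAX\s+([0-9.]+)")


def unfold_ldif(text):
    """Join LDIF continuation lines (those starting with one space)."""
    records = []
    for line in text.splitlines():
        if line.startswith(" ") and records:
            records[-1] += line[1:]
        elif line.strip():
            records.append(line)
    return records


def parse_attribute_types(text):
    """Map each lowercased NAME (or the OID if no NAME) to its definition."""
    defs = {}
    for rec in unfold_ldif(text):
        key, _, value = rec.partition(":")
        if key.strip().lower() != "attributetypes":
            continue
        m = NAME_RE.search(value)
        names = ([m.group(1)] if m and m.group(1)
                 else re.findall(r"'([^']*)'", m.group(2)) if m else [])
        names = names or [value.split()[1]]          # fall back to the OID
        unquoted = re.sub(r"'[^']*'", "''", value)    # ignore DESC contents
        sup, syn = SUP_RE.search(unquoted), SYNTAX_RE.search(unquoted)
        entry = {"names": names,
                 "sup": sup.group(1) if sup else None,
                 "syntax": syn.group(1) if syn else None}
        for n in names:
            defs[n.lower()] = entry
    return defs


def resolve_syntax(defs, name, _chain=()):
    """Return the syntax OID for 'name', inherited via SUP if needed."""
    key = name.lower()
    if key in _chain:
        raise ValueError("SUP cycle: " + " -> ".join(_chain + (key,)))
    entry = defs.get(key)
    if entry is None:
        raise ValueError(f"missing parent attribute type {name!r}")
    if entry["syntax"]:
        return entry["syntax"]
    if entry["sup"] is None:
        raise ValueError(f"{name!r} has neither SUP nor SYNTAX")
    return resolve_syntax(defs, entry["sup"], _chain + (key,))


def validate(text):
    """Return {primary name: syntax OID or 'ERROR: ...'} per attributeType."""
    defs = parse_attribute_types(text)
    report = {}
    for entry in {id(e): e for e in defs.values()}.values():
        primary = entry["names"][0]
        try:
            report[primary] = resolve_syntax(defs, primary)
        except ValueError as exc:
            report[primary] = f"ERROR: {exc}"
    return report


if __name__ == "__main__":
    for name, result in validate(SCHEMA_LDIF).items():
        print(f"{name}: {result}")
    # Validating the child definition without its parent reproduces the
    # 'Cannot find parent attribute type' class of error seen in the log.
    print(validate(CHILD_DEF))
```

Run against both definitions together, raOfficerSubjectDN resolves to the DN syntax 1.3.6.1.4.1.1466.115.121.1.12 exactly as the running server shows it; run against the child definition alone, it reports the missing parent.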


[389-users] Re: Forbidden uid?

2021-04-19 Thread Jan Tomasek

Hi Mark,

no that is not what I need.

I need to prevent our personnel department from creating users like 
'root', 'sys', 'dev', ... and similar potentially problematic usernames 
for unix systems.


Monday is much better than Friday. Today, I clearly see that this is a 
task for the libattr-unique-plugin plugin. I'm going to create ou=Forbidden 
Users,dc=example,dc=com with all forbidden user entries. :)

Best regards
--
---
Jan Tomasek aka Semik
http://www.tomasek.cz/



On 16. 04. 21 20:19, Mark Reynolds wrote:
You can create aci's that restrict specific DN's from doing specific 
actions like ADD.  Is that what you mean?  If so, look at the Admin 
guide for more information:

https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/managing_access_control

HTH,

Mark

On 4/16/21 10:49 AM, Jan Tomasek wrote:

Hi,

is there a way to provide 389DS with a list of forbidden uids to 
prevent creating such users? For example 'root', 'sys', ...


Thanks



--

389 Directory Server Development Team







[389-users] Forbidden uid?

2021-04-16 Thread Jan Tomasek

Hi,

is there a way to provide 389DS with a list of forbidden uids to 
prevent creating such users? For example 'root', 'sys', ...


Thanks
--
-------
Jan Tomasek aka Semik
http://www.tomasek.cz/





[389-users] Preserving create & modifyTimestamp during import

2021-04-13 Thread Jan Tomasek

Hi,

I need to import a sub-suffix into an existing suffix on a running 
server. When I use:


dsconf -D "cn=Directory Manager" -w "$pswd" ldap://localhost backend 
import userRoot sub-suffix.ldif


then userRoot is truncated and later the import fails with this error:

[13/Apr/2021:15:08:41.180921374 +0200] - WARN - import_foreman - import 
userRoot: Skipping entry "o=sub,o=suffix" which has no parent, ending at 
line 36 of file "/root/sub-suffix.ldif"


One way is to dump the existing userRoot and later re-import the complete backend:

dsconf -D "cn=Directory Manager" -w "$pswd" ldap://localhost backend 
import userRoot suffix.ldif sub-suffix.ldif


But that means downtime I'm trying to avoid.

The other way to import is to use ldapadd, but then the server replaces 
the operational attributes:

creatorsName
modifiersName
createTimestamp
modifyTimestamp

Is there a way to import a sub-suffix into an existing, running server 
and preserve those operational attributes at the same time?


Thanks
--
---
Jan Tomasek aka Semik
http://www.tomasek.cz/


[389-users] Password Upgrade on Bind modify

2021-03-23 Thread Jan Tomasek

Hi,

I've upgraded from an older 389DS to 1.4.4.11 and realized that the server 
started upgrading the hashing algorithm of userPassword. That is fine, but it 
also moves passwordExpirationTime forward.


I know I can set

dn: cn=config
nsslapd-enable-upgrade-hash: off

to disable this feature.

Is there a way to only disable the passwordExpirationTime update and 
keep password hash upgrading enabled?


--
-------
Jan Tomasek aka Semik
http://www.tomasek.cz/





[389-users] Unindexed search even on indexed database

2021-03-04 Thread Jan Tomasek

Hello,

I'm worried about these log lines:

[04/Mar/2021:10:08:47.982170561 +0100] - NOTICE - ldbm_back_search - 
Unindexed search: search base="o=tcs2,o=apps,dc=cesnet,dc=cz" scope=2 
filter="(entryStatus=issued)" conn=115 op=1


Index is defined:

# dsconf -D "cn=Directory Manager" -w "$pswd" ldap://localhost backend 
index get TCS2_apps_cesnet_cz --attr entryStatus
dn: cn=entryStatus,cn=index,cn=TCS2_apps_cesnet_cz,cn=ldbm 
database,cn=plugins,cn=config

cn: entryStatus
nsIndexType: eq
nsIndexType: pres
nsSystemIndex: False
objectClass: top
objectClass: nsIndex

Database is freshly reindexed:

# dsconf -D "cn=Directory Manager" -w "$pswd" ldap://localhost backend 
index reindex TCS2_apps_cesnet_cz --attr entryStatus

Index task index_attrs_03042021_100813 completed successfully
Successfully reindexed database
# tail /var/log/dirsrv/slapd-cml3/errors
[04/Mar/2021:10:08:19.181006893 +0100] - INFO - bdb_db2index - 
TCS2_apps_cesnet_cz: Indexed 43000 entries (83%).
[04/Mar/2021:10:08:19.304566154 +0100] - INFO - bdb_db2index - 
TCS2_apps_cesnet_cz: Indexed 44000 entries (85%).
[04/Mar/2021:10:08:19.430861272 +0100] - INFO - bdb_db2index - 
TCS2_apps_cesnet_cz: Indexed 45000 entries (86%).
[04/Mar/2021:10:08:19.554529568 +0100] - INFO - bdb_db2index - 
TCS2_apps_cesnet_cz: Indexed 46000 entries (88%).
[04/Mar/2021:10:08:19.671814136 +0100] - INFO - bdb_db2index - 
TCS2_apps_cesnet_cz: Indexed 47000 entries (90%).
[04/Mar/2021:10:08:19.791473662 +0100] - INFO - bdb_db2index - 
TCS2_apps_cesnet_cz: Indexed 48000 entries (92%).
[04/Mar/2021:10:08:19.911157930 +0100] - INFO - bdb_db2index - 
TCS2_apps_cesnet_cz: Indexed 49000 entries (94%).
[04/Mar/2021:10:08:20.032595700 +0100] - INFO - bdb_db2index - 
TCS2_apps_cesnet_cz: Indexed 50000 entries (96%).
[04/Mar/2021:10:08:20.153813121 +0100] - INFO - bdb_db2index - 
TCS2_apps_cesnet_cz: Indexed 51000 entries (98%).
[04/Mar/2021:10:08:20.244942556 +0100] - INFO - bdb_db2index - 
TCS2_apps_cesnet_cz: Finished indexing.


But the server is still complaining:

# time ldapsearch -H ldap://localhost -x -b 
o=TCS2,o=apps,dc=cesnet,dc=cz '(entryStatus=issued)'

# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: (entryStatus=issued)
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1

real    0m0.920s
user    0m0.014s
sys     0m0.001s
# tail /var/log/dirsrv/slapd-cml3/errors
...
[04/Mar/2021:10:08:20.153813121 +0100] - INFO - bdb_db2index - 
TCS2_apps_cesnet_cz: Indexed 51000 entries (98%).
[04/Mar/2021:10:08:20.244942556 +0100] - INFO - bdb_db2index - 
TCS2_apps_cesnet_cz: Finished indexing.
[04/Mar/2021:10:08:47.982170561 +0100] - NOTICE - ldbm_back_search - 
Unindexed search: search base="o=tcs2,o=apps,dc=cesnet,dc=cz" scope=2 
filter="(entryStatus=issued)" conn=115 op=1


Some DB files were created during the reindex:

# ls -l /var/lib/dirsrv/slapd-cml3/db/TCS2_apps_cesnet_cz/
total 358212
-rw------- 1 dirsrv dirsrv     16384 Feb 22 10:08 aci.db
-rw------- 1 dirsrv dirsrv   2760704 Feb 22 10:09 ancestorid.db
-rw------- 1 dirsrv dirsrv  19668992 Mar  3 16:53 cn.db
-rw------- 1 dirsrv dirsrv        51 Mar  4 09:54 DBVERSION
-rw------- 1 dirsrv dirsrv     24576 Mar  3 16:53 dc.db
-rw------- 1 dirsrv dirsrv  13254656 Feb 22 10:09 entryrdn.db
-rw------- 1 dirsrv dirsrv   1114112 Mar  4 10:08 entryStatus.db
-rw------- 1 dirsrv dirsrv     16384 Feb 22 10:07 entryusn.db
-rw------- 1 dirsrv dirsrv   3063808 Mar  3 16:54 givenName.db
-rw------- 1 dirsrv dirsrv 285548544 Mar  4 10:09 id2entry.db
-rw------- 1 dirsrv dirsrv  16056320 Mar  3 16:54 mail.db
-rw------- 1 dirsrv dirsrv     16384 Feb 22 10:08 nscpEntryDN.db
-rw------- 1 dirsrv dirsrv   3891200 Feb 22 10:09 nsuniqueid.db
-rw------- 1 dirsrv dirsrv     24576 Feb 22 10:09 numsubordinates.db
-rw------- 1 dirsrv dirsrv   1466368 Feb 22 10:09 objectclass.db
-rw------- 1 dirsrv dirsrv    811008 Feb 22 10:09 parentid.db
-rw------- 1 dirsrv dirsrv    258048 Mar  4 10:00 replication_changelog.db
-rw------- 1 dirsrv dirsrv   3735552 Mar  3 16:55 sn.db
-rw------- 1 dirsrv dirsrv    335872 Mar  4 09:26 tcs2certificate.db
-rw------- 1 dirsrv dirsrv     32768 Mar  3 16:55 tcs2cesnetorgdn.db
-rw------- 1 dirsrv dirsrv   2826240 Mar  3 16:55 tcs2crtserialnumber.db
-rw------- 1 dirsrv dirsrv   3809280 Mar  3 16:55 tcs2crtsubject.db
-rw------- 1 dirsrv dirsrv     16384 Mar  3 16:55 tcs2idpentityid.db
-rw------- 1 dirsrv dirsrv   3276800 Mar  3 16:56 tcs2requesterdn.db
-rw------- 1 dirsrv dirsrv    393216 Mar  3 16:56 tcs2role.db
-rw------- 1 dirsrv dirsrv   3219456 Mar  3 16:56 telephoneNumber.db
-rw------- 1 dirsrv dirsrv    516096 Mar  3 16:56 uid.db
-rw------- 1 dirsrv dirsrv    647168 Mar  3 16:57 unstructuredname.db

Any ideas how to fix the problem?
--
---
Jan Tomasek aka Semik
http://www.tomasek.cz/
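An operator watching for this class of notice wants to separate "no index defined" from "indexed attribute still reported unindexed", which is the puzzling case in the post. The following is an added example, not code from the original post or from 389DS: it parses ns-slapd errors-log lines of the format quoted above, works out which nsIndexType each filter item needs, and compares that with the index configuration shown by dsconf (entryStatus: eq, pres). The names analyse, anomalies and INDEXES are my own, and the objectClass index and the third log line are constructed.

```python
"""Flag 'Unindexed search' notices whose filter attributes are indexed.

Added example, not from the original post or 389DS. It parses ns-slapd
errors-log lines and compares each filter item with the configured index
types, so searches that 389DS reports as unindexed although every attribute
in the filter has the needed index type are separated from plain missing
indexes. Names (analyse, anomalies, INDEXES) are my own."""
import re
from collections import namedtuple

# Constructed sample log. The second line is the NOTICE quoted in the post,
# unwrapped onto one line as ns-slapd writes it; the third line is made up.
ERRORS_LOG = """\
[04/Mar/2021:10:08:20.244942556 +0100] - INFO - bdb_db2index - TCS2_apps_cesnet_cz: Finished indexing.
[04/Mar/2021:10:08:47.982170561 +0100] - NOTICE - ldbm_back_search - Unindexed search: search base="o=tcs2,o=apps,dc=cesnet,dc=cz" scope=2 filter="(entryStatus=issued)" conn=115 op=1
[04/Mar/2021:10:09:02.000000000 +0100] - NOTICE - ldbm_back_search - Unindexed search: search base="o=tcs2,o=apps,dc=cesnet,dc=cz" scope=2 filter="(&(objectClass=person)(description=*foo*))" conn=120 op=3
"""

# Index types per attribute, as 'dsconf ... backend index get' showed for
# entryStatus (eq, pres); objectClass is assumed to have the default eq index.
INDEXES = {"entrystatus": {"eq", "pres"}, "objectclass": {"eq"}}

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] - NOTICE - ldbm_back_search - Unindexed search: '
    r'search base="(?P<base>[^"]*)" scope=(?P<scope>\d) '
    r'filter="(?P<filter>.*)" conn=(?P<conn>\d+) op=(?P<op>\d+)$')
# One simple filter item: (attr=value), (attr=*), (attr=*sub*), (attr~=value).
# Range (>=, <=) and extensible matches are ignored by this example.
ITEM_RE = re.compile(r'\((?P<attr>[A-Za-z][\w.;-]*)(?P<op>~=|=)(?P<val>[^()]*)\)')

Finding = namedtuple("Finding", "conn op attr needed has indexed")


def needed_index_type(op, val):
    """nsIndexType a filter item needs in order to be served from an index."""
    if op == "~=":
        return "approx"
    if val == "*":
        return "pres"
    if "*" in val:
        return "sub"
    return "eq"


def parse_unindexed(log_text):
    """Return the regex match for every 'Unindexed search' NOTICE line."""
    return [m for m in map(LINE_RE.match, log_text.splitlines()) if m]


def analyse(log_text, indexes):
    """One Finding per filter item of every unindexed search in the log."""
    findings = []
    for m in parse_unindexed(log_text):
        for item in ITEM_RE.finditer(m.group("filter")):
            attr, op, val = item.group("attr", "op", "val")
            needed = needed_index_type(op, val)
            has = frozenset(indexes.get(attr.lower(), ()))
            findings.append(Finding(int(m.group("conn")), int(m.group("op")),
                                    attr, needed, has, needed in has))
    return findings


def anomalies(findings):
    """(conn, op) pairs where every filter item has the index type it needs.
    A missing index definition cannot explain those, so they deserve a look."""
    by_op = {}
    for f in findings:
        by_op.setdefault((f.conn, f.op), []).append(f)
    return sorted(k for k, items in by_op.items() if all(i.indexed for i in items))


if __name__ == "__main__":
    found = analyse(ERRORS_LOG, INDEXES)
    for f in found:
        print(f"conn={f.conn} op={f.op} {f.attr}: needs {f.needed}, has {sorted(f.has)}")
    print("unexplained by index config:", anomalies(found))
```

On the sample, conn=115 op=1 (the search from the post) is the only anomaly: entryStatus has the eq index the filter needs, while the constructed conn=120 op=3 search is explained by description lacking a sub index.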

[389-users] Plugin for enforcing minimum attribute length

2021-02-16 Thread Jan Tomasek

Hi,

is there any plugin for enforcing a minimum attribute length? I never 
needed such a thing, but now it would be nice to be able to enforce a minimum of 3 
characters for the dc attribute in one subtree.


Is it possible? Thanks
--
---
Jan Tomasek aka Semik
http://www.tomasek.cz/





[389-users] Re: ERR - _entryrdn_insert_key - Same DN (dn: nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,dc=cesnet,dc=cz) is already in the ,entryrdn file with different ID 10458. Expected ID is 10459

2021-01-18 Thread Jan Tomasek

Hi Thierry,

On 15. 01. 21 11:06, thierry bordaz wrote:

Would you be able to run those commands:

dbscan -f /var/lib/dirsrv//db/cesnet_cz /nsuniqueid.db -k 
=fff-fff-fff-fff -r =fff-fff-fff-fff


This segfaults:

root@cml3:~# dbscan -f /var/lib/dirsrv/slapd-cml3/db/test/nsuniqueid.db 
-k =fff-fff-fff-fff -r =fff-fff-fff-fff

Can't find key '=fff-fff-fff-fff'
Segmentation fault

strace:

openat(AT_FDCWD, "/var/lib/dirsrv/slapd-cml3/db/test/nsuniqueid.db", 
O_RDONLY) = 3

fcntl(3, F_GETFD)   = 0
fcntl(3, F_SETFD, FD_CLOEXEC)   = 0
fstat(3, {st_mode=S_IFREG|0600, st_size=16384, ...}) = 0
mmap(NULL, 16384, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f51149b3000
fstat(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(0x88, 0x1), ...}) = 0
write(1, "Can't find key '=fff-fff"..., 50Can't find key 
'=fff-fff-fff-fff'

) = 50
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, 
si_addr=0x7fff3c00} ---

+++ killed by SIGSEGV +++
Segmentation fault

I've created a simple test suffix (see the LDIF) and the problem persists :(

Error is now:
[18/Jan/2021:15:36:07.639103043 +0100] - ERR - _entryrdn_insert_key - 
Same DN (dn: nsuniqueid=---,dc=test) is 
already in the entryrdn file with different ID 4.  Expected ID is 6.
[18/Jan/2021:15:36:07.639405490 +0100] - ERR - index_addordel_entry - 
database index operation failed BAD 1023, err= Unknown error 
[18/Jan/2021:15:36:07.794625784 +0100] - ERR - NSMMReplicationPlugin - 
_replica_configure_ruv - Failed to create replica ruv tombstone entry 
(dc=test); LDAP error - 1
[18/Jan/2021:15:36:07.794954251 +0100] - ERR - NSMMReplicationPlugin - 
replica_new - Unable to configure replica dc=test:


root@cml3:~# dbscan -f /var/lib/dirsrv/slapd-cml3/db/test/nsuniqueid.db
=d5658282-599911eb-af359663-f13d537d
=d5658283-599911eb-af359663-f13d537d
=d5658284-599911eb-af359663-f13d537d
=d5658285-599911eb-af359663-f13d537d

root@cml3:~# dbscan -f /var/lib/dirsrv/slapd-cml3/db/test/id2entry.db -K 4
id 4
rdn: nsuniqueid=---
objectClass: top
objectClass: nsTombstone
objectClass: extensibleobject
nsUniqueId: ---
nsds50ruv: {replicageneration} 60059bd30001
	nsds50ruv: {replica 1 ldap://cml3.cesnet.cz:389} 60059bdd00020001 
60059c66

 0001
dc: test
nscpEntryDN: dc=test
nsruvReplicaLastModified: {replica 1 ldap://cml3.cesnet.cz:389} 60059c66
	nsds5agmtmaxcsn: 
dc=test;test-ldap31;ldap31.cesnet.cz;636;65535;60059c6600

 01
	nsds5agmtmaxcsn: 
dc=test;test-ldap32;ldap32.cesnet.cz;636;65535;60059c6600

 01

root@cml3:~# dbscan -f /var/lib/dirsrv/slapd-cml3/db/test/id2entry.db -K 6
Can't set cursor to returned item: BDB0073 DB_NOTFOUND: No matching 
key/data pair found

free(): invalid pointer
Aborted

After I run a reindex on the backend:
# root@cml3:~# dsctl cml3 db2index test

the fff... entry shows up in nsuniqueid.db

root@cml3:~# dbscan -f /var/lib/dirsrv/slapd-cml3/db/test/nsuniqueid.db
=d5658282-599911eb-af359663-f13d537d
=d5658283-599911eb-af359663-f13d537d
=d5658284-599911eb-af359663-f13d537d
=d5658285-599911eb-af359663-f13d537d
=---

Now the server is able to start. It needs reinitialization of both replicas, and 
after the reinitialization it works. Until the next complete reindex. ;)


I've tested once again with a fresh db. The record rdn: 
nsuniqueid=--- appears in nsuniqueid.db 
after the reinitialization of both replicas is completed.



Isn't my problem related to this: 
https://github.com/389ds/389-ds-base/issues/273 ?


My system is Debian Buster and 389 DS is in version 1.4.4.9 taken from 
Debian Bullseye. If I can provide some more debug info please let me know.


I hope I can operate the servers this way without doing a reindex on all 
attributes, but it would be nice if this were fixed.


Thanks
--
---
Jan Tomasek aka Semik
http://www.tomasek.cz/
dn: dc=test
modifyTimestamp: 20200212102827Z
modifiersName: cn=directory manager
objectClass: top
objectClass: dcobject
dc: test
creatorsName: cn=directory manager
createTimestamp: 20100418093235Z

dn: ou=People,dc=test
modifyTimestamp: 20200622122744Z
modifiersName: cn=directory manager
ou: People
objectClass: top
objectClass: organizationalunit
creatorsName: cn=directory manager
createTimestamp: 20100418093236Z

dn: uid=test,ou=People,dc=test
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
uid: test
sn: Test
cn: Jan Test



[389-users] ERR - _entryrdn_insert_key - Same DN (dn: nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,dc=cesnet,dc=cz) is already in the ,entryrdn file with different ID 10458. Expected ID is 10459.

2021-01-13 Thread Jan Tomasek
2.658177768 +0100] - INFO - ldbm_back_ldbm2index - 
cesnet_cz: Indexed 2000 entries (19%).
[13/Jan/2021:16:43:13.208182425 +0100] - INFO - ldbm_back_ldbm2index - 
cesnet_cz: Indexed 3000 entries (28%).
[13/Jan/2021:16:43:13.960876293 +0100] - INFO - ldbm_back_ldbm2index - 
cesnet_cz: Indexed 4000 entries (38%).
[13/Jan/2021:16:43:14.630850682 +0100] - INFO - ldbm_back_ldbm2index - 
cesnet_cz: Indexed 5000 entries (47%).
[13/Jan/2021:16:43:15.394532510 +0100] - INFO - ldbm_back_ldbm2index - 
cesnet_cz: Indexed 6000 entries (57%).
[13/Jan/2021:16:43:16.170632542 +0100] - INFO - ldbm_back_ldbm2index - 
cesnet_cz: Indexed 7000 entries (66%).
[13/Jan/2021:16:43:16.796304684 +0100] - INFO - ldbm_back_ldbm2index - 
cesnet_cz: Indexed 8000 entries (76%).
[13/Jan/2021:16:43:17.506801263 +0100] - INFO - ldbm_back_ldbm2index - 
cesnet_cz: Indexed 9000 entries (86%).
[13/Jan/2021:16:43:18.067960870 +0100] - INFO - ldbm_back_ldbm2index - 
cesnet_cz: Indexed 10000 entries (95%).
[13/Jan/2021:16:43:18.243288780 +0100] - INFO - ldbm_back_ldbm2index - 
cesnet_cz: Finished indexing.
[13/Jan/2021:16:43:19.246780004 +0100] - ERR - _entryrdn_insert_key - 
Same DN (dn: 
nsuniqueid=---,dc=cesnet,dc=cz) is 
already in the entryrdn file with different ID 10458.  Expected ID is 10459.
[13/Jan/2021:16:43:19.247170757 +0100] - ERR - index_addordel_entry - 
database index operation failed BAD 1023, err= Unknown error 
[13/Jan/2021:16:43:19.247525937 +0100] - ERR - NSMMReplicationPlugin - 
_replica_configure_ruv - Failed to create replica ruv tombstone entry 
(dc=cesnet,dc=cz); LDAP error - 1
[13/Jan/2021:16:43:49.252019156 +0100] - ERR - _entryrdn_insert_key - 
Same DN (dn: 
nsuniqueid=---,dc=cesnet,dc=cz) is 
already in the entryrdn file with different ID 10458.  Expected ID is 10459.
[13/Jan/2021:16:43:49.252315849 +0100] - ERR - index_addordel_entry - 
database index operation failed BAD 1023, err= Unknown error 
[13/Jan/2021:16:43:49.252556037 +0100] - ERR - NSMMReplicationPlugin - 
_replica_configure_ruv - Failed to create replica ruv tombstone entry 
(dc=cesnet,dc=cz); LDAP error - 1



I tried to do the indexes one after another; everything is working fine until I 
try to rebuild the index for entryrdn and nsuniqueid. The second one starts 
causing the error:
[13/Jan/2021:15:25:12.460676505 +0100] - ERR - _entryrdn_insert_key - 
Same DN (dn: 
nsuniqueid=---,dc=cesnet,dc=cz) is 
already in the entryrdn file with different ID 10454.  Expected ID is 10456.
[13/Jan/2021:15:25:12.460870191 +0100] - ERR - index_addordel_entry - 
database index operation failed BAD 1023, err= Unknown error 
[13/Jan/2021:15:25:12.461119957 +0100] - ERR - NSMMReplicationPlugin - 
_replica_configure_ruv - Failed to create replica ruv tombstone entry 
(dc=cesnet,dc=cz); LDAP error - 1


The only solution I've discovered is to disable replication and reinitialize 
all suffixes. This is quite painful. :(


How to avoid this error? And how to fix it when it happens? Thanks for 
any suggestions.

--
---
Jan Tomasek aka Semik
http://www.tomasek.cz/


[389-users] Re: A plugin to record modification timestamp and modifiers DN for specific attribute

2020-09-21 Thread Jan Tomasek
Hi William,

> An interesting idea that could bring you a lot assurance, would be to
> integrate and test with Address Sanitiser. This would help you find
> and detect potential memory safety issues in the plugin. If you want
> some advice on how to do this, I'm happy to help.

Using Address Sanitiser is a completely new topic to me. But I would like
to give it a try, if you would be so nice as to provide me with pointers on how
to start.

Thanks
-- 
-----------
Jan Tomasek aka Semik
http://www.tomasek.cz/





[389-users] LDAPS only plugin & how to disable LDAP protocol at all

2020-09-21 Thread Jan Tomasek
Hello,

in the past, I created a simple plug-in for disabling authenticated binds
over non-encrypted connections while still allowing anonymous binds over LDAP.

I did know about nsslapd-require-secure-binds, but if I recall correctly it
includes SASL authenticated binds, which I believe protect only the user
password and not the transferred data.

I published the plug-in here:
https://github.com/CESNET/389ds-plugin-ldapsonly
but it is maybe obsolete today.

Today I think TLS is a must. Is it possible to disable port 389 at all?
Or instruct 389 DS to bind port 389 on localhost only?

-- 
-------
Jan Tomasek aka Semik
http://www.tomasek.cz/





[389-users] Re: A plugin to record modification timestamp and modifiers DN for specific attribute

2020-09-18 Thread Jan Tomasek
Hi William,

On 9/9/20 2:31 AM, William Brown wrote:
>> I need to keep track when and by whom was entryStatus attribute
>> modified. For those informations, we have two attributes
>> entryStatusTimestamp and entryStatusModifier attributes. And every time
>> entryStatus is changed, our plugin changes automatically those two
>> attributes.
>>
>> Is there any standard, or maybe some contributed plugin how I can
>> achieve this?
> 
> Sadly, I can't think of anything that exists today that achieves what you 
> want, so I think you'll need to stick with this.

After some debugging I've identified the problem: it was not caused by an
incompatibility with the newer 389DS, but by weird config syntax requiring
TAB characters, which I lost during copy & paste. :(

In case anyone is interested, I've published it:
https://github.com/CESNET/389ds-plugin-ssm

I can't say it's nice code and the repository isn't clean; there are some
unused files related to OTP, which was used at FEL CTU at the time when strong
crypto export from the USA to our country was prohibited. But still it might
be interesting for someone...

Best regards
-- 
---
Jan Tomasek aka Semik
http://www.tomasek.cz/





[389-users] A plugin to record modification timestamp and modifiers DN for specific attribute

2020-09-08 Thread Jan Tomasek
Hello,

I have one historical plug-in (from the times of SunOne Directory); it was
in the past ported to version 1.2 of 389 DS. But it fails to work with 1.4.
It is a bit more complicated than the one I was seeking help with before, but
maybe it is possible to replace it with some standard plug-in. However,
I didn't find any suitable one. :(

We are using an attribute named entryStatus with several possible values
like prepared, active, marked, dead; those are used for keeping the status
of a user entry.

I need to keep track of when and by whom the entryStatus attribute was
modified. For that information, we have two attributes,
entryStatusTimestamp and entryStatusModifier. And every time
entryStatus is changed, our plugin automatically changes those two
attributes.


Is there any standard, or maybe some contributed, plugin with which I can
achieve this?

Thanks
-- 
-------
Jan Tomasek aka Semik
http://www.tomasek.cz/





[389-users] Re: Plugin-in Guide for 1.4.0

2020-09-01 Thread Jan Tomasek

Hi William,


Reading this trace, it looks like you are missing debug symbols or devel information. 
Honestly, I'm not sure how to get this on debian, maybe "pkgname-dbgsym" aka 
389-ds-dbgsym or similar needs to be installed?


The Debian way is to add an extra repository which contains all -dbgsym 
packages. It is described here: https://wiki.debian.org/HowToGetABacktrace


The problem was in the declaration of the variable method:

static int do_pre_bind(Slapi_PBlock *pb, char* errmsg)
{
    static const char* attributes[] = {"cn", NULL};

    plugin_config_t* conf;
    int rc, method;   /* 'method' declared as int; the fix below makes it ber_tag_t */
    ...
    conf = &s_conf;
    ...
    if (slapi_pblock_get(pb, SLAPI_BIND_TARGET, &dn) != 0
        || slapi_pblock_get(pb, SLAPI_BIND_METHOD, &method) != 0
    ...

Calling 'slapi_pblock_get(pb, SLAPI_BIND_METHOD, &method)' overwrites conf.


In 
https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html-single/plug-in_guide/index#Plugin_Programming_Guide-Processing_an_LDAP_Bind_Operation-Getting_and_Setting_Parameters_for_the_Bind_Operation 
the value returned by 'slapi_pblock_get(pb, SLAPI_BIND_METHOD, &method)' is still documented as 'int'.


But in the source:
https://pagure.io/389-ds-base/blob/master/f/ldap/servers/slapd/pblock.c#_1578

ber_tag_t is used.

After I changed the declaration to:
ber_tag_t method;

the plugin started to work. I need to test it deeply, but it looks good.

I appreciate your kind way of helping me.

Thanks a lot!
--
---
Jan Tomasek aka Semik
http://www.tomasek.cz/





[389-users] Re: Plugin-in Guide for 1.4.0

2020-08-31 Thread Jan Tomasek

Hi Mark,

On 8/28/20 2:51 PM, Mark Reynolds wrote:
Sorry, the plugin guide has not been maintained in a long time. There was 
a discussion to just remove it.  Can you provide the stack trace from 
the crash?  I'm sure we can help get it straightened out...


you are very kind. My C knowledge is kind of outdated; it's been about 20 years 
since I last created something bigger in C.


I'm fighting with gdb to be able to trace and debug 389 DS with the plugin loaded:

root@ldap33:~# gdb /usr/sbin/ns-slapd



(gdb) run -d 65536  -D /etc/dirsrv/slapd-ldap33 -i 
/var/run/dirsrv/slapd-ldap33.pid
Starting program: /usr/sbin/ns-slapd -d 65536  -D /etc/dirsrv/slapd-ldap33 -i 
/var/run/dirsrv/slapd-ldap33.pid
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[31/Aug/2020:11:14:36.396980567 +0200] - DEBUG - syntax-plugin - => bin_init
...
[31/Aug/2020:11:15:11.443569660 +0200] - ERR - altpass-plugin - do_pre_bind: 1
[31/Aug/2020:11:15:11.445011559 +0200] - ERR - altpass-plugin - do_pre_bind: 2
[31/Aug/2020:11:15:11.446302153 +0200] - ERR - altpass-plugin - do_pre_bind: 3
[31/Aug/2020:11:15:11.447546080 +0200] - ERR - altpass-plugin - do_pre_bind: 4
[31/Aug/2020:11:15:11.448848356 +0200] - ERR - altpass-plugin - do_pre_bind: 5
[31/Aug/2020:11:15:11.450387903 +0200] - ERR - altpass-plugin - do_pre_bind: 6
[31/Aug/2020:11:15:11.451510488 +0200] - ERR - altpass-plugin - do_pre_bind: 7
[31/Aug/2020:11:15:11.453559193 +0200] - ERR - altpass-plugin - do_pre_bind: 8
[31/Aug/2020:11:15:11.454709087 +0200] - ERR - altpass-plugin - do_pre_bind: 9
[31/Aug/2020:11:15:11.455636136 +0200] - ERR - altpass-plugin - do_pre_bind: 9a
[31/Aug/2020:11:15:11.456657442 +0200] - ERR - altpass-plugin - do_pre_bind: 
9a: filter=(memberNisNetgroup=2001:718:1:6::134:138)

Thread 17 "ns-slapd" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffd0ff9700 (LWP 28079)]
0x74318b52 in do_pre_bind () from 
/usr/lib/x86_64-linux-gnu/dirsrv/plugins/altpass-plugin.so
(gdb) bt
#0  0x74318b52 in do_pre_bind () at 
/usr/lib/x86_64-linux-gnu/dirsrv/plugins/altpass-plugin.so
#1  0x74318f3b in pre_bind () at 
/usr/lib/x86_64-linux-gnu/dirsrv/plugins/altpass-plugin.so
#2  0x77f0c409 in None () at 
/usr/lib/x86_64-linux-gnu/dirsrv/libslapd.so.0
#3  0x77f0c654 in plugin_call_plugins () at 
/usr/lib/x86_64-linux-gnu/dirsrv/libslapd.so.0
#4  0x5556907e in None ()
#5  0x5557045a in None ()
#6  0x77c13ec7 in None () at /usr/lib/x86_64-linux-gnu/libnspr4.so
#7  0x77bb3fa3 in start_thread (arg=) at 
pthread_create.c:486
#8  0x777ed4cf in clone () at 
../sysdeps/unix/sysv/linux/x86_64/clone.S:95


When I set breakpoint at start of do_pre_bind():


(gdb) b do_pre_bind
Breakpoint 1 at 0x7431879a
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y

[Switching to Thread 0x7fffd0ff9700 (LWP 28116)]

Thread 17 "ns-slapd" hit Breakpoint 1, 0x7431879a in do_pre_bind () 
from /usr/lib/x86_64-linux-gnu/dirsrv/plugins/altpass-plugin.so
(gdb) 


(gdb) l
1   ../sysdeps/x86_64/crti.S: No such file or directory.
(gdb) 


Tips on how to properly set up a debugging environment would be very welcome. I was
unable to locate crti.S anywhere in the Debian packages:
https://packages.debian.org/search?searchon=contents&keywords=x86_64%2Fcrti.S&mode=path&suite=stable&arch=any


Source code around SIGSEGV place:


slapi_entry_free(user_entry);
user_entry = NULL;

log_fatal("do_pre_bind: 9\n");
// Find corresponding service(s)
char filter[200];
snprintf(filter, sizeof(filter), "(memberNisNetgroup=%s)", clientIP);
log_fatal("do_pre_bind: 9a\n");
log_fatal("do_pre_bind: 9a: filter=%s\n", filter);

find_entries(conf->group_suffix, filter, attributes, &matching_services);


The function find_entries() is never entered.

Thanks
--
---
Jan Tomasek aka Semik
http://www.tomasek.cz/



smime.p7s
Description: S/MIME Cryptographic Signature
___
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
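The crash above sits between the last log line ("9a: filter=...") and the entry into find_entries(), so the filter-building step and the arguments handed to the search are the first things to check. Two defects in that fragment are worth closing regardless of where the SIGSEGV comes from: the client address is pasted into an LDAP filter without escaping, and the fixed 200-byte buffer is filled with snprintf, which silently truncates and can leave a syntactically broken filter. The Go code below is an added example written for this page, not the plug-in's code; it assumes a `PluginConfig` struct with a `GroupSuffix` field standing in for the `conf->group_suffix` pointer in the post, and it escapes the value as RFC 4515 requires. In the C plug-in the same checks apply: test `conf` and `conf->group_suffix` for NULL before the snprintf, compare snprintf's return value against `sizeof(filter)`, and escape `*`, `(`, `)` and `\` in `clientIP`.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// EscapeFilterValue escapes an assertion value for use inside an LDAP search
// filter as RFC 4515 section 3 requires: '*', '(', ')', '\' and NUL become a
// backslash followed by two hex digits. A value taken from the connection
// (here the peer address) can then never change the meaning of the filter.
func EscapeFilterValue(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		c := v[i]
		switch c {
		case '*', '(', ')', '\\', 0x00:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// BuildNetgroupFilter builds the "(memberNisNetgroup=<client>)" filter the
// plug-in in the post builds with snprintf, but refuses empty input and
// reports when the result would not fit. maxLen mirrors the fixed 200-byte
// buffer: snprintf would silently truncate, producing an unbalanced filter.
func BuildNetgroupFilter(clientIP string, maxLen int) (string, error) {
	if clientIP == "" {
		return "", errors.New("empty client address")
	}
	f := "(memberNisNetgroup=" + EscapeFilterValue(clientIP) + ")"
	if len(f) >= maxLen { // snprintf needs one byte for the terminating NUL
		return "", fmt.Errorf("filter would be truncated (%d >= %d bytes)", len(f), maxLen)
	}
	return f, nil
}

// PluginConfig stands in for the plug-in's conf structure; the real struct is
// not on the page, so this is an assumption made for the example.
type PluginConfig struct {
	GroupSuffix string
}

// PreBindFilter is the checked form of the step that crashed: every input the
// search depends on is validated before the search would be attempted.
func PreBindFilter(conf *PluginConfig, clientIP string) (suffix, filter string, err error) {
	if conf == nil || conf.GroupSuffix == "" {
		return "", "", errors.New("plug-in configuration has no group suffix")
	}
	filter, err = BuildNetgroupFilter(clientIP, 200)
	if err != nil {
		return "", "", err
	}
	return conf.GroupSuffix, filter, nil
}

func main() {
	conf := &PluginConfig{GroupSuffix: "ou=netgroups,dc=example,dc=cz"} // constructed value
	for _, ip := range []string{"2001:718:1:6::134:138", "(fe80::1)"} {
		s, f, err := PreBindFilter(conf, ip)
		fmt.Printf("suffix=%q filter=%q err=%v\n", s, f, err)
	}
	_, _, err := PreBindFilter(nil, "10.0.0.1")
	fmt.Println("nil config:", err)
}
```

The second sample address contains parentheses only to show the escaping; with the original snprintf it would have produced `(memberNisNetgroup=(fe80::1))`, which the server rejects as a bad filter.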


[389-users] Plugin-in Guide for 1.4.0

2020-08-28 Thread Jan Tomasek
Hi,

I'm migrating 389DS from 1.2.11 to 1.4.0.11 on Debian Buster. I have two
plug-ins which I would like to use with the new server; they compile OK, but
the server crashes when they are about to be used.

What is the actual documentation? I've found

https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/plug-in_guide/Plugin_Programming_Guide-Preface-Using_DS_Plug_in_APIs

But I'm not sure if this is the latest for plug-ins. For the server itself it is
not; it talks about the obsolete Admin Console.

Thanks
-- 
-----------
Jan Tomasek aka Semik
http://www.tomasek.cz/





[389-users] Creating extra backend database for sub-sub-suffix

2020-08-28 Thread Jan Tomasek
Hi,

I've this directory structure:

dc=example,dc=cz
  + o=apps,dc=example,dc=cz
     + o=TCS2,o=apps,dc=example,dc=cz

I would like to store o=TCS2,o=apps,dc=example,dc=cz in its own database,
to be able to create custom indexes only for entries under
o=TCS2,o=apps,dc=example,dc=cz.

When I create it this way:

dsconf -D "cn=Directory Manager" -w "$pswd" \
   ldap://localhost backend create \
   --be-name "example_cz" --suffix="dc=example,dc=cz"

dsconf -D "cn=Directory Manager" -w "$pswd" \
   ldap://localhost backend create \
   --be-name "TCS2_apps_example_cz" \
   --suffix="o=TCS2,o=apps,dc=example,dc=cz" \
   --parent-suffix="o=apps,dc=example,dc=cz"

Then I'm unable to find o=TCS2 under o=apps,dc=example,dc=cz:

semik@doma:~$ ldapsearch -LLL -H ldaps://ldap.example.cz -D
"cn=directory manager" -W -x -b o=apps,dc=example,dc=cz '(o=TCS2)'
Enter LDAP Password:
semik@doma:~$

But it is there:

semik@doma:~$ ldapsearch -LLL -H ldaps://ldap.example.cz -D
"cn=directory manager" -W -x -b o=TCS2,o=apps,dc=example,dc=cz '(o=TCS2)'
Enter LDAP Password:
dn: o=TCS2,o=apps,dc=example,dc=cz
objectClass: top
objectClass: organization
o: TCS2

It is very likely because 389DS doesn't understand what I want to do.

semik@doma:~$ ldapsearch -LLL -H ldaps://ldap.example.cz -D
"cn=directory manager" -W -x -s base -b '' '(objectClass=*)'
namingContexts nsBackendSuffix
Enter LDAP Password:
dn:
namingContexts: o=TCS2,o=apps,dc=example,dc=cz
namingContexts: dc=example,dc=cz
nsBackendSuffix: example_cz:dc=example,dc=cz
nsBackendSuffix: TCS2_apps_example_cz:o=TCS2,o=apps,dc=example,dc=cz

When I create another database for o=apps,dc=example,dc=cz this way:

dsconf -D "cn=Directory Manager" -w "$pswd" \
   ldap://localhost backend create \
   --be-name "example_cz" --suffix="dc=example,dc=cz"

dsconf -D "cn=Directory Manager" -w "$pswd" \
   ldap://localhost backend create \
   --be-name "apps_example_cz" \
   --suffix="o=apps,dc=example,dc=cz" \
   --parent-suffix="dc=example,dc=cz"

dsconf -D "cn=Directory Manager" -w "$pswd" \
   ldap://localhost backend create \
   --be-name "TCS2_apps_example_cz" \
   --suffix="o=TCS2,o=apps,dc=example,dc=cz" \
   --parent-suffix="o=apps,dc=example,dc=cz"

It works:

semik@doma:~$ ldapsearch -LLL -H ldaps://ldap.example.cz -D
"cn=directory manager" -W -x -b o=apps,dc=example,dc=cz '(o=TCS2)'
Enter LDAP Password:
dn: o=TCS2,o=apps,dc=example,dc=cz
objectClass: top
objectClass: organization
o: TCS2

semik@doma:~$ ldapsearch -LLL -H ldaps://ldap.example.cz -D
"cn=directory manager" -W -x -s base -b '' '(objectClass=*)'
namingContexts nsBackendSuffix
Enter LDAP Password:
dn:
namingContexts: dc=example,dc=cz
nsBackendSuffix: example_cz:dc=example,dc=cz
nsBackendSuffix: apps_example_cz:o=apps,dc=example,dc=cz
nsBackendSuffix: TCS2_apps_example_cz:o=TCS2,o=apps,dc=example,dc=cz

In the first scenario, there are two separate namingContexts,
o=TCS2,o=apps,dc=example,dc=cz and dc=example,dc=cz.


I want to get rid of the extra apps_example_cz backend database if possible.
Is there a way to NOT create a database for o=apps,dc=example,dc=cz?

Thanks
-- 
---
Jan Tomasek aka Semik
http://www.tomasek.cz/




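The two root-DSE results above can be reproduced with a small model, added here as an example and not taken from the 389 project. The rule it encodes is the one the post demonstrates, stated as an assumption: a backend is subordinate to its `--parent-suffix` only when that parent suffix is itself served by a backend; a parent that nobody serves makes the child a separate naming context. The `Backend` type and the DN normalisation are written for this example; 389's real mapping-tree logic is not on the page.

```go
package main

import (
	"fmt"
	"strings"
)

// Backend mirrors one "dsconf ... backend create" call from the post.
type Backend struct {
	Name, Suffix, ParentSuffix string
}

// normDN lower-cases a DN and drops whitespace around commas so that two
// spellings of the same suffix compare equal. It does not handle escaped
// commas, which do not occur in the suffixes above.
func normDN(dn string) string {
	parts := strings.Split(dn, ",")
	for i, p := range parts {
		parts[i] = strings.ToLower(strings.TrimSpace(p))
	}
	return strings.Join(parts, ",")
}

func servedSuffixes(backends []Backend) map[string]bool {
	served := map[string]bool{}
	for _, b := range backends {
		served[normDN(b.Suffix)] = true
	}
	return served
}

// NamingContexts returns what the root DSE would publish. Assumption drawn
// from the two results in the post: a backend hangs below its parent only
// when the parent suffix is itself served by a backend; otherwise it is
// listed as a separate naming context.
func NamingContexts(backends []Backend) []string {
	served := servedSuffixes(backends)
	var roots []string
	for _, b := range backends {
		if b.ParentSuffix == "" || !served[normDN(b.ParentSuffix)] {
			roots = append(roots, b.Suffix)
		}
	}
	return roots
}

// MissingParents lists parent suffixes that are referenced but served by no
// backend; each one accounts for one unexpected extra naming context.
func MissingParents(backends []Backend) []string {
	served := servedSuffixes(backends)
	var missing []string
	for _, b := range backends {
		if b.ParentSuffix != "" && !served[normDN(b.ParentSuffix)] {
			missing = append(missing, b.ParentSuffix)
		}
	}
	return missing
}

func main() {
	// The two layouts from the post.
	first := []Backend{
		{"example_cz", "dc=example,dc=cz", ""},
		{"TCS2_apps_example_cz", "o=TCS2,o=apps,dc=example,dc=cz", "o=apps,dc=example,dc=cz"},
	}
	second := []Backend{
		{"example_cz", "dc=example,dc=cz", ""},
		{"apps_example_cz", "o=apps,dc=example,dc=cz", "dc=example,dc=cz"},
		{"TCS2_apps_example_cz", "o=TCS2,o=apps,dc=example,dc=cz", "o=apps,dc=example,dc=cz"},
	}
	for _, s := range [][]Backend{first, second} {
		fmt.Println("namingContexts:", NamingContexts(s), "unserved parents:", MissingParents(s))
	}
}
```

Running it prints two naming contexts and the unserved parent `o=apps,dc=example,dc=cz` for the first layout, and a single naming context for the second, which is exactly the difference between the two ldapsearch results above.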

[389-users] Re: How to disable attribute encryption

2020-08-18 Thread Jan Tomasek

On 8/18/20 3:21 PM, Mark Reynolds wrote:

Looks like you are all good then...


Yes, but... is it possible to prevent creating "encrypted attribute 
keys" and seeing this message in the logs:


 ERR - attrcrypt_cipher_init - Symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped.  To recover the encrypted contents, keep the wrapped symmetric key value. 


every time I replace the LDAPS certificate?

--
-------
Jan Tomasek aka Semik
http://www.tomasek.cz/





[389-users] Re: How to disable attribute encryption

2020-08-18 Thread Jan Tomasek

Hi Mark,

On 8/18/20 2:56 PM, Mark Reynolds wrote:
The best option would be a config option to disable attribute encryption 
for all databases, but I failed to find out whether it is possible.


You have to delete each attribute that was configured for attribute 
encryption (like what you did above, but you can also use the CLI tools):


https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/configuring_attribute_encryption#disabling_encryption_for_an_attribute_using_the_command_line


I didn't explicitly configure any attribute for encryption. But the server 
creates encryption keys anyway.


When I try:

# dsconf cml3 backend attr-encrypt --list dc=cesnet,dc=cz
There are no encrypted attributes for this backend

Also:

# ldapsearch -H ldap://localhost -D "cn=Directory Manager" -W -LLL -o 
ldif-wrap=no -b "cn=ldbm database,cn=plugins,cn=config" 
"(objectClass=nsAttributeEncryption)"

Enter LDAP Password:
#

--
---
Jan Tomasek aka Semik
http://www.tomasek.cz/





[389-users] How to disable attribute encryption

2020-08-18 Thread Jan Tomasek

Hello,

is it possible to disable attribute encryption in 389 DS? I'm running 
1.4.0.21 @ Debian Buster.


After replacing the TLS certificate I'm receiving errors:


[18/Aug/2020:10:25:16.099482453 +0200] - ERR - attrcrypt_unwrap_key - Failed to 
unwrap key for cipher 3DES
[18/Aug/2020:10:25:16.099670006 +0200] - ERR - attrcrypt_cipher_init - 
Symmetric key failed to unwrap with the private key; Cert might have been 
renewed since the key is wrapped.  To recover the encrypted contents, keep the 
wrapped symmetric key value.


I found: 
https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/updating_the_tls_certificates_used_for_attribute_encryption 



But I do not use any encrypted attributes, so dumping and restoring the 
database is not a nice way to deal with such an error.


Just deleting all keys and restarting the server works too:

ldapsearch -H ldap://localhost -D "cn=Directory Manager" -W -LLL -o 
ldif-wrap=no -b "cn=ldbm database,cn=plugins,cn=config" 
"(nsSymmetricKey=*)" dn | sed "s/^$/changetype: delete\n/" | ldapmodify 
-H ldap://localhost -D "cn=Directory Manager" -W

Enter LDAP Password: Enter LDAP Password:
***
deleting entry "cn=3DES,cn=encrypted attribute keys,cn=xxx,cn=ldbm 
database,cn=plugins,cn=config"
deleting entry "cn=AES,cn=encrypted attribute keys,cn=xxx,cn=ldbm 
database,cn=plugins,cn=config"
deleting entry "cn=3DES,cn=encrypted attribute keys,xxx,cn=ldbm 
database,cn=plugins,cn=config"
deleting entry "cn=AES,cn=encrypted attribute keys,xxx,cn=ldbm 
database,cn=plugins,cn=config"

...

The best option would be a config option to disable attribute encryption 
for all databases, but I failed to find out whether it is possible.


Thanks
--
---
Jan Tomasek aka Semik
http://www.tomasek.cz/




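What the error above describes is a key-wrapping problem: the per-backend symmetric key is stored wrapped under the server certificate's public key, so once the certificate is renewed with a new key pair, only the old private key can unwrap it. The Go program below is an added example written for this page, not 389's attrcrypt code; it uses RSA-OAEP as a stand-in for whatever wrapping the server performs, which the page does not describe. It shows both the failure (unwrap with the renewed key alone) and the step that has to happen before the old key is discarded (unwrap with the old key, wrap again under the new one).

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// WrapKey wraps the per-backend symmetric key with the server certificate's
// public key. 389 DS keeps the result as nsSymmetricKey under
// "cn=encrypted attribute keys"; RSA-OAEP is this example's stand-in for the
// server's actual wrapping mechanism.
func WrapKey(pub *rsa.PublicKey, symKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, symKey, nil)
}

// UnwrapKey is what attrcrypt_unwrap_key has to do at startup: only the
// private key matching the wrapping certificate can recover the key.
func UnwrapKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
}

// RewrapKey is the migration step: unwrap while the old private key is still
// available, then wrap again for the renewed certificate.
func RewrapKey(oldPriv *rsa.PrivateKey, newPub *rsa.PublicKey, wrapped []byte) ([]byte, error) {
	k, err := UnwrapKey(oldPriv, wrapped)
	if err != nil {
		return nil, fmt.Errorf("unwrap with old key: %w", err)
	}
	return WrapKey(newPub, k)
}

// Demo uses two fresh RSA key pairs as the old and the renewed certificate
// keys. It returns whether a plain unwrap with the new key succeeds (it must
// not) and whether the rewrap path preserves the symmetric key (it must).
func Demo() (unwrapWithNewKeyOK bool, rewrapOK bool, err error) {
	oldKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	newKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	symKey := make([]byte, 32) // a 256-bit key, as the AES entry on the page would hold
	if _, err := rand.Read(symKey); err != nil {
		return false, false, err
	}
	wrapped, err := WrapKey(&oldKey.PublicKey, symKey)
	if err != nil {
		return false, false, err
	}
	// Certificate renewed with a new key pair, old wrap left in place: this is
	// the state behind "Symmetric key failed to unwrap with the private key".
	_, errNew := UnwrapKey(newKey, wrapped)
	unwrapWithNewKeyOK = errNew == nil

	rewrapped, err := RewrapKey(oldKey, &newKey.PublicKey, wrapped)
	if err != nil {
		return unwrapWithNewKeyOK, false, err
	}
	got, err := UnwrapKey(newKey, rewrapped)
	if err != nil {
		return unwrapWithNewKeyOK, false, err
	}
	return unwrapWithNewKeyOK, bytes.Equal(got, symKey), nil
}

func main() {
	newOK, rewrapOK, err := Demo()
	fmt.Printf("unwrap with renewed key alone: %v\nrewrap via old key, then unwrap: %v\nerror: %v\n",
		newOK, rewrapOK, err)
}
```

Because no attribute was encrypted on the poster's server, deleting the key entries and letting the server generate fresh ones (the workaround in the post) loses nothing. With encrypted attributes present, the data is only recoverable while the old private key exists, which is why the linked Red Hat procedure exports the database before the certificate change and imports it afterwards.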

[389-users] Re: Production level 389 release

2019-04-03 Thread Jan Tomasek

Hi Mark,

On 4/2/19 3:46 PM, Mark Reynolds wrote:

I'm preparing a migration from 389 DS 1.2.5. I'm using a single master and 4
replicas, all on RedHat, which I would like to abandon in favor of Debian,
which is my main platform.
...
And as I have mentioned multiple times on this mailing list the 
389-admin/console packages are deprecated and will be completely removed in 
Fedora 31.  So I am afraid on Debian and other platforms that do not 
have "Cockpit" there will not be any kind of UI.


In fact, it is possible to install Cockpit on Debian Buster; it just 
isn't present in the minimal installation. It wasn't working for me. I 
will give it another try and send a bug report, as Timo Aaltonen asked in 
a later email. I need to verify first; I had never heard about Cockpit 
before.


I expect/hope the new Cockpit UI will be 100% complete in the next two 
months (hopefully sooner).


It looks very nice, I will monitor this mailing list more closely. 
Thanks for your work.


--
---
Jan Tomasek aka Semik
http://www.tomasek.cz/


[389-users] Production level 389 release

2019-04-02 Thread Jan Tomasek
Hi,

I'm preparing a migration from 389 DS 1.2.5. I'm using a single master and 4
replicas, all on RedHat, which I would like to abandon in favor of Debian,
which is my main platform.

My idea was to use the 389-ds 1.4.x line on Debian/Buster, but the 389-admin
package is completely missing [1]. They ship cockpit-389-ds 1.4.0.21-1, which
doesn't work on Debian at all. It declares that 389-ds-base isn't installed,
although it is installed and configured.

I tried Fedora 29; there is 1.4.0.21-1.fc29 and it works... somehow.
Schema editing is possible. But database management is broken: it
shows two suffixes, dc=example,dc=com and o=ipaca.com, which are not
present in the 389-ds configuration file dse.ldif. And it is unable to
detect the defined suffix. It looks nice, but it seems that many things
might not be working even on Fedora.

Is it possible to manage 389-ds 1.4.x with 389-admin 1.1.46 and
389-admin-console 1.1.12-5.fc29? This is the combination Fedora 29 comes with.

Or is it safer to stick with 389-ds 1.3.x, which is shipped with RHEL 7 &
Debian/Stretch, and use 389-admin & 389-console for managing them?

Thanks for responses

[1]
https://packages.debian.org/search?keywords=389-admin&searchon=names&suite=all&section=all

-- 
---
Jan Tomasek aka Semik
http://www.tomasek.cz/


[389-users] Database to LDIF without running DS?

2014-12-08 Thread Jan Tomasek

Hello,

I made a stupid mistake and deleted some entries... the only backup I have 
is the *.db4 files from a filesystem backup.


Is there any chance to convert them to LDIF without running DS?

I can't restore them to the place where the active database is running, and 
I do not see any other way to use db2ldif.pl.


Thanks
--
-------
Jan Tomasek aka Semik
http://www.tomasek.cz/
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Re: [389-users] How relevant is Poodlebleed Bug to 389?

2014-10-15 Thread Jan Tomasek

Hello,

On 10/15/2014 04:58 PM, Rich Megginson wrote:

is http://poodlebleed.com/ related to 389? I think it is, this is not
implementation flaw in OpenSSL, this seems to be related to the SSLv3
design.


By not commenting on this, I assume that: yes, this bug is relevant even to 
389.



I've found:
http://directory.fedoraproject.org/docs/389ds/design/nss-cipher-design.html


but the new syntax with -SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA doesn't seem
to be working on my system:


The new syntax might not yet be supported on 1.2.11 (el5)

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_SSL-Setting_Security_Preferences.html


For 1.2.11.28-1.el5 I've succeeded with this setting:

nsSSL2: off
nsSSL3: off
nsSSL3Ciphers: +all, -rsa_rc4_40_md5, -rsa_rc2_40_md5, -rsa_des_sha, 
-dhe_dss_des_sha, -rsa_rc4_128_md5, -fortezza_rc4_128_sha, 
-tls_dhe_dss_rc4_128_sha, -tls_rsa_export1024_with_rc4_56_sha, 
-tls_dhe_dss_1024_rc4_sha, -tls_dhe_rsa_aes_128_sha, 
-tls_dhe_dss_aes_128_sha


Thanks
--
-----------
Jan Tomasek aka Semik
http://www.tomasek.cz/

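The nsSSL3Ciphers value above is of the "+all, then exclusions" form, which is only as good as the exclusion list: any weak cipher that the build happens to know and the list forgets stays enabled. The Go program below is an added example, not a 389 tool; it parses that directive syntax, evaluates which names end up enabled, and flags the ones that are weak by name, together with a check that nsSSL3 is off. `PageDirective` is the value from the post; `Candidates` is a constructed stand-in for the server build's cipher inventory, which is not on the page, and `rsa_null_sha` is included in it purely to show how an unlisted weak cipher survives "+all".

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// PageDirective is the nsSSL3Ciphers value from the post above.
const PageDirective = "+all, -rsa_rc4_40_md5, -rsa_rc2_40_md5, -rsa_des_sha, -dhe_dss_des_sha, -rsa_rc4_128_md5, -fortezza_rc4_128_sha, -tls_dhe_dss_rc4_128_sha, -tls_rsa_export1024_with_rc4_56_sha, -tls_dhe_dss_1024_rc4_sha, -tls_dhe_rsa_aes_128_sha, -tls_dhe_dss_aes_128_sha"

// Candidates is a constructed stand-in for the cipher inventory of the
// server build; the real list for 1.2.11 is not on the page.
var Candidates = []string{
	"rsa_rc4_40_md5", "rsa_rc2_40_md5", "rsa_des_sha", "dhe_dss_des_sha",
	"rsa_rc4_128_md5", "fortezza_rc4_128_sha", "tls_dhe_dss_rc4_128_sha",
	"tls_rsa_export1024_with_rc4_56_sha", "tls_dhe_dss_1024_rc4_sha",
	"tls_dhe_rsa_aes_128_sha", "tls_dhe_dss_aes_128_sha",
	"rsa_3des_sha", "rsa_aes_128_sha", "rsa_aes_256_sha", "rsa_null_sha",
}

// CipherDirective is a parsed nsSSL3Ciphers value.
type CipherDirective struct {
	AllOn    bool
	Enabled  map[string]bool
	Disabled map[string]bool
}

// ParseCipherDirective parses the "+all, -name, +name" form. Names are
// compared case-insensitively, so both the older lower-case names and the
// newer SSL_/TLS_ style names are accepted.
func ParseCipherDirective(v string) (CipherDirective, error) {
	d := CipherDirective{Enabled: map[string]bool{}, Disabled: map[string]bool{}}
	for _, tok := range strings.Split(v, ",") {
		tok = strings.ToLower(strings.TrimSpace(tok))
		switch {
		case tok == "":
		case tok == "+all":
			d.AllOn = true
		case strings.HasPrefix(tok, "+"):
			d.Enabled[tok[1:]] = true
		case strings.HasPrefix(tok, "-"):
			d.Disabled[tok[1:]] = true
		default:
			return d, fmt.Errorf("cipher token %q lacks a +/- prefix", tok)
		}
	}
	return d, nil
}

// IsEnabled: an explicit "-name" always wins; otherwise "+all" or "+name".
func (d CipherDirective) IsEnabled(name string) bool {
	name = strings.ToLower(name)
	if d.Disabled[name] {
		return false
	}
	return d.AllOn || d.Enabled[name]
}

// weakMarkers identify export grades, RC4, RC2, Fortezza, NULL and MD5.
var weakMarkers = []string{"export", "_40_", "_56_", "rc4", "rc2", "fortezza", "null", "md5"}

// IsWeak flags a cipher by name; "_des_" (as opposed to "3des") is single DES.
func IsWeak(name string) bool {
	n := strings.ToLower(name)
	for _, m := range weakMarkers {
		if strings.Contains(n, m) {
			return true
		}
	}
	return strings.Contains(n, "_des_")
}

// AuditCipherConfig returns the weak ciphers that remain enabled, or an error
// when SSLv3 is still on or the directive does not parse.
func AuditCipherConfig(nsSSL3, directive string, candidates []string) ([]string, error) {
	if strings.EqualFold(strings.TrimSpace(nsSSL3), "on") {
		return nil, errors.New("nsSSL3 is on; SSLv3 must be off after POODLE")
	}
	d, err := ParseCipherDirective(directive)
	if err != nil {
		return nil, err
	}
	var weak []string
	for _, c := range candidates {
		if d.IsEnabled(c) && IsWeak(c) {
			weak = append(weak, c)
		}
	}
	return weak, nil
}

func main() {
	weak, err := AuditCipherConfig("off", PageDirective, Candidates)
	fmt.Println("weak ciphers still enabled:", weak, "error:", err)
}
```

Against the constructed inventory the audit reports `rsa_null_sha` as still enabled, which is the general weakness of exclusion lists; an explicit allow list of "+name" tokens, which the same parser evaluates, cannot be caught out by a cipher it never mentions. The marker list mirrors what the post excludes and therefore leaves 3DES alone; a current policy would drop that as well (SWEET32).
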
[389-users] How relevant is Poodlebleed Bug to 389?

2014-10-15 Thread Jan Tomasek

Hello,

is http://poodlebleed.com/ related to 389? I think it is; this is not an 
implementation flaw in OpenSSL, it seems to be related to the SSLv3 
design.


I've found:
http://directory.fedoraproject.org/docs/389ds/design/nss-cipher-design.html

but the new syntax with -SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA doesn't seem to 
be working on my system:


ldap-dev:~# yum list installed |grep 389
389-admin.x86_64              1.1.29-1.el5
389-admin-console.noarch      1.1.8-1.el5
389-admin-console-doc.noarch  1.1.8-1.el5
389-adminutil.x86_64          1.1.20-1.el5
389-console.noarch            1.1.7-3.el5
389-ds.noarch                 1.2.1-1.el5
389-ds-base.x86_64            1.2.11.28-1.el5
389-ds-base-devel.x86_64      1.2.11.28-1.el5
389-ds-base-libs.x86_64       1.2.11.28-1.el5
389-ds-console.noarch         1.2.6-1.el5
389-ds-console-doc.noarch     1.2.6-1.el5
389-dsgw.x86_64               1.1.11-1.el5

I'm running on CentOS 5 with EPEL sources.

Thanks
--
-----------
Jan Tomasek aka Semik
http://www.tomasek.cz/

Re: [389-users] ACI to permit user create his own subentry?

2014-02-16 Thread Jan Tomasek
On 02/06/2014 11:23 AM, Jan Tomasek wrote:
> I need a user to be able to add a subentry below his own entry.
> 
> In this structure:
> 
> dc=cz
>   ou=People
>     uid=test1
>       dc=123 ??
>     uid=test2
> 
> How to write an ACI so that test1 could add only under his own entry? Sadly
> (target = "ldap:///self") is not permitted.
> 
> Any idea how to write an ACI at the level of ou=People?

I have found solution:

(targetfilter = "(&(objectclass=appPassword)(!(objectClass=inetOrgPerson)))")
(version 3.0; acl "appPassword parrent (add, delete)"; allow (add,delete)
 (userdn = "ldap:///parent");)

and one more to hide the added entries from everyone except the parent:

(targetattr = "*")(targetfilter = "(objectclass=appPassword)")
(version 3.0; acl "appPassword hide except parent"; deny (all)
 (userdn = "ldap:///anyone" and not userdn = "ldap:///parent");)

:)
-- 
---
Jan Tomasek aka Semik
http://www.tomasek.cz/

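The whole authorisation decision in the ACIs above rests on "is the bind DN the immediate parent of the target entry", so it is worth seeing what that comparison has to get right: DNs compare case-insensitively for these attribute types, whitespace after commas is insignificant, and a comma escaped inside an RDN value must not be treated as a separator. The Go code below is an added example written for this page and models the intent of the first ACI; it is not 389's ACI evaluator. The `Entry` type and the assumption that every attribute type involved (uid, ou, dc, cn) uses case-insensitive matching are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// SplitRDNs splits a DN into RDNs, honouring backslash escapes so that
// "cn=Tomasek\, Jan,ou=People,dc=cz" yields three RDNs, not four (RFC 4514).
func SplitRDNs(dn string) ([]string, error) {
	var rdns []string
	var cur strings.Builder
	for i := 0; i < len(dn); i++ {
		switch c := dn[i]; c {
		case '\\':
			if i+1 >= len(dn) {
				return nil, errors.New("dangling escape in DN")
			}
			cur.WriteByte(c)
			cur.WriteByte(dn[i+1])
			i++
		case ',':
			rdns = append(rdns, strings.TrimSpace(cur.String()))
			cur.Reset()
		default:
			cur.WriteByte(c)
		}
	}
	return append(rdns, strings.TrimSpace(cur.String())), nil
}

// ParentDN returns the entry one level up, i.e. what "ldap:///parent" names.
func ParentDN(dn string) (string, error) {
	rdns, err := SplitRDNs(dn)
	if err != nil {
		return "", err
	}
	if len(rdns) < 2 {
		return "", errors.New("DN has no parent")
	}
	return strings.Join(rdns[1:], ","), nil
}

// normRDN lower-cases attribute type and value and trims whitespace
// (assumption: all types involved match case-insensitively).
func normRDN(rdn string) string {
	t, v, _ := strings.Cut(rdn, "=")
	return strings.ToLower(strings.TrimSpace(t)) + "=" + strings.ToLower(strings.TrimSpace(v))
}

// EqualDN compares two DNs RDN by RDN after normalisation.
func EqualDN(a, b string) bool {
	ra, err1 := SplitRDNs(a)
	rb, err2 := SplitRDNs(b)
	if err1 != nil || err2 != nil || len(ra) != len(rb) {
		return false
	}
	for i := range ra {
		if normRDN(ra[i]) != normRDN(rb[i]) {
			return false
		}
	}
	return true
}

// Entry is the minimal view of the entry being added or deleted.
type Entry struct {
	DN            string
	ObjectClasses []string
}

func (e Entry) hasClass(c string) bool {
	for _, oc := range e.ObjectClasses {
		if strings.EqualFold(oc, c) {
			return true
		}
	}
	return false
}

// ParentMayModify models the first ACI above: add/delete of an appPassword
// entry that is not also an inetOrgPerson is allowed only to the bind DN that
// is the entry's immediate parent. A model for this example, not 389's code.
func ParentMayModify(bindDN string, e Entry) bool {
	if !e.hasClass("appPassword") || e.hasClass("inetOrgPerson") {
		return false
	}
	parent, err := ParentDN(e.DN)
	if err != nil {
		return false
	}
	return EqualDN(parent, bindDN)
}

func main() {
	e := Entry{DN: "dc=123,uid=test1,ou=People,dc=cz", ObjectClasses: []string{"top", "appPassword"}} // constructed
	for _, bind := range []string{"uid=test1,ou=People,dc=cz", "uid=test2,ou=People,dc=cz"} {
		fmt.Printf("%s may add/delete %s: %v\n", bind, e.DN, ParentMayModify(bind, e))
	}
}
```

The `(!(objectClass=inetOrgPerson))` clause in the targetfilter is what keeps a user from adding or deleting person entries under himself; the model reproduces that by refusing any entry that carries inetOrgPerson, regardless of who binds. Note that ACIs never apply to cn=Directory Manager, so tests of such rules must bind as an ordinary user.
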
[389-users] ACI to permit user create his own subentry?

2014-02-06 Thread Jan Tomasek

Hello,

I need a user to be able to add a subentry below his own entry.

In this structure:

dc=cz
  ou=People
    uid=test1
      dc=123 ??
    uid=test2

How to write an ACI so that test1 could add only under his own entry? Sadly 
(target = "ldap:///self") is not permitted.


Any idea how to write an ACI at the level of ou=People?

--
-------
Jan Tomasek aka Semik
http://www.tomasek.cz/

Re: [389-users] The admin server: failed to get a socket for 0.0.0.0

2014-01-19 Thread Jan Tomasek
On 01/15/2014 11:30 AM, Jan Tomasek wrote:
>> [root@ldap21shadow ~]# /etc/init.d/dirsrv-admin start
>> Starting dirsrv-admin:
>> [Wed Jan 15 05:29:55 2014] [crit] (22)Invalid argument:
>> alloc_listener: failed to get a socket for 0.0.0.0
>> Syntax error on line 87 of /etc/dirsrv/admin-serv/console.conf:
>> Listen setup failed

After upgrading to linux-image-2.6.32-5-openvz-amd64 the problem is gone.

So just for the record. Versions:

> # yum list installed |grep 389
> 389-admin.x86_64              1.1.23-1.el5    installed
> 389-admin-console.noarch      1.1.8-1.el5     installed
> 389-admin-console-doc.noarch  1.1.8-1.el5     installed
> 389-adminutil.x86_64          1.1.14-1.el5    installed
> 389-console.noarch            1.1.7-3.el5     installed
> 389-ds.noarch                 1.2.1-1.el5     installed
> 389-ds-base.x86_64            1.2.9.9-1.el5   installed
> 389-ds-base-libs.x86_64       1.2.9.9-1.el5   installed
> 389-ds-console.noarch         1.2.6-1.el5     installed
> 389-ds-console-doc.noarch     1.2.6-1.el5     installed
> 389-dsgw.x86_64               1.1.7-2.el5     installed

are correctly running on OpenVZ kernel 2.6.26 from Debian Squeeze and:

> # yum list installed |grep 389
> 389-admin.x86_64              1.1.35-1.el6         @epel
> 389-admin-console.noarch      1.1.8-1.el6          @epel
> 389-admin-console-doc.noarch  1.1.8-1.el6          @epel
> 389-adminutil.x86_64          1.1.19-1.el6         @epel
> 389-console.noarch            1.1.7-1.el6          @epel
> 389-ds.noarch                 1.2.2-1.el6          @epel
> 389-ds-base.x86_64            1.2.11.15-31.el6_5   @updates
> 389-ds-base-libs.x86_64       1.2.11.15-31.el6_5   @updates
> 389-ds-console.noarch         1.2.6-1.el6          @epel
> 389-ds-console-doc.noarch     1.2.6-1.el6          @epel
> 389-dsgw.x86_64               1.1.11-1.el6         @epel

are not. Weird. :)

-- 
---
Jan Tomasek aka Semik
http://www.tomasek.cz/




Re: [389-users] The admin server: failed to get a socket for 0.0.0.0

2014-01-16 Thread Jan Tomasek

On 01/15/2014 08:39 PM, Jonathan Vaughn wrote:

Ah, I should have been more clear - I was asking if it was, because
sometimes that sort of error can be caused be SELinux blocking the bind
operation. If it's not enabled, it obviously isn't the culprit though.

Though since you mention OpenVZ... maybe there's something weird with
the OpenVZ kernel?


OpenVZ doesn't support SELinux, but when:
[root@ldap21shadow ~]# sestatus
SELinux status: disabled

then it should not be an issue. I'm running other instances of 389 under 
OpenVZ, so that is not the problem.


[root@ldap21shadow ~]# head -87 /etc/dirsrv/admin-serv/console.conf | 
tail -5

# e.g. "Listen 12.34.56.78:80"
#
# To allow connections to IPv6 addresses add "Listen [::]:80"
#
Listen 0.0.0.0:9830

[root@ldap21shadow ~]# /etc/init.d/dirsrv-admin start
Starting dirsrv-admin:
[Wed Jan 15 05:29:55 2014] [crit] (22)Invalid argument: alloc_listener: 
failed to get a socket for 0.0.0.0

Syntax error on line 87 of /etc/dirsrv/admin-serv/console.conf:
Listen setup failed
Server failed to start !!! Please check errors log for problems

Why a syntax error on "Listen 0.0.0.0:9830"?

--
---
Jan Tomasek aka Semik
http://www.tomasek.cz/

Re: [389-users] The admin server: failed to get a socket for 0.0.0.0

2014-01-15 Thread Jan Tomasek
On 01/15/2014 06:57 PM, Jonathan Vaughn wrote:
> SELinux enabled?

No. I would like to avoid that. The server should run inside an OpenVZ
container, where it is not possible to enable it.

-- 
---
Jan Tomasek aka Semik
http://www.tomasek.cz/

[389-users] The admin server: failed to get a socket for 0.0.0.0

2014-01-15 Thread Jan Tomasek

Hello,

I'm trying to install a new LDAP server and am facing strange errors:


[14/01/15:04:47:03] - [Setup] Info Updating the configuration for the httpd 
engine . . .
[14/01/15:04:47:03] - [Setup] Warning Error: command 'getsebool 
httpd_can_connect_ldap' failed - output [getsebool:  SELinux is disabled] error 
[][14/01/15:04:47:03] - [Setup] Info Starting admin server . . .
[14/01/15:04:47:13] - [Setup] Info output: Starting dirsrv-admin:
[14/01/15:04:47:13] - [Setup] Info output: [Wed Jan 15 04:47:03 2014] [crit] 
(22)Invalid argument: alloc_listener: failed to get a socket for 0.0.0.0
[14/01/15:04:47:13] - [Setup] Info output: Syntax error on line 87 of 
/etc/dirsrv/admin-serv/console.conf:
[14/01/15:04:47:13] - [Setup] Info output: Listen setup failed
[14/01/15:04:47:13] - [Setup] Info output: Server failed to start !!! Please 
check errors log for problems
[14/01/15:04:47:13] - [Setup] Info output: ESC[60G[ESC[0;31mFAILEDESC[0;39m]
[14/01/15:04:47:13] - [Setup] Info The admin server was successfully started.
[14/01/15:04:47:13] - [Setup] Info Admin server was successfully created, 
configured, and started.
[14/01/15:04:47:13] - [Setup] Success Exiting . . .


I have found bug 377: https://fedorahosted.org/389/ticket/377, which 
seems to be fixed in 1.1.36, but sadly it's not available yet in the 
repositories:



[root@ldap21shadow ~]# yum list installed  |grep 389
389-admin.x86_64              1.1.35-1.el6         @epel
389-admin-console.noarch      1.1.8-1.el6          @epel
389-admin-console-doc.noarch  1.1.8-1.el6          @epel
389-adminutil.x86_64          1.1.19-1.el6         @epel
389-console.noarch            1.1.7-1.el6          @epel
389-ds.noarch                 1.2.2-1.el6          @epel
389-ds-base.x86_64            1.2.11.15-31.el6_5   @updates
389-ds-base-libs.x86_64       1.2.11.15-31.el6_5   @updates
389-ds-console.noarch         1.2.6-1.el6          @epel
389-ds-console-doc.noarch     1.2.6-1.el6          @epel
389-dsgw.x86_64               1.1.11-1.el6         @epel


I've tried the workaround described there by rmeggins. The output is very 
similar; only the warning about getsebool is gone:



Creating directory server . . .
/usr/sbin/semanage: SELinux policy is not managed or store cannot be accessed.
/usr/sbin/semanage: SELinux policy is not managed or store cannot be accessed.
Your new DS instance 'ldap21shadow' was successfully created.
Creating the configuration directory server . . .
Beginning Admin Server creation . . .
Creating Admin Server files and directories . . .
Updating adm.conf . . .
Updating admpw . . .
Registering admin server with the configuration directory server . . .
Updating adm.conf with information from configuration directory server . . .
Updating the configuration for the httpd engine . . .
/usr/sbin/semanage: SELinux policy is not managed or store cannot be accessed.
/usr/sbin/semanage: SELinux policy is not managed or store cannot be accessed.
Starting admin server . . .
output: Starting dirsrv-admin:
output: [Wed Jan 15 05:11:22 2014] [crit] (22)Invalid argument: alloc_listener: 
failed to get a socket for 0.0.0.0
output: Syntax error on line 87 of /etc/dirsrv/admin-serv/console.conf:
output: Listen setup failed
output: Server failed to start !!! Please check errors log for problems
output:[FAILED]
The admin server was successfully started.
Admin server was successfully created, configured, and started.
Exiting . . .
Log file is '/tmp/setup3KfWko.log'


The console.conf is identical to the configuration on my other servers:


[root@ldap21shadow ~]# head -87 /etc/dirsrv/admin-serv/console.conf | tail -5
# e.g. "Listen 12.34.56.78:80"
#
# To allow connections to IPv6 addresses add "Listen [::]:80"
#
Listen 0.0.0.0:9830


I've tried

Listen 9830
Listen [::]:9830
Listen 127.0.0.1: 9830

Still the same errors:


[root@ldap21shadow ~]# /etc/init.d/dirsrv-admin start
Starting dirsrv-admin:
[Wed Jan 15 05:29:55 2014] [crit] (22)Invalid argument: alloc_listener: failed 
to get a socket for 0.0.0.0
Syntax error on line 87 of /etc/dirsrv/admin-serv/console.conf:
Listen setup failed


Any suggestions?

Thanks!

--
---
Jan Tomasek aka Semik
http://www.tomasek.cz/
[14/01/15:05:10:46] - [Setup] Info This program will set up the 389 Directory and Administration Servers.

It is recommended that you have "root" privilege to set up the software.
Tips for using this program:
  - Press "Enter" to choose the default and go to the next screen
  - Type "Control-B" then "Enter" to go back to the previous screen
  - Type "Control-C" to cancel the setup program

[14/01/15:05:10:46] - [Setup] Inf

Re: [389-users] Secondary passwords - like Google's application specific passwords

2013-11-06 Thread Jan Tomasek

Hello,

please, does anybody have any idea how to implement this with 389?

Thanks

Jan

On 11/04/2013 07:40 PM, Jan Tomasek wrote:

Hi,

my question about PAM, libscript... comes from my idea: I would like to
implement secondary passwords in a very similar way to how Google's
application specific passwords work. [1]

We are using LDAP for centralized user management. Systems providing
services to users are verified against this LDAP. Users are saving those
passwords within mail clients, on workstations, on tablets, ... we would
like to give users the option to not store their main password within
their clients. We would like to offer them alternative passwords working
for email, calendar client and so on on a specific device. If one of the
devices is compromised, the user will only have to revoke the password for
that device.

In short, I want to offer users the possibility to generate secondary
passwords working for email and so on. I expect them to create multiple
passwords marked with some nickname, like:
   phone-email
   tablet-email
   phone-calendar
and so on. Those passwords should work with standard LDAP bind, but not
necessarily on the same suffix and/or where the primary LDAP is. We would
like to split the primary LDAP passwords used for financial and high-trust
applications from those serving email and calendar.

How to do something like this with 389 DS?

My idea is this:

uid=semik,dc=neco
objectClass: inetOrgPerson
cn: Jan Tomasek
sn: Tomasek
uid: semik
userPassword: {SSHA}...

dc=12345,uid=semik,dc=neco
objectClass: appPassword
dc: 12345
password: some-generated-password1
passwordLabel: phone-email

dc=12395,uid=semik,dc=neco
objectClass: appPassword
dc: 12395
password: some-generated-password2
passwordLabel: tablet-email

dc=12399,uid=semik,dc=neco
objectClass: appPassword
dc: 12399
password: some-generated-password3
passwordLabel: phone-calendar


I tried to implement this as PAM pass-through authentication. It works,
but it is very fragile.

I'm looking for a more robust and faster way. I know it is possible to do
this with a PreOperation plugin, but maybe there is some easier way. Or
maybe someone has already implemented such a plugin.

Any comments? Ideas?


Thanks

[1] https://support.google.com/accounts/answer/185833


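One detail of the proposed layout deserves a defender's correction before any plug-in is written around it: the appPassword subentries carry the secret in a clear-text `password` attribute, so a dump of that suffix hands out every device password at once. Keeping the secret in `userPassword` lets the server hash it with its configured storage scheme, and the verification is then the same as for any bind. The Go code below is an added example for this page, not 389 code or a plug-in: it generates a random device password, stores it in the `{SSHA}` format the post's `userPassword: {SSHA}...` line uses (base64 of SHA-1 over password and salt, followed by the salt), and verifies a candidate against the subentry selected by the dc RDN. The `AppPassword` type and the constructed entries are this example's own.

```go
package main

import (
	"crypto/rand"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// NewAppPassword returns a random secret with n bytes of entropy, encoded
// URL-safe so the user can paste it into a mail client once.
func NewAppPassword(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// HashSSHA builds a {SSHA} value as 389 DS stores it in userPassword:
// "{SSHA}" + base64(sha1(password || salt) || salt).
func HashSSHA(password string, salt []byte) string {
	h := sha1.New()
	h.Write([]byte(password))
	h.Write(salt)
	return "{SSHA}" + base64.StdEncoding.EncodeToString(append(h.Sum(nil), salt...))
}

// NewSSHA hashes with a fresh 8-byte salt.
func NewSSHA(password string) (string, error) {
	salt := make([]byte, 8)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	return HashSSHA(password, salt), nil
}

// VerifySSHA recomputes the digest with the embedded salt and compares in
// constant time; malformed values are rejected rather than treated as empty.
func VerifySSHA(stored, candidate string) (bool, error) {
	const prefix = "{SSHA}"
	if !strings.HasPrefix(stored, prefix) {
		return false, errors.New("not a {SSHA} value")
	}
	raw, err := base64.StdEncoding.DecodeString(stored[len(prefix):])
	if err != nil {
		return false, err
	}
	if len(raw) <= sha1.Size {
		return false, errors.New("{SSHA} value too short to contain a salt")
	}
	digest, salt := raw[:sha1.Size], raw[sha1.Size:]
	h := sha1.New()
	h.Write([]byte(candidate))
	h.Write(salt)
	return subtle.ConstantTimeCompare(digest, h.Sum(nil)) == 1, nil
}

// AppPassword is the appPassword subentry from the post, with the secret
// kept as a hashed userPassword instead of a clear-text "password".
type AppPassword struct {
	DC, Label, UserPassword string
}

// Authenticate checks the candidate against the subentry whose dc matches the
// RDN of the bind DN (dc=12345,uid=semik,dc=neco). Unknown dc, malformed
// stored value and wrong password all fail the same way.
func Authenticate(entries []AppPassword, dc, candidate string) bool {
	for _, e := range entries {
		if e.DC == dc {
			ok, err := VerifySSHA(e.UserPassword, candidate)
			return err == nil && ok
		}
	}
	return false
}

func main() {
	pw, _ := NewAppPassword(18)
	stored, _ := NewSSHA(pw)
	entries := []AppPassword{{DC: "12345", Label: "phone-email", UserPassword: stored}} // constructed
	fmt.Println("generated:", pw)
	fmt.Println("stored   :", stored)
	fmt.Println("auth ok  :", Authenticate(entries, "12345", pw))
	fmt.Println("auth bad :", Authenticate(entries, "12345", "wrong"))
}
```

Revoking a device password is then a delete of its subentry, which the parent-only ACI in the later thread permits to the owning user; because the value is hashed, the label (`phone-email`) is the only thing a reader of the entry learns.
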
Re: [389-users] PAM Pass through authentication only one threaded

2013-11-04 Thread Jan Tomasek
On 11/04/2013 05:22 PM, Rich Megginson wrote:
> On 11/04/2013 09:08 AM, Jan Tomasek wrote:
>> On 11/04/2013 05:04 PM, Rich Megginson wrote:
>>
>>> Does the script open a connection to the same server it is being called
>>> from?
>>
>> Yes.
> 
> So this is a case of self-deadlock?  I don't understand.  What is it
> exactly that you expect will happen?

If there is one connection it works. If there are 29 parallel bind
requests it works. If there are 30 or more it immediately hangs. I'm
trying to find out why 29 is OK and 30 is bad.

In other words deadlock happens only if I run 30+ parallel connections.
I do this:

> for i in `seq 1 30`
> do
> time ldapsearch -LLL -H ldaps://xxx.cesnet.cz -x \
>   -b dc=perun-shadow,dc=cesnet,dc=cz \
>   -D "uid=semik$i,ou=People,dc=perun-shadow,dc=cesnet,dc=cz" \
>   -w 'zadek' -s base dn &
> done 

and 389 is immediately deadlocked. That should not happen I think.

The script itself binds anonymously so it should not go into PAM.

That script was just a proof of concept. Maybe I should explain what I
want to do in another thread.

-- 
---
Jan Tomasek aka Semik
http://www.tomasek.cz/




Re: [389-users] SINGLE MASTER REPLICATION.

2013-11-02 Thread Jan Tomasek
Hello Ezequiel

On 11/02/2013 02:55 PM, Ezequiel Larrarte wrote:
> Hi people, I'm trying 389DS for the first time. After reading
> documentation about posible replication scenarios, I ve decided to try
> the single master replication, which is very simple.
> 
> I got it up and running between two servers: server1 (master -
> supplier), server2 (slave - consumer)
> 
> I do not understand why this update works:
> * I open 389ds-console on server2 (slave - consumer)
> * Add a new user
> * The new user is replicated successfully to server1 (master - supplier)
> 
> Consumers are supposed to be read only ... ???

LDAP has the concept of a referral, which is a sort of redirection. If a
client tries to modify a replica, the replica refuses and provides the
location where it is possible to complete the modification request.

Most clients do not understand referrals, but the 389 console does. Try
ldapmodify from the command line and you will see that it fails.

You can disable this on your replica. Check the Referrals tab in the
suffix configuration.

-- 
---
Jan Tomasek aka Semik
http://www.tomasek.cz/

Re: [389-users] PAM Pass through authentication only one threaded

2013-11-01 Thread Jan Tomasek

Hi Rich,

On 11/01/2013 02:22 PM, Rich Megginson wrote:
>> All ldapsearch scripts are executed in the background, i.e. in parallel.
>> But the server processes them serially. I can tell that by the increasing
>> time needed to process the ldapsearches. The increment of around 2 sec is
>> caused by the pam_unix delay because of the wrong password.
>>
>> Is the 389 bind process really serialized? Or have I just overlooked some
>> limit?
>
> PAM is not thread safe, in our experience, so we have to serialize calls
> into PAM.

Thank you for confirming my observation.

In fact I'm able to put my 389 server into deadlock.

I've written a simple auth script for libpam-script [1]. Its purpose is to
check the password of a user in an entry other than the main one; it is
attached.


Content of /etc/pam.d/ldapserver:
auth     required    /lib/security/pam_script.so onerr=fail dir=/usr/share/libpam-script
account  required    /lib/security/pam_script.so onerr=fail dir=/usr/share/libpam-script


[root@pdap 8445]# ls -l /usr/share/libpam-script
total 8
lrwxrwxrwx 1 root root   11 Oct 31 17:52 pam_script_acct -> perlauth.pl
lrwxrwxrwx 1 root root   11 Oct 31 17:52 pam_script_auth -> perlauth.pl
-rwxr-xr-x 1 root root 2450 Oct 31 19:45 perlauth.pl

It works fine in its serialized way, as long as there are at most 29
parallel connections.


If there are 30 or more parallel connections, 389 hangs forever. Very
often killing the ldapsearch processes does not help. The server is very
often unable to restart, so I have to kill it with -9.


My question is whether there is any limit related to the number of parallel
bind operations. I guess there is something related to 30, or more likely
to 60, since my plugin itself opens another connection to the same LDAP server.


Thanks

[1] http://sourceforge.net/projects/pam-script/

-- 
-------
Jan Tomasek aka Semik
http://www.tomasek.cz/
#!/usr/bin/perl -w

use strict;
use Net::LDAPS;
use Net::LDAP::Constant qw(LDAP_SUCCESS);
use Sys::Syslog qw(:standard :macros);
use Net::LDAP::Util qw(escape_filter_value);


my $prg_name = $0;
$prg_name =~ s/.*\///;

my $ldap_host = 'localhost';
my $ldap_port = 636;

my $pam_user = 'PAM_USER';
my $pam_type = 'PAM_TYPE';
my $pam_password = 'PAM_AUTHTOK';

sub syslog_escape {
  my $str = shift;
  my @chr = split(//, $str);

  for(my $i=0; $i<@chr; $i++) {
if (ord($chr[$i])>127) {
  $chr[$i] = sprintf('\0x%X', ord($chr[$i]));
};
  };

  return join('', @chr);
};

sub logger {
  my $priority = shift;
  my $msg = shift;

  openlog($prg_name, 'pid', LOG_LOCAL0);
  syslog($priority, syslog_escape($msg));
  closelog;
};

sub local_die {
  logger(LOG_ERR, @_);
  die;
};

sub log_pam_env {
  my @out;

  foreach my $key (keys %ENV) {
next unless ($key =~ /^PAM_/);

if ($key eq 'PAM_AUTHTOK') {
  if (exists $ENV{$key}) {
	if ($ENV{$pam_password} eq '') {
	  push @out, "$key=";
} else {
	  push @out, "$key=*hidden*" ;
	};
  };
} else {
  push @out, "$key=".$ENV{$key};
};
  };

  logger(LOG_ERR, 'PAM env: '.join(' ', @out));
};

# Log all PAM_* env variables we got from LDAP server
log_pam_env();

my $ldaps = Net::LDAPS->new($ldap_host,
			port => $ldap_port) or die "$@";
my $conn = $ldaps->bind;# TODO an anonymous bind


unless ($ENV{$pam_user}) {
  local_die "Missing $pam_user in environment";
};

unless ($ENV{$pam_type}) {
  local_die "Missing $pam_type in environment";
};

unless ($ENV{$pam_password}) {
  if ($ENV{$pam_type} eq 'auth') {
local_die "Missing $pam_password in environment";
  };
};

my $filter = '(objectClass=appPassword)';
if ($ENV{$pam_type} eq 'auth') {
  $filter = "(&$filter(altUserPassword=".escape_filter_value($ENV{$pam_password})."))";
};
logger(LOG_ERR, $filter);
my $mesg = $ldaps->search( # perform a search
			  base   => $ENV{$pam_user},
			  filter => $filter,
			 );

if ($mesg->code == LDAP_SUCCESS) {
  foreach my $entry ($mesg->entries) {
# TODO: also log the label of the password that matched
logger(LOG_ERR, 'Matched: '.$entry->dn);
exit 0;
  };
  local_die('Invalid password.');
} else {
  local_die $mesg->error;
};

# We should never get here
local_die('This should not happen.');

[389-users] PAM Pass through authentication only one threaded

2013-11-01 Thread Jan Tomasek

Hello,

I'm experimenting with PAM pass-through authentication and it looks like 389 
processes parallel requests in a serial way.


To demonstrate this behavior I use simple testing script:

for i in `seq 1 10`
do
time ldapsearch -LLL -H ldaps://xxx.cesnet.cz -x \
  -b dc=perun-shadow,dc=cesnet,dc=cz \
  -D "uid=semik$i,ou=People,dc=perun-shadow,dc=cesnet,dc=cz" \
  -w 'zadek' -s base dn &
done

here is part of the output I get:

bind DN [uid=semik6,ou=People,dc=perun-shadow,dc=cesnet,dc=cz]
real    0m2.127s

bind DN [uid=semik10,ou=People,dc=perun-shadow,dc=cesnet,dc=cz]
real    0m4.392s

bind DN [uid=semik1,ou=People,dc=perun-shadow,dc=cesnet,dc=cz]
real    0m6.405s

bind DN [uid=semik5,ou=People,dc=perun-shadow,dc=cesnet,dc=cz]
real    0m8.699s

bind DN [uid=semik2,ou=People,dc=perun-shadow,dc=cesnet,dc=cz]
real    0m10.926s

...

All ldapsearch scripts are executed in the background, i.e. in parallel. But 
the server processes them serially. I can tell that by the increasing time 
needed to process the ldapsearches. The increment of around 2 sec is caused by 
the pam_unix delay because of the wrong password.


Is the 389 bind process really serialized? Or have I just overlooked some limit?

Configuration of PAM plugin:

dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
objectClass: pamConfig
cn: PAM Pass Through Auth
nsslapd-pluginPath: libpam-passthru-plugin
nsslapd-pluginInitfunc: pam_passthruauth_init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-pluginloadglobal: true
nsslapd-plugin-depends-on-type: database
pamMissingSuffix: ALLOW
pamExcludeSuffix: cn=config
pamIDMapMethod: RDN
pamIDAttr: notUsedWithRDNMethod
pamFallback: FALSE
pamSecure: TRUE
pamService: sshd
nsslapd-pluginId: pam_passthruauth
nsslapd-pluginVersion: 1.2.11.15
nsslapd-pluginVendor: 389 Project
nsslapd-pluginDescription: PAM pass through authentication plugin
nsslapd-pluginarg0: pamIncludeSuffix
nsslapd-pluginarg1: dc=perun-shadow,dc=cesnet,dc=cz
modifiersName: cn=directory manager
modifyTimestamp: 20131101085721Z

Thank you for any suggestions!
--
---
Jan Tomasek aka Semik
http://www.tomasek.cz/
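The three messages in this thread (the serialized binds observed above, the hang at 30 parallel connections, and Rich's question about a self-deadlock) can be reproduced in a small model. The Python below is an added illustration written for this archive page; it is not code from the thread, from 389DS or from the attached perlauth.pl. It assumes three things the thread does not state outright: the server has a fixed pool of worker threads, every request occupies a worker until it is answered, and bind requests pass through one global PAM lock. With those assumptions a PAM hook that opens a second connection back to the same server (as perlauth.pl does) wedges the server as soon as the number of concurrent binds reaches the worker count, while a PAM module that does not call back merely serializes the binds. The worker count of 30 used in the demo is my choice to match the 29-versus-30 boundary reported above; on a real deployment the number to compare against is the server's configured worker-thread count (on 389DS, nsslapd-threadnumber in cn=config).

```python
"""Model of the self-deadlock discussed in the PAM pass-through thread.

Added example; assumptions (not stated in the thread): fixed worker pool,
one worker per in-flight request, one global lock around the PAM stage.
"""
import queue
import threading
import time


class ToyDirectoryServer:
    """A directory server reduced to a FIFO request queue and N workers."""

    def __init__(self, workers, pam_calls_back=True):
        self.workers = workers
        self.pam_calls_back = pam_calls_back
        self.requests = queue.Queue()        # (callable, done-event) pairs
        self.pam_lock = threading.Lock()     # PAM is not thread safe: serialize
        self.threads = []

    def start(self):
        # Daemon threads: workers stuck in the deadlock must not keep the
        # process alive once the simulation has given up waiting.
        for _ in range(self.workers):
            t = threading.Thread(target=self._worker, daemon=True)
            t.start()
            self.threads.append(t)

    def _worker(self):
        while True:
            fn, done = self.requests.get()
            try:
                fn()
            finally:
                done.set()

    def _submit(self, fn):
        done = threading.Event()
        self.requests.put((fn, done))
        return done

    def bind(self, user):
        """Client-side bind: queued, served by whichever worker is free."""
        return self._submit(lambda: self._handle_bind(user))

    def _handle_bind(self, user):
        with self.pam_lock:
            if self.pam_calls_back:
                # The PAM script opens a *new* connection to this same server
                # and runs a search.  That search is just another request in
                # the same queue, so it needs a free worker; meanwhile the
                # worker running this bind blocks (holding the PAM lock)
                # until the search is answered.
                self._submit(lambda: self._handle_search(user)).wait()
            else:
                self._handle_search(user)   # plain PAM module, no call-back

    def _handle_search(self, user):
        time.sleep(0.01)  # stand-in for the directory lookup / PAM delay


def run_parallel_binds(workers, clients, pam_calls_back=True, timeout=2.0):
    """Queue `clients` binds against a server with `workers` threads.

    Returns True when every bind finished within `timeout` seconds and
    False when the server wedged (what the thread calls a deadlock)."""
    server = ToyDirectoryServer(workers, pam_calls_back)
    # Queue the whole burst first, then start the workers: this mirrors the
    # backgrounded ldapsearch loop and keeps the outcome deterministic.
    pending = [server.bind(f"semik{i}") for i in range(1, clients + 1)]
    server.start()
    deadline = time.monotonic() + timeout
    for done in pending:
        if not done.wait(max(0.0, deadline - time.monotonic())):
            return False
    return True


if __name__ == "__main__":
    for n in (29, 30):
        ok = run_parallel_binds(workers=30, clients=n)
        print(f"{n} parallel binds, PAM script calls back: "
              f"{'completed' if ok else 'DEADLOCK'}")
    ok = run_parallel_binds(workers=30, clients=60, pam_calls_back=False)
    print(f"60 parallel binds, no call-back: {'completed' if ok else 'DEADLOCK'}")
```

The model makes the failure mode visible: serialization alone costs latency (the 2 second steps in the timings above), but once every worker is parked inside a bind that is itself waiting for a worker, nothing can ever make progress, which is why killing the clients does not help and the server has to be killed. The practical check on a real server is therefore to compare the concurrency at which binds start hanging with the configured worker-thread count; if they coincide, the PAM hook's connection back into the same server is the thing to remove or move to a different server.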