[389-users] report script
Hi,

sorry for this dumb question but I've been searching for it and I can't find it anywhere.

Where's the script that shows you a report of the most searched objects and other performance related stuff? I remember using it in my old installations to adjust some indexes, but I've been playing lately with a lot of different versions and I don't see it in /usr/lib/dirsrv/

Thanks for your time,

abosch

--
Institut Mallorqui d'Afers Socials. This message and, where applicable, any attached file are addressed exclusively to the person who is its recipient and may contain confidential information. In no case may you copy this message or pass it on to third parties without the express permission of IMAS. If you are not the recipient indicated (or the person responsible for delivering it to them), please notify the sender immediately at the sender's e-mail address. Before printing this message, consider whether it is really necessary.

___
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[389-users] Re: fips enabled error
> > is it possible to lower the severity of fips enabled info from ERR
> > to WARN in messages like this?
> Absolutely, changing it now...

wow! that was truly fast :)

thanks a lot for your time,

abosch
[389-users] fips enabled error
Hi,

is it possible to lower the severity of fips enabled info from ERR to WARN in messages like this?

    [17/May/2021:10:57:02.753271017 +] - ERR - slapd_system_isFIPS - Can not access /proc/sys/crypto/fips_enabled - assuming FIPS is OFF

It can seem a cosmetic change but it breaks my monitoring scripts.

thanks in advance,

abosch
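An added example (not from the thread or from 389-ds) of what a monitoring script can do with this line until the severity changes upstream: parse the errors-log format and downgrade this specific entry by logging function and message, rather than alerting on every ERR. The sample lines are constructed; the +0200 timezone in them is assumed.

```python
"""Severity-aware parser for 389-ds errors-log lines.

Added example, not code from the thread or from 389-ds: it parses the
"[timestamp] - LEVEL - function - message" format of the FIPS line above
and lets a monitoring script treat known-informational entries as WARN
instead of paging on every ERR.  The sample lines below are constructed
(the FIPS one follows the message in the post, with an assumed +0200 zone).
"""
import re
from collections import Counter

# "[17/May/2021:10:57:02.753271017 +0200] - ERR - slapd_system_isFIPS - Can not access ..."
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] - (?P<level>[A-Z]+) - (?P<func>\S+) - (?P<msg>.*)$"
)

# Levels a monitoring script should page on (389-ds uses syslog-style names).
PAGE_LEVELS = {"EMERG", "ALERT", "CRIT", "ERR"}

# Entries logged as ERR that only describe a fallback, keyed by the logging
# function; the message must contain the given substring to be downgraded.
DOWNGRADE = {
    "slapd_system_isFIPS": ("assuming FIPS is OFF", "WARN"),
}


def parse_line(line):
    """Return dict(ts, level, func, msg), or None for lines in another format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def effective_level(entry):
    """Level after applying the DOWNGRADE rules."""
    rule = DOWNGRADE.get(entry["func"])
    if rule and rule[0] in entry["msg"]:
        return rule[1]
    return entry["level"]


def summarize(lines):
    """Count lines per effective level and collect the ones worth paging on."""
    counts = Counter()
    alerts = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            counts["unparsed"] += 1
            continue
        level = effective_level(entry)
        counts[level] += 1
        if level in PAGE_LEVELS:
            alerts.append(f"{entry['func']}: {entry['msg']}")
    return counts, alerts


# Constructed sample log: the FIPS line from the post, a normal startup line,
# a made-up genuine error, and one line that is not in the errors-log format.
SAMPLE_LOG = [
    "[17/May/2021:10:57:02.753271017 +0200] - ERR - slapd_system_isFIPS - "
    "Can not access /proc/sys/crypto/fips_enabled - assuming FIPS is OFF",
    "[17/May/2021:10:57:03.100000000 +0200] - INFO - slapd_daemon - "
    "slapd started.  Listening on All Interfaces port 389 for LDAP requests",
    "[17/May/2021:10:58:10.000000000 +0200] - ERR - example_plugin_init - "
    "constructed sample: plugin failed to start",
    "not a 389-ds errors-log line",
]

if __name__ == "__main__":
    counts, alerts = summarize(SAMPLE_LOG)
    print(dict(counts))
    for a in alerts:
        print("ALERT", a)
```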
[389-users] Re: gecos syntax
> * sanitise the data to be ia5 compliant IE remove accents etc.

I did just that and I leave it here in case anyone is facing the same problem (it's a one-liner):

    cat original-data.ldif | perl -pe 's,^gecos:.*,`echo -n "$&" | iconv -f utf-8 -t ascii//translit`,gei' > sanitized-data.ldif

On my server with 12656 entries and 456278 lines it takes 26 seconds to complete.

as always, thanks for your time.

abosch
[389-users] gecos syntax
I'm testing a migration from 1.2.8 to the latest version and I'm facing a problem while importing data:

    ldap_add: Invalid syntax (21)
        additional info: gecos: value #0 invalid per syntax

I understand that I'm using UTF8 data here (ÁLBA GARCÍA LÓPEZ) so I have two questions:

why do old versions allow filling that data if it's against the syntax?

is there any problem if I change the syntax from 1.3.6.1.4.1.1466.115.121.1.26 to 1.3.6.1.4.1.1466.115.121.1.15 in my schemas?

thanks in advance,

abosch
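As an added example (not from the thread or from 389-ds) that serves both this question and the iconv one-liner in the reply above: a check of gecos values against IA5 (7-bit only) plus transliteration of the ones that fail, which also handles base64 "gecos::" lines and folded continuation lines that a regex on "^gecos:" would pass through unchanged. The sample entries and DNs are constructed.

```python
"""Check and transliterate gecos values in an LDIF export.

Added example, not code from the thread or from 389-ds.  IA5 String syntax
(1.3.6.1.4.1.1466.115.121.1.26) allows only 7-bit characters, so the check
is "every code point < 128".  Unlike a regex on "^gecos:", this also handles
values LDIF writes base64-encoded ("gecos:: ...", the normal form for
non-ASCII values) and folded continuation lines.  Sample entries are constructed.
"""
import base64
import unicodedata

# Letters NFKD cannot decompose; the replacements are this example's choice.
EXTRA = {"ß": "ss", "æ": "ae", "Æ": "AE", "ø": "o", "Ø": "O", "œ": "oe",
         "Œ": "OE", "ð": "d", "Ð": "D", "þ": "th", "Þ": "TH", "ł": "l", "Ł": "L"}


def is_ia5(value: str) -> bool:
    """True if value fits IA5 String syntax (7-bit characters only)."""
    return all(ord(ch) < 128 for ch in value)


def transliterate(value: str) -> str:
    """Strip accents via NFKD; anything still outside IA5 becomes '?'."""
    value = "".join(EXTRA.get(ch, ch) for ch in value)
    decomposed = unicodedata.normalize("NFKD", value)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return "".join(ch if ord(ch) < 128 else "?" for ch in stripped)


def unfold(lines):
    """Join LDIF continuation lines (a leading space) onto the previous line."""
    out = []
    for line in lines:
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def decode_value(rest: str) -> str:
    """rest is what follows the first ':' of 'attr: value' / 'attr:: base64'."""
    if rest.startswith(":"):
        return base64.b64decode(rest[1:].strip()).decode("utf-8")
    return rest.lstrip(" ")


def sanitize_ldif(text: str, attrs=("gecos",)):
    """Return (sanitized LDIF, changes) with changes = [(dn, attr, old, new)]."""
    changes, out, dn = [], [], None
    for line in unfold(text.splitlines()):
        attr, sep, rest = line.partition(":")
        if sep and not line.startswith("#"):
            if attr.lower() == "dn":
                dn = decode_value(rest)
            elif attr.lower() in attrs:
                value = decode_value(rest)
                if not is_ia5(value):
                    fixed = transliterate(value)
                    changes.append((dn, attr, value, fixed))
                    out.append(f"{attr}: {fixed}")  # IA5 now, so plain form is valid
                    continue
        out.append(line)
    return "\n".join(out) + "\n", changes


def _b64(s: str) -> str:
    return base64.b64encode(s.encode("utf-8")).decode("ascii")


# Constructed sample: the value from the post, base64-encoded and folded the
# way an LDIF export writes it, a clean entry, and a plain non-ASCII value.
_folded = _b64("ÁLBA GARCÍA LÓPEZ")
SAMPLE_LDIF = (
    "dn: uid=agarcia,ou=People,dc=example,dc=com\n"
    "objectClass: posixAccount\n"
    "uid: agarcia\n"
    f"gecos:: {_folded[:12]}\n {_folded[12:]}\n"
    "\n"
    "dn: uid=jdoe,ou=People,dc=example,dc=com\n"
    "objectClass: posixAccount\n"
    "uid: jdoe\n"
    "gecos: John Doe\n"
    "\n"
    "dn: uid=mmuster,ou=People,dc=example,dc=com\n"
    "objectClass: posixAccount\n"
    "uid: mmuster\n"
    "gecos: Max Müller, Straße 1\n"
    "\n"
)

if __name__ == "__main__":
    sanitized, changes = sanitize_ldif(SAMPLE_LDIF)
    for dn, attr, old, new in changes:
        print(f"{dn}: {attr} {old!r} -> {new!r}")
    print(sanitized)
```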
[389-users] Re: plugin naming
ok, I understand.

Can I suggest that this form

    dsconf myinstance plugin retro-changelog enable

also accepts the CN value as plugin name? It would be easier than jumping from one syntax to another.

I can open a bug/issue if you want.

best regards,

abosch

----- Original Message -----
> From: "Marc Sauton"
> To: "General discussion list for the 389 Directory server project." <389-users@lists.fedoraproject.org>
> Sent: Tuesday, 11 May 2021 19:58:28
> Subject: [389-users] Re: plugin naming
>
> and that should have:
> https://github.com/389ds/389-ds-base/blob/master/src/lib389/lib389/cli_conf/plugins/retrochangelog.py
> def create_parser(subparsers):
>     retrochangelog = subparsers.add_parser('retro-changelog', help='Manage and configure Retro Changelog plugin')
>
> Thanks,
> Marc S.
>
> On Tue, May 11, 2021 at 12:51 AM Angel Bosch Mora wrote:
> >
> > > it was likely the right time to have this change.
> > > and not subject to change anytime soon.
> > >
> > > is it possible a 389-ds-base-1.4.0 from before March 2019 till lurking around?
> > >
> >
> > I'm using debian packages:
> >
> > dpkg -l | grep 389-ds-base
> > ii  389-ds-base             1.4.4.11-1  amd64  389 Directory Server suite - server
> > ii  389-ds-base-libs:amd64  1.4.4.11-1  amd64  389 Directory Server suite - libraries
> >
> > they seem pretty new to me.
> >
> > abosch
[389-users] Re: plugin naming
> it was likely the right time to have this change.
> and not subject to change anytime soon.
>
> is it possible a 389-ds-base-1.4.0 from before March 2019 till lurking around?

I'm using debian packages:

    dpkg -l | grep 389-ds-base
    ii  389-ds-base             1.4.4.11-1  amd64  389 Directory Server suite - server
    ii  389-ds-base-libs:amd64  1.4.4.11-1  amd64  389 Directory Server suite - libraries

they seem pretty new to me.

abosch
[389-users] plugin naming
hi,

I vaguely remember discussing this some time ago but I can't find it now.

what's the difference between

    dsconf myinstance plugin set --enabled on "Retro Changelog Plugin"

and

    dsconf myinstance plugin retro-changelog enable

? Is either of them going to be deprecated?

I also noticed that the short name is different between versions/distributions (retro-changelog vs retrochangelog), so I prefer to use "Retro Changelog Plugin" if possible for scripting purposes. Is that the right way to do it?

best regards,

abosch
[389-users] Re: plugin names and debian packages
> >> As sysadmin I create a lot of scripts to install/manage services
> >> and it is confusing having commands that change that often.
>
> You may find it "more stable" to use lib389 directly rather than the
> CLI then. I think the team should talk about the CLI having an
> "interface guarantee", and today I don't think I personally would
> want to commit to that (but the team hasn't decided on this). I
> still see room to change and grow the CLI in ways that may be
> breaking, but the core of lib389 today seems "pretty stable".

I understand your recommendation but I don't think I'm going to do that, and I think I "shouldn't" do that.

my job as sysadmin is installing, managing, maintaining and monitoring, and dsconf wrapping is just what I need. If I have, for example, a command that tells me if a drive is out of space, I don't expect that command to change over the years on different linux systems with different versions.

I understand that 389 is under heavy refactoring these last years, I'm just a little bit tired of version conditionals in my recipes (and by the way, I can't find an easy method to check the version with dsconf/dsctl, worth a feature request?).

so taking my own example I just expect that `dsconf instance plugin retro-changelog enable' is still valid a year/version later.

again, please take my point of view as a frustrated admin with too many tasks to do and too few beers to have in my free time (everything is closed right now in Mallorca :P)

cheers,

abosch
[389-users] Re: plugin names and debian packages
> Again I think you are looking at the older version of the server.

ok, I understand. I see that version 2 is already out.

Can I expect additional changes in the dsconf interface or will you try to maintain a stable set of parameters? As sysadmin I create a lot of scripts to install/manage services and it is confusing having commands that change that often.

Please take this as positive criticism :)

abosch
[389-users] Re: plugin names and debian packages
thanks for your response Mark,

I can see that two other options are removed. I used to configure retro-changelog like this:

    dsconf myinstance plugin retrochangelog set --max-age 2d
    dsconf myinstance plugin retrochangelog set --attribute nsuniqueid:targetUniqueId

but now it doesn't accept those settings. what's the correct way to configure that?

abosch

----- Original Message -----
> From: "Mark Reynolds"
> To: "General discussion list for the 389 Directory server project." <389-users@lists.fedoraproject.org>, "Angel Bosch Mora"
> Sent: Wednesday, 27 January 2021 14:43:19
> Subject: [389-users] Re: plugin names and debian packages
>
> Well 1.4.0 is quite old and is no longer maintained/supported. In newer
> versions of 389 it was changed to "retro-changelog". It probably was
> changed in 1.4.1.
>
> HTH,
>
> Mark
>
> On 1/27/21 5:41 AM, Angel Bosch Mora wrote:
> > hi!
> >
> > I'm testing my install recipes on debian and I've found two little problems.
> >
> > on CentOS I execute
> >
> > dsconf myinstance plugin retro-changelog enable
> >
> > but today I tried in debian and it says it is an invalid choice:
> >
> > dsconf instance plugin: error: invalid choice: 'retro-changelog' (choose from 'memberof', 'automember', 'referint', 'rootdn', 'usn', 'accountpolicy', 'attruniq', 'dna', 'linkedattr', 'managedentries', 'passthroughauth', 'retrochangelog', 'whoami', 'list', 'get', 'edit')
> >
> > So retro-changelog is now called retrochangelog.
> >
> > Is that a Debian thing or did it change its name in a recent version?
> >
> > In addition I executed the command with the new name and it gives me a message without a correct variable.
> >
> > dsconf myinstance plugin retrochangelog enable
> > Enabled plugin '%s' Retro Changelog Plugin
> >
> > dsconf myinstance plugin retrochangelog status
> > Plugin '%s' is enabled Retro Changelog Plugin
> >
> > it seems a cosmetic error but I just want to be sure if I need to open a bug.
> >
> > here are the versions of the packages:
> >
> > dpkg -l | grep 389
> > ii  389-ds-base               1.4.0.21-1  amd64  389 Directory Server suite - server
> > ii  389-ds-base-legacy-tools  1.4.0.21-1  amd64  Legacy utilities for 389 Directory Server
> > ii  389-ds-base-libs:amd64    1.4.0.21-1  amd64  389 Directory Server suite - libraries
> > ii  python3-lib389            1.4.0.21-1  all    Python3 module for accessing and configuring the 389 Directory Server
> >
> > thanks in advance,
> >
> > abosch
> --
> 389 Directory Server Development Team
[389-users] plugin names and debian packages
hi!

I'm testing my install recipes on debian and I've found two little problems.

on CentOS I execute

    dsconf myinstance plugin retro-changelog enable

but today I tried in debian and it says it is an invalid choice:

    dsconf instance plugin: error: invalid choice: 'retro-changelog' (choose from 'memberof', 'automember', 'referint', 'rootdn', 'usn', 'accountpolicy', 'attruniq', 'dna', 'linkedattr', 'managedentries', 'passthroughauth', 'retrochangelog', 'whoami', 'list', 'get', 'edit')

So retro-changelog is now called retrochangelog.

Is that a Debian thing or did it change its name in a recent version?

In addition I executed the command with the new name and it gives me a message without a correct variable.

    dsconf myinstance plugin retrochangelog enable
    Enabled plugin '%s' Retro Changelog Plugin

    dsconf myinstance plugin retrochangelog status
    Plugin '%s' is enabled Retro Changelog Plugin

it seems a cosmetic error but I just want to be sure if I need to open a bug.

here are the versions of the packages:

    dpkg -l | grep 389
    ii  389-ds-base               1.4.0.21-1  amd64  389 Directory Server suite - server
    ii  389-ds-base-legacy-tools  1.4.0.21-1  amd64  Legacy utilities for 389 Directory Server
    ii  389-ds-base-libs:amd64    1.4.0.21-1  amd64  389 Directory Server suite - libraries
    ii  python3-lib389            1.4.0.21-1  all    Python3 module for accessing and configuring the 389 Directory Server

thanks in advance,

abosch
[389-users] Re: impact of the CentOS Stream drama
> The 'core team' does not have much involvement in the debian 389-ds
> packaging process, but the debian maintainer has always been
> responsive and done a great job from what I am able to observe. I
> would expect there to be "very little" difference between debian and
> centos 389-ds packages.
>
> Additionally, you could also consider opensuse leap and/or suse linux
> enterprise if you want paid support (disclosure - I work for suse
> and am paid to maintain 389-ds in those distributions).

thanks a lot for your detailed response. I'm more a Debian guy but I'm willing to test opensuse.

best regards,

abosch
[389-users] impact of the CentOS Stream drama
hi,

I'm not sure if this has been discussed here. Will this project be impacted in some way by the CentOS decision?

I'm about to start a new setup and I wanted to use CentOS, but now I'm thinking about Debian. In that regard, is there any difference between the Debian packages and the CentOS ones?

thanks in advance,

abosch
[389-users] Re: unattended request cert process
> depending on your version of 389, look at "dsctl tls import-ca"
>
> {william@ldapkdc 9:12} ~/development $ dsctl localhost tls import-ca --help
> usage: dsctl [instance] tls import-ca [-h] cert_path nickname
>
> positional arguments:
>   cert_path   The path to the x509 cert to import as a server CA
>   nickname    The name of the certificate once imported
>
> optional arguments:
>   -h, --help  show this help message and exit
>
> This allows you to import a PEM CA file. There are a number of other
> helpers under the tls subcommand to make cert management easier.

all this is pretty new, right? I can't recall reading this last time I checked the docs.

anyway, my main problem is that to deploy a node in a truly unattended mode it shouldn't pause at the CSR request and continue when the CA signs the certificates, so I'm trying to have some preconfigured cert databases and signed certs. If there's no way to do that, I can't dynamically create and destroy nodes.

the other option is letting the load balancer handle encryption, but the official docs are very aggressive against that option; still, I wonder if I should ignore that recommendation and encrypt at the LB level.

any hints?

abosch
[389-users] unattended request cert process
hi,

some time ago I asked for a scriptable way of creating a certificate request, here's the thread:

https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org/thread/EHWWAHOO3S2HZEWJEXTQKDDRH33NLSMU/#HF7ZPVLMUK32AIEEWPEOLUJGZFXXRCEK

I didn't have the time to write anything and I would like to invest some time now.

the goal is to create an unattended script for node creation INCLUDING certification with an external CA.

I'm thinking about having several precreated certificate databases and downloading them to the nodes. something like:

    openssl rand -base64 16 > pwfile.txt && certutil -N -d . -f pwfile.txt

in several nodes and then scp/wget them to each node. also, do all the CSRs beforehand and have them already signed with our CA, so I will have a repo of cert databases like:

    nss/ca_root.crt
    nss/ldap10
    nss/ldap10/cert9.db
    nss/ldap10/key4.db
    nss/ldap10/ldap10.example.com.crt
    nss/ldap10/pkcs11.txt
    nss/ldap10/pwfile.txt
    nss/ldap11
    nss/ldap11/cert9.db
    nss/ldap11/key4.db
    nss/ldap11/ldap11.example.com.crt
    nss/ldap11/pkcs11.txt
    nss/ldap11/pwfile.txt
    nss/ldap12
    nss/ldap12/cert9.db
    nss/ldap12/key4.db
    nss/ldap12/ldap12.example.com.crt
    nss/ldap12/pkcs11.txt
    nss/ldap12/pwfile.txt
    nss/ldap13
    nss/ldap13/cert9.db
    nss/ldap13/key4.db
    nss/ldap13/ldap13.example.com.crt
    nss/ldap13/pkcs11.txt
    nss/ldap13/pwfile.txt
    nss/ldap14
    nss/ldap14/cert9.db
    nss/ldap14/key4.db
    nss/ldap14/ldap14.example.com.crt
    nss/ldap14/pkcs11.txt
    nss/ldap14/pwfile.txt
    nss/ldap15
    nss/ldap15/cert9.db
    nss/ldap15/key4.db
    nss/ldap15/ldap15.example.com.crt
    nss/ldap15/pkcs11.txt
    nss/ldap15/pwfile.txt

this step is the only one remaining in my recipe for unattended container creation, so any help will be really appreciated.

best regards,

abosch
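A pre-flight check for this bundle layout, added here as an example (not from the thread or from 389-ds): it verifies that each nss/<node>/ directory is complete and that key4.db and pwfile.txt, which hold the private key and its password, are not group/world readable before they are copied around with scp/wget. The <node>.example.com.crt naming is taken from the listing as an assumption, and the sample repo built by demo() is constructed.

```python
"""Pre-flight check for a pre-created NSS database bundle.

Added example, not code from the thread or from 389-ds.  Before one of the
nss/<node>/ directories in the layout above is copied to a node, this checks
that it is complete and that the files holding the private key (key4.db) and
its password (pwfile.txt) are not group/world readable.  The file names and
layout come from the post; the <node>.<domain>.crt naming with domain
example.com is an assumption, and the sample repo built by demo() is constructed.
"""
import os
import stat
import tempfile
from pathlib import Path

REQUIRED = ("cert9.db", "key4.db", "pkcs11.txt", "pwfile.txt")
SECRET = ("key4.db", "pwfile.txt")
DOMAIN = "example.com"  # assumption: node cert is named <node>.<DOMAIN>.crt


def check_bundle(node_dir: Path, ca_file: Path, domain: str = DOMAIN) -> list:
    """Return the list of problems found; an empty list means ready to ship."""
    node = node_dir.name
    problems = []
    if not ca_file.is_file():
        problems.append(f"{node}: CA certificate missing at {ca_file}")
    for name in REQUIRED:
        if not (node_dir / name).is_file():
            problems.append(f"{node}: missing {name}")
    if not (node_dir / f"{node}.{domain}.crt").is_file():
        problems.append(f"{node}: missing signed cert {node}.{domain}.crt")
    for name in SECRET:
        path = node_dir / name
        if path.is_file():
            mode = stat.S_IMODE(path.stat().st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                problems.append(f"{node}: {name} is group/world accessible (mode {mode:04o})")
    pw = node_dir / "pwfile.txt"
    if pw.is_file() and pw.stat().st_size == 0:
        problems.append(f"{node}: pwfile.txt is empty")
    return problems


def check_repo(root: Path, domain: str = DOMAIN) -> dict:
    """Check every nss/<node>/ directory under root -> {node: problems}."""
    ca = root / "ca_root.crt"
    return {d.name: check_bundle(d, ca, domain)
            for d in sorted(root.iterdir()) if d.is_dir()}


def make_sample_repo(root: Path) -> None:
    """Constructed repo: ldap10 is correct, ldap11 lacks key4.db and has a
    world-readable pwfile.txt.  File contents are dummies, not real NSS data."""
    (root / "ca_root.crt").write_text("dummy CA\n")
    for node, files, secret_mode in (("ldap10", REQUIRED, 0o600),
                                     ("ldap11", ("cert9.db", "pkcs11.txt", "pwfile.txt"), 0o644)):
        d = root / node
        d.mkdir()
        for name in files:
            (d / name).write_text("dummy\n")
        (d / f"{node}.{DOMAIN}.crt").write_text("dummy cert\n")
        for name in SECRET:
            if (d / name).exists():
                os.chmod(d / name, secret_mode)


def demo() -> dict:
    """Build the constructed repo in a temp dir and return check_repo()'s result."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "nss"
        root.mkdir()
        make_sample_repo(root)
        return check_repo(root)


if __name__ == "__main__":
    for node, problems in demo().items():
        print(node, "OK" if not problems else "; ".join(problems))
```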
[389-users] Re: precreation nss databases
> The feature doesn't exist yet, so if you write a PEM -> NSS tool, the
> project would love to accept it to our source code. It's been
> something I have wanted for a while, and recently I have been
> thinking with containers I should more seriously develop it, but if
> you wanted to add this, we would review and help you achieve it :)

ok, I can try to do my best. The thing is I mostly use bash for my scripts with a little python here and there, but I can try to write a helper and see if it works.

abosch
[389-users] Re: precreation nss databases
> However, be mindful that if you use attribute encryption, this
> value is stored in the key3.db, and replacement of this file WILL
> destroy your access to your own database! IE if you plan to use this
> strategy, you MUST NOT use attribute encryption at the same time.

I'll take that into account.

> A better process could be to have a systemd drop in file that on
> "start" takes .PEM files and turns them into the nss db, OR loads
> them into the existing NSS db. This would be useful upstream too, so
> maybe that's a better strategy, and of course, tools for PEM
> management are much better from a sys admin view. Would this be a
> cleaner approach do you think?

do you have any docs about this process? I'm not really sure if I understand you when you say "This would be useful upstream too", can you elaborate?

abosch
[389-users] precreation nss databases
hi,

I'm still evaluating some options to secure dynamic nodes and I have some questions regarding certutil and NSS databases:

Can I create NSS databases on any directory/server and then move the files to "/etc/dirsrv/slapd-instance_name"?

If cert8.db and key3.db files are found in that directory, are they used automatically by the slapd process on reboot?

If both answers are affirmative I'll try to script it and hook it into my node creation flow.

is there any other detail I should take care of with this approach?

thanks,
abosch
[389-users] syncrepl client
Hi,

I'm performing some tests and would like to configure a syncrepl client like this one: https://github.com/landryb/syncrepl but I don't find useful information. For example, in this project there's a demo script that says about the URL argument: 'An LDAP URL with all information required to do work.' but I'm not sure what it is expecting besides the fqdn and port: a filter? a basedn? both?

According to the docs https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/content-synchronization you can do some exclusion and filtering on the server side, so I don't really know what I must configure on the client side.

does anyone have any working example of a syncrepl client?

thanks in advance,
abosch
[389-users] Re: SSL configuration on dynamic deployments
> So your 4 write servers are in mmr. Then you have 2 -> N read-onlys
> as well which scale up and down.
>
> Do you plan to have ldap.example.com point to the IP's of the
> read-onlys directly? Or to a load balancer?

yes, we already got that.

> If this was me, just because of the scaling requirements, I would
> actually recommend TLS termination on the load balancer, then ldap
> plaintext to the 2 -> N consumers (or ldaps to the consumers where
> the LB trusts the CA that signed the readonlies. IE:
>
> Client -- TLS connection 1 --> [ LB ] -- TLS Connection 2 --> [READ_ONLIES]
>
> TLS connection 1 is presented by the LB, which offers a valid cert/ca
> chain. The LB then would re-encrypt but trusting the CA of tls
> connection 2 which is a self signed to the read_onlies.

OK, I'll try with this approach.

> Another main point here is you'll need to automate that when a
> read-only is scaled up (added), you'll need to automate the addition
> of the replication agreements to the write servers + conduct a full
> reinit on first start.

I'm working on that, as you can see from my previous posts, I'm developing our custom MMR script to automate everything.

> Does that help?

Indeed. Thanks a lot for your time,
abosch
[389-users] acis in 99user.ldif and target on subtree
Hi! two more questions:

1- when migrating should I take care about ACIs in 99user.ldif? right now there are four entries:

aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymous, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn="ldap:///cn=Configuration Administrators,ou=Groups,ou=TopologyManagement,o=NetscapeRoot";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn="ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "ldap:///cn=slapd-hhh-ng,cn=389 Directory Server,cn=Server Group,cn=xx.yy.net,ou=xx.net,o=NetscapeRoot";)
modifiersname: cn=directory manager
modifytimestamp: 20101105155413Z

but I never did those.

2- is it mandatory to specify target when setting an ACI in a subtree?

best regards,
abosch
[389-users] keeping internal attributes on export/import
hi! quick question: is there any reason to keep modifyTimestamp, modifiersName, createTimestamp, and creatorsName when reimporting on a migration?

abosch
[389-users] Re: SSL configuration on dynamic deployments
> I think to answer this, I'd like to see a diagram or description of
> the network and deployment topology you have in mind to help advise
> for what you want to achieve here :)

It's really very simple. Think of it like the typical MMR with 4 nodes: https://i.imgur.com/DY8aSAo.png but the number of consumers can go from 2 to N.

all consumers are read only and we have a generic FQDN pointing to them: ldap.example.com

and writable suppliers got their FQDN too: ldapw.example.com

is that enough for you?

abosch
[389-users] SSL configuration on dynamic deployments
Hi again,

continuing with my automation I'm facing now the problem of SSL configuration. Using certificates at LB level is not recommended according to https://directory.fedoraproject.org/docs/389ds/howto/howto-ssl.html and sharing keys is also discouraged, so my question is if there is a way to prepopulate the NSS database with a predefined cert to fast deploy an instance.

In my planned setup I'll have 2 masters and 2 to 10 slaves/consumers (maybe more). It will be extremely rare to stop or reinstall masters, but with consumers I want the flexibility to create and destroy them at any moment.

Is there any best practice here?

abosch
[389-users] Re: referral on update equivalent with dsconf
replying to myself to clarify the original doubt:

executing something like this on the master1 machine:

dsconf master1 repl-agmt create --suffix dc=global --host slave1.example.net --port 389 --conn-protocol LDAP --bind-dn cn=repmanager,cn=config --bind-passwd --bind-method SIMPLE master1-to-slave1

will create the replication agreement as described in 15.2.4. of the official docs AND will modify nsslapd-state and nsslapd-referral on slave1 as described in 15.2.2., so you don't need to manually perform that last step on consumers.

and I would like to note too that enabling replication with dsconf will also create the replication manager if you specify --bind-passwd, so you save an extra step. the command should be something like this:

dsconf master1 replication enable --suffix dc=global --role master --replica-id 666 --bind-dn "cn=repmanager,cn=config" --bind-passwd YYY

I'll leave all this here just in case any other script lover needs to modify their recipes.

good job!

abosch

----- Original message -----
> From: "Angel Bosch"
> To: "General discussion list for the 389 Directory server project." <389-users@lists.fedoraproject.org>
> Sent: Wednesday, 22 May 2019 9:32:30
> Subject: [389-users] Re: referral on update equivalent with dsconf
>
> > which is why the cli tools were misleading you here sadly. I think
> > we as a team, need to review and understand what happened here to
> > cause them to mislead a person about their function. :(
> >
> > Sorry that this confusion occurred. Does my answer help?
>
> sure! your answers are always very deep and insightful.
>
> for me the main problem is that new DS 1.4 is right here but docs are
> still about 1.3 and I'm trying to translate my scripts and recipes.
>
> I was using some kind of old wrappers to install, configure and
> launch my instances and I'm struggling with new tools.
>
> that being said, I love those new tools! they can need some polishing
> but dsconf and dsctl are awesome!
>
> keep it this way guys!
>
> abosch
[389-users] Re: referral on update equivalent with dsconf
> which is why the cli tools were misleading you here sadly. I think
> we as a team, need to review and understand what happened here to
> cause them to mislead a person about their function. :(
>
> Sorry that this confusion occurred. Does my answer help?

sure! your answers are always very deep and insightful.

for me the main problem is that new DS 1.4 is right here but docs are still about 1.3 and I'm trying to translate my scripts and recipes.

I was using some kind of old wrappers to install, configure and launch my instances and I'm struggling with new tools.

that being said, I love those new tools! they can need some polishing but dsconf and dsctl are awesome!

keep it this way guys!

abosch
[389-users] keeping nsDS5ReplicaBindDN on manager deletion
I'm testing this new command:

dsconf instance replication create-manager

and when I create a new manager I can see a new nsDS5ReplicaBindDN on the replica entry. but when I remove the manager with "delete-manager" the nsDS5ReplicaBindDN is not removed.

is there a reason for that? why do I need to maintain an old manager entry? should I file a bug?

regards,
abosch
[389-users] referral on update equivalent with dsconf
Hi,

is this new command:

dsconf instance replication set --suffix "dc=example,dc=net" --repl-add-ref master1.example.net

the same as this modification?

REF_LDIF="dn: cn=dc\=example\,dc\=net,cn=mapping tree,cn=config
changetype: modify
replace: nsslapd-referral
nsslapd-referral: ldap://master1.example.net:389/dc\=example\,dc\=net
-
replace: nsslapd-state
nsslapd-state: referral on update
"
echo "$REF_LDIF" | ldapmodify -h "$HOST" -x -D "$ROOT_DN" -w "$ROOT_PASS"

I'm trying to follow all the docs https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/managing_replication-configuring-replication-cmd but with the new tools, and I'm struggling with some commands.

regards,
abosch
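Whether the dsconf command or the hand-written LDIF was used, the result on the consumer is the same two attributes on its mapping tree entry, so the check worth scripting is the read-back. The following is an added example serving this question and the self-answer above; it is not code from the thread, from 389-ds or from dsconf. It parses the entry as ldapsearch returns it in LDIF and verifies nsslapd-state and nsslapd-referral against the expected supplier name (the LB/VIP name when one is in front of the suppliers, as advised in the nsslapd-referral thread). The sample entries and hostnames are constructed.

```python
"""Verify a consumer's mapping tree entry after enabling 'referral on update'.

Added example, not code from the thread, from 389-ds or from dsconf. It reads
the LDIF that ldapsearch returns for cn=<suffix>,cn=mapping tree,cn=config and
checks the two attributes dsconf sets on the consumer. Samples are constructed.
"""
from typing import Dict, Iterable, List
from urllib.parse import urlsplit


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Minimal LDIF reader for one entry: unfolds continuation lines (leading
    space), skips comments and blank lines, lower-cases attribute names.
    Base64 values ('::') are not needed for this entry and are rejected."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]  # LDIF folding: drop the leading space
        elif raw.strip() and not raw.startswith("#"):
            unfolded.append(raw)
    entry: Dict[str, List[str]] = {}
    for line in unfolded:
        name, sep, value = line.partition(":")
        if not sep or value.startswith(":"):
            raise ValueError(f"unsupported LDIF line: {line!r}")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def check_referral_on_update(entry: Dict[str, List[str]],
                             expected_hosts: Iterable[str],
                             expected_port: int = 389) -> List[str]:
    """Return the problems found; an empty list means the consumer is
    configured the way the thread describes."""
    expected = {h.lower() for h in expected_hosts}
    problems: List[str] = []

    state = entry.get("nsslapd-state", [])
    if state != ["referral on update"]:
        problems.append(f"nsslapd-state is {state or 'unset'}, "
                        "expected ['referral on update']")

    referrals = entry.get("nsslapd-referral", [])
    if not referrals:
        problems.append("no nsslapd-referral value: updates cannot be referred")
    for url in referrals:
        parts = urlsplit(url)
        if parts.scheme not in ("ldap", "ldaps") or parts.hostname is None:
            problems.append(f"{url}: not an LDAP URL with a host")
            continue
        if parts.hostname.lower() not in expected:
            problems.append(f"{url}: host {parts.hostname} is not an expected "
                            "supplier/VIP name")
        port = parts.port or (636 if parts.scheme == "ldaps" else 389)
        if port != expected_port:
            problems.append(f"{url}: port {port}, expected {expected_port}")
    return problems


# Constructed: a correctly configured consumer, with the referral value folded
# over two LDIF lines the way ldapsearch wraps long values.
SAMPLE_GOOD = """dn: cn=dc\\=example\\,dc\\=net,cn=mapping tree,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsMappingTree
cn: dc=example,dc=net
nsslapd-state: referral on update
nsslapd-referral: ldap://ldapw.example.com:389/dc\\=example\\,
 dc\\=net
nsslapd-backend: userRoot
"""

# Constructed: consumer still in the default state, and the referral aimed at
# one supplier's real hostname instead of the writable VIP.
SAMPLE_BAD = """dn: cn=dc\\=example\\,dc\\=net,cn=mapping tree,cn=config
cn: dc=example,dc=net
nsslapd-state: backend
nsslapd-referral: ldap://master1.example.net:389/dc\\=example\\,dc\\=net
nsslapd-backend: userRoot
"""

if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        found = check_referral_on_update(parse_ldif_entry(sample),
                                         {"ldapw.example.com"})
        print(f"{label}: {'OK' if not found else found}")
```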
[389-users] Re: configuring nsslapd-referral with virtual host
> Do you have load balancers in here at all? Or is it just directly
> accessible servers? What does the TLS termination?

yes, we use LB and VIPs to avoid any failure.

> If you have load balancers/VIP involved, you should set the
> nsslapd-referral to the hostname of the load balancer/VIP, rather
> than to individual servers, and all certs must have the SAN for the
> LB/VIP in them.
>
> Does that help?

absolutely, thanks for your time.

abosch
[389-users] configuring nsslapd-referral with virtual host
hi!

I'm creating my own MMR script and I would like to know if there's any limitation with the FQDN used in nsslapd-referral as stated in https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/managing_replication-configuring-replication-cmd#Configuring-Replication-Consumers-cmd

we use a virtual IP/hostname for consumer readonly servers (ldapr.example.com) and another one for supplier writable servers (ldapw.example.com). we configure certs using the -8 parameter with additional hostnames so clients don't complain about name mismatch, but I'm not sure if we can find any other problem configuring nsslapd-referral with this virtual name instead of the real hostname.

any advice?

abosch
[389-users] Re: docs for 1.4
> If you have a specific question though, I'd be happy to help!

I'm glad you offered :)

these are the attributes I'm currently using:

cn:
description:
displayName::
dn:
employeeNumber:
gecos:
gidNumber:
homeDirectory:
loginShell:
mail:
manager:
member:
memberOf:
objectClass:
petraSshPublicKey:
printer-make-and-model:
printer-more-info:
printer-uri:
sambaAcctFlags:
sambaNTPassword:
sambaPasswordHistory:
sambaPwdLastSet:
sambaSID:
shadowInactive:
shadowLastChange:
shadowMax:
shadowWarning:
sn:
uid:
uidNumber:

I want to change ACIs from the old behaviour to a white list approach. Should I include objectClass in the ACIs? Do I need to create a deny-all as the last ACI so everything that is not allowed gets denied?

In your blog you talk about a toolset to test ACIs, is that tool published somewhere?

best regards,
abosch
[389-users] docs for 1.4
hi!

is there a way to access documentation for the upcoming 1.4 release? I would like to see specifically the changes in ACIs as stated in this thread: https://lists.fedorahosted.org/archives/list/389-users@lists.fedoraproject.org/thread/PG5QXDAI2OI4YVIEIDG6QCFIANQPBTSJ/

thanks in advance,
abosch
[389-users] Re: creating root suffix from cockpit
> I am actually working on the UI right now, what exactly would you like
> in the UI? Is creating "sample entries" sufficient for your needs, or
> do you actually need just a basic root node entry created? Adding an
> option to create the root node is trivial, but I want to confirm what
> you are really looking for.

for me a basic root entry (with its related database) is enough. I will import my own LDIF later, so maybe I could use the option to create it with dscreate. Somehow I missed/forgot that option.

thanks for your time Mark, I'm really looking forward to migrating my old 389 setup.

best regards,
abosch
[389-users] creating root suffix from cockpit
Hi,

I asked a broad question here: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org/thread/7G2Y2ZYBYB7JNOCMIGV5WQMYDAWSD6VM/ but I would like to know specifically if the root suffix can be created with cockpit.

thanks,
abosch
[389-users] Re: ACI to allow group to access one attribute
> I need to see the aci's on your server to help more. Can you please
> send me (either to the list, or directly to my email) the output of:
>
> ldapsearch -x -b "your basedn" -D 'cn=Directory Manager' -w -H
> ldaps:// '(aci=*)' aci
>
> That well help me answer the question as to what is causing this
> attribute to be readable,

William was kind enough to answer me directly.

> > # /usr/lib/mozldap/ldapsearch -D 'cn=Directory Manager' -j /etc/.ldap.secret -b 'dc=global' '(aci=*)' aci
> > version: 1
> > dn: dc=global
> > aci: (targetattr != "userPassword") (version 3.0; acl "Anonymous access"; allow (read, search, compare)userdn = "ldap:///anyone";)
>
> See this '!=' in targetattr? This doesn't mean "exclude userPassword
> from searches", it means "take the set of every attribute that exists
> in the server, and allow search on ALL of them EXCEPT userPassword".
> This aci is a huge security risk because you are disclosing ALL
> attribute states. It's better to have a super long list of attributes
> here that you trust to be read. In the next version of Directory
> Server we fix these default attributes to have sane content.
>
> > aci: (targetattr != "nsroledn||aci")(version 3.0; acl "Allow self entry modification except for nsroledn and aci attributes"; allow (write)userdn ="ldap:///self";)
>
> Again, the same effect here: But this time this allows a user to "self
> write any attribute that exists EXCEPT these two". Which again has
> huge security risks, because now they can self edit objectClass, add a
> container type, child entries. They can edit the nsadminlimits, or
> more. So again, this needs to be a "targetattr = " list of what you
> WANT to allow self write to.
>
> > aci: (targetattr = "*")(version 3.0; acl "Configuration Adminstrator"; allow (all) userdn = "ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot";)
> > aci: (targetattr ="*")(version 3.0;acl "Configuration Administrators Group";allow (all) (groupdn = "ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot");)
> > aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all)groupdn = "ldap:///dc=global";)
>
> These three are probably okay, because you expect these members to be
> able to change everything arbitrarily.

I would like to note that all those ACIs were defined by default during installation and initial configuration of 389, I didn't add anything manually.

I understand now that it is a lot better to have an explicit list of allowed attributes than a negative blacklist. If I get it correctly this is a huge security problem and I've seen a lot of LDAP servers configured this way.

thanks again for your time, William.

abosch
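The point William makes is easy to check mechanically: a `targetattr !=` clause grants everything the entry has except the listed names, so the sensitive set is whatever the ACI author forgot. The following is an added example, not code from the thread, from 389 Directory Server or from William's toolset; it re-implements only the targetattr matching rule (an `=` list allows exactly those names, `*` allows all, `!=` allows every attribute present except the listed ones) and runs the default anonymous ACI quoted above against the attribute list posted in the "docs for 1.4" thread, next to an allow-list rewrite. The allow-list ACI and the set of attributes treated as sensitive are constructed.

```python
"""Audit what an ACI's targetattr clause actually exposes.

Added example, not code from the thread or from 389 Directory Server. Only the
targetattr matching rule is modelled here; bind rules, targets and the rest of
ACI evaluation are out of scope. Attribute list taken from the thread; the
allow-list ACI and the SENSITIVE set are constructed.
"""
import re
from typing import FrozenSet, Set, Tuple

# Matches (targetattr = "a || b") and (targetattr != "a"), any spacing/case.
TARGETATTR_RE = re.compile(
    r'\(\s*targetattr\s*(!=|=)\s*"([^"]*)"\s*\)', re.IGNORECASE
)

# Attribute types the poster's entries carry (from the thread, minus dn, which
# is not an attribute ACIs target) plus userPassword, the one name the default
# ACI excludes.
ENTRY_ATTRS: FrozenSet[str] = frozenset({
    "cn", "description", "displayName", "employeeNumber", "gecos",
    "gidNumber", "homeDirectory", "loginShell", "mail", "manager", "member",
    "memberOf", "objectClass", "petraSshPublicKey",
    "printer-make-and-model", "printer-more-info", "printer-uri",
    "sambaAcctFlags", "sambaNTPassword", "sambaPasswordHistory",
    "sambaPwdLastSet", "sambaSID", "shadowInactive", "shadowLastChange",
    "shadowMax", "shadowWarning", "sn", "uid", "uidNumber", "userPassword",
})

# Credential material an anonymous reader must never see (constructed set).
SENSITIVE: FrozenSet[str] = frozenset(
    {"userPassword", "sambaNTPassword", "sambaPasswordHistory"}
)


def parse_targetattr(aci: str) -> Tuple[str, Set[str]]:
    """Return (operator, attribute names lower-cased) from an ACI string."""
    match = TARGETATTR_RE.search(aci)
    if match is None:
        raise ValueError("ACI has no targetattr clause")
    op, value = match.group(1), match.group(2)
    # 389-ds separates names with '||'; LDAP attribute names are case-insensitive.
    names = {n.strip().lower() for n in value.split("||") if n.strip()}
    return op, names


def readable_attrs(aci: str,
                   entry_attrs: FrozenSet[str] = ENTRY_ATTRS) -> Set[str]:
    """Attributes of the entry that the ACI's targetattr clause covers."""
    op, names = parse_targetattr(aci)
    by_lower = {a.lower(): a for a in entry_attrs}
    if "*" in names:
        covered = set(by_lower)
    elif op == "=":
        covered = names & set(by_lower)
    else:  # '!=': everything the entry has except the listed names
        covered = set(by_lower) - names
    return {by_lower[n] for n in covered}


def exposed_secrets(aci: str,
                    entry_attrs: FrozenSet[str] = ENTRY_ATTRS,
                    sensitive: FrozenSet[str] = SENSITIVE) -> Set[str]:
    """Sensitive attributes the ACI lets its subject reach."""
    return readable_attrs(aci, entry_attrs) & sensitive


# The default ACI quoted in the thread: deny-list style.
DENYLIST_ACI = (
    '(targetattr != "userPassword")(version 3.0; acl "Anonymous access"; '
    'allow (read, search, compare) userdn = "ldap:///anyone";)'
)

# Allow-list rewrite naming only public directory attributes (constructed).
ALLOWLIST_ACI = (
    '(targetattr = "cn || sn || displayName || mail || uid || objectClass")'
    '(version 3.0; acl "Anonymous access"; '
    'allow (read, search, compare) userdn = "ldap:///anyone";)'
)

if __name__ == "__main__":
    for label, aci in (("deny-list", DENYLIST_ACI), ("allow-list", ALLOWLIST_ACI)):
        leaked = sorted(exposed_secrets(aci))
        print(f"{label}: {len(readable_attrs(aci))} attributes readable, "
              f"secrets exposed: {leaked or 'none'}")
```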
[389-users] Re: 389ds on lxc debian
thanks for this detailed explanation.

what time frame are we talking here? 1 year? 1 month? I'm evaluating an update/migration from my 1.2 installation and I don't mind waiting a little bit.

> As for today, the best advice I can give is use setup-ds.pl without the
> admin tools, and just manage the server from the cli via dse.ldif. It's
> not pretty sadly.

It's ok, I love working from the cli.

best regards,
abosch
[389-users] Re: 389ds on lxc debian
> There are a number of users of 389-ds with lxc, just not with the admin
> console that I am aware of.

ok so it is just the admin console that can't be installed on lxc. is there any work being done in this matter? should I file a bug?

abosch
[389-users] 389ds on lxc debian
hi,

I'm trying to install the 1.1.43-1+b1 package on lxc with debian 9 and I get this error:

invoke-rc.d: initscript dirsrv-admin, action "start" failed.
● dirsrv-admin.service - 389 Administration Server.
   Loaded: loaded (/lib/systemd/system/dirsrv-admin.service; disabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Tue 2018-01-30 12:32:36 CET; 6ms ago
  Process: 15226 ExecStart=/usr/sbin/apache2 -k start -f /etc/dirsrv/admin-serv/httpd.conf (code=exited, status=1/FAILURE)
gen 30 12:32:35 Jafar systemd[1]: dirsrv-admin.service: Failed to reset devices.list: Operation not permitted
gen 30 12:32:35 Jafar systemd[1]: Starting 389 Administration Server
gen 30 12:32:36 Jafar systemd[1]: dirsrv-admin.service: Control process exited, code=exited status=1
gen 30 12:32:36 Jafar systemd[1]: Failed to start 389 Administration Server..
gen 30 12:32:36 Jafar systemd[1]: dirsrv-admin.service: Unit entered failed state.
gen 30 12:32:36 Jafar systemd[1]: dirsrv-admin.service: Failed with result 'exit-code'.

it seems a problem about lxc privileges. is there anyone running 389 with lxc?

regards,
abosch
[389-users] Re: How to Restrict user authentication per application?
Some people already said that, but I just want to give my 2c.

> - Some applications are not using filters along with bind to control user login, for some reasons (e.g. not having the capability, not being designed to get a user list, not needing to keep things about users, or you can't count on applications being reliable in accessing the directory correctly but you need to control things centrally)

It is not the job of 389DS to solve architecture flaws or badly designed apps. If an app doesn't have any AUTHORISATION capabilities, either you put a proxy in front and let only the proxy access the app directly, or you can't really filter who can log in. Any modern network-oriented app has some kind of authorisation, so we're probably talking about legacy or niche apps.

> - LDAP should be able to protect itself, and have more mature policies in access control, even for the bind operation. For example, think of an environment in which a system or application is compromised, or has malware, or something like that. In that situation we should be able to protect the directory with at least a bind operation ACL, and if possible with more mature access policies.

You can say that about any database-oriented app: if mysql/oracle/postgres is compromised, I don't think authorisation is the biggest of your problems. And in general I think it is a bad idea to transfer app logic to the directory/database; from my experience you lose control with little benefit. Maybe you should take a look at CAS or OpenAM to address those problems.

abosch
Re: [389-users] DB account master integrated with LDAP
This is more related to architecture than to LDAP itself, and it is exactly what I've been doing in my current position.

You have to decide which of your user directories will be the main one. In our case it was the HR app, which imposed an Oracle solution. With SQL triggers we create the user in our LDAP, and then the rest of our apps rely only on LDAP queries.

We also have several tasks to sync systems without a direct LDAP connection, like old MySQL-based apps. These scheduled tasks (usually running at night) dump the entire directory, check for updates and modify the destination system.

If you need more details about some specific task, don't hesitate to ask.

abosch

----- Original message -----
> From: "Andy Spooner"
> To: 389-users@lists.fedoraproject.org
> Sent: Tuesday, 3 November 2015 19:32:44
> Subject: [389-users] DB account master integrated with LDAP
>
> I am using ldap to share user account information across two applications. Is it possible to use 'Application 1' as the central reference instead of the LDAP server? E.g. 'Application 1' holds and maintains account information, which updates ldap periodically. 'Application 2' will look up LDAP for account information. 'Application 1' is the main system and will hold millions of accounts which would operate quicker from the DB without having to refer to LDAP for usernames, passwords, etc. 'Application 2' will require a small subset of users to log on using credentials of users in the master database, which can be done via LDAP.

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
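The nightly dump, compare and apply job described in the reply above, as an added example (not code from the thread or from 389 DS): a minimal LDIF reader for the directory dump and a pure comparison step that emits explicit add/modify/delete operations for a destination that cannot speak LDAP. The LDIF records, the target records and the synchronised attribute list (SYNC_ATTRS) are constructed for the example; a real job would apply the returned operations with SQL against the MySQL-based app, which is what apply_ops stands in for here.

```python
"""Reconcile a directory dump (LDIF) against a non-LDAP destination.

Added example, not code from the 389-users thread. All records below are
constructed; the sync step is the pure function `reconcile`.
"""
import base64

# Constructed directory dump, standing in for the nightly export.
SAMPLE_LDIF = """\
dn: uid=abosch,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: abosch
mail: abosch@example.com
cn:: QW5nZWwgQm9zY2g=
loginShell: /bin/bash
description: a folded line that continues
  on the next line

dn: uid=jdoe,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe
mail: jdoe@example.com
cn: John Doe
loginShell: /bin/sh
"""

# Attributes the destination system mirrors (assumption for the example).
SYNC_ATTRS = ("mail", "cn", "loginshell")


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines (one leading space),
    decodes '::' base64 values, skips '#' comments, and returns one dict per
    entry mapping lower-cased attribute names to lists of values."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, entry = [], {}
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if entry:
                entries.append(entry)
                entry = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(name.strip().lower(), []).append(value)
    return entries


def by_uid(entries):
    """Index entries by their uid so both sides can be compared per account."""
    return {e["uid"][0]: e for e in entries if "uid" in e}


def project(record, attrs):
    """Reduce a record to the synced attributes; multi-valued LDAP attributes
    are collapsed to their first value so both sides compare as strings."""
    out = {}
    for a in attrs:
        v = record.get(a)
        if isinstance(v, list):
            v = v[0] if v else None
        out[a] = v
    return out


def reconcile(source, target, attrs=SYNC_ATTRS, delete_missing=False):
    """Return the operations that make `target` match the authoritative
    `source`. Deleting accounts that vanished from the dump is opt-in: an
    empty or truncated export must never wipe the destination."""
    ops = []
    for uid in sorted(set(source) | set(target)):
        if uid not in target:
            ops.append(("add", uid, project(source[uid], attrs)))
        elif uid not in source:
            if delete_missing:
                ops.append(("delete", uid, None))
        else:
            want = project(source[uid], attrs)
            have = project(target[uid], attrs)
            changes = {a: (have[a], want[a]) for a in attrs if have[a] != want[a]}
            if changes:
                ops.append(("modify", uid, changes))
    return ops


def apply_ops(target, ops):
    """Apply operations to an in-memory target (stand-in for SQL updates)."""
    for op, uid, payload in ops:
        if op == "add":
            target[uid] = dict(payload)
        elif op == "modify":
            for a, (_old, new) in payload.items():
                target[uid][a] = new
        elif op == "delete":
            target.pop(uid, None)
    return target


if __name__ == "__main__":
    source = by_uid(parse_ldif(SAMPLE_LDIF))
    target = {"abosch": {"mail": "old@example.com", "cn": "Angel Bosch",
                         "loginshell": "/bin/bash"}}
    for op in reconcile(source, target):
        print(op)
```

Running the job twice is the real test of a sync like this: after apply_ops the second reconcile must return an empty list, and accounts missing from the dump are only removed when delete_missing is set explicitly.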
Re: [389-users] Question RE: 389DS
> When SSL-enabling the directory server, am I allowed to use a wildcard certificate or is it mandatory that the certificate include the FQHN?

The certificate should always contain the FQDN, but you can use the alternative name extension, which allows you to specify multiple names. This is what I use for my setups:

    certutil -R -s "CN=domssm1.xxx.net,OU=aa,O=bb,L=cc,ST=dd,C=dd" -o domssm1.csr -d . -a -8 domssm1.xxx.net,ldap.xxx.net,ldap-write.xxx.net

Hope that helps,

abosch
[389-users] selinux problem with centos 7.1
Hi, I'm having problems installing a new test environment on CentOS 7.1. When I execute setup-ds-admin.pl I get this message:

    Adding port 389 to selinux policy failed - ValueError: SELinux policy is not managed or store cannot be accessed.

I've tried with --debug and it keeps retrying every 5 seconds with the same message.

    # lsb_release -a
    LSB Version:    :core-4.1-amd64:core-4.1-noarch
    Distributor ID: CentOS
    Description:    CentOS Linux release 7.1.1503 (Core)
    Release:        7.1.1503
    Codename:       Core
    # sestatus
    SELinux status: disabled

The only irregular thing is that I'm using an OpenVZ container, but I have plenty of other DS instances inside OpenVZ without any problems.

I managed to continue with the installation with a very dirty hack: I modified the DSCreate.pm script and added a return at the beginning of the updateSelinuxPolicy sub:

    sub updateSelinuxPolicy {
        my $inf = shift;
        return 0;

Did anyone get this same problem?

abosch
Re: [389-users] selinux problem with centos 7.1
> I went through this with Mageia. You either need to enable selinux (permissive) or compile 389-ds without selinux.

Do you mean I won't be able to run it without selinux? Or is it just the installer?

abosch
Re: [389-users] stable packages for Centos 7
Can someone shed some light on this issue? I'm getting some pressure from my direct bosses and I need all the info I can get to evaluate our DS environment for next year.

Thanks in advance.

abosch

----- Original message -----
From: Angel Bosch abo...@ticmallorca.net
To: 389-users@lists.fedoraproject.org
Sent: Tuesday, 23 September 2014 13:05:33
Subject: stable packages for Centos 7

Hi, I'm planning to migrate some of my servers to the 1.3 branch and I don't know which packages to use. I've found packages from mreynolds:

    http://copr.fedoraproject.org/coprs/mreynolds/389-ds-base/

and dfas:

    http://copr.fedoraproject.org/coprs/dfas/389-ds-dfas/

The first one seems to be a nightly and I would like to maintain a stable install. Should I use dfas?

By the way, is the policy-packages situation going to be solved anytime? I found it very confusing having to deal with several repos to get a full installation of 389 DS, and I thought this splitting thing was temporary, just for EL6.

Thanks for your time,

abosch
[389-users] stable packages for Centos 7
Hi, I'm planning to migrate some of my servers to the 1.3 branch and I don't know which packages to use. I've found packages from mreynolds:

    http://copr.fedoraproject.org/coprs/mreynolds/389-ds-base/

and dfas:

    http://copr.fedoraproject.org/coprs/dfas/389-ds-dfas/

The first one seems to be a nightly and I would like to maintain a stable install. Should I use dfas?

By the way, is the policy-packages situation going to be solved anytime? I found it very confusing having to deal with several repos to get a full installation of 389 DS, and I thought this splitting thing was temporary, just for EL6.

Thanks for your time,

abosch
Re: [389-users] Start TLS request accepted. Server willing to negotiate SSL
/etc/ldap.conf is not the same as /etc/openldap/ldap.conf; it seems that you're missing the second one.

> While attempting to change a directory password I keep getting this message...
>
>     [root@xxx ~]# ldappasswd -x -ZZ -D "cn=directory manager" -w "mypass" uid=se253264,ou=people,dc=xxx,dc=cle=dc=us -a oldpass -s newpass
>     ldap_start_tls: Connect error (-11)
>             additional info: Start TLS request accepted.Server willing to negotiate SSL.
>
> In researching this I found to add -d1 for additional debugging information and found this, probably relevant:
>
>     TLS: could not load client CA list (file:`',dir:`/etc/openldap/cacerts/cacert.asc').
>     TLS: error:0200A014:system library:opendir:Not a directory ssl_cert.c:816
>     TLS: error:140D7002:SSL routines:SSL_add_dir_cert_subjects_to_stack:system lib ssl_cert.c:818
>     ldap_perror
>
> I do have the following in my /etc/ldap.conf file:
>
>     ssl yes
>     tls_cacertdir /etc/openldap/cacerts
>     TLS_REQCERT allow
>     pam_password exop
>
> And the cacert.asc does exist in that directory. This is the cacert.asc that was created during setup of this machine using the setupssl.sh script, and I copied it to the requested directory. I am not seeing anything additional on the HowtoSSL page and realize that TLS is necessary for the password change function. Thanks for any help you may have. I am also under the impression I am supposed to copy the cacert.asc to each client machine so they can authenticate against the cert. Is this true also?
>
> David Hoskinson | DATATRAK International
> Systems Engineer
> Mayfield Heights, Ohio, USA
> +1.440.443.0082 x 124 (p) | +1.216.280.5457 (m)
> david.hoskin...@datatrak.net | www.datatrak.net
Re: [389-users] Problem with samba and 389 Directory server with LDAPS
You have two server certificates with almost the same name. Be careful about that. You can inspect the details with

    certutil -d /etc/dirsrv/slapd-xxx01 -L -n server-cert

and

    certutil -d /etc/dirsrv/slapd-xxx01 -L -n Server-Cert

or use a simple pipe to check the Alt Names:

    certutil -d /etc/dirsrv/slapd-xxx01 -L -n Server-Cert | grep DNS

----- Original message -----
> [root@xxx ZDRIVE]# certutil -d /etc/dirsrv/slapd-xxx01 -L
>
> Certificate Nickname                         Trust Attributes
>                                              SSL,S/MIME,JAR/XPI
>
> CA certificate                               CTu,u,u
> server-cert                                  u,u,u
> Server-Cert                                  u,u,u
>
> Thanks Rich....
>
> From: Rich Megginson [mailto:rmegg...@redhat.com]
> Sent: Wednesday, September 28, 2011 9:24 AM
> To: General discussion list for the 389 Directory server project.
> Cc: David Hoskinson
> Subject: Re: [389-users] Problem with samba and 389 Directory server with LDAPS
>
> On 09/28/2011 06:47 AM, David Hoskinson wrote:
> > I do not have a server.crt.. I created my certs using the following page on the 389 documentation, http://directory.fedoraproject.org/wiki/Howto:SSL, which creates a cert8.db and key3.db. In the past I could do "certutil -L something" and it would show the cert information, but I can't seem to find that command anymore.
>
> certutil -d /etc/dirsrv/slapd-instance -L
>
> > I can authenticate from localhost and any of the client machines, even the samba server, just fine... I just can't seem to get the samba service to connect. If I have set things up incorrectly I appreciate the help.
> >
> > From: 389-users-boun...@lists.fedoraproject.org [mailto:389-users-boun...@lists.fedoraproject.org] On Behalf Of Angel Bosch Mora
> > Sent: Wednesday, September 28, 2011 7:52 AM
> > To: General discussion list for the 389 Directory server project.
> > Subject: Re: [389-users] Problem with samba and 389 Directory server with LDAPS
> >
> > Are you sure your certificate is created with your FQDN in it? I've had LOTS of problems until I created my certs correctly. You can check it with
> >
> >     openssl x509 -noout -text -in server.crt
> >
> > and I recommend that you include your FQDN as an Alternative Name even if it is your hostname; that trick saved me lots of headaches. I always create my certs with two alternate names, the FQDN itself and also ldap.mydomain; this way you don't have any problems with load balancing and such. To create a certificate request with alternate names you can run (one line):
> >
> >     certutil -R -s CN=myserver.example.com,OU=example,O=example,L=example,ST=example,C=example -o example.csr -d . -a -8 myserver.example.com,ldap.example.com
> >
> > [2011/09/28 11:23:13, 2] lib/smbldap.c:smbldap_open_connection(786)
> >   smbldap_open_connection: connection opened
> > [2011/09/28 11:23:13, 10] lib/smbldap.c:smbldap_connect_system(951)
> >   ldap_connect_system: Binding to ldap server ldaps://adm301.stag.cle.us as cn=Directory Manager
> > [2011/09/28 11:23:13, 2] lib/smbldap.c:smbldap_connect_system(982)
> >   failed to bind to server ldaps://"FQDN of server".stag.cle.us with dn=cn=Directory Manager Error: Can't contact LDAP server (unknown)
> >
> > And yes, I can resolve the hostname, which I have sanitized. Thanks for the tip, but that doesn't seem to help; I still have the same result. This was just working on another machine but I had to put that one back to the way it was, and must have missed something. Any more thoughts?
> >
> > From: 389-users-boun...@lists.fedoraproject.org [mailto:389-users-boun...@lists.fedoraproject.org] On Behalf Of Angel Bosch Mora
> > Sent: Wednesday, September 28, 2011 3:39 AM
> > To: General discussion list for the 389 Directory server project.
> > Subject: Re: [389-users] Problem with samba and 389 Directory server with LDAPS
> >
> > You have to use the FQDN when connecting securely, and you have to use the exact name used in the certificate.
> >
> > I am getting the following message in the /var/log/samba/smbd.log file when I start up samba and try to connect as a user.
> >
> >     [2011/09/27 14:23:33, 1] lib/smbldap.c:another_ldap_try(1153)
> >       Connection to LDAP server failed for the 15 try!
> >     [2011/09/27 14:23:34, 10] lib/smbldap.c:smb_ldap_setup_conn(630)
> >       smb_ldap_setup_connection: ldaps://192.168.3.79
> >     [2011/09/27 14:23:34, 2] lib/smbldap.c:smbldap_open_connection(786)
> >       smbldap_open_connection: connection opened
> >     [2011/09/27 14:23:34, 10] lib/smbldap.c:smbldap_connect_system(951)
> >       ldap_connect_system: Binding to ldap server ldaps://192.168.x.x as cn=directory manager,dc=stag,dc=cle,dc=us
> >     [2011/09/27 14:23:34, 2] lib/smbldap.c:smbldap_connect_system(982)
> >       failed to bind to server ldaps://192.168.x.x with dn=cn=directory manager,dc=stag,dc=cle,dc=us Error: Can't contact LDAP server (unknown)
> >
> > Relevant part of the smb.conf:
> >
> >     passdb backend = ldapsam: ldaps://192.168.x.x
> >     ldap suffix = dc=stag,dc=cle,dc=us
> >     ldap machine suffix = ou=people
> >     ldap user suffix = ou=people
> >     ldap group suffix = ou=groups
> >     ldap passwd sync = yes
> >     ldap admin dn = cn=directory manager,dc=stag,dc=cle,dc=us
> >     obey pam
Re: [389-users] SSL/TLS with a hardware load balancer
----- Original message -----
> Has anyone engineered a design to run 389-ds servers behind a hardware load balancer like an F5 LTM? I've found this question presented before, but never answered.
>
> a) the openldap-clients ldap module will query the first host/uri in the list until the port goes down
> b) the server can run out of file descriptors or memory and stop answering queries without closing the port
> c) pointing clients at a virtualized name on a hardware LB will present a name conflict. The SSL cert on the directory server must match the v-name on the LB to answer queries, but it must match the local hostname for replication agreements.

    cd /etc/dirsrv/instance
    certutil -R -s CN=hostname,OU=example,O=example,L=example,ST=example,C=example -o example.csr -d . -a -8 hostname.example.com,ldap.example.com,repl.another.one

This is the only step that can't be done through the GUI; the rest is in the official docs.

abosch
[389-users] entry-id conflict
Hi, I'm setting up another node in my multi-master environment. On the new node I can see differences in the entry-id attribute. Is this normal? I guess this is an internal attribute, but I'm not sure whether it must be shared and unique across the members of the replication topology.

Regards,

abosch
[389-users] admin server fails to start with PSET failure: Failed to create PSET handle
Hi, I'm having problems starting the admin server. I can see just this line in the log:

    [Thu Apr 07 12:26:13 2011] [crit] host_ip_init(): PSET failure: Failed to create PSET handle (pset error = )

Not sure if it is related, but we had an accident that changed permissions on some files (a recursive chmod on the wrong directory). The main instance seems to work OK, so I'm a bit lost here.

Regards,

abosch
Re: [389-users] admin server fails to start with PSET failure: Failed to create PSET handle
----- Original message -----
> On 04/07/2011 04:37 AM, Angel Bosch Mora wrote:
> > Hi, I'm having problems starting the admin server. I can see just this line in the log:
> >
> >     [Thu Apr 07 12:26:13 2011] [crit] host_ip_init(): PSET failure: Failed to create PSET handle (pset error = )
> >
> > Not sure if it is related, but we had an accident that changed permissions on some files (a recursive chmod on the wrong directory). The main instance seems to work OK, so I'm a bit lost here.
>
> What platform? What version of 389-ds-base and 389-admin?
>
>     ls -al /etc/dirsrv/admin-serv

Sorry, I was a bit nervous this morning :)

    # lsb_release -a
    LSB Version:    :core-3.1-ia32:core-3.1-noarch:graphics-3.1-ia32:graphics-3.1-noarch
    Distributor ID: CentOS
    Description:    CentOS release 5.5 (Final)
    Release:        5.5
    Codename:       Final

    # rpm -qa | grep 389
    389-admin-1.1.11-1.el5
    389-ds-console-doc-1.2.3-1.el5
    389-adminutil-1.1.8-4.el5
    389-dsgw-1.1.5-1.el5
    389-admin-console-doc-1.1.5-1.el5
    389-admin-console-1.1.5-1.el5
    389-ds-1.2.1-1.el5
    389-ds-base-1.2.6.1-2.el5
    389-ds-console-1.2.3-1.el5
    389-console-1.1.4-1.el5

    # ls -al /etc/dirsrv/admin-serv/
    total 176
    drwxrwx--- 2 root duser  4096 Nov  5 18:21 .
    drwxrwxr-x 7 root duser  4096 Nov  5 18:21 ..
    -rw-rw 1 root duser   544 Nov  5 18:21 adm.conf
    -rw-rw 1 root duser    40 Nov  5 18:21 admpw
    -rw-rw 1 root duser  3924 Aug 26  2010 admserv.conf
    -rw-rw 1 root duser 65536 Mar 15 12:44 cert8.db
    -rw-rw 1 root duser  4469 Nov  5 18:21 console.conf
    -rw-rw 1 root duser 26827 Nov 11 12:23 httpd.conf
    -rw-rw 1 root duser 16384 Mar 15 12:44 key3.db
    -rw-rw 1 root duser  9093 Mar 18 10:21 local.conf
    -rw-rw 1 root duser  4502 Aug 26  2010 nss.conf
    -rw-rw 1 root duser 16384 Nov  5 18:21 secmod.db

This duser is the user/group created before installation and used for setup-ds.pl.

If you need further info, please just ask.

Thanks,

abosch
Re: [389-users] Questions about groups and group IDs
----- Original message -----
> We are planning out how we are going to move from Active Directory to 389-ds. We can add users to our test environment successfully, and give the accounts the proper information (uid, shell, etc.). However, one area that we are getting stumped at is groups. In our Active Directory currently, we have several groups that we put our users into based on their function. Those groups have unique group IDs. However, when I make a group on 389-ds, I don't have any way of specifying a group ID. I can make a new user and give it a group ID by default, but that group ID doesn't exist anywhere and I can't find where to assign it or create it. Any ideas on this?

You need to use objectClass: posixGroup in your group template. In theory posixGroup and groupOfNames are structural object classes and cannot be combined, but in practice there's a variation of the RFC that allows posixGroup to be used as auxiliary.

http://osdir.com/ml/ldap.umich/2006-07/msg00015.html

Regards,

abosch
Re: [389-users] get base dn from ldapsearch
----- Original message -----
> Oddly enough it looks like it comes out as part of the LDIF comment. If you skip the option to tell it not to output ldif comments you'll get your base:
>
>     $ ldapsearch -d1 -x '(uid=example)' 2>&1 | grep base
>     # base <dc=example,dc=com> (default) with scope subtree

I don't get any result on my machine and I'm pretty sure I have my ldap.conf configured:

    $ ldapsearch -d1 -x '(uid=example)' 2>&1 | grep base
    # base <> with scope subtree

Can this be a bug?

abosch
Re: [389-users] get base dn from ldapsearch
> Maybe I am understanding this wrong, but could you not just check in the config what the search base is set to on the client side? What is the problem you are trying to solve?

Yes, you're right. I can just take a look at ldap.conf, but there are several places to look:

- Debian/Ubuntu uses /etc/ldap/ldap.conf
- RHEL/CentOS uses /etc/openldap/ldap.conf
- custom compilations can use any path, e.g. /usr/local/ldap/ldap.conf
- Windows openldap uses... I don't really know :P

So what I'm trying to do is resolve the configured base without knowing anything about the client. For example, this command gives me the server even if I don't know anything about the conf:

    ldapsearch -d1 -x -LLL '(uid=example)' uid 2>&1 | grep ldap_connect_to_host

I'm just a little bit surprised that I can't find any debug level that gives me the BASE.

abosch
[389-users] get base dn from ldapsearch
Hi, not specifically 389 related, but: is there a way to guess the default base DN for clients (the one configured in /etc/openldap/ldap.conf) with ldapsearch? I've tried with -v, -n and -d, but I only get the server, not the base.

Regards,

abosch
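An added example, not code from these threads or from OpenLDAP, covering two things the messages above turn on: where a client's default BASE really comes from (the per-distribution ldap.conf paths listed in the reply above, plus the LDAPCONF/LDAPBASE environment overrides and per-user ldaprc files that libldap honours, in a simplified precedence that is an assumption of this example), and the TLS settings from the StartTLS thread earlier on this page, where TLS_CACERTDIR pointed at a CA file instead of a directory ("opendir: Not a directory") and TLS_REQCERT allow switched off server verification. demo_setup() builds a throwaway directory reproducing that misconfiguration so the check runs offline.

```python
"""Resolve the client-side default BASE and sanity-check TLS paths in
OpenLDAP-style ldap.conf files.

Added example, not code from the 389-users threads or from OpenLDAP. The
file precedence below is a simplification (assumption): system file
(LDAPCONF or the distro default), then ~/ldaprc and ~/.ldaprc, later
files overriding earlier ones, LDAPBASE in the environment winning over all.
"""
import os
import tempfile
from pathlib import Path

# The two locations the thread lists.
DEFAULT_PATHS = ("/etc/openldap/ldap.conf", "/etc/ldap/ldap.conf")


def parse_ldap_conf(text):
    """Parse 'KEYWORD value' lines. Keywords are matched case-insensitively
    (libldap writes BASE/TLS_CACERTDIR, nss_ldap's /etc/ldap.conf writes
    tls_cacertdir), '#' starts a comment, and a repeated keyword overrides
    the earlier value."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def candidate_files(env=None):
    """Files to consult, in reading order (later ones override)."""
    env = os.environ if env is None else env
    files = [env["LDAPCONF"]] if env.get("LDAPCONF") else list(DEFAULT_PATHS)
    home = env.get("HOME")
    if home:
        files += [os.path.join(home, "ldaprc"), os.path.join(home, ".ldaprc")]
    return files


def resolve_base(files, env=None):
    """Return (base_dn, source). LDAPBASE in the environment overrides every
    file; otherwise the last existing file that sets BASE wins."""
    env = os.environ if env is None else env
    if env.get("LDAPBASE"):
        return env["LDAPBASE"], "env:LDAPBASE"
    found = (None, None)
    for f in files:
        p = Path(f)
        if not p.is_file():
            continue
        conf = parse_ldap_conf(p.read_text())
        if "BASE" in conf:
            found = (conf["BASE"], str(p))
    return found


def check_tls(conf):
    """Flag TLS settings that produce the errors in the StartTLS thread or
    silently weaken the connection. Returns a list of problem strings."""
    problems = []
    cadir = conf.get("TLS_CACERTDIR")
    if cadir is not None:
        if Path(cadir).is_file():
            problems.append(f"TLS_CACERTDIR {cadir} is a file, not a directory; "
                            "use TLS_CACERT for a single CA file")
        elif not Path(cadir).is_dir():
            problems.append(f"TLS_CACERTDIR {cadir} does not exist")
    cafile = conf.get("TLS_CACERT")
    if cafile is not None and not Path(cafile).is_file():
        problems.append(f"TLS_CACERT {cafile} does not exist")
    reqcert = conf.get("TLS_REQCERT", "demand").lower()
    if reqcert in ("never", "allow"):
        problems.append(f"TLS_REQCERT {reqcert}: the server certificate is not "
                        "verified, so StartTLS encrypts the session but does "
                        "not authenticate the server")
    return problems


def demo_setup():
    """Build a throwaway directory reproducing the thread's mistake: a CA
    file named cacert.asc with TLS_CACERTDIR pointing at the file itself.
    Constructed data so the example runs offline."""
    root = tempfile.mkdtemp(prefix="ldapconf-demo-")
    cafile = os.path.join(root, "cacert.asc")
    Path(cafile).write_text("-----BEGIN CERTIFICATE-----\nplaceholder\n"
                            "-----END CERTIFICATE-----\n")
    conf_path = os.path.join(root, "ldap.conf")
    Path(conf_path).write_text("# constructed client config\n"
                               "BASE dc=example,dc=com\n"
                               "URI ldap://ldap.example.com\n"
                               f"tls_cacertdir {cafile}\n"
                               "TLS_REQCERT allow\n")
    return {"root": root, "cafile": cafile, "conf": conf_path}


if __name__ == "__main__":
    paths = demo_setup()
    base, source = resolve_base(candidate_files() + [paths["conf"]])
    print("BASE:", base, "from", source)
    for problem in check_tls(parse_ldap_conf(Path(paths["conf"]).read_text())):
        print("PROBLEM:", problem)
```

On a real client, drop the demo file from the list and pass candidate_files() alone; the source column tells you which of the distribution-specific paths (or which environment variable) the BASE actually came from.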
Re: [389-users] SSl connection to 389 DS server
SSL connections need the same FQDN specified in the cert to be used when connecting. localhost is hardly going to work.

abosch
Re: [389-users] dsml packages
----- Original message -----
> Yes. We never released dsmlgw as an rpm package.

I thought I saw something about packages in the docs but I can't find it now. Thanks for the answer.
[389-users] dsml packages
Hi, I can't find the latest dsml packages anywhere. Must I compile from sources? I use the EPEL repos.

Regards,

abosch
[389-users] upgrading packages
Hi, I've some questions about upgrading:

- must I run 'setup-ds-admin.pl -u' every time there's a new package in the repos?
- doesn't packaging take care of that?
- does it matter how many instances are configured?

I've been having some strange problems in my (mixed) environment and I just want to clarify some things.

abosch
Re: [389-users] duplicate existing ssl crenentials on another server ?
You must create a certificate with additional hostnames, using the -8 option. You can view an example here:

http://docs.sun.com/app/docs/doc/819-5899/6n7uuth9p?l=en&n=1&a=view

----- Original message -----
> Hello,
>
> After having read through the Howto:SSL document on the 389 wiki, I went ahead and set up SSL for my master instance; it works great, and I couldn't be happier. :)
>
> I have a slave set up to do read-only replication from the master; now, the wiki document has information on how to integrate the certificate into a slave so that the replication can occur over SSL, which I'll no doubt do, but that's not what I'm looking for advice on now.
>
> What I'm interested in is actually duplicating the new SSL setup that currently exists on the master. I realise that this sounds funny, but the reason is simple: in our environment, all of the clients and LDAP-aware applications are configured to send requests to a given hostname (which is not the base FQDN of the LDAP server; it's another, separate hostname entirely). If the master goes down, the slave automatically has this separate hostname assigned to it. (Put another way, it's a sort of poor man's failover. It's far from perfect, and everybody knows it, but that's what's there, so for now we live with it. :P)
>
> What I would appear to need, therefore, is to have the slave be able to respond to incoming SSL requests with exactly the same credentials as the master. Is this even possible, and if so, how would I go about doing it?
>
> Thank you, all.
>
> --
> Daniel Maher dma + 389users AT witbe DOT net
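An added example, not code from the threads or from NSS/certutil, that models the name-matching rule a TLS client applies to the certificates discussed in the wildcard question, the samba/LDAPS thread, the load-balancer thread and this one: with subject alternative names present the CN is ignored, a wildcard covers exactly one left-most label, and a client-facing name such as ldap.xxx.net is only accepted when it appears in the SAN list. The certificate names are constructed; allow_cn_fallback is an assumption of the example that models older clients which still consult the CN when no dNSName SAN is present.

```python
"""Which client-facing names does a server certificate actually cover?

Added example (not from the 389-users threads, not NSS/certutil code). It
models the dNSName matching rule TLS clients apply: SAN entries win over
the CN, a wildcard is honoured only as the whole left-most label and
matches exactly one label, and comparison is case-insensitive. The names
used below are constructed.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class CertNames:
    """The naming parts of a certificate: subject CN plus dNSName SANs."""
    subject_cn: str
    san_dns: List[str] = field(default_factory=list)


def _name_matches(pattern, host):
    """Match one certificate name (possibly '*.example.com') against a host."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # Only a bare '*' as the left-most label, with at least two more labels,
    # is accepted; 'ldap*.example.com' and '*.net' are rejected outright.
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    # The wildcard stands for exactly one label: '*.xxx.net' covers
    # 'ldap.xxx.net' but neither 'xxx.net' nor 'a.b.xxx.net'.
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def cert_matches_host(cert, host, allow_cn_fallback=False):
    """True if `host` is a name the certificate is valid for.

    With any dNSName SAN present the CN is ignored, which is why a CN-only
    certificate for the box's own FQDN does not help a client that connects
    to ldap.xxx.net. allow_cn_fallback models legacy clients that still
    consult the CN when there are no SANs at all.
    """
    if cert.san_dns:
        return any(_name_matches(p, host) for p in cert.san_dns)
    return bool(allow_cn_fallback and _name_matches(cert.subject_cn, host))


def uncovered_names(cert, names, allow_cn_fallback=False):
    """Names clients will use that the certificate would be rejected for."""
    return [n for n in names if not cert_matches_host(cert, n, allow_cn_fallback)]


if __name__ == "__main__":
    # The three names from the certutil -8 example in the thread, plus one
    # that was never requested.
    cert = CertNames("domssm1.xxx.net",
                     ["domssm1.xxx.net", "ldap.xxx.net", "ldap-write.xxx.net"])
    wanted = ["domssm1.xxx.net", "ldap.xxx.net", "ldap-write.xxx.net", "repl.xxx.net"]
    print("missing from SAN:", uncovered_names(cert, wanted))
    wildcard = CertNames("*.xxx.net", ["*.xxx.net"])
    for host in ["ldap.xxx.net", "xxx.net", "ldap.sub.xxx.net"]:
        print(host, "->", cert_matches_host(wildcard, host))
```

The practical use is the load-balancer and failover cases above: list every name clients, the balancer and replication agreements will present (the FQDN, the virtual name, the failover name) and confirm uncovered_names() is empty before the certificate is issued, because a wildcard for the domain will not save you once a name gains an extra label.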
Re: [389-users] Safeguarding against to many established connections
----- Original message -----
> On 10/19/2010 12:11 PM, Gerrard Geldenhuis wrote:
> > Hi
> >
> > We have recently seen an issue where a single client opened up more than 800 established connections to our directory server. The client did have the proper settings configured and should have closed connections, but it didn't. Is there a way to limit the amount of connections per client or close connections from the server side after a certain period? Without just making the amount of connections ridiculously high on the directory server, how can you safeguard against rogue clients?
> >
> > Our client setting is as follows:
> >
> >     idle_timelimit 5
> >     timelimit 10
> >     bind_timelimit 5
> >
> > We were unable to log into the client and it had file system issues, so we could not do any further analysis there. I suspect that solutions to this problem probably fall outside of what can be configured in 389?
>
> While it's not a 389-specific suggestion, iptables could easily solve this problem for you across the board. :)

There's also a setting to close idle connections after X seconds. It's somewhere in the 389 console; I can't remember exactly where right now.

abosch
[389-users] sub-suffix creation
Hi, I'm trying to create the entry for a sub-suffix I've created in the console, but I can't find any instructions. I've followed the official docs:

http://www.centos.org/docs/5/html/CDS/ag/8.0/Configuring_Directory_Databases-Creating_and_Maintaining_Suffixes.html#Creating_Suffixes-Creating_a_New_Sub_Suffix_Using_the_Console

but there's no info about entries, just databases. Any clue?

abosch
Re: [389-users] sub-suffix creation
----- Original message -----
> Hi
>
> I'm a bit confused... have you successfully created the entry using the console and are looking for an ldif example? Or did the creation fail in the console? I can give you examples of how we create our tree and sub-suffixes if that will help; they are all in ldif format.

I've found some additional info here:

http://docs.sun.com/source/816-6698-10/suffixes.html#16762

I was a little bit lost, but I've finally managed to create an entry through the console. All the examples I found were using ldif and the command line for entry creation, but it is really easy with the console. Just be careful to use the exact same name as in the suffix database creation.

Thanks for your time, anyway.

abosch
Re: [389-users] ns-slapd processes not dying
----- Original message -----
> Hi,
>
> We had a similar problem before, but I am not sure if it is related to your case. The file descriptors that were opened by the ns-slapd process were all in a CLOSE_WAIT state. You can try to execute
>
>     netstat -anput | grep CLOSE_WAIT
>
> and see if there are a lot of dangling CLOSE_WAIT sockets opened by ns-slapd.

It seems that is not the case. I can see lots of ESTABLISHED connections, but not a single CLOSE_WAIT. Ex:

    tcp        0      0 :::172.26.67.79:389    :::192.168.224.16:53143    ESTABLISHED 315/ns-slapd

The quick and dirty workaround is restarting the instance every night.

Regards,

abosch
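An added example, not code from either thread, showing the check that both this thread and the earlier "too many established connections" thread reach for: parse netstat -anput output, count established connections per client so a rogue client holding hundreds of sockets stands out, and count the CLOSE_WAIT sockets left behind by ns-slapd. The sample lines are constructed in the format of the single real line quoted above; the threshold and the program name are parameters.

```python
"""Per-client and per-state connection counts from `netstat -anput` output.

Added example, not code from the 389-users threads. SAMPLE_NETSTAT is
constructed in the format of the line quoted in the thread
(":::172.26.67.79:389 :::192.168.224.16:53143 ESTABLISHED 315/ns-slapd").
"""
from collections import Counter

SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 :::172.26.67.79:389     :::192.168.224.16:53143 ESTABLISHED 315/ns-slapd
tcp        0      0 :::172.26.67.79:389     :::192.168.224.16:53144 ESTABLISHED 315/ns-slapd
tcp        0      0 :::172.26.67.79:389     :::192.168.224.16:53145 ESTABLISHED 315/ns-slapd
tcp        0      0 :::172.26.67.79:389     :::192.168.224.17:40001 ESTABLISHED 315/ns-slapd
tcp        0      0 ::ffff:172.26.67.79:636 ::ffff:192.168.224.18:50112 ESTABLISHED 315/ns-slapd
tcp        0      0 :::172.26.67.79:389     :::192.168.224.19:60000 CLOSE_WAIT  315/ns-slapd
tcp        0      0 127.0.0.1:22            127.0.0.1:33333         ESTABLISHED 999/sshd
tcp        0      0 :::172.26.67.79:389     :::*                    LISTEN      315/ns-slapd
"""


def client_of(addr):
    """Strip the port and the IPv4-mapped prefixes netstat prints (':::' or
    '::ffff:') so all connections from one client group together."""
    host, _, _port = addr.rpartition(":")
    if host.startswith("::ffff:"):
        host = host[len("::ffff:"):]
    elif host.startswith(":::"):
        host = host[3:]
    return host


def parse_netstat(text, program="ns-slapd"):
    """One dict per TCP socket line owned by `program` (all programs when
    program is None). Header lines and other protocols are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "tcp6"):
            continue
        prog = parts[6] if len(parts) > 6 else ""
        if program and not prog.endswith("/" + program):
            continue
        rows.append({"local": parts[3], "remote": parts[4], "state": parts[5],
                     "client": client_of(parts[4]), "program": prog})
    return rows


def connections_per_client(rows, state="ESTABLISHED"):
    """How many sockets in `state` each client address holds."""
    return Counter(r["client"] for r in rows if r["state"] == state)


def state_counts(rows):
    """Socket counts per TCP state; a growing CLOSE_WAIT figure means the
    server never closed sockets the peer already shut down."""
    return Counter(r["state"] for r in rows)


def rogue_clients(rows, threshold):
    """Clients with at least `threshold` established connections (the
    thread's case was a single client with more than 800)."""
    return sorted(c for c, n in connections_per_client(rows).items() if n >= threshold)


def report(text, threshold, program="ns-slapd"):
    rows = parse_netstat(text, program)
    return {"states": dict(state_counts(rows)),
            "per_client": dict(connections_per_client(rows)),
            "rogue": rogue_clients(rows, threshold),
            "close_wait": state_counts(rows)["CLOSE_WAIT"]}


if __name__ == "__main__":
    # In practice: report(subprocess.check_output(["netstat", "-anput"], text=True), 200)
    for key, value in report(SAMPLE_NETSTAT, threshold=3).items():
        print(f"{key}: {value}")
```

Pick the threshold from your own baseline (connections per client under normal load) rather than from the server's file-descriptor limit; the point is to see the runaway client long before the directory stops accepting connections.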