[389-users] Re: Self-service password reset?

2016-10-19 Thread Kalchik, Jeffery
I’d looked at pwm some time ago, don’t recall why I didn’t pursue it any 
further.  I’ve pulled a current copy, but seem to be stuck at the PWM 
administrators group entry in the configuration screens (never returns any 
entries.)  The search string appears to be something like:

filter="(groupmembership=cn=Directory Administrators,ou=testou,dc=example,dc=com)"

I’m not familiar with the groupmembership attribute in the filter.  I have 
added groupmembership to the memberofattr in the memberOf plugin (yes, I did 
restart this daemon,) without any change in behavior.

However... this really isn’t germane to 389-ds, but more towards PWM.  I’ll 
take this over there, unless anybody else has an interest in continuing (and 
the list moderators are good with that.)

Jeff
From: Patrick Landry [mailto:patrick.lan...@louisiana.edu]
Sent: Tuesday, October 18, 2016 9:28 AM
To: General discussion list for the 389 Directory server project. 
<389-users@lists.fedoraproject.org>
Subject: [389-users] Re: Self-service password reset?

I am not sure if it will fit your needs but we have used PWM with good results.

https://github.com/pwm-project/pwm


From: "Jeffery Kalchik"
To: "General discussion list for the 389 Directory server project." 
<389-users@lists.fedoraproject.org>
Sent: Tuesday, October 18, 2016 8:01:00 AM
Subject: [389-users] Self-service password reset?

I’ll admit up front that comparatively speaking, this is a tiny, tiny, tiny 
little environment, only a few hundred users in the directory service.

We have a 60 day password expiration requirement.  Users range from nerdy 
infrastructure types to Windows developers to business users.

Is anybody using an httpd (Apache2) based self-service password reset tool?

I’ve been looking at the LTB self-service password reset 
application(http://ltb-project.org/wiki/documentation/self-service-password/latest/start).
  I can probably get it to work for me, but I’m also looking at some fairly 
non-trivial modifications, I suspect.

Jeff Kalchik
Systems Engineering
Land O’Lakes
This message may contain confidential material from Land O'Lakes, Inc. (or its 
subsidiary) for the sole use of the intended recipient(s) and may not be 
reviewed, disclosed, copied, distributed or used by anyone other than the 
intended recipient(s). If you are not the intended recipient, please contact 
the sender by reply email and delete all copies of this message.
___
389-users mailing list -- 
389-users@lists.fedoraproject.org
To unsubscribe send an email to 
389-users-le...@lists.fedoraproject.org


--



Patrick Landry
Director, UCSS
University of Louisiana at Lafayette
p...@louisiana.edu




[389-users] Self-service password reset?

2016-10-18 Thread Kalchik, Jeffery
I'll admit up front that comparatively speaking, this is a tiny, tiny, tiny 
little environment, only a few hundred users in the directory service.

We have a 60 day password expiration requirement.  Users range from nerdy 
infrastructure types to Windows developers to business users.

Is anybody using an httpd (Apache2) based self-service password reset tool?

I've been looking at the LTB self-service password reset 
application(http://ltb-project.org/wiki/documentation/self-service-password/latest/start).
  I can probably get it to work for me, but I'm also looking at some fairly 
non-trivial modifications, I suspect.

Jeff Kalchik
Systems Engineering
Land O'Lakes


[389-users] Re: Remote Management Console doesn't show "Directory Server" entry anymore

2016-09-29 Thread Kalchik, Jeffery
That’s my customary mode of operation, as a Java based X11 Window application 
does not perform well over a VPN connection here.  In the several years I’ve 
been running this application (both HP-UX and now Linux/CentOS6,) I don’t 
recall seeing anything like this.

Are you absolutely sure that your connection strings are proper, and connecting 
to the right configuration server?  Might be time to increase your logging for 
more detail.

Jeff Kalchik
Systems Engineering
Land O’Lakes

From: wodel youchi [mailto:wodel.you...@gmail.com]
Sent: Thursday, September 29, 2016 2:44 AM
To: General discussion list for the 389 Directory server project. 
<389-users@lists.fedoraproject.org>
Subject: [389-users] Re: Remote Management Console doesn't show "Directory 
Server" entry anymore

Hi,
Anyone?!!!
Regards.

2016-09-27 22:33 GMT+01:00 wodel youchi:
Hi,
I am using 389DS on Centos7 x64

[root@idm01 ~]# rpm -qa | grep 389
389-admin-console-doc-1.1.10-1.el7.noarch
389-console-1.1.9-1.el7.noarch
389-adminutil-1.1.22-1.el7.x86_64
389-admin-1.1.42-1.el7.x86_64
389-ds-base-1.3.4.0-33.el7_2.x86_64
389-ds-console-1.2.12-1.el7.noarch
389-ds-base-libs-1.3.4.0-33.el7_2.x86_64
389-admin-console-1.1.10-1.el7.noarch
389-ds-console-doc-1.2.12-1.el7.noarch
A week ago I started having a weird problem using the 389DS's java management 
console remotely.
If I connect locally with the console, I get the two entries of the directory 
server under server group :
- Administration server
- Directory server
But when I use the console from another machine, a Windows machine with the 
management console installed on it, I get only the "Administration server" 
entry.
So I cannot access the directory server to modify entries.
I am using the 'Directory Manager' to login to the console.
I didn't find anything special on the error and access logs from neither the 
admin server nor from the directory server.
Any idea where to search?
Regards.



[389-users] Re: Login restrictions

2016-04-29 Thread Kalchik, Jeffery
Hrrrm. My mistake.  nss_base_passwd in /etc/ldap.conf does have nearly the 
same syntax as ldap_user_search_base in /etc/sssd/sssd.conf.  I was thinking 
there was an additional level of parentheses or extension to the filter itself.

nss_base_passwd ou=OU,dc=fq,dc=dn?sub?|(host=hostname)(nsrole=cn=Role1,ou=OU,dc=fq,dc=cn)...

or

nss_base_passwd ou=OU,dc=fq,dc=dn?sub?|(host=hostname)(gidNumber=12345)...

You should be able to use any valid filter expression.  Remember that there's 
another implied AND operation, so the effective test at login looks something 
like:

(&(uid=uidname)|(host=hostname)(gidNumber=12345)...)

We've very specifically gone to role based access rather than groups.  Being 
able to attach multiple roles to a user gives us a lot of flexibility.

I don't recall making any PAM changes other than what auth_config applies.  
auth_config downloads and installs my CA certificate, & configures the majority 
of LDAP client stuff on EL5, EL6 and EL7 based systems, generally during 
kickstarts, but can work on appliances (assuming the vendor will allow you to 
make these sorts of changes.)  Otherwise, it's a bit of filter configuration in 
/etc/sssd/sssd.conf or /etc/ldap.conf.

Jeff Kalchik
Systems Engineering
Land O'Lakes

-Original Message-
From: Enrico Morelli [mailto:more...@cerm.unifi.it]
Sent: Friday, April 29, 2016 3:02 AM
To: 389-users@lists.fedoraproject.org
Subject: [389-users] Re: Login restrictions

On Thu, 28 Apr 2016 13:12:56 +
"Kalchik, Jeffery" <jdkalc...@landolakes.com> wrote:

> Good morning.
>
> It might be enlightening to define "a lot of machines."  I have ~300
> clients tied to a 3 node 389-ds cluster, with a few hundred accounts.
>
> I've built access restrictions here on the basis of hostname and
> NSRole definitions.  For Linux hosts using sssd, I have a filter
> expression in ldap_user_search_base that ends up something like:
>
> ldap_user_search_base =
> ou=OU,dc=fq,dc=dn?sub?|(host=hostname)(nsrole=cn=Role1,ou=OU,dc=fq,dc=cn)...
>
> I use a similar expression in /etc/ldap.conf for earlier versions,
> using nss_base_passwd (there is a difference in syntax.)  As a side
> note, I'd started a few years back with the pam_filter call, and
> discovered that I was overrunning a buffer.  My Linux kickstarts build
> these expressions for me automatically, and I've got scripts set up to
> extend as necessary.  Similar filters work for both AIX and HP-UX.
>

Can you give me some ldap.conf example to filter logins?
Because I've 5.x RedHat machines that don't use sssd, so I need other ways to 
perform login restrictions.

>
> adduser?  Unless I'm missing something completely, that's only for
> local accounts.

Yes of course. I wrote that to answer to simple_allow_users suggestion.

>
> Jeff Kalchik
> Systems Engineering
> Land O'Lakes
>
> -Original Message-
> From: Enrico Morelli [mailto:more...@cerm.unifi.it]
> Sent: Thursday, April 28, 2016 4:07 AM
> To: 389-users@lists.fedoraproject.org
> Subject: [389-users] Re: Login restrictions
>
> On Wed, 27 Apr 2016 17:44:22 -
> "Lukas Slebodnik" <lsleb...@fedoraproject.org> wrote:
>
> > > Is it possible to restrict login only to those who are bound to a
> > > particular group?
> > >
> > > I tried to use the following lines in sssd.conf but it doesn't work:
> > >
> > > access_provider = ldap
> > > ldap_access_order = filter
> > > ldap_access_filter = (gidNumber=900)
> > I think it might be simpler to use access_provider simple @see man
> > sssd-simple
> >
> >[domain/example.com]
> >access_provider = simple
> >simple_allow_users = user1, user2
>
> Could be, but I think I'd lose the LDAP benefit. I've a lot of
> machines and to avoid creating/removing users on each machine I
> installed 389ds. So if I have to add/remove users to the
> simple_allow_users on each machine I can continue to use adduser. Or
> not?
>
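
A worked illustration of the filter mechanics discussed in this thread (an added example, not code from the list, from sssd or from 389-ds). It extracts the filter from the base?scope?filter form of ldap_user_search_base / nss_base_passwd, ANDs the administrator's filter with the client's own uid lookup the way the message above describes, and evaluates the result against a few constructed entries (hypothetical uids alice/bob/carol, hosts web01/db01, the thread's Role1 DN), so you can see which accounts resolve on a given host and what 'getent passwd' would list. Wrapping an unparenthesised |(...)(...) filter before combining is an assumption about client behaviour. The looked-up name is escaped per RFC 4515, because a uid of * would otherwise turn the equality test into a presence test and match every account.

```python
import re

# Constructed sample entries standing in for posixAccount objects below
# ou=OU,dc=fq,dc=dn; uids, hosts and the role DN are hypothetical.
ENTRIES = [
    {"uid": ["alice"], "host": ["web01"], "gidNumber": ["12345"],
     "nsrole": ["cn=Role1,ou=OU,dc=fq,dc=dn"]},
    {"uid": ["bob"], "host": ["db01"], "gidNumber": ["12345"]},
    {"uid": ["carol"], "host": ["db01"], "gidNumber": ["900"],
     "nsrole": ["cn=Role2,ou=OU,dc=fq,dc=dn"]},
]

def escape(value):
    """RFC 4515 escaping for a value placed inside a filter; without it a
    looked-up name such as '*' turns an equality test into a presence test."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)

def _unescape(value):
    """Decode \\XX hex escapes back to characters."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse(text, pos=0):
    """Parse one parenthesised filter at text[pos]; return (node, next_pos).
    Nodes: ('&', kids), ('|', kids), ('!', kids), ('present', attr) or
    ('=', attr, value). Only the subset the thread uses is handled: no
    substring, ordering or extensible matches."""
    if text[pos:pos + 1] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    op = text[pos:pos + 1]
    if op in ("&", "|", "!"):
        pos, kids = pos + 1, []
        while text[pos:pos + 1] == "(":
            kid, pos = parse(text, pos)
            kids.append(kid)
        if text[pos:pos + 1] != ")" or (op == "!" and len(kids) != 1):
            raise ValueError(f"malformed '{op}' at offset {pos}")
        return (op, kids), pos + 1
    eq, close = text.find("=", pos), text.find(")", pos)
    if eq == -1 or close == -1 or eq > close:
        raise ValueError(f"malformed item at offset {pos}")
    raw = text[eq + 1:close]
    node = ("present", text[pos:eq]) if raw == "*" else ("=", text[pos:eq], _unescape(raw))
    return node, close + 1

def matches(node, entry):
    """True if the entry satisfies the parsed filter. Attribute names and
    values compare case-insensitively, as directoryString matching does."""
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    attr = node[1]
    vals = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    if op == "present":
        return bool(vals)
    return any(v.lower() == node[2].lower() for v in vals)

def filter_part(spec):
    """Extract the filter from the 'base?scope?filter' form used by
    ldap_user_search_base and nss_base_passwd ('' if none was given)."""
    parts = spec.split("?", 2)
    return parts[2] if len(parts) > 2 else ""

def effective_filter(lookup_filter, base_filter):
    """The implied AND: the client's own lookup filter combined with the
    administrator's one. An unparenthesised base filter, as in the thread's
    '|(host=...)(nsrole=...)' examples, is wrapped first (assumed client
    behaviour, modelled on how those configurations are used)."""
    if not base_filter:
        return lookup_filter
    if not base_filter.startswith("("):
        base_filter = f"({base_filter})"
    return f"(&{lookup_filter}{base_filter})"

def resolve_user(spec, uid, entries=ENTRIES):
    """Simulate the login-time lookup of one account on a host."""
    node, _ = parse(effective_filter(f"(uid={escape(uid)})", filter_part(spec)))
    return any(matches(node, e) for e in entries)

def visible_users(spec, entries=ENTRIES):
    """Simulate enumeration ('getent passwd'): the uids the filter admits."""
    node, _ = parse(effective_filter("(uid=*)", filter_part(spec)))
    return [e["uid"][0] for e in entries if matches(node, e)]
```

visible_users(spec) returns the uids a host configured with that search base would enumerate; resolve_user(spec, uid) is the per-login check. With the thread's host-or-Role1 filter, alice resolves on every host because of her role, while bob and carol resolve only on db01; a plain (gidNumber=900) filter selects only entries whose own gidNumber attribute is 900.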

[389-users] Re: Login restrictions

2016-04-28 Thread Kalchik, Jeffery
Good morning.

It might be enlightening to define "a lot of machines."  I have ~300 clients 
tied to a 3 node 389-ds cluster, with a few hundred accounts.

I've built access restrictions here on the basis of hostname and NSRole 
definitions.  For Linux hosts using sssd, I have a filter expression in 
ldap_user_search_base that ends up something like:

ldap_user_search_base = 
ou=OU,dc=fq,dc=dn?sub?|(host=hostname)(nsrole=cn=Role1,ou=OU,dc=fq,dc=cn)...

I use a similar expression in /etc/ldap.conf for earlier versions, using 
nss_base_passwd (there is a difference in syntax.)  As a side note, I'd started 
a few years back with the pam_filter call, and discovered that I was 
overrunning a buffer.  My Linux kickstarts build these expressions for me 
automatically, and I've got scripts set up to extend as necessary.  Similar 
filters work for both AIX and HP-UX.

With the exception of HP-UX (due to the way that filtering is implemented in 
the LDAP-UX client,) this does have the pleasant side effect of only showing 
users that are authorized for a particular server, not the entire list of 
accounts when running 'getent passwd' or the O/S equivalent.

Obviously, you can tailor the filtering expressions to search on arbitrary 
attributes.

adduser?  Unless I'm missing something completely, that's only for local 
accounts.

Jeff Kalchik
Systems Engineering
Land O'Lakes

-Original Message-
From: Enrico Morelli [mailto:more...@cerm.unifi.it]
Sent: Thursday, April 28, 2016 4:07 AM
To: 389-users@lists.fedoraproject.org
Subject: [389-users] Re: Login restrictions

On Wed, 27 Apr 2016 17:44:22 -
"Lukas Slebodnik" wrote:

> > Is it possible to restrict login only to those who are bound to a
> > particular group?
> >
> > I tried to use the following lines in sssd.conf but it doesn't work:
> >
> > access_provider = ldap
> > ldap_access_order = filter
> > ldap_access_filter = (gidNumber=900)
> I think it might be simpler to use access_provider simple @see man
> sssd-simple
>
>[domain/example.com]
>access_provider = simple
>simple_allow_users = user1, user2

Could be, but I think I'd lose the LDAP benefit. I've a lot of machines and to 
avoid creating/removing users on each machine I installed 389ds.
So if I have to add/remove users to the simple_allow_users on each machine I can 
continue to use adduser. Or not?

--
-
  Enrico Morelli
  System Administrator | Programmer | Web Developer

  CERM - Polo Scientifico
  Via Sacconi, 6 - 50019 Sesto Fiorentino (FI) - ITALY
  phone: +39 055 457 4269
  fax:   +39 055 457 4927
-


Re: [389-users] Replication LDIF

2014-06-19 Thread Kalchik, Jeffery
This is something I've been working on, for a new 389 implementation here.  I 
was hoping to get this to a point for a one-shot scripted install for a new 
cluster; don't think that's going to happen.  Scripting new replication systems 
on running servers shouldn't be too horrible.

You'll need to make a number of entries.  One for a replica user (doesn't need 
to be unique to a replica agreement,) one for replication itself, and one for 
each replica agreement.  Here's some examples to get started:

repluser.ldif:
dn: cn=replication hostname,cn=config
objectClass: inetorgperson
objectClass: person
objectClass: top
cn: replication hostname
sn: replicationhostname
userPassword: sTuff1t
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0

replica.ldif:
dn:  cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
changetype: add
objectclass: top
objectclass: nsds5replica
objectclass: extensibleObject
cn: replica
nsds5replicaroot: dc=example,dc=com
nsds5replicaid: 1
nsds5replicatype: 3
nsds5flags: 1
nsds5ReplicaPurgeDelay: 2419200
nsds5ReplicaBindDN: cn=replication hostname,cn=config

replagreement.ldif:
dn: cn=host1 host2,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
objectclass: top
objectclass: nsDS5ReplicationAgreement
cn: host1 host2
nsds5replicaroot: dc=example,dc=com
nsds5replicahost: hostname.example.com
nsds5replicaport: 636
nsds5replicabindmethod: SIMPLE
nsds5replicatransportinfo: SSL
nsds5ReplicaBindDN: cn=replication hostname,cn=config
nsds5replicacredentials: password
description: agreement between host1 and host2
nsds5BeginReplicaRefresh: start
nsds5replicatedattributelist: (objectclass=*) $ EXCLUDE authorityRevocationList accountUnlockTime memberOf
nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE accountUnlockTime memberOf

Note that this does do replication over SSL.  I'll leave it as an exercise for 
the student to replicate with TLS over 389, or in cleartext.

I found a bunch of the info to support this in Chapter 11 of RH's DS 9.0 Admin 
Guide.

Hope this helps.

Jeff

-Original Message-
From: 389-users-boun...@lists.fedoraproject.org 
[mailto:389-users-boun...@lists.fedoraproject.org] On Behalf Of Steven Crothers
Sent: Thursday, June 19, 2014 9:16 AM
To: General discussion list for the 389 Directory server project.
Subject: [389-users] Replication LDIF

Hello,

I'm familiar with using 389-console for replication start/stops.
However, I'm trying to automate the entire process using a script to on-demand 
create slaves/masters etc.

Can anybody point me in the right direction to find LDIF for a brand new and 
empty 389 server to be joined either as a master or a slave to a cluster?

All the documentation appears to be really focused on using 389-console, but I 
can't believe that's the only way.

Steven Crothers
steven.croth...@gmail.com
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
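
Generalising the three LDIF fragments above to a whole cluster (an added example, not the list's, Red Hat's or 389-ds's code): one replication-manager entry per server, one nsds5replica entry per server with a replica ID that is unique across the mesh (read-write replicas of one suffix must not share an ID), and one agreement from every server to every other. The hostnames, suffix, manager name and password placeholder are assumptions. The generated agreement deliberately leaves out nsds5BeginReplicaRefresh: a refresh is emitted as a separate modify so that it is applied to one agreement per server being initialised, not to all of them at once.

```python
# Added example, not 389-ds, Red Hat or list code: LDIF for a full mesh of
# read-write replicas, built from the three entry types shown above.
# Hostnames, the suffix and the password placeholder are assumptions.

REPLICA_ID_MAX = 65534            # read-write replica IDs range over 1..65534
MANAGER = "replication manager"   # one replication-manager entry per server

def mapping_tree_rdn(suffix):
    """Hex-escape a suffix for its cn=<suffix>,cn=mapping tree,cn=config RDN,
    the way the thread's cn=dc\\3Dexample\\2Cdc\\3Dcom is formed (RFC 4514
    special characters inside an RDN value)."""
    return "".join(f"\\{ord(c):02X}" if c in ',=+<>#;"\\' else c for c in suffix)

def manager_ldif(password):
    """Replication manager under cn=config, the DN the replica entry authorises
    to push changes. Same shape as repluser.ldif above."""
    return "\n".join([
        f"dn: cn={MANAGER},cn=config",
        "changetype: add",
        "objectClass: top", "objectClass: person", "objectClass: inetorgperson",
        f"cn: {MANAGER}", f"sn: {MANAGER.replace(' ', '')}",
        f"userPassword: {password}",
        "passwordExpirationTime: 20380119031407Z",
        "nsIdleTimeout: 0", ""])

def replica_ldif(suffix, replica_id):
    """Enable the suffix as a read-write replica that keeps a changelog."""
    return "\n".join([
        f"dn: cn=replica,cn={mapping_tree_rdn(suffix)},cn=mapping tree,cn=config",
        "changetype: add",
        "objectclass: top", "objectclass: nsds5replica", "objectclass: extensibleObject",
        "cn: replica",
        f"nsds5replicaroot: {suffix}",
        f"nsds5replicaid: {replica_id}",
        "nsds5replicatype: 3",            # 3 = read-write replica
        "nsds5flags: 1",                  # 1 = write changes to the changelog
        "nsds5ReplicaPurgeDelay: 2419200",
        f"nsds5ReplicaBindDN: cn={MANAGER},cn=config", ""])

def agreement_ldif(suffix, local, remote, password, port=636):
    """One outbound agreement over LDAPS, as on the thread, without any
    nsds5BeginReplicaRefresh: initialisation is a separate, deliberate step."""
    rdn = mapping_tree_rdn(suffix)
    return "\n".join([
        f"dn: cn={local} {remote},cn=replica,cn={rdn},cn=mapping tree,cn=config",
        "changetype: add",
        "objectclass: top", "objectclass: nsDS5ReplicationAgreement",
        f"cn: {local} {remote}",
        f"nsds5replicaroot: {suffix}",
        f"nsds5replicahost: {remote}",
        f"nsds5replicaport: {port}",
        "nsds5replicabindmethod: SIMPLE",
        "nsds5replicatransportinfo: SSL",
        f"nsds5ReplicaBindDN: cn={MANAGER},cn=config",
        f"nsds5replicacredentials: {password}",
        f"description: agreement between {local} and {remote}",
        "nsds5replicatedattributelist: (objectclass=*) $ EXCLUDE authorityRevocationList accountUnlockTime memberOf",
        "nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE accountUnlockTime memberOf", ""])

def refresh_ldif(suffix, local, remote):
    """Modify one agreement so that `local` re-initialises `remote` from its
    own copy. Apply to exactly one agreement per server being (re)built: in a
    mesh, putting it on every agreement would have every supplier try to
    re-initialise every other."""
    rdn = mapping_tree_rdn(suffix)
    return "\n".join([
        f"dn: cn={local} {remote},cn=replica,cn={rdn},cn=mapping tree,cn=config",
        "changetype: modify",
        "replace: nsds5BeginReplicaRefresh",
        "nsds5BeginReplicaRefresh: start", ""])

def full_mesh(suffix, hosts, password, first_id=1):
    """Per-host plan: manager entry, replica entry with a mesh-unique ID, and
    one agreement to every other host (n*(n-1) agreements in total)."""
    if len(set(hosts)) != len(hosts):
        raise ValueError("duplicate hostname in mesh")
    if first_id < 1 or first_id + len(hosts) - 1 > REPLICA_ID_MAX:
        raise ValueError("replica IDs out of range")
    return {
        host: {
            "replica_id": first_id + n,
            "manager": manager_ldif(password),
            "replica": replica_ldif(suffix, first_id + n),
            "agreements": [agreement_ldif(suffix, host, other, password)
                           for other in hosts if other != host],
        }
        for n, host in enumerate(hosts)
    }
```

Apply each generated file with ldapmodify -a -x -H ldaps://<host> -D "cn=Directory Manager" -W -f <file> (the -a flag treats entries without a changetype as adds, so it copes with the mixed style of the fragments above), loading the manager and replica entries on every server before any agreement, and only then a single refresh per newly built server. The files carry the manager password in clear and the agreement credentials end up stored in each server's dse.ldif, so keep the generated LDIF under the same permissions as dse.ldif and delete it once applied.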