[389-users] Re: When 389ds will be available on CentOS 8

2019-10-29 Thread wodel youchi
Hi,

Any idea when the cockpit plugin for 389DS will be available on CentOS8?

Regards.

On Fri, 25 Oct 2019 at 11:45, wodel youchi wrote:

> Hi and thanks,
>
> Any idea when the 389ds cockpit plug-in will be available for centos 8?
>
> Regards.
>
> On Tue, 8 Oct 2019 08:44, Matus Honek wrote:
>
>> So, what is currently available (tested with `docker run -ti centos:8`):
>> 1. Enable the stream: dnf module enable 389-ds
>> 2. Install the actual package: dnf install 389-ds-base
>>
>> Anyway, this does not contain the Cockpit plugin, yet. Will need to
>> figure that out...
>>
>> On Tue, Oct 8, 2019 at 12:30 AM William Brown  wrote:
>> >
>> >
>> >
>> > > On 7 Oct 2019, at 21:06, wodel youchi  wrote:
>> > >
>> > > Hi,
>> > >
>> > > Is there any news about the availability of 389DS on CentOS8?
>> >
>> > I can see it in the mirrors here:
>> >
>> > http://mirror.internode.on.net/pub/centos/8/AppStream/x86_64/os/Packages/
>> >
>> > Not sure how you enable that AppStream yet though, haven't played with
>> > centos8 yet.
>> >
>> > >
>> > > Regards.
>> > > ___
>> > > 389-users mailing list -- 389-users@lists.fedoraproject.org
>> > > To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
>> > > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> > > List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
>> >
>> > —
>> > Sincerely,
>> >
>> > William Brown
>> >
>> > Senior Software Engineer, 389 Directory Server
>> > SUSE Labs
>>
>>
>>
>> --
>> Matúš Honěk
>> Software Engineer
>> Red Hat Czech


[389-users] Re: When 389ds will be available on CentOS 8

2019-10-25 Thread wodel youchi
Hi and thanks,

Any idea when the 389ds cockpit plug-in will be available for centos 8?

Regards.

On Tue, 8 Oct 2019 08:44, Matus Honek wrote:

> So, what is currently available (tested with `docker run -ti centos:8`):
> 1. Enable the stream: dnf module enable 389-ds
> 2. Install the actual package: dnf install 389-ds-base
>
> Anyway, this does not contain the Cockpit plugin, yet. Will need to
> figure that out...
>
> On Tue, Oct 8, 2019 at 12:30 AM William Brown  wrote:
> >
> >
> >
> > > On 7 Oct 2019, at 21:06, wodel youchi  wrote:
> > >
> > > Hi,
> > >
> > > Is there any news about the availability of 389DS on CentOS8?
> >
> > I can see it in the mirrors here:
> >
> > http://mirror.internode.on.net/pub/centos/8/AppStream/x86_64/os/Packages/
> >
> > Not sure how you enable that AppStream yet though, haven't played with
> > centos8 yet.
> >
> > >
> > > Regards.
> >
> > —
> > Sincerely,
> >
> > William Brown
> >
> > Senior Software Engineer, 389 Directory Server
> > SUSE Labs
>
>
>
> --
> Matúš Honěk
> Software Engineer
> Red Hat Czech


[389-users] When 389ds will be available on CentOS 8

2019-10-07 Thread wodel youchi
Hi,

Is there any news about the availability of 389DS on CentOS8?

Regards.


[389-users] Server listening only on tcp6

2019-06-12 Thread wodel youchi
Hi,

I am using a new installation on CentOS 7, updated.
I am using these packages for 389DS
389-adminutil-1.1.21-2.el7.x86_64
389-ds-base-1.3.8.4-15.el7.x86_64
389-admin-console-doc-1.1.12-1.el7.noarch
389-ds-base-libs-1.3.8.4-15.el7.x86_64
389-console-1.1.19-4.el7.noarch
389-admin-1.1.46-1.el7.x86_64
389-admin-console-1.1.12-1.el7.noarch
389-ds-console-doc-1.2.16-1.el7.noarch
389-ds-1.2.2-6.el7.noarch
389-ds-console-1.2.16-1.el7.noarch
389-dsgw-1.1.11-5.el7.x86_64

The netstat on both ports 389 and 636 shows that the daemon is listening on
tcp6 only.

As a workaround I modified nsslapd-listenhost and nsslapd-securelistenhost
to 0.0.0.0

It's the first time I am getting this behavior.

Regards.




[389-users] Re: Update userpassword from consummer

2019-02-28 Thread wodel youchi
Hi,

I did a test using ldappasswd, and it didn't work, I didn't get any error
message from the CLI, and the $? variable returned 0, but the password has
not been changed.
After issuing the command I tried an ldapsearch with the Adam user using
the new-password and it didn't work "Invalid credentials", but using the
old password the ldapsearch worked.

4) Modify userPassword from the slave using *ldappasswd*
ldappasswd -D "uid=lnadmin,ou=special users,dc=example,dc=com" -W -p 389 -h idm02.example.com -x -ZZ -S "uid=adam,ou=people,dc=example,dc=com"
New password:
Re-enter new password:
Enter LDAP Password:

Result : echo $? returns 0 but the userPassword is not changed
ldapsearch -h 127.0.0.1 -D "uid=adam,ou=people,dc=example,dc=com" -b
"ou=people,dc=example,dc=com" -x -w newpass
ldap_bind: Invalid credentials (49)

Log from the slave :
Access :
[25/Feb/2019:15:08:09.356356670 +0100] conn=61 fd=67 slot=67 connection
from 192.168.40.102 to 192.168.40.102
[25/Feb/2019:15:08:09.356588390 +0100] conn=61 op=0 EXT
oid="1.3.6.1.4.1.1466.20037" name="start_tls_plugin"
[25/Feb/2019:15:08:09.356724270 +0100] conn=61 op=0 RESULT err=0 tag=120
nentries=0 etime=0.286023
[25/Feb/2019:15:08:09.371819345 +0100] conn=61 TLS1.2 256-bit AES-GCM
[25/Feb/2019:15:08:13.222914479 +0100] conn=61 op=2 BIND
dn="uid=lnadmin,ou=special users,dc=example,dc=com" method=128 version=3
[25/Feb/2019:15:08:13.225541735 +0100] conn=61 op=2 RESULT err=0 tag=97
nentries=0 etime=0.0002835224 dn="uid=lnadmin,ou=special
users,dc=example,dc=com"
[25/Feb/2019:15:08:13.225980566 +0100] conn=61 op=3 EXT
oid="1.3.6.1.4.1.4203.1.11.1" name="passwd_modify_plugin"
[25/Feb/2019:15:08:13.235729939 +0100] conn=61 op=3 RESULT err=0 tag=120
nentries=0 etime=0.0009925134
[25/Feb/2019:15:08:13.236534952 +0100] conn=61 op=4 UNBIND
[25/Feb/2019:15:08:13.236573244 +0100] conn=61 op=4 fd=67 closed - U1

Log from the master:
Access :
[25/Feb/2019:15:08:45.318668395 +0100] conn=31 fd=87 slot=87 SSL connection
from 192.168.40.102 to 192.168.40.101
[25/Feb/2019:15:08:45.323871405 +0100] conn=31 TLS1.2 256-bit AES-GCM
[25/Feb/2019:15:08:45.324437562 +0100] conn=31 op=0 BIND
dn="uid=lnadmin,ou=special users,dc=example,dc=com" method=128 version=3
[25/Feb/2019:15:08:45.324636529 +0100] conn=31 op=0 RESULT err=0 tag=97
nentries=0 etime=0.0005924433 dn="uid=lnadmin,ou=special
users,dc=example,dc=com"


Regards.

On Thu, 28 Feb 2019 at 01:48, William Brown wrote:

>
>
> > On 27 Feb 2019, at 19:25, wodel youchi  wrote:
> >
> > Hi,
> >
> > What do you mean by : enable password-migration mode? can you elaborate,
> > where do I have to enable it? on the master on the slave?
>
>
> https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/configuration_command_and_file_reference/core_server_configuration_reference#nsslapd-allow-hashed-passwords
>
> This is the setting I am referring to.
>
> >
> > In my previous post I did test changing the password using both clear and
> > pre-hashed password, and it didn't work.
> >
> > 2) Modify userPassword from the slave using clear text password
> > ldapmodify -h localhost -p 389  -D "uid=lnadmin,ou=special users,dc=example,dc=com" -w pass -x <<EOF
> > dn: uid=adam,ou=people,dc=example,dc=com
> > changetype: modify
> > replace: userPassword
> > userPassword: password
> > EOF
> > modifying entry "uid=adam,ou=people,dc=example,dc=com"
> > ldap_modify: Constraint violation (19)
> > additional info: database configuration error - please contact the system administrator
> >
> >
> > 3) Modify userPassword from the slave using encrypted password
> > ldapmodify -h localhost -p 389  -D "uid=lnadmin,ou=special users,dc=example,dc=com" -w wolverine -x <<EOF
> > dn: uid=adam,ou=people,dc=example,dc=com
> > changetype: modify
> > replace: userPassword
> > userPassword: {SSHA}gvg6KehxZNYcLnLrAJrI0TzWpQzXH0oe
> > EOF
> > modifying entry "uid=adam,ou=people,dc=example,dc=com"
> > ldap_modify: Constraint violation (19)
> > additional info: invalid password syntax - passwords with storage scheme are not allowed
> >
>
> Passwords have some special handling. Does a ldappasswd extended operation
> on the replica work?
>
>
> >
> > Regards.
> >
> > On Wed, 27 Feb 2019 at 00:44, William Brown wrote:
> >
> >
> > > On 26 Feb 2019, at 00:23, wodel youchi  wrote:
> > >
> > > 3) Modify userPassword from the slave using encrypted password
> > > ldapmodify -h localhost -p 389  -D "uid=lnadmin,ou=special
> us
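
The comparison made by eye in the message above, as an added example (not code from the thread or from the 389 Directory Server project): it parses both access-log excerpts and reports password-modify extended operations that the consumer answered with err=0 while the supplier logged no write on any connection opened from the consumer. The function names and the "any write from the consumer counts as forwarded" simplification are assumptions of this example; the two excerpts carry timestamps about 32 seconds apart, so nothing is matched by time.

```python
import re
from collections import defaultdict

# OID shown on the passwd_modify_plugin EXT line in the message above.
PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"
WRITE_VERBS = {"ADD", "MOD", "DEL", "MODRDN"}

# Log lines copied from the message above, re-joined where the mail client
# wrapped them (one record per line). "Slave" = consumer, "master" = supplier.
CONSUMER_LOG = """\
[25/Feb/2019:15:08:09.356356670 +0100] conn=61 fd=67 slot=67 connection from 192.168.40.102 to 192.168.40.102
[25/Feb/2019:15:08:09.356588390 +0100] conn=61 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="start_tls_plugin"
[25/Feb/2019:15:08:09.356724270 +0100] conn=61 op=0 RESULT err=0 tag=120 nentries=0 etime=0.286023
[25/Feb/2019:15:08:09.371819345 +0100] conn=61 TLS1.2 256-bit AES-GCM
[25/Feb/2019:15:08:13.222914479 +0100] conn=61 op=2 BIND dn="uid=lnadmin,ou=special users,dc=example,dc=com" method=128 version=3
[25/Feb/2019:15:08:13.225541735 +0100] conn=61 op=2 RESULT err=0 tag=97 nentries=0 etime=0.0002835224 dn="uid=lnadmin,ou=special users,dc=example,dc=com"
[25/Feb/2019:15:08:13.225980566 +0100] conn=61 op=3 EXT oid="1.3.6.1.4.1.4203.1.11.1" name="passwd_modify_plugin"
[25/Feb/2019:15:08:13.235729939 +0100] conn=61 op=3 RESULT err=0 tag=120 nentries=0 etime=0.0009925134
[25/Feb/2019:15:08:13.236534952 +0100] conn=61 op=4 UNBIND
[25/Feb/2019:15:08:13.236573244 +0100] conn=61 op=4 fd=67 closed - U1
"""
SUPPLIER_LOG = """\
[25/Feb/2019:15:08:45.318668395 +0100] conn=31 fd=87 slot=87 SSL connection from 192.168.40.102 to 192.168.40.101
[25/Feb/2019:15:08:45.323871405 +0100] conn=31 TLS1.2 256-bit AES-GCM
[25/Feb/2019:15:08:45.324437562 +0100] conn=31 op=0 BIND dn="uid=lnadmin,ou=special users,dc=example,dc=com" method=128 version=3
[25/Feb/2019:15:08:45.324636529 +0100] conn=31 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0005924433 dn="uid=lnadmin,ou=special users,dc=example,dc=com"
"""

LINE = re.compile(r"^\[[^\]]+\] conn=(?P<conn>\d+) (?:op=(?P<op>-?\d+) )?(?P<rest>.*)$")
PEER = re.compile(r"connection from (\S+) to \S+")
ERR = re.compile(r"\berr=(-?\d+)")


def parse(text):
    """Return {conn: {"peer": ip or None, "ops": {op: {"verb", "detail", "err"}}}}."""
    conns = defaultdict(lambda: {"peer": None, "ops": {}})
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        conn, rest = conns[int(m["conn"])], m["rest"]
        if m["op"] is None:  # connection-level record (accept, TLS details)
            peer = PEER.search(rest)
            if peer:
                conn["peer"] = peer.group(1)
            continue
        verb, _, detail = rest.partition(" ")
        if verb.startswith("fd="):  # "op=N fd=M closed" is not an operation
            continue
        rec = conn["ops"].setdefault(int(m["op"]), {"verb": None, "detail": "", "err": None})
        if verb == "RESULT":
            err = ERR.search(detail)
            rec["err"] = int(err.group(1)) if err else None
        else:
            rec["verb"], rec["detail"] = verb, detail
    return dict(conns)


def is_password_extop(rec):
    return rec["verb"] == "EXT" and f'oid="{PASSWD_MODIFY_OID}"' in rec["detail"]


def password_extops(conns):
    """(conn, op, err) for each password-modify extended operation."""
    return [(c, o, rec["err"])
            for c, info in sorted(conns.items())
            for o, rec in sorted(info["ops"].items())
            if is_password_extop(rec)]


def writes_from(conns, peer_ip):
    """(conn, op, verb, err) for write operations on connections opened by peer_ip."""
    return [(c, o, rec["verb"], rec["err"])
            for c, info in sorted(conns.items()) if info["peer"] == peer_ip
            for o, rec in sorted(info["ops"].items())
            if rec["verb"] in WRITE_VERBS or is_password_extop(rec)]


def unconfirmed_password_changes(consumer_text, supplier_text, consumer_ip):
    """Consumer password extops that returned err=0 with no write seen on the supplier."""
    succeeded = [x for x in password_extops(parse(consumer_text)) if x[2] == 0]
    forwarded = writes_from(parse(supplier_text), consumer_ip)
    return [] if forwarded else succeeded


if __name__ == "__main__":
    for conn, op, err in unconfirmed_password_changes(CONSUMER_LOG, SUPPLIER_LOG, "192.168.40.102"):
        print(f"conn={conn} op={op}: consumer returned err={err}, supplier logged no write")
```
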

[389-users] Re: Update userpassword from consummer

2019-02-27 Thread wodel youchi
Hi,

What do you mean by : enable password-migration mode? can you elaborate,
where do I have to enable it? on the master on the slave?

In my previous post I did test changing the password using both clear and
pre-hashed password, and it didn't work.

2) Modify userPassword from the slave using *clear text password*
ldapmodify -h localhost -p 389  -D "uid=lnadmin,ou=special
users,dc=example,dc=com" -w pass -x  < wrote:

>
>
> > On 26 Feb 2019, at 00:23, wodel youchi  wrote:
> >
> > 3) Modify userPassword from the slave using encrypted password
> > ldapmodify -h localhost -p 389  -D "uid=lnadmin,ou=special users,dc=example,dc=com" -w wolverine -x <<EOF
> > dn: uid=adam,ou=people,dc=example,dc=com
> > changetype: modify
> > replace: userPassword
> > userPassword: {SSHA}gvg6KehxZNYcLnLrAJrI0TzWpQzXH0oe
> > EOF
> > modifying entry "uid=adam,ou=people,dc=example,dc=com"
> > ldap_modify: Constraint violation (19)
> > additional info: invalid password syntax - passwords with storage scheme are not allowed
>
>
> IIRC you aren’t able to set a password into the field that is pre-hashed.
> You either need to enable password-migration mode, or you should supply the
> plaintext password and the server hashes it for you. Does that fix the
> issue?
>
> —
> Sincerely,
>
> William Brown
> Software Engineer, 389 Directory Server
> SUSE Labs
>
>


[389-users] Re: Update userpassword from consummer

2019-02-25 Thread wodel youchi
Hi,
I redid the configuration from scratch, and I've created a new user
(uid=lnadmin,ou=special users,dc=example,dc=com) and I gave him
administrative rights.
This new user belongs to the chained area.

I did some tests with this account to modify users attributes including the
userPassword attribute from the master server, and it works perfectly.

On the other hand, on the slave, modifying other attributes other than
userPassword works and the update is chained.
But modifying userPassword didn't work, and here are the results :

*1) Modify givenname from the slave*
ldapmodify -h localhost -p 389  -D "uid=lnadmin,ou=special
users,dc=example,dc=com" -w pass -x  < EOF
modifying entry "uid=adam,ou=people,dc=example,dc=com"

*Result* : the modification is done and chained to the master, but I get an
error shown in the error log on the slave (see below in bold-red)

*Log from the slave *:
*Access* :
[25/Feb/2019:14:56:06.577269198 +0100] conn=54 fd=67 slot=67 connection
from ::1 to ::1
[25/Feb/2019:14:56:06.577393763 +0100] conn=54 op=0 BIND
dn="uid=lnadmin,ou=special users,dc=example,dc=com" method=128 version=3
[25/Feb/2019:14:56:06.578398778 +0100] conn=54 op=0 RESULT err=0 tag=97
nentries=0 etime=0.0001044129 dn="uid=lnadmin,ou=special
users,dc=example,dc=com"
[25/Feb/2019:14:56:06.578704548 +0100] conn=54 op=1 MOD
dn="uid=adam,ou=people,dc=example,dc=com"
[25/Feb/2019:14:56:06.677356989 +0100] conn=55 fd=68 slot=68 SSL connection
from 192.168.40.101 to 192.168.40.102
[25/Feb/2019:14:56:06.684970522 +0100] conn=55 TLS1.2 256-bit AES-GCM
[25/Feb/2019:14:56:06.685359430 +0100] conn=55 op=0 BIND dn="cn=replication
manager,cn=config" method=128 version=3
[25/Feb/2019:14:56:06.685504876 +0100] conn=55 op=0 RESULT err=0 tag=97
nentries=0 etime=0.0008085105 dn="cn=replication manager,cn=config"
[25/Feb/2019:14:56:06.685951988 +0100] conn=55 op=1 SRCH base="" scope=0
filter="(objectClass=*)" attrs="supportedControl supportedExtension"
[25/Feb/2019:14:56:06.686522468 +0100] conn=55 op=1 RESULT err=0 tag=101
nentries=1 etime=0.641275
[25/Feb/2019:14:56:06.686921120 +0100] conn=55 op=2 SRCH base="" scope=0
filter="(objectClass=*)" attrs="supportedControl supportedExtension"
[25/Feb/2019:14:56:06.687436239 +0100] conn=55 op=2 RESULT err=0 tag=101
nentries=1 etime=0.630283
[25/Feb/2019:14:56:06.687958906 +0100] conn=55 op=3 EXT
oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[25/Feb/2019:14:56:06.688118224 +0100] conn=55 op=3 RESULT err=0 tag=120
nentries=0 etime=0.245044
[25/Feb/2019:14:56:06.689082577 +0100] conn=55 op=4 MOD
dn="uid=adam,ou=people,dc=example,dc=com"
[25/Feb/2019:14:56:06.695724845 +0100] conn=54 op=1 RESULT err=0 tag=103
nentries=0 etime=0.0117138489
[25/Feb/2019:14:56:06.696481191 +0100] conn=54 op=2 UNBIND
[25/Feb/2019:14:56:06.696496220 +0100] conn=54 op=2 fd=67 closed - U1
[25/Feb/2019:14:56:06.702453879 +0100] conn=55 op=4 RESULT err=0 tag=103
nentries=0 etime=0.0013403378 csn=5c73f3f60001
[25/Feb/2019:14:56:06.834935702 +0100] conn=55 op=5 EXT
oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
[25/Feb/2019:14:56:06.844701440 +0100] conn=55 op=5 RESULT err=0 tag=120
nentries=0 etime=0.0010011286



*Error* :
[25/Feb/2019:14:56:06.659891340 +0100] - ERR - managed-entries-plugin - mep_mod_post_op - Unable to fetch postop entry.
[25/Feb/2019:14:56:06.680435055 +0100] - ERR - chaining database - chaining_back_modify - modify (uid=adam,ou=people,dc=example,dc=com): post betxn failed, error (-1)


*2) Modify userPassword from the slave using clear text password*
ldapmodify -h localhost -p 389  -D "uid=lnadmin,ou=special
users,dc=example,dc=com" -w pass -x  < wrote:

>
>
> > On 19 Feb 2019, at 00:54, Mark Reynolds  wrote:
> >
> >
> >
> > On 2/18/19 7:46 AM, wodel youchi wrote:
> >> Hi,
> >>
> >> I did a test, but unfortunately it didn't work for me.
> >>
> >> This is my LAB:
> >>  • 389DS Servers :
> >>  • OS CentOS7 all updates
> >>  • 389DS version 1.3.8.4-22
> >>  • domain : dc=example,dc=com
> >>  • users on : uid=%u,ou=people,dc=example,dc=com
> >>  • One master server (idm01.example.com) and one slave server (idm02.example.com).
> >>  • Replication configured for userRoot database (dc=example,dc=com)
> >>  • Replication uses this user cn=replication manager,cn=config
> >>  • Password Policy is configured.
> >>  • Mail server Zimbra 8.8.11
> >>  • OS CentOS7 all updates
> >>  • Zimbra FOSS 8.8.11.
> >>  

[389-users] Replicate 389DS with another LDAP server

2019-02-19 Thread wodel youchi
Hi,

Is it possible to create a replication master/master or master/slave
between 389DS and another LDAP server, OpenLDAP for example?

Regards.


[389-users] Re: Update userpassword from consummer

2019-02-18 Thread wodel youchi
vice.PERM_DENIED


Did I respect the procedure?
I didn't find anything about chain modification in the Red Hat documentation,
did I miss anything?

Regards.

On Mon, 18 Feb 2019 at 00:58, William Brown wrote:

> I don’t see any reason why it wouldn’t still work today? It would be good
> if you were able to test a development deployment and let us know the
> results and processes taken?
>
> > On 17 Feb 2019, at 21:48, wodel youchi  wrote:
> >
> > Hi,
> >
> > We have a master 389DS Server, and several Slaves.
> >
> > The slaves are in the front, and the clients can use them for search and
> > authentication.
> >
> > We have also a mailing solution, and we want to allow users to modify
> > their passwords.
> >
> > I've read this article :
> > https://directory.fedoraproject.org/docs/389ds/howto/howto-chainonupdate.html
> >
> > I don't know if it's still supported.
> >
> > The idea is to chain password modification via the slave to the master.
> >
> > Regards.
> >
> > Regards.
>
> —
> Sincerely,
>
> William Brown
> Software Engineer, 389 Directory Server
> SUSE Labs


[389-users] Update userpassword from consummer

2019-02-17 Thread wodel youchi
Hi,

We have a master 389DS Server, and several Slaves.

The slaves are in the front, and the clients can use them for search and
authentication.

We have also a mailing solution, and we want to allow users to modify their
passwords.

I've read this article :
https://directory.fedoraproject.org/docs/389ds/howto/howto-chainonupdate.html

I don't know if it's still supported.

The idea is to chain password modification via the slave to the master.

Regards.

Regards.


[389-users] Force users to modify their passwords

2018-12-14 Thread wodel youchi
Hi,

We have 389DS as our main directory server, and we use it with many
applications.
Recently we moved our mail application to Zimbra. Zimbra can use an
external LDAP server for authentication, and we did configure that and it
works.

In 389DS, in password policy configuration, there is the check-box to force
a user to change his password on the first login, we did try it, but
without success.

Could this parameter be used to force users to change their passwords?

Regards.




[389-users] Re: How to install an external certificate

2018-12-14 Thread wodel youchi
Hi,

Any suggestions?

Regards.


On Mon, 10 Dec 2018 at 00:01, wodel youchi wrote:

> Hi,
>
> I have an external certificate : the certificate file, the key file and CA
> file.
>
> How can I install this certificate on 389DS? especially how can I specify
> to the dirsrv my key file?
>
> Regards.
>


[389-users] How to install an external certificate

2018-12-09 Thread wodel youchi
Hi,

I have an external certificate : the certificate file, the key file and CA
file.

How can I install this certificate on 389DS? especially how can I specify
to the dirsrv my key file?

Regards.


[389-users] Re: User cannot change it's own password

2018-11-24 Thread wodel youchi
Hi,
Thanks for the help.

1- Yes users can change their passwords.
2 - In the log I don't have much, I didn't change the verbosity of the
server

But I did something else and I don't really understand it.

My first configuration of Password Policy was Global and by the way I have
a master slave installation.

Reading the Directory Server Documentation, I found that I can create a
specific Password Policy, so I took the ou=people,dc=example,dc=com and I
created a new Password Policy and this time the policy worked, users may
change their passwords.

But I had another "issue", I don't know if I can call it that way. The
documentation says that the Password Policy gets bypassed when using the
Admin account or the Directory Manager to change user password, but I got
two behaviors :
- if I change the user password using the cmd line with ldappasswd, the
policy gets enforced even when using Directory Manager to make the change.
- if I change the user password using 389DS Console, the policy gets
bypassed when using Directory Manager to make the change.

So in conclusion I have :
- The global password policy is not working.
- The local policy is working, but with different behaviors.

For now I am using the local Password Policy because it's doing the job...

Regards.

On Thu, 22 Nov 2018 at 21:35, Olivier JUDITH wrote:

> Hi,
>
> Does your user have rights to write the userPassword attribute?
> What do you have in the server  log  /var/log/dirsrv/dirsrv@/errors
> file ?
>
> rgds


[389-users] User cannot change it's own password

2018-11-22 Thread wodel youchi
Hi,

I am using 389-ds-base-1.3.7.5-28.el7_5.x86_64 on CentOS7 All is up to date.

I configured a password policy, and I checked User may change password, but
when I try

[root@idm01 ~]# ldappasswd -p 389 -h idm01.example.com -ZZ -x -D
"uid=jane.doe,ou=people,dc=example,dc=com" -W -a oldpass -s newpass


I get :

Result: Server is unwilling to perform (53)
Additional info: User is not allowed to change password

Any idea?

Regards.


[389-users] Re: Need help to tune 389 DS

2017-02-24 Thread wodel youchi
Hi,
And thanks for your replies.

We're using cn=Directory Manager, for now, because we have a problem with
the password module of the horde groupware, we tried to use the self change
password, but it didn't work we got this error "constraint violation".

Concerning the filter 'objectClass=*', it's not used on the mail server, I
will investigate this with the webmaster to see which filters used, and try
to correct them.

Another question, is it wise to refuse unindexed searches, and switch
'nsslapd-require-index' to 'on' as suggested by the logconv script ?

Regards.

2017-02-23 18:08 GMT+01:00 Mark Reynolds :

>
>
> On 02/23/2017 11:53 AM, Steve Holden wrote:
> >> -Original Message-
> >> From: Mark Reynolds [mailto:marey...@redhat.com]
> >> Sent: 23 February 2017 16:00
> >> To: General discussion list for the 389 Directory server project. <389-
> >> us...@lists.fedoraproject.org>
> >> Subject: [389-users] Re: Need help to tune 389 DS
> >>
> >> On 02/23/2017 10:48 AM, Gordon Messmer wrote:
> >>> On 02/23/2017 12:11 AM, William Brown wrote:
> >>>> As Noriko pointed you, you are missing nsIndexType: pres on this
> >>> I hate to repeat myself, but is that a thing that changed *recently*?
> >> No, it has always only been indexed for "eq".
> >>
> >> As Rich said, having a "pres" index on objectclass is redundant(and
> >> wasteful).  Every entry has objectclass - so if this was indexed for
> >> "presence" it could actually create overhead.  It's faster to read
> >> directly from the DB, or candidate list, than trying to use an index
> >> that contains every entry anyway.
> > Hi, folks
> >
> > We've seen similar problems (and weren't sure whether the objectClass
> > issues were part of broader indexing issues - more on that separately).
> >
> > We discourage the use of '(objectClass=*)' as a (partial) filter for precisely
> > the reason Mark mentions - but one of our applications is hard-coded to
> > use it, and our monitoring tools are highlighting that searches which contain
> > that *partial* filter are being logged as partially unindexed:
> >
> >   conn=3921153 op=1 SRCH base="ou=people,dc=brighton,dc=ac,dc=uk" scope=2 filter="(&(objectClass=*)(uid=USERNAME))" attrs=ALL
> >   conn=3921153 op=1 RESULT err=0 tag=101 nentries=1 etime=0 notes=U
> >
> > Would you recommend we just ignore these warnings?
> Yes it can be ignored since the etime is 0.  It's always about the etimes :)
> >
> >
> > And am I right in assuming you wouldn't recommend adding 'nsIndexType: pres'
> > to 'cn=objectclass,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config'
> > as it wouldn't actually improve performance? (and would just generate a 1:1 map of every entry!)
> Right, do not use "pres" for objectclass
> >
> >
> > Out of interest, is there a reason why a filter which *only* includes 'objectClass=*'
> > doesn't do that...?
> >
> >   conn=3914283 op=1 SRCH base="uid=USERNAME,ou=People,dc=brighton,dc=ac,dc=uk" scope=0 filter="(objectClass=*)" attrs=ALL
> >   conn=3914283 op=1 RESULT err=0 tag=101 nentries=1 etime=0
> >
> > Or is that just because in this case the base is the uid (not the branch above it)?
> Correct, because it's a base search (scope=0) the filter does not need
> to scan the database - only the target/base entry is checked.
> Regards,
> Mark
> >
> > Best wishes,
> > Steve
> >
> >
> >
___
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org


[389-users] Need help to tune 389 DS

2017-02-22 Thread wodel youchi
Hi,

We have a simple installation of 389DS, a master/slave installation.

Our directory server is mainly used with our mail and portal servers for
now.

We did create some custom attributes for our needs.

Here is a simple entry model :

uid=lastname.firstname,ou=People,dc=domain;dc=tld
dn: uid=lastname.firstname,ou=People,dc=domain,dc=tld
ou: SUPPORT TEAM
recruitmentDate: 20030510
mailQuota: 2048576000
teletexTerminalIdentifier: 3053
maidenName: MaindeName
employeeNumber: 28813
gender: F
departmentNumber: 1121
employeeType: S
mailAlternateAddress: f.lastname@domain.tld
displayName: Lastname Firstname
mail: lastname.firstname@domain.tld
jobTitle: Supervisor
sn: Firstname
cn: Lastname
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: shadowAccount
objectClass: mailrecipient
objectClass: customprofile
mailMessageStore: /var/vmail/lastname.firstname
uid: lastname.firstname
mailHost: mail.domain.tld
title: M
userPassword:: e1NIQX02TjBCaXpjcWRkNVJCUXlyVHV6TDlwT1NGK3c9
webtelxmail : f.lastn...@telex.domain.tld


We run logconv against our directory server and we get a pretty long result
file, with some recommendations, but we don't know how to proceed, especially
with indexes.

we have many entries like these

Unindexed Search #32105 (notes=A)
  -  Date/Time:             13/Jan/2017:01:21:49
  -  Connection Number:     434118
  -  Operation Number:      74292
  -  Etime:                 0
  -  Nentries:              0
  -  IP Address:            172.16.16.9
  -  Search Base:           ou=people,dc=domain,dc=tld
  -  Search Scope:          2 (subtree)
  -  Search Filter:         (&(null=uid=lastname.lastname,ou=people,dc=domain,dc=tld))
  -  Bind DN:               cn=directory manager

Unindexed Search #76240 (notes=A)
  -  Date/Time:             13/Jan/2017:00:16:55
  -  Connection Number:     433231
  -  Operation Number:      205936
  -  Etime:                 0
  -  Nentries:              0
  -  IP Address:            Unknown_Host
  -  Search Base:           ou=people,dc=domain,dc=tld
  -  Search Scope:          2 (subtree)
  -  Search Filter:         (&(null=uid=lastname2.firstname2,ou=people,dc=domain,dc=tld))

Unindexed Component #1 (notes=U)
  -  Date/Time:             13/Jan/2017:00:01:19
  -  Connection Number:     433951
  -  Operation Number:      1
  -  Etime:                 0
  -  Nentries:              0
  -  IP Address:            172.16.16.1
  -  Search Base:           ou=people,dc=domain,dc=tld
  -  Search Scope:          2 (subtree)
  -  Search Filter:         (&(objectclass=*)(uid=pat))
  -  Bind DN:               uid=dovecot,dc=domain,dc=tld


In the end of the result file we got this :

FDs Taken:                    573
FDs Returned:                 569
Highest FD Taken:             81

Broken Pipes:                 0
Connections Reset By Peer:    0
Resource Unavailable:         235
 -  235  (T1) Idle Timeout Exceeded
Max BER Size Exceeded:        0

Binds:                        4627
Unbinds:                      45
 - LDAP v2 Binds:             24
 - LDAP v3 Binds:             4603
 - AUTOBINDs:                 0
 - SSL Client Binds:          0
 - Failed SSL Client Binds:   0
 - SASL Binds:                0
 - Directory Manager Binds:   4
 - Anonymous Binds:           24
 - Other Binds:               4599



- Connection Latency Details -

 (in seconds)<=1234-56-1011-15>15
 --
 (# of connections)250835554244

- Current Open Connection IDs -

Conn Number:  434505 (172.16.16.8)
Conn Number:  434171 (172.16.16.9)
Conn Number:  434506 (172.16.16.8)
Conn Number:  434301 (172.16.16.9)
Conn Number:  434150 (172.16.16.9)
Conn Number:  434118 (172.16.16.9)
Conn Number:  434507 (172.16.16.8)
Conn Number:  434508 (172.16.16.8)
Conn Number:  434504 (172.16.16.8)


- Errors -

err=0     295657    Successful Operations
err=32    627       No Such Object
err=49    44        Invalid Credentials (Bad Password)
err=4     24        Size Limit Exceeded
err=11    6         Administrative Limit Exceeded (Look Through Limit)

- Top 10 Failed Logins --

12  uid=lastname.firstname,ou=people,dc=domain,dc=tld
12  uid=admin,ou=people,dc=domain,dc=tld
8   uid=lastname10.firstname10,ou=people,dc=domain,dc=tld
4   uid=lastname11.firstname11,ou=people,dc=domain,dc=tld
3   uid=lastname12.firstname12,ou=people,dc=domain,dc=tld
3   uid=lastname13.firstname13,ou=people,dc=domain,dc=tld
2   uid=dakar,ou=people,dc=domain,dc=tld

From the IP address(s) :

32  Unknown_Host
12  172.16.16.1


- Total Connection Codes -

B1  289   Bad Ber Tag Encountered
T1  235   Idle Timeout Exceeded
U1   45   Cleanly Closed Connections


- Top 10 Clients -
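
The reply earlier in this archive (judge a notes=U or notes=A flag by its etime; a scope=0 base search never scans the database) and the logconv report above both rest on reading SRCH/RESULT pairs in the access log. The following is an added example, not code from the thread or from the 389 DS project: the sample lines are constructed in the format quoted on this page, and the names `triage`, `Finding` and the `slow_etime` threshold of 1 second are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample lines, modelled on the access-log excerpts in this archive.
SAMPLE_LOG = """\
[13/Jan/2017:00:01:19 +0100] conn=433951 op=0 BIND dn="uid=dovecot,dc=domain,dc=tld" method=128 version=3
[13/Jan/2017:00:01:19 +0100] conn=433951 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[13/Jan/2017:00:01:19 +0100] conn=433951 op=1 SRCH base="ou=people,dc=domain,dc=tld" scope=2 filter="(&(objectclass=*)(uid=pat))" attrs=ALL
[13/Jan/2017:00:01:19 +0100] conn=433951 op=1 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
[13/Jan/2017:00:02:40 +0100] conn=433960 op=3 SRCH base="ou=people,dc=domain,dc=tld" scope=2 filter="(description=*contractor*)" attrs="uid"
[13/Jan/2017:00:02:47 +0100] conn=433960 op=3 RESULT err=11 tag=101 nentries=0 etime=7 notes=A
[13/Jan/2017:00:03:02 +0100] conn=433961 op=1 SRCH base="uid=pat,ou=people,dc=domain,dc=tld" scope=0 filter="(objectClass=*)" attrs=ALL
[13/Jan/2017:00:03:02 +0100] conn=433961 op=1 RESULT err=0 tag=101 nentries=1 etime=0
"""

KEY_RE = re.compile(r'\bconn=(\d+) op=(-?\d+) (SRCH|RESULT)\b(.*)')
SRCH_RE = re.compile(r'base="([^"]*)" scope=(\d) filter="(.*?)" attrs=')


def field(rest, name, default=None):
    """Return the value of name=value in a RESULT line, or default."""
    m = re.search(r'\b%s=([^\s"]+)' % name, rest)
    return m.group(1) if m else default


@dataclass
class Finding:
    conn: int
    op: int
    base: str
    scope: int
    filter: str
    notes: str
    etime: float
    err: int
    verdict: str


def triage(lines, slow_etime=1.0):
    """Pair each SRCH with its RESULT and classify the unindexed ones.

    A notes= flag alone is not a finding: the search is marked "investigate"
    only if it was slow (etime >= slow_etime, an assumed threshold) or hit the
    look-through limit (err=11, as named in the logconv error table above).
    """
    pending = {}          # (conn, op) -> (base, scope, filter)
    findings = []
    for line in lines:
        m = KEY_RE.search(line)
        if not m:
            continue
        key = (int(m.group(1)), int(m.group(2)))
        kind, rest = m.group(3), m.group(4)
        if kind == "SRCH":
            s = SRCH_RE.search(rest)
            if s:
                pending[key] = (s.group(1), int(s.group(2)), s.group(3))
            continue
        srch = pending.pop(key, None)
        notes = field(rest, "notes")
        if srch is None or notes is None:
            continue      # not a search result, or no unindexed flag logged
        etime = float(field(rest, "etime", "0"))
        err = int(field(rest, "err", "0"))
        verdict = "investigate" if err == 11 or etime >= slow_etime else "ignore"
        findings.append(Finding(*key, *srch, notes, etime, err, verdict))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f.verdict, f"notes={f.notes}", f"etime={f.etime}", f.filter)
```
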

[389-users] Re: Remote Management Console doesn't show "Directory Server" entry anymore

2016-10-04 Thread wodel youchi
Hi again,

I did find that the console architecture and the JRE I was using were
different, the console was 64bits while the JRE was 32bits.

I uninstalled the JRE and installed the latest one found on oracle's site
the v8 update 102.

This did solve the problem, but I can't explain why it worked with the
slave server.

I think, it was a java problem not an architecture problem, but I am not
sure.

Thank you all for your help.

Regards



Regards.

2016-09-29 23:48 GMT+01:00 Noriko Hosoi <nho...@redhat.com>:

> 2016-09-29 15:11 GMT+01:00 Mark Reynolds <marey...@redhat.com>:
>
>> I've never heard of this happening.  What version of the windows console
>> do you have?
>>
> I have never seen it, either...  Could the 389-console-win version be
> 389-Console-1.1.15 (installer: 389-Console-1.1.15-x86_64.msi)?  What are
> the Windows and java version?
>
> Did you have a chance to refresh the Console?
>
> Also, if you remove 389-ds-1.2_en.jar and 389-ds-1.2.jar from
> .389-console/jar directory in the Administrator's home directory, does it
> change any behavior?
>
> Thanks,
> --noriko
>
>
> On 09/29/2016 02:53 PM, wodel youchi wrote:
>
> Hi, and thanks for your responses.
>
> I did the test with both localhost and the Windows station, and here are
> the results
>
> 1- localhost
>
> using: /usr/bin/389-console -a http://localhost:9830 to launch the
> console
>
> Logged as cn=Directory Manager
>
> [29/Sep/2016:20:41:59 +0100] conn=7219 op=0 BIND dn="cn=Directory Manager"
> method=128 version=3
> [29/Sep/2016:20:41:59 +0100] conn=7219 op=0 RESULT err=0 tag=97 nentries=0
> etime=0 dn="cn=directory manager"
> [29/Sep/2016:20:41:59 +0100] conn=7219 op=1 SRCH base="cn=user,cn=
> DefaultObjectClassesContainer,ou=1.1,ou=admin,ou=Global
> Preferences,ou=mydomain.tld,o=NetscapeRoot" scope=0
> filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
> [29/Sep/2016:20:41:59 +0100] conn=7219 op=1 RESULT err=0 tag=101
> nentries=1 etime=0
> ...
>
>
>
>
> [29/Sep/2016:20:42:22 +0100] conn=7219 op=46 SRCH base="cn=Server
> Group,cn=idm01.mydomain.tld,ou=mydomain.tld,o=NetscapeRoot" scope=1
> filter="(objectClass=nsApplication)" attrs=ALL
> [29/Sep/2016:20:42:22 +0100] conn=7219 op=46 SORT cn (2)
> [29/Sep/2016:20:42:22 +0100] conn=7219 op=46 RESULT err=0 tag=101
> nentries=2 etime=0
> [29/Sep/2016:20:42:22 +0100] conn=7219 op=47 SRCH base="cn=389
> Administration Server,cn=Server
> Group,cn=idm01.mydomain.tld,ou=mydomain.tld,o=NetscapeRoot" scope=1
> filter="(objectClass=netscapeServer)" attrs=ALL
> [29/Sep/2016:20:42:22 +0100] conn=7219 op=47 SORT cn (2)
> [29/Sep/2016:20:42:22 +0100] conn=7219 op=47 RESULT err=0 tag=101
> nentries=1 etime=0
> [29/Sep/2016:20:42:22 +0100] conn=7219 op=48 SRCH
> base="cn=configuration,cn=admin-serv-idm01,cn=389 Administration
> Server,cn=Server Group,cn=idm01.mydomain.tld,ou=mydomain.tld,o=NetscapeRoot"
> scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
> [29/Sep/2016:20:42:22 +0100] conn=7219 op=48 RESULT err=0 tag=101
> nentries=1 etime=0
> [29/Sep/2016:20:42:22 +0100] conn=7219 op=49 SRCH
> base="cn=configuration,cn=admin-serv-idm01,cn=389 Administration
> Server,cn=Server Group,cn=idm01.mydomain.tld,ou=mydomain.tld,o=NetscapeRoot"
> scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
> [29/Sep/2016:20:42:22 +0100] conn=7219 op=49 RESULT err=0 tag=101
> nentries=1 etime=0
> [29/Sep/2016:20:42:22 +0100] conn=7219 op=50 SRCH
> base="cn=configuration,cn=admin-serv-idm01,cn=389 Administration
> Server,cn=Server Group,cn=idm01.mydomain.tld,ou=mydomain.tld,o=NetscapeRoot"
> scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
> [29/Sep/2016:20:42:22 +0100] conn=7219 op=50 RESULT err=0 tag=101
> nentries=1 etime=0
> [29/Sep/2016:20:42:22 +0100] conn=7219 op=51 SRCH
> base="cn=admin-serv-idm01,cn=389 Administration Server,cn=Server
> Group,cn=idm01.mydomain.tld,ou=mydomain.tld,o=NetscapeRoot" scope=0
> filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
> [29/Sep/2016:20:42:22 +0100] conn=7219 op=51 RESULT err=0 tag=101
> nentries=1 etime=0
> [29/Sep/2016:20:42:22 +0100] conn=7219 op=52 SRCH base="cn=389
> Administration Server,cn=Server Group,cn=idm01.mydomain.tld,
> ou=mydomain.tld,o=NetscapeRoot" scope=0 
> filter="(|(objectClass=*)(objectClass=ldapsubentry))"
> attrs=ALL
> [29/Sep/2016:20:42:22 +0100] conn=7219 op=52 RESULT err=0 tag=101
> nentries=1 etime=0
> [29/Sep/2016:20:42:22 +0

[389-users] Re: Remote Management Console doesn't show "Directory Server" entry anymore

2016-09-29 Thread wodel youchi
Hi,

Anyone?!!!

Regards.

2016-09-27 22:33 GMT+01:00 wodel youchi <wodel.you...@gmail.com>:

> Hi,
>
> I am using 389DS on Centos7 x64
>
> [root@idm01 ~]# rpm -qa | grep 389
> 389-admin-console-doc-1.1.10-1.el7.noarch
> 389-console-1.1.9-1.el7.noarch
> 389-adminutil-1.1.22-1.el7.x86_64
> 389-admin-1.1.42-1.el7.x86_64
> 389-ds-base-1.3.4.0-33.el7_2.x86_64
> 389-ds-console-1.2.12-1.el7.noarch
> 389-ds-base-libs-1.3.4.0-33.el7_2.x86_64
> 389-admin-console-1.1.10-1.el7.noarch
> 389-ds-console-doc-1.2.12-1.el7.noarch
>
> A week ago I started having a weird problem using the 389DS's java
> management console remotely.
>
> If I connect locally with the console, I get the two entries of the
> directory server under server group :
> - Administration server
> - Directory server
>
> But when I use the console from another machine, a Windows machine with
> the management console installed on it, I get only the "Administration
> server" entry.
>
> So I cannot access the directory server to modify entries.
> I am using the 'Directory Manager' to login to the console.
>
> I didn't find anything special on the error and access logs from neither
> the admin server nor from the directory server.
>
> any idea where to search.
>
> Regards.
>


[389-users] Re: Change users password using horde's module passwd

2016-04-12 Thread wodel youchi
Hi, and thanks again.

I took a look on the 389DS's console, in configuration -> Data ->
Passwords, and there is no special configuration

Enable fine-grained password policy is : Disabled

in User password change :
User may change password is : Enabled
Allow changes in = 0 days
keep password history is : Disabled

Password never expire : Enabled

Password syntax : Disabled

Password Encryption is SSHA.

Another thing : I tried to use ldappasswd command (from the mail server)
with the user credentials, and it worked even with simple passwords:
ldappasswd -H ldap://idm01.example.com -x -D
"uid=nagios,ou=people,dc=example,dc=com" -w nagios2016 -a nagios2016 -s
azertyu7 -v -Z
ldap_initialize( ldap://idm01.example.com:389/??base )
Result: Success (0)


Regards.

2016-04-12 12:39 GMT+01:00 Ludwig Krispenz <lkris...@redhat.com>:

> Hi,
> I was not talking about access control, but about password policy -
> quality of passwords, reuse, expiration, when it can be changed ...
> Please read:
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/User_Account_Management.html#User_Account_Management-Managing_the_Password_Policy
>
>
>
> On 04/12/2016 12:35 PM, wodel youchi wrote:
>
> Hi, and thanks
>
> But as I understand, there is an AC created for
> ou=people,dc=example,dc=com called "Allow self entry modification" and
> userPassword attribute is selected for write.
> is there another AC that supersedes this one?
>
> Regards.
>
> 2016-04-12 11:19 GMT+01:00 Ludwig Krispenz <lkris...@redhat.com>:
>
>>
>> On 04/12/2016 11:50 AM, wodel youchi wrote:
>>
>> Hi,
>>
>> I am trying to make horde's module passwd let users change their
>> passwords.
>>
>> In the configuration file of the module there are two options for ldap :
>>
>> - ldap : this option uses the users credentials to modify the password
>> (the user change his password with his credentials).
>>
>> - ldapadmin : this option uses the admin, such as the Directory Manager
>> to modify the user's password.
>>
>> the first one, didn't work for me, I get in the horde log : could not
>> replace userPassword attribute, LDAP server : constraint violation.
>>
>> the second one worked.
>>
>> In the error log of 389DS, I didn't find any useful error message.
>>
>> PS : tls is enabled.
>>
>>
>> any idea?
>>
>> changing the pw as user, you probably violate the password policy
>>
>>
>>
>> Regards.
>>
>>
--
389 users mailing list
389-users@%(host_name)s
http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org

[389-users] Re: Change users password using horde's module passwd

2016-04-12 Thread wodel youchi
Hi, and thanks

But as I understand, there is an AC created for
ou=people,dc=example,dc=com called "Allow self entry modification" and
userPassword attribute is selected for write.
is there another AC that supersedes this one?

Regards.

2016-04-12 11:19 GMT+01:00 Ludwig Krispenz <lkris...@redhat.com>:

>
> On 04/12/2016 11:50 AM, wodel youchi wrote:
>
> Hi,
>
> I am trying to make horde's module passwd let users change their passwords.
>
> In the configuration file of the module there are two options for ldap :
>
> - ldap : this option uses the users credentials to modify the password
> (the user change his password with his credentials).
>
> - ldapadmin : this option uses the admin, such as the Directory Manager to
> modify the user's password.
>
> the first one, didn't work for me, I get in the horde log : could not
> replace userPassword attribute, LDAP server : constraint violation.
>
> the second one worked.
>
> In the error log of 389DS, I didn't find any useful error message.
>
> PS : tls is enabled.
>
>
> any idea?
>
> changing the pw as user, you probably violate the password policy
>
>
>
> Regards.
>
>

[389-users] Change users password using horde's module passwd

2016-04-12 Thread wodel youchi
Hi,

I am trying to make horde's module passwd let users change their passwords.

In the configuration file of the module there are two options for ldap :

- ldap : this option uses the users credentials to modify the password (the
user change his password with his credentials).

- ldapadmin : this option uses the admin, such as the Directory Manager to
modify the user's password.

the first one, didn't work for me, I get in the horde log : could not
replace userPassword attribute, LDAP server : constraint violation.

the second one worked.

In the error log of 389DS, I didn't find any useful error message.

PS : tls is enabled.


any idea?


Regards.

[389-users] Configure the behavior of the creation of some attributes

2016-04-07 Thread wodel youchi
Hi,

When using the 389DS console to create a new user, can we configure the
behavior of the creation of some attributes?
for example, for our mailing service the user's uid is of the form :
*lastname.firstname* and the email address is of the form :
*lastname.firstn...@example.com*

When using the 389DS console, the uid is generated from the first letter of
the first name + the last name, and the email is not generated.

can this behavior be configured, to tell the console to combine the last
name + first name to generate the uid and add the domain to generate the
email address?

Regards.

[389-users] Default values for attributes when creating new users

2016-04-06 Thread wodel youchi
Hi,

is it possible to configure 389DS to give some attributes default values?

We're migrating from openLDAP to 389DS, which will be used to authenticate
mail users, we want to give for example *mailQuota* a default value for new
accounts.

is this possible?


Regards.

[389-users] 389 Backup

2016-03-09 Thread wodel youchi
Hi,

Is it possible to create a specific user to use to backup 389DS server
other than the Directory Manager, to use the db2bak.pl with a cronjob
without exposing the DM password.

Regards.

[389-users] Passwords migration from openldap to 389DS

2016-03-02 Thread wodel youchi
Hi,

We're planning the migration from openldap to 389DS,
we did some tests, and we have some problems with users passwords migration.

We found this article in 389DS's website
http://directory.fedoraproject.org/docs/389ds/design/password-migration-design.html

Is this implemented or not yet or completely abandoned?

the Pass through plugin worked, but we didn't find the "password migration
mode option" to catch the passwords.

Regards.

[389-users] Re: Installation of 389 DS

2016-03-02 Thread wodel youchi
Hi and thanks for your help,

This is the link of the documentation :

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Installation_Guide/Preparing_for_a_Directory_Server_Installation-Considerations.html

and it is the actual documentation of the RDS v10

Regards.

2016-03-03 1:05 GMT+01:00 William Brown <wibr...@redhat.com>:

> On Wed, 2016-03-02 at 19:28 +0100, wodel youchi wrote:
> > Hi,
> >
> > I am a newbie on 389 DS, I was following the RDS install document from
> > RedHat Documentation.
> >
> > OS: Centos 7.2 x64 latest updates
> > 389 DS :
> > 389-admin-console-1.1.10-1.el7.noarch
> > 389-ds-base-libs-1.3.4.0-26.el7_2.x86_64
> > 389-ds-base-1.3.4.0-26.el7_2.x86_64
> > 389-console-1.1.9-1.el7.noarch
> > 389-ds-console-1.2.12-1.el7.noarch
> > 389-adminutil-1.1.22-1.el7.x86_64
> > 389-admin-1.1.42-1.el7.x86_64
> >
> > In the consideration before setting up DS, it's mentioned that we need to
> > add this line to
>
> Can you provide a link to the documentation you are looking at?
>
> >
> >
> >
> > */etc/pam.d/system-auth*
> > *session required /lib/security/$ISA/pam_limits.so*
> >
> > After adding this line and rebooting the server, I am getting this error
> > when I try to login into it:
> > *Unknown module*
> >
> > in */var/log/secure* I have
> > *login: PAM unable to dlopen(/lib/security/$ISA/pam_limits.so):
> > /lib/security/../../lib64/security/pam_limits.so: cannot open shared
> > object file: No such file or directory*
> >
> > I did read the */etc/pam.d/system-auth* file again, and I found that
> > there is a line like this in it
> > *session required  pam_limits.so*
> >
> > My question is : do I need the
> > *session required /lib/security/$ISA/pam_limits.so*
> > for 389 to work properly ?
> > and if yes, how to avoid the above error?
> >
> > if no, does
> > *session required  pam_limits.so*
> > do the work?
>
> This looks like the old way (EL5 era) of modifying pam. These days you
> would just
> change the line to be:
>
> session required pam_limits.so
>
> But IIRC that's already part of the pam configuration as you have already
> noted, so you SHOULD NOT need to touch this.
>
> In other words, yes, pam_limits.so already does the work.
>
>
> To be honest, I think that it's irrelevant these days, as on el7 it would
> be the
> limits set by systemd that take effect, not the login shell limits, so you
> should
> set those. Look at:
>
> /etc/sysconfig/dirsrv.systemd
>
> This file is included by /usr/lib/systemd/system/dirsrv@.service
>
> Which is used to start / stop dirsrv on el7.
>
> I hope that helps you.
>
>
> --
> Sincerely,
>
> William Brown
> Software Engineer
> Red Hat, Brisbane
>
>
--
389 users mailing list
389-users@%(host_name)s
http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org
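
The login failure described in this thread came from a `required` PAM line whose module path could not be opened. The following is an added example, not part of the thread or of any 389 DS or Red Hat tooling: it checks every module path in a PAM service file before the file goes live. The `$ISA` expansion is taken from the /var/log/secure line quoted above; the function names, the `root` parameter and the sample file are assumptions constructed for the demonstration.

```python
import os
import re
import tempfile

# Expansion of $ISA as seen in the /var/log/secure line quoted in the thread
# (/lib/security/$ISA/... became /lib/security/../../lib64/security/...).
PAGE_ISA = "../../lib64/security"

# type  control  module-path  [arguments]; control may be a [value=action] list,
# and the type may carry an optional leading '-'.
LINE_RE = re.compile(r'^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$')

# Constructed sample: line 2 is the line the thread added, the rest follow the
# stock style of /etc/pam.d/system-auth.
SAMPLE = """\
#%PAM-1.0
session     required      /lib/security/$ISA/pam_limits.so
session     required      pam_limits.so
session     include       postlogin
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
"""


def check_pam_file(text, module_dir, isa=PAGE_ISA, root="/"):
    """Return [(lineno, module_as_written, expanded_path)] for unopenable modules.

    module_dir is where bare module names are looked up; root lets the check
    run against a staged tree instead of the live filesystem.
    """
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        control, module = m.group(2), m.group(3)
        if control in ("include", "substack"):
            continue  # third field names another service file, not a module
        path = module.replace("$ISA", isa)
        if not path.startswith("/"):
            path = os.path.join(module_dir, path)
        # Deliberately not normalised: the OS must walk every component, so a
        # missing /lib/security makes the '..' hops fail just as dlopen() did.
        on_disk = os.path.join(root, path.lstrip("/"))
        if not os.path.isfile(on_disk):
            problems.append((lineno, module, path))
    return problems


def demo():
    """Stage a 64-bit style tree (lib64/security only) and check SAMPLE."""
    with tempfile.TemporaryDirectory() as root:
        moddir = os.path.join(root, "lib64", "security")
        os.makedirs(moddir)
        for name in ("pam_limits.so", "pam_succeed_if.so"):
            open(os.path.join(moddir, name), "w").close()
        return check_pam_file(SAMPLE, "/lib64/security", root=root)


if __name__ == "__main__":
    for lineno, module, path in demo():
        print(f"line {lineno}: {module} -> {path}: cannot be opened")
```
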

[389-users] Installation of 389 DS

2016-03-02 Thread wodel youchi
Hi,

I am a newbie on 389 DS, I was following the RDS install document from
RedHat Documentation.

OS: Centos 7.2 x64 latest updates
389 DS :
389-admin-console-1.1.10-1.el7.noarch
389-ds-base-libs-1.3.4.0-26.el7_2.x86_64
389-ds-base-1.3.4.0-26.el7_2.x86_64
389-console-1.1.9-1.el7.noarch
389-ds-console-1.2.12-1.el7.noarch
389-adminutil-1.1.22-1.el7.x86_64
389-admin-1.1.42-1.el7.x86_64

In the consideration before setting up DS, it's mentioned that we need to
add this line to



*/etc/pam.d/system-auth*
*session required /lib/security/$ISA/pam_limits.so*

After adding this line and rebooting the server, I am getting this error
when I try to login into it:
*Unknown module*

in */var/log/secure* I have
*login: PAM unable to dlopen(/lib/security/$ISA/pam_limits.so):
/lib/security/../../lib64/security/pam_limits.so: cannot open shared object
file: No such file or directory*

I did read the */etc/pam.d/system-auth* file again, and I found that there
is a line like this in it
*session required  pam_limits.so*

My question is : do I need the
*session required /lib/security/$ISA/pam_limits.so*
for 389 to work properly ?
and if yes, how to avoid the above error?

if no, does
*session required  pam_limits.so*
do the work?

Regards.