[389-users] using PWM with 389 DS

2013-03-05 Thread Elizabeth Jones
I was wondering if anyone here has integrated PWM into your 389 DS and might be able to help me out. We want to use PWM just for allowing users to change their passwords. I followed the documentation that is here https://docs.google.com/document/d/1I9u1xaVrIOTFj8Le7uzCM5zGqrODCi9Udo2gGZyAapc/edit

Re: [389-users] using PWM with 389 DS

2013-03-05 Thread Elizabeth Jones
rator > Primatics Financial > > > > -----Original Message- > From: 389-users-boun...@lists.fedoraproject.org > [mailto:389-users-boun...@lists.fedoraproject.org] On Behalf Of Elizabeth > Jones > Sent: Tuesday, March 05, 2013 12:12 PM > To: 389-users@lists.fedoraproject.

[389-users] problem connecting with old solaris servers

2013-04-15 Thread Elizabeth Jones
We are trying to move our servers off a very old version of iplanet (circa 2002) to 389 DS. The data in both ldaps is almost identical, except that there was some stuff in the iplanet that couldn't convert over to 389. I'm not sure exactly what wouldn't convert, except that I couldn't do an export

[389-users] svn authentication

2013-06-11 Thread Elizabeth Jones
Have any of you run into problems using 389 DS for svn ldap authentication? I just discovered that our svn instance is not authenticating successfully with our 389 DS, although I can see from tcpdumps that it is successfully pulling the password back. I'm wondering if there is something in the 389

Re: [389-users] svn authentication

2013-06-12 Thread Elizabeth Jones
> On 12/06/2013 12:35 AM, Elizabeth Jones wrote: > > > Hello, > > what do you mean by "not authenticating successfully"? Anything in > apache logs? The logs show this -- [Tue Jun 11 17:02:08 2013] [warn] [client a.b.c.d] [23830] auth_ldap authenticate: user myus

[389-users] default password parameters

2013-07-11 Thread Elizabeth Jones
We recently discovered that some of our users can pad their login passwords with additional characters and still get authenticated by our 389DS. Our server was migrated from another server and we didn't set anything as far as password requirements in the 389DS because we didn't want to end up locki

[389-users] directory manager password changed

2013-08-06 Thread Elizabeth Jones
my cn=directory manager password has somehow gotten changed or corrupted. I have a 389-console session open that I'm hoping I can use to reset directory manager back to where it's supposed to be, but I don't know where in 389-console I would do this. Can anyone point me in the right direction? than

[389-users] find the password encryption hash from the command line?

2014-01-11 Thread Elizabeth Jones
Is there an ldap command that I can use to determine what encryption is being used for the passwords in my 389 DS? Elizabeth J -- 389 users mailing list 389-users@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users

[389-users] non-unique UID

2014-01-16 Thread Elizabeth Jones
I'm trying to scrub our LDAP data - we imported existing data from an old sun LDAP to our current 389 DS. I just noticed that there are 5 accounts in our LDAP that all have the same UID - I didn't think that was possible? Elizabeth J

[389-users] replication error

2014-02-07 Thread Elizabeth Jones
Hi - I have just encountered a replication error on our 389DS. We are running Version 1.2.10.12 Build number 2012.180.1623. We had the following error earlier today from our ldap1 server (running multimaster) - 07/Feb/2014:13:06:52 -0600] NSMMReplicationPlugin - changelog program - agmt="cn=ldap

Re: [389-users] replication error

2014-02-10 Thread Elizabeth Jones
> On 02/07/2014 10:16 PM, Elizabeth Jones wrote: >> Hi - I have just encountered a replication error on our 389DS. We are >> running Version 1.2.10.12 Build number 2012.180.1623. We had the >> following error earlier today from our ldap1 server (running >> multima

Re: [389-users] replication error

2014-02-10 Thread Elizabeth Jones
>> >> It's going to be practically impossible to support 1.2.10. Can you >> upgrade to 1.2.11? >> > > I'm heading that way right now. I found a bug on redhat that looks like > it is exactly what I'm running into -- > > https://bugzilla.redhat.com/show_bug.cgi?id=947583 Can I have different vers

Re: [389-users] replication error

2014-02-10 Thread Elizabeth Jones
> On 02/10/2014 02:40 PM, Elizabeth Jones wrote: >> Can I have different versions of 389DS running together? I have >> upgraded >> the server that I think is my problem and I want to try to initialize it >> from one of my other servers, but it just occurred to me that

[389-users] Importing database to new server

2014-03-11 Thread Elizabeth Jones
I'm having some problems trying to import an existing database into a new server. I know I was able to do this in the past, but since I'm an idiot I did not take notes on what I did and now I can't seem to recreate it. The new server was built from scratch and I configured a vanilla 389DS on it.

Re: [389-users] Importing database to new server

2014-03-11 Thread Elizabeth Jones
> How are you taking a backup, and how are you doing the import? What > backend/database are you trying to restore? What do you mean it turns > into ldap2? What is the exact problem as it sounds like the import is > working? I'm taking the backup off my production server with db2bak.pl script

[389-users] 389 training?

2014-04-14 Thread Elizabeth Jones
Does anyone know of any 389 training that they could recommend? My manager has decided that he wants me to have "ldap training", but I am not aware of anything for 389 DS other than all the online documentation. thanks - EJ

[389-users] Long distance replication

2014-04-14 Thread Elizabeth Jones
Have any of you encountered issues with replication over long distances, such as between data centers? We have a master in each of our data centers and a consumer at each data center, but all changes are pretty much made at data center A and then replicated to its local consumer, then across our m

[389-users] initialization issue

2014-04-16 Thread Elizabeth Jones
We upgraded our servers to 389-ds-base-1.2.11.25-1.el6.x86_64 a couple of months ago, and earlier this evening I tried to initialize a corrupted replica but it did not initialize successfully. I was using the 389-console gui, not sure if that makes any difference. My logs showed that the initiali

Re: [389-users] initialization issue

2014-04-17 Thread Elizabeth Jones
the size in the consumers' > config file. > > Thanks, > --noriko > > Elizabeth Jones wrote: >> We upgraded our servers to 389-ds-base-1.2.11.25-1.el6.x86_64 a couple >> of >> months ago, and earlier this evening I tried to initialize a corrupted >> replica but it

[389-users] glue entry problem

2014-04-22 Thread Elizabeth Jones
I have all kinds of borkage in my ldap today. I created a new ou in one of my data centers, ou=cdc,ou=service accts,ou=staff,ou=people,dc=mycompany,dc=com under this I added 2 users. About 5 minutes later I got an alarm from my monitoring system saying that replication had failed, and I discover

Re: [389-users] glue entry problem

2014-04-22 Thread Elizabeth Jones
> rpm -q 389-ds-base
389-ds-base-1.2.11.25-1.el6.x86_64

Re: [389-users] glue entry problem

2014-04-22 Thread Elizabeth Jones
As an added bonus, I now see this when I try to ldapsearch for this ou in my first ldap and in its local consumer -- ldap1: dn: nsuniqueid=dde5bb01-ca5811e3-af3cad6b-9c050417,ou=CDC,ou=Service Accts,ou=People,dc=mycompany,dc=com ldap2 (local consumer): dn: ou=CDC,ou=Service Accts,ou=People,dc=myc

Re: [389-users] glue entry problem

2014-04-23 Thread Elizabeth Jones
> > You mentioned 2 servers ldap1 and ldap2. Are they both masters? You put > "local consumer" to ldap2. Does that mean ldap2 is a read only replica? We have two data centers and each data center has an ldap1 and ldap2. All 4 are masters, but we only ever send updates to DCA-ldap1. That then

[389-users] enforcing password policy

2014-05-07 Thread Elizabeth Jones
I finally have permission to configure password policy in our ldap servers, but have a question about how it is enforced. Our service desk is able to access our LDAPs using LDAP Account Manager (LAM) and other admins can use LAM or tools like jexplorer. Once I have password policy in place, does a

[389-users] encryption and load balancing

2014-05-12 Thread Elizabeth Jones
I'm kind of confused about how to handle encryption certificates with a load balancer in place. I'm using the setupssl.sh script to create our certs and insert them into the LDAP instances - and this uses each LDAP server's hostname. Our current configuration is that ldap requests go to a GTM, whi

Re: [389-users] encryption and load balancing

2014-05-13 Thread Elizabeth Jones
> no need for wildcard certs… use the Subject Alt Name. Works fine. Been > doing it for years. certutil supports it as well. > > /mrg Thanks, this looks like it is what I need. I do have a question about this though - we have a single url that we use that is on our GTM - the GTM routes the re

[389-users] change internal token password

2014-05-18 Thread Elizabeth Jones
I'm finally ready to configure encryption on our LDAP servers, but I just discovered the previous admin had already set the password - to something I don't know. The previous admin was summarily dismissed one morning and would not be the type of guy who I could call and say by the way what was the

Re: [389-users] change internal token password

2014-05-18 Thread Elizabeth Jones
> I'm finally ready to configure encryption on our LDAP servers, but I just > discovered the previous admin had already set the password - to something > I don't know. The previous admin was summarily dismissed one morning and > would not be the type of guy who I could call and say by the way what

[389-users] last login

2014-05-30 Thread Elizabeth Jones
I'm trying to figure out if 389 supports a way to track users' last login. I found this page http://directory.fedoraproject.org/wiki/Account_Policy_Design#Logging Does anyone know of any other documentation on implementing this? thanks - EJ

[389-users] password policy - user vs subtree

2014-06-10 Thread Elizabeth Jones
I need some help understanding the difference between password policy for user versus subtree and where it needs to be set. Using the 389 console gui, I see that I can set the password policy under the configuration tab in the data section. I am thinking this creates a global policy? - but this d

[389-users] password policy settings

2014-06-18 Thread Elizabeth Jones
The password policy settings that I have configured in my ldap don't seem to be taking effect. For instance - I just set the policy on a user account so that the password has to contain 8 characters, alpha, numeral, uppercase and lowercase and special character. Then I changed and saved the passw

[389-users] changing replication to use ssl

2014-06-23 Thread Elizabeth Jones
We currently have 4 way multi-master replication running over port 389 but I need to secure it. In looking at what we have now, it looks to me like I can't edit the existing replication agreements but will have to make all new replication agreements - is this correct? I was looking at this doc ht

Re: [389-users] changing replication to use ssl

2014-06-23 Thread Elizabeth Jones
> We currently have 4 way multi-master replication running over port 389 but > I need to secure it. In looking at what we have now, it looks to me like > I can't edit the existing replication agreements but will have to make all > new replication agreements - is this correct? > > I was looking at

[389-users] encryption and self signed certs

2014-07-03 Thread Elizabeth Jones
I'm suddenly stumped by self-signed certs. I used the setupssl2.sh script to generate my certs and install them into my ldap. I end up with this -- # certutil -L -d . Certificate Nickname Trust Attributes

[389-users] TLS replication

2014-07-13 Thread Elizabeth Jones
Have a question on TLS replication with 4 LDAP servers. Each of the 4 LDAP servers has its own CA cert (each with a unique nickname and serial number). If I install just one of the CA certs onto the master and then initialize one of its consumers, it's fine. But if I install a second CA cert on t

Re: [389-users] TLS replication

2014-07-13 Thread Elizabeth Jones
User error, as usual. My certs had ^M at the end of the lines. Once I found and deleted those all the certs worked. > Have a question on TLS replication with 4 LDAP servers. > > Each of the 4 LDAP servers has its own CA cert (each with a unique > nickname and serial number). > > If I install ju

[389-users] password policy

2014-07-16 Thread Elizabeth Jones
We seem to have something odd going on with our password policy. I configured global password policy on our LDAPs so that all accounts under our userRoot subtree expire, then under the subtrees that contain our service accounts I configured to never expire. But I just noticed that the accounts un

[389-users] service desk account can no longer modify passwords

2014-07-21 Thread Elizabeth Jones
We have a service desk account that I created in our LDAP that has the ability to add/delete/modify all our user accounts. Except that now that we have password policy in place, it can no longer modify our user account passwords. I have confirmed that the password changes that it is doing conform

[389-users] password policy not deleted when user deleted

2014-08-05 Thread Elizabeth Jones
Doing some experimenting with user password policies. I created an account and then applied a user level fine grained password policy on that account. Then I deleted the account. Then I recreated the account, and the fine grained password policy still exists/is associated with this account. Why

[389-users] ns-inactivate.pl

2014-08-13 Thread Elizabeth Jones
I'm trying to use ns-inactivate.pl to deactivate user accounts, but I don't know how to get it to use port 636. It works fine on 389 but if I use -p 636 no dice. I don't see that there is a flag to tell it where to find the cert that it needs to make the connection. Elizabeth J

[389-users] secure replication failing

2014-08-19 Thread Elizabeth Jones
I have multimaster replication set up on 4 LDAP servers but can't get secure replication working on one of the servers. The setup is like this -- data center 1 / data center 2: ldap1 <---> ldap1 ^ | ^ |

Re: [389-users] secure replication failing

2014-08-20 Thread Elizabeth Jones
additional info - I increased logging on my supplier and see this error now - TLS: hostname does not match CN in peer certificate When I created the replication agreement, it is giving me a default consumer, I don't know why. The default is ldap1.mycompany.com:389. The certificate from ldap1 has

Re: [389-users] secure replication failing

2014-08-22 Thread Elizabeth Jones
> > On 08/20/2014 03:58 PM, Elizabeth Jones wrote: >> additional info - >> I increased logging on my supplier and see this error now - >> >> TLS: hostname does not match CN in peer certificate >> >> When I created the replication agreement, it is giving

Re: [389-users] secure replication failing

2014-08-25 Thread Elizabeth Jones
> > On 08/22/2014 10:34 AM, Elizabeth Jones wrote: >>> On 08/20/2014 03:58 PM, Elizabeth Jones wrote: >>>> additional info - >>>> I increased logging on my supplier and see this error now - >>>> >>>> TLS: hostname does not match

Re: [389-users] secure replication failing

2014-08-25 Thread Elizabeth Jones
I don't know if this is relevant to my on-going replication woes... On my consumer, I have the following certs - Server-Cert u,u,u CA certificate CTu,u,u CAcertva2

Re: [389-users] secure replication failing

2014-08-26 Thread Elizabeth Jones
none of them returned the fully qualified name for the certs, but only one had a problem with it. I changed it from hostname to the fully qualified name in the script. Elizabeth > > On 08/25/2014 10:21 AM, Elizabeth Jones wrote: >>> On 08/22/2014 10:34 AM, Elizabeth Jones wrote:

[389-users] slapd crashing and changing permissions on log files

2014-09-05 Thread Elizabeth Jones
We have a 389DS instance that has started having a strange problem when it runs its backups - [04/Sep/2014:01:05:01 -0500] - Backup finished. [04/Sep/2014:05:55:01 -0500] - chown_dir_files: file (/var/log/dirsrv/slapd-vadc-ldap2-prod/errors) chown failed (13) Permission denied. [04/Sep/2014:05:55:

Re: [389-users] slapd crashing and changing permissions on log files

2014-09-05 Thread Elizabeth Jones
Actually, it seems to be happening every time the instance is restarted. Just had it happen again: --. 1 nobody nobody 2960 Sep 5 09:19 errors > We have a 389DS instance that has started having a strange problem when it > runs its backups - > > [04/Sep/2014:01:05:01 -0500] - Back