Re: [389-users] setup-ds-admin.pl errors
Rich, any clues?

On Thu, Nov 21, 2013 at 3:19 PM, Alberto Viana <alberto...@gmail.com> wrote:

$ ./configure --with-openldap

I did not specify any CFLAGS.

On Thu, Nov 21, 2013 at 3:09 PM, Rich Megginson <rmegg...@redhat.com> wrote:

> On 11/21/2013 09:55 AM, Alberto Viana wrote:
> Rich, yes. If you need any specific info about how I built it, please let me know.

Yes, your configure and CFLAGS, please.

> Thanks.

On Thu, Nov 21, 2013 at 2:51 PM, Rich Megginson <rmegg...@redhat.com> wrote:

> On 11/21/2013 09:43 AM, Alberto Viana wrote:
> Rich, I'm still getting some errors:
>
> Could not import LDIF file '/tmp/ldifTVzppg.ldif'. Error: 256. Output:
> importing data ...
> [21/Nov/2013:14:42:11 -0200] - Netscape Portable Runtime error -5977: /opt/dirsrv/lib/dirsrv/plugins/libretrocl-plugin.so: undefined symbol: retrocl_cn_lock
> [21/Nov/2013:14:42:11 -0200] - Could not open library /opt/dirsrv/lib/dirsrv/plugins/libretrocl-plugin.so for plugin Retro Changelog Plugin
> [21/Nov/2013:14:42:11 -0200] - Unable to load plugin cn=Retro Changelog Plugin,cn=plugins,cn=config
> Error: Could not create directory server instance 'RNP'.
> Exiting . . .
> Log file is '/tmp/setupbogCkT.log'
>
> Any clues?

You built this yourself from the 1.3.2.4 source tarball?

> Thanks.

On Thu, Nov 21, 2013 at 1:51 PM, Alberto Viana <alberto...@gmail.com> wrote:

Yes, you're right, since Ubuntu is based on Debian and always links /bin/sh to dash. Thanks.

On Thu, Nov 21, 2013 at 1:48 PM, Rich Megginson <rmegg...@redhat.com> wrote:

> On 11/21/2013 08:44 AM, Alberto Viana wrote:
> You are right, /bin/sh was linked to the dash shell. I linked it to /bin/bash and everything is working as expected. Thanks so much for your help.

I think you ran into this issue: https://fedorahosted.org/389/ticket/47511

On Thu, Nov 21, 2013 at 1:35 PM, Rich Megginson <rmegg...@redhat.com> wrote:

> On 11/21/2013 08:28 AM, Alberto Viana wrote:
> Rich,
> root@hmg3:~# bash --version
> GNU bash, version 4.2.24(1)-release (x86_64-pc-linux-gnu)

Ok. What about /bin/sh?

The problem is that the shell script is complaining that it cannot find the source command. I'm not sure why - that is built in to bash. Perhaps /bin/sh is in strict POSIX Bourne shell mode, which would require the . command? Perhaps /bin/sh is linked to some other shell like zsh?

On Thu, Nov 21, 2013 at 1:23 PM, Rich Megginson <rmegg...@redhat.com> wrote:

> On 11/21/2013 08:16 AM, Alberto Viana wrote:
> Rich,
> root@hmg3:~# env
> SHELL=/bin/bash

ls -al /bin/sh
/bin/sh --version

On Thu, Nov 21, 2013 at 1:13 PM, Rich Megginson <rmegg...@redhat.com> wrote:

> On 11/21/2013 08:07 AM, Alberto Viana wrote:
> I'm trying to set up a new instance of 389 DS in my homologation environment:
>
> 389-ds-base-1.3.2.4
> 389-adminutil-1.1.18
> 389-admin-console-1.1.8
>
> After I ran setup-ds-admin.pl, I'm getting the following errors:
>
> Are you ready to set up your servers? [yes]:
> Creating directory server . . .
> Could not import LDIF file '/tmp/ldif9lEZLw.ldif'. Error: 256. Output:
> ./ldif2db: 3: ./ldif2db: source: not found
> ./ldif2db: 5: ./ldif2db: libpath_add: not found
> ./ldif2db: 6: ./ldif2db: libpath_add: not found
> ./ldif2db: 7: ./ldif2db: libpath_add: not found
> ./ldif2db: 8: ./ldif2db: libpath_add: not found
> ./ldif2db: 84: ./ldif2db: get_init_file: not found
> ./ldif2db: 85: [: 127: unexpected operator
> importing data ...
> usage: ns-slapd ldif2db -D configdir [-d debuglevel] [-n backend_instance_name] [-O] [-g uniqueid_type] [--namespaceid uniqueID] [{-s includesuffix}*] [{-x excludesuffix}*] [-E] [-q] {-i ldif-file}*
> Note: either -n backend_instance_name or -s includesuffix is required.
> Error: Could not create directory server instance 'RNP'.
> Exiting . . .
> Log file is '/tmp/setupBsGuLZ.log'
>
> I also tried 389-ds-base-1.3.1.12. Any clues?

What is your login shell?

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
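The errors in the thread above come from running a script written for bash under dash, which has no `source` builtin, so every helper the script expected to load is then "not found" as well. The following is an added example, not code from the thread or from the 389 project: it reports which interpreter /bin/sh really is, then loads a small helper library the portable way (the POSIX `.` command) and the bash-only way (`source`), so the first line of the transcript's error reproduces on a dash system. The /opt/dirsrv paths are taken from the transcript; the body of libpath_add is an assumption, not the real installer's code.

```shell
#!/bin/sh
# Added example (not from the thread or the 389 project): why a script that
# starts "#!/bin/sh" and uses "source" breaks when /bin/sh is dash, and the
# portable alternative. The helper name libpath_add mirrors the one the
# transcript shows as "not found"; its body here is an assumption.

# Report which shell /bin/sh really is, so the problem is visible before
# running any installer that silently assumes bash.
sh_flavor() {
    target=$(readlink -f /bin/sh 2>/dev/null || printf '%s' /bin/sh)
    printf '/bin/sh -> %s\n' "$target"
    # BASH_VERSION is only set when the interpreter is bash.
    /bin/sh -c 'printf "interpreter: %s\n" "${BASH_VERSION:-not bash}"'
}

# Write a small library file (constructed here) that defines libpath_add.
write_lib() {
    cat > "$1" <<'EOF'
libpath_add() {
    # Prepend a directory to LD_LIBRARY_PATH, ignoring empty or duplicate entries.
    [ -n "$1" ] || return 0
    case ":${LD_LIBRARY_PATH}:" in
        *":$1:"*) ;;
        *) LD_LIBRARY_PATH="$1${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}" ;;
    esac
    export LD_LIBRARY_PATH
}
EOF
}

# Portable: the POSIX "." command is understood by dash, bash and ksh alike,
# so the helper loads and LD_LIBRARY_PATH ends up with one copy of each dir.
load_portable() {
    lib=$(mktemp) || return 1
    write_lib "$lib"
    LD_LIBRARY_PATH=""
    . "$lib"
    libpath_add /opt/dirsrv/lib
    libpath_add /opt/dirsrv/lib/dirsrv
    libpath_add /opt/dirsrv/lib        # duplicate, must be ignored
    rm -f "$lib"
    printf '%s\n' "$LD_LIBRARY_PATH"
}

# Not portable: "source" is a bash builtin. Under dash the line fails with
# "source: not found" (status 127), exactly the transcript's first error, and
# every later call to the helper fails the same way. Under a /bin/sh that is
# bash it works, which is why the problem only shows up on Debian-style hosts.
load_with_source() {
    lib=$(mktemp) || return 1
    write_lib "$lib"
    /bin/sh -c "source '$lib' 2>/dev/null && libpath_add /opt/dirsrv/lib && printf '%s\n' \"\$LD_LIBRARY_PATH\"" \
        || printf 'source failed under /bin/sh (status %s)\n' "$?"
    rm -f "$lib"
}

sh_flavor
load_portable
load_with_source
```

Repointing /bin/sh at bash system-wide, as done in the thread, changes the interpreter for every `#!/bin/sh` script on the host; the narrower options are to run the affected scripts explicitly with bash, or to take the fixed release mentioned later in the thread.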
Re: [389-users] Password Failure Lockout doesn't seem to work
Yes, I can. After 8 consecutive failed authentications, the account can still successfully query the DS with the correct password.

% ldapsearch -x -ZZ -LLL -h my-ldapHost01.my-domain.com -b dc=my-domain,dc=com -D uid=test-user-account,ou=people,dc=my-domain,dc=com -w badPword cn=test-user-account
ldap_bind: Invalid credentials (49)

[the same command and result, repeated for 8 failed binds in total]

% ldapsearch -x -ZZ -LLL -h my-ldapHost01.my-domain.com -b dc=my-domain,dc=com -D uid=test-user-account,ou=people,dc=my-domain,dc=com -w goodPwrd cn=test-user-account
dn: uid=test-user-account,ou=people,dc=my-domain,dc=com
description: accountHasItsOwnPwdPolicy
objectClass: posixAccount
objectClass: shadowAccount
objectClass: account
objectClass: top
uid: test-user-account
cn: test-user-account
uidNumber: 2853
gidNumber: 2600
gecos: LDAP Test
homeDirectory: /home/test-user-account
loginShell: /bin/tcsh

On 11/25/2013 5:49 PM, Rich Megginson <rmegg...@redhat.com> wrote (via the 389-users digest):

> On 11/25/2013 03:33 PM, JLPicard wrote:
> Hi, I am testing out 389_ds_base, version 1.2.11.15,REV=2013.01.31, running on mixed Solaris 10 servers (SPARC and x86) sourced from http://www.opencsw.org/packages/CSW389-ds-base in multi-master mode with 4 servers that is primarily used for authentication and user/group/netgroup management. Most of the password policy components seem to work as they should, but password failure account lockout doesn't appear to engage after X failed attempts. After creating a new account and testing a successful login, after 5+ failed logins with bad passwords I can still log in when I would expect to be locked out. I even created a new password policy and applied it to this user and it still doesn't lock him out after 5+ failed logins with bad passwords.

Can you reproduce the issue with ldapsearch?

ldapsearch ... -D uid=myuser, -w badpassword ...

repeat 5 times
Re: [389-users] Password Failure Lockout doesn't seem to work
Hi,

do you have anonymous bind enabled? Maybe this is why it is working? Just a guess.

Regards.

On 11/26/13 14:13, JLPicard wrote:
> Yes, I can. After 8 consecutive failed authentications, the account can still successfully query the DS with the correct password.
> [...]

--
Predrag Zečević, Technical Support Analyst, 2e Systems GmbH
http://www.2e-systems.com/
Re: [389-users] setup-ds-admin.pl errors
On 11/26/2013 04:17 AM, Alberto Viana wrote:
> Rich, any clues?

Yes, fixed in 1.3.2.6. 1.3.2.7 is out now too.

> On Thu, Nov 21, 2013 at 3:19 PM, Alberto Viana <alberto...@gmail.com> wrote:
> $ ./configure --with-openldap
> I did not specify any CFLAGS.
> [...]
Re: [389-users] setup-ds-admin.pl errors
Thanks, I will try it.

On Tue, Nov 26, 2013 at 11:44 AM, Rich Megginson <rmegg...@redhat.com> wrote:
> On 11/26/2013 04:17 AM, Alberto Viana wrote:
> > Rich, any clues?
>
> Yes, fixed in 1.3.2.6. 1.3.2.7 is out now too.
> [...]
Re: [389-users] Password Failure Lockout doesn't seem to work
Hi,

did you set:

nsslapd-pwpolicy-local: on

in cn=config ?

Ludwig

On 11/26/2013 02:13 PM, JLPicard wrote:
> Yes, I can. After 8 consecutive failed authentications, the account can still successfully query the DS with the correct password.
> [...]
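Rich's reproduction recipe (several bad binds with ldapsearch, then a good one) and Ludwig's cn=config question, written up as one added shell probe. This is not code from the thread or from the 389 project. The host, bind DN and passwords are placeholders; it assumes OpenLDAP's ldapsearch, which exits with the LDAP result code when the bind fails, and that 389 DS refuses a bind to a locked-out account with constraintViolation (19) and the text "Exceed password retry limit", not with invalidCredentials (49). What the transcript alone does not show is how to read the result: eight 49s followed by a successful bind mean lockout never engaged, and the policy switches and per-entry counters queried at the end show where it stopped.

```shell
#!/bin/sh
# Added example (not from the thread or the 389 project): a reproduction
# probe for password-failure lockout. Host, bind DN and passwords are
# placeholders. Assumes OpenLDAP's ldapsearch, which exits with the LDAP
# result code when the bind fails.

# Map an ldapsearch exit status to what it says about the account.
#  0 = bind succeeded
# 49 = invalidCredentials: password rejected, but the account is NOT locked
# 19 = constraintViolation: 389 DS answers a bind to a locked-out account
#      with this code and "Exceed password retry limit. Please try later."
classify_bind_rc() {
    case "$1" in
        0)  echo "bound" ;;
        49) echo "invalid-credentials (not locked)" ;;
        19) echo "locked (constraint violation)" ;;
        *)  echo "other ($1)" ;;
    esac
}

# Verdict from the status of the last bad bind, the status of the final
# good-password bind, and the number of bad binds attempted. A working
# policy refuses the good password with the lockout code.
lockout_verdict() {
    last_bad=$1; good=$2; n=$3
    case "$(classify_bind_rc "$good")" in
        locked*) echo "LOCKOUT OK" ;;
        bound)   echo "LOCKOUT NOT ENFORCED (good password accepted after $n failures)" ;;
        *)       echo "INCONCLUSIVE (good-password bind returned $good, last bad bind $last_bad)" ;;
    esac
}

# Run N bad binds, then one good bind, and report. Needs a live server, so
# it is not exercised by this file's self-checks.
probe_lockout() {
    host=$1; binddn=$2; badpw=$3; goodpw=$4; n=${5:-5}
    i=0; rc=0
    while [ "$i" -lt "$n" ]; do
        ldapsearch -x -ZZ -LLL -h "$host" -D "$binddn" -w "$badpw" \
            -b "$binddn" -s base 1.1 >/dev/null 2>&1
        rc=$?
        i=$((i + 1))
        echo "attempt $i: $(classify_bind_rc "$rc")"
    done
    ldapsearch -x -ZZ -LLL -h "$host" -D "$binddn" -w "$goodpw" \
        -b "$binddn" -s base 1.1 >/dev/null 2>&1
    good_rc=$?
    lockout_verdict "$rc" "$good_rc" "$n"
}

# What to read when the verdict is NOT ENFORCED (binds as Directory Manager):
#   - the global lockout switches in cn=config,
#   - nsslapd-pwpolicy-local, without which a per-user/subtree policy such as
#     the one on the test account above is ignored,
#   - the per-entry operational counters, which a working policy increments.
show_policy_state() {
    host=$1; dm_pw=$2; userdn=$3
    ldapsearch -x -ZZ -LLL -h "$host" -D "cn=Directory Manager" -w "$dm_pw" \
        -b cn=config -s base \
        passwordLockout passwordMaxFailure passwordLockoutDuration \
        passwordUnlock nsslapd-pwpolicy-local
    ldapsearch -x -ZZ -LLL -h "$host" -D "cn=Directory Manager" -w "$dm_pw" \
        -b "$userdn" -s base \
        passwordRetryCount retryCountResetTime accountUnlockTime
}

# Usage against a real server (placeholders):
#   probe_lockout ldap.example.com \
#       uid=test-user-account,ou=people,dc=example,dc=com badPword goodPwrd 8
#   show_policy_state ldap.example.com 'dm-password' \
#       uid=test-user-account,ou=people,dc=example,dc=com
```

Run the probe once against each replica: in a multi-master deployment the retry counter lives on the entry and is replicated, so a mismatch between servers points at replication rather than at the policy itself.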
Re: [389-users] Upgrade failure
On 11/25/2013 06:26 PM, Gordon Messmer wrote:
> On 11/25/2013 03:54 PM, Rich Megginson wrote:
> > Is there some reason you need to upgrade from the OS provided official RHEL 6.4 version of 389-ds-base to the non-OS provided version from the rmeggins epel6 repo?
>
> I no longer remember why that's there, actually. I feel like there was a feature not available in the RH packages, but have forgotten exactly what.

I would suggest just using the 389-ds-base package that comes with RHEL 6.

> > Are you using attribute encryption?
>
> No, not as far as I know.

Ok.

> > The error message is saying that it cannot find your unlocked server SSL key. I am assuming this all worked before, and you have a pin.txt file and/or you have permanently unlocked your key/cert db.
>
> The key/cert db has one key which requires no passphrase, the corresponding certificate, and the certificates of the CA (StartSSL).

If you do

certutil -d /etc/dirsrv/slapd-* -K

does it prompt you for a password/pin?
[389-users] acl__TestRights - cache overflown
Hi,

I noticed a warning in the error logs that the userRoot cache settings were too small compared to the db size. I tuned the cache values based on this article:

https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Performance_Tuning_Guide/memoryusage.html

Based on the log report, I used the following values:

Entry cache: nsslapd-cachememsize: 268435456 (256MB)
DB cache: nsslapd-dbcachesize: 268435456 (256MB)

After this, my second LDAP server gives the following errors:

acl__TestRights - cache overflown

Some of the queries fail. For example, some of the sudoers entries don't work.

Questions:

1. I changed the values using the Console. But for the second LDAP server I was not able to save the new nsslapd-dbcachesize value, because the Save button was greyed out. I changed the value using ldapmodify. But is there a reason why the Save button is disabled?

2. Do my values make sense in general? The default values were only 10MB and I'm wondering why that is. I currently have 2GB RAM for the directory servers and the DBs are relatively small. The log reports the userRoot size as 180MB. RAM usage is fine, plenty of free memory.

-Vesa