[389-users] Re: How to Restrict user authentication per application?

2016-11-16 Thread msarmadi
Using groups helps when apps want to get user info. In that case there is ACI 
capability and also searchfilter, which make it possible to control user login 
access. 

However, if you use multiple applications and each has its own method of 
authentication, there you face something that does not have a searchfilter or 
a proxy account. Also, there are applications that can only bind as the user enters 
their credentials, and after that either they don't need other info from the 
directory or the other info is collected from another data store, like 
MySQL, Oracle, etc.

--
All in all, I'm aware of such a solution and am already using it, but the problem 
I'm addressing is not that.

I need to take control of the Bind operation, based on IP, time, and user 
attributes, which I could not find in 389ds.
___
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org


Re: ssh/screen -- cmdline vs php

2016-11-16 Thread Samuel Sieb

On 11/16/2016 05:58 PM, bruce wrote:
> when I run the cmd from a test php... using backticks.. the remote
> ssh/screen/app isn't run...

I suspect that when run that way, the process doesn't have a terminal so 
some things might not work.  Also, assuming you're running the php from 
a web server, the web server user (most likely apache) might not have 
permission to create network connections.  Check for selinux errors. 
Can you tell how far it gets?  Does it start the ssh process?  Does the 
ssh process connect?  etc.

___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org


[389-users] Re: Self-service password reset?

2016-11-16 Thread msarmadi
Hello

We've used both PWM and  LTB self-service password reset.
Both are good. 

LTB is in php, simple and working and very easy to customize.
PWM is in Java, feature rich and much more than just a self-service.

Choosing a suitable one is defined by your needs. In many projects I prefer LTB.

Hope it helps
Cheers


Re: Does mDNS play well in regular DNS env?

2016-11-16 Thread Tim
Tom H: 
>>> You can change it by setting "domain-name=something_else" in
>>> "/etc/avahi/avahi-daemon.conf".

Samuel Sieb: 
>> Although that would immediately make you incompatible with all the devices
>> you're probably wanting to talk to. :-)

On Fri, 2016-11-04 at 23:47 +0200, Tom H wrote: 
> If the ".local" devices that you're connecting to are served by
> regular dns, it's not a problem.

Recently I tried adding a Pixma MG7760 printer to my LAN, and there was
no end of trouble.  Sometimes the Windows and Mac computers found it,
sometimes they didn't, I've only briefly played with Linux drivers for
it (well, select a PPD file that you can download from Canon, and it
prints nicely, but haven't tried the scanner).

It's one of those printers with USB, LAN, WLAN, NFC interfaces.  Most of
those use automatic settings, though there's a plethora of options that
you can change.  And to make things more awkward, it only wants to use
one of those connection types, it doesn't want to be available on your
ethernet LAN and wireless, simultaneously.

It uses some mixture of normal TCP/IP networking and Bonjour, and it
doesn't seem to use both independently.  For example, my DHCP server
automatically gives everything else a name and IP, and puts them into
the local DNS server, as well.  But that doesn't work with this printer
(I have to manually set in a hostname, on my DHCP server).  It gets
assigned an IP, but that's all that happens.  The installable (Mac and
PC) printer software seems to want to use Bonjour to find the printer,
and usually fails (more directly about that next paragraph).  For what
it's worth, it often fails to find the printer when connected via the
USB cable, too.

My understanding, though, of the .local issues is that such devices will
have to be using the 169.254.x.y IP addresses (which they can do, as
devices can have more than one IP, but it's not doing that).  And your
other network devices also have to have 169.254.x.y addresses
(same conditions as before - they can have those addresses as well as
regular LAN addresses, but they don't).  None of the computers do,
though, because as soon as they get assigned a regular IP, they don't
bother with self-assigning themselves a random link-local address, as
well.  And the equipment won't talk with 169.254.x.y addresses that are
outside of their 192.168.x.y subnets, normally.  So, Bonjour seems to
get left out of the equation.

So, from my point of view, .local isn't automatic, doesn't work, can't
work.

I'd take the printer back, but I needed something that can print onto
DVDs, for work purposes, and it's the only printer I can locally buy
that will do that.  Thanks to all the networking shenanigans, and
awkward Linux compatibility, I did that by creating a picture I want to
print on the disc, copying that to a SD memory card, and printing
directly from that card plugged into the printer.

Gawd but I hate half-baked, and proprietary, consumer equipment.


-- 
[tim@localhost ~]$ uname -rsvp
Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64

Boilerplate:  All mail to my mailbox is automatically deleted, there is
no point trying to privately email me, I only get to see the messages
posted to the mailing list.

The internet, your opportunity to learn from other peoples' mistakes.




ssh/screen -- cmdline vs php

2016-11-16 Thread bruce
Hey guys..

I crafted a test php app to generate the test cmdline to ssh into the
remote box, attach to the screen, and fire off the testApp...

This works as expected from the cmdline...

I
   su - crawl_user,
 then run the cmd, take a look on another term, that's set to the
ipAddress. When I attach to the screen.. I see the app running..
Checking the procTbl shows the app running as well...

However

when I run the cmd from a test php... using backticks.. the remote
ssh/screen/app isn't run...

Any pointers on what I can look at to debug this..

the actual cmd that works on the cmdline::

 ssh  -t crawl_user@162.243.166.31  "screen -r crawlSession  -X stuff
'/crawl_tmp/startCollegeCrawl_test_bycol.php   --crawlDir /crawl_tmp
--nfsDir /cloud_nfs  --nfsFetchDir /cloud_nfs_fetch  --colName
austincc_0'$(echo -ne '\015')  "



the test php that generates the above cmd...

//--run the bycol for the college, using the ipAddress..
$scmd="ssh  -t crawl_user@".$bycol_ip_list[$cnt].'  "screen -r crawlSession  -X stuff ';
$scmd=$scmd."'/crawl_tmp/startCollegeCrawl_test_bycol.php   --crawlDir /crawl_tmp  ";
$scmd=$scmd."--nfsDir /cloud_nfs  --nfsFetchDir /cloud_nfs_fetch  ";
$scmd=$scmd."--colName ".$d."'$(echo -ne '\\015')  ".'"';

print "bycol cmd .. ".$scmd."\n";

$scmd=`$scmd`;
print " stop..bycol sleeping prior to starting..\n";
exit();



thanks


evolution tweaks ?

2016-11-16 Thread DJ Delorie

Just upgraded to F24 and there are a few things about Evolution I
don't like...

1. the left-hand calendar pane uses white-on-blue for the "shown"
   days, as well as the weekday-name rows.  How do I change the
   colors?

2. The "Select Today" button scrolls the big month view window to the
   start of the current month.  How do I make it scroll to the start
   of the current week instead?  I have no need to see what's already
   happened, but it used to show me the 4-5 upcoming weeks.

3. Scroll wheel in the calendar side pane scrolls the months, but
   leaves the selection in the same place on the screen - effectively
   scrolling the months in the big pane.  How do I get it to leave the
   big pane alone until I click on a date?  Or at least leave it alone
   until its 'selection' would bump off the top/bottom of the side
   pane?  (i.e. I want to see the next 4 weeks in the big window, and
   the next 4 months in the side window).


Re: USB3 Type C -

2016-11-16 Thread Georg Hess


On 16.11.2016 22:31, Rick Stevens wrote:
> On 11/16/2016 01:00 PM, Joe Zeff wrote:
>> On 11/16/2016 12:47 PM, Rick Stevens wrote:
>>> On 11/16/2016 11:08 AM, Mark Haney wrote:
>>>> I think his comment was more related to the fact that all USB3 uses the
>>>> Type-C connectors now.
>>> Not true. I have USB3 ports on type A connectors on a new mobo.
>>>
>>
>> I don't want to nitpick, but when was that mobo designed?  The new
>> connectors might be too recent for it.
> 
> I don't have access to the design plans for it so I have no idea
> although I bought one three months ago. All I'm saying is USB3 does not
> mean type C connectors or vice versa. Will all new mobos have type C? I
> don't know. I sure as hell hope not because I don't want to have to buy
> a gazillion adapter cables if and when I replace my mobos.

There are some quite new motherboards with
USB2.0 Type A, USB3.0 Type A, USB 3.1 Type A and USB3.1 Type C
Connectors on them.
https://www.asus.com/Motherboards/X99-A-II/specifications/

And I don't think Type A will disappear, this mobo even has a PS/2
Connector. And those are arguably old.

> So I'm an old fart and I do not subscribe to the "new is always better"
> mantra that so many others seem to. I'm glad I still have my old Galaxy
> phone so the damned battery doesn't explode in my pocket or cause 3rd
> degree burns on my tush and I can replace it when it goes bad instead
> of ponying up $300 for a new phone. Bloody ridiculous! Sheesh!
> --
> - Rick Stevens, Systems Engineer, AllDigitalri...@alldigital.com -
> - AIM/Skype: therps2ICQ: 226437340   Yahoo: origrps2 -
> --
> -  On a scale of 1 to 10 I'd say...  oh, somewhere in there. -
> --
> 





[389-users] Re: performance degrades over time on CentOS 7

2016-11-16 Thread Gordon Messmer

On 11/16/2016 01:23 PM, William Brown wrote:
> What's your ioblocktimeout set to?

nsslapd-ioblocktimeout: 180

> How many connections are idle on the server?

How would I check?

> Are you seeing OOM behaviour or memory not being released to the OS?

No, the systems use very little memory:

# free
              total        used        free      shared  buff/cache   available
Mem:        1883872      148932       72752       97156     1662188     1429468
Swap:       2097148       65064     2032084

No OOM actions are recorded.

> What specs are your servers ie cpu and memory, is it ecc memory?

These are virtual machines with 4 allocated cores and 2GB of RAM. The 
host systems are Intel(R) Xeon(R) CPU E5-2620 v3 with 64 of ECC RAM.  
The two VMs running 389-ds are on different physical hosts, but have the 
same problems at roughly the same frequency, at roughly the same uptime.

> What kind of disk are they on? Are there issues in dmesg?

One physical system has a RAID10 mdraid array of SAS disks.  The other 
has a RAID1 mdraid array of SAS disks.  No errors have been recorded.

The virtual machines are LVM-backed with standard (not sparse) LVs.

> Have you configured system activity reporter (sar), and have out from
> the same time of disk io, memory usage, cpu etc?

I believe that's set up by default, yes.

https://paste.fedoraproject.org/483468/93401501/

The DS stopped responding at about 12:30AM in this readout (system time 
is in UTC).

> What's your sysctl setup like?

Standard for a CentOS 7 system, with these additions:

net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.tcp_keepalive_time = 600

> Have you increased file descriptors for Directory Server?

I thought I had, but it looks like I haven't:

# cat /proc/sys/fs/file-max
185059
# grep nofile /etc/security/limits.conf
#- nofile - max number of open file descriptors
# grep ulimit /etc/profile

nsslapd-maxdescriptors: 1024

> Have you lowered the TCP close wait timeout?

No.

> When I hear of problems like this, I'm always inclined to investigate
> the host first, as there is a surprising amount that can affect DS from
> the host.

I suspect so, too, since the problem correlates with the system uptime, 
not how long the daemon has been running.  But beyond that I'm not sure 
how to track this down further.



Re: USB3 Type C -

2016-11-16 Thread Doug


On 11/16/2016 03:35 PM, Louis Lagendijk wrote:
> On Wed, 2016-11-16 at 12:47 -0800, Rick Stevens wrote:
>> On 11/16/2016 11:08 AM, Mark Haney wrote:
>>> I think his comment was more related to the fact that all USB3 uses
>>> the
>>> Type-C connectors now.
>> Not true. I have USB3 ports on type A connectors on a new mobo.
>
> My brandnew HP Probook 470 G4 laptop has both a type A and a type C
> port, so I can use either connector.

An earlier post in this thread referred to adapters. The cheapest was 
almost $5 and was at the end of an 18" cable! What a PITA that would be!

My old computer didn't have USB3, so I put in a card--then I had to 
remote the connection to the front of the PC, which I did with Velcro. 
But it's not as if the connection were built in to the case. And now to 
get two connections at the front of the computer we'll have to have TWO 
diddlies like this!  Phooey!  And then I suppose that the new flash 
drives will all have the type C connectors, so they won't even plug into 
old ports. What a mess!


--doug



[389-users] Re: How to Restrict user authentication per application?

2016-11-16 Thread William Brown
On Wed, 2016-11-16 at 13:30 +, Mehdi Sarmadi wrote:
> Hello 
> 
> 
> In 389ds ACI, many operations like search,read,write,... can be restricted 
> based on evaluating time, ip, dns name, authenticated user and some other 
> conditions. 
> 
> 
> We have multiple applications which authenticate(bind only) their users with 
> a Directory (389ds). 
> 
> 
> I need to restrict users from logging on applications based on a policy. For 
> example UserA could be logged on App1, and not App2, and so on. 
> For that I'm looking for a feature that could be helpful. 

Is this just "who is allowed to access appX" or is it "while logged into
A you cannot login to B?"

Anyway, my advice is use groups and memberof if it's the first case.

Add the users to groups IE:

objectClass: groupOfNames
member: uid=user,ou=People,dc=


Then if you have the memberOf plugin enabled, you want to run the fixup
task initially.

Once done, you should see:

dn: uid=william,ou=People,dc=...
uid: william
objectClass: inetUser  <<-- Your users MUST have this objectClass
to accept the memberof attr.
memberOf: cn=network_admins,ou=Groups,dc=...

Now you can filter in your application config based on:

ldap_auth_filter = '(memberOf=cn=network_admins,ou=Groups,dc=...)' 

Hope that helps. 


> 
> 
> 1. 
> I thought of a feature in ACI, in which ACI could be defined on Bind 
> operations, too. For example we could define an ACI saying users with a 
> filter, say (attributeA=App1) or (objectClass=App1User) and fromIP 
> restriction(of the server of application App1), allows or denies binding of 
> users. And users + apps which are not match in the criteria could not 
> login(they will get err=49 or Invalid Credential), and those who match could 
> login. 
> 
> 
> 2. 
> I thought of another solution, too, in which by putting users in dynamic 
> containers which have bind feature. For example there is a certain type of OU 
> which is dynamically filled by users that has certain characteristic, 
> - OU=App1,DC=domain,DC=com contains users with (attributeA=App1) or 
> (objectClass=App1User). 
> - OU=App2,DC=domain,DC=com contains users with (attributeA=App2) or 
> (objectClass=App1User). 
> 
> 
> In this case I can tell app1 to authenticate UserA against its own 
> OU=App1,DC=domain,DC=com contains users, and app2 against 
> OU=App2,DC=domain,DC=com. 
> 
> 
> 
> 
> I'm wondering if anyone has any idea or had been in the same place. 
> 
> 
> Thanks 

-- 
Sincerely,

William Brown
Software Engineer
Red Hat, Brisbane
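
Added example, not part of the original message or of 389-ds: the per-application memberOf filter from the reply above, applied as search-then-bind with the login name escaped per RFC 4515 so it cannot change the filter's meaning. The suffix, users, groups and application names are constructed, and the small in-memory matcher is an assumption standing in for the directory server's search.

```python
import re

# Constructed sample data: suffix, users and groups are placeholders.
DIRECTORY = {
    "uid=william,ou=People,dc=example,dc=com": {
        "uid": ["william"],
        "objectClass": ["inetOrgPerson", "inetUser"],
        "memberOf": ["cn=network_admins,ou=Groups,dc=example,dc=com"],
    },
    "uid=alice,ou=People,dc=example,dc=com": {
        "uid": ["alice"],
        "objectClass": ["inetOrgPerson", "inetUser"],
        "memberOf": ["cn=app2_users,ou=Groups,dc=example,dc=com"],
    },
}

# Hypothetical mapping: the group each application requires for login.
APP_GROUP = {
    "app1": "cn=network_admins,ou=Groups,dc=example,dc=com",
    "app2": "cn=app2_users,ou=Groups,dc=example,dc=com",
}


def escape_filter_value(value):
    """Escape a value for use inside an LDAP filter (RFC 4515)."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def login_filter(app, login):
    """Build the per-application auth filter: uid AND the required memberOf."""
    return "(&(uid=%s)(memberOf=%s))" % (
        escape_filter_value(login),
        escape_filter_value(APP_GROUP[app]),
    )


# --- Stand-in for the server side: evaluates (&(attr=value)(attr=value)) ---
_ASSERTION = re.compile(r"\(([A-Za-z][\w-]*)=((?:\\[0-9a-fA-F]{2}|[^()\\])*)\)")


def _unescape(text):
    """Turn \\XX escapes back into the characters they stand for."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)


def _value_matches(pattern, actual):
    # Escaped asterisks arrive as \2a, so any '*' still present is a wildcard.
    pieces = [re.escape(_unescape(part)) for part in pattern.split("*")]
    return re.fullmatch(".*".join(pieces), actual, re.IGNORECASE | re.DOTALL) is not None


def entry_matches(ldap_filter, entry):
    """True when every assertion in the filter matches some attribute value."""
    assertions = _ASSERTION.findall(ldap_filter)
    attrs = {name.lower(): values for name, values in entry.items()}
    return bool(assertions) and all(
        any(_value_matches(pat, val) for val in attrs.get(attr.lower(), []))
        for attr, pat in assertions
    )


def find_user_dn(app, login):
    """Search step of search-then-bind: the DN to bind as, or None to refuse.

    The application only attempts the password bind when exactly one entry
    matches, so a user outside the application's group never reaches the bind.
    """
    flt = login_filter(app, login)
    hits = [dn for dn, entry in DIRECTORY.items() if entry_matches(flt, entry)]
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    for app, login in [("app1", "william"), ("app2", "william"), ("app1", "*")]:
        print(app, repr(login), "->", find_user_dn(app, login))
```

The third case shows why the escaping matters: a login of "*" is searched as a literal asterisk instead of acting as a wildcard on uid.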




Re: USB3 Type C -

2016-11-16 Thread Louis Lagendijk
On Wed, 2016-11-16 at 12:47 -0800, Rick Stevens wrote:
> On 11/16/2016 11:08 AM, Mark Haney wrote:
> > 
> > I think his comment was more related to the fact that all USB3 uses
> > the
> > Type-C connectors now.  
> 
> Not true. I have USB3 ports on type A connectors on a new mobo.
> 
My brandnew HP Probook 470 G4 laptop has both a type A and a type C
port, so I can use either connector.



Re: USB3 Type C -

2016-11-16 Thread Rick Stevens
On 11/16/2016 01:00 PM, Joe Zeff wrote:
> On 11/16/2016 12:47 PM, Rick Stevens wrote:
>> On 11/16/2016 11:08 AM, Mark Haney wrote:
>>> >I think his comment was more related to the fact that all USB3 uses the
>>> >Type-C connectors now.
>> Not true. I have USB3 ports on type A connectors on a new mobo.
>>
> 
> I don't want to nitpick, but when was that mobo designed?  The new
> connectors might be too recent for it.

I don't have access to the design plans for it so I have no idea
although I bought one three months ago. All I'm saying is USB3 does not
mean type C connectors or vice versa. Will all new mobos have type C? I
don't know. I sure as hell hope not because I don't want to have to buy
a gazillion adapter cables if and when I replace my mobos.

So I'm an old fart and I do not subscribe to the "new is always better"
mantra that so many others seem to. I'm glad I still have my old Galaxy
phone so the damned battery doesn't explode in my pocket or cause 3rd
degree burns on my tush and I can replace it when it goes bad instead
of ponying up $300 for a new phone. Bloody ridiculous! Sheesh!
--
- Rick Stevens, Systems Engineer, AllDigitalri...@alldigital.com -
- AIM/Skype: therps2ICQ: 226437340   Yahoo: origrps2 -
--
-  On a scale of 1 to 10 I'd say...  oh, somewhere in there. -
--


Re: USB3 Type C -

2016-11-16 Thread fred roller
On Wed, Nov 16, 2016 at 4:00 PM, Joe Zeff  wrote:

> >I think his comment was more related to the fact that all USB3 uses the
>> >Type-C connectors now.
>
>
All USB3.1 the 3.0 will have the type A and that is the confusion it
seems... I have a 3.0 USB on the Laptop <6 months old with Type A and my
wife's phone, barely a month old, has a Type C connection.  This is just a
new tech transitional period we are in and we will be purchasing adapters
upgrading systems etc. to accommodate over the course of a few months or
more.  Change - it is the only thing that doesn't change.


[389-users] Re: performance degrades over time on CentOS 7

2016-11-16 Thread William Brown
On Wed, 2016-11-16 at 10:24 -0800, Gordon Messmer wrote:
> On 11/16/2016 09:21 AM, Rich Megginson wrote:
> > I suggest you file a ticket at https://fedorahosted.org/389/newticket 
> > and attach this and the other information for tracking.  This doesn't 
> > seem like an issue that will be easily resolved . . . 
> 
> 
> OK.  Is there any other data I can gather right now?  The problem takes 
> a few months to manifest, but once it does it gets pretty bad.  That 
> gives us narrow, rare windows to get useful data.

What's your ioblocktimeout set to?
How many connections are idle on the server?
Are you seeing OOM behaviour or memory not being released to the OS?
What specs are your servers ie cpu and memory, is it ecc memory? 
What kind of disk are they on? Are there issues in dmesg?
Have you configured system activity reporter (sar), and have out from
the same time of disk io, memory usage, cpu etc? 
What's your sysctl setup like?
Have you increased file descriptors for Directory Server?
Have you lowered the TCP close wait timeout?

When I hear of problems like this, I'm always inclined to investigate
the host first, as there is a surprising amount that can affect DS from
the host.

-- 
Sincerely,

William Brown
Software Engineer
Red Hat, Brisbane




Re: USB3 Type C -

2016-11-16 Thread Joe Zeff

On 11/16/2016 12:47 PM, Rick Stevens wrote:
> On 11/16/2016 11:08 AM, Mark Haney wrote:
>> I think his comment was more related to the fact that all USB3 uses the
>> Type-C connectors now.
> Not true. I have USB3 ports on type A connectors on a new mobo.



I don't want to nitpick, but when was that mobo designed?  The new 
connectors might be too recent for it.



Re: USB3 Type C -

2016-11-16 Thread Rick Stevens
On 11/16/2016 11:08 AM, Mark Haney wrote:
> I think his comment was more related to the fact that all USB3 uses the
> Type-C connectors now.  

Not true. I have USB3 ports on type A connectors on a new mobo.

> On Wed, Nov 16, 2016 at 2:01 PM, fred roller  > wrote:
> 
> 
> 
> On Wed, Nov 16, 2016 at 1:43 PM, George N. White III
> > wrote:
> 
> On Wed, Nov 16, 2016 at 1:51 PM, Bob Goodwin
> > wrote:
> 
> 
> I installed a new MSI mainboard about a month ago that has
> four USB3 connectors on the back panel that accept nothing I
> have on hand. Apparently it is known as a "type C"
> connector. How do I deal with this? Googling has not
> produced much useful information, I may not have used the
> right keywords, but I would like to adapt them to the old
> style conventional connectors on my flash drives, cables, etc.
> 
> I know this is not strictly a Fedora problem but it is a
> problem in using my Fedora systems when I can't connect to
> then. I was not aware of the difference before I bought the
> board, would appreciate information on how others have dealt
> with this..
> 
> Bob//
> 
> 
> You could go to the DongleCompany (formerly known as Apple)
> Store.  They recently announced big discounts on the dongles,
> but not sure if you have to
> own one of the current Apple products to qualify,
>  
> 
> 
> [snip]
> 
> " USB Type-C isn’t the same thing as USB 3.1. USB Type-C is just a
> connector shape, and the underlying technology could just be USB 2
> or USB 3.0."
> 
> from:
> 
> http://www.howtogeek.com/211843/usb-type-c-explained-what-it-is-and-why-youll-want-it/
> 
> 
> 
> Just a new standard to replace a multitude of cables including, in
> time, your audio/video cables, printer, data, et al.  This was
> touched on about 10 years ago when developers were talking about the
> use of photonics as a data stream which would push data in the Tb
> ranges and reducing the need of multiple cables to just one for
> everything.  While not directly related it is a step in that
> direction. USB 3.1 (not the type C) reportedly will push about 10
> Gb/s.  As Dave pointed out, adapters will be needed for a spell.
> 
> -- Fred
> 
> 
> 
> 
> 
> 
> 
> -- 
> 
> Mark Haney ::: Senior Systems Engineer
> 
> *VIF* *International Education*
> P.O. Box 3566 ::: Chapel Hill, N.C. 27515 ::: USA
> 919-265-5006 office
> 
> Global learning for all.
> www.viflearn.com 
> Find VIF on Facebook
>  | Twitter
>  | LinkedIn
> 
> 
> Recognized as a ‘Best for the World’
>  B Corp!
> 
> 
> 
> 


-- 
--
- Rick Stevens, Systems Engineer, AllDigitalri...@alldigital.com -
- AIM/Skype: therps2ICQ: 226437340   Yahoo: origrps2 -
--
-Artificial Intelligence usually beats real stupidity.   -
--


Re: USB3 Type C -

2016-11-16 Thread Gordon Messmer

On 11/16/2016 10:43 AM, George N. White III wrote:
> You could go to the DongleCompany (formerly known as Apple) Store.
> They recently announced big discounts on the dongles, but not sure if
> you have to
> own one of the current Apple products to qualify,



There are less expensive options, even after the discount:

http://www.apple.com/shop/product/MJ1M2AM/A/usb-c-to-usb-adapter?fnode=85

http://www.monoprice.com/product?p_id=14841

http://www.monoprice.com/product?p_id=13006



Re: USB3 Type C -

2016-11-16 Thread Mark Haney
I think his comment was more related to the fact that all USB3 uses the
Type-C connectors now.


On Wed, Nov 16, 2016 at 2:01 PM, fred roller  wrote:

>
>
> On Wed, Nov 16, 2016 at 1:43 PM, George N. White III 
> wrote:
>
>> On Wed, Nov 16, 2016 at 1:51 PM, Bob Goodwin 
>> wrote:
>>
>>>
>>> I installed a new MSI mainboard about a month ago that has four USB3
>>> connectors on the back panel that accept nothing I have on hand. Apparently
>>> it is known as a "type C" connector. How do I deal with this? Googling has
>>> not produced much useful information, I may not have used the right
>>> keywords, but I would like to adapt them to the old style conventional
>>> connectors on my flash drives, cables, etc.
>>>
>>> I know this is not strictly a Fedora problem but it is a problem in
>>> using my Fedora systems when I can't connect to then. I was not aware of
>>> the difference before I bought the board, would appreciate information on
>>> how others have dealt with this..
>>>
>>> Bob//
>>>
>>
>> You could go to the DongleCompany (formerly known as Apple) Store.  They
>> recently announced big discounts on the dongles, but not sure if you have to
>> own one of the current Apple products to qualify,
>>
>>
>
> [snip]
>
> " USB Type-C isn’t the same thing as USB 3.1. USB Type-C is just a
> connector shape, and the underlying technology could just be USB 2 or USB
> 3.0."
>
> from:
> http://www.howtogeek.com/211843/usb-type-c-explained-what-it-is-and-why-youll-want-it/
>
> Just a new standard to replace a multitude of cables including, in time,
> your audio/video cables, printer, data, et al.  This was touched on about
> 10 years ago when developers were talking about the use of photonics as a
> data stream which would push data in the Tb ranges and reducing the need of
> multiple cables to just one for everything.  While not directly related it
> is a step in that direction. USB 3.1 (not the type C) reportedly will push
> about 10 Gb/s.  As Dave pointed out, adapters will be needed for a spell.
>
> -- Fred
>
>
>
>


-- 

Mark Haney ::: Senior Systems Engineer
*VIF* *International Education*
P.O. Box 3566 ::: Chapel Hill, N.C. 27515 ::: USA
919-265-5006 office

Global learning for all.
www.viflearn.com
Find VIF on Facebook  |
Twitter  | LinkedIn


Recognized as a ‘Best for the World’
 B Corp!


Re: USB3 Type C -

2016-11-16 Thread fred roller
On Wed, Nov 16, 2016 at 1:43 PM, George N. White III 
wrote:

> On Wed, Nov 16, 2016 at 1:51 PM, Bob Goodwin 
> wrote:
>
>>
>> I installed a new MSI mainboard about a month ago that has four USB3
>> connectors on the back panel that accept nothing I have on hand. Apparently
>> it is known as a "type C" connector. How do I deal with this? Googling has
>> not produced much useful information, I may not have used the right
>> keywords, but I would like to adapt them to the old style conventional
>> connectors on my flash drives, cables, etc.
>>
>> I know this is not strictly a Fedora problem but it is a problem in using
>> my Fedora systems when I can't connect to then. I was not aware of the
>> difference before I bought the board, would appreciate information on how
>> others have dealt with this..
>>
>> Bob//
>>
>
> You could go to the DongleCompany (formerly known as Apple) Store.  They
> recently announced big discounts on the dongles, but not sure if you have to
> own one of the current Apple products to qualify,
>
>

[snip]

" USB Type-C isn’t the same thing as USB 3.1. USB Type-C is just a
connector shape, and the underlying technology could just be USB 2 or USB
3.0."

from:
http://www.howtogeek.com/211843/usb-type-c-explained-what-it-is-and-why-youll-want-it/

Just a new standard to replace a multitude of cables including, in time,
your audio/video cables, printer, data, et al.  This was touched on about
10 years ago when developers were talking about the use of photonics as a
data stream which would push data in the Tb ranges and reducing the need of
multiple cables to just one for everything.  While not directly related it
is a step in that direction. USB 3.1 (not the type C) reportedly will push
about 10 Gb/s.  As Dave pointed out, adapters will be needed for a spell.

-- Fred


Re: USB3 Type C -

2016-11-16 Thread Mark Haney
-- You could go to the DongleCompany (formerly known as Apple) Store.

That's bloody brilliant.  Well done.



On Wed, Nov 16, 2016 at 1:43 PM, George N. White III 
wrote:

> On Wed, Nov 16, 2016 at 1:51 PM, Bob Goodwin 
> wrote:
>
>>
>> I installed a new MSI mainboard about a month ago that has four USB3
>> connectors on the back panel that accept nothing I have on hand. Apparently
>> it is known as a "type C" connector. How do I deal with this? Googling has
>> not produced much useful information, I may not have used the right
>> keywords, but I would like to adapt them to the old style conventional
>> connectors on my flash drives, cables, etc.
>>
>> I know this is not strictly a Fedora problem but it is a problem in using
>> my Fedora systems when I can't connect to then. I was not aware of the
>> difference before I bought the board, would appreciate information on how
>> others have dealt with this..
>>
>> Bob//
>>
>
> You could go to the DongleCompany (formerly known as Apple) Store.  They
> recently announced big discounts on the dongles, but not sure if you have to
> own one of the current Apple products to qualify,
>
>
>>
>>
>> --
>> Bob Goodwin - Zuni, Virginia, USA
>> http://www.qrz.com/db/W2BOD
>> box10  FEDORA-25b/64bit LINUX XFCE Fastmail POP3
>>
>
>
>
> --
> George N. White III 
> Head of St. Margarets Bay, Nova Scotia
>
>
>


-- 

Mark Haney ::: Senior Systems Engineer
*VIF* *International Education*
P.O. Box 3566 ::: Chapel Hill, N.C. 27515 ::: USA
919-265-5006 office

Global learning for all.
www.viflearn.com
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org


[389-users] Re: performance degrades over time on CentOS 7

2016-11-16 Thread Michael Lang

On 11/16/2016 at 7:24 PM, Gordon Messmer wrote:


On 11/16/2016 09:21 AM, Rich Megginson wrote:
I suggest you file a ticket at https://fedorahosted.org/389/newticket 
and attach this and the other information for tracking.  This doesn't 
seem like an issue that will be easily resolved . . . 



OK.  Is there any other data I can gather right now?  The problem 
takes a few months to manifest, but once it does it gets pretty bad.  
That gives us narrow, rare windows to get useful data.


I would monitor the system(s) OS behavior with (for example) collectd, at 
least cpu, memory, load, iowait. Additionally, any query/behavior 
specific monitoring can be implemented using collectd plugins like 
perl/python,
and additionally the generic available stats like those provided through 
cn=snmp,cn=monitor


regards
mIke

example collectd plugin 
/usr/share/collectd/python-plugins/389_monitorstats.py


import collectd
import ldap

# hostname -> port, filled in by configer()
instances    = {}
config       = None
# counters published by 389 DS under cn=snmp,cn=monitor
monitorattrs = ['anonymousbinds', 'unauthbinds', 'simpleauthbinds',
                'strongauthbinds', 'bindsecurityerrors', 'inops', 'readops',
                'compareops', 'addentryops', 'removeentryops', 'modifyentryops',
                'modifyrdnops', 'listops', 'searchops', 'onelevelsearchops',
                'wholesubtreesearchops', 'referrals', 'chainings',
                'securityerrors', 'errors', 'connections', 'connectionseq',
                'bytesrecv', 'bytessent', 'entriesreturned',
                'referralsreturned', 'masterentries', 'copyentries',
                'cacheentries', 'cachehits', 'slavehits']

class LDAPStats(object):
    def __init__(self, hostname=None, port=389, binddn=None, bindpw=None):
        self.hostname = hostname
        self.binddn   = binddn
        self.bindpw   = bindpw
        self.port     = int(port)
        if self.hostname is not None:
            self.__get_stats__()

    def __get_stats__(self):
        # ldap.open() is deprecated; ldap.initialize() takes an LDAP URI
        self.srv = ldap.initialize('ldap://%s:%d' % (self.hostname, self.port))
        if self.binddn is not None:
            self.srv.simple_bind_s(self.binddn, self.bindpw)
        dn, attrs = self.srv.search_s('cn=snmp,cn=monitor',
                                      ldap.SCOPE_BASE,
                                      attrlist=monitorattrs)[0]
        for a in monitorattrs:
            # a negative reading is stored as its absolute value
            setattr(self, a, abs(int(attrs[a][0])))
        # close the connection instead of only dropping the reference
        self.srv.unbind_s()
        del self.srv

    def get_stats(self, hr=False):
        stats = []
        for a in monitorattrs:
            stats.append(int(getattr(self, a)))
        if not hr:
            return stats
        # human readable: (name, value) pairs
        return zip(monitorattrs, stats)

def configer(config):
    global instances
    collectd.debug('Configuring Stuff')
    # config nodes expose: children, key, parent, values
    for c in config.children:
        if c.key == 'server':
            hostname = None
            port     = 389   # default when no port is configured
            for srv in c.children:
                if srv.key == 'hostname':
                    hostname = '.'.join(srv.values)
                elif srv.key == 'port':
                    port = int(srv.values[0])
            if hostname is not None:
                instances[hostname] = port

def initer():
    collectd.debug('initing stuff')

def reader(input_data=None):
    global instances
    for h in instances:
        srv    = LDAPStats(hostname=h, port=instances[h])
        metric = collectd.Values(host=h, type='389monitorstats',
                                 plugin='389monitorstats', type_instance=h)
        # values must be in the same order as the types.db entry
        metric.values = srv.get_stats()
        metric.dispatch()

collectd.register_config(configer)
collectd.register_init(initer)
collectd.register_read(reader)


the corresponding /usr/share/collectd/types.db entry looks as follows

389monitorstats anonymousbinds:COUNTER:0:U, unauthbinds:COUNTER:0:U, 
simpleauthbinds:COUNTER:0:U, strongauthbinds:COUNTER:0:U, 
bindsecurityerrors:COUNTER:0:U, inops:COUNTER:0:U, readops:COUNTER:0:U, 
compareops:COUNTER:0:U, addentryops:COUNTER:0:U, 
removeentryops:COUNTER:0:U, modifyentryops:COUNTER:0:U, 
modifyrdnops:COUNTER:0:U, listops:COUNTER:0:U, searchops:COUNTER:0:U, 
onelevelsearchops:COUNTER:0:U, wholesubtrsearchops:COUNTER:0:U, 
referrals:COUNTER:0:U, chainings:COUNTER:0:U, 
securityerrors:COUNTER:0:U, errors:COUNTER:0:U, connections:DERIVE:U:U, 
connectionseq:COUNTER:0:U, bytesrecv:COUNTER:0:U, bytessent:COUNTER:0:U, 
entriesreturned:COUNTER:0:U, referralsreturned:COUNTER:0:U, 
masterentries:COUNTER:0:U, copyentries:COUNTER:0:U, 
cacheentries:COUNTER:0:U, cachehits:COUNTER:0:U, slavehits:COUNTER:0:U



and collectd configuration  /etc/collectd.d/python.conf

LoadPlugin python

<Plugin python>
    ModulePath "/usr/share/collectd/python-plugins"
    LogTraces true
    Interactive false
    Import "389_monitorstats"

    <Module "389_monitorstats">
        <server>
            hostname localhost
            port 389
        </server>
    </Module>
</Plugin>


___
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
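
The counters read from cn=snmp,cn=monitor in the message above are cumulative, so they only say something once two polls are compared. The following is an added example, not part of the posted plugin or of 389 DS; the snapshot values are constructed, and the function names, thresholds and the reading of bindsecurityerrors as rejected binds are assumptions.

```python
# Added example: compare two polls of the cn=snmp,cn=monitor counters.
# All sample numbers below are constructed for illustration.

BIND_COUNTERS = ("anonymousbinds", "unauthbinds",
                 "simpleauthbinds", "strongauthbinds")


def counter_delta(prev, curr):
    """Increase of a cumulative counter between two polls.

    A reading lower than the previous one is treated as a restart of the
    server (assumption), so the new reading is the increase since then.
    """
    return curr - prev if curr >= prev else curr


def rates(prev, curr, seconds):
    """Per-second rate for every counter present in both snapshots."""
    if seconds <= 0:
        raise ValueError("snapshots must be taken at different times")
    return {name: counter_delta(prev[name], curr[name]) / seconds
            for name in curr if name in prev}


def summarize(prev, curr, seconds, max_failure_ratio=0.2, min_binds=50):
    """Reduce one polling interval to a few figures worth graphing.

    bind_failure_ratio: bindsecurityerrors per counted bind. Assumption:
    bindsecurityerrors counts binds rejected for bad credentials.
    entries_per_search: a rising value points at broader searches.
    alert: True when enough binds were seen and too many of them failed.
    """
    binds = sum(counter_delta(prev[c], curr[c]) for c in BIND_COUNTERS)
    failed = counter_delta(prev["bindsecurityerrors"],
                           curr["bindsecurityerrors"])
    searches = counter_delta(prev["searchops"], curr["searchops"])
    entries = counter_delta(prev["entriesreturned"], curr["entriesreturned"])
    ratio = failed / binds if binds else None
    return {
        "binds_per_s": binds / seconds,
        "bind_failure_ratio": ratio,
        "entries_per_search": entries / searches if searches else None,
        "alert": (ratio is not None and binds >= min_binds
                  and ratio > max_failure_ratio),
    }


# Constructed snapshots taken 60 seconds apart.
PREV = {"anonymousbinds": 100, "unauthbinds": 0, "simpleauthbinds": 5000,
        "strongauthbinds": 10, "bindsecurityerrors": 40,
        "searchops": 20000, "entriesreturned": 60000}
CURR = {"anonymousbinds": 110, "unauthbinds": 0, "simpleauthbinds": 5190,
        "strongauthbinds": 10, "bindsecurityerrors": 140,
        "searchops": 20600, "entriesreturned": 61800}

if __name__ == "__main__":
    print(rates(PREV, CURR, 60))
    print(summarize(PREV, CURR, 60))
```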



Re: USB3 Type C -

2016-11-16 Thread George N. White III
On Wed, Nov 16, 2016 at 1:51 PM, Bob Goodwin  wrote:

>
> I installed a new MSI mainboard about a month ago that has four USB3
> connectors on the back panel that accept nothing I have on hand. Apparently
> it is known as a "type C" connector. How do I deal with this? Googling has
> not produced much useful information, I may not have used the right
> keywords, but I would like to adapt them to the old style conventional
> connectors on my flash drives, cables, etc.
>
> I know this is not strictly a Fedora problem but it is a problem in using
> my Fedora systems when I can't connect to then. I was not aware of the
> difference before I bought the board, would appreciate information on how
> others have dealt with this..
>
> Bob//
>

You could go to the DongleCompany (formerly known as Apple) Store.  They
recently announced big discounts on the dongles, but not sure if you have to
own one of the current Apple products to qualify,


>
>
> --
> Bob Goodwin - Zuni, Virginia, USA
> http://www.qrz.com/db/W2BOD
> box10  FEDORA-25b/64bit LINUX XFCE Fastmail POP3
> ___
> users mailing list -- users@lists.fedoraproject.org
> To unsubscribe send an email to users-le...@lists.fedoraproject.org
>



-- 
George N. White III 
Head of St. Margarets Bay, Nova Scotia
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org


[389-users] Re: performance degrades over time on CentOS 7

2016-11-16 Thread Gordon Messmer

On 11/16/2016 09:21 AM, Rich Megginson wrote:
I suggest you file a ticket at https://fedorahosted.org/389/newticket 
and attach this and the other information for tracking.  This doesn't 
seem like an issue that will be easily resolved . . . 



OK.  Is there any other data I can gather right now?  The problem takes 
a few months to manifest, but once it does it gets pretty bad.  That 
gives us narrow, rare windows to get useful data.

___
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org


Re: USB3 Type C -

2016-11-16 Thread Rick Stevens
On 11/16/2016 09:51 AM, Bob Goodwin wrote:
> 
> I installed a new MSI mainboard about a month ago that has four USB3
> connectors on the back panel that accept nothing I have on hand.
> Apparently it is known as a "type C" connector. How do I deal with this?
> Googling has not produced much useful information, I may not have used
> the right keywords, but I would like to adapt them to the old style
> conventional connectors on my flash drives, cables, etc.
> 
> I know this is not strictly a Fedora problem but it is a problem in
> using my Fedora systems when I can't connect to then. I was not aware of
> the difference before I bought the board, would appreciate information
> on how others have dealt with this..

You will have to get adapters. The type C connector can supply higher
power (100W) than the type A connectors you're used to, and you can
insert it either-way up (it's symmetrical).

Note that the presence of a type C connector does not necessarily mean
you have USB 3 or USB 3.1--it can be used on USB 2.x as well. It's just
a connector and the idea is to get rid of the type A, type B, mini A,
mini B, micro A and micro B connectors and use a single one. USB 3 is
still indicated by a blue connector. USB 3.1 is turquoise (which sucks
as I'm mildly red/green color blind).
--
- Rick Stevens, Systems Engineer, AllDigitalri...@alldigital.com -
- AIM/Skype: therps2ICQ: 226437340   Yahoo: origrps2 -
--
- Political Correctness: The insane doctrine that postulates that it -
- is entirely possible to pick up a turd by the clean end.   -
--
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org


Re: USB3 Type C -

2016-11-16 Thread Dave Stevens

Quoting Bob Goodwin :



I installed a new MSI mainboard about a month ago that has four USB3  
connectors on the back panel that accept nothing I have on hand.  
Apparently it is known as a "type C" connector. How do I deal with  
this? Googling has not produced much useful information, I may not  
have used the right keywords, but I would like to adapt them to the  
old style conventional connectors on my flash drives, cables, etc.


something like this?

http://www.ebay.ca/itm/Type-C-3-1-Male-to-USB2-0-A-Female-Adapter-OTG-Data-Sync-Cable-Adapter-Connector-/401150948673?var==item5d6675b541:m:mtu8YJjsWh2ujtN1DfVCzSg

d



I know this is not strictly a Fedora problem but it is a problem in  
using my Fedora systems when I can't connect to then. I was not  
aware of the difference before I bought the board, would appreciate  
information on how others have dealt with this..


Bob//


--
Bob Goodwin - Zuni, Virginia, USA
http://www.qrz.com/db/W2BOD
box10  FEDORA-25b/64bit LINUX XFCE Fastmail POP3
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org





--
"As long as politics is the shadow cast on society by big business,
the attenuation of the shadow will not change the substance."

-- John Dewey




___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org


USB3 Type C -

2016-11-16 Thread Bob Goodwin


I installed a new MSI mainboard about a month ago that has four USB3
connectors on the back panel that accept nothing I have on hand.
Apparently it is known as a "type C" connector. How do I deal with this?
Googling has not produced much useful information, I may not have used
the right keywords, but I would like to adapt them to the old style
conventional connectors on my flash drives, cables, etc.

I know this is not strictly a Fedora problem but it is a problem in
using my Fedora systems when I can't connect to them. I was not aware of
the difference before I bought the board, would appreciate information
on how others have dealt with this..


Bob//


--
Bob Goodwin - Zuni, Virginia, USA
http://www.qrz.com/db/W2BOD
box10  FEDORA-25b/64bit LINUX XFCE Fastmail POP3
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org


[389-users] Re: performance degrades over time on CentOS 7

2016-11-16 Thread Rich Megginson

On 11/15/2016 05:51 PM, Gordon Messmer wrote:

On 11/15/2016 12:08 PM, Rich Megginson wrote:
It is also useful to get a few stacktraces which will give us 
detailed information about what the server is doing.  For example, if 
you can "catch" the server while it is misbehaving, and get 
stacktraces every second for 10 seconds. 
http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-hangs 



This might be really good news:  In addition to oddly high CPU 
utilization, we sometimes see slapd lock up completely.   I managed to 
catch the server in such a state and get a backtrace. Can you let me 
know if this clarifies the problem at all?


When the server wedged, an ldap client would complete a connect() call 
to establish the connection, write some data, and then hang indefinitely:


connect(3, {sa_family=AF_INET6, sin6_port=htons(389), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = 0
write(3, "0>\2\1\1c9\4\0\n\1\0\n\1\0\2\1\0\2\1\0\1\1\0\207\vobjectclass0\31\4\27supportedSASLMechanisms", 64) = 64
poll([{fd=3, events=POLLIN|POLLPRI}], 1, 4294967295) = ? ERESTART_RESTARTBLOCK (Interrupted by signal)


I'd been running dbmon.sh in a terminal, and it had hung with no 
output for several minutes.  The last thing it printed was rather normal:


dbname          count      free  free%    size
userroot:ent     3607  78692851   75.0  7253.9
userroot:dn      3607  10162827   96.9    89.5


I suggest you file a ticket at https://fedorahosted.org/389/newticket 
and attach this and the other information for tracking.  This doesn't 
seem like an issue that will be easily resolved . . .






___
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org




Re: OT: determining when a pdf file was created/by whom

2016-11-16 Thread William Oliver

On Tue, 2016-11-15 at 23:37 -0800, Samuel Sieb wrote:
> 
> > 
> That information is not necessarily available, but if you right-
> click 
> the document in Nautilus, choose properties and go to the Document
> tab, 
> it will show you the information that is available.
> 

A command-line tool might be pdfinfo -- part of the xpdf package.

billo
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org


[389-users] How to Restrict user authentication per application?

2016-11-16 Thread Mehdi Sarmadi

Hello 


In 389ds ACI, many operations like search,read,write,... can be restricted 
based on evaluating time, ip, dns name, authenticated user and some other 
conditions. 


We have multiple applications which authenticate(bind only) their users with a 
Directory (389ds). 


I need to restrict users from logging on applications based on a policy. For 
example UserA could be logged on App1, and not App2, and so on. 
For that I'm looking for a feature that could be helpful. 


1. 
I thought of a feature in ACI, in which ACI could be defined on Bind 
operations, too. For example we could define an ACI saying users with a filter, 
say (attributeA=App1) or (objectClass=App1User) and fromIP restriction(of the 
server of application App1), allows or denies binding of users. And users + 
apps which are not match in the criteria could not login(they will get err=49 
or Invalid Credential), and those who match could login. 


2. 
I thought of another solution, too, in which by putting users in dynamic 
containers which have bind feature. For example there is a certain type of OU 
which is dynamically filled by users that has certain characteristic, 
- OU=App1,DC=domain,DC=com contains users with (attributeA=App1) or 
(objectClass=App1User). 
- OU=App2,DC=domain,DC=com contains users with (attributeA=App2) or 
(objectClass=App1User). 


In this case I can tell app1 to authenticate UserA against its own 
OU=App1,DC=domain,DC=com contains users, and app2 against 
OU=App2,DC=domain,DC=com. 




I'm wondering if anyone has any idea or had been in the same place. 


Thanks
___
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org


Meet PoisonTap, the $5 tool that ransacks password-protected computers

2016-11-16 Thread Neal Becker
http://arstechnica.com/security/2016/11/meet-poisontap-the-5-tool-that-ransacks-password-protected-computers/

wonder if fedora/linux is vulnerable?
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org


[389-users] Re: subtree password policy problems

2016-11-16 Thread Mark Reynolds


On 11/16/2016 07:06 AM, Alberto Viana wrote:
> Hi,
>
> Anyone? I really need some help on this.
All you should need to do is setup a subtree policy on those OU's, and
those should override the global policy. 

There was a bug, which I cannot seem to find anymore, where this was not
working: Subtree policy was not overriding the global policy.  It was
fixed, but I don't know if the version of 389 that you have has that fix
or not.  Make sure you are on the latest version of 389 that your
platform supports.

If this does not work please file a ticket with the exact steps to
reproduce the problem:

https://fedorahosted.org/389/newticket

Regards,
Mark


> Thanks
>
> On Fri, Nov 4, 2016 at 1:01 PM, Alberto Viana  > wrote:
>
> Hi,
>
> Just to explain better what I need:
>
> Enforce a global password policy with password expiration but
> disable for some specifics OUs (just disable the password expiration).
>
>
>
>
> On Fri, Nov 4, 2016 at 12:54 PM, Alberto Viana
> > wrote:
>
> Hi,
>
> 389-ds: 1.3.4.11
>
> What I Need:
>
> Enforce a global password policy but disable for some
> specifics OUs.
>
> Doc:
> 
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html-single/Administration_Guide/index.html#User_Account_Management-Managing_the_Password_Policy
> 
> 
>
> Everything was working fine but I realized for that specific
> OU that I created a local policy started to storage user
> password as plaintext:
>
> I created the local policy using the script ns-newpwpolicy.pl
>  as below:
>
> /opt/dirsrv/sbin/ns-newpwpolicy.pl 
> -v -D "cn=Directory Manager" -w my_manager_pass -S
> OU=testing,dc=homolog,dc=rnp
>
>  Here's my config:
>
> nsslapd-pwpolicy-local: on (under cn=config)
>
> Double checked using 389 console that under this OU,
> "Fine-grained subtree policy enabled" is set on.
>
>
> ldapsearch  -b
> 
> 'cn="cn=nsPwTemplateEntry,OU=testing,dc=homolog,dc=rnp",cn=nsPwPolicyContainer,OU=testing,dc=homolog,dc=rnp'
> -D "cn=Directory Manager" -x -W '(objectclass=ldapsubentry)'
> # extended LDIF
> #
> # LDAPv3
> # base
> 
> 

[389-users] Re: subtree password policy problems

2016-11-16 Thread Alberto Viana
Hi,

Anyone? I really need some help on this.

Thanks

On Fri, Nov 4, 2016 at 1:01 PM, Alberto Viana  wrote:

> Hi,
>
> Just to explain better what I need:
>
> Enforce a global password policy with password expiration but disable for
> some specifics OUs (just disable the password expiration).
>
>
>
>
> On Fri, Nov 4, 2016 at 12:54 PM, Alberto Viana 
> wrote:
>
>> Hi,
>>
>> 389-ds: 1.3.4.11
>>
>> What I Need:
>>
>> Enforce a global password policy but disable for some specifics OUs.
>>
>> Doc: https://access.redhat.com/documentation/en-US/Red_Hat_Direct
>> ory_Server/10/html-single/Administration_Guide/index.
>> html#User_Account_Management-Managing_the_Password_Policy
>>
>> Everything was working fine but I realized for that specific OU that I
>> created a local policy started to storage user password as plaintext:
>>
>> I created the local policy using the script ns-newpwpolicy.pl as below:
>>
>> /opt/dirsrv/sbin/ns-newpwpolicy.pl -v -D "cn=Directory Manager" -w
>> my_manager_pass -S OU=testing,dc=homolog,dc=rnp
>>
>>  Here's my config:
>>
>> nsslapd-pwpolicy-local: on (under cn=config)
>>
>> Double checked using 389 console that under this OU, "Fine-grained
>> subtree policy enabled" is set on.
>>
>>
>> ldapsearch  -b 'cn="cn=nsPwTemplateEntry,OU=t
>> esting,dc=homolog,dc=rnp",cn=nsPwPolicyContainer,OU=testing,dc=homolog,dc=rnp'
>> -D "cn=Directory Manager" -x -W '(objectclass=ldapsubentry)'
>> # extended LDIF
>> #
>> # LDAPv3
>> # base