[389-users] Re: SSO and 389

2022-03-12 Thread Olivier JUDITH
Hi,

In my previous work, I have deployed an SSO solution based on Keycloak
(https://www.keycloak.org) and 389 as backend ldap.
It handles more than 3000 accounts and groups updated mostly from an
ActiveDirectory.
The 389 was also used as Unix/Linux ldap authentication.

Regards,



On Wed, 26 Jan 2022 at 12:05, N R wrote:

> Hi,
>
> I've done some SAML SSO integrations and work regularly with FreeIPA.
>
> SSO is usually handled via a protocol like SAML, OpenID or Shibboleth,
> FreeIPA only serves as LDAP Identity database in these architectures.
> Our deployments used a "proxy" to handle these authentications and link
> them with LDAP, SimpleSAMLPHP.
>
> The implementation also depends a lot on the way you want to do SSO,
> centralized, federated, or cooperative.
>
> I would recommend to take a look at simplesamlphp documentation as it
> supports almost every SSO protocols and can easily be integrated to proxy
> SSO web requests.
>
> Regards,
> Nicolas
>
>
>
> On Mon, 10 Jan 2022 at 19:50, Jonathan Aquilina wrote:
>
>> Good Evening,
>>
>>
>>
>> I am just wondering can 389 along side free ipa be used to offer SSO
>> capabilities?
>>
>>
>>
>> Regards,
>>
>> Jonathan
>> ___
>> 389-users mailing list -- 389-users@lists.fedoraproject.org
>> To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
>> Fedora Code of Conduct:
>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>> https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
>> Do not reply to spam on the list, report it:
>> https://pagure.io/fedora-infrastructure
>>


[389-users] Re: Monitoring 389ds with telegraf

2019-09-19 Thread Olivier JUDITH
Hi ,

Thanks for your support
Is it possible to have a version of your container from Dockerhub
(firstyear/389ds) with availability to set Directory Manager default
password ?
I need this for CircleCi testing phases after a push on Github.

Regards

On Fri, 6 Sep 2019 at 01:59, William Brown wrote:

>
>
> > On 6 Sep 2019, at 05:28, Olivier JUDITH  wrote:
> >
> > Hi all ,
> >
> > For all those who are interested , i started to develop with the help of
> Marco Favero  a monitoring solution based on  telegraf to gather
> metrics from my 389 instances .
> > All metrics are stored in influxdb ( timeseries db) and can be
> visualized on Grafana.
> >
> > The code source is available here  :
> https://github.com/influxdata/telegraf/pull/5691
> > Grafana Dashboard is here : https://grafana.com/grafana/dashboards/10587
>
> >
>
> That's super cool! Great work on this, it makes me want to setup Grafana
> now so I can play with this.
>
> Thanks!
>
>
> > Regards
>
> —
> Sincerely,
>
> William Brown
>
> Senior Software Engineer, 389 Directory Server
> SUSE Labs


[389-users] Re: Docker official image

2019-09-08 Thread Olivier JUDITH
Hi,

Great !!
Do you have documentation regarding this image? I used the opensuse/leap:15
image in a kubernetes deployment and I'm wondering if the same variables are used
for this one.

Regards

On Mon, 9 Sep 2019 at 00:42, William Brown wrote:

>
>
> > On 7 Sep 2019, at 06:38, Olivier JUDITH  wrote:
> >
> > Hi William ,
> >
> > I'm running docker image FROM opensuse/leap:15 .
> > I launched the command :
> > dsconf ldap://localhost:3389 -D 'cn=directory manager' -w xx backend create --suffix dc=domain,dc=net --be-name UserData
> >
> > it finished successfully , but i still cannot see the suffix .
> >
> > So i added ACI
> >
> > dn: dc=thecos,dc=net
> > changetype: add
> > objectClass: domain
> > objectClass: top
> > dc: thecos
> > aci: (targetattr!="userPassword")(version 3.0; acl "Enable anonymous access"
> >  ; allow (read, search, compare) userdn="ldap:///anyone";)
> > aci: (targetattr ="*")(version 3.0;acl "Directory Administrators Group";allo
> >  w (all) (groupdn = "ldap:///cn=Directory Administrators, dc=thecos,dc=net")
> >  ;)
> >
> > Now i can see root suffix from Apache Directory Studio
> > Thanks for your help
>
> No problem. I think that using the opensuse/leap:15 image directly and
> installing 389 isn't the easiest way any more. We've had a lot of
> development in this space recently so you could try:
>
> https://hub.docker.com/r/389ds/dirsrv
>
> We have some other updates in the pipeline to smooth out some user
> experience details found in that release candidate.
>
> Otherwise, glad to have helped get you working with ADS.
>
> >
> > Rgds
>
> —
> Sincerely,
>
> William Brown
>
> Senior Software Engineer, 389 Directory Server
> SUSE Labs


[389-users] Re: Docker official image

2019-09-06 Thread Olivier JUDITH
Hi William , 

I'm running docker image FROM opensuse/leap:15 . 
I launched the command :
dsconf ldap://localhost:3389 -D 'cn=directory manager' -w xx backend create --suffix dc=domain,dc=net --be-name UserData

it finished successfully , but i still cannot see the suffix . 

So i added ACI 

dn: dc=thecos,dc=net
changetype: add
objectClass: domain
objectClass: top
dc: thecos
aci: (targetattr!="userPassword")(version 3.0; acl "Enable anonymous access"
 ; allow (read, search, compare) userdn="ldap:///anyone";)
aci: (targetattr ="*")(version 3.0;acl "Directory Administrators Group";allo
 w (all) (groupdn = "ldap:///cn=Directory Administrators, dc=thecos,dc=net")
 ;)

Now i can see root suffix from Apache Directory Studio
Thanks for your help

Rgds
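
The anonymous-access ACI in the entry above is a deny-list: it grants read, search and compare on every attribute except userPassword to clients that have not bound. As an added example (not code from this thread or from the 389 project), the Python sketch below unfolds an LDIF, parses its ACIs and flags that pattern; the function names, rule labels and the allow-list variant are this example's own, and both sample entries are constructed from the one posted.

```python
import base64
import re

# Constructed sample: the suffix entry posted above, with LDIF line folding kept.
SAMPLE_LDIF = """\
dn: dc=thecos,dc=net
changetype: add
objectClass: domain
objectClass: top
dc: thecos
aci: (targetattr!="userPassword")(version 3.0; acl "Enable anonymous access"
 ; allow (read, search, compare) userdn="ldap:///anyone";)
aci: (targetattr ="*")(version 3.0;acl "Directory Administrators Group";allo
 w (all) (groupdn = "ldap:///cn=Directory Administrators, dc=thecos,dc=net")
 ;)
"""

# Constructed alternative: anonymous clients may read only the attributes named.
ALLOWLIST_LDIF = """\
dn: dc=thecos,dc=net
aci: (targetattr="dc || objectClass")(version 3.0; acl "Anonymous read";
 allow (read, search, compare) userdn="ldap:///anyone";)
"""

TARGETATTR = re.compile(r'\(\s*targetattr\s*(!?=)\s*"([^"]*)"\s*\)', re.I)
ACL_NAME = re.compile(r'\bacl\s+"([^"]*)"', re.I)
PERMISSION = re.compile(r'\b(allow|deny)\s*\(([^)]*)\)', re.I)
SUBJECT = re.compile(r'\b(userdn|groupdn|roledn)\s*(!?=)\s*"([^"]*)"', re.I)
MODIFY_RIGHTS = {"write", "add", "delete", "selfwrite", "proxy", "all"}


def unfold(ldif):
    """Join LDIF continuation lines (a leading single space) to their parent."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def extract_acis(ldif):
    """Return [(dn, aci_text)] for every aci value in the LDIF."""
    dn, found = None, []
    for line in unfold(ldif):
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        if key == "dn":
            dn = value
        elif key == "aci":
            found.append((dn, value))
    return found


def parse_aci(aci):
    """Pull out the parts of one ACI that the audit rules look at."""
    ta, name, perm = TARGETATTR.search(aci), ACL_NAME.search(aci), PERMISSION.search(aci)
    return {
        "name": name.group(1) if name else "",
        "attr_op": ta.group(1) if ta else None,
        "attrs": [a.strip() for a in ta.group(2).split("||")] if ta else [],
        "type": perm.group(1).lower() if perm else None,
        "rights": {r.strip().lower() for r in perm.group(2).split(",")} if perm else set(),
        # Only positive bind rules count as "who is granted access".
        "subjects": [u.strip().lower() for _, op, v in SUBJECT.findall(aci)
                     if op == "=" for u in v.split("||")],
    }


def audit(ldif):
    """Return [(dn, acl_name, rule)] for allow ACIs that apply to unauthenticated clients."""
    findings = []
    for dn, aci in extract_acis(ldif):
        p = parse_aci(aci)
        if p["type"] != "allow" or "ldap:///anyone" not in p["subjects"]:
            continue
        if p["attr_op"] == "!=":
            # A deny-list covers every attribute not named, including ones added later.
            findings.append((dn, p["name"], "anonymous-denylist"))
        elif "*" in p["attrs"]:
            findings.append((dn, p["name"], "anonymous-all-attributes"))
        if p["rights"] & MODIFY_RIGHTS:
            findings.append((dn, p["name"], "anonymous-modify-rights"))
    return findings


if __name__ == "__main__":
    for dn, name, rule in audit(SAMPLE_LDIF):
        print("%s: acl %r -> %s" % (dn, name, rule))
```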


[389-users] Monitoring 389ds with telegraf

2019-09-05 Thread Olivier JUDITH
Hi all , 

For all those who are interested , i started to develop with the help of Marco 
Favero  a monitoring solution based on  telegraf to gather metrics 
from my 389 instances . 
All metrics are stored in influxdb ( timeseries db) and can be visualized on 
Grafana. 

The source code is available here:
https://github.com/influxdata/telegraf/pull/5691
Grafana Dashboard is here : https://grafana.com/grafana/dashboards/10587  

Regards


[389-users] Re: Docker official image

2019-09-05 Thread Olivier JUDITH
Hi all,

I'm back on this topic,
Can you tell me with the docker image how to create the root suffix ?
I tried this step but nothing appears in the Apache Directory server IDE

ldapmodify -a -D "cn=Directory manager" -w mypass -p 3389 -h 10.109.139.63 -x
dn: cn="dc=domain,dc=net",cn=mapping tree,cn=config
changetype: add
cn: dc=domain,dc=net
objectclass: top
objectclass: extensibleObject
objectclass: nsMappingTree
nsslapd-state: backend
nsslapd-backend: UserData

Regards


[389-users] Re: NSX/F5 Load Balancing Health Checks

2019-06-18 Thread Olivier JUDITH
Hi ,

There's a ldap monitor for F5 but you need the right Big-IP version
see : https://support.f5.com/csp/article/K17472

On my side i use only tcp for the monitor on port 636/389

Regards

On Tue, 18 Jun 2019 at 10:43, William Brown wrote:

>
>
> > On 17 Jun 2019, at 18:59, Mailvaganam, Hari 
> wrote:
> >
> > Hi:
> >
> > At the moment we perform TCP health check via F5 on ports 389/636
> (historical inheritance) – which isn’t sufficient for HA.
> >
> > We are moving to an env where NSX and F5 may co-exist – and have an
> opportunity to re-work the LB health check for HA (on existing F5 and
> upcoming NSX).
> >
> > If running NSX and/or F5 (or other load balancers) – how do you
> determine health on ldap node?
>
> What methods does the F5 support for checks? I think it could be valuable
> to understand this, because if we could supply some healthchecking systems
> or advice from upstream, this would help people like yourself.
>
>
>
> >
> > We have 2 read/write (1 active at given time) – replicating to N
> read-only nodes.
>
> —
> Sincerely,
>
> William Brown
>
> Senior Software Engineer, 389 Directory Server
> SUSE Labs


[389-users] Re: Docker official image

2019-06-18 Thread Olivier JUDITH
You can read more here

https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/

On Tue, 18 Jun 2019 at 10:44, William Brown wrote:

>
>
> > On 17 Jun 2019, at 16:25, Olivier JUDITH  wrote:
> >
> > From my understanding readiness operates when the pod starts.
> > If it doesn't reach the replica your pods will never initialize.
> > An option (for k8s) can be another container (in the pod)
> "389-ds-headless" which will do all the steps required to enable
> replication.
> >
> > > Okay - how does the content of secrets.yaml get sent to the process
> running in the container?
> > By files or by variables but are always present in the container.
> >
> > To enable replicas, k8s provides the StatefulSet controller, which is
> better to manage multiple instances/replication.
>
> Is there some documentation on this I could have a look at? It would be
> good for me to understand to help advise on this, because dynamic scaling
> of replicas is something I'd really love to see supported in k8s and
> upstream so we can provide a really good experience for people :)
>
> I think it's time for me to setup k8s at home again to learn this .
>
> >
> > Regards
> >
> >
> > On Mon, 17 Jun 2019 at 13:57, aravind gosukonda wrote:
> > >
> > > Is there also a way in k8s that when an event occurs (IE a new
> container is launched in a
> > > pod) that a program can be called in existing containers? (This way we
> can automate
> > > replica addition/removal)
> > >
> > What I'm planning to do is to use readiness probes, which can be
> scripts, to handle dynamic configuration of replicas. I haven't seen any
> way that enables existing containers to know when a new container has been
> launched or an old container deleted.
> >
> > Regards,
> > Aravind G
>
> —
> Sincerely,
>
> William Brown
>
> Senior Software Engineer, 389 Directory Server
> SUSE Labs


[389-users] Re: Docker official image

2019-06-17 Thread Olivier JUDITH
From my understanding readiness operates when the pod starts.
If it doesn't reach the replica your pods will never initialize.
An option (for k8s) can be another container (in the pod) "389-ds-headless"
which will do all the steps required to enable replication.

> Okay - how does the content of secrets.yaml get sent to the process
> running in the container?
By files or by variables but are always present in the container.

To enable replicas, k8s provides the StatefulSet controller, which is better
to manage multiple instances/replication.

Regards


On Mon, 17 Jun 2019 at 13:57, aravind gosukonda wrote:

> >
> > Is there also a way in k8s that when an event occurs (IE a new container
> is launched in a
> > pod) that a program can be called in existing containers? (This way we
> can automate
> > replica addition/removal)
> >
> What I'm planning to do is to use readiness probes, which can be scripts,
> to handle dynamic configuration of replicas. I haven't seen any way that
> enables existing containers to know when a new container has been launched
> or an old container deleted.
>
> Regards,
> Aravind G


[389-users] Re: Docker official image

2019-06-13 Thread Olivier JUDITH
Of course,

Yaml files are strictly dedicated to kubernetes object definition and
deployment (like deployment.yaml for service on docker). They are not to be
included in docker container.

In fact, the best is to create a folder "k8s" and move them into it.

In order to create the container/pod on kubernetes you have to launch :

kubectl create -f 389-ds-container/kube/* with all yaml files in kube folder

In interactive mode :

kubectl run 389-ds-container --image=registry.opensuse.org/home/firstyear/containers/389-ds-container:latest --port=3389


389-ds-container/
├── Dockerfile
├── other files/folders required for Docker image creation
└── k8s
    ├── 389-ds-container.yaml
    ├── secrets.yaml
    ├── service.yaml
    └── storage.yaml

389-ds-container => (I made a mistake, the name should be
389-ds-container.yaml) is the kubernetes pod declaration on k8s. It defines
what volumes, environment variables, resource limits and more are required to
start the container on the kube cluster. This file will use the image
created and pushed on the registry of your choice.

service.yaml => creates a kube service which will allow external access to
the pod (container). On kubernetes you cannot access your container/pod
directly. You have to implement a service. In my case I created a ClusterIP,
which means that the service is only available inside the kubernetes cluster
(can be changed). Other modes are NodePort or LoadBalancer (available only
when your k8s cluster is hosted on a CloudProvider). A service allows
load balancing natively if you have many pods up (ie with MMR).

secrets.yaml => all stuff like passwords or certificates that can be
defined like variables but are mounted in the pod/container and can be used
like files or variables. It's an equivalent of a secret in Docker. I defined
there my own fake certificates in order to inject them with certutil in the
pods instead of the self-signed one.

storage.yaml => the definition of my volume in the k8s world. I created a
pv (Persistent volume) which uses a physical storage type, filesystem in
my case, but it can be another kind of storage (NFS, gluster, iscsi, FC…); the user
has to provide a pv with the same name whatever the kind of storage.

Then a PVC (PersistentVolumeClaim), which will bind the volume defined with
the name and the size required.


> A better idea may be to have dscontainer take a set of PEM files and then
> load them to your certificate store on startup instead rather than the
> current method of certificate handling.

Yes I agree, but if you want to read them at startup you have to provide
them somewhere accessible from the container. The best, I think, is the
secret.


On Thu, 13 Jun 2019 at 16:15, William Brown wrote:

> Most of those look pretty reasonable. Can you describe to me the workflow
> and how those yaml files interact with k8s and how they are associated to
> the container? Do they need to be in the docker file? Or something else?
>
> Thanks!
>
>
> > On 13 Jun 2019, at 15:21, Olivier JUDITH  wrote:
> >
>
> —
> Sincerely,
>
> William Brown
>
> Senior Software Engineer, 389 Directory Server
> SUSE Labs


[389-users] Re: Docker official image

2019-06-13 Thread Olivier JUDITH
Hi William,

here is a tgz

Regards

On Thu, 13 Jun 2019 at 10:43, William Brown wrote:

>
>
> > On 13 Jun 2019, at 00:12, Olivier JUDITH  wrote:
> >
> > Hi William,
> >
> > This is my first release (See attachment). Just a pod for the moment,
> statefulset for the future and perhaps helm package afterward.
>
> Sadly I'm not able to open your attachment - could you provide it as
> tar.xz or zip instead of 7z?
>
> > In my configuration i create a secret for directory manager and for
> certificates (not used yet)
> > Your python code is really what i was looking for. Indeed in my previous
> attempts, i was stuck because i'm seeking for a way to start DS create
> certificate, set SSL configuration before restart the container.
> > However in order to go further, i would like to allow to set root
> password, root suffix, instance name and certificates from k8s secrets
> or/and configMap . To do that we need to change your current dscontainer
> python script and read values from variables/files (ie : see /certs folder
> in the container)
>
> Actually, I'd rather read these from environment variables so that docker
> -e DM_PW=... works as a syntax without needing *another* config file. But
> yes, the ability to set these from the environment is an open issue on the
> project, and one I really want to look at.
>
> There is no root suffix by default, by design, so that you have to
> configure one once the container is running. That's how the suffix is
> handled. Additionally, the instance name is static, and there is actually
> no benefit to allowing this to be configured, and would actually make
> container building harder (there are symlinks in the slapd-localhost folder
> of the docker image, so we assume the instance name). The instance name
> really really does nothing but allow human separation, and in our case,
> docker is our separation layer!
>
> Using certs and secrets from k8s would certainly be something the python
> tool can work with, and would be good to have these able to do it. A better
> idea may be to have dscontainer take a set of PEM files and then load them
> to your certificate store on startup instead rather than the current method
> of certificate handling.
>
> The python source is:
> https://pagure.io/389-ds-base/blob/master/f/src/lib389/cli/dscontainer
>
> >
> > Waiting for your wiki on lib389 python package.
>
> Great! I have just pushed an update to the git master dockerfile:
>
> https://pagure.io/389-ds-base/pull-request/50441
>
> I have updated the OBS image at docker pull
> registry.opensuse.org/home/firstyear/containers/389-ds-container:latest
> however it appears to require some code changes from master, so this will
> "start working" later, and we plan to start auto-building these images as
> network:ldap is updated in SUSE.
>
> The wiki page is here, and I'm updating it today to include details about
> the dscontainer tool.
>
> http://www.port389.org/docs/389ds/design/docker.html
>
>
>
> >
> > Regards
> >
> > On Wed, 12 Jun 2019 at 10:19, William Brown wrote:
> >
> >
> > > On 12 Jun 2019, at 01:40, Olivier JUDITH  wrote:
> > >
> > > Hi,
> > >
> > > Thanks for the link,
> > > i tried to run your image but the container fails after few seconds .
> > > Seems that you forgot to create /var/run/dirsrv folder in Dockerfile .
> >
> > There are some other errors in it too which I have found :)
> >
> > >
> > > the server crashes with :
> > > DEBUG: DEBUG: starting with ['/usr/sbin/ns-slapd', '-D',
> '/etc/dirsrv/slapd-localhost', '-i', '/var/run/dirsrv/slapd-localhost.pid']
> > > CRITICAL: Error: Failed to start DS, removing incomplete
> installation...
> > > Failed to connect to bus: No such file or directory
> > > Failed to connect to bus: No such file or directory
> > > Traceback (most recent call last):
> > >  File "/usr/lib/python3.6/site-packages/lib389/instance/setup.py",
> line 654, in create_from_args
> > >self._install_ds(general, slapd, backends)
> > >  File "/usr/lib/python3.6/site-packages/lib389/instance/setup.py",
> line 862, in _install_ds
> > >ds_instance.start(timeout=60)
> > >  File "/usr/lib/python3.6/site-packages/lib389/__init__.py", line
> 1170, in start
> > >raise ValueError('Failed to start DS')
> > > ValueError: Failed to start DS
> > >
> > > It works fine now,
> > > I start to write my k8s configuration .
> >
> > Fantastic - can you post to me what you are doing with k8s so I can
> 
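
The startup step discussed in this thread (Directory Manager password and PEM files handed to the container from a Kubernetes secret, as files or as variables), sketched in Python as an added example; it is not dscontainer's code. `DM_PW` is the variable name used as an illustration in the reply above and `/certs` the folder mentioned there; the `DM_PW_FILE` convention, the function names and the warning texts are assumptions of this example, and it only classifies PEM blocks without importing them into a certificate store.

```python
import base64
import os
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s+(.*?)\s+-----END \1-----", re.S)


def read_setting(name, environ):
    """Return (value, source) for NAME, preferring the file named by NAME_FILE."""
    path = environ.get(name + "_FILE")
    if path:
        with open(path, encoding="utf-8") as fh:
            # Secret files often end with a newline that is not part of the value.
            value, source = fh.read().rstrip("\r\n"), "file"
    else:
        value, source = environ.get(name, ""), "env"
    if not value:
        raise ValueError("%s is empty or unset" % name)
    return value, source


def scan_pem_dir(cert_dir):
    """Classify every PEM block under cert_dir; return (certs, keys, warnings)."""
    certs, keys, warnings = [], [], []
    for entry in sorted(os.listdir(cert_dir)):
        path = os.path.join(cert_dir, entry)
        # Kubernetes secret volumes contain "..data" style bookkeeping entries.
        if entry.startswith(".") or not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        for label, body in PEM_BLOCK.findall(text):
            try:
                base64.b64decode("".join(body.split()), validate=True)
            except ValueError:
                warnings.append("%s: %s block is not valid base64" % (entry, label))
                continue
            if label == "CERTIFICATE":
                certs.append(entry)
            elif label.endswith("PRIVATE KEY"):
                keys.append((entry, label))
                # os.stat follows the symlinks a secret volume uses.
                if os.stat(path).st_mode & 0o077:
                    warnings.append("%s: private key readable by group/other" % entry)
    return certs, keys, warnings


def load_startup_config(environ, cert_dir="/certs"):
    """Collect what the container needs before the directory server starts."""
    password, source = read_setting("DM_PW", environ)
    warnings = []
    if source == "env":
        warnings.append("DM_PW came from the environment; it is visible in "
                        "'docker inspect' and /proc/<pid>/environ")
    certs, keys = [], []
    if os.path.isdir(cert_dir):
        certs, keys, pem_warnings = scan_pem_dir(cert_dir)
        warnings += pem_warnings
    if bool(certs) != bool(keys):
        warnings.append("certificate and private key must be supplied together")
    return {"dm_password": password, "certs": certs, "keys": keys,
            "warnings": warnings}


if __name__ == "__main__":
    try:
        cfg = load_startup_config(os.environ)
    except ValueError as exc:
        print("startup aborted: %s" % exc)
    else:
        # Never print the password itself.
        print("certs=%s keys=%s" % (cfg["certs"], [k for k, _ in cfg["keys"]]))
        for line in cfg["warnings"]:
            print("warning: " + line)
```

With a secret volume, setting `defaultMode: 0400` on the mount is what clears the key-permission warning, since the files are otherwise created group- and world-readable.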

[389-users] Re: Docker official image

2019-06-12 Thread Olivier JUDITH
Hi William,

This is my first release (See attachment). Just a pod for the moment,
statefulset for the future and perhaps helm package afterward.
In my configuration i create a secret for directory manager and for
certificates (not used yet)
Your python code is really what i was looking for. Indeed in my previous
attempts, i was stuck because i'm seeking for a way to start DS create
certificate, set SSL configuration before restart the container.
However in order to go further, i would like to allow to set root password,
root suffix, instance name and certificates from k8s secrets or/and
configMap . To do that we need to change your current dscontainer python
script and read values from variables/files (ie : see /certs folder in the
container)

Waiting for your wiki on lib389 python package.

Regards

On Wed, 12 Jun 2019 at 10:19, William Brown wrote:

>
>
> > On 12 Jun 2019, at 01:40, Olivier JUDITH  wrote:
> >
> > Hi,
> >
> > Thanks for the link,
> > i tried to run your image but the container fails after few seconds .
> > Seems that you forgot to create /var/run/dirsrv folder in Dockerfile .
>
> There are some other errors in it too which I have found :)
>
> >
> > the server crashes with :
> > DEBUG: DEBUG: starting with ['/usr/sbin/ns-slapd', '-D',
> '/etc/dirsrv/slapd-localhost', '-i', '/var/run/dirsrv/slapd-localhost.pid']
> > CRITICAL: Error: Failed to start DS, removing incomplete installation...
> > Failed to connect to bus: No such file or directory
> > Failed to connect to bus: No such file or directory
> > Traceback (most recent call last):
> >  File "/usr/lib/python3.6/site-packages/lib389/instance/setup.py", line
> 654, in create_from_args
> >self._install_ds(general, slapd, backends)
> >  File "/usr/lib/python3.6/site-packages/lib389/instance/setup.py", line
> 862, in _install_ds
> >ds_instance.start(timeout=60)
> >  File "/usr/lib/python3.6/site-packages/lib389/__init__.py", line 1170,
> in start
> >raise ValueError('Failed to start DS')
> > ValueError: Failed to start DS
> >
> > It works fine now,
> > I start to write my k8s configuration .
>
> Fantastic - can you post to me what you are doing with k8s so I can
> review?
>
> > If you can just remind me where i can find documentation on lib389 used
> in your dscontainer python script ?
>
> There is not documentation today as it's designed for system integrators,
> and it's still a bit work in progress - I'm actually planning to work on it
> this week and I will resolve this issue and others ASAP.
>
> I can write something for the wiki this week to help :)
>
>
> >
> > Keep you informed
>
> —
> Sincerely,
>
> William Brown
>
> Senior Software Engineer, 389 Directory Server
> SUSE Labs


share.7z
Description: application/7z-compressed


[389-users] Re: What Do I Need?

2019-06-12 Thread Olivier JUDITH
Hi,

This is how I manage my servers.
Each host is a group in my ldap entries; I also create groups of hosts as
groups in ldap (ie: cn=webservers).
On each machine I have deployed sssd-ldap with a ldap_access_filter =
(|(cn=admgrp,...)(cn=webservers,ou=...)(cn=devops,ou=...))
The admgrp group contains all admin users...

When I deploy a machine I launch an Ansible playbook that sets the right
group in the sssd.conf file according to my inventory, then creates the group on my
ldap server.

You only have to declare users in groups or nested groups.

Hope that can help

On Wed, 12 Jun 2019 at 10:17, William Brown wrote:

>
>
> > On 12 Jun 2019, at 04:25, Eugene Poole  wrote:
> >
> > I need to control users and groups of users to provide them access to
> specific machines.  Once our machine number went above 15 controlling who
> has access to what machines has become difficult.
>
> So you mention that you have some windows machines here too, is that
> correct? Are the machines workstations or servers? You have some linux
> machines too?
>
> >
> > Gene
> >
> > On 6/10/2019 4:11 AM, William Brown wrote:
> >>
> >>> On 7 Jun 2019, at 23:53, Eugene Poole  wrote:
> >>>
> >>> I'm trying to upgrade my environment and I've reinstalled my CentOS
> machines to CentOS 7 except for one.  I've got my DNS for my LAN working
> just fine.  So now it's time for Directory Server.
> >>>
> >>> What is a GOOD tutorial to follow? My environment includes 26 physical
> and KVM virtual machines; 4 Windows 7 machines and 1 ArcaOS (OS/2) machine.
> What is a DS configuration to go for?
> >> I think the better thing to ask is what do you want to achieve here?
> What's your ideal setup for integrating each of these clients, and what
> information do you want to make available to them? I think that would help
> me to advise on "what next" for you :)
> >>
> >>
> >>
> >>> TIA
> >>>
> >>> --
> >>> Eugene Poole
> >>> Woodstock, Georgia
> >> —
> >> Sincerely,
> >>
> >> William Brown
> >>
> >> Senior Software Engineer, 389 Directory Server
> >> SUSE Labs
> >
> > --
> > Eugene Poole
> > Woodstock, Georgia
>
> —
> Sincerely,
>
> William Brown
>
> Senior Software Engineer, 389 Directory Server
> SUSE Labs
>
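The per-host access filter described in the message above, as an added example that is not part of the original post: it builds `ldap_access_filter` from an inventory and escapes every group name so that an inventory value cannot change the shape of the filter. The group names, base DN, hosts, domain name and the use of `memberOf` (which needs the memberOf plugin on the directory) are assumptions.

```python
# Added example: build the per-host SSSD access filter from an inventory.
# All names below (groups, base DN, domain name, hosts) are constructed.

GROUP_BASE = "ou=Groups,dc=example,dc=com"   # assumed location of host groups
ADMIN_GROUP = "admgrp"                       # admins may log in everywhere
INVENTORY = {                                # host -> groups allowed to log in
    "web01": ["webservers", "devops"],
    "db01": ["dbservers", "admgrp"],
}


def escape_rdn_value(value):
    """Escape a string for use as an RDN value (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value):
    """Escape a string for use as an assertion value in a filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def group_dn(cn):
    """Return the DN of a host group below GROUP_BASE."""
    if not cn:
        raise ValueError("empty group name")
    return "cn=%s,%s" % (escape_rdn_value(cn), GROUP_BASE)


def access_filter(host, inventory=INVENTORY):
    """Return the ldap_access_filter for one host.

    The admin group always comes first. A host missing from the inventory
    gets the admin group only, so a typo never widens access.
    """
    groups = [ADMIN_GROUP]
    for cn in inventory.get(host, []):
        if cn not in groups:          # keep order, drop duplicates
            groups.append(cn)
    terms = ["(memberOf=%s)" % escape_filter_value(group_dn(cn)) for cn in groups]
    return "(|%s)" % "".join(terms)


def sssd_domain_section(host, domain="example"):
    """Render the access-control lines of the [domain/...] section."""
    return "\n".join([
        "[domain/%s]" % domain,
        "access_provider = ldap",
        "ldap_access_order = filter",
        "ldap_access_filter = %s" % access_filter(host),
        "",
    ])


if __name__ == "__main__":
    for host in sorted(INVENTORY):
        print(sssd_domain_section(host))
```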


[389-users] Re: Docker official image

2019-06-11 Thread Olivier JUDITH
Hi, 

Thanks for the link,
I tried to run your image but the container fails after a few seconds.
It seems that you forgot to create the /var/run/dirsrv folder in the Dockerfile.

The server crashes with:
DEBUG: DEBUG: starting with ['/usr/sbin/ns-slapd', '-D', '/etc/dirsrv/slapd-localhost', '-i', '/var/run/dirsrv/slapd-localhost.pid']
CRITICAL: Error: Failed to start DS, removing incomplete installation...
Failed to connect to bus: No such file or directory
Failed to connect to bus: No such file or directory
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/lib389/instance/setup.py", line 654, in create_from_args
    self._install_ds(general, slapd, backends)
  File "/usr/lib/python3.6/site-packages/lib389/instance/setup.py", line 862, in _install_ds
    ds_instance.start(timeout=60)
  File "/usr/lib/python3.6/site-packages/lib389/__init__.py", line 1170, in start
    raise ValueError('Failed to start DS')
ValueError: Failed to start DS

It works fine now;
I am starting to write my k8s configuration.
If you can just remind me where I can find documentation on lib389 used in your
dscontainer python script?

I will keep you informed.


[389-users] Docker official image

2019-06-10 Thread Olivier JUDITH
Hi all, 

Do you provide an official docker image for 389 ?
I plan to deploy MMR on Kubernetes .
Any advice/link ?


[389-users] Re: Referential Integrity and moving subtree to another parent fails

2019-02-21 Thread Olivier JUDITH
Hi,

After several tests (replication disabled / memberOf plugin activated on member
and uniquemember attributes), the problem is not bound to the number of
entries. I encounter the same behavior when moving only one account. The
problem occurs when an entry is attached to a group (has a memberOf attribute).


[389-users] Re: Referential Integrity and moving subtree to another parent fails

2019-02-21 Thread Olivier JUDITH
Hi William

Can you check with an MMR topology and the memberOf plugin activated? Also, I use
uniqueMember instead of member for groups.

Regards


On Thu, 21 Feb 2019 at 05:19, William Brown wrote:

> Sorry, this formatted, poorly. Find attached,
>
>
>
> > On 21 Feb 2019, at 14:17, William Brown  wrote:
> >
> >
> >
> >> On 21 Feb 2019, at 13:12, William Brown  wrote:
> >>
> >>
> >>
> >>> On 21 Feb 2019, at 08:57, Olivier JUDITH  wrote:
> >>>
> >>> Hi,
> >>>
> >>> I'm moving many ou to one level up
> >>> ou=SITE1,ou=BU,ou=Account,dc=...
> >>> ou=SITE2,ou=BU,ou=Account,dc=...
> >>> to
> >>> ou=SITE1,ou=Account,dc=..
> >>> ou=SITE2,ou=Account,dc=...
> >>>
> >>> Don't want OU=BU anymore.
> >>>
> >>> ou=SITE1,ou=Account,dc=... has less than 100 entries it works fine
> >>> ou=SITE2,ou=Account,dc=... has more than 400 entries , works randomly.
> Today i succeeded to move it (after instance restart) . So i tried another
> OU with more than 1000 entries and i got the
> >>> same error.
> >>
> >> I am going to attempt to reproduce this, and I will report the results
> to you tomorrow :)
> >
> > Hey there,
> >
> > I can’t reproduce this. A likely explanation could be that it affects
> versions less than 1.4.x (which is what I was testing against).
> > Here is the test case. Can you check that it matches your expectations?
> It may look a bit foreign as it’s based on our python lib389 suite:
> >
> > # --- BEGIN COPYRIGHT BLOCK ---
> > # Copyright (C) 2019 William Brown 
> > # All rights reserved.
> > #
> > # License: GPL (version 3 or any later version).
> > # See LICENSE for details.
> > # --- END COPYRIGHT BLOCK ---
> > #
> >
> >
> > from lib389._constants import DEFAULT_SUFFIX
> > from lib389.topologies import topology_st
> >
> > from lib389.idm.group import Groups
> > from lib389.idm.user import nsUserAccounts
> > from lib389.idm.organizationalunit import OrganizationalUnit as OrganisationalUnit
> >
> > from lib389.plugins import AutoMembershipPlugin, ReferentialIntegrityPlugin, AutoMembershipDefinitions
> >
> >
> > def test_rename_large_subtree(topology_st):
> >     """
> >     A report stated that the following configuration would lead
> >     to an operation failure:
> >
> >     ou=int,ou=account,dc=...
> >     ou=s1,ou=int,ou=account,dc=...
> >     ou=s2,ou=int,ou=account,dc=...
> >
> >     rename ou=s1 to re-parent to ou=account, leaving:
> >
> >     ou=int,ou=account,dc=...
> >     ou=s1,ou=account,dc=...
> >     ou=s2,ou=account,dc=...
> >
> >     The ou=s1 if it has < 100 entries below, is able to be reparented.
> >
> >     If ou=s1 has > 400 entries, it fails.
> >
> >     Other conditions was the presence of referential integrity - so one would
> >     assume that all users under s1 are a member of some group external to this.
> >
> >     :id: 5915c38d-b3c2-4b7c-af76-8a1e002e27f7
> >
> >     :setup: standalone instance
> >
> >     :steps: 1. Enable automember plugin
> >             2. Add < 500 users, and ensure they are members of a group.
> >             3. Enable refer-int plugin
> >             4. Move ou=s1 to a new parent
> >
> >     :expectedresults:
> >             1. The plugin is enabled
> >             2. The users are members of the group
> >             3. The plugin is enabled
> >             4. The rename operation of ou=s1 succeeds
> >     """
> >
> >     st = topology_st.standalone
> >
> >     # Create a default group
> >     gps = Groups(st, DEFAULT_SUFFIX)
> >     # Keep the group so we can get its DN out.
> >     group = gps.create(properties={
> >         'cn': 'default_group'
> >     })
> >
> >     # Enable automember
> >     amp = AutoMembershipPlugin(st)
> >     amp.enable()
> >
> >     # Create the automember definition
> >     automembers = AutoMembershipDefinitions(st)
> >
> >     automember = automembers.create(properties={
> >         'cn': 'testgroup_definition',
> >         'autoMemberScope': DEFAULT_SUFFIX,
> >         'autoMemberFilter': 'objectclass=nsAccount',
> >         'autoMemberDefaultGroup': group.dn,
> >         'autoMemberGroupingAttr': 'member:dn',
> >     })
> >
> >     # Enable referint
> >     rip = ReferentialIntegrit

[389-users] Re: Referential Integrity and moving subtree to another parent fails

2019-02-20 Thread Olivier JUDITH
Hi,

I'm moving many ou to one level up
ou=SITE1,ou=BU,ou=Account,dc=...
ou=SITE2,ou=BU,ou=Account,dc=...
to
ou=SITE1,ou=Account,dc=..
ou=SITE2,ou=Account,dc=...

Don't want OU=BU anymore.

ou=SITE1,ou=Account,dc=... has less than 100 entries it works fine
ou=SITE2,ou=Account,dc=... has more than 400 entries , works randomly.
Today I succeeded in moving it (after an instance restart). So I tried another
OU with more than 1000 entries and I got the
same error.

Regards

On Wed, 20 Feb 2019 at 23:44, William Brown wrote:

> We would need to test this scenario, but it could very likely be a bug in
> the server.
>
> To be sure the conditions you have here are:
>
> ou=start,dc=…
> ou=destination,dc=…
>
> In ou=start you have 800+ entries.
>
> Then you are doing a modrdn of ou=start to ou=start,ou=destination,dc=…,
> and the error condition occurs?
>
> Is this correct?
>
> > On 21 Feb 2019, at 02:49, Olivier JUDITH  wrote:
> >
> > Hi,
> >
> > I have activated Referential Integrity plugin on my instance in order to
> move several OU to a new parent subtree. Also to update automatically
> uniqueMember attribute defined in group member .
> > It works fine with few user entries under some OU but fails when the OU
> contains more than 400 entries or sometimes more than 800.
> > The error from the 389-console is :
> > ou=UNITA, OU=Accounts,dc=mydomain,dc=com: netscape.ldap.LDAPException:
> error result (1); Operations error.
> > In error file
> > [20/Feb/2019:17:37:59.123749991 +0100] - ERR - ldbm_back_modrdn -
> SLAPI_PLUGIN_BE_TXN_POST_MODRDN_FN plugin returned error but did not set
> SLAPI_RESULT_CODE
> >
> > After this error the OU : UNITA, OU=Accounts,dc=mydomain,dc=com is not
> visible from 389-console . I have to restart the instance in order to
> recover the OU.
> >
> > Did i miss something in my configuration or do i have to set a specific
> parameter to support big entries ?
> >
> > My installation : 389DS 1.3.6 .
>
> —
> Sincerely,
>
> William Brown
> Software Engineer, 389 Directory Server
> SUSE Labs
>


[389-users] Referential Integrity and moving subtree to another parent fails

2019-02-20 Thread Olivier JUDITH
Hi, 

I have activated the Referential Integrity plugin on my instance in order to move
several OUs to a new parent subtree. Also to automatically update the uniqueMember
attribute defined in group member.
It works fine with a few user entries under some OUs but fails when the OU
contains more than 400 entries, or sometimes more than 800.
The error from the 389-console is:
ou=UNITA, OU=Accounts,dc=mydomain,dc=com: netscape.ldap.LDAPException: error result (1); Operations error.
In the error file:
[20/Feb/2019:17:37:59.123749991 +0100] - ERR - ldbm_back_modrdn - SLAPI_PLUGIN_BE_TXN_POST_MODRDN_FN plugin returned error but did not set SLAPI_RESULT_CODE

After this error the OU: UNITA, OU=Accounts,dc=mydomain,dc=com is not visible
from 389-console. I have to restart the instance in order to recover the OU.

Did I miss something in my configuration, or do I have to set a specific
parameter to support big entries?

My installation: 389DS 1.3.6.
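A dry run for the move described in the message above, as an added example that is not part of the original thread: it lists which uniqueMember values a reference-updating plugin would have to rewrite when a subtree is re-parented, comparing DNs RDN by RDN rather than as raw strings. The suffix dc=example,dc=com, the groups and the users are constructed, and multi-valued RDNs are assumed not to occur.

```python
# Added example: preview which uniqueMember values a subtree move affects.
# Suffix, groups and users are constructed sample data.

def _trim(rdn):
    """Drop padding around an RDN, but keep an escaped trailing space."""
    rdn = rdn.lstrip()
    return rdn if rdn.endswith("\\ ") else rdn.rstrip()


def split_dn(dn):
    """Split a DN into RDN strings, honouring backslash escapes (RFC 4514)."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])   # keep the escaped pair together
            i += 2
            continue
        if ch == ",":
            rdns.append(_trim("".join(cur)))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append(_trim("".join(cur)))
    return rdns


def norm(dn):
    """Comparison form: case-insensitive, no spaces around '='."""
    out = []
    for rdn in split_dn(dn):
        attr, _, value = rdn.partition("=")
        out.append("%s=%s" % (attr.strip().lower(), value.strip().lower()))
    return out


def is_under(dn, subtree):
    """True if dn is the subtree entry itself or lies below it."""
    d, s = norm(dn), norm(subtree)
    return len(d) >= len(s) and d[len(d) - len(s):] == s


def rebase(dn, old_subtree, new_superior):
    """Return dn as it reads after old_subtree is re-parented, or None."""
    if not is_under(dn, old_subtree):
        return None
    rdns = split_dn(dn)
    keep = len(rdns) - len(split_dn(old_subtree)) + 1   # up to the moved RDN
    return ",".join(rdns[:keep] + split_dn(new_superior))


def plan_move(groups, old_subtree, new_superior):
    """Map each affected group DN to its (old, new) uniqueMember pairs."""
    plan = {}
    for group_dn, members in groups.items():
        changes = []
        for member in members:
            new = rebase(member, old_subtree, new_superior)
            if new is not None:
                changes.append((member, new))
        if changes:
            plan[group_dn] = changes
    return plan


OLD_SUBTREE = "ou=SITE1,ou=BU,ou=Account,dc=example,dc=com"
NEW_SUPERIOR = "ou=Account,dc=example,dc=com"
GROUPS = {   # constructed: group DN -> uniqueMember values
    "cn=staff,ou=Groups,dc=example,dc=com": [
        "uid=alice,ou=SITE1,ou=BU,ou=Account,dc=example,dc=com",
        "UID=bob, OU=site1, OU=bu, OU=account, DC=example, DC=com",
        "cn=Smith\\, J,ou=SITE1,ou=BU,ou=Account,dc=example,dc=com",
        "uid=carol,ou=SITE2,ou=BU,ou=Account,dc=example,dc=com",
    ],
    "cn=site2-only,ou=Groups,dc=example,dc=com": [
        "uid=carol,ou=SITE2,ou=BU,ou=Account,dc=example,dc=com",
    ],
}

if __name__ == "__main__":
    for group, changes in plan_move(GROUPS, OLD_SUBTREE, NEW_SUPERIOR).items():
        print("%s: %d value(s) to rewrite" % (group, len(changes)))
        for old, new in changes:
            print("  - %s\n  + %s" % (old, new))
```

Running it against an export of the real groups before the modrdn gives the number of references each move touches, which is useful to record next to the error-log line when reporting the failure.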


[389-users] Re: Setting an attribute value automatically according to some rule

2019-02-19 Thread Olivier JUDITH
Sorry, I forgot my makefile.
To be honest, I use the example provided in the documentation.
For testing, I've deployed the compiled plugin on my local instance.
# Makefile for Directory Server plug-in examples
#
CC = gcc
LD = gcc
CFLAGS = -fPIC -I /usr/include/nspr4 -Wall
LDFLAGS = -shared -z defs -L/usr/lib64/dirsrv -lslapd
OBJS = mycodesaslbind.o mycodeextendedop.o mycodepreop.o mycodepostop.o mycodeentry.o
all: mycode-plugin.so
# Link the objects into the plug-in that "all" and "clean" refer to
mycode-plugin.so: $(OBJS)
	$(LD) $(LDFLAGS) -o $@ $(OBJS)
.c.o:
	$(CC) $(CFLAGS) -c $<
clean:
	-rm -f $(OBJS) mycode-plugin.so

On Wed, 20 Feb 2019 at 01:04, William Brown wrote:

>
>
> > On 20 Feb 2019, at 09:56, Olivier JUDITH  wrote:
> >
> > Hi William
> >
> > It's a simple testing code not finished yet but i think it could help
> beginners like me
> > Don't be cruel with me, I'm not a C programmer.
>
> We do our best here to be constructive and helpful, not cruel. Thanks for
> providing your code! I’ll review it and give feedback if you would like,
>
> > The goal here is to create 4 new attributes aCode, bCode,
> aCodeHash, bCodeHash every time a new entry is added.
> > A step to add is how to filter by kind of entry or by DN.
>
> Great!
>
> When you were compiling it, what steps did you take? How did you perform
> testing?
>
> Thanks :)
>
> >
> > On Mon, 18 Feb 2019 at 02:26, William Brown wrote:
> > Yeah, I don’t think cos can do templating.
> >
> > If you would be willing Oliver, would you submit your code to the
> project, and allow it to be made generic? That could help quite a few
> people out with similar queries.
> >
> > > On 17 Feb 2019, at 00:20, Olivier JUDITH  wrote:
> > >
> > > Hi ,
> > >
> > > There is a way to add attribute to user entry automatically called CoS
> . You can take a look on this link
> > >
> https://access.redhat.com/documwanentation/en-us/red_hat_directory_server/9.0/html/administration_guide/advanced_entry_management-assigning_class_of_service
> > >
> > > But afaik you cannot add an email based on the uid except if CoS
> support macros like ACI. To do that you have to create your own plugin see :
> https://access.redhat.com/documentation/en-us/red_hat_directory_server/9.0/html/plug-in_guide/
> > > I did the same for another kind of attribute.
> > > It works fine for me
> > >
> > >
> > > On Sat, 16 Feb 2019 at 14:29, Rosario Esposito <rosario.espos...@na.infn.it> wrote:
> > >
> > > Hello,
> > > let's say whenever I create a new entry:
> > >
> > > uid=myuser,ou=people,dc=example,dc=com
> > >
> > > I would like this entry to have the attribute:
> > >
> > > mail: myu...@example.com
> > >
> > > (i.e. the value of 'mail' should be automatically set to the value of
> > > 'uid' + '@example.com')
> > >
> > > Is there a way for 389ds to do this task automatically ?
> > >
> > >
> > > Thanks,
> > > --
> > > Rosario Esposito
> > > System Administrator
> > > INFN - Napoli
> > > Phone: +39 081 676170
> > > Email: rosario.espos...@na.infn.it
> >
> > —
> > Sincerely,
> >
> > William Brown
> > Software Engineer, 389 Directory Server
> > SUSE Labs
>

[389-users] Re: Setting an attribute value automatically according to some rule

2019-02-19 Thread Olivier JUDITH
Hi William

It's simple testing code, not finished yet, but I think it could help
beginners like me.
Don't be cruel with me, I'm not a C programmer.
The goal here is to create 4 new attributes aCode, bCode,
aCodeHash, bCodeHash every time a new entry is added.
A step to add is how to filter by kind of entry or by DN.

On Mon, 18 Feb 2019 at 02:26, William Brown wrote:

> Yeah, I don’t think cos can do templating.
>
> If you would be willing Oliver, would you submit your code to the project,
> and allow it to be made generic? That could help quite a few people out
> with similar queries.
>
> > On 17 Feb 2019, at 00:20, Olivier JUDITH  wrote:
> >
> > Hi ,
> >
> > There is a way to add attribute to user entry automatically called CoS .
> You can take a look on this link
> >
> https://access.redhat.com/documwanentation/en-us/red_hat_directory_server/9.0/html/administration_guide/advanced_entry_management-assigning_class_of_service
> >
> > But afaik you cannot add an email based on the uid except if CoS support
> macros like ACI. To do that you have to create your own plugin see :
> https://access.redhat.com/documentation/en-us/red_hat_directory_server/9.0/html/plug-in_guide/
> > I did the same for another kind of attribute.
> > It works fine for me
> >
> >
> > On Sat, 16 Feb 2019 at 14:29, Rosario Esposito <rosario.espos...@na.infn.it> wrote:
> >
> > Hello,
> > let's say whenever I create a new entry:
> >
> > uid=myuser,ou=people,dc=example,dc=com
> >
> > I would like this entry to have the attribute:
> >
> > mail: myu...@example.com
> >
> > (i.e. the value of 'mail' should be automatically set to the value of
> > 'uid' + '@example.com')
> >
> > Is there a way for 389ds to do this task automatically ?
> >
> >
> > Thanks,
> > --
> > Rosario Esposito
> > System Administrator
> > INFN - Napoli
> > Phone: +39 081 676170
> > Email: rosario.espos...@na.infn.it
>
> —
> Sincerely,
>
> William Brown
> Software Engineer, 389 Directory Server
> SUSE Labs
>
#include 
#include 
#include "dirsrv/slapi-plugin.h"
#include 

/* function prototypes */
int myCode_init( Slapi_PBlock *pb );
int myCode_setIdHash( Slapi_PBlock *pb );
int myCode_setHash( Slapi_PBlock *pb );

static const char *aCodeAttr = "aCode";
static const char *bCodeAttr = "bCode";
static const char *aCodeHashAttr = "aCodeHash";
static const char *bCodeHashAttr = "bCodeHash";

char *aCodeHashValue = "DuibLy8uRZ0I51bfOQA==";
char *bCodeHashValue = "DuibLy8uRZ0I51bfOQA==";


/* Description of the plug-in */
Slapi_PluginDesc plugindesc = { "Company-Code", "example.com", "0.1","pre-operation to add Code attributes" };

/* 
 * Initialization function
 *
 * This function registers your plug-in function as a
 * pre-operation search function in the Directory Server.
 * You need to specify this initialization function in the
 * server configuration file so that the server calls
 * this initialization function on startup. 
 */

#ifdef _WIN32
__declspec(dllexport)
#endif

int mySetCode_init( Slapi_PBlock *pb ) 
{
/* Specify the version of the plug-in ( "03" in this release ) */
if (slapi_pblock_set( pb, SLAPI_PLUGIN_VERSION, SLAPI_PLUGIN_VERSION_03 ) != 0 ||

/* Specify the 

[389-users] Re: Setting an attribute value automatically according to some rule

2019-02-16 Thread Olivier JUDITH
Hi ,

There is a way to add an attribute to a user entry automatically, called CoS.
You can take a look at this link:
https://access.redhat.com/documwanentation/en-us/red_hat_directory_server/9.0/html/administration_guide/advanced_entry_management-assigning_class_of_service

But AFAIK you cannot add an email based on the uid except if CoS supports
macros like ACI. To do that you have to create your own plugin, see:
https://access.redhat.com/documentation/en-us/red_hat_directory_server/9.0/html/plug-in_guide/
I did the same for another kind of attribute.
It works fine for me.


On Sat, 16 Feb 2019 at 14:29, Rosario Esposito wrote:

>
> Hello,
> let's say whenever I create a new entry:
>
> uid=myuser,ou=people,dc=example,dc=com
>
> I would like this entry to have the attribute:
>
> mail: myu...@example.com
>
> (i.e. the value of 'mail' should be automatically set to the value of
> 'uid' + '@example.com')
>
> Is there a way for 389ds to do this task automatically ?
>
>
> Thanks,
> --
> Rosario Esposito
> System Administrator
> INFN - Napoli
> Phone: +39 081 676170
> Email: rosario.espos...@na.infn.it
>


[389-users] Re: Change of IP on 389-server

2019-02-15 Thread Olivier JUDITH
Hi, you can grep for your_old_ip in the /etc/dirsrv/admin-serv directory,
then replace it with the new IP.

Look at these files:
console.conf: Listen XXX.XXX.XXX.XXX
local.conf: configuration.nsserveraddress:


[389-users] Re: Allow filters through PTA Plugin

2019-01-05 Thread Olivier JUDITH
Hi William,

I will be glad to help, it will just take some time to write as required
for your wiki page.
Will be done soon

Rgds


[389-users] Re: Allow filters through PTA Plugin

2018-12-14 Thread Olivier JUDITH
Hi all,

Here is my doc on how to enable Pam-PassThrough + SSSD :
https://drive.google.com/open?id=0B_f1ipCCCREXd0RqN09CRFFzNWh1UUZjR0RNaElJREVIX0RJ

Regards


[389-users] Re: Force users to modify their passwords

2018-12-14 Thread Olivier JUDITH
Hi,

I don't think that you can use this parameter to request your users to
change their password from the Zimbra application.
I don't know how Zimbra manages user access, but AFAIK Zimbra is a PHP
application or something like this that queries LDAP through binding and a
language-specific LDAP API.
To do what you requested, the Zimbra LDAP call must be able to check user
account expiration and request a change.

I used to set this option for Unix users with PAM, which queries LDAP.

Hope that helps.

On Fri, 14 Dec 2018 at 18:38, wodel youchi wrote:

> Hi,
>
> We have 389DS as our main directory server, and we use it with many
> applications.
> recently we moved our mail application to Zimbra. Zimbra can use an
> external LDAP server for authentication, and we did configure that and it
> works.
>
> In 389DS, in password policy configuration, there is the check-box to
> force a user to change his password on the first login, we did try it but,
> without success.
>
> Could this parameter be used to force users to change their passwords?
>
> Regards.
>
>
>


[389-users] Re: How to install an external certificate

2018-12-14 Thread Olivier JUDITH
Hi you can add your certificate by using certutil or via 389 console.
Look at these urls :

https://access.redhat.com/documentation/en-us/red_hat_directory_server/9.0/html/administration_guide/managing_ssl-using_certutil

https://directory.fedoraproject.org/docs/389ds/howto/howto-ssl-archive.html

Regards


On Fri, 14 Dec 2018 at 18:33, wodel youchi wrote:

> Hi,
>
> Any suggestions?
>
> Regards.
>
>
>
> On Mon, 10 Dec 2018 at 00:01, wodel youchi wrote:
>
>> Hi,
>>
>> I have an external certificate : the certificate file, the key file and
>> CA file.
>>
>> How can I install this certificate on 389DS? especially how can I specify
>> to the dirsrv my key file?
>>
>> Regards.
>>
>


[389-users] Re: Allow filters through PTA Plugin

2018-11-28 Thread Olivier JUDITH
Hi William

Did you receive my doc on PAM PTA ?

rgds


[389-users] Re: cn or uid preferred in DNs?

2018-11-28 Thread Olivier JUDITH
Hello

Good news if it's working.
I think that uid is mostly used.

Rgds

On Thu, 29 Nov 2018 at 00:39, Alistair Cunningham wrote:

> Is it best practice to use "cn=,ou=..." or
> "uid=,ou=..." in DNs? What are the advantages and
> disadvantages of each?
>
> --
> Alistair Cunningham
> +1 888 468 3111
> +44 20 799 39 799
> https://enswitch.com/


[389-users] Re: Limiting access to same ou

2018-11-26 Thread Olivier JUDITH
Hi,

I'm using the Red Hat documentation at this link:
https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html-single/plug-in_guide/index


Regards

On Mon, 26 Nov 2018 at 05:46, Alistair Cunningham wrote:

> On 25/11/2018 11:44, Olivier JUDITH wrote:
> > From my point of view, the easiest way to solve this is to set a
> > search filter on the OU corresponding to the tenant on each phone.
> > Can you modify the software on the phone?
>
> Unfortunately not. The telephone handset firmware is written by various
> third parties, and we have no access to it.
>
> This would also be insecure. Anyone with the username and password of a
> telephone and who could use an LDAP client such as LDAP search could
> bypass the filter to see all the users in all the tenants (i.e. every ou).
>
> > The other way could be by creating a 389 plugin that adds a filter on
> > the right OU based on the DN of the user who makes the call to the LDAP.
>
> That might be an option. Do you know where I can find documentation on
> how to do this?
>
> --
> Alistair Cunningham
> +1 888 468 3111
> +44 20 799 39 799
> https://enswitch.com/


[389-users] Re: Limiting access to same ou

2018-11-24 Thread Olivier JUDITH
Hi,

From my point of view, the easiest way to solve this is to set a search filter
on the OU corresponding to the tenant on each phone.
Can you modify the software on the phone?

The other way could be by creating a 389 plugin that adds a filter on the right
OU based on the DN of the user who makes the call to the LDAP.

Rgds


[389-users] Re: User cannot change it's own password

2018-11-22 Thread Olivier JUDITH
Hi,

Does your user have rights to write the userPassword attribute?
What do you have in the server log /var/log/dirsrv/dirsrv@/errors
file?

rgds


[389-users] Re: Problem with replication over SSL

2018-11-22 Thread Olivier JUDITH
Hi,

I think it is because the CRL of my certificate has expired, but I don't
understand how the server controls this setting.
I encountered the same problem on my production and staging systems.
Where is the CRL set in the 389 server? I have to renew it. But the graphical
interface for certificates doesn't work.

Regards 


[389-users] Problem with replication over SSL

2018-11-21 Thread Olivier JUDITH
Hi,

I'm running two instances with master/master replication with SSL.
It worked fine so far, then recently I noticed errors like this:

[21/Nov/2018:10:22:34.754594972 +0100] - DEBUG - NSMMReplicationPlugin - 
bind_and_check_pwp - agmt="cn=ReplicationAgreement" (ldap02srv:636) - 
Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP 
server) (error:14090086:SSL routines:ssl3_get_server_certificate:certificate 
verify failed (unable to get certificate CRL)).

I have also noticed that replication of some attributes does not work correctly.
I have checked my certificate and I have no CRL defined in the server's certificate.

Can someone help?


[389-users] Re: Allow filters through PTA Plugin

2018-11-20 Thread Olivier JUDITH
Hi,

OK, I'll do that soon.
For the moment I'm trying to finish my plugin development.

Regards.


[389-users] Re: Auto add attributes when entries are created

2018-11-20 Thread Olivier JUDITH
Hi,

Sorry, I read the documentation several times but still don't catch how I can
gather values from newly added user entries, generate new values from them, then
put them in CoS templates.
Did I miss something?
For instance, I add a new user with a filled attribute employeeID. I want to
gather its value, then concatenate it with another number and put it in another
attribute already declared in my own schema.
Are you sure I can do that with CoS?


[389-users] Re: Allow filters through PTA Plugin

2018-11-19 Thread Olivier JUDITH
Hi,

It is possible. I'm using PAM PTA to authenticate AD users from an SSO
application.
It works perfectly. The configuration is SSO app +> 389 + SSSD -> AD.
As mentioned by Mark Reynolds, use PAM PTA and filter with pamFilter.

Contact me if you need more information.


[389-users] Re: Auto add attributes when entries are created

2018-11-18 Thread Olivier JUDITH
Thank you for your reply.

I'm not a C developer and I prefer Python, but I'll try to write my plugin.
It's a challenge for me. I started to read the plugin development documentation on
the Red Hat page.
From my understanding I have to call SLAPI_PLUGIN_POST_ADD_FN, right?

If I use a CoS template, can I add a specific value? I would like to add a
generated value into these attributes.

I'll come back to you for your advice.

Thanks again!!


[389-users] Auto add attributes when entries are created

2018-11-18 Thread Olivier JUDITH
Hi,

I would like to add 2 new attributes to every newly created entry in my 389
servers. In these attributes I would like to add calculated values for initial
user information.
Is it possible to do that without developing a new plugin?
In case I have to write a new plugin, which languages does 389 support?
Does something like triggers in a database exist in 389?