We set up a few 389 Directory Server instances and set up replication among
them. Each instance has its own internal logs. We need to centralize all the
logs to one place by using syslog-ng. I learned a new configuration
nsslapd-logging-backend -
Hi Mark,
You are right. I figured out the ACI to add is:
(targetattr="userPassword") (version 3.0; acl "Allow proxyagent updating their
password"; allow (write)
userdn="ldap:///cn=proxyagent,ou=profile,dc=mycompany,dc=com";)
I used LDIF file to add above to the ACI attribute for
I set up Self Service Password Tool.
https://ltb-project.org/documentation/self-service-password. I configured a
bind DN for password reset.
$ldap_binddn = "cn=proxyagent,ou=profile,dc=mycompany,dc=com";
$ldap_bindpw = "mypassword";
I'm getting "Password was refused by the LDAP directory
Does 389 directory server support Two Factor Authentication? Can it be
integrated with Google Authenticator?
- Xinhuan
___
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to
= 2
debug_level = 5
domains = LOCAL,MYLDAP
reconnection_retries = 3
sbus_timeout = 30
services = nss,pam,ssh
- Xinhuan
On Wednesday, February 27, 2019, 7:42:38 PM EST, William Brown
wrote:
> On 28 Feb 2019, at 05:22, xinhuan zheng wrote:
>
> Hello,
>
> I have been struggling wi
Hello,
I have been struggling with this problem for a while. When a user changed their
password, our 389 directory servers received new password and saved into
directory server. However, when user tries to login to a server whose
authentication is using 389 directory server, their new password
passwordMaxAge can be expressed by days. I set it to 60 (days) before and it
did work as expected. The only thing that blocks me is when password needs to
change. My hope is that upon user being prompted for changing password and
doing so, the passwordexpirationtime would be changed accordingly
Hello,
I have setup password policy for user account to enforce a few things:
passwordchange: on
passwordchecksyntax: on
passwordexp: on
passwordlockout: on
passwordlockoutduration: 180
passwordmaxage: 7
passwordmaxfailure: 3
passwordmustchange: on
passwordwarning: 518400
With that policy on a
I found that the admin console is using wrong host ip. I must use ldapmodify
command to change admin config then restart admin-server
Hi All,
Today I just found when I click "Manage Certificate" in administration console,
I got an error. Below is the error message:
An error has occured.
Could not open file (null). File does not exist or filename is invalid. A
filename that exists in the server security directory must be
Hello,
I received the announcement on Friday about 389-ds-base upgrade. Below is the
short excerpt from the email:
---
389 Directory Server 1.3.5.13
The 389 Directory Server team is proud to announce 389-ds-base version 1.3.5.13.
Fedora packages are available from the Fedora 24, 25 and
I finally found my problem. Our uid starts with a lower number so I have to
change system-auth and password-auth the uid number from 500 to ours. Password
policy worked as expected then.
I found more information today.
First -
I found
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/account-usability.html,
so I have added aci to the oid.
dn: oid=1.3.6.1.4.1.42.2.27.9.5.8,cn=features,cn=config
changetype: modify
add: aci
Good Afternoon William,
Yes, it does help a lot. Thanks.
- xinhuan
Later on I used command:
/usr/lib64/dirsrv/slapd-cbdds1/ns-newpwpolicy.pl -D "cn=directory manager" -w -
-U "uid=xinhuan,ou=people,dc=christianbook,dc=com"
The script works fine with below output:
adding new entry "cn=nsPwPolicyContainer,ou=people,dc=christianbook,dc=com"
adding new entry
Hi All,
I am having difficulty to make managing user password policy working. I want to
use local per-user based password policy. Here is the configuration I use:
container configuration -
dn: cn=nsPwPolicyContainer,ou=people,dc=christianbook,dc=com
objectClass: top
objectClass: nsContainer
he 389 Directory server project.
<389-users@lists.fedoraproject.org>
Sent: Sunday, June 12, 2016 5:22 PM
Subject: [389-users] Re: 389 directory server wildcard certificate
On Sun, 2016-06-12 at 16:39 +0000, xinhuan zheng wrote:
> I need to deploy multiple 389 directory server instances
I need to deploy multiple 389 directory server instances into production
environment. I want to know if 389 directory server supports wildcard server
certificate. Currently the subject for my instance is:
Subject: "CN=dmdev1.christianbook.com,OU=389 Directory Server"
When using wildcard, it
Hello,
I need to create certificate signing request file that can be sent to
certificate authority vendors, like GoDaddy, etc. I have two questions:
1) The certutil command line output a CSR file which has different format than
the CSR file generated using 389-console the GUI. The main
With that explanation, if I install console into a server different than the
server the directory server instance runs on, while Admin Server (http) is
installed on the server the directory server runs on, is it possible? In
other words, can console be separate installation into another
I want to understand more about 389 directory server. There is an administrative
console, 389-console, appearing to be a complete GUI written in Java. There is
another process, httpd.worker. When I launch the 389-console, I need to type in
(3) information. The administrative cn, bind passwor,
Hello Mr. Brown,
I found that the procedure you give me is part of my problem. I ended up with
running remove-ds-admin.pl command then re-create my directory server instance
and admin server instance. Luckily I kept answers file and ldif data. I also
re-run the setupssl2.sh script. Since this
Hello Mr. Brown,
I used below ldapsearch command:
ldapsearch -d 5 -H ldaps://labd1.christianbook.com -x -D "cn=Directory
Manager" -w** -s base -b "" objectclass=*
I got below result:
ldap_url_parse_ext(ldaps://labd1.christianbook.com)
ldap_create
Hello,
I can't get my 389 directory server secure connection to work. The process is
started. But I can't do any ldapsearch, nor get 389 console to work. Can I get
my non-secure connection work then start all over again from scratch?
- xinhuan
Hello William,
The slapd was down by itself for some reason. Below is from error file this
afternoon.
[07/Apr/2016:13:36:33 -0400] - slapd started. Listening on All Interfaces port
389 for LDAP requests
[07/Apr/2016:13:36:33 -0400] - Listening on All Interfaces port 636 for LDAPS
requests
Hello All,
I screwed up my 389 directory server console authentication today because I
need to set up TLS secure connections. I first started reading this document:
http://directory.fedoraproject.org/docs/389ds/howto/howto-ssl.html. The
document refers to a nice shell script from github:
I have an old directory server running Sun One Java System Directory Service.
Yesterday I created top dcobject - dc=christianbook,dc=com, however, I don't
know what the best way is to import data from my old Sun Directory Server to
389 Directory Server. It appears the object structure is
I just upgraded java to 1.7. That appears to be working. However, I still don't
know how to delete root suffix that wasn't shown up in the console. How do I
delete a root suffix that wasn't shown in the console?
Today I installed the 389 Directory Server and Directory Console. However, the
console keeps crashing and dumping core. However, it failed to write core dump,
leaving a log file into root directory.
The first time when it dumps core:
1. Launch the 389-console
2. Login
3. Select Directory