[389-users] Re: Admin Gateway over https

[Eric Wheeler]

Thanks for the confirmation regarding secure connections and the clarification 
regarding dsgw. I will focus on other alternatives. I would be interested in 
exploring cli tools and the API. Any resources to which you could point me 
would be appreciated. Thanks for the help.

-Original message-
From: William Brown
Sent: Wednesday, March 7 2018, 1:47 pm
To: General discussion list for the 389 Directory server project.
Subject: [389-users] Re: Admin Gateway over https
 
On Wed, 2018-03-07 at 01:18 +, Eric Wheeler wrote:
> How does one properly configure the Directory Server Gateway to run
> over https? Is such a setup necessary for secure connections if ldaps
> over 636 is active?

Yes, because you have:

client -> https -> ldaps

So you have to protect each stage of the communication.

>  I edited dsgw-httpd.conf until I was able to connect to the gateway
> via https, but the setup was pretty buggy. Afterwards, I came across
> a page in the documentation stating this file shouldn’t be touched.
> 
> My goal is to use the DS Gateway to edit the directory using secure
> connections without resorting to other tools such as phpLDAPadmin
> which I’ve read is really designed for OpenLDAP.

While I understand your desire, the dsgw software hasn't been touched
by us in a long time - and I highly suspect it won't be supported for
much longer. Sadly though, as far as a "web tool" we've had some delays
building this up but it is on the way!

Instead for 1.4.x we plan to release better cli tools with much more
functionality that should be able to do everything you want. 

If you want to know more about these tools and our API for server
interaction, I'm happy to provide you resources about this to help you
and get it fit for your requirements,

Hope that helps,


> ___
> 389-users mailing list -- 389-users@lists.fedoraproject.org 
>  
> To unsubscribe send an email to 389-users-leave@lists.fedoraproject.o
> rg
-- 
Thanks,

William Brown
___
389-users mailing list -- 389-users@lists.fedoraproject.org 
 
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org 
 


___
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org

[389-users] Re: How to containerize 389DS using Docker in production systems

[William Brown]

On Wed, 2018-03-07 at 23:50 +, tda...@email.arizona.edu wrote:
> > On Wed, 2018-03-07 at 08:52 +0100, Alberto García Sola wrote:
> > 
> > Hi there,
> > 
> > I'm currently working on docker support in 389-ds.
> 
> William, I'm really glad to hear this. We've been running 389 server
> in docker in EC2 instances for months now and it works great. We have
> home grown scripts for automating the DS installation and replication
> between 2 DS instances, but it would be awesome to use a supported
> setup instead, so I'd really like to try what you have. Our setup
> uses mounted EBS volumes that contain all the necessary DS folders so
> that the EC2s can be blown away and recreated any time we want.

Hope you don't mind, but this is a bit of a brain dump. we have some
open tickets about this. Currently we have LOADS of support here for
containers, like detection of container memory and process limits,
support for containerised installs in dscreate, and more.

But first I want to describe the general picture and situation.

It would be great to have a temporary demo instance like:

docker run 389ds:1.4.0

And that *works*.

Now, when you want to really use it in production something more like:

docker run -v /etc/dirsrv:/etc/dirsrv -v
/var/lib/dirsrv:/var/lib/dirsrv 389ds:1.4.0

And now you have persistance, and can pull, upgrade, destroy,
everything.

If you want a readonly ephemeral replica, something maybe like:

docker run -e replication_manager=12345 389ds:1.4.0

Which would trigger the replica ID to become 65535 and set the
replication manager password (which could now be pushed to from another
instance).

So what are the challenges to these scenarios? 

Well, the first scenario "kinda works" today, but you don't get
persistence, and we have to ship a known password. The barrier here is
that ns-slapd (our server binary) needs assistance from dscreate/setup-
ds.pl to create dse.ldif and it's related instance parts.

So we need to move the *SETUP* logic of DS out of python and INTO an
early runtime part of ns-slapd, to be able to process a .inf +
envvariables to create dse.ldif on startup if it does not exist.

Thankfully this also solves the second case with a persistant image,
with backed storage.

The challenge here is the inplace upgrade. When you do say:

docker run -v ... 389ds:1.4.0
docker kill ...
docker run -v ... 389ds:1.5.0

Because our current upgrade scripts run in perl at RPM upgrade time,
when we launch the 1.5.0 container, it would NOT have the upgraded
configuration/plugin/other data that we may need.

Thankfully, this is in the process of being fixed via some patches that
are currently underreview, so this concern is "mostly" fixed, and the
team is pretty aware that upgrade perl scripts aren't a future
acceptable thing.


Finally, is the stateless instance - again, this requires more
interaction at start up to get the replica setup like this, but it also
requires us to coordinate docker networking / others for "what IP do we
replicate to?". This is a tougher challenge. Today we could solve this
externally by just reconfiguring our various instances, but this
automation would be nice to achieve.


Now there are still other issues - certificates and load balancing is a
big one. We have the concept of "SSF" in the server (despite ssf's
flaws). We won't let you do password changes or other operations
WITHOUT a secure connection, but today that means putting cert and key
material INTO the container.

So another area we need to improve is load balancer support for
haproxy. There is an open ticket for parsing HAproxy metadata for
proper log data, but we need to have an "SSF override" value so that DS
on plaintext 389 "treats it" like it's a secure connection, and haproxy
ONLY advertises 636 (ldaps). 


Another concern is backups and how to take them effectively, or how to
do datarestore correctly. I haven't decided on a good method for this
yet (we could have different containers thatj ust use the same volumes
and handle it correctly, or we could rely on the online tasks)


 But william, show me the code!!! 

Okay, okay. Today, you can build and test our docker container from git
master ONLY. We rely on a few too many things that are only in 1.4.0
and this is a fast-ish moving target today. I won't promise we have a
stable solution for you, but I'd love to hear your thoughts on how we
can improve.

If you want to test this today:

http://www.port389.org/docs/389ds/contributing.html#get-the-code

git clone https://pagure.io/389-ds-base.git
cd 389-ds-base
make -f docker.mk poc

This builds a container called "389-poc:latest", which functions like
the "demo" instance. We statically create an instance in the container
called "localhost" with the dm password of "directory manager
password". There is an updated to this poc in pagure in the following
ticket: https://pagure.io/389-ds-base/issue/49570

There is still quite a bit of integration work to go, but I'd love some
feedback and review of 

[389-users] Re: How to containerize 389DS using Docker in production systems

[tdarby]

> On Wed, 2018-03-07 at 08:52 +0100, Alberto García Sola wrote:
> 
> Hi there,
> 
> I'm currently working on docker support in 389-ds.

William, I'm really glad to hear this. We've been running 389 server in docker 
in EC2 instances for months now and it works great. We have home grown scripts 
for automating the DS installation and replication between 2 DS instances, but 
it would be awesome to use a supported setup instead, so I'd really like to try 
what you have. Our setup uses mounted EBS volumes that contain all the 
necessary DS folders so that the EC2s can be blown away and recreated any time 
we want.
___
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org

[389-users] Re: Admin Gateway over https

[William Brown]

On Wed, 2018-03-07 at 01:18 +, Eric Wheeler wrote:
> How does one properly configure the Directory Server Gateway to run
> over https? Is such a setup necessary for secure connections if ldaps
> over 636 is active?

Yes, because you have:

client -> https -> ldaps

So you have to protect each stage of the communication.

>  I edited dsgw-httpd.conf until I was able to connect to the gateway
> via https, but the setup was pretty buggy. Afterwards, I came across
> a page in the documentation stating this file shouldn’t be touched.
> 
> My goal is to use the DS Gateway to edit the directory using secure
> connections without resorting to other tools such as phpLDAPadmin
> which I’ve read is really designed for OpenLDAP.

While I understand your desire, the dsgw software hasn't been touched
by us in a long time - and I highly suspect it won't be supported for
much longer. Sadly though, as far as a "web tool" we've had some delays
building this up but it is on the way!

Instead for 1.4.x we plan to release better cli tools with much more
functionality that should be able to do everything you want. 

If you want to know more about these tools and our API for server
interaction, I'm happy to provide you resources about this to help you
and get it fit for your requirements,

Hope that helps,


> ___
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> To unsubscribe send an email to 389-users-leave@lists.fedoraproject.o
> rg
-- 
Thanks,

William Brown
___
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org

[389-users] Re: How to containerize 389DS using Docker in production systems

[William Brown]

On Wed, 2018-03-07 at 08:52 +0100, Alberto García Sola wrote:
> Reading the documentation I find little or none information regarding
> containers and Docker, but I've found a few comments in the changelog
> regarding Docker. I plan to use them in a highly scalable and elastic
> environment.
> I wonder, what's the best way to containerize 389DS using Docker to
> use in production systems? 
> Any considerations regarding storage (beyond being persistent)? 
> Any experiences using Docker and 389DS in production systems?

Hi there,

I'm currently working on docker support in 389-ds.

The current status is "almost there", but before I approve it for use I
have a high standard I want to meet. I want our support to be the best
possible. 

I want to be able to redefine root password via envariables, and I want
to be able to configure the server via environment or some other means
that would work nicely in something like kubernetes so you can then
have scripted scaling for replicas.

We also have some plans for inplace upgrades (rather than the perl
scripts) so that containers can upgrade at run time rather than relying
on rpm/deb to run upgrade scripts. 

Today, you can run ds in a container, but you need to build the
/etc/dirsrv/slapd- directory "seperately" and then bring that
to the container.

If you are interested in testing the current image, I can provide steps
on using it, and if you have some use cases or ideas, I'd love to hear
them. I really want our docker support ready in the next few months.

Thanks!


> Regards,
> Alberto.
> ___
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> To unsubscribe send an email to 389-users-leave@lists.fedoraproject.o
> rg
-- 
Thanks,

William Brown
___
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org

[389-users](re)enabling a password policy

[Kirk MacDonald]

Hello,

Looking for some guidance with password policies.

About a year ago I migrated a very old instance of Red Hat Directory server to 
389-ds version 1.3.5.10. I did this with a db export and import. I did not 
enable the password policy which was active on the old Red Hat Directory 
instance.

It has come time to (re)enable a password policy on the 389-ds instance and I 
am hoping for some guidance on how to proceed. The policy would be one of 
syntax and expiration requirements. All the applicable users appear to have the 
require attributes (passwordexpirationtime, passwordexpwarned, 
passwordgracetimeuser, passwordhistory, passwordretrycount, retrycoutresettime)

Questions:


1.   All the users on which the password policy should apply are under 
ou=People,dc=sub,dc=domain,dc=tld

o   It should therefore be safe to apply the password policy here for subtree?

2.   What is the best way to set individual users who should be exempt from 
the policy?

3.   Some of the users who should be exempt are within nsPwPolicyContainer 
under ou=People. Does this relate to question #2?

4.   Given that there has been a long time passed where the password policy 
has not been active, it probably makes sense to set applicable user’s 
passwordexpirationtime attribute to sometime in the future so there isn’t a 
flood of “password lockout” complaints?


[cid:EL-logo_7ba48a57-966c-4a07-b478-7857c99d9581.png]  Kirk MacDonald | System 
Analyst II
Eastlink | Internet
kirk.macdon...@corp.eastlink.caT: 902.406.4969


___
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org