[389-users] Re: FileDescriptors exhausted

2022-11-12 Thread Paul Robert Marino
It sounds like you may have stale client connections. There are a lot of bad LDAP clients that never close their connections properly. The way to work around this is to set the TCP keepalive to a shorter value than the default. Here is a good article on the subject

[389-users] Re: Forward LDAP Auth SASL or SSSD

2022-08-02 Thread Paul Robert Marino
Well, saslauthd has to do with the SASL layer itself, not the LDAP server itself. It can work, but what it does is not related to SSSD at all. Essentially it is used to translate between one SASL auth mech and another; it's primarily for backwards compatibility. For example, a common use case for

[389-users] Re: OpenLDAP import into 389 Directory Server failing

2022-02-24 Thread Paul Robert Marino
This is just an educated guess, but it looks like you may be missing some schemas. On Tue, Feb 22, 2022, 4:00 PM Jason W. Lewis wrote: > After RHEL, etc. dropped OpenLDAP, I’ve begun testing with 389 Directory > Server. Currently, I’m trying to use openldap_to_ds to import slapd.d > config and an

[389-users] Re: Database and OS tuning. (open files)

2021-09-03 Thread Paul Robert Marino
Actually that's 5 minutes for the first probe, then 75 seconds on subsequent failed probes, up to 9 failures, so it's actually 900 seconds. I usually set it to time = 120, intv = 30, probes = 4. Keep in mind this just gets rid of zombie connections. If the first probe after 300 seconds of the connection

[389-users] Re: Database and OS tuning. (open files)

2021-09-01 Thread Paul Robert Marino
I would also tune the TCP heartbeat in sysctl to make it shorter, rather than the idle timeout. The default is 2 hours, and not to cut it off if heartbeats are missed. I prefer to make it 2 minutes and kill on the second missed heartbeat for LDAP servers. The reason for this is that there are a lot

[389-users] Re: 389DS console with HTTPS

2017-10-10 Thread Paul Robert Marino
One more minor correction: that path on Windows is C:\windows\system32\drivers\etc\hosts. Sent from my BlackBerry - the most

[389-users] Re: 389DS console with HTTPS

2017-10-10 Thread Paul Robert Marino
Sorry, the spell checker on my phone did something strange; it replaced CNAME with came. So in the alternative CNAME scenario the subject can match a CNAME in the DNS, but that CNAME must match an A record with a matching reverse lookup record for the forward A record. You can also use /etc /

[389-users] Re: 389DS console with HTTPS

2017-10-10 Thread Paul Robert Marino
This is a general SSL/TLS thing. In general the host must be resolvable via an A record in the DNS which matches both a forward and reverse lookup. Alternatively you can use a came for the forward lookup, but it must map to an A record which has a matching reverse lookup record to the A record the

[389-users] Re: 389 Roadmap?

2017-02-14 Thread Paul Robert Marino
I don't see 389 server going anywhere because it's at the core of other Red Hat supported projects which are built on it. RHDS 9 is EOL in favor of 10, which is just built on a newer version of 389 server on RHEL 7 as opposed to 6. Upgrades between versions of 389 server are pretty transparent

[389-users] Re: add user ldif via ldapadmin

2017-02-13 Thread Paul Robert Marino
I personally would not recommend using phpLDAPadmin. It is a very sloppy implementation and really was written for OpenLDAP in LDAP version 2 mode. Also, the admin console for 389 server does a better job if you configure it correctly. On Feb 13, 2017 7:11 PM, "William Brown"

[389-users] Re: SIEM Audit Data

2016-10-13 Thread Paul Robert Marino
User authentication errors are usually recorded on the client end. On Thu, Oct 13, 2016 at 4:47 PM, Jason Nielsen wrote: > I'm looking for ways to pull a number of audit events from 389. Such as: > > -User authentication success and failures. > -Group additions, removals and

Re: [389-users] GUI console and Kerberos

2015-03-16 Thread Paul Robert Marino
On Sun, Mar 15, 2015 at 4:52 PM, Paul Robert Marino prmari...@gmail.com wrote: I got Kerberos 5 authentication working in 389-console for standard user accounts. None of the users I've tested with have password fields in the LDAP database; they are only authenticating via Kerberos through PAM

Re: [389-users] GUI console and Kerberos

2015-03-15 Thread Paul Robert Marino
It will require a little more research, but I may be able to write a simple-to-implement RFE so it can attempt GSSAPI auth, possibly based on a configuration parameter. Sent from my BlackBerry 10 smartphone. Original Message From: Paul Robert Marino Sent: Wednesday, March 11, 2015 15:06

Re: [389-users] GUI console and Kerberos

2015-03-15 Thread Paul Robert Marino
using mod_restartd AdminSDK off On Sun, Mar 15, 2015 at 12:39 PM, Paul Robert Marino prmari...@gmail.com wrote: No, that's not it at all. That already works for users authenticating via SASL GSSAPI. This is a legacy LDAPv2 simple bind with TLS instead of SSL. SASL does not apply here from

Re: [389-users] GUI console and Kerberos

2015-03-12 Thread Paul Robert Marino
ldap error 48: Inappropriate authentication. This is making me wonder if saslauthd may help. On Wed, Mar 11, 2015 at 2:34 PM, Paul Robert Marino prmari...@gmail.com wrote: I know it will probably be a little more complex than that, but I think it logically should be one of the steps. Although

Re: [389-users] GUI console and Kerberos

2015-03-11 Thread Paul Robert Marino
On Wed, Mar 11, 2015 at 2:51 PM, Paul Robert Marino prmari...@gmail.com wrote: Ok, so here is some progress. I manually added my user name and password in /etc/dirsrv/admin-serv/admpw using the htpasswd command. If I put cn=username I get ldap error 32: No such object in the admin server

Re: [389-users] GUI console and Kerberos

2015-03-11 Thread Paul Robert Marino
Megginson rmegg...@redhat.com wrote: On 03/11/2015 11:54 AM, Paul Robert Marino wrote: Hey everyone, I have a question. I know at least once in the past I set up the admin console so it could utilize Kerberos passwords, based on a howto I found once which, after I changed jobs, I could never find

[389-users] GUI console and Kerberos

2015-03-11 Thread Paul Robert Marino
Hey everyone, I have a question. I know at least once in the past I set up the admin console so it could utilize Kerberos passwords, based on a howto I found once which, after I changed jobs, I could never find again. Today I was looking for something else and I saw a mention on the site about httpd

Re: [389-users] Lots of abandoned connections from sssd

2014-11-11 Thread Paul Robert Marino
Take a look at bugzilla ticket https://bugzilla.redhat.com/show_bug.cgi?id=1156577 - by the way, I was incorrect about it being POODLE update related. It turns out there has been a change to the SASL GSSAPI module that has caused some chaos. On Mon, Nov 10, 2014 at 8:16 PM, Paul Robert Marino prmari

Re: [389-users] Lots of abandoned connections from sssd

2014-11-10 Thread Paul Robert Marino
When did this start? The reason I ask is I've noticed a lot of problems with RHEV since the recent updates to nss and openssl to deal with the POODLE vulnerability. The workaround for a lot of them is to ensure minssf is set to a value higher than 0. I'm wondering if this might be something similar.

Re: [389-users] Lots of abandoned connections from sssd

2014-11-10 Thread Paul Robert Marino
night also applies to RHEV (ovirt) 3.3 and 3.4 -- Sent from my HP Pre3 On Nov 10, 2014 7:58 PM, Rich Megginson rmegg...@redhat.com wrote: On 11/10/2014 05:44 PM, Paul Robert Marino wrote: When did this start? The reason I ask is I've noticed a lot of problems with RHEV since

Re: [389-users] Sync from RDBMS to LDAP

2014-04-29 Thread Paul Robert Marino
Sorry, that kind of thing is always a custom scripting job. -- Sent from my HP Pre3 On Apr 28, 2014 13:27, Fong, Trevor trevor.f...@ubc.ca wrote: *Bump* Surely we can't be the only ones who want to do this? Trev From: Fong, Trevor Sent: April-22-14 3:33 PM To: '389-users@lists.fedoraproject.org'

Re: [389-users] sasl/gssapi issue

2014-03-06 Thread Paul Robert Marino
This is an issue with the LDAP search command, which is part of the OpenLDAP project, not 389 server. That said, I think it ignores the -X if you only have one cached credential and are using it in combination with the -Y GSSAPI option. Furthermore, if you want it to prompt you for a password you need

[389-users] intermittent issues with the DNA plugin

2014-03-05 Thread Paul Robert Marino
I'm trying the DNA plugin for the first time based on the document here: http://directory.fedoraproject.org/wiki/Howto:DNA Usually it works well, but occasionally it doesn't seem to work correctly for GID numbers. I've noticed that if I add a user via the ldapadd command and set the following

[389-users] Kerberized admin server

2014-03-04 Thread Paul Robert Marino
Hello, I know there used to be a document on doing this because I did it several years ago at a previous job, but I can't seem to find it in the documentation now. I'm trying to make the admin server accept Kerberos authentication. My Kerberos servers are separate from my LDAP servers, so this

Re: [389-users] Kerberized admin server

2014-03-04 Thread Paul Robert Marino
On Tue, Mar 4, 2014 at 12:13 PM, Rich Megginson rmegg...@redhat.com wrote: On 03/04/2014 09:16 AM, Paul Robert Marino wrote: Hello, I know there used to be a document on doing this because I did it several years ago at a previous job, but I can't seem to find it in the documentation now. I'm

Re: [389-users] Kerberized admin server

2014-03-04 Thread Paul Robert Marino
it. On Tue, Mar 4, 2014 at 12:58 PM, Rich Megginson rmegg...@redhat.com wrote: On 03/04/2014 10:26 AM, Paul Robert Marino wrote: On Tue, Mar 4, 2014 at 12:13 PM, Rich Megginson rmegg...@redhat.com wrote: On 03/04/2014 09:16 AM, Paul Robert Marino wrote: Hello, I know there used

Re: [389-users] Fwd: I'm about to start coding a plugin for Heimdal Kerberos V and have a question

2014-02-27 Thread Paul Robert Marino
...@redhat.com wrote: On 02/26/2014 11:01 PM, Paul Robert Marino wrote: Sorry for the delayed response; I'm on vacation so I haven't been checking my email regularly. On Thu, Feb 20, 2014 at 5:15 PM, Rich Megginson rmegg...@redhat.com wrote: On 02/20/2014 03:11 PM, Paul Robert Marino wrote: I

Re: [389-users] Fwd: I'm about to start coding a plugin for Heimdal Kerberos V and have a question

2014-02-26 Thread Paul Robert Marino
Sorry for the delayed response; I'm on vacation so I haven't been checking my email regularly. On Thu, Feb 20, 2014 at 5:15 PM, Rich Megginson rmegg...@redhat.com wrote: On 02/20/2014 03:11 PM, Paul Robert Marino wrote: I tried asking this on the developer list and didn't get an answer

[389-users] Fwd: I'm about to start coding a plugin for Heimdal Kerberos V and have a question

2014-02-20 Thread Paul Robert Marino
I tried asking this on the developer list and didn't get an answer, so I'm trying the user list now. So here is my goal: I am about to write a plugin for Heimdal KDCs to update matching password fields in LDAP servers. In the case of 389 server it will also allow 389 server to manage password

Re: [389-users] Reset Password as Root if User Forgets Password

2014-01-22 Thread Paul Robert Marino
Sorry, that's not possible. If you are using Kerberos then you can do it via the kadmin command. If not, then you have to use one of several other tools like the admin console or ldapmodify, for example. On Wed, Jan 22, 2014 at 9:06 AM, Chaudhari, Rohit K. rohit.chaudh...@jhuapl.edu wrote: Hello,

Re: [389-users] Reset Password as Root if User Forgets Password

2014-01-22 Thread Paul Robert Marino
password change after reset checkbox built into the password policy in 389? On 1/22/14 10:49 AM, Paul Robert Marino prmari...@gmail.com wrote: Sorry, that's not possible. If you are using Kerberos then you can do it via the kadmin command. If not, then you have to use one of several other tools like

Re: [389-users] The admin server: failed to get a socket for 0.0.0.0

2014-01-19 Thread Paul Robert Marino
Sounds like something was holding on to the port. When you rebooted, chances are whatever was holding on to the port didn't come back after the reboot. For future reference, netstat -tnp can be very helpful in these cases. -- Sent from my HP Pre3 On Jan 19, 2014 11:49, Jan Tomasek j...@tomasek.cz wrote:

Re: [389-users] non-unique UID

2014-01-19 Thread Paul Robert Marino
It's possible; most LDAP servers don't put a unique constraint on that field. In fact it's occasionally done intentionally in LDAP servers that handle multiple OUs where hosts are only expected to look at one of them. The problem is it messes up your systems' permissions if you have overlaps. On

Re: [389-users] SSH Public keys

2014-01-09 Thread Paul Robert Marino
and LDAP together with a 389-ds backend, you may want to look at the FreeIPA project, which handles a lot of the integration for you. It also supports storing SSH keys. rob On Thu, Jan 9, 2014 at 12:42 PM, Paul Robert Marino prmari...@gmail.com wrote: Have you

Re: [389-users] SSH Public keys

2014-01-09 Thread Paul Robert Marino
Have you considered using Kerberos instead of SSH keys? It's fairly transparent and doesn't require any patches. On Thu, Jan 9, 2014 at 1:10 PM, Vesa Alho lis...@alho.fi wrote: I'm just wondering if anyone has experience storing public keys in 389 directory server to allow a user to login using

Re: [389-users] slapi_ldap_init segmentation fault

2013-10-17 Thread Paul Robert Marino
Unfortunately POSIX threading on SunOS is not identical to Linux. That was the idea behind POSIX threads, but there is enough wiggle room in the standard that porting is always a problem. What's worse is I've never seen a good code porting guide or even a good book or guide about POSIX threads on

Re: [389-users] Authentication method not supported

2013-07-14 Thread Paul Robert Marino
Solaris was one of the original platforms and has been both 64-bit space and AMD along with 32-bit Intel and IBM Power arch since long ago, so I find your assertion somewhat doubtful. On the other hand, how can you expect a desktop 32-bit (workstation version of the IBM Power) architecture which was

Re: [389-users] Console window problems

2013-06-09 Thread Paul Robert Marino
The resize issue is an old one; it's one of the few things that's never been fixed since the old Netscape days. Try using the native Windows installer version of the client. It still will have the same issue but will fit better on the screen. -- Sent from my HP Pre3 On Jun 7, 2013 2:00 PM, Herb

Re: [389-users] AIX

2013-04-15 Thread Paul Robert Marino
It's been a long time since I used an AIX box, but I don't think AIX uses PAM, so it would be different. That said, it should be possible, but I'm not sure of the details on how to set it up. Worse comes to worst, look at some of the old Sun ONE and Netscape docs; they would cover AIX clients and should

Re: [389-users] 389DS Certificates

2013-03-29 Thread Paul Robert Marino
The Windows CA cert is what you need to import, not the cert used for the AD server. If that doesn't work you have three choices: 1) fix the certificate authority on your AD server. 2) get a wildcard cert from an external "reputable" source such as VeriSign or GoDaddy and use that for all your SSL and

Re: [389-users] Support for apple OS X schema?

2013-01-04 Thread Paul Robert Marino
It's been a long time since I played with this, but generally you can exclude the Apple version of the field, because if it's not included in the mapping on the Apple client then the client will ignore it. I did this back in 2002 with a SuSE Open Exchange server running OpenLDAP and ran into more

Re: [389-users] MMR issue ...

2012-11-14 Thread Paul Robert Marino
Hey, I'm coming into this conversation a little late, but could there be a max open file handle issue on server B? That's the first thing that popped into my mind when I read the description of the issue. On Nov 13, 2012 3:57 PM, Reinhard Nappert rnapp...@juniper.net wrote: There are a lot of RST

Re: [389-users] what is the best way to a new user and put him in to few groups?

2012-08-03 Thread Paul Robert Marino
Well, that really depends on what you are comfortable doing as far as code. An LDIF piped to the ldapmodify command is probably the easiest to write; however, you could make something far more robust with the Net::LDAP Perl module. The one bad note about the Net::LDAP Perl module is it tends to take

[389-users] Question about users and groups in sub suffixes

2012-07-27 Thread Paul Robert Marino
Hello everyone, I have a strange problem. I'm trying to use 389 server in a large organization and I have to break the directory into several sub suffixes or root suffixes. Here is the scenario: I work for Large company A. Large company A owns 1) subsidiary b 2) subsidiary c 3) subsidiary d Large

Re: [389-users] Question about users and groups in sub suffixes

2012-07-27 Thread Paul Robert Marino
Never mind, I found the answer. Apparently you have to go into the Directory tab in the directory server and create a domain object, because it's not automatically created when you create the database under the sub DN. On Fri, Jul 27, 2012 at 7:03 PM, Paul Robert Marino prmari...@gmail.com wrote

Re: [389-users] Question about users and groups in sub suffixes

2012-07-27 Thread Paul Robert Marino
to the documentation. The way I figured it out is I just tried to add a new subdomain without adding a sub suffix and I got a warning message saying I may want to add the sub suffix first. On Jul 27, 2012 8:50 PM, Noriko Hosoi nho...@redhat.com wrote: Paul Robert Marino wrote: Hello everyone, I have

[389-users] please re-review bug id 588480

2012-07-24 Thread Paul Robert Marino
I figured out how to reproduce the bug in https://bugzilla.redhat.com/show_bug.cgi?id=588480 Please re-review it; it was closed as works for me, but I found there was a vital piece of information missing to reproduce it. I have just been able to reproduce it on RHEL 6.3. I've added the details on

Re: [389-users] Import Apple Open Directory Schema

2012-07-23 Thread Paul Robert Marino
The Apple Open Directory schema is reliant on several other schemas that are distributed with OpenLDAP, including the one for NIS if I remember correctly. A simple grep -R for the objects it's erroring on should give you a clue. First check if there is a pre-existing schema distributed with 389 that

Re: [389-users] password expiration warnings

2012-05-30 Thread Paul Robert Marino
Furthermore, this can become more complicated when you get Kerberos involved, because in the case of a kerberized implementation the passwords and password policies are managed by the Kerberos server, so this is a much more difficult thing to implement than you might think. On May 30, 2012 4:48 PM,

Re: [389-users] Strange Disk IO issue

2012-05-16 Thread Paul Robert Marino
By the way, despite the recommendation against reducing the timer on cleaning out the tombstones, I would do it anyway. My experience with many other database platforms is that if the cleanups of stale entries are taking too long, it means you aren't doing them often enough for your environment. If

Re: [389-users] Strange Disk IO issue

2012-05-15 Thread Paul Robert Marino
That is odd behavior. Do all of the replicas have the same applications connecting to them? Not necessarily the same instances, but the same applications configured in a similar way. The reason I ask is I'm wondering if there might be a rogue app sending heavy queries repeatedly to the servers. Is

Re: [389-users] idle_timelimit 60

2012-05-09 Thread Paul Robert Marino
It's generally a good idea on the server to set a shorter TCP keepalive interval in /etc/sysctl.conf. The default is 2 hours. Set it to slightly more than the idle time limit on your clients. On May 9, 2012 4:05 AM, Ali Jawad ali.ja...@splendor.net wrote: Hi, I know this is not a strictly 389 DS

Re: [389-users] 389 and Samba integration on Centos 6

2012-05-04 Thread Paul Robert Marino
procedure which are not well documented, and I see there is not much experience yet on the Web. And, of course, my lack of previous experience with 389... Kind regards, Alberto Suarez. Paul Robert Marino wrote: For clarity, are you planning to use Samba 3 or 4? There is a huge difference between

Re: [389-users] how to keep in sync centos-ds in a dr scenario

2012-04-26 Thread Paul Robert Marino
Well, that's not a great way to set that up, but it's workable. You will need to sync without SSL and do a destination NAT between them. On Apr 26, 2012 4:05 AM, Maurizio Marini mau...@cost.it wrote: I have a disaster recovery scenario: on a remote location I have the same servers with the same

Re: [389-users] how to keep in sync centos-ds in a dr scenario

2012-04-26 Thread Paul Robert Marino
This entirely depends on your network topology, but may be a step in the right direction. Having servers with the same IPs doesn't seem to be the most elegant solution; same with rsync'ing your database instead of using replication. Jim On Thu, Apr 26, 2012 at 7:03 AM, Paul Robert Marino prmari

Re: [389-users] Best way to sync ldap and samba passwords

2011-10-05 Thread Paul Robert Marino
I use Kerberos with my 389 server, so that kind of password syncing isn't a problem. Plus, the Kerberos auth module for Apache is way more efficient than the LDAP auth module. On 10/5/2011 3:13 PM, Rich Megginson wrote: On 10/05/2011 01:07 PM, David Hoskinson wrote: I am trying to find out

Re: [389-users] java error on 389-console command

2011-09-12 Thread Paul Robert Marino
On 9/9/2011 3:40 PM, Rich Megginson wrote: On 09/09/2011 12:54 PM, Paul Robert Marino wrote: On 9/9/2011 2:51 PM, Rich Megginson wrote: On 09/09/2011 12:50 PM, Paul Robert Marino wrote: On 9/9/2011 2:42 PM, Rich Megginson wrote: On 09/09/2011 12:38 PM, Paul Robert Marino wrote: On 9/9/2011 2

Re: [389-users] java error on 389-console command

2011-09-09 Thread Paul Robert Marino
On 9/9/2011 2:31 PM, Rich Megginson wrote: On 09/09/2011 12:11 PM, Paul Robert Marino wrote: A couple of days ago I did a yum update on one of my boxes. One of the things that updated was the 389-console rpm. Now every time I try to run it I get an error: The java class could not be loaded

Re: [389-users] java error on 389-console command

2011-09-09 Thread Paul Robert Marino
On 9/9/2011 2:42 PM, Rich Megginson wrote: On 09/09/2011 12:38 PM, Paul Robert Marino wrote: On 9/9/2011 2:31 PM, Rich Megginson wrote: On 09/09/2011 12:11 PM, Paul Robert Marino wrote: A couple of days ago I did a yum update on one of my boxes. One of the things that updated was the 389

Re: [389-users] java error on 389-console command

2011-09-09 Thread Paul Robert Marino
On 9/9/2011 2:50 PM, Paul Robert Marino wrote: On 9/9/2011 2:42 PM, Rich Megginson wrote: On 09/09/2011 12:38 PM, Paul Robert Marino wrote: On 9/9/2011 2:31 PM, Rich Megginson wrote: On 09/09/2011 12:11 PM, Paul Robert Marino wrote: A couple of days ago I did a yum update on one of my boxes

Re: [389-users] java error on 389-console command

2011-09-09 Thread Paul Robert Marino
On 9/9/2011 2:51 PM, Rich Megginson wrote: On 09/09/2011 12:50 PM, Paul Robert Marino wrote: On 9/9/2011 2:42 PM, Rich Megginson wrote: On 09/09/2011 12:38 PM, Paul Robert Marino wrote: On 9/9/2011 2:31 PM, Rich Megginson wrote: On 09/09/2011 12:11 PM, Paul Robert Marino wrote: A couple

Re: [389-users] PAM Pass Through- PAM succeeds but 389 fails?

2011-08-30 Thread Paul Robert Marino
Just out of curiosity, if you are using Kerberos why are you using PAM instead of GSSAPI? On 8/30/2011 1:19 PM, Sam Harmon wrote: Hello, I'm trying to configure a 389 instance to pass authentication to our Kerberos server using the PAM Pass Through plugin. As far as I can tell, the

Re: [389-users] too many fds open

2011-08-26 Thread Paul Robert Marino
You need to edit /etc/security/limits.conf and add an entry for nofile. The default is 1024; the max is 65536 (1024 * 64). Here is an extreme example setting it to the max for all users: * hard nofile 65536 * soft nofile 65536 After you have

Re: [389-users] too many fds open

2011-08-26 Thread Paul Robert Marino
On Fri, Aug 26, 2011 at 10:28 AM, Paul Robert Marino pmar...@snap-interactive.com wrote: You need to edit /etc/security/limits.conf and add an entry for nofile. The default is 1024; the max is 65536 (1024 * 64). Here is an extreme example setting it to the max for all users

Re: [389-users] 389-ds apparently listens only on loopback

2011-07-08 Thread Paul Robert Marino
Output from 'sudo netstat -tlnp' please, followed by the output of 'sudo /sbin/iptables -L'. Feel free to obscure the IPs if they are internet visible; replace the first 2 octets with 192.168. On 7/8/2011 10:01 AM, Arian Sanusi wrote: Hi all, I set up a host with CentOS 5.6 and 389-ds

Re: [389-users] 389-ds apparently listens only on loopback

2011-07-08 Thread Paul Robert Marino
You need to do an iptables update. Now you can temporarily flush the rules with 'sudo /sbin/service iptables stop'. You will need to add a rule to /etc/sysconfig/iptables and restart the iptables service. On 7/8/2011 11:27 AM, Arian Sanusi wrote: I just disabled IPv6 completely - the network is v4

[389-users] issues installing in RHEL6.1

2011-06-22 Thread Paul Robert Marino
I've been trying to install 389 on RHEL 6.1 and I keep getting dependency errors. This is the last error that's hanging me up, and I know it's just an incorrect dependency in the spec file or a package that has not updated in the repo yet; see below: yum install 389-ds