In my 389-ds setup, I have a password policy in place where the user must
change their password after a reset, they are allowed to change their
password, and it expires after 90 days. However, I cannot find where the
Directory Manager can actually RESET a user's password. The docs are very
vague in this area IMO, so I'm sure I overlooked it.
Where do I go in the console to reset a particular user's password so they
will be prompted to change it when they log in again?
Common ARTS Software Development
I am looking for simple AD password sync solution.
I think there was once one as part of this project. It was to be installed on
all DCs and would send password updates to any LDAP server. Now this project
seems to use one that requires a replication agreement and it only supports
While I may be interested in switching to the 389 server at some point, we are
currently using the Sun directory server (5.2) and I need more time to
evaluate what that will entail. In the meantime I need to get password
syncing working as we want to pull the plug on Oracle's Identity Management
Suite (OIM) which is currently doing this function along with lots of other
Can anyone point me to where to find the old password sync tool? Or is there
a way to use the current one without replication, etc?
Gary Algier, WB2FWZ gaa at ulticom.com +1 856 787 2758
Ulticom Inc., 1020 Briggs Rd, Mt. Laurel, NJ 08054 Fax:+1 856 866 2033
Nielsen's First Law of Computer Manuals:
People don't read documentation voluntarily.
We are planning out how we are going to move from Active Directory to
389-ds. We can add users to our test environment successfully, and give
the accounts the proper information (uid, shell, etc.). However, 1 area
that we are getting stumped at is groups. In our Active Directory
currently, we have several groups that we put our users into based on
Those groups have unique group IDs. However, when I make a group on
389-ds, I don't have any way of specifying a group ID. I can make a new
user and give it a group ID by default, but that group ID doesn't exist
anywhere and I can't find where to assign it or create it. Any ideas on
Common ARTS Software Development
Or just create your own schema extension to cover what you need. It's very easy to accomplish as long as you plan it right. Coming from AD land you're probably convinced to stay in the "box" that MS constrains you into, but it's very doable. If you're converting, just use the same or near the same data type for group ID and naming. It makes it that much easier to port your app over to the new environment. There are differences in the way 389 and AD behave, but it's not that big and can be overcome easily to ease app migration.
From: Angel Bosch Mora <angbosch(a)conselldemallorca.net>
To: General discussion list for the 389 Directory server project. <389-users(a)lists.fedoraproject.org>
Sent: Friday, January 7, 2011 7:57:00 PM
Subject: Re: [389-users] Questions about groups and group IDs
----- Original message -----
> We are planning out how we are going to move from Active Directory to
> 389-ds. We can add users to our test environment successfully, and
> give the accounts the proper information (uid, shell, etc.). However,
> 1 area that we are getting stumped at is groups. In our Active
> Directory currently, we have several groups that we put our users into
> based on their function.
> Those groups have unique group IDs. However, when I make a group on
> 389-ds, I don't have any way of specifying a group ID. I can make a
> new user and give it a group ID by default, but that group ID doesn't
> exist anywhere and I can't find where to assign it or create it. Any
> ideas on this?
You need to use objectClass: posixGroup in your group template. In theory posixGroup and groupOfNames are structural object classes and cannot be combined, but in practice there's a variation of the RFC that allows using posixGroup as an auxiliary class.
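The posixGroup answer above settles the schema side. What usually bites in an AD-to-389 move is the data: gidNumbers that collide, and users carrying a primary gidNumber that no group entry defines (the exact symptom in the question). The script below is an added example, not code from the 389 project or from anyone in this thread. It assumes a hypothetical export format (group dicts with name, gidNumber and members; user dicts with uid and gidNumber) and a target container of ou=Groups,dc=example,dc=com, both made up for the example; it emits ldapadd-ready posixGroup LDIF, base64-encoding values where RFC 2849 requires it, and reports the inconsistencies before anything is loaded.

```python
"""Build 389-ds posixGroup LDIF from groups exported from AD, keeping the AD
gidNumber, and check the group/user set for consistency first.

Added example, not code from the 389 project or this thread. Assumptions
(hypothetical): groups are dicts with 'name', 'gidNumber' and 'members'
(sAMAccountNames reused as uid); users are dicts with 'uid' and 'gidNumber';
groups are created under ou=Groups,dc=example,dc=com.
"""
import base64

GROUPS_BASE = "ou=Groups,dc=example,dc=com"   # assumed target container


def ldif_attr(name, value):
    """One LDIF attribute line; base64-encode when RFC 2849 calls the value unsafe
    (non-ASCII, CR/LF, leading space/colon/'<', or trailing space)."""
    value = str(value)
    safe = (value != "" and value[0] not in " :<" and not value.endswith(" ")
            and all("\x01" <= ch <= "\x7f" and ch not in "\r\n" for ch in value))
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def group_ldif(group):
    """LDIF add record for one posixGroup. The DN builder assumes the cn has no
    RFC 4514 special characters (comma, plus, quote, ...); escape those yourself."""
    lines = [ldif_attr("dn", f"cn={group['name']},{GROUPS_BASE}"),
             "objectClass: top",
             "objectClass: posixGroup",
             ldif_attr("cn", group["name"]),
             ldif_attr("gidNumber", group["gidNumber"])]
    lines += [ldif_attr("memberUid", m) for m in sorted(group["members"])]
    return "\n".join(lines) + "\n"


def check_groups(groups, users):
    """Return a list of problem strings; an empty list means the set is consistent.
    Checks: duplicate gidNumber, duplicate (case-insensitive) group name, members
    that are not known users, and users whose primary gidNumber has no group."""
    problems = []
    by_gid, names = {}, set()
    uids = {u["uid"] for u in users}
    for g in groups:
        gid = g["gidNumber"]
        if gid in by_gid:
            problems.append(f"gidNumber {gid} used by both {by_gid[gid]} and {g['name']}")
        by_gid.setdefault(gid, g["name"])
        if g["name"].lower() in names:
            problems.append(f"duplicate group name {g['name']}")
        names.add(g["name"].lower())
        for m in g["members"]:
            if m not in uids:
                problems.append(f"group {g['name']}: memberUid {m} is not a known user")
    for u in users:
        if u["gidNumber"] not in by_gid:
            problems.append(f"user {u['uid']}: primary gidNumber {u['gidNumber']} has no posixGroup")
    return problems


# Constructed sample data, not a real export.
SAMPLE_GROUPS = [
    {"name": "engineering", "gidNumber": 10001, "members": ["alice", "bob"]},
    {"name": "ops", "gidNumber": 10002, "members": ["carol", "erin"]},  # erin unknown
    {"name": "ops-legacy", "gidNumber": 10002, "members": []},          # gid collision
]
SAMPLE_USERS = [
    {"uid": "alice", "gidNumber": 10001},
    {"uid": "bob", "gidNumber": 10001},
    {"uid": "carol", "gidNumber": 10002},
    {"uid": "dave", "gidNumber": 10005},   # the thread's symptom: gid with no group
]

if __name__ == "__main__":
    for problem in check_groups(SAMPLE_GROUPS, SAMPLE_USERS):
        print("PROBLEM:", problem)
    print()
    print("\n".join(group_ldif(g) for g in SAMPLE_GROUPS))
```

Load the output with ldapadd -x -D "cn=Directory Manager" -W -f groups.ldif only once check_groups returns nothing; fixing a gidNumber after users already reference it means touching every affected user entry as well.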
We've recently run yum upgrade to update the 389 packages from EPEL.
Using Centos 5.5 i386.
Previous package versions were:
The new package versions are:
After upgrading packages we ran
After trying to restart the services, the admin server times out and
will not start.
The directory server itself seems to be working ok. Connecting to it
using an ldap browser shows that the data is there as we expected.
The only errors we seem to be getting in the admin logs are:
[Fri Jan 07 12:24:43 2011] [notice] Access Host filter is: *.domain.com
[Fri Jan 07 12:24:43 2011] [notice] Access Address filter is: *
[Fri Jan 07 12:24:43 2011] [notice] Unable to shutdown NSS - still busy
- assume mod_nss is holding references - continuing
[Fri Jan 07 12:24:43 2011] [error] NSS_Shutdown failed: -8038
[Fri Jan 07 12:24:44 2011] [error] NSS initialization failed.
Certificate database: /etc/dirsrv/admin-serv.
[Fri Jan 07 12:24:44 2011] [error] SSL Library Error: -8038 Unknown
Any help would be appreciated.
In 389-console, my auto.master folder entry does not appear on the left pane
so I can't edit the entries in it. It does appear as a folder icon on the
right. Any ideas why this would be? File a bug?
Technical Manager 303-415-9701 x222
NWRA/CoRA Division FAX: 303-415-9702
3380 Mitchell Lane orion(a)cora.nwra.com
Boulder, CO 80301 http://www.cora.nwra.com
I've been away from my 389-ds admin for a few months (I'm just starting to
get familiar with it), and I can't login using the user ID "cn=Directory
Manager". A few months ago I could using the GUI 389-console application.
But today I can't. It keeps saying:
"Can't login because of an incorrect User ID, Incorrect password, or
The error log shows: "[error] [client 127.0.0.1] user cn=Directory Manager
not found: /admin-serv/authenticate"
I am able to get data back when I enter:
  ldapsearch -x -b o=netscaperoot -D "cn=Directory Manager" -w <password> "objectclass=nsAdminConfig"
from the command line, so I know that the password is correct.
Any thoughts on what to do to fix this?
Common ARTS Software Development
On 01/04/2011 11:27 PM, mahao wrote:
> Thanks for your letter.
> This fedora-ds version is :
> nsslapd-versionstring: Fedora-Directory/1.0.4.
> And platform :
> LSB Version:
> Distributor ID: RedHatEnterpriseServer
> Description: Red Hat Enterprise Linux Server release 5.5 (Tikanga)
> Release: 5.5
> Codename: Tikanga
> Linux esjirp64.emea.nsn-net.net 2.6.18-164.6.1.el5 #1 SMP Tue Oct 27
> 11:28:30 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
> I have pasted config.ldif of my fedora-ds server in attachment.
> You said it ran out of memory, but the next day morning after
> fedora-ds crashed, I checked the cacti monitor of memory; memory and
> cpu usage were at a normal level, far from exhausted.
> And two hours after I restarted the fedora-ds server without changing any
> configuration, there was no response from the ldap server but the process
> was running and port 389 was listening. This time no errors were
> written to the error log. I had to restart it again and it has been
> working fine since then.
> Do you have any idea of this?
> Thank you for your advice.
Not sure. Looks like all of your cache settings are the default values.
I suppose it could be a memory leak.
I suggest upgrading to 389 126.96.36.199 available from EPEL. Even if that
does not solve your problem, it will be much easier to support.
> Best Regards
> Ma Hao
> From: Rich Megginson
> Sent: January 5, 2011 1:07
> To: mahao
> Cc: 389-users(a)lists.fedoraproject.org
> Subject: Re: memory allocator - calloc of 4098 elems of 4 bytes
> failed; OS error 12 (Cannot allocate memory)
> On 12/24/2010 12:15 AM, mahao wrote:
> Hi all,
> Fedora-ds was down for some reason,
> And I got these logs:
> [23/Dec/2010:18:59:32 +0200] - libdb: User-specified malloc function
> returned NULL
> [23/Dec/2010:18:59:32 +0200] - id2entry error 12
> [23/Dec/2010:18:59:32 +0200] - id2entry get error 12
> [23/Dec/2010:18:59:32 +0200] - next_search_entry db err 12
> [23/Dec/2010:18:59:32 +0200] memory allocator - calloc of 4098 elems
> of 4 bytes failed; OS error 12 (Cannot allocate memory)
> The server has probably allocated all available virtual memory. To solve
> this problem, make more virtual memory available to your server, or reduce
> one or more of the following server configuration settings:
> nsslapd-cachesize (Database Settings - Maximum entries in cache)
> nsslapd-cachememsize (Database Settings - Memory available for cache)
> nsslapd-dbcachesize (LDBM Plug-in Settings - Maximum cache size)
> nsslapd-import-cachesize (LDBM Plug-in Settings - Import cache size).
> Can't recover; calling exit(1).
> It looks like there is no more available virtual memory to use, so should I set
> a larger nsslapd-dbcachesize?
> I don't know if it will go down again, and please give me some advice.
> It's important to me. Thanks a lot.
> What version of fedora-ds or 389-ds-base?
> What platform?
> This usually means you have run out of memory. The usual thing is to
> reduce your cache sizes (as specified above). Start with
> nsslapd-dbcachesize as the minimum. Set nsslapd-cachememsize to be
> large enough to cache all of your entries, but no larger.
> Ma Hao
I am trying to setup a test environment where each database should
contain multiple suffixes. I have 6 organizations:
a1 and a2, should belong to userRoot, which is "mastered" in server1,
b1 and b2 should belong to database px02, which is mastered in server2,
and so with c1 and c2. Is this possible to do? I am trying to do it,
creating a new sub-suffix b1, allowing the console to autocreate
database px02. Then I create a new sub-suffix b2, without creating any
database. Then, I try to assign the database px02 previously created,
but i get an error in the console, and in the logs: "ERROR: backend
px_02 is already pointed to by a mapping tree node. Only one mapping
tree node can point to a backend", so I think this is not possible.
CentOS 5.5 + 389-ds-base-188.8.131.52-2.el5
I have a simple question, I guess... How do I find out which character encoding
is used in my DS (utf-8, latin1, etc.)?
Francisco José Pérez González
CCNA Exploration Netacad V 4.0 Pass
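On the encoding question: LDAPv3 (RFC 4511) defines string syntaxes such as DirectoryString as UTF-8, so what the directory holds is UTF-8 by definition. What actually varies is whether the clients that wrote the data sent correct UTF-8, and an LDIF export (db2ldif, or ldapsearch -LLL) exposes that, because every value containing non-ASCII bytes comes out base64-encoded. The script below is an added example, not part of this thread or of 389-ds: it parses an LDIF export, decodes the base64 values, and reports values that are not valid UTF-8 (typically raw latin-1 pushed in by an old client) and values that look double-encoded (UTF-8 read as latin-1 and encoded again, the "JosÃ©" look). The sample LDIF is constructed inline; the double-encoding test is a heuristic, as noted in the code.

```python
"""Check the character encoding of attribute values in an LDIF export.

Added example, not code from 389-ds or this thread. Reads LDIF as bytes so the
raw value bytes are preserved; handles folded continuation lines and 'attr::'
base64 values per RFC 2849. The sample export at the bottom is constructed.
"""
import base64


def _unfold(data):
    """Join RFC 2849 continuation lines (a line starting with one space)."""
    out = []
    for line in data.replace(b"\r\n", b"\n").split(b"\n"):
        if line.startswith(b" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def parse_ldif(data):
    """Return [(dn, [(attr, raw_value_bytes), ...]), ...] for the entries in data."""
    entries, dn, attrs = [], None, []
    for line in _unfold(data) + [b""]:
        if not line:                      # blank line ends an entry
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, []
            continue
        if line.startswith(b"#") or line.startswith(b"version:"):
            continue
        name, _, value = line.partition(b":")
        if value.startswith(b":"):        # 'attr:: base64'
            raw = base64.b64decode(value[1:].strip())
        elif value.startswith(b"<"):      # 'attr:< file:///...' is out of scope here
            raise ValueError(f"URL-valued attribute not supported: {name!r}")
        else:
            raw = value[1:] if value[:1] == b" " else value
        name = name.decode("ascii")
        if name.lower() == "dn":
            dn = raw.decode("utf-8", "replace")
        else:
            attrs.append((name, raw))
    return entries


def check_encoding(data):
    """Return (dn, attr, reason) for values that are not UTF-8, or that look
    double-encoded. The second test is a heuristic: text whose characters all fit
    in latin-1 and that still decodes cleanly as UTF-8 after re-encoding to
    latin-1 was almost certainly UTF-8 bytes mis-read as latin-1 by some client."""
    findings = []
    for dn, attrs in parse_ldif(data):
        for attr, raw in attrs:
            try:
                text = raw.decode("utf-8")
            except UnicodeDecodeError:
                findings.append((dn, attr,
                                 f"not valid UTF-8; as latin-1 it reads {raw.decode('latin-1')!r}"))
                continue
            if text.isascii():
                continue
            try:
                repaired = text.encode("latin-1").decode("utf-8")
            except (UnicodeEncodeError, UnicodeDecodeError):
                continue                  # genuine UTF-8 text, nothing to report
            findings.append((dn, attr, f"looks double-encoded; repaired reading {repaired!r}"))
    return findings


def _b64(raw):
    return base64.b64encode(raw).decode("ascii").encode("ascii")


GOOD = "Jos\u00e9 P\u00e9rez"
SAMPLE_LDIF = b"".join([                  # constructed export, not a real directory
    b"version: 1\n",
    b"dn: uid=jose,ou=People,dc=example,dc=com\n",
    b"objectClass: inetOrgPerson\n",
    b"uid: jose\n",
    b"mail: jose@examp\n le.com\n",       # folded continuation line
    b"cn:: " + _b64(GOOD.encode("utf-8")) + b"\n",                  # correct UTF-8
    b"sn:: " + _b64("P\u00e9rez".encode("utf-8")) + b"\n",
    b"description:: " + _b64(GOOD.encode("latin-1")) + b"\n",       # raw latin-1 bytes
    b"displayName:: " + _b64(GOOD.encode("utf-8").decode("latin-1").encode("utf-8")) + b"\n",
    b"\n",
])

if __name__ == "__main__":
    for dn, attr, reason in check_encoding(SAMPLE_LDIF):
        print(f"{dn}: {attr}: {reason}")
```

Run it against a real export with check_encoding(open("export.ldif", "rb").read()); a clean directory produces no findings, and every finding names the entry and attribute to fix with ldapmodify.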