I'm looking to deploy 389 Directory in my environment to replace an
existing iPlanet installation. I would be using it primarily to store
user account data for authentication purposes. I have two physically
separate data centers that I would like to share the same directory
tree. My initial thinking is to set up 389 DS as follows:
-A Master/Consumer in DataCenter A
-A Master/Consumer in DataCenter B
-Replication agreement between both masters, to mirror the directory
tree in both environments.
Does this sound like a reasonable approach? Is there a better way to do
it? (i.e. four masters?) Is there documentation for best practices when
setting up 389 DS in situations such as this?
First, big thanks to all the people developing and maintaining 389ds! I've
been learning LDAP for a while and there is one question which I haven't been
able to figure out.
There are a bunch of Debian servers authenticating against 389ds. I
started with anonymous bind to get the basic setup working. Now I would
like to limit access to 389ds. What is the best/recommended way to
achieve this? I have stuff under ou=Groups,dc=domain,dc=com (e.g.
ou=Sales,ou=Groups,dc=domain,dc=com) which I don't want to be visible
* Create an entry under people ou=People,dc=domain,dc=com and use that
for credentials on all servers? Create an ACI based on this?
* Create e.g. ou=Servers,dc=domain,dc=com, put an entry there for each
server separately and create an ACI based on this?
Thanks for answering my probably simple question!
Mr. Matti Alho
Is it possible to customise the behaviour of the "Create a new user"
menu item so that it uses a predefined set of classes and presents the
set of attributes that I want to record in LDAP? If so, how?
I have been running 389 dir server for around 8 months now, recently
whenever I restart or setup a new machine and connect it to the 389 server
using the same settings as the other servers it will freeze during startup
at INIT, I am using an IP in my config files.
Once I remove ldap from nsswitch.conf the servers all boot normally. I did
restart the ldap server and I am sure it is not a firewall issue.
Any input please ?
I am trying to grant a specific group the ability to edit one attribute. I have the following ACI in place with no success:
(targetattr ="description")(version 3.0;acl "evolvadmins description modify";allow(all) (groupdn = "ldap:///cn=evolvadmins,ou=Groups,dc=evolv,dc=com");)
Any ideas what I need to do? Any good guides to troubleshooting and writing ACIs?
Senior Systems Administrator, Primatics Financial
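The two ACI questions above (limiting what anonymous clients can see under ou=Groups, and an ACI meant to let one group edit the description attribute) share the same building block, so here is one added example covering both. It is not code from the list or from the 389 DS project: a small Python parser for the ACI grammar, plus a linter that flags the two things a reviewer would look at first, allow (all) where a single right would do, and userdn = "ldap:///anyone" (which includes anonymous binds) on read rights. POSTED is the ACI quoted in the thread; the rewritten ACIs, the group cn=ldap-clients,ou=Groups,dc=domain,dc=com and the userPassword exclusion are constructed assumptions, and the parser covers the common ACI shape only, not every bind-rule keyword or nested expression.

```python
"""Parser and linter for 389 DS ACI strings (added example; sample ACIs are constructed)."""
import re

# Rights a permission rule may name; in 389 DS "all" means every right except proxy.
RIGHTS = {"read", "write", "add", "delete", "search", "compare", "selfwrite", "proxy", "all"}
READ_LIKE = {"read", "search", "compare", "all"}
TARGET_RE = re.compile(r'\(\s*(targattrfilters|targetattr|targetfilter|targetscope|target)'
                       r'\s*(!?=)\s*"([^"]*)"\s*\)', re.I)
PERM_RE = re.compile(r'^(allow|deny)\s*\(\s*([^)]*)\)\s*(.*)$', re.S | re.I)
BIND_RE = re.compile(r'\b(userdn|groupdn|roledn|userattr|ip|dns|dayofweek|timeofday|authmethod)'
                     r'\s*(!?=)\s*"([^"]*)"', re.I)


def _split_outside_quotes(text, sep=";"):
    """Split on sep, ignoring separators inside double-quoted values."""
    parts, buf, quoted = [], [], False
    for ch in text:
        quoted ^= (ch == '"')
        if ch == sep and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return parts


def parse_aci(text):
    """Return {"name", "targets", "permissions"} for one ACI, or raise ValueError."""
    text, targets, pos = text.strip(), {}, 0
    while True:                                   # leading (target... = "...") rules
        m = TARGET_RE.match(text, pos)
        if not m:
            break
        targets[m.group(1).lower()] = (m.group(2), m.group(3))
        pos = m.end()
    body = text[pos:].strip()
    if not (body.startswith("(") and body.endswith(")")):
        raise ValueError("expected (version 3.0; ...) block after the target rules")
    clauses = _split_outside_quotes(body[1:-1])
    if len(clauses) < 2 or not clauses[0].lower().startswith("version"):
        raise ValueError("ACI body must start with 'version 3.0'")
    name = re.match(r'acl\s*"([^"]*)"', clauses[1], re.I)
    if not name:
        raise ValueError('missing acl "name" clause')
    perms = []
    for clause in clauses[2:]:
        if not clause:                            # empty piece after the trailing ';'
            continue
        pm = PERM_RE.match(clause)
        if not pm:
            raise ValueError("bad permission clause: %r" % clause)
        rights = {r.strip().lower() for r in pm.group(2).split(",") if r.strip()}
        if rights - RIGHTS:
            raise ValueError("unknown rights: %s" % sorted(rights - RIGHTS))
        subjects = [(k.lower(), op, v) for k, op, v in BIND_RE.findall(pm.group(3))]
        if not subjects:
            raise ValueError("permission clause has no bind rule: %r" % clause)
        perms.append({"effect": pm.group(1).lower(), "rights": rights, "subjects": subjects})
    if not perms:
        raise ValueError("ACI has no allow/deny clause")
    return {"name": name.group(1), "targets": targets, "permissions": perms}


def lint(text):
    """Warnings for grants broader than the stated intent usually needs."""
    aci, warnings = parse_aci(text), []
    for p in aci["permissions"]:
        if p["effect"] != "allow":
            continue
        if "all" in p["rights"]:
            warnings.append('acl "%s": allow (all) grants read, write, add, delete, search, '
                            'compare and selfwrite; to let a group edit one attribute, '
                            'allow (write) is enough' % aci["name"])
        anon = any(k == "userdn" and op == "=" and v.lower() == "ldap:///anyone"
                   for k, op, v in p["subjects"])
        authmethods = [v.lower() for k, _, v in p["subjects"] if k == "authmethod"]
        if anon and (not authmethods or "none" in authmethods) and p["rights"] & READ_LIKE:
            warnings.append('acl "%s": userdn = "ldap:///anyone" includes anonymous binds; '
                            'use "ldap:///all" (any authenticated DN) or a group of '
                            'client/service accounts' % aci["name"])
    return warnings


# POSTED is the ACI quoted in the thread; the other three are constructed rewrites (assumptions).
POSTED = ('(targetattr ="description")(version 3.0;acl "evolvadmins description modify";'
          'allow(all) (groupdn = "ldap:///cn=evolvadmins,ou=Groups,dc=evolv,dc=com");)')
NARROW = ('(targetattr = "description")(version 3.0; acl "evolvadmins description modify"; '
          'allow (write) groupdn = "ldap:///cn=evolvadmins,ou=Groups,dc=evolv,dc=com";)')
ANON_READ = ('(targetattr != "userPassword")(version 3.0; acl "anonymous read"; '
             'allow (read, search, compare) userdn = "ldap:///anyone";)')
CLIENTS_READ = ('(targetattr != "userPassword")(version 3.0; acl "ldap clients read groups"; '
                'allow (read, search, compare) '
                'groupdn = "ldap:///cn=ldap-clients,ou=Groups,dc=domain,dc=com";)')

if __name__ == "__main__":
    for label, aci in (("posted", POSTED), ("narrow", NARROW), ("anon", ANON_READ), ("clients", CLIENTS_READ)):
        print(label, "->", lint(aci) or ["ok"])
```

Run as a script it prints the lint result for each sample: the posted ACI parses cleanly (so its syntax is not the problem) but is flagged for allow (all); the narrowed form and the group-based read ACI pass; the "anyone" read rule is flagged. An ACI only applies to the entry it is stored on and the subtree beneath it, so a rule meant for ou=Groups,dc=domain,dc=com has to be added as an aci attribute value on that entry (or on an ancestor) rather than somewhere else in the tree.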
Thanks for your kind reply. I want to use 389 DS for my web
application. After user name and password authentication, the
application will access the complete details of the
authenticated user from the DS, like Home Address, Phone Number, Image, PAN
Card, ID Number, Current Address, Nationality etc.
Is there anyone on the list who can clear my doubt about how to explore the DS
according to my requirement?
With warm regards,
On Saturday 15 September 2012 05:30 PM,
> Date: Fri, 14 Sep 2012 23:24:11 +0200
> From: Grzegorz Dwornicki <gd1100(a)gmail.com>
> To: "General discussion list for the 389 Directory server project."
> Subject: Re: [389-users] 389 DS Authentication
> I tried using samba with ldap backend for windows authentication. I was
> able to login but I didn't try to do more than logging in. I was just curious
> about this.
> In this way accounts can have normal linux attributes too. Only problem
> will be with password sync.
> But if you choose only normal ldap there were some projects like pgina. But
> I don't know how this works. I heard from a friend once about problems but I
> don't remember the ugly details.
> I hope this will help you
> On 14 Sep 2012 09:19, "Vijay Thakur" <vijay.thakur(a)loopmethods.com> wrote:
>> All Experts,
>> I have posted my query on many places, but got no satisfactory reply. So I
>> am here for help.
>> I have configured 389 Directory Server in CentOS 5.8. I have added some
>> users and groups with DS Console. Now I want to authenticate my Windows and
>> Linux systems with 389-DS. I have found no information on getting system login
>> (authenticated) by googling it. How can I add systems to the Directory Server?
>> Kindly suggest what changes are required at the server and client end
>> (Windows or Linux) to be authenticated by the Directory Server.
>> Thanks in advance.
is it possible to extract/export the CA certificate stored on a 389
directory server? If so, how so?
Greg Matthews 01235 778658
Scientific Computing Group Leader
Diamond Light Source Ltd. OXON UK
Can an admin server manage remote directory servers? The docs always seem to
refer to running an admin server alongside the directory server, but in the
case of running a slave directory server, it would be nice to be able to
manage that from the admin server on our main directory server machine. Is
Also, should the instance name of the slave server be different than the
instance name of the primary server? It doesn't seem to be a requirement, and
I'm not sure what is more or less confusing.
Technical Manager 303-415-9701 x222
NWRA, Boulder Office FAX: 303-415-9702
3380 Mitchell Lane orion(a)nwra.com
Boulder, CO 80301 http://www.nwra.com