I have two 389 directory servers up and running with Multi Master
replication without SSL/TLS with simple authentication.
After battling through the SSL for client authentication I am not able to
configure StartTLS/Simple Authentication based Multi-Master replication.
When I change the connection type from plain text to StartTLS I get "SSL
Peer cannot verify your certificate".
I am using the Admin GUI for all configuration work.
I am using a self-signed certificate. I generated the self-signed certificate
using certutil and imported it into the other server.
I used the same self-signed certs for client authentication (I know it may
not be best practice, but I will be happy if it works in this way, at least
I would appreciate any help.
Trying to use this tool to do an openldap to 389 import. It seems to go
well importing the schema and users, but does not import any of the
groups and I don't really know why or what to look for. I looked
through the import log it created but frankly I don't understand what
I'm looking for. I could just take an ldif of the groups from the
openldap but I can't find a way to import them into 389 using the
console. Any enlightenment would be appreciated.
Is it possible to synchronize password expiration times between AD and LDAP?
We're just discovering that the AD sync to LDAP doesn't update
shadowLastChange which we are currently using on the LDAP side. Should we use
a different scheme for password expiration?
Technical Manager 303-415-9701 x222
NWRA, Boulder Office FAX: 303-415-9702
3380 Mitchell Lane orion(a)nwra.com
Boulder, CO 80301 http://www.nwra.com
After updating the directory as follows in order to make 389ds listen to localhost:389 and external.ip.address:636 (with SSL), the server refuses to start complaining as follows:
[22/Dec/2012:09:32:26 +0000] createprlistensockets - PR_Bind() on 172.20.10.6 port 636 failed: Netscape Portable Runtime error -5982 (Local Network address is in use.)
I have checked, nothing is listening to port 636 before the server restart, so the most likely explanation is that 389ds is trying to bind to port 636 twice, and failing on the second go.
# set the IP address for unencrypted access
# set the IP address for encrypted access
Can anyone point out what I am doing wrong above?
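One way to catch this kind of restart failure before it happens is to compute, from the cn=config attributes in dse.ldif, which (address, port) sockets the server will try to bind and check them for collisions. The script below is an added example, not the poster's configuration (the page does not show it) and not 389-ds project code. It assumes the documented semantics of nsslapd-port / nsslapd-listenhost (plain socket), nsslapd-secureport / nsslapd-securelistenhost (LDAPS socket, active only when nsslapd-security is on), an unset listenhost meaning "all addresses", and a port of 0 disabling that listener. Both dse.ldif fragments inside it are constructed for the example; base64 (`::`) attribute values are not handled.

```python
"""Added example: derive the listener bind plan from a 389-ds dse.ldif and
flag sockets that cannot coexist. Not from the original post or project."""
from collections import defaultdict

# Constructed sample: plain and secure listeners both end up on 172.20.10.6:636,
# which is one way to get "PR_Bind() ... port 636 failed ... address is in use".
SAMPLE_DSE_LDIF = """\
dn: cn=config
cn: config
nsslapd-port: 636
nsslapd-listenhost: 172.20.10.6
nsslapd-security: on
nsslapd-secureport: 636
nsslapd-securelistenhost: 172.20.10.6
"""

# Constructed sample of the intended layout: plain LDAP only on loopback,
# LDAPS only on the external address.
FIXED_DSE_LDIF = """\
dn: cn=config
cn: config
nsslapd-port: 389
nsslapd-listenhost: 127.0.0.1
nsslapd-security: on
nsslapd-secureport: 636
nsslapd-securelistenhost: 172.20.10.6
"""


def parse_cn_config(ldif_text):
    """Return the attributes of the 'dn: cn=config' entry as a dict.

    Keeps the first value of each attribute and joins LDIF continuation
    lines (lines starting with a single space) onto the previous value.
    """
    entries = defaultdict(dict)
    current, prev_key = None, None
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and current is not None and prev_key in entries[current]:
            entries[current][prev_key] += raw[1:]
            continue
        if not raw.strip() or raw.startswith("#"):
            continue
        key, _, value = raw.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            current = value.lower()
        elif current is not None:
            entries[current].setdefault(key, value)
        prev_key = key
    return entries.get("cn=config", {})


def bind_plan(config):
    """List the (host, port, label) sockets the server will try to bind."""
    plan = []
    port = int(config.get("nsslapd-port", "389"))
    if port:  # nsslapd-port: 0 disables the plain listener
        plan.append((config.get("nsslapd-listenhost", "0.0.0.0"), port, "ldap"))
    if config.get("nsslapd-security", "off").lower() == "on":
        sport = int(config.get("nsslapd-secureport", "636"))
        if sport:
            plan.append((config.get("nsslapd-securelistenhost", "0.0.0.0"), sport, "ldaps"))
    return plan


def bind_conflicts(plan):
    """Pairs of listeners that collide: same port on the same address, or the
    same port where one side is the wildcard address (on Linux a wildcard
    listener and a specific-address listener on one port normally collide)."""
    conflicts = []
    for i, (h1, p1, l1) in enumerate(plan):
        for h2, p2, l2 in plan[i + 1:]:
            if p1 == p2 and (h1 == h2 or "0.0.0.0" in (h1, h2)):
                conflicts.append((l1, l2, p1))
    return conflicts


if __name__ == "__main__":
    for name, text in (("broken", SAMPLE_DSE_LDIF), ("fixed", FIXED_DSE_LDIF)):
        plan = bind_plan(parse_cn_config(text))
        print(name, plan, "conflicts:", bind_conflicts(plan))
```

Run it against a real instance with `parse_cn_config(open("/etc/dirsrv/slapd-INSTANCE/dse.ldif").read())`; an empty conflict list means the restart will not fail on PR_Bind for this reason, though something else may of course still hold the port.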
I'm trying to set up an LDAP server for our website but we have a couple of
client companies who wish to use their own LDAP authentication.
Firstly does anyone know of a simple howto on proxying? I think that's the
easiest way to support this.
Secondly and the killer question, one of those clients needs to
authenticate against their AD domain, but the permissions attributes are in
a separate LDAP server which contains the same users. How on earth do I
make that work?
We are using the 389 LDAP server, which has around <1000 objects. We have a control script running as a separate process to perform the search operation in a particular DN. From the access log, around 98% of the search operations have an estimation timeout value of 0 seconds. For the remaining 2% we got different estimation timeout values (1-18 seconds). We didn't observe any error message in the log file. We also have some other Java processes running on the same machine.
Any idea what the possible reason could be for the search operation taking more time? And how do we debug this issue?
Thanks in advance,
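A practical way to narrow this down is to pair each SRCH line in the 389-ds access log with its RESULT line (same conn and op), then look at the slow ones: what base, scope and filter they used, how many entries came back, and whether the server marked them unindexed (notes=U). The parser below is an added example, not code from the poster or the 389-ds project; it assumes the per-operation values quoted above are the access log's etime field, and the four log lines embedded in it are constructed for the example, not taken from the poster's server.

```python
"""Added example: correlate SRCH/RESULT pairs in a 389-ds access log and
report slow and unindexed searches. Not from the original post or project."""
import re

# Constructed sample access-log lines (not the poster's real log).
SAMPLE_ACCESS_LOG = """\
[22/Dec/2012:09:32:26 +0000] conn=12 op=5 SRCH base="ou=People,dc=example,dc=com" scope=2 filter="(uid=jdoe)" attrs="cn mail"
[22/Dec/2012:09:32:26 +0000] conn=12 op=5 RESULT err=0 tag=101 nentries=1 etime=0
[22/Dec/2012:09:32:27 +0000] conn=12 op=6 SRCH base="ou=People,dc=example,dc=com" scope=2 filter="(uid=asmith)" attrs="cn mail"
[22/Dec/2012:09:32:27 +0000] conn=12 op=6 RESULT err=0 tag=101 nentries=1 etime=0
[22/Dec/2012:09:32:28 +0000] conn=13 op=1 BIND dn="uid=ctl,ou=People,dc=example,dc=com" method=128 version=3
[22/Dec/2012:09:32:28 +0000] conn=13 op=1 RESULT err=0 tag=97 nentries=0 etime=0
[22/Dec/2012:09:32:30 +0000] conn=13 op=2 SRCH base="ou=People,dc=example,dc=com" scope=2 filter="(description=*server*)" attrs=ALL
[22/Dec/2012:09:32:48 +0000] conn=13 op=2 RESULT err=0 tag=101 nentries=40 etime=18 notes=U
[22/Dec/2012:09:32:49 +0000] conn=13 op=3 SRCH base="dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[22/Dec/2012:09:32:49 +0000] conn=13 op=3 RESULT err=0 tag=101 nentries=1 etime=0
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<rest>.*)$")
SRCH_RE = re.compile(r'^SRCH base="(?P<base>[^"]*)" scope=(?P<scope>\d) '
                     r'filter="(?P<filter>.*?)" attrs=(?P<attrs>.*)$')
RESULT_RE = re.compile(r"^RESULT err=(?P<err>\d+) tag=(?P<tag>\d+) "
                       r"nentries=(?P<nentries>\d+) etime=(?P<etime>[\d.]+)(?P<extra>.*)$")


def parse_access_log(lines):
    """Return one dict per completed search, joining SRCH and RESULT on (conn, op).
    etime is parsed as float so both old integer-second and newer fractional
    formats work; 'unindexed' is True when the RESULT line carries notes=U."""
    pending, searches = {}, []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        key, rest = (m["conn"], m["op"]), m["rest"]
        s = SRCH_RE.match(rest)
        if s:
            pending[key] = {"ts": m["ts"], "conn": int(m["conn"]), "op": int(m["op"]),
                            **s.groupdict()}
            continue
        r = RESULT_RE.match(rest)
        if r and key in pending:  # RESULT lines of BIND etc. have no pending SRCH
            rec = pending.pop(key)
            rec.update(err=int(r["err"]), nentries=int(r["nentries"]),
                       etime=float(r["etime"]), unindexed="notes=U" in r["extra"])
            searches.append(rec)
    return searches


def slow_searches(searches, threshold=1.0):
    """Searches whose etime is at least `threshold` seconds."""
    return [s for s in searches if s["etime"] >= threshold]


def etime_summary(searches):
    """Share of searches with etime 0 and count of unindexed ones."""
    total = len(searches)
    zero = sum(1 for s in searches if s["etime"] == 0)
    return {"total": total,
            "zero_etime_pct": round(100.0 * zero / total, 1) if total else 0.0,
            "unindexed": sum(1 for s in searches if s["unindexed"])}


if __name__ == "__main__":
    found = parse_access_log(SAMPLE_ACCESS_LOG.splitlines())
    print(etime_summary(found))
    for s in slow_searches(found):
        print("%(ts)s conn=%(conn)s op=%(op)s etime=%(etime)s nentries=%(nentries)s "
              "unindexed=%(unindexed)s filter=%(filter)s" % s)
```

Feed it the real file with `parse_access_log(open("/var/log/dirsrv/slapd-INSTANCE/access"))`. If the slow 2% all share a filter on an attribute without an index (notes=U), that is the first thing to fix; if they are indexed but still slow and cluster in time, look at what else (the Java processes, for instance) is competing for CPU or I/O on the box at those timestamps.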
I am facing problems configuring a CentOS 6 server to act as an ldap client
to my DS389 server. Does anyone know about a valid howto or can you please
paste the sample configs to get it working ?
I have read various documents (including Redhat ones) about ACI
implementation. But still the following basic scenario confuses me.
* anonymous bind disabled
* each client server is authenticated with a unique username (e.g.
* "ou=Projects,dc=domain,dc=com" holds confidential data
* "uid=serveruser1,ou=ServerUsers,dc=domain,dc=com" should only be able to
see one or several entries under "ou=Projects,dc=domain,dc=com"
QUESTION: in order to minimize the amount of ACIs, how should I set up the
I have come up with the following options:
What is the correct way to use allow/deny because if I use default deny
on ou=Projects..., it overrides allows.
2. custom attribute
Add a custom attribute somewhere and use that for ACI?
I could use some concrete examples. I couldn't find any relevant guides
or I'm just blind. :) Thanks for help.
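The behaviour described above (a deny on ou=Projects overriding allows placed lower down) is the documented 389-ds precedence rule: ACIs from the entry and all of its ancestors are collected, a matching deny always wins over any allow, and with no matching allow the result is denied anyway. The usual consequence is to write only allow ACIs and let the implicit deny do the rest. The block below is an added example, not the poster's configuration and not 389-ds code: it generates the two ACI forms (one allow ACI per project entry, or one userattr ACI on ou=Projects keyed on an attribute of the project entry) and includes a deliberately simplified model of the precedence rule that ignores targetattr, targetfilter and individual rights. The DNs, project names and the attribute name `projectReader` are invented for the example.

```python
"""Added example: two allow-only ACI designs for per-server project visibility
and a simplified model of 389-ds ACI precedence. Not from the post or project."""

# --- ACI text as it would go into LDIF (syntax of the 389-ds aci attribute) ---

def per_entry_allow_aci(bind_dn, acl_name):
    """ACI to add to each project entry the service account may read.
    No deny ACI is needed on ou=Projects: entries without an allow fall
    under the implicit deny."""
    return ('(targetattr="*")(version 3.0; acl "%s"; '
            'allow (read,search,compare) userdn="ldap:///%s";)' % (acl_name, bind_dn))


def userattr_aci(attr="projectReader"):
    """One ACI on ou=Projects: a bound user may read a project entry whose
    <attr> attribute contains the user's own DN (userattr ... #USERDN)."""
    return ('(targetattr="*")(version 3.0; acl "project readers by attribute"; '
            'allow (read,search,compare) userattr="%s#USERDN";)' % attr)


# --- simplified evaluator: deny wins, otherwise any matching allow, else deny ---

def evaluate(acis, bind_dn, entry):
    """acis: list of (scope_dn, 'allow'|'deny', bind_rule) where bind_rule is
    ('anyone', None), ('userdn', dn) or ('userattr', attribute_name).
    entry: dict with 'dn' plus multi-valued attributes as lists.
    Returns True if bind_dn may read entry under the simplified model."""
    def in_scope(scope_dn):
        return entry["dn"].lower().endswith(scope_dn.lower())

    def matches(rule):
        kind, value = rule
        if kind == "anyone":
            return True
        if kind == "userdn":
            return value.lower() == bind_dn.lower()
        if kind == "userattr":
            return bind_dn.lower() in [v.lower() for v in entry.get(value, [])]
        return False

    applicable = [(kind, rule) for scope, kind, rule in acis if in_scope(scope)]
    if any(kind == "deny" and matches(rule) for kind, rule in applicable):
        return False          # an explicit deny always overrides allows
    return any(kind == "allow" and matches(rule) for kind, rule in applicable)


# Constructed sample data (invented DNs and attribute).
USER1 = "uid=serveruser1,ou=ServerUsers,dc=domain,dc=com"
PROJECTS = "ou=Projects,dc=domain,dc=com"
PROJECT_A = {"dn": "cn=projectA," + PROJECTS, "projectReader": [USER1]}
PROJECT_B = {"dn": "cn=projectB," + PROJECTS}

# What the poster tried: default deny on the OU plus an allow on one entry.
DENY_THEN_ALLOW = [(PROJECTS, "deny", ("anyone", None)),
                   (PROJECT_A["dn"], "allow", ("userdn", USER1))]
# Option 1: allow-only, one ACI per readable project entry.
PER_ENTRY = [(PROJECT_A["dn"], "allow", ("userdn", USER1))]
# Option 2: allow-only, one ACI on the OU keyed on the entry's projectReader attribute.
BY_ATTRIBUTE = [(PROJECTS, "allow", ("userattr", "projectReader"))]

if __name__ == "__main__":
    print(per_entry_allow_aci(USER1, "serveruser1 reads projectA"))
    print(userattr_aci())
    for name, acis in (("deny+allow", DENY_THEN_ALLOW), ("per-entry", PER_ENTRY),
                       ("by-attribute", BY_ATTRIBUTE)):
        print(name, "A:", evaluate(acis, USER1, PROJECT_A), "B:", evaluate(acis, USER1, PROJECT_B))
```

Option 2 keeps the ACI count constant as projects and server accounts grow; each grant becomes a `projectReader` value on the project entry, which is also easier to audit with a single search than a set of per-entry ACIs.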
I have run the logconv.pl script and get a difference between the Start
and End Replication Request counts. Does it make sense?
----- Extended Operations -----
11874 2.16.840.1.113718.104.22.168 Start Replication Request
7962 2.16.840.1.113722.214.171.124 End Replication Request