How to modify the attribute nsslapd-encryptionalgorithm in Centos?
Stop Master servers and set nsslapd-encryptionalgorithm. The allowed value is AES or 3DES.
--- Em ter, 4/6/13, Rich Megginson <rmeggins(a)redhat.com> escreveu:
De: Rich Megginson <rmeggins(a)redhat.com>
Assunto: Re: [389-users] changelog
Para: "Denise Cosso" <guanaes51(a)yahoo.com.br>
Data: Terça-feira, 4 de Junho de 2013, 16:34
On 06/04/2013 01:26 PM, Denise Cosso
CentOS release 6.3 (Final)
As far as replication goes - you will need to use a security layer
(SSL, TLS, or GSSAPI) to protect the clear text password on the wire
As far as encrypting it in the changelog - not sure
--- Em ter, 4/6/13, Rich Megginson <rmeggins(a)redhat.com>
De: Rich Megginson <rmeggins(a)redhat.com>
Assunto: Re: [389-users] changelog
Para: "General discussion list for the 389 Directory
Cc: "Denise Cosso" <guanaes51(a)yahoo.com.br>
Data: Terça-feira, 4 de Junho de 2013, 16:11
06/04/2013 12:39 PM, Denise Cosso wrote:
Description of problem:
When a userPassword is changed in a server with changelog, the hashed password
is logged and also a cleartext pseudo-attribute version. It looks like this:
This unhashed version is used in winsync where the cleartext version of the
password must be written to the AD.
Now if the DS is involved in replication with another DS, the change will be
replayed exactly as it is logged to the other DS replicas, including the
cleartext pseudo-attribute password.
What platform? What version of 389-ds-base are you
389 users mailing list
We have a master - master replication agreement. When we initialize the replication it works perfectly we can see changes to a test user we have set up go up and down from the two servers. However at some point the replication stops and we cannot get replication to start once again. The only way we can get replication to start once again is to recreate the replication agreement and then it fails again. Can anyone please point us in a direction. I am relatively new to 389 so any help would be greatly appreciated.
Santos U. Ramirez
Linux Systems Administrator
National DCP, LLC
150 Depot Street
Bellingham, Ma. 02019
This email and any attachments are intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail, do not copy or forward to any unauthorized persons, permanently delete the original and notify the sender by replying to this email.
After a while I start again to work on 389 ds.
389ds last released from epel, is installed on a rhel 6.5, that host also other services (bind, dhcpd, radius.....). Such server is configured with some virtual nic.
I noticed starting 389ds the following error:
intranet5...[14/Feb/2014:08:30:20 +0100] createprlistensockets - PR_Bind() on All Interfaces port 636 failed: Netscape Portable Runtime error -5982 (Local Network address is in use.)
I've tried to insert in dse.ldif directives like
but it comes a more "IP specific" error :
intranet5...[14/Feb/2014:10:01:34 +0100] createprlistensockets - PR_Bind() on 192.168.60.23 port 636 failed: Netscape Portable Runtime error -5982 (Local Network address is in use.)
finally I noticed:
[root@intranet5 dirsrv]# netstat -anp | grep 636
udp 0 0 0.0.0.0:636 0.0.0.0:* 1342/portreserve
such service clearly conflict with 389ds ldaps
It seems I'm facing bug https://bugzilla.redhat.com/show_bug.cgi?id=848414
since I really have tested also openldap
[root@intranet5 dirsrv]# more /etc/portreserve/slapd
from portreserve man I read
For each service configuration file, a socket is created and bound to the appropriate port. A service wishing to bind to its port must first run portrelease, which instructs
portreserve to release the port associated with the service.
It seems so that 389ds be not aware of portreserve . Shoud I simply remove /etc/portreserve/slapd and restart portreserve ?
corso Stati Uniti,4
35127 Padova - Italy
phone: +39 049 8295097 fax: +39 049 8700718
Just upgraded my packages from:
After that I ran "setup-ds-admin.pl -u". Now I'm having problems starting dirsrv-admin:
# service dirsrv-admin start
httpd.worker: Syntax error on line 136 of /etc/dirsrv/admin-serv/httpd.conf: Cannot load /usr/lib64/dirsrv/modules/mod_admserv.so into server: /usr/lib64/libadminutil.so.0: undefined symbol: ldap_explode
Server failed to start !!! Please check errors log for problems
# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.9 (Tikanga)
I checked any error logs I could think of but found nothing.
Thanks in advance for the help!
This communication, including any attached documentation, is intended only for the person or entity to which it is addressed, and may contain confidential, personal and/or privileged information. Any unauthorized disclosure, copying, or taking action on the contents is strictly prohibited. If you have received this message in error, please contact us immediately so we may correct our records. Please then delete or destroy the original transmission and any subsequent reply.
We've just set up monster-sized server nodes to run 389 as a replacement to Sun DS. I've been running my tests and I am pleased to report that the memory issue seems to be in check with growth only up to double the initial memory usage after large quantities of ldapmodify calls. We have plenty of room in these boxes to accommodate caching the entire database.
The key blocker on this is still the ACL processing times for which I have been unable to find a decent resolution. We have 135 ACIs at the root of the suffix. When I comment out most of them but leave one service account active, processing times are very nicely fast. When I leave them all on, that same service account takes 2.5 seconds to respond when only one request is pending. A new kink in the puzzle here which is probably going to be a deal breaker is that if I run the same request on multiple threads, each thread takes proportionately longer to respond depending on the number of threads. If I have 12 threads going doing a simple lookup, each thread responds in 45-55 seconds. If I have 24 threads going, each thread takes 1m45s - 1m55s to respond. The box has 32 cores available. While processing, each thread is burning 100% of an available CPU thread for the entire time. Theoretically when up to 32 requests are simultaneously processing, each thread should return in 2.5 seconds just as if it were one thread.
Since all threads are burning 100% the entire time, it doesn't seem like that would be caused by simple thread locking where some threads are waiting for others.
I'm thinking the system is not properly configured in some way and there is a system bottleneck blocking the processing. When burning the CPU there is very little percentage allocated to the user percentage, most of the CPU usage is listed under the system CPU usage. Is this normal, or is this indicative of some system layer that is bottlenecking the processing?
Another question I posed earlier is whether or not it is possible to replicate three subtrees independently and then keep the aci entry at the root suffix independent so it can be set separately for multiple downstream replicants. That way we could possibly subdivide the service accounts across different nodes. Is that possible?
Systems Programmer IV
Enterprise Identity Management
University of Southern California
We are making some test in order to synchronize 389 Directory with an Active Directory. We don't install pass sync because we need only to synchronize password from the 389 Directory instance. Everything works well, but when we analyze the user on Active Directory that were synchronized from the 389 Directory, we notice that the AccountUserControl value was 544, that's mean NORMAL ACCOUNT + PASSWD_NOTREQD. Due to security reason it is not acceptable for us, at least it must be 514 (only NORMAL_ACCOUNT).
We search a way to modify this behavior, but we cannot find anything. Is there any way to force this value for new user synchronize to the Active Directory ?
OS : CentOS 6.5
389 Directory version : 389-Directory/22.214.171.124 B2013.357.177
Active Directory on Windows 2008R2
I tried asking this on the developer list and didn't get an answer so
im trying the user list now
So here is my goal I am about to write a plugin for Heimdal KDC's to
update matching password fields in LDAP servers.
In the case of 389 server it will also allow 389 server to manage
password quality checks.
Ive been looking over the 389 servers docs and there is something I'm
How do I pass the password to 389 server to trigger the quality check
Is it simply just a bind as an administrator then update the users
password field with clear text password and let 389 server check and
hash it from there, or is there more to it like a C API call?
If any one can point me to the appropriate doc or even better section
of the appropriate doc that would be very helpful.
If any one just happens to knows the answer I would appreciate that too.
Note: The resulting plugin will be posted on Github with a GPL license
when I'm done.
I'm planning to use 389ds from SD-Card. So I would like to minimise write I/O.
It's absolutely fine if there's only a consistent state saved once a day.
For example via some cronjob running ns-slapd db2archive (which I've done so far).
I do not need any database-logs to have even the last seconds in a disaster recovery.
Any hints to tune it for this use case?
There are files constantly written, AFAIK by the Berkeley DB:
Can I get rid of those files? Move them to a Ram Disk?
I want the account lockout policy of all 3 servers to be the same, and the account lockout status of a given bind-dn to be the same across all 3.
I made the config shown below, but when I locked an account via purposely failed bind attempts to one of the consumers, neither the supplier nor the other consumer got informed that the account was locked. Any ideas?
I ran this on the supplier and both consumers:
ldapmodify -h localhost -cax -D "cn=directory manager" -y ~/pword <<BYE
And this on each of the 2 consumers:
ldapmodify -h localhost -D cn="Directory Manager" -y ~/pword <<BYE
Sr. Systems Administrator