Hey everyone,
I have a question. I know at least once in the past I set up the admin
console so it could utilize Kerberos passwords based on a howto I
found once which after I changed jobs I could never find again.
Today I was looking for something else and I saw a mention on the site
about httpd needing to be compiled with http auth support.
Well, I did a little digging and I found this file.
In that file I found a lot of entries that look like this:
AuthName "Admin Server"
Allow from all
When I checked /etc/dirsrv/admin-serv/admpw, sure enough I found the
password hash for the admin user.
So my question is, before I waste time experimenting: could it possibly
be as simple as changing the auth type to Kerberos?
Keep in mind my Kerberos servers do not use LDAP as the backend.
Hi 389 List,
We have a need to use an existing attribute (do not know which
one: nspentrydn, nsbackendsufix) or create a new one, user defined, which
will act similar to a sequence number (integer values, incremental by 1,
range values known). I understand we cannot rely on nsUniqueId. Is
there such an existing attribute in 389? It needs to be unique, LDAP
generated values with gap1, range values can be controlled?
All clients connecting to our 389-ds server showed up this vulnerability on
the scan. How do I fix this on my 389-ds server?
LDAP allows null bases
It is possible to disclose LDAP information.
Improperly configured LDAP servers will allow the directory BASE to be set
to NULL. This allows information to be culled without any prior knowledge
of the directory structure. Coupled with a NULL BIND, an anonymous user can
query your LDAP server using a tool such as 'LdapMiner'
Disable NULL BASE queries on your LDAP server
CVSS Base Score : 5.0
Family name: Remote file access
Copyright: Copyright (C) 2000 John Lampe....j_lampe(a)bellsouth.net
Summary: Check for LDAP null base
Version: $Revision: 128 $
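As an added example (not part of the original post and not 389-ds project code), the sketch below looks for the pattern the scanner text describes, an unauthenticated connection searching with an empty base, in directory access-log lines. The log layout is assumed to follow the usual 389-ds access-log style; the sample lines, addresses and the function names are constructed for illustration.

```python
import re

# Constructed sample lines in the style of a 389-ds access log (not real traffic).
SAMPLE_LOG = '''\
[05/Mar/2015:01:13:10 +0000] conn=7 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.1
[05/Mar/2015:01:13:10 +0000] conn=7 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="namingContexts"
[05/Mar/2015:01:13:10 +0000] conn=7 op=0 RESULT err=0 tag=101 nentries=1 etime=0
[05/Mar/2015:01:13:11 +0000] conn=7 op=1 SRCH base="" scope=2 filter="(objectClass=*)" attrs=ALL
[05/Mar/2015:01:13:11 +0000] conn=7 op=1 RESULT err=0 tag=101 nentries=42 etime=0
[05/Mar/2015:01:14:00 +0000] conn=8 fd=65 slot=65 connection from 192.0.2.20 to 192.0.2.1
[05/Mar/2015:01:14:00 +0000] conn=8 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[05/Mar/2015:01:14:00 +0000] conn=8 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[05/Mar/2015:01:14:01 +0000] conn=8 op=1 SRCH base="" scope=0 filter="(objectClass=*)" attrs=ALL
[05/Mar/2015:01:14:01 +0000] conn=8 op=1 RESULT err=0 tag=101 nentries=1 etime=0
'''

CONNECT = re.compile(r'conn=(\d+) fd=\d+ slot=\d+ connection from (\S+)')
OP = re.compile(r'conn=(\d+) op=(\d+) (\w+)(.*)')

def field(name, text):  # value of name=... (quoted or bare), else None
    m = re.search(rf'\b{name}=(?:"([^"]*)"|(\S+))', text)
    return None if not m else m.group(1) if m.group(1) is not None else m.group(2)

def anonymous_null_base_searches(log_text):
    """List searches with base="" issued on connections with no successful bind.
    scope: 0 = base (root DSE read), 1 = one level, 2 = subtree."""
    peer, bound, pending, open_srch, findings = {}, {}, {}, {}, []
    for line in log_text.splitlines():
        m = CONNECT.search(line)
        if m:
            peer[m.group(1)] = m.group(2)
            continue
        m = OP.search(line)
        if not m:
            continue
        conn, op, verb, rest = m.groups()
        if verb == "BIND":
            pending[(conn, op)] = field("dn", rest) or ""
        elif verb == "SRCH" and field("base", rest) == "" and not bound.get(conn):
            open_srch[(conn, op)] = int(field("scope", rest))
        elif verb == "RESULT" and (conn, op) in pending:
            # A failed bind leaves the connection anonymous.
            dn = pending.pop((conn, op))
            bound[conn] = dn if field("err", rest) == "0" else ""
        elif verb == "RESULT" and (conn, op) in open_srch:
            findings.append({"conn": conn, "peer": peer.get(conn, "?"),
                             "scope": open_srch.pop((conn, op)),
                             "nentries": int(field("nentries", rest) or 0)})
    return findings
```

Calling `anonymous_null_base_searches(SAMPLE_LOG)` reports the two searches on connection 7 and skips connection 8, which bound as a named DN before searching.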
I'd like to see an updated install/upgrade procedure for 389-ds. The info
on the web page is outdated, links for coprs are not working either; maybe
they are not valid anymore. As a user of Centos6x I'm somehow lost when I
see versions of the product coming out whereas my servers are stuck with
the older ones. Should I make the move to Fedora?
389 Directory Server 184.108.40.206
The 389 Directory Server team is proud to announce 389-ds-base version
Fedora packages are available from the Fedora 21, 22 and
The new packages and versions are:
A source tarball is available for download at Download Source
Highlights in 220.127.116.11
* Several bugs are fixed including 2 security bugs
Installation and Upgrade
See Download <http://www.port389.org/docs/389ds/download.html> for
information about setting up your yum repositories.
To install, use *yum install 389-ds*. After install
completes, run *setup-ds-admin.pl* to set up your directory
To upgrade, use *yum upgrade*. After upgrade completes, run
*setup-ds-admin.pl -u* to update your directory server/admin
server/console information.
<http://www.port389.org/docs/389ds/legacy/install-guide.html> for more
information about the initial installation, setup, and upgrade
See Source <http://www.port389.org/docs/389ds/development/source.html>
for information about source tarballs and SCM (git) access.
We are very interested in your feedback!
Please provide feedback and comments to the 389-users mailing list:
https://admin.fedoraproject.org/mailman/listinfo/389-users as well as
If you find a bug, or would like to see a new feature, file it in our
Trac instance: https://fedorahosted.org/389
Detailed Changelog since 18.104.22.168
* Bug 1199675 - CVE-2014-8112 CVE-2014-8105 389-ds-base: various
* Ticket 47431 - Duplicate values for the attribute nsslapd-pluginarg
are not handled correctly
* Ticket 47451 - dynamic plugins - fix crash caused by invalid
* Ticket 47728 - compilation failed with ‘ incomplete
struct/union/enum’ if not set USE_POSIX_RWLOCKS
* Ticket 47742 - 64bit problem on big endian: auth method not supported
* Ticket 47801 - RHDS keeps on logging write_changelog_and_ruv: failed
to update RUV for unknown
* Ticket 47828 - DNA scope: allow to exlude some subtrees
* Ticket 47836 - Do not return ‘0’ as empty fallback value of
nsds5replicalastupdatestart and nsds5replicalastupdatestart
* Ticket 47901 - After total init, nsds5replicaLastInitStatus can
report an erroneous error status (like ‘Referral’)
* Ticket 47936 - Create a global lock to serialize write operations
over several backends
* Ticket 47957 - Make ReplicaWaitForAsyncResults configurable
* Ticket 48001 - ns-activate.pl fails to activate account if it was
disabled on AD
* Ticket 48003 - add template scripts
* Ticket 48003 - build “suite” framework
* Ticket 48005 - ns-slapd crash in shutdown phase
* Ticket 48021 - nsDS5ReplicaBindDNGroup checkinterval not
* Ticket 48027 - revise the rootdn plugin configuration validation
* Ticket 48030 - spec file should run “systemctl stop” against each
running instance instead of dirsrv.target
* Ticket 48048 - Fix coverity issues - 2015/2/24
* Ticket 48048 - Fix coverity issues - 2015/3/1
* Ticket 48109 - substring index with nssubstrbegin: 1 is not being
used with filters like (attr=x*)
So I've bumped into an issue on my IPA install (Debian), where the
package tries to run an offline upgrade when it's updated, but fails:
[15/03/05:01:13:10] - [Setup] Info Error adding entry
'cn=entryusn,cn=default indexes, cn=config,cn=ldbm
database,cn=plugins,cn=config'. Error: No such object
[15/03/05:01:13:10] - [Setup] Fatal Error: could not update the
[15/03/05:01:13:10] - [Setup] Fatal Exiting . . .
Any ideas what's wrong?
I am using 389-ds version 22.214.171.124-1 (shipped with kolab).
Trying to delete a domain gives the following error: ldap_delete:
Operation not allowed on non-leaf (66)
Is this a (known) bug, or am I doing something wrong?
I tried to delete the domain using:
ldapdelete -c -x -D "cn=Directory Manager" -W -r
When I am looking for entries, there seems to be no remaining element:
ldapsearch -D "cn=Directory Manager" -b "dc=test,dc=mydomain,dc=tld"
# extended LDIF
# base <dc=test,dc=mydomain,dc=tld> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
# search result
result: 0 Success
# numResponses: 2
# numEntries: 1
I replaced my real domain-name with test.mydomain.tld
The installation is a single ldap-host with no synchronization or so...
Can anyone help?