I have two 2012 r2 domain controllers with passsync 1.6 x64 installed.
They're both targeting 389-ds-base-188.8.131.52-1.fc22.x86_64 . They're working
I dont know if it's been a software update or a change in the domain
settings. Thing is today, one of the controllers has stopped sync'ing.
Whenever I change one password in that controller, the following message is
logged in passsync.log:
08/29/16 11:30:07: Password list has 1 entries
08/29/16 11:30:07: Attempting to sync password for juankar
08/29/16 11:30:07: Searching for (ntuserdomainid=juankar)
08/29/16 11:30:07: Checking password failed for remote entry:
08/29/16 11:30:07: Deferring password change for juankar
and in the server access log I get ldap bind err=53 when the passsync user
tries to check the password:
[29/Aug/2016:11:30:07 +0200] conn=276 fd=67 slot=67 SSL connection from xxxx
[29/Aug/2016:11:30:07 +0200] conn=276 TLS1.2 128-bit AES
[29/Aug/2016:11:30:07 +0200] conn=276 op=0 BIND dn="uid=juankar,ou=xxx...."
[29/Aug/2016:11:30:07 +0200] conn=276 op=0 RESULT err=53 tag=97 nentries=0
[29/Aug/2016:11:30:07 +0200] conn=276 op=1 UNBIND
[29/Aug/2016:11:30:07 +0200] conn=276 op=1 fd=67 closed - U1
[29/Aug/2016:11:30:07 +0200] conn=275 op=2 UNBIND
Any hints? Could be a problem with certificates? They're both using the
same CA (windows CA Cert serv is installed in one of the DCs)
I am writing a simple app to let users change their own ldap password in go, using gopkg.in/ldap.v2
binding and searching works great. But when I try to change a password as a user, 389ds just crashes.
This happens on both 389-Directory/184.108.40.206 B2014.098.2147 on Ubuntu 14.04 and 389-Directory/220.127.116.11 B2016.132.835 on CentOS 6.
The only things I can see is the error log stating:
[21/Aug/2016:12:12:44 +0000] - 389-Directory/18.104.22.168 B2014.098.2147 starting up
[21/Aug/2016:12:12:44 +0000] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
[21/Aug/2016:12:12:45 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[21/Aug/2016:12:12:45 +0000] - Listening on All Interfaces port 636 for LDAPS requests
I am looking into upgrading TLS to v1.2, This bi-directionally syncs with Active Directory and I am wondering if there are any caveats to following this article: http://directory.fedoraproject.org/docs/389ds/howto/howto-disable-sslv3.html for the 389ds side
Do i need to install a TLSv1.2 package onto my servers first?
~# openssl ciphers -s -tls1_2
Error in cipher list
140350244230984:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1314:
I am assuming that I do not have the supported ciphers.
# rpm -qa 389*
Thank you in advance for your time!
I received the announcement on Friday about 389-ds-base upgrade. below is the short excerpt from the email:
389 Directory Server 22.214.171.124
The 389 Directory Server team is proud to announce 389-ds-base version 126.96.36.199.
Fedora packages are available from the Fedora 24, 25 and Rawhide repositories.
The new packages and versions are:
However, since I am using Cent OS 6, I don't see the latest package available in epel. I tried to do 'yum upgrade 389-ds-base' but I just get the same version as my previous installation, not the newer version. What is the good way to upgrade on Cent OS 6?
I'm new to 389-ds and last week downloaded and installed the software.
I have a running instance of the server, and I've added TLS/SSL. I've configured a CentOS 7 client to be able to query
the server using TLS/SSL, and all appears working.
I've created users and groups on the 389-ds server successfully. For each user and group, I've enabled posix attributes and my client
can see the unix users and groups using the "getent password" or "getent group" commands.
Now, here's where I'm getting tripped up..........
I need to limit which users have access to which systems. I've been trying to do this via memberOf group limitations.
I found the following online resource (https://thornelabs.net/2013/01/28/aix-restrict-server-login-via-ldap-grou...)
which is close enough to CentOS that the initial commands worked.
I enabled the MemberOf plugin and changed the attributes per the link, and restarted the system.
I created a test group (that I didn't enable a posix GID) and tried to add a single user via:
Right click on group -- > click Properties --> then Members --> click Add --> Search for user --> click Add.
When I try to go this route (which worked before enabling the memberOf plugin) it worked. Now it seems I get the error:
"Cannot save to directory server.
netscape.ldap.LDAPException: error resiult(65): Object class violation"
And the messages file throws the error (/var/log/dirsrv/slapd-<instancename>/errors:
"Entry "uid=test,ou=People,dc=int,dc=com" -- attribute "memberOf" not allowed
[17/Feb/2016:11:22:58 -0700] memberof-plugin - memberof_postop_modify: failed to add dn (cn=testgroup,ou=Groups,dc=int,dc=com) to target. Error (65)"
So it seems my server isn't quite using the memberOf plugin properly, but I'm not sure what else to enable. I'll have to solve this issue before
I even try to filter login access via groups on my client system.
I should mention that if I go under the advanced tab for one of the groups I created, I can add the the attribute "uniquemember", but I'm not sure what I
should set the "value" to be.
I've tried creating new users to see if I could set their "uniquemember" attributes, but no luck. It seems that I don't have the ability to set this attribute
on individual users, only groups.
This might not be the right road to head down when trying to restrict access to servers via groups, so I'm open to any suggestions.
Any suggestions would be appreciated.
when I try to link the rancher.com to my 389ds for authentication, I get the following log entry:
[20/Aug/2016:14:42:02 +0000] connection - conn=160 fd=64 Incoming BER Element was 3 bytes, max allowable is 2097152 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
whatever I set nsslapd-maxbersize to, I always get that log entry.
I am using 389-Directory/188.8.131.52 B2014.098.2147 on Ubuntu 14.04
we are about to implement password expiration and I have the following
1) All my users are in ou=People,dc=domain,dc=com. Let's say, on
1.10.2016 via the GUI I will force password expiration on this OU. If
the expiration is set to 90 days, will the password expire on 1.1.2017
or it gets the last set date?
2) I have several service accounts in the OU, and I need to set
non-expire for their password, I see in the GUI it can be done per
user, is this correct?
3) Is there some script, which checks the password expiration date and
send the user warning via email?
Thanks in advance
I am not able to get the memberof attribute to update when I add a user to a group. I have added users to a group using CLI LDIF and via the 389 Console. Any thoughts on what I may be missing?
I have enabled the following plugins and have restarted the directory server:
Auto Membership Plugin
Referential Integrity postoperation
I am using the following 389 RPM's from RH:
Linux Support | Engineering Div.
389 Directory Server 184.108.40.206
The 389 Directory Server team is proud to announce 389-ds-base version
Fedora packages are available from the Fedora 23 repository.
The new packages and versions are:
Source tarballs are available for download at Download 389-ds-base
and Download nunc-stans Source
Highlights in 220.127.116.11
* Various bugs are fixed.
Installation and Upgrade
See Download <http://www.port389.org/docs/389ds/download.html> for
information about setting up your yum repositories.
To install, use *yum install 389-ds* yum install 389-ds After install
completes, run *setup-ds-admin.pl* to set up your directory
To upgrade, use *yum upgrade* yum upgrade After upgrade completes, run
*setup-ds-admin.pl -u* to update your directory server/admin
server/console information. setup-ds-admin.pl -u
<http://www.port389.org/docs/389ds/legacy/install-guide.html> for more
information about the initial installation, setup, and upgrade
See Source <http://www.port389.org/docs/389ds/development/source.html>
for information about source tarballs and SCM (git) access.
We are very interested in your feedback!
Please provide feedback and comments to the 389-users mailing list:
as well as
If you find a bug, or would like to see a new feature, file it in our
Trac instance: https://fedorahosted.org/389
Detailed Changelog since 18.104.22.168
* CVE-2016-4992 389-ds-base: Information disclosure via repeated use
of LDAP ADD operation, etc.
* Ticket 47538 - Fix repl-monitor color and lag times
* Ticket 47538 - repl-monitor.pl legend not properly sorted
* Ticket 47538 - repl-monitor.pl not displaying correct color code for
* Ticket 47819 - RFE - improve tombstone purging performance
* Ticket 47888 - DES to AES password conversion fails if a backend
* Ticket 47888 - Add CI test
* Ticket 48078 - CI test - paged_results - TET part
* Ticket 48109 - substring index with nssubstrbegin: 1 is not being
used with filters like (attr=x*)
* Ticket 48492 - heap corruption at schema replication.
* Ticket 48497 - uncomment pytest from CI test
* Ticket 48636 - Fix config validation check
* Ticket 48636 - Improve replication convergence
* Ticket 48752 - Page result search should return empty cookie if
there is no returned entry
* Ticket 48752 - Add CI test
* Ticket 48755 - moving an entry could make the online init fail
* Ticket 48766 - Replication changelog can incorrectly skip over updates
* Ticket 48767 - flow control in replication also blocks receiving results
* Ticket 48795 - Make various improvements to create_test.py
* Ticket 48798 - Enable DS to offer weaker DH params in NSS
* Ticket 48799 - objectclass values could be dropped on the consumer
* Ticket 48799 - Test cases for objectClass values being dropped.
* Ticket 48808 - Add test case
* Ticket 48808 - Paged results search returns the blank list of entries
* Ticket 48813 - password history is not updated when an admin resets
* Ticket 48848 - modrdn deleteoldrdn can fail to find old attribute
value, perhaps due to case folding
* Ticket 48854 - Running db2index with no options breaks replication
* Ticket 48862 - At startup DES to AES password conversion causes
timeout in start script
* Ticket 48889 - ldclt - fix man page and usage info
* Ticket 48898 - Crash during shutdown if nunc-stans is enabled
* Ticket 48900 - Add connection perf stats to logconv.pl
* Ticket 48922 - Fix crash when deleting backend while import is running
* Ticket 48924 - Fixup tombstone task needs to set proper flag when
* Ticket 48930 - Paged result search can hang the server
* Ticket 48935 - Update dirsrv.systemd file