I'm looking to query ldap to get all uid's that have lastlogintime>90
days. I'm able to get lastlogintime using the command below. What is the
the syntax to get it to search all users with lastlogintime>90 days?
# ldapsearch -xLLL uid=testuser "(objectclass=*)" lastlogintime
I'm running 389 ds-1.2.2 on CentOS 6.
I have been trying to add a schema to 389-ds based on this blog article
The article was based around generic openldap, I used it only as a general guide.
The schema listed in the article called postfix-book scheme <http://www.postfix-buch.com/downloads.php>. is what I was interested in.
In the openldap scenario I saw they converted the schema to a ldif file which I did dry run and the notes on converting it worked but when I looked at
duplicating it under 389-ds I saw that all the base schema's were already ldif's and I did not see the source schema's that the conversion notes said I would need.
I did add the Objectclass from the postfix book schema manually and then the attributes but I could not seem to figure out how to link the object class I
created to the users. I can see that a user has "posixAccount, inetorgperson, organizationalPerson, person, top" as Object class's. I wanted to add my Object
class PostfixBookMailAccount so the attributes used by that object class would be available to all user accounts.
If I am going about this the wrong way please feel free to enlighten me.
IT Support Analyst
+1 403.289.2177 ext.289
+1 866 USERFUL (1-866-873-7385)
Suite 300, 736 8th Ave. SW
Calgary AB T2P 1H4
Managed Desktops Done Right.
Does anyone know the specific limitations on the allowed characters for
passwords in 389-ds? I use the windows passsync agent on my domain
controllers and occasionally come across this problem. I am thinking there
might be a unicode problem, but I am having a hard time nailing it down, or
finding documentation on it for that matter.
Example event from 389-ds:
[24/Apr/2017:07:39:15 +0000] conn=268899 op=2 MOD
dn="uid=xxx,ou=yyy,dc=a,dc=b,dc=c", invalid password syntax
389 Directory Server 188.8.131.52
The 389 Directory Server team is proud to announce 389-ds-base
Fedora packages are available from the Fedora 26 and Rawhide repositories.
The new packages and versions are:
Source tarballs are available for download at Download
Highlights in 184.108.40.206
* Security fix, Bug fixes, and enhancements
Installation and Upgrade
See Download <http://www.port389.org/docs/389ds/download.html> for
information about setting up your yum repositories.
To install, use *yum install 389-ds* yum install 389-ds After install
completes, run *setup-ds-admin.pl* to set up your directory
To upgrade, use *yum upgrade* yum upgrade After upgrade completes, run
*setup-ds-admin.pl -u* to update your directory server/admin
server/console information. setup-ds-admin.pl -u
<http://www.port389.org/docs/389ds/legacy/install-guide.html> for more
information about the initial installation, setup, and upgrade
See Source <http://www.port389.org/docs/389ds/development/source.html>
for information about source tarballs and SCM (git) access.
We are very interested in your feedback!
Please provide feedback and comments to the 389-users mailing list:
If you find a bug, or would like to see a new feature, file it in our
Pagure project: https://pagure.io/389-ds-base
* Bump verson to 220.127.116.11-1
* Ticket 49228 - Fix SSE4.2 detection.
* Ticket 49229 - Correct issues in latest commits
* Ticket 49226 - Memory leak in ldap-agent-bin
* Ticket 49214 - Implement htree concept
* Ticket 49119 - Cleanup configure.ac options and defines
* Ticket 49097 - whitespace fixes for pblock change
* Ticket 49097 - Pblock get/set cleanup
* Ticket 49222 - Resolve various test issues on rawhide
* Issue 48978 - Fix the emergency logging functions severity levels
* Issue 49227 - ldapsearch for nsslapd-errorlog-level returns
* Ticket 49041 - nss won’t start if sql db type set
* Ticket 49223 - Fix sds queue locking
* Issue 49204 - Fix 32bit arch build failures
* Issue 49204 - Need to update function declaration
* Ticket 49204 - Fix lower bounds on import autosize + On small VM,
autotune breaks the access of the suffixes
* Issue 49221 - During an upgrade the provided localhost name is ignored
* Issue 49220 - Remote crash via crafted LDAP messages (SECURITY FIX)
* Ticket 49184 - Overflow in memberof
* Ticket 48050 - Add account policy tests to plugins test suite
* Ticket 49207 - Supply docker POC build for DS.
* Issue 47662 - CLI args get removed
* Issue 49210 - Fix regression when checking is password min age
should be checked
* Ticket 48864 - Add cgroup memory limit detection to 389-ds
* Issue 48085 - Expand the repl acceptance test suite
* Ticket 49209 - Hang due to omitted replica lock release
* Ticket 48864 - Cleanup memory detection before we add cgroup support
* Ticket 48864 - Cleanup up broken format macros and imports
* Ticket 49153 - Remove vacuum lock on transaction cleanup
* Ticket 49200 - provide minimal dse.ldif for python installer
* Issue 49205 - Fix logconv.pl man page
* Issue 49177 - Fix pkg-config file
* Issue 49035 - dbmon.sh shows pages-in-use that exceeds the cache size
* Ticket 48432 - Linux capabilities on ns-slapd
* Ticket 49196 - Autotune generates crit messages
* Ticket 49194 - Lower default ioblock timeout
* Ticket 49193 - gcc7 warning fixes
* Issue 49039 - password min age should be ignored if password needs
to be reset
* Ticket 48989 - Re-implement lock counter
* Issue 49192 - Deleting suffix can hang server
* Issue 49156 - Modify token :assert: to :expectedresults:
* Ticket 48989 - missing return in counter
* Ticket 48989 - Improve counter overflow fix
* Ticket 49190 - Upgrade lfds to 7.1.1
* Ticket 49187 - Fix attribute definition
* Ticket 49185 - Fix memleak in compute init
I'd like to migrate from ODSEE and PSW to 389 directory server with windows sync.
From my understanding after reading the redhat 10/9 Directory Server documentation,
existing user's password from AD will not be synced to LDAP.
This of course is normal since passwords are already hashed in AD.
However in SUN/Oracle ODSEE+PSW they were doing this:
A special attributed was added to new synced users in LDAP. On user bind to the LDAP server,
the password was caught (by the LDAP server plugin) and a second bind was tested from the LDAP server itself to the AD server.
If the 2nd bind was successful the userPassword was updated on the LDAP server, the attribute was removed and the 1st bind was ok.
Since I have a large AD forest (30K users) I don't want to do password reset on these old users.
What is the common practice with 389 server for such scenario?
Sun also had another nice feature: Uni directional sync Windows->LDAP for user create/delete but
bi-directional attribute/password change. I guess this also not supported in 389 correct?
thanks in advance,
Does anyone know, can the CRYPT plugin for 389-ds be passed a “crypt-algorithm” parameter? I came across some documentation* from the related Oracle Unified Directory / OpenDS which looks like it would do exactly what I’m looking for, but I wasn’t sure whether that was also true of 389-ds.
I have been building 389DS directory serves, and can automate most of the installation process to include creating my instances such as config. However, SSL enabling seems to be difficult. I tried the simple copy db files and pin.txt, but when I get into the console to enable the certs, there seems to be a problem opening the DB files and selecting the certificate to use for SSL.
If I go through the console, select Manage certificates, enter a new password, import a CA cert, then replace the DB files with the ones from an existing server, it works.
Is there something special that needs to be done to "initialize" the new DB files that can be scripted (ansible) that will set the password for the new server, then copy the DB files/pin.txt.?
Paul M. Whitney
Sent from my browser.
I am requesting your for ideas or how to.
I have several clients (100+) that authenticate against DS389 ldap. But some users have his account information in a active directory. I want to authenticate against the DS389 always, but if the account doesn't exit in DS389 I want it delegate the authentication to the active directory.
I think the solution is the "pass-through authentication plugin", but is it "compatible" with active directory? How can I do it?