Hi
I am currently testing this but would like to double up my testing with any
other experiences in the list.
A security scan has shown my test LDAP server to be vulnerable to weak SSL
encryption. I have turned off all encryption levels below 128 bits in the
Cipher Preference Dialog box for bot
Hi Daniel,
I am getting 1200 conn/sec on very old hardware so maybe something else is
wrong.
The very first thing to do is to run logconv.pl script which will come
installed with 389. It has a flag for recommendations which I suggest you
enable or just enable every flag.
Sample command:
logco
Hi
I was wondering if there is a universal "trigger" system that I could use in
389 to for example let me know when a group gets a new member, or loses a
member.
The admin guide
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html
has only
identical as far as I am
aware.
Regards
> -Original Message-
> From: 389-users-boun...@lists.fedoraproject.org [mailto:389-users-
> boun...@lists.fedoraproject.org] On Behalf Of Gerrard Geldenhuis
> Sent: 24 November 2010 14:09
> To: 'General discussion list for the
: [389-users] Slow response from server
>
> Gerrard Geldenhuis wrote:
> >> -Original Message-
> >> From: 389-users-boun...@lists.fedoraproject.org [mailto:389-users-
> >> boun...@lists.fedoraproject.org] On Behalf Of Rich Megginson
> >> Sent: 12 Nove
>
> Creating directory server . . .
> Your new DS instance 'dmz' was successfully created.
> Creating the configuration directory server . . .
> Beginning Admin Server creation . . .
> Creating Admin Server files and directories . . .
> Updating adm.conf . . .
> Updating admpw . . .
> Registering
> -Original Message-
> From: 389-users-boun...@lists.fedoraproject.org [mailto:389-users-
> boun...@lists.fedoraproject.org] On Behalf Of Rich Megginson
> Sent: 12 November 2010 18:22
> To: General discussion list for the 389 Directory server project.
> Subject: Re: [389-users] Bind to cons
> >
> > When I do a bind to the consumer(slave) I also see a bind to the
> > provider(master) this seems really silly. My understanding is that
> > this behaviour is caused by needing to centrally store login attempts.
> > I have raised this matter previously but just wanted to double check
> > tha
ject.
>Subject: Re: [389-users] Chaining woes again v2 - solutions
>
>Gerrard Geldenhuis wrote:
>> Hi
>> Just a quick follow-up regarding this thread.
>>
>> We discovered the real problem encryption of the password.
>>
>> We have the follow
Hi
Not strictly a 389 question but maybe 389 offers a solution.
I have a tree structure as follows:
dc=company
ou=people,dc=company
ou=groups,dc=company
On my client I have the following searchbase in /etc/ldap.conf
dc=company
If I login as user gerrard and look at the network traffic then e
t.
>Subject: Re: [389-users] Magic required for subtree password policy?
>
>Gerrard Geldenhuis wrote:
> Hi
> The admin guide says that one should use ns-newpwpolicy.pl script to set
> subtree password policies on the command line. Can we also set this using
> ldifs or is there
Hi
Adding a user with the following ldif file:
dn: uid=SystemAuthentication,ou=Service Accounts,dc=mycompany
givenName: System
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: Authentication
cn: SystemAuthentication
uid: SystemAuthentication
use
Hi
I have seen similar problems... in my case the database became corrupt if I
changed it while dirsrv was running.
Also check permissions:
-rw--- 1 nobody root 65536 Aug 12 12:18 cert8.db
-rw--- 1 nobody root 16384 Aug 12 12:18 key3.db
-rw--- 1 nobody root 16384 Sep 28 17:08 secmo
Hi
I am in the midst of debugging this but am hoping anyone can shed some light
on the issue or point me in the right direction.
A certain combination of changes to the global password policy seems to break
the ability to change a user's password.
us...@client01.example's password:
You are r
Hi
This is probably OT but I am not having much luck with google. How can I create
SSHA512 strings? I have been using either a php script or slappasswd to create
SSHA password but not sure how to do SSHA512. openssl can create the SHA512
digest but I am not sure how to add the random seed bit. M
Hi,
Is there a way of forcing a single user to change his/her password in a
multi-master environment.
The only way it seems possible is to enable per user password policy and then
set the passwordMustChange flag. However since password policy is not
replicated that does not seem like a very goo
> I have an issue with our Fedora Consumers running 1.2.0 on Fedora 10 in
> that they don't seem to be closing old connections and so the open
> connections are building up until performance is impacted and
> eventually
> we run out of file handles.
>
... cut
>
> tcp_keepalive_time = 600
> tcp_ke
Hi
As far as I can see the documentation does not make mention of backups other
than the userdb, netscapedb and dse.ldif.
With regards to the certificate databases and admin server configuration are
there any specific strategies, recommendations or ready-made scripts?
I am looking at scenarios whe
> >
> Replication uses an exponential backoff strategy if the consumer is
> down. That is, it will wait 1 second, try again, then wait 2 seconds,
> try again, then wait 4 seconds, try again, etc. until it hits 5
> minutes.
> >
> >
hmmm, I probably did not wait long enough...
I have enabled repli
Hi
I have not been able to get ldclt working. I suspect I am not using it
correctly and would appreciate anyone just giving my options a sanity check.
Running the following:
ldclt -h testserver.example.com -p 389 -e bindeach,bindonly -Z
/etc/dirsrv/slapd-testserver -e
cltcertname=certname,keydb
Hi Prashanth,
I have not seen similar issues but I would suggest adding a debug entry in PAM
setup. This gives a lot of extra information.
Also since you are debugging disable log caching to enable you to see bind
attempts immediately
dn: cn=config
changetype: modify
replace: nsslapd-accesslog-l
Hi
Just wanted to double check; We have not created replication agreements between
all masters and in some instances it might take 2 hops for a change to be
replicated everywhere. We are happy with this trade-off in delay for
simplicity. Are we breaking some cardinal rule regarding multi-master
Hi
We ran into a very interesting problem...
We can't run 389-console directly from the server on which it is running
because it is just too slow to use. It takes almost 5 minutes just to login. We
have thus resorted to running the console locally and doing port forwarding
with ssh as 389 and 6
Hi Stefan,
GOsa² uses its own combination of objectClasses to store information plus its
own set of ACLs to control access to the GUI but these ACLs do not translate
into protection for other access methods that do not go through the GUI.
I think you will get much better support from the GO
Hi
Is there any standard script that comes with 389 that can take a set of
parameters and replace those parameters in a ldif file? For example the
parameters specified in
/usr/share/dirsrv/data/template-suffix-db.ldif
dn: cn=%ds_bename%,cn=ldbm database,cn=plugins,cn=config
I can write my own b
>>
>> What is also frustrating is that the script is so quiet about why it failed.
>> I was running setup-ds-admin with -ddd It appears that the script used to
>> configure the admin server does not get passed the debug flags.
>>
>> Any further ideas?
>>
>I was afraid of that. The admin server
Hi
This is going to seem obvious but is the Replica ID unique to a server or
unique to a database and server. What I mean is that if I setup both
NetscapeRoot and UserRoot to replicate can I use Replica ID of x for both
because they are on the same server or does it need to be x and x+1?
Regard
>> I understand that on a (physical/virtual) server there can be multiple
>> directory server instances but only one admin server instance.
>> However, what I'm wondering is whether it is possible for an instance
>> of the admin server to manage directory servers on different boxes.
>> For example,
Hi
I was hoping someone can share a methodology of finding the ldif changes that
happen when doing changes in the GUI. I would like to create equivalent ldif
files for all changes that I do in the GUI. Thus far I have been doing before
and after diffs of dse.ldif. I have not done that yet for n
>
>From: 389-users-boun...@lists.fedoraproject.org
>[389-users-boun...@lists.fedoraproject.org] on behalf of Gerrard Geldenhuis
>[gerrard.geldenh...@betfair.com]
>Sent: 10 August 2010 16:00
>To: 389-us...@lists.fedoraproject.org
>
Hi
If I set
nsslapd-allow-anonymous-access: off
I am not able to login to the 389-console. I can remedy this by checking the
checkbox "Use SSL in Console" in the Encryption tab on the Directory Server
console. This seems a strange solution to the problem. Why would disabling
anonymous access bre
Hi Brandon,
It seems to me that the password policy is being applied to your Directory
Manager user. I recall that you can disable password policy for cn=config users
but can't find that in the documentation now. It is also worth while reading
the second paragraph of 7.1.1.5 in the Admin guide w
Hi
In the management console there is a Security level: domestic
I found no reference to this in the documentation and a quick google revealed
this page:
http://docs.sun.com/source/816-5567-10/3_consol.htm
which suggest that this has to do with the type and level of encryption used.
Thus this
Snip snip
>> Any thoughts or steering in the right direction would be appreciated.
>>
>
>run logconv.pl
>
>> The documentation states a few default indexes that get created and I would
>> have thought that these would be adequate for effectively finding a user in
>> a larger database.
>>
run
Hi
I have just created 20 000 users each with a private group on two masters 10
000 on each master, with the purpose of testing replication between two masters.
I did not observe any errors in access log and there are no errors logged in the
error log for either of the servers.
I am seeing stran
project.
>Subject: Re: [389-users] Preventing ssh keys from granting a user access when
>LDAP account is disabled.
>
>On 07/20/2010 09:45 AM, Gerrard Geldenhuis wrote:
>> Hi There is a bugzilla raised concerns users still being able to
>> login if they have ssh keys even
Hi
In my lab system I am seeing quite a long delay(10+seconds) between the actual
ldap request and the logging of the request in the access log. Is this normal
behavior? and can it be speeded up? Admittedly I have not investigated this
much yet but noticed it and thought I would ask quickly. Usi
Hi
The documentation clearly states that password modification history is not
replicated including account lockout counters. To me that seems a bit pointless
to have if your servers are authenticating against a cluster of 4 machines.
There is no guarantee that next time when you change your pass
38 matches