Thursday, December 2, 2021

[389-users] Re: Replication Agreements

Hi jeremiah,

not a specialist of winsync but IMHO you can use the CLI to give you
a hint about the agreement parameters:
    dsconf <instance> repl-winsync-agmt set --help

Apparently all attributes are replicated except those specified in --frac-list

Regards
   Pierre

On Thu, Dec 2, 2021 at 3:11 PM Jeremiah Garmatter <j-garmatter@onu.edu> wrote:
Hello,

I have a Windows replication agreement between 389D and AD. However, I can not figure out what attributes are set to replicate between the two. I've looked within dse.ldif under the nsDSWindowsReplicationAgreement but there's no list of attributes. Can anyone help me track down the list of replicated attributes?

-Jeremiah Garmatter, Systems Administrator
-Ohio Northern University, Class of 2020
-Work: 419-772-1074
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure


--

389 Directory Server Development Team
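Pierre's hint above is the starting point: the agreement entry itself is where the answer lives. The following is an added example for this thread (not code from the list posts or from the 389 project) that parses an agreement entry in LDIF form, unfolding continuation lines and decoding `::` base64 values, and reports what the agreement replicates. It assumes two things the thread does not state: that the list written by `repl-winsync-agmt set --frac-list` is stored in `nsDS5ReplicatedAttributeList` in the `(objectclass=*) $ EXCLUDE a b c` form ordinary replication agreements use, and that an agreement without that attribute replicates every attribute. The sample entry is constructed after the one posted later in the thread, with placeholder credential and cookie values.

```python
"""Summarise what a 389-ds winsync agreement replicates, from its LDIF entry.

Added example for this thread; it is not code from the list posts or from the
389 project.  Assumptions not stated in the thread:
  - the list written by `repl-winsync-agmt set --frac-list` lands in
    nsDS5ReplicatedAttributeList, in the "(objectclass=*) $ EXCLUDE a b c"
    form that ordinary replication agreements use;
  - an agreement with no such attribute replicates every attribute.
"""
import base64
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]

# Constructed sample modelled on the agreement posted in the thread.  The
# credential and DirSync cookie are placeholders, not values from any server.
SAMPLE_AGREEMENT_LDIF = r"""dn: cn=AD2D389,cn=replica,cn=dc\3Dlab\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass: top
objectClass: nsDSWindowsReplicationAgreement
cn: AD2D389
nsDS5ReplicaRoot: dc=lab,dc=com
nsDS5ReplicaHost: labdc1.lab.local
nsDS5ReplicaPort: 636
nsDS5ReplicaTransportInfo: LDAPS
nsDS5ReplicaBindDN: CN=cadroot,CN=Users,DC=lab,DC=local
nsds7WindowsReplicaSubtree: CN=D389Sync,DC=lab,DC=local
nsds7DirectoryReplicaSubtree: ou=testsync,dc=lab,dc=com
nsds7WindowsDomain: lab.local
oneWaySync: fromWindows
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE userPassword
  memberOf
nsds7DirsyncCookie:: UExBQ0VIT0xERVItQ09PS0lF
nsDS5ReplicaCredentials: {AES-PLACEHOLDER}PLACEHOLDER
"""

NO_TLS = "sync traffic is not protected by TLS"
NOT_FROM_WINDOWS = "agreement is not oneWaySync: fromWindows, so DS changes can reach AD"
NO_FRAC_LIST = "no fractional list: every attribute in the subtree is replicated"


def parse_ldif_entry(text: str) -> Entry:
    """Unfold LDIF continuation lines (a leading space continues the previous
    line), decode base64 values written as `attr:: value`, and collect
    multi-valued attributes.  Names are lower-cased because LDAP attribute
    types are case-insensitive."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            unfolded.append(raw)
    entry: Entry = {}
    for line in unfolded:
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def replicated_attribute_policy(entry: Entry) -> Tuple[str, List[str]]:
    """Return ("all", []) when no fractional list is set, otherwise
    ("exclude", [attribute names]) taken from the EXCLUDE clause."""
    values = entry.get("nsds5replicatedattributelist")
    if not values:
        return ("all", [])
    _, _, clause = values[0].partition("$")
    tokens = clause.split()
    if tokens and tokens[0].upper() == "EXCLUDE":
        return ("exclude", tokens[1:])
    return ("unknown", tokens)


def agreement_findings(entry: Entry) -> List[str]:
    """Defender-side sanity checks: is the channel encrypted, is the sync
    really one-way from AD, and is anything held back from replication?"""
    findings: List[str] = []
    transport = entry.get("nsds5replicatransportinfo", ["LDAP"])[0].upper()
    if transport not in ("LDAPS", "SSL", "TLS", "STARTTLS"):
        findings.append(NO_TLS)
    if entry.get("onewaysync", [""])[0].lower() != "fromwindows":
        findings.append(NOT_FROM_WINDOWS)
    if replicated_attribute_policy(entry)[0] == "all":
        findings.append(NO_FRAC_LIST)
    return findings


if __name__ == "__main__":
    agmt = parse_ldif_entry(SAMPLE_AGREEMENT_LDIF)
    print("agreement:", agmt["cn"][0], "->", agmt["nsds5replicahost"][0])
    print("AD subtree:", agmt["nsds7windowsreplicasubtree"][0])
    print("DS subtree:", agmt["nsds7directoryreplicasubtree"][0])
    print("attributes:", replicated_attribute_policy(agmt))
    print("findings:", agreement_findings(agmt) or "none")
```

Feed it the agreement entry exported from `dse.ldif` (or an `ldapsearch -o ldif-wrap=no` dump of `cn=mapping tree,cn=config`) and the policy line answers Jeremiah's question: no fractional list means everything in the subtree crosses, otherwise the excluded names are listed.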

[389-users] Replication Agreements

Hello,

I have a Windows replication agreement between 389D and AD. However, I can not figure out what attributes are set to replicate between the two. I've looked within dse.ldif under the nsDSWindowsReplicationAgreement but there's no list of attributes. Can anyone help me track down the list of replicated attributes?

-Jeremiah Garmatter, Systems Administrator
-Ohio Northern University, Class of 2020
-Work: 419-772-1074

[389-users] Re: Help - Missing nsAccount objectClass for WinSync users from AD

Sure,
these are the relevant parts.

PAM PASS THROUGH

dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
objectClass: pamConfig
cn: PAM Pass Through Auth
nsslapd-pluginPath: libpam-passthru-plugin
nsslapd-pluginInitfunc: pam_passthruauth_init
nsslapd-pluginType: betxnpreoperation
nsslapd-pluginEnabled: on
nsslapd-pluginloadglobal: true
nsslapd-plugin-depends-on-type: database
pamMissingSuffix: ALLOW
pamExcludeSuffix: cn=config
pamIncludeSuffix: ou=Internal Users,ou=people,dc=lab,dc=com
pamIDMapMethod: RDN ENTRY
pamIDAttr: uid
pamFallback: FALSE
pamSecure: FALSE
pamService: ldapserver
nsslapd-pluginId: pam_passthruauth
nsslapd-pluginVersion: 1.4.4.11
nsslapd-pluginVendor: 389 Project
nsslapd-pluginDescription: PAM pass through authentication plugin
modifiersName: cn=directory manager
modifyTimestamp: 20211126222824Z

dn: cn=Pass Through Authentication,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: Pass Through Authentication
nsslapd-pluginPath: libpassthru-plugin
nsslapd-pluginInitfunc: passthruauth_init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: off
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: none
nsslapd-pluginVersion: none
nsslapd-pluginVendor: none
nsslapd-pluginDescription: none
modifiersName: cn=Directory Manager
modifyTimestamp: 20211126204904Z

WIN AGREEMENT

dn: cn=AD2D389,cn=replica,cn=dc\3Dlab\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass: top
objectClass: nsDSWindowsReplicationAgreement
cn: AD2D389
nsDS5ReplicaRoot: dc=lab,dc=com
description: AD2D389
nsDS5ReplicaHost: labdc1.lab.local
nsDS5ReplicaPort: 636
nsDS5ReplicaTransportInfo: LDAPS
nsDS5ReplicaBindDN: CN=cadroot,CN=Users,DC=lab,DC=local
nsds7WindowsReplicaSubtree: CN=D389Sync,DC=lab,DC=local
nsds7DirectoryReplicaSubtree: ou=testsync,dc=lab,dc=com
nsds7WindowsDomain: lab.local
nsds7NewWinUserSyncEnabled: on
oneWaySync: fromWindows
nsDS5ReplicaCredentials: {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG
 RERBNEJDUmtOamt6TnpSbE9DMHlZelpsTXpFeA0KT0MwNU5UTXdZMk15WVMxalpUWTNNbVkyTkFBQ
 0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQ01UWFd2dTBvVVA2L0
 h5aE5xNlRhZA==}MzFOFTDpXeukpOmvxtf7fFlWjNB4LlKWM+Ldhzm/Ne4=
creatorsName: cn=Directory Manager
modifiersName: cn=Multimaster Replication Plugin,cn=plugins,cn=config
createTimestamp: 20211130085214Z
modifyTimestamp: 20211201203059Z
nsds5ReplicaEnabled: on
nsds7DirsyncCookie:: TVNEUwMAAABdO7uy8ebXAQAAAAAAAAAAKAAAAP3wAAAAAAAAAAAAAAAAA
 AD98AAAAAAAAG0xgiTivNBHtESspvYhd58BAAAAAAAAAAEAAAAAAAAAbTGCJOK80Ee0RKym9iF3n/
 3wAAAAAAAA
nsds50ruv: {replicageneration} 61a4ddd50000ffff0000
nsds50ruv: {replica 1 ldap://directory389.lab.local:389} 61a5e821000000010000
 61a7da69000000010000
nsruvReplicaLastModified: {replica 1 ldap://directory389.lab.local:389} 61a7da
 6a


EXAMPLE OF AD SYNCED USER(as you can see nsAccount is not present):

36 uid=test.user10,ou=testsync,dc=lab,dc=com
objectclass: top
objectclass: person
objectclass: organizationalperson
objectclass: inetOrgPerson
objectclass: ntUser
ntUserDeleteAccount: true
uid: test.user10
sn: User 10
givenName: Test
cn: Test User 10
ntUserCodePage: 0
ntUserAcctExpires: 9223372036854775807
ntUserDomainId: test.user10
ntUniqueId: 9658f59ce2a1d54cbeacb783c12a6de3


Once this issue is solved, I think it would be better to sync AD users that belong to a specific AD group, in order to have more control over it instead of defining a specific OU.
I've seen a page which reports the existence of "Support Filters": https://directory.fedoraproject.org/docs/389ds/design/winsync-rfe.html#2-support-filters-1
And it says:
new config parameters in windows sync agreement:
winSyncWindowsFilter: additional_filter_on_AD
winSyncDirectoryFilter: additional_filter_on_DS
Example:
winSyncWindowsFilter: (|(cn=*user*)(cn=*group*))
winSyncDirectoryFilter: (|(uid=*user*)(cn=*group*))

Anyway it is not clear if my installed version supports this feature

389-Directory/1.4.4.11 B2021.139.1122

Thanks for your support
Appreciate
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
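To see what the additional filters quoted from the design page would actually admit, the following is an added example for this thread (not code from the list posts or from the 389 project): a small evaluator for RFC 4515 filter syntax (`&`, `|`, `!`, equality, presence and `*` substring matching) run against constructed AD entries under the `CN=D389Sync,DC=lab,DC=local` subtree from the thread. The group name `D389Sync-Users` is made up for the example. Whether the poster's 1.4.4.11 build honours `winSyncWindowsFilter` is not something this code can tell; it only shows which entries a given filter selects, including the group-membership filter the poster would prefer over an OU.

```python
"""Show which entries the extra winsync filters from the design page select.

Added example for this thread; it is not code from the list posts or from the
389 project.  Supports enough of RFC 4515 (&, |, !, equality, presence and
substring matching with *) to evaluate a winSyncWindowsFilter value against
entries held as dicts; escaped values (\\2a etc.) are not handled.
"""
import re
from typing import Callable, Dict, List, Tuple

Entry = Dict[str, List[str]]
Predicate = Callable[[Entry], bool]

# Constructed AD entries under the synced subtree from the thread; the group
# D389Sync-Users is invented for this example.
AD_ENTRIES: List[Entry] = [
    {"dn": ["CN=Test User 10,CN=D389Sync,DC=lab,DC=local"],
     "objectclass": ["top", "person", "user"],
     "cn": ["Test User 10"], "samaccountname": ["test.user10"],
     "memberof": ["CN=D389Sync-Users,CN=D389Sync,DC=lab,DC=local"]},
    {"dn": ["CN=Admin Group,CN=D389Sync,DC=lab,DC=local"],
     "objectclass": ["top", "group"], "cn": ["Admin Group"]},
    {"dn": ["CN=svc-backup,CN=D389Sync,DC=lab,DC=local"],
     "objectclass": ["top", "person", "user"],
     "cn": ["svc-backup"], "samaccountname": ["svc-backup"]},
]


def _parse(s: str, i: int) -> Tuple[Predicate, int]:
    """Parse one parenthesised filter item starting at s[i]; return its
    predicate and the index just past the closing parenthesis."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    op = s[i]
    if op in "&|!":
        i += 1
        subs: List[Predicate] = []
        while i < len(s) and s[i] == "(":
            sub, i = _parse(s, i)
            subs.append(sub)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated compound filter")
        if op == "&":
            pred: Predicate = lambda e: all(p(e) for p in subs)
        elif op == "|":
            pred = lambda e: any(p(e) for p in subs)
        else:
            if len(subs) != 1:
                raise ValueError("'!' takes exactly one filter")
            pred = lambda e: not subs[0](e)
        return pred, i + 1
    j = s.find(")", i)
    if j < 0:
        raise ValueError("unterminated simple filter")
    attr, _, value = s[i:j].partition("=")
    attr = attr.strip().lower()
    if "*" in value:
        # Substring or presence match: each LDAP '*' becomes an anchored '.*'.
        rx = re.compile("^" + ".*".join(re.escape(p) for p in value.split("*")) + "$", re.I)
        pred = lambda e: any(rx.match(v) for v in e.get(attr, []))
    else:
        # Equality match; LDAP string matching is case-insensitive here.
        pred = lambda e: any(v.lower() == value.lower() for v in e.get(attr, []))
    return pred, j + 1


def compile_filter(text: str) -> Predicate:
    """Compile a complete LDAP filter string into a predicate over entries."""
    text = text.strip()
    pred, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return pred


def select(filter_text: str, entries: List[Entry]) -> List[str]:
    """Return the DNs of the entries the filter admits, in input order."""
    pred = compile_filter(filter_text)
    return [e["dn"][0] for e in entries if pred(e)]


if __name__ == "__main__":
    # The example filter from the design page quoted in the thread.
    print(select("(|(cn=*user*)(cn=*group*))", AD_ENTRIES))
    # A group-membership filter, the poster's preferred alternative to an OU.
    print(select("(memberOf=CN=D389Sync-Users,CN=D389Sync,DC=lab,DC=local)", AD_ENTRIES))
```

Running the design-page filter against the three constructed entries admits the user and the group but not `svc-backup`; the membership filter admits only the user, which is the narrower scope the poster is after.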


[389-users] Re: el8 389ds replication to el7 389ds

Hi William,

the el8 is a new server, the el7 is an existing server which hosts some important stuff limiting it to be upgrading for a while.

on the el8 side we have:

cn=replication manager,cn=config

cn=directory manager,cn=config

ldaps port 636


over the lan, no firewalls in place, hosts can telnet on each other to the ports


On the el7 side we have Directory server still showing port: 389 from console, under encryption, ssl is enabled, port 636 is listening, is this a problem in itself? We have tried setting up the method with a pin file in the /etc/dirsrv/slap* folder, though it wasn't recognising the pin, even with chmod 400 and same owner as the dirsrv folder.

in replication on el7 side, we have replication > user root

current supplier dn, uid=Directory Manager,cn=config


On 01/12/2021 23:51, William Brown wrote:

> > On 2 Dec 2021, at 00:30, Lewis Robson <robsonl@conscious.co.uk> wrote:
> >
> > Hello all,
> >
> > I have a main ldap database on an alma el8 server, this works okay and we can replicate from 8 to 8 via the cockpit web manager.
> >
> > We however, have a server that is on el7, we can install 389ds however the commands and setup is different and it uses the 389 ds console, our end goal is to replicate the stuff from the EL8 database to the el7 using master / slave.
> >
> > is there any way to get the el8 version onto el7, and if not, how do i go about replicating everything? I have set up so that tls is enabled and can ping, telnet etc to the el7 server from the el8 however when i try to replicate after entering in the details, i get errors such as:
> >
> > authentication mechanism [SIMPLE]: error -1 (Can't contact LDAP server), system error -5987 (Invalid function argument.), network error 0 (Unknown error, host "linux-el8:636") (same when trying to replicate over non tls, port 389)
>
> I'd ask why do you want to mix el7 and el8 like this first and foremost?
>
> To know more about why that error is happening we'll probably need to see the replication agreements on both sides.
>
> > thanks
>
> --
> Sincerely,
>
> William Brown
>
> Senior Software Engineer, Identity and Access Management
> SUSE Labs, Australia

--
Lewis Robson
Systems Administrator
Conscious Solutions Limited

Tel: 0117 325 0200
Web: https://www.conscious.co.uk

Wednesday, December 1, 2021

[389-users] Re: el8 389ds replication to el7 389ds

> On 2 Dec 2021, at 00:30, Lewis Robson <robsonl@conscious.co.uk> wrote:
>
> Hello all,
>
> I have a main ldap database on an alma el8 server, this works okay and we can replicate from 8 to 8 via the cockpit web manager.
>
> We however, have a server that is on el7, we can install 389ds however the commands and setup is different and it uses the 389 ds console, our end goal is to replicate the stuff from the EL8 database to the el7 using master / slave.
>
>
> is there any way to get the el8 version onto el7, and if not, how do i go about replicating everything? I have set up so that tls is enabled and can ping, telnet etc to the el7 server from the el8 however when i try to replicate after entering in the details, i get errors such as:
>
>
> authentication mechanism [SIMPLE]: error -1 (Can't contact LDAP server), system error -5987 (Invalid function argument.), network error 0 (Unknown error, host "linux-el8:636") (same when trying to replicate over non tls, port 389)

I'd ask why do you want to mix el7 and el8 like this first and foremost?

To know more about why that error is happening we'll probably need to see the replication agreements on both sides.

>
>
> thanks
> _______________________________________________
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

--
Sincerely,

William Brown

Senior Software Engineer, Identity and Access Management
SUSE Labs, Australia
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

[389-users] Re: Help - Missing nsAccount objectClass for WinSync users from AD

> On 1 Dec 2021, at 18:51, Caderize Caderize <caderize@gmail.com> wrote:
>
> Hi to all,
> hope someone can help me on this.
> I am struggling with my last configuration step.
>
> Summary:
> I have configured D389 to sync One-Way from Active Directory.
> Everything is working fine and AD users is correctly synchronized in a specific OU of D389.
> Then i've configured PAM Pass Through in order to permit AD synced users in D389 to make login without exposing the User Password(Leave it empty, this will be a frontend for a web portal).
> The result would be:
> Web Portal login -> D389(AD synced users with no password)-> Pam PassThrough to AD that return back the login result.
>
> The only thing that is not working is regarding nsAccount objectClass that it is not present in synced D389 users.
> For example creating user with dsidm command will add nsAccount objectClass as expected and bind is successful.
>
> During my test i've seen that if nsAccount is not present, PAM PT return an error while if present everything is working well.

Can we see your pam PT configuration? dsconf instance plugins pass-thru show (I think ... I'm going from memory here).

Could also be useful to see an example of an adsynced user as well. I've been looking into adsync a bit lately, so I can investigate this further if needed later.

>
> So my question is:
> How can i set this objectClass during Winsync(in automatic way) in order to "Activate" synced users or am i missing anything?
>
> Many thanks for your help.
> Regards
> _______________________________________________
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

--
Sincerely,

William Brown

Senior Software Engineer, Identity and Access Management
SUSE Labs, Australia
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure