Commit Graph

15 Commits

Author SHA1 Message Date
Christian Heimes
aa341020c8 Disable password schema update on LDAP bind
389-DS 1.4.1+ attempts to update passwords to new schema on LDAP bind. IPA
blocks hashed password updates and requires password changes to go through
proper APIs. This option disables password hashing schema updates on bind.

See: https://pagure.io/freeipa/issue/8315
See: https://bugzilla.redhat.com/show_bug.cgi?id=1833266
See: https://pagure.io/389-ds-base/issue/49421
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-05-11 14:36:39 +02:00
François Cami
6f5042cd87 10-config.update: remove nsslapd-sasl-max-buffer-size override as https://pagure.io/389-ds-base/issue/47457 was fixed directly in 389 Directory Server.
The patch addresses:
https://bugzilla.redhat.com/show_bug.cgi?id=1527020
"nsslapd-sasl-max-buffer-size is hardcoded to '2097152' during
install even if another value was provided in an LDIF
( --dirsrv-config-file )"

Fixes: https://pagure.io/freeipa/issue/7341

Tested against RHEL 7.4, the nsslapd-sasl-max-buffer-size parameter
is still 2097152 after this change and the change allows overriding
its value using --dirsrv-config-file properly.

Fix suggested by Florence Blanc-Renaud.

Signed-off-by: François Cami <fcami@fedoraproject.org>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-01-04 16:36:54 +01:00
Stanislav Laznicka
e9f0e9d8fa Decreased timeout for IO blocking for DS
Should fix the DS from going unresponsive in some cases

https://fedorahosted.org/freeipa/ticket/5383

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-02 20:20:28 +02:00
Martin Basti
5783d0c832 Server Upgrade: remove CSV from upgrade files
CSV values are not supported in upgrade files anymore

Instead of

   add:attribute: 'first, part', second

please use

  add:attribute: firts, part
  add:attribute: second

Required for ticket: https://fedorahosted.org/freeipa/ticket/4984

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-05-11 16:08:01 +00:00
Martin Kosek
15eb343b9c Allow hashed passwords in DS
Without nsslapd-allow-hashed-passwords being turned on, user password
migration fails.

https://fedorahosted.org/freeipa/ticket/4450

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-07-25 10:36:47 +02:00
Martin Kosek
f5ef2fb146 Increase default SASL buffer size
Default SASL buffer size was too small and could lead for example to
migration errors.

https://fedorahosted.org/freeipa/ticket/3826
2013-08-07 14:13:56 +02:00
Jan Cholasta
ea7db35b62 Enable SASL mapping fallback.
Assign a default priority of 10 to our SASL mappings.

https://fedorahosted.org/freeipa/ticket/3330
2013-06-27 17:06:51 +02:00
Rob Crittenden
71f9008906 Support the new Winsync POSIX API.
This will sync down the POSIX attributes from AD so we need to be careful
to not mess with them when they are already set. This includes
uidNumber, gidNumber, homeDirectory, loginShell and gecos.

http://port389.org/wiki/WinSync_Posix
http://port389.org/wiki/Windows_Sync_Plugin_API#Version_3_API_functions

https://fedorahosted.org/freeipa/ticket/3007
2012-09-06 14:29:14 +02:00
Rob Crittenden
a735420a9b Set nsslapd-minssf-exclude-rootdse to on so the DSE is always available.
If minssf is set in configuration and this is not set then clients won't
be able to detect the available namingContexts, defaultNamingContext,
capabilities, etc.

https://fedorahosted.org/freeipa/ticket/2542
2012-03-26 14:26:10 +02:00
Rob Crittenden
f5e5bf8f82 Fix nsslapd-anonlimitsdn dn in cn=config
The dn value needs to be quoted otherwise it is interpreted to be a
multi-value.

This will replace whatever value is currently set.

https://fedorahosted.org/freeipa/ticket/2452
2012-03-13 08:34:07 +01:00
Rob Crittenden
e889b82599 Add support defaultNamingContext and add --basedn to migrate-ds
There are two sides to this, the server and client side.

On the server side we attempt to add a defaultNamingContext on already
installed servers. This will fail on older 389-ds instances but the
failure is not fatal. New installations on versions of 389-ds that
support this attribute will have it already defined.

On the client side we need to look for both defaultNamingContext and
namingContexts. We still need to check that the defaultNamingContext
is an IPA server (info=IPAV2).

The migration change also takes advantage of this and adds a new
option which allows one to provide a basedn to use instead of trying
to detect it.

https://fedorahosted.org/freeipa/ticket/1919
https://fedorahosted.org/freeipa/ticket/2314
2012-02-29 15:28:13 +01:00
Simo Sorce
9724251292 updates: Change default limits on ldap searches
Fixes: https://fedorahosted.org/freeipa/ticket/1867
       https://fedorahosted.org/freeipa/ticket/1888
2011-10-12 22:42:03 -04:00
Rob Crittenden
5371c03c93 The precendence on the modrdn plugin was set in the wrong location.
https://fedorahosted.org/freeipa/ticket/1370
2011-09-13 17:36:59 +02:00
Rob Crittenden
a48a84a5ea Set the ipa-modrdn plugin precedence to 60 so it runs last
The default precedence for plugins is 50 and the run in more or less
alphabetical order (but not guaranteed). This plugin needs to run after
the others have already done their work.

https://fedorahosted.org/freeipa/ticket/1370
2011-07-17 22:24:30 -04:00
Rob Crittenden
00abd47de4 Enable 389-ds SSL host checking by defauilt
Enforce that the remote hostname matches the remote SSL server certificate
when 389-ds operates as an SSL client.

Also add an update file to turn this off for existing installations.

This also changes the way the ldapupdater modlist is generated to be more
like the framework. Single-value attributes are done as replacements
and there is a list of force-replacement attributes.

ticket 1069
2011-05-20 10:08:11 -04:00