Firstyear Firstyear SUSE Australia/Brisbane https://fy.blackhats.net.au IDM Tech Debt Collector

Firstyear/office-card-protocol 5

Office Card Protocol - How to securely and correctly sign farewells to your favourite leaving staff members

Firstyear/ds_rust 4

Rust plugin wrapper for 389 Directory Server

Firstyear/purplecon_state_machines 4

✨STATE MACHINES✨

Firstyear/beerclub 3

The most amazing beerclub software for business and enterprise usage.

Firstyear/ansible-home 2

Home ansible infrastructure files

Firstyear/dockerfiles 1

Dockerfiles

Firstyear/ds_rust_experiments 1

A set of experiments to prove Rust is capable of usage in DS

Firstyear/lifx_ctl 1

Hacky but fun Actix based lifx controller

Firstyear/prd-blog 1

Blog contents from firstyear.id.au

dist-svc/dsf-core 0

DSF Core Object Definitions

issue comment kanidm/kanidm

Install: ERROR: Refusing to run - this process must not operate as root.

Thanks @vDorst for the report. If you have any other questions, usability issues, or comments, we'd love to hear them!

vDorst

comment created time in 7 hours

delete branch kanidm/kanidm

delete branch : 327-allow-kanidmd-as-root

delete time in 7 hours

PR merged kanidm/kanidm

Change root user check to warning due to container run times

Fixes #327 - In container run times, the default is to run as root. This may be used with virtualised containers or even to just smooth the "first run" process rather than requiring a user for the process and volumes.

  • [ - ] cargo fmt has been run
  • [ - ] cargo clippy has been run
  • [ x ] cargo test has been run and passes
  • [ x ] book chapter included (if relevant)
  • [ - ] design document included (if relevant)
+33 -2

0 comment

2 changed files

Firstyear

pr closed time in 7 hours

push event kanidm/kanidm

Firstyear

commit sha dc319a98ac1e0be6fbafb2c77d052988c093e120

Change root user check to warning due to container run times (#328)

Fixes #327 - In container run times, the default is to run as root. This may be used with virtualised containers or even to just smooth the "first run" process rather than requiring a user for the process and volumes.


push time in 7 hours

issue closed kanidm/kanidm

Install: ERROR: Refusing to run - this process must not operate as root.

I am trying to set up kanidm by following this guide. https://github.com/kanidm/kanidm/blob/master/kanidm_book/src/installing_the_server.md

Instead of using docker I am using podman with kata runtime. Also the container has a full dual-stack network. Running on a Fedora 32 machine.

I get in trouble with this line.

podman run --rm -i -t -v kanidmd:/data kanidm/server:latest /sbin/kanidmd recover_account -c /data/server.toml -n admin

kanidmd refuses to run as root.

5790b7e3fc59:/ # /sbin/kanidmd recover_account -c /data/server.toml -n admin
ERROR: Refusing to run - this process must not operate as root.

Which is good, but the documentation doesn't mention that. Also, the Docker Hub image doesn't have a user, and it is also missing tools like adduser or useradd for creating a new user.

What am I doing wrong?

closed time in 7 hours

vDorst

issue comment kanidm/kanidm

Install: ERROR: Refusing to run - this process must not operate as root.

@vDorst can you please review the changes to https://github.com/kanidm/kanidm/pull/328/files for the book chapters based on this?

vDorst

comment created time in 8 hours

push event kanidm/kanidm

William Brown

commit sha 402c72e748b466b288aa43ecee0d9521e3e20704

Update book


push time in 8 hours

issue comment kanidm/kanidm

Install: ERROR: Refusing to run - this process must not operate as root.

-u 975:975. The gid is still 0, which is equivalent to root.

vDorst

comment created time in 8 hours

PR opened kanidm/kanidm

Change root user check to warning due to container run times

Fixes #327 - In container run times, the default is to run as root. This may be used with virtualised containers or even to just smooth the "first run" process rather than requiring a user for the process and volumes.

  • [ - ] cargo fmt has been run
  • [ - ] cargo clippy has been run
  • [ x ] cargo test has been run and passes
  • [ x ] book chapter included (if relevant)
  • [ - ] design document included (if relevant)
+3 -2

0 comment

1 changed file

pr created time in 8 hours

create branch kanidm/kanidm

branch : 327-allow-kanidmd-as-root

created branch time in 8 hours

issue comment kanidm/kanidm

Install: ERROR: Refusing to run - this process must not operate as root.

Ohh also, you need to use --user <uidnumber> not the username, because the /etc/nsswitch.conf in the container can't see users from the host.

vDorst

comment created time in 8 hours

issue comment kanidm/kanidm

Install: ERROR: Refusing to run - this process must not operate as root.

Well, docker lets you re-map the ports, so you should be able to bind port 443 from the container engine to 8443. Additionally, we could use capabilities to allow non-root binding to port 443 as well.

But I think that in this case allowing it to run as root would smooth this onboarding, but we should still warn about it.

vDorst

comment created time in 8 hours

issue closed 389ds/389-ds-base

Lib389 dsrc should warn when tls cacertdir provided is a file, not a directory.

It's common for TLS cacert options to list a single file or a directory. This can confuse people because the naming is subtle, so in the case we are provided with a file (probably a ca.pem) then we should warn the user and provide the steps to rectify this ( change to dir, run c_rehash).

closed time in 8 hours

Firstyear

issue comment 389ds/389-ds-base

Lib389 dsrc should warn when tls cacertdir provided is a file, not a directory.

   4fdf14c4f..4a8de7537  389-ds-base-1.4.2 -> 389-ds-base-1.4.2
   47fe10fbf..f3317020b  389-ds-base-1.4.3 -> 389-ds-base-1.4.3
Firstyear

comment created time in 8 hours

issue closed 389ds/389-ds-base

Improvements to dsidm

Some minor issues were raised:

  • When group is set to none, ldap_access_filter = None is set, which is not valid. We should emit a comment in this case instead.
  • user status has no attribute is_locked. (fixed in master already)
  • warn on sssd config if uri is ldapi

closed time in 8 hours

Firstyear

issue comment 389ds/389-ds-base

Improvements to dsidm

   4fdf14c4f..4a8de7537  389-ds-base-1.4.2 -> 389-ds-base-1.4.2
   47fe10fbf..f3317020b  389-ds-base-1.4.3 -> 389-ds-base-1.4.3
Firstyear

comment created time in 8 hours

push event 389ds/389-ds-base

Firstyear

commit sha f20cf75432db6114f02caaaf79c3389b949e5178

Ticket 4351 - improve generated sssd.conf output (#4354)

Bug Description: There were some subtle issues in the sssd.conf generator. When no group was specified, we'd generate an invalid config. When the config used ldapi, it may not work on remote servers.

Fix Description: When the uri is ldapi, emit a warning for this parameter to be reviewed. When ldap filter is none provide the example as commented out.

fixes: #4351

Author: William Brown <william@blackhats.net.au>

Review by: spichugi (Thanks!)


Firstyear

commit sha 63e2ba4dc206510e6218e9feb5622025ad0da734

Ticket 4350 - dsrc should warn when tls_cacertdir is invalid (#4353)

Bug Description: When the cacertdir is not a directory or does not exist we should warn that this is not valid and provide rectification steps.

Fix Description: Check if the path exists or is a directory and report this, along with steps on how to run c_rehash

fixes: #4350

Author: William Brown <william@blackhats.net.au>

Review by: spichugi (Thanks!)


Firstyear

commit sha f3317020b0b145593741631fded09f8409410d22

Ticket 4350 - One line, fix invalid type error in tls_cacertdir check (#4358)

Bug Description: When the tls_cacertdir parameter was not present os.path fails with None not a str.

Fix Description: Check if the path is None

fixes: #4350

Author: William Brown <william@blackhats.net.au>

Review by: @mreynolds389


push time in 8 hours

push event 389ds/389-ds-base

Firstyear

commit sha 2b944b118a9fba496f8f0fe8b1d6f75c178e9df6

Ticket 4351 - improve generated sssd.conf output (#4354)

Bug Description: There were some subtle issues in the sssd.conf generator. When no group was specified, we'd generate an invalid config. When the config used ldapi, it may not work on remote servers.

Fix Description: When the uri is ldapi, emit a warning for this parameter to be reviewed. When ldap filter is none provide the example as commented out.

fixes: #4351

Author: William Brown <william@blackhats.net.au>

Review by: spichugi (Thanks!)


Firstyear

commit sha c42521dc4662de7439ca99ef5be621d8912374f5

Ticket 4350 - dsrc should warn when tls_cacertdir is invalid (#4353)

Bug Description: When the cacertdir is not a directory or does not exist we should warn that this is not valid and provide rectification steps.

Fix Description: Check if the path exists or is a directory and report this, along with steps on how to run c_rehash

fixes: #4350

Author: William Brown <william@blackhats.net.au>

Review by: spichugi (Thanks!)


Firstyear

commit sha 4a8de75376562cd89a5ec97370d74aa22024f9bc

Ticket 4350 - One line, fix invalid type error in tls_cacertdir check (#4358)

Bug Description: When the tls_cacertdir parameter was not present os.path fails with None not a str.

Fix Description: Check if the path is None

fixes: #4350

Author: William Brown <william@blackhats.net.au>

Review by: @mreynolds389


push time in 8 hours
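The three commits above describe two validation fixes in lib389: a dsrc tls_cacertdir value that is None, missing, or a file rather than a c_rehash'd directory should produce a warning with rectification steps, and the sssd.conf generator should warn on an ldapi:// URI and emit a commented-out example instead of the invalid literal "ldap_access_filter = None". The block below is an added illustration of both checks written for this page; it is not lib389's own code, the message wording and the constructed inputs in demo() are assumptions, and the check for c_rehash-style "<hash>.N" link names goes beyond what the commits describe.

```python
import os
import re
from typing import List, Optional, Tuple

# Constructed rectification text; the real lib389 message wording is not on the page.
C_REHASH_HELP = (
    "tls_cacertdir must name a directory of CA certificates hashed by c_rehash. "
    "To fix: mkdir -p ~/.dirsrv/cacerts && cp ca.pem ~/.dirsrv/cacerts/ && "
    "c_rehash ~/.dirsrv/cacerts, then point tls_cacertdir at that directory."
)

HASHED_NAME = re.compile(r"[0-9a-f]{8}\.\d+")  # c_rehash output looks like 1a2b3c4d.0


def check_tls_cacertdir(path: Optional[str]) -> List[str]:
    """Return a list of warnings for a dsrc tls_cacertdir value (empty = looks usable)."""
    if path is None:
        # Parameter absent: nothing to validate. Testing None first avoids the
        # "expected str, not NoneType" error that os.path raises on a missing key.
        return []
    path = os.path.expanduser(path)
    if not os.path.exists(path):
        return [f"tls_cacertdir '{path}' does not exist. " + C_REHASH_HELP]
    if os.path.isfile(path):
        return [f"tls_cacertdir '{path}' is a file, not a directory (probably a ca.pem). " + C_REHASH_HELP]
    if not os.path.isdir(path):
        return [f"tls_cacertdir '{path}' is neither a file nor a directory. " + C_REHASH_HELP]
    # Assumption (goes beyond the commits): a directory that was never c_rehash'd has no
    # <hash>.N links, so OpenSSL will not find the CA even though the path itself is valid.
    if not any(HASHED_NAME.fullmatch(name) for name in os.listdir(path)):
        return [f"tls_cacertdir '{path}' contains no c_rehash-style links (e.g. 1a2b3c4d.0); run: c_rehash {path}"]
    return []


def render_sssd_conf(uri: str, suffix: str, ldap_access_filter: Optional[str]) -> Tuple[str, List[str]]:
    """Render a minimal [domain/ldap] block and return (text, warnings)."""
    warnings: List[str] = []
    lines = [
        "[domain/ldap]",
        "id_provider = ldap",
        "auth_provider = ldap",
        "access_provider = ldap",
        f"ldap_uri = {uri}",
        f"ldap_search_base = {suffix}",
    ]
    if uri.startswith("ldapi://"):
        warnings.append(
            "ldap_uri uses ldapi:// (a local UNIX socket); this will not work from a remote "
            "SSSD client. Review ldap_uri and replace it with ldaps://<hostname> if needed."
        )
    if ldap_access_filter is None:
        # No group selected: emit the option commented out with an example value instead
        # of the invalid literal 'ldap_access_filter = None'.
        lines.append(f"# ldap_access_filter = (memberOf=cn=admins,ou=groups,{suffix})")
    else:
        lines.append(f"ldap_access_filter = {ldap_access_filter}")
    return "\n".join(lines) + "\n", warnings


def demo() -> dict:
    """Run both checks on constructed inputs in a temp directory; returns the results."""
    import tempfile
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        ca_file = os.path.join(tmp, "ca.pem")  # constructed: a single PEM file
        with open(ca_file, "w") as f:
            f.write("-----BEGIN CERTIFICATE-----\nconstructed placeholder\n-----END CERTIFICATE-----\n")
        empty_dir = os.path.join(tmp, "cacerts")  # directory, never c_rehash'd
        hashed_dir = os.path.join(tmp, "hashed")  # directory with one hash-style link
        os.mkdir(empty_dir)
        os.mkdir(hashed_dir)
        open(os.path.join(hashed_dir, "1a2b3c4d.0"), "w").close()
        results["none"] = check_tls_cacertdir(None)
        results["missing"] = check_tls_cacertdir(os.path.join(tmp, "does-not-exist"))
        results["file"] = check_tls_cacertdir(ca_file)
        results["empty_dir"] = check_tls_cacertdir(empty_dir)
        results["hashed_dir"] = check_tls_cacertdir(hashed_dir)
    results["ldapi"] = render_sssd_conf("ldapi://%2frun%2fslapd-localhost.socket", "dc=example,dc=com", None)
    results["ldaps"] = render_sssd_conf("ldaps://ldap.example.com", "dc=example,dc=com",
                                        "(memberOf=cn=admins,ou=groups,dc=example,dc=com)")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Running the file prints one line per constructed case: the None case and the hashed directory produce no warnings, the missing path and the ca.pem file each produce one warning carrying the c_rehash steps, and the ldapi:// configuration is rendered with a warning and a commented-out filter line.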

pull request comment 389ds/389-ds-base

Issue 4403 RFE - OpenLDAP pw hash migration tests

Okay, @progier389 and @mreynolds389 I have been able to confirm that removing LD_BIND_NOW works provided that -lcrypt exists for libslapd when asan is enabled. Hopefully that should resolve the concerns re startup performance :)

Firstyear

comment created time in 8 hours

push event Firstyear/389-ds-base

William Brown

commit sha 23bfdebe72187f2271aac41c1ace14a669a39ca4

Issue 4403 RFE - OpenLDAP pw hash migration tests

Bug Description: As we want to support openldap to 389 password migration, we should check if we allow accounts to continue to bind. This involves testing different openldap authentication schemes to determine if they work.

Fix Description: Add tests for different password and contrib password types that are supported in openldap.

fixes: #4403

Author: William Brown <william@blackhats.net.au>

Review by: ???


push time in 8 hours

Pull request review comment 389ds/389-ds-base

Issue 2058: create keep alive entry after on-line initialization

 multimaster_extop_EndNSDS50ReplicationRequest(Slapi_PBlock *pb)                 */                 if (replica_is_flag_set(r, REPLICA_LOG_CHANGES) && cldb_is_open(r)) {                     replica_log_ruv_elements(r);+                    /* now that the changelog is open and started, we can alos cretae the+                     * keep alive entry without risk that db and cl will not match+                     */+                    replica_subentry_check(replica_get_root(r), replica_get_rid(r));
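Review bot: the new comment in this hunk has typos ("alos cretae" should read "also create"), and the result of replica_subentry_check(replica_get_root(r), replica_get_rid(r)) is discarded; if that function can report failure, log it at this call site so a keep-alive entry that could not be created after online init shows up in the error log rather than failing silently.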

That makes sense, and sounds good to me. I wonder if this (really good) explanation could be in the code comments somewhere? That way it's preserved for future-us to remember. Thank you!

progier389

comment created time in 8 hours


issue comment kanidm/kanidm

Install: ERROR: Refusing to run - this process must not operate as root.

This is a really good point, the changes to limit access to root user came in more recently. A choice here could be either to only warn when running as root rather than hard deny, or to improve that documentation clarity. I believe that there are some issues with permissions/ownership in volumes when running as non root, so that would need to be checked too. I'm keen to make sure that people's "first run" is very seamless/smooth, so perhaps allowing root user is the way to go, and in hardening we suggest how to use the --user options and setup the volume permissions. What do you think?

vDorst

comment created time in 9 hours
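The thread above weighs a hard "refuse to run as root" check against a warning, and notes two details that matter for the check: --user must be numeric because the container cannot resolve host user names, and "-u 975" alone leaves the primary gid at 0, which is still root-equivalent. The block below is an added example written for this page to show such a startup check with both policies; it is not kanidmd's own code (kanidmd is written in Rust), and the advice text and the constructed identities are assumptions.

```python
import os
from typing import Dict, Iterable, List, Optional

# Constructed guidance text; kanidm's actual book wording is not on the page.
ROOT_ADVICE = (
    "Run the container with a numeric --user <uid>:<gid> (names do not resolve, because "
    "the container's /etc/nsswitch.conf cannot see host users) and chown the data "
    "volume to that uid:gid, e.g. podman run --user 975:975 -v kanidmd:/data ..."
)


def classify_process_identity(euid: Optional[int] = None, egid: Optional[int] = None,
                              groups: Optional[Iterable[int]] = None) -> Dict[str, object]:
    """Report whether the identity is root-equivalent. Defaults to the live process."""
    euid = os.geteuid() if euid is None else euid
    egid = os.getegid() if egid is None else egid
    groups = list(os.getgroups()) if groups is None else list(groups)
    reasons: List[str] = []
    if euid == 0:
        reasons.append("effective uid is 0")
    if egid == 0:
        # --user 975 without a gid leaves the primary group at 0, which is still root-equivalent.
        reasons.append("effective gid is 0 (pass --user <uid>:<gid>, not just <uid>)")
    if egid != 0 and 0 in groups:
        reasons.append("supplementary group 0 is present")
    return {"euid": euid, "egid": egid, "privileged": bool(reasons), "reasons": reasons}


def startup_root_check(policy: str = "warn", **identity) -> str:
    """Apply the startup policy: 'deny' refuses to run, 'warn' logs and continues.
    Returns 'ok', 'warn' or 'deny'. Keyword args are passed to classify_process_identity."""
    verdict = classify_process_identity(**identity)
    if not verdict["privileged"]:
        return "ok"
    detail = "; ".join(verdict["reasons"])
    if policy == "deny":
        # Behaviour before the change: hard refusal, which blocked container first runs.
        print(f"ERROR: Refusing to run - this process must not operate as root ({detail}).")
        return "deny"
    # Behaviour after the change: warn, explain how to harden, and keep going.
    print(f"WARNING: this process is operating with root privileges ({detail}). {ROOT_ADVICE}")
    return "warn"


if __name__ == "__main__":
    # Live check of the current process, then constructed identities for comparison.
    print("live process:", startup_root_check("warn"))
    print("uid 975, gid 0:", startup_root_check("warn", euid=975, egid=0, groups=[0]))
    print("uid 975, gid 975:", startup_root_check("warn", euid=975, egid=975, groups=[975]))
```

The gid and supplementary-group checks are what distinguish this from a plain "euid == 0" test: a container started with only a numeric uid passes the uid check yet still runs with group root, so a warning that names the missing gid is what gets a first-run user to the hardened configuration.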

Pull request review comment 389ds/389-ds-base

Issue 2058: create keep alive entry after on-line initialization

+import logging+import pytest+import os+import subprocess+import time+import ldap+from lib389._constants import *+from lib389.topologies import topology_i2 as topo++DEBUGGING = os.getenv("DEBUGGING", default=False)+if DEBUGGING:+    logging.getLogger(__name__).setLevel(logging.DEBUG)+else:+    logging.getLogger(__name__).setLevel(logging.INFO)+log = logging.getLogger(__name__)++def run(cmd):+  rc = subprocess.run(cmd.split(), capture_output=True)+  if (rc.returncode != 0):+      log.error(f"Command {cmd} failed: {rc}")+      assert False+  return rc++def check_single_keep_alive(topo,instance,dn,expected):+    # check that keep alive entry does not exists on master1+    try:+        ent = topo.ins[instance].getEntry(dn, ldap.SCOPE_BASE, "(objectclass=ldapsubentry)", ['nsUniqueId', 'modifierTimestamp'])
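Review bot: run() splits the command string on whitespace (cmd.split()), so any argument containing a space, such as a suffix or a password, is broken into several arguments; take a list of arguments instead of a string. After log.error, replace `assert False` with pytest.fail(...) so the message reaches the pytest report, and note that with capture_output=True and no text=True the rc.stdout/rc.stderr included in the logged message are bytes.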

Yeah, it's been asked about before, to have a way to get a single entry by dn, or to do an objectClass=* style search. Maybe I should let go of my ideals and create it :)

progier389

comment created time in 9 hours


Pull request review comment 389ds/389-ds-base

Issue 2058: create keep alive entry after on-line initialization

+import logging+import pytest+import os+import subprocess+import time+import ldap+from lib389._constants import *+from lib389.topologies import topology_i2 as topo++DEBUGGING = os.getenv("DEBUGGING", default=False)+if DEBUGGING:+    logging.getLogger(__name__).setLevel(logging.DEBUG)+else:+    logging.getLogger(__name__).setLevel(logging.INFO)
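Review bot: DEBUGGING = os.getenv("DEBUGGING", default=False) yields a non-empty string whenever the variable is set, so DEBUGGING=0 or DEBUGGING=false still switches the logger to DEBUG; compare against an explicit set such as os.getenv("DEBUGGING", "").lower() in ("1", "true", "yes"), or drop the block and rely on pytest's --log-level.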

Mark recently did a change to the template create that removes this too :)

progier389

comment created time in 9 hours


Pull request review comment 389ds/389-ds-base

Issue 4403 RFE - OpenLDAP pw hash migration tests

 def start(self, timeout=120, post_open=True):                 self.log.info("INFO: ASAN options will be copied from your environment")                 env['ASAN_SYMBOLIZER_PATH'] = "/usr/bin/llvm-symbolizer"                 env['ASAN_OPTIONS'] = "symbolize=1 detect_deadlocks=1 log_path=%s/ns-slapd-%s.asan" % (self.ds_paths.run_dir, self.serverid)+                env['LD_BIND_NOW'] = "yes"
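Review bot: env['LD_BIND_NOW'] = "yes" forces eager resolution of every symbol in every shared object ns-slapd loads, a startup cost paid on each ASAN run; if linking libslapd against -lcrypt is what actually fixes the crypt symbol lookup, drop this line rather than masking the link problem with a loader setting.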

I can remove the LD_BIND_NOW, I think the change to linking in libslapd is actually enough to resolve the issue.

Firstyear

comment created time in 9 hours


pull request comment 389ds/389-ds-base

Issue 4410 RFE - ndn cache with arc in rust

This also opens the door to and gives examples of how we can use rust datastructures like b+trees and hashmaps/sets in place of NSPR/C versions that have not been as performance optimised.

Firstyear

comment created time in a day

PR opened 389ds/389-ds-base

Issue 4410 RFE - ndn cache with arc in rust

Bug Description: As we move to LMDB and require a concurrently readable model, we need access to concurrently readable datastructures.

Fix Description: This is a poc of NDN cache in rust with a concurrently readable adaptive replacement cache.

fixes: #4410

Author: William Brown william@blackhats.net.au

Review by: ???

+756 -128

0 comment

6 changed files

pr created time in a day

create branch Firstyear/389-ds-base

branch : 20200514-ndn-cache-trial

created branch time in a day

issue opened 389ds/389-ds-base

Proof of Concept - NDN cache in Rust with adaptive replacement cache

As the author of a Rust adaptive replacement cache that is concurrently readable, this is a proof of concept of its use in 389-ds. This is beneficial to us because as we move to LMDB, we require a concurrently readable model, which this cache fulfils, and it uses the more effective adaptive replacement cache algorithm (where LMDB relies on mmapped files and uses the kernel's VFS with LRU, and is subject to page reclaim that we can not control). This allows us to keep more relevant data, in a format we require, and with better algorithms.

https://github.com/kanidm/concread/blob/master/CACHE.md

created time in a day

PR opened 389ds/389-ds-base

Issue 4407 RFE - remove http client and presence plugin

Bug Description: The presence plugin has been disabled for a long time and relates to a defunct IM project. This also had a HTTP client that we no longer use in any capacity, but was enabled by default.

Fix Description: This removes the two un-used plugins, and adds handlers to allow deny-listing of the plugins to prevent them being loaded.

fixes: #4407

Author: William Brown william@blackhats.net.au

Review by: ???

+64 -2996

0 comment

19 changed files

pr created time in a day

create branch Firstyear/389-ds-base

branch : 4407-remove-ds-httpd

created branch time in a day

pull request comment 389ds/389-ds-base

Issue 4403 RFE - OpenLDAP pw hash migration tests

@mreynolds389 This also resolves a linking issue with asan that causes crypt to have a false negative in tests, but only under asan. :)

Firstyear

comment created time in a day

PR opened 389ds/389-ds-base

Issue 4403 RFE - OpenLDAP pw hash migration tests

Bug Description: As we want to support openldap to 389 password migration, we should check if we allow accounts to continue to bind. This involves testing different openldap authentication schemes to determine if they work.

Fix Description: Add tests for different password and contrib password types that are supported in openldap.

fixes: #4403

Author: William Brown william@blackhats.net.au

Review by: ???

+83 -1

0 comment

4 changed files

pr created time in a day

create branch Firstyear/389-ds-base

branch : 4403-openldap-pw-migration-test

created branch time in a day

issue comment kanidm/webauthn-rs

Register doesn't work on Firefox because I need to enter a PIN!?

Yes, it may be that #32 is related in this case. I've been writing webauthn-authenticator-rs and that's what gave me the insight about ctap1/2 recently.

So now I'm curious about what happens with UserVerificationPolicy::Preferred. I think in Preferred authenticator-rs in firefox will continue as though "discouraged", but then if you use the same token in chrome it will use it as though "preferred". I'm wondering if that works .... I will do some of my own testing of this later, but if you want to test and confirm the behaviour for me too that would be great.

vDorst

comment created time in a day

issue comment 389ds/389-ds-base

Remove un-used http client module

Okay, scratch that. I think we will need some special handling for this. It looks like we attempt to dlopen the plugin before upgrade_server (it's done in the dse_call_callback handlers for dse_read_one_file). Given we know what plugins we are removing, and where, what would you think about plugin_setup having a "deny list" of initfunction/libs that it won't process and skips past. We could have this as a fn call to put it into upgrade.c to keep it all localised, and then plugin_setup can check if the plugin is in that list or not, and just returns success and shortcuts the return so we never even create the plugin structure etc.

Firstyear

comment created time in 2 days

issue comment 389ds/389-ds-base

Remove un-used http client module

Hmmm actually, I think it can work in upgrade.c. It looks like we call upgrade_server before we call plugin_startall, so actually it may work.

Firstyear

comment created time in 2 days

issue comment 389ds/389-ds-base

Remove un-used http client module

Okay, so removing the http client plugin seems easy, and it means we can remove presence which is also defunct. The issue is that template-dse.ldif enables this by default, so we'll need a way to handle this removal in upgrades. Similarly, removing presence may be affected by space insensitive string being enabled by default too. Perhaps we need a skip-list of plugin paths in loading that we just silently ignore so that we can handle the .so being no longer present.

Firstyear

comment created time in 2 days

issue opened 389ds/389-ds-base

Remove un-used dshttpd module

This plugin is no longer used or supported, we should remove it.

created time in 2 days

pull request comment 389ds/389-ds-base

build problems at alpine linux

Thanks @kazimsarikaya this is much better! I don't see any issues with this, @mreynolds389 ?

kazimsarikaya

comment created time in 2 days

issue comment kanidm/webauthn-rs

Register doesn't work on Firefox because I need to enter a PIN!?

Hi there,

It would be good to see the output from RUST_LOG=webauthn=debug while running the example. I have a suspicion about what is occurring though. In the example we request the policy UserVerificationPolicy::Required. Firefox today I think only supports CTAP1, which is not capable of verification, so the UV bit will be false (and these bits are part of the collected client data).

I suspect then that chromium is using CTAP2 because it does support user verification (the pin), and that bit can then be true, and you see that the token only works in chromium.

If you want to check this, in examples/actix/actors.rs change .generate_challenge_register(&msg.username, Some(UserVerificationPolicy::Required))?; to .generate_challenge_register(&msg.username, Some(UserVerificationPolicy::Discouraged))?;

This in mind, I think the example/demo server needs a bit of a rework so this is a good reminder that I should undertake that work.

vDorst

comment created time in 2 days

pull request comment 389ds/389-ds-base

alpine linux build errors

OK, I found a git problem. I will close this PR, refork and recreate the PR. I don't know why I have mreynolds' commits in this PR.

No problem, if it happens again, I can probably checkout your branch and fix it for you. I'll keep an eye on how it goes. We are really happy to have you trying to help :) !

kazimsarikaya

comment created time in 3 days

pull request comment 389ds/389-ds-base

alpine linux build errors

PS: if that doesn't help, it's maybe because you have pushed content into your master branch, which we generally don't do, so then you'd need to reset your fork and re-clone the repo at that point.

kazimsarikaya

comment created time in 3 days

pull request comment 389ds/389-ds-base

alpine linux build errors

I don't know what's going on here @kazimsarikaya but I think that made it worse. We don't really use merge commits in the project, we generally rebase, and there are a lot of changes/commits that aren't related to your work.

You can probably get this cleaned up by something like:

git checkout master
git pull origin master
git branch alpine-build-cleanup
git checkout alpine-build-cleanup
git cherry-pick f4e78a50454cd2955f8d61b6f194be0f167c0f5a

That should lift out the single commit you have made into a new branch on top of master, which you can then use for a PR. So then you'd do, say:

git push myfork alpine-build-cleanup

Then you can create a new PR with that branch, which should clean it up.

Hope that helps,

kazimsarikaya

comment created time in 3 days

issue opened 389ds/389-ds-base

OpenLDAP migration - password hash support/tests

Add tests for various types of openldap password hash types, and implement any needed support code to make them function. This will help make openldap to 389 migrations smoother.

created time in 3 days

Pull request review comment 389ds/389-ds-base

Issue 2058: create keep alive entry after on-line initialization

 multimaster_extop_EndNSDS50ReplicationRequest(Slapi_PBlock *pb)                 */                 if (replica_is_flag_set(r, REPLICA_LOG_CHANGES) && cldb_is_open(r)) {                     replica_log_ruv_elements(r);+                    /* now that the changelog is open and started, we can alos cretae the+                     * keep alive entry without risk that db and cl will not match+                     */+                    replica_subentry_check(replica_get_root(r), replica_get_rid(r));
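Review bot: the added comment says when the keep-alive entry is created but not why this is the first safe point to do it; state the ordering invariant explicitly (the changelog is open and the RUV elements have been logged before replica_subentry_check runs, so the db and changelog cannot disagree about the entry) so the reasoning behind placing the call here survives in the code rather than only in the PR discussion.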

When is this call normally made? What's the problem that this resolves? It would be good to understand what this fix is changing.

progier389

comment created time in 3 days


Pull request review comment 389ds/389-ds-base

Issue 2058: create keep alive entry after on-line initialization

+import logging+import pytest+import os+import subprocess+import time+import ldap+from lib389._constants import *+from lib389.topologies import topology_i2 as topo++DEBUGGING = os.getenv("DEBUGGING", default=False)+if DEBUGGING:+    logging.getLogger(__name__).setLevel(logging.DEBUG)+else:+    logging.getLogger(__name__).setLevel(logging.INFO)+log = logging.getLogger(__name__)++def run(cmd):+  rc = subprocess.run(cmd.split(), capture_output=True)+  if (rc.returncode != 0):+      log.error(f"Command {cmd} failed: {rc}")+      assert False+  return rc++def check_single_keep_alive(topo,instance,dn,expected):+    # check that keep alive entry does not exists on master1+    try:+        ent = topo.ins[instance].getEntry(dn, ldap.SCOPE_BASE, "(objectclass=ldapsubentry)", ['nsUniqueId', 'modifierTimestamp'])+    except ldap.NO_SUCH_OBJECT:+        if (expected):+            log.error('Keepalive entry %s does not exists on instance %s' % (dn, instance))+            assert False+        else:+             log.debug('As expected, keepalive entry %s does not exists on instance %s' % (dn, instance))           +    except ldap.LDAPError as e:+        log.fatal('Failed to retrieve keepalive entry (%s) on instance %s: error %s' % (dn, instance, e.message['desc']))+        assert False+    else:+        if (expected):+            log.debug('Found keepalive entry %s on instance %s' % (dn, instance))+            log.debug('Keep alive entry  is: ' + str(ent));+        else:          +            log.error('Unexpectedly found keepalive entry %s on instance %s' % (dn, instance))+            log.info('Keep alive entry  is: ' + str(ent));+            assert False++def check_keep_alive(topo, expected):+    check_single_keep_alive(topo, "standalone1", f"cn=repl keep alive 1, {SUFFIX}", expected)+    check_single_keep_alive(topo, "standalone1", f"cn=repl keep alive 2, {SUFFIX}", expected)+    check_single_keep_alive(topo, "standalone2", f"cn=repl keep alive 1, {SUFFIX}", expected)+    
check_single_keep_alive(topo, "standalone2", f"cn=repl keep alive 2, {SUFFIX}", expected)+++def test_ticket2058(topo):+    """Checks that replication keep alive entry are created after on line initialisations+       (without the fix, only the entry from master1 is created)++    :setup: 2 Instances+    :steps:+        1. Enable replication and creates agreements using dsconf+        2  Check that keep alive entries does not exists+        3. Initialize master2 from master1+        4. Check that keep alive entry exists+            (Note: without the fix only the master1 entry is created (and replicated)+    :expectedresults:+        1. No errors+        2. No keep alive entry exists (replication is not working because generationIds are differents)+        3. No errors+        4. 2 keep alive entries exists on both instances+    """++    # Note: nether 2 masters topology nor ReplicationManager class can be used for this test +    # Because the setup goes too far and the issue cannot be reproduced.+    # So the topology framework is used to create/remove/access the instances and+    # dsconf CLI to setup the replication++    master1=topo.ins["standalone1"]+    master2=topo.ins["standalone2"]++    master1.start()+    master2.start()+    REPLICATION_MANAGER_NAME="replmgr"+    REPLICATION_MANAGER_DN=f"cn={REPLICATION_MANAGER_NAME},cn=config"+    REPLICATION_MANAGER_PASSWORD="secret12"+    TIMEOUT=30+    +    #Step 1: setup replication: on both instances: enable replication, creates replication manager entry and agreement toward theother instance  +    run(f"dsconf standalone1 replication enable --suffix {SUFFIX} --role master "+        f"--replica-id 1 --bind-dn {REPLICATION_MANAGER_DN} "+        f"--bind-passwd {REPLICATION_MANAGER_PASSWORD}")+    run(f"dsconf standalone2 replication enable --suffix {SUFFIX} --role master "+        f"--replica-id 2 --bind-dn {REPLICATION_MANAGER_DN} "+        f"--bind-passwd {REPLICATION_MANAGER_PASSWORD}")+    run(f"dsconf standalone1 
replication create-manager --name {REPLICATION_MANAGER_NAME} --passwd {REPLICATION_MANAGER_PASSWORD}")+    run(f"dsconf standalone2 replication create-manager --name {REPLICATION_MANAGER_NAME} --passwd {REPLICATION_MANAGER_PASSWORD}")+    run(f"dsconf standalone1 repl-agmt create --suffix {SUFFIX} "+        f"--conn-protocol LDAP --host {master2.host} --port {master2.port} "+        f"--bind-method SIMPLE --bind-dn {REPLICATION_MANAGER_DN} --bind-passwd {REPLICATION_MANAGER_PASSWORD}  agmt")+    run(f"dsconf standalone2 repl-agmt create --suffix {SUFFIX} "+        f"--conn-protocol LDAP --host {master1.host} --port {master1.port} "+        f"--bind-method SIMPLE --bind-dn {REPLICATION_MANAGER_DN} --bind-passwd {REPLICATION_MANAGER_PASSWORD}  agmt")
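Review bot: the `except ldap.LDAPError as e` branch in check_single_keep_alive reads e.message['desc'], but python-ldap exceptions on Python 3 have no .message attribute (the description dict is e.args[0]), so that path raises AttributeError instead of the intended log.fatal; use e.args[0].get('desc', str(e)). Also, TIMEOUT = 30 is assigned but never used in the visible code, and every `--bind-passwd {REPLICATION_MANAGER_PASSWORD}` places the replication manager credential on the dsconf command line, where it is visible to other users in the process list for the duration of the call; if the CLI route is kept, document that the constructed "secret12" value is a throwaway test credential.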

Yeah, I was going to say, don't you want a topology fixture here? There are some examples in the replication suite ....

progier389

comment created time in 3 days


Pull request review comment 389ds/389-ds-base

Issue 2058: create keep alive entry after on-line initialization

+import logging+import pytest+import os+import subprocess+import time+import ldap+from lib389._constants import *+from lib389.topologies import topology_i2 as topo++DEBUGGING = os.getenv("DEBUGGING", default=False)+if DEBUGGING:+    logging.getLogger(__name__).setLevel(logging.DEBUG)+else:+    logging.getLogger(__name__).setLevel(logging.INFO)+log = logging.getLogger(__name__)++def run(cmd):+  rc = subprocess.run(cmd.split(), capture_output=True)+  if (rc.returncode != 0):+      log.error(f"Command {cmd} failed: {rc}")+      assert False+  return rc++def check_single_keep_alive(topo,instance,dn,expected):+    # check that keep alive entry does not exists on master1+    try:+        ent = topo.ins[instance].getEntry(dn, ldap.SCOPE_BASE, "(objectclass=ldapsubentry)", ['nsUniqueId', 'modifierTimestamp'])
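Review bot: getEntry requests the attribute 'modifierTimestamp', which is not a standard operational attribute (modifyTimestamp and modifiersName are), so the server will omit it and the logged entry never shows when it was last changed; request modifyTimestamp. The comment "check that keep alive entry does not exists on master1" is also stale, since the function is called for both instances with both expected values.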

Well, if we have a keepalive we want to be able to check, we probably could add a lib389 dsldapobject type for it to make this a bit clearer...

progier389

comment created time in 3 days


Pull request review comment 389ds/389-ds-base

Issue 2058: create keep alive entry after on-line initialization

+import logging+import pytest+import os+import subprocess+import time+import ldap+from lib389._constants import *
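Review bot: `from lib389._constants import *` imports every name from a private module into the test namespace; import the constants actually used (SUFFIX) by name so the dependency is visible and the test does not break when _constants changes.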

@droideck This is probably from the create test template, I think @mreynolds389 has done a cleanup from it recently....

progier389

comment created time in 3 days


pull request comment 389ds/389-ds-base

Verify the new wtime and optime access log keywords

All seems reasonable to me too :)

sgouvern

comment created time in 3 days

Pull request review comment 389ds/389-ds-base

alpine linux build errors

 main(int argc, char **argv)             mallopt(M_MXFAST, val);         }     }+#endif
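Review bot: the `#endif` in this hunk closes a guard whose opening condition is outside the hunk; if that condition tests for Linux rather than for glibc, the mallopt(M_MXFAST, val) call still breaks on musl-based Linux such as Alpine, which is the build this PR is fixing. M_MXFAST is a glibc mallopt parameter, so guard on `__GLIBC__` rather than on the operating system.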

What happens when we have linux but not glibc?

kazimsarikaya

comment created time in 3 days


Pull request review comment 389ds/389-ds-base

alpine linux build errors

 acl_be_state_change_fnc(void *handle __attribute__((unused)), char *be_name, int          * Just get the first suffix--if there are multiple XXX ?         */ -        if ((sdn = slapi_be_getsuffix(be)) == NULL) {+        if ((sdn = slapi_be_getsuffix(be, 0)) == NULL) {

I think there have been some changes around this, @mreynolds389 may know more. Either way, I don't think this change should be in this PR, I think that you may need to rebase to the latest commits.

kazimsarikaya

comment created time in 3 days


pull request comment 389ds/389-ds-base

Issue 4262 - Remove legacy tools subpackage

Great work @mreynolds389, this is a huge change, and I'm so excited to see it complete :D

mreynolds389

comment created time in 3 days

created tag kanidm/webauthn-authenticator-rs

tag v0.1.2

A webauthn authenticator library for CLI tools (in place of a browser)

created time in 5 days

push event kanidm/webauthn-authenticator-rs

William Brown

commit sha 893e515591977fd3dfc6dd908cf6678b618654d9

(cargo-release) version 0.1.2

push time in 5 days

push event kanidm/webauthn-authenticator-rs

William Brown

commit sha 376184850beaeb218f4407db6e9578137601a6d4

Refactor for softtoken

William Brown

commit sha 18c5222db9d253b9f66b930d937a737a7de42be9

Start soft token

William Brown

commit sha 9de37f0fe54e3e18e3dc4ae4b4a23f16d48f8264

Start soft token

William Brown

commit sha 6757dd2309f2e133995d19c9f4a9a3f6c58f0e8e

Working u2f soft token

push time in 5 days

issue comment 389ds/389-ds-base

389-ds-base-1.4.4.5-1 segfaults after upgrading to Fedora 33

From that can you show the output of "thread apply bt full" and then add the output as a file attachment so we can look at it?

On 25 Oct 2020, at 00:32, Kappa notifications@github.com wrote:

I had installed all the debuginfo packages requested by gdb. Below is the latest result:

gdb core.ns-slapd-27316-11-1603539451

GNU gdb (GDB) Fedora 9.2-7.fc33
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
http://www.gnu.org/software/gdb/bugs/.
Find the GDB manual and other documentation resources online at:
http://www.gnu.org/software/gdb/documentation/.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
[New LWP 27316]
Reading symbols from /usr/lib64/samba/libiov-buf-samba4.so...
Reading symbols from /usr/lib/debug/usr/lib64/samba/libiov-buf-samba4.so-4.13.0-11.fc33.x86_64.debug...
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `/usr/sbin/ns-slapd upgradednformat -D /etc/dirsrv/slapd-LOCAL-NONET -n userRoot'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f1b6efc12e8 in ldbm_back_upgradednformat (pb=0x55b65e4eafd0) at ldap/servers/slapd/back-ldbm/ldif2ldbm.c:366
--Type <RET> for more, q to quit, c to continue without paging--
366         return priv->dblayer_upgradedn_fn(pb);
(gdb) bt
#0  0x00007f1b6efc12e8 in ldbm_back_upgradednformat (pb=0x55b65e4eafd0) at ldap/servers/slapd/back-ldbm/ldif2ldbm.c:366
#1  0x000055b65daf409e in ?? ()
#2  0x0000000000000000 in ?? ()

I was using Fedora 33 beta just before that. Just now several package updates (including 389-ds) are available in the stable/release channel. So I updated all the packages just now. The segfaults occurs when it is upgrading the RPM.

— Sincerely,

William Brown

Senior Software Engineer, 389 Directory Server
SUSE Labs, Australia

kappa-wingman

comment created time in 5 days

created tag kanidm/webauthn-authenticator-rs

tag v0.1.1

A webauthn authenticator library for CLI tools (in place of a browser)

created time in 6 days

push event kanidm/webauthn-authenticator-rs

William Brown

commit sha 813579f3d862bde6c92867e7c3cc4da8fd58490d

(cargo-release) version 0.1.1

push time in 6 days

push event kanidm/webauthn-authenticator-rs

William Brown

commit sha bf7ff9ccfe640b51b9b045e1541881bdc77fb4c2

Add coc, lic, readme

push time in 6 days

created tag kanidm/webauthn-rs

tag v0.2.5

An implementation of webauthn components for Rustlang servers

created time in 6 days

push event kanidm/webauthn-rs

William Brown

commit sha f164cb0c38d14b5096b916405d7fd7b334db981d

(cargo-release) version 0.2.5

push time in 6 days

create branch kanidm/webauthn-authenticator-rs

branch : main

created branch time in 6 days

created repository kanidm/webauthn-authenticator-rs

A webauthn authenticator library for CLI tools (in place of a browser)

created time in 6 days

push event kanidm/webauthn-rs

William Brown

commit sha 69039a4a436050ddb927ad9f3a8211cba704c26f

Changes for webauthn-authenticator

push time in 6 days

pull request comment 389ds/389-ds-base

Issue 4373 - BUG - Mapping Tree nodes can be created that are invalid

@mreynolds389 This update adds extended testing as discussed on the mailing list, including deeper nesting, broad and many suffixes, different lengths, and some extra ideas I thought of too. They all pass as well :)

Firstyear

comment created time in 7 days

push event Firstyear/389-ds-base

tbordaz

commit sha 43c69156983379638d4904b9ea86e505a85dfc0c

Issue 4329 - Sync repl - if a series of updates target the same entry then the cookie gets the wrong changenumber (#4356)

Bug description: In persist mode, sync_repl sends a matching updated entry with a sync state control containing a cookie. The cookie contains the changenumber related to the updated entry. If several consecutive updates target the same entry, sync_repl will send for each update the same changenumber (the first of the set of updates). changenumber will resync as soon as another entry is sent. The reason why sync_repl sends the same entry several times is that the internal search looks for '(changenumber >= cookie_changenumber)' rather than '(changenumber > cookie_changenumber)'.

Fix description: Change the filter to look for the next changenumber

Fixes: #4329

Reviewed by: William Brown, Simon Pichugi

Platforms tested: F31, F33

tbordaz

commit sha b8b1691420e3d3895d65f3447ec2c49fa9d94072

Issue 4379 - allow more than 1 empty AttributeDescription for ldapsearch, without the risk of denial of service (#4380)

Bug description: The fix #3028 enforces a strict limit of empty attributeDescription. The limit is low (1) and some applications may fail. We can relax this limit to a higher value without reopening DOS risk

Fix description: Change the max authorized empty attributesDescription from 1 to 10

relates: https://github.com/389ds/389-ds-base/issues/4379

Reviewed by: Mark Reynolds

Platforms tested: F31

Mark Reynolds

commit sha 141a5145a6ad009b3e0ecca1b067b50074cd018c

Issue 4159 - Healthcheck code DSBLE0002 not returned on disabled suffix

Bug Description: The healthcheck tool was actually crashing when a suffix was disabled. We also were not correctly processing DSLdapObjects, where we would run all the lint tests even though we only asked to run one specific lint test.

Fix Description: Make healthcheck more robust to handle exceptions. Fix the processing of DSLdapObjects by passing in the lint function name to DSLint(). Also added the health "check" that triggered the issue to the final report so you know which exact test to rerun.

Fixes: https://github.com/389ds/389-ds-base/issues/4159

Reviewed by: firstyear & spichugi(Thanks!)

Mark Reynolds

commit sha 9cfb5751552297d177a6c17d530224ae7a5062d3

Issue 4176 - import ldif2cl task should not close all changelogs

Bug Description: With the new per-backend replication changelog, the ldif2cl task would incorrectly close all the backends.

Fix Description: First, the global changelog struct (s_cl5Desc) was completely removed and merged with the replica changelog db handle struct. The dbState variable is used to synchronize access to the changelog db struct during shutdown, or ldif2cl tasks. The CLI was updated to handle setting changelog encryption, and importing/restoring a changelog ldif. The UI was updated to handle the new per-backend changelog and its configuration. Also added the option to export/import the changelog and its various forms.

Fixes: https://github.com/389ds/389-ds-base/issues/4176

Reviewed by: tbordaz, firstyear, and elkris (Thanks!!!)

Remove unneeded LMDB changelog file name
Apply requested changes
Fix dbscan, adjust changelog format v6, and other cleanup...
Prepare the CLI for changelog export/import

Firstyear

commit sha 0a902cc8462dc70650264e0eb3b6c5d5d752ea9a

Issue #3600 - RFE - openldap migration tooling (#4318)

Bug Description: A large number of enterprise customers are interested to move from OpenLDAP to 389 Directory Server. As this can be a difficult process, there are many parts that we can automate to make the process smoother, and to provide other information to assist admins in a successful migration.

Fix Description: This adds the openldap_to_ds command, which given a backup of an OpenLDAP and its configuration, is able to partially migrate the content and plugins to a running instance. Additionally this is able to provide a checklist of other migration tasks that may require administrator action and management.

fixes: #3600

Author: William Brown <william@blackhats.net.au>

Review by: @droideck @mreynolds389 (Thanks!)

Jamie Chapman

commit sha d2c285f02af792e97493fbed1ada287ff15e8317

Issue 1199 - Misleading message in access log for idle timeout (#4385)

Issue 1199 - Misleading message in access log for idle timeout

Description: Update timeout error code in daemon. Add extra detail to idle and IO timeout error messaging. Typo in logconv.pl

Relates: #1199

Reviewed by: mreynolds389, droideck, Firstyear (Thanks folks)

Simon Pichugin

commit sha 95653e7461ce877b21384b65efe2d3918fa8765e

Issue 4295 - Fix a closing quote issue (#4386)

Description: The "details" keyword in the access log does not have a closing quote. The issue happens because the quote was set in the wrong place.

Fixes: #4295

Reviewed by: @mreynolds389

Mark Reynolds

commit sha d5c5097b9cb6dcbba4b48a758dc1f31bd8565fae

Issue 4389 - errors log with incorrectly formatted message parent_update_on_childchange

Description: The arguments were incorrect for the logging line

Fixes: https://github.com/389ds/389-ds-base/issues/4389

Reviewed by: mreynolds(one line commit rule)

Mark Reynolds

commit sha 266d87802bb60e05ccb4a40ae6453baaf49af61e

Issue 2526 - suffix management in backends incorrect

Description: Previously the server used to support multiple suffixes per backend and the server had to maintain and check a be list of suffixes. However, this is no longer supported, so all of this code can be cleaned up to support a single suffix per backend. Also added a check that when creating a mapping tree entry, that the backend entry must already exist and match the suffix.

Relates: https://github.com/389ds/389-ds-base/issues/2526

Reviewed by: firstyear(Thanks!)

William Brown

commit sha e54ec4d3b898474099adba71c3f22bd63cd8511f

Issue 4373 - BUG - Mapping Tree nodes can be created that are invalid

Bug Description: The mapping tree is built and arranged based on the content of the nsslapd-parent-suffix attribute. However, it is possible that this value is invalid, pointing at a non-existent suffix, or that it could be pointing at a suffix that is invalid in the suffix hierarchy that mapping trees expect. https://www.port389.org/docs/389ds/design/mapping_tree_assembly.html

Fix Description: Rather than build the mapping tree by arranging nodes through the nsslapd-parent-suffix value, we should sort and build them through the known and defined suffix values in cn (which we already rely upon to be correct). This allows stable ordering and avoids potential user and developer errors.

fixes: #4373

Author: William Brown <william@blackhats.net.au>

Review by: ???

William Brown

commit sha e0bd1c63380724a179335c72ca41fde5bca5df7f

Add extended test cases

push time in 7 days

issue opened 389ds/389-ds-base

Memory leak in BE (minor)

=================================================================
==53701==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 40 byte(s) in 1 object(s) allocated from:
   #0 0x7fe2652ec27f in __interceptor_malloc (/usr/lib64/libasan.so.6+0xae27f)
   #1 0x7fe264e96b34 in slapi_ch_malloc /home/william/development/389ds/ds/ldap/servers/slapd/ch_malloc.c:95
   #2 0x7fe264eb41c9 in slapi_sdn_new /home/william/development/389ds/ds/ldap/servers/slapd/dn.c:1888
   #3 0x7fe264eb4a4b in slapi_sdn_new_normdn_byval /home/william/development/389ds/ds/ldap/servers/slapd/dn.c:2087
   #4 0x7fe264eb6871 in slapi_sdn_dup /home/william/development/389ds/ds/ldap/servers/slapd/dn.c:2474
   #5 0x7fe264e8eb25 in be_addsuffix /home/william/development/389ds/ds/ldap/servers/slapd/backend.c:176
   #6 0x444bae in setup_internal_backends /home/william/development/389ds/ds/ldap/servers/slapd/fedse.c:2887
   #7 0x448d11 in main /home/william/development/389ds/ds/ldap/servers/slapd/main.c:718
   #8 0x7fe264655e09 in __libc_start_main (/lib64/libc.so.6+0x27e09)

Direct leak of 40 byte(s) in 1 object(s) allocated from:
   #0 0x7fe2652ec27f in __interceptor_malloc (/usr/lib64/libasan.so.6+0xae27f)
   #1 0x7fe264e96b34 in slapi_ch_malloc /home/william/development/389ds/ds/ldap/servers/slapd/ch_malloc.c:95
   #2 0x7fe264eb41c9 in slapi_sdn_new /home/william/development/389ds/ds/ldap/servers/slapd/dn.c:1888
   #3 0x7fe264eb4a4b in slapi_sdn_new_normdn_byval /home/william/development/389ds/ds/ldap/servers/slapd/dn.c:2087
   #4 0x7fe264eb6871 in slapi_sdn_dup /home/william/development/389ds/ds/ldap/servers/slapd/dn.c:2474
   #5 0x7fe264e8eb25 in be_addsuffix /home/william/development/389ds/ds/ldap/servers/slapd/backend.c:176
   #6 0x444b95 in setup_internal_backends /home/william/development/389ds/ds/ldap/servers/slapd/fedse.c:2886
   #7 0x448d11 in main /home/william/development/389ds/ds/ldap/servers/slapd/main.c:718
   #8 0x7fe264655e09 in __libc_start_main (/lib64/libc.so.6+0x27e09)

Indirect leak of 11 byte(s) in 1 object(s) allocated from:
   #0 0x7fe2652993f7 in strdup (/usr/lib64/libasan.so.6+0x5b3f7)
   #1 0x7fe264e9701b in slapi_ch_strdup /home/william/development/389ds/ds/ldap/servers/slapd/ch_malloc.c:196
   #2 0x7fe264eb50d4 in slapi_sdn_set_normdn_byval /home/william/development/389ds/ds/ldap/servers/slapd/dn.c:2167
   #3 0x7fe264eb4a62 in slapi_sdn_new_normdn_byval /home/william/development/389ds/ds/ldap/servers/slapd/dn.c:2088
   #4 0x7fe264eb6871 in slapi_sdn_dup /home/william/development/389ds/ds/ldap/servers/slapd/dn.c:2474
   #5 0x7fe264e8eb25 in be_addsuffix /home/william/development/389ds/ds/ldap/servers/slapd/backend.c:176
   #6 0x444bae in setup_internal_backends /home/william/development/389ds/ds/ldap/servers/slapd/fedse.c:2887
   #7 0x448d11 in main /home/william/development/389ds/ds/ldap/servers/slapd/main.c:718
   #8 0x7fe264655e09 in __libc_start_main (/lib64/libc.so.6+0x27e09)

Indirect leak of 1 byte(s) in 1 object(s) allocated from:
   #0 0x7fe2652993f7 in strdup (/usr/lib64/libasan.so.6+0x5b3f7)
   #1 0x7fe264e9701b in slapi_ch_strdup /home/william/development/389ds/ds/ldap/servers/slapd/ch_malloc.c:196
   #2 0x7fe264eb50d4 in slapi_sdn_set_normdn_byval /home/william/development/389ds/ds/ldap/servers/slapd/dn.c:2167
   #3 0x7fe264eb4a62 in slapi_sdn_new_normdn_byval /home/william/development/389ds/ds/ldap/servers/slapd/dn.c:2088
   #4 0x7fe264eb6871 in slapi_sdn_dup /home/william/development/389ds/ds/ldap/servers/slapd/dn.c:2474
   #5 0x7fe264e8eb25 in be_addsuffix /home/william/development/389ds/ds/ldap/servers/slapd/backend.c:176
   #6 0x444b95 in setup_internal_backends /home/william/development/389ds/ds/ldap/servers/slapd/fedse.c:2886
   #7 0x448d11 in main /home/william/development/389ds/ds/ldap/servers/slapd/main.c:718
   #8 0x7fe264655e09 in __libc_start_main (/lib64/libc.so.6+0x27e09)

Found during execution of the mapping tree test suites. After talking to @mreynolds389 we think this may be related to backend monitor changes that were recently made. These appear to be minor/non-critical but always best to resolve these!

created time in 7 days

Pull request review comment 389ds/389-ds-base

Issue 4391 - DSE config modify does not call be_postop

 dse_modify(Slapi_PBlock *pb) /* JCM There should only be one exit point from thi                 }             } +            plugin_call_plugins(pb, SLAPI_PLUGIN_BE_POST_MODIFY_FN);+            if (!returncode) {+                slapi_pblock_get(pb, SLAPI_RESULT_CODE, &returncode);+            }+        }+    } else {+        /* It should not happen but just be paranoiac, do not+         * forget to call the postop if needed+         */+        if (need_be_postop) {+            plugin_call_plugins(pb, SLAPI_PLUGIN_BE_TXN_POST_MODIFY_FN);
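Review bot: both added `plugin_call_plugins(...)` calls discard their return value, so a post-op plugin that fails is never reflected in the operation result; the `if (!returncode)` that follows reads `SLAPI_RESULT_CODE` from the pblock, but a plugin that only returns non-zero without setting the result code is still lost. Assign the result (`plugin_rc = plugin_call_plugins(pb, SLAPI_PLUGIN_BE_POST_MODIFY_FN);`) and fold a non-zero `plugin_rc` into `returncode` when `returncode` is still 0, in both branches, so the two paths report failures the same way.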

Don't these need plugin_rc = plugin_call_plugins?

tbordaz

comment created time in 7 days

Pull request review comment 389ds/389-ds-base

Issue 4391 - DSE config modify does not call be_postop

 dse_modify(Slapi_PBlock *pb) /* JCM There should only be one exit point from thi                 }             } +            plugin_call_plugins(pb, SLAPI_PLUGIN_BE_POST_MODIFY_FN);+            if (!returncode) {+                slapi_pblock_get(pb, SLAPI_RESULT_CODE, &returncode);+            }+        }+    } else {+        /* It should not happen but just be paranoiac, do not+         * forget to call the postop if needed+         */+        if (need_be_postop) {
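Review bot: the two branches invoke different plugin points: the first calls `SLAPI_PLUGIN_BE_POST_MODIFY_FN` while the `else` branch under `need_be_postop` calls `SLAPI_PLUGIN_BE_TXN_POST_MODIFY_FN`; if that asymmetry is intentional (txn post-ops balancing a txn pre-op that already ran) the comment should say so instead of "should not happen but just be paranoiac", and if the else path really is unreachable, an explicit error log there would make it visible the day it does happen rather than silently calling a different set of plugins.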

Is there a situation where this is false?

tbordaz

comment created time in 7 days

delete branch kanidm/kanidm

delete branch : 324-106-softlock-auth-parallel

delete time in 8 days

push event kanidm/kanidm

Firstyear

commit sha 1a57aa9ea03de1033f6d9bcd69930e92b9c175f5

Fixes #324 account softlocking and rate limiting (#326) This provides bruteforce protection and ratelimiting to stop classes of attacks. This impacts all areas where a password or authentication is performed (unix, ldap, auth).

push time in 8 days

PR merged kanidm/kanidm

Account softlocking and rate limiting

This provides bruteforce protection and ratelimiting to stop classes of attacks. This impacts all areas where a password or authentication is performed (unix, ldap, auth).

Fixes #324

  • [ x ] cargo fmt has been run
  • [ x ] cargo clippy has been run
  • [ x ] cargo test has been run and passes
  • [ - ] book chapter included (if relevant)
  • [ x ] design document included (if relevant)
+1409 -361

0 comment

16 changed files

Firstyear

pr closed time in 8 days

issue closed kanidm/kanidm

Account softlock-ratelimiting

This is related to #59, but we should softlock accounts during rate limits or other bruteforce attacks. This will depend on the type of credential in use to determine the nature of the locking of the credential.

closed time in 8 days

Firstyear

issue comment 389ds/389-ds-base

Rewriter for member -> uniqueMember

The main issue I see is that uniqueMember is an attribute in schema, so for an entry that has both uniqueMember and member, the rewriter could conflict or be unclear. We also need to choose if this would be a virtual rewrite, and how the rewrite occurs (does the attribute need to be requested, or is it supplied with * or +?). Or do we extract member in the write path and duplicate the values, since uniqueMember and member have different syntaxes IIRC

attributeTypes: ( 2.5.4.31 NAME 'member'
  SUP distinguishedName
  X-ORIGIN 'RFC 4519' )

attributeTypes: ( 2.5.4.50 NAME 'uniqueMember'
  EQUALITY uniqueMemberMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.34
  X-ORIGIN 'RFC 4519' )

https://ldapwiki.com/wiki/1.3.6.1.4.1.1466.115.121.1.34

I think there are some subtle and non-obvious traps we could land in here. Really, in a way what we want is not a rewriter, but an aliasing mechanism in this case to allow one attribute to map onto another when requested.

So I think some extra thought about the design and mechanics is needed, but expanding the applications we support is always a positive.

marknl

comment created time in 8 days

pull request comment 389ds/389-ds-base

Issue 4392 - Update create_test.py

Ack, thank you!

mreynolds389

comment created time in 8 days

issue comment 389ds/389-ds-base

DSE config modify does not call be_postop

Yeah, I agree, we should call the postops too to balance this.

tbordaz

comment created time in 8 days

Pull request review comment 389ds/389-ds-base

Issue 4262 - Remove legacy tools subpackage

 def test_access_log_truncated_search_message(topology_st, clean_access_logs):     assert not topo.ds_access_log.match(r'.*cn500.*')  -
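Review bot: the test takes the `topology_st` fixture but its assertion references `topo.ds_access_log`, a name that does not appear in the visible signature, so this either raises `NameError` or silently picks up a module-level `topo` from another test; bind it explicitly (`topo = topology_st.standalone` or whatever object carries `ds_access_log`) or rename the fixture parameter so the instance under test is unambiguous.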

There are errors related to cn=config access on instance teardown, because it's done under a non-DM user (lib389 reuses the open connection from the test).

Sounds like teardown should re-bind to be sure it's DM to avoid that class of problems.

mreynolds389

comment created time in 9 days

Pull request review comment 389ds/389-ds-base

Issue 4262 - Remove legacy tools subpackage

 Core libraries for the 389 Directory Server base package.  These libraries are used by the main package and the -devel package.  This allows the -devel package to be installed with just the -libs package and without the main package. -%if %{use_legacy}-%package          legacy-tools-Summary:          Legacy utilities for 389 Directory Server (%{variant})-Group:            System Environment/Daemons-Obsoletes:        %{name} <= 1.4.0.9
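Review bot: deleting the `%package legacy-tools` stanza also deletes its `Obsoletes: %{name} <= 1.4.0.9` line, and nothing in the hunk obsoletes the subpackage itself, so a host that has `%{name}-legacy-tools` installed keeps an orphaned package on upgrade and its files may conflict with whatever now ships them; add an `Obsoletes: %{name}-legacy-tools < <the first version without it>` (and a matching `Provides` if any tool is retained) to a package that survives, such as the main package.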

We could make it an empty package, or having lib389/389-ds-base act as the obsoletes?

mreynolds389

comment created time in 9 days

Pull request review comment 389ds/389-ds-base

Issue 4262 - Remove legacy tools subpackage

 def finofaci():         domain.remove_all('aci')         for i in aci_list:             domain.add("aci", i)-+            pass
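Review bot: the added `pass` after `domain.add("aci", i)` is dead code, since the loop body already contains a statement; if the intent was only to replace the removed blank line, drop the `pass` and leave the body as is, otherwise a reader will assume a statement went missing here.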

One would hope "nothing". :)

mreynolds389

comment created time in 9 days

pull request comment 389ds/389-ds-base

389 ds base 1.4.3

Something doesn't look right here, that's far too many commits in this branch ...

jchapma

comment created time in 9 days

delete branch Firstyear/389-ds-base

delete branch : 50544-openldap-migration

delete time in 10 days

push event 389ds/389-ds-base

Firstyear

commit sha 0a902cc8462dc70650264e0eb3b6c5d5d752ea9a

Issue #3600 - RFE - openldap migration tooling (#4318)

Bug Description: A large number of enterprise customers are interested to move from OpenLDAP to 389 Directory Server. As this can be a difficult process, there are many parts that we can automate to make the process smoother, and to provide other information to assist admins in a successful migration.

Fix Description: This adds the openldap_to_ds command, which given a backup of an OpenLDAP and its configuration, is able to partially migrate the content and plugins to a running instance. Additionally this is able to provide a checklist of other migration tasks that may require administrator action and management.

fixes: #3600

Author: William Brown <william@blackhats.net.au>

Review by: @droideck @mreynolds389 (Thanks!)

push time in 10 days

issue closed 389ds/389-ds-base

OpenLDAP to 389-ds migration tool

Cloned from Pagure issue: https://pagure.io/389-ds-base/issue/50544

  • Created at 2019-08-09 03:12:43 by firstyear (@Firstyear)
  • Assigned to nobody

Issue Description

Due to the changes made by SUSE and Red Hat, there are customers who are needing to move from OpenLDAP to 389-ds.

I think it's not possible to do a 1:1 migration but we can do as much as possible. I think an example of what we could achieve is:

  • Migrate schema to 99user.ldif
  • Migrate the database content, stripping olc* attributes that are specific
  • Document and display guides to ACI porting

I think we can't achieve a perfect migration but anything that helps make this easier would be welcome.

We could draw inspiration from FreeIPA's ldap migration tool.

closed time in 10 days

389-ds-bot

PR merged 389ds/389-ds-base

50544 openldap migration work in progress

Work in progress of the openldap migration tooling. Not yet ready for review.

+3225 -1

11 comments

35 changed files

Firstyear

pr closed time in 10 days
