Issue with LDAP and posixAccount vs posixaccount - ldap

Recently had an issue in an environment where we use LDAP to update our system with groups/users. The LDAP system is not in our control; we can only run queries against it, and that is done within our code. The LDAP is part of the org's single sign-on. The UI for this was upgraded and LDAP was apparently untouched. Our system has an LDAP member criterion that was set to "user, posixAccount" and is "hard-coded", so not easy to change. Things stopped working, and eventually we identified that if we changed the case to posixaccount, things returned back to normal.
It's an absolute mystery how something that has worked for years suddenly stops working because, from our side, it was expecting posixAccount and not posixaccount, and we're told the upgrade didn't touch the LDAP side of things.
Any ideas of what could've changed to have this effect?
(We are unable to get any info on the LDAP system or what was actually done. We can use ldapsearch, for example, which actually doesn't worry about the case, and we understand that it should be case insensitive, but that's secondary for now.)
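The failure mode described in the question, reproduced as an added example (not code from the original post) on constructed sample entries: LDAP treats objectClass values and attribute type names as case-insensitive, so a client that compares them byte-for-byte breaks the moment the server returns "posixaccount" instead of "posixAccount". The "any of these classes" reading of the hard-coded criteria is an assumption.

```python
# Added example, not from the original post: exact-case vs. case-folded
# objectClass matching. LDAP objectClass values use a case-insensitive
# matching rule, and attribute type names are case-insensitive as well,
# so a client must not rely on the case the server happens to return.

# Constructed sample search results, dn -> {attribute: [values]}.
SAMPLE_ENTRIES = {
    "uid=alice,ou=people,dc=example,dc=org": {
        "objectClass": [b"top", b"person", b"posixAccount"],
    },
    # Same data, but the value comes back lower-cased as in the post.
    "uid=bob,ou=people,dc=example,dc=org": {
        "objectClass": [b"top", b"person", b"posixaccount"],
    },
    # Attribute type names are case-insensitive too; some servers echo
    # them back in a different case than the client asked for.
    "uid=carol,ou=people,dc=example,dc=org": {
        "objectclass": [b"top", b"person", b"posixAccount"],
    },
}

# The hard-coded criteria from the post; treated here (an assumption) as
# "the entry must carry at least one of these classes".
REQUIRED_CLASSES = ("user", "posixAccount")


def matches_exact(entry, required=REQUIRED_CLASSES):
    """Fragile check: exact attribute name and byte-for-byte class values."""
    classes = {v.decode("utf-8") for v in entry.get("objectClass", [])}
    return any(c in classes for c in required)


def get_attr(entry, name):
    """Look up an attribute by name, ignoring case as LDAP does."""
    wanted = name.casefold()
    for attr, values in entry.items():
        if attr.casefold() == wanted:
            return values
    return []


def matches_insensitive(entry, required=REQUIRED_CLASSES):
    """Robust check: fold case on attribute names and on class values."""
    classes = {v.decode("utf-8").casefold() for v in get_attr(entry, "objectClass")}
    return any(c.casefold() in classes for c in required)


def select_members(entries, matcher):
    """Return the sorted DNs that the given matcher accepts as members."""
    return sorted(dn for dn, attrs in entries.items() if matcher(attrs))
```

With the exact matcher only alice is selected; the case-folded matcher selects all three, which is what ldapsearch's server-side filter would also do.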

Related

My IBM Directory Server P2P replication blocks on add new entry and changes to operational attributes by the pwdpolicy mechanism. How do I avoid this?

I set up a peer-to-peer replication topology on 2 IBM LDAP servers (version 6.4). It works both ways with simple attribute modifications like changing description or displayName attributes. But it blocks when I add a new entry on either server. I checked the logs and see an error 50 (insufficient access) for the change. The audit logs show an "extra" operational attribute, ibm-entryuuid, is added to the other server, which maybe causes the error.
It also blocks when I try to log in on an account with an invalid password. I get an error 65 (object class violation). This is maybe because the password policy mechanism modifies/adds/deletes certain operational attributes (e.g. PWDFAILURETIME).
The schema files are the same for both servers. And both servers are cryptographically synched.
I use JXplorer to test. I use admin credentials.
What should I do to allow these operations to replicate? Thanks in advance for any help.
Update:
I have checked the supplier credentials and when I tried to change the ibm-slapdmasterdn and ibm-slapdmasterpw, I get an Already Exists error. What do I do?
I found the problem. I didn't quite understand what the credentials attributes meant until I re-read the IBM tutorial. I was trying to modify the replica DN to the admin DN, that's why I got the error.
It replicates smoothly now.

MySQL error 1449 reappearing even though definer was set to resolve initial error?

On Monday I messed up with a database.
We have an application running on a VPS, using cPanel and phpmyadmin, and I informed the developers I will be doing some queries on the DB to extract information.
So, I did a few large queries using the "Visual Builder" query tool and the web-application got stuck. The queries weren't loading and even refreshing the page did not work. The website wasn't loading and users couldn't log in. So I used WHM to log in as root and kill the queries manually. After I did this, the system was still not running.
Then, the database completely freaked out and I got these error messages:
After doing this, the DB somehow fixed itself and the web application was working again. However, we saw that we could not update some jobs or add new jobs in the system. If you pressed the "SAVE" button on a job, the system just gave an "undefined" message.
The developers had a look and discovered this was causing the issue:
The devs went ahead and added the definer and the issue was resolved. The blacked-out "user"#1.0.0.0" is the actual cPanel account username.
However, this did not last as yesterday evening the exact same situation was occurring. The web-application was running fine on Tuesday and most of Wednesday, then all of a sudden users couldn't update their jobs again which means the definer user was removed once again even though nobody did anything in the database.
Has anyone encountered this issue before? I read this thread on the topic and even though what they say makes sense, I believe the developers did this but the error still occurred.
When I log into phpmyadmin via cPanel, I get a weird user called "cpses_234ikjih#localhost.com". Does this perhaps have something to do with this error? I believe before the server went crazy, this user was only the name of the cPanel account (for example: "cPanelAccountName#localhost.com").
To summarize your post, what I'm seeing is that you have a MySQL user, the user disappeared, you recreated the user, and it went away again.
There must be some external factor here. Someone could have access to your database and is deleting the user maliciously or out of misunderstanding, there could be a scheduled job, or it could be something to do with your web host.
I'd start by auditing the database accounts, and restricting access as much as possible. Check any interface that's exposed to the web, such as WordPress, Joomla, or other applications.
You should enable logging, there are several degrees of logging that MySQL can allow. I think the most useful for you would be the audit log, although honestly I've never used that specifically. You'd enable that to log future events. The binary log may contain record of what has already occurred.
SOLVED
I managed to solve this by changing MySQL database password and cPanel account password.
I read one post by someone saying that there was a session file which perhaps stored an old session and that changing passwords could resolve this. Luckily it did, have not had the error 1449 appearing for 5 days now.

ldap client on aix systems - why does /etc/passwd need to finish with '+' on some systems

I need to integrate a couple of AIX servers into an existing LDAP directory for user authentication and authorization. Versions range from 5 to 7.1.
On some systems (I have yet to recognize a pattern) I need to finish '/etc/passwd' with a line containing a single '+' character for commands like id, login and automount to work. This procedure I took from the IBM Redbook "Integrating AIX into Heterogeneous LDAP Environments", p. 125.
I'd be prepared to just accept that. However, I have systems which are integrated perfectly fine into the LDAP without that line in '/etc/passwd', i.e., which just work. I would like to understand exactly what that '+' does and what other files exist to configure the system to use LDAP for authentication and authorization. I have yet failed to grasp the difference between systems which require '+' and those that do not.
Frankly, I am kind of afraid to mess with a facility like '/etc/passwd' without understanding what that '+' does exactly and what other options I have to enable LDAP lookup (apparently, others need to exist).
Grateful for any help, cheers, Christopher

msdeploy returning unauthorized when using the admin account and correct username / password

I am trying to use msdeploy on my web servers using the /MSDEPLOYAGENTSERVICE method and it is continually saying I am not an admin and not authorized, but I am using the administrator account and am using the correct password. Internally, if I try the webdeploy.axd it works, but that method is not an option for me due to port concerns.
Here is one of the command strings I use:
"%ProgramFiles(x86)%\MSBuild\12.0\Bin\amd64\msbuild.exe" ..\mysolution.sln /t:Clean;Rebuild /p:Configuration=%CONFIG% /verbosity:m /fileLogger /maxcpucount:4 /p:DeployOnBuild=true /p:PublishProfile=%CONFIG% /p:MSDeployServiceURL=http://%SERVER% /p:UserName=Administrator /p:Password=%PWORD%
Here is another one that is returning the same issue:
msdeploy -verb:sync -source:webserver,computername=%MACHINE%,username=Administrator,password=%PASSWORD% -dest:webserver 2>&1
This happened after I updated msdeploy to version 3.5 and moved my development environment to VS2013. Unfortunately I cannot downgrade either of these. Aside from those changes nothing else has been changed.
As always, asking the question has revealed the answer.
If this group policy key is set to 'Guest Only' msdeploy will NOT work.
I switched it back to 'Classic' and now it works properly.
Computer Configuration\Windows Settings\ Security Settings\Local Policies\Security Options\Network Access: Sharing and security model for local accounts.
I know I said nothing changed, but my admin seemed to have forgotten about that change. He has since been fed to the sharks with laser beams on their foreheads.

Getting login failed for sa when I haven't changed the password

I've been developing a winforms app tied to SQL Server. I haven't rebooted in a while. Today I rebooted and now I can't log into SQL. I used every account I know and their passwords, including one that was working just before I rebooted, and I get a 'Login failed'. I did take the database I use offline just before starting and I do have backups from before then.
Thoughts on what happened? Is there a way to bring the database back online OR somehow find out what the passwords are? I even tried using Windows authentication with me as an admin on the box AND sa (Yes, bad) and still no dice.
:-/ That's a rough place to be ... I wish you luck. Check out this blog post, not sure if you're using sql 2k5 or not, but if so, it may be helpful:
http://blogs.msdn.com/raulga/archive/2007/07/12/disaster-recovery-what-to-do-when-the-sa-account-password-is-lost-in-sql-server-2005.aspx
Have you checked to make sure that the service is actually running? Also are you trying to connect using IPC, TCPIP or named pipes? Whichever way make sure it's enabled in the configuration tools.
Since admins on the box are SQL admins, the only thing I can think of is that the service is not running.