From basile.mathieu at siris.sorbonne.fr Mon Oct 3 13:14:16 2005
From: basile.mathieu at siris.sorbonne.fr (basile au siris)
Date: Mon, 03 Oct 2005 15:14:16 +0200
Subject: [Fedora-directory-users] strange problem with group of more than 2000 users
Message-ID: <43412EA8.8030101@siris.sorbonne.fr>

Hi,
I have FDS 7.1 on Solaris 9, with users and groups stored in the directory.
All works fine except for a group of more than 2000 users: when I use id or getent, the system does not recognize the group.
Maybe it's not an FDS problem, but if someone can give me an idea, thanks.
basile

From gholbert at broadcom.com Mon Oct 3 14:42:34 2005
From: gholbert at broadcom.com (George Holbert)
Date: Mon, 03 Oct 2005 07:42:34 -0700
Subject: [Fedora-directory-users] strange problem with group of more than 2000 users
In-Reply-To: <43412EA8.8030101@siris.sorbonne.fr>
References: <43412EA8.8030101@siris.sorbonne.fr>
Message-ID: <4341435A.3030304@broadcom.com>

Basile,
This might be a limitation of the client operating systems, and not the directory server.
I believe the maximum size for a group in Solaris 8 is 4096 characters, regardless of whether the group is coming from /etc/group, LDAP, or wherever else.

I'm not sure what the limit is for recent Linuxes or Solaris > 8, but it may well also be around 4096 chars.

So, while your LDAP directory is capable of storing much larger groups, you may need to break them up into chunks to appease your client OSes.
-- George

basile au siris wrote:
> hi
> i have fds 7.1 on solaris 9 and users and group stored in the directory
> all works fine except for a group of more than 2000 users
> when i use id or getent system did not recognize the group
> maybe it s not a fds problem but if someone can give me an idea
> thanks
> basile
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From basile.mathieu at siris.sorbonne.fr Mon Oct 3 14:46:55 2005
From: basile.mathieu at siris.sorbonne.fr (basile au siris)
Date: Mon, 03 Oct 2005 16:46:55 +0200
Subject: [Fedora-directory-users] strange problem with group of more than 2000 users
In-Reply-To: <4341435A.3030304@broadcom.com>
References: <43412EA8.8030101@siris.sorbonne.fr> <4341435A.3030304@broadcom.com>
Message-ID: <4341445F.5010702@siris.sorbonne.fr>

Thanks.
Just another question: could it be a problem with the timers (ns_search_limit and ns_bind_limit) of ldap.client?
basile
From jclowser at unitedmessaging.com Mon Oct 3 15:05:33 2005
From: jclowser at unitedmessaging.com (Jeff Clowser)
Date: Mon, 03 Oct 2005 11:05:33 -0400
Subject: [Fedora-directory-users] strange problem with group of more than 2000 users
In-Reply-To: <43412EA8.8030101@siris.sorbonne.fr>
References: <43412EA8.8030101@siris.sorbonne.fr>
Message-ID: <434148BD.6070606@unitedmessaging.com>

It could be a limit on the sizes of groups, etc. in Solaris.

To check to see if it's LDAP related, look at the LDAP access logs for queries related to that group or coming from that machine. Anyway, 2000 I believe is the default sizelimit for searches, so look for entries with 2000 results, if it's consistently failing at 2000 users. If it's just reading the group with 2000+ static members (1 entry), then maybe reading each user individually (1 entry/search), it shouldn't hit a resource limit. But... if it reads the group, then searches for all users with that group id, or something similar, it may hit the administrative limits.

For a simple test, you could up the sizelimit (say to 10000 or -1) on the directory server and see if the problem goes away.

If you find something like this, there are a couple of ways to fix it:
1. Up your server administrative sizelimit (to a higher number, or -1 for unlimited).
This should be a last resort, since it allows anyone (even anonymous) to make unlimited size searches against your directory. If your directory is large, that could cause problems.
2. If the Solaris box is binding as a particular DN to search, you can add the nsSizeLimit to that entry, and set it to a higher value (or -1 for unlimited).
3. If it binds as the end user, you can add nsSizelimit to each user that can log in. This is a bit more of a pain to do since you have to do it for all users, but is better than increasing the limit for the entire server, in general.

- Jeff

From basile.mathieu at siris.sorbonne.fr Mon Oct 3 15:38:49 2005
From: basile.mathieu at siris.sorbonne.fr (basile au siris)
Date: Mon, 03 Oct 2005 17:38:49 +0200
Subject: [Fedora-directory-users] strange problem with group of more than 2000 users
In-Reply-To: <434148BD.6070606@unitedmessaging.com>
References: <43412EA8.8030101@siris.sorbonne.fr> <434148BD.6070606@unitedmessaging.com>
Message-ID: <43415089.1060203@siris.sorbonne.fr>

Thanks.
I set the sizelimit to -1 but it doesn't work any better.
I set nssizelimit to -1 on the proxyagent which is used to bind to the directory, but same result.
I look at the logs, and when I use id or getent there is a directory query.
It seems crazy that I can't have more than 2000 users in a group. I'm looking for the limit on how many users I can have.
basile
From basile.mathieu at siris.sorbonne.fr Mon Oct 3 16:08:50 2005
From: basile.mathieu at siris.sorbonne.fr (basile au siris)
Date: Mon, 03 Oct 2005 18:08:50 +0200
Subject: [Fedora-directory-users] strange problem with group of more than 2000 users
In-Reply-To: <43415089.1060203@siris.sorbonne.fr>
References: <43412EA8.8030101@siris.sorbonne.fr> <434148BD.6070606@unitedmessaging.com> <43415089.1060203@siris.sorbonne.fr>
Message-ID: <43415792.8090600@siris.sorbonne.fr>

I did a test:
with 643 users it works;
with 800 users it doesn't work.
Could it be a timer problem (time_search_limit or time_bind_limit for the proxyagent which is used to query the directory)?
basile
From gholbert at broadcom.com Mon Oct 3 16:34:41 2005
From: gholbert at broadcom.com (George Holbert)
Date: Mon, 03 Oct 2005 09:34:41 -0700
Subject: [Fedora-directory-users] strange problem with group of more than 2000 users
In-Reply-To: <43415792.8090600@siris.sorbonne.fr>
References: <43412EA8.8030101@siris.sorbonne.fr> <434148BD.6070606@unitedmessaging.com> <43415089.1060203@siris.sorbonne.fr> <43415792.8090600@siris.sorbonne.fr>
Message-ID: <43415DA1.8090709@broadcom.com>

Basile,
It is probably not an issue of the bind time limit, since this limit defines how long to wait when attempting to connect to your directory server. It sounds like your client is able to connect.

I doubt it's the search time limit, since 800 is not a huge number of entries. It would be easy to confirm this by increasing the search time limit to something big (say 300 seconds).

Your results make me think you are bumping into a 4096 character limit for posix groups on your client OS.
Assume your average username is 6 characters long. Then:
  643 * 6 = 3858 chars (works)
  800 * 6 = 4800 chars (doesn't work)

What client OS are you using for your tests?
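To turn George's arithmetic into a check you can run against a real group, here is an added example (ours, not code from the thread or from Fedora Directory Server) that renders a posixGroup the way a client's NSS layer sees it, counts the commas and the name:x:gid: prefix that the rough n * avg estimate leaves out, and splits an oversized group into chunks that each fit. The 4096 figure is George's Solaris 8 number treated as an assumption, and the chunk names and the ou=Groups base DN are ours.

```python
"""Size a posixGroup as a client's NSS layer sees it, and split it into
chunks that fit.  Added example for this thread, not code from it or from
Fedora Directory Server.

Assumptions: GROUP_LINE_LIMIT is the 4096-character figure George cites
for Solaris 8, treated here as an unverified client-side constant; the
chunk names (name, name_2, name_3 ...) and the ou=Groups base DN are ours.
Unlike the rough n * avg_len estimate, line_size() also counts the commas
between members and the 'name:x:gid:' prefix, so the crossover comes a
little earlier than that estimate suggests.
"""

GROUP_LINE_LIMIT = 4096  # assumed client buffer for one group(5) line


def group_line(name, gid, members):
    """Render the group the way /etc/group or `getent group` shows it."""
    return "%s:x:%d:%s" % (name, gid, ",".join(members))


def line_size(name, gid, members):
    """Bytes the client must buffer for this group: the line plus newline."""
    return len(group_line(name, gid, members).encode("utf-8")) + 1


def fits(name, gid, members, limit=GROUP_LINE_LIMIT):
    return line_size(name, gid, members) <= limit


def rough_vs_actual(n_members, avg_len, name="grp", gid=5000):
    """The thread's estimate (n * avg_len) next to the real line size."""
    rough = n_members * avg_len
    actual = len("%s:x:%d:" % (name, gid)) + rough + max(n_members - 1, 0) + 1
    return rough, actual


def split_group(name, gid, members, limit=GROUP_LINE_LIMIT):
    """Greedily pack members into successive groups that each fit in
    `limit`, keeping the original gidNumber on every chunk.  Returns a list
    of (chunk_name, members) in the original member order."""
    chunks = []
    current = []

    def chunk_name():
        return name if not chunks else "%s_%d" % (name, len(chunks) + 1)

    for m in members:
        if not fits(chunk_name(), gid, current + [m], limit):
            if not current:
                raise ValueError("member %r does not fit on a line by itself" % m)
            chunks.append((chunk_name(), current))
            current = []
            # the new chunk has a longer name, so re-check the member alone
            if not fits(chunk_name(), gid, [m], limit):
                raise ValueError("member %r does not fit on a line by itself" % m)
        current.append(m)
    if current:
        chunks.append((chunk_name(), current))
    return chunks


def to_ldif(chunks, gid, base_dn="ou=Groups,dc=example,dc=com"):
    """One posixGroup entry per chunk, ready for ldapadd; base_dn is a
    placeholder, not a DN from the thread."""
    lines = []
    for cname, members in chunks:
        lines += ["dn: cn=%s,%s" % (cname, base_dn),
                  "objectClass: top",
                  "objectClass: posixGroup",
                  "cn: %s" % cname,
                  "gidNumber: %d" % gid]
        lines += ["memberUid: %s" % m for m in members]
        lines.append("")
    return "\n".join(lines)


# Constructed sample: 800 six-character usernames, the size at which
# Basile's group stopped resolving.
SAMPLE_MEMBERS = ["u%05d" % i for i in range(800)]

if __name__ == "__main__":
    print("rough vs actual for 643 x 6:", rough_vs_actual(643, 6))
    print("800 members fit?", fits("grp", 5000, SAMPLE_MEMBERS))
    for cname, members in split_group("grp", 5000, SAMPLE_MEMBERS):
        print(cname, len(members), "members,",
              line_size(cname, 5000, members), "bytes")
```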
-- George
From jclowser at unitedmessaging.com Mon Oct 3 17:26:27 2005
From: jclowser at unitedmessaging.com (Jeff Clowser)
Date: Mon, 03 Oct 2005 13:26:27 -0400
Subject: [Fedora-directory-users] strange problem with group of more than 2000 users
In-Reply-To: <43415792.8090600@siris.sorbonne.fr>
References: <43412EA8.8030101@siris.sorbonne.fr> <434148BD.6070606@unitedmessaging.com> <43415089.1060203@siris.sorbonne.fr> <43415792.8090600@siris.sorbonne.fr>
Message-ID: <434169C3.7040308@unitedmessaging.com>

If it is hitting any type of administrative limit, it should show some type of error in the logs.
Look at the searches it is doing, and make sure you have appropriate indexes on attributes it is searching against - if the appropriate stuff is indexed, searches should be fast enough to not run into a timeout issue in most cases. Look in the access log for Notes=U - that should be there on an unindexed search.

If you don't see any of this in the logs, I'd say it's more a limit on the Solaris side (as someone else mentioned) than the LDAP side.

How big is your directory (how many entries, approximately)?

- Jeff
From thierry.lanfranchi at wanadoo.fr Tue Oct 4 07:50:30 2005
From: thierry.lanfranchi at wanadoo.fr (Thierry Lanfranchi)
Date: Tue, 04 Oct 2005 09:50:30 +0200
Subject: [Fedora-directory-users] About the password sync feature
Message-ID: <43423446.5010706@wanadoo.fr>

Hello there,

I'm in the process of installing a new LDAP directory using FDS, and am willing to synchronize the password modifications between AD domains and the corresponding users in the LDAP directory. These users are not synchronized, but the ntUserDomain attribute is set to the corresponding AD account.

After reading the RH admin guide, I still have a few questions, which are:
1_ Can the Password Sync feature be implemented without having to implement synchronization of the accounts between AD and FDS?
2_ When you have multiple AD servers per domain, and multiple AD domains, how many copies of the PassSync service do you need to install? Can the service be installed on only one server per domain, or do I need to install it on every server? (I'm no AD guru, so I'm not sure how and when the password is definitively encoded on AD.)

Thanks in advance for your answers,
Regards,
Thierry

From david_list at boreham.org Wed Oct 5 03:44:19 2005
From: david_list at boreham.org (David Boreham)
Date: Tue, 04 Oct 2005 21:44:19 -0600
Subject: [Fedora-directory-users] About the password sync feature
In-Reply-To: <43423446.5010706@wanadoo.fr>
References: <43423446.5010706@wanadoo.fr>
Message-ID: <43434C13.7020300@boreham.org>

Thierry Lanfranchi wrote:
> I'm in the process of installing a new LDAP directory using FDS, and
> am willing to synchronize the password modifications between AD
> domains and the corresponding users in the LDAP directory. These users
> are not synchronized, but the ntUserDomain attribute is set to the
> corresponding AD account.

Yes, this should work in the AD->FDS direction. I don't believe that it's a 'supported' configuration, but I think it should work ok.

> After reading the RH admin guide, I still have a few questions, which
> are:
> 1_ Can the Password Sync feature be implemented without having to
> implement synchronization of the accounts between AD and FDS?
In the AD->FDS direction, yes I think so.

> 2_ When you have multiple AD servers per domain, and multiple AD
> domains, how many copies of the PassSync service do you need to
> install? Can the service be installed on only one server per domain,
> or do I need to install it on every server? (I'm no AD guru, so I'm
> not sure how and when the password is definitively encoded on AD.)

You only need to install passsync in one place.

From bpeters at teleformix.com Wed Oct 5 14:41:12 2005
From: bpeters at teleformix.com (Brian Peters)
Date: Wed, 05 Oct 2005 09:41:12 -0500
Subject: [Fedora-directory-users] Password Sync Search Scope
In-Reply-To: <433D9245.2080206@teleformix.com>
References: <433D9245.2080206@teleformix.com>
Message-ID: <4343E608.5040401@teleformix.com>

Well, I got impatient and did a little digging through the source and found out the bad news for myself, but then I found some good news at least. It looks like the current release has the search scope hardcoded as one-level, but the bug had already been located and fixed as of this commit in June:

https://www.redhat.com/archives/fedora-directory-commits/2005-June/msg00000.html

So, I guess anyone else with this problem needs to wait for the next release (or recompile if they are impatient).

Brian

Brian Peters wrote:
> Hi,
>
> I have a user directory structure in AD that mimics a typical org
> chart such that my ou=People directory contains additional ou's as
> subtrees that represent different departments. I have a windows sync
> agreement in FDS set up, and after manually adding the various ou's on
> the FDS side, all the users sync over properly in all the subtrees.
>
> My problem is with the password sync service for windows.
> Upon changing a user's password that has already been replicated to FDS
> from AD, I see in the access logs a search along these lines:
>
> SRCH base="ou=People,dc=my,dc=domain" scope=1
> filter="(ntUserDomainId=myUser)" attrs=ALL
>
> with the result indicating no entries found:
>
> RESULT err=0 tag=101 nentries=0 etime=0
>
> The myUser account is at ou=MyDept,ou=People,dc=my,dc=domain, but the
> password sync service issues a search request to only search the
> ou=People directory non-recursively (i.e. scope=1). I don't see any
> options in either the PassSync.msi setup or in the registry keys to
> force the service to do a scope=2 recursive search. I tried to use
> the syntax "ou=People,dc=my,dc=domain?sub", but it doesn't seem to
> recognize that either. Is there any workaround for this besides to
> synchronize all of my users to a single directory on FDS?
>
> Thanks,
> Brian

From Bkosick at mxlogic.com Thu Oct 6 19:04:16 2005
From: Bkosick at mxlogic.com (Brian Kosick)
Date: Thu, 06 Oct 2005 13:04:16 -0600
Subject: [Fedora-directory-users] Issues with SSL/Admin console
Message-ID: <1128625457.3716.14.camel@mxlrmt-130.corp.mxlogic.com>

Hi All,

I have a quick question. I had SSL all set up and running on both the admin server and the directory server. My manager wanted it set up on his Windows box, so I followed the WindowsConsole HOWTO, and kept getting stuck in the Mozilla libs not being able to make the SSL socket connection, returning with "class not found". I disabled SSL on the admin server and was able to connect to that, and then disabled SSL on the directory server, but couldn't get it to work. Now on my Linux admin console, which worked beautifully before, it keeps trying to connect to port 636, rather than 389.
I have tried re-enabling SSL in the directory server by following the SSL HOWTO, but I keep getting:

ldapadd -f /tmp/ssl_enable.ldif -xv -D "cn=Directory Manager" -h qapxe.corp.mxlogic.com -w
ldap_initialize( ldap://qapxe.corp.mxlogic.com )
ldapadd: invalid format (line 8) entry: "cn=encryption,cn=config"

Based on a list thread that I found, I removed all the newlines in the cipher list and still have the same issue.

Here's my enable_ssl.ldif:

dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: on
-
replace: nsSSLClientAuth
nsSSLClientAuth: allowed
-
add: nsSSL3Ciphers
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,
+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,
+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,
+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
-
add: nsKeyfile
nsKeyfile: alias/slapd-qapxe-key3.db
-
add: nsCertfile
nsCertfile: alias/slapd-qapxe-cert8.db

dn: cn=config
changetype: modify
add: nsslapd-security
nsslapd-security: on
-
replace: nsslapd-ssl-check-hostname
nsslapd-ssl-check-hostname: off

My question is how do I either get the admin console to try to connect via 389, rather than 636, or get SSL re-enabled on the directory server.

Thanks in advance
Brian

From rmeggins at redhat.com Thu Oct 6 19:22:15 2005
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 06 Oct 2005 13:22:15 -0600
Subject: [Fedora-directory-users] Issues with SSL/Admin console
In-Reply-To: <1128625457.3716.14.camel@mxlrmt-130.corp.mxlogic.com>
References: <1128625457.3716.14.camel@mxlrmt-130.corp.mxlogic.com>
Message-ID: <43457967.80905@redhat.com>

I'm not sure. Are you sure you have no extraneous or trailing white spaces anywhere? It might help if you could post the raw file.
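Rich's question about stray whitespace can be checked mechanically. The following is an added example (ours, not code from the thread or from the project) that lints an LDIF change file for trailing whitespace, wrapped values missing their continuation space and misplaced "-" separators, and shows the repair that Brian describes doing by hand; it runs over his enable_ssl.ldif as it appeared in the mail, with a trailing space that we placed on line 8, and the thread does not confirm that was his actual fault.

```python
"""Lint an LDIF change file for the slips that make ldapadd stop with
"invalid format": trailing whitespace, a wrapped value whose continuation
line lacks its leading space, a "-" separator outside a modify record, and
a record that does not begin with dn:.  Added example, not from the thread.
SAMPLE_LDIF is Brian's enable_ssl.ldif as it appeared in his mail (cipher
list wrapped over four lines) plus a trailing space we put on line 8 to show
what the check reports; the thread does not say what his actual fault was.
"""
import re

# "attrname:" at the start of a line (also matches the "::" and ":<" forms)
ATTR_LINE = re.compile(r"^[A-Za-z][A-Za-z0-9.;-]*:")


def lint_ldif(text):
    """Return a list of (line_number, problem); an empty list means clean."""
    problems = []
    in_modify = False  # inside a changetype: modify record?
    seen_dn = False    # has the current record started?
    for lineno, line in enumerate(text.split("\n"), start=1):
        if line != line.rstrip(" \t"):
            problems.append((lineno, "trailing whitespace"))
            line = line.rstrip(" \t")
        if line == "":                   # blank line ends the record
            in_modify, seen_dn = False, False
            continue
        if line.startswith(("#", " ")):  # comment or folded continuation
            continue
        if line == "-":
            if not in_modify:
                problems.append((lineno, '"-" outside a changetype: modify record'))
            continue
        if not ATTR_LINE.match(line):
            problems.append((lineno, "not an attribute line; a wrapped value "
                                     "must continue with a leading space"))
            continue
        if not seen_dn:
            if not line.lower().startswith("dn:"):
                problems.append((lineno, "record does not start with dn:"))
            seen_dn = True
        if re.match(r"changetype:\s*modify$", line, re.IGNORECASE):
            in_modify = True
    return problems


def normalize(text):
    """Strip trailing whitespace and turn each bare wrapped line into a
    continuation line; the LDIF reader then joins it onto the previous value
    with the leading space removed (the join Brian did by hand)."""
    out = []
    for line in text.split("\n"):
        line = line.rstrip(" \t")
        if line and line != "-" and not line.startswith(("#", " ")) \
                and not ATTR_LINE.match(line):
            line = " " + line
        out.append(line)
    return "\n".join(out)


def unfold(text):
    """Join continuation lines onto their logical line (RFC 2849 folding)."""
    logical = []
    for line in text.split("\n"):
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]
        else:
            logical.append(line)
    return logical


SAMPLE_LDIF = "\n".join([
    "dn: cn=encryption,cn=config",
    "changetype: modify",
    "replace: nsSSL3",
    "nsSSL3: on",
    "-",
    "replace: nsSSLClientAuth",
    "nsSSLClientAuth: allowed",
    "- ",  # line 8: trailing space, constructed for this example
    "add: nsSSL3Ciphers",
    "nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,",
    "+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,",
    "+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,",
    "+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha",
    "-",
    "add: nsKeyfile",
    "nsKeyfile: alias/slapd-qapxe-key3.db",
    "-",
    "add: nsCertfile",
    "nsCertfile: alias/slapd-qapxe-cert8.db",
    "",
    "dn: cn=config",
    "changetype: modify",
    "add: nsslapd-security",
    "nsslapd-security: on",
    "-",
    "replace: nsslapd-ssl-check-hostname",
    "nsslapd-ssl-check-hostname: off",
])
```

Running lint_ldif(SAMPLE_LDIF) reports line 8 and the three bare cipher lines 11 to 13; lint_ldif(normalize(SAMPLE_LDIF)) reports nothing, and unfold() shows the single-line cipher value that results.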
From Bkosick at mxlogic.com Thu Oct 6 20:05:04 2005
From: Bkosick at mxlogic.com (Brian Kosick)
Date: Thu, 06 Oct 2005 14:05:04 -0600
Subject: [Fedora-directory-users] Issues with SSL/Admin console
Message-ID: <1128629104.3716.20.camel@mxlrmt-130.corp.mxlogic.com>

Here it is.

Thanks
Brian

On Thu, 2005-10-06 at 13:22 -0600, Rich Megginson wrote:
> I'm not sure. Are you sure you have no extraneous or trailing white
> spaces anywhere? It might help if you could post the raw file.
-------------- next part --------------
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: on
-
replace: nsSSLClientAuth
nsSSLClientAuth: allowed
-
add: nsSSL3Ciphers
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
-
add: nsKeyfile
nsKeyfile: alias/slapd-qapxe-key3.db
-
add: nsCertfile
nsCertfile: alias/slapd-qapxe-cert8.db

dn: cn=config
changetype: modify
add: nsslapd-security
nsslapd-security: on
-
replace: nsslapd-ssl-check-hostname
nsslapd-ssl-check-hostname: off

From bmadsen at ecbridges.com Thu Oct 6 21:09:39 2005
From: bmadsen at ecbridges.com (Ben Madsen - Mailing List)
Date: Thu, 06 Oct 2005 14:09:39 -0700
Subject: [Fedora-directory-users] Password Sync Search Scope
In-Reply-To: <4343E608.5040401@teleformix.com>
References: <433D9245.2080206@teleformix.com> <4343E608.5040401@teleformix.com>
Message-ID: <43459293.6020605@ecbridges.com>

Anybody know when the next release is going to be for this particular
tool? Or any of it, for that matter?

-Ben

Brian Peters wrote:
> Well, I got impatient and did a little digging through the source and
> found out the bad news for myself, but then I found some good news at
> least.
> It looks like the current release has the search scope
> hardcoded as one-level, but the bug had already been located and fixed
> as of this commit in June:
>
> https://www.redhat.com/archives/fedora-directory-commits/2005-June/msg00000.html
>
> So, I guess anyone else with this problem needs to wait for the next
> release (or recompile if they are impatient).
>
> Brian
>
> Brian Peters wrote:
>
>> Hi,
>>
>> I have a user directory structure in AD that mimics a typical org
>> chart such that my ou=People directory contains additional ou's as
>> subtrees that represent different departments. I have a Windows sync
>> agreement in FDS set up, and after manually adding the various ou's
>> on the FDS side, all the users sync over properly in all the subtrees.
>>
>> My problem is with the password sync service for Windows. Upon
>> changing a user's password that has already been replicated to FDS
>> from AD, I see in the access logs a search along these lines:
>>
>> SRCH base="ou=People,dc=my,dc=domain" scope=1 filter="(ntUserDomainId=myUser)" attrs=ALL
>>
>> with the result indicating no entries found:
>>
>> RESULT err=0 tag=101 nentries=0 etime=0
>>
>> The myUser account is at ou=MyDept,ou=People,dc=my,dc=domain, but the
>> password sync service issues a search request to only search the
>> ou=People directory non-recursively (i.e. scope=1). I don't see any
>> options in either the PassSync.msi setup or in the registry keys to
>> force the service to do a scope=2 recursive search. I tried to use
>> the syntax "ou=People,dc=my,dc=domain?sub", but it doesn't seem to
>> recognize that either. Is there any workaround for this besides
>> synchronizing all of my users to a single directory on FDS?
>>
>> Thanks,
>> Brian

From rmeggins at redhat.com Thu Oct 6 21:46:11 2005
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 06 Oct 2005 15:46:11 -0600
Subject: [Fedora-directory-users] Password Sync Search Scope
In-Reply-To: <43459293.6020605@ecbridges.com>
References: <433D9245.2080206@teleformix.com> <4343E608.5040401@teleformix.com> <43459293.6020605@ecbridges.com>
Message-ID: <43459B23.8020002@redhat.com>

Ben Madsen - Mailing List wrote:
> Anybody know when the next release is going to be for this particular
> tool? Or any of it, for that matter?

Pretty soon.

> -Ben
>
> Brian Peters wrote:
>> [...]
From uffe at loop.to Fri Oct 7 01:06:38 2005
From: uffe at loop.to (uffe at loop.to)
Date: Thu, 06 Oct 2005 18:06:38 -0700
Subject: [Fedora-directory-users] Issues with SSL/Admin console
In-Reply-To: <1128629104.3716.20.camel@mxlrmt-130.corp.mxlogic.com>
References: <1128629104.3716.20.camel@mxlrmt-130.corp.mxlogic.com>
Message-ID: <4345CA1E.7030707@loop.to>

The instructions were probably tested with the tools that accompany FDS;
can you try with ldapmodify instead of ldapadd?

cd /opt/fedora/shared/bin
./ldapmodify -f /tmp/ssl_enable.ldif -v -D "cn=Directory Manager" -h qapxe.corp.mxlogic.com -w

For the Windows Console SSL problem, do you recall what class the
exception mentioned wasn't found?
I'm guessing it was a jss class; the jar might have had the wrong
filename, like jss33.jar instead of jss3.jar...

Brian Kosick wrote:
> Here it is.
>
> Thanks
> Brian
>
> On Thu, 2005-10-06 at 13:22 -0600, Rich Megginson wrote:
>> I'm not sure. Are you sure you have no extraneous or trailing white
>> spaces anywhere? It might help if you could post the raw file.
>>
>> Brian Kosick wrote:
>>> [...]
From rmeggins at redhat.com Fri Oct 7 02:25:28 2005
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 06 Oct 2005 20:25:28 -0600
Subject: [Fedora-directory-users] Issues with SSL/Admin console
In-Reply-To: <1128629104.3716.20.camel@mxlrmt-130.corp.mxlogic.com>
References: <1128629104.3716.20.camel@mxlrmt-130.corp.mxlogic.com>
Message-ID: <4345DC98.8010409@redhat.com>

Try using ldapmodify instead of ldapadd.

Brian Kosick wrote:
> Here it is.
>
> Thanks
> Brian
>
> On Thu, 2005-10-06 at 13:22 -0600, Rich Megginson wrote:
>> I'm not sure. Are you sure you have no extraneous or trailing white
>> spaces anywhere? It might help if you could post the raw file.
>>
>> Brian Kosick wrote:
>>> [...]
From Bkosick at mxlogic.com Fri Oct 7 14:14:50 2005
From: Bkosick at mxlogic.com (Brian Kosick)
Date: Fri, 07 Oct 2005 08:14:50 -0600
Subject: [Fedora-directory-users] Issues with SSL/Admin console
Message-ID: <1128694490.3268.21.camel@mxlrmt-130.corp.mxlogic.com>

Thanks Everyone, I got it working.
ldapmodify was the right one, along with making a few modifications to
the enable_ssl and addrsa files. For instance, the values for the cert
db's were already in there, as I had already had it enabled, and getting
the "Server-Cert" name right.

As for the Windows issue, it was an issue with the jss3.jar/dll; I was
using JRE 1.5.0_04. I followed the instructions in the Windows Console
HOWTO, including DL'ing the additional files required for SSL, and no
luck, it kept dying trying to make the SSL connection. Right now, I
don't have enough time to try setting up Admin Console on Windows again.
I'll get back with the list when I have time to try again.

Thanks,
Brian

On Thu, 2005-10-06 at 18:06 -0700, uffe at loop.to wrote:
> The instructions were probably tested with the tools that accompany FDS,
> can you try with ldapmodify instead of ldapadd?
> cd /opt/fedora/shared/bin
> ./ldapmodify -f /tmp/ssl_enable.ldif -v -D "cn=Directory Manager" -h qapxe.corp.mxlogic.com -w
>
> For the Windows Console SSL problem, do you recall what class the
> exception mentioned wasn't found? I'm guessing it was a jss class, the
> jar might have had the wrong filename, like jss33.jar instead of jss3.jar...
>
> Brian Kosick wrote:
>> [...]
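The two things this thread turned on, Rich's question about stray whitespace in the LDIF and the switch from ldapadd to ldapmodify, can both be checked mechanically before a change file is applied to cn=config. The linter below is an added example written for this page; it is not code from the list or from Fedora Directory Server. The LDIF it checks is a constructed file in the shape of the thread's enable_ssl.ldif (with the instance name replaced by a placeholder), and the `tool` parameter naming the client that will consume the file is this example's own convention.

```python
"""Structural checks for an LDIF change file before it touches cn=config.

Added example for the thread above (not the list's or FDS's own code).
"""

MOD_OPS = ("add", "replace", "delete")

# Constructed sample in the shape of the thread's enable_ssl.ldif; the
# instance name "example" is a placeholder, not the poster's file.
CLEAN_LDIF = (
    "dn: cn=encryption,cn=config\n"
    "changetype: modify\n"
    "replace: nsSSL3\n"
    "nsSSL3: on\n"
    "-\n"
    "replace: nsSSLClientAuth\n"
    "nsSSLClientAuth: allowed\n"
    "-\n"
    "add: nsKeyfile\n"
    "nsKeyfile: alias/slapd-example-key3.db\n"
    "\n"
    "dn: cn=config\n"
    "changetype: modify\n"
    "add: nsslapd-security\n"
    "nsslapd-security: on\n"
)

# Same file with two defects introduced on purpose: a trailing space after
# "nsSSL3: on" and a value line whose attribute does not match its mod op.
BROKEN_LDIF = CLEAN_LDIF.replace("nsSSL3: on\n", "nsSSL3: on \n", 1).replace(
    "nsSSLClientAuth: allowed", "nsSSL3: allowed", 1)


def _attr(line):
    """Attribute name of an 'attr: value' line, lower-cased; None if no colon."""
    return line.split(":", 1)[0].strip().lower() if ":" in line else None


def _value(line):
    return line.split(":", 1)[1].strip() if ":" in line else ""


def _split_records(text, findings):
    """Group physical lines into LDIF records, unfolding ' ' continuations."""
    records, current = [], None
    for no, raw in enumerate(text.split("\n"), 1):
        if raw != raw.rstrip():
            findings.append((no, "trailing whitespace"))
        line = raw.rstrip()
        if line == "":
            current = None            # a blank line ends the record
            continue
        if line.startswith(" "):      # folded continuation of the previous value
            if current and current["lines"]:
                prev_no, prev = current["lines"][-1]
                current["lines"][-1] = (prev_no, prev + line[1:])
            else:
                findings.append((no, "continuation line with nothing to continue"))
            continue
        if current is None:
            current = {"start": no, "lines": []}
            records.append(current)
        current["lines"].append((no, line))
    return records


def _check_record(rec, tool, findings):
    lines = rec["lines"]
    no, first = lines[0]
    if _attr(first) != "dn":
        findings.append((no, "record does not start with dn:"))
        return
    if len(lines) < 2 or _attr(lines[1][1]) != "changetype":
        return                        # plain entry record; nothing more to check
    ctype = _value(lines[1][1]).lower()
    if ctype == "modify" and tool == "ldapadd":
        findings.append((lines[1][0], "changetype: modify record fed to ldapadd; use ldapmodify"))
    if ctype != "modify":
        return
    op_attr, expect_op = None, True   # expect_op: next line must open a mod op
    for no, line in lines[2:]:
        if line == "-":
            if expect_op:
                findings.append((no, "'-' separator without a preceding mod op"))
            op_attr, expect_op = None, True
            continue
        a = _attr(line)
        if a is None:
            findings.append((no, "line is neither 'attr: value' nor '-'"))
            continue
        if expect_op:
            if a not in MOD_OPS:
                findings.append((no, "expected add/replace/delete, got %r" % a))
            op_attr, expect_op = _value(line).lower(), False
        elif a != op_attr:
            findings.append((no, "value for %r inside a mod op for %r" % (a, op_attr)))


def lint_ldif(text, tool="ldapmodify"):
    """Return sorted (line_no, message) findings; [] means structurally clean."""
    findings = []
    for rec in _split_records(text, findings):
        _check_record(rec, tool, findings)
    return sorted(findings)


if __name__ == "__main__":
    for name, text in (("clean", CLEAN_LDIF), ("broken", BROKEN_LDIF)):
        print(name, lint_ldif(text) or "OK")
    print("clean via ldapadd", lint_ldif(CLEAN_LDIF, tool="ldapadd"))
```

Run it over the real file with `lint_ldif(open(path).read(), tool="ldapadd")` before invoking the client; a clean result does not prove the server will accept the values, only that the record structure and whitespace are what the client's LDIF parser expects.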
From jonbjorn at hi.is Fri Oct 7 15:28:59 2005
From: jonbjorn at hi.is (Jon Bjorn Njalsson)
Date: Fri, 07 Oct 2005 15:28:59 +0000
Subject: [Fedora-directory-users] Winsync issues
Message-ID: <1128698940.4851.7.camel@viper.rhi.hi.is>

Hi all.

After setting up FDS and a Windows 2003 AD server, I have a problem with
winsync. I am trying to synchronize users from FDS to AD. Users are
replicated to the Domain Controller but all user accounts are disabled
and have "User must change password on logon" set. Is there a reason
for this?

regards
Jon Bjorn

From david_list at boreham.org Fri Oct 7 16:00:48 2005
From: david_list at boreham.org (David Boreham)
Date: Fri, 07 Oct 2005 10:00:48 -0600
Subject: [Fedora-directory-users] Winsync issues
In-Reply-To: <1128698940.4851.7.camel@viper.rhi.hi.is>
References: <1128698940.4851.7.camel@viper.rhi.hi.is>
Message-ID: <43469BB0.5090102@boreham.org>

Jon Bjorn Njalsson wrote:
> After setting up FDS and a Windows 2003 AD server, I have a problem with
> winsync. I am trying to synchronize users from FDS to AD. Users are
> replicated to the Domain Controller but all user accounts are disabled
> and have "User must change password on logon" set. Is there a reason
> for this?

There are a few potential reasons. One would be not using SSL for the
connection between FDS and AD. Another would be not using a bind
identity to AD that had the rights to change passwords.

From JURGEN.KOBIERCZYNSKI at nationale-loterij.be Tue Oct 11 12:13:21 2005
From: JURGEN.KOBIERCZYNSKI at nationale-loterij.be (JURGEN KOBIERCZYNSKI)
Date: Tue, 11 Oct 2005 14:13:21 +0200
Subject: [Fedora-directory-users] Consumer directory server crashes during configuring Single-Master replication in Console ("Unable to contact LDAP Server")
Message-ID:

Hi,

Are there issues known with configuring replication?

I try to configure the read-only replica for a Single-Master replication.
Therefore I've deleted the original root-suffix on the consumer (because
I will replicate this from the supplier), recreated a new suffix, created
a replication entry, and then enabled the replica checkbox on the suffix's
database in the replication folder under the configuration tab. Then I
check dedicated consumer, fill in the bind DN, and the supplier URL. When
I try to save this configuration the directory server console loses all
connection to the LDAP server (message "can not connect to LDAP server"),
and the ldap process terminates.

I tried this in 2 configurations: a Single-Master replication between 2
servers, and a Single-Master replication between 2 directory instances
on the same server, and in both scenarios the ldap server terminates.

What did I do wrong? Should I leave the original root-suffix intact on
the consumer, and do I need to define 2 different root-suffixes on the
servers? I've used the same root suffix on both servers.

Thanks in advance.

Jurgen Kobierczynski
Assistant Network & Security Engineer
Nationale Loterij
Departement Operations & ICT
Tel. : +32 (0)2 238.47.42
Fax : +32 (0)2 238.47.18
GSM : +32 (0) 477 43.68.31
E-mail : jurgen.kobierczynski at nationale-loterij.be

This email and any attachments thereto may contain confidential and/or privileged information intended for the sole use of the recipient(s). Any review, use, retention, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient, please contact the sender by reply email and delete all copies of this message. This email and any attachments are susceptible to data corruption, interception, tampering, unauthorized amendment and viruses. The National Lottery accepts no liability in connection therewith.
From rmeggins at redhat.com Tue Oct 11 23:47:05 2005
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 11 Oct 2005 17:47:05 -0600
Subject: [Fedora-directory-users] Consumer directory server crashes during configuring Single-Master replication in Console ("Unable to contact LDAP Server")
In-Reply-To:
References:
Message-ID: <434C4EF9.3040000@redhat.com>

JURGEN KOBIERCZYNSKI wrote:
> Hi,
>
> Are there issues known with configuring replication?
>
> I try to configure the read-only replica for a Single-Master
> replication. Therefore I've deleted the original root-suffix on the
> consumer (because I will replicate this from the supplier), recreated a
> new suffix,

You don't need to do this - replica initialization will do basically
the same thing.

> created a replication entry,

What is a replication entry?

> and then enabled the replica
> checkbox on the suffix's database in the replication folder under the
> configuration tab. Then I check dedicated consumer, fill in the bind DN,
> and the supplier URL. When I try to save this configuration the
> directory server console loses all connection to the LDAP server
> (message "can not connect to LDAP server"), and the ldap process
> terminates.

What messages do you see in the error log? Access log? Was the master
already configured to replicate? Was the master attempting to replicate
when the crash occurred?

> I tried this in 2 configurations: a Single-Master replication between 2
> servers, and a Single-Master replication between 2 directory instances
> on the same server, and in both scenarios the ldap server terminates.
> What did I do wrong? Should I leave the original root-suffix intact on
> the consumer, and do I need to define 2 different root-suffixes on the
> servers? I've used the same root suffix on both servers.
>
> Thanks in advance.
From basile.mathieu at siris.sorbonne.fr Wed Oct 12 10:54:44 2005
From: basile.mathieu at siris.sorbonne.fr (basile au siris)
Date: Wed, 12 Oct 2005 12:54:44 +0200
Subject: [Fedora-directory-users] strange problem with group of more than 2000 users
In-Reply-To: <434169C3.7040308@unitedmessaging.com>
References: <43412EA8.8030101@siris.sorbonne.fr> <434148BD.6070606@unitedmessaging.com> <43415089.1060203@siris.sorbonne.fr> <43415792.8090600@siris.sorbonne.fr> <434169C3.7040308@unitedmessaging.com>
Message-ID: <434CEB74.2060509@siris.sorbonne.fr>

hi
back with new info :)
I can have exactly 726 members in my group (5232 login characters, 5958
with end of line).
What kind of Solaris limitation could it be?
I've 3146 people in the directory in 10 groups, and just one with more
than 726 users.

Here are the LDAP logs for 726 users in the group when doing a
"getent group toto":

[12/Oct/2005:12:37:39 +0200] conn=1 fd=64 slot=64 connection from xxx.xxx.xxx.4 to xxx.xxx.xxx.4
[12/Oct/2005:12:37:39 +0200] conn=1 op=0 BIND dn="cn=proxyagent,ou=profile,dc=example,dc=fr" method=128 version=3
[12/Oct/2005:12:37:39 +0200] conn=1 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=proxyagent,ou=profile,dc=example,dc=fr"
[12/Oct/2005:12:37:39 +0200] conn=1 op=1 SRCH base=" ou=groups,dc=example,dc=fr" scope=1 filter="(&(objectClass=posixGroup)(cn=toto))" attrs="cn gidNumber userPassword memberUid"
[12/Oct/2005:12:37:39 +0200] conn=1 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[12/Oct/2005:12:37:39 +0200] conn=1 op=2 UNBIND
[12/Oct/2005:12:37:39 +0200] conn=1 op=2 fd=64 closed - U1

and here with 727 users, when it doesn't work:

[12/Oct/2005:12:46:24 +0200] conn=1 fd=64 slot=64 connection from xxx.xxx.xxx.4 to xxx.xxx.xxx.4
[12/Oct/2005:12:46:24 +0200] conn=1 op=0 BIND dn="cn=proxyagent,ou=profile,dc=example,dc=fr" method=128 version=3
[12/Oct/2005:12:46:24 +0200] conn=1 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=proxyagent,ou=profile,dc=example,dc=fr"
[12/Oct/2005:12:46:24 +0200] conn=1 op=1 SRCH base=" ou=groups,dc=example,dc=fr" scope=1 filter="(&(objectClass=posixGroup)(cn=toto))" attrs="cn gidNumber userPassword memberUid"
[12/Oct/2005:12:46:24 +0200] conn=1 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[12/Oct/2005:12:46:24 +0200] conn=1 op=2 UNBIND
[12/Oct/2005:12:46:24 +0200] conn=1 op=2 fd=64 closed - U1

thanks
basile

Jeff Clowser wrote:
> If it is hitting any type of administrative limit, it should show some
> type of error in the logs.
> Look at the searches it is doing, and make sure you have appropriate
> indexes on attributes it is searching against - if the appropriate
> stuff is indexed, searches should be fast enough to not run into a
> timeout issue in most cases.
> Look in the access log for Notes=U -
> that should be there on an unindexed search.
>
> If you don't see any of this in the logs, I'd say it's more a limit on
> the Solaris side (as someone else mentioned) than the LDAP side.
>
> How big is your directory (how many entries, approximately)?
>
> - Jeff
>
> basile au siris wrote:
>
>> I did a test:
>> with 643 users it works,
>> with 800 users it doesn't work.
>> Could it be a timers problem (time_search_limit or time_bind_limit for
>> proxyagent, which is used
>> to query the directory)?
>> basile
>>
>> basile au siris wrote:
>>
>>> thanks
>>> I set the sizelimit to -1 but it doesn't work any better.
>>> I set nssizelimit to -1 on the proxyagent which is used to bind to
>>> the directory, but same result.
>>> I looked at the logs, and when I use id or getent there is a directory query.
>>> It seems crazy that I can't have more than 2000 users in a group.
>>> I'm looking for the limit of users I can have.
>>> basile
>>>
>>> Jeff Clowser wrote:
>>>
>>>> It could be a limit on the sizes of groups, etc in Solaris.
>>>>
>>>> To check to see if it's LDAP related, look at the ldap access logs
>>>> for queries related to that group or coming from that machine.
>>>> Anyway, 2000 I believe is the default sizelimit for searches, so
>>>> look for entries with 2000 results, if it's consistently failing at
>>>> 2000 users. If it's just reading the group with 2000+ static
>>>> members (1 entry), then maybe reading each user individually (1
>>>> entry/search), it shouldn't hit a resource limit. But... if it
>>>> reads the group, then searches for all users with that group id, or
>>>> something similar, it may hit the administrative limits.
>>>>
>>>> For a simple test, you could up the sizelimit (say to 10000 or -1)
>>>> on the directory server and see if the problem goes away.
>>>>
>>>> If you find something like this, there are a couple ways to fix it:
>>>> 1. Up your server administrative sizelimit (to a higher number, or
>>>> -1 for unlimited).
>>>> This should be a last resort, since it allows
>>>> anyone (even anonymous) to make unlimited size searches against
>>>> your directory. If your directory is large, that could cause
>>>> problems.
>>>> 2. If the solaris box is binding as a particular DN to search, you
>>>> can add the nsSizeLimit to that entry, and set it to a higher value
>>>> (or -1 for unlimited).
>>>> 3. If it binds as the end user, you can add nsSizelimit to each
>>>> user that can log in. This is a bit more of a pain to do since you
>>>> have to do it for all users, but is better than increasing the
>>>> limit for the entire server, in general.
>>>>
>>>> - Jeff

From david_list at boreham.org Wed Oct 12 15:50:15 2005
From: david_list at boreham.org (David Boreham)
Date: Wed, 12 Oct 2005 09:50:15 -0600
Subject:
 [Fedora-directory-users] strange problem with group of more than 2000 users
In-Reply-To: <434CEB74.2060509@siris.sorbonne.fr>
References: <43412EA8.8030101@siris.sorbonne.fr> <434148BD.6070606@unitedmessaging.com> <43415089.1060203@siris.sorbonne.fr> <43415792.8090600@siris.sorbonne.fr> <434169C3.7040308@unitedmessaging.com> <434CEB74.2060509@siris.sorbonne.fr>
Message-ID: <434D30B7.7010109@boreham.org>

basile au siris wrote:
> back with new info :)
> I can have exactly 726 members in my group (5232 login characters, 5958
> with end of line).
> What kind of Solaris limitation could it be?

George Holbert already provided a very plausible analysis of your problem. Did you read his posts? The DS is working just fine: the bug is in the LDAP client (in this case: Solaris).

From gholbert at broadcom.com Wed Oct 12 18:00:18 2005
From: gholbert at broadcom.com (George Holbert)
Date: Wed, 12 Oct 2005 11:00:18 -0700
Subject: [Fedora-directory-users] strange problem with group of more than 2000 users
In-Reply-To: <434CEB74.2060509@siris.sorbonne.fr>
References: <43412EA8.8030101@siris.sorbonne.fr> <434148BD.6070606@unitedmessaging.com> <43415089.1060203@siris.sorbonne.fr> <43415792.8090600@siris.sorbonne.fr> <434169C3.7040308@unitedmessaging.com> <434CEB74.2060509@siris.sorbonne.fr>
Message-ID: <434D4F32.9040307@broadcom.com>

Hi Basile,

> I can have exactly 726 members in my group (5232 login characters, 5958
> with end of line).

So it doesn't break at exactly 4096, as I suggested earlier. Hmm... perhaps the limit is larger than I thought? I still would guess the problem is in the client OS rather than the directory server. Note that the before/after logs you posted are nigh-identical. This suggests the directory server isn't doing anything different when the group size increases. It might be a good test to create the same large group in the local /etc/group file on a client, and see if it works that way.
This should help confirm if the problem is LDAP-related or group length-related.

Good luck,
-- George
From jonbjorn at hi.is Wed Oct 12 19:56:30 2005
From: jonbjorn at hi.is (Jón Björn Njálsson)
Date: Wed, 12 Oct 2005 19:56:30 -0000 (GMT)
Subject: [Fedora-directory-users] windows sync problem
Message-ID: <13725.130.208.138.21.1129146990.squirrel@webmail.hi.is>

Hi all.
I have managed to set up FDS with SSL and I am able to sync users from FDS to Windows 2003 AD, but I have a problem syncing groups. I have created a group called staff but I am unable to sync that group.
The error message I get in the error log is:

NSMMReplicationPlugin - agmt="cn=Active dir" (badabing:636): windows_replay_update: failed to fetch local entry for add operation dn="cn=rhi_staff,dc=rhi,dc=hi,dc=is"

Can anyone tell me what this error means and how to fix it?

regards
Jon

From david_list at boreham.org Wed Oct 12 20:02:01 2005
From: david_list at boreham.org (David Boreham)
Date: Wed, 12 Oct 2005 14:02:01 -0600
Subject: [Fedora-directory-users] windows sync problem
In-Reply-To: <13725.130.208.138.21.1129146990.squirrel@webmail.hi.is>
References: <13725.130.208.138.21.1129146990.squirrel@webmail.hi.is>
Message-ID: <434D6BB9.8090307@boreham.org>

Jón Björn Njálsson wrote:
> NSMMReplicationPlugin - agmt="cn=Active dir" (badabing:636):
> windows_replay_update: failed to fetch local entry for add operation
> dn="cn=rhi_staff,dc=rhi,dc=hi,dc=is"
>
> Can anyone tell me what this error means and how to fix it ?

This is rather strange. It's saying that the add operation for your group was found in the changelog, but when the sync code tried to fetch the entry from the database, it failed. I'm not sure how that could have happened (it can't even happen if the entry is deleted, because its tombstone remains).

Did anything out of the ordinary happen between adding the group entry and the message? (power outage, restored database from backup, that kind of thing)?

From jonbjorn at hi.is Wed Oct 12 21:02:34 2005
From: jonbjorn at hi.is (Jón Björn Njálsson)
Date: Wed, 12 Oct 2005 21:02:34 -0000 (GMT)
Subject: [Fedora-directory-users] windows sync problem
In-Reply-To: <434D6BB9.8090307@boreham.org>
References: <13725.130.208.138.21.1129146990.squirrel@webmail.hi.is> <434D6BB9.8090307@boreham.org>
Message-ID: <13814.130.208.138.21.1129150954.squirrel@webmail.hi.is>

No, nothing like that. I was wondering how I can create a group with NT attributes?

I noticed that this group doesn't have an NT attribute. Could that be the problem?
From tngan at redhat.com Wed Oct 12 21:48:42 2005
From: tngan at redhat.com (To Ngan)
Date: Wed, 12 Oct 2005 14:48:42 -0700
Subject: [Fedora-directory-users] windows sync problem
In-Reply-To: <13814.130.208.138.21.1129150954.squirrel@webmail.hi.is>
References: <13725.130.208.138.21.1129146990.squirrel@webmail.hi.is> <434D6BB9.8090307@boreham.org> <13814.130.208.138.21.1129150954.squirrel@webmail.hi.is>
Message-ID: <434D84BA.3090208@redhat.com>

Jón Björn Njálsson wrote:
> No nothing like that. I was wondering how can I create a group with
> nt-attributes ?
>
> I noticed that this group doesn't have an NT attribute.
> Could that be the problem ?

From the GUI, create a new group, go to Advanced, and add the objectclasses ntgroup and mailgroup. Also add the attributes "ntgroupcreatenewgroup" and "ntgroupdeletegroup". Set these attributes to "true" if you want create/delete to sync to Windows, "false" otherwise. Command line tools like ldapmodify would work too.
From david_list at boreham.org Wed Oct 12 22:09:45 2005
From: david_list at boreham.org (David Boreham)
Date: Wed, 12 Oct 2005 16:09:45 -0600
Subject: [Fedora-directory-users] windows sync problem
In-Reply-To: <13814.130.208.138.21.1129150954.squirrel@webmail.hi.is>
References: <13725.130.208.138.21.1129146990.squirrel@webmail.hi.is> <434D6BB9.8090307@boreham.org> <13814.130.208.138.21.1129150954.squirrel@webmail.hi.is>
Message-ID: <434D89A9.5040206@boreham.org>

Jón Björn Njálsson wrote:
> No nothing like that. I was wondering how can I create a group with
> nt-attributes ?
>
> I noticed that this group doesn't have an NT attribute.
> Could that be the problem ?

Ah, yes. The error message is therefore a bit misleading. It means that the entry didn't match the criteria for a windows group. If you create the group first and then add the nt attributes, you will need to initiate a full sync in order to get it over to AD (because otherwise it'll fail in the same way, and then the modify will not get propagated because the entry doesn't already exist in AD).

From gholbert at broadcom.com Thu Oct 13 01:50:29 2005
From: gholbert at broadcom.com (George Holbert)
Date: Wed, 12 Oct 2005 18:50:29 -0700
Subject: [Fedora-directory-users] VLV search filter granularity
Message-ID: <434DBD65.5060307@broadcom.com>

If I set up a VLV index with a simple filter like this:

vlvFilter: (objectClass=posixAccount)

...then will the VLV mechanism benefit searches that use a superset of this filter?
e.g., if an ldapsearch is run with a filter like:

(&(objectClass=posixAccount)(location=California))

...will the vlv index help, even though the search also has a location specified in the filter?

OR, must I create separate vlv indexes with every possible search filter combination?

Thanks,
-- George

From david_list at boreham.org Thu Oct 13 02:24:18 2005
From: david_list at boreham.org (David Boreham)
Date: Wed, 12 Oct 2005 20:24:18 -0600
Subject: [Fedora-directory-users] VLV search filter granularity
In-Reply-To: <434DBD65.5060307@broadcom.com>
References: <434DBD65.5060307@broadcom.com>
Message-ID: <434DC552.8090207@boreham.org>

George Holbert wrote:
> If I set up a VLV index with a simple filter like this:
>
> vlvFilter: (objectClass=posixAccount)
>
> ...then will the VLV mechanism benefit searches that use a superset of
> this filter?
> e.g., if an ldapsearch is run with a filter like:
>
> (&(objectClass=posixAccount)(location=California))
>
> ...will the vlv index help, even though the search also has a location
> specified in the filter?

Nope.
> OR, must I create separate vlv indexes with every possible search
> filter combination?

Yes, and sort keys. I think there might be an optimization for forward and reverse sorting in there, not sure though: I'd need to read the code to be certain.

From jclowser at unitedmessaging.com Fri Oct 14 13:55:59 2005
From: jclowser at unitedmessaging.com (Jeff Clowser)
Date: Fri, 14 Oct 2005 09:55:59 -0400
Subject: [Fedora-directory-users] strange problem with group of more than 2000 users
In-Reply-To: <434CEB74.2060509@siris.sorbonne.fr>
References: <43412EA8.8030101@siris.sorbonne.fr> <434148BD.6070606@unitedmessaging.com> <43415089.1060203@siris.sorbonne.fr> <43415792.8090600@siris.sorbonne.fr> <434169C3.7040308@unitedmessaging.com> <434CEB74.2060509@siris.sorbonne.fr>
Message-ID: <434FB8EF.2060607@unitedmessaging.com>

From the logs you included, it doesn't look like anything on the directory server side - the client binds, searches, results are returned, and results all show no errors, etc. I'm in agreement with others that it's a client (i.e. solaris) issue/limitation. Your group might be 5232 characters, but see in the logs that it is only returning cn, gidnumber, userpassword, and memberuid, so you have to see how big just that part of the group is. Also, Solaris may have some weird, non-bit-boundary limit. Don't expect to see exactly 4096 or such, since n uid's might be slightly under it, and n+1 uid's might be slightly over it.

Next question - are there any errors in any solaris logs? In messages, syslog, etc?

- Jeff
From amaca2 at hotmail.it Thu Oct 13 22:09:50 2005
From: amaca2 at hotmail.it (mario rossi)
Date: Fri, 14 Oct 2005 00:09:50 +0200
Subject: [Fedora-directory-users] Install FC4 in Fujitsu Siemens Amilo M1437G
In-Reply-To:
Message-ID:

I have a notebook: Fujitsu Siemens Amilo M1437G. I'd like to install Fedora Core 4, but I'm not sure it's possible.
The Fedora DVD doesn't detect the Samsung 80GB SCSI hard disk and, I think, the VIA VT6421 RAID controller (name from the Windows Control Panel). The installation fails after the boot, where it checks the root partition. Are there any boot parameters for this notebook?

Thank you, and excuse me for my English.
Mario Rossi

From gholbert at broadcom.com Fri Oct 14 17:49:39 2005
From: gholbert at broadcom.com (George Holbert)
Date: Fri, 14 Oct 2005 10:49:39 -0700
Subject: [Fedora-directory-users] Install FC4 in Fujitsu Siemens Amilo M1437G
In-Reply-To:
References:
Message-ID: <434FEFB3.1060904@broadcom.com>

Hi Mario,

Try the Fedora Users list: https://www.redhat.com/mailman/listinfo/fedora-list

This list is Fedora Directory Users, for the Fedora Directory Server project.

From simonf at cshl.edu Mon Oct 17 18:42:46 2005
From: simonf at cshl.edu (Vsevolod (Simon) Ilyushchenko)
Date: Mon, 17 Oct 2005 14:42:46 -0400
Subject: [Fedora-directory-users] Settings remembered?
Message-ID: <4353F0A6.2060609@cshl.edu>

Hi,

I've noticed that if you remove and reinstall FDS, the admin console tries to connect by default to the port that the admin server was running on during the previous installation. So the settings are stored somewhere, I guess.

I've run into a problem when I've moved a server behind a firewall.
Even though I've reinstalled the RPM, the LDAP server still tries to connect to a replication slave which is no longer accessible, I suppose due to some settings being stored somewhere. So the startup is hanging.

I've looked for hidden files in root's home dir, but there are none. I'm removing the /opt/fedora-ds directory each time after removing the RPM, so that's not it either. Where else could the settings be stored?

Thanks,
Simon

-- 
Simon (Vsevolod ILyushchenko)   simonf at cshl.edu
http://www.simonf.com

Terrorism is a tactic and so to declare war on terrorism is equivalent to Roosevelt's declaring war on blitzkrieg.
Zbigniew Brzezinski, U.S. national security advisor, 1977-81

From rmeggins at redhat.com Mon Oct 17 18:54:31 2005
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 17 Oct 2005 12:54:31 -0600
Subject: [Fedora-directory-users] Settings remembered?
In-Reply-To: <4353F0A6.2060609@cshl.edu>
References: <4353F0A6.2060609@cshl.edu>
Message-ID: <4353F367.2060600@redhat.com>

Look under $HOME/.mcc
From speedy_zinc at yahoo.com Tue Oct 18 02:14:34 2005
From: speedy_zinc at yahoo.com (speedy zinc)
Date: Mon, 17 Oct 2005 19:14:34 -0700 (PDT)
Subject: [Fedora-directory-users] How is access control done?
Message-ID: <20051018021435.81746.qmail@web36303.mail.mud.yahoo.com>

Hi all,

Sorry if the question is not FDS-specific. I'm a university student and
trying to learn how LDAP is used in managing access control. I can set up
FDS, create basic schema (mostly user information), set up postfix to use
FDS as authentication server, set up PAM on linux to use FDS as
authentication server, etc. But that's only limited to user
authentication.

Everyone is talking about how LDAP can be used to manage access, in fact,
it is on every vendor's features list. But I've never seen a real example
of how it is used. Maybe I'm dumb, but I just couldn't imagine how it is
set up and used.

Let's take the following scenario.

I have a network of servers, running different services and applications.
Let's say, I called my machines M1, M2, M3, and called the services S1,
S2, S3. All machines run all 3 services. I have 3 groups of users, G1,
G2, G3.

Now, the question is, how can I use LDAP to manage access control of my
users? Let's say, I want to let users in G1 access S1 and S2 on M1 only.
And here are the requirements:

G1 -> M1(S1, S2)
G2 -> M1(S3), M2(S1, S2, S3)
G3 -> M3(S1, S2, S3)

Maybe I'm not understanding the meaning of "access control" correctly.
But I just could not figure out how to set things up to achieve this
goal.

What I want to know, besides the standard schema for storing user
information, how do I:

- define the schema for storing access control information?
- tell the servers and services what access permissions a specific user
  has?
- define extensible schema, so that if I add more servers and
  applications to my network, I can add new access control information
  without having to re-design the schema? If I have to use any features
  that are specific to FDS (i.e. non-standard), so be it.

Gurus on this list, mind giving any hint on that? Or if anyone could
give a real life example, that would be great.

Thanks in advance

sz

__________________________________
Yahoo! Mail - PC Magazine Editors' Choice 2005
http://mail.yahoo.com

From speedy_zinc at yahoo.com Tue Oct 18 02:23:19 2005
From: speedy_zinc at yahoo.com (speedy zinc)
Date: Mon, 17 Oct 2005 19:23:19 -0700 (PDT)
Subject: [Fedora-directory-users] Question about Kerberos and FDS
Message-ID: <20051018022319.80686.qmail@web36314.mail.mud.yahoo.com>

Hi,

I've read the white paper "Red Hat Identity Management and Security
Solutions", and on page 13, it said that Red Hat Directory Server
supports a variety of authentication standards and technologies,
including:

- ...
- Kerberos tickets via SASL/GSSAPI
- ...

What does that exactly mean? Does that mean RHDS can issue Kerberos
tickets out of the box? Or does that mean I need to set up a Kerberos
server and use RHDS as the backend for user information?

And this one:
- Impersonation (proxy) for multi-tier client applications.

Could someone explain what it means and how it can be used?

Thanks a lot

sz

__________________________________
Yahoo! Music Unlimited
Access over 1 million songs. Try it free.
http://music.yahoo.com/unlimited/

From rmeggins at redhat.com Tue Oct 18 03:22:11 2005
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 17 Oct 2005 21:22:11 -0600
Subject: [Fedora-directory-users] Question about Kerberos and FDS
In-Reply-To: <20051018022319.80686.qmail@web36314.mail.mud.yahoo.com>
References: <20051018022319.80686.qmail@web36314.mail.mud.yahoo.com>
Message-ID: <43546A63.5000904@redhat.com>

speedy zinc wrote:

>Hi,
>
>I've read the white paper "Red Hat Identity Management
>and Security Solutions", and on page 13, it said that
>Red Hat Directory Server supports a variety of
>authentication standards and technologies, including:
>
>- ...
>- Kerberos tickets via SASL/GSSAPI
>- ...
>
>What does that exactly mean? Does that mean RHDS can
>issue Kerberos tickets out of the box?
>
No.

>Or does that
>mean I need to set up a Kerberos server and use RHDS as
>the backend for user information?
>
Yes. When you use kinit to acquire your ticket, you can use that ticket
to authenticate to the directory server.

>And this one:
>- Impersonation (proxy) for multi-tier client
>applications.
>
>Could someone explain what it means and how it can
>be used?
>
Sure. This is most often used with web apps or other apps that set up a
pool of connections to the directory server. Each connection in the
pool is bound as a proxy user. When a real user wants to authenticate,
the proxy connection passes the real user's bind credentials to the
directory server using the proxy auth control.

>Thanks a lot
>
>sz
>
>__________________________________
>Yahoo! Music Unlimited
>Access over 1 million songs. Try it free.
>http://music.yahoo.com/unlimited/
>
>--
>Fedora-directory-users mailing list
>Fedora-directory-users at redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
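The proxy mechanism Rich describes, as an added example that is not part of the thread or of the Directory Server code: the pooled connection stays bound as the proxy account and attaches the LDAPv3 Proxied Authorization control (RFC 4370, OID 2.16.840.1.113730.3.4.18) to each request, and the control carries the authorization identity (an authzId such as `dn:uid=...`) that the request should run as. The block encodes the control the way a client would, decodes it the way a server would, and models the server-side rule that the proxy account must hold a proxy right over the asserted identity before the request is honoured. The DNs, the `PROXY_RIGHTS` table and the `effective_identity` function are constructed for the example (in FDS the right is granted through an ACI; here it is a lookup table).

```python
# Added example (not from the thread or from Fedora Directory Server):
# encode and decode the LDAP Proxied Authorization control (RFC 4370)
# and model the server-side check it triggers.  Pure Python, no server.

from typing import Optional, Tuple

PROXY_AUTHZ_OID = "2.16.840.1.113730.3.4.18"  # Proxied Authorization v2, RFC 4370

# Constructed sample identities: the pooled proxy account and a real user.
POOL_DN = "cn=webapp-pool,ou=Services,dc=example,dc=com"
USER_DN = "uid=jdoe,ou=People,dc=example,dc=com"
# Constructed "proxy rights": which subtrees each bound DN may act on behalf of.
PROXY_RIGHTS = {POOL_DN: ["ou=People,dc=example,dc=com"]}


def _ber_len(n: int) -> bytes:
    """BER definite length: one byte below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(content)) + content


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one tag-length-value at buf[pos]; return (tag, content, next pos)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def encode_proxy_authz_control(authz_dn: Optional[str]) -> bytes:
    """Control ::= SEQUENCE { controlType LDAPOID, criticality BOOLEAN,
    controlValue OCTET STRING }.  RFC 4370 puts the authzId straight into
    controlValue (empty value = anonymous) and requires criticality TRUE,
    so a server that does not understand the control rejects the request
    instead of silently running it as the proxy account."""
    value = b"" if authz_dn is None else ("dn:" + authz_dn).encode("utf-8")
    return _tlv(0x30, _tlv(0x04, PROXY_AUTHZ_OID.encode("ascii"))  # LDAPOID is an OCTET STRING
                      + _tlv(0x01, b"\xff")                        # criticality TRUE
                      + _tlv(0x04, value))


def wrap_controls(*controls: bytes) -> bytes:
    """controls [0] Controls: the context-specific constructed tag 0xA0
    that trails the protocolOp inside an LDAPMessage."""
    return _tlv(0xA0, b"".join(controls))


def decode_control(raw: bytes) -> dict:
    """Parse one Control back into its fields (criticality defaults to FALSE)."""
    tag, seq, _ = _read_tlv(raw, 0)
    if tag != 0x30:
        raise ValueError("control is not a SEQUENCE")
    tag, oid, pos = _read_tlv(seq, 0)
    ctrl = {"oid": oid.decode("ascii"), "critical": False, "value": None}
    while pos < len(seq):
        tag, content, pos = _read_tlv(seq, pos)
        if tag == 0x01:
            ctrl["critical"] = content != b"\x00"
        elif tag == 0x04:
            ctrl["value"] = content
    return ctrl


def _in_subtree(dn: str, base: str) -> bool:
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def effective_identity(bound_dn: str, raw_control: Optional[bytes],
                       proxy_rights: dict) -> Optional[str]:
    """Model of the server-side decision (constructed, not FDS code):
    without the control a request runs as the bound DN; with it, the
    bound DN must hold a proxy right covering the asserted identity,
    otherwise the request is refused (None)."""
    if raw_control is None:
        return bound_dn
    ctrl = decode_control(raw_control)
    if ctrl["oid"] != PROXY_AUTHZ_OID:
        return bound_dn
    if not ctrl["critical"]:
        return None                       # RFC 4370: criticality MUST be TRUE
    value = ctrl["value"] or b""
    if value == b"":
        return "anonymous"                # empty authzId = anonymous authorization
    if not value.startswith(b"dn:"):
        return None                       # this model only handles the dn: form
    target = value[3:].decode("utf-8")
    if any(_in_subtree(target, base) for base in proxy_rights.get(bound_dn, [])):
        return target
    return None


if __name__ == "__main__":
    ctrl = encode_proxy_authz_control(USER_DN)
    print(wrap_controls(ctrl).hex())
    print(effective_identity(POOL_DN, ctrl, PROXY_RIGHTS))
```

The point for a pool implementer is that the authorization identity is per request, not per connection: a connection handed back to the pool carries no state from the previous user, so each request must attach its own control, and the proxy account should be granted the proxy right only over the subtree containing the users it fronts, never over administrative entries.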
From speedy_zinc at yahoo.com Tue Oct 18 03:40:25 2005
From: speedy_zinc at yahoo.com (speedy zinc)
Date: Mon, 17 Oct 2005 20:40:25 -0700 (PDT)
Subject: [Fedora-directory-users] Question about Kerberos and FDS
In-Reply-To: <43546A63.5000904@redhat.com>
Message-ID: <20051018034025.91691.qmail@web36313.mail.mud.yahoo.com>

Thanks for replying.

--- Rich Megginson wrote:

> >Or does that mean I need to set up a Kerberos server and use RHDS
> >as the backend for user information?
> >
> Yes. When you use kinit to acquire your ticket, you can use that
> ticket to authenticate to the directory server.
>

So, if I understand what you're saying, the directory server is acting
as the TGS?

I'm going to set up Kerberos tonight. Which one works better with FDS?
MIT or Heimdal?

> >And this one:
> >- Impersonation (proxy) for multi-tier client applications.
> >
> >Could someone explain what it means and how it can be used?
> >
> Sure. This is most often used with web apps or other apps that set up
> a pool of connections to the directory server. Each connection in the
> pool is bound as a proxy user. When a real user wants to authenticate,
> the proxy connection passes the real user's bind credentials to the
> directory server using the proxy auth control.
>

Oh, ok. I was thinking about something else :)

sz

__________________________________
Yahoo! Mail - PC Magazine Editors' Choice 2005
http://mail.yahoo.com

From rmeggins at redhat.com Tue Oct 18 03:45:43 2005
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 17 Oct 2005 21:45:43 -0600
Subject: [Fedora-directory-users] Question about Kerberos and FDS
In-Reply-To: <20051018034025.91691.qmail@web36313.mail.mud.yahoo.com>
References: <20051018034025.91691.qmail@web36313.mail.mud.yahoo.com>
Message-ID: <43546FE7.5010603@redhat.com>

speedy zinc wrote:

>Thanks for replying.
>
>--- Rich Megginson wrote:
>
>>>Or does that mean I need to set up a Kerberos server and use RHDS
>>>as the backend for user information?
>>>
>>Yes. When you use kinit to acquire your ticket, you can use that
>>ticket to authenticate to the directory server.
>>
>
>So, if I understand what you're saying, the directory
>server is acting as the TGS?
>
No. You have to set up the usual Kerberos TGS. The directory server
merely uses the tickets, like any other server/service.

>I'm going to set up Kerberos tonight. Which one works
>better with FDS? MIT or Heimdal?
>
I'm not sure. The instructions we have in our docs are geared towards
MIT, but Heimdal may work just fine.

>>>And this one:
>>>- Impersonation (proxy) for multi-tier client applications.
>>>
>>>Could someone explain what it means and how it can be used?
>>>
>>Sure. This is most often used with web apps or other apps that set up
>>a pool of connections to the directory server. Each connection in the
>>pool is bound as a proxy user. When a real user wants to authenticate,
>>the proxy connection passes the real user's bind credentials to the
>>directory server using the proxy auth control.
>>
>
>Oh, ok. I was thinking about something else :)
>
It can also mean chaining. You can set up the directory server to use
another directory server as a database - what we refer to as a chaining
backend or database in our docs. The use of a directory server to act
as a "front-end" to another directory server is also called a proxy.

>sz
>
>__________________________________
>Yahoo! Mail - PC Magazine Editors' Choice 2005
>http://mail.yahoo.com
>
>--
>Fedora-directory-users mailing list
>Fedora-directory-users at redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
From speedy_zinc at yahoo.com Tue Oct 18 03:52:14 2005
From: speedy_zinc at yahoo.com (speedy zinc)
Date: Mon, 17 Oct 2005 20:52:14 -0700 (PDT)
Subject: [Fedora-directory-users] Question about Kerberos and FDS
In-Reply-To: <43546FE7.5010603@redhat.com>
Message-ID: <20051018035214.95384.qmail@web36304.mail.mud.yahoo.com>

--- Rich Megginson wrote:

> No. You have to set up the usual Kerberos TGS. The directory server
> merely uses the tickets, like any other server/service.
>

Got it.

> >Oh, ok. I was thinking about something else :)
> >
> It can also mean chaining. You can set up the directory server to use
> another directory server as a database - what we refer to as a
> chaining backend or database in our docs. The use of a directory
> server to act as a "front-end" to another directory server is also
> called a proxy.
>

Hmm... so what's the purpose of chaining directory servers? Wouldn't
using a read-only replica be better in this case?

thanks

sz

__________________________________
Yahoo! Music Unlimited
Access over 1 million songs. Try it free.
http://music.yahoo.com/unlimited/

From david_list at boreham.org Tue Oct 18 05:17:50 2005
From: david_list at boreham.org (David Boreham)
Date: Mon, 17 Oct 2005 23:17:50 -0600
Subject: [Fedora-directory-users] Question about Kerberos and FDS
In-Reply-To: <20051018035214.95384.qmail@web36304.mail.mud.yahoo.com>
References: <20051018035214.95384.qmail@web36304.mail.mud.yahoo.com>
Message-ID: <4354857E.3070503@boreham.org>

>>Hmm... so what's the purpose of chaining directory
>>servers? Wouldn't using a read-only replica be better
>>in this case?
>>

Chaining is complementary to replication : chaining allows you to leave
the data where it is and take the query to the data, which might be more
efficient than moving the data.
It's also possible (by possible, I mean you might need to write code) to
play various proxy tricks when chaining : multiplex operations onto a
cluster of storage servers; re-write the operations as they pass
through; aggregate results from multiple source servers; and so on.

Mind you, proxying and chaining are not commonly used in my experience,
compared to replication.

From nabeelmoidu at gmail.com Tue Oct 18 08:26:39 2005
From: nabeelmoidu at gmail.com (Nabeel Moidu)
Date: Tue, 18 Oct 2005 13:56:39 +0530
Subject: [Fedora-directory-users] IIS Authentication on FDS
Message-ID: <3fd6d7cc0510180126v3019fdc4r9a6976112e11840a@mail.gmail.com>

Hi

I am not sure if this is the right forum to ask the question but.....
Has anyone successfully done IIS authentication on Fedora Directory
Server? The only method I find on STfG is one given for Novell
eDirectory. Will that work for FDS?

Regards
Nabeel Moidu
System Administrator
OnMobile Systems Inc
www.onmobile.com

From chen_shaopeng at idsignet.com Tue Oct 18 08:31:00 2005
From: chen_shaopeng at idsignet.com (Chen Shaopeng)
Date: Tue, 18 Oct 2005 16:31:00 +0800
Subject: [Fedora-directory-users] How is access control done?
In-Reply-To: <20051018021435.81746.qmail@web36303.mail.mud.yahoo.com>
References: <20051018021435.81746.qmail@web36303.mail.mud.yahoo.com>
Message-ID: <4354B2C4.2050709@idsignet.com>

speedy zinc wrote:
> Hi all,
>
> Sorry if the question is not FDS-specific. I'm a
> university student and trying to learn how LDAP is
> used in managing access control. I can set up FDS,
> create basic schema (mostly user information), set up
> postfix to use FDS as authentication server, set up
> PAM on linux to use FDS as authentication server, etc.
> But that's only limited to user authentication.
>
> Everyone is talking about how LDAP can be used to
> manage access, in fact, it is on every vendor's
> features list.
> But I've never seen a real example of
> how it is used. Maybe I'm dumb, but I just couldn't
> imagine how it is set up and used.
>

You should download the FDS documentation, especially the admin guide.
There is a whole chapter (chapter 6) on the topic of access control.

> Let's take the following scenario.
>
> I have a network of servers, running different
> services and applications. Let's say, I called my
> machines M1, M2, M3, and called the services S1, S2,
> S3. All machines run all 3 services. I have 3 groups
> of users, G1, G2, G3.
>
> Now, the question is, how can I use LDAP to manage
> access control of my users? Let's say, I want to let
> users in G1 access S1 and S2 on M1 only. And here
> are the requirements:
>
> G1 -> M1(S1, S2)
> G2 -> M1(S3), M2(S1, S2, S3)
> G3 -> M3(S1, S2, S3)
>
> Maybe I'm not understanding the meaning of "access
> control" correctly. But I just could not figure out
> how to set things up to achieve this goal.
>
> What I want to know, besides the standard schema for
> storing user information, how do I:
>
> - define the schema for storing access control
> information?
> - tell the servers and services what access permissions
> a specific user has?
> - define extensible schema, so that if I add more
> servers and applications to my network, I can add new
> access control information without having to re-design
> the schema? If I have to use any features that are
> specific to FDS (i.e. non-standard), so be it.
>
> Gurus on this list, mind giving any hint on that? Or
> if anyone could give a real life example, that would
> be great.
>

Again, read the chapter on access control in the admin guide.

I think your understanding of access control is not totally correct,
not when you refer to access control in LDAP. The concept of access
control refers to access to the information _in_ the LDAP DIT.

In your case above, you first have to make sure how your machines or
applications are going to reject access requests from unauthorized
users.
And if you are going to use LDAP to keep your "permissions" information,
you need to make sure that all your apps are LDAP-enabled.

You can have your apps act as a proxy to LDAP, then query the user's
"permission" to operate your applications. Then the apps would act
accordingly.

Maybe someone here has a better idea.

csp

--
Chen Shaopeng
http://www.idsignet.com

From speedy_zinc at yahoo.com Tue Oct 18 11:25:05 2005
From: speedy_zinc at yahoo.com (speedy zinc)
Date: Tue, 18 Oct 2005 04:25:05 -0700 (PDT)
Subject: [Fedora-directory-users] set of attributes?
Message-ID: <20051018112505.71810.qmail@web36303.mail.mud.yahoo.com>

Hi,

Is it possible to add a set of attributes to an entry, instead of
adding them one by one? That would be like a struct in C, for example

myattr { departmentnumber, manager }

and I would access it

(myattr.manager=john)

or something like that.

thanks

sz

__________________________________
Yahoo! Music Unlimited
Access over 1 million songs. Try it free.
http://music.yahoo.com/unlimited/

From rmeggins at redhat.com Tue Oct 18 13:43:14 2005
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 18 Oct 2005 07:43:14 -0600
Subject: [Fedora-directory-users] IIS Authentication on FDS
In-Reply-To: <3fd6d7cc0510180126v3019fdc4r9a6976112e11840a@mail.gmail.com>
References: <3fd6d7cc0510180126v3019fdc4r9a6976112e11840a@mail.gmail.com>
Message-ID: <4354FBF2.1030805@redhat.com>

Nabeel Moidu wrote:

> Hi
> I am not sure if this is the right forum to ask the question but.....
> Has anyone successfully done IIS authentication on Fedora Directory
> Server? The only method I find on STfG is one given for Novell
> eDirectory. Will that work for FDS?

If it uses standard LDAPv3 authentication, then it should work fine
with FDS.
> Regards
> Nabeel Moidu
> System Administrator
> OnMobile Systems Inc
> www.onmobile.com
>
>------------------------------------------------------------------------
>
>--
>Fedora-directory-users mailing list
>Fedora-directory-users at redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From rmeggins at redhat.com Tue Oct 18 13:46:44 2005
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 18 Oct 2005 07:46:44 -0600
Subject: [Fedora-directory-users] How is access control done?
In-Reply-To: <4354B2C4.2050709@idsignet.com>
References: <20051018021435.81746.qmail@web36303.mail.mud.yahoo.com> <4354B2C4.2050709@idsignet.com>
Message-ID: <4354FCC4.6070603@redhat.com>

Chen Shaopeng wrote:

>speedy zinc wrote:
>
>>Hi all,
>>
>>Sorry if the question is not FDS-specific. I'm a
>>university student and trying to learn how LDAP is
>>used in managing access control. I can set up FDS,
>>create basic schema (mostly user information), set up
>>postfix to use FDS as authentication server, set up
>>PAM on linux to use FDS as authentication server, etc.
>>But that's only limited to user authentication.
>>
>>Everyone is talking about how LDAP can be used to
>>manage access, in fact, it is on every vendor's
>>features list. But I've never seen a real example of
>>how it is used. Maybe I'm dumb, but I just couldn't
>>imagine how it is set up and used.
>>
>
>You should download the FDS documentation, especially the admin
>guide. There is a whole chapter (chapter 6) on the topic
>of access control.
>
>>Let's take the following scenario.
>>
>>I have a network of servers, running different
>>services and applications. Let's say, I called my
>>machines M1, M2, M3, and called the services S1, S2,
>>S3. All machines run all 3 services.
>>I have 3 groups
>>of users, G1, G2, G3.
>>
>>Now, the question is, how can I use LDAP to manage
>>access control of my users? Let's say, I want to let
>>users in G1 access S1 and S2 on M1 only. And here
>>are the requirements:
>>
>>G1 -> M1(S1, S2)
>>G2 -> M1(S3), M2(S1, S2, S3)
>>G3 -> M3(S1, S2, S3)
>>
>>Maybe I'm not understanding the meaning of "access
>>control" correctly. But I just could not figure out
>>how to set things up to achieve this goal.
>>
>>What I want to know, besides the standard schema for
>>storing user information, how do I:
>>
>>- define the schema for storing access control
>>information?
>>- tell the servers and services what access permissions
>>a specific user has?
>>- define extensible schema, so that if I add more
>>servers and applications to my network, I can add new
>>access control information without having to re-design
>>the schema? If I have to use any features that are
>>specific to FDS (i.e. non-standard), so be it.
>>
>>Gurus on this list, mind giving any hint on that? Or
>>if anyone could give a real life example, that would
>>be great.
>>
>
>Again, read the chapter on access control in the admin guide.
>
>I think your understanding of access control is not totally correct,
>not when you refer to access control in LDAP. The concept of
>access control refers to access to the information _in_ the
>LDAP DIT.
>
Right. So the trick is modeling the objects and services _external_ to
the DIT with entries _inside_ the DIT. This requires not only schema in
the LDAP server but also application support. For example, many
different types of users are already modeled (e.g. inetOrgPerson,
posixUser, etc.) as well as groups and other NIS information. The PAM
modules must know about this LDAP schema information in order to use
it, e.g. for host based access control, PAM and NSS must know that the
"host" attribute in the user's entry holds a list of hostnames which
that user is allowed access to.
>In your case above, you first have to make sure how your machines
>or applications are going to reject access requests from
>unauthorized users. And if you are going to use LDAP to
>keep your "permissions" information, you need to make sure
>that all your apps are LDAP-enabled.
>
>You can have your apps act as a proxy to LDAP, then query the user's
>"permission" to operate your applications. Then the apps would
>act accordingly.
>
>Maybe someone here has a better idea.
>
>csp
>

From rmeggins at redhat.com Tue Oct 18 13:47:06 2005
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 18 Oct 2005 07:47:06 -0600
Subject: [Fedora-directory-users] set of attributes?
In-Reply-To: <20051018112505.71810.qmail@web36303.mail.mud.yahoo.com>
References: <20051018112505.71810.qmail@web36303.mail.mud.yahoo.com>
Message-ID: <4354FCDA.2020807@redhat.com>

What programming language are you using?

speedy zinc wrote:

>Hi,
>
>Is it possible to add a set of attributes to an entry,
>instead of adding them one by one? That would be like a
>struct in C, for example
>
>myattr { departmentnumber, manager }
>
>and I would access it
>
>(myattr.manager=john)
>
>or something like that.
>
>thanks
>
>sz
>
>__________________________________
>Yahoo! Music Unlimited
>Access over 1 million songs. Try it free.
>http://music.yahoo.com/unlimited/
>
>--
>Fedora-directory-users mailing list
>Fedora-directory-users at redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
From jclowser at unitedmessaging.com Tue Oct 18 13:46:55 2005
From: jclowser at unitedmessaging.com (Jeff Clowser)
Date: Tue, 18 Oct 2005 09:46:55 -0400
Subject: [Fedora-directory-users] How is access control done?
In-Reply-To: <20051018021435.81746.qmail@web36303.mail.mud.yahoo.com>
References: <20051018021435.81746.qmail@web36303.mail.mud.yahoo.com>
Message-ID: <4354FCCF.9060202@unitedmessaging.com>

You can look at this from 2 perspectives. One is LDAP access control,
and the other is application level access control stored in LDAP.

Access control within LDAP is simply setting up ACIs that restrict
access to LDAP data based on certain rules. Note that LDAP access
control is implementation specific - there is no standard, and each
server does it differently. Also, LDAP ACIs have certain limitations -
you can limit who can write to an attribute, for example, but it's hard
to limit _what_ they can write to an attribute they have write access
to.

Application level access control is done by the application being able
to see data in LDAP, and making decisions about what access to give
based on that data.

An example of using LDAP ACIs for access control:
- Define write access to a branch of your ldap tree based on an admin
  group in ldap. Only members of that group can write to that branch, so
  only those users can create entries in that branch.

An example of application level access control:
- A VPN server looks to LDAP for users and groups. It authenticates a
  user against the user entry (say with a username/password or
  certificate in the user's LDAP entry). It then looks at a template
  entry (which may be an extension of a groupofuniquenames group, for
  example) that defines privileges (such as what hosts a user can get
  to, what time of day they can access things via the VPN, etc).
  If the user is a member of that template/group, they have the access
  defined in that template.

What is used is heavily dependent on the application/service you are
trying to tie to LDAP. It really comes down to what the application
expects to be in LDAP and how it interprets it, and each application is
likely to do something a little different. Some applications are more
flexible about what you can configure them to look at, while others
require you to install specific schema extensions and populate entries
with data around that.

As a third example, consider an application that uses both ACIs and app
level access control:
- an admin tool that allows you to manage users. You can define LDAP
  ACIs on a branch of your ldap tree that contains users. The ACIs limit
  write access to that branch based on an admin group in ldap.
- The application only offers the user admin page if you are a member of
  this group. Furthermore, it only allows you to create _users_ in that
  branch - no groups, etc. These are application level restrictions.

As a fourth example (and one similar to what you proposed), you can
sometimes combine ACIs and application level access control to get
around some limitations in the service that is using ldap:
Say we have a server that looks at ldap for user authentication. If it
finds the user, it allows it in, and that's all it can handle. However,
we want to limit users to certain machines, but the application doesn't
provide for this kind of limitation.
We can extend a user's entry - say we define objectclass appx, with one
multivalued attribute called appxhosts.
In a user's entry, we add objectclass appx, and populate appxhosts with
the list of hosts we want that user to access.
We then create appropriate ACIs for each server such that the server
can only see entries with appxhosts=hostname of the server looking up
users for authentication.
If the server can't "see" the user in LDAP when it looks up their uid,
it can't authenticate them, and you effectively limit which servers a
given user can log into.
This example is a bit oversimplified - if you allow anonymous access,
you have to prevent that access from allowing the server to see these
users, etc, but it gives a reasonable basis to work from.

BTW - this is not the only way of doing this - with FDS, you can also
use roles, you can probably do similar things with groups, etc -
sometimes you have to be creative, and different apps will limit what
you can do in different ways.

Anyway, what you'll find in the end is that you'll have to figure this
out for each service you integrate against your ldap service - every one
works a little bit differently. There is no generic, universal answer :)

 - Jeff

speedy zinc wrote:

>Hi all,
>
>Sorry if the question is not FDS-specific. I'm a
>university student and trying to learn how LDAP is
>used in managing access control. I can set up FDS,
>create basic schema (mostly user information), set up
>postfix to use FDS as authentication server, set up
>PAM on linux to use FDS as authentication server, etc.
>But that's only limited to user authentication.
>
>Everyone is talking about how LDAP can be used to
>manage access, in fact, it is on every vendor's
>features list. But I've never seen a real example of
>how it is used. Maybe I'm dumb, but I just couldn't
>imagine how it is set up and used.
>
>Let's take the following scenario.
>
>I have a network of servers, running different
>services and applications. Let's say, I called my
>machines M1, M2, M3, and called the services S1, S2,
>S3. All machines run all 3 services. I have 3 groups
>of users, G1, G2, G3.
>
>Now, the question is, how can I use LDAP to manage
>access control of my users? Let's say, I want to let
>users in G1 access S1 and S2 on M1 only.
>And here
>are the requirements:
>
>G1 -> M1(S1, S2)
>G2 -> M1(S3), M2(S1, S2, S3)
>G3 -> M3(S1, S2, S3)
>
>Maybe I'm not understanding the meaning of "access
>control" correctly. But I just could not figure out
>how to set things up to achieve this goal.
>
>What I want to know, besides the standard schema for
>storing user information, how do I:
>
>- define the schema for storing access control
>information?
>- tell the servers and services what access permissions
>a specific user has?
>- define extensible schema, so that if I add more
>servers and applications to my network, I can add new
>access control information without having to re-design
>the schema? If I have to use any features that are
>specific to FDS (i.e. non-standard), so be it.
>
>Gurus on this list, mind giving any hint on that? Or
>if anyone could give a real life example, that would
>be great.
>
>Thanks in advance
>
>sz
>
>__________________________________
>Yahoo! Mail - PC Magazine Editors' Choice 2005
>http://mail.yahoo.com
>
>--
>Fedora-directory-users mailing list
>Fedora-directory-users at redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From speedy_zinc at yahoo.com Wed Oct 19 00:27:52 2005
From: speedy_zinc at yahoo.com (speedy zinc)
Date: Tue, 18 Oct 2005 17:27:52 -0700 (PDT)
Subject: [Fedora-directory-users] How is access control done?
In-Reply-To: <4354FCCF.9060202@unitedmessaging.com>
Message-ID: <20051019002753.24855.qmail@web36311.mail.mud.yahoo.com>

Thanks all for replying and the suggestions.

--- Jeff Clowser wrote:

> As a fourth example (and one similar to what you proposed), you can
> sometimes combine ACIs and application level access control to get
> around some limitations in the service that is using ldap:
> Say we have a server that looks at ldap for user authentication. If it
> finds the user, it allows it in, and that's all it can handle.
> However, we want to limit users to certain machines, but the
> application doesn't provide for this kind of limitation.
> We can extend a user's entry - say we define objectclass appx, with
> one multivalued attribute called appxhosts.
> In a user's entry, we add objectclass appx, and populate appxhosts
> with the list of hosts we want that user to access.
> We then create appropriate ACIs for each server such that the server
> can only see entries with appxhosts=hostname of the server looking up
> users for authentication.
> If the server can't "see" the user in LDAP when it looks up their uid,
> it can't authenticate them, and you effectively limit which servers a
> given user can log into.
>

Let's say, my apps have some specific needs for data, which is not
covered by existing standard schema. So, I create extended schema. Let's
say I have 3 apps right now, and I can't foresee what future apps will
need in terms of schema definition. And let's say I've been using the
FDS for 2 years, and have 20K users. Then I want to add new apps, which
require extending the schema again. Assuming that I don't have to change
any existing schema, do I have to rebuild the whole ldap directory, or
can I just add the new schema, and tell the server that the new
attributes are now allowed in inetOrgPerson/Person/posixAccount/etc?

The important thing is, I don't want to rebuild anything, so as not to
interrupt any service.

I see there are quite a few Netscape schemas for specific apps, such as
Collabra Server, etc. How do I add app-specific schema like that without
rebuilding the directory? Or do I have to rebuild it every time a new
schema is added?

Please bear with me, I have no real life experience with LDAP, just
learning here, and throwing in the questions that I can't figure out
from googling :)

Again, thanks for all.

sz

__________________________________
Yahoo! Music Unlimited
Access over 1 million songs. Try it free.
http://music.yahoo.com/unlimited/

From speedy_zinc at yahoo.com Wed Oct 19 00:38:19 2005
From: speedy_zinc at yahoo.com (speedy zinc)
Date: Tue, 18 Oct 2005 17:38:19 -0700 (PDT)
Subject: [Fedora-directory-users] set of attributes?
In-Reply-To: <4354FCDA.2020807@redhat.com>
Message-ID: <20051019003819.59924.qmail@web36301.mail.mud.yahoo.com>

Actually, I'm asking this not from a programming language point of view,
but from a schema point of view.

Right now, each attribute seems to be independent of the others. I have
to add them one at a time. I'm looking to group related attributes into
a higher level object, and add it to an entry. So, when my app is
looking into the entry, it can look into that set of attributes.

For example, I have my HR app, let's say I create a schema, and I want
to call my set of attributes hrApp, which contains departmentnumber,
manager, ...

So when I do ldapsearch, instead of using

(manager=john)

I can do

(hrApp.manager=john)

that would be used as "standard" ldap query syntax :)

I'm looking at the CoS, but really don't know how to use it. The concept
of CoS seems like aspect programming to me, but my understanding from
the manual is that the value of attributes in CoS is shared by the
entries, and not the definition. How could I define a CoS, where the
value of attributes is not set, and apply it to entries, or a set of
entries, and each entry may set a different value to the CoS?

thanks

sz

--- Rich Megginson wrote:

> What programming language are you using?
>
> speedy zinc wrote:
>
> >Hi,
> >
> >Is it possible to add a set of attributes to an entry,
> >instead of adding them one by one? That would be like a
> >struct in C, for example
> >
> >myattr { departmentnumber, manager }
> >
> >and I would access it
> >
> >(myattr.manager=john)
> >
> >or something like that.
> >
> >thanks
> >
> >sz
> >
> >__________________________________
> >Yahoo! Music Unlimited
> >Access over 1 million songs. Try it free.
> >http://music.yahoo.com/unlimited/ > > > >-- > >Fedora-directory-users mailing list > >Fedora-directory-users at redhat.com > >https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > __________________________________ Yahoo! Mail - PC Magazine Editors' Choice 2005 http://mail.yahoo.com From pete at openrowley.com Wed Oct 19 00:53:10 2005 From: pete at openrowley.com (Pete Rowley) Date: Tue, 18 Oct 2005 17:53:10 -0700 Subject: [Fedora-directory-users] set of attributes? In-Reply-To: <20051019003819.59924.qmail@web36301.mail.mud.yahoo.com> Message-ID: <200510190119.j9J1JWmp023338@mx3.redhat.com> > -----Original Message----- > From: fedora-directory-users-bounces at redhat.com > [mailto:fedora-directory-users-bounces at redhat.com] On Behalf > Of speedy zinc > Sent: Tuesday, October 18, 2005 5:38 PM > To: General discussion list for the Fedora Directory server project. > Subject: Re: [Fedora-directory-users] set of attributes? > > For example, I have my HR app, let's say I create a schema, > and I want to call my set of attr hrApp, which contains > departmentnumber, manager, ... > > So when I do ldapsearch, instead of using > > (manager=john) > > I can do > > (hrApp.manager=john) > > that would be used as "standard" ldap query syntax :) OK I think I understand what you don't understand :) The objectclass attribute values are like your hrApp, in that they are what determine which attributes an entry _must_ have and which attributes an entry _may_ have. So, taking the inetorgperson objectclass, which happens to allow the manager attribute (which is dn syntax so it points to the manager entry itself) your filter would be: (&(objectclass=inetorgperson)(manager=uid=john,dc=my,dc=org)) > > I'm looking at the CoS, but really don't know how to use it. 
> The concept of CoS seems like aspect programming to me, but > my understanding from the manual is that, the value of > attributes in CoS is shared by the entries, and not the definition. > Yes it is a way to share common attribute/value pairs among many entries - not really what you are after. From pete at openrowley.com Wed Oct 19 00:39:02 2005 From: pete at openrowley.com (Pete Rowley) Date: Tue, 18 Oct 2005 17:39:02 -0700 Subject: [Fedora-directory-users] How is access control done? In-Reply-To: <20051019002753.24855.qmail@web36311.mail.mud.yahoo.com> Message-ID: <200510190138.j9J1ckNA026939@mx3.redhat.com> > -----Original Message----- > From: fedora-directory-users-bounces at redhat.com > [mailto:fedora-directory-users-bounces at redhat.com] On Behalf > Of speedy zinc > Sent: Tuesday, October 18, 2005 5:28 PM > To: General discussion list for the Fedora Directory server project. > Subject: Re: [Fedora-directory-users] How is access control done? > > directory, or can I just add the new schema, and tell the > server that the new attributes are now allowed in > inetOrgPerson/Person/posixAccount/etc? You _can_ do that but it highly discouraged. Schema (particularly standard schema) is intended to remain static so that all clients know what they are dealing with. > > The important thing is, I don't want to rebuild anything, not > to interrupt any service. > You can create new schema for an auxillary objectclass that represents your application and add that objectclass to the users that need it. > I see there are quite a few of Netscape schema, for specific > apps, such as Collabra Server, etc. How do I add app-specific > schema like that without rebuilding the directory? Or do I > have to rebuild it everytime a new schema is added? As mentioned above, simply add the objectclass to an existing user entry. You should never have to rebuild anything. 
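A worked illustration of the two points made in the replies above: the objectclass values on an entry decide which attributes it must and may carry (so an auxiliary objectclass is how an application gets its own attributes onto existing users), and a search filter is built from the attribute names themselves, as in the `(&(objectclass=inetorgperson)(manager=...))` filter Pete gives. This is an added example written for this page, not code from the thread or from Fedora Directory Server. The `appx` objectclass with its `appxhosts` attribute is the hypothetical one described in the quoted host-restriction scheme, the objectclass definitions are abbreviated, and the entries are constructed. It also goes one step beyond the thread: the filter builder escapes assertion values per RFC 4515, so an application that drops a user-supplied value into `(manager=...)` cannot have the filter's structure rewritten by that value.

```python
"""Added example: LDAP filter construction with RFC 4515 escaping, and a
minimal check of an entry against the MUST/MAY rules of its objectclasses.
Not code from the mailing-list thread or from Fedora Directory Server; the
'appx' auxiliary objectclass and its 'appxhosts' attribute are the
hypothetical ones described in the thread, and the entries are constructed.
"""
import re

# RFC 4515 section 3: characters that must be escaped in an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Attribute descriptions follow the RFC 4512 keystring grammar: a letter,
# then letters, digits or hyphens. Names are never taken from user input.
_ATTR_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]*")


def escape_filter_value(value: str) -> str:
    """Escape a value so it cannot alter the structure of a search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def equality_filter(attr: str, value: str) -> str:
    """Build (attr=value) with the value escaped and the attribute name validated."""
    if not _ATTR_RE.fullmatch(attr):
        raise ValueError(f"invalid attribute description: {attr!r}")
    return f"({attr}={escape_filter_value(value)})"


def and_filter(*filters: str) -> str:
    """Combine filters with the LDAP AND operator."""
    return "(&" + "".join(filters) + ")"


def manager_filter(manager_dn: str) -> str:
    """The filter from Pete Rowley's reply: inetorgperson entries managed by the given DN."""
    return and_filter(equality_filter("objectclass", "inetorgperson"),
                      equality_filter("manager", manager_dn))


def host_visibility_filter(hostname: str) -> str:
    """The targetfilter an aci would use so a server only sees users whose
    appxhosts lists that server (the hypothetical scheme quoted in the thread)."""
    return equality_filter("appxhosts", hostname)


# Abbreviated model of the schema: lowercase class name -> superior, MUST, MAY.
# Only what the thread's examples need is listed; the real definitions carry more.
SCHEMA = {
    "top": {"sup": None, "must": {"objectclass"}, "may": set()},
    "person": {"sup": "top", "must": {"sn", "cn"},
               "may": {"userpassword", "telephonenumber", "seealso", "description"}},
    "organizationalperson": {"sup": "person", "must": set(),
                             "may": {"title", "ou", "l", "st", "postaladdress"}},
    "inetorgperson": {"sup": "organizationalperson", "must": set(),
                      "may": {"uid", "mail", "manager", "departmentnumber",
                              "employeenumber", "displayname"}},
    # Hypothetical auxiliary class from the thread: adds one multivalued attribute.
    "appx": {"sup": "top", "must": set(), "may": {"appxhosts"}},
}


def allowed_attributes(objectclasses):
    """Collect MUST and MAY attributes over each class and its superior chain."""
    must, may = set(), set()
    for oc in objectclasses:
        name = oc.lower()
        while name is not None:
            definition = SCHEMA[name]  # KeyError means an unknown objectclass
            must |= definition["must"]
            may |= definition["may"]
            name = definition["sup"]
    return must, may


def schema_violations(entry):
    """Return the problems a schema-checking server would report: missing MUST
    attributes and attributes that no objectclass on the entry allows."""
    ocs = entry.get("objectclass", [])
    must, may = allowed_attributes(ocs)
    present = {attr.lower() for attr in entry}
    problems = [f"missing required attribute {a}" for a in sorted(must - present)]
    problems += [f"attribute {a} not allowed by objectclasses {sorted(ocs)}"
                 for a in sorted(present - must - may)]
    return problems


# Constructed entries. The first carries the auxiliary class, as Pete advises.
USER_WITH_APPX = {
    "objectclass": ["top", "person", "organizationalPerson", "inetOrgPerson", "appx"],
    "uid": ["jdoe"], "cn": ["Jane Doe"], "sn": ["Doe"],
    "manager": ["uid=john,dc=my,dc=org"],
    "appxhosts": ["app1.example.com", "app2.example.com"],
}
# Same data, but the appx objectclass was never added to the entry.
USER_WITHOUT_APPX = dict(USER_WITH_APPX)
USER_WITHOUT_APPX["objectclass"] = ["top", "person", "organizationalPerson", "inetOrgPerson"]

if __name__ == "__main__":
    print(manager_filter("uid=john,dc=my,dc=org"))
    print(equality_filter("manager", "john)(objectclass=*"))  # special characters neutralised
    print(host_visibility_filter("app1.example.com"))
    print(schema_violations(USER_WITH_APPX))     # []
    print(schema_violations(USER_WITHOUT_APPX))  # appxhosts not allowed without appx
```

The second entry is the situation speedy zinc hits later in the thread: the attribute exists in the schema, but the server refuses it on an entry that does not carry an objectclass allowing it, which is why the objectclass value has to be added to the user first.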
From speedy_zinc at yahoo.com  Wed Oct 19 02:42:14 2005
From: speedy_zinc at yahoo.com (speedy zinc)
Date: Tue, 18 Oct 2005 19:42:14 -0700 (PDT)
Subject: [Fedora-directory-users] How is access control done?
In-Reply-To: <200510190138.j9J1ckNA026939@mx3.redhat.com>
Message-ID: <20051019024214.98539.qmail@web36301.mail.mud.yahoo.com>

Ok, thanks, I got the idea.

--- Pete Rowley wrote:

> You can create new schema for an auxiliary objectclass that represents your
> application and add that objectclass to the users that need it.

Ok, I've created an object in the console, with the attributes I want. Now do I add an object class to a user, from the console? :)

thanks

sz

From rmeggins at redhat.com  Wed Oct 19 02:49:01 2005
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 18 Oct 2005 20:49:01 -0600
Subject: [Fedora-directory-users] How is access control done?
In-Reply-To: <20051019024214.98539.qmail@web36301.mail.mud.yahoo.com>
References: <20051019024214.98539.qmail@web36301.mail.mud.yahoo.com>
Message-ID: <4355B41D.7060403@redhat.com>

speedy zinc wrote:

>Ok, thanks, I got the idea.
>
>--- Pete Rowley wrote:
>
>>You can create new schema for an auxiliary
>>objectclass that represents your
>>application and add that objectclass to the users
>>that need it.
>
>Ok, I've created an object in the console, with the
>attributes I want. Now do I add an object class to a
>user, from the console? :)

Edit the user's entry. Press the Advanced... button. Select the objectclass field and press Add Value. From the popup list, select your new objectclass. You may have to save and exit the window before the next step, which is to Add Attribute... to add your new attributes to your entry.

>thanks
>
>sz

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3312 bytes
Desc: S/MIME Cryptographic Signature
URL:

From speedy_zinc at yahoo.com  Wed Oct 19 03:02:56 2005
From: speedy_zinc at yahoo.com (speedy zinc)
Date: Tue, 18 Oct 2005 20:02:56 -0700 (PDT)
Subject: [Fedora-directory-users] How is access control done?
In-Reply-To: <4355B41D.7060403@redhat.com>
Message-ID: <20051019030256.66638.qmail@web36315.mail.mud.yahoo.com>

--- Rich Megginson wrote:

> >Ok, I've created an object in the console, with the
> >attributes I want. Now do I add an object class to a
> >user, from the console? :)
>
> Edit the user's entry. Press the Advanced... button. Select the
> objectclass field and press Add Value. From the popup list, select your
> new objectclass. You may have to save and exit the window before the
> next step, which is to Add Attribute... to add your new attributes to
> your entry.

Stupid me, I was clicking on the label part (left side), and was wondering why the Add Value button is still disabled. I have to click on the right side...

I don't see my objectclass on the list of available objectclass. I used the following to create it:

1. Click on the Configuration tab
2. Select Schema
3. Click Create to create a new object class
4. Add all the attributes I want, to the must and may lists

When I tried to add the new objectclass to a user, I don't see my objectclass on the list.

What did I do wrong?

thanks for all

sz

From rmeggins at redhat.com  Wed Oct 19 03:04:36 2005
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 18 Oct 2005 21:04:36 -0600
Subject: [Fedora-directory-users] How is access control done?
In-Reply-To: <20051019030256.66638.qmail@web36315.mail.mud.yahoo.com>
References: <20051019030256.66638.qmail@web36315.mail.mud.yahoo.com>
Message-ID: <4355B7C4.3060905@redhat.com>

Hm - sounds like a bug. You may have to restart the console in order for it to pick up your new schema.

speedy zinc wrote:

>I don't see my objectclass on the list of available
>objectclass. I used the following to create it:
>
>1. Click on the Configuration tab
>2. Select Schema
>3. Click Create to create a new object class
>4. Add all the attributes I want, to the must and may
>lists
>
>When I tried to add the new objectclass to a user, I
>don't see my objectclass on the list.
>
>What did I do wrong?

From speedy_zinc at yahoo.com  Wed Oct 19 03:38:09 2005
From: speedy_zinc at yahoo.com (speedy zinc)
Date: Tue, 18 Oct 2005 20:38:09 -0700 (PDT)
Subject: [Fedora-directory-users] How is access control done?
In-Reply-To: <4355B7C4.3060905@redhat.com>
Message-ID: <20051019033810.79780.qmail@web36311.mail.mud.yahoo.com>

--- Rich Megginson wrote:

> Hm - sounds like a bug. You may have to restart the console in order
> for it to pick up your new schema.

Got it, thanks all for answering the questions.

One question though, if I add a new schema file in the

slapd-serverid/config/schema

directory, how can I tell FDS to reload the schema files without restarting the server?

thanks

sz

From darjo.gregoric at hit.si  Wed Oct 19 08:36:06 2005
From: darjo.gregoric at hit.si (Darjo Gregoric)
Date: Wed, 19 Oct 2005 10:36:06 +0200
Subject: [Fedora-directory-users] AD sync
Message-ID:

Hi,

I have a problem with AD sync. I have established synchronization without SSL and works fine, but when I use SSL, connection is not established and I receive error:

Simple bind failed, LDAP sdk error 81 (Can't contact LDAP server), Netscape Portable Runtime error -8179 (Peer's Certificate issuer is not recognized.)

AD machine name is suzy.

I have exported CA and imported it on Directory server.

Certutil -L -d . gives:

CA certificate    CTu,u,u
suzy              CT,,
Server-Cert       u,u,u

Did I miss something?

Is there any HOW TO for this type of configuration?
Regards
Darjo

From jclowser at unitedmessaging.com  Wed Oct 19 13:34:42 2005
From: jclowser at unitedmessaging.com (Jeff Clowser)
Date: Wed, 19 Oct 2005 09:34:42 -0400
Subject: [Fedora-directory-users] How is access control done?
In-Reply-To: <20051019002753.24855.qmail@web36311.mail.mud.yahoo.com>
References: <20051019002753.24855.qmail@web36311.mail.mud.yahoo.com>
Message-ID: <43564B72.4040207@unitedmessaging.com>

speedy zinc wrote:

>Let's say, my apps have some specific needs for data,
>which is not covered by existing standard schema. So,
>I create extended schema. Let's say I have 3 apps
>right now, and I can't foresee what future apps will
>need in terms of schema definition.
>
>And let's say I've been using the FDS for 2 years, and
>have 20K users. Then I want to add new apps, which
>require to extend schema again. Assuming that I don't
>have to change any existing schema, do I have to
>rebuild the whole ldap directory, or can I just add
>the new schema, and tell the server that the new
>attributes are now allowed in
>inetOrgPerson/Person/posixAccount/etc?

If you are _extending_ your schema, you can add the new schema elements, then populate new and existing entries with the new fields and such. You do not have to rebuild your directory. If you change the schema such that you remove some attributes, or change their type, etc, things get a little trickier, but in general, you shouldn't need to do this to add support for new apps.

I would recommend strongly against modifying existing objectclasses, especially standardized ones. Instead, create a new objectclass that is inherited from the one you want to extend (or from objectclass top if it's something truly new)

>The important thing is, I don't want to rebuild
>anything, not to interrupt any service.

If you make the changes via console, they should take effect without even having to restart the server. If you edit the schema files by hand, you have to restart the server for it to take effect. Note that if your schema files are not just right, the server may not start.

>I see there are quite a few of Netscape schema, for
>specific apps, such as Collabra Server, etc. How do I
>add app-specific schema like that without rebuilding
>the directory? Or do I have to rebuild it every time a
>new schema is added?

If you add things via console, it adds to 99user.ldif. But... if you want to organize things a bit better, you can create separate files (say, 99appx.ldif for appx specific schema, etc). You can craft these by hand, but it might be easier to create the schema in console on a test server, then copy/paste the appropriate definitions into a new file and drop that onto your production server. You'll need a restart for this to take effect.

Somewhere along the line, schema in 99user.ldif started being replicated to replicas to keep the schema in sync. Not sure if this happened before or after the Sun/Netscape split of the server. Any custom files you create, plus the 99user.ldif (if it's not replicated) will have to be copied to replica servers.

>Please bear with me, I have no real life experience
>with LDAP, just learning here, and throw in the
>questions that I can't figure out from googling :)

Sure - everyone has to start somewhere :)

 - Jeff

From rmeggins at redhat.com  Wed Oct 19 13:49:54 2005
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 19 Oct 2005 07:49:54 -0600
Subject: [Fedora-directory-users] How is access control done?
In-Reply-To: <20051019033810.79780.qmail@web36311.mail.mud.yahoo.com>
References: <20051019033810.79780.qmail@web36311.mail.mud.yahoo.com>
Message-ID: <43564F02.9020600@redhat.com>

speedy zinc wrote:

>--- Rich Megginson wrote:
>
>>Hm - sounds like a bug. You may have to restart the
>>console in order
>>for it to pick up your new schema.
>
>Got it, thanks all for answering the questions.
>
>One question though, if I add a new schema file in the
>
> slapd-serverid/config/schema
>
>directory, how can I tell FDS to reload the schema
>files without restarting the server?

You can't. We will hopefully address this problem in an upcoming release (probably not 7.2).

>thanks
>
>sz

From rmeggins at redhat.com  Wed Oct 19 13:52:22 2005
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 19 Oct 2005 07:52:22 -0600
Subject: [Fedora-directory-users] AD sync
In-Reply-To:
References:
Message-ID: <43564F96.7080009@redhat.com>

Short answer: You are using an invalid SSL certificate.

Longer Answer: SSL server certificates must be capable of key exchange. The cert you are using may be a signing only certificate. This would make it a perfectly good cert for client authentication. It would also make it an acceptable certificate for DHE_ type Diffie-Hellman server operations. It does not work for RSA SSL server operations. You need to either 1) don't use the key usage extension, or 2) specify Key Encipherment (or Key Exchange). The problem is that the MSADCA by default issues these types of certificates, presumably because all of the MS clients are configured to "just work" with them.

Darjo Gregoric wrote:

>I have a problem with AD sync. I have established synchronization without
>SSL and works fine, but when I use SSL, connection is not established and I
>receive error:
>
>Simple bind failed, LDAP sdk error 81 (Can't contact LDAP server), Netscape
>Portable Runtime error -8179 (Peer's Certificate issuer is not recognized.)
>
>AD machine name is suzy.
>
>I have exported CA and imported it on Directory server.
>
>Certutil -L -d . gives:
>
>CA certificate    CTu,u,u
>suzy              CT,,
>Server-Cert       u,u,u
>
>Did I miss something?
>
>Is there any HOW TO for this type of configuration?

From jclowser at unitedmessaging.com  Wed Oct 19 14:37:52 2005
From: jclowser at unitedmessaging.com (Jeff Clowser)
Date: Wed, 19 Oct 2005 10:37:52 -0400
Subject: [Fedora-directory-users] How is access control done?
In-Reply-To: <4355B7C4.3060905@redhat.com>
References: <20051019030256.66638.qmail@web36315.mail.mud.yahoo.com> <4355B7C4.3060905@redhat.com>
Message-ID: <43565A40.5080509@unitedmessaging.com>

Yeah - I think console caches some of this stuff. You don't have to restart ldap or admin server, just console.

 - Jeff

Rich Megginson wrote:

> Hm - sounds like a bug. You may have to restart the console in order
> for it to pick up your new schema.

From speedy_zinc at yahoo.com  Thu Oct 20 01:05:04 2005
From: speedy_zinc at yahoo.com (speedy zinc)
Date: Wed, 19 Oct 2005 18:05:04 -0700 (PDT)
Subject: [Fedora-directory-users] where is the API and library?
Message-ID: <20051020010505.65581.qmail@web36313.mail.mud.yahoo.com>

Sorry if this question should be directed to the dev list.

I want to write some programs that can use the FDS API to manipulate entries in the directory, but where can I find the API and libraries for FDS?

The include directory is empty.

thanks

sz

From rmeggins at redhat.com  Thu Oct 20 01:17:56 2005
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 19 Oct 2005 19:17:56 -0600
Subject: [Fedora-directory-users] where is the API and library?
In-Reply-To: <20051020010505.65581.qmail@web36313.mail.mud.yahoo.com>
References: <20051020010505.65581.qmail@web36313.mail.mud.yahoo.com>
Message-ID: <4356F044.8050004@redhat.com>

speedy zinc wrote:

>Sorry if this question should be directed to the dev
>list.
>
>I want to write some programs that can use the FDS API
>to manipulate entries in the directory, but where can
>I find the API and libraries for FDS?
>
>The include directory is empty.

There are several APIs included with the product, for C, perl, and java. The C API include files are in plugins/slapd/slapi/include. The shared libs are in shared/lib. The documentation is here - http://www.mozilla.org/directory/csdk-docs/

See the file slapd-yourhost/ns-newpwpolicy.pl for an example of how to use the perl api.

The java api is in java/ldapjdk.jar - docs - http://www.mozilla.org/directory/javasdk.html

>thanks
>
>sz

From speedy_zinc at yahoo.com  Thu Oct 20 01:39:34 2005
From: speedy_zinc at yahoo.com (speedy zinc)
Date: Wed, 19 Oct 2005 18:39:34 -0700 (PDT)
Subject: [Fedora-directory-users] help for building FDS
Message-ID: <20051020013934.75630.qmail@web36309.mail.mud.yahoo.com>

Sorry to direct this question on this list. I've been trying to subscribe to the dev list 3 times in the last 3 days, but have never received the confirmation. Stupid yahoo email...

I'm trying to build FDS on my Ubuntu 5.10 machine using dsbuild, I've installed the required packages (db4-dev, krb5-dev, ncurses-dev, etc).
But I got the following error:

gmake[4]: Entering directory `/home/csp/redhat/dsbuild/ds/mozilla/work/mozilla/security/nss/lib/pki'
gcc -o Linux2.6_x86_glibc_PTH_OPT.OBJ/asymmkey.o -c -O2 -fPIC -DLINUX1_2 -Di386 -D_XOPEN_SOURCE -DLINUX2_1 -ansi -Wall -pipe -DLINUX -Dlinux -D_POSIX_SOURCE -D_BSD_SOURCE -DHAVE_STRERROR -DXP_UNIX -DNSS_3_4_CODE -UDEBUG -DNDEBUG -D_REENTRANT -I../../../../dist/Linux2.6_x86_glibc_PTH_OPT.OBJ/include -I../../../../dist/public/nss -I../../../../dist/private/nss -I../../../../dist/public/nspr asymmkey.c
In file included from ../../../../dist/private/nss/nsspki1.h:57,
                 from nsspki.h:56,
                 from asymmkey.c:39:
../../../../dist/private/nss/oiddata.h:46: error: array type has incomplete element type
gmake[4]: *** [Linux2.6_x86_glibc_PTH_OPT.OBJ/asymmkey.o] Error 1
gmake[4]: Leaving directory `/home/csp/redhat/dsbuild/ds/mozilla/work/mozilla/security/nss/lib/pki'
gmake[3]: *** [libs] Error 2
gmake[3]: Leaving directory `/home/csp/redhat/dsbuild/ds/mozilla/work/mozilla/security/nss/lib'
gmake[2]: *** [libs] Error 2
gmake[2]: Leaving directory `/home/csp/redhat/dsbuild/ds/mozilla/work/mozilla/security/nss'
make[1]: *** [build-custom] Error 2
make[1]: Leaving directory `/home/csp/redhat/dsbuild/ds/mozilla'
make: *** [dep-../../ds/mozilla] Error 2

Somehow, looks like the file where nss_builtin_oids is defined was not included.

Could someone give a hint on solving this problem? I have no problem running FDS on this machine, by converting the rpm package into a deb package with alien and installing it.

Distro: Ubuntu 5.10 2.6.12-9-386
gcc/g++: gcc (GCC) 4.0.2 20050808 (prerelease) (Ubuntu 4.0.1-4ubuntu9)

thanks a lot.

sz

From rcritten at redhat.com  Thu Oct 20 02:21:54 2005
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 19 Oct 2005 22:21:54 -0400
Subject: [Fedora-directory-users] help for building FDS
In-Reply-To: <20051020013934.75630.qmail@web36309.mail.mud.yahoo.com>
References: <20051020013934.75630.qmail@web36309.mail.mud.yahoo.com>
Message-ID: <4356FF42.9040706@redhat.com>

With gcc 4.0 you need the patch https://bugzilla.mozilla.org/attachment.cgi?id=176366 from this bug https://bugzilla.mozilla.org/show_bug.cgi?id=284386

rob

speedy zinc wrote:

> I'm trying to build FDS on my Ubuntu 5.10 machine
> using dsbuild, I've installed the required
> packages (db4-dev, krb5-dev, ncurses-dev, etc).
>
> But I got the following error:
>
> ../../../../dist/private/nss/oiddata.h:46: error:
> array type has incomplete element type
>
> Distro: Ubuntu 5.10 2.6.12-9-386
> gcc/g++: gcc (GCC) 4.0.2 20050808 (prerelease) (Ubuntu
> 4.0.1-4ubuntu9)

From rmeggins at redhat.com  Thu Oct 20 02:25:08 2005
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 19 Oct 2005 20:25:08 -0600
Subject: [Fedora-directory-users] help for building FDS
In-Reply-To: <20051020013934.75630.qmail@web36309.mail.mud.yahoo.com>
References: <20051020013934.75630.qmail@web36309.mail.mud.yahoo.com>
Message-ID: <43570004.4010702@redhat.com>

speedy zinc wrote:

>But I got the following error:
>
>In file included from
>../../../../dist/private/nss/nsspki1.h:57,
>                 from nsspki.h:56,
>                 from asymmkey.c:39:
>../../../../dist/private/nss/oiddata.h:46: error:
>array type has incomplete element type
>
>Somehow, looks like the file where nss_builtin_oids is
>defined was not included.

It looks as though it's complaining about a missing NSSOID which is defined in nsspki1t.h. I'm not sure why it's missing. The file oiddata.h is generated by the perl script oidgen.perl. You might check to see if that file was generated correctly and if perl is in your path.

>Could someone give a hint on solving this problem? I
>have no problem running FDS on this machine, by
>converting the rpm package into a deb package with
>alien and installing it.

There is a nice cross reference tool available for nspr and nss - http://lxr.mozilla.org/security/

>Distro: Ubuntu 5.10 2.6.12-9-386
>gcc/g++: gcc (GCC) 4.0.2 20050808 (prerelease) (Ubuntu
>4.0.1-4ubuntu9)

From speedy_zinc at yahoo.com  Thu Oct 20 03:44:08 2005
From: speedy_zinc at yahoo.com (speedy zinc)
Date: Wed, 19 Oct 2005 20:44:08 -0700 (PDT)
Subject: [Fedora-directory-users] Re: help for building FDS
Message-ID: <20051020034408.17207.qmail@web36301.mail.mud.yahoo.com>

Whoa, your replies already showed up in the archive, and I haven't received yet. What kind of email server does yahoo have???

Anyway, following Rob's suggestion, I did the patch, and it can get past that issue.

Rich, I have perl in my path (perl v5.8.3), but I don't think the build script actually generated the files oiddata.h/c. Both files are there, but the last modify time seems to date back to 2002-01-04. And the oidgen.perl is there too.

Now, I'm getting a new problem:

rm -f .libs/client.lo
cc -DHAVE_CONFIG_H -I. -I. -I.. -I../include -I../plugins -I../include -I/tmp/fedora-ds-build/include -I/tmp/fedora-ds-build/include -I/tmp/fedora-ds-build/include -Wall -W -I/tmp/fedora-ds-build/include -L/tmp/fedora-ds-build/lib -O2 -pipe -I/tmp/fedora-ds-build/include -L/tmp/fedora-ds-build/lib -O2 -pipe -I/tmp/fedora-ds-build/include -L/tmp/fedora-ds-build/lib -O2 -pipe -MT client.lo -MD -MP -MF .deps/client.Tpo -c client.c -fPIC -DPIC -o .libs/client.lo
client.c:64: error: static declaration of 'global_callbacks' follows non-static declaration
saslint.h:112: error: previous declaration of 'global_callbacks' was here
make[4]: *** [client.lo] Error 1
make[4]: Leaving directory `/home/csp/redhat/dsbuild/ds/cyrus-sasl/work/cyrus-sasl-2.1.20/lib'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory `/home/csp/redhat/dsbuild/ds/cyrus-sasl/work/cyrus-sasl-2.1.20'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/home/csp/redhat/dsbuild/ds/cyrus-sasl/work/cyrus-sasl-2.1.20'
make[1]: *** [build-work/cyrus-sasl-2.1.20/Makefile] Error 2
make[1]: Leaving directory `/home/csp/redhat/dsbuild/ds/cyrus-sasl'
make: *** [dep-../../ds/cyrus-sasl] Error 2

:(

thx

sz

From rmeggins at redhat.com  Thu Oct 20 13:40:59 2005
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 20 Oct 2005 07:40:59 -0600
Subject: [Fedora-directory-users] Re: help for building FDS
In-Reply-To: <20051020034408.17207.qmail@web36301.mail.mud.yahoo.com>
References: <20051020034408.17207.qmail@web36301.mail.mud.yahoo.com>
Message-ID: <43579E6B.5060202@redhat.com>

Hmm - not sure. Looks like it could also be compiler related. Perhaps there is some other config option? I'm not really sure how the compiler/linker is supposed to handle the case where you have a variable declared as an external global and defined as a static in the same compilation unit e.g.

saslint.h:112
extern sasl_global_callbacks_t global_callbacks;

client.c:64
static sasl_global_callbacks_t global_callbacks;

And client.c includes saslint.h. There don't appear to be any ifdefs that protect one or the other. I wonder if there is some gcc4 compiler flag to allow this? In server.c, global_callbacks is defined as a _global_, not as a static, so I think the intention is that the definition of global_callbacks as a static in client.c is supposed to be a different variable than the one that is declared as global in saslint.h . . . weird.

speedy zinc wrote:

>Anyway, following Rob's suggestion, I did the patch,
>and it can get past that issue.
>
>Rich, I have perl in my path (perl v5.8.3), but I
>don't think the build script actually generated the
>files oiddata.h/c. Both files are there, but the last
>modify time seems to date back to 2002-01-04. And the
>oidgen.perl is there too.
>
>Now, I'm getting a new problem:
>
>client.c:64: error: static declaration of
>'global_callbacks' follows non-static declaration
>saslint.h:112: error: previous declaration of
>'global_callbacks' was here
>make[4]: *** [client.lo] Error 1

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3312 bytes Desc: S/MIME Cryptographic Signature URL: From del at babel.com.au Mon Oct 24 06:23:06 2005 From: del at babel.com.au (Del) Date: Mon, 24 Oct 2005 16:23:06 +1000 Subject: [Fedora-directory-users] MD5 for password hashes In-Reply-To: <4337FC34.20104@redhat.com> References: <43354EDE.4000306@babel.com.au> <43354FE9.4090807@babel.com.au> <4337FC34.20104@redhat.com> Message-ID: <435C7DCA.8070104@babel.com.au> Rich Megginson wrote: > Any chance of some RPMs for the latest edition with the MD5 support >> please guys? > > > We're working on it. Hi, I hate to be a pest with this but I now have 3 clients with fairly large FDS / RHDS implementations planned, which are now on hold waiting for this release. Is there a planned release date for this? I've foolishly suggested to one of them that it could take no longer than the end of next month, so I need to know if I'm likely to have to do some backpedalling on that date. Thanx, -- Del From rmeggins at redhat.com Mon Oct 24 14:31:48 2005 From: rmeggins at redhat.com (Rich Megginson) Date: Mon, 24 Oct 2005 08:31:48 -0600 Subject: [Fedora-directory-users] MD5 for password hashes In-Reply-To: <435C7DCA.8070104@babel.com.au> References: <43354EDE.4000306@babel.com.au> <43354FE9.4090807@babel.com.au> <4337FC34.20104@redhat.com> <435C7DCA.8070104@babel.com.au> Message-ID: <435CF054.1050209@redhat.com> We hope to have another binary release by the end of the week. We've just got a couple of bug fixes to go. Del wrote: > Rich Megginson wrote: > >> Any chance of some RPMs for the latest edition with the MD5 support >> >>> please guys? >> >> >> >> We're working on it. > > > Hi, > > I hate to be a pest with this but I now have 3 clients with fairly large > FDS / RHDS implementations planned, which are now on hold waiting for > this > release. > > Is there a planned release date for this? 
I've foolishly suggested to > one of them that it could take no longer than the end of next month, so > I need to know if I'm likely to have to do some backpedalling on that > date. > > Thanx, > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3312 bytes Desc: S/MIME Cryptographic Signature URL: From sboggs at trustedcs.com Tue Oct 25 19:18:39 2005 From: sboggs at trustedcs.com (Scott Boggs) Date: Tue, 25 Oct 2005 14:18:39 -0500 Subject: [Fedora-directory-users] Available Revisions Message-ID: <435E850F.3030301@trustedcs.com> I have just started using the Fedora-DS. I have to say that I am very impressed. I currently am turning my attention towards working with the server on a SE Linux platform. However, I was wondering if it is best to keep with the current static version that is provided via the source download site, or could I get the latest and greatest to see how in integrates. Thanks in advance and I look forward to my participation with all of you on this project.. From rmeggins at redhat.com Tue Oct 25 19:23:31 2005 From: rmeggins at redhat.com (Rich Megginson) Date: Tue, 25 Oct 2005 13:23:31 -0600 Subject: [Fedora-directory-users] Available Revisions In-Reply-To: <435E850F.3030301@trustedcs.com> References: <435E850F.3030301@trustedcs.com> Message-ID: <435E8633.5080808@redhat.com> Scott Boggs wrote: > I have just started using the Fedora-DS. I have to say that I am very > impressed. I currently am turning my attention towards working with > the server on a SE Linux platform. However, I was wondering if it is > best to keep with the current static version that is provided via the > source download site, or could I get the latest and greatest to see > how in integrates. We will be releasing a new binary version very soon. > > Thanks in advance and I look forward to my participation with all of > you on this project.. 
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From jonbjorn at hi.is Tue Oct 25 23:35:05 2005
From: jonbjorn at hi.is (Jón Björn Njálsson)
Date: Tue, 25 Oct 2005 23:35:05 -0000 (GMT)
Subject: [Fedora-directory-users] crypt password with AD ?
Message-ID: <20695.130.208.138.21.1130283305.squirrel@webmail.hi.is>

Hi.

Is there any way to sync FDS crypt passwords with Active Directory, or do they have to be encrypted with SSHA?

Jon

From gholbert at broadcom.com Tue Oct 25 23:44:54 2005
From: gholbert at broadcom.com (George Holbert)
Date: Tue, 25 Oct 2005 16:44:54 -0700
Subject: [Fedora-directory-users] crypt password with AD ?
In-Reply-To: <20695.130.208.138.21.1130283305.squirrel@webmail.hi.is>
References: <20695.130.208.138.21.1130283305.squirrel@webmail.hi.is>
Message-ID: <435EC376.3050805@broadcom.com>

Unfortunately, the Microsoft AD password hash isn't a supported password hash in FDS (or any other directory server, except AD of course). I think this is because Microsoft's hash is proprietary. This means neither SSHA nor crypt can be synced directly with AD. To sync passwords, you have to use something that can catch the password while it's in clear text (i.e., when the user changes it). There is a Fedora "Winsync" package which I believe can help with this.

Jón Björn Njálsson wrote:
> Hi.
>
> Is there any way to sync FDS crypt passwords with Active Directory or do
> they have to be encrypted with SSHA ?
>
> Jon
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From david_list at boreham.org Wed Oct 26 03:01:27 2005
From: david_list at boreham.org (David Boreham)
Date: Tue, 25 Oct 2005 21:01:27 -0600
Subject: [Fedora-directory-users] crypt password with AD ?
In-Reply-To: <20695.130.208.138.21.1130283305.squirrel@webmail.hi.is>
References: <20695.130.208.138.21.1130283305.squirrel@webmail.hi.is>
Message-ID: <435EF187.2060303@boreham.org>

Jón Björn Njálsson wrote:
> Is there any way to sync FDS crypt passwords with Active Directory or do
> they have to be encrypted with SSHA ?
>
Winsync doesn't care what hash type you use. It hooks the plaintext password (on both ends) and sends that (via an SSL-protected session, of course).

From chen_shaopeng at idsignet.com Wed Oct 26 03:22:19 2005
From: chen_shaopeng at idsignet.com (Chen Shaopeng)
Date: Wed, 26 Oct 2005 11:22:19 +0800
Subject: [Fedora-directory-users] Available Revisions
In-Reply-To: <435E8633.5080808@redhat.com>
References: <435E850F.3030301@trustedcs.com> <435E8633.5080808@redhat.com>
Message-ID: <435EF66B.6010805@idsignet.com>

Rich Megginson wrote:
> Scott Boggs wrote:
>
>> I have just started using the Fedora-DS. I have to say that I am very
>> impressed. I currently am turning my attention towards working with
>> the server on a SE Linux platform. However, I was wondering if it is
>> best to keep with the current static version that is provided via the
>> source download site, or could I get the latest and greatest to see
>> how it integrates.
>
> We will be releasing a new binary version very soon.
>
Could you tell what will be in the new build? And a date?

It would be cool if the build process could be cleanly separated. For example, it should be easy to build the directory server alone, and build the admin and console alone. That would be easier for other people to participate too.
It's not too scary that way, coz the whole thing is pretty big. rgds csp -- Chen Shaopeng http://www.idsignet.com From joe at openpower.com.tw Wed Oct 26 08:31:02 2005 From: joe at openpower.com.tw (joe) Date: Wed, 26 Oct 2005 16:31:02 +0800 Subject: [Fedora-directory-users] Aboout Winsync Message-ID: <1130315462.13861.6.camel@mrjnote> Hi! I followed the steps of Red Hat document to implement Windows 2000 sync with FDS. After my "initial re-synchronization" process was done, I checked my directory tree. I saw some entries like "cn=Domain Admins, ou=People, dc=example, dc=com", and it contained "Members/Static Group - uid=Administrator, , ou=People, dc=example, dc=com" in its properties. But I could not find the real entry dn named "uid=Administrator, , ou=People, dc=example, dc=com" in my ds tree. Is it the correct result? Or I did something wrong with configuration. Please tell me how to fix the problem. Thanks a lot. Regards Joe Yu -------------- next part -------------- An HTML attachment was scrubbed... URL: From nabeelmoidu at gmail.com Wed Oct 26 13:02:51 2005 From: nabeelmoidu at gmail.com (Nabeel Moidu) Date: Wed, 26 Oct 2005 18:32:51 +0530 Subject: [Fedora-directory-users] Aboout Winsync In-Reply-To: <1130315462.13861.6.camel@mrjnote> References: <1130315462.13861.6.camel@mrjnote> Message-ID: <3fd6d7cc0510260602w7bedc8e4s15a1123c47dae53c@mail.gmail.com> I got the same result when i did it .I guess its normal On 10/26/05, joe wrote: > > Hi! > > I followed the steps of Red Hat document to implement Windows 2000 sync > with FDS. After my "initial re-synchronization" process was done, I checked > my directory tree. > > I saw some entries like "cn=Domain Admins, ou=People, dc=example, dc=com", > and it contained "Members/Static Group - uid=Administrator, , ou=People, > dc=example, dc=com" > > in its properties. But I could not find the real entry dn named > "uid=Administrator, , ou=People, dc=example, dc=com" in my ds tree. Is it > the correct result? 
Or I did > > something wrong with configuration. Please tell me how to fix the problem. > Thanks a lot. > > > Regards > Joe Yu > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > -- Thanks and Regards Nabeel Moidu System Administrator OnMobile System Inc Bangalore, India www.onmobile.com If we don't believe in freedom of expression for people we despise, we don't believe in it at all. Noam Chomsky -------------- next part -------------- An HTML attachment was scrubbed... URL: From david_list at boreham.org Wed Oct 26 14:06:49 2005 From: david_list at boreham.org (David Boreham) Date: Wed, 26 Oct 2005 08:06:49 -0600 Subject: [Fedora-directory-users] Aboout Winsync In-Reply-To: <1130315462.13861.6.camel@mrjnote> References: <1130315462.13861.6.camel@mrjnote> Message-ID: <435F8D79.6030100@boreham.org> joe wrote: > I followed the steps of Red Hat document to implement Windows 2000 > sync with FDS. After my "initial re-synchronization" process was done, > I checked my directory tree. > > I saw some entries like "cn=Domain Admins, ou=People, dc=example, > dc=com", and it contained "Members/Static Group - uid=Administrator, , > ou=People, dc=example, dc=com" > > in its properties. But I could not find the real entry dn named > "uid=Administrator, , ou=People, dc=example, dc=com" in my ds tree. Is > it the correct result? Or I did This looks wrong. The double comma in the DN should be illegal. I don't believe this is a known problem -- I've never seen this particular issue reported before. Do you otherwise get correct sync results ? i.e. do your regular users and groups get sync'ed ok ? If you enable replication logging, then run a re-sync, there will probably be something in the error log pertaining to this entry. That might tell us what's going wrong. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From rmeggins at redhat.com Wed Oct 26 13:53:59 2005 From: rmeggins at redhat.com (Rich Megginson) Date: Wed, 26 Oct 2005 07:53:59 -0600 Subject: [Fedora-directory-users] Aboout Winsync In-Reply-To: <1130315462.13861.6.camel@mrjnote> References: <1130315462.13861.6.camel@mrjnote> Message-ID: <435F8A77.6040901@redhat.com> joe wrote: > Hi! > > I followed the steps of Red Hat document to implement Windows 2000 > sync with FDS. After my "initial re-synchronization" process was done, > I checked my directory tree. > > I saw some entries like "cn=Domain Admins, ou=People, dc=example, > dc=com", and it contained "Members/Static Group - uid=Administrator, , > ou=People, dc=example, dc=com" > > in its properties. But I could not find the real entry dn named > "uid=Administrator, , ou=People, dc=example, dc=com" in my ds tree. Is > it the correct result? Or I did > > something wrong with configuration. Please tell me how to fix the > problem. Thanks a lot. I think it's ok. Administrator is a "pseudo" user - it's only used for Windows domain administration. I don't think it follows the schema for a user. Does the Administrator entry have a full name or a surname? There are other pseudo users that fall into this category, such as the kerberos kdc user. You could probably fill in the missing attributes and make it sync over, but it doesn't really matter unless you want to use the Administrator entry on unix. > > > Regards > Joe Yu > >------------------------------------------------------------------------ > >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3312 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Wed Oct 26 14:31:53 2005 From: rmeggins at redhat.com (Rich Megginson) Date: Wed, 26 Oct 2005 08:31:53 -0600 Subject: [Fedora-directory-users] Available Revisions In-Reply-To: <435EF66B.6010805@idsignet.com> References: <435E850F.3030301@trustedcs.com> <435E8633.5080808@redhat.com> <435EF66B.6010805@idsignet.com> Message-ID: <435F9359.5090608@redhat.com> Chen Shaopeng wrote: >Rich Megginson wrote: > > >>Scott Boggs wrote: >> >> >> >>>I have just started using the Fedora-DS. I have to say that I am very >>>impressed. I currently am turning my attention towards working with >>>the server on a SE Linux platform. However, I was wondering if it is >>>best to keep with the current static version that is provided via the >>>source download site, or could I get the latest and greatest to see >>>how in integrates. >>> >>> >>We will be releasing a new binary version very soon. >> >> >> > >Could you tell what will be in the new build? and a date? > > We will be making an official announcement within the week, but the new build will have MD5, SHA-256, SHA-384, SHA-512 password support. It will also contain lots of bug fixes, many of which are in the windows sync component. >It would be cool if the build process could be cleanly separated. >For example, it should be easy to build the directory server >alone, and build the admin and console alone. > > The build right now builds the directory server alone, and you can build the console alone as well. See the http://directory.fedora.redhat.com/Building for more information. >That would be easier for other people to participate too. >It's not too scary that way, coz the whole thing is pretty >big. > >rgds > >csp > > -------------- next part -------------- A non-text attachment was scrubbed... 
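The crypt-password thread above (George's and David's replies) and Rich's note here that the next build adds MD5 and SHA-256/384/512 password storage come down to one point: a stored hash is one-way, so the only moment a sync agent can carry a password to the other side is when it sees the plaintext at change time. The Python below is an added example, not code from the page or from FDS. It builds and verifies userPassword values in the salted SHA family ({SSHA} plus the SHA-2 variants) using the RFC 2307 style layout base64(digest(password || salt) || salt), and shows the one thing a change-time hook can do with the plaintext (confirm it against the old value, then emit the same password under another scheme) that no function of the stored hash alone can. The digest||salt layout and the 8-byte default salt are assumptions about the storage format; the verifier takes whatever bytes follow the digest as the salt, so 4-byte OpenLDAP-style values check too. {CRYPT} is deliberately left out. The sample password is constructed for the example.

```python
import base64
import hashlib
import hmac
import os

# Digest behind each userPassword storage-scheme tag. The on-disk layout is
# assumed to be base64(digest(password || salt) || salt), the conventional
# RFC 2307 salted-SHA form; the salt length a given server uses varies.
SCHEMES = {
    'SSHA': 'sha1',
    'SSHA256': 'sha256',
    'SSHA384': 'sha384',
    'SSHA512': 'sha512',
}
DEFAULT_SALT_LEN = 8   # assumption; OpenLDAP's slappasswd uses 4 bytes


def hash_password(password, scheme='SSHA', salt=None, salt_len=DEFAULT_SALT_LEN):
    """Return a '{SCHEME}base64' value suitable for a userPassword attribute."""
    if scheme not in SCHEMES:
        raise ValueError('unsupported scheme ' + scheme)
    if salt is None:
        salt = os.urandom(salt_len)
    digest = hashlib.new(SCHEMES[scheme], password.encode('utf-8') + salt).digest()
    return '{%s}%s' % (scheme, base64.b64encode(digest + salt).decode('ascii'))


def split_value(stored):
    """Split a '{SCHEME}base64' value into (scheme, digest, salt).
    The digest length is fixed by the scheme, so whatever follows it is the salt."""
    if not stored.startswith('{') or '}' not in stored:
        raise ValueError('not a tagged hash value')
    scheme, b64 = stored[1:].split('}', 1)
    scheme = scheme.upper()
    if scheme not in SCHEMES:
        raise ValueError('unsupported scheme ' + scheme)
    raw = base64.b64decode(b64)
    dlen = hashlib.new(SCHEMES[scheme]).digest_size
    if len(raw) <= dlen:
        raise ValueError('value too short to hold digest and salt')
    return scheme, raw[:dlen], raw[dlen:]


def check_password(password, stored):
    """True if password matches the stored value (constant-time comparison)."""
    scheme, digest, salt = split_value(stored)
    cand = hashlib.new(SCHEMES[scheme], password.encode('utf-8') + salt).digest()
    return hmac.compare_digest(cand, digest)


def rehash_on_change(password, old_stored, new_scheme):
    """What a change-time hook can do that hash-to-hash sync cannot: with the
    plaintext in hand, confirm it against the existing value and emit the same
    password under another scheme. Without the plaintext there is no path from
    old_stored to the new value, which is why a sync agent must hook the
    plaintext at change time."""
    if not check_password(password, old_stored):
        raise ValueError('password does not match the existing hash')
    return hash_password(password, new_scheme)


if __name__ == '__main__':
    # constructed sample password, not from the page
    stored = hash_password('correct horse battery', 'SSHA')
    print(stored, check_password('correct horse battery', stored))
    print(rehash_on_change('correct horse battery', stored, 'SSHA512'))
```

Verification never recomputes anything from the stored digest except a comparison, and the comparison is constant-time; a migration from {SSHA} to {SSHA512} can therefore only happen lazily, one user at a time, as each one next authenticates or changes their password.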
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3312 bytes Desc: S/MIME Cryptographic Signature URL: From david_list at boreham.org Wed Oct 26 14:44:06 2005 From: david_list at boreham.org (David Boreham) Date: Wed, 26 Oct 2005 08:44:06 -0600 Subject: [Fedora-directory-users] Aboout Winsync In-Reply-To: <435F8A77.6040901@redhat.com> References: <1130315462.13861.6.camel@mrjnote> <435F8A77.6040901@redhat.com> Message-ID: <435F9636.7070907@boreham.org> Rich Megginson wrote: > I think it's ok. Administrator is a "pseudo" user - it's only used > for Windows domain administration. I don't think it follows the > schema for a user. Does the Administrator entry have a full name or a > surname? There are other pseudo users that fall into this category, > such as the kerberos kdc user. You could probably fill in the missing > attributes and make it sync over, but it doesn't really matter unless > you want to use the Administrator entry on unix. True (in fact, the special users in AD are not supposed to get sync'ed at all), but I'm puzzled about the group member being sync'ed. By design, only group members that are also already present in the peer directory should be sync'ed. Therefore, if things are working to plan, the Administrator user should not be sync'ed, and neither should any group member that has its DN. From nathan.benson at sourcefire.com Wed Oct 26 15:59:48 2005 From: nathan.benson at sourcefire.com (Nathan Benson) Date: Wed, 26 Oct 2005 11:59:48 -0400 Subject: [Fedora-directory-users] Schema Conversion In-Reply-To: <42A8A2E9.1020107@sourcefire.com> References: <42A78491.9010206@uindy.edu> <42A8A2E9.1020107@sourcefire.com> Message-ID: <435FA7F4.2050604@sourcefire.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 hi, i've updated my perl script to do RFC 2252 ordering as well as formatting. Steven Bonneville (RedHat) brought it to my attention that RHDS/FDS was very strict about following the RFC while OpenLDAP was not. 
~ so, if an OL schema was out of order, it caused problems when being converted to RHDS/FDS. anyway, i've attached my script. it should also be useful for reordering already converted schemas just in case the order might not be correct. i hope everyone finds it useful, please let me know how it works out. thanks, nathan Nathan Benson thus spake on 06/09/2005 04:13 PM: | DC / list, | | i have a quick and dirty perl script i had cooked up to do this. it was | enough to allow me to convert some openldap schema to FDS. i was able | to successfully start FDS after converting a few of them (samba3, etc). | | i probably went about it all wrong. for instance the dn: line is | probably written out incorrectly (i just did what i could to make it | work). i haven't even tried importing a database using the newly | converted schemas, so your milage will almost certainly vary. | | anyway, i've pasted it in the message below because i'm not sure if the | list allows attachments. i hope it's of some use to people trying to | make the switch from openldap to FDS. | | ------------- SNIP ------------------ | | #!/usr/bin/perl -w | # | # this is a quick perl script to convert OpenLDAP schema files | # to FDS ldif (schema) files. it is probably not anywhere near | # useful, but it did allow me to convert a few of my .schema | # files and have FDS successfully start with them. | # | # -Nathan Benson (nathan.benson at sourcefire.com) | # | | | use strict; | | | die "usage: $0 \n" unless my $file = $ARGV[0]; | die "$! 
'$file'\n" unless -e $file;
|
|
| my $start;
|
|
| print "dn: cn=schema\n";
|
|
| open SCHEMA, $file or die "cannot open '$file': $!\n";
| while (<SCHEMA>)
| {
|     # skip comments and blank lines
|     next if /^(#|$)/;
|
|     # start of a definition: one LDIF attribute per schema element
|     if (/^(objectclass|attributetype)\s/)
|     {
|         print "\n" if ($start);
|         chomp;
|
|         $_ =~ s/^objectclass/objectclasses:/i;
|         $_ =~ s/^attributetype/attributetypes:/i;
|         $_ =~ s/(\t|\s)/ /;
|
|         $start = 1;
|         print;
|     }
|     # indented continuation line: fold with a leading space (LDIF continuation)
|     elsif ((/^\s*\w/) && ($start))
|     {
|         chomp;
|         $_ =~ s/^(\s*)/ /;
|         print;
|     }
| }
| close SCHEMA;
|
| ------------- SNIP ------------------
|
| D Canfield thus spake on 06/08/2005 07:51 PM:
| | I don't suppose anyone has found an easy way to convert OpenLDAP schema
| | into fedora-ds compatible ldif files?  We've got about 100 attributes
| | defined, and I'm really not looking forward to entering them all by
| | hand...
| |
| | Thanks
| | DC
| |
| | --
| | Fedora-directory-users mailing list
| | Fedora-directory-users at redhat.com
| | https://www.redhat.com/mailman/listinfo/fedora-directory-users
|
- --
Fedora-directory-users mailing list
Fedora-directory-users at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users

- --
Nathan Benson
http://sourcefire.com/
1C1A F2C1 82AD F75F 9B6B E501 0D73 DC9B E96B DD96
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFDX6f0DXPcm+lr3ZYRAlmAAJ9CgySM8J7KCTdbfhgUQYNPNkrjfACgiNex
saZih7lWJKsgHwCq5z8V5zk=
=Dhr5
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
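Nathan's June script above does the textual conversion (the objectclass/attributetype keywords become objectclasses:/attributetypes: LDIF attributes under dn: cn=schema, with indented continuation lines folded behind a leading space); his updated ol2rhds.pl, attached rather than shown, adds the RFC 2252 ordering. As an added example, not the page's or Nathan's code, the Python below does the same conversion and adds dependency ordering: every SUP that is defined in the same file is emitted before the definition that names it, and attribute types are emitted before object classes. That ordering is my reading of the strictness Nathan attributes to RHDS/FDS, not something the page spells out; superiors not defined in the file (top, for instance) are assumed to exist in the server's base schema. The schema fragment is constructed for the example, with OIDs under a made-up arc, and a SUP cycle raises ValueError instead of looping.

```python
import re

# Start of a definition and its pieces, as written in OpenLDAP .schema files.
DEF_RE = re.compile(r'^(objectclass|attributetype)\s', re.IGNORECASE)
NAME_RE = re.compile(r"\bNAME\s+(?:'([^']+)'|\(\s*'([^']+)'[^)]*\))", re.IGNORECASE)
SUP_RE = re.compile(r"\bSUP\s+(?:\(\s*([^)]+?)\s*\)|([\w.-]+))", re.IGNORECASE)

# Constructed schema fragment (not from the page): deliberately out of order,
# each subclass/subtype listed before the superior it depends on.
SAMPLE_SCHEMA = """\
# demo schema, constructed for this example
objectclass ( 1.3.6.1.4.1.99999.2.2 NAME 'demoAdmin'
    SUP demoPerson STRUCTURAL
    MAY ( demoRole ) )

attributetype ( 1.3.6.1.4.1.99999.1.2 NAME 'demoRole'
    DESC 'role label'
    SUP demoTag
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

attributetype ( 1.3.6.1.4.1.99999.1.1 NAME 'demoTag'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

objectclass ( 1.3.6.1.4.1.99999.2.1 NAME 'demoPerson'
    SUP top STRUCTURAL
    MUST ( cn ) MAY ( demoTag ) )
"""


def parse_definitions(text):
    """Return [(kind, body)] for each attributetype/objectclass definition.
    Comment and blank lines are dropped, indented continuation lines are
    folded onto their definition, and runs of whitespace become one space."""
    defs = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        m = DEF_RE.match(line)
        if m:
            defs.append([m.group(1).lower(), line[m.end():].strip()])
        elif line[:1].isspace() and defs:
            defs[-1][1] += ' ' + line.strip()
        else:
            raise ValueError('unexpected line outside a definition: %r' % line)
    return [(kind, re.sub(r'\s+', ' ', body)) for kind, body in defs]


def order_by_superior(defs):
    """Depth-first dependency ordering of one kind of definition: a SUP that
    is defined in the same set is emitted before anything that names it.
    Superiors not in the set (top, ...) are assumed to be in the base schema."""
    by_name = {}
    for kind, body in defs:
        nm = NAME_RE.search(body)
        if not nm:
            raise ValueError('definition without NAME: ' + body)
        by_name[(nm.group(1) or nm.group(2)).lower()] = (kind, body)
    ordered, state = [], {}

    def visit(name):
        if state.get(name) == 'done':
            return
        if state.get(name) == 'active':
            raise ValueError('SUP cycle through ' + name)
        state[name] = 'active'
        kind, body = by_name[name]
        sup = SUP_RE.search(body)
        if sup:
            for parent in (sup.group(1) or sup.group(2)).split('$'):
                parent = parent.strip().lower()
                if parent in by_name:
                    visit(parent)
        state[name] = 'done'
        ordered.append((kind, body))

    for name in list(by_name):
        visit(name)
    return ordered


def convert(text):
    """OpenLDAP schema text -> LDIF fragment for dn: cn=schema, attribute
    types first (in dependency order), then object classes."""
    defs = parse_definitions(text)
    attrs = order_by_superior([d for d in defs if d[0] == 'attributetype'])
    ocs = order_by_superior([d for d in defs if d[0] == 'objectclass'])
    lines = ['dn: cn=schema']
    lines += ['attributeTypes: ' + body for _, body in attrs]
    lines += ['objectClasses: ' + body for _, body in ocs]
    return '\n'.join(lines) + '\n'


def emitted_names(ldif):
    """NAMEs in the order the generated LDIF defines them (for checking)."""
    return [m.group(1) or m.group(2) for m in NAME_RE.finditer(ldif)]


if __name__ == '__main__':
    print(convert(SAMPLE_SCHEMA))
```

Run it as a script to see the LDIF for the sample; the output defines demoTag before demoRole and demoPerson before demoAdmin, whatever order the input used. Unknown keywords and multi-valued NAME lists pass through untouched, since only NAME and SUP are interpreted.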
Name: ol2rhds.pl Type: application/x-perl Size: 12847 bytes Desc: not available URL: From wfrancis at anticlockwise.com Thu Oct 27 00:08:47 2005 From: wfrancis at anticlockwise.com (William Francis) Date: Wed, 26 Oct 2005 17:08:47 -0700 Subject: [Fedora-directory-users] FDS bug #163064 In-Reply-To: <4331BF2C.20204@boreham.org> References: <43303C9A.1090702@centimfe.com> <200509211246.07945.dyioulos@firstbhph.com> <4331918D.4020903@boreham.org> <200509211612.48659.dyioulos@firstbhph.com> <4331BF2C.20204@boreham.org> Message-ID: <43601A8F.2050309@anticlockwise.com> in the Red Hat bugbase and not visable to me ... Has this been fixed? Is there a build available somewhere that I can download? Thanks. From rmeggins at redhat.com Thu Oct 27 02:22:16 2005 From: rmeggins at redhat.com (Rich Megginson) Date: Wed, 26 Oct 2005 20:22:16 -0600 Subject: [Fedora-directory-users] FDS bug #163064 In-Reply-To: <43601A8F.2050309@anticlockwise.com> References: <43303C9A.1090702@centimfe.com> <200509211246.07945.dyioulos@firstbhph.com> <4331918D.4020903@boreham.org> <200509211612.48659.dyioulos@firstbhph.com> <4331BF2C.20204@boreham.org> <43601A8F.2050309@anticlockwise.com> Message-ID: <436039D8.30306@redhat.com> William Francis wrote: > > in the Red Hat bugbase and not visable to me ... I'm not sure. It was entered as a Red Hat DS bug and not a Fedora DS bug. > > Has this been fixed? Not yet. > Is there a build available somewhere that I can download? Not yet, but very soon. > > Thanks. > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3312 bytes Desc: S/MIME Cryptographic Signature URL: From elwartowski at gmail.com Thu Oct 27 10:00:40 2005 From: elwartowski at gmail.com (Chad Elwartowski) Date: Thu, 27 Oct 2005 13:00:40 +0300 Subject: [Fedora-directory-users] libdb problem on setup Message-ID: <332a4c70510270300r235a7e44p2aa6858d4c33986@mail.gmail.com> I'm trying to install the Fedora Directory and run into errors after executing the setup program. I'm running Redhat Linux: %uname -a Linux myhostname 2.6.9-5.ELsmp #1 SMP Wed Jan 5 19:30:39 EST 2005 i686 i686 i386 GNU/Linux I've downloaded the rpm: fedora-ds-7.1-2.RHEL4.i386.opt.rpm and installed it (rpm -iv ...). I cd into /opt/fedora-ds and run: ./setup/setup After entering my information in any of the three installation levels I get the error: - Fedora-Directory/7.1 B2005.146.2010 starting up - libdb: unable to initialize mutex: Function not implemented - libdb: /opt/fedora-ds/slapd-myhostname/db/__db.001: unable to initialize environment lock: Function not implemented - start: Failed to init database, err=38 Function not implemented etc...(I can't cut and paste into email so I'd have to type the rest, which is quite a bit) I've gone the route of re-installing the RPM then running the perl ds_newinst.pl /opt/fedora-ds/setup/install.inf (with the install.inf edited for my settings) That resulted in a "Success", but then looking in the fedora logs it shows the same error above as far as the libdb:... Neither allow me to get access using startconsole. My LD_LIBRARY_PATH includes /opt/fedora-ds/lib My PATH includes /opt/fedora-ds/bin/base/jre/bin My CLASSPATH includes /opt/fedora-ds/bin/base/jre/bin:/opt/fedora-ds/java:/opt/fedora-ds/java/jars:/opt/fedora-ds/bin/base/jre/lib:/opt/fedora-ds/bin/base/jre/lib/ext:/opt/fedora-ds/bin/base/jre/bin/classic My JAVA_HOME is /opt/fedora-ds/java Can anyone point me in the right direction to get past this problem? 
Thanks, Chad -------------- next part -------------- An HTML attachment was scrubbed... URL: From admin at hostyle.it Thu Oct 27 13:15:36 2005 From: admin at hostyle.it (Enrico Valsecchi) Date: Thu, 27 Oct 2005 15:15:36 +0200 Subject: [Fedora-directory-users] Very NewBye Message-ID: <200510271515.36798.admin@hostyle.it> Dear All, I'm a very newbye user of fedora-directory .... To start, I have a big problem! :-( Well, I have downloaded and installed from rpm package. O.K., I'm creat a .inf file, wit this content: [General] FullMachineName= localhost.localdomain SuiteSpotUserID= ldap ServerRoot= /opt/ldapserver [slapd] ServerPort= 389 ServerIdentifier= localhost Suffix= dc=localhost,dc=localdomain RootDN= cn=Directory Manager RootDNPwd= password and I'm go to /opt/fedora-ds/bin/slapd/admin/bin. Run perl ds_newinst.pl my_new_inf_file O.K., Perl script run and at console I retry this message: CGI /opt/ldapserver/bin/slapd/admin/bin/ds_newinst failed with 1: here is the output: Content-type: text/plain error:could not create server localhost - Could not write /opt/ldapserver/bin/slapd/admin/scripts/template-ldif2db.pl to /opt/ldapserver/slapd-localhost/ldif2db.pl (No such file or director). NMC_Status: 1 Error: could not run /opt/ldapserver/bin/slapd/admin/bin/ds_newinst: 1 Error: Could not create new directory server instance User "nobody" are o.k. into my system, and permission /opt/ldapserver is nobody.root with write permission on user, group and read to all Some people have a solutions? Many thanks, Enrico From rmeggins at redhat.com Thu Oct 27 13:58:09 2005 From: rmeggins at redhat.com (Rich Megginson) Date: Thu, 27 Oct 2005 07:58:09 -0600 Subject: [Fedora-directory-users] Very NewBye In-Reply-To: <200510271515.36798.admin@hostyle.it> References: <200510271515.36798.admin@hostyle.it> Message-ID: <4360DCF1.1070007@redhat.com> Change /opt/ldapserver to /opt/fedora-ds. Enrico Valsecchi wrote: >Dear All, > >I'm a very newbye user of fedora-directory .... 
>To start, I have a big problem! >:-( > >Well, I have downloaded and installed from rpm package. >O.K., I'm creat a .inf file, wit this content: > >[General] >FullMachineName= localhost.localdomain >SuiteSpotUserID= ldap >ServerRoot= /opt/ldapserver >[slapd] >ServerPort= 389 >ServerIdentifier= localhost >Suffix= dc=localhost,dc=localdomain >RootDN= cn=Directory Manager >RootDNPwd= password > >and I'm go to /opt/fedora-ds/bin/slapd/admin/bin. >Run perl ds_newinst.pl my_new_inf_file > >O.K., Perl script run and at console I retry this message: > >CGI /opt/ldapserver/bin/slapd/admin/bin/ds_newinst failed with 1: here is the >output: >Content-type: text/plain > >error:could not create server localhost - Could not >write /opt/ldapserver/bin/slapd/admin/scripts/template-ldif2db.pl >to /opt/ldapserver/slapd-localhost/ldif2db.pl (No such file or director). >NMC_Status: 1 >Error: could not run /opt/ldapserver/bin/slapd/admin/bin/ds_newinst: 1 >Error: Could not create new directory server instance > >User "nobody" are o.k. into my system, and permission /opt/ldapserver is >nobody.root with write permission on user, group and read to all > >Some people have a solutions? > >Many thanks, > >Enrico > >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3312 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Thu Oct 27 13:59:03 2005 From: rmeggins at redhat.com (Rich Megginson) Date: Thu, 27 Oct 2005 07:59:03 -0600 Subject: [Fedora-directory-users] libdb problem on setup In-Reply-To: <332a4c70510270300r235a7e44p2aa6858d4c33986@mail.gmail.com> References: <332a4c70510270300r235a7e44p2aa6858d4c33986@mail.gmail.com> Message-ID: <4360DD27.8090507@redhat.com> Chad Elwartowski wrote: > I'm trying to install the Fedora Directory and run into errors after > executing the setup program. > > I'm running Redhat Linux: > %uname -a > Linux myhostname 2.6.9-5.ELsmp #1 SMP Wed Jan 5 19:30:39 EST 2005 i686 > i686 i386 GNU/Linux Is this FC3 or RHEL4? What is your LD_LIBRARY_PATH set to? > > I've downloaded the rpm: fedora-ds-7.1-2.RHEL4.i386.opt.rpm and > installed it (rpm -iv ...). > > I cd into /opt/fedora-ds and run: ./setup/setup > > After entering my information in any of the three installation levels > I get the error: > - Fedora-Directory/7.1 B2005.146.2010 starting up > - libdb: unable to initialize mutex: Function not implemented > - libdb: /opt/fedora-ds/slapd-myhostname/db/__db.001: unable to > initialize environment lock: Function not implemented > - start: Failed to init database, err=38 Function not implemented > > etc...(I can't cut and paste into email so I'd have to type the rest, > which is quite a bit) > > I've gone the route of re-installing the RPM then running the perl > ds_newinst.pl /opt/fedora-ds/setup/install.inf (with the install.inf > edited for my settings) > That resulted in a "Success", but then looking in the fedora logs it > shows the same error above as far as the libdb:... > > Neither allow me to get access using startconsole. 
>
> My LD_LIBRARY_PATH includes /opt/fedora-ds/lib
> My PATH includes /opt/fedora-ds/bin/base/jre/bin
> My CLASSPATH includes
> /opt/fedora-ds/bin/base/jre/bin:/opt/fedora-ds/java:/opt/fedora-ds/java/jars:/opt/fedora-ds/bin/base/jre/lib:/opt/fedora-ds/bin/base/jre/lib/ext:/opt/fedora-ds/bin/base/jre/bin/classic
> My JAVA_HOME is /opt/fedora-ds/java
>
> Can anyone point me in the right direction to get past this problem?
>
> Thanks,
> Chad
>
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From david_list at boreham.org Thu Oct 27 14:15:16 2005
From: david_list at boreham.org (David Boreham)
Date: Thu, 27 Oct 2005 08:15:16 -0600
Subject: [Fedora-directory-users] libdb problem on setup
In-Reply-To: <332a4c70510270300r235a7e44p2aa6858d4c33986@mail.gmail.com>
References: <332a4c70510270300r235a7e44p2aa6858d4c33986@mail.gmail.com>
Message-ID: <4360E0F4.4010307@boreham.org>

> - libdb: unable to initialize mutex: Function not implemented

This is caused by having the wrong threading library linked with the process at runtime. Typically it happens when LD_ASSUME_KERNEL is set (which it should not be).
From elwartowski at gmail.com Thu Oct 27 14:18:25 2005
From: elwartowski at gmail.com (Chad Elwartowski)
Date: Thu, 27 Oct 2005 17:18:25 +0300
Subject: [Fedora-directory-users] libdb problem on setup
In-Reply-To: <4360DD27.8090507@redhat.com>
References: <332a4c70510270300r235a7e44p2aa6858d4c33986@mail.gmail.com> <4360DD27.8090507@redhat.com>
Message-ID: <332a4c70510270718r8a9dca4k306a430c901aa500@mail.gmail.com>

Rich,
It's RHEL4 and my LD_LIBRARY_PATH is:
/usr/local/geotrans/lib:/lib:/usr/lib:/usr/local/lib:/usr/local/las/binaries/gnu32linux:/opt/fedora-ds/lib

On 10/27/05, Rich Megginson wrote:
> Chad Elwartowski wrote:
> > I'm trying to install the Fedora Directory and run into errors after executing the setup program.
> >
> > I'm running Redhat Linux:
> > %uname -a
> > Linux myhostname 2.6.9-5.ELsmp #1 SMP Wed Jan 5 19:30:39 EST 2005 i686 i686 i386 GNU/Linux
>
> Is this FC3 or RHEL4? What is your LD_LIBRARY_PATH set to?
>
> > I've downloaded the rpm: fedora-ds-7.1-2.RHEL4.i386.opt.rpm and installed it (rpm -iv ...).
> >
> > I cd into /opt/fedora-ds and run: ./setup/setup
> >
> > After entering my information in any of the three installation levels I get the error:
> > - Fedora-Directory/7.1 B2005.146.2010 starting up
> > - libdb: unable to initialize mutex: Function not implemented
> > - libdb: /opt/fedora-ds/slapd-myhostname/db/__db.001: unable to initialize environment lock: Function not implemented
> > - start: Failed to init database, err=38 Function not implemented
> >
> > etc...(I can't cut and paste into email so I'd have to type the rest, which is quite a bit)
> >
> > I've gone the route of re-installing the RPM then running the perl ds_newinst.pl /opt/fedora-ds/setup/install.inf (with the install.inf edited for my settings)
> > That resulted in a "Success", but then looking in the fedora logs it shows the same error above as far as the libdb:...
> >
> > Neither allow me to get access using startconsole.
> >
> > My LD_LIBRARY_PATH includes /opt/fedora-ds/lib
> > My PATH includes /opt/fedora-ds/bin/base/jre/bin
> > My CLASSPATH includes /opt/fedora-ds/bin/base/jre/bin:/opt/fedora-ds/java:/opt/fedora-ds/java/jars:/opt/fedora-ds/bin/base/jre/lib:/opt/fedora-ds/bin/base/jre/lib/ext:/opt/fedora-ds/bin/base/jre/bin/classic
> > My JAVA_HOME is /opt/fedora-ds/java
> >
> > Can anyone point me in the right direction to get past this problem?
> >
> > Thanks,
> > Chad

From admin at hostyle.it Thu Oct 27 15:20:08 2005
From: admin at hostyle.it (Enrico Valsecchi)
Date: Thu, 27 Oct 2005 17:20:08 +0200
Subject: [Fedora-directory-users] Very NewBye
In-Reply-To: <4360DCF1.1070007@redhat.com>
References: <200510271515.36798.admin@hostyle.it> <4360DCF1.1070007@redhat.com>
Message-ID: <200510271720.09001.admin@hostyle.it>

Many Many thanks,
I'm very stupid .... :-)

With these settings, everything starts successfully!

Well, with fedora-ds there is an admin console.
I start with ./startconsole, and a login/password window appears.
> > O.K., I created a .inf file with this content:
> >
> > [General]
> > FullMachineName= localhost.localdomain
> > SuiteSpotUserID= ldap
> > ServerRoot= /opt/ldapserver
> > [slapd]
> > ServerPort= 389
> > ServerIdentifier= localhost
> > Suffix= dc=localhost,dc=localdomain
> > RootDN= cn=Directory Manager
> > RootDNPwd= password
> >
> > and I go to /opt/fedora-ds/bin/slapd/admin/bin and run perl ds_newinst.pl my_new_inf_file
> >
> > O.K., the Perl script runs and at the console I get this message:
> >
> > CGI /opt/ldapserver/bin/slapd/admin/bin/ds_newinst failed with 1: here is the output:
> > Content-type: text/plain
> >
> > error:could not create server localhost - Could not write /opt/ldapserver/bin/slapd/admin/scripts/template-ldif2db.pl to /opt/ldapserver/slapd-localhost/ldif2db.pl (No such file or director).
> > NMC_Status: 1
> > Error: could not run /opt/ldapserver/bin/slapd/admin/bin/ds_newinst: 1
> > Error: Could not create new directory server instance
> >
> > User "nobody" is o.k. on my system, and the permissions on /opt/ldapserver are nobody.root with write permission for user and group and read for all
> >
> > Does anyone have a solution?
> >
> > Many thanks,
> >
> > Enrico

From rmeggins at redhat.com Thu Oct 27 15:22:39 2005
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 27 Oct 2005 09:22:39 -0600
Subject: [Fedora-directory-users] Very NewBye
In-Reply-To: <200510271720.09001.admin@hostyle.it>
References: <200510271515.36798.admin@hostyle.it> <4360DCF1.1070007@redhat.com> <200510271720.09001.admin@hostyle.it>
Message-ID: <4360F0BF.6070706@redhat.com>

Enrico Valsecchi wrote:
> Many Many thanks,
> I'm very stupid ....
> :-)
>
> With these settings, everything starts successfully!
>
> Well, with fedora-ds there is an admin console.
> I start with ./startconsole, and a login/password window appears.
>
> I insert my Admin Directory user and password.
> But where is the Administration URL?
> I have installed my fedora-ds in a localhost context (127.0.0.1)

When you ran setup, it asked you what port number you wanted to use for your admin server. The default is some random high port number. If you don't know what it is, you can look at admin-serv/config/adm.conf - it is the port: attribute. Then, you can do
startconsole -a http://localhost:port/

> Bye,
>
> Enrico
>
> > Change /opt/ldapserver to /opt/fedora-ds.
> >
> > Enrico Valsecchi wrote:
> > > Dear All,
> > >
> > > I'm a very newbie user of fedora-directory ....
> > > To start, I have a big problem!
> > >
> > > :-(
> > >
> > > Well, I have downloaded and installed from rpm package.
> > > O.K., I created a .inf file with this content:
> > >
> > > [General]
> > > FullMachineName= localhost.localdomain
> > > SuiteSpotUserID= ldap
> > > ServerRoot= /opt/ldapserver
> > > [slapd]
> > > ServerPort= 389
> > > ServerIdentifier= localhost
> > > Suffix= dc=localhost,dc=localdomain
> > > RootDN= cn=Directory Manager
> > > RootDNPwd= password
> > >
> > > and I go to /opt/fedora-ds/bin/slapd/admin/bin and run perl ds_newinst.pl my_new_inf_file
> > >
> > > O.K., the Perl script runs and at the console I get this message:
> > >
> > > CGI /opt/ldapserver/bin/slapd/admin/bin/ds_newinst failed with 1: here is the output:
> > > Content-type: text/plain
> > >
> > > error:could not create server localhost - Could not write /opt/ldapserver/bin/slapd/admin/scripts/template-ldif2db.pl to /opt/ldapserver/slapd-localhost/ldif2db.pl (No such file or director).
> > > NMC_Status: 1
> > > Error: could not run /opt/ldapserver/bin/slapd/admin/bin/ds_newinst: 1
> > > Error: Could not create new directory server instance
> > >
> > > User "nobody" is o.k. on my system, and the permissions on /opt/ldapserver are nobody.root with write permission for user and group and read for all
> > >
> > > Does anyone have a solution?
> > >
> > > Many thanks,
> > >
> > > Enrico

From elwartowski at gmail.com Thu Oct 27 15:28:46 2005
From: elwartowski at gmail.com (Chad Elwartowski)
Date: Thu, 27 Oct 2005 18:28:46 +0300
Subject: [Fedora-directory-users] libdb problem on setup
In-Reply-To: <332a4c70510270718r8a9dca4k306a430c901aa500@mail.gmail.com>
References: <332a4c70510270300r235a7e44p2aa6858d4c33986@mail.gmail.com> <4360DD27.8090507@redhat.com> <332a4c70510270718r8a9dca4k306a430c901aa500@mail.gmail.com>
Message-ID: <332a4c70510270828o6acf58e0hdd5018558c505f74@mail.gmail.com>

Yep, that's exactly what it was. LD_ASSUME_KERNEL was set to 2.4.1
Thanks a lot.
-Chad

On 10/27/05, Chad Elwartowski wrote:
> Rich,
> It's RHEL4 and my LD_LIBRARY_PATH is:
> /usr/local/geotrans/lib:/lib:/usr/lib:/usr/local/lib:/usr/local/las/binaries/gnu32linux:/opt/fedora-ds/lib
>
> On 10/27/05, Rich Megginson wrote:
> > Chad Elwartowski wrote:
> > > I'm trying to install the Fedora Directory and run into errors after executing the setup program.
> > >
> > > I'm running Redhat Linux:
> > > %uname -a
> > > Linux myhostname 2.6.9-5.ELsmp #1 SMP Wed Jan 5 19:30:39 EST 2005 i686 i686 i386 GNU/Linux
> >
> > Is this FC3 or RHEL4? What is your LD_LIBRARY_PATH set to?
> >
> > > I've downloaded the rpm: fedora-ds-7.1-2.RHEL4.i386.opt.rpm and installed it (rpm -iv ...).
> > >
> > > I cd into /opt/fedora-ds and run: ./setup/setup
> > >
> > > After entering my information in any of the three installation levels I get the error:
> > > - Fedora-Directory/7.1 B2005.146.2010 starting up
> > > - libdb: unable to initialize mutex: Function not implemented
> > > - libdb: /opt/fedora-ds/slapd-myhostname/db/__db.001: unable to initialize environment lock: Function not implemented
> > > - start: Failed to init database, err=38 Function not implemented
> > >
> > > etc...(I can't cut and paste into email so I'd have to type the rest, which is quite a bit)
> > >
> > > I've gone the route of re-installing the RPM then running the perl ds_newinst.pl /opt/fedora-ds/setup/install.inf (with the install.inf edited for my settings)
> > > That resulted in a "Success", but then looking in the fedora logs it shows the same error above as far as the libdb:...
> > >
> > > Neither allow me to get access using startconsole.
> > >
> > > My LD_LIBRARY_PATH includes /opt/fedora-ds/lib
> > > My PATH includes /opt/fedora-ds/bin/base/jre/bin
> > > My CLASSPATH includes /opt/fedora-ds/bin/base/jre/bin:/opt/fedora-ds/java:/opt/fedora-ds/java/jars:/opt/fedora-ds/bin/base/jre/lib:/opt/fedora-ds/bin/base/jre/lib/ext:/opt/fedora-ds/bin/base/jre/bin/classic
> > > My JAVA_HOME is /opt/fedora-ds/java
> > >
> > > Can anyone point me in the right direction to get past this problem?
> > >
> > > Thanks,
> > > Chad
From admin at hostyle.it Thu Oct 27 16:39:09 2005
From: admin at hostyle.it (Enrico Valsecchi)
Date: Thu, 27 Oct 2005 18:39:09 +0200
Subject: [Fedora-directory-users] Very NewBye
In-Reply-To: <4360F0BF.6070706@redhat.com>
References: <200510271515.36798.admin@hostyle.it> <200510271720.09001.admin@hostyle.it> <4360F0BF.6070706@redhat.com>
Message-ID: <200510271839.09190.admin@hostyle.it>

> When you ran setup, it asked you what port number you wanted to use for your admin server. The default is some random high port number. If you don't know what it is, you can look at admin-serv/config/adm.conf - it is the port: attribute. Then, you can do
> startconsole -a http://localhost:port/

Well, I have run the setup utility. I get this error:

Your new directory server has been started.
Created new Directory Server
Start Slapd Starting Slapd server configuration.
Success Slapd Added Directory Server information to Configuration Server.
Configuring Administration Server...
Setting up Administration Server Instance...
Configuring Administration Tasks in Directory Server...
Configuring Global Parameters in Directory Server...
Can't start Admin server [/opt/fedora-ds/start-admin > /tmp/file0505sF 2>&1] (error: No such file or directory)
INFO Finished with setup, logfile is setup/setup.log

O.K., I have read in the ML archive, and the response is "Check your DNS settings. This type of error is almost always DNS-related. Make sure your hostname/IP is in /etc/hosts at least."

All settings during install are "localhost", and this value is o.k. in /etc/host

When I retry starting the admin console with "start-admin", I get:
"Netscape-Enterprise/6.2 B04/18/2005 13:49 warning: daemon is running as super-user"

But, after some seconds, Netscape-Enterprise appears dead ....
:-(

Bye,

Enrico

From vestrum at msi.umn.edu Thu Oct 27 16:46:42 2005
From: vestrum at msi.umn.edu (John Vestrum)
Date: Thu, 27 Oct 2005 11:46:42 -0500
Subject: [Fedora-directory-users] Very NewBye
In-Reply-To: <200510271839.09190.admin@hostyle.it>
References: <200510271515.36798.admin@hostyle.it> <200510271720.09001.admin@hostyle.it> <4360F0BF.6070706@redhat.com> <200510271839.09190.admin@hostyle.it>
Message-ID: <20051027164642.GB3473@tsunami.msi.umn.edu>

On Thu, Oct 27, 2005 at 06:39:09PM +0200, Enrico Valsecchi wrote:
> Can't start Admin server [/opt/fedora-ds/start-admin > /tmp/file0505sF 2>&1] (error: No such file or directory)
> INFO Finished with setup, logfile is setup/setup.log

http://directory.fedora.redhat.com/wiki/FAQ#Troubleshooting_Admin_Server

-- 
John Vestrum
Unix Systems Administrator
Univ. of MN Supercomputing Institute
612-624-2212
vestrum at msi.umn.edu

From admin at hostyle.it Thu Oct 27 16:57:54 2005
From: admin at hostyle.it (Enrico Valsecchi)
Date: Thu, 27 Oct 2005 18:57:54 +0200
Subject: [Fedora-directory-users] Very NewBye
In-Reply-To: <20051027164642.GB3473@tsunami.msi.umn.edu>
References: <200510271515.36798.admin@hostyle.it> <200510271839.09190.admin@hostyle.it> <20051027164642.GB3473@tsunami.msi.umn.edu>
Message-ID: <200510271857.54661.admin@hostyle.it>

On Thursday 27 October 2005 at 18:46, John Vestrum wrote:
> On Thu, Oct 27, 2005 at 06:39:09PM +0200, Enrico Valsecchi wrote:
> > Can't start Admin server [/opt/fedora-ds/start-admin > /tmp/file0505sF 2>&1] (error: No such file or directory)
> > INFO Finished with setup, logfile is setup/setup.log
>
> http://directory.fedora.redhat.com/wiki/FAQ#Troubleshooting_Admin_Server

O.K.,
I start with ./startconsole -a http://localhost:15555
When I insert my username and password, an error window appears, with "Cannot connect to the Admin Server "http://localhost:15555/" The url is not correct or the server is not running."
:-(

Bye,

Enrico

From david_list at boreham.org Thu Oct 27 17:00:46 2005
From: david_list at boreham.org (David Boreham)
Date: Thu, 27 Oct 2005 11:00:46 -0600
Subject: [Fedora-directory-users] Very NewBye
In-Reply-To: <200510271857.54661.admin@hostyle.it>
References: <200510271515.36798.admin@hostyle.it> <200510271839.09190.admin@hostyle.it> <20051027164642.GB3473@tsunami.msi.umn.edu> <200510271857.54661.admin@hostyle.it>
Message-ID: <436107BE.9080406@boreham.org>

Enrico Valsecchi wrote:
> > http://directory.fedora.redhat.com/wiki/FAQ#Troubleshooting_Admin_Server
>
> O.K.,
> I start with ./startconsole -a http://localhost:15555
> When I insert my username and password, an error window appears, with "Cannot connect to the Admin Server "http://localhost:15555/" The url is not correct or the server is not running."

You're messing with the console. Your problem is with the admin server (which the console tries to connect to, and obviously it can't). Did you read the admin server troubleshooting page cited above yet?

From gholbert at broadcom.com Thu Oct 27 21:54:52 2005
From: gholbert at broadcom.com (George Holbert)
Date: Thu, 27 Oct 2005 14:54:52 -0700
Subject: [Fedora-directory-users] Using 'localhost' for configuration directory
Message-ID: <43614CAC.9080700@broadcom.com>

If each directory server in an environment will be acting as its own configuration directory (i.e., for o=NetscapeRoot stuff), is it ok to just use 'localhost' as the value for the configuration directory server? Or, is it better/required to use the FQDN of the public network interface (e.g., ldaphost.example.com)?
Thanks,
-- George

From rmeggins at redhat.com Thu Oct 27 22:08:26 2005
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 27 Oct 2005 16:08:26 -0600
Subject: [Fedora-directory-users] Using 'localhost' for configuration directory
In-Reply-To: <43614CAC.9080700@broadcom.com>
References: <43614CAC.9080700@broadcom.com>
Message-ID: <43614FDA.9040705@redhat.com>

George Holbert wrote:
> If each directory server in an environment will be acting as its own configuration directory (i.e., for o=NetscapeRoot stuff), is it ok to just use 'localhost' as the value for the configuration directory server? Or, is it better/required to use the FQDN of the public network interface (e.g., ldaphost.example.com)?

It just depends. Where are you setting the value for the configuration directory server host? Is it different than the hostname which will be used for other settings?

> Thanks,
> -- George

From joe at openpower.com.tw Fri Oct 28 02:53:02 2005
From: joe at openpower.com.tw (joe)
Date: Fri, 28 Oct 2005 10:53:02 +0800
Subject: [Fedora-directory-users] Re: Aboout Winsync
In-Reply-To: <435F9636.7070907@boreham.org>
References: <1130315462.13861.6.camel@mrjnote> <435F8A77.6040901@redhat.com> <435F9636.7070907@boreham.org>
Message-ID: <1130467982.3976.11.camel@mrjnote>

On 2005-10-26 at 08:44 -0600, David Boreham wrote:
> Rich Megginson wrote:
> > I think it's ok. Administrator is a "pseudo" user - it's only used for Windows domain administration. I don't think it follows the schema for a user. Does the Administrator entry have a full name or a surname?
> > There are other pseudo users that fall into this category, such as the kerberos kdc user. You could probably fill in the missing attributes and make it sync over, but it doesn't really matter unless you want to use the Administrator entry on unix.
>
> True (in fact, the special users in AD are not supposed to get sync'ed at all), but I'm puzzled about the group member being sync'ed. By design, only group members that are also already present in the peer directory should be sync'ed. Therefore, if things are working to plan, the Administrator user should not be sync'ed, and neither should any group member that has its DN.

Thanks for all of these answers. But I still have a problem with it. I try to add some users in my AD and fill their property values, such as full name, surname. Then I invoke the sync process again and check my directory tree in my FDS. It still has no users synced from AD. What's wrong with it? Do I miss something important?

Regards
Joe

From rmeggins at redhat.com Fri Oct 28 03:04:11 2005
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 27 Oct 2005 21:04:11 -0600
Subject: [Fedora-directory-users] Re: Aboout Winsync
In-Reply-To: <1130467982.3976.11.camel@mrjnote>
References: <1130315462.13861.6.camel@mrjnote> <435F8A77.6040901@redhat.com> <435F9636.7070907@boreham.org> <1130467982.3976.11.camel@mrjnote>
Message-ID: <4361952B.6070801@redhat.com>

You did the full synchronization first? Did it go to completion? If not, were there any errors in the error log? If so, did you wait 5 minutes (the default) for the users to be sync'd from AD to FDS after making the updates on AD? You should also be able to do the Send Updates Now from the console to pick up the changes.

joe wrote:
> On 2005-10-26 at 08:44 -0600, David Boreham wrote:
> > Rich Megginson wrote:
> > > I think it's ok.
> > > Administrator is a "pseudo" user - it's only used for Windows domain administration. I don't think it follows the schema for a user. Does the Administrator entry have a full name or a surname? There are other pseudo users that fall into this category, such as the kerberos kdc user. You could probably fill in the missing attributes and make it sync over, but it doesn't really matter unless you want to use the Administrator entry on unix.
> >
> > True (in fact, the special users in AD are not supposed to get sync'ed at all), but I'm puzzled about the group member being sync'ed. By design, only group members that are also already present in the peer directory should be sync'ed. Therefore, if things are working to plan, the Administrator user should not be sync'ed, and neither should any group member that has its DN.
>
> Thanks for all of these answers. But I still have a problem with it. I try to add some users in my AD and fill their property values, such as full name, surname. Then I invoke the sync process again and check my directory tree in my FDS. It still has no users synced from AD. What's wrong with it? Do I miss something important?
>
> Regards
> Joe

From admin at hostyle.it Fri Oct 28 18:16:21 2005
From: admin at hostyle.it (Enrico Valsecchi)
Date: Fri, 28 Oct 2005 20:16:21 +0200
Subject: [Fedora-directory-users] openlda client and fedora-ds
Message-ID: <200510282016.21450.admin@hostyle.it>

Dear All,

I have installed, with your help, my fedora-ds.
Many thanks!
Well, on my linux box the openldap client is installed, and I want to browse my ldap dir content.

O.K., I type:

ldapsearch -L -b "dc=chiccomara,dc=org" -W "(objectclass=*)"

The LDAP server requests a password. I type the LDAP password, and the result is:

SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available:

Where is the problem?

Many thanks,

Enrico Valsecchi

From admin at hostyle.it Fri Oct 28 18:16:52 2005
From: admin at hostyle.it (Enrico Valsecchi)
Date: Fri, 28 Oct 2005 20:16:52 +0200
Subject: [Fedora-directory-users] openlda client and fedora-ds
Message-ID: <200510282016.52719.admin@hostyle.it>

Dear All,

I have installed, with your help, my fedora-ds.
Many thanks!

Well, on my linux box the openldap client is installed, and I want to browse my ldap dir content.

O.K., I type:

ldapsearch -L -b "dc=chiccomara,dc=org" -W "(objectclass=*)"

The LDAP server requests a password. I type the LDAP password, and the result is:

SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available:

Where is the problem?

Many thanks,

Enrico Valsecchi

From nhosoi at redhat.com Fri Oct 28 18:25:10 2005
From: nhosoi at redhat.com (Noriko Hosoi)
Date: Fri, 28 Oct 2005 11:25:10 -0700
Subject: [Fedora-directory-users] openlda client and fedora-ds
In-Reply-To: <200510282016.21450.admin@hostyle.it>
References: <200510282016.21450.admin@hostyle.it>
Message-ID: <43626D06.3080806@redhat.com>

Could you please try the command line with '-x'?

usage: ldapsearch [options] [filter [attributes...]]
[...]
  -x         Simple authentication

--noriko

Enrico Valsecchi wrote:
> Dear All,
>
> I have installed, with your help, my fedora-ds.
> Many thanks!
>
> Well, on my linux box the openldap client is installed, and I want to browse my ldap dir content.
>
> O.K., I type:
>
> ldapsearch -L -b "dc=chiccomara,dc=org" -W "(objectclass=*)"
> The LDAP server requests a password.
> I type the LDAP password, and the result is:
> SASL/EXTERNAL authentication started
> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
> additional info: SASL(-4): no mechanism available:
>
> Where is the problem?
>
> Many thanks,
>
> Enrico Valsecchi

From gholbert at broadcom.com Fri Oct 28 18:23:56 2005
From: gholbert at broadcom.com (George Holbert)
Date: Fri, 28 Oct 2005 11:23:56 -0700
Subject: [Fedora-directory-users] openlda client and fedora-ds
In-Reply-To: <200510282016.52719.admin@hostyle.it>
References: <200510282016.52719.admin@hostyle.it>
Message-ID: <43626CBC.6010509@broadcom.com>

Enrico,
ldapsearch on Linux (built with OpenLDAP libs) defaults to SASL authentication. Add the -x switch to use simple authentication:

ldapsearch -x -L -b "dc=chiccomara,dc=org" -W "(objectclass=*)"

Enrico Valsecchi wrote:
> Dear All,
>
> I have installed, with your help, my fedora-ds.
> Many thanks!
>
> Well, on my linux box the openldap client is installed, and I want to browse my ldap dir content.
>
> O.K., I type:
>
> ldapsearch -L -b "dc=chiccomara,dc=org" -W "(objectclass=*)"
> The LDAP server requests a password.
> I type the LDAP password, and the result is:
> SASL/EXTERNAL authentication started
> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
> additional info: SASL(-4): no mechanism available:
>
> Where is the problem?
>
> Many thanks,
>
> Enrico Valsecchi

From agabila at con.mdsnews.com Mon Oct 31 02:56:02 2005
From: agabila at con.mdsnews.com (Anthony Gabila)
Date: Mon, 31 Oct 2005 13:56:02 +1100
Subject: [Fedora-directory-users] Fedora Management Console 7.0
Message-ID:

Hi,

Not quite sure how to solve this problem, I'm trying to add a user via Fedora Management Console, but I am not able to log in to my Win2k Pro machine using that username.

I manage to get around this problem by entering the command "smbpasswd -a testuser"

I was wondering if I could skip this extra step by doing all these in the Management Console app?

agabila

From rmeggins at redhat.com Mon Oct 31 15:57:18 2005
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 31 Oct 2005 08:57:18 -0700
Subject: [Fedora-directory-users] Fedora Management Console 7.0
In-Reply-To:
References:
Message-ID: <43663EDE.1080304@redhat.com>

Anthony Gabila wrote:
> Hi,
>
> Not quite sure how to solve this problem, I'm trying to add a user via Fedora Management Console, but I am not able to log in to my Win2k Pro machine using that username.
>
> I manage to get around this problem by entering the command "smbpasswd -a testuser"
>
> I was wondering if I could skip this extra step by doing all these in the Management Console app?

No, the Management Console is not integrated with Samba. But that's a good wishlist item. If you use the FDS Win Sync feature with Active Directory, you can add users to FDS which will automatically be added to AD, and vice versa.
>
> agabila
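What the -x switch in the "openlda client and fedora-ds" thread above changes on the wire, as an added example (it is not code from the thread, from OpenLDAP or from Fedora DS): the BindRequest PDU from RFC 4511 is BER-encoded once as a simple bind (what ldapsearch -x sends) and once as the SASL/EXTERNAL bind the OpenLDAP client attempts by default, plus a small decoder that classifies a captured bind the way a server or a network monitor would. The DN "cn=Directory Manager" comes from the thread; the password and the "EXTERNAL" mechanism name are constructed sample values.

```python
from typing import Optional


def ber_length(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, content: bytes) -> bytes:
    """Tag, length, content."""
    return bytes([tag]) + ber_length(len(content)) + content


def ber_integer(value: int) -> bytes:
    """Minimal two's-complement INTEGER (enough for message IDs and versions)."""
    length = max(1, (value.bit_length() + 8) // 8)
    return ber_tlv(0x02, value.to_bytes(length, "big", signed=True))


def ber_octet_string(data: bytes, tag: int = 0x04) -> bytes:
    return ber_tlv(tag, data)


def bind_request(message_id: int, dn: str, password: Optional[str] = None,
                 sasl_mechanism: Optional[str] = None) -> bytes:
    """Encode an LDAPMessage carrying a BindRequest (RFC 4511, section 4.2).

    Exactly one of password (simple bind, the -x case) or sasl_mechanism
    (the default the OpenLDAP client tries, hence the SASL/EXTERNAL error
    in the thread) is used.
    """
    if (password is None) == (sasl_mechanism is None):
        raise ValueError("choose either a simple password or a SASL mechanism")
    if password is not None:
        # AuthenticationChoice simple [0] OCTET STRING. The password travels in
        # cleartext, so -x only belongs on ldaps:// or after StartTLS.
        auth = ber_octet_string(password.encode("utf-8"), tag=0x80)
    else:
        # AuthenticationChoice sasl [3] SaslCredentials { mechanism, credentials }
        auth = ber_tlv(0xA3, ber_octet_string(sasl_mechanism.encode("utf-8")))
    bind = ber_tlv(0x60, ber_integer(3) + ber_octet_string(dn.encode("utf-8")) + auth)
    return ber_tlv(0x30, ber_integer(message_id) + bind)


def _read_tlv(buf: bytes, pos: int):
    """Parse one TLV starting at pos; return (tag, content, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def bind_auth_kind(pdu: bytes) -> str:
    """Classify a BindRequest PDU as 'simple' or 'sasl:<mechanism>'."""
    tag, msg, _ = _read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = _read_tlv(msg, 0)          # messageID
    tag, bind, _ = _read_tlv(msg, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, _, pos = _read_tlv(bind, 0)         # version
    _, _, pos = _read_tlv(bind, pos)       # name (LDAPDN)
    tag, auth, _ = _read_tlv(bind, pos)
    if tag == 0x80:
        return "simple"
    if tag == 0xA3:
        _, mech, _ = _read_tlv(auth, 0)
        return "sasl:" + mech.decode("utf-8")
    return "unknown"


if __name__ == "__main__":
    simple = bind_request(1, "cn=Directory Manager", password="password")
    external = bind_request(1, "", sasl_mechanism="EXTERNAL")
    print("ldapsearch -x :", simple.hex(), bind_auth_kind(simple))
    print("default (SASL):", external.hex(), bind_auth_kind(external))
```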