From dshackel at arbor.edu  Sat Apr  1 18:52:40 2006
From: dshackel at arbor.edu (Daniel Shackelford)
Date: Sat, 01 Apr 2006 13:52:40 -0500
Subject: [Fedora-directory-users] FDS AD Sync
Message-ID: <442ECBF8.20405@arbor.edu>

Another possible problem is incompatible password policies that keep the
passwords from replicating. Your passwords must adhere to both policies
(if you are enforcing password policies) in order for them to replicate.


From ahamino at gmail.com  Sun Apr  2 11:19:24 2006
From: ahamino at gmail.com (Abdelrahman)
Date: Sun, 2 Apr 2006 13:19:24 +0200
Subject: [Fedora-directory-users] FDS AD Sync
In-Reply-To: <442ECBF8.20405@arbor.edu>
References: <442ECBF8.20405@arbor.edu>

I have tried to disable all of the password policies on the AD to get rid
of this problem.

Where do I have to check if the AD policy disables new users by default?

regards,
Abdelrahman

On 4/1/06, Daniel Shackelford wrote:
>
> Another possible problem is incompatible password policies that keep the
> passwords from replicating. Your passwords must adhere to both policies
> (if you are enforcing password policies) in order for them to replicate.
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users


From rmeggins at redhat.com  Sun Apr  2 21:45:10 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Sun, 02 Apr 2006 15:45:10 -0600
Subject: [Fedora-directory-users] FDS AD Sync
References: <442ECBF8.20405@arbor.edu>
Message-ID: <443045E6.40607@redhat.com>

Abdelrahman wrote:
> I have tried to disable all of the password policies on the AD to get
> rid of this problem.
>
> Where do I have to check if the AD policy disables new users by default?!

I'm not exactly sure where - I don't have an AD installed. It may not be
in the password policy section, or it may be called something different,
like "Users must change password upon initial login" or something like
that.

> regards,
> Abdelrahman
>
> On 4/1/06, Daniel Shackelford wrote:
>
>     Another possible problem is incompatible password policies that
>     keep the passwords from replicating. Your passwords must adhere to
>     both policies (if you are enforcing password policies) in order
>     for them to replicate.


From magobin at gmail.com  Mon Apr  3 12:28:45 2006
From: magobin at gmail.com (Alex aka Magobin)
Date: Mon, 03 Apr 2006 14:28:45 +0200
Subject: [Fedora-directory-users] Hostname does not match CN....
Message-ID: <1144067325.8024.25.camel@localhost.localdomain>

Hi,

After, with your help, successfully configuring replication between the
servers, I took a look at configuring the clients' authentication through
the LDAP server... I have 2 questions:

1) Is it possible to add a user directly from Fedora DS as a POSIX user
using groups from the server? I don't know if groups are integrated with
the system... is it possible to add server groups to Fedora DS groups?

2) Reading the SSL howto, I exported the CA certificate to the client
(Fedora Core 5) in /etc/openldap/cacerts (some of the steps in the SSL
howto are automatically generated by Fedora Core 5, as it installs into
the cacerts directory in x509 mode), but when I try to check whether SSL
is enabled the answer is:

    [root at test]# ldapsearch -x -ZZ '(uid=testuser)'
    ldap_start_tls: Connect error (-11)
            additional info: TLS: hostname does not match CN in peer certificate

How can I solve it?

Alex


From dshackel at arbor.edu  Mon Apr  3 12:44:03 2006
From: dshackel at arbor.edu (Daniel Shackelford)
Date: Mon, 03 Apr 2006 08:44:03 -0400
Subject: [Fedora-directory-users] FDS AD Sync
Message-ID: <44311893.40600@arbor.edu>

I don't think it is an issue with settings in AD. Server 2003 will
automatically disable an account that is created with a blank password.
This seems to fit with what you are seeing, since the account is
immediately disabled in AD and the user is required to change their
password.

Is your SSL setup working? You can use ssltap (in
/opt/fedora-ds/shared/bin if you used the installed defaults) to proxy
the connections and see what is going (or not going) back and forth.
Replication requires SSL in order to sync passwords, and unless it is set
up correctly on both FDS and the DC with PassSync, you will not get any
passwords, period.

What do your logs in FDS say when you add a user? Are there any errors?
If the logs are not very informative, use the console to increase the log
level.

Passwords are the trickiest part of this setup, simply because they
require SSL/certificates and an extra app on the DC. The wiki has
detailed instructions. If you need more help, posting error messages and
log info would be very helpful.


From hariharan at lantana.cs.iitm.ernet.in  Sat Apr  1 04:52:21 2006
From: hariharan at lantana.cs.iitm.ernet.in (Hariharan R)
Date: Sat, 1 Apr 2006 10:22:21 +0530 (IST)
Subject: [Fedora-directory-users] Consumer initiated replication

Hi,

Thanks for your reply.

Let us take the scenario in which the consumer server is taken offline
for maintenance purposes. When the consumer server comes back online,
how does it initialize (update) its replica? Because in the meantime the
supplier server may have been updated.

If only supplier-initiated replication is supported by Fedora Directory
Server, how does the supplier know that the consumer has come back
online?

Regards,
Hariharan R

> Hi,
>    Does the Fedora Directory Server support consumer initiated
> replication. If not, is there any work around for this ?

> No Fedora DS does not support consumer initiated replication. For what
> reasons do you require CIR?

> Please advise.

---
Hariharan.R


From dschibeci at ccg.murdoch.edu.au  Mon Apr  3 01:17:01 2006
From: dschibeci at ccg.murdoch.edu.au (David Schibeci)
Date: Mon, 3 Apr 2006 09:17:01 +0800
Subject: [Fedora-directory-users] Mac OS X Client authenticating against Fedora Directory Server
In-Reply-To: <442DA390.4070607@cs.ou.edu>
References: <442DA390.4070607@cs.ou.edu>

For the record, I could only get Mac OS 10.4 to authenticate against FDS,
but this could be because I am using a non-standard port (390 + 637 for
LDAP and LDAPS respectively).

The only trick I needed was when configuring your LDAP source: under the
Security tab I needed to enable "Encrypt all packets (requires SSL or
Kerberos)".

It seems DirectoryServices was trying to initiate a SASL connection over
SSL, which would fail, but this could be due to a non-standard port.

Cheers,
David

On 01/04/2006, at 5:48 AM, Jim Summers wrote:

> Hello List,
>
> I am following up on a thread that was initiated by David Schibeci
> a few weeks back. He was trying to configure OS X machines to
> authenticate against FDS.
>
> I too will have to authenticate some OS X machines when I migrate
> over to FDS. So I thought I should test it out.
>
> Unfortunately I was not able to get it to work. All I am seeing in
> the system.log file are entries such as:
>
> DSOpenNode(): dsOpenDirNode("/LDAPv3/ipaddress") == -14002
> DSGetCurrentConfigInfo(): dsGetRecordEntry() == -14061
>
> Not too informative.
>
> Any ideas or suggestions will be greatly appreciated.
>
> Thanks
> --
> Jim Summers
> School of Computer Science-University of Oklahoma
> -------------------------------------------------


From rmeggins at redhat.com  Mon Apr  3 12:58:33 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 03 Apr 2006 06:58:33 -0600
Subject: [Fedora-directory-users] Consumer initiated replication
Message-ID: <44311BF9.2080604@redhat.com>

Hariharan R wrote:
>
> Hi,
>
> Thanks for your reply.
>
> Let us take the scenario in which the consumer server is taken off
> line for maintenance purpose. When the consumer server comes back
> online, how does it initialize (update) its replica? Because in the
> mean time the supplier server may have been updated.

The supplier will automatically update the consumer when it contacts the
consumer. The supplier attempts to contact the consumer periodically.
It uses a backoff strategy that has a maximum time of 5 minutes. So at
most, the consumer will be about 5 minutes behind the supplier.

> If only supplier initiated replication is supported by Fedora
> Directory Server, how does the supplier know that the consumer has
> come back online ?

It doesn't. There is no way for the consumer to contact the supplier
directly. If 5 minutes is too long, there is a way for an operator to
force sending updates. You can do this using ldapmodify - modify the
replication schedule in the replication agreement entry to "close the
window", e.g. use something like 0000-0001 0 (i.e. replicate between
midnight and 12:01 Sunday morning). Then, immediately change the
schedule back to what it was (usually 0000-2359 * or "* *"). This will
have the effect of forcing the supplier to send all of its updates
immediately.

> Regards,
> Hariharan R
>
>>> Hi,
>>> Does the Fedora Directory Server support consumer initiated
>>> replication. If not, is there any work around for this ?
>
>>> No Fedora DS does not support consumer initiated replication. For
>>> what reasons do you require CIR?
>
>>> Please advise.
>
> ---
> Hariharan.R
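The "close the window, then reopen it" trick Richard describes, as an added example that is not part of the thread or of Fedora DS. It validates the schedule strings before anything is written, answers whether a given schedule window is open at a given time (so you can see that "0000-0001 0" is closed practically always), and emits the two LDIF modify records to feed to ldapmodify, in order. The agreement DN is hypothetical, and the attribute grammar assumed here (nsds5ReplicaUpdateSchedule holding "HHMM-HHMM DAYS", DAYS being digits 0-6 with 0 = Sunday, "*" meaning every time or every day, "* *" meaning always) is my reading of the message above, not something the page states.

```python
"""Build the ldapmodify records that close and reopen a replication
agreement's update window, and check when a window is open.

Added example, not code from Fedora DS. Assumptions (not on the page):
the hypothetical agreement DN below, and the schedule grammar
"HHMM-HHMM DAYS" (DAYS = digits 0-6, 0 = Sunday, or "*"), with "* *"
meaning "always", as in Richard's message.
"""
import re
from datetime import datetime

SCHEDULE_ATTR = "nsds5ReplicaUpdateSchedule"
# Hypothetical agreement DN, for illustration only.
AGREEMENT_DN = ('cn=Replication to consumer1.example.com,cn=replica,'
                'cn="dc=example,dc=com",cn=mapping tree,cn=config')

_TIME_RE = re.compile(r"^(\d{2})(\d{2})-(\d{2})(\d{2})$")


def parse_schedule(schedule):
    """Return (start_minute, end_minute, days) for a schedule string.

    start/end are minutes since midnight, inclusive; "*" as the time part
    means 0000-2359.  days is a frozenset of weekday digits, 0 = Sunday.
    Anything malformed raises ValueError so garbage never reaches the
    agreement entry.  A window that ends before it starts is treated as
    invalid here (a deliberate design choice for this example).
    """
    parts = schedule.split()
    if len(parts) != 2:
        raise ValueError("schedule must be 'HHMM-HHMM DAYS': %r" % schedule)
    time_part, day_part = parts
    if time_part == "*":
        start, end = 0, 23 * 60 + 59
    else:
        m = _TIME_RE.match(time_part)
        if not m:
            raise ValueError("bad time range %r" % time_part)
        h1, m1, h2, m2 = (int(x) for x in m.groups())
        if not (h1 < 24 and h2 < 24 and m1 < 60 and m2 < 60):
            raise ValueError("time out of range %r" % time_part)
        start, end = h1 * 60 + m1, h2 * 60 + m2
        if end < start:
            raise ValueError("window ends before it starts %r" % time_part)
    if day_part == "*":
        days = frozenset(range(7))
    elif re.fullmatch(r"[0-6]+", day_part):
        days = frozenset(int(d) for d in day_part)
    else:
        raise ValueError("bad day list %r" % day_part)
    return start, end, days


def window_is_open(schedule, when):
    """True if the supplier may send updates at datetime `when`."""
    start, end, days = parse_schedule(schedule)
    # datetime.weekday(): Monday = 0 .. Sunday = 6; the schedule uses Sunday = 0.
    ds_day = (when.weekday() + 1) % 7
    minute = when.hour * 60 + when.minute
    return ds_day in days and start <= minute <= end


def _modify_ldif(dn, value):
    # One LDIF "changetype: modify" record replacing the schedule attribute.
    return ("dn: %s\nchangetype: modify\nreplace: %s\n%s: %s\n-\n"
            % (dn, SCHEDULE_ATTR, SCHEDULE_ATTR, value))


def force_update_ldifs(agreement_dn, current_schedule, closed="0000-0001 0"):
    """Return the two LDIF records to apply with ldapmodify, in order.

    The first closes the window (updates allowed only Sunday 00:00-00:01);
    the second restores the previous schedule.  Applying the second right
    after the first is what makes the supplier push its pending updates.
    Both schedules are validated before any LDIF is produced.
    """
    parse_schedule(current_schedule)
    parse_schedule(closed)
    return (_modify_ldif(agreement_dn, closed),
            _modify_ldif(agreement_dn, current_schedule))


if __name__ == "__main__":
    close_ldif, reopen_ldif = force_update_ldifs(AGREEMENT_DN, "0000-2359 *")
    # Apply each with something like:
    #   ldapmodify -x -D "cn=Directory Manager" -W -f close.ldif
    #   ldapmodify -x -D "cn=Directory Manager" -W -f reopen.ldif
    print(close_ldif)
    print(reopen_ldif)
```

Save the current value of the attribute before closing the window; restoring it from memory is how an agreement ends up stuck at "0000-0001 0" with nobody noticing until the consumer is hours behind.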
From jsummers at bachman.cs.ou.edu  Mon Apr  3 14:00:55 2006
From: jsummers at bachman.cs.ou.edu (Jim Summers)
Date: Mon, 03 Apr 2006 09:00:55 -0500
Subject: [Fedora-directory-users] Mac OS X Client authenticating against Fedora Directory Server
References: <442DA390.4070607@cs.ou.edu>
Message-ID: <44312A97.5030800@cs.ou.edu>

David Schibeci wrote:
> For the record, I could only get Mac OS 10.4 to authenticate against FDS,
> but this could be because I am using a non-standard port (390 + 637 for
> LDAP and LDAPS respectively).

At least you got it going. I am using standard ports. Here is something
I found in my logs on the FDS server:

    [31/Mar/2006:13:56:42 -0600] conn=10197 fd=82 slot=82 SSL connection from 129.15.xx.xx to 129.15.xx.xx
    [31/Mar/2006:13:56:42 -0600] conn=10197 op=-1 fd=82 closed - Encountered end of file.

This only shows up when I edit the entry in DirectoryServices and commit
the changes. Then I try an id command, which fails, and I see the above
message. Any ideas what the EOF means? My SSL works between FDS and other
Linux machines.

> The only trick I needed was when configuring your LDAP source: under the
> Security tab I needed to enable "Encrypt all packets (requires SSL or
> Kerberos)".

I will look for that. Thanks. Will post results.

Thanks again.

> It seems DirectoryServices was trying to initiate a SASL connection over
> SSL, which would fail, but this could be due to a non-standard port.
>
> Cheers,
> David

--
Jim Summers
School of Computer Science-University of Oklahoma
-------------------------------------------------


From gholbert at broadcom.com  Mon Apr  3 15:33:40 2006
From: gholbert at broadcom.com (George Holbert)
Date: Mon, 03 Apr 2006 08:33:40 -0700
Subject: [Fedora-directory-users] Hostname does not match CN....
In-Reply-To: <1144067325.8024.25.camel@localhost.localdomain>
References: <1144067325.8024.25.camel@localhost.localdomain>
Message-ID: <44314054.8000103@broadcom.com>

> [root at test]# ldapsearch -x -ZZ '(uid=testuser)'
> ldap_start_tls: Connect error (-11)
>         additional info: TLS: hostname does not match CN in peer certificate
>
> How can I solve it?

The server hostname you pass to ldapsearch must exactly match the CN in
the certificate you signed for the server.

So, if you signed the certificate with a fully-qualified domain name
(e.g. ldaphost.example.com), use "-h ldaphost.example.com" instead of
"-h ldaphost".


From magobin at gmail.com  Mon Apr  3 20:27:22 2006
From: magobin at gmail.com (Alessandro Binarelli)
Date: Mon, 3 Apr 2006 22:27:22 +0200
Subject: [Fedora-directory-users] Hostname does not match CN....
In-Reply-To: <44314054.8000103@broadcom.com>
References: <1144067325.8024.25.camel@localhost.localdomain>
	<44314054.8000103@broadcom.com>
Message-ID: <108b923c0604031327wdc1bcafl8afb88afc635ddeb@mail.gmail.com>

2006/4/3, George Holbert:
>
> The server hostname you pass to ldapsearch must exactly match the CN in
> the certificate you signed for the server.
>
> So, if you signed the certificate with a fully-qualified domain name
> (e.g. ldaphost.example.com), use "-h ldaphost.example.com" instead of
> "-h ldaphost".

Sigh... I found the problem... so:

I set up Fedora DS in a cluster scenario with two nodes, nodo1 and nodo2,
with their real IP addresses, and I made a multimaster replication;
taking advantage of the LDAP protocol I set up a floating IP address and
a DNS entry that points ldap.domain.example.com to that IP; therefore if
I make a query to ldap.domain.example.com, depending on whether the
floating IP is up on nodo1 or nodo2, the DS server answers the query,
taking advantage of multimaster replication... This scenario works very
well in clear mode... but I saw that if I set up SSL encryption and try
to verify it, the answer is:

    [root at test]# ldapsearch -h ldap.domain.example.com -x -ZZ '(ObjectClass=*:)' -d 1

    -CUT-

    TLS: hostname(ldap.domain.example.com) does not match common name in certificate (nodo1.domain.example.com)

...now... how can I solve it??


From gholbert at broadcom.com  Mon Apr  3 20:36:39 2006
From: gholbert at broadcom.com (George Holbert)
Date: Mon, 03 Apr 2006 13:36:39 -0700
Subject: [Fedora-directory-users] Hostname does not match CN....
In-Reply-To: <108b923c0604031327wdc1bcafl8afb88afc635ddeb@mail.gmail.com>
References: <1144067325.8024.25.camel@localhost.localdomain>
	<44314054.8000103@broadcom.com>
	<108b923c0604031327wdc1bcafl8afb88afc635ddeb@mail.gmail.com>
Message-ID: <44318757.7070904@broadcom.com>

> TLS: hostname(ldap.domain.example.com) does not match common name in
> certificate (nodo1.domain.example.com)
>
> ...now... how can I solve it??

For the setup you described, you'd probably want to use a single
certificate, signed with a CN of 'ldap.domain.example.com'.

This will make it possible for your server cert CNs and hostnames to
match consistently, regardless of which machine (nodo1 or nodo2) the
clients end up talking to.


From magobin at gmail.com  Mon Apr  3 21:12:36 2006
From: magobin at gmail.com (Alessandro Binarelli)
Date: Mon, 3 Apr 2006 23:12:36 +0200
Subject: [Fedora-directory-users] Hostname does not match CN....
In-Reply-To: <44318757.7070904@broadcom.com>
References: <1144067325.8024.25.camel@localhost.localdomain>
	<44314054.8000103@broadcom.com>
	<108b923c0604031327wdc1bcafl8afb88afc635ddeb@mail.gmail.com>
	<44318757.7070904@broadcom.com>
Message-ID: <108b923c0604031412g78c6347fp951841dcacf8cf46@mail.gmail.com>

> For the setup you described, you'd probably want to use a
> single certificate, signed with a CN of 'ldap.domain.example.com'.
>
> This will make it possible for your server cert CNs and
> hostnames to match consistently, regardless of which machine
> (nodo1 or nodo2) the clients end up talking to.

Uhm... I can try, but in that case, is it possible that I'll have a
problem with replication?

The nodes use server CAs with only one difference... the CN.

I made 2 server CAs with the same CA.

Thanks

Alex


From gholbert at broadcom.com  Mon Apr  3 21:18:33 2006
From: gholbert at broadcom.com (George Holbert)
Date: Mon, 03 Apr 2006 14:18:33 -0700
Subject: [Fedora-directory-users] Hostname does not match CN....
In-Reply-To: <108b923c0604031412g78c6347fp951841dcacf8cf46@mail.gmail.com>
References: <1144067325.8024.25.camel@localhost.localdomain>
	<44314054.8000103@broadcom.com>
	<108b923c0604031327wdc1bcafl8afb88afc635ddeb@mail.gmail.com>
	<44318757.7070904@broadcom.com>
	<108b923c0604031412g78c6347fp951841dcacf8cf46@mail.gmail.com>
Message-ID: <44319129.3080604@broadcom.com>

> Uhm... I can try, but in that case, is it possible that I'll have a
> problem with replication?

I don't think so. I've noticed that replication agreements over SSL
don't seem to care about hostname / CN matching, although they do check
that the CA is trusted. If I have the wrong impression on this, someone
please say so :).

In your replication agreements, you'd still want to use the
'nodo1.domain.example.com' or 'nodo2.domain.example.com' names, as
'ldap.domain.example.com' would obviously not be specific enough.


From magobin at gmail.com  Tue Apr  4 08:19:34 2006
From: magobin at gmail.com (Alex aka Magobin)
Date: Tue, 04 Apr 2006 10:19:34 +0200
Subject: [Fedora-directory-users] Hostname does not match CN....
In-Reply-To: <44319129.3080604@broadcom.com>
References: <1144067325.8024.25.camel@localhost.localdomain>
	<44314054.8000103@broadcom.com>
	<108b923c0604031327wdc1bcafl8afb88afc635ddeb@mail.gmail.com>
	<44318757.7070904@broadcom.com>
	<108b923c0604031412g78c6347fp951841dcacf8cf46@mail.gmail.com>
	<44319129.3080604@broadcom.com>
Message-ID: <1144138774.7699.12.camel@localhost.localdomain>

On Mon, 2006-04-03 at 14:18 -0700, George Holbert wrote:
> > Uhm... I can try, but in that case, is it possible that I'll have a
> > problem with replication?
>
> I don't think so. I've noticed that replication agreements over SSL
> don't seem to care about hostname / CN matching, although they do check
> that the CA is trusted. If I have the wrong impression on this, someone
> please say so :).
>
> In your replication agreements, you'd still want to use the
> 'nodo1.domain.example.com' or 'nodo2.domain.example.com' names, as
> 'ldap.domain.example.com' would obviously not be specific enough.

Today I tried to issue 2 server certs using the same CA... using the
same CN... I can make the certs correctly and in Manage Certificates I
can see both server certs with the same name... but when I try to
establish SSL encryption between the servers:

    NSMMReplicationPlugin - agmt="cn=Replication to nodo1.domain.example.com" (nodo1:636): Simple bind failed, LDAP sdk error 81 (Can't contact LDAP server), Netscape Portable Runtime error -12276 (Unable to communicate securely with peer: requested domain name does not match the server's certificate.)

Is there someone that uses two Fedora DS servers to authenticate clients?
Even if I can browse FDS in clear mode both on nodo1 and nodo2... in
encrypted mode only one can certify my clients?

alex


From magobin at gmail.com  Tue Apr  4 13:17:43 2006
From: magobin at gmail.com (Alex aka Magobin)
Date: Tue, 04 Apr 2006 15:17:43 +0200
Subject: [Fedora-directory-users] Hostname does not match CN....
In-Reply-To: <44319129.3080604@broadcom.com>
References: <1144067325.8024.25.camel@localhost.localdomain>
	<44314054.8000103@broadcom.com>
	<108b923c0604031327wdc1bcafl8afb88afc635ddeb@mail.gmail.com>
	<44318757.7070904@broadcom.com>
	<108b923c0604031412g78c6347fp951841dcacf8cf46@mail.gmail.com>
	<44319129.3080604@broadcom.com>
Message-ID: <1144156663.7699.25.camel@localhost.localdomain>

I did a fresh SSL install and renamed the nodo1 CN to
ldap.domain.example.com... now, exporting the CA to the test client, it
works... but only if I put the floating IP where the CA was made...
obviously.

Now, how can I set up SSL so that it works regardless of which server
I'm connected to? My goal is to authenticate clients with SSL using
Fedora DS... using both servers indifferently.

Thanks in advance

Alex


From rcritten at redhat.com  Tue Apr  4 13:27:40 2006
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 04 Apr 2006 09:27:40 -0400
Subject: [Fedora-directory-users] Hostname does not match CN....
In-Reply-To: <1144138774.7699.12.camel@localhost.localdomain>
References: <1144067325.8024.25.camel@localhost.localdomain>
	<44314054.8000103@broadcom.com>
	<108b923c0604031327wdc1bcafl8afb88afc635ddeb@mail.gmail.com>
	<44318757.7070904@broadcom.com>
	<108b923c0604031412g78c6347fp951841dcacf8cf46@mail.gmail.com>
	<44319129.3080604@broadcom.com>
	<1144138774.7699.12.camel@localhost.localdomain>
Message-ID: <4432744C.1090600@redhat.com>

Alex aka Magobin wrote:
> Today I tried to issue 2 server certs using the same CA... using the
> same CN... I can make the certs correctly and in Manage Certificates I
> can see both server certs with the same name... but when I try to
> establish SSL encryption between the servers:
>
> NSMMReplicationPlugin - agmt="cn=Replication to
> nodo1.domain.example.com" (nodo1:636): Simple bind failed, LDAP sdk
> error 81 (Can't contact LDAP server), Netscape Portable Runtime error
> -12276 (Unable to communicate securely with peer: requested domain name
> does not match the server's certificate.)
>
> Is there someone that uses two Fedora DS servers to authenticate clients?
> Even if I can browse FDS in clear mode both on nodo1 and nodo2... in
> encrypted mode only one can certify my clients?

This isn't an SSL problem, it's a problem with the way you are trying to
use it. You are trying to present the world with a single directory
server and behind the scenes have 2 physical servers. Nothing wrong with
this but you were told a while back that this could be a problem.

You basically need your machine to answer to 2 separate things: its
"real" hostname and the "cluster" hostname.

As I see it, there are 2 ways to resolve this. I'm not a DS engineer so
I can't say which one is more plausible/possible, and there may be other
ways that I'm not seeing.

1. The easiest solution is to use a wildcard in the SSL server
certificate hostname: CN=*.example.com. This is super ugly but should
work. Note that you'll never get a CA like Verisign to issue you a
wildcard server certificate. So if you are using your own self-signed CA
during testing and plan to get server certs later from another CA,
beware.

2. I wonder if it is possible to set up multiple listeners and assign a
separate SSL certificate to each one. Then you could have
CN=host1.example.com on say port 638 for replication and
CN=ldap.example.com on 636 for general use.

I don't know if #2 is even possible right now. #1 definitely is but has
issues.

One of the reasons for SSL is to prevent man-in-the-middle attacks. This
is precisely the problem you are having. SSL is detecting that things
aren't lining up like they should and preventing you from continuing.
While a wildcard certificate will get around this you must understand
that you are also giving up a certain amount of security. It makes no
difference if the data on the wire is encrypted if it is going to be
decrypted at the wrong place on the other end.

Just remember that there is a trade-off between security and convenience.

rob
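The hostname check that keeps failing in this thread, as an added example that is not code from Fedora DS, NSS, OpenLDAP or any of the posters. It applies the matching rules of RFC 6125 section 6.4 (compare the reference hostname against the certificate's subjectAltName DNS entries, fall back to the subject CN only when there are no DNS SANs, compare case-insensitively, and let "*" stand in for exactly one leftmost label) to the three names used in the thread. The certificate contents are constructed. Beyond what the thread discusses, it also shows one certificate whose subjectAltName lists the floating name and both node names, which is the usual way to cover clients and replication agreements with one certificate and no wildcard.

```python
"""Hostname-vs-certificate matching as a TLS client performs it, run
against the two-node / floating-name setup from this thread.

Added example, not code from Fedora DS, NSS or OpenLDAP.  Rules follow
RFC 6125 section 6.4.  Certificates below are constructed; the hostnames
are the ones from the thread.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ServerCert:
    """Only the identity fields of an X.509 server certificate."""
    cn: str
    san_dns: List[str] = field(default_factory=list)


def _label_matches(pattern, label):
    # "*" must be the whole label; partial wildcards such as "f*o" are
    # deliberately not accepted.
    return pattern == "*" or pattern == label


def dns_name_matches(presented, hostname):
    """Match one presented DNS identifier (possibly wildcard) to hostname."""
    p = presented.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False          # a wildcard never spans a different label count
    if "*" in p[1:]:
        return False          # wildcard allowed only in the leftmost label
    if p[0] == "*" and len(p) < 3:
        return False          # refuse "*.com"-style wildcards
    return all(_label_matches(pp, hh) for pp, hh in zip(p, h))


def cert_matches_hostname(cert, hostname):
    """Return the presented identifier that matched, or None (= reject).

    When the certificate carries DNS SANs only they are consulted; the CN
    is a fallback for SAN-less certificates like the ones in this thread.
    """
    names = cert.san_dns if cert.san_dns else [cert.cn]
    for name in names:
        if dns_name_matches(name, hostname):
            return name
    return None


def check_deployment(cert, hostnames):
    """Map each name a client or replication supplier might connect to
    onto the identifier that satisfied it, or None where the handshake
    would be refused."""
    return {h: cert_matches_hostname(cert, h) for h in hostnames}


# Names from the thread: two real nodes and the floating cluster name.
NODE1 = "nodo1.domain.example.com"
NODE2 = "nodo2.domain.example.com"
CLUSTER = "ldap.domain.example.com"

# Constructed certificates for the example.
NODE1_CERT = ServerCert(cn=NODE1)                        # Alex's starting point
WILDCARD_CERT = ServerCert(cn="*.example.com")           # Rob's option 1 as written
WILDCARD_DOMAIN_CERT = ServerCert(cn="*.domain.example.com")
SAN_CERT = ServerCert(cn=CLUSTER, san_dns=[CLUSTER, NODE1, NODE2])


if __name__ == "__main__":
    for label, cert in [("CN=nodo1", NODE1_CERT),
                        ("CN=*.example.com", WILDCARD_CERT),
                        ("CN=*.domain.example.com", WILDCARD_DOMAIN_CERT),
                        ("SAN cert", SAN_CERT)]:
        print(label, check_deployment(cert, [CLUSTER, NODE1, NODE2]))
```

Two things the run makes visible: a wildcard covers exactly one label, so CN=*.example.com does not match nodo1.domain.example.com at all and the wildcard would have to be *.domain.example.com for the names in this thread; and once a certificate carries DNS SANs the CN is no longer consulted, so the floating name must be in the SAN list and not only in the CN.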
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From logastellus at yahoo.com Tue Apr 4 13:37:50 2006 From: logastellus at yahoo.com (Susan) Date: Tue, 4 Apr 2006 06:37:50 -0700 (PDT) Subject: [Fedora-directory-users] Hostname does not match CN.... In-Reply-To: <44319129.3080604@broadcom.com> Message-ID: <20060404133750.78234.qmail@web52901.mail.yahoo.com> --- George Holbert wrote: > > Uhm...I can try, but in that case, is it possible that I've a problem > > with replication ? > > I don't think so. I've noticed that replication agreements over SSL > don't seem to care about hostname / CN matching, although they do check > that the CA is trusted. If I have the wrong impression on this, someone > please say so :). Guys, you shouldn't have to do this. This is what I have in my cert DB: [root at cnyldap01 alias]# ../shared/bin/certutil -L -d . CA certificate CTu,u,u NJ-Server-Cert u,u,u NJ-admin-server-cert u,u,u NY-Server-Cert u,u,u NY-admin-server-cert u,u,u I then sent the cert8.db & key3.db over to the other server, setup the replication agreements back & forth and voila! Basically, I shoved all my certs in 1 DB and blasted that everywhere. Now, for the floating IP. If you've two nodes, node1 & node2 and a VIP, ldap.com and your outside clients talk to ldap.com and your certs are signed with node1 & node2 then I'm guessing SSL verification will fail. You're trying to talk to ldap.com but your certs are signed with node1/2 -- no go. For this end to end SSL to work, you'd need an SSL terminator IN FRONT of the FDS servers, something that will impersonate ldap.com, return a cert for ldap.com and then turn around and encrypt the traffic again, passing it to either node1 or node2. A cute little problem is what to do when the ssl proxy fails? :) The thing is like this. What is the problem you are trying to solve? Why have two FDS servers in 1 location? Why have the virtual IP? 
It really doesn't buy you a whole lot. Have 2 FDSs if you insist but then list all of them in the clients' ldap.conf -- no problem.

From magobin at gmail.com Tue Apr 4 13:44:53 2006
From: magobin at gmail.com (Alex aka Magobin)
Date: Tue, 04 Apr 2006 15:44:53 +0200
Subject: [Fedora-directory-users] Hostname does not match CN....
In-Reply-To: <4432744C.1090600@redhat.com>
References: <1144067325.8024.25.camel@localhost.localdomain> <44314054.8000103@broadcom.com> <108b923c0604031327wdc1bcafl8afb88afc635ddeb@mail.gmail.com> <44318757.7070904@broadcom.com> <108b923c0604031412g78c6347fp951841dcacf8cf46@mail.gmail.com> <44319129.3080604@broadcom.com> <1144138774.7699.12.camel@localhost.localdomain> <4432744C.1090600@redhat.com>
Message-ID: <1144158293.7699.38.camel@localhost.localdomain>

> This isn't an SSL problem, it's a problem with the way you are trying to
> use it. You are trying to present the world with a single directory
> server and behind the scenes have 2 physical servers. Nothing wrong with
> this but you were told a while back that this could be a problem.

Yes...but I thought that someone had implemented 2 LDAP servers on a cluster system;

> 1. The easiest solution is to use a wildcard in the SSL server
> certificate hostname: CN=*.example.com. This is super ugly but should
> work. Note that you'll never get a CA like Verisign to issue you a
> wildcard server certificate. So if you are using your own self-signed CA
> during testing and plan to get server certs later from another CA beware.
>

uhm..very dangerous

> 2. I wonder if it is possible to set up multiple listeners and assign a
> separate SSL certificate to each one. Then you could have
> CN=host1.example.com on say port 638 for replication and
> CN=ldap.example.com on 636 for general use.
>

This may be a solution...if it's possible...but I'm a newbie about SSL.

Ok...omit the cluster...if I have a Fedora DS server (A) that is an SSL server too...as long as A is alone I configure my clients to point at this server for authentication and I tested that it works perfectly..now I want another server for load balancing, replicated in multimaster (B)...now...how can I set up SSL for this scenario? This scenario is normal, for example, in Windows Active Directory...I think that it's impossible that nobody has ever made a test like this or implemented something like this.

From logastellus at yahoo.com Tue Apr 4 13:59:19 2006
From: logastellus at yahoo.com (Susan)
Date: Tue, 4 Apr 2006 06:59:19 -0700 (PDT)
Subject: [Fedora-directory-users] Hostname does not match CN....
In-Reply-To: <1144158293.7699.38.camel@localhost.localdomain>
Message-ID: <20060404135919.24287.qmail@web52903.mail.yahoo.com>

--- Alex aka Magobin wrote:
> Ok...omit cluster...if I have a server Fedora DS (A) that it's ssl
> server too...until A is alone I configure my clients to point at this
> server for authentication and I tested it works perfectly..now I want
> another server for load balancing replicated in
> multimaster(B)...now...how can I set up ssl for this scenario ? This

I have this exact setup. 2 FDSs, MMR over SSL.

From magobin at gmail.com Tue Apr 4 14:02:53 2006
From: magobin at gmail.com (Alex aka Magobin)
Date: Tue, 04 Apr 2006 16:02:53 +0200
Subject: [Fedora-directory-users] Hostname does not match CN....
In-Reply-To: <20060404133750.78234.qmail@web52901.mail.yahoo.com>
References: <20060404133750.78234.qmail@web52901.mail.yahoo.com>
Message-ID: <1144159373.7699.55.camel@localhost.localdomain>

> [root@cnyldap01 alias]# ../shared/bin/certutil -L -d .
> CA certificate CTu,u,u
> NJ-Server-Cert u,u,u
> NJ-admin-server-cert u,u,u
> NY-Server-Cert u,u,u
> NY-admin-server-cert u,u,u
>

yes, more or less like me..I didn't configure admin

> Now, for the floating IP. If you've two nodes, node1 & node2 and a VIP, ldap.com and your outside
> clients talk to ldap.com and your certs are signed with node1 & node2 then I'm guessing SSL
> verification will fail. You're trying to talk to ldap.com but your certs are signed with node1/2
> -- no go. For this end to end SSL to work, you'd need an SSL terminator IN FRONT of the FDS
> servers, something that will impersonate ldap.com, return a cert for ldap.com and then turn around
> and encrypt the traffic again, passing it to either node1 or node2. A cute little problem is what
> to do when the ssl proxy fails? :)

Unfortunately too complicated for me at this moment :-(

> The thing is like this. What is the problem you are trying to solve? Why have two FDS servers in
> 1 location? Why have the virtual IP? It really doesn't buy you a whole lot.
>

Ok Susan..the problem is configuring Fedora DS in a cluster scenario; I have two options:

1) Configuring Fedora DS on a GFS file system so I can move DS from nodo1 to nodo2 if it fails for some reason
2) Taking advantage of multi-master replication to do the same thing...but in this case I have to configure a floating IP and an entry in DNS that points to that IP because I don't want clients to point directly to the nodes ...The second option is better because in this way I can do load balancing...but even if I use the real name and real IP address of nodo1 and nodo2 the problem is SSL....of course, I can use wildcards as Rob says...but in that case is a whole security

> Have 2 FDSs if you insist but then list all of them in the clients' ldap.conf -- no problem.

Please can you explain this?...how can I configure the clients' ldap.conf to listen to both servers in SSL mode?
thanks...like always

Alex

From magobin at gmail.com Tue Apr 4 14:07:06 2006
From: magobin at gmail.com (Alex aka Magobin)
Date: Tue, 04 Apr 2006 16:07:06 +0200
Subject: [Fedora-directory-users] Hostname does not match CN....
In-Reply-To: <20060404135919.24287.qmail@web52903.mail.yahoo.com>
References: <20060404135919.24287.qmail@web52903.mail.yahoo.com>
Message-ID: <1144159626.7699.59.camel@localhost.localdomain>

On Tue, 2006-04-04 at 06:59 -0700, Susan wrote:
>
> --- Alex aka Magobin wrote:
> > Ok...omit cluster...if I have a server Fedora DS (A) that it's ssl
> > server too...until A is alone I configure my clients to point at this
> > server for authentication and I tested it works perfectly..now I want
> > another server for load balancing replicated in
> > multimaster(B)...now...how can I set up ssl for this scenario ? This
>
> I have this exact setup. 2 FDSs, MMR over SSL.
>

yes, you have this scenario like me...I made my test with your help too...but how can you authenticate clients?....They always point to the CN that exports the CA...so if you made the CA on A...and you shut it down, DS is still up on B but clients never login using B because the CN is different and they report that hostname does not match CN in peer certificate...

Alex

From logastellus at yahoo.com Tue Apr 4 14:32:52 2006
From: logastellus at yahoo.com (Susan)
Date: Tue, 4 Apr 2006 07:32:52 -0700 (PDT)
Subject: [Fedora-directory-users] Hostname does not match CN....
In-Reply-To: <1144159626.7699.59.camel@localhost.localdomain>
Message-ID: <20060404143252.39534.qmail@web52915.mail.yahoo.com>

--- Alex aka Magobin wrote:
> On mar, 2006-04-04 at 06:59 -0700, Susan wrote:
> >
> > --- Alex aka Magobin wrote:
> > > Ok...omit cluster...if I have a server Fedora DS (A) that it's ssl
> > > server too...until A is alone I configure my clients to point at this
> > > server for authentication and I tested it works perfectly..now I want
> > > another server for load balancing replicated in
> > > multimaster(B)...now...how can I set up ssl for this scenario ? This
> >
> > I have this exact setup. 2 FDSs, MMR over SSL.
> >
>
> yes, you have this scenario like me...I maked my test with your help
> too...but how can you authenticate clients?....They always point to cn
> that exports CA...so if you maked CA on A...and you shutdown it DS is
> still up in B but clients never login using B because CN is different
> and they report that hostname does not match CN in peer certificate...

If A is down, the clients go to B because of this entry (in the client's /etc/openldap/ldap.conf):

HOST cnyldap01 cnjldap01

Now, I'm not verifying the FDS identity so I'm not using FQDN but that's a minor point. If cnyldap01 is down, it goes to cnjldap01 immediately. There's about a half a second delay.

From sbonnevi at redhat.com Tue Apr 4 14:40:40 2006
From: sbonnevi at redhat.com (Steven Bonneville)
Date: Tue, 4 Apr 2006 10:40:40 -0400
Subject: [Fedora-directory-users] Re: Hostname does not match CN
In-Reply-To: <20060404140715.EDF6173817@hormel.redhat.com>; from fedora-directory-users-request@redhat.com on Tue, Apr 04, 2006 at 10:07:15AM -0400
References: <20060404140715.EDF6173817@hormel.redhat.com>
Message-ID: <20060404104040.A4373@lacrosse.corp.redhat.com>

Rob Crittenden wrote:
> Alex aka Magobin wrote:
[...]
> > today I tried to issue 2 server certs using the same CA...using the same
> > CN...I can make correctly the certs and in Manage Certificate I can see
> > both server certs with the same name...but when I try to establish ssl
> > encryption between servers:
> >
> > NSMMReplicationPlugin -agmt="cn="Replication to
> > nodo1.domain.example.com""(nodo1:636): Simple bind failed, LDAP sdk
> > error 81 (Can't contact LDAP server), Netscape Portable Runtime error-
> > 12276 (Unable to communicate securely with peer: requested domain name
> > does not match the server's certificate.)
> >
> > Is there someone that use two server Fedora DS to authenticate clients?
> > Even if I can browse in clear mode FDS both on nodo1 and nodo2...in
> > encrypt mode only one can certificate my clients?
>
> This isn't an SSL problem, it's a problem with the way you are trying to
> use it. You are trying to present the world with a single directory
> server and behind the scenes have 2 physical servers. Nothing wrong with
> this but you were told a while back that this could be a problem.
>
> You basically need your machine to answer to 2 separate things: its
> "real" hostname and the "cluster" hostname.
>
> As I see it, there are 2 ways to resolve this. I'm not a DS engineer so
> I can't say which one is more plausible/possible, and there may be other
> ways that I'm not seeing.
>
> 1. The easiest solution is to use a wildcard in the SSL server
> certificate hostname: CN=*.example.com. This is super ugly but should
> work. Note that you'll never get a CA like Verisign to issue you a
> wildcard server certificate. So if you are using your own self-signed CA
> during testing and plan to get server certs later from another CA beware.
>
> 2. I wonder if it is possible to set up multiple listeners and assign a
> separate SSL certificate to each one. Then you could have
> CN=host1.example.com on say port 638 for replication and
> CN=ldap.example.com on 636 for general use.
>
> I don't know if #2 is even possible right now. #1 definitely is but has
> issues. One of the reasons for SSL is to prevent man-in-the-middle
> attacks. This is precisely the problem you are having. SSL is detecting
> that things aren't lining up like they should and preventing you from
> continuing. While a wildcard certificate will get around this you must
> understand that you are also giving up a certain amount of security.

Does Directory Server support the subjectAltName extension on SSL certs? If it does, then you could create a certificate with a subject of cn=ldap.domain.example.com,... and a subjectAltName of something like DNS:nodo1.domain.example.com. I think you can have multiple subjectAltName extensions on one certificate.

See /usr/share/doc/openssl-0.9.7a/openssl.txt for some more details. I'm not a DS engineer either, and while it's on my "to do" list, I haven't tried this myself yet.

-- Steve Bonneville

From ahamino at gmail.com Tue Apr 4 15:16:07 2006
From: ahamino at gmail.com (Abdelrahman)
Date: Tue, 4 Apr 2006 17:16:07 +0200
Subject: [Fedora-directory-users] FDS AD Sync
In-Reply-To: <44311893.40600@arbor.edu>
Message-ID: <001b01c657fa$b8254a90$0200a8c0@abdodesktop>

Sorry for my late reply...

I checked the logs both on the AD server and the FDS server. Although I was able to change a password from AD to FDS, I still can't sync new accounts from FDS to AD without having to enable and reset the password on the account the first time.

Maybe this error means something: "NSMMReplicationPlugin - failed to send dirsync search request: 2"

As for ssltap, I don't know how to use it?! What should I get?!
I have attached the logs of the 2 servers.

regards
abdelrahman

This is the log on AD (passsync.log):

04/08/06 15:13:36: PassSync service started
04/08/06 15:13:36: 1 new entries loaded from data file
04/08/06 15:13:36: Cleared contents of data file
04/08/06 15:13:36: Password list has 1 entries
04/08/06 15:13:36: Attempting to sync password for __VMWARE_USER__
04/08/06 15:13:36: Searching for (ntuserdomainid=__VMWARE_USER__)
04/08/06 15:13:37: Password modified for remote entry: uid=__VMWARE_USER__,ou=People,dc=mycompany,dc=com
04/08/06 15:13:37: Removing password change from list
04/08/06 15:13:37: Password list is empty. Waiting for passhook event
04/09/06 16:40:11: Received passhook event. Attempting sync
04/09/06 16:40:11: 1 new entries loaded from data file
04/09/06 16:40:11: Cleared contents of data file
04/09/06 16:40:11: Password list has 1 entries
04/09/06 16:40:11: Attempting to sync password for testr
04/09/06 16:40:11: Searching for (ntuserdomainid=testr)
04/09/06 16:40:11: Password modified for remote entry: uid=testr,ou=People,dc=mycompany,dc=com
04/09/06 16:40:11: Removing password change from list
04/09/06 16:40:11: Password list is empty. Waiting for passhook event
04/09/06 16:40:12: Received passhook event. Attempting sync
04/09/06 16:40:12: 1 new entries loaded from data file
04/09/06 16:40:12: Cleared contents of data file
04/09/06 16:40:12: Password list has 1 entries
04/09/06 16:40:12: Attempting to sync password for testr
04/09/06 16:40:12: Searching for (ntuserdomainid=testr)
04/09/06 16:40:12: Password match, no modify performed: testr
04/09/06 16:40:12: Removing password change from list
04/09/06 16:40:12: Password list is empty. Waiting for passhook event
04/09/06 16:40:55: Received passhook event. Attempting sync
04/09/06 16:40:55: 1 new entries loaded from data file
04/09/06 16:40:55: Cleared contents of data file
04/09/06 16:40:55: Password list has 1 entries
04/09/06 16:40:55: Attempting to sync password for testr
04/09/06 16:40:55: Searching for (ntuserdomainid=testr)
04/09/06 16:40:55: Password modified for remote entry: uid=testr,ou=People,dc=mycompany,dc=com
04/09/06 16:40:55: Removing password change from list
04/09/06 16:40:55: Password list is empty. Waiting for passhook event
04/09/06 16:40:55: Received passhook event. Attempting sync
04/09/06 16:40:55: 1 new entries loaded from data file
04/09/06 16:40:55: Cleared contents of data file
04/09/06 16:40:55: Password list has 1 entries
04/09/06 16:40:55: Attempting to sync password for testr
04/09/06 16:40:55: Searching for (ntuserdomainid=testr)
04/09/06 16:40:55: Password match, no modify performed: testr
04/09/06 16:40:55: Removing password change from list
04/09/06 16:40:55: Password list is empty. Waiting for passhook event
04/09/06 16:43:28: Received passhook event. Attempting sync
04/09/06 16:43:28: 1 new entries loaded from data file
04/09/06 16:43:28: Cleared contents of data file
04/09/06 16:43:28: Password list has 1 entries
04/09/06 16:43:28: Attempting to sync password for testr
04/09/06 16:43:28: Searching for (ntuserdomainid=testr)
04/09/06 16:43:28: Password modified for remote entry: uid=testr,ou=People,dc=mycompany,dc=com
04/09/06 16:43:28: Removing password change from list
04/09/06 16:43:28: Password list is empty. Waiting for passhook event
04/09/06 16:43:28: Received passhook event. Attempting sync
04/09/06 16:43:28: 1 new entries loaded from data file
04/09/06 16:43:28: Cleared contents of data file
04/09/06 16:43:28: Password list has 1 entries
04/09/06 16:43:28: Attempting to sync password for testr
04/09/06 16:43:28: Searching for (ntuserdomainid=testr)
04/09/06 16:43:28: Password match, no modify performed: testr
04/09/06 16:43:28: Removing password change from list
04/09/06 16:43:28: Password list is empty. Waiting for passhook event

------------------------------------------------------------------------

This is the errors log on FDS:

Fedora-Directory/1.0.1 B2005.342.165 rhnk:636 (/opt/fedora-ds/slapd-rhnk)
[08/Apr/2006:13:26:17 +0200] - slapd shutting down - signaling operation threads
[08/Apr/2006:13:26:17 +0200] - slapd shutting down - waiting for 30 threads to terminate
[08/Apr/2006:13:26:17 +0200] - slapd shutting down - closing down internal subsystems and plugins
[08/Apr/2006:13:26:19 +0200] - Waiting for 4 database threads to stop
[08/Apr/2006:13:26:20 +0200] - All database threads now stopped
[08/Apr/2006:13:26:20 +0200] - slapd stopped.
[08/Apr/2006:13:26:22 +0200] - Fedora-Directory/1.0.1 B2005.342.165 starting up
[08/Apr/2006:13:26:23 +0200] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: data for replica dc=mycompany,dc=com was reloaded and it no longer matches the data in the changelog (replica data > changelog). Recreating the changelog file. This could affect replication with replica's consumers in which case the consumers should be reinitialized.
[08/Apr/2006:13:26:23 +0200] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[08/Apr/2006:13:26:23 +0200] - Listening on All Interfaces port 636 for LDAPS requests
[08/Apr/2006:13:26:56 +0200] agmt="cn=Metranknew" (metrank:636) - Can't locate CSN 4431a289000000020000 in the changelog (DB rc=-30990). The consumer may need to be reinitialized.
[08/Apr/2006:13:27:06 +0200] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=Metranknew" (metrank:636)".
[08/Apr/2006:13:27:07 +0200] NSMMReplicationPlugin - Finished total update of replica "agmt="cn=Metranknew" (metrank:636)". Sent 10 entries.
[08/Apr/2006:13:36:23 +0200] NSMMReplicationPlugin - agmt="cn=Metranknew" (metrank:636): Simple bind resumed
[08/Apr/2006:14:16:23 +0200] NSMMReplicationPlugin - failed to send dirsync search request: 2
[08/Apr/2006:14:31:23 +0200] NSMMReplicationPlugin - failed to send dirsync search request: 2
[08/Apr/2006:15:06:23 +0200] NSMMReplicationPlugin - failed to send dirsync search request: 2
[08/Apr/2006:15:26:23 +0200] NSMMReplicationPlugin - failed to send dirsync search request: 2
[08/Apr/2006:15:46:23 +0200] NSMMReplicationPlugin - failed to send dirsync search request: 2
[08/Apr/2006:15:56:23 +0200] NSMMReplicationPlugin - failed to send dirsync search request: 2
[08/Apr/2006:17:31:23 +0200] NSMMReplicationPlugin - failed to send dirsync search request: 2
[08/Apr/2006:18:01:23 +0200] NSMMReplicationPlugin - failed to send dirsync search request: 2
[08/Apr/2006:22:36:23 +0200] NSMMReplicationPlugin - failed to send dirsync search request: 2
[08/Apr/2006:22:56:23 +0200] NSMMReplicationPlugin - failed to send dirsync search request: 2
[09/Apr/2006:01:01:23 +0200] NSMMReplicationPlugin - failed to send dirsync search request: 2
[09/Apr/2006:02:21:23 +0200] NSMMReplicationPlugin - failed to send dirsync search request: 2
[09/Apr/2006:02:31:23 +0200] NSMMReplicationPlugin - failed to send dirsync search request: 2
[09/Apr/2006:02:56:23 +0200] NSMMReplicationPlugin - failed to send dirsync search request: 2
[09/Apr/2006:03:21:23 +0200] NSMMReplicationPlugin - failed to send dirsync search request: 2
[09/Apr/2006:03:31:23 +0200] NSMMReplicationPlugin - failed to send dirsync search request: 2
[09/Apr/2006:04:11:23 +0200] NSMMReplicationPlugin - failed to send dirsync search request: 2
[09/Apr/2006:04:21:23 +0200] NSMMReplicationPlugin - failed to send dirsync search request: 2
[09/Apr/2006:04:36:23 +0200] NSMMReplicationPlugin - failed to send dirsync search request: 2
[09/Apr/2006:04:46:23 +0200] NSMMReplicationPlugin - failed to send dirsync search request: 2
[09/Apr/2006:05:11:23 +0200] NSMMReplicationPlugin - failed to send dirsync search request: 2
[09/Apr/2006:05:36:23 +0200] NSMMReplicationPlugin - failed to send dirsync search request: 2
[09/Apr/2006:06:26:23 +0200] NSMMReplicationPlugin - failed to send dirsync search request: 2
[09/Apr/2006:07:06:23 +0200] NSMMReplicationPlugin - failed to send dirsync search request: 2
[09/Apr/2006:07:21:23 +0200] NSMMReplicationPlugin - failed to send dirsync search request: 2
[09/Apr/2006:07:31:23 +0200] NSMMReplicationPlugin - failed to send dirsync search request: 2
[09/Apr/2006:07:41:23 +0200] NSMMReplicationPlugin - failed to send dirsync search request: 2
[09/Apr/2006:07:51:23 +0200] NSMMReplicationPlugin - failed to send dirsync search request: 2
[09/Apr/2006:09:06:23 +0200] NSMMReplicationPlugin - failed to send dirsync search request: 2
[09/Apr/2006:09:26:23 +0200] NSMMReplicationPlugin - failed to send dirsync search request: 2
[09/Apr/2006:09:36:23 +0200] NSMMReplicationPlugin - failed to send dirsync search request: 2
[09/Apr/2006:10:11:23 +0200] NSMMReplicationPlugin - failed to send dirsync search request: 2
[09/Apr/2006:11:06:23 +0200] NSMMReplicationPlugin - failed to send dirsync search request: 2
[09/Apr/2006:11:41:23 +0200] NSMMReplicationPlugin - failed to send dirsync search request: 2
[09/Apr/2006:12:06:23 +0200] NSMMReplicationPlugin - failed to send dirsync search request: 2
[09/Apr/2006:12:16:23 +0200] NSMMReplicationPlugin - failed to send dirsync search request: 2
[09/Apr/2006:12:56:23 +0200] NSMMReplicationPlugin - failed to send dirsync search request: 2
[09/Apr/2006:13:11:23 +0200] NSMMReplicationPlugin - failed to send dirsync search request: 2
[09/Apr/2006:13:21:23 +0200] NSMMReplicationPlugin - failed to send dirsync search request: 2
[09/Apr/2006:14:16:23 +0200] NSMMReplicationPlugin - failed to send dirsync search request: 2
[09/Apr/2006:14:31:23 +0200] NSMMReplicationPlugin - failed to send dirsync search request: 2
[09/Apr/2006:14:51:23 +0200] NSMMReplicationPlugin - failed to send dirsync search request: 2
[09/Apr/2006:15:11:23 +0200] NSMMReplicationPlugin - failed to send dirsync search request: 2
[09/Apr/2006:15:26:23 +0200] NSMMReplicationPlugin - failed to send dirsync search request: 2
[09/Apr/2006:16:11:23 +0200] NSMMReplicationPlugin - failed to send dirsync search request: 2
[09/Apr/2006:16:26:23 +0200] NSMMReplicationPlugin - failed to send dirsync search request: 2

---------------------------------------------------------------------------

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Daniel Shackelford
Sent: Monday, April 03, 2006 2:44 PM
To: fedora-directory-users at redhat.com
Subject: [Fedora-directory-users] FDS AD Sync

I don't think it is an issue with settings in AD. Server 2003 will automatically disable an account that is created with a blank password. This seems to fit with what you are seeing, since the account is immediately disabled in AD and the user is required to change their password.

Is your SSL setup working? You can use ssltap (in /opt/fedora-ds/shared/bin if you used the installed defaults) to proxy the connections and see what is going (or not going) back and forth. Replication requires SSL in order to sync passwords, and unless it is set up correctly on both FDS and the DC with PassSync, you will not get any passwords, period.

What do your logs in FDS say when you add a user? Are there any errors? If the logs are not very informative, use the console to increase the log level.

Passwords are the trickiest part of this setup, simply because they require SSL/certificates and an extra app on the DC.
The wiki has detailed instructions. If you need more help, posting error messages and log info would be very helpful.

From gholbert at broadcom.com Tue Apr 4 18:30:30 2006
From: gholbert at broadcom.com (George Holbert)
Date: Tue, 04 Apr 2006 11:30:30 -0700
Subject: [Fedora-directory-users] Re: Hostname does not match CN
In-Reply-To: <20060404104040.A4373@lacrosse.corp.redhat.com>
References: <20060404140715.EDF6173817@hormel.redhat.com> <20060404104040.A4373@lacrosse.corp.redhat.com>
Message-ID: <4432BB46.4040506@broadcom.com>

>
> Does Directory Server support the subjectAltName extension on SSL certs?
>

Yes, the NSS toolkit which Directory Server uses can handle these certs. The next question is, do your SSL-enabled LDAP clients support these certs?

I need to support both Solaris and RedHat Linux LDAP name service clients (i.e., passwd, group, automount, etc.). I've found that:

- Solaris clients can handle wildcard certs. RHEL 3 clients can't.
- RHEL 3 clients can handle subjectAltName certs. Solaris clients can't.

So, while the server can present either of these cert types, your clients' limitations will also influence how you sign your certs.

Steven Bonneville wrote:
> Rob Crittenden wrote:
>
>> Alex aka Magobin wrote:
>>
> [...]
>
>>> today I tried to issue 2 server certs using the same CA...using the same
>>> CN...I can make correctly the certs and in Manage Certificate I can see
>>> both server certs with the same name...but when I try to establish ssl
>>> encryption between servers:
>>>
>>> NSMMReplicationPlugin -agmt="cn="Replication to
>>> nodo1.domain.example.com""(nodo1:636): Simple bind failed, LDAP sdk
>>> error 81 (Can't contact LDAP server), Netscape Portable Runtime error-
>>> 12276 (Unable to communicate securely with peer: requested domain name
>>> does not match the server's certificate.)
>>>
>>> Is there someone that use two server Fedora DS to authenticate clients?
>>> Even if I can browse in clear mode FDS both on nodo1 and nodo2...in
>>> encrypt mode only one can certificate my clients?
>>>
>> This isn't an SSL problem, it's a problem with the way you are trying to
>> use it. You are trying to present the world with a single directory
>> server and behind the scenes have 2 physical servers. Nothing wrong with
>> this but you were told a while back that this could be a problem.
>>
>> You basically need your machine to answer to 2 separate things: its
>> "real" hostname and the "cluster" hostname.
>>
>> As I see it, there are 2 ways to resolve this. I'm not a DS engineer so
>> I can't say which one is more plausible/possible, and there may be other
>> ways that I'm not seeing.
>>
>> 1. The easiest solution is to use a wildcard in the SSL server
>> certificate hostname: CN=*.example.com. This is super ugly but should
>> work. Note that you'll never get a CA like Verisign to issue you a
>> wildcard server certificate. So if you are using your own self-signed CA
>> during testing and plan to get server certs later from another CA beware.
>>
>> 2. I wonder if it is possible to set up multiple listeners and assign a
>> separate SSL certificate to each one. Then you could have
>> CN=host1.example.com on say port 638 for replication and
>> CN=ldap.example.com on 636 for general use.
>>
>> I don't know if #2 is even possible right now. #1 definitely is but has
>> issues. One of the reasons for SSL is to prevent man-in-the-middle
>> attacks. This is precisely the problem you are having. SSL is detecting
>> that things aren't lining up like they should and preventing you from
>> continuing. While a wildcard certificate will get around this you must
>> understand that you are also giving up a certain amount of security.
>>
>
> Does Directory Server support the subjectAltName extension on SSL certs?
> If it does, then you could create a certificate with a subject of
> cn=ldap.domain.example.com,... and a subjectAltName of something like
> DNS:nodo1.domain.example.com. I think you can have multiple subjectAltName
> extensions on one certificate.
>
> See /usr/share/doc/openssl-0.9.7a/openssl.txt for some more details. I'm
> not a DS engineer either, and while it's on my "to do" list, I haven't
> tried this myself yet.
>
> -- Steve Bonneville

From dshackel at arbor.edu Tue Apr 4 20:32:38 2006
From: dshackel at arbor.edu (Daniel Shackelford)
Date: Tue, 04 Apr 2006 16:32:38 -0400
Subject: [Fedora-directory-users] Re: FDS AD Sync
Message-ID: <4432D7E6.7040408@arbor.edu>

It looks like your PassSync setup is working well. We should focus on the FDS side of things. In your replication agreement, are you using SSL and connecting to AD using port 636? Have you verified that you can connect to AD via SSL using another LDAP client like JXplorer?

You will probably want to increase your logging level to include more replication info. In the console, you should change the settings for your error log to include replication info:

1. Log into console
2. Open your directory server
3. Click on the Config tab
4. Expand the Logs tree on the left
5. Select Error Log
6. Scroll down the form on the right until you see the Log Level list
7. Ctrl-click on the Replication entry
8. Click Save

Now you should be getting all replication data in your logs, in addition to errors.

The following command will set up an ssl proxy on port 8638 that forwards connections to ADServer.domain.com.
In the process it will decode the ssl traffic, dump extra info, and continue listening after the first connection, and dump everything into ~/ssltap.log:

ssltap -sxl -p 8636 ADServer.domain.com:636 > ~/ssltap.log

In order to use this to debug replication you may have to set up a dummy replication agreement, dummy OU and dummy users. Point to the local host and port 8636 for the port, and then see what comes out. This is totally and completely experimental on my part, and I have not done this exact setup.

--
Daniel Shackelford
Systems Administrator
Technology Services
Spring Arbor University
517 750-6648

"For even the Son of Man did not come to be served, but to serve, and to give His life a ransom for many" Mark 10:45

From ahamino at gmail.com Wed Apr 5 18:09:54 2006
From: ahamino at gmail.com (Abdelrahman)
Date: Wed, 5 Apr 2006 20:09:54 +0200
Subject: [Fedora-directory-users] Re: FDS AD Sync
In-Reply-To: <4432D7E6.7040408@arbor.edu>
Message-ID: <000f01c658dc$27f38d00$0200a8c0@abdodesktop>

After reviewing the debugging logs I realized the following: when I create a new account, it isn't synced correctly to AD unless I select "create new NT account" in the NT User form. Other than that, accounts aren't added to the AD even if I run the "reinitialize AD" process!

The problem I am facing now is how to add the three new fields for all of my 10000 user accounts before migrating to FDS and making sure that NT-Username is the same as Username! Anybody have ideas?

By the way, Daniel, thanks for your help :)

Regards,
Abdelrahman

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Daniel Shackelford
Sent: Tuesday, April 04, 2006 10:33 PM
To: FedoraUsers
Subject: [Fedora-directory-users] Re: FDS AD Sync

It looks like your PassSync setup is working well. We should focus on the FDS side of things. In your replication agreement, are you using SSL and connecting to AD using port 636?
Have you verified that you can connect to AD via SSL using another LDAP client like JXplorer?

You will probably want to increase your logging level to include more replication info. In the console, you should change the settings for your error log to include replication info:

1. Log into console
2. Open your directory server
3. Click on the Config tab
4. Expand the Logs tree on the left
5. Select Error Log
6. Scroll down the form on the right until you see the Log Level list
7. Ctl-click on the Replication entry
8. Click Save

Now you should be getting all replication data in your logs, in addition to errors.

The following command will set up a ssl proxy on port 8638 that forwards connections to ADServer.domain.com. In the process it will decode the ssl traffic, dump extra info, and continue listening after the first connection, and dump everything into ~/ssltap.log

ssltap -sxl -p 8636 ADServer.domain.com:636 > ~/ssltap.log

In order to use this to debug replication you may have to set up a dummy replication agreement, dummy OU and dummy users. Point to the local host and port 8636 for the port, and then see what comes out. This is totally and completely experimental on my part, and I have not done this exact setup.

--
Daniel Shackelford
Systems Administrator
Technology Services
Spring Arbor University
517 750-6648

"For even the Son of Man did not come to be served, but to serve, and to give His life a ransom for many" Mark 10:45

From khaledus at caramail.com Wed Apr 5 17:12:10 2006
From: khaledus at caramail.com (khaledus .)
Date: Wed, 5 Apr 2006 17:12:10 +0000 (GMT)
Subject: [Fedora-directory-users] FDS 1.0.2 on FC5 : unable to start the admin server
Message-ID: <54121605130826@lycos-europe.com>

I have a problem with fedora directory server 1.0.2 installed on FC5

at the beginning of the installation, i get this message :
"
NOTICE : System is i686-unknown-linux2.6.15-1.2054_FC5xen0 (1 processor).

WARNING: 463MB of physical memory is available on the system. 1024MB is recommended for best performance on large production system.

NOTICE : The net.ipv4.tcp_keepalive_time is set to 7200000 milliseconds (120 minutes). This may cause temporary server congestion from lost client connections.

WARNING: There are only 1024 file descriptors (hard limit) available, which limit the number of simultaneous connections.

WARNING: There are only 1024 file descriptors (soft limit) available, which limit the number of simultaneous connections.
"
install : OK
setup : OK

after setup i get this
"
[slapd-dahmer]: [04/Apr/2006:18:09:50 +0200] - Fedora-Directory/1.0.2 B2006.060.1951 starting up
[slapd-dahmer]: [04/Apr/2006:18:09:51 +0200] - slapd started. Listening on All Interfaces port 389 for LDAP requests
Your new directory server has been started.
Created new Directory Server
Start Slapd Starting Slapd server configuration.
Success Slapd Added Directory Server information to Configuration Server.
Configuring Administration Server...
Setting up Administration Server Instance...
Configuring Administration Tasks in Directory Server...
Configuring Global Parameters in Directory Server...
Can't start Admin server [/opt/fedora-ds/start-admin > /tmp/fileH9SeEW 2>&1] (error: No such file or directory)
You can now use the console. Here is the command to use to start the console:
"
why does it say "Can't start Admin server [/opt/fedora-ds/start-admin > /tmp/fileH9SeEW 2>&1] (error: No such file or directory)" ??
the ns-slapd is launched

but I get the following error when I attempt to start the admin server

"httpd.worker: Syntax error on line 151 of /opt/fedora-ds/admin-serv/config/httpd.conf: Cannot load /opt/fedora-ds/bin/admin/lib/libmodrestartd.so into server: /opt/fedora-ds/bin/admin/lib/libmodrestartd.so: undefined symbol: apr_filename_of_pathname"

I can start the console management, but i can't log in because the admin server is not started

I also saw this post : https://www.redhat.com/archives/fedora-directory-users/2005-December/msg00077.html

From rcritten at redhat.com Wed Apr 5 19:19:22 2006
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 05 Apr 2006 15:19:22 -0400
Subject: [Fedora-directory-users] FDS 1.0.2 on FC5 : unable to start the admin server
In-Reply-To: <54121605130826@lycos-europe.com>
References: <54121605130826@lycos-europe.com>
Message-ID: <4434183A.3070004@redhat.com>

khaledus . wrote:
> I have a problem with fedora directory server 1.0.2 installed on FC5
>
> at the beginning of the installation, i get this message :
> "
> NOTICE : System is i686-unknown-linux2.6.15-1.2054_FC5xen0 (1 processor).
>
> WARNING: 463MB of physical memory is available on the system. 1024MB is recommended for best performance on large production system.
>
> NOTICE : The net.ipv4.tcp_keepalive_time is set to 7200000 milliseconds
> (120 minutes). This may cause temporary server congestion from lost
> client connections.
>
> WARNING: There are only 1024 file descriptors (hard limit) available, which
> limit the number of simultaneous connections.
>
> WARNING: There are only 1024 file descriptors (soft limit) available, which
> limit the number of simultaneous connections.
> "
> install : OK
> setup : OK
>
> after setup i get this
> "
> [slapd-dahmer]: [04/Apr/2006:18:09:50 +0200] - Fedora-Directory/1.0.2 B2006.060.1951 starting up
> [slapd-dahmer]: [04/Apr/2006:18:09:51 +0200] - slapd started.
> Listening on All Interfaces port 389 for LDAP requests
> Your new directory server has been started.
> Created new Directory Server
> Start Slapd Starting Slapd server configuration.
> Success Slapd Added Directory Server information to Configuration Server.
> Configuring Administration Server...
> Setting up Administration Server Instance...
> Configuring Administration Tasks in Directory Server...
> Configuring Global Parameters in Directory Server...
> Can't start Admin server [/opt/fedora-ds/start-admin > /tmp/fileH9SeEW 2>&1] (error: No such file or directory)
> You can now use the console. Here is the command to use to start the console:
> "
> why does it say "Can't start Admin server [/opt/fedora-ds/start-admin > /tmp/fileH9SeEW 2>&1] (error: No such file or directory)" ??
>
> the ns-slapd is launched
>
> but I get the following error when I attempt to start the admin server
>
> "httpd.worker: Syntax error on line 151 of /opt/fedora-ds/admin-serv/config/httpd.conf: Cannot load /opt/fedora-ds/bin/admin/lib/libmodrestartd.so into server: /opt/fedora-ds/bin/admin/lib/libmodrestartd.so: undefined symbol: apr_filename_of_pathname"
>
> I can start the console management, but i can't log in because the admin server is not started
>
> I also saw this post : https://www.redhat.com/archives/fedora-directory-users/2005-December/msg00077.html
>

FC4 uses Apache 2.0, FC5 uses Apache 2.2 and the modules are not binary compatible. The API changed so they need to be recompiled.

The only workaround for this currently is to build the modules yourself, though this does require a fair amount of work. There is documentation on building the server at http://directory.fedora.redhat.com/ and you can find specific instructions for the Apache modules there as well. The thing is you need to compile a bunch of libraries before you can build the modules.
One option may be to try the one-step build method and then just pull out the Apache modules from that and replace the ones from the FC4 RPM.

rob

From hyc at symas.com Wed Apr 5 19:34:12 2006
From: hyc at symas.com (Howard Chu)
Date: Wed, 05 Apr 2006 12:34:12 -0700
Subject: [Fedora-directory-users] Re: Hostname does not match CN
In-Reply-To: <20060405160007.530E573823@hormel.redhat.com>
References: <20060405160007.530E573823@hormel.redhat.com>
Message-ID: <44341BB4.1050807@symas.com>

> Date: Tue, 04 Apr 2006 11:30:30 -0700
> From: "George Holbert"
>
>> Does Directory Server support the subjectAltName extension on SSL certs?
>>
>
> Yes, the NSS toolkit which Directory Server uses can handle these certs.
>
> The next question is, do your SSL-enabled LDAP clients support these certs?
> I need to support both Solaris and RedHat Linux LDAP name service
> clients (i.e., passwd, group, automount, etc.). I've found that:
> - Solaris clients can handle wildcard certs. RHEL 3 clients can't.
> - RHEL 3 clients can handle subjectAltName certs. Solaris clients can't.
>
> So, while the server can present either of these cert types, your
> clients' limitations will also influence how you sign your certs.
>

Someone should file a bug report with Sun then, since LDAP RFC2830 defines support for subjectAltName and not for wildcard certs. The LDAPbis specifications will be pretty much the same here. I.e., Sun's LDAP library is not LDAPv3 compliant. RHEL uses OpenLDAP libraries, which are fully LDAPv3 compliant.

--
-- Howard Chu
Chief Architect, Symas Corp.
http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/

From gholbert at broadcom.com Wed Apr 5 19:51:37 2006
From: gholbert at broadcom.com (George Holbert)
Date: Wed, 05 Apr 2006 12:51:37 -0700
Subject: [Fedora-directory-users] Re: Hostname does not match CN
In-Reply-To: <44341BB4.1050807@symas.com>
References: <20060405160007.530E573823@hormel.redhat.com> <44341BB4.1050807@symas.com>
Message-ID: <44341FC9.7000309@broadcom.com>

> Someone should file a bug report with Sun then, since LDAP RFC2830
> defines support for subjectAltName and not for wildcard certs. The
> LDAPbis specifications will be pretty much the same here. I.e., Sun's
> LDAP library is not LDAPv3 compliant. RHEL uses OpenLDAP libraries,
> which are fully LDAPv3 compliant.

I think 2830 does mention wildcards as acceptable, but I would prefer to use subjectAltNames if possible. So I agree it would be great if Sun would add this support to their Solaris LDAP name service client. I believe part of the problem is that the Solaris client uses a fairly ancient version of the NSS toolkit (although Sun DS, like Fedora DS, uses a much more recent version).

Howard Chu wrote:
>
>> Date: Tue, 04 Apr 2006 11:30:30 -0700
>> From: "George Holbert"
>>
>>> Does Directory Server support the subjectAltName extension on SSL
>>> certs?
>>>
>>
>> Yes, the NSS toolkit which Directory Server uses can handle these certs.
>>
>> The next question is, do your SSL-enabled LDAP clients support these
>> certs?
>> I need to support both Solaris and RedHat Linux LDAP name service
>> clients (i.e., passwd, group, automount, etc.). I've found that:
>> - Solaris clients can handle wildcard certs. RHEL 3 clients can't.
>> - RHEL 3 clients can handle subjectAltName certs. Solaris clients
>> can't.
>>
>> So, while the server can present either of these cert types, your
>> clients' limitations will also influence how you sign your certs.
>>
>
> Someone should file a bug report with Sun then, since LDAP RFC2830
> defines support for subjectAltName and not for wildcard certs. The
> LDAPbis specifications will be pretty much the same here. I.e., Sun's
> LDAP library is not LDAPv3 compliant. RHEL uses OpenLDAP libraries,
> which are fully LDAPv3 compliant.
>

From magobin at gmail.com Thu Apr 6 10:47:53 2006
From: magobin at gmail.com (Alex aka Magobin)
Date: Thu, 06 Apr 2006 12:47:53 +0200
Subject: [Fedora-directory-users] SubjectAltName how does it work?
In-Reply-To: <44341BB4.1050807@symas.com>
References: <20060405160007.530E573823@hormel.redhat.com> <44341BB4.1050807@symas.com>
Message-ID: <1144320473.8246.13.camel@localhost.localdomain>

Hi,
I'm reading openssl.txt to use subjectAltName, but I'm confused....I setup openssl.cnf with subjectAltName in this way:

subjectAltName=DNS:ldap.domain.example.com

...after that I made the certificate as suggested by Rob, but it seems it doesn't work.

I also found this in Sun documentation:

certutil -R ...-CUT-... -a -8 amserv1.example.com,amserv2.example.com

but if I use this method, when I try to import the server certificate:

./shared/bin/certutil -A -d . -n "nodo1.example.com" -t u,u,u -i tmpcert.der

it returns an error about adding the certificate to the token or database.

How can I proceed to make a certificate with subjectAltName?...

Alex

From Esquivelv at uhd.edu Thu Apr 6 13:23:49 2006
From: Esquivelv at uhd.edu (Esquivel, Vicente)
Date: Thu, 6 Apr 2006 08:23:49 -0500
Subject: [Fedora-directory-users] GUI Console
Message-ID: <9F92B51F2F581A4EAEC46C84759BE79D01F65D68@BALI.uhd.campus>

Hello all,

I am new to the list and new to RH Directory. I have installed fedora-ds-1.0.2.RHEL4.i386.opt.rpm and j2SDK-1_4_2_11 on a RHEL 4 Update 2. I did an express install of the Directory and was able to get the slapd and admin to start successfully but when I try to start the console I get no gui console and get the following message below.
Can anyone tell me what I need to do to get the gui console up and running?

[diradmin at linole fedora-ds]$ ./startconsole -u admin -a http://linole.uhd.edu:36971/
Warning: -ms8m not understood. Ignoring.
Warning: -mx64m not understood. Ignoring.
Exception in thread "main" java.lang.NoSuchMethodError: method com.netscape.management.client.util.RemoteImage.setImage was not found.
   at _Jv_ResolvePoolEntry(java.lang.Class, int) (/usr/lib/libgcj.so.5.0.0)
   at com.netscape.management.client.util.RemoteImage.RemoteImage(java.lang.String) (Unknown Source)
   at com.netscape.management.nmclf.SuiLookAndFeel.initComponentDefaults(javax.swing.UIDefaults) (Unknown Source)
   at com.netscape.management.nmclf.SuiLookAndFeel.getDefaults() (Unknown Source)
   at javax.swing.UIManager.put(java.lang.Object, java.lang.Object) (/usr/lib/libgcj.so.5.0.0)
   at com.netscape.management.client.components.FontFactory.initializeLFFonts() (Unknown Source)
   at com.netscape.management.client.console.Console.common_init(java.lang.String) (Unknown Source)
   at com.netscape.management.client.console.Console.Console(java.lang.String, java.lang.String, java.lang.String, java.lang.String, java.lang.String, java.lang.String) (Unknown Source)
   at com.netscape.management.client.console.Console.main(java.lang.String[]) (Unknown Source)

Thanks
Vince

From rmeggins at redhat.com Thu Apr 6 13:30:10 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 06 Apr 2006 09:30:10 -0400
Subject: [Fedora-directory-users] GUI Console
In-Reply-To: <9F92B51F2F581A4EAEC46C84759BE79D01F65D68@BALI.uhd.campus>
References: <9F92B51F2F581A4EAEC46C84759BE79D01F65D68@BALI.uhd.campus>
Message-ID: <443517E2.8070708@redhat.com>

Esquivel, Vicente wrote:
> Hello all,
>
> I am new to the list and new to RH Directory. I have installed
> fedora-ds-1.0.2.RHEL4.i386.opt.rpm and j2SDK-1_4_2_11 on a RHEL 4
> Update 2.
> I did an express install of the Directory and was able to
> get the slapd and admin to start successfully but when I try to start
> the console I get no gui console and get the following message below.
> Can anyone tell me what I need to do to get the gui console up and
> running?
>
> [diradmin at linole fedora-ds]$ ./startconsole -u admin -a
> _http://linole.uhd.edu:36971/_
>
> Warning: -ms8m not understood. Ignoring.
>
> Warning: -mx64m not understood. Ignoring.
>
> Exception in thread "main" java.lang.NoSuchMethodError: method
> com.netscape.management.client.util.RemoteImage.setImage was not found.
>
> at _Jv_ResolvePoolEntry(java.lang.Class, int) (/usr/lib/libgcj.so.5.0.0)
>
You are not using the Sun or IBM JRE. Make sure the correct java command is in your PATH.

> at com.netscape.management.client.util.RemoteImage.RemoteImage(java.lang.String) (Unknown Source)
>
> at com.netscape.management.nmclf.SuiLookAndFeel.initComponentDefaults(javax.swing.UIDefaults) (Unknown Source)
>
> at com.netscape.management.nmclf.SuiLookAndFeel.getDefaults() (Unknown Source)
>
> at javax.swing.UIManager.put(java.lang.Object, java.lang.Object) (/usr/lib/libgcj.so.5.0.0)
>
> at com.netscape.management.client.components.FontFactory.initializeLFFonts() (Unknown Source)
>
> at com.netscape.management.client.console.Console.common_init(java.lang.String) (Unknown Source)
>
> at com.netscape.management.client.console.Console.Console(java.lang.String, java.lang.String, java.lang.String, java.lang.String, java.lang.String, java.lang.String) (Unknown Source)
>
> at com.netscape.management.client.console.Console.main(java.lang.String[]) (Unknown Source)
>
> Thanks
>
> Vince
>

From magobin at gmail.com Thu Apr 6 13:34:05 2006
From: magobin at gmail.com (Alex aka Magobin)
Date: Thu, 06 Apr 2006 15:34:05 +0200
Subject: [Fedora-directory-users] GUI Console
In-Reply-To: <9F92B51F2F581A4EAEC46C84759BE79D01F65D68@BALI.uhd.campus>
References: <9F92B51F2F581A4EAEC46C84759BE79D01F65D68@BALI.uhd.campus>
Message-ID: <1144330445.8246.16.camel@localhost.localdomain>

On Thu, 2006-04-06 at 08:23 -0500, Esquivel, Vicente wrote:
> Hello all,
>
> I am new to the list and new to RH Directory. I have installed
> fedora-ds-1.0.2.RHEL4.i386.opt.rpm and j2SDK-1_4_2_11 on a RHEL 4
> Update 2. I did an express install of the Directory and was able to
> get the slapd and admin to start successfully but when I try to start
> the console I get no gui console and get the following message below.
> Can anyone tell me what I need to do to get the gui console up and
> running?
>

It may be useful to look at a previous post :-) I had this problem more or less 20 days ago...

http://www.mail-archive.com/fedora-directory-users at redhat.com/msg02302.html

Regards
Alex

From magobin at gmail.com Thu Apr 6 13:36:49 2006
From: magobin at gmail.com (Alex aka Magobin)
Date: Thu, 06 Apr 2006 15:36:49 +0200
Subject: [Fedora-directory-users] GUI Console
In-Reply-To: <443517E2.8070708@redhat.com>
References: <9F92B51F2F581A4EAEC46C84759BE79D01F65D68@BALI.uhd.campus> <443517E2.8070708@redhat.com>
Message-ID: <1144330610.8246.19.camel@localhost.localdomain>

On Thu, 2006-04-06 at 09:30 -0400, Richard Megginson wrote:
> Esquivel, Vicente wrote:
>
> > Hello all,
> >
> > I am new to the list and new to RH Directory. I have installed
> > fedora-ds-1.0.2.RHEL4.i386.opt.rpm and j2SDK-1_4_2_11 on a RHEL 4
> > Update 2.
> > I did an express install of the Directory and was able to
> > get the slapd and admin to start successfully but when I try to start
> > the console I get no gui console and get the following message below.
> > Can anyone tell me what I need to do to get the gui console up and
> > running?
>

I don't know why in Redhat this link and this problem is not mentioned...this is a step by step instruction to upgrade the jre that solves your problem!

http://fedoranews.org/mediawiki/index.php/JPackage_Java_for_FC4

Alex

From rmeggins at redhat.com Thu Apr 6 13:50:22 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 06 Apr 2006 09:50:22 -0400
Subject: [Fedora-directory-users] GUI Console
In-Reply-To: <1144330610.8246.19.camel@localhost.localdomain>
References: <9F92B51F2F581A4EAEC46C84759BE79D01F65D68@BALI.uhd.campus> <443517E2.8070708@redhat.com> <1144330610.8246.19.camel@localhost.localdomain>
Message-ID: <44351C9E.5080200@redhat.com>

Alex aka Magobin wrote:
>On Thu, 2006-04-06 at 09:30 -0400, Richard Megginson wrote:
>
>>Esquivel, Vicente wrote:
>>
>>>Hello all,
>>>
>>>I am new to the list and new to RH Directory. I have installed
>>>fedora-ds-1.0.2.RHEL4.i386.opt.rpm and j2SDK-1_4_2_11 on a RHEL 4
>>>Update 2. I did an express install of the Directory and was able to
>>>get the slapd and admin to start successfully but when I try to start
>>>the console I get no gui console and get the following message below.
>>>Can anyone tell me what I need to do to get the gui console up and
>>>running?
>>>
>
>I don't know why in Redhat this link and this problem is not
>mentioned
>
http://directory.fedora.redhat.com/wiki/Install_Guide which is linked from the Release Notes as well.

>...this is a step by step instruction to upgrade the jre that solves
>your problem!
>
>http://fedoranews.org/mediawiki/index.php/JPackage_Java_for_FC4
>
> Alex
>

From magobin at gmail.com Thu Apr 6 14:05:10 2006
From: magobin at gmail.com (Alex aka Magobin)
Date: Thu, 06 Apr 2006 16:05:10 +0200
Subject: [Fedora-directory-users] Re: SubjectAltName how does it work?
In-Reply-To: <1144320473.8246.13.camel@localhost.localdomain>
References: <20060405160007.530E573823@hormel.redhat.com> <44341BB4.1050807@symas.com> <1144320473.8246.13.camel@localhost.localdomain>
Message-ID: <1144332310.8246.31.camel@localhost.localdomain>

> I also found this in Sun documentation:
>
> certutil -R ...-CUT-... -a -8 amserv1.example.com,amserv2.example.com
>

Ok, after reading the document I see that the certutil that comes with FDS supports subjectAltName...so I tried to make a server certificate with this extension but unfortunately it doesn't work; I used the following

# ../shared/bin/certutil -R -d . -s 'CN=nodo1.domain.example.com' -o tmpcertreq -g 1024 -8 ldap.domain.example.com
# ../shared/bin/certutil -C -d . -c "CA Certificate" -i tmpcertreq -o tmpcert.der -m 3 -v 120 -1 -5 -8 ldap.domain.example.com
# ../shared/bin/certutil -A -d . -n "nodo1.domain.example.com" -t u,u,u -i tmpcert.der

...I supposed that it was correct but I'm not sure...I don't find anything about configuring a certificate with the subjectAltName extension.

Could someone suggest me the right way?

THANKS
Alex

From rmeggins at redhat.com Thu Apr 6 14:13:21 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 06 Apr 2006 10:13:21 -0400
Subject: [Fedora-directory-users] Re: SubjectAltName how does it work?
In-Reply-To: <1144332310.8246.31.camel@localhost.localdomain>
References: <20060405160007.530E573823@hormel.redhat.com> <44341BB4.1050807@symas.com> <1144320473.8246.13.camel@localhost.localdomain> <1144332310.8246.31.camel@localhost.localdomain>
Message-ID: <44352201.8020303@redhat.com>

Alex aka Magobin wrote:
>>I also found this in Sun documentation:
>>
>>certutil -R ...-CUT-... -a -8 amserv1.example.com,amserv2.example.com
>>
>
>Ok, after reading the document I see that the certutil that comes with FDS
>supports subjectAltName...so I tried to make a server certificate with this
>extension but unfortunately it doesn't work; I used the following
>
># ../shared/bin/certutil -R -d . -s 'CN=nodo1.domain.example.com' -o tmpcertreq -g 1024 -8 ldap.domain.example.com
># ../shared/bin/certutil -C -d . -c "CA Certificate" -i tmpcertreq -o tmpcert.der -m 3 -v 120 -1 -5 -8 ldap.domain.example.com
>
># ../shared/bin/certutil -A -d . -n "nodo1.domain.example.com" -t u,u,u -i tmpcert.der
>
What errors did you get?

>...I supposed that it was correct but I'm not sure...I don't find
>anything about configuring a certificate with the subjectAltName extension.
>
>Could someone suggest me the right way?
>
>THANKS
>Alex
>

From Esquivelv at uhd.edu Thu Apr 6 14:21:46 2006
From: Esquivelv at uhd.edu (Esquivel, Vicente)
Date: Thu, 6 Apr 2006 09:21:46 -0500
Subject: [Fedora-directory-users] GUI Console
Message-ID: <9F92B51F2F581A4EAEC46C84759BE79D01F65D69@BALI.uhd.campus>

Thanks all for the help. I went with the IBM version and all went well.
Thanks again

> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com
> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf
> Of Richard Megginson
> Sent: Thursday, April 06, 2006 8:50 AM
> To: General discussion list for the Fedora Directory server project.
> Subject: Re: [Fedora-directory-users] GUI Console
>
> Alex aka Magobin wrote:
>
> >On Thu, 2006-04-06 at 09:30 -0400, Richard Megginson wrote:
> >
> >>Esquivel, Vicente wrote:
> >>
> >>>Hello all,
> >>>
> >>>I am new to the list and new to RH Directory. I have installed
> >>>fedora-ds-1.0.2.RHEL4.i386.opt.rpm and j2SDK-1_4_2_11 on a RHEL 4
> >>>Update 2. I did an express install of the Directory and was able to
> >>>get the slapd and admin to start successfully but when I try to start
> >>>the console I get no gui console and get the following message below.
> >>>Can anyone tell me what I need to do to get the gui console up and
> >>>running?
> >>>
> >
> >I don't know why in Redhat this link and this problem is not
> >mentioned
> >
> http://directory.fedora.redhat.com/wiki/Install_Guide which
> is linked from the Release Notes as well.
>
> >...this is a step by step instruction to upgrade the jre that solves your
> >problem!
> >
> >http://fedoranews.org/mediawiki/index.php/JPackage_Java_for_FC4
> >
> > Alex
> >
>

From rcritten at redhat.com Thu Apr 6 14:38:15 2006
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 06 Apr 2006 10:38:15 -0400
Subject: [Fedora-directory-users] Re: SubjectAltName how does it work?
In-Reply-To: <1144332310.8246.31.camel@localhost.localdomain>
References: <20060405160007.530E573823@hormel.redhat.com> <44341BB4.1050807@symas.com> <1144320473.8246.13.camel@localhost.localdomain> <1144332310.8246.31.camel@localhost.localdomain>
Message-ID: <443527D7.1010605@redhat.com>

Alex aka Magobin wrote:
>>I also found this in Sun documentation:
>>
>>certutil -R ...-CUT-... -a -8 amserv1.example.com,amserv2.example.com
>>
>
> Ok, after reading the document I see that the certutil that comes with FDS
> supports subjectAltName...so I tried to make a server certificate with this
> extension but unfortunately it doesn't work; I used the following
>
> # ../shared/bin/certutil -R -d . -s 'CN=nodo1.domain.example.com' -o tmpcertreq -g 1024 -8 ldap.domain.example.com
> # ../shared/bin/certutil -C -d . -c "CA Certificate" -i tmpcertreq -o tmpcert.der -m 3 -v 120 -1 -5 -8 ldap.domain.example.com
>
> # ../shared/bin/certutil -A -d . -n "nodo1.domain.example.com" -t u,u,u -i tmpcert.der
>
> ...I supposed that it was correct but I'm not sure...I don't find
> anything about configuring a certificate with the subjectAltName extension.
>
> Could someone suggest me the right way?

Assuming you already have a CA nicknamed 'cacert' and your database is in the directory named 'foo':

% certutil -R -d foo -s "cn=localhost,dc=example,dc=com" -o tmpcertreq -g 1024
% certutil -C -d foo -c cacert -i tmpcertreq -o tmpcert.der -m 9 -v 12 -1 -5 -8 foo.example.com
% certutil -A -d foo -n Alt-Cert -t u,u,u -i tmpcert.der
% certutil -L -d foo -n Alt-Cert
% rm -f tmpcert.der tmpcertreq

-- Cut --
        Signed Extensions:
            Name: Certificate Subject Alt Name
            Data: Sequence {
                [1] foo.example.com
            }
            Name: Certificate Type
            Data:
-- Cut --

rob
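The client-side rule Howard Chu and George Holbert argue about above (RFC 2830 section 3.6: subjectAltName dNSName entries are the server's identity when present, the subject CN is only a fallback, and a "*" wildcard is allowed in the leftmost label) decides whether a certificate like the one Rob's certutil -8 commands produce passes a hostname check. The following is an added illustration, not code from the list, from Fedora DS or from certutil. It works on the dict layout Python's ssl.SSLSocket.getpeercert() returns; the certificate dicts below are constructed for the demo and mirror Alex's layout (CN names the node, SAN names the ldap alias).

```python
"""RFC 2830 section 3.6 hostname matching against an LDAP server certificate.

Added example; not from the list, Fedora DS or certutil.  Operates on the
dict shape that ssl.SSLSocket.getpeercert() returns, so no live TLS
connection is needed: the certificates at the bottom are constructed.
"""
from __future__ import annotations


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name against the hostname the client connected to.

    Comparison is case-insensitive.  A wildcard is honoured only as the whole
    leftmost label ("*.example.com" covers "ldap.example.com" but not
    "ldap.domain.example.com"); that is stricter than the RFC's wording and
    is what current clients do.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] == "*" and len(p_labels) >= 3 and len(p_labels) == len(h_labels):
        # "*" stands for exactly one non-empty label; the rest must be identical.
        return h_labels[0] != "" and p_labels[1:] == h_labels[1:]
    return False


def cert_identities(cert: dict) -> tuple[list[str], list[str]]:
    """Return (subjectAltName dNSName values, subject commonName values)."""
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    cns = [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]
    return san, cns


def match_hostname(cert: dict, hostname: str) -> tuple[bool, str]:
    """Apply the RFC 2830 preference order and say why the check passed or failed."""
    san, cns = cert_identities(cert)
    if san:
        # dNSName SANs are the identity; the CN is not consulted at all.
        for name in san:
            if dns_name_matches(name, hostname):
                return True, f"matched subjectAltName dNSName {name!r}"
        return False, f"{hostname!r} is not among subjectAltName {san}; CN ignored"
    for cn in cns:
        if dns_name_matches(cn, hostname):
            return True, f"matched subject CN {cn!r} (no subjectAltName present)"
    return False, f"{hostname!r} does not match subject CN {cns}"


# Constructed certificates (not real ones).  CERT_WITH_SAN has the layout
# Rob's certutil -8 commands produce: the CN names the node, the SAN names the
# service alias that clients actually connect to.
CERT_WITH_SAN = {
    "subject": ((("commonName", "nodo1.domain.example.com"),),),
    "subjectAltName": (("DNS", "ldap.domain.example.com"),),
}
CERT_WILDCARD = {"subject": ((("commonName", "*.example.com"),),)}
CERT_CN_ONLY = {"subject": ((("commonName", "nodo1.domain.example.com"),),)}


def demo() -> dict[str, bool]:
    """Run the cases a client would hit on the certificates above."""
    cases = {
        "san alias": (CERT_WITH_SAN, "ldap.domain.example.com"),
        "san present, only CN matches": (CERT_WITH_SAN, "nodo1.domain.example.com"),
        "wildcard one label": (CERT_WILDCARD, "ldap.example.com"),
        "wildcard two labels": (CERT_WILDCARD, "ldap.domain.example.com"),
        "cn only, case-insensitive": (CERT_CN_ONLY, "NODO1.domain.example.com"),
    }
    results = {}
    for label, (cert, host) in cases.items():
        ok, why = match_hostname(cert, host)
        results[label] = ok
        print(f"{label:32s} {'OK  ' if ok else 'FAIL'} {why}")
    return results


if __name__ == "__main__":
    demo()
```

The second case is the one worth remembering when a "Hostname does not match CN" error shows up: once a certificate carries a subjectAltName, a compliant client stops looking at the CN, so a node name that only appears in the CN will not pass, and a Solaris-style client that only understands the CN will disagree with a RHEL client about the same certificate. On a real socket, pass `sock.getpeercert()` to `match_hostname`; Python's own `ssl` module already performs an equivalent check when `check_hostname` is enabled.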
From Esquivelv at uhd.edu Thu Apr 6 14:49:48 2006
From: Esquivelv at uhd.edu (Esquivel, Vicente)
Date: Thu, 6 Apr 2006 09:49:48 -0500
Subject: [Fedora-directory-users] Existing User Accounts
Message-ID: <9F92B51F2F581A4EAEC46C84759BE79D01F65D6A@BALI.uhd.campus>

Hello all,

I have the Directory server up and running. My question is how to get the user accounts from one of my servers into the directory? I do not have an existing ldap or nis server, we are using local systems account creation and authentication. I did a search through the archives but wasn't able to come up with anything. Any insight would be very helpful and appreciated.

Thanks
Vince

From oscar.valdez at duraflex-politex.com Thu Apr 6 15:37:39 2006
From: oscar.valdez at duraflex-politex.com (Oscar A. Valdez)
Date: Thu, 06 Apr 2006 09:37:39 -0600
Subject: [Fedora-directory-users] Existing User Accounts
In-Reply-To: <9F92B51F2F581A4EAEC46C84759BE79D01F65D6A@BALI.uhd.campus>
References: <9F92B51F2F581A4EAEC46C84759BE79D01F65D6A@BALI.uhd.campus>
Message-ID: <1144337860.2124.12.camel@wzowski.duraflex-politex.com>

On Thu, 06-04-2006 at 09:49 -0500, Esquivel, Vicente wrote:
> I have the Directory server up and running. My question is how to get
> the user accounts from one of my servers into the directory? I do not
> have an existing ldap or nis server, we are using local systems
> account creation and authentication. I did a search through the
> archives but wasn't able to come up with anything. Any insight would
> be very helpful and appreciated.

Try the Migration Tools from PADL software (they are also the creators of the nss_ldap and pam_ldap modules):

http://www.padl.com/OSS/MigrationTools.html

You first have to edit migrate_base.pl for your organization's naming context.
The scripts migrate_passwd.pl, migrate_group.pl, migrate_aliases.pl, etc., will do what their names suggest. They output in ldif format to standard output, so you can tweak the results before importing into your DS server.

After importing my existing users, I wrote my own script for new user creation that generates the ldif stuff.

--
Oscar A. Valdez

From jsummers at bachman.cs.ou.edu Thu Apr 6 20:41:59 2006
From: jsummers at bachman.cs.ou.edu (Jim Summers)
Date: Thu, 06 Apr 2006 15:41:59 -0500
Subject: [Fedora-directory-users] Mac OS X Client authenticating against Fedora Directory Server
In-Reply-To: <44312A97.5030800@cs.ou.edu>
References: <442DA390.4070607@cs.ou.edu> <44312A97.5030800@cs.ou.edu>
Message-ID: <44357D17.20503@cs.ou.edu>

Jim Summers wrote:
>
> David Schibeci wrote:
>> For the record, I could only get MacOS 10.4 to authenticate against
>> FDS, but this could be because I am using a non-standard port (390 +
>> 637 for LDAP and LDAPS respectively).
>>
> At least you got it going. I am using standard ports. Here is
> something I found in my logs on the fds server:
>
> [31/Mar/2006:13:56:42 -0600] conn=10197 fd=82 slot=82 SSL connection
> from 129.15.xx.xx to 129.15.xx.xx
> [31/Mar/2006:13:56:42 -0600] conn=10197 op=-1 fd=82 closed - Encountered
> end of file.
>
> This only shows up when I edit the entry in DirectoryServices and commit
> the changes. Then I try an id command, which fails and I see the above
> message.
>
> Any ideas what the eof means?
>
> My ssl works between fds and other linux machines.
>
>> The only trick I needed was when configuring your LDAP source, under
>> the Security tab I needed to enable "Encrypt all packers (requires SSL
>> or Kerberos).
>
> I will look for that. Thanks
>
> Will post results.

Finally got back to this machine. By enabling the "Encrypt all packers", I was able to successfully authenticate against the FDS.

Many Thanks!

>
> Thanks again.
>>
>> It seems DirectoryServices was trying to initiate a SASL connection
>> over SSL which would fail, but this could be due to a non-standard
>> port.
>>
>> Cheers,
>> David
>>
>> On 01/04/2006, at 5:48 AM, Jim Summers wrote:
>>
>>> Hello List,
>>>
>>> I am following up on a thread that was initiated by David Schibeci a
>>> few weeks back. He was trying to configure os/x machines to
>>> authenticate against fds.
>>>
>>> I too will have to authenticate some os/x machines when I migrate over
>>> to fds. So I thought I should test it out.
>>>
>>> Unfortunately I was not able to get it to work. All I am seeing in
>>> the system.log file are entries such as:
>>>
>>> DSOpenNode(): dsOpenDirNode("/LDAPv3/ipaddress") == -14002
>>> DSGetCurrentConfigInfo(): dsGetRecordEntry() == -14061
>>>
>>> Not too informative.
>>>
>>> Any ideas or suggestions will be greatly appreciated.
>>>
>>> Thanks
>>> --Jim Summers
>>> School of Computer Science-University of Oklahoma
>>> -------------------------------------------------
>>>
>

--
Jim Summers
School of Computer Science-University of Oklahoma
-------------------------------------------------

From robert.sanders at ipov.net Thu Apr 6 21:51:26 2006
From: robert.sanders at ipov.net (Robert r. Sanders)
Date: Thu, 06 Apr 2006 16:51:26 -0500
Subject: [Fedora-directory-users] Schema Conversion (again).
Message-ID: <44358D5E.70203@ipov.net>

We're trying to get the Zimbra Collaboration Suite to talk to a Fedora Directory Server (Zimbra by default uses its own version of OpenLDAP). Zimbra includes LDAP schema files, and we've tried to use Mike Jackson's schema migration tool ol-schema-migrate.pl as well as the ol2rhds.pl script.
The problem appears to be that the schema in question makes heavy use of the OpenLDAP OID Macros (see http://www.openldap.org/doc/admin23/schema.html , the "OID Macros" section at the bottom of the page).

Does anyone know of any tools which would help?

A sample of the original schema is:

objectIdentifier ZimbraRoot 1.3.6.1.4.1.19348
objectIdentifier ZimbraLDAP ZimbraRoot:2
...
objectIdentifier ZimbraAttrType ZimbraLDAP:1
...
objectIdentifier zimbraComponentAvailable ZimbraAttrType:242
...
attributetype ( zimbraComponentAvailable
    NAME 'zimbraComponentAvailable'
    DESC 'Names of additonal components that have been installed'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64} )

The complete schema can be viewed at - http://cvs.zimbra.com:8080/viewrep/~raw,r=1.48/zimbra_main/ZimbraServer/conf/ldap/zimbra.schema

My understanding is that OpenLDAP knows to replace the "attributetype ( zimbraComponentAvailable" with "attributetype ( 1.3.6.1.4.1.19348.2.242" (or something similar). The referenced perl scripts output:

attributeTypes: ( zimbraComponentAvailable
    NAME 'zimbraComponentAvailable'
    DESC 'Names of additonal components that have been installed'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64} )

which fails to load properly as the symbolic name "zimbraComponentAvailable" is not replaced by the actual value.

Anyway, any help would be very appreciated.

Thanks,
-- 
Robert r. Sanders
Chief Technologist
iPOV
(334) 821-5412
www.ipov.net

From mj at sci.fi Thu Apr 6 21:50:50 2006
From: mj at sci.fi (Mike Jackson)
Date: Fri, 07 Apr 2006 00:50:50 +0300
Subject: [Fedora-directory-users] Schema Conversion (again).
In-Reply-To: <44358D5E.70203@ipov.net>
References: <44358D5E.70203@ipov.net>
Message-ID: <44358D3A.1010601@sci.fi>

Robert r.
Sanders wrote:
> We're trying to get the Zimbra Collaboration Suite to talk to a Fedora
> Directory Server (Zimbra by default uses its own version of OpenLDAP).
> Zimbra includes LDAP schema files, and we've tried to use Mike Jackson's
> schema migration tool ol-schema-migrate.pl as well as the ol2rhds.pl
> script. The problem appears to be that the schema in question makes
> heavy use of the OpenLDAP OID Macros (see
> http://www.openldap.org/doc/admin23/schema.html , the "OID Macros"
> section at the bottom of the page).

Hi,

Somebody contributed an OID macro patch once, but it did not work very well and I had to reverse it. If you are in a hurry, just go through the file and replace the macros, then run the migration tool.

BR,
-- 
mike

From del at babel.com.au Fri Apr 7 03:53:36 2006
From: del at babel.com.au (Del)
Date: Fri, 07 Apr 2006 13:53:36 +1000
Subject: [Fedora-directory-users] Schema Conversion (again).
In-Reply-To: <44358D5E.70203@ipov.net>
References: <44358D5E.70203@ipov.net>
Message-ID: <4435E240.2060905@babel.com.au>

Robert r. Sanders wrote:
> We're trying to get the Zimbra Collaboration Suite to talk to a Fedora
> Directory Server (Zimbra by default uses its own version of OpenLDAP).
> Zimbra includes LDAP schema files, and we've tried to use Mike Jackson's
> schema migration tool ol-schema-migrate.pl as well as the ol2rhds.pl
> script. The problem appears to be that the schema in question makes
> heavy use of the OpenLDAP OID Macros (see
> http://www.openldap.org/doc/admin23/schema.html , the "OID Macros"
> section at the bottom of the page).
>
> Does anyone know of any tools which would help?
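As an added example (not one of the tools named in this thread, and not Zimbra's or Fedora DS code), the manual step Mike describes can be scripted: read the objectIdentifier lines, expand Name or Name:suffix references to dotted OIDs, and rewrite the attributetype/objectclass headers so a converter that expects numeric OIDs gets them. The schema below is a constructed excerpt in the shape of the Zimbra lines quoted above; unknown or circular macros raise instead of passing a symbolic name through, which is the failure the migrated output showed.

```python
"""Expand OpenLDAP 'objectIdentifier' OID macros in a schema file.

Added example, not ol-schema-migrate.pl or ol2rhds.pl. It does the manual
replacement Mike suggests so that the result can be fed to a converter
that expects numeric OIDs. The sample schema is a constructed excerpt
modelled on the Zimbra lines quoted in the thread; the OID it produces
is simply what the macros expand to, not a value checked against
Zimbra's real schema.
"""
import re

# objectIdentifier <name> <oid-or-macro>  (slapd.conf style, see the
# "OID Macros" section of the OpenLDAP admin guide)
OBJID_RE = re.compile(r"^\s*objectIdentifier\s+(\S+)\s+(\S+)\s*$", re.I)
# attributetype ( <oid> ...   /   objectclass ( <oid> ...
HEAD_RE = re.compile(r"^(\s*(?:attributetype|objectclass)\s*\(\s*)(\S+)", re.I)


def resolve(ref, macros):
    """Turn 'Name', 'Name:1.2' or a literal dotted OID into a dotted OID.

    Raises KeyError for an unknown macro and ValueError for a circular
    definition, rather than emitting the symbolic name unchanged.
    """
    seen = set()
    while not re.fullmatch(r"\d+(\.\d+)+", ref):
        if ref in seen:
            raise ValueError("circular OID macro: %s" % ref)
        seen.add(ref)
        name, _, suffix = ref.partition(":")
        if name not in macros:
            raise KeyError("unknown OID macro: %s" % name)
        ref = macros[name] + ("." + suffix if suffix else "")
    return ref


def expand_schema(text):
    """Return (expanded_schema_text, macro_table).

    objectIdentifier lines are consumed; every attributetype/objectclass
    header whose OID is symbolic is rewritten with the numeric OID.
    """
    macros = {}
    out = []
    for line in text.splitlines():
        m = OBJID_RE.match(line)
        if m:
            # A definition may refer to earlier macros; resolve it now.
            macros[m.group(1)] = resolve(m.group(2), macros)
            continue
        h = HEAD_RE.match(line)
        if h:
            line = h.group(1) + resolve(h.group(2), macros) + line[h.end():]
        out.append(line)
    return "\n".join(out) + "\n", macros


# Constructed sample in the shape of the Zimbra schema quoted above.
SAMPLE_SCHEMA = """\
objectIdentifier ZimbraRoot 1.3.6.1.4.1.19348
objectIdentifier ZimbraLDAP ZimbraRoot:2
objectIdentifier ZimbraAttrType ZimbraLDAP:1
objectIdentifier zimbraComponentAvailable ZimbraAttrType:242
attributetype ( zimbraComponentAvailable
    NAME 'zimbraComponentAvailable'
    DESC 'Names of additional components that have been installed'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64} )
"""

if __name__ == "__main__":
    expanded, table = expand_schema(SAMPLE_SCHEMA)
    print(expanded)
```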
If your OpenLDAP schema is readable via LDAP, then the LdapImport.pl tool should be able to read your schema from OpenLDAP and write it directly to a running FDS server:

http://wiki.babel.com.au/index.php?area=Linux_Projects&page=LdapImport

-- 
Del
Babel Com Australia
http://www.babel.com.au/
ph: 02 9368 0728
fax: 02 9368 0758

From magobin at gmail.com Fri Apr 7 06:46:54 2006
From: magobin at gmail.com (Alessandro Binarelli)
Date: Fri, 7 Apr 2006 08:46:54 +0200
Subject: [Fedora-directory-users] Re: SubjectAltName how does it work?
In-Reply-To: <443527D7.1010605@redhat.com>
References: <20060405160007.530E573823@hormel.redhat.com> <44341BB4.1050807@symas.com> <1144320473.8246.13.camel@localhost.localdomain> <1144332310.8246.31.camel@localhost.localdomain> <443527D7.1010605@redhat.com>
Message-ID: <108b923c0604062346h5899fdafyba7217683dd2897e@mail.gmail.com>

> >Assuming you already have a CA nicknamed 'cacert' and your database is
> >in the directory named 'foo':
> >
> >% certutil -R -d foo -s "cn=localhost,dc=example,dc=com" -o tmpcertreq -g 1024
> >% certutil -C -d foo -c cacert -i tmpcertreq -o tmpcert.der -m 9 -v 12 -1 -5 -8 foo.example.com
> >% certutil -A -d foo -n Alt-Cert -t u,u,u -i tmpcert.der
> >% certutil -L -d foo -n Alt-Cert
> >% rm -f tmpcert.der tmpcertreq

Thanks as always.... at this moment I can't try because I'm traveling for work... but, reading what you have posted.... I missed "-n Alt-Cert" in my commands... I want to try as soon as possible.... but where did you find that? :-)

Thanks
Alex

From rcritten at redhat.com Fri Apr 7 12:51:04 2006
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 07 Apr 2006 08:51:04 -0400
Subject: [Fedora-directory-users] Re: SubjectAltName how does it work?
In-Reply-To: <108b923c0604062346h5899fdafyba7217683dd2897e@mail.gmail.com>
References: <20060405160007.530E573823@hormel.redhat.com> <44341BB4.1050807@symas.com> <1144320473.8246.13.camel@localhost.localdomain> <1144332310.8246.31.camel@localhost.localdomain> <443527D7.1010605@redhat.com> <108b923c0604062346h5899fdafyba7217683dd2897e@mail.gmail.com>
Message-ID: <44366038.7050108@redhat.com>

Alessandro Binarelli wrote:
> >Assuming you already have a CA nicknamed 'cacert' and your database is
> >in the directory named 'foo':
> >
> >% certutil -R -d foo -s "cn=localhost,dc=example,dc=com" -o tmpcertreq -g 1024
> >% certutil -C -d foo -c cacert -i tmpcertreq -o tmpcert.der -m 9 -v 12 -1 -5 -8 foo.example.com
> >% certutil -A -d foo -n Alt-Cert -t u,u,u -i tmpcert.der
> >% certutil -L -d foo -n Alt-Cert
> >% rm -f tmpcert.der tmpcertreq
>
> Thanks as always.... at this moment I can't try because I'm traveling for
> work... but, reading what you have posted.... I missed "-n Alt-Cert" in my
> commands... I want to try as soon as possible.... but where did you find
> that? :-)

Nothing magical, -n is just the certificate nickname and Server-Cert was already used, so I chose Alt-Cert.

rob

From oscar.valdez at duraflex-politex.com Fri Apr 7 15:54:24 2006
From: oscar.valdez at duraflex-politex.com (Oscar A. Valdez)
Date: Fri, 07 Apr 2006 09:54:24 -0600
Subject: [Fedora-directory-users] Dovecot and FDS
Message-ID: <1144425265.2105.21.camel@wzowski.duraflex-politex.com>

The Howto at http://directory.fedora.redhat.com/wiki/Howto:Dovecot is really very skimpy (two lines that refer you offsite, to a Howto based on OpenLDAP).

I spent most of yesterday banging my head, making dovecot authenticate against FDS.
The mail server on which dovecot is installed has the nss_ldap and pam_ldap packages installed, and /etc/dovecot.conf has the following two lines:

auth_userdb = ldap /etc/dovecot-ldap.conf
auth_passdb = pam

In other words, dovecot should use LDAP to access the user database, but PAM for authentication. This part is working, since users authenticate and get their mails through dovecot.

/etc/dovecot-ldap.conf contains the following:

hosts = 192.168.0.2
ldap_version = 3
base = ou=People, dc=duraflex, dc=com, dc=sv
deref = never
scope = subtree
user_attrs = uid,homeDirectory,,,uidNumber,gidNumber
user_filter = (&(objectClass=posixAccount)(uid=%u))

I haven't specified a dn or dnpass, since all I need is that dovecot perform an anonymous query for the uid, homeDirectory, uidNumber and gidNumber fields of its users, which are publicly viewable. However, my FDS server's access log has entries like these:

conn=3266227 fd=138 slot=138 connection from 192.168.0.100 to 192.168.0.2
conn=3266227 op=0 BIND dn="" method=128 version=3
conn=3266227 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
conn=3266227 op=1 SRCH base="ou=People,dc=duraflex,dc=com,dc=sv" scope=1 filter="(&(objectClass=posixAccount)(uid=dovecot))" attrs=ALL
conn=3266227 op=1 RESULT err=0 tag=101 nentries=0 etime=0
conn=3266227 op=2 SRCH base="ou=Groups,dc=duraflex,dc=com,dc=sv" scope=1 filter="(&(objectClass=posixGroup)(memberUid=dovecot))" attrs="gidNumber"
conn=3266227 op=2 RESULT err=0 tag=101 nentries=0 etime=0
conn=3266227 op=-1 fd=138 closed - B1

Dovecot tries binding with an empty dn, fails, then queries FDS for a user or group called dovecot (which don't exist on the DS), and fails.

Is there a way to tell dovecot to query anonymously?

-- 
Oscar A.
Valdez

From rmeggins at redhat.com Fri Apr 7 16:08:53 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 07 Apr 2006 10:08:53 -0600
Subject: [Fedora-directory-users] Dovecot and FDS
In-Reply-To: <1144425265.2105.21.camel@wzowski.duraflex-politex.com>
References: <1144425265.2105.21.camel@wzowski.duraflex-politex.com>
Message-ID: <44368E95.1080504@redhat.com>

Oscar A. Valdez wrote:
> The Howto at http://directory.fedora.redhat.com/wiki/Howto:Dovecot is
> really very skimpy (two lines that refer you offsite, to a Howto based
> on OpenLDAP).
>
> I spent most of yesterday banging my head, making dovecot authenticate
> against FDS. The mail server on which dovecot is installed has the
> nss_ldap and pam_ldap packages installed, and /etc/dovecot.conf has the
> following two lines:
>
> auth_userdb = ldap /etc/dovecot-ldap.conf
> auth_passdb = pam
>
> In other words, dovecot should use LDAP to access the user database, but
> PAM for authentication. This part is working, since users authenticate
> and get their mails through dovecot.
>
> /etc/dovecot-ldap.conf contains the following:
>
> hosts = 192.168.0.2
> ldap_version = 3
> base = ou=People, dc=duraflex, dc=com, dc=sv
> deref = never
> scope = subtree
> user_attrs = uid,homeDirectory,,,uidNumber,gidNumber
> user_filter = (&(objectClass=posixAccount)(uid=%u))
>
> I haven't specified a dn or dnpass, since all I need is that dovecot
> perform an anonymous query for the uid, homeDirectory, uidNumber and
> gidNumber fields of its users, which are publicly viewable.
> However, my FDS server's access log has entries like these:
>
> conn=3266227 fd=138 slot=138 connection from 192.168.0.100 to 192.168.0.2
> conn=3266227 op=0 BIND dn="" method=128 version=3
> conn=3266227 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
> conn=3266227 op=1 SRCH base="ou=People,dc=duraflex,dc=com,dc=sv" scope=1 filter="(&(objectClass=posixAccount)(uid=dovecot))" attrs=ALL
> conn=3266227 op=1 RESULT err=0 tag=101 nentries=0 etime=0
> conn=3266227 op=2 SRCH base="ou=Groups,dc=duraflex,dc=com,dc=sv" scope=1 filter="(&(objectClass=posixGroup)(memberUid=dovecot))" attrs="gidNumber"
> conn=3266227 op=2 RESULT err=0 tag=101 nentries=0 etime=0
> conn=3266227 op=-1 fd=138 closed - B1
>
> Dovecot tries binding with an empty dn, fails,

It doesn't fail, according to the log - the result of the BIND request is err=0 i.e. success. In LDAP, dn="" is an anonymous BIND. So, two possible problems:
1) Did you try that same search from the command line using ldapsearch? Same results?
2) Did you set up your ACIs to allow anonymous read/search/compare access to those entries and attributes?

> then queries FDS for a
> user or group called dovecot (which don't exist on the DS), and fails.
>
> Is there a way to tell dovecot to query anonymously?

From oscar.valdez at duraflex-politex.com Fri Apr 7 16:30:07 2006
From: oscar.valdez at duraflex-politex.com (Oscar A. Valdez)
Date: Fri, 07 Apr 2006 10:30:07 -0600
Subject: [Fedora-directory-users] Dovecot and FDS
In-Reply-To: <44368E95.1080504@redhat.com>
References: <1144425265.2105.21.camel@wzowski.duraflex-politex.com> <44368E95.1080504@redhat.com>
Message-ID: <1144427407.2105.23.camel@wzowski.duraflex-politex.com>

On Fri, 07-04-2006 at 10:08 -0600, Richard Megginson wrote:
> Oscar A.
Valdez wrote:
> > my FDS server's access log has entries like these:
> >
> > conn=3266227 fd=138 slot=138 connection from 192.168.0.100 to 192.168.0.2
> > conn=3266227 op=0 BIND dn="" method=128 version=3
> > conn=3266227 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
> > conn=3266227 op=1 SRCH base="ou=People,dc=duraflex,dc=com,dc=sv" scope=1 filter="(&(objectClass=posixAccount)(uid=dovecot))" attrs=ALL
> > conn=3266227 op=1 RESULT err=0 tag=101 nentries=0 etime=0
> > conn=3266227 op=2 SRCH base="ou=Groups,dc=duraflex,dc=com,dc=sv" scope=1 filter="(&(objectClass=posixGroup)(memberUid=dovecot))" attrs="gidNumber"
> > conn=3266227 op=2 RESULT err=0 tag=101 nentries=0 etime=0
> > conn=3266227 op=-1 fd=138 closed - B1
> >
> > Dovecot tries binding with an empty dn, fails,
> It doesn't fail, according to the log - the result of the BIND request
> is err=0 i.e. success.
> In LDAP, dn="" is an anonymous BIND. So, two possible problems:
> 1) Did you try that same search from the command line using ldapsearch?
> Same results?
> 2) Did you set up your ACIs to allow anonymous read/search/compare
> access to those entries and attributes?

Thanks for the answer. Why the search for a dovecot user and group?

-- 
Oscar A. Valdez

From rmeggins at redhat.com Fri Apr 7 16:23:08 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 07 Apr 2006 10:23:08 -0600
Subject: [Fedora-directory-users] Dovecot and FDS
In-Reply-To: <1144427407.2105.23.camel@wzowski.duraflex-politex.com>
References: <1144425265.2105.21.camel@wzowski.duraflex-politex.com> <44368E95.1080504@redhat.com> <1144427407.2105.23.camel@wzowski.duraflex-politex.com>
Message-ID: <443691EC.10508@redhat.com>

Oscar A. Valdez wrote:
> On Fri, 07-04-2006 at 10:08 -0600, Richard Megginson wrote:
>
>> Oscar A.
Valdez wrote:
>>> my FDS server's access log has entries like these:
>>>
>>> conn=3266227 fd=138 slot=138 connection from 192.168.0.100 to 192.168.0.2
>>> conn=3266227 op=0 BIND dn="" method=128 version=3
>>> conn=3266227 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
>>> conn=3266227 op=1 SRCH base="ou=People,dc=duraflex,dc=com,dc=sv" scope=1 filter="(&(objectClass=posixAccount)(uid=dovecot))" attrs=ALL
>>> conn=3266227 op=1 RESULT err=0 tag=101 nentries=0 etime=0
>>> conn=3266227 op=2 SRCH base="ou=Groups,dc=duraflex,dc=com,dc=sv" scope=1 filter="(&(objectClass=posixGroup)(memberUid=dovecot))" attrs="gidNumber"
>>> conn=3266227 op=2 RESULT err=0 tag=101 nentries=0 etime=0
>>> conn=3266227 op=-1 fd=138 closed - B1
>>>
>>> Dovecot tries binding with an empty dn, fails,
>>
>> It doesn't fail, according to the log - the result of the BIND request
>> is err=0 i.e. success.
>> In LDAP, dn="" is an anonymous BIND. So, two possible problems:
>> 1) Did you try that same search from the command line using ldapsearch?
>> Same results?
>> 2) Did you set up your ACIs to allow anonymous read/search/compare
>> access to those entries and attributes?
>
> Thanks for the answer. Why the search for a dovecot user and group?

I don't know. You might try asking on a dovecot list.

From Esquivelv at uhd.edu Fri Apr 7 20:16:52 2006
From: Esquivelv at uhd.edu (Esquivel, Vicente)
Date: Fri, 7 Apr 2006 15:16:52 -0500
Subject: [Fedora-directory-users] Existing User Accounts
Message-ID: <9F92B51F2F581A4EAEC46C84759BE79D01F65D76@BALI.uhd.campus>

Thanks for the reply.

I ran the scripts and was able to get all of the users imported into the Directory server. The only question is how do I get their email address into the Directory of the passwd and shadow file information?
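Returning to the Dovecot access-log thread above, an added example (not part of the thread and not a Fedora DS tool) that makes Richard's reading of the log mechanical: it pairs each BIND and SRCH with the RESULT carrying the same conn/op, reports a dn="" err=0 BIND as a successful anonymous bind, and flags a search that came back err=0 nentries=0 as one that ran but matched nothing visible to that identity, which is where his ldapsearch and ACI checks come in. The log lines are a constructed sample modelled on Oscar's excerpt.

```python
"""Correlate BIND/SRCH requests with their RESULT lines in a Fedora DS
access log.

Added example, not part of the thread. A RESULT for a BIND with dn="" and
err=0 is a successful anonymous bind; a SRCH RESULT with err=0 and
nentries=0 means the search ran but matched nothing visible to that bind
identity (no such entry, or the ACIs hide it from anonymous). The log
lines below are a constructed sample modelled on the ones in the thread.
"""
import re
from collections import namedtuple

# Optional "[dd/Mon/yyyy:HH:MM:SS +zzzz] " timestamp, then conn= and op=.
LINE_RE = re.compile(
    r"^(?:\[[^\]]+\]\s+)?conn=(?P<conn>\d+)\s+op=(?P<op>-?\d+)\s+"
    r"(?P<kind>BIND|SRCH|RESULT)\s*(?P<rest>.*)$")
# key=value or key="quoted value" pairs in the remainder of the line
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

Finding = namedtuple("Finding", "conn op kind detail")


def parse_kv(rest):
    """Split 'err=0 tag=97 dn=""' into a dict, dropping the quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(rest)}


def analyse(log_text):
    """Return one Finding per BIND or SRCH that received a RESULT."""
    pending = {}    # (conn, op) -> (kind, request fields) awaiting RESULT
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue    # connection open/close and other record types
        key = (m["conn"], m["op"])
        fields = parse_kv(m["rest"])
        if m["kind"] in ("BIND", "SRCH"):
            pending[key] = (m["kind"], fields)
            continue
        req = pending.pop(key, None)    # RESULT: pair with its request
        if req is None:
            continue
        kind, reqf = req
        err = int(fields.get("err", "-1"))
        if kind == "BIND":
            who = reqf.get("dn", "")
            if err != 0:
                detail = "bind as %r FAILED err=%d" % (who, err)
            elif who == "":
                detail = "anonymous bind succeeded (dn=\"\" err=0)"
            else:
                detail = "bind as %r succeeded" % who
        else:
            n = int(fields.get("nentries", "0"))
            detail = "search base=%s filter=%s -> err=%d nentries=%d" % (
                reqf.get("base"), reqf.get("filter"), err, n)
            if err == 0 and n == 0:
                detail += " (ran fine, nothing returned: no such entry or ACI hides it)"
        findings.append(Finding(key[0], int(key[1]), kind, detail))
    return findings


# Constructed sample in the shape of the access-log excerpt in the thread.
SAMPLE_LOG = """\
conn=3266227 fd=138 slot=138 connection from 192.168.0.100 to 192.168.0.2
conn=3266227 op=0 BIND dn="" method=128 version=3
conn=3266227 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
conn=3266227 op=1 SRCH base="ou=People,dc=duraflex,dc=com,dc=sv" scope=1 filter="(&(objectClass=posixAccount)(uid=dovecot))" attrs=ALL
conn=3266227 op=1 RESULT err=0 tag=101 nentries=0 etime=0
conn=3266227 op=2 SRCH base="ou=Groups,dc=duraflex,dc=com,dc=sv" scope=1 filter="(&(objectClass=posixGroup)(memberUid=dovecot))" attrs="gidNumber"
conn=3266227 op=2 RESULT err=0 tag=101 nentries=0 etime=0
conn=3266227 op=-1 fd=138 closed - B1
"""

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print("conn=%s op=%d %s: %s" % f)
```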
Thanks
Vince

> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com
> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf
> Of Oscar A. Valdez
> Sent: Thursday, April 06, 2006 10:38 AM
> To: General discussion list for the Fedora Directory server project.
> Subject: Re: [Fedora-directory-users] Existing User Accounts
>
> On Thu, 06-04-2006 at 09:49 -0500, Esquivel, Vicente wrote:
> > I have the Directory server up and running. My question is how to get
> > the user accounts from one of my servers into the directory? I do not
> > have an existing ldap or nis server, we are using local systems
> > account creation and authentication. I did a search through the
> > archives but wasn't able to come up with anything. Any insight would
> > be very helpful and appreciated.
>
> Try the Migration Tools from PADL software (they are also the
> creators of the nss_ldap and pam_ldap modules):
>
> http://www.padl.com/OSS/MigrationTools.html
>
> You first have to edit migrate_base.pl for your
> organization's naming context. The scripts migrate_passwd.pl,
> migrate_group.pl, migrate_aliases.pl, etc., will do what
> their names suggest. They output in ldif format to standard
> output, so you can tweak the results before importing into
> your DS server.
>
> After importing my existing users, I wrote my own script for
> new user creation that generates the ldif stuff.
>
> --
> Oscar A.
Valdez

From gholbert at broadcom.com Fri Apr 7 20:21:42 2006
From: gholbert at broadcom.com (George Holbert)
Date: Fri, 07 Apr 2006 13:21:42 -0700
Subject: [Fedora-directory-users] Existing User Accounts
In-Reply-To: <9F92B51F2F581A4EAEC46C84759BE79D01F65D76@BALI.uhd.campus>
References: <9F92B51F2F581A4EAEC46C84759BE79D01F65D76@BALI.uhd.campus>
Message-ID: <4436C9D6.6000003@broadcom.com>

The usual attribute for email addresses is "mail".
You may need to add another objectclass (like inetOrgPerson) to your objects in order for the mail attribute to be available.

Esquivel, Vicente wrote:
> Thanks for the reply.
>
> I ran the scripts and was able to get all of the users imported into the Directory server. The only question is how do I get their email address into the Directory of the passwd and shadow file information?
>
> Thanks
> Vince
>
>> -----Original Message-----
>> From: fedora-directory-users-bounces at redhat.com
>> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf
>> Of Oscar A. Valdez
>> Sent: Thursday, April 06, 2006 10:38 AM
>> To: General discussion list for the Fedora Directory server project.
>> Subject: Re: [Fedora-directory-users] Existing User Accounts
>>
>> On Thu, 06-04-2006 at 09:49 -0500, Esquivel, Vicente wrote:
>>
>>> I have the Directory server up and running. My question is how to get
>>> the user accounts from one of my servers into the directory? I do not
>>> have an existing ldap or nis server, we are using local systems
>>> account creation and authentication. I did a search through the
>>> archives but wasn't able to come up with anything. Any insight would
>>> be very helpful and appreciated.
>>> >> Try the Migration Tools from PADL software (they are also the >> creators of the nss_ldap and pam_ldap modules): >> >> http://www.padl.com/OSS/MigrationTools.html >> >> You first have to edit migrate_base.pl for your >> organization's naming context. The scripts migrate_passwd.pl, >> migrate_group.pl, migrate_aliases.pl, etc., will do what >> their names suggest. They output in ldif format to standard >> output, so you can tweak the results before importing into >> your DS server. >> >> After importing my existing users, I wrote my own script for >> new user creation that generates the ldif stuff. >> >> -- >> Oscar A. Valdez >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > From Esquivelv at uhd.edu Fri Apr 7 20:33:36 2006 From: Esquivelv at uhd.edu (Esquivel, Vicente) Date: Fri, 7 Apr 2006 15:33:36 -0500 Subject: [Fedora-directory-users] Existing User Accounts Message-ID: <9F92B51F2F581A4EAEC46C84759BE79D01F65D77@BALI.uhd.campus> Ok I am a total newbie to the Directory so bear with me. Do you accomplish this by going to the configuration tab then selecting schema? Vince > -----Original Message----- > From: fedora-directory-users-bounces at redhat.com > [mailto:fedora-directory-users-bounces at redhat.com] On Behalf > Of George Holbert > Sent: Friday, April 07, 2006 3:22 PM > To: General discussion list for the Fedora Directory server project. > Subject: Re: [Fedora-directory-users] Existing User Accounts > > The usual attribute for email addresses is "mail". > You may need to add another objectclass (like inetOrgPerson) > to your objects in order for the mail attribute to be available. > > Esquivel, Vicente wrote: > > Thanks for the reply. 
> > > > I ran the scripts and was able to get all of the users > imported into the Directory server. The only question is how > do I get their email address into the Directory of the passwd > and shadow file information? > > > > Thanks > > Vince > > > > > >> -----Original Message----- > >> From: fedora-directory-users-bounces at redhat.com > >> [mailto:fedora-directory-users-bounces at redhat.com] On > Behalf Of Oscar > >> A. Valdez > >> Sent: Thursday, April 06, 2006 10:38 AM > >> To: General discussion list for the Fedora Directory > server project. > >> Subject: Re: [Fedora-directory-users] Existing User Accounts > >> > >> El jue, 06-04-2006 a las 09:49 -0500, Esquivel, Vicente escribi?: > >> > >>> I have the Directory server up and running. My question is > >>> > >> how to get > >> > >>> the user accounts from one of my servers into the > >>> > >> directory? I do not > >> > >>> have an existing ldap or nis server, we are using local systems > >>> account creation and authentication. I did a search through the > >>> archives but wasn't able to come up with anything. Any > >>> > >> insight would > >> > >>> be very helpful and appreciated. > >>> > >> Try the Migration Tools from PADL software (they are also the > >> creators of the nss_ldap and pam_ldap modules): > >> > >> http://www.padl.com/OSS/MigrationTools.html > >> > >> You first have to edit migrate_base.pl for your > organization's naming > >> context. The scripts migrate_passwd.pl, migrate_group.pl, > >> migrate_aliases.pl, etc., will do what their names suggest. They > >> output in ldif format to standard output, so you can tweak the > >> results before importing into your DS server. > >> > >> After importing my existing users, I wrote my own script > for new user > >> creation that generates the ldif stuff. > >> > >> -- > >> Oscar A. 
Valdez

From gholbert at broadcom.com Fri Apr 7 20:44:20 2006
From: gholbert at broadcom.com (George Holbert)
Date: Fri, 07 Apr 2006 13:44:20 -0700
Subject: [Fedora-directory-users] Existing User Accounts
In-Reply-To: <9F92B51F2F581A4EAEC46C84759BE79D01F65D77@BALI.uhd.campus>
References: <9F92B51F2F581A4EAEC46C84759BE79D01F65D77@BALI.uhd.campus>
Message-ID: <4436CF24.2050907@broadcom.com>

You would add a new objectclass to the objects that were created when you imported the passwd file. For example, if your account objects were created with the following objectclasses:

objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount

...then they will have no mail attribute. So, you could add:

objectClass: inetOrgPerson

for each, and then you can also populate "mail" for each.

You can make these changes with ldapmodify, or the console, or whatever you prefer. You could also tweak the migrate_passwd.pl script and re-import everything, if you want.

There are other ways you could store email addresses in your directory, but the above example is probably what you're trying to do.

Esquivel, Vicente wrote:
> Ok I am a total newbie to the Directory so bear with me. Do you accomplish this by going to the configuration tab then selecting schema?
> > Vince > > >> -----Original Message----- >> From: fedora-directory-users-bounces at redhat.com >> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf >> Of George Holbert >> Sent: Friday, April 07, 2006 3:22 PM >> To: General discussion list for the Fedora Directory server project. >> Subject: Re: [Fedora-directory-users] Existing User Accounts >> >> The usual attribute for email addresses is "mail". >> You may need to add another objectclass (like inetOrgPerson) >> to your objects in order for the mail attribute to be available. >> >> Esquivel, Vicente wrote: >> >>> Thanks for the reply. >>> >>> I ran the scripts and was able to get all of the users >>> >> imported into the Directory server. The only question is how >> do I get their email address into the Directory of the passwd >> and shadow file information? >> >>> Thanks >>> Vince >>> >>> >>> >>>> -----Original Message----- >>>> From: fedora-directory-users-bounces at redhat.com >>>> [mailto:fedora-directory-users-bounces at redhat.com] On >>>> >> Behalf Of Oscar >> >>>> A. Valdez >>>> Sent: Thursday, April 06, 2006 10:38 AM >>>> To: General discussion list for the Fedora Directory >>>> >> server project. >> >>>> Subject: Re: [Fedora-directory-users] Existing User Accounts >>>> >>>> El jue, 06-04-2006 a las 09:49 -0500, Esquivel, Vicente escribi?: >>>> >>>> >>>>> I have the Directory server up and running. My question is >>>>> >>>>> >>>> how to get >>>> >>>> >>>>> the user accounts from one of my servers into the >>>>> >>>>> >>>> directory? I do not >>>> >>>> >>>>> have an existing ldap or nis server, we are using local systems >>>>> account creation and authentication. I did a search through the >>>>> archives but wasn't able to come up with anything. Any >>>>> >>>>> >>>> insight would >>>> >>>> >>>>> be very helpful and appreciated. 
>>>> Try the Migration Tools from PADL software (they are also the
>>>> creators of the nss_ldap and pam_ldap modules):
>>>>
>>>> http://www.padl.com/OSS/MigrationTools.html
>>>>
>>>> You first have to edit migrate_base.pl for your organization's naming
>>>> context. The scripts migrate_passwd.pl, migrate_group.pl,
>>>> migrate_aliases.pl, etc., will do what their names suggest. They
>>>> output in ldif format to standard output, so you can tweak the
>>>> results before importing into your DS server.
>>>>
>>>> After importing my existing users, I wrote my own script for new user
>>>> creation that generates the ldif stuff.
>>>>
>>>> --
>>>> Oscar A. Valdez

From bmoyles at playboy.com Fri Apr 7 21:13:57 2006
From: bmoyles at playboy.com (Brian Moyles)
Date: Fri, 07 Apr 2006 16:13:57 -0500
Subject: [Fedora-directory-users] Odd admin console problem
Message-ID: 

We're in the process of evaluating FDS, but have run into a small problem. I'm forwarding X from the server back to my OS X box running Apple's X11. When I run startconsole, I get a half-drawn login window. I've tried a few different jvms from different vendors, no luck.

http://mirrors.playboy.com/~bmoyles/fds-console.png

I'm sure I'm missing something simple here... Any thoughts?

Thanks for your time,
Brian Moyles
Sr.
Systems Administrator
Playboy Enterprises, Inc.

From bmoyles at playboy.com Fri Apr 7 21:16:11 2006
From: bmoyles at playboy.com (Brian Moyles)
Date: Fri, 07 Apr 2006 16:16:11 -0500
Subject: [Fedora-directory-users] Odd admin console problem
In-Reply-To: 
Message-ID: 

Forgot to mention--this box is a Dell PE1850 running RHEL4 ES update 3.

> From: Brian Moyles
> Reply-To: "General discussion list for the Fedora Directory server project."
> Date: Fri, 07 Apr 2006 16:13:57 -0500
> To: 
> Conversation: Odd admin console problem
> Subject: [Fedora-directory-users] Odd admin console problem
>
> We're in the process of evaluating FDS, but have run into a small problem.
> I'm forwarding X from the server back to my OS X box running Apple's X11.
> When I run startconsole, I get a half-drawn login window. I've tried a few
> different jvms from different vendors, no luck.
> http://mirrors.playboy.com/~bmoyles/fds-console.png
> I'm sure I'm missing something simple here... Any thoughts?
>
> Thanks for your time,
> Brian Moyles
> Sr. Systems Administrator
> Playboy Enterprises, Inc.

From nkinder at redhat.com Fri Apr 7 21:25:04 2006
From: nkinder at redhat.com (Nathan Kinder)
Date: Fri, 07 Apr 2006 14:25:04 -0700
Subject: [Fedora-directory-users] Odd admin console problem
In-Reply-To: 
References: 
Message-ID: <4436D8B0.70905@redhat.com>

Brian Moyles wrote:
>We're in the process of evaluating FDS, but have run into a small problem.
>I'm forwarding X from the server back to my OS X box running Apple's X11.
>When I run startconsole, I get a half-drawn login window. I've tried a few
>different jvms from different vendors, no luck.

Which JVM's have you tried? I would recommend the 1.4 IBM or Sun JVM. 1.5 should work as well. I would also make sure that you are really using the Java you think you are.
In FDS 1.0.2, startconsole doesn't use your $JAVA_HOME setting. It simply uses the first java binary it finds in $PATH.

>http://mirrors.playboy.com/~bmoyles/fds-console.png
>I'm sure I'm missing something simple here... Any thoughts?

I've been able to redirect to my OS X box before, but that was with an earlier Directory Server version. I don't have my OS X laptop with me right now, but I'll give this a try with FDS 1.0.2 later and let you know if it works.

-NGK

>Thanks for your time,
>Brian Moyles
>Sr. Systems Administrator
>Playboy Enterprises, Inc.

From bmoyles at playboy.com Fri Apr 7 21:28:40 2006
From: bmoyles at playboy.com (Brian Moyles)
Date: Fri, 07 Apr 2006 16:28:40 -0500
Subject: [Fedora-directory-users] Odd admin console problem
In-Reply-To: <4436D8B0.70905@redhat.com>
Message-ID: 

> Which JVM's have you tried? I would recommend the 1.4 IBM or Sun JVM.
> 1.5 should work as well. I would also make sure that you are really
> using the Java you think you are. In FDS 1.0.2, startconsole doesn't
> use your $JAVA_HOME setting. It simply uses the first java binary it
> finds in $PATH.

Thanks for the reply. I've tried 1.4.2 and 1.5 from Sun as well as 1.5 from IBM. Same deal. Right now, I don't even have JAVA_HOME configured--I've got java in the path right, though, and set up with alternatives so it's technically the only one that should be found.

> I've been able to redirect to my OS X box before, but that was with an
> earlier Directory Server version. I don't have my OS X laptop with me
> right now, but I'll give this a try with FDS 1.0.2 later and let you
> know if it works.

Thanks for that.
I'm sure it's something weird I'm missing.

From oscar.valdez at duraflex-politex.com Fri Apr 7 21:04:04 2006 From: oscar.valdez at duraflex-politex.com (Oscar A. Valdez) Date: Fri, 07 Apr 2006 15:04:04 -0600 Subject: [Fedora-directory-users] Existing User Accounts In-Reply-To: <9F92B51F2F581A4EAEC46C84759BE79D01F65D76@BALI.uhd.campus> References: <9F92B51F2F581A4EAEC46C84759BE79D01F65D76@BALI.uhd.campus> Message-ID: <1144443845.2105.35.camel@wzowski.duraflex-politex.com>

On Fri, 07-04-2006 at 15:16 -0500, Esquivel, Vicente wrote:
> I ran the scripts and was able to get all of the users imported into the Directory server. The only question is how do I get their email address into the Directory of the passwd and shadow file information?

If you have the inetOrgPerson objectclass, the "mail" field should be available. You can add email addresses via an ldif file and the ldapmodify command:

dn: uid=ovaldez,ou=People,dc=duraflex,dc=com,dc=sv
changetype: modify
add: mail
mail: mymail@mydomain.com

A bash script could help you read uids and gecos fields from the passwd file into the ldif file.

--
Oscar A. Valdez

From ahamino at gmail.com Fri Apr 7 23:10:02 2006 From: ahamino at gmail.com (Abdelrahman) Date: Sat, 8 Apr 2006 01:10:02 +0200 Subject: [Fedora-directory-users] Moving All Users to FDS Message-ID: <003401c65a98$692be110$0200a8c0@abdodesktop>

Dear all,

I want to migrate all my users (about 10000) from OpenLDAP to FDS. The problem is that I need to add a couple of fields to each user and set a default value for these fields! Is there a way to do that?

Regards,
Abdelrahman

-------------- next part -------------- An HTML attachment was scrubbed...
URL:

From prowley at redhat.com Fri Apr 7 23:38:23 2006 From: prowley at redhat.com (Pete Rowley) Date: Fri, 07 Apr 2006 16:38:23 -0700 Subject: [Fedora-directory-users] Moving All Users to FDS In-Reply-To: <003401c65a98$692be110$0200a8c0@abdodesktop> References: <003401c65a98$692be110$0200a8c0@abdodesktop> Message-ID: <4436F7EF.4050207@redhat.com>

Abdelrahman wrote:
> Dear all,
>
> I want to migrate all my users (about 10000) from OpenLDAP to FDS. The
> problem is that I need to add a couple of fields to each user and set
> a default value for these fields!
>
> Is there a way to do that?
>
There are three ways to do that.

1. Migrate the users, then add the attributes via ldap - slow
2. Write a script to directly modify the entries on your migration LDIF - possibly less slow, but you have to write the script
3. Use the FDS Class of Service feature to add the attribute values - fast, requires you to create two CoS configuration entries and all users instantly have the default values. See here http://www.redhat.com/docs/manuals/dir-server/ag/7.1/roles.html#1115605

--
Pete

-------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3241 bytes Desc: S/MIME Cryptographic Signature URL:

From bmoyles at playboy.com Sun Apr 9 22:32:37 2006 From: bmoyles at playboy.com (Brian Moyles) Date: Sun, 09 Apr 2006 17:32:37 -0500 Subject: [Fedora-directory-users] Odd admin console problem In-Reply-To: Message-ID:

>> I've been able to redirect to my OS X box before, but that was with an
>> earlier Directory Server version. I don't have my OS X laptop with me
>> right now, but I'll give this a try with FDS 1.0.2 later and let you
>> know if it works.
>
> Thanks for that. I'm sure it's something weird I'm missing.

Tried this to my iMac G5 at home today--same deal. The login window fails to complete drawing. I'm going to try forwarding to Cygwin on a Windows box in a minute.
From magobin at gmail.com Mon Apr 10 07:15:34 2006 From: magobin at gmail.com (Alessandro Binarelli) Date: Mon, 10 Apr 2006 09:15:34 +0200 Subject: [Fedora-directory-users] Re: SubjectAltName how does it work? Message-ID: <108b923c0604100015y1d727c69ha621cf811252f90f@mail.gmail.com>

Hi,
today I'm trying to solve an SSL issue communicating from Fedora DS to both a client and another DS server for replication. After many tests, with your help, I have reached this point:

I'm always in the alias directory.

Create my CA database:
# ../shared/bin/certutil -N -d .

Make my own CA:
# ../shared/bin/certutil -S -d . -n 'CA Certificate' -s 'cn=CAcert' -x -t CTu,CTu,CTu -g 1024 -m 1 -v 120 -2 -1 -5

Create server key and certificate for server1:
# ../shared/bin/certutil -R -d . -s "cn=nodo1,dc=domain,dc=example,dc=com" -o tmpcertreq -g 1024
# ../shared/bin/certutil -C -d . -c "CA Certificate" -i tmpcertreq -o tmpcert.der -m 3 -v 12 -1 -5 -8 domain.example.com
# ../shared/bin/certutil -A -d . -n nodo1.domain.example.com -t u,u,u -i tmpcert.der
# rm -f tmpcert.der tmpcertreq

Create server key and certificate for server2:
# ../shared/bin/certutil -R -d . -s "cn=nodo2,dc=domain,dc=example,dc=com" -o tmpcertreq -g 1024
# ../shared/bin/certutil -C -d . -c "CA Certificate" -i tmpcertreq -o tmpcert.der -m 4 -v 12 -1 -5 -8 domain.example.com
# ../shared/bin/certutil -A -d . -n Alt-Cert -t u,u,u -i tmpcert.der
# rm -f tmpcert.der tmpcertreq

After that I copy the database to server 2 and rename it to match the correct server... finally I enable SSL encryption on both servers and I try to establish Multi Master Replication via the mmr.pl script, so:

./mmr.pl --host1 nodo1.domain.example.com --host2 nodo2.domain.example.com --host1_id 1 --host2_id 2 --bindpw secret --repmanpw secret --create --with-ssl

Unfortunately, consulting the logs, I find:

NSMMReplicationPlugin - agmt="cn="Replication to nodo2.domain.example.com"" (nodo2:636): Simple bind failed, LDAP sdk error 91 (Can't connect to the LDAP server), Netscape Portable Runtime error -5961 (TCP connection reset by peer.)

It's incredible that when I find a solution for something, at the same time I find a problem in another point :-)

Thanks in advance for support
Alex

-------------- next part -------------- An HTML attachment was scrubbed... URL:

From bharath at testingczars.com Mon Apr 10 07:12:53 2006 From: bharath at testingczars.com (Bharath Ramakrishna) Date: Mon, 10 Apr 2006 12:42:53 +0530 Subject: [Fedora-directory-users] how to add client to the my domain Message-ID: <443A0575.3060208@testingczars.com>

Hi,
I am Bharath. I have already installed and deployed the directory server, but I am not able to add my Windows client to this domain and authenticate. I changed the domain name of my Windows client to "testingczars.com" but it is not authenticating. Please tell me how to do this.

--
Bharath Ramakrishna
Network Administrator
TestingCzars
Phone: +91.80.26722100, +91.80.26727234
TeleFax: +91.80.26727234
Email: bharath at testingczars.com
URL: www.testingczars.com

This email may contain material that is confidential, privileged and/or attorney work product for the sole use of the intended recipient. Any review, reliance or distribution by others or forwarding without express permission is strictly prohibited. If you are not the intended recipient, please contact the sender and delete all copies.
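On the certutil commands in Alex's SubjectAltName message above: every TLS client, including the replication supplier (which uses NSS), compares the host name it connected to against the server certificate before it sends a bind. If the certificate has any dNSName in subjectAltName, only those names are considered and the CN is not consulted; on a mismatch NSS fails with SSL_ERROR_BAD_CERT_DOMAIN (-12276, "requested domain name does not match the server's certificate", the error Alex goes on to report later in this thread). The subject CN is used only when the certificate has no dNSName at all. With -8 domain.example.com the SAN holds only the bare domain, so a connection to nodo2.domain.example.com (or to nodo2) cannot match, and the CN nodo2 would not match the FQDN either. The Python below is an added example of that check, not code from the thread, from Fedora DS or from NSS; the only names in it are Alex's, and the wildcard rule follows RFC 6125 rather than any particular NSS release.

```python
"""Host name checking as a TLS client does it before trusting a server certificate.
Added example; not code from the thread or from Fedora DS/NSS. The names are Alex's."""
from typing import Optional, Sequence


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """One dNSName (or CN) against the connected-to host: case-insensitive, trailing dot
    ignored, '*' accepted only as the entire leftmost label (RFC 6125 style)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:]:              # '*' must be the whole first label
        return False
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):   # no '*.com', no extra labels
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(hostname: str, san_dns: Sequence[str], subject_cn: Optional[str]) -> bool:
    """If the certificate carries any dNSName in subjectAltName, only those names count
    (NSS then reports SSL_ERROR_BAD_CERT_DOMAIN, -12276, on a mismatch and never looks at
    the CN). The subject CN is consulted only for certificates without any dNSName."""
    if san_dns:
        return any(_dns_name_matches(name, hostname) for name in san_dns)
    return subject_cn is not None and _dns_name_matches(subject_cn, hostname)


def certutil_san_arg(names: Sequence[str]) -> str:
    """The -8 option certutil -C/-S takes: a comma-separated list of dNSNames."""
    for name in names:
        if not name or "," in name or " " in name:
            raise ValueError(f"not a DNS name: {name!r}")
    return "-8 " + ",".join(names)


# Server2's certificate as issued above: subject cn=nodo2, SAN dNSName domain.example.com.
NODO2_CN = "nodo2"
NODO2_SAN = ("domain.example.com",)


def replication_peer_ok(agreement_host: str, cn: str = NODO2_CN, san: Sequence[str] = NODO2_SAN) -> bool:
    """What the supplier's TLS layer decides for the host named in the replication agreement."""
    return hostname_matches(agreement_host, san, cn)
```

The practical rule that falls out of it: put every name the agreements and clients will actually use into -8 (certutil_san_arg builds the argument, for example -8 nodo2.domain.example.com,nodo2), and pass the same FQDN to mmr.pl --host2 that the certificate carries.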
From jsummers at bachman.cs.ou.edu Mon Apr 10 15:29:12 2006 From: jsummers at bachman.cs.ou.edu (Jim Summers) Date: Mon, 10 Apr 2006 10:29:12 -0500 Subject: [Fedora-directory-users] OS Migration Message-ID: <443A79C8.80403@cs.ou.edu>

Hello List,

I am closing in on my target date to switch over to FDS. On my test machines I have been running with FC4. I need to re-install the operating system and when I do I will have to use RHEL4.

My plan was to shut down the DS.
Then make a tarball of /opt/fedora-ds and several other directories.
Next re-install with RHEL4
Drop in my iptables
Install fedora-ds and verify the OS / performance settings.
Then extract my fedora-ds tarball
and then hold my breath and start the DS service(s) and presto all is well???

Does this sound like a feasible approach?

I am a little unsure if it will break any of my configured ssl stuff. Which is a basic self-signed scenario using the /opt/fedora-ds/shared/bin/certutil for the key generation.

TIA

--
Jim Summers
School of Computer Science-University of Oklahoma
-------------------------------------------------

From rmeggins at redhat.com Mon Apr 10 15:48:21 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Mon, 10 Apr 2006 09:48:21 -0600 Subject: [Fedora-directory-users] OS Migration In-Reply-To: <443A79C8.80403@cs.ou.edu> References: <443A79C8.80403@cs.ou.edu> Message-ID: <443A7E45.7000309@redhat.com>

Jim Summers wrote:
> Hello List,
>
> I am closing in on my target date to switch over to FDS. On my test
> machines I have been running with FC4. I need to re-install the
> operating system and when I do I will have to use RHEL4.
>
> My plan was to shut down the DS.
> Then make a tarball of /opt/fedora-ds and several other directories.
> Next re-install with RHEL4
> Drop in my iptables
> Install fedora-ds and verify the OS / performance settings.
> Then extract my fedora-ds tarball
> and then hold my breath and start the DS service(s) and presto all is
> well???

I have no idea.
It should work, but I really don't know if there are any runtime dependencies in the FDS FC4 RPM binaries that will break when run on RHEL4.

>
> Does this sound like a feasible approach?
>
> I am a little unsure if it will break any of my configured ssl stuff.
> Which is a basic self-signed scenario using the
> /opt/fedora-ds/shared/bin/certutil for the key generation.

I don't think that will be a problem as long as you don't change the hostname of the machine.

>
> TIA

-------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL:

From rcritten at redhat.com Mon Apr 10 15:55:13 2006 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 10 Apr 2006 11:55:13 -0400 Subject: [Fedora-directory-users] OS Migration In-Reply-To: <443A7E45.7000309@redhat.com> References: <443A79C8.80403@cs.ou.edu> <443A7E45.7000309@redhat.com> Message-ID: <443A7FE1.8040101@redhat.com>

Richard Megginson wrote:
> Jim Summers wrote:
>
>> Hello List,
>>
>> I am closing in on my target date to switch over to FDS. On my test
>> machines I have been running with FC4. I need to re-install the
>> operating system and when I do I will have to use RHEL4.
>>
>> My plan was to shut down the DS.
>> Then make a tarball of /opt/fedora-ds and several other directories.
>> Next re-install with RHEL4
>> Drop in my iptables
>> Install fedora-ds and verify the OS / performance settings.
>> Then extract my fedora-ds tarball
>> and then hold my breath and start the DS service(s) and presto all is
>> well???
>
> I have no idea. It should work, but I really don't know if there are
> any runtime dependencies in the FDS FC4 RPM binaries that will break
> when run on RHEL4.
>
>>
>> Does this sound like a feasible approach?
>>
>> I am a little unsure if it will break any of my configured ssl stuff.
>> Which is a basic self-signed scenario using the
>> /opt/fedora-ds/shared/bin/certutil for the key generation.
>
> I don't think that will be a problem as long as you don't change the
> hostname of the machine.

Also note that upgrading could be a problem since you aren't doing a standard RPM installation to begin with. You might be able to "trick" it by installing the Fedora RPM and then untarring over top of that.

rob

-------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL:

From rmeggins at redhat.com Mon Apr 10 16:04:23 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Mon, 10 Apr 2006 10:04:23 -0600 Subject: [Fedora-directory-users] Re: SubjectAltName how does it work? In-Reply-To: <108b923c0604100015y1d727c69ha621cf811252f90f@mail.gmail.com> References: <108b923c0604100015y1d727c69ha621cf811252f90f@mail.gmail.com> Message-ID: <443A8207.7080709@redhat.com>

Alessandro Binarelli wrote:
> Hi,
> today I'm trying to solve an SSL issue communicating from Fedora DS to
> both a client and another DS server for replication. After many tests,
> with your help, I have reached this point:
>
> I'm always in the alias directory.
>
> Create my CA database:
> # ../shared/bin/certutil -N -d .
>
> Make my own CA:
> # ../shared/bin/certutil -S -d . -n 'CA Certificate' -s 'cn=CAcert' -x -t CTu,CTu,CTu -g 1024 -m 1 -v 120 -2 -1 -5
>
> Create server key and certificate for server1:
> # ../shared/bin/certutil -R -d . -s "cn=nodo1,dc=domain,dc=example,dc=com" -o tmpcertreq -g 1024
> # ../shared/bin/certutil -C -d . -c "CA Certificate" -i tmpcertreq -o tmpcert.der -m 3 -v 12 -1 -5 -8 domain.example.com
> # ../shared/bin/certutil -A -d . -n nodo1.domain.example.com -t u,u,u -i tmpcert.der
> # rm -f tmpcert.der tmpcertreq
>
> Create server key and certificate for server2:
> # ../shared/bin/certutil -R -d . -s "cn=nodo2,dc=domain,dc=example,dc=com" -o tmpcertreq -g 1024
> # ../shared/bin/certutil -C -d . -c "CA Certificate" -i tmpcertreq -o tmpcert.der -m 4 -v 12 -1 -5 -8 domain.example.com
> # ../shared/bin/certutil -A -d . -n Alt-Cert -t u,u,u -i tmpcert.der
> # rm -f tmpcert.der tmpcertreq
>
> After that I copy the database to server 2 and rename it to match the correct server... finally I enable SSL encryption on both servers
>
On server2 - did you change Alt-Cert to Server-Cert in the cert database, or did you change the attribute nsSSLPersonalitySSL in entry cn=RSA,cn=encryption,cn=config to be Alt-Cert instead of Server-Cert?

> and I try to establish Multi Master Replication via the mmr.pl script, so:
>
> ./mmr.pl --host1 nodo1.domain.example.com --host2 nodo2.domain.example.com --host1_id 1 --host2_id 2 --bindpw secret --repmanpw secret --create --with-ssl
>
> Unfortunately, consulting the logs, I find:
>
In which log is this?

> NSMMReplicationPlugin - agmt="cn="Replication to nodo2.domain.example.com"" (nodo2:636): Simple bind failed, LDAP sdk error 91 (Can't connect to the LDAP server), Netscape Portable Runtime error -5961 (TCP connection reset by peer.)
>
> It's incredible that when I find a solution for something, at the same
> time I find a problem in another point :-)
>
> Thanks in advance for support
>
> Alex
>
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
-------------- next part -------------- A non-text attachment was scrubbed...
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL:

From jsummers at bachman.cs.ou.edu Mon Apr 10 16:12:30 2006 From: jsummers at bachman.cs.ou.edu (Jim Summers) Date: Mon, 10 Apr 2006 11:12:30 -0500 Subject: [Fedora-directory-users] OS Migration In-Reply-To: <443A7FE1.8040101@redhat.com> References: <443A79C8.80403@cs.ou.edu> <443A7E45.7000309@redhat.com> <443A7FE1.8040101@redhat.com> Message-ID: <443A83EE.3030209@cs.ou.edu>

Rob Crittenden wrote:
> Richard Megginson wrote:
>> Jim Summers wrote:
>>
>>> Hello List,
>>>
>>> I am closing in on my target date to switch over to FDS. On my test
>>> machines I have been running with FC4. I need to re-install the
>>> operating system and when I do I will have to use RHEL4.
>>>
>>> My plan was to shut down the DS.
>>> Then make a tarball of /opt/fedora-ds and several other directories.
>>> Next re-install with RHEL4
>>> Drop in my iptables
>>> Install fedora-ds and verify the OS / performance settings.
>>> Then extract my fedora-ds tarball
>>> and then hold my breath and start the DS service(s) and presto all is
>>> well???
>>
>> I have no idea. It should work, but I really don't know if there are
>> any runtime dependencies in the FDS FC4 RPM binaries that will break
>> when run on RHEL4.

I plan on installing the FDS with the rpm from:

http://directory.fedora.redhat.com/wiki/Download
and use the fedora-ds-1.0.2-1.RHEL4.i386.opt.rpm

>>
>>>
>>> Does this sound like a feasible approach?
>>>
>>> I am a little unsure if it will break any of my configured ssl
>>> stuff. Which is a basic self-signed scenario using the
>>> /opt/fedora-ds/shared/bin/certutil for the key generation.
>>
>> I don't think that will be a problem as long as you don't change the
>> hostname of the machine.
>
> Also note that upgrading could be a problem since you aren't doing a
> standard RPM installation to begin with.
> You might be able to "trick" it
> by installing the Fedora RPM and then untarring over top of that.

Ah, now I see the problem. What about only untarring the following directories from my backed up DS from /opt/fedora-ds:

admin-serv
alias
slapd-[hostname]

Then I should have my config, ssl, and directory with my 99user schema.

Would this be cleaner?

Thanks again.

>
> rob
>
>
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

--
Jim Summers
School of Computer Science-University of Oklahoma
-------------------------------------------------

From rmeggins at redhat.com Mon Apr 10 16:36:22 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Mon, 10 Apr 2006 10:36:22 -0600 Subject: [Fedora-directory-users] OS Migration In-Reply-To: <443A83EE.3030209@cs.ou.edu> References: <443A79C8.80403@cs.ou.edu> <443A7E45.7000309@redhat.com> <443A7FE1.8040101@redhat.com> <443A83EE.3030209@cs.ou.edu> Message-ID: <443A8986.1080900@redhat.com>

Jim Summers wrote:
> Rob Crittenden wrote:
>> Richard Megginson wrote:
>>> Jim Summers wrote:
>>>
>>>> Hello List,
>>>>
>>>> I am closing in on my target date to switch over to FDS. On my
>>>> test machines I have been running with FC4. I need to re-install
>>>> the operating system and when I do I will have to use RHEL4.
>>>>
>>>> My plan was to shut down the DS.
>>>> Then make a tarball of /opt/fedora-ds and several other directories.
>>>> Next re-install with RHEL4
>>>> Drop in my iptables
>>>> Install fedora-ds and verify the OS / performance settings.
>>>> Then extract my fedora-ds tarball
>>>> and then hold my breath and start the DS service(s) and presto all
>>>> is well???
>>>
>>> I have no idea. It should work, but I really don't know if there
>>> are any runtime dependencies in the FDS FC4 RPM binaries that will
>>> break when run on RHEL4.
>
> I plan on installing the FDS with the rpm from:
>
> http://directory.fedora.redhat.com/wiki/Download
> and use the fedora-ds-1.0.2-1.RHEL4.i386.opt.rpm
>
>>>
>>>>
>>>> Does this sound like a feasible approach?
>>>>
>>>> I am a little unsure if it will break any of my configured ssl
>>>> stuff. Which is a basic self-signed scenario using the
>>>> /opt/fedora-ds/shared/bin/certutil for the key generation.
>>>
>>> I don't think that will be a problem as long as you don't change the
>>> hostname of the machine.
>>
>> Also note that upgrading could be a problem since you aren't doing a
>> standard RPM installation to begin with. You might be able to "trick"
>> it by installing the Fedora RPM and then untarring over top of that.
>
> Ah, now I see the problem. What about only untarring the following
> directories from my backed up DS from /opt/fedora-ds:
>
> admin-serv
> alias
> slapd-[hostname]

Add shared/config, clients/orgchart/config.txt, clients/dsgw/context, clients/dsgw/pbconfig, and clients/dsgw/config to that list as well.

>
> Then I should have my config, ssl, and directory with my 99user schema.
>
> Would this be cleaner?
>
> Thanks again.
>
>>
>> rob
>>
>>
>> ------------------------------------------------------------------------
>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
-------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL:

From magobin at gmail.com Mon Apr 10 17:07:10 2006 From: magobin at gmail.com (Alex) Date: Mon, 10 Apr 2006 19:07:10 +0200 Subject: [Fedora-directory-users] Re: SubjectAltName how does it work?
In-Reply-To: <443A8207.7080709@redhat.com> Message-ID: <443a90c9.17859a6c.2766.581f@mx.gmail.com>

> On server2 - did you change Alt-Cert to Server-Cert in the
> cert database, or did you change the attribute
> nsSSLPersonalitySSL in entry cn=RSA,cn=encryption,cn=config
> to be Alt-Cert instead of Server-Cert?

I did exactly what I wrote... so, after making the certificates, I exported the db to server2 and in the console I enabled SSL encryption using... on the first server (nodo1) nodo1.domain.example.com and on the second server (nodo2) Alt-Cert

>> ./mmr.pl --host1 nodo1.domain.example.com --host2 nodo2.domain.example.com --host1_id 1 --host2_id 2 --bindpw secret --repmanpw secret --create --with-ssl

Trying to run it replacing nodo1.domain.example.com with http://nodo1.domain.example.com and nodo2.domain.example.com with http://nodo2.domain.example.com the script says:

Died at ./mmr.pl line 418, line 339

Today I remade the certificates and I used the Alt-Cert nick for server1 and nodo2 for server2... now running the script it says:

[10/Apr/2006:12:24:11 +0000] NSMMReplicationPlugin - agmt="cn="Replication to nodo2.domain.example.com"" (nodo2:636): Simple bind failed, LDAP sdk error 81 (Can't contact LDAP server), Netscape Portable Runtime error -12276 (Unable to communicate securely with peer: requested domain name does not match the server's certificate.)

Thanks
Alex

From simonf at cshl.edu Mon Apr 10 20:02:09 2006 From: simonf at cshl.edu (Vsevolod (Simon) Ilyushchenko) Date: Mon, 10 Apr 2006 16:02:09 -0400 Subject: [Fedora-directory-users] Search optimization? Message-ID: <443AB9C1.2040305@cshl.edu>

Hi,

I've noticed that FDS is significantly slower in answering queries than openldap. If I run 'ls -l /home' on the list of 64 home directories whose owners are all different, I get the list back in 1 second if I use openldap. Version 7 of FDS took 16 seconds, and FDS 1.0.2 takes 12 seconds.
The docs mention increasing cache sizes to improve performance, but my cache is set to 10 M, which seems to be large enough, and the timing does not improve if I run 'ls -l' repeatedly. Is there anything else I can tune?

Thanks,
Simon

--
Simon (Vsevolod ILyushchenko) simonf at cshl.edu http://www.simonf.com
"Think like a man of action, act like a man of thought." Henri Bergson

From nkinder at redhat.com Mon Apr 10 20:07:43 2006 From: nkinder at redhat.com (Nathan Kinder) Date: Mon, 10 Apr 2006 13:07:43 -0700 Subject: [Fedora-directory-users] Search optimization? In-Reply-To: <443AB9C1.2040305@cshl.edu> References: <443AB9C1.2040305@cshl.edu> Message-ID: <443ABB0F.8050202@redhat.com>

Vsevolod (Simon) Ilyushchenko wrote:
> Hi,
>
> I've noticed that FDS is significantly slower in answering queries
> than openldap. If I run 'ls -l /home' on the list of 64 home
> directories whose owners are all different, I get the list back in 1
> second if I use openldap. Version 7 of FDS took 16 seconds, and FDS
> 1.0.2 takes 12 seconds.
>
> The docs mention increasing cache sizes to improve performance, but my
> cache is set to 10 M, which seems to be large enough, and the timing
> does not improve if I run 'ls -l' repeatedly. Is there anything else I
> can tune?

It sounds like the search is against an unindexed attribute. I'd take a look at the search in your access log and check if it says "NOTES=U". If so, that means that it is an unindexed search. You would need to create the proper indexes for the search to improve the performance.

-NGK

>
> Thanks,
> Simon

-------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3241 bytes Desc: S/MIME Cryptographic Signature URL:

From gholbert at broadcom.com Mon Apr 10 20:06:13 2006 From: gholbert at broadcom.com (George Holbert) Date: Mon, 10 Apr 2006 13:06:13 -0700 Subject: [Fedora-directory-users] Search optimization?
In-Reply-To: <443AB9C1.2040305@cshl.edu> References: <443AB9C1.2040305@cshl.edu> Message-ID: <443ABAB5.9010601@broadcom.com>

It sounds like you might have some unindexed searches. You should be able to confirm by examining the FDS log files after doing your ls runs.

Vsevolod (Simon) Ilyushchenko wrote:
> Hi,
>
> I've noticed that FDS is significantly slower in answering queries
> than openldap. If I run 'ls -l /home' on the list of 64 home
> directories whose owners are all different, I get the list back in 1
> second if I use openldap. Version 7 of FDS took 16 seconds, and FDS
> 1.0.2 takes 12 seconds.
>
> The docs mention increasing cache sizes to improve performance, but my
> cache is set to 10 M, which seems to be large enough, and the timing
> does not improve if I run 'ls -l' repeatedly. Is there anything else I
> can tune?
>
> Thanks,
> Simon

From simonf at cshl.edu Mon Apr 10 20:57:00 2006 From: simonf at cshl.edu (Vsevolod (Simon) Ilyushchenko) Date: Mon, 10 Apr 2006 16:57:00 -0400 Subject: [Fedora-directory-users] Search optimization? In-Reply-To: <443ABB0F.8050202@redhat.com> References: <443AB9C1.2040305@cshl.edu> <443ABB0F.8050202@redhat.com> Message-ID: <443AC69C.5030103@cshl.edu>

Bingo! Down to 2 seconds! I had to add indexes on uidNumber and gidNumber.

Thanks,
Simon

Nathan Kinder wrote on 04/10/2006 04:07 PM:
> Vsevolod (Simon) Ilyushchenko wrote:
>
>> Hi,
>>
>> I've noticed that FDS is significantly slower in answering queries
>> than openldap. If I run 'ls -l /home' on the list of 64 home
>> directories whose owners are all different, I get the list back in 1
>> second if I use openldap. Version 7 of FDS took 16 seconds, and FDS
>> 1.0.2 takes 12 seconds.
>>
>> The docs mention increasing cache sizes to improve performance, but my
>> cache is set to 10 M, which seems to be large enough, and the timing
>> does not improve if I run 'ls -l' repeatedly. Is there anything else I
>> can tune?
>
>
> It sounds like the search is against an unindexed attribute. I'd take a
> look at the search in your access log and check if it says "NOTES=U".
> If so, that means that it is an unindexed search. You would need to
> create the proper indexes for the search to improve the performance.
>
> -NGK
>
>>
>> Thanks,
>> Simon
>
>
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

--
Simon (Vsevolod ILyushchenko) simonf at cshl.edu http://www.simonf.com
"Think like a man of action, act like a man of thought." Henri Bergson

From mj at sci.fi Mon Apr 10 21:02:44 2006 From: mj at sci.fi (Mike Jackson) Date: Tue, 11 Apr 2006 00:02:44 +0300 Subject: [Fedora-directory-users] Search optimization? In-Reply-To: <443AC69C.5030103@cshl.edu> References: <443AB9C1.2040305@cshl.edu> <443ABB0F.8050202@redhat.com> <443AC69C.5030103@cshl.edu> Message-ID: <443AC7F4.9080604@sci.fi>

Vsevolod (Simon) Ilyushchenko wrote:
> Bingo! Down to 2 seconds! I had to add indexes on uidNumber and gidNumber.

Those two should be default indexes, IMO.

--
mike

From hatimad at gmail.com Tue Apr 11 02:52:32 2006 From: hatimad at gmail.com (Hatim Daginawala) Date: Mon, 10 Apr 2006 21:52:32 -0500 Subject: [Fedora-directory-users] how to add client to the my domain In-Reply-To: <443A0575.3060208@testingczars.com> References: <443A0575.3060208@testingczars.com> Message-ID:

Bharath,

First, you will have to create a posix account for the machine with $ at the end of the ID.
Second, add the machine account to samba: smbpasswd -a -m

HTH

On 4/10/06, Bharath Ramakrishna wrote:
>
> hi,
> I am Bharath. I have already installed and deployed the directory
> server, but I am not able to add my Windows client to this domain and
> authenticate.
> I changed the domain name of my Windows client to
> "testingczars.com" but it is not authenticating. Please tell me how to do
> this.
>
> --
> Bharath Ramakrishna
> Network Administrator
> TestingCzars
> Phone: +91.80.26722100, +91.80.26727234
> TeleFax: +91.80.26727234
> Email: bharath at testingczars.com
> URL: www.testingczars.com
>
> This email may contain material that is confidential, privileged and/or
> attorney work product for the sole use of the intended recipient. Any
> review, reliance or distribution by others or forwarding without express
> permission is strictly prohibited. If you are not the intended recipient,
> please contact the sender and delete all copies.
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
-------------- next part -------------- An HTML attachment was scrubbed... URL:

From logastellus at yahoo.com Tue Apr 11 13:47:19 2006 From: logastellus at yahoo.com (Susan) Date: Tue, 11 Apr 2006 06:47:19 -0700 (PDT) Subject: [Fedora-directory-users] Re: SubjectAltName how does it work? In-Reply-To: <443A8207.7080709@redhat.com> Message-ID: <20060411134720.19382.qmail@web52906.mail.yahoo.com>

> Alessandro Binarelli wrote:
>> Hi,
>> today I'm trying to solve an SSL issue communicating from Fedora DS to
>> both a client and another DS server for replication. After many tests,
>> with your help, I have reached this point:

What happens when you run certutil -L -d . on both servers? In the alias directory?

Try keeping the cert names consistent, that'll help in troubleshooting.

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

From magobin at gmail.com Tue Apr 11 14:10:03 2006 From: magobin at gmail.com (Alessandro Binarelli) Date: Tue, 11 Apr 2006 16:10:03 +0200 Subject: [Fedora-directory-users] Re: SubjectAltName how does it work?
In-Reply-To: <20060411134720.19382.qmail@web52906.mail.yahoo.com> References: <443A8207.7080709@redhat.com> <20060411134720.19382.qmail@web52906.mail.yahoo.com> Message-ID: <108b923c0604110710y5347ad49yc3c5ed9b81c08eaf@mail.gmail.com>

> What happens when you run certutil -L -d . on both servers? In the alias
> directory?
>
> Try keeping the cert names consistent, that'll help in troubleshooting.
>
OK... I'll try it in about an hour, more or less... but the command above should list the certificates and, if I remember, it was

CA Certificate
Alt-Cert
nodo2.domain.example.com

I'll be more accurate later, when I come back.

Thanks in advance
Alex

-------------- next part -------------- An HTML attachment was scrubbed... URL:

From logastellus at yahoo.com Tue Apr 11 16:10:03 2006 From: logastellus at yahoo.com (Susan) Date: Tue, 11 Apr 2006 09:10:03 -0700 (PDT) Subject: [Fedora-directory-users] storing RSA public keys in FDS Message-ID: <20060411161003.70620.qmail@web52905.mail.yahoo.com>

Hi, all.

This may be slightly off topic but here goes anyway. I've a small client/server app in perl that publishes msgs in multicast, cleartext. There's now a concern about replay attacks, so we need to encrypt every msg and maybe sign it. (Crypt::RSA, I'm thinking) Since there's only 1 server but a large number of clients, I'm thinking of storing clients' public keys in FDS, where the server can retrieve them. Has anybody successfully implemented this? I know I can install OpenPGP Key Server and use that but I don't want to have another directory when FDS is working fine already.

Thank you.

From magobin at gmail.com Tue Apr 11 16:32:44 2006 From: magobin at gmail.com (Alex) Date: Tue, 11 Apr 2006 18:32:44 +0200 Subject: [Fedora-directory-users] Re: SubjectAltName how does it work?
In-Reply-To: <20060411134720.19382.qmail@web52906.mail.yahoo.com> Message-ID: <443bda25.5097b935.49ed.ffff91e2@mx.gmail.com>

> What happens when you run certutil -L -d . on both servers?
> In the alias directory?
>
> Try keeping the cert names consistent, that'll help in
> troubleshooting.
>
OK... after these commands:

******CA*********
# ../shared/bin/certutil -N -d .
# ../shared/bin/certutil -S -d . -n 'CA Certificate' -s 'cn=CAcert' -x -t CTu,CTu,CTu -g 1024 -m 1 -v 120 -2 -1 -5

********Server 1********
# ../shared/bin/certutil -R -d . -s "cn=nodo1,dc=domain,dc=example,dc=com" -o tmpcertreq -g 1024
# ../shared/bin/certutil -C -d . -c "CA Certificate" -i tmpcertreq -o tmpcert.der -m 3 -v 120 -1 -5 -8 domain.example.com
# ../shared/bin/certutil -A -d . -n nodo1.domain.example.com -t u,u,u -i tmpcert.der

*****Server 2*******
# ../shared/bin/certutil -R -d . -s "cn=nodo2,dc=domain,dc=example,dc=com" -o tmpcertreq -g 1024
# ../shared/bin/certutil -C -d . -c "CA Certificate" -i tmpcertreq -o tmpcert.der -m 9 -v 120 -1 -5 -8 domain.example.com
# ../shared/bin/certutil -A -d . -n Alt-Cert -t u,u,u -i tmpcert.der

# certutil -L -d .
CA Certificate              Ctu,Ctu,CTu
Nodo1.domain.example.com    u,u,u
Alt-Cert                    u,u,u

*****MULTI MASTER REPLICATION*****
..after enabling SSL encryption on both servers... running the mmr.pl script:

./mmr.pl --host1 nodo1.domain.example.com --host2 nodo2.domain.example.com --host1_id 1 --host2_id 2 --bindpw secret --repmanpw secret --create --with-ssl

******LOGS*****
..in nodo1 in the logs:

[11/Apr/2006:17:56:58 +0000] NSMMReplicationPlugin - agmt="cn="Replication to nodo2.domain.example.com"" (nodo2:636): Simple bind failed, LDAP sdk error 81 (Can't contact LDAP server), Netscape Portable Runtime error -12276 (Unable to communicate securely with peer: requested domain name does not match the server's certificate.)
[11/Apr/2006:17:56:58 +0000] NSMMReplicationPlugin - agmt="cn="Replication to nodo2.domain.example.com"" (nodo2:636): Simple bind failed, LDAP sdk error 81 (Can't contact LDAP server), Netscape Portable Runtime error -12276 (Unable to communicate securely with peer: requested domain name does not match the server's certificate.)
[11/Apr/2006:17:57:01 +0000] NSMMReplicationPlugin - agmt="cn="Replication to nodo2"" (nodo2:636): Simple bind failed, LDAP sdk error 81 (Can't contact LDAP server), Netscape Portable Runtime error -12276 (Unable to communicate securely with peer: requested domain name does not match the server's certificate.)

************CONSIDERATIONS****************
Modifying as suggested by Richard:

../shares/bin/certutil -C -d . -c "CA Certificate" -i tmpcertreq -o tmpcert.der -m 3 -v 120 -1 -5 -8 domain.example.com

It says:

Bash: syntax error near unexpected token 'newline'

....I understood that the problem is how I wrote http, but I don't know how to change it

Thanks in advance for your support
Alex

From logastellus at yahoo.com Tue Apr 11 17:03:51 2006
From: logastellus at yahoo.com (Susan)
Date: Tue, 11 Apr 2006 10:03:51 -0700 (PDT)
Subject: [Fedora-directory-users] Re: SubjectAltName how does it work?
In-Reply-To: <443bda25.5097b935.49ed.ffff91e2@mx.gmail.com>
Message-ID: <20060411170352.58311.qmail@web52901.mail.yahoo.com>

--- Alex wrote:

> [11/Apr/2006:17:56:58 +0000] NSMMReplicationPlugin - agmt="cn="Replication
> to nodo2.domain.example.com"" (nodo2:636): Simple bind failed, LDAP sdk
> error 81 (Can't contact LDAP server), Netscape Portable Runtime error -12276

Like Richard said, what is nsSSLPersonalitySSL set to in dse.ldif on the nodes?

you should keep the names consistent. I mean, how do you know whether alt-server refers to nodo1 or nodo2?? You know now but what about 5 months from now??

also, can you do ldapsearch -ZZ against both nodo1/2 without problems?

__________________________________________________
Do You Yahoo!?
Tired of spam? 
Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

From magobin at gmail.com Tue Apr 11 17:50:44 2006
From: magobin at gmail.com (Alex)
Date: Tue, 11 Apr 2006 19:50:44 +0200
Subject: [Fedora-directory-users] Re: SubjectAltName how does it work?
In-Reply-To: <20060411170352.58311.qmail@web52901.mail.yahoo.com>
Message-ID: <443bec6c.4a388c98.70ae.ffff9304@mx.gmail.com>

> Like Richard said, what is nsSSLPersonalitySSL set to in
> dse.ldif on the nodes?
>
> you should keep the names consistent. I mean, how do you
> know whether alt-server refers to nodo1 or nodo2?? You know
> now but what about 5 months from now??
>
> also, can you do ldapsearch -ZZ against both nodo1/2 without problems?
>

I apologize, but I don't understand what you mean... and no, at this point I can't do ldapsearch -ZZ.

I only followed your instructions to enable encryption on both servers and tried to make a query from a client to both servers using a floating IP with SSL enabled... I understood that the solution was SubjectAltName and I asked how it was possible to implement it; following Rob's tips doesn't seem to work, and the last post is the last step of my configuration for testing it.

Regards
Alex

From rcritten at redhat.com Tue Apr 11 18:00:11 2006
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 11 Apr 2006 14:00:11 -0400
Subject: [Fedora-directory-users] Re: SubjectAltName how does it work?
In-Reply-To: <443bec6c.4a388c98.70ae.ffff9304@mx.gmail.com>
References: <443bec6c.4a388c98.70ae.ffff9304@mx.gmail.com>
Message-ID: <443BEEAB.9090108@redhat.com>

Alex wrote:
>
>
>>Like Richard said, what is nsSSLPersonalitySSL set to in
>>dse.ldif on the nodes?
>>
>>you should keep the names consistent. I mean, how do you
>>know whether alt-server refers to nodo1 or nodo2?? You know
>>now but what about 5 months from now??
>>
>>also, can you do ldapsearch -ZZ against both nodo1/2 without problems?
>>
>
>
> I'm apologize but I'don't understand what you want to say...and no....at
> this point I can't do ldapsearch -zz
>
> I only follow your instructions to enable encryption on both server and
> trying to make a query from a client on both server using a floating ip with
> ssl enable....I understood that the solution was SubjectAltName and I asked
> in which way was possible to implement it...following Rob tips seems doesn't
> working and last post is the last step on my configuration for testing it.
>

You are doing a couple of odd things:

1. Why does nodo1 get its own nickname but nodo2 is named Alt-Cert? As I've said before, the nicknames aren't important, but you should have some sort of naming policy.

2. You may need to fully qualify the cn in the certificates: nodo1.domain.example.com. This alone could explain the -12276 error. I don't know if NSS will reconstitute the domain from its dc components.

Does ldapsearch work against each fully-qualified host? Get ldapsearch working for the CN and for the alt subject first before trying to do MMR.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3178 bytes
Desc: S/MIME Cryptographic Signature
URL: 

From logastellus at yahoo.com Tue Apr 11 18:56:34 2006
From: logastellus at yahoo.com (Susan)
Date: Tue, 11 Apr 2006 11:56:34 -0700 (PDT)
Subject: [Fedora-directory-users] Re: SubjectAltName how does it work?
In-Reply-To: <443BEEAB.9090108@redhat.com>
Message-ID: <20060411185634.50508.qmail@web52909.mail.yahoo.com>

> Alex wrote:
> > I'm apologize but I'don't understand what you want to say...and no....at
> > this point I can't do ldapsearch -zz

then obviously mmr over ssl will not work.

seriously, why do you keep doing this floating IP setup? it's not buying you anything. It

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! 
Mail has the best spam protection around
http://mail.yahoo.com

From magobin at gmail.com Tue Apr 11 19:52:37 2006
From: magobin at gmail.com (Alex)
Date: Tue, 11 Apr 2006 21:52:37 +0200
Subject: [Fedora-directory-users] Re: SubjectAltName how does it work?
In-Reply-To: <443BEEAB.9090108@redhat.com>
Message-ID: <443c090d.6ddf5d51.6ba9.ffffbd2c@mx.gmail.com>

> You are doing a couple of odd things:
>
> 1. Why does nodo1 get it's own nickname but nodo2 is named
> Alt-Cert? As I've said before, the nicknames aren't
> important, but you should have some sort of naming policy.
> 2. You may need to fully qualify the cn in the certificates:
> nodo1.domain.example.com. This alone could explain the -12276
> error. I don't know if NSS will reconstitute the domain from
> it's dc components.
>
> Does ldapsearch work against each fully-qualified host? Get
> ldapsearch working for the CN and for the alt subject first
> before trying to do MMR.
>
> rob
>

Alt-Cert comes only from your tips... tomorrow I'll try to make a certificate for nodo2 as nodo2.domain.example.com.

Sincerely, I still don't understand where the problem is; at this point I think I explained my goal badly. I followed your tip, assuming that -n Alt-Cert was something more than only a nickname for the cert. Plus, in my last post I used the FQDN for nodo1 and Alt-Cert for the reason above; do you think that all the problems come from an error in the -n statement?

Susan... I explained why the floating IP; give me another solution that permits having 2 DS in replication where clients can query/authenticate in encrypted mode on both servers, even if a server is shut down or crashed... and of course, tell me how to implement it too ;-)

At this point I think that we are very (how do you say vicino?? ... close??) to the solution... when finally the DS are replicating and clients can authenticate with SSL on both servers, other problems such as postfix integration and samba integration are only a time issue!
Thanks for your support
Alex

From logastellus at yahoo.com Tue Apr 11 20:02:49 2006
From: logastellus at yahoo.com (Susan)
Date: Tue, 11 Apr 2006 13:02:49 -0700 (PDT)
Subject: [Fedora-directory-users] Re: SubjectAltName how does it work?
In-Reply-To: <443c090d.6ddf5d51.6ba9.ffffbd2c@mx.gmail.com>
Message-ID: <20060411200249.34429.qmail@web52908.mail.yahoo.com>

--- Alex wrote:

> Susan....I explained why floating ip...give me another solution that permit
> to have 2 DS in Replication where clients can query/authenticate in encrypt
> mode on both server...even if a server is shutted or crashed...of
> course...say me how to implement too ;-)

I did give you another solution -- simply list all your FDS servers in the client's /etc/openldap/ldap.conf. That's it. None of this floating IP business. If the first one on the list fails, it'll go to the next one.

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

From magobin at gmail.com Tue Apr 11 22:01:49 2006
From: magobin at gmail.com (Alex)
Date: Wed, 12 Apr 2006 00:01:49 +0200
Subject: [Fedora-directory-users] Re: SubjectAltName how does it work?
In-Reply-To: <20060411200249.34429.qmail@web52908.mail.yahoo.com>
Message-ID: <443c2746.6f43cd48.717d.19bd@mx.gmail.com>

> I did give you another solution -- simply list all your FDS
> servers in the client's /etc/openldap/ldap.conf. That's it.
> None of this floating IP business. If the first one on the
> list fails, it'll go to the next one.
>

Ok... tomorrow I'll try to solve it this way... thank you!
At this point "floating IP" has become too complicated!
Regards (good night)
Alex

From mikael.kermorgant at gmail.com Wed Apr 12 09:22:07 2006
From: mikael.kermorgant at gmail.com (Mikael Kermorgant)
Date: Wed, 12 Apr 2006 11:22:07 +0200
Subject: [Fedora-directory-users] mass delete : size limit problem
Message-ID: <9711147e0604120222t63d1de2dt6c1cc8053f8cb4f0@mail.gmail.com>

Hello,

I'd like to run a script that deletes everything from ou=People (~ 5000 users). The problem is that I first run a search and the result size is limited by the server.

Increasing this limit would surely work but I don't find it very elegant. Do you see another solution?

Thanks in advance,

-- 
Mikael Kermorgant

PS : My script does the following :

retrieveAttributes = [ "entrydn" ]
searchFilter = "(uid=*)"
ldap_result_id = l.search(baseDN, searchScope, searchFilter, retrieveAttributes)
while 1:
    result_type, result_data = l.result(ldap_result_id, 0)
    if (result_data == []):
        break
    else:
        if result_type == ldap.RES_SEARCH_ENTRY:
            print result_data[0][1]['entrydn'][0] + ' deleted'
            l.delete_s(result_data[0][1]['entrydn'][0])

-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From womble at zaniyah.org Wed Apr 12 09:33:21 2006
From: womble at zaniyah.org (womble)
Date: Wed, 12 Apr 2006 10:33:21 +0100
Subject: [Fedora-directory-users] Admin password stored in plain text
Message-ID: <443CC961.1080607@zaniyah.org>

I installed Fedora-DS recently and I've been fairly pleased with it. There is just one thing that I've noticed that I really dislike - the password for the admin user that is created during setup is stored in plain text in /opt/fedora-ds/admin-serv/config/adm.conf.

A friend who uses Sun's DS has the same issue, but says it doesn't bother him because "it's not entirely obvious that it's a password", which I think is rather lame.

Is it likely that this will get changed in the near future so that it is for example stored in an encrypted format?
Jess

From Gary_Tay at platts.com Wed Apr 12 10:08:41 2006
From: Gary_Tay at platts.com (Tay, Gary)
Date: Wed, 12 Apr 2006 18:08:41 +0800
Subject: [Fedora-directory-users] Are these messages in errors log critical?
Message-ID: 

I have managed to set up the SSL config and started slapd; the following appear in the errors log. May I know if they are critical errors?

Gary

[12/Apr/2006:05:58:12 -0400] - Fedora-Directory/1.0.2 B2006.060.1925 starting up
[12/Apr/2006:05:58:12 -0400] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
[12/Apr/2006:05:58:12 -0400] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
[12/Apr/2006:05:58:12 -0400] - Failed to initialize cipher AES in attrcrypt_init
[12/Apr/2006:05:58:12 -0400] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
[12/Apr/2006:05:58:12 -0400] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
[12/Apr/2006:05:58:12 -0400] - Failed to initialize cipher AES in attrcrypt_init
[12/Apr/2006:05:58:12 -0400] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[12/Apr/2006:05:58:12 -0400] - Listening on All Interfaces port 636 for LDAPS requests
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From Gary_Tay at platts.com Wed Apr 12 10:20:20 2006
From: Gary_Tay at platts.com (Tay, Gary)
Date: Wed, 12 Apr 2006 18:20:20 +0800
Subject: [Fedora-directory-users] Automated script for complementing SSL HowTo
Message-ID: 

FDS Folks,

I wrote this script for the benefit of all.

Gary

> Content of cr_ssl_certs_fds1ldap.sh
>
> #! /bin/sh
> #
> # cr_ssl_certs_fds1ldap.sh
> #
> # 1) Make sure 'root' is used to run this script
> # 2) Make sure /home/ldap/dirmgr.pwd contains password of cn=Directory Manager
> #
> #set -vx
> IS_ROOT_UID=`id | grep "uid=0(root)"`
> if [ ! -n "$IS_ROOT_UID" ]; then
>   echo "Please run this script as root"
>   exit 1
> fi
> if [ ! -f /home/ldap/dirmgr.pwd ]; then
>   echo "Please setup /home/ldap/dirmgr.pwd."
>   exit 1
> else
>   chmod 600 /home/ldap/dirmgr.pwd
> fi
> # Pls customize the followings
> HOST="ldap1"
> DOMAIN="example.com"
> BASEDN="dc=example,dc=com"
> FQDN="$HOST.$DOMAIN"
> ORG="Example Companies"
> LOCALITY="NewYork City"
> STATE="NewYork"
> COUNTRY="US"
> SLAPD_OWNER="nobody"
> SLAPD_GROUP="nobody"
> FDS1_PATH=/opt/fedora-ds
> LD_LIBRARY_PATH=$FDS1_PATH/shared/lib:$FDS1_PATH/lib
> export LD_LIBRARY_PATH
> PATH=$FDS1_PATH/shared/bin:$PATH; export PATH
> cd $FDS1_PATH/alias
> DOW=`date | cut -d' ' -f1`
> echo "Backing up existing *.db (if any) to backup_$DOW."
> mkdir -p backup_$DOW >/dev/null 2>/dev/null
> cp -p *.db backup_$DOW >/dev/null 2>/dev/null
> /bin/rm -f *.db >/dev/null 2>/dev/null
> echo "secretpwd" >pwdfile.txt
> chmod 600 pwdfile.txt
> echo "dsadasdasdasdadasdasdasdasdsadfwerwerjfdksdjfksdlfhjsdk" >noise.txt
> echo "Creating new security key3.db/cert8.db pair."
> ../shared/bin/certutil -N -d . -f pwdfile.txt
> echo "Generating encryption key."
> ../shared/bin/certutil -G -d . -z noise.txt -f pwdfile.txt
> echo "Generating self-signed CA certificate."
> ../shared/bin/certutil -S -n "CA certificate" -s "cn=CAcert" -x \
>   -t "CT,," -m 1000 -v 120 -d . -z noise.txt -f pwdfile.txt
> echo "Generating self-signed Server certificate."
> ../shared/bin/certutil -S -n "Server-Cert" -s \
>   "cn=$FQDN,O=$ORG,L=$LOCALITY,ST=$STATE,C=$COUNTRY" -c "CA certificate" \
>   -t "u,u,u" -m 1001 -v 120 -d . -z noise.txt -f pwdfile.txt
> echo "Renaming and linking modified security DBs."
> mv -f key3.db slapd-$HOST-key3.db
> mv -f cert8.db slapd-$HOST-cert8.db
> ln -s slapd-$HOST-key3.db key3.db
> ln -s slapd-$HOST-cert8.db cert8.db
> echo "Setting the correct ownership of security DBs"
> chown $SLAPD_OWNER:$SLAPD_GROUP *.db
> echo "Self-signed CA and SSL Server certs generated."
> echo ""
> echo "The following commands are OPTIONAL."
> echo "They are for backing up CA and Server Certs in PK12 format," > echo "exporting the CA Cert in ASCII format or DER format, and" > echo "importing the CA Cert into the Admin Server" > echo "" > echo "---Start of OPTIONAL commands---" > cat <optional_cmds.txt > ../shared/bin/pk12util -d . -P slapd-$HOST- -o cacert.pfx -n "CA > certificate" > ../shared/bin/pk12util -d . -P slapd-$HOST- -o servercert.pfx -n > "Server-Cert" > ../shared/bin/certutil -L -d . -P slapd-$HOST- -n "CA certificate" \ > -a > cacert.asc > ../shared/bin/certutil -L -d . -P slapd-$HOST- -n "CA certificate" \ > -r > cacert.der > ../shared/bin/certutil -A -d . -P admin-serv-$HOST- -n "CA > certificate" \ > -t "CT,," -a -i cacert.asc > EOF > cat optional_cmds.txt > echo "---End of OPTIONAL commands---" > echo "" > echo "Modifying server SSL configurations." > echo "NOTE: changes will be saved to config/dse.ldif when slapd is > shutdown" > cat </tmp/ssl_enable.ldif > dn: cn=encryption,cn=config > changetype: modify > replace: nsSSL3 > nsSSL3: on > - > replace: nsSSLClientAuth > nsSSLClientAuth: allowed > - > add: nsSSL3Ciphers > nsSSL3Ciphers: > -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5, > > +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+forte > zza, > > +fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_s > ha, > +tls_rsa_export1024_with_des_cbc_sha > - > add: nsKeyfile > nsKeyfile: alias/slapd-$HOST-key3.db > - > add: nsCertfile > nsCertfile: alias/slapd-$HOST-cert8.db > > dn: cn=config > changetype: modify > add: nsslapd-security > nsslapd-security: on > - > replace: nsslapd-ssl-check-hostname > nsslapd-ssl-check-hostname: off > > EOF > ../shared/bin/ldapmodify -D "cn=Directory Manager" -w `cat > /home/ldap/dirmgr.pwd` -f /tmp/ssl_enable.ldif > cat </tmp/delRSA.ldif > cn=RSA,cn=encryption,cn=config > > EOF > ../shared/bin/ldapdelete -c -D "cn=Directory Manager" -w `cat > /home/ldap/dirmgr.pwd` -f /tmp/delRSA.ldif > [ $? 
-eq 0 ] && echo "deleting cn=RSA,cn=encryption,cn=config"
> cat <<EOF >/tmp/addRSA.ldif
> dn: cn=RSA,cn=encryption,cn=config
> objectclass: top
> objectclass: nsEncryptionModule
> cn: RSA
> nsSSLPersonalitySSL: Server-Cert
> nsSSLToken: internal (software)
> nsSSLActivation: on
>
> EOF
> ../shared/bin/ldapmodify -a -c -D "cn=Directory Manager" -w `cat /home/ldap/dirmgr.pwd` -f /tmp/addRSA.ldif
> echo "Creating a pin.txt for auto-starting of slapd."
> echo "Internal (Software) Token:`cat pwdfile.txt`" >slapd-$HOST-pin.txt
> chown $SLAPD_OWNER:$SLAPD_GROUP slapd-$HOST-pin.txt
> chmod 400 slapd-$HOST-pin.txt
> echo ""
> echo "IMPORTANT NOTES:"
> echo ""
> echo "1. How to check if SSL Configurations are done properly?"
> echo "You may view config/dse.ldif after shutting down slapd"
> echo "to verify all the required SSL configurations are there."
> echo ""
> echo "2. How to fix slapd startup issue due to mis-configuration of SSL?"
> echo "If for any reason slapd fails to start due to SSL issue,"
> echo "you may edit config/dse.ldif after shutting down slapd"
> echo "and revert back to non-SSL configs."
> echo "i.e. set nsSSL3: off, nsslapd-security: off"
> echo "and then try to restart slapd."
> echo ""
>
> =======Sample run.
>
> # ./cr_ssl_certs_fds1ldap.sh
> Backing up existing *.db (if any) to backup_Wed.
> Creating new security key3.db/cert8.db pair.
> Generating encryption key.
>
>
> Generating key.  This may take a few moments...
>
> Generating self-signed CA certificate.
>
>
> Generating key.  This may take a few moments...
>
> Generating self-signed Server certificate.
>
>
> Generating key.  This may take a few moments...
>
> Renaming and linking modified security DBs.
> Setting the correct ownership of security DBs
> Self-signed CA and SSL Server certs generated.
>
> The following commands are OPTIONAL.
> They are for backing up CA and Server Certs in PK12 format,
> exporting the CA Cert in ASCII format or DER format, and
> importing the CA Cert into the Admin Server
>
> ---Start of OPTIONAL commands---
> ../shared/bin/pk12util -d . -P slapd-nj1net200plmon- -o cacert.pfx -n "CA certificate"
> ../shared/bin/pk12util -d . -P slapd-nj1net200plmon- -o servercert.pfx -n "Server-Cert"
> ../shared/bin/certutil -L -d . -P slapd-nj1net200plmon- -n "CA certificate" -a > cacert.asc
> ../shared/bin/certutil -L -d . -P slapd-nj1net200plmon- -n "CA certificate" -r > cacert.der
> ../shared/bin/certutil -A -d . -P admin-serv-nj1net200plmon- -n "CA certificate" -t "CT,," -a -i cacert.asc
> ---End of OPTIONAL commands---
>
> Modifying server SSL configurations.
> NOTE: changes will be saved to config/dse.ldif when slapd is shutdown
> modifying entry cn=encryption,cn=config
> ldap_modify: Type or value exists
>
> deleting cn=RSA,cn=encryption,cn=config
> adding new entry cn=RSA,cn=encryption,cn=config
>
> Creating a pin.txt for auto-starting of slapd.
>
> IMPORTANT NOTES:
>
> 1. How to check if SSL Configurations are done properly?
> You may view config/dse.ldif after shutting down slapd
> to verify all the required SSL configurations are there.
>
> 2. How to fix slapd startup issue due to mis-configuration of SSL?
> If for any reason slapd fails to start due to SSL issue,
> you may edit config/dse.ldif after shutting down slapd
> and revert back to non-SSL configs.
> i.e. set nsSSL3: off, nsslapd-security: off
> and then try to restart slapd.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From david_list at boreham.org Wed Apr 12 13:12:42 2006
From: david_list at boreham.org (David Boreham)
Date: Wed, 12 Apr 2006 07:12:42 -0600
Subject: [Fedora-directory-users] Are these messages in errors log critical?
In-Reply-To: 
References: 
Message-ID: <443CFCCA.8090408@boreham.org>

An HTML attachment was scrubbed...
URL: 

From david_list at boreham.org Wed Apr 12 13:13:40 2006
From: david_list at boreham.org (David Boreham)
Date: Wed, 12 Apr 2006 07:13:40 -0600
Subject: [Fedora-directory-users] mass delete : size limit problem
In-Reply-To: <9711147e0604120222t63d1de2dt6c1cc8053f8cb4f0@mail.gmail.com>
References: <9711147e0604120222t63d1de2dt6c1cc8053f8cb4f0@mail.gmail.com>
Message-ID: <443CFD04.5000301@boreham.org>

Mikael Kermorgant wrote:

> Hello,
>
> I'd like to run a script that deletes everything from ou=People (~
> 5000 users).
> The problem is that I first run a search and the result size is
> limited by the server.
>
> Increasing thiis limit would surely work but I don't find it very
> elegant. Do you see another solution ?

Re-try the operation until you have deleted all the entries (in chunks of size sizelimit at a time).

From jsummers at bachman.cs.ou.edu Wed Apr 12 13:46:29 2006
From: jsummers at bachman.cs.ou.edu (Jim Summers)
Date: Wed, 12 Apr 2006 08:46:29 -0500
Subject: [Fedora-directory-users] OS Migration
In-Reply-To: <443A8986.1080900@redhat.com>
References: <443A79C8.80403@cs.ou.edu> <443A7E45.7000309@redhat.com> <443A7FE1.8040101@redhat.com> <443A83EE.3030209@cs.ou.edu> <443A8986.1080900@redhat.com>
Message-ID: <443D04B5.1020506@cs.ou.edu>

Richard Megginson wrote:
> Jim Summers wrote:
>> Rob Crittenden wrote:
>>> Richard Megginson wrote:
>>>> Jim Summers wrote:
>>>>
>>>>> Hello List,
>>>>>
>>>>> I am closing in on my target date to switch over to FDS. On my
>>>>> test machines I have been running with FC4. I need to re-install
>>>>> the operating system and when I do I will have to use RHEL4.
>>>>>
>>>>> My plan was to shutdown the DS.
>>>>> Then make a tarball of /opt/fedora-ds and several other directories.
>>>>> Next re-install with RHEL4
>>>>> Drop in my iptables
>>>>> Install fedora-ds and verify the OS / performance settings.
>>>>> Then extract my fedora-ds tarball
>>>>> and then hold my breath and start the DS service(s) and presto all
>>>>> is well???
>>>>
>>>> I have no idea. It should work, but I really don't know if there
>>>> are any runtime dependencies in the FDS FC4 RPM binaries that will
>>>> break when run on RHEL4.
>>
>> I plan on installing the FDS with the rpm from:
>>
>> http://directory.fedora.redhat.com/wiki/Download
>> and use the fedora-ds-1.0.2-1.RHEL4.i386.opt.rpm
>>
>>>>
>>>>>
>>>>> Does this sound like a feasible approach?
>>>>>
>>>>> I am a little unsure if it will break any of my configured ssl
>>>>> stuff. Which is a basic self-signed scenario using the
>>>>> /opt/fedora-ds/shared/bin/certutil for the key generation.
>>>>
>>>> I don't think that will be a problem as long as you don't change the
>>>> hostname of the machine.
>>>
>>> Also note that upgrading could be a problem since you aren't doing a
>>> standard RPM installation to begin with. You might be able to "trick"
>>> it by installing the Fedora RPM and then untarring over top of that.
>>
>> Ah, Now I see the problem. What about only untarring the following
>> directories from my backed up DS from /opt/fedora-ds:
>>
>> admin-serv
>> alias
>> slapd-[hostname]
> Add shared/config, clients/orgchart/config.txt, clients/dsgw/context,
> clients/dsgw/pbconfig, and clients/dsgw/config to that list as well.

This worked. The only snag I ran into was the pid file in the slapd-[host]/logs directory. Permissions looked ok, but not until I actually removed it did it fire up and run.

Replication and all seems to be working. I still have my other replica to redo so I will have a chance to double verify this migration path. Will post if anything bad happens.
Thanks Again,

-- 
Jim Summers
School of Computer Science-University of Oklahoma
-------------------------------------------------

From jclowser at unitedmessaging.com Wed Apr 12 13:56:42 2006
From: jclowser at unitedmessaging.com (Jeff Clowser)
Date: Wed, 12 Apr 2006 09:56:42 -0400
Subject: [Fedora-directory-users] mass delete : size limit problem
In-Reply-To: <443CFD04.5000301@boreham.org>
References: <9711147e0604120222t63d1de2dt6c1cc8053f8cb4f0@mail.gmail.com> <443CFD04.5000301@boreham.org>
Message-ID: <443D071A.5020200@unitedmessaging.com>

David Boreham wrote:

> Mikael Kermorgant wrote:
>
>> Hello,
>>
>> I'd like to run a script that deletes everything from ou=People (~
>> 5000 users).
>> The problem is that I first run a search and the result size is
>> limited by the server.
>>
>> Increasing thiis limit would surely work but I don't find it very
>> elegant. Do you see another solution ?
>
>
> Re-try the operation until you have deleted all the entries (in chunks
> of size sizelimit at a time).

I take it you are not running the deletes as Directory Manager, because administrative server limits won't apply if you are. One thing you can do is remove or increase the administrative limits just on the entry you are binding as to do the deletes. Adding the following to the entry you are binding as should do this:

nsLookThroughLimit: -1
nsSizeLimit: -1
nsTimeLimit: -1
nsIdleTimeout: -1

-1 sets this to unlimited. You can sub this with other reasonable values if that fits your needs better. You might only want some of these (i.e. nsSizeLimit).

BTW, this is based on my knowledge of the Sun DS, and it's possible FDS is different, but I think this is in both servers.

- Jeff

From kwm27 at cornell.edu Wed Apr 12 14:16:52 2006
From: kwm27 at cornell.edu (Ken Morehouse)
Date: Wed, 12 Apr 2006 10:16:52 -0400
Subject: [Fedora-directory-users] Startconsole issues on Windows
Message-ID: <000c01c65e3b$bf3e2440$d0a4ec84@ornith.cornell.edu>

Hello all.
I just recently installed Fedora Directory Server v1.0.2-1. I'm able to get the startconsole script to start up without an issue on the RedHat server, but have been having considerable issues trying to get the code to run on my workstation. I get lost with Java pretty easily, and this is most likely user error, but I can't seem to get a resolution. Any help will be greatly appreciated. If I could get the Java to load, I can work through any connectivity to the admin server.

Here are some of the details of my attempts.

1) Tried to run ./startconsole -D on the server, but only get "Fedora-Management-Console/1.0 B2006.060.198" on stdout.
2) Used the HOWTO at http://directory.fedora.redhat.com/wiki/Howto:WindowsConsole to build the fedora folder and script on my XP workstation.
3) No SSL setup on the server until the basics are working.
4) When running the batch file on my machine, I get the following error.
"Exception in thread "main" java.lang.NoClassDefFoundError: /com/netscape/management/client/console/Console"

- Output from java -version on my workstation:
java version "1.5.0_06"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_06-b05)
Java HotSpot(TM) Client VM (build 1.5.0_06-b05, mixed mode)

- Contents of my batch file
@echo off
set PATH=c:\fedora\lib\jss;c:\fedora\java;c:\fedora\lib;c:\program files\Java\jre1.5.0_06\bin;%PATH%
"C:\Program files\Java\jre1.5.0_06\bin\java" -ms8m -mx64m -cp .;.\java\fedora-nmclf-1.0.jar;.\java\fedora-base.jar;.\java\ldapjdk.jar;.\java\fedora-mcc-1.0.jar;.\java\fedora-nmclf-1.0_en.jar;.\java\fedora-mcc-1.0_en.jar;.\java\jss3.jar; -Djava.library.path=c:\fedora\lib -Djava.util.prefs.systemRoot=.\.java -Djava.util.prefs.userRoot=. com.netscape.management.client.console.Console -D -a http://adminsserver:port

- Contents of my c:\fedora\java directory
04/12/2006  10:24 AM            37,364 fedora-base-1.0.jar
04/12/2006  10:24 AM         1,004,998 fedora-mcc-1.0.jar
04/12/2006  10:24 AM           109,407 fedora-mcc-1.0_en.jar
04/12/2006  10:24 AM            26,242
fedora-nmclf-1.0.jar
04/12/2006  10:24 AM            10,306 fedora-nmclf-1.0_en.jar
04/12/2006  09:26 AM    <DIR>          html
04/12/2006  09:26 AM    <DIR>          jars
04/12/2006  10:24 AM           611,431 jss3.jar
04/12/2006  10:24 AM           264,659 ldapjdk.jar

- Contents of my c:\fedora\lib directory
04/12/2006  10:24 AM           123,480 acl-plugin.so
04/12/2006  10:24 AM            17,824 attr-unique-plugin.so
04/12/2006  10:24 AM            74,160 chainingdb-plugin.so
04/12/2006  10:24 AM            33,612 cos-plugin.so
04/12/2006  10:24 AM             9,488 des-plugin.so
04/12/2006  10:24 AM            23,808 http-client-plugin.so
04/11/2006  04:20 PM    <DIR>          jss
04/12/2006  10:24 AM           379,800 libback-ldbm.so
04/12/2006  10:24 AM           174,613 libjss3.so
04/12/2006  10:24 AM            22,536 liblcoll.so
04/12/2006  10:24 AM            13,036 passthru-plugin.so
04/12/2006  09:26 AM    <DIR>          perl
04/12/2006  10:24 AM            18,980 pwdstorage-plugin.so
04/12/2006  10:24 AM            16,956 referint-plugin.so
04/12/2006  10:24 AM           387,172 replication-plugin.so
04/12/2006  10:24 AM            32,384 retrocl-plugin.so
04/12/2006  10:24 AM            24,512 roles-plugin.so
04/12/2006  10:24 AM             7,432 statechange-plugin.so
04/12/2006  10:24 AM            24,736 syntax-plugin.so
04/12/2006  10:24 AM            15,736 views-plugin.so

From kimmo.koivisto at surfeu.fi Wed Apr 12 19:20:14 2006
From: kimmo.koivisto at surfeu.fi (Kimmo Koivisto)
Date: Wed, 12 Apr 2006 22:20:14 +0300
Subject: [Fedora-directory-users] Startconsole issues on Windows
In-Reply-To: <000c01c65e3b$bf3e2440$d0a4ec84@ornith.cornell.edu>
References: <000c01c65e3b$bf3e2440$d0a4ec84@ornith.cornell.edu>
Message-ID: <200604122220.14626.kimmo.koivisto@surfeu.fi>

Ken Morehouse wrote in his message (sent Wednesday 12 April 2006 17:16):
> Hello all. I just recently installed Fedora Directory Server v1.0.2-1. I'm
> able to get the startconsole script to start up without an issue on the
> RedHat server, but have been having considerable issues trying to get the
> code to run on my workstation.

Hello Ken

I had troubles too when I tried to use the java and lib directories from FDS 1.0.2. Then I copied those dirs from 1.0.1 and got it working.
My .bat file

@echo off
set ADMINUSER=admin
set ADMINURL=http://repository:9000/
echo Starting Console
java -ms8m -mx64m -cp .;.\nmclf10.jar;.\base.jar;.\ldapjdk.jar;.\mcc10.jar;.\nmclf10_en.jar;.\mcc10_en.jar;.\jss3.jar -Djava.library.path=..\lib\jss -Djava.util.prefs.systemRoot=.\.java -Djava.util.prefs.userRoot=. com.netscape.management.client.console.Console -D -u %ADMINUSER% -a %ADMINURL%

Maybe this helps you?

Regards
Kimmo

From kwm27 at cornell.edu Wed Apr 12 19:22:42 2006
From: kwm27 at cornell.edu (Ken Morehouse)
Date: Wed, 12 Apr 2006 15:22:42 -0400
Subject: [Fedora-directory-users] Startconsole issues on Windows
In-Reply-To: <200604122220.14626.kimmo.koivisto@surfeu.fi>
Message-ID: <002501c65e66$785ec630$d0a4ec84@ornith.cornell.edu>

Finally got this to work today. After discussing the issues with one of our onsite Java specialists, we determined the problem. The names of the .jar files did not all match what was in the java folder.

Thank you for the information.

Ken

-----Original Message-----
From: Kimmo Koivisto [mailto:kimmo.koivisto at surfeu.fi]
Sent: Wednesday, April 12, 2006 3:20 PM
To: fedora-directory-users at redhat.com
Cc: Ken Morehouse
Subject: Re: [Fedora-directory-users] Startconsole issues on Windows

Ken Morehouse wrote in his message (sent Wednesday 12 April 2006 17:16):
> Hello all. I just recently installed Fedora Directory Server v1.0.2-1.
> I'm able to get the startconsole script to start up without an issue
> on the RedHat server, but have been having considerable issues trying
> to get the code to run on my workstation.

Hello Ken

I had troubles too when I tried to use the java and lib directories from FDS 1.0.2. Then I copied those dirs from 1.0.1 and got it working.

My .bat file

@echo off
set ADMINUSER=admin
set ADMINURL=http://repository:9000/
echo Starting Console
java -ms8m -mx64m -cp .;.\nmclf10.jar;.\base.jar;.\ldapjdk.jar;.\mcc10.jar;.
\nmclf10_en.jar;.\mcc10_en.jar;.\jss3.jar -Djava.library.path=..\lib\jss -Djava.util.prefs.systemRoot=.\.java -Djava.util.prefs.userRoot=. com.netscape.management.client.console.Console -D -u %ADMINUSER% -a %ADMINURL%

Maybe this helps you?

Regards
Kimmo

From Gary_Tay at platts.com Thu Apr 13 10:24:36 2006
From: Gary_Tay at platts.com (Tay, Gary)
Date: Thu, 13 Apr 2006 18:24:36 +0800
Subject: [Fedora-directory-users] Another one-button script - rebuild_fds.sh
Message-ID:

FDS Folks,

Another automated script from me.

Gary

#! /bin/sh
#
# rebuild_fds.sh - ReBuild Fedora Directory Server
#
# Gary Tay
#
# NOTE: This script will rebuild a FDS Server compatible with BOTH
# RedHat and Solaris LDAP Clients
#
# 1) Make sure 'root' is used to run this script
# 2) Make sure /home/ldap/dirmgr.pwd contains password of cn=Directory Manager
#
#set -vx
IS_ROOT_UID=`id | grep "uid=0(root)"`
if [ ! -n "$IS_ROOT_UID" ]; then
  echo "Please run this script as root"
  exit 1
fi
if [ ! -f /home/ldap/dirmgr.pwd ]; then
  echo "Please setup /home/ldap/dirmgr.pwd."
  exit 1
else
  chmod 600 /home/ldap/dirmgr.pwd
fi
# Please customize the following
FDS1_PATH=/opt/fedora-ds
HOST=ldap1
DOMAIN="example.com"
BASEDN="dc=example,dc=com"
SLAPD_OWNER=nobody
SLAPD_GROUP=nobody
LD_LIBRARY_PATH=$FDS1_PATH/shared/lib:$FDS1_PATH/lib
export LD_LIBRARY_PATH
PATH=$FDS1_PATH/shared/bin:$PATH; export PATH
echo "ASSUMPTION: This script assumes that you have performed"
echo "'rpm -e' and then 'rpm -ivh' to reinstall Fedora Directory Server"
echo "and you have re-run the setup program"
echo "ns-slapd should be running"
echo "Press [Ctrl-C] to abort, enter [Yes] to continue..."
read a_key
[ "$a_key" != "Yes" ] && exit 1
# Load schemas
cat <<EOF >/tmp/61DUAConfigProfile.ldif
dn: cn=schema
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.0 NAME 'defaultServerList' DESC 'Default LDAP server host address used by a DUA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.1 NAME 'defaultSearchBase' DESC 'Default LDAP base DN used by a DUA' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.2 NAME 'preferredServerList' DESC 'Preferred LDAP server host addresses to be used by a DUA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.3 NAME 'searchTimeLimit' DESC 'Maximum time in seconds a DUA should allow for a search to complete' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.4 NAME 'bindTimeLimit' DESC 'Maximum time in seconds a DUA should allow for the bind operation to complete' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.5 NAME 'followReferrals' DESC 'Tells DUA if it should follow referrals returned by a DSA search result' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.6 NAME 'authenticationMethod' DESC 'A keystring which identifies the type of authentication method used to contact the DSA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.7 NAME 'profileTTL' DESC 'Time to live, in seconds, before a client DUA should re-read this configuration profile' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.14 NAME 'serviceSearchDescriptor'
  DESC 'LDAP search descriptor list used by a DUA' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.9 NAME 'attributeMap' DESC 'Attribute mappings used by a DUA' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.10 NAME 'credentialLevel' DESC 'Identifies type of credentials a DUA should use when binding to the LDAP server' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.11 NAME 'objectclassMap' DESC 'Objectclass mappings used by a DUA' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.12 NAME 'defaultSearchScope' DESC 'Default search scope used by a DUA' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.13 NAME 'serviceCredentialLevel' DESC 'Identifies type of credentials a DUA should use when binding to the LDAP server for a specific service' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.15 NAME 'serviceAuthenticationMethod' DESC 'Authentication method used by a service of the DUA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
objectClasses: ( 1.3.6.1.4.1.11.1.3.1.2.4 NAME 'DUAConfigProfile' SUP top STRUCTURAL DESC 'Abstraction of a base configuration for a DUA' MUST ( cn ) MAY ( defaultServerList $ preferredServerList $ defaultSearchBase $ defaultSearchScope $ searchTimeLimit $ bindTimeLimit $ credentialLevel $ authenticationMethod $ followReferrals $ serviceSearchDescriptor $ serviceCredentialLevel $ serviceAuthenticationMethod $ objectclassMap $ attributeMap $ profileTTL ) )
EOF
cat <<EOF >/tmp/62nisDomain.ldif
dn: cn=schema
attributeTypes: ( 1.3.6.1.1.1.1.30 NAME 'nisDomain' DESC 'NIS domain' SYNTAX
  1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
objectClasses: ( 1.3.6.1.1.1.2.15 NAME 'nisDomainObject' SUP top STRUCTURAL MUST nisDomain X-ORIGIN 'user defined' )
EOF
/bin/cp -f /tmp/61DUAConfigProfile.ldif $FDS1_PATH/slapd-$HOST/config/schema
/bin/cp -f /tmp/62nisDomain.ldif $FDS1_PATH/slapd-$HOST/config/schema
chown $SLAPD_OWNER:$SLAPD_GROUP $FDS1_PATH/slapd-$HOST/config/schema/61DUAConfigProfile.ldif
chown $SLAPD_OWNER:$SLAPD_GROUP $FDS1_PATH/slapd-$HOST/config/schema/62nisDomain.ldif
$FDS1_PATH/slapd-$HOST/stop-slapd
$FDS1_PATH/slapd-$HOST/start-slapd
# Add nisDomainObject
cat <<EOF >/tmp/add_nisDomainObject.ldif
dn: $BASEDN
changetype: modify
add: objectclass
objectclass: nisdomainobject
-
replace: nisdomain
nisdomain: $DOMAIN

EOF
ldapmodify -D "cn=Directory Manager" -w `cat /home/ldap/dirmgr.pwd` -f /tmp/add_nisDomainObject.ldif
# Add two ACIs
cat <<EOF >/tmp/add_two_ACIs.ldif
dn: $BASEDN
changetype: modify
add: aci
aci: (targetattr = "cn||uid||uidNumber||gidNumber||homeDirectory||shadowLastChange||shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag||memberUid")(version 3.0; acl LDAP_Naming_Services_deny_write_access;deny (write) userdn = "ldap:///self";)
-
add: aci
aci: (target="ldap:///$BASEDN")(targetattr="userPassword")(version 3.0; acl LDAP_Naming_Services_proxy_password_read; allow (compare,search) userdn = "ldap:///cn=proxyagent,ou=profile,$BASEDN";)

EOF
ldapmodify -D "cn=Directory Manager" -w `cat /home/ldap/dirmgr.pwd` -f /tmp/add_two_ACIs.ldif
# Modify default password storage scheme
cat <<EOF >/tmp/mod_passwordStorageScheme.ldif
dn: cn=config
changetype: modify
replace: passwordStorageScheme
passwordStorageScheme: CRYPT
EOF
ldapmodify -D "cn=Directory Manager" -w `cat /home/ldap/dirmgr.pwd` -f /tmp/mod_passwordStorageScheme.ldif
# Create ou=group, proxyAgent and ldapclient profiles
cat <<EOF >/tmp/People.ldif
dn: uid=gtay,
  ou=People, $BASEDN
givenName: Gary
sn: Tay
loginShell: /bin/bash
uidNumber: 6167
gidNumber: 102
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
objectClass: shadowAccount
uid: gtay
cn: Gary Tay
homeDirectory: /home/gtay
userPassword: {CRYPT}U8bo2twhJ9Kkg

dn: uid=tuser, ou=People, $BASEDN
givenName: Test
sn: User
loginShell: /bin/bash
uidNumber: 9999
gidNumber: 102
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
objectClass: shadowAccount
uid: tuser
cn: Test User
homeDirectory: /home/tuser
userPassword: {SHA}MWxHz/4F3kXGXlfK4EvIJUo2C2U=

EOF
$FDS1_PATH/shared/bin/ldapmodify -a -c -D "cn=Directory Manager" -w `cat /home/ldap/dirmgr.pwd` -f /tmp/People.ldif
cat <<EOF >/tmp/group_and_other_OUs.ldif
dn: ou=group,$BASEDN
objectClass: organizationalUnit
objectClass: top
ou: group

dn: cn=Users,ou=group,$BASEDN
cn: Users
gidNumber: 102
objectClass: top
objectClass: posixGroup
memberUid: gtay
memberUid: tuser

dn: ou=netgroup,$BASEDN
objectClass: organizationalUnit
objectClass: top
ou: netgroup

dn: ou=sudoers,$BASEDN
objectClass: organizationalUnit
objectClass: top
ou: sudoers

EOF
$FDS1_PATH/shared/bin/ldapmodify -a -c -D "cn=Directory Manager" -w `cat /home/ldap/dirmgr.pwd` -f /tmp/group_and_other_OUs.ldif
cat <<EOF >/tmp/proxyAgent_and_profiles.ldif
dn: ou=profile,$BASEDN
objectClass: top
objectClass: organizationalUnit
ou: profile

dn: cn=proxyAgent,ou=profile,$BASEDN
objectClass: top
objectClass: person
cn: proxyAgent
sn: proxyAgent
userPassword: {CRYPT}l14aeXtphVSUg

dn: cn=default,ou=profile,$BASEDN
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: $HOST.$DOMAIN
defaultSearchBase: $BASEDN
authenticationMethod: simple
followReferrals: TRUE
defaultSearchScope: one
searchTimeLimit: 30
profileTTL: 43200
cn: default
credentialLevel: proxy
bindTimeLimit: 2
serviceSearchDescriptor: passwd: ou=People,$BASEDN?one
serviceSearchDescriptor: group: ou=group,$BASEDN?one
serviceSearchDescriptor: shadow: ou=People,$BASEDN?one
serviceSearchDescriptor: netgroup: ou=netgroup,$BASEDN?one
serviceSearchDescriptor: sudoers: ou=sudoers,$BASEDN?one

dn: cn=tls_profile,ou=profile,$BASEDN
ObjectClass: top
ObjectClass: DUAConfigProfile
defaultServerList: $HOST.$DOMAIN
defaultSearchBase: $BASEDN
authenticationMethod: tls:simple
followReferrals: FALSE
defaultSearchScope: one
searchTimeLimit: 30
profileTTL: 43200
bindTimeLimit: 10
cn: tls_profile
credentialLevel: proxy
serviceSearchDescriptor: passwd: ou=People,$BASEDN?one
serviceSearchDescriptor: group: ou=group,$BASEDN?one
serviceSearchDescriptor: shadow: ou=People,$BASEDN?one
serviceSearchDescriptor: netgroup: ou=netgroup,$BASEDN?one
serviceSearchDescriptor: sudoers: ou=sudoers,$BASEDN?one

EOF
$FDS1_PATH/shared/bin/ldapmodify -a -c -D "cn=Directory Manager" -w `cat /home/ldap/dirmgr.pwd` -f /tmp/proxyAgent_and_profiles.ldif
echo "Rebuild done."

===Sample Run===

# ./rebuild_fds.sh
ASSUMPTION: This script assumes that you have performed
'rpm -e' and then 'rpm -ivh' to reinstall Fedora Directory Server
and you have re-run the setup program
ns-slapd should be running
Press [Ctrl-C] to abort, enter [Yes] to continue...
Yes
modifying entry dc=example,dc=com

modifying entry dc=example,dc=com
ldap_modify: Type or value exists

modifying entry cn=config

adding new entry uid=gtay, ou=People, dc=example,dc=com

adding new entry uid=tuser, ou=People, dc=example,dc=com

adding new entry ou=group,dc=example,dc=com

adding new entry cn=Users,ou=group,dc=example,dc=com

adding new entry ou=netgroup,dc=example,dc=com

adding new entry ou=sudoers,dc=example,dc=com

adding new entry ou=profile,dc=example,dc=com

adding new entry cn=proxyAgent,ou=profile,dc=example,dc=com

adding new entry cn=default,ou=profile,dc=example,dc=com

adding new entry cn=tls_profile,ou=profile,dc=example,dc=com

Rebuild done.

From mikael.kermorgant at gmail.com Thu Apr 13 13:24:57 2006
From: mikael.kermorgant at gmail.com (Mikael Kermorgant)
Date: Thu, 13 Apr 2006 15:24:57 +0200
Subject: [Fedora-directory-users] import schema from openldap : syntax oid problem
Message-ID: <9711147e0604130624j3ef48f3dg56c4c3fcdd37feb0@mail.gmail.com>

Hello,

I've converted a schema from openldap (http://www.cru.fr/ldap/supann/schema/supann.schema) which causes this error when starting fds:

# /opt/fedora-ds/slapd-afed/start-slapd
[13/Apr/2006:14:17:09 +0200] dse - The entry cn=schema in file /opt/fedora-ds/slapd-afed/config/schema/98supann.ldif is invalid, error code 21 (Invalid syntax) - attribute type supannCivilite: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.44"
[13/Apr/2006:14:17:09 +0200] dse - Please edit the file to correct the reported problems and then restart the server.

It seems to be related to rfc2252.

Do you know a workaround for this situation?

Thanks in advance,

--
Mikael Kermorgant
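An added example, not part of Gary Tay's rebuild_fds.sh above or of any message in this thread. The script switches passwordStorageScheme to CRYPT and pastes pre-computed {CRYPT} and {SHA} values into its People.ldif. The Python below shows how the salted {SSHA} form of the same RFC 2307 userPassword convention is produced and checked (base64 of SHA-1(password + salt) followed by the salt, so the salt is recovered by splitting the decoded value at byte 20), and how a posixAccount entry shaped like the script's is written out as LDIF with the RFC 2849 rule that a value which is not a safe ASCII string goes out base64-encoded after a double colon, plus RFC 4514 escaping of the RDN value. The users, salts and passwords are constructed for the example; the suffix mirrors the script's $BASEDN.

```python
"""Produce and verify {SSHA} userPassword values and emit posixAccount LDIF.

Added example, not code from the thread. {SSHA} = base64(SHA1(pw || salt) || salt),
the salted scheme understood by Netscape-derived servers and OpenLDAP.
"""
import base64
import binascii
import hashlib
import hmac
import os
from typing import Optional, Tuple

SHA1_LEN = 20


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return an RFC 2307-style '{SSHA}...' value; the salt is random unless given."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_parts(stored: str) -> Tuple[bytes, bytes]:
    """Split a '{SSHA}' value into (digest, salt); raise ValueError for anything else."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) < SHA1_LEN:
        raise ValueError("value too short to hold a SHA-1 digest")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def ssha_verify(password: str, stored: str) -> bool:
    """Check a password against a stored '{SSHA}' value with a constant-time compare."""
    try:
        digest, salt = ssha_parts(stored)
    except (ValueError, binascii.Error):
        return False
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldif_safe(value: str) -> bool:
    """RFC 2849 SAFE-STRING: ASCII, no NUL/CR/LF, no leading space, ':' or '<',
    and no trailing space."""
    if value == "":
        return True
    if value[0] in " :<" or value[-1] == " ":
        return False
    return all(0 < ord(c) < 128 and c not in "\r\n" for c in value)


def ldif_line(attr: str, value: str) -> str:
    """'attr: value', or 'attr:: base64' when the value is not LDIF-safe."""
    if ldif_safe(value):
        return "%s: %s" % (attr, value)
    return "%s:: %s" % (attr, base64.b64encode(value.encode("utf-8")).decode("ascii"))


def dn_escape(value: str) -> str:
    """Escape an RDN attribute value per RFC 4514 (special characters, leading
    '#' or space, trailing space)."""
    out = []
    last = len(value) - 1
    for i, c in enumerate(value):
        special = c in '\\,+"<>;' or (i == 0 and c in "# ") or (i == last and c == " ")
        out.append("\\" + c if special else c)
    return "".join(out)


def posix_account_ldif(uid: str, cn: str, sn: str, given_name: str, uid_number: int,
                       gid_number: int, password: str, base_dn: str,
                       salt: Optional[bytes] = None, login_shell: str = "/bin/bash") -> str:
    """One posixAccount/shadowAccount entry shaped like those in rebuild_fds.sh."""
    lines = [
        "dn: uid=%s,ou=People,%s" % (dn_escape(uid), base_dn),
        "objectClass: top", "objectClass: person", "objectClass: organizationalPerson",
        "objectClass: inetorgperson", "objectClass: posixAccount", "objectClass: shadowAccount",
        ldif_line("uid", uid), ldif_line("cn", cn), ldif_line("sn", sn),
        ldif_line("givenName", given_name),
        "uidNumber: %d" % uid_number, "gidNumber: %d" % gid_number,
        "homeDirectory: /home/%s" % uid, "loginShell: %s" % login_shell,
        ldif_line("userPassword", ssha_hash(password, salt)),
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample user, not a real account
    print(posix_account_ldif("tuser", "Test User", "User", "Test", 9999, 102,
                             "s3cret", "dc=example,dc=com"))
```

The output can be fed to the same ldapmodify -a call the script uses; because the hash is computed client-side, the server's passwordStorageScheme setting does not matter for these entries, which is also why the script can mix {CRYPT} and {SHA} values in one file.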
From mj at sci.fi Thu Apr 13 15:53:41 2006
From: mj at sci.fi (Mike Jackson)
Date: Thu, 13 Apr 2006 18:53:41 +0300
Subject: [Fedora-directory-users] import schema from openldap : syntax oid problem
In-Reply-To: <9711147e0604130624j3ef48f3dg56c4c3fcdd37feb0@mail.gmail.com>
References: <9711147e0604130624j3ef48f3dg56c4c3fcdd37feb0@mail.gmail.com>
Message-ID: <443E7405.4060204@sci.fi>

Mikael Kermorgant wrote:
> Hello,
>
> I've converted a schema from openldap
> (http://www.cru.fr/ldap/supann/schema/supann.schema) which causes this
> error when starting fds :
>
> # /opt/fedora-ds/slapd-afed/start-slapd
> [13/Apr/2006:14:17:09 +0200] dse - The entry cn=schema in file
> /opt/fedora-ds/slapd-afed/config/schema/98supann.ldif is invalid, error
> code 21 (Invalid syntax) - attribute type supannCivilite: Unknown
> attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.44"
> [13/Apr/2006:14:17:09 +0200] dse - Please edit the file to correct the
> reported problems and then restart the server.

Change the attribute syntax oid for those two attributes to be:

1.3.6.1.4.1.1466.115.121.1.15

and file a bug report at https://bugzilla.redhat.com/bugzilla/index.cgi

--
mike

From mikael.kermorgant at gmail.com Fri Apr 14 08:35:17 2006
From: mikael.kermorgant at gmail.com (Mikael Kermorgant)
Date: Fri, 14 Apr 2006 10:35:17 +0200
Subject: [Fedora-directory-users] import schema from openldap : syntax oid problem
In-Reply-To: <443E7405.4060204@sci.fi>
References: <9711147e0604130624j3ef48f3dg56c4c3fcdd37feb0@mail.gmail.com> <443E7405.4060204@sci.fi>
Message-ID: <9711147e0604140135y7a0de966i8521ffaf6cabcf5@mail.gmail.com>

Thanks, it worked.

I filed a bug at https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=188984

--
Mikael Kermorgant
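An added example, not from the thread or from the FDS project. Mike Jackson's fix above was to edit the syntax OID by hand, and the server only tells you about a bad attribute when it refuses to start, so a converted schema with several offending attributes costs a restart per fix. The Python below unfolds an LDIF schema file (continuation lines start with one space), pulls the SYNTAX OID out of every attributeTypes definition, lists those absent from a supported set, and rewrites them through a mapping such as 1.3.6.1.4.1.1466.115.121.1.44 (Printable String) to 1.3.6.1.4.1.1466.115.121.1.15 (Directory String), preserving any {length} qualifier and the line folding. The sample schema is a constructed two-attribute stand-in for the converted supann file with placeholder attribute OIDs, and the supported-syntax set is an assumed subset; take the real list from the server you are loading the schema into.

```python
"""Find and rewrite unsupported attribute syntax OIDs in an LDIF schema file.

Added example, not FDS code. Works on the 'cn=schema' LDIF layout used by
FDS schema files (attributeTypes: ( OID NAME 'x' ... SYNTAX oid ... )).
"""
import re
import sys
from typing import Dict, Iterator, List, Set, Tuple

# Assumed subset of RFC 4517 syntaxes for the example; use your server's real list.
SUPPORTED_SYNTAXES: Set[str] = {
    "1.3.6.1.4.1.1466.115.121.1.7",   # Boolean
    "1.3.6.1.4.1.1466.115.121.1.12",  # DN
    "1.3.6.1.4.1.1466.115.121.1.15",  # Directory String
    "1.3.6.1.4.1.1466.115.121.1.24",  # Generalized Time
    "1.3.6.1.4.1.1466.115.121.1.26",  # IA5 String
    "1.3.6.1.4.1.1466.115.121.1.27",  # Integer
    "1.3.6.1.4.1.1466.115.121.1.40",  # Octet String
}

# Printable String -> Directory String, the substitution from the thread
REWRITE: Dict[str, str] = {"1.3.6.1.4.1.1466.115.121.1.44": "1.3.6.1.4.1.1466.115.121.1.15"}

# Constructed stand-in for the converted schema; 1.1.1.1.x are placeholder OIDs.
SAMPLE_SCHEMA = """dn: cn=schema
attributeTypes: ( 1.1.1.1.1 NAME 'supannCivilite'
  DESC 'civility' EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{32} SINGLE-VALUE )
attributeTypes: ( 1.1.1.1.2 NAME 'exampleFlag'
  EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
"""

_NAME = re.compile(r"NAME\s+\(?\s*'([^']+)'")
_SYNTAX = re.compile(r"(SYNTAX\s+'?)([0-9.]+)")


def unfold_ldif(text: str) -> List[str]:
    """Join RFC 2849 continuation lines (leading single space) onto their logical line."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # drop exactly one leading space, append the rest
        else:
            lines.append(raw)
    return lines


def attribute_syntaxes(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (attribute name, syntax OID) for every attributeTypes definition."""
    for line in unfold_ldif(text):
        if not line.lower().startswith("attributetypes:"):
            continue
        syntax = _SYNTAX.search(line)
        if syntax is None:
            continue                       # inherits syntax via SUP; nothing to check
        name = _NAME.search(line)
        yield (name.group(1) if name else "?", syntax.group(2))


def unknown_syntaxes(text: str, supported: Set[str] = SUPPORTED_SYNTAXES) -> List[Tuple[str, str]]:
    """Attributes whose SYNTAX OID the server is not known to implement."""
    return [(name, oid) for name, oid in attribute_syntaxes(text) if oid not in supported]


def rewrite_syntaxes(text: str, mapping: Dict[str, str] = REWRITE) -> str:
    """Replace mapped SYNTAX OIDs in place, keeping folding and any {len} qualifier."""
    def repl(m: "re.Match") -> str:
        return m.group(1) + mapping.get(m.group(2), m.group(2))
    return _SYNTAX.sub(repl, text)


if __name__ == "__main__":
    # Usage: python check_schema.py 98supann.ldif  (prints the offending attributes)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SCHEMA
    for name, oid in unknown_syntaxes(text):
        print("%s: unsupported syntax %s" % (name, oid))
```

Run it over the converted file before copying it into slapd-*/config/schema; the rewritten text can be written back with the usual file ownership the server expects. Mapping a syntax to Directory String loses the Printable String character restriction, which is exactly the trade the thread accepted.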
From mont.rothstein at gmail.com Fri Apr 14 20:57:53 2006
From: mont.rothstein at gmail.com (Mont Rothstein)
Date: Fri, 14 Apr 2006 13:57:53 -0700
Subject: [Fedora-directory-users] How interchangeable are ldap server?
Message-ID: <467a83630604141357q739a37a7t5e3e64743d616c5e@mail.gmail.com>

We have a windows app that uses an LDAP server for authentication.

For our clients that don't already have an LDAP server we provide FDS. However many of our clients already have an LDAP server (AD, Novell, IBM, Oracle).

How interchangeable are LDAP servers? Are we likely to be able to just talk to any server, or will we need custom code for each?

In addition to authentication we plan to create and assign roles, and possibly use a small custom schema.

Any information or pointers to information on this would be appreciated. I couldn't find anything via Google.

Thanks,
-Mont

From felipe.alfaro at gmail.com Fri Apr 14 21:08:29 2006
From: felipe.alfaro at gmail.com (Felipe Alfaro Solana)
Date: Fri, 14 Apr 2006 23:08:29 +0200
Subject: [Fedora-directory-users] How interchangeable are ldap server?
In-Reply-To: <467a83630604141357q739a37a7t5e3e64743d616c5e@mail.gmail.com>
References: <467a83630604141357q739a37a7t5e3e64743d616c5e@mail.gmail.com>
Message-ID: <6f6293f10604141408g53a7e087wdfc9fb9554552690@mail.gmail.com>

> For our clients that don't already have an LDAP server we provide FDS.
> However many of our clients already have an LDAP server (AD, Novell,
> IBM, Oracle).

I guess the answer is it depends. Does your application use standard LDAPv3 methods and operations? Does your application use some wrapping APIs or classes?

From gholbert at broadcom.com Fri Apr 14 21:18:27 2006
From: gholbert at broadcom.com (George Holbert)
Date: Fri, 14 Apr 2006 14:18:27 -0700
Subject: [Fedora-directory-users] How interchangeable are ldap server?
In-Reply-To: <467a83630604141357q739a37a7t5e3e64743d616c5e@mail.gmail.com>
References: <467a83630604141357q739a37a7t5e3e64743d616c5e@mail.gmail.com>
Message-ID: <444011A3.2050702@broadcom.com>

I doubt you'll need much custom code for the basics.
But you'll need to be aware of vendor-specific features and schema, and not rely on those in your app, if you want it to work the same on any server.

Mont Rothstein wrote:
> We have a windows app that uses an LDAP server for authentication.
>
> For our clients that don't already have an LDAP server we provide
> FDS. However many of our clients already have an LDAP server (AD,
> Novell, IBM, Oracle).
>
> How interchangeable are LDAP servers? Are we likely to be able to
> just talk to any server, or will we need custom code for each?
>
> In addition to authentication we plan to create and assign roles, and
> possibly use a small custom schema.
>
> Any information or pointers to information on this would be
> appreciated. I couldn't find anything via Google.
>
> Thanks,
> -Mont
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From mont.rothstein at gmail.com Fri Apr 14 23:32:29 2006
From: mont.rothstein at gmail.com (Mont Rothstein)
Date: Fri, 14 Apr 2006 16:32:29 -0700
Subject: [Fedora-directory-users] How interchangeable are ldap server?
In-Reply-To: <6f6293f10604141408g53a7e087wdfc9fb9554552690@mail.gmail.com>
References: <467a83630604141357q739a37a7t5e3e64743d616c5e@mail.gmail.com> <6f6293f10604141408g53a7e087wdfc9fb9554552690@mail.gmail.com>
Message-ID: <467a83630604141632w48a52bb9xb50f08ec95c9d719@mail.gmail.com>

The short answer is that the directory server integration portion of our app is not yet written, I should have said "will use". The app is written in C#.NET, so we'll be using some sort of .NET wrapper.
We had not planned on writing raw LDAP.

-Mont

On 4/14/06, Felipe Alfaro Solana wrote:
>
> > For our clients that don't already have an LDAP server we provide FDS.
> > However many of our clients already have an LDAP server (AD, Novell,
> > IBM, Oracle).
>
> I guess the answer is it depends. Does your application use standard
> LDAPv3 methods and operations? Does your application use some wrapping
> APIs or classes?
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From mont.rothstein at gmail.com Fri Apr 14 23:35:05 2006
From: mont.rothstein at gmail.com (Mont Rothstein)
Date: Fri, 14 Apr 2006 16:35:05 -0700
Subject: [Fedora-directory-users] How interchangeable are ldap server?
In-Reply-To: <444011A3.2050702@broadcom.com>
References: <467a83630604141357q739a37a7t5e3e64743d616c5e@mail.gmail.com> <444011A3.2050702@broadcom.com>
Message-ID: <467a83630604141635w36efe297y9ca934f149a3aa08@mail.gmail.com>

Just to be clear, when you say "much custom code" do you mean none if I am careful, or a little? This can obviously be a big difference since even testing a small number of changes against all the LDAP servers we might have to talk to could be a large task.

Thanks,
-Mont

On 4/14/06, George Holbert wrote:
>
> I doubt you'll need much custom code for the basics.
> But you'll need to be aware of vendor-specific features and schema, and
> not rely on those in your app, if you want it to work the same on any
> server.
>
> Mont Rothstein wrote:
> > We have a windows app that uses an LDAP server for authentication.
> >
> > For our clients that don't already have an LDAP server we provide
> > FDS. However many of our clients already have an LDAP server (AD,
> > Novell, IBM, Oracle).
> >
> > How interchangeable are LDAP servers?
> > Are we likely to be able to
> > just talk to any server, or will we need custom code for each?
> >
> > In addition to authentication we plan to create and assign roles, and
> > possibly use a small custom schema.
> >
> > Any information or pointers to information on this would be
> > appreciated. I couldn't find anything via Google.
> >
> > Thanks,
> > -Mont
> >
> > --
> > Fedora-directory-users mailing list
> > Fedora-directory-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From david_list at boreham.org Sat Apr 15 01:50:04 2006
From: david_list at boreham.org (David Boreham)
Date: Fri, 14 Apr 2006 19:50:04 -0600
Subject: [Fedora-directory-users] How interchangeable are ldap server?
In-Reply-To: <467a83630604141635w36efe297y9ca934f149a3aa08@mail.gmail.com>
References: <467a83630604141357q739a37a7t5e3e64743d616c5e@mail.gmail.com> <444011A3.2050702@broadcom.com> <467a83630604141635w36efe297y9ca934f149a3aa08@mail.gmail.com>
Message-ID: <4440514C.3050709@boreham.org>

Mont Rothstein wrote:
> Just to be clear, when you say "much custom code" do you mean none if
> I am careful, or a little? This can obviously be a big difference
> since even testing a small number of changes against all the LDAP
> servers we might have to talk to could be a large task.

It's a bit like the situation with RDBMS servers, but quite a bit better (because the on-the-wire protocol and a significant proportion of schema are standardized). The differences primarily are in things like how to create indices, extend schema (those are different for each server).
Many applications don't need to do those things, and they tend to 'just work' with all LDAP servers.

If you're serious about your product's quality I _would_ advise doing some testing with every LDAP server that you intend to claim support for.

Active Directory is often the most oddball. Many of the other LDAP servers share a common heritage and therefore the differences are less pronounced.

From mont.rothstein at gmail.com Sat Apr 15 02:38:00 2006
From: mont.rothstein at gmail.com (Mont Rothstein)
Date: Fri, 14 Apr 2006 19:38:00 -0700
Subject: [Fedora-directory-users] How interchangeable are ldap server?
In-Reply-To: <4440514C.3050709@boreham.org>
References: <467a83630604141357q739a37a7t5e3e64743d616c5e@mail.gmail.com> <444011A3.2050702@broadcom.com> <467a83630604141635w36efe297y9ca934f149a3aa08@mail.gmail.com> <4440514C.3050709@boreham.org>
Message-ID: <467a83630604141938l68eb4ecfre9c3ebdfa7d0af83@mail.gmail.com>

Thanks for the insight.

Unfortunately in a small company it doesn't always come down to how "serious" you are about quality, but the harsh reality of limited resources. We would of course choose to test every LDAP server out there (because our clients will surely have them all), but that will not be a reality in the near future.

We will be actively using and testing FDS and AD, so hopefully if we work with those two generically we won't get bit by one of the others.

-Mont

On 4/14/06, David Boreham wrote:
> Mont Rothstein wrote:
>
> > Just to be clear, when you say "much custom code" do you mean none if
> > I am careful, or a little? This can obviously be a big difference
> > since even testing a small number of changes against all the LDAP
> > servers we might have to talk to could be a large task.
>
> It's a bit like the situation with RDBMS servers, but quite a bit better
> (because the on-the-wire protocol and a significant proportion of schema
> are standardized).
> The differences primarily are in things like how to create indices, extend
> schema (those are different for each server). Many applications don't need
> to do those things, and they tend to 'just work' with all LDAP servers.
>
> If you're serious about your product's quality I _would_ advise doing some
> testing with every LDAP server that you intend to claim support for.
>
> Active Directory is often the most oddball. Many of the other LDAP
> servers share a common heritage and therefore the differences are
> less pronounced.
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From magobin at gmail.com Sat Apr 15 09:58:37 2006
From: magobin at gmail.com (Alex)
Date: Sat, 15 Apr 2006 11:58:37 +0200
Subject: [Fedora-directory-users] NSS_ldap....(was... SubjectAltName how does it work?)
Message-ID: <4440c3ca.0c52c721.309d.5d5f@mx.gmail.com>

Hi, following Susan's counsel I leave out my purpose about floating ip and I set up two ldap servers in the client's configuration. In this way everything works, but I have two questions:

1) After setup via authconfig of the ldap configuration in a fedora 5 client, I reboot the client, but on booting it seems that something doesn't work. I have to wait a long time; after this time X doesn't work and I remake the X configuration, but after that I successfully log in on the client and query the ldap servers. I found this in the logs:

Xfs: nss_ldap: reconnecting to ldap server (sleeping 4 seconds)...
-CUT-
Xfs: nss_ldap: reconnecting to ldap server (sleeping 40 seconds)...

And so on, repeating. After the X reconfiguration everything works; the problem is that every time I reboot the client I have to configure X :-(

2) When for a test I shut down nodo1, queries and authentication were made correctly from nodo2, but I saw that in this case it was slower than with nodo1. For every query I have to wait about 3 seconds, while with nodo1 it was instantaneous.
Thanks for help

Alex

From mikael.kermorgant at gmail.com Sat Apr 15 13:40:43 2006
From: mikael.kermorgant at gmail.com (Mikael Kermorgant)
Date: Sat, 15 Apr 2006 15:40:43 +0200
Subject: [Fedora-directory-users] user creation template : uid generation modification
Message-ID: <9711147e0604150640gbc34ee8kf00e1d58ce014366@mail.gmail.com>

Hello,

Is it possible to change the way the user creation template generates the uid? I'd like to have it lowercase and limited to a fixed number of characters.

Thanks in advance,

--
Mikael Kermorgant

From phil.lembo at gmail.com Sat Apr 15 17:18:21 2006
From: phil.lembo at gmail.com (Philip Lembo)
Date: Sat, 15 Apr 2006 13:18:21 -0400
Subject: [Fedora-directory-users] Fedora-directory-users] How interchangeable are ldap, server?
In-Reply-To: <20060415160009.9F3E573484@hormel.redhat.com>
References: <20060415160009.9F3E573484@hormel.redhat.com>
Message-ID: <44412ADD.2050402@gmail.com>

Very important point made about knowing the extended features of each directory product. For example, Active Directory sets a hard limit on the number of entries returned by a search. The way around this is to use the Paged Results control extension (good feature). Problem is that while this control is supported on AD and OpenLDAP it *is not* thus far supported by any of the Netscape derived directory products (i.e. Sun, Fedora/Red Hat). Another extension with uneven support is Server Side Sort (not my favorite feature). This is available on Sun/Fedora/Red Hat *but not* on Active Directory or OpenLDAP.

The foregoing brings up another point. Although programming to the LDAP protocol itself (apart from various vendor extensions) is pretty uniform, the configuration of each individual directory may not necessarily be. Maximum number of results returned, restrictions on access to the root dsn or schema dn can differ based on the administrator's preference.
So besides knowing the different directory products and what they can do, you should also invest some time in getting to know the admins for the directories you'll be querying and find out how they've been configured.

Phil Lembo

From gholbert at broadcom.com Mon Apr 17 04:09:55 2006
From: gholbert at broadcom.com (George Holbert)
Date: Sun, 16 Apr 2006 21:09:55 -0700
Subject: [Fedora-directory-users] NSS_ldap....(was... SubjectAltName how does it work?)
References: <4440c3ca.0c52c721.309d.5d5f@mx.gmail.com>
Message-ID: <001601c661d4$c9151180$1efdf00a@chunky>

> 2) When for a test I shut down nodo1, queries and authentication were made
> correctly from nodo2, but I saw that in this case it was slower than with
> nodo1. For every query I have to wait about 3 seconds, while with nodo1 it
> was instantaneous.

This is currently how PADL nss_ldap works. Whenever it needs to talk to an ldap server, it tries the server list in order. It doesn't maintain state about which servers in the list are down. If the first server in the list is up, you'll get the fastest response.

The bind timelimit specifies how long it will try binding to each server in the list. Setting this lower will give you better response time if the first server is down.

There are some comments in the notes for PADL's latest nss_ldap release about "more robust failover support". If you like, you could try the latest nss_ldap version instead of the RedHat/Fedora bundled version and see what's changed.

LDAP client support for server lists/failover varies a lot. Several client apps don't implement it at all. So depending on what apps you need to support, it often makes more sense to provide redundancy at the server (e.g., with a load balancer).

----- Original Message -----
From: "Alex"
To: "'General discussion list for the Fedora Directory server project.'"
Sent: Saturday, April 15, 2006 2:58 AM
Subject: [Fedora-directory-users] NSS_ldap....(was... SubjectAltName how does it work?)
> Hi, following Susan's counsel I leave out my purpose about floating ip
> and I set up two ldap servers in the client's configuration. In this way
> everything works, but I have two questions:
>
> 1) After setup via authconfig of the ldap configuration in a fedora 5
> client, I reboot the client, but on booting it seems that something
> doesn't work. I have to wait a long time; after this time X doesn't work
> and I remake the X configuration, but after that I successfully log in on
> the client and query the ldap servers. I found this in the logs:
>
> Xfs: nss_ldap: reconnecting to ldap server (sleeping 4 seconds)...
> -CUT-
> Xfs: nss_ldap: reconnecting to ldap server (sleeping 40 seconds)...
>
> And so on, repeating. After the X reconfiguration everything works; the
> problem is that every time I reboot the client I have to configure X :-(
>
> 2) When for a test I shut down nodo1, queries and authentication were made
> correctly from nodo2, but I saw that in this case it was slower than with
> nodo1. For every query I have to wait about 3 seconds, while with nodo1 it
> was instantaneous.
>
> Thanks for help
>
> Alex
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From rcritten at redhat.com Mon Apr 17 13:20:33 2006
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 17 Apr 2006 09:20:33 -0400
Subject: [Fedora-directory-users] Fedora-directory-users] How interchangeable are ldap, server?
In-Reply-To: <44412ADD.2050402@gmail.com>
References: <20060415160009.9F3E573484@hormel.redhat.com> <44412ADD.2050402@gmail.com>
Message-ID: <44439621.8080608@redhat.com>

Philip Lembo wrote:
> Very important point made about knowing the extended features of each
> directory product. For example, Active Directory sets a hard limit on
> the number of entries returned by a search. The way around this is to
> use the Paged Results control extension (good feature).
> Problem is that while this control is supported on AD and OpenLDAP it
> *is not* thus far supported by any of the Netscape derived directory
> products (i.e. Sun, Fedora/Red Hat). Another extension with uneven
> support is Server Side Sort (not my favorite feature). This is available
> on Sun/Fedora/Red Hat *but not* on Active Directory or OpenLDAP.

You can limit the size of searches (and a few other things). I'm not a FDS developer but I remember this in the Netscape days so unless Sun has removed it, it applies to the Sun/Fedora/Red Hat servers. The documentation shows how to do it per-user.

http://www.redhat.com/docs/manuals/dir-server/ag/7.1/password.html#1085603

In a quick search of the docs I didn't see how to do it on a global basis but in the console you can do this from Configuration->Performance.

rob

> The foregoing brings up another point. Although programming to the LDAP
> protocol itself (apart from various vendor extensions) is pretty uniform
> the configuration of each individual directory may not necessarily be.
> Maximum number of results returned, restrictions on access to the root
> dsn or schema dn can differ based on the administrator's preference. So
> besides knowing the different directory products and what they can do,
> you should also invest some time in getting to know the admins for the
> directories you'll be querying and find out how they've been configured.
>
> Phil Lembo
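Because support for these controls differs by product, as Phil and Rob describe, a client should read supportedControl from the root DSE before relying on one and plan a fallback otherwise. The following is an added example, not code from the thread, from Fedora DS or from Active Directory: it makes that decision over constructed root DSE lists, encodes and decodes the Simple Paged Results control value from RFC 2696 (OID 1.2.840.113556.1.4.319; Server Side Sort is RFC 2891, OID 1.2.840.113556.1.4.473), and walks a toy in-memory result set page by page so the cookie exchange between client and server is visible. No directory is contacted, and the toy server's cookie layout is its own choice; a real server's cookie is opaque.

```python
"""Check root DSE supportedControl before using a vendor control, and carry
the RFC 2696 Simple Paged Results control value through a page-by-page walk.

Added example: the root DSE lists are constructed, the "server" is an
in-memory list, and the cookie format is this toy server's own choice.
"""

PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"      # RFC 2696
SERVER_SIDE_SORT_OID = "1.2.840.113556.1.4.473"   # RFC 2891

# Constructed supportedControl lists mirroring what Phil reports for the
# servers of the time; always read the live root DSE instead of trusting these.
ROOTDSE_AD_LIKE = [PAGED_RESULTS_OID]
ROOTDSE_NETSCAPE_LIKE = [SERVER_SIDE_SORT_OID]


def plan_search(supported_controls):
    """Decide how to fetch a large result set from what the server advertises."""
    supported = set(supported_controls)
    paged = PAGED_RESULTS_OID in supported
    return {
        "paged": paged,
        "server_sort": SERVER_SIDE_SORT_OID in supported,
        # Without paging, what remains is the server's size limit (ask the
        # admin what it is) plus narrower filters or base DNs.
        "fallback": None if paged else "sizelimit-and-narrower-searches",
    }


def _ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body


def encode_paged_value(size, cookie=b""):
    """realSearchControlValue ::= SEQUENCE { size INTEGER, cookie OCTET STRING }"""
    if size < 0:
        raise ValueError("size must be non-negative")
    size_bytes = size.to_bytes((size.bit_length() + 8) // 8, "big")  # sign bit clear
    return _tlv(0x30, _tlv(0x02, size_bytes) + _tlv(0x04, cookie))


def _read_tlv(data, pos, tag):
    if pos + 1 >= len(data) or data[pos] != tag:
        raise ValueError("unexpected tag or truncated element")
    first = data[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(data):
            raise ValueError("bad length encoding")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    else:
        length = first
    body = data[pos:pos + length]
    if len(body) != length:
        raise ValueError("truncated value")
    return body, pos + length


def decode_paged_value(data):
    """Inverse of encode_paged_value; rejects trailing bytes and negative sizes."""
    seq, end = _read_tlv(data, 0, 0x30)
    if end != len(data):
        raise ValueError("trailing bytes")
    size_bytes, p = _read_tlv(seq, 0, 0x02)
    cookie, p = _read_tlv(seq, p, 0x04)
    if p != len(seq):
        raise ValueError("trailing bytes in sequence")
    size = int.from_bytes(size_bytes, "big", signed=True)
    if size < 0:
        raise ValueError("negative size")
    return size, cookie


def serve_page(entries, request_value):
    """Toy server: one page plus the response control, whose cookie is empty
    once the last page has gone out (RFC 2696 section 3)."""
    size, cookie = decode_paged_value(request_value)
    offset = int.from_bytes(cookie, "big") if cookie else 0
    page = entries[offset:offset + size]
    nxt = offset + len(page)
    next_cookie = nxt.to_bytes(4, "big") if nxt < len(entries) else b""
    return page, encode_paged_value(0, next_cookie)


def fetch_all_paged(entries, page_size):
    """Client loop: resend the server's cookie until it comes back empty."""
    got, cookie, round_trips = [], b"", 0
    while True:
        page, response = serve_page(entries, encode_paged_value(page_size, cookie))
        got.extend(page)
        round_trips += 1
        _, cookie = decode_paged_value(response)
        if not cookie:
            return got, round_trips
```

With a 1037-entry set and a page size of 500, `fetch_all_paged` takes three round trips and returns every entry; against a server whose root DSE lacks the OID, `plan_search` reports the fallback instead, which is the check to make before a client assumes it can page.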
From david_list at boreham.org Mon Apr 17 13:55:11 2006
From: david_list at boreham.org (David Boreham)
Date: Mon, 17 Apr 2006 07:55:11 -0600
Subject: [Fedora-directory-users] Fedora-directory-users] How interhangeable are ldap, server?
In-Reply-To: <44412ADD.2050402@gmail.com>
References: <20060415160009.9F3E573484@hormel.redhat.com> <44412ADD.2050402@gmail.com>
Message-ID: <44439E3F.3020401@boreham.org>

Philip Lembo wrote:
> Very important point made about knowing the extended features of each
> directory product. For example, Active Directory sets a hard limit on
> the number of entries returned by a search. The way around this is to
> use the Paged Results control extension (good feature). Problem is
> that while this control is supported on AD and OpenLDAP it *is not*
> thus far supported by any of the Netscape derived directory products

BTW, another way to look at this is that AD is broken in that it can't return all the results for a search to the client, and hence has to have the paged results control mis-feature. Netscape (and all UMich-derived products) aren't broken in this respect and hence do not need the paged results control. ;)

From rmeggins at redhat.com Mon Apr 17 13:57:53 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 17 Apr 2006 07:57:53 -0600
Subject: [Fedora-directory-users] user creation template : uid generation modification
In-Reply-To: <9711147e0604150640gbc34ee8kf00e1d58ce014366@mail.gmail.com>
References: <9711147e0604150640gbc34ee8kf00e1d58ce014366@mail.gmail.com>
Message-ID: <44439EE1.4080603@redhat.com>

Mikael Kermorgant wrote:
> Hello,
>
> Is it possible to change the way the user creation template generates
> the uid ?

Only by hacking the console Java code and building it yourself.

> I'd like to have it lowercase and limited to a fixed number of characters.
Please file a bug/enhancement request for Fedora DS at bugzilla.redhat.com. Thanks!

> Thanks in advance,
>
> --
> Mikael Kermorgant

From mont.rothstein at gmail.com Mon Apr 17 15:50:26 2006
From: mont.rothstein at gmail.com (Mont Rothstein)
Date: Mon, 17 Apr 2006 08:50:26 -0700
Subject: [Fedora-directory-users] Fedora-directory-users] How interhangeable are ldap, server?
In-Reply-To: <44412ADD.2050402@gmail.com>
References: <20060415160009.9F3E573484@hormel.redhat.com> <44412ADD.2050402@gmail.com>
Message-ID: <467a83630604170850l3ea0ef4fy14e7b29bb3a465b1@mail.gmail.com>

Does anyone know of a list documenting differences/incompatibilities between directory servers?

I realize that some of this knowledge is only going to come with experience, testing, and communication with our clients' IT people, but we need to do everything we can to play seamlessly with various directory servers. Our needs may or may not allow us to stick to a 100% generic model, but if we can we have to try to.

Thanks,
-Mont

On 4/15/06, Philip Lembo wrote:
> Very important point made about knowing the extended features of each
> directory product. For example, Active Directory sets a hard limit on
> the number of entries returned by a search. The way around this is to
> use the Paged Results control extension (good feature). Problem is that
> while this control is supported on AD and OpenLDAP it *is not* thus far
> supported by any of the Netscape derived directory products (i.e. Sun,
> Fedora/Red Hat). Another extension with uneven support is Server Side
> Sort (not my favorite feature).
> This is available on Sun/Fedora/Red Hat *but not* on Active Directory
> or OpenLDAP.
>
> The foregoing brings up another point. Although programming to the LDAP
> protocol itself (apart from various vendor extensions) is pretty uniform
> the configuration of each individual directory may not necessarily be.
> Maximum number of results returned, restrictions on access to the root
> dsn or schema dn can differ based on the administrator's preference. So
> besides knowing the different directory products and what they can do,
> you should also invest some time in getting to know the admins for the
> directories you'll be querying and find out how they've been configured.
>
> Phil Lembo

From rmeggins at redhat.com Mon Apr 17 22:10:04 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 17 Apr 2006 16:10:04 -0600
Subject: [Fedora-directory-users] Admin password stored in plain text
In-Reply-To: <443CC961.1080607@zaniyah.org>
References: <443CC961.1080607@zaniyah.org>
Message-ID: <4444123C.90207@redhat.com>

womble wrote:
> I installed Fedora-DS recently and I've been fairly pleased with it.
> There is just one thing that I've noticed that I really dislike - the
> password for the admin user that is created during setup is stored in
> plain text in /opt/fedora-ds/admin-serv/config/adm.conf.
>
> A friend who uses Sun's DS has the same issue, but says it doesn't
> bother him because "it's not entirely obvious that it's a password",
> which I think is rather lame.
>
> Is it likely that this will get changed in the near future so that it
> is for example stored in an encrypted format?

The problem is that for the moment, the admin server needs the clear text password in order to bind to the directory server.
We have filed this bug about the problem - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=161099

> Jess

From dennis at demarco.com Mon Apr 17 21:47:34 2006
From: dennis at demarco.com (dennis at demarco.com)
Date: Mon, 17 Apr 2006 17:47:34 -0400 (EDT)
Subject: [Fedora-directory-users] Exporting MD5 Hash from FD-DS into /etc/shadow
Message-ID:

I would like to export the MD5 hash from the Fedora directory user's password attribute into /etc/shadow of a Linux machine not in LDAP (Redhat).

It appears this isn't working, is there a way for me to do this? Not all machines are using ldap but I would like to export from ldap.

Thanks,
Dennis

From hariharan at lantana.cs.iitm.ernet.in Tue Apr 18 07:23:43 2006
From: hariharan at lantana.cs.iitm.ernet.in (Hariharan R)
Date: Tue, 18 Apr 2006 12:53:43 +0530 (IST)
Subject: [Fedora-directory-users] Fedora Directory Server 7.1 with CentOS 4.2
Message-ID:

Hi,
I am trying to install Fedora DS 7.1 on CentOS4.2.
At the end of the installation, the Admin server is not able to run.

After starting the console I tried to login using admin ID but I am getting error like "URL not found or server not running"

Anyone pls advise me.

---
Thanks.
Hariharan.R

From jsummers at bachman.cs.ou.edu Tue Apr 18 12:39:28 2006
From: jsummers at bachman.cs.ou.edu (Jim Summers)
Date: Tue, 18 Apr 2006 07:39:28 -0500
Subject: [Fedora-directory-users] Fedora Directory Server 7.1 with CentOS 4.2
In-Reply-To:
References:
Message-ID: <4444DE00.7080600@cs.ou.edu>

Hariharan R wrote:
> Hi,
> I am trying to install Fedora DS 7.1 on CentOS4.2.
> At the end of the installation, the Admin server is not able to run.
> After starting the console I tried to login using admin ID but I am
> getting error like "URL not found or server not running"

When I first started with FDS I hit this also. It seemed like the suggestion that worked for me was to have all of the servers (dir and admin) run as the same user.

HTH

> Anyone pls advise me.
>
> ---
> Thanks.
> Hariharan.R

--
Jim Summers
School of Computer Science-University of Oklahoma
-------------------------------------------------

From mj at sci.fi Tue Apr 18 17:14:31 2006
From: mj at sci.fi (Mike Jackson)
Date: Tue, 18 Apr 2006 20:14:31 +0300
Subject: [Fedora-directory-users] Exporting MD5 Hash from FD-DS into /etc/shadow
In-Reply-To:
References:
Message-ID: <44451E77.9060103@sci.fi>

dennis at demarco.com wrote:
> I would like to export the MD5 hash from the Fedora directory user's
> password attribute into /etc/shadow of a Linux machine not in LDAP
> (Redhat).
>
> It appears this isn't working, is there a way for me to do this? Not all
> machines are using ldap but I would like to export from ldap.

Hi,
I haven't tried this, but here's an idea just off the top of my head which _might_ work:

1. take away the {MD5} from the string
2. base64 decode the rest of the string
3. convert the string to hex
4. put the $1$ at the front of the hex string
5. put the whole string into the password field in /etc/shadow and test

If that works, you could write a perl script to automate the procedure.
And report back to the list as well :-)

BR,
--
mike

From DDeMarco at seisint.com Tue Apr 18 17:36:48 2006
From: DDeMarco at seisint.com (DeMarco, Dennis)
Date: Tue, 18 Apr 2006 13:36:48 -0400
Subject: [Fedora-directory-users] Exporting MD5 Hash from FD-DS into /etc/shadow
Message-ID: <6787F2E069C33C4982195219A7DF54D76EA5AF@seisintmx02.seisint.inc>

I'll give this a try, but looking at /etc/shadow right now, it does not look like HEX characters after the $1$.

Does anyone know if this is a standard algorithm? Or if /etc/pam can use SHA or another encryption I can easily export out of the directory server? So far my searches seem to show only MD5 or crypt is what is normal for Redhat.

> dennis demarco com wrote:
> I would like to export the MD5 hash from the Fedora directory user's password attribute into /etc/shadow of a Linux machine not in LDAP (Redhat).
> It appears this isn't working, is there a way for me to do this? Not all machines are using
> ldap but I would like to export from ldap.
>
> Hi,
> I haven't tried this, but here's an idea just off the top of my head which _might_ work:
> 1. take away the {MD5} from the string
> 2. base64 decode the rest of the string
> 3. convert the string to hex
> 4. put the $1$ at the front of the hex string
> 5. put the whole string into the password field in /etc/shadow and test
> If that works, you could write a perl script to automate the procedure. And report back to
> the list as well :-) BR, -- mike

From john at jlgodfrey.myrf.net Tue Apr 18 17:49:29 2006
From: john at jlgodfrey.myrf.net (John F. Godfrey, Pastor)
Date: Tue, 18 Apr 2006 11:49:29 -0600
Subject: [Fedora-directory-users] evolutionperson.schema
Message-ID: <1145382569.27669.2.camel@church.spirit.org>

I've got 2 requests:

1. Anyone written a sysvinit script that works at starting slapd early enough that it can be used for ldap authentication? I'm running FC5, and FDS 1.0.2.

2. Anyone converted evolutionperson.schema to ldif format?

Thanks a bunch!

john
--
John F. Godfrey, Pastor
Valley Christian Center, Hazelton, Idaho USA
"Jesus said to him, 'I am the Way, the Truth, and the Life; no one comes to the Father, except through Me'" (John 14:6).

From DDeMarco at seisint.com Tue Apr 18 20:15:27 2006
From: DDeMarco at seisint.com (DeMarco, Dennis)
Date: Tue, 18 Apr 2006 16:15:27 -0400
Subject: [Fedora-directory-users] Idle timeout recommendation
Message-ID: <6787F2E069C33C4982195219A7DF54D76EA5B2@seisintmx02.seisint.inc>

Under the performance tab, there is an idle timeout. Does anyone have any recommendations on this? I am not sure keeping it at 0 is good practice. You wouldn't want to keep idle connections open and run out of file descriptors, correct? Would 30 seconds seem reasonable?

Idle timeout. The time (in seconds) the server maintains an idle connection before terminating the connection. A value of 0 indicates no limit.

Thanks,
Dennis
From rmeggins at redhat.com Tue Apr 18 20:21:14 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 18 Apr 2006 14:21:14 -0600
Subject: [Fedora-directory-users] Idle timeout recommendation
In-Reply-To: <6787F2E069C33C4982195219A7DF54D76EA5B2@seisintmx02.seisint.inc>
References: <6787F2E069C33C4982195219A7DF54D76EA5B2@seisintmx02.seisint.inc>
Message-ID: <44454A3A.9030609@redhat.com>

DeMarco, Dennis wrote:
> Under the performance tab, there is an idle timeout. Does anyone have
> any recommendations on this? I am not sure keeping it at 0 is good
> practice. You wouldn't want to keep idle connections open and run out
> of file descriptors, correct? Would 30 seconds seem reasonable?

It depends on your network. Are all of your clients going to be accessing the directory server via fast (100MB or 1GB) network connections? If so, then you could probably drop the idle timeout down to a few seconds (or lower). But if you have older networks or WAN/Dialup connections, you may have to make it longer.

> Idle timeout. The time (in seconds) the server maintains an idle
> connection before terminating the connection. A value of 0 indicates
> no limit.
>
> Thanks,
>
> Dennis
From rcritten at redhat.com Wed Apr 19 12:50:18 2006
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 19 Apr 2006 08:50:18 -0400
Subject: [Fedora-directory-users] Fedora Directory Server 7.1 with CentOS 4.2
In-Reply-To: <4444DE00.7080600@cs.ou.edu>
References: <4444DE00.7080600@cs.ou.edu>
Message-ID: <4446320A.90903@redhat.com>

Jim Summers wrote:
> Hariharan R wrote:
>
>> Hi,
>> I am trying to install Fedora DS 7.1 on CentOS4.2.
>> At the end of the installation, the Admin server is not able to run.
>> After starting the console I tried to login using admin ID but I am
>> getting error like "URL not found or server not running"
>
> When I first started with FDS I hit this also. It seemed like the
> suggestion that worked for me was to have all of the servers (dir and
> admin) run as the same user.

Well, without any error messages there is no way to know what isn't working. Hariharan, can you paste the end of /opt/fedora-ds/admin-serv/logs/error?

rob

From hariharan at lantana.cs.iitm.ernet.in Wed Apr 19 12:10:06 2006
From: hariharan at lantana.cs.iitm.ernet.in (Hariharan R)
Date: Wed, 19 Apr 2006 17:40:06 +0530 (IST)
Subject: [Fedora-directory-users] Fedora Directory Server 7.1 with CentOS 4.2
Message-ID:

Thanks for your reply.

As Jim Summers said, I am running all the server instances as the same user (root). But still I am not able to run my admin server. When I try to run it, it shows the following

"server is ready to accept requests at 1800"

and suddenly the process gets detached. There is no process listening on port 1800.
I looked into the "/opt/fedora-ds/start-admin" script. There they are running the following command

"./uxwdog -d /opt/fedora-ds/admin-serv/config/ $@"

I think this is the place the process gets stuck.

My admin-server/log/error file has the following

[19/Apr/2006:17:09:59] info ( 9431): successful server startup
[19/Apr/2006:17:09:59] info ( 9431): Netscape-Enterprise/6.2 B04/18/2005 13:49
[19/Apr/2006:17:09:59] info ( 9431): Access Host filter is: *.cs.iitm.ernet.in
[19/Apr/2006:17:09:59] info ( 9431): Access Address filter is: *
[19/Apr/2006:17:09:59] info ( 9432): Installing a new configuration
[19/Apr/2006:17:09:59] info ( 9432): [LS ls1] http://lilac.cs.iitm.ernet.in, port 1800 ready to accept requests
[19/Apr/2006:17:09:59] info ( 9432): A new configuration was successfully installed

Can anyone pls guide me.

---
Regards,
Hariharan.R

Hariharan R wrote:
> Hi,
> I am trying to install Fedora DS 7.1 on CentOS4.2.
> At the end of the installation, the Admin server is not able to run.
>
> After starting the console I tried to login using admin ID but I am
> getting error like "URL not found or server not running"
>
> When I first started with FDS I hit this also. It seemed like the
> suggestion that worked for me was to have all of the servers (dir and
> admin) run as the same user.

From rcritten at redhat.com Wed Apr 19 13:34:14 2006
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 19 Apr 2006 09:34:14 -0400
Subject: [Fedora-directory-users] Fedora Directory Server 7.1 with CentOS 4.2
In-Reply-To:
References:
Message-ID: <44463C56.5020201@redhat.com>

Hariharan R wrote:
> Thanks for your reply.
>
> As Jim Summers said, I am running all the server instances as the same
> user (root). But still I am not able to run my admin server. When I try to
> run it, it shows the following
>
> "server is ready to accept requests at 1800" and suddenly the process gets
> detached. There is no process listening on port 1800.
> I looked into the "/opt/fedora-ds/start-admin" script. There they are
> running the following command
>
> "./uxwdog -d /opt/fedora-ds/admin-serv/config/ $@"
>
> I think this is the place the process gets stuck.
>
> My admin-server/log/error file has the following
>
> [19/Apr/2006:17:09:59] info ( 9431): successful server startup
> [19/Apr/2006:17:09:59] info ( 9431): Netscape-Enterprise/6.2 B04/18/2005 13:49
> [19/Apr/2006:17:09:59] info ( 9431): Access Host filter is: *.cs.iitm.ernet.in
> [19/Apr/2006:17:09:59] info ( 9431): Access Address filter is: *
> [19/Apr/2006:17:09:59] info ( 9432): Installing a new configuration
> [19/Apr/2006:17:09:59] info ( 9432): [LS ls1] http://lilac.cs.iitm.ernet.in, port 1800 ready to accept requests
> [19/Apr/2006:17:09:59] info ( 9432): A new configuration was successfully installed
>
> Can anyone pls guide me.

http://directory.fedora.redhat.com/wiki/FAQ#Admin_Server_fails_to_start_on_MP_Linux_kernel_or_on_x86_64

Is there a reason you aren't using FDS 1.0.2?

rob

> Hariharan R wrote:
>
> Hi,
> I am trying to install Fedora DS 7.1 on CentOS4.2.
> At the end of the installation, the Admin server is not able to run.
>
> After starting the console I tried to login using admin ID but I am
> getting error like "URL not found or server not running"
>
> When I first started with FDS I hit this also. It seemed like the
> suggestion that worked for me was to have all of the servers (dir and
> admin) run as the same user.
From jo.de.troy at gmail.com Wed Apr 19 14:26:04 2006
From: jo.de.troy at gmail.com (Jo De Troy)
Date: Wed, 19 Apr 2006 16:26:04 +0200
Subject: [Fedora-directory-users] upperlimit on uidNumber
Message-ID:

Hello,

I was wondering if there is an upper limit on the uid or the gidNumber in fds.
Or is there a limit on OS level? Does anyone know what it is? Is this different between the RedHat releases?
Is it different from other Unixes?

Thanks in advance,
Jo

From mj at sci.fi Wed Apr 19 16:18:48 2006
From: mj at sci.fi (mj at sci.fi)
Date: Wed, 19 Apr 2006 19:18:48 +0300 (EEST)
Subject: [Fedora-directory-users] upperlimit on uidNumber
Message-ID: <8667415.832591145463528950.JavaMail.mj@sci.fi>

> I was wondering if there is an upper limit on the uid or the gidNumber in
> fds.
> Or is there a limit on OS level? Does anyone know what it is? Is this
> different between the RedHat releases?
> Is it different from other Unixes?

I have personally loaded 10 million user accounts into FDS as a performance test (on a measly 2.4Ghz P4 machine with 512MB of RAM), and it worked just fine; not sure how many it could theoretically hold.

The linux kernel has officially had support for 32-bit uidnumbers since kernel v2.4, so the maximum user id number is 4294967295, or approximately 4.3 billion. This is the same on any distribution using kernel 2.4 or newer. I am not sure about UNIX...
--
mike

From gholbert at broadcom.com Wed Apr 19 17:27:47 2006
From: gholbert at broadcom.com (George Holbert)
Date: Wed, 19 Apr 2006 10:27:47 -0700
Subject: [Fedora-directory-users] upperlimit on uidNumber
In-Reply-To: <8667415.832591145463528950.JavaMail.mj@sci.fi>
References: <8667415.832591145463528950.JavaMail.mj@sci.fi>
Message-ID: <44467313.3030400@broadcom.com>

http://kbase.redhat.com/faq/FAQ_80_6231.shtm

I think Solaris also supports 32-bit uids, not sure about other OSes.

mj at sci.fi wrote:
>> I was wondering if there is an upper limit on the uid or the
>> gidNumber in fds.
>> Or is there a limit on OS level? Does anyone know what it is? Is this
>> different between the RedHat releases?
>> Is it different from other Unixes?
>
> I have personally loaded 10 million user accounts into FDS as a
> performance test (on a measly 2.4Ghz P4 machine with 512MB of RAM),
> and it worked just fine; not sure how many it could theoretically hold.
>
> The linux kernel has officially had support for 32-bit uidnumbers
> since kernel v2.4, so the maximum user id number is 4294967295, or
> approximately 4.3 billion. This is the same on any distribution using
> kernel 2.4 or newer. I am not sure about UNIX...
>
> --
> mike

From mj at sci.fi Wed Apr 19 17:39:47 2006
From: mj at sci.fi (mj at sci.fi)
Date: Wed, 19 Apr 2006 20:39:47 +0300 (EEST)
Subject: [Fedora-directory-users] upperlimit on uidNumber
Message-ID: <18907384.865211145468387700.JavaMail.mj@sci.fi>

> http://kbase.redhat.com/faq/FAQ_80_6231.shtm

Aha, they are stored as signed integers, so the actual number is in the 2 billion range... For some reason, I just assumed that they would be unsigned integers.

Thanks for the pointer!
--
mike

From gholbert at broadcom.com Wed Apr 19 17:41:22 2006
From: gholbert at broadcom.com (George Holbert)
Date: Wed, 19 Apr 2006 10:41:22 -0700
Subject: [Fedora-directory-users] upperlimit on uidNumber
In-Reply-To: <18907384.865211145468387700.JavaMail.mj@sci.fi>
References: <18907384.865211145468387700.JavaMail.mj@sci.fi>
Message-ID: <44467642.5080406@broadcom.com>

> For some reason, I just assumed that they would be unsigned integers.

That would make more sense to me too... since uid numbers can't be negative (as far as I know)? oh well :)

mj at sci.fi wrote:
>> http://kbase.redhat.com/faq/FAQ_80_6231.shtm
>
> Aha, they are stored as signed integers, so the actual number is in
> the 2 billion range... For some reason, I just assumed that they would
> be unsigned integers.
>
> Thanks for the pointer!
>
> --
> mike

From hyc at symas.com Wed Apr 19 20:04:36 2006
From: hyc at symas.com (Howard Chu)
Date: Wed, 19 Apr 2006 13:04:36 -0700
Subject: [Fedora-directory-users] Exporting MD5 Hash from FD-DS into /etc/shadow
In-Reply-To: <20060419160007.A420D7362D@hormel.redhat.com>
References: <20060419160007.A420D7362D@hormel.redhat.com>
Message-ID: <444697D4.1030509@symas.com>

fedora-directory-users-request at redhat.com wrote:
> Date: Tue, 18 Apr 2006 20:14:31 +0300
> From: Mike Jackson
>
> dennis at demarco.com wrote:
>
>> I would like to export the MD5 hash from the Fedora directory user's
>> password attribute into /etc/shadow of a Linux machine not in LDAP
>> (Redhat).
>>
>> It appears this isn't working, is there a way for me to do this? Not all
>> machines are using ldap but I would like to export from ldap.
>
> Hi,
> I haven't tried this, but here's an idea just off the top of my head
> which _might_ work:
>
> 1. take away the {MD5} from the string
> 2. base64 decode the rest of the string
> 3. convert the string to hex
> 4. put the $1$ at the front of the hex string
> 5. put the whole string into the password field in /etc/shadow and test
>
> If that works, you could write a perl script to automate the procedure.
> And report back to the list as well :-)

No, the password field is not in hex, it uses the same 6-bit encoding that DES crypt() uses, which is different from base64. base64 uses the characters [A-Z][a-z][0-9]+/ while crypt uses the characters ./[0-9][A-Z][a-z] (in those exact orders).

--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/

From DDeMarco at seisint.com Wed Apr 19 20:12:15 2006
From: DDeMarco at seisint.com (DeMarco, Dennis)
Date: Wed, 19 Apr 2006 16:12:15 -0400
Subject: [Fedora-directory-users] Exporting MD5 Hash from FD-DS into/etc/shadow
Message-ID: <6787F2E069C33C4982195219A7DF54D76EA5BC@seisintmx02.seisint.inc>

I had some time to play with this. I do not believe it can be done easily unless another password storage mechanism is made as a plug-in.

The GNU-MD5 password format for /etc/shadow I believe is:

$1$, followed by an 8 character salt, $, 22 character hash.

Seems like something that could be very useful though. I have some servers which are considered super 'production' and are not in LDAP, but I'd like to export users from LDAP to make /etc/passwd/shadows.
- Dennis

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Howard Chu
Sent: Wednesday, April 19, 2006 4:05 PM
To: fedora-directory-users at redhat.com
Subject: Re: [Fedora-directory-users] Exporting MD5 Hash from FD-DS into/etc/shadow

fedora-directory-users-request at redhat.com wrote:
> Date: Tue, 18 Apr 2006 20:14:31 +0300
> From: Mike Jackson
>
> dennis at demarco.com wrote:
>
>> I would like to export the MD5 hash from the Fedora directory user's
>> password attribute into /etc/shadow of a Linux machine not in LDAP
>> (Redhat).
>>
>> It appears this isn't working, is there a way for me to do this? Not all
>> machines are using ldap but I would like to export from ldap.
>
> Hi,
> I haven't tried this, but here's an idea just off the top of my head
> which _might_ work:
>
> 1. take away the {MD5} from the string
> 2. base64 decode the rest of the string
> 3. convert the string to hex
> 4. put the $1$ at the front of the hex string
> 5. put the whole string into the password field in /etc/shadow and test
>
> If that works, you could write a perl script to automate the procedure.
> And report back to the list as well :-)

No, the password field is not in hex, it uses the same 6-bit encoding that DES crypt() uses, which is different from base64. base64 uses the characters [A-Z][a-z][0-9]+/ while crypt uses the characters ./[0-9][A-Z][a-z] (in those exact orders).

--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
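To make Howard's point concrete, and to check the layout Dennis gives ($1$, salt, $, 22 characters), here is an added example in Python; it is not code from the thread, from Fedora DS or from glibc, and it also covers Mike's five-step recipe earlier in the thread. It reimplements md5-crypt (the $1$ scheme that glibc crypt() produces) from the published algorithm, checked against the known-answer vector from glibc's crypt test suite, parses FDS userPassword values, and shows why a {MD5} value (base64 of a single unsalted MD5 of the password) cannot be rewritten into the salted, 1000-round $1$ form while a {crypt} value can be copied into /etc/shadow unchanged. All other sample values are constructed for the example.

```python
"""FDS userPassword schemes versus the /etc/shadow $1$ (md5-crypt) field.

Added example.  md5_crypt() is a pure-Python rendition of the published
md5-crypt algorithm (FreeBSD/glibc crypt()); the known-answer vector comes
from glibc's crypt test suite.  All other sample values are constructed.
"""
import base64
import hashlib
import re

# The two alphabets Howard contrasts (each in its exact order).
B64_ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
CRYPT_ALPHABET = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# $1$ + up to 8 salt chars + $ + 22 hash chars, all from the crypt alphabet.
MD5_CRYPT_RE = re.compile(r"^\$1\$([./0-9A-Za-z]{1,8})\$([./0-9A-Za-z]{22})$")


def parse_userpassword(value):
    """Split '{scheme}payload' into (scheme, payload); no prefix means cleartext."""
    m = re.match(r"^\{([^}]+)\}(.*)$", value, re.S)
    return (m.group(1).lower(), m.group(2)) if m else ("cleartext", value)


def fds_md5_value(password):
    """How an FDS {MD5} value is built: base64 of one unsalted MD5 digest."""
    return "{MD5}" + base64.b64encode(hashlib.md5(password.encode()).digest()).decode()


def _to64(v, n):
    out = bytearray()
    for _ in range(n):
        out.append(CRYPT_ALPHABET[v & 0x3F])
        v >>= 6
    return bytes(out)


def md5_crypt(password, salt):
    """md5-crypt: salted, 1000 iterations, crypt-alphabet output."""
    pw = password.encode() if isinstance(password, str) else password
    s = salt.encode() if isinstance(salt, str) else salt
    if s.startswith(b"$1$"):
        s = s[3:]
    s = s.split(b"$", 1)[0][:8]
    ctx = hashlib.md5(pw + b"$1$" + s)
    alt = hashlib.md5(pw + s + pw).digest()
    n = len(pw)
    while n > 0:                      # as many bytes of alt as the password is long
        ctx.update(alt[:min(16, n)])
        n -= 16
    n = len(pw)
    while n:                          # the "something really weird" step
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):             # each round feeds the password back in
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(s)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    order = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = b"".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in order)
    enc += _to64(final[11], 2)
    return (b"$1$" + s + b"$" + enc).decode()


def shadow_field_for(value):
    """/etc/shadow password field for an FDS userPassword value, or None."""
    scheme, payload = parse_userpassword(value)
    if scheme == "crypt":
        return payload                # already crypt(3) output: copy verbatim
    if scheme == "md5":
        base64.b64decode(payload)     # well-formed, but every md5-crypt round
        return None                   # needs the password itself, not its digest
    return None


def verify_md5_crypt(field, password):
    """Check a password against a $1$ field, e.g. to audit an exported entry."""
    m = MD5_CRYPT_RE.match(field)
    return bool(m) and md5_crypt(password, m.group(1)) == field


# Constructed sample values (the {crypt} one is produced by md5_crypt above).
SAMPLE_CRYPT_VALUE = "{crypt}" + md5_crypt("correct horse", "saltsalt")
SAMPLE_MD5_VALUE = fds_md5_value("correct horse")
```

`shadow_field_for` returns the {crypt} payload untouched and None for {MD5}, which is the practical answer to the export question: only entries stored with the {crypt} scheme (or re-hashed from the cleartext at enrolment time) can be carried over to hosts that are not LDAP clients.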
From jrussler at helix.nih.gov Wed Apr 19 20:14:43 2006
From: jrussler at helix.nih.gov (Jason Russler)
Date: Wed, 19 Apr 2006 16:14:43 -0400
Subject: [Fedora-directory-users] SSL directory server gateway
Message-ID: <44469A33.6060903@helix.nih.gov>

Hi all,

I'm pretty uncertain about the best way to go about configuring the admin server to use SSL (FDS1.0.2). All of the docs I'm finding are pretty shaky. Ultimately, I want users to manage their passwords and info via the web-based Directory Server Gateway over SSL. This would appear to be the same thing as enabling SSL for the admin server.

The setupssl.sh script provided by the SSL howto generates the keys/certs for the admin server and imports them into the appropriate cert db (I guess; I've performed the process by hand as well, based on RedHat's docs and the script itself). This would imply to me that the admin console would find the generated certs and present them in the admin server's console (under the Configuration -> Encryption tab) in much the same way that it does in the directory server's console.

I can't tell if something that's supposed to work isn't, or if I'm misunderstanding something. I'd like to know before I try to generate new SSL certificates and import them.

Thanks much,
Jason

From oscar.valdez at duraflex-politex.com Wed Apr 19 23:55:02 2006
From: oscar.valdez at duraflex-politex.com (Oscar A. Valdez)
Date: Wed, 19 Apr 2006 17:55:02 -0600
Subject: [Fedora-directory-users] Exporting MD5 Hash from FD-DS into/etc/shadow
In-Reply-To: <6787F2E069C33C4982195219A7DF54D76EA5BC@seisintmx02.seisint.inc>
References: <6787F2E069C33C4982195219A7DF54D76EA5BC@seisintmx02.seisint.inc>
Message-ID: <1145490902.2165.64.camel@wzowski.duraflex-politex.com>

On Wed, 19-04-2006 at 16:12 -0400, DeMarco, Dennis wrote:
> I had some time to play with this. I do not believe it can be done
> easily unless another password storage mechanism is made as a plug-in.
>
> The GNU-MD5 password format for /etc/shadow I believe is:
>
> $1$, followed by an 8 character salt, $, 22 character hash.

I upload my users into the FDS via ldif files with content like the following:

dn: uid=oswaldof,ou=People,dc=duraflex,dc=com,dc=sv
changetype: add
uid: oswaldof
cn: Oswaldo Flores
givenName: Oswaldo
sn: Flores
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: account
objectClass: shadowAccount
userPassword: {crypt}$1$PTSfaHrm$lo4r6RXB9rBB15SPX1e.O1
shadowLastChange: 13246
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 589
gidNumber: 589
homeDirectory: /home/oswaldof
gecos: Oswaldo Flores

The userPassword data is practically out of an /etc/shadow file. Does FDS store this data in plaintext (so that it could be exported), or is it somehow hashed again?

--
Oscar A. Valdez

From Gary_Tay at platts.com Thu Apr 20 08:45:55 2006
From: Gary_Tay at platts.com (Tay, Gary)
Date: Thu, 20 Apr 2006 16:45:55 +0800
Subject: [Fedora-directory-users]: SSL directory server gateway, one-button SSL Certs (slapd + Admin Server) generation script
Message-ID:

I couldn't find setupssl.sh anywhere on the HowTo SSL link.
Anyway, I have written cr_ssl_certs.sh, which works for both FDS and SUN-ONE DS, and this script will also create the Admin Server SSL Cert (the same as slapd). Once you have used Admin Console to enable SSL for Admin Server at the "Encryption" tab, you would see a few .conf files including console.conf get updated at $SERVER_ROOT/admin-serv/config; the rest is history.

Note that it is not a MUST to create different CA Certs for different FDS Servers; they are so for testing purposes only. For production usage, you would most likely purchase signed SSL Server Certs for your different FDS Servers.

HTH.

Gary

Content of cr_ssl_certs.sh

#! /bin/sh
#
# cr_ssl_certs.sh - This script works for either Fedora or SUN-ONE DS
#
# Gary Tay
#
# 1) Make sure 'root' is used to run this script
# 2) Make sure /home/ldap/dirmgr.pwd contains password of cn=Directory Manager
#
#set -vx

IS_ROOT_UID=`id | grep "uid=0(root)"`
if [ ! -n "$IS_ROOT_UID" ]; then
  echo "Please run this script as root"
  exit 1
fi

chmod 700 $0

if [ ! -f /home/ldap/dirmgr.pwd ]; then
  echo "Please setup /home/ldap/dirmgr.pwd."
  exit 1
else
  chmod 600 /home/ldap/dirmgr.pwd
fi

# Pls customize the followings
HOST=`hostname`
DOMAIN="example.com"
BASEDN="dc=example,dc=com"
FQDN="$HOST.$DOMAIN"
ORG="Example Companies"
LOCALITY="NewYork City"
STATE="NewYork"
COUNTRY="US"

# Uncomment for Fedora/RedHat Directory Server
SERVER_ROOT="/opt/fedora-ds"
# Uncomment for SUN-ONE/Java System Directory Server
#SERVER_ROOT="/var/Sun/mps"

if [ "$SERVER_ROOT" = "/opt/fedora-ds" ]; then
  LD_LIBRARY_PATH=$SERVER_ROOT/lib:$SERVER_ROOT/shared/lib
  SLAPD_OWNER="ldap"
  SLAPD_GROUP="ldap"
  TAR_CVF="tar -Pcvf"
  TAR_XVF="tar -Pxvf"
fi
if [ "$SERVER_ROOT" = "/var/Sun/mps" ]; then
  LD_LIBRARY_PATH=$SERVER_ROOT/lib
  SLAPD_OWNER="root"
  SLAPD_GROUP="root"
  TAR_CVF="tar -cvf"
  TAR_XVF="tar -xvf"
fi
export LD_LIBRARY_PATH
PATH=$SERVER_ROOT/shared/bin:$PATH; export PATH

echo "Please shutdown slapd and Admin Server and perform a tar backup"
echo "and db2ldif backup of currently working system, and restart them again."
echo "Example of tar command: $TAR_CVF /var/tmp/ds_backup.tar $SERVER_ROOT"
echo "When you are ready, answer Yes and press Enter to continue."
echo "Press Ctrl-C to cancel."
read READY
[ "$READY" != "Yes" ] && exit 1

echo "Enter an UNIQUE SERIAL NUMBER for CA Cert."
echo "Eg: 1000 for ldap1, 2000 for ldap2, 3000 for ldap3, etc..."
read UNIQUE_SN_CA
echo "Enter an UNIQUE SERIAL NUMBER for LDAP Server Cert."
echo "Eg: 1001 for ldap1, 1002 for ldap2, 1003 for ldap3."
read UNIQUE_SN_LDAP

cd $SERVER_ROOT/alias

echo "Backing up existing *.db (if any) to backup_$$."
mkdir -p backup_$$ >/dev/null 2>/dev/null
cp -p *.db backup_$$ >/dev/null 2>/dev/null
/bin/rm -f *.db >/dev/null 2>/dev/null

echo "secretpwd" >pwdfile.txt
chmod 600 pwdfile.txt
echo "dsadasdasdasdadasdasdasdasdsadfwerwerjfdksdjfksdlfhjsdk" >noise.txt

echo "Creating new security key3.db/cert8.db pair."
../shared/bin/certutil -N -d . -f pwdfile.txt
echo "Generating encryption key."
../shared/bin/certutil -G -d . -z noise.txt -f pwdfile.txt
echo "Generating self-signed CA certificate."
../shared/bin/certutil -S -n "CA certificate" \
  -s "cn=CAcert $HOST" -x \
  -t "CT,," -m $UNIQUE_SN_CA -v 120 -d . -z noise.txt -f pwdfile.txt
echo "Generating self-signed Server certificate."
../shared/bin/certutil -S -n "Server-Cert" \
  -s "cn=$FQDN,O=$ORG,L=$LOCALITY,ST=$STATE,C=$COUNTRY" -c "CA certificate" \
  -t "u,u,u" -m $UNIQUE_SN_LDAP -v 120 -d . -z noise.txt -f pwdfile.txt

echo "Renaming and linking modified security DBs."
mv -f key3.db slapd-$HOST-key3.db
mv -f cert8.db slapd-$HOST-cert8.db
ln -s slapd-$HOST-key3.db key3.db
ln -s slapd-$HOST-cert8.db cert8.db
echo "Setting the correct ownership of security DBs"
chown $SLAPD_OWNER:$SLAPD_GROUP *.db
echo "Self-signed CA and SSL Server certs generated."
echo ""
echo "The following commands are OPTIONAL."
echo "They are for backing up CA and Server Certs in PK12 format."
echo ""
echo "---Start of OPTIONAL commands---"
cat <<EOF >optional_cmds.txt
../shared/bin/pk12util -d . -P slapd-$HOST- -o cacert.pfx -n "CA certificate"
../shared/bin/pk12util -d . -P slapd-$HOST- -o servercert.pfx -n "Server-Cert"
EOF
cat optional_cmds.txt
echo "---End of OPTIONAL commands---"
echo ""
#
echo "Enabling SSL."
echo "NOTE: changes will be saved to config/dse.ldif when slapd is shutdown"
cat <<EOF >/tmp/ssl_enable.ldif
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: on
-
replace: nsSSLClientAuth
nsSSLClientAuth: allowed

dn: cn=config
changetype: modify
add: nsslapd-security
nsslapd-security: on
EOF
if [ "$SERVER_ROOT" = "/opt/fedora-ds" ]; then
  cat <<EOF >>/tmp/ssl_enable.ldif

dn: cn=config
replace: nsslapd-ssl-check-hostname
nsslapd-ssl-check-hostname: off
EOF
fi
../shared/bin/ldapmodify -D "cn=Directory Manager" -w `cat /home/ldap/dirmgr.pwd` -f /tmp/ssl_enable.ldif
[ $? -eq 0 ] && \
  echo "Enabling SSL in cn=encryption,cn=config and cn=config done."
[ $? -ne 0 ] && \
  echo "Enabling SSL in cn=encryption,cn=config and cn=config failed."
#
cat <<EOF >/tmp/add_ssl_configs.ldif
dn: cn=encryption,cn=config
changetype: modify
add: nsSSL3Ciphers
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
-
add: nsKeyfile
nsKeyfile: alias/slapd-$HOST-key3.db
-
add: nsCertfile
nsCertfile: alias/slapd-$HOST-cert8.db
EOF
../shared/bin/ldapmodify -D "cn=Directory Manager" -w `cat /home/ldap/dirmgr.pwd` -f /tmp/add_ssl_configs.ldif
[ $? -eq 0 ] && echo "Adding SSL configs in cn=encryption,cn=config done."
[ $? -ne 0 ] && echo "Adding SSL configs in cn=encryption,cn=config failed."
#
cat <<EOF >/tmp/addRSA.ldif
dn: cn=RSA,cn=encryption,cn=config
objectclass: top
objectclass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: Server-Cert
nsSSLToken: internal (software)
nsSSLActivation: on
EOF
../shared/bin/ldapmodify -a -c -D "cn=Directory Manager" -w `cat /home/ldap/dirmgr.pwd` -f /tmp/addRSA.ldif
[ $? -eq 0 ] && echo "Adding cn=RSA,cn=encryption,cn=config done."
[ $? -ne 0 ] && echo "Adding cn=RSA,cn=encryption,cn=config failed."
#
echo "Creating a pin.txt for auto-starting of slapd."
echo "Internal (Software) Token:`cat pwdfile.txt`" >slapd-$HOST-pin.txt
chown $SLAPD_OWNER:$SLAPD_GROUP slapd-$HOST-pin.txt
chmod 400 slapd-$HOST-pin.txt

echo "Exporting the CA Cert in ASCII format or DER format"
../shared/bin/certutil -L -d . -P slapd-$HOST- -n "CA certificate" \
  -a > cacert.asc
../shared/bin/certutil -L -d . -P slapd-$HOST- -n "CA certificate" \
  -r > cacert.der

echo "Copying Server-Cert to Admin Server for Admin Server SSL connection."
cp slapd-$HOST-key3.db admin-serv-$HOST-key3.db
cp slapd-$HOST-cert8.db admin-serv-$HOST-cert8.db
echo "Setting the correct ownership of Admin Server security DBs"
chown $SLAPD_OWNER:$SLAPD_GROUP admin-serv-$HOST-*.db
echo "Remember to enable SSL in Admin Server later."
echo "Remember to select 'Server-Cert' as the Certificate and click OK."
echo "Remember to restart Admin Server after that."

echo "Creating a pin.txt for auto-starting of Admin Server."
echo "`cat pwdfile.txt`" >admin-serv-$HOST-pin.txt
chown $SLAPD_OWNER:$SLAPD_GROUP admin-serv-$HOST-pin.txt
chmod 400 admin-serv-$HOST-pin.txt

echo "Patching start-admin and creating start-admin.auto."
if [ "$SERVER_ROOT" = "/opt/fedora-ds" ]; then
  sed -e \
    '/^\$HTTPD/s/$/ \<"$SERVER_ROOT"\/alias\/admin-serv-`hostname`-pin.txt/' \
    $SERVER_ROOT/start-admin >$SERVER_ROOT/start-admin.auto
fi
if [ "$SERVER_ROOT" = "/var/Sun/mps" ]; then
  sed -e \
    '/uxwdog/s/$/ \<"$SERVER_ROOT"\/alias\/admin-serv-`hostname`-pin.txt/' \
    $SERVER_ROOT/start-admin >$SERVER_ROOT/start-admin.auto
fi
chmod 755 $SERVER_ROOT/start-admin.auto
echo "Please use $SERVER_ROOT/start-admin.auto in rc3.d as autostart script."
echo ""
echo "IMPORTANT NOTES:"
echo ""
echo "1. How to check if SSL Configurations are done properly?"
echo "You may view config/dse.ldif after shutting down slapd"
echo "to verify all the required SSL configurations are there."
echo ""
echo "2. How to fix slapd startup issue due to mis-configuration of SSL?"
echo "If for any reason slapd fails to start due to SSL issue,"
echo "you may edit config/dse.ldif after shutting down slapd"
echo "and revert back to non-SSL configs."
echo "i.e. set nsSSL3: off, nsSSLActivation: off and nsslapd-security: off"
echo "and then try to restart slapd."
echo ""
echo "3. How to fix Admin Server login issue due to mis-configuration of SSL?"
echo "If for any reason Admin Server login fails and you wish to give up,"
echo "simply stop slapd and admin-serv and restore using the tar backup"
echo "i.e. rm -f $SERVER_ROOT/alias/*.db;$TAR_XVF /var/tmp/ds_backup.tar"
echo ""

===Sample Run===

# ./cr_ssl_certs.sh
Please shutdown slapd and Admin Server and perform a tar backup
and db2ldif backup of currently working system, and restart them again.
Example of tar command: tar -cvf /var/tmp/ds_backup.tar /var/Sun/mps
When you are ready, answer Yes and press Enter to continue.
Press Ctrl-C to cancel.
Yes
Enter an UNIQUE SERIAL NUMBER for CA Cert.
Eg: 1000 for ldap1, 2000 for ldap2, 3000 for ldap3, etc...
1000
Enter an UNIQUE SERIAL NUMBER for LDAP Server Cert.
Eg: 1001 for ldap1, 1002 for ldap2, 1003 for ldap3.
1001
Backing up existing *.db (if any) to backup_24872.
Creating new security key3.db/cert8.db pair.
Generating encryption key.
Generating key. This may take a few moments...
Generating self-signed CA certificate.
Generating key. This may take a few moments...
Generating self-signed Server certificate.
Generating key. This may take a few moments...
Renaming and linking modified security DBs.
Setting the correct ownership of security DBs
Self-signed CA and SSL Server certs generated.

The following commands are OPTIONAL.
They are for backing up CA and Server Certs in PK12 format.

---Start of OPTIONAL commands---
../shared/bin/pk12util -d . -P slapd-ldap1- -o cacert.pfx -n "CA certificate"
../shared/bin/pk12util -d . -P slapd-ldap1- -o servercert.pfx -n "Server-Cert"
---End of OPTIONAL commands---

Enabling SSL.
NOTE: changes will be saved to config/dse.ldif when slapd is shutdown
modifying entry cn=encryption,cn=config
modifying entry cn=config
Enabling SSL in cn=encryption,cn=config and cn=config done.
modifying entry cn=encryption,cn=config
Adding SSL configs in cn=encryption,cn=config done.
adding new entry cn=RSA,cn=encryption,cn=config
Adding cn=RSA,cn=encryption,cn=config done.
Creating a pin.txt for auto-starting of slapd.
Exporting the CA Cert in ASCII format or DER format
Copying Server-Cert to Admin Server for Admin Server SSL connection.
Setting the correct ownership of Admin Server security DBs
Remember to enable SSL in Admin Server later.
Remember to select 'Server-Cert' as the Certificate and click OK.
Remember to restart Admin Server after that.
Creating a pin.txt for auto-starting of Admin Server.
Patching start-admin and creating start-admin.auto.
Please use /var/Sun/mps/start-admin.auto in rc3.d as autostart script.

IMPORTANT NOTES:

1. How to check if SSL Configurations are done properly?
You may view config/dse.ldif after shutting down slapd
to verify all the required SSL configurations are there.

2. How to fix slapd startup issue due to mis-configuration of SSL?
If for any reason slapd fails to start due to SSL issue,
you may edit config/dse.ldif after shutting down slapd
and revert back to non-SSL configs.
i.e. set nsSSL3: off, nsSSLActivation: off and nsslapd-security: off
and then try to restart slapd.

3. How to fix Admin Server login issue due to mis-configuration of SSL?
If for any reason Admin Server login fails and you wish to give up,
simply stop slapd and admin-serv and restore using the tar backup
i.e. rm -f /var/Sun/mps/alias/*.db;tar -xvf /var/tmp/ds_backup.tar

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Jason Russler
Sent: Thursday, April 20, 2006 4:15 AM
To: General discussion list for the Fedora Directory server project.
Subject: [Fedora-directory-users] SSL directory server gateway

Hi all,

I'm pretty uncertain about the best way to go about configuring the admin server to use SSL (FDS 1.0.2). All of the docs I'm finding are pretty shaky. Ultimately, I want users to manage their passwords and info via the web-based Directory Server Gateway over SSL. This would appear to be the same thing as enabling SSL for the admin server.

The setupssl.sh script provided by the SSL howto generates the keys/certs for the admin server and imports them into the appropriate cert db (I guess; I've performed the process by hand as well, based on RedHat's docs and the script itself).
This would imply to me that the admin console would find the generated certs and present them in the admin server's console (under the Configuration -> Encryption tab) in much the same way that it does in the directory server's console. I can't tell if something that's supposed to work isn't or if I'm misunderstanding something. I'd like to know before I try to generate new SSL certificates and import them.

Thanks much,
Jason

--
Fedora-directory-users mailing list
Fedora-directory-users at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users

From Gary_Tay at platts.com Thu Apr 20 08:55:07 2006
From: Gary_Tay at platts.com (Tay, Gary)
Date: Thu, 20 Apr 2006 16:55:07 +0800
Subject: **Caution-External**: RE: [Fedora-directory-users]: SSL directory server gateway, one-button SSL Certs (slapd + Admin Server) generation script
Message-ID:

Sorry for being "blind", I found the script at the very first "This" word.

Maybe "This" should be changed to "This setupssl.sh", just to help people like me.

Gary

--
Fedora-directory-users mailing list
Fedora-directory-users at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users

From Gary_Tay at platts.com Thu Apr 20 09:11:25 2006
From: Gary_Tay at platts.com (Tay, Gary)
Date: Thu, 20 Apr 2006 17:11:25 +0800
Subject: **Caution-External**: [Fedora-directory-users] Automated script for complementing SSLHowTo
Message-ID:

Version 2 of this script has been renamed cr_ssl_certs.sh and works for both FDS and SUN-ONE DS, check it out at:
https://www.redhat.com/archives/fedora-directory-users/2006-April/msg00145.html

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Tay, Gary
Sent: Wednesday, April 12, 2006 6:20 PM
To: fedora-directory-users at redhat.com
Subject: **Caution-External**: [Fedora-directory-users] Automated script for complementing SSLHowTo

FDS Folks,

I wrote this script for the benefit of all.

Gary

Content of cr_ssl_certs_fds1ldap.sh

#! /bin/sh
#
# cr_ssl_certs_fds1ldap.sh
#
# 1) Make sure 'root' is used to run this script
# 2) Make sure /home/ldap/dirmgr.pwd contains password of cn=Directory Manager
#
#set -vx

IS_ROOT_UID=`id | grep "uid=0(root)"`
if [ ! -n "$IS_ROOT_UID" ]; then
  echo "Please run this script as root"
  exit 1
fi

if [ ! -f /home/ldap/dirmgr.pwd ]; then
  echo "Please setup /home/ldap/dirmgr.pwd."
  exit 1
else
  chmod 600 /home/ldap/dirmgr.pwd
fi

# Pls customize the followings
HOST="ldap1"
DOMAIN="example.com"
BASEDN="dc=example,dc=com"
FQDN="$HOST.$DOMAIN"
ORG="Example Companies"
LOCALITY="NewYork City"
STATE="NewYork"
COUNTRY="US"
SLAPD_OWNER="nobody"
SLAPD_GROUP="nobody"

FDS1_PATH=/opt/fedora-ds
LD_LIBRARY_PATH=$FDS1_PATH/shared/lib:$FDS1_PATH/lib
export LD_LIBRARY_PATH
PATH=$FDS1_PATH/shared/bin:$PATH; export PATH

cd $FDS1_PATH/alias

DOW=`date | cut -d' ' -f1`
echo "Backing up existing *.db (if any) to backup_$DOW."
mkdir -p backup_$DOW >/dev/null 2>/dev/null
cp -p *.db backup_$DOW >/dev/null 2>/dev/null
/bin/rm -f *.db >/dev/null 2>/dev/null

echo "secretpwd" >pwdfile.txt
chmod 600 pwdfile.txt
echo "dsadasdasdasdadasdasdasdasdsadfwerwerjfdksdjfksdlfhjsdk" >noise.txt

echo "Creating new security key3.db/cert8.db pair."
../shared/bin/certutil -N -d . -f pwdfile.txt
echo "Generating encryption key."
../shared/bin/certutil -G -d . -z noise.txt -f pwdfile.txt
echo "Generating self-signed CA certificate."
../shared/bin/certutil -S -n "CA certificate" -s "cn=CAcert" -x \
  -t "CT,," -m 1000 -v 120 -d . -z noise.txt -f pwdfile.txt
echo "Generating self-signed Server certificate."
../shared/bin/certutil -S -n "Server-Cert" -s \
  "cn=$FQDN,O=$ORG,L=$LOCALITY,ST=$STATE,C=$COUNTRY" -c "CA certificate" \
  -t "u,u,u" -m 1001 -v 120 -d . -z noise.txt -f pwdfile.txt

echo "Renaming and linking modified security DBs."
mv -f key3.db slapd-$HOST-key3.db
mv -f cert8.db slapd-$HOST-cert8.db
ln -s slapd-$HOST-key3.db key3.db
ln -s slapd-$HOST-cert8.db cert8.db
echo "Setting the correct ownership of security DBs"
chown $SLAPD_OWNER:$SLAPD_GROUP *.db
echo "Self-signed CA and SSL Server certs generated."
echo ""
echo "The following commands are OPTIONAL."
echo "They are for backing up CA and Server Certs in PK12 format,"
echo "exporting the CA Cert in ASCII format or DER format, and"
echo "importing the CA Cert into the Admin Server"
echo ""
echo "---Start of OPTIONAL commands---"
cat <<EOF >optional_cmds.txt
../shared/bin/pk12util -d . -P slapd-$HOST- -o cacert.pfx -n "CA certificate"
../shared/bin/pk12util -d . -P slapd-$HOST- -o servercert.pfx -n "Server-Cert"
../shared/bin/certutil -L -d . -P slapd-$HOST- -n "CA certificate" \
  -a > cacert.asc
../shared/bin/certutil -L -d . -P slapd-$HOST- -n "CA certificate" \
  -r > cacert.der
../shared/bin/certutil -A -d . -P admin-serv-$HOST- -n "CA certificate" \
  -t "CT,," -a -i cacert.asc
EOF
cat optional_cmds.txt
echo "---End of OPTIONAL commands---"
echo ""

echo "Modifying server SSL configurations."
echo "NOTE: changes will be saved to config/dse.ldif when slapd is shutdown"
cat <<EOF >/tmp/ssl_enable.ldif
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: on
-
replace: nsSSLClientAuth
nsSSLClientAuth: allowed
-
add: nsSSL3Ciphers
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
-
add: nsKeyfile
nsKeyfile: alias/slapd-$HOST-key3.db
-
add: nsCertfile
nsCertfile: alias/slapd-$HOST-cert8.db

dn: cn=config
changetype: modify
add: nsslapd-security
nsslapd-security: on
-
replace: nsslapd-ssl-check-hostname
nsslapd-ssl-check-hostname: off
EOF
../shared/bin/ldapmodify -D "cn=Directory Manager" -w `cat /home/ldap/dirmgr.pwd` -f /tmp/ssl_enable.ldif

cat <<EOF >/tmp/delRSA.ldif
cn=RSA,cn=encryption,cn=config
EOF
../shared/bin/ldapdelete -c -D "cn=Directory Manager" -w `cat /home/ldap/dirmgr.pwd` -f /tmp/delRSA.ldif
[ $? -eq 0 ] && echo "deleting cn=RSA,cn=encryption,cn=config"

cat <<EOF >/tmp/addRSA.ldif
dn: cn=RSA,cn=encryption,cn=config
objectclass: top
objectclass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: Server-Cert
nsSSLToken: internal (software)
nsSSLActivation: on
EOF
../shared/bin/ldapmodify -a -c -D "cn=Directory Manager" -w `cat /home/ldap/dirmgr.pwd` -f /tmp/addRSA.ldif

echo "Creating a pin.txt for auto-starting of slapd."
echo "Internal (Software) Token:`cat pwdfile.txt`" >slapd-$HOST-pin.txt
chown $SLAPD_OWNER:$SLAPD_GROUP slapd-$HOST-pin.txt
chmod 400 slapd-$HOST-pin.txt
echo ""
echo "IMPORTANT NOTES:"
echo ""
echo "1. How to check if SSL Configurations are done properly?"
echo "You may view config/dse.ldif after shutting down slapd"
echo "to verify all the required SSL configurations are there."
echo ""
echo "2. How to fix slapd startup issue due to mis-configuration of SSL?"
echo "If for any reason slapd fails to start due to SSL issue,"
echo "you may edit config/dse.ldif after shutting down slapd"
echo "and revert back to non-SSL configs."
echo "i.e. set nsSSL3: off, nsslapd-security: off"
echo "and then try to restart slapd."
echo ""

=======Sample run.

# ./cr_ssl_certs_fds1ldap.sh
Backing up existing *.db (if any) to backup_Wed.
Creating new security key3.db/cert8.db pair.
Generating encryption key.
Generating key. This may take a few moments...
Generating self-signed CA certificate.
Generating key. This may take a few moments...
Generating self-signed Server certificate.
Generating key. This may take a few moments...
Renaming and linking modified security DBs.
Setting the correct ownership of security DBs
Self-signed CA and SSL Server certs generated.

The following commands are OPTIONAL.
They are for backing up CA and Server Certs in PK12 format,
exporting the CA Cert in ASCII format or DER format, and
importing the CA Cert into the Admin Server

---Start of OPTIONAL commands---
../shared/bin/pk12util -d .
-P slapd-nj1net200plmon- -o cacert.pfx -n "CA certificate" ../shared/bin/pk12util -d . -P slapd-nj1net200plmon- -o servercert.pfx -n "Server-Cert" ../shared/bin/certutil -L -d . -P slapd-nj1net200plmon- -n "CA certificate" -a > cacert.asc ../shared/bin/certutil -L -d . -P slapd-nj1net200plmon- -n "CA certificate" -r > cacert.der ../shared/bin/certutil -A -d . -P admin-serv-nj1net200plmon- -n "CA certificate" -t "CT,," -a -i cacert.asc ---End of OPTIONAL commands--- Modifying server SSL configurations. NOTE: changes will be saved to config/dse.ldif when slapd is shutdown modifying entry cn=encryption,cn=config ldap_modify: Type or value exists deleting cn=RSA,cn=encryption,cn=config adding new entry cn=RSA,cn=encryption,cn=config Creating a pin.txt for auto-starting of slapd. IMPORTANT NOTES: 1. How to check if SSL Configurations are done properly? You may view config/dse.ldif after shutting down slapd to verify all the required SSL configurations are there. 2. How to fix slapd startup issue due to mis-configuration of SSL? If for any reason slapd fails to start due to SSL issue, you may edit config/dse.ldif after shutting down slapd and revert back to non-SSL configs. i.e. set nsSSL3: off, nsslapd-security: off and then try to restart slapd. -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Thu Apr 20 13:08:56 2006 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 20 Apr 2006 09:08:56 -0400 Subject: [Fedora-directory-users] Re: Fedora directory server 7.1 on CentOS? In-Reply-To: References: Message-ID: <444787E8.9090908@redhat.com> Hariharan R wrote: > Hai, > > Thanks for the reply. > > I tried to run the admin server after changing the JRE path in > "start_JVM" file and admin configuration file.But i am still not able to > run the admin server.I am getting the same error as i stated in my > previous posting.That is the server is seems to be running but it is not > actually. 
What do you mean you changed the JRE path? From what to what, and what JRE did you point to? Are you running an SMP kernel? Can you try a uniprocessor kernel?

>
> Is there any incompatibility between FDS 7.1 and CentOS?
> Has anybody tested Fedora DS 7.1 on either CentOS 4.2 or CentOS 4.3?

We did no testing on CentOS.

rob

>
> [I also attached /admin-server/logs/error file in my previous
> posting]
>
> Please help me resolve the problem.
>
> Regards,
> Hariharan R
> ---------
> Can anyone please guide me.
>
> http://directory.fedora.redhat.com/wiki/FAQ#Admin_Server_fails_to_start_on_MP_Linux_kernel_or_on_x86_64
>
>
> Is there a reason you aren't using FDS 1.0.2?
>
> rob
> -------------
> Thanks for your reply.
>
> As Jim Summers said, I am running all the server instances as the same
> user (root). But still I am not able to run my admin server. When I try to
> run it, it shows the following
>
> "server is ready to accept requests at 1800" and suddenly the process
> gets detached. There is no process listening on port 1800.
>
> I looked into the "/opt/fedora-ds/start-admin" script. There they are
> running the following command
>
> "./uxwdog -d /opt/fedora-ds/admin-serv/config/ $@"
>
> I think this is the place the process gets stuck.
>
> My admin-server/log/error file has the following
>
> [19/Apr/2006:17:09:59] info ( 9431): successful server startup
>
> [19/Apr/2006:17:09:59] info ( 9431): Netscape-Enterprise/6.2 B04/18/2005 13:49
> [19/Apr/2006:17:09:59] info ( 9431): Access Host filter is: *.cs.iitm.ernet.in
>
> [19/Apr/2006:17:09:59] info ( 9431): Access Address filter is: *
> [19/Apr/2006:17:09:59] info ( 9432): Installing a new configuration
>
> [19/Apr/2006:17:09:59] info ( 9432): [LS ls1] http://lilac.cs.iitm.ernet.in, port 1800 ready to accept requests
> [19/Apr/2006:17:09:59] info ( 9432): A new configuration was successfully installed
>
>
> Hai,
> I am trying to install Fedora DS 7.1 on CentOS4.2.
> At the end of the installation, the Admin server is not able to run.
>
>
> After starting the console I tried to login using the admin ID but I am
> getting an error like "URL not found or server not running"
>
> When I first started with FDS I hit this also. It seemed like the
> suggestion that worked for me was to have all of the servers (dir and
> admin) run as the same user.
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users redhat com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>
> ---
> Hariharan.R
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3178 bytes
Desc: S/MIME Cryptographic Signature
URL:

From hariharan at lantana.cs.iitm.ernet.in Thu Apr 20 04:46:18 2006
From: hariharan at lantana.cs.iitm.ernet.in (Hariharan R)
Date: Thu, 20 Apr 2006 10:16:18 +0530 (IST)
Subject: [Fedora-directory-users] Fedora directory server 7.1 on CentOS?
Message-ID:

Hai,

Thanks for the reply.

I tried to run the admin server after changing the JRE path in the
"start_JVM" file and the admin configuration file. But I am still not able to
run the admin server. I am getting the same error as I stated in my
previous posting. That is, the server seems to be running but it is not
actually.

Is there any incompatibility between FDS 7.1 and CentOS?
Has anybody tested Fedora DS 7.1 on either CentOS 4.2 or CentOS 4.3?

[I also attached /admin-server/logs/error file in my previous
posting]

Please help me resolve the problem.

Regards,
Hariharan R
---------
Can anyone please guide me.

http://directory.fedora.redhat.com/wiki/FAQ#Admin_Server_fails_to_start_on_MP_Linux_kernel_or_on_x86_64

Is there a reason you aren't using FDS 1.0.2?

rob
-------------
Thanks for your reply.

As Jim Summers said, I am running all the server instances as the same
user (root). But still I am not able to run my admin server. When I try to
run it, it shows the following

"server is ready to accept requests at 1800" and suddenly the process
gets detached. There is no process listening on port 1800.

I looked into the "/opt/fedora-ds/start-admin" script. There they are
running the following command

"./uxwdog -d /opt/fedora-ds/admin-serv/config/ $@"

I think this is the place the process gets stuck.

My admin-server/log/error file has the following

[19/Apr/2006:17:09:59] info ( 9431): successful server startup

[19/Apr/2006:17:09:59] info ( 9431): Netscape-Enterprise/6.2 B04/18/2005 13:49
[19/Apr/2006:17:09:59] info ( 9431): Access Host filter is: *.cs.iitm.ernet.in

[19/Apr/2006:17:09:59] info ( 9431): Access Address filter is: *
[19/Apr/2006:17:09:59] info ( 9432): Installing a new configuration

[19/Apr/2006:17:09:59] info ( 9432): [LS ls1] http://lilac.cs.iitm.ernet.in, port 1800 ready to accept requests
[19/Apr/2006:17:09:59] info ( 9432): A new configuration was successfully installed

Hai,
I am trying to install Fedora DS 7.1 on CentOS4.2.
At the end of the installation, the Admin server is not able to run.

After starting the console I tried to login using the admin ID but I am
getting an error like "URL not found or server not running"

When I first started with FDS I hit this also. It seemed like the
suggestion that worked for me was to have all of the servers (dir and
admin) run as the same user.

--
Fedora-directory-users mailing list
Fedora-directory-users redhat com
https://www.redhat.com/mailman/listinfo/fedora-directory-users

---
Hariharan.R

From hariharan at lantana.cs.iitm.ernet.in Thu Apr 20 12:06:42 2006
From: hariharan at lantana.cs.iitm.ernet.in (Hariharan R)
Date: Thu, 20 Apr 2006 17:36:42 +0530 (IST)
Subject: [Fedora-directory-users] Centos with Fedora Directory Server
In-Reply-To:
References:
Message-ID:

Hai,

I have installed CentOS 4.3 in my system.
I have two modes to boot my system, one is CentOS general mode and the other one is CentOS SMP mode.

Actually I want to test Fedora Directory Server 7.1 with CentOS SMP mode.

Fedora Directory Server 7.1 is running perfectly in CentOS general mode.

If I try to run Fedora Directory Server 7.1 in CentOS 4.3 SMP mode it is not running. That is, there is some problem in starting the Admin server. It seems to start the admin server but it does not actually.

Is there any option or suggestion to make Fedora Directory Server 7.1 work in CentOS 4.3 SMP mode.

Please advise me.

---
Thanks,
Hariharan.R

From jeff.applewhite at motricity.com Thu Apr 20 15:13:37 2006
From: jeff.applewhite at motricity.com (Jeff Applewhite)
Date: Thu, 20 Apr 2006 11:13:37 -0400
Subject: [Fedora-directory-users] Bug in the console
Message-ID:

Hi All,

There appears to be a bug in the console such that new schema changes do not appear until the console is restarted.

Here's what I did -- you should be able to reproduce it.

Created a custom objectclass (a child of inetOrgPerson) and some custom optional attributes associated with it, then tried to add the objectclass to a user, except the new custom objectclass does not appear in the scrollable list when I go into advanced view and attempt to add it to the objectclasses. Once I restart the console all is well. Has anyone seen this or similar problems before?

--
Jeff Applewhite
Systems Administration Lead
P (919) 287-7392
M (919) 491-4161
jeff.applewhite at motricity.com

NOTICE: This e-mail message is for the sole use of the intended recipient(s) and may contain confidential and privileged information of Motricity. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
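Editor's added example for the SSL thread on this page (Gary Tay's cr_ssl_certs_fds1ldap.sh and its version 2, cr_ssl_certs.sh). It is not part of either script and not Fedora Directory Server code. Both scripts end with the advice to stop slapd and read config/dse.ldif to confirm the SSL settings landed; this POSIX sh helper does that check mechanically: it confirms the attributes the scripts write are present (nsslapd-security, nsSSL3, nsKeyfile, nsCertfile, and the cn=RSA module with nsSSLActivation), re-joins the LDIF continuation lines that wrap the nsSSL3Ciphers value, and lists the suites that value switches on which should not be enabled (null, 40-bit/export, RC2, RC4, single DES, MD5 MACs). The function names, the weak-cipher pattern and the embedded sample entry are constructed for this example; the sample is what ssl_enable.ldif and add_ssl_configs.ldif leave behind with HOST set to ldap1.

```shell
#!/bin/sh
# Added dse.ldif audit for the cr_ssl_certs*.sh scripts in this thread.
# Editorial example, not Gary Tay's script and not FDS code. POSIX sh only.
# Assumes slapd has been stopped so config/dse.ldif reflects the ldapmodify
# changes, as the scripts' IMPORTANT NOTES recommend.

# Print every suite that an nsSSL3Ciphers value turns on (+name) and that
# matches a weak pattern: null, export, 40/56-bit, RC2, RC4, single DES,
# MD5 MAC. "3des" suites do not match "_des_" and are left alone.
# Returns 1 if anything was printed, 0 if the enabled set is clean.
weak_ciphers() {
    _enabled=$(printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^[[:space:]]*+//p')
    _bad=$(printf '%s\n' "$_enabled" \
        | grep -E -i 'null|export|_40_|_56_|rc2|rc4|_md5$|_des_' || true)
    [ -n "$_bad" ] || return 0
    printf '%s\n' "$_bad"
    return 1
}

# Extract the nsSSL3Ciphers value from an LDIF file, re-joining the
# continuation lines (leading space) that LDIF and mail clients both use.
dse_ciphers() {
    awk '
        /^nsSSL3Ciphers:/ { sub(/^nsSSL3Ciphers:[ \t]*/, ""); val = $0; grab = 1; next }
        grab && /^ /      { sub(/^ /, ""); val = val $0; next }
        grab              { grab = 0 }
        END               { print val }
    ' "$1"
}

# Verify the settings the scripts must leave behind. Attribute names are
# case-insensitive in LDIF, hence grep -i. Prints what is missing, returns 1.
check_dse() {
    _missing=""
    for _want in 'nsslapd-security: on' 'nsSSL3: on' 'nsSSLActivation: on' \
                 'nsSSLPersonalitySSL: Server-Cert' 'nsKeyfile: ' 'nsCertfile: '; do
        grep -q -i "^$_want" "$1" || _missing="$_missing$_want;"
    done
    [ -z "$_missing" ] && return 0
    printf 'missing: %s\n' "$_missing"
    return 1
}

# Whole audit: 0 only when the config is complete AND no weak suite is on.
audit_dse() {
    check_dse "$1" || return 1
    weak_ciphers "$(dse_ciphers "$1")"
}

# Constructed sample: the entries as the scripts' LDIF leaves them, with the
# cipher value wrapped LDIF-style. Not taken from any real server.
sample_dse() {
cat <<'EOF'
dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSL3: on
nsSSLClientAuth: allowed
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
 +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,
 +fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,
 +tls_rsa_export1024_with_des_cbc_sha
nsKeyfile: alias/slapd-ldap1-key3.db
nsCertfile: alias/slapd-ldap1-cert8.db

dn: cn=RSA,cn=encryption,cn=config
objectclass: top
objectclass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: Server-Cert
nsSSLToken: internal (software)
nsSSLActivation: on

dn: cn=config
nsslapd-security: on
nsslapd-ssl-check-hostname: off
EOF
}

# Stand-alone run: audit the file given as $1, else the constructed sample.
if [ -n "$1" ]; then
    target=$1
else
    target=${TMPDIR:-/tmp}/dse_sample.$$
    sample_dse > "$target"
fi
if audit_dse "$target"; then
    echo "$target: SSL config complete, no weak cipher suites enabled"
else
    echo "$target: see findings above"
fi
[ -n "$1" ] || rm -f "$target"
```

Point it at a real instance with `sh dse_audit.sh /opt/fedora-ds/slapd-ldap1/config/dse.ldif`. On the cipher string the two scripts push, it reports nine enabled weak suites: the list only switches off rsa_null_md5 and leaves every RC4, RC2, 40-bit and export suite on, which a 2006 server facing the internet already had no reason to offer. A value such as +rsa_3des_sha,+rsa_fips_3des_sha passes cleanly.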
From rmeggins at redhat.com Thu Apr 20 14:12:58 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 20 Apr 2006 08:12:58 -0600
Subject: [Fedora-directory-users]: SSL directory server gateway, one-button SSL Certs (slapd + Admin Server) generation script
In-Reply-To:
References:
Message-ID: <444796EA.1060802@redhat.com>

Tay, Gary wrote:

>I couldn't find setupssl.sh anywhere on the HowTo SSL link.
>
>
It's http://directory.fedora.redhat.com/wiki/Howto:SSL#Script under http://directory.fedora.redhat.com/wiki/Howto:SSL

When I get a chance, I'm going to merge some of the features from your script into that one.

>Anyway, I have written cr_ssl_certs.sh which works for both FDS and
>SUN-ONE DS, and this script will also create the Admin Server SSL Cert
>(the same as slapd). Once you have used Admin Console to enable SSL for
>Admin Server at the "Encryption" TAB, you would see a few .conf files
>including console.conf get updated at $SERVER_ROOT/admin-serv/config,
>the rest is history.
>
>Note that it is not a MUST to create different CA Certs for different
>FDS Servers, they are so for testing purposes only; for production
>usage, you would most likely purchase signed SSL Server Certs for your
>different FDS Servers
>
>
Or purchase a CA product and assign your own.

>HTH.
>
>Gary
>
>Content of cr_ssl_certs.sh
>
>#! /bin/sh
>#
># cr_ssl_certs.sh - This script works for either Fedora or SUN-ONE DS
>#
># Gary Tay
>#
># 1) Make sure 'root' is used to run this script
># 2) Make sure /home/ldap/dirmgr.pwd contains password of cn=Directory Manager
>#
>#set -vx
>IS_ROOT_UID=`id | grep "uid=0(root)"`
>if [ ! -n "$IS_ROOT_UID" ]; then
>  echo "Please run this script as root"
>  exit 1
>fi
>chmod 700 $0
>if [ ! -f /home/ldap/dirmgr.pwd ]; then
>  echo "Please setup /home/ldap/dirmgr.pwd."
>  exit 1
>else
>  chmod 600 /home/ldap/dirmgr.pwd
>fi
># Pls customize the followings
>HOST=`hostname`
>DOMAIN="example.com"
>BASEDN="dc=example,dc=com"
>FQDN="$HOST.$DOMAIN"
>ORG="Example Companies"
>LOCALITY="NewYork City"
>STATE="NewYork"
>COUNTRY="US"
># Uncomment for Fedora/RedHat Directory Server
>SERVER_ROOT="/opt/fedora-ds"
># Uncomment for SUN-ONE/Java System Directory Server
>#SERVER_ROOT="/var/Sun/mps"
>if [ "$SERVER_ROOT" = "/opt/fedora-ds" ]; then
>  LD_LIBRARY_PATH=$SERVER_ROOT/lib:$SERVER_ROOT/shared/lib
>  SLAPD_OWNER="ldap"
>  SLAPD_GROUP="ldap"
>  TAR_CVF="tar -Pcvf"
>  TAR_XVF="tar -Pxvf"
>fi
>if [ "$SERVER_ROOT" = "/var/Sun/mps" ]; then
>  LD_LIBRARY_PATH=$SERVER_ROOT/lib
>  SLAPD_OWNER="root"
>  SLAPD_GROUP="root"
>  TAR_CVF="tar -cvf"
>  TAR_XVF="tar -xvf"
>fi
>export LD_LIBRARY_PATH
>PATH=$SERVER_ROOT/shared/bin:$PATH; export PATH
>echo "Please shutdown slapd and Admin Server and perform a tar backup"
>echo "and db2ldif backup of currently working system, and restart them again."
>echo "Example of tar command: $TAR_CVF /var/tmp/ds_backup.tar $SERVER_ROOT"
>echo "When you are ready, answer Yes and press Enter to continue."
>echo "Press Ctrl-C to cancel."
>read READY
>[ "$READY" != "Yes" ] && exit 1
>echo "Enter an UNIQUE SERIAL NUMBER for CA Cert."
>echo "Eg: 1000 for ldap1, 2000 for ldap2, 3000 for ldap3, etc..."
>read UNIQUE_SN_CA
>echo "Enter an UNIQUE SERIAL NUMBER for LDAP Server Cert."
>echo "Eg: 1001 for ldap1, 1002 for ldap2, 1003 for ldap3."
>read UNIQUE_SN_LDAP
>cd $SERVER_ROOT/alias
>echo "Backing up existing *.db (if any) to backup_$$."
>mkdir -p backup_$$ >/dev/null 2>/dev/null
>cp -p *.db backup_$$ >/dev/null 2>/dev/null
>/bin/rm -f *.db >/dev/null 2>/dev/null
># NSS key/cert DB password; it is also written into both pin files below, so change it
>echo "secretpwd" >pwdfile.txt
>chmod 600 pwdfile.txt
># Seed for certutil key generation; a fixed string adds no entropy, use random data
>echo "dsadasdasdasdadasdasdasdasdsadfwerwerjfdksdjfksdlfhjsdk" >noise.txt
>echo "Creating new security key3.db/cert8.db pair."
>../shared/bin/certutil -N -d . -f pwdfile.txt
>echo "Generating encryption key."
>../shared/bin/certutil -G -d . -z noise.txt -f pwdfile.txt
>echo "Generating self-signed CA certificate."
>../shared/bin/certutil -S -n "CA certificate" \
>  -s "cn=CAcert $HOST" -x \
>  -t "CT,," -m $UNIQUE_SN_CA -v 120 -d . -z noise.txt -f pwdfile.txt
>echo "Generating self-signed Server certificate."
>../shared/bin/certutil -S -n "Server-Cert" \
>  -s "cn=$FQDN,O=$ORG,L=$LOCALITY,ST=$STATE,C=$COUNTRY" -c "CA certificate" \
>  -t "u,u,u" -m $UNIQUE_SN_LDAP -v 120 -d . -z noise.txt -f pwdfile.txt
>echo "Renaming and linking modified security DBs."
>mv -f key3.db slapd-$HOST-key3.db
>mv -f cert8.db slapd-$HOST-cert8.db
>ln -s slapd-$HOST-key3.db key3.db
>ln -s slapd-$HOST-cert8.db cert8.db
>echo "Setting the correct ownership of security DBs"
>chown $SLAPD_OWNER:$SLAPD_GROUP *.db
>echo "Self-signed CA and SSL Server certs generated."
>echo ""
>echo "The following commands are OPTIONAL."
>echo "They are for backing up CA and Server Certs in PK12 format."
>echo ""
>echo "---Start of OPTIONAL commands---"
>cat <<EOF >optional_cmds.txt
>../shared/bin/pk12util -d . -P slapd-$HOST- -o cacert.pfx -n "CA certificate"
>../shared/bin/pk12util -d . -P slapd-$HOST- -o servercert.pfx -n "Server-Cert"
>EOF
>cat optional_cmds.txt
>echo "---End of OPTIONAL commands---"
>echo ""
>#
>echo "Enabling SSL."
>echo "NOTE: changes will be saved to config/dse.ldif when slapd is shutdown"
># 'replace' rather than 'add' for attributes slapd already carries, so a
># re-run does not fail with "Type or value exists"
>cat <<EOF >/tmp/ssl_enable.ldif
>dn: cn=encryption,cn=config
>changetype: modify
>replace: nsSSL3
>nsSSL3: on
>-
>replace: nsSSLClientAuth
>nsSSLClientAuth: allowed
>
>dn: cn=config
>changetype: modify
>replace: nsslapd-security
>nsslapd-security: on
>
>EOF
>if [ "$SERVER_ROOT" = "/opt/fedora-ds" ]; then
>cat <<EOF >>/tmp/ssl_enable.ldif
>dn: cn=config
>changetype: modify
>replace: nsslapd-ssl-check-hostname
>nsslapd-ssl-check-hostname: off
>
>EOF
>fi
># -w puts the Directory Manager password on the command line, visible in ps while ldapmodify runs
>../shared/bin/ldapmodify -D "cn=Directory Manager" -w `cat /home/ldap/dirmgr.pwd` -f /tmp/ssl_enable.ldif
>RC=$?
>[ $RC -eq 0 ] && \
>  echo "Enabling SSL in cn=encryption,cn=config and cn=config done."
>[ $RC -ne 0 ] && \
>  echo "Enabling SSL in cn=encryption,cn=config and cn=config failed."
>#
># The cipher list is as posted; it still enables 40-bit/export suites.
>cat <<EOF >/tmp/add_ssl_configs.ldif
>dn: cn=encryption,cn=config
>changetype: modify
>replace: nsSSL3Ciphers
>nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
>-
>replace: nsKeyfile
>nsKeyfile: alias/slapd-$HOST-key3.db
>-
>replace: nsCertfile
>nsCertfile: alias/slapd-$HOST-cert8.db
>
>EOF
>../shared/bin/ldapmodify -D "cn=Directory Manager" -w `cat /home/ldap/dirmgr.pwd` -f /tmp/add_ssl_configs.ldif
>RC=$?
>[ $RC -eq 0 ] && echo "Adding SSL configs in cn=encryption,cn=config done."
>[ $RC -ne 0 ] && echo "Adding SSL configs in cn=encryption,cn=config failed."
>#
>cat <<EOF >/tmp/addRSA.ldif
>dn: cn=RSA,cn=encryption,cn=config
>objectclass: top
>objectclass: nsEncryptionModule
>cn: RSA
>nsSSLPersonalitySSL: Server-Cert
>nsSSLToken: internal (software)
>nsSSLActivation: on
>
>EOF
>../shared/bin/ldapmodify -a -c -D "cn=Directory Manager" -w `cat /home/ldap/dirmgr.pwd` -f /tmp/addRSA.ldif
>RC=$?
>[ $RC -eq 0 ] && echo "Adding cn=RSA,cn=encryption,cn=config done."
>[ $RC -ne 0 ] && echo "Adding cn=RSA,cn=encryption,cn=config failed."
>#
>echo "Creating a pin.txt for auto-starting of slapd."
>echo "Internal (Software) Token:`cat pwdfile.txt`" >slapd-$HOST-pin.txt
>chown $SLAPD_OWNER:$SLAPD_GROUP slapd-$HOST-pin.txt
>chmod 400 slapd-$HOST-pin.txt
>echo "Exporting the CA Cert in ASCII format or DER format"
>../shared/bin/certutil -L -d . -P slapd-$HOST- -n "CA certificate" \
>  -a > cacert.asc
>../shared/bin/certutil -L -d . -P slapd-$HOST- -n "CA certificate" \
>  -r > cacert.der
>echo "Copying Server-Cert to Admin Server for Admin Server SSL connection."
>cp slapd-$HOST-key3.db admin-serv-$HOST-key3.db
>cp slapd-$HOST-cert8.db admin-serv-$HOST-cert8.db
>echo "Setting the correct ownership of Admin Server security DBs"
>chown $SLAPD_OWNER:$SLAPD_GROUP admin-serv-$HOST-*.db
>echo "Remember to enable SSL in Admin Server later."
>echo "Remember to select 'Server-Cert' as the Certificate and click OK."
>echo "Remember to restart Admin Server after that."
>echo "Creating a pin.txt for auto-starting of Admin Server."
>echo "`cat pwdfile.txt`" >admin-serv-$HOST-pin.txt
>chown $SLAPD_OWNER:$SLAPD_GROUP admin-serv-$HOST-pin.txt
>chmod 400 admin-serv-$HOST-pin.txt
>echo "Patching start-admin and creating start-admin.auto."
># Appends '<"$SERVER_ROOT"/alias/admin-serv-`hostname`-pin.txt' to the line
># that launches the Admin Server, so it reads the PIN from the file at start
>if [ "$SERVER_ROOT" = "/opt/fedora-ds" ]; then
>  sed -e \
>    '/^\$HTTPD/s/$/ \<"$SERVER_ROOT"\/alias\/admin-serv-`hostname`-pin.txt/' \
>    $SERVER_ROOT/start-admin >$SERVER_ROOT/start-admin.auto
>fi
>if [ "$SERVER_ROOT" = "/var/Sun/mps" ]; then
>  sed -e \
>    '/uxwdog/s/$/ \<"$SERVER_ROOT"\/alias\/admin-serv-`hostname`-pin.txt/' \
>    $SERVER_ROOT/start-admin >$SERVER_ROOT/start-admin.auto
>fi
>chmod 755 $SERVER_ROOT/start-admin.auto
>echo "Please use $SERVER_ROOT/start-admin.auto in rc3.d as autostart script."
>echo ""
>echo "IMPORTANT NOTES:"
>echo ""
>echo "1. How to check if SSL Configurations are done properly?"
>echo "You may view config/dse.ldif after shutting down slapd"
>echo "to verify all the required SSL configurations are there."
>echo ""
>echo "2. How to fix slapd startup issue due to mis-configuration of SSL?"
>echo "If for any reason slapd fails to start due to SSL issue,"
>echo "you may edit config/dse.ldif after shutting down slapd"
>echo "and revert back to non-SSL configs."
>echo "i.e. set nsSSL3: off, nsSSLActivation: off and nsslapd-security: off"
>echo "and then try to restart slapd."
>echo ""
>echo "3. How to fix Admin Server login issue due to mis-configuration of SSL?"
>echo "If for any reason Admin Server login fails and you wish to give up,"
>echo "simply stop slapd and admin-serv and restore using the tar backup"
>echo "i.e. rm -f $SERVER_ROOT/alias/*.db;$TAR_XVF /var/tmp/ds_backup.tar"
>echo ""
>
>===Sample Run===
>
># ./cr_ssl_certs.sh
>Please shutdown slapd and Admin Server and perform a tar backup
>and db2ldif backup of currently working system, and restart them again.
>Example of tar command: tar -cvf /var/tmp/ds_backup.tar /var/Sun/mps
>When you are ready, answer Yes and press Enter to continue.
>Press Ctrl-C to cancel.
>Yes
>Enter an UNIQUE SERIAL NUMBER for CA Cert.
>Eg: 1000 for ldap1, 2000 for ldap2, 3000 for ldap3, etc...
>1000
>Enter an UNIQUE SERIAL NUMBER for LDAP Server Cert.
>Eg: 1001 for ldap1, 1002 for ldap2, 1003 for ldap3.
>1001
>Backing up existing *.db (if any) to backup_24872.
>Creating new security key3.db/cert8.db pair.
>Generating encryption key.
>
>Generating key. This may take a few moments...
>
>Generating self-signed CA certificate.
>
>Generating key. This may take a few moments...
>
>Generating self-signed Server certificate.
>
>Generating key. This may take a few moments...
>
>Renaming and linking modified security DBs.
>Setting the correct ownership of security DBs
>Self-signed CA and SSL Server certs generated.
>
>The following commands are OPTIONAL.
>They are for backing up CA and Server Certs in PK12 format.
>
>---Start of OPTIONAL commands---
>../shared/bin/pk12util -d . -P slapd-ldap1- -o cacert.pfx -n "CA certificate"
>../shared/bin/pk12util -d . -P slapd-ldap1- -o servercert.pfx -n "Server-Cert"
>---End of OPTIONAL commands---
>
>Enabling SSL.
>NOTE: changes will be saved to config/dse.ldif when slapd is shutdown
>modifying entry cn=encryption,cn=config
>
>modifying entry cn=config
>
>Enabling SSL in cn=encryption,cn=config and cn=config done.
>modifying entry cn=encryption,cn=config
>
>Adding SSL configs in cn=encryption,cn=config done.
>adding new entry cn=RSA,cn=encryption,cn=config
>
>Adding cn=RSA,cn=encryption,cn=config done.
>Creating a pin.txt for auto-starting of slapd.
>Exporting the CA Cert in ASCII format or DER format
>Copying Server-Cert to Admin Server for Admin Server SSL connection.
>Setting the correct ownership of Admin Server security DBs
>Remember to enable SSL in Admin Server later.
>Remember to select 'Server-Cert' as the Certificate and click OK.
>Remember to restart Admin Server after that.
>Creating a pin.txt for auto-starting of Admin Server.
>Patching start-admin and creating start-admin.auto.
>Please use /var/Sun/mps/start-admin.auto in rc3.d as autostart script.
>
>IMPORTANT NOTES:
>
>1. How to check if SSL Configurations are done properly?
>You may view config/dse.ldif after shutting down slapd
>to verify all the required SSL configurations are there.
>
>2. How to fix slapd startup issue due to mis-configuration of SSL?
>If for any reason slapd fails to start due to SSL issue,
>you may edit config/dse.ldif after shutting down slapd
>and revert back to non-SSL configs.
>i.e. set nsSSL3: off, nsSSLActivation: off and nsslapd-security: off
>and then try to restart slapd.
>
>3. How to fix Admin Server login issue due to mis-configuration of SSL?
>If for any reason Admin Server login fails and you wish to give up,
>simply stop slapd and admin-serv and restore using the tar backup
>i.e. rm -f /var/Sun/mps/alias/*.db;tar -xvf /var/tmp/ds_backup.tar
>
>
>-----Original Message-----
>From: fedora-directory-users-bounces at redhat.com
>[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Jason
>Russler
>Sent: Thursday, April 20, 2006 4:15 AM
>To: General discussion list for the Fedora Directory server project.
>Subject: [Fedora-directory-users] SSL directory server gateway
>
>
>Hi all,
>I'm pretty uncertain about the best way to go about configuring the
>admin server to use SSL (FDS1.0.2). All of the docs I'm finding are
>pretty shaky.
>Ultimately, I want users to manage their passwords and
>info via the web-based Directory Server Gateway over SSL. This would
>appear to be the same thing as enabling SSL for the admin server. The
>setupssl.sh script provided by the SSL howto generates the keys/certs
>for the admin server and imports them into the appropriate cert db (I
>guess, I've performed the process by hand as well, based on RedHat's
>docs and the script itself). This would imply to me that the admin
>console would find the generated certs and present them in the admin
>server's console (under the Configuration -> Encryption tab) in much the
>same way that it does in the directory server's console. I can't tell
>if something that's supposed to work isn't or if I'm misunderstanding
>something. I'd like to know before I try to generate new SSL
>certificates and import them.
>Thanks much,
>Jason
>
>--
>Fedora-directory-users mailing list
>Fedora-directory-users at redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3178 bytes
Desc: S/MIME Cryptographic Signature
URL:

From thierry.lanfranchi at wanadoo.fr Thu Apr 20 15:44:25 2006
From: thierry.lanfranchi at wanadoo.fr (Thierry Lanfranchi)
Date: Thu, 20 Apr 2006 17:44:25 +0200
Subject: [Fedora-directory-users] Bug in the console
Message-ID: <200604201526.k3KFQQAo005420@relay3.clb.oleane.net>

Happens to me too when I add attributes to a class and then try to modify an object belonging to that class.

Restarting the console is not needed, all you have to do is re-initiate a login through the Console/Login as new user... menu. The bug is a bit less annoying that way.

But if the console could completely re-load the schema upon schema modification, it would indeed be great (although the problem would persist if someone else is modifying the schema from another console).

Thierry

----- Original Message -----
From: Jeff Applewhite
To:
Date: Thu, 20 Apr 2006 11:13:37 -0400
Subject: [Fedora-directory-users] Bug in the console

> Hi All,
>
> There appears to be a bug in the console such that new schema changes do not
> appear until the console is restarted.
>
> Here's what I did -- you should be able to reproduce it.
>
> Created a custom objectclass (a child of inetOrgPerson) and some custom
> optional attributes associated with it, then tried to add the objectclass to
> a user, except the new custom objectclass does not appear in the scrollable
> list when I go into advanced view and attempt to add it to the
> objectclasses. Once I restart the console all is well. Has anyone seen
> this or similar problems before?
>
> --
> Jeff Applewhite
> Systems Administration Lead
> P (919) 287-7392
> M (919) 491-4161
> jeff.applewhite at motricity.com
>
>
> NOTICE: This e-mail message is for the sole use of the intended
> recipient(s) and may contain confidential and privileged information of
> Motricity. Any unauthorized review, use, disclosure or distribution is
> prohibited. If you are not the intended recipient, please contact the
> sender by reply e-mail and destroy all copies of the original message.
>
>
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>
>

From hariharan at lantana.cs.iitm.ernet.in Fri Apr 21 03:58:05 2006
From: hariharan at lantana.cs.iitm.ernet.in (Hariharan R)
Date: Fri, 21 Apr 2006 09:28:05 +0530 (IST)
Subject: [Fedora-directory-users] Re: Fedora directory server 7.1 on CentOS?
In-Reply-To: <444787E8.9090908@redhat.com>
References: <444787E8.9090908@redhat.com>
Message-ID:

Hai,

By default Fedora DS 7.1 is configured to use the IBM JRE (in the start_JVM file). In one mailing list they asked me to change to the Sun JRE, because they told me that may be the reason for the Admin Server not being able to run.

My FDS 7.1 is running perfectly on a CentOS 4.2 uniprocessor kernel. But I want this to get done on a multiprocessor system kernel (SMP), because I am in a requirement to do that.

Pls guide me.

Thanks.
---
Regards,
Hariharan.R

On Thu, 20 Apr 2006, Rob Crittenden wrote:

> Hariharan R wrote:
>> Hai,
>>
>> Thanks for the reply.
>>
>> I tried to run the admin server after changing the JRE path in the "start_JVM"
>> file and the admin configuration file. But I am still not able to run the admin
>> server. I am getting the same error as I stated in my previous posting. That
>> is, the server seems to be running but it is not actually.
>
> What do you mean you changed the JRE path? From what to what, and what JRE
> did you point to? Are you running an SMP kernel? Can you try a uniprocessor
> kernel?
>
>> Is there any incompatibility between FDS 7.1 and CentOS?
>> Has anybody tested Fedora DS 7.1 on either CentOS 4.2 or CentOS 4.3?
>
> We did no testing on CentOS.
>
> rob
>
>> [I also attached the /admin-server/logs/error file in my previous
>> posting]
>>
>> Pls help me resolve the problem.
>>
>> Regards,
>> Hariharan R
>> ---------
>> Can any one pls guide me.
>>
>> http://directory.fedora.redhat.com/wiki/FAQ#Admin_Server_fails_to_start_on_MP_Linux_kernel_or_on_x86_64
>>
>> Is there a reason you aren't using FDS 1.0.2?
>>
>> rob
>> -------------
>> Thanks for your reply.
>>
>> As Jim Summers said, I am running all the server instances as the same
>> user (root). But still I am not able to run my admin server. When I try to
>> run it it shows the following:
>>
>> "server is ready to accept requests at 1800"; suddenly the process gets
>> detached. There is no process listening on port 1800.
>>
>> I looked into the "/opt/fedora-ds/start-admin" script. There they are
>> running the following command:
>>
>> "./uxwdog -d /opt/fedora-ds/admin-serv/config/ $@"
>>
>> I think this is the place the process gets stuck.
>>
>> My admin-server/log/error file has the following:
>>
>> [19/Apr/2006:17:09:59] info ( 9431): successful server startup
>> [19/Apr/2006:17:09:59] info ( 9431): Netscape-Enterprise/6.2 B04/18/2005 13:49
>> [19/Apr/2006:17:09:59] info ( 9431): Access Host filter is: *.cs.iitm.ernet.in
>> [19/Apr/2006:17:09:59] info ( 9431): Access Address filter is: *
>> [19/Apr/2006:17:09:59] info ( 9432): Installing a new configuration
>> [19/Apr/2006:17:09:59] info ( 9432): [LS ls1] http://lilac.cs.iitm.ernet.in, port 1800 ready to accept requests
>> [19/Apr/2006:17:09:59] info ( 9432): A new configuration was successfully installed
>>
>> Hai,
>> I am trying to install Fedora DS 7.1 on CentOS 4.2.
>> At the end of the installation, the Admin server is not able to run.
>>
>> After starting the console I tried to login using the admin ID but I am
>> getting an error like "URL not found or server not running"
>>
>> When I first started with FDS I hit this also. It seemed like the
>> suggestion that worked for me was to have all of the servers (dir and
>> admin) run as the same user.
>>
>> ---
>> Hariharan.R

From rcritten at redhat.com Fri Apr 21 14:00:14 2006
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 21 Apr 2006 10:00:14 -0400
Subject: [Fedora-directory-users] Re: Fedora directory server 7.1 on CentOS?
In-Reply-To:
References: <444787E8.9090908@redhat.com>
Message-ID: <4448E56E.5080800@redhat.com>

Hariharan R wrote:
> Hai,
> By default Fedora DS 7.1 is configured to use the IBM JRE (in the
> start_JVM file). In one mailing list they asked me to change to the Sun
> JRE, because they told me that may be the reason for the Admin Server
> not being able to run.

You mentioned that you had changed the JRE but didn't say what you changed it to. When 7.1 was released a LOT of users had this same problem and replacing the JRE fixed it for all of them.

The other alternative is to try FDS 1.0.2 which uses a different web server so this problem goes away entirely.

rob

> My FDS 7.1 is running perfectly on a CentOS 4.2 uniprocessor kernel. But I
> want this to get done on a multiprocessor system kernel (SMP), because I am
> in a requirement to do that.
>
> Pls guide me.
>
> Thanks.
> ---
> Regards,
> Hariharan.R
>
> On Thu, 20 Apr 2006, Rob Crittenden wrote:
>
>> Hariharan R wrote:
>>
>>> Hai,
>>>
>>> Thanks for the reply.
>>>
>>> I tried to run the admin server after changing the JRE path in the
>>> "start_JVM" file and the admin configuration file. But I am still not able
>>> to run the admin server. I am getting the same error as I stated in my
>>> previous posting. That is, the server seems to be running but it is
>>> not actually.
>>
>> What do you mean you changed the JRE path? From what to what, and what
>> JRE did you point to? Are you running an SMP kernel? Can you try a
>> uniprocessor kernel?
>>
>>> Is there any incompatibility between FDS 7.1 and CentOS?
>>> Has anybody tested Fedora DS 7.1 on either CentOS 4.2 or CentOS 4.3?
>>
>> We did no testing on CentOS.
>>
>> rob
>>
>>> [I also attached the /admin-server/logs/error file in my
>>> previous posting]
>>>
>>> Pls help me resolve the problem.
>>>
>>> Regards,
>>> Hariharan R
>>> ---------
>>> Can any one pls guide me.
>>>
>>> http://directory.fedora.redhat.com/wiki/FAQ#Admin_Server_fails_to_start_on_MP_Linux_kernel_or_on_x86_64
>>>
>>> Is there a reason you aren't using FDS 1.0.2?
>>>
>>> rob
>>> -------------
>>> Thanks for your reply.
>>>
>>> As Jim Summers said, I am running all the server instances as the same
>>> user (root). But still I am not able to run my admin server. When I try
>>> to run it it shows the following:
>>>
>>> "server is ready to accept requests at 1800"; suddenly the process
>>> gets detached. There is no process listening on port 1800.
>>>
>>> I looked into the "/opt/fedora-ds/start-admin" script. There they
>>> are running the following command:
>>>
>>> "./uxwdog -d /opt/fedora-ds/admin-serv/config/ $@"
>>>
>>> I think this is the place the process gets stuck.
>>>
>>> My admin-server/log/error file has the following:
>>>
>>> [19/Apr/2006:17:09:59] info ( 9431): successful server startup
>>> [19/Apr/2006:17:09:59] info ( 9431): Netscape-Enterprise/6.2 B04/18/2005 13:49
>>> [19/Apr/2006:17:09:59] info ( 9431): Access Host filter is: *.cs.iitm.ernet.in
>>> [19/Apr/2006:17:09:59] info ( 9431): Access Address filter is: *
>>> [19/Apr/2006:17:09:59] info ( 9432): Installing a new configuration
>>> [19/Apr/2006:17:09:59] info ( 9432): [LS ls1] http://lilac.cs.iitm.ernet.in, port 1800 ready to accept requests
>>> [19/Apr/2006:17:09:59] info ( 9432): A new configuration was successfully installed
>>>
>>> Hai,
>>> I am trying to install Fedora DS 7.1 on CentOS 4.2.
>>> At the end of the installation, the Admin server is not able to run.
>>>
>>> After starting the console I tried to login using the admin ID but I
>>> am getting an error like "URL not found or server not running"
>>>
>>> When I first started with FDS I hit this also. It seemed like the
>>> suggestion that worked for me was to have all of the servers (dir and
>>> admin) run as the same user.
>>>
>>> ---
>>> Hariharan.R

From rmeggins at redhat.com Fri Apr 21 23:08:57 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 21 Apr 2006 17:08:57 -0600
Subject: [Fedora-directory-users] SSL directory server gateway
In-Reply-To: <44469A33.6060903@helix.nih.gov>
References: <44469A33.6060903@helix.nih.gov>
Message-ID: <44496609.7000700@redhat.com>

Jason Russler wrote:
> Hi all,
> I'm pretty uncertain about the best way to go about configuring the
> admin server to use SSL (FDS 1.0.2). All of the docs I'm finding are
> pretty shaky. Ultimately, I want users to manage their passwords and
> info via the web-based Directory Server Gateway over SSL. This would
> appear to be the same thing as enabling SSL for the admin server. The
> setupssl.sh script provided by the SSL howto generates the
> keys/certs for the admin server and imports them into the appropriate
> cert db (I guess, I've performed the process by hand as well, based
> on RedHat's docs and the script itself). This would imply to me that
> the admin console would find the generated certs and present them in
> the admin server's console (under the Configuration -> Encryption tab)
> in much the same way that it does in the directory server's console.
> I can't tell if something that's supposed to work isn't or if I'm
> misunderstanding something. I'd like to know before I try to generate
> new SSL certificates and import them.

Yes, that's the way it is supposed to work. I verified that it does work on FC5 using FDS 1.0.2.

> Thanks much,
> Jason

From nkinder at redhat.com Fri Apr 21 23:38:10 2006
From: nkinder at redhat.com (Nathan Kinder)
Date: Fri, 21 Apr 2006 16:38:10 -0700
Subject: [Fedora-directory-users] Fedora Directory Server 1.0.2 - Now available for FC5 (x86 and x86_64)
Message-ID: <44496CE2.6000806@redhat.com>

Fedora Directory Server 1.0.2 is now available for Fedora Core 5 x86 and x86_64!

You can download the Fedora Directory Server 1.0.2 RPMs from the download page:

http://directory.fedora.redhat.com/wiki/Download

For general information on Fedora Directory Server 1.0.2, please see the release notes page on our wiki:

http://directory.fedora.redhat.com/wiki/Release_Notes

From mikael.kermorgant at gmail.com Mon Apr 24 12:26:02 2006
From: mikael.kermorgant at gmail.com (Mikael Kermorgant)
Date: Mon, 24 Apr 2006 14:26:02 +0200
Subject: [Fedora-directory-users] access to console denied
Message-ID: <9711147e0604240526h4e9db68aif6ae8fd918300e98@mail.gmail.com>

Hello,

I made a mistake by removing the "Allowed hosts" entry in the management console. Having saved this action, I cannot start the console (HttpException, 401 Authorization required).
I've tried to run ./bin/admin/admconfig but it fails by not finding java on line 55.

Is there anything I can do to restore access to the console?

Thanks in advance,

--
Mikael Kermorgant

From mikael.kermorgant at gmail.com Mon Apr 24 12:42:45 2006
From: mikael.kermorgant at gmail.com (Mikael Kermorgant)
Date: Mon, 24 Apr 2006 14:42:45 +0200
Subject: [Fedora-directory-users] Re: access to console denied
In-Reply-To: <9711147e0604240526h4e9db68aif6ae8fd918300e98@mail.gmail.com>
References: <9711147e0604240526h4e9db68aif6ae8fd918300e98@mail.gmail.com>
Message-ID: <9711147e0604240542h2553fa6as73ce742c2f36a94e@mail.gmail.com>

I just found the answer:
http://directory.fedora.redhat.com/wiki/Howto:AdminServerLDAPMgmt#How_to_set_the_hosts.2FIP_addresses_allowed_to_access_the_Admin_Server

Sorry for the pollution,

Mikael Kermorgant

From mikael.kermorgant at gmail.com Mon Apr 24 13:15:09 2006
From: mikael.kermorgant at gmail.com (Mikael Kermorgant)
Date: Mon, 24 Apr 2006 15:15:09 +0200
Subject: [Fedora-directory-users] directory server gateway access configuration
Message-ID: <9711147e0604240615r36fc5b01ged50e0643bd8ffa8@mail.gmail.com>

Hello,

I'd like to use the directory server gateway but I get a 401 error:

---
Authorization Required
This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.
---

I've not found the right way to configure access to the gateway. Could someone point me in the right direction?
Thanks in advance,

--
Mikael Kermorgant

From jrussler at helix.nih.gov Mon Apr 24 14:50:55 2006
From: jrussler at helix.nih.gov (Jason Russler)
Date: Mon, 24 Apr 2006 10:50:55 -0400
Subject: [Fedora-directory-users] SSL directory server gateway
In-Reply-To: <44496609.7000700@redhat.com>
References: <44469A33.6060903@helix.nih.gov> <44496609.7000700@redhat.com>
Message-ID: <444CE5CF.3040804@helix.nih.gov>

Ok, I figured this out. The setupssl.sh script correctly names the cert and key databases for the administrator server based on the identifier you give the directory server on setup. The default administrator server configuration, on the other hand, creates and uses databases named after the system's host name. This problem was corrected by setting the correct database file names in /opt/fedora-ds/admin-serv/config/adm.conf. Or alternatively, simply copy the database files created by the script to the filenames that the administrator wants to use. The setupssl script should probably be altered to set the correct database file names in the adm.conf file.

Thanks for the responses,
Jason

>> Hi all,
>> I'm pretty uncertain about the best way to go about configuring the
>> admin server to use SSL (FDS 1.0.2). All of the docs I'm finding are
>> pretty shaky. Ultimately, I want users to manage their passwords and
>> info via the web-based Directory Server Gateway over SSL. This would
>> appear to be the same thing as enabling SSL for the admin server.
>> The setupssl.sh script provided by the SSL howto generates the
>> keys/certs for the admin server and imports them into the appropriate
>> cert db (I guess, I've performed the process by hand as well, based
>> on RedHat's docs and the script itself). This would imply to me that
>> the admin console would find the generated certs and present them in
>> the admin server's console (under the Configuration -> Encryption
>> tab) in much the same way that it does in the directory server's
>> console. I can't tell if something that's supposed to work isn't or
>> if I'm misunderstanding something. I'd like to know before I try to
>> generate new SSL certificates and import them.
>
> Yes, that's the way it is supposed to work. I verified that it does
> work on FC5 using FDS 1.0.2.

From jrussler at helix.nih.gov Mon Apr 24 15:46:46 2006
From: jrussler at helix.nih.gov (Jason Russler)
Date: Mon, 24 Apr 2006 11:46:46 -0400
Subject: [Fedora-directory-users] Directory Server gateway over SSL
Message-ID: <444CF2E6.7080407@helix.nih.gov>

Hi all,

After sorting out my SSL problems for the admin server I've run into an odd issue. The Directory server gateway runs very slowly and misses page items (images, form fields, etc): the "Authentication" tab, for instance, shows only the top menu bar and nothing else - the forms are left out. "Advanced Search" shows only the drop-down for "is, is not etc...". If I turn SSL off for the admin server and restart it, things go back to working great. Turn it on, and it slows and breaks again. Not sure what could cause this. The system is REH 3 with FDS 1.0.2. Anyone else see this behavior?

-Jason

From rcritten at redhat.com Mon Apr 24 18:00:18 2006
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 24 Apr 2006 14:00:18 -0400
Subject: [Fedora-directory-users] Directory Server gateway over SSL
In-Reply-To: <444CF2E6.7080407@helix.nih.gov>
References: <444CF2E6.7080407@helix.nih.gov>
Message-ID: <444D1232.2090902@redhat.com>

Jason Russler wrote:
> Hi all,
> After sorting out my SSL problems for the admin server I've run into an
> odd issue. The Directory server gateway runs very slowly and misses
> page items (images, form fields, etc): the "Authentication" tab, for
> instance, shows only the top menu bar and nothing else - the forms are
> left out. "Advanced Search" shows only the drop-down for "is, is not
> etc...". If I turn SSL off for the admin server and restart it, things
> go back to working great.
> Turn it on, and it slows and breaks again.
> Not sure what could cause this. The system is REH 3 with FDS 1.0.2.
> Anyone else see this behavior?
> -Jason

Can you look in /opt/fedora-ds/admin-serv/logs/errors? The problem is likely being logged there.

rob

From jrussler at helix.nih.gov Mon Apr 24 20:32:00 2006
From: jrussler at helix.nih.gov (Jason Russler)
Date: Mon, 24 Apr 2006 16:32:00 -0400
Subject: [Fedora-directory-users] Directory Server gateway over SSL
In-Reply-To: <444D1232.2090902@redhat.com>
References: <444CF2E6.7080407@helix.nih.gov> <444D1232.2090902@redhat.com>
Message-ID: <444D35C0.5010806@helix.nih.gov>

Crud - I was looking at the wrong logs.... At any rate here's what I see in the admin server's error logs:

[Mon Apr 24 15:28:34 2006] [notice] child pid 17051 exit signal Segmentation fault (11)
[Mon Apr 24 15:28:36 2006] [notice] [client x.x.x.x] admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x
[Mon Apr 24 15:28:37 2006] [notice] child pid 17151 exit signal Segmentation fault (11)
[Mon Apr 24 15:28:38 2006] [notice] [client x.x.x.x] admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x
[Mon Apr 24 15:28:39 2006] [notice] child pid 17226 exit signal Segmentation fault (11)
[Mon Apr 24 15:28:40 2006] [notice] [client x.x.x.x] admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x
[Mon Apr 24 15:28:41 2006] [notice] child pid 17298 exit signal Segmentation fault (11)
[Mon Apr 24 15:28:42 2006] [notice] [client x.x.x.x] admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x
[Mon Apr 24 15:28:43 2006] [notice] child pid 17374 exit signal Segmentation fault (11)
...

Where x.x.x.x is the ip of the client system (accessing the admin server via a web browser). "% host x.x.x.x" executed on the server system returns the correct host name for the remote client. Now, if I turn off SSL for the admin server I get similar entries:

...
[Mon Apr 24 16:01:27 2006] [notice] [client x.x.x.x] admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x, referer: http://this.here.host:49657/clients/dsgw/bin/csearch?context=dsgw&file=base
[Mon Apr 24 16:01:27 2006] [notice] [client x.x.x.x] admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x, referer: http://this.here.host:49657/clients/dsgw/bin/csearch?context=dsgw&file=attr
[Mon Apr 24 16:01:27 2006] [notice] [client x.x.x.x] admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x, referer: http://this.here.host:49657/clients/dsgw/bin/csearch?context=dsgw&file=match
[Mon Apr 24 16:01:27 2006] [notice] [client x.x.x.x] admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x, referer: http://this.here.host:49657/clients/dsgw/bin/csearch?context=dsgw&file=string
...

This is now without the segfault following every entry. Everything works fine, just over an unencrypted connection.

The system in question here is on 3 networks and is on one of our higher-end administrative systems (and the backup system when I get this one working). The /etc/hosts file entry for the system's "real" external IP address is not correct - the actual DNS name is associated with a private internal interface - for a pile of reasons that I won't go into. However DNS ("% host [system's full name]") resolves the system's real external IP address just fine. My wild guess is that the discrepancy between the hosts file and DNS is causing trouble when using SSL? But it is filling the error logs with or without SSL enabled. I have a stand-alone test system with one interface (running FC5) that works just fine over SSL - sucks for me that I have to get it working on the more complicated system.

-Jason

Rob Crittenden wrote:
> Jason Russler wrote:
>> Hi all,
>> After sorting out my SSL problems for the admin server I've run into
>> an odd issue. The Directory server gateway runs very slowly and
>> misses page items (images, form fields, etc): the "Authentication"
>> tab, for instance, shows only the top menu bar and nothing else - the
>> forms are left out. "Advanced Search" shows only the drop-down for
>> "is, is not etc...". If I turn SSL off for the admin server and
>> restart it, things go back to working great. Turn it on, and it
>> slows and breaks again. Not sure what could cause this. The system
>> is REH 3 with FDS 1.0.2. Anyone else see this behavior?
>> -Jason
>
> Can you look in /opt/fedora-ds/admin-serv/logs/errors? The problem is
> likely being logged there.
>
> rob

From rmeggins at redhat.com Tue Apr 25 02:22:09 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 24 Apr 2006 20:22:09 -0600
Subject: [Fedora-directory-users] Directory Server gateway over SSL
In-Reply-To: <444D35C0.5010806@helix.nih.gov>
References: <444CF2E6.7080407@helix.nih.gov> <444D1232.2090902@redhat.com> <444D35C0.5010806@helix.nih.gov>
Message-ID: <444D87D1.8040606@redhat.com>

Jason Russler wrote:
> Crud - I was looking at the wrong logs....
> At any rate here's what I
> see in the admin server's error logs:
>
> [Mon Apr 24 15:28:34 2006] [notice] child pid 17051 exit signal
> Segmentation fault (11)
> [Mon Apr 24 15:28:36 2006] [notice] [client x.x.x.x]
> admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x
> [Mon Apr 24 15:28:37 2006] [notice] child pid 17151 exit signal
> Segmentation fault (11)
> [Mon Apr 24 15:28:38 2006] [notice] [client x.x.x.x]
> admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x
> [Mon Apr 24 15:28:39 2006] [notice] child pid 17226 exit signal
> Segmentation fault (11)
> [Mon Apr 24 15:28:40 2006] [notice] [client x.x.x.x]
> admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x
> [Mon Apr 24 15:28:41 2006] [notice] child pid 17298 exit signal
> Segmentation fault (11)
> [Mon Apr 24 15:28:42 2006] [notice] [client x.x.x.x]
> admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x
> [Mon Apr 24 15:28:43 2006] [notice] child pid 17374 exit signal
> Segmentation fault (11)

Hmm - that's not good at all. What OS is this? You mentioned that you have an FC5 system running fine. Is this from just the initial click on the DS Gateway link from the main admin server page? Or do you actually get into the DS Gateway app?

> ...
>
> Where x.x.x.x is the ip of the client system (accessing the admin
> server via a web browser). "% host x.x.x.x" executed on the server
> system returns the correct host name for the remote client. Now, if I
> turn off SSL for the admin server I get similar entries:
>
> ...
> [Mon Apr 24 16:01:27 2006] [notice] [client x.x.x.x]
> admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x,
> referer:
> http://this.here.host:49657/clients/dsgw/bin/csearch?context=dsgw&file=base
>
> [Mon Apr 24 16:01:27 2006] [notice] [client x.x.x.x]
> admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x,
> referer:
> http://this.here.host:49657/clients/dsgw/bin/csearch?context=dsgw&file=attr
>
> [Mon Apr 24 16:01:27 2006] [notice] [client x.x.x.x]
> admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x,
> referer:
> http://this.here.host:49657/clients/dsgw/bin/csearch?context=dsgw&file=match
>
> [Mon Apr 24 16:01:27 2006] [notice] [client x.x.x.x]
> admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x,
> referer:
> http://this.here.host:49657/clients/dsgw/bin/csearch?context=dsgw&file=string
>
> ...
>
> This is now without the segfault following every entry. Everything
> works fine, just over an unencrypted connection.
>
> The system in question here is on 3 networks and is on one of our
> higher-end administrative systems (and the backup system when I get
> this one working). The /etc/hosts file entry for the system's "real"
> external IP address is not correct - the actual DNS name is associated
> with a private internal interface - for a pile of reasons that I won't
> go into. However DNS ("% host [system's full name]") resolves the
> system's real external IP address just fine. My wild guess is that
> the discrepancy between the hosts file and DNS is causing trouble when
> using SSL? But it is filling the error logs with or without SSL
> enabled. I have a stand-alone test system with one interface (running
> FC5) that works just fine over SSL - sucks for me that I have to get
> it working on the more complicated system.
>
> -Jason
>
> Rob Crittenden wrote:
>> Jason Russler wrote:
>>> Hi all,
>>> After sorting out my SSL problems for the admin server I've run into
>>> an odd issue. The Directory server gateway runs very slowly and
>>> misses page items (images, form fields, etc): the "Authentication"
>>> tab, for instance, shows only the top menu bar and nothing else -
>>> the forms are left out. "Advanced Search" shows only the drop-down
>>> for "is, is not etc...". If I turn SSL off for the admin server and
>>> restart it, things go back to working great. Turn it on, and it
>>> slows and breaks again. Not sure what could cause this. The system
>>> is REH 3 with FDS 1.0.2. Anyone else see this behavior?
>>> -Jason
>>
>> Can you look in /opt/fedora-ds/admin-serv/logs/errors? The problem is
>> likely being logged there.
>>
>> rob

From mikael.kermorgant at gmail.com Tue Apr 25 07:54:02 2006
From: mikael.kermorgant at gmail.com (Mikael Kermorgant)
Date: Tue, 25 Apr 2006 09:54:02 +0200
Subject: [Fedora-directory-users] use of dynamic groups from client applications
Message-ID: <9711147e0604250054o33c6f391u91d61d50dd810110@mail.gmail.com>

Hello,

I have recently discovered FDS and the use of dynamic groups. As I had many groups that I generate by scripts on a regular basis, I thought the use of dynamic groups would remove a certain amount of complexity and administration from my current setup. However, things do not work like I expected.
I'm testing my dynamic groups from a site built with Plone (which can find which groups the user belongs to when authenticating) and group membership is not found.

Do client applications have to support "dynamic groups" by using the "memberurl" attribute to issue a search on their own? If that's the case, has the possibility to emulate a static group from an external point of view (with a cache being refreshed after updates on the directory) been envisaged?

Thanks in advance,

--
Mikael Kermorgant

From kedar7k3 at gmail.com Tue Apr 25 08:43:38 2006
From: kedar7k3 at gmail.com (Kedar)
Date: Tue, 25 Apr 2006 14:13:38 +0530
Subject: [Fedora-directory-users] Fedora Directory Server -- Kerberos 5 integration.
Message-ID: <444DE13A.4050108@gmail.com>

Hi,

I tried looking all over the web but could not find this. I wish to integrate Fedora Directory Server with Kerberos 5 such that FDS acts like a pass-through. Any help on this will be appreciated.

Regards,
Kedar

From hariharan at lantana.tenet.res.in Tue Apr 25 09:55:02 2006
From: hariharan at lantana.tenet.res.in (Hariharan R)
Date: Tue, 25 Apr 2006 15:25:02 +0530 (IST)
Subject: [Fedora-directory-users] Administrating Fedora directory Server through commands
In-Reply-To:
References:
Message-ID:

Hai,

I am using Fedora Directory Server 7.1 on CentOS 4.3 (SMP kernel). Now I want to administer FDS from the command line, so I am using the ldapadd, ldapmodify, ldapdelete ... commands.

I have no problem in adding an organizational unit or user to the directory. I am getting a problem while trying to add a new root suffix to the FDS from the command line.

This is the process I am following to add a new root suffix:

1) The ldif file (root.ldif) contains the following attributes corresponding to the root entry:

   dn: cn="dc=newroot,dc=com",cn=mapping tree,cn=config
   objectclass: dcobject
   objectclass: top
   objectClass: domain
   objectclass: extensibleObject
   objectclass: nsMappingTree
   nsslapd-state: backend
   nsslapd-backend: newdb
   cn: dc=newroot,dc=com
   dc: newroot

2) Then I am using the ldapadd command to add the root suffix which is defined in the ldif file (root.ldif):

   ldapadd -x -D "cn=Directory Manager" -w testingdir -f root.ldif

This command gets executed perfectly. Then I opened the FDS console. Perhaps there is no error in the log file too.

3) Click Directory server > configuration. I have the entry for "newroot", and "newdb" is the database assigned to the database.

4) Then if I open the Directory server > directory window I am not having a directory entry for the newly created root suffix.

I don't have any problem if I create the root suffix from the GUI mode.

What could be the problem? Can anyone pls help me to get rid of the problem?

Is there any documentation available for administrating the Fedora Directory server from the command line with troubleshooting methods? (Now I am using the Fedora DS administration guide.)

Thanks in advance.
---
Regards,
Hariharan.R

From jrussler at helix.nih.gov Tue Apr 25 13:35:41 2006
From: jrussler at helix.nih.gov (Jason Russler)
Date: Tue, 25 Apr 2006 09:35:41 -0400
Subject: [Fedora-directory-users] Directory Server gateway over SSL
In-Reply-To: <444D87D1.8040606@redhat.com>
References: <444CF2E6.7080407@helix.nih.gov> <444D1232.2090902@redhat.com> <444D35C0.5010806@helix.nih.gov> <444D87D1.8040606@redhat.com>
Message-ID: <444E25AD.1040004@helix.nih.gov>

> Hmm - that's not good at all. What OS is this? You mentioned that
> you have an FC5 system running fine. Is this from just the initial
> click on the DS Gateway link from the main admin server page?
> Or do you actually get into the DS Gateway app?

This is a RedHat Enterprise 3 system (current update) on an x86 HP Proliant system. The logs look like this from the link page on up. For instance, when SSL is enabled for the admin server, these are the entries for the root page ("Services for Users" at the top):

--
[Tue Apr 25 09:04:44 2006] [notice] [client x.x.x.x] admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x
[Tue Apr 25 09:04:45 2006] [notice] child pid 20951 exit signal Segmentation fault (11)
[Tue Apr 25 09:04:46 2006] [notice] [client x.x.x.x] admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x
[Tue Apr 25 09:04:47 2006] [notice] child pid 21018 exit signal Segmentation fault (11)
[Tue Apr 25 09:04:48 2006] [notice] [client x.x.x.x] admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x, referer: https://admin.server.host:49657/dist/download
[Tue Apr 25 09:04:48 2006] [notice] [client x.x.x.x] admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x, referer: https://admin.server.host:49657/dist/download
[Tue Apr 25 09:04:49 2006] [notice] child pid 21087 exit signal Segmentation fault (11)
--

Where x.x.x.x is the client system. Funny thing is, I get that page - it's just slow. But if I go into the DS Gateway (and I can), only parts of the pages manage to get received by the client. The "Fedora Administration Express" section does the same. Images, for instance, successfully get fetched at random and many parts of the forms never manage to get downloaded. The log output looks the same however: a "can't resolve host" line followed by a "segfault" line for almost everything.

Here's a piece of the "Directory Gateway" front page:

--
[Tue Apr 25 09:22:58 2006] [notice] child pid 24036 exit signal Segmentation fault (11)
[Tue Apr 25 09:22:59 2006] [notice] [client x.x.x.x] admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x, referer: https://admin.serv.host:49657/clients/dsgw/bin/lang?context=dsgw&file=maintitle.html
[Tue Apr 25 09:22:59 2006] [notice] [client x.x.x.x] admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x, referer: https://admin.serv.host:49657/clients/dsgw/bin/lang?context=dsgw&file=maintitle.html
[Tue Apr 25 09:23:00 2006] [notice] child pid 24107 exit signal Segmentation fault (11)
[Tue Apr 25 09:23:01 2006] [notice] [client x.x.x.x] admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x, referer: https://admin.serv.host:49657/clients/dsgw/bin/lang?context=dsgw&file=maintitle.html
[Tue Apr 25 09:23:01 2006] [notice] [client x.x.x.x] admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x, referer: https://admin.serv.host:49657/clients/dsgw/bin/lang?context=dsgw&file=maintitle.html
[Tue Apr 25 09:23:02 2006] [notice] child pid 24179 exit signal Segmentation fault (11)
[Tue Apr 25 09:23:03 2006] [notice] [client x.x.x.x] admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x, referer: https://admin.serv.host:49657/clients/dsgw/bin/lang?context=dsgw&file=maintitle.html
[Tue Apr 25 09:23:04 2006] [notice] child pid 24249 exit signal Segmentation fault (11)
[Tue Apr 25 09:23:05 2006] [notice] [client x.x.x.x] admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x, referer: https://admin.serv.host:49657/clients/dsgw/bin/lang?context=dsgw&file=maintitle.html
[Tue Apr 25 09:23:06 2006] [notice] child pid 24318 exit signal Segmentation fault (11)
--

Here's the output when accessing via the Java console (which attaches via a different interface):

--
[Tue Apr 25 09:09:48 2006] [notice] [client 10.1.128.5] admserv_host_ip_check: ap_get_remote_host could not resolve 10.1.128.5
[Tue Apr 25 09:09:48 2006] [notice] [client 10.1.128.5] admserv_check_authz(): passing [/admin-serv/authenticate] to the userauth handler
[Tue Apr 25 09:09:50 2006] [notice] child pid 21154 exit signal Segmentation fault (11)
[Tue Apr 25 09:09:59 2006] [notice] [client 10.1.128.5] admserv_host_ip_check: ap_get_remote_host could not resolve 10.1.128.5
[Tue Apr 25 09:09:59 2006] [notice] child pid 21576 exit signal Segmentation fault (11)
[Tue Apr 25 09:10:00 2006] [notice] [client 10.1.128.5] admserv_host_ip_check: ap_get_remote_host could not resolve 10.1.128.5
[Tue Apr 25 09:10:01 2006] [notice] child pid 21650 exit signal Segmentation fault (11)
[Tue Apr 25 09:10:02 2006] [notice] [client 10.1.128.5] admserv_host_ip_check: ap_get_remote_host could not resolve 10.1.128.5
[Tue Apr 25 09:10:03 2006] [notice] child pid 21736 exit signal Segmentation fault (11)
--

The console appears to work, but I haven't done a lot of testing. It is what I use to turn SSL on and off. If I turn SSL off, here's the root (Services for User) page from a browser:

--
[Tue Apr 25 09:12:40 2006] [notice] [client x.x.x.x] admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x
[Tue Apr 25 09:12:44 2006] [notice] [client x.x.x.x] admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x
[Tue Apr 25 09:12:44 2006] [notice] [client x.x.x.x] admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x, referer: http://admin.server.host:49657/dist/download
[Tue Apr 25 09:12:44 2006] [notice] [client x.x.x.x] admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x, referer: http://admin.server.host:49657/dist/download
--

With SSL off, everything works quickly and nicely with the exception of these log entries. The client name/address and the system's name/address do resolve correctly via DNS. The LDAP portion of the server works fine over SSL.
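The "admserv_host_ip_check: ap_get_remote_host could not resolve" lines above are reverse-DNS failures, independent of SSL, so the check worth running is whether the client address round-trips: its PTR record must yield a name, and that name must resolve back to the same address (Apache's double-reverse lookup). The script below is an added example, not code from the post or from Fedora DS or Apache; it assumes the admin server obtains client names the way Apache's ap_get_remote_host does, and the zone it runs against offline is constructed here. A name-based Access Host filter has nothing to match for a client whose address never produced a name.

```python
"""Check whether a client address passes the double-reverse DNS lookup that
Apache-style host/IP access checks rely on.

Added example, not code from the original post or from Fedora DS/Apache.
Assumption: admserv_host_ip_check obtains the client name the way Apache's
ap_get_remote_host does (PTR lookup, then a forward lookup of the returned
name that must contain the original address).
"""
import socket


def double_reverse_check(addr, gethostbyaddr=socket.gethostbyaddr,
                         gethostbyname_ex=socket.gethostbyname_ex):
    """Return (ok, detail).

    ok is True only when addr -> PTR name -> forward records round-trips back
    to addr. The resolver functions are parameters so the check can run
    against a fake resolver offline or the real one (the defaults).
    """
    try:
        name, _aliases, _addrs = gethostbyaddr(addr)
    except OSError as exc:                       # socket.herror is an OSError
        return False, f"no PTR record for {addr}: {exc}"
    try:
        _canon, _aliases, forward = gethostbyname_ex(name)
    except OSError as exc:                       # socket.gaierror likewise
        return False, f"PTR gives {name!r} but it does not resolve: {exc}"
    if addr not in forward:
        return False, (f"PTR gives {name!r}, which resolves to {forward}, "
                       f"not back to {addr}")
    return True, name


def make_fake_resolver(ptr, fwd):
    """gethostbyaddr/gethostbyname_ex stand-ins built from two dicts:
    ptr maps address -> name, fwd maps name -> list of addresses. Missing
    keys raise the exception types the socket module raises."""
    def gethostbyaddr(addr):
        if addr not in ptr:
            raise socket.herror(1, "Unknown host")
        return ptr[addr], [], [addr]

    def gethostbyname_ex(name):
        if name not in fwd:
            raise socket.gaierror(-2, "Name or service not known")
        return name, [], list(fwd[name])

    return gethostbyaddr, gethostbyname_ex


# Constructed sample zone: one client round-trips, one has no PTR at all,
# and one has a PTR whose name points at a different address.
SAMPLE_PTR = {"10.1.128.5": "console.example.test",
              "10.1.128.9": "stale.example.test"}
SAMPLE_FWD = {"console.example.test": ["10.1.128.5"],
              "stale.example.test": ["10.1.128.77"]}


def check_sample(addr):
    """Run the check for addr against the constructed sample zone."""
    gha, ghn = make_fake_resolver(SAMPLE_PTR, SAMPLE_FWD)
    return double_reverse_check(addr, gha, ghn)


if __name__ == "__main__":
    import sys
    # Addresses on the command line are checked against the real resolver;
    # with no arguments the constructed zone is exercised instead.
    if sys.argv[1:]:
        results = [(a, double_reverse_check(a)) for a in sys.argv[1:]]
    else:
        results = [(a, check_sample(a))
                   for a in ("10.1.128.5", "10.1.128.9", "10.1.128.200")]
    for addr, (ok, detail) in results:
        print(f"{addr}: {'OK' if ok else 'FAIL'} ({detail})")
```

Run it with the client's address as an argument on the admin server itself, since that is the resolver the server uses; a client that passes on the workstation but fails on the server points at a resolver difference (/etc/hosts, search domains, a split view), not at DNS as a whole.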
From hariharan at lantana.tenet.res.in Tue Apr 25 03:56:49 2006
From: hariharan at lantana.tenet.res.in (Hariharan R)
Date: Tue, 25 Apr 2006 09:26:49 +0530 (IST)
Subject: [Fedora-directory-users] Re: Fedora directory server 7.1 on CentOS
Message-ID:

Hai,

Thanks for your help. Finally I made the Fedora DS work on the CentOS 4.3 SMP kernel. There is a problem in support for Java by FDS. To configure Fedora DS 7.1 on a multiprocessor kernel like CentOS 4.3 SMP we need to do the following:

1) By default FDS 7.1 uses the IBM JRE, which will not help the Admin Server to run on a multiprocessor kernel.
2) So download the latest Sun Java (JDK 1.5 or above) and install it.
3) Open the configuration file "/opt/fedora-ds/bin/https/bin/start_JVM".
4) Edit the file and update the NSES_JRE field with the newly installed Java (JRE) path. Accordingly update the NSES_JRE_RUNTIME field. For example:
-----------
NSES_JRE=/opt/jdk1.5.0_06/jre;export NSES_JRE
NSES_SERVER_HOME=/opt/fedora-ds; export NSES_SERVER_HOME
NSES_JRE_RUNTIME_LIBPATH=${NSES_JRE}/lib/i386/server:${NSES_JRE}/lib/i386:${NSES_JRE}/lib/i386/classic:${NSES_SERVER_HOME}/lib/i386/native_threads; export NSES_JRE_RUNTIME_LIBPATH
5) Open "/opt/fedora-ds/admin-serv/config/jvm12.conf", modify the jvm.option field as "jvm.option=Xrs -server" and remove all other entries below it in that file.
6) Make sure the directory server instance is running.
7) Now start the Admin server (./start-admin). It should work.

There is no problem in configuring Fedora DS 7.1 on a uniprocessor kernel.

Thanks a lot for all your support. (Let me contact you all for further enquiries if I have any.)

Note: I kindly request the moderator to post this mail in the user archive. This must be useful to Fedora Directory Server users to configure FDS 7.1 on CentOS and multiprocessor systems.
---- Regards, Hariharan.R On Fri, 21 Apr 2006, Rob Crittenden wrote: > Hariharan R wrote: >> Hai, >> By default Fedora DS 7.1 is configures to use the IBM JRE(in the >> start_JVM file).In one mailing list they asked me to change to Sun >> JRE.Because they told that that may be the reason for Admin server not >> able to run. > > You mentioned that you had changed the JRE but didn't say what you changed > it to. When 7.1 was released a LOT of users had this same problem and > replacing the JRE fixed it for all of them. > > The other alternative is to try FDS 1.0.2 which uses a different web server > so this problem goes away entirely. > > rob > >> >> My FDS 7.1 is running perfectly on CentOS 4.2 uniprocessor kernal.But i >> want this to get done in Multi Processor System Kernal(SMP),because i am >> in a requirement to do that. >> >> Pls guide me. >> >> >> Thanks. >> --- >> Regards, >> Hariharan.R >> >> On Thu, 20 Apr 2006, Rob Crittenden wrote: >> >>> Hariharan R wrote: >>> >>>> Hai, >>>> >>>> Thanks for the reply. >>>> >>>> I tried to run the admin server after changing the JRE path in >>>> "start_JVM" file and admin configuration file.But i am still not able >>>> to run the admin server.I am getting the same error as i stated in my >>>> previous posting.That is the server is seems to be running but it is >>>> not actually. >>> >>> >>> What do you mean you changed the JRE path? From what to what, and what >>> JRE did you point to? Are you running an SMP kernel? Can you try a >>> uniprocessor kernel? >>> >>>> >>>> Is there any incompatability between FDS 7.1 and CentOS? >>>> Is anybody tested Fedora DS 7.1 on either CentOS 4.2 or CentOS 4.3? >>> >>> >>> We did no testing on CentOS. >>> >>> rob >>> >>>> >>>> [I also attached /admin-server/logs/error file in my >>>> previous posting] >>>> >>>> Pls help me resolve the problem. >>>> >>>> Regards, >>>> Hariharan R >>>> --------- >>>> Can any one pls guide me. 
>>>> >>>> http://directory.fedora.redhat.com/wiki/FAQ#Admin_Server_fails_to_start_on_MP_Linux_kernel_or_on_x86_64 >>>> Is there a reason you aren't using FDS 1.0.2? >>>> >>>> rob >>>> ------------- >>>> Thanks for your reply. >>>> >>>> As Jim summers said, i am running all the server instances as a same >>>> user(root).But still i am not able to run my admin server.When i try >>>> to run it it shows the following >>>> >>>> "server is ready to accept requests at 1800" suddenly the process >>>> get detatched.There is no process listening on port 1800. >>>> >>>> I looked into the "/opt/fedora-ds/start-admin" script.There they >>>> are running the following command >>>> >>>> "./uxwdog -d /opt/fedora-ds/admin-serv/config/ $@" >>>> >>>> I think this is the place the process get struck. >>>> >>>> My admin-server/log/error file has the following >>>> >>>> [19/Apr/2006:17:09:59] info ( 9431): successful server startup >>>> >>>> [19/Apr/2006:17:09:59] info ( 9431): Netscape-Enterprise/6.2 >>>> B04/18/2005 13:49 [19/Apr/2006:17:09:59] info ( 9431): Access Host >>>> filter is: *.cs.iitm.ernet.in >>>> >>>> [19/Apr/2006:17:09:59] info ( 9431): Access Address filter is: * >>>> [19/Apr/2006:17:09:59] info ( 9432): Installing a new configuration >>>> >>>> [19/Apr/2006:17:09:59] info ( 9432): [LS ls1] >>>> http://lilac.cs.iitm.ernet.in, port 1800 ready to accept requests >>>> [19/Apr/2006:17:09:59] info ( 9432): A new configuration was >>>> successfully installed >>>> >>>> >>>> Hai, >>>> I am trying to install Fedora DS 7.1 on CentOS4.2. >>>> At the End of the installation,the Admin server is not able to run. >>>> >>>> >>>> After starting the console i tried to login using admin ID but i >>>> am getting error like "URL not found or server not running" >>>> >>>> When I first started with FDS I hit this also. It seemed like the >>>> suggestion that worked for me was to have all of the servers (dir and >>>> admin) run as the same user. 
>>>> >>>> -- >>>> Fedora-directory-users mailing list >>>> Fedora-directory-users redhat com >>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>> >>>> >>>> --- >>>> Hariharan.R >>> >>> >>> > > From rmeggins at redhat.com Tue Apr 25 14:29:41 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Tue, 25 Apr 2006 08:29:41 -0600 Subject: [Fedora-directory-users] use of dynamic groups from client applications In-Reply-To: <9711147e0604250054o33c6f391u91d61d50dd810110@mail.gmail.com> References: <9711147e0604250054o33c6f391u91d61d50dd810110@mail.gmail.com> Message-ID: <444E3255.2090504@redhat.com> Mikael Kermorgant wrote: > Hello, > > I have recently discovered FDS and the use of dynamic groups. > > As I had many groups that I generate by scripts on a regular basis, I > thought the use of dynamic groups would remove a certain amount of > complexity and administration from my current setup. > > However, things do not work like I expected. I'm testing my dynamic > groups from a site built with Plone (which can find which groups the > user belongs to when authenticating) and group membership is not > found. > > Do client applications have to support "dynamic groups" by using the > "memberurl" attribute to issue a search by their own ? > Yes. > If that's the case, has the possibility to emulate a static group from > an external point of view (with a cache being refreshed after updates > on the directory) been envisaged ? > It depends. What are you trying to do? Populate the members of a static group entry dynamically depending on some property of the entry of each member? Or do you automatically add some attribute to each member's entry indicating their group membership? Fedora DS has two features in addition to support for traditional groups: Roles and Class of Service. 
With Roles, you can create (statically or dynamically) "groups" that you can perform the following operations on much faster than with traditional groups: 1) List all members of a given Role 2) Test if user A has Role B 3) List all Roles that user A has Class of Service allows you to dynamically add virtual attributes to users' entries. > Thanks in advance, > > -- > Mikael Kermorgant > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Tue Apr 25 14:40:38 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Tue, 25 Apr 2006 08:40:38 -0600 Subject: [Fedora-directory-users] Administrating Fedora directory Server through commands In-Reply-To: References: Message-ID: <444E34E6.1050003@redhat.com> Hariharan R wrote: > Hai, > > I am using Fedora Directory Server 7.1 on CentOS 4.3 (SMP kernal). > > Now i want to administer FDS from the command line.so i am using > ldapadd,ldapmodify,ldapdelete ... commands. > > I have no problem in adding an organizational unit or user to the > directory. > > I am getting problem while try to add a new root suffix to the FDS from > the command line. 
>
> This is the process i am following to add a new root suffix
>
> 1) The ldif file (root.ldif) contains the following attributes
> corresponding to the root entry
>
> dn: cn="dc=newroot,dc=com",cn=mapping tree,cn=config
> objectclass: dcobject
> objectclass: top
> objectClass: domain
> objectclass: extensibleObject
> objectclass: nsMappingTree
> nsslapd-state: backend
> nsslapd-backend: newdb
> cn: dc=newroot,dc=com
> dc: newroot
>
> 2) Then i am using the ldapadd command to add the root suffix which is
> defined in the ldif file (root.ldif)
>
> ldapadd -x -D "cn=Directory Manager" -w testingdir -f root.ldif
>
> This command gets executed perfectly. Then i opened the FDS console.
> Perhaps there is no error in the log file too.
>
> 3) Click Directory server > configuration
>
> I have the entry for "newroot" and "newdb" is the database assigned to
> the database.

But I think you did not define the database "newdb". See
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/entry_dist.html#18238

You should add an entry that looks like this:

dn: cn=newdb,cn=ldbm database,cn=plugins,cn=config
objectclass: extensibleObject
objectclass: nsBackendInstance
nsslapd-suffix: dc=newroot,dc=com

> 4) Then if i open the Directory server > directory window i am not
> having a directory entry for the newly created root suffix.

Finally, you need to add an actual _entry_. The directory browser window only shows you entries. Defining a suffix and a database does not actually add any data/entries to the newly created suffix. You need to add an entry like this:

dn: dc=newroot,dc=com
objectclass: top
objectclass: domain
dc: newroot

> I don't have any problem if i create the root suffix from the GUI
> mode.

The console does a lot of this behind the scenes.

>
> What could be the problem?
>
> Can anyone pls help me to get rid of the problem?
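The three entries in the reply above, as an added example that generates them for any suffix and backend name instead of hand-editing the LDIF each time (example code, not the thread's or Fedora DS's own). The entry layouts are the ones given above; the mapping-tree entry carries only the classes it needs, since the domain objectClass and dc attribute belong on the suffix's top entry, and choosing that top entry's objectClass from the suffix's RDN attribute (domain for dc=, organization for o=, organizationalUnit for ou=) is this example's generalization. Feed the output to ldapadd; with OpenLDAP's ldapadd, -W prompts for the Directory Manager password rather than -w putting it on a command line that shows up in the process list and shell history.

```python
"""Generate the three LDIF entries that create a new root suffix in Fedora
DS from the command line: the ldbm backend, the mapping-tree entry and the
suffix's own top entry.

Added example, not code from the thread or from Fedora DS. The entry
layouts follow the reply above; picking the top entry's objectClass from
the suffix's RDN attribute is this example's own generalization.
"""
import sys

# objectClass for the suffix's top entry, keyed by its RDN attribute
# (assumed mapping for the common suffix styles).
TOP_ENTRY_CLASS = {
    "dc": "domain",
    "o": "organization",
    "ou": "organizationalUnit",
    "c": "country",
}


def parse_rdn(suffix):
    """First RDN of a DN as (attr, value): 'dc=newroot,dc=com' -> ('dc', 'newroot').
    Only single-valued RDNs without escaped commas are handled."""
    first = suffix.split(",", 1)[0]
    attr, sep, value = first.partition("=")
    if not sep or not attr.strip() or not value.strip():
        raise ValueError(f"not a DN: {suffix!r}")
    return attr.strip().lower(), value.strip()


def backend_entry(suffix, backend):
    """ldbm backend instance that will hold the suffix."""
    return "\n".join([
        f"dn: cn={backend},cn=ldbm database,cn=plugins,cn=config",
        "objectclass: extensibleObject",
        "objectclass: nsBackendInstance",
        f"cn: {backend}",
        f"nsslapd-suffix: {suffix}",
    ])


def mapping_tree_entry(suffix, backend):
    """Mapping-tree entry routing the suffix to the backend. Its RDN is the
    suffix itself, quoted because it contains commas and '='."""
    return "\n".join([
        f'dn: cn="{suffix}",cn=mapping tree,cn=config',
        "objectclass: top",
        "objectclass: extensibleObject",
        "objectclass: nsMappingTree",
        "nsslapd-state: backend",
        f"nsslapd-backend: {backend}",
        f"cn: {suffix}",
    ])


def top_entry(suffix):
    """The suffix's own entry; without it the directory browser shows nothing."""
    attr, value = parse_rdn(suffix)
    if attr not in TOP_ENTRY_CLASS:
        raise ValueError(f"no objectClass known for RDN attribute {attr!r}")
    return "\n".join([
        f"dn: {suffix}",
        "objectclass: top",
        f"objectclass: {TOP_ENTRY_CLASS[attr]}",
        f"{attr}: {value}",
    ])


def suffix_ldif(suffix, backend):
    """All three entries, backend first so the mapping tree can refer to it,
    separated by blank lines as ldapadd expects."""
    return "\n\n".join([
        backend_entry(suffix, backend),
        mapping_tree_entry(suffix, backend),
        top_entry(suffix),
    ]) + "\n"


if __name__ == "__main__":
    # python3 newsuffix.py dc=newroot,dc=com newdb | ldapadd -x -D "cn=Directory Manager" -W
    suffix = sys.argv[1] if len(sys.argv) > 1 else "dc=newroot,dc=com"
    backend = sys.argv[2] if len(sys.argv) > 2 else "newdb"
    sys.stdout.write(suffix_ldif(suffix, backend))
```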
> > Is there is any documentation available for administrating the Fedora > Directory server from the command line with trouble shooting > methods.(Now i am using Fedors DS administration guide.) > > Thanks in advance. > > --- > Regards, > Hariharan.R > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Tue Apr 25 14:41:39 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Tue, 25 Apr 2006 08:41:39 -0600 Subject: [Fedora-directory-users] Fedora Directory Server -- Kerberos 5 integration. In-Reply-To: <444DE13A.4050108@gmail.com> References: <444DE13A.4050108@gmail.com> Message-ID: <444E3523.2030500@redhat.com> Kedar wrote: > Hi, > I tried looking all over the web but could not find this. > > I wish to integrate Fedora Directory Server with Kerberos 5 such that > FDS acts like a pass through. http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1083165 > > Any help on this will be appreciated. > > Regards, > Kedar > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From danhawker at wessexmc.org.uk Tue Apr 25 15:18:16 2006 From: danhawker at wessexmc.org.uk (Dan Hawker) Date: Tue, 25 Apr 2006 16:18:16 +0100 (BST) Subject: [Fedora-directory-users] Windows Console Problems Message-ID: <61816.194.203.13.71.1145978296.squirrel@www.gradwell.com> Hi All, Have managed to install a copy of FDS (1.0.2) on FC4 within a Xen guest. All works and went pretty well. 
My only problem at the moment is getting the console to load up. As you can appreciate, what with the host OS being a Xen VM, I have no need for a GUI on the server and do all of my admining via SSH, hence running the startconsole script to grab the script has proven

I have tried following the instructions on the wiki, however whenever I try and connect, I receive the error:-

Exception in thread "main" java.lang.NoClassDefFoundError: com/netscape/management/client/console/Console

I have had a search through the wiki and the archives, however as of yet have turned up nothing.

Has anybody any ideas???

Have checked that FDS is up and running using Softerra's LDAPBrowser software. All seems to be fine.

TIA

Dan

From mikael.kermorgant at gmail.com Tue Apr 25 16:23:10 2006
From: mikael.kermorgant at gmail.com (Mikael Kermorgant)
Date: Tue, 25 Apr 2006 18:23:10 +0200
Subject: [Fedora-directory-users] use of dynamic groups from client applications
In-Reply-To: <444E3255.2090504@redhat.com>
References: <9711147e0604250054o33c6f391u91d61d50dd810110@mail.gmail.com> <444E3255.2090504@redhat.com>
Message-ID: <9711147e0604250923k1590b4f1n59dc1d4025b31e87@mail.gmail.com>

> > Do client applications have to support "dynamic groups" by using the
> > "memberurl" attribute to issue a search by their own ?
> >
> Yes.

Ok, that buries the "dynamic group" option for my setup. Indeed, Plone is looking for the attribute 'member' or 'uniquemember' in the group objects.

> > If that's the case, has the possibility to emulate a static group from
> > an external point of view (with a cache being refreshed after updates
> > on the directory) been envisaged ?

> It depends. What are you trying to do? Populate the members of a
> static group entry dynamically depending on some property of the entry
> of each member?

Exactly.
But with a filtered Role, won't I have the same behaviour as in dynamic groups in the sense that the role only has a 'nsrolefilter' attribute similar to 'memberurl' and not a true list of the members ?

Best Regards,
--
Mikael Kermorgant

From rmeggins at redhat.com Tue Apr 25 16:33:23 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 25 Apr 2006 10:33:23 -0600
Subject: [Fedora-directory-users] use of dynamic groups from client applications
In-Reply-To: <9711147e0604250923k1590b4f1n59dc1d4025b31e87@mail.gmail.com>
References: <9711147e0604250054o33c6f391u91d61d50dd810110@mail.gmail.com> <444E3255.2090504@redhat.com> <9711147e0604250923k1590b4f1n59dc1d4025b31e87@mail.gmail.com>
Message-ID: <444E4F53.5080106@redhat.com>

Mikael Kermorgant wrote:
>>> Do client applications have to support "dynamic groups" by using the
>>> "memberurl" attribute to issue a search by their own ?
>>>
>> Yes.
>>
> Ok, that buries the "dynamic group" option for my setup. Indeed,
> Plone is looking for the attribute 'member' or 'uniquemember' in the
> group objects.
>
>>> If that's the case, has the possibility to emulate a static group from
>>> an external point of view (with a cache being refreshed after updates
>>> on the directory) been envisaged ?
>>>
>> It depends. What are you trying to do? Populate the members of a
>> static group entry dynamically depending on some property of the entry
>> of each member?
>>
> Exactly.
> But with a filtered Role, won't I have the same behaviour as in
> dynamic groups in the sense that the role only has a 'nsrolefilter'
> attribute similar to 'memberurl' and not a true list of the members ?
>
Right. AFAIK, there is no way to have a single entry with a single attribute whose values are computed from a search filter.
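What Mikael asks for in this exchange (a group whose uniqueMember list is computed from a filter, for a client such as Plone that only reads member/uniqueMember) can be done outside the server, since the reply says no attribute does it inside: evaluate each memberURL of the dynamic group, write the resulting DNs into a static groupOfUniqueNames entry with an LDIF modify, and rerun the job from cron after the scripted directory updates, which is the "cache refreshed after updates" the question describes. The code below is an added example, not part of the thread or of Fedora DS. It works entirely on in-memory entries so it runs offline: the LDAP URL parser, the filter evaluator (equality, presence, trailing-* prefix, &, | and !, a subset of RFC 4515), the scope check and the sample directory contents are all this example's own; against a live server the in-memory scan would be replaced by an ldapsearch with the same base, scope and filter, and the LDIF fed to ldapmodify.

```python
"""Materialize a Fedora DS dynamic group (memberURL) into a static
uniqueMember list for clients that only understand static groups.

Added example, not code from the thread or from Fedora DS. Everything here
runs against in-memory entries; the LDAP URL parser, the filter subset, the
scope check and the sample directory contents are this example's own.
"""
from urllib.parse import unquote


def parse_member_url(url):
    """Split 'ldap:///base?attrs?scope?filter' into (base, scope, filter).
    Defaults follow RFC 4516: scope 'base', filter '(objectClass=*)'."""
    if not url.lower().startswith("ldap:///"):
        raise ValueError(f"only ldap:/// URLs are supported: {url!r}")
    parts = url[len("ldap:///"):].split("?")
    parts += [""] * (4 - len(parts))
    base, _attrs, scope, flt = (unquote(p) for p in parts[:4])
    return base, (scope or "base").lower(), flt or "(objectClass=*)"


def _norm(dn):
    """Case-fold a DN and drop spaces after commas (no escaping handled)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def in_scope(dn, base, scope):
    dn, base = _norm(dn), _norm(base)
    if scope == "base":
        return dn == base
    if scope == "one":
        return "," in dn and dn.split(",", 1)[1] == base
    if scope == "sub":
        return dn == base or dn.endswith("," + base)
    raise ValueError(f"unknown scope {scope!r}")


def parse_filter(text):
    """Compile a subset of RFC 4515 (equality, presence, trailing-* prefix,
    &, |, !) into a predicate over entry dicts {attr_lowercase: [values]}."""
    pred, rest = _parse_node(text.strip())
    if rest:
        raise ValueError(f"trailing text in filter: {rest!r}")
    return pred


def _parse_node(s):
    if not s.startswith("("):
        raise ValueError(f"expected '(' at {s!r}")
    op = s[1]
    if op in "&|!":
        kids, s = [], s[2:]
        while s.startswith("("):
            kid, s = _parse_node(s)
            kids.append(kid)
        if not s.startswith(")"):
            raise ValueError("unbalanced filter")
        if op == "&":
            pred = lambda e, k=kids: all(f(e) for f in k)
        elif op == "|":
            pred = lambda e, k=kids: any(f(e) for f in k)
        else:
            if len(kids) != 1:
                raise ValueError("'!' takes exactly one filter")
            pred = lambda e, k=kids: not k[0](e)
        return pred, s[1:]
    end = s.index(")")                     # values containing ')' unsupported
    attr, _, value = s[1:end].partition("=")
    attr, value = attr.strip().lower(), value.strip().lower()
    if value == "*":                       # presence
        pred = lambda e, a=attr: bool(e.get(a))
    elif value.endswith("*"):              # prefix match
        pred = lambda e, a=attr, p=value[:-1]: any(
            v.lower().startswith(p) for v in e.get(a, []))
    else:                                  # case-insensitive equality
        pred = lambda e, a=attr, v=value: any(x.lower() == v for x in e.get(a, []))
    return pred, s[end + 1:]


def materialize(group, entries):
    """DNs matching any memberURL of the group, in directory order, no dupes."""
    members = []
    for url in group.get("memberurl", []):
        base, scope, flt = parse_member_url(url)
        matches = parse_filter(flt)
        for entry in entries:
            dn = entry["dn"]
            if in_scope(dn, base, scope) and matches(entry) and dn not in members:
                members.append(dn)
    return members


def replace_members_ldif(group_dn, members):
    """LDIF for ldapmodify that overwrites the static group's member list."""
    lines = [f"dn: {group_dn}", "changetype: modify", "replace: uniqueMember"]
    lines += [f"uniqueMember: {m}" for m in members]
    return "\n".join(lines + ["-", ""])


# Constructed sample directory; attribute names are lowercased keys.
SAMPLE_ENTRIES = [
    {"dn": "uid=alice,ou=people,dc=example,dc=com",
     "departmentnumber": ["42"], "employeetype": ["staff"]},
    {"dn": "uid=bob,ou=people,dc=example,dc=com",
     "departmentnumber": ["42"], "employeetype": ["contractor"]},
    {"dn": "uid=carol,ou=people,dc=example,dc=com",
     "departmentnumber": ["7"], "employeetype": ["staff"]},
    {"dn": "uid=dave,ou=robots,dc=example,dc=com",      # outside the base
     "departmentnumber": ["42"], "employeetype": ["staff"]},
]
SAMPLE_GROUP = {
    "dn": "cn=dept42-staff,ou=groups,dc=example,dc=com",
    "memberurl": ["ldap:///ou=people,dc=example,dc=com??sub?"
                  "(&(departmentNumber=42)(!(employeeType=contractor)))"],
}

if __name__ == "__main__":
    print(replace_members_ldif(SAMPLE_GROUP["dn"],
                               materialize(SAMPLE_GROUP, SAMPLE_ENTRIES)))
```

The job must bind as an identity allowed to write uniqueMember on the group entries and nothing else; run it from cron, or right after the scripts that generate the groups, and the static group lags the directory by at most that interval.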
> Best Regards,
> --
> Mikael Kermorgant
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From stein at interpost.no Tue Apr 25 18:11:05 2006
From: stein at interpost.no (Stein)
Date: Tue, 25 Apr 2006 20:11:05 +0200
Subject: [Fedora-directory-users] replication errorlog
Message-ID: <20060425181105.GA16112@slogen.sunnmore.net>

Hi,

I'm running FDS 1.0.2 on an FC4 box, replicating users from an AD server. It seems to be working fine, but the error log fills up with:

NSMMReplicationPlugin - agmt="cn=adsynctest" (10:389): Replica has no update vector. It has never been initialized.

But the incremental update still works fine. If I add more logging on replication:

[25/Apr/2006:19:46:48 +0200] NSMMReplicationPlugin - changelog program - libdb: txn_checkpoint: failed to flush the buffer cache No such file or directory
[25/Apr/2006:19:46:48 +0200] NSMMReplicationPlugin - changelog program - libdb: f6dd6a82-1dd111b2-80cd8aae-532f0000_444d0d010000ffff0000.db4: unable to flush: No such file or directory
[25/Apr/2006:19:46:48 +0200] NSMMReplicationPlugin - changelog program - libdb: txn_checkpoint: failed to flush the buffer cache No such file or directory
[25/Apr/2006:19:46:49 +0200] NSMMReplicationPlugin - changelog program - libdb: f6dd6a82-1dd111b2-80cd8aae-532f0000_444d0d010000ffff0000.db4: unable to flush: No such file or directory
[25/Apr/2006:19:46:49 +0200] NSMMReplicationPlugin - changelog program - libdb: txn_checkpoint: failed to flush the buffer cache No such file or directory

So, ladies and gents, any idea what's going on?
Recap, everything works, just a lot av entries in the error log Stein From simonf at cshl.edu Tue Apr 25 20:15:26 2006 From: simonf at cshl.edu (Vsevolod (Simon) Ilyushchenko) Date: Tue, 25 Apr 2006 16:15:26 -0400 Subject: [Fedora-directory-users] MS Services for Unix integration? Message-ID: <444E835E.1030508@cshl.edu> Hi, Is anyone working on adding support for transferring the Posix attributes from AD if SFU (Services for Unix) is enabled there? That would be, ahem, incredibly useful. By the way, someone implied that it might be possible to get Unix-crypted passwords. Has anyone tried that? Thanks, Simon -- Simon (Vsevolod ILyushchenko) simonf at cshl.edu http://www.simonf.com "Think like a man of action, act like a man of thought." Henri Bergson From rmeggins at redhat.com Tue Apr 25 20:25:08 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Tue, 25 Apr 2006 14:25:08 -0600 Subject: [Fedora-directory-users] MS Services for Unix integration? In-Reply-To: <444E835E.1030508@cshl.edu> References: <444E835E.1030508@cshl.edu> Message-ID: <444E85A4.3090307@redhat.com> Vsevolod (Simon) Ilyushchenko wrote: > Hi, > > Is anyone working on adding support for transferring the Posix > attributes from AD if SFU (Services for Unix) is enabled there? That > would be, ahem, incredibly useful. Do you mean for Fedora DS Windows Sync? > > > By the way, someone implied that it might be possible to get > Unix-crypted passwords. Has anyone tried that? > > Thanks, > Simon -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From simonf at cshl.edu Tue Apr 25 20:42:48 2006 From: simonf at cshl.edu (Vsevolod (Simon) Ilyushchenko) Date: Tue, 25 Apr 2006 16:42:48 -0400 Subject: [Fedora-directory-users] MS Services for Unix integration? 
In-Reply-To: <444E85A4.3090307@redhat.com> References: <444E835E.1030508@cshl.edu> <444E85A4.3090307@redhat.com> Message-ID: <444E89C8.9000008@cshl.edu> Richard Megginson wrote on 04/25/2006 04:25 PM: > Vsevolod (Simon) Ilyushchenko wrote: > >> Hi, >> >> Is anyone working on adding support for transferring the Posix >> attributes from AD if SFU (Services for Unix) is enabled there? That >> would be, ahem, incredibly useful. > > Do you mean for Fedora DS Windows Sync? Correct. Thanks, Simon -- Simon (Vsevolod ILyushchenko) simonf at cshl.edu http://www.simonf.com "Think like a man of action, act like a man of thought." Henri Bergson From mikael.kermorgant at gmail.com Wed Apr 26 09:12:11 2006 From: mikael.kermorgant at gmail.com (Mikael Kermorgant) Date: Wed, 26 Apr 2006 11:12:11 +0200 Subject: [Fedora-directory-users] Re: directory server gateway access configuration In-Reply-To: <9711147e0604240615r36fc5b01ged50e0643bd8ffa8@mail.gmail.com> References: <9711147e0604240615r36fc5b01ged50e0643bd8ffa8@mail.gmail.com> Message-ID: <9711147e0604260212u6150924aq371a50997338a90c@mail.gmail.com> This was related to following bug : https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=183925 I changed the ip to a fake one following this howto : http://directory.fedora.redhat.com/wiki/Howto:AdminServerLDAPMgmt Regards, Mikael From magobin at gmail.com Wed Apr 26 10:42:47 2006 From: magobin at gmail.com (Alex aka Magobin) Date: Wed, 26 Apr 2006 12:42:47 +0200 Subject: [Fedora-directory-users] Best way to populate DS with account and group! Message-ID: <1146048167.8695.11.camel@localhost.localdomain> Hi, now that I have a Fedora DS installed and replicated correctly with ssl encryption, I would to know what is the best way to populate DS with accounts to authenticate linux clients; the goal is to automate accounts creation for clients authentication and mail (postfix) authentication. 
So, for example, I want that when I make an account on DS for "test" it must authenticate the Linux client and must authenticate the postfix user (and obviously the user must be added to the postfix group).

What is the best way?

thanks in advance

Alex

From danhawker at wessexmc.org.uk Wed Apr 26 12:37:41 2006
From: danhawker at wessexmc.org.uk (Dan Hawker)
Date: Wed, 26 Apr 2006 13:37:41 +0100 (BST)
Subject: [Fedora-directory-users] admin user password reset
Message-ID: <56232.194.203.13.71.1146055061.squirrel@www.gradwell.com>

Hi All,

Have managed to access the console from my Windows machine (ended up testing with a vmware instance I have around for testing Linux client probs), however I seem to be having trouble logging on and wondered how you reset the admin user's password or why I am getting this error.

I can use ldapmodify and ldapsearch OK (just tests) using the Directory Manager user, however it seems from reading some docs that it needs the admin user to login. I use the username fdsadmin and a password. Have checked in the adm.conf and admpw file and I am pretty sure all is right, I just can't login. The errors I get are below.

Thanks

Dan

#### FDS Console pop-up
Cannot logon because of an incorrect User ID, Incorrect password or Directory problem.
HttpException; Response: HTTP/1.1 401 Authorization Required
Status: 401
URL: http://prospero:1500/admin-serv/authenticate
#### EOF

My Windows command-line window displayed the following also...

#### Windows command-line output
Starting Console Fedora-Management-Console/1.0 B2006.060.1930
CommManager> New CommRecord (http://prospero:1500/admin-serv/authenticate)
http://prospero:1500/[0:0] open> Ready
http://prospero:1500/[0:0] accept> http://prospero:1500/admin-serv/authenticate
http://prospero:1500/[0:0] send> GET \
http://prospero:1500/[0:0] send> /admin-serv/authenticate \
http://prospero:1500/[0:0] send> HTTP/1.0
http://prospero:1500/[0:0] send> Host: prospero:1500
http://prospero:1500/[0:0] send> Connection: Keep-Alive
http://prospero:1500/[0:0] send> User-Agent: Fedora-Management-Console/1.0
http://prospero:1500/[0:0] send> Accept-Language: en
http://prospero:1500/[0:0] send> Authorization: Basic \
http://prospero:1500/[0:0] send> ZmRzYWRtaW46dHlwaDAwbg== \
http://prospero:1500/[0:0] send>
http://prospero:1500/[0:0] send>
http://prospero:1500/[0:0] recv> HTTP/1.1 401 Authorization Required
http://prospero:1500/[0:0] error> HttpException: Response: HTTP/1.1 401 Authorization Required
Status: 401
URL: http://prospero:1500/admin-serv/authenticate
http://prospero:1500/[0:0] close> Closed
####EOF

From danhawker at wessexmc.org.uk Wed Apr 26 13:07:56 2006
From: danhawker at wessexmc.org.uk (Dan Hawker)
Date: Wed, 26 Apr 2006 14:07:56 +0100 (BST)
Subject: [Fedora-directory-users] admin user password reset : SOLVED
In-Reply-To: <56232.194.203.13.71.1146055061.squirrel@www.gradwell.com>
References: <56232.194.203.13.71.1146055061.squirrel@www.gradwell.com>
Message-ID: <13258.194.203.13.71.1146056876.squirrel@www.gradwell.com>

> , however I seem to be having trouble logging on and wondered how
> you reset the admin user's password or why I am getting this error.

Hi All,

Please ignore, just realised I hadn't set up the server to allow my workstation to access it correctly. Doh!!

Thanks and apologies.
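One point on the console trace posted above: HTTP Basic authentication only base64-encodes user:password, so the Authorization header the console sends to http://prospero:1500 is readable by anyone who sees the trace or the unencrypted connection, and the header as posted contains the admin credentials in recoverable form. The function below, an added example and not part of the thread or of the Fedora console, pulls Basic credentials out of a trace in this format (joining the backslash-continued lines) and returns a redacted copy, so a trace can be scrubbed before it is posted; the sample trace it runs on is constructed here with a made-up password.

```python
"""Pull HTTP Basic credentials out of a console/HTTP debug trace and redact
them.

Added example, not code from the thread or from the Fedora console. The
sample trace is constructed to mirror the posted format (headers continued
across lines that end in a backslash) with a made-up password.
"""
import base64
import binascii
import re
from typing import List, NamedTuple

# Prefix on every trace line, e.g. "http://prospero:1500/[0:0] send> "
_PREFIX = re.compile(r"^\S+\s+\w+>\s*")
_BASIC = re.compile(r"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


class BasicCred(NamedTuple):
    line_no: int   # 1-based line where the Authorization header starts
    user: str
    password: str
    token: str     # the base64 text exactly as it appears in the trace


def join_continuations(lines):
    """Merge a line ending in a backslash with the line that follows it
    (minus that line's trace prefix). Returns [(first_index, merged_text)]."""
    merged, buf, start = [], None, 0
    for i, raw in enumerate(lines):
        if buf is None:
            start, text = i, raw.rstrip()
        else:
            text = _PREFIX.sub("", raw, count=1).rstrip()
        if text.endswith("\\"):
            piece = text[:-1].rstrip()
            buf = piece if buf is None else buf + " " + piece
            continue
        merged.append((start, text if buf is None else buf + " " + text))
        buf = None
    if buf is not None:
        merged.append((start, buf))
    return merged


def find_basic_creds(trace: str) -> List[BasicCred]:
    """Every decodable Basic credential in the trace."""
    found = []
    for idx, text in join_continuations(trace.splitlines()):
        m = _BASIC.search(text)
        if not m:
            continue
        try:
            raw = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            continue            # not base64: leave it alone
        user, _, password = raw.partition(":")
        found.append(BasicCred(idx + 1, user, password, m.group(1)))
    return found


def redact(trace: str) -> str:
    """Copy of the trace with every Basic token replaced, wherever it sits."""
    for cred in find_basic_creds(trace):
        trace = trace.replace(cred.token, "<redacted>")
    return trace


# Constructed sample in the same shape as the posted trace; the password is fake.
SAMPLE_TOKEN = base64.b64encode(b"fdsadmin:not-the-real-password").decode()
SAMPLE_TRACE = "\n".join([
    "CommManager> New CommRecord (http://prospero:1500/admin-serv/authenticate)",
    "http://prospero:1500/[0:0] send> GET \\",
    "http://prospero:1500/[0:0] send> /admin-serv/authenticate \\",
    "http://prospero:1500/[0:0] send> HTTP/1.0",
    "http://prospero:1500/[0:0] send> Host: prospero:1500",
    "http://prospero:1500/[0:0] send> Authorization: Basic \\",
    f"http://prospero:1500/[0:0] send> {SAMPLE_TOKEN} \\",
    "http://prospero:1500/[0:0] send> ",
    "http://prospero:1500/[0:0] recv> HTTP/1.1 401 Authorization Required",
])

if __name__ == "__main__":
    for c in find_basic_creds(SAMPLE_TRACE):
        print(f"line {c.line_no}: Basic credential for user {c.user!r}")
    print(redact(SAMPLE_TRACE))
```

A credential that has already gone out in a trace like this should be treated as disclosed and changed; enabling SSL on the admin server keeps the next one off the wire, and scrubbing keeps it out of the archive.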
Dan From basile.mathieu at siris.sorbonne.fr Wed Apr 26 15:32:27 2006 From: basile.mathieu at siris.sorbonne.fr (basile au siris) Date: Wed, 26 Apr 2006 17:32:27 +0200 Subject: [Fedora-directory-users] problem with console on 1.0.2 Message-ID: <444F928B.4030806@siris.sorbonne.fr> hi i install fds on fedora core 3 and get this error when i try to launch console : httpd.worker: Syntax error on line 151 of /opt/fedora-ds/admin-serv/config/httpd.conf: Cannot load /opt/fedora-ds/bin/admin/lib/libmodrestartd.so into server: /opt/fedora-ds/bin/admin/lib/libmodrestartd.so: undefined symbol: apr_filename_of_pathname i find 2 thread on that problem , in the first solution was to correct start-admin script ( but it still correct ) , and in the second to build module by the hand :( is there any other solution thanks basile ps does redhat team give binaries of fds-1.0.2 for solaris 9 ? From rmeggins at redhat.com Wed Apr 26 15:36:41 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Wed, 26 Apr 2006 09:36:41 -0600 Subject: [Fedora-directory-users] problem with console on 1.0.2 In-Reply-To: <444F928B.4030806@siris.sorbonne.fr> References: <444F928B.4030806@siris.sorbonne.fr> Message-ID: <444F9389.70807@redhat.com> basile au siris wrote: > hi > i install fds on fedora core 3 and get this error when i try > to launch console : > > > httpd.worker: Syntax error on line 151 of > /opt/fedora-ds/admin-serv/config/httpd.conf: Cannot load > /opt/fedora-ds/bin/admin/lib/libmodrestartd.so into server: > /opt/fedora-ds/bin/admin/lib/libmodrestartd.so: undefined symbol: > apr_filename_of_pathname > > i find 2 thread on that problem , in the first solution was to correct > start-admin script ( but it still correct ) , and in the second to build > module by the hand :( > What version of Apache are you using? > is there any other solution > thanks > basile > ps > does redhat team give binaries of fds-1.0.2 for solaris 9 ? 
> No, we're still working on it, it will probably be a few more weeks. > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From basile.mathieu at siris.sorbonne.fr Wed Apr 26 15:39:11 2006 From: basile.mathieu at siris.sorbonne.fr (basile au siris) Date: Wed, 26 Apr 2006 17:39:11 +0200 Subject: [Fedora-directory-users] problem with console on 1.0.2 In-Reply-To: <444F9389.70807@redhat.com> References: <444F928B.4030806@siris.sorbonne.fr> <444F9389.70807@redhat.com> Message-ID: <444F941F.4060005@siris.sorbonne.fr> Richard Megginson a ?crit : > basile au siris wrote: >> hi >> i install fds on fedora core 3 and get this error when i try >> to launch console : >> >> >> httpd.worker: Syntax error on line 151 of >> /opt/fedora-ds/admin-serv/config/httpd.conf: Cannot load >> /opt/fedora-ds/bin/admin/lib/libmodrestartd.so into server: >> /opt/fedora-ds/bin/admin/lib/libmodrestartd.so: undefined symbol: >> apr_filename_of_pathname >> >> i find 2 thread on that problem , in the first solution was to correct >> start-admin script ( but it still correct ) , and in the second to build >> module by the hand :( >> > What version of Apache are you using? httpd-2.2 >> is there any other solution >> thanks >> basile >> ps >> does redhat team give binaries of fds-1.0.2 for solaris 9 ? >> Thanks . > No, we're still working on it, it will probably be a few more weeks. 
>> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users From rmeggins at redhat.com Wed Apr 26 15:43:55 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Wed, 26 Apr 2006 09:43:55 -0600 Subject: [Fedora-directory-users] problem with console on 1.0.2 In-Reply-To: <444F941F.4060005@siris.sorbonne.fr> References: <444F928B.4030806@siris.sorbonne.fr> <444F9389.70807@redhat.com> <444F941F.4060005@siris.sorbonne.fr> Message-ID: <444F953B.90601@redhat.com> basile au siris wrote: > Richard Megginson a ?crit : > >> basile au siris wrote: >> >>> hi >>> i install fds on fedora core 3 and get this error when i try >>> to launch console : >>> >>> >>> httpd.worker: Syntax error on line 151 of >>> /opt/fedora-ds/admin-serv/config/httpd.conf: Cannot load >>> /opt/fedora-ds/bin/admin/lib/libmodrestartd.so into server: >>> /opt/fedora-ds/bin/admin/lib/libmodrestartd.so: undefined symbol: >>> apr_filename_of_pathname >>> >>> i find 2 thread on that problem , in the first solution was to correct >>> start-admin script ( but it still correct ) , and in the second to build >>> module by the hand :( >>> >>> >> What version of Apache are you using? >> > > httpd-2.2 > We don't support httpd 2.2 in any binary release before Fedora Core 5. You will have to build Fedora DS yourself to support this. The problem is that a lot of the module API changed between httpd 2.0 and 2.2, breaking binary compatability. See http://directory.fedora.redhat.com/wiki/Building#One-Step_Build > >>> is there any other solution >>> thanks >>> basile >>> ps >>> does redhat team give binaries of fds-1.0.2 for solaris 9 ? >>> >>> > > Thanks . 
>> No, we're still working on it, it will probably be a few more weeks.
>>

From simonf at cshl.edu Wed Apr 26 18:42:16 2006
From: simonf at cshl.edu (Vsevolod (Simon) Ilyushchenko)
Date: Wed, 26 Apr 2006 14:42:16 -0400
Subject: [Fedora-directory-users] AD sync issues
Message-ID: <444FBF08.8030001@cshl.edu>

Hi,

I've half gotten the AD sync to work, but I have a couple of issues:

1. The updates are not propagated on their own. If I choose 'Send/Receive
updates' from the sync agreement, they are immediately transferred, but it
never happens on its own.

2. I tried to follow the steps here:
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/sync.html
under 'Setting Up SSL for the Password Sync Service' to transfer the FDS SSL
certificate to the AD machine, and when I run the command in step 2 in the
alias directory, I get:

../shared/bin/pk12util -d . -P slapd-fa22 -o servercert.pfx -n Server-Cert
pk12util-bin: find user certs from nickname failed: security library: bad database.

Can you tell me what I should be looking for? SSL access works on the FDS
machine, so the database should not be corrupt.

Thanks,
Simon

--
Simon (Vsevolod Ilyushchenko)   simonf at cshl.edu
http://www.simonf.com

"Think like a man of action, act like a man of thought."
                                        Henri Bergson

From rmeggins at redhat.com Wed Apr 26 18:55:18 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 26 Apr 2006 12:55:18 -0600
Subject: [Fedora-directory-users] AD sync issues
In-Reply-To: <444FBF08.8030001@cshl.edu>
References: <444FBF08.8030001@cshl.edu>
Message-ID: <444FC216.1090608@redhat.com>

Vsevolod (Simon) Ilyushchenko wrote:
> Hi,
>
> I've half gotten the AD sync to work, but I have a couple of issues:
>
> 1. The updates are not propagated on their own. If I choose
> 'Send/Receive updates' from the sync agreement, they are immediately
> transferred, but it never happens on its own.
Try turning on the replication error log level.
>
> 2. I tried to follow the steps here:
> http://www.redhat.com/docs/manuals/dir-server/ag/7.1/sync.html
> under 'Setting Up SSL for the Password Sync Service' to transfer the
> FDS SSL certificate to the AD machine, and when I run the command in
> step 2 in the alias directory, I get:
>
> ../shared/bin/pk12util -d . -P slapd-fa22 -o servercert.pfx -n
> Server-Cert
> pk12util-bin: find user certs from nickname failed: security library:
> bad database.
Are you missing the trailing "-" after slapd-fa22?
>
> Can you tell me what I should be looking for? SSL access works on the
> FDS machine, so the database should not be corrupt.
>
> Thanks,
> Simon
>

From stein at interpost.no Wed Apr 26 18:55:21 2006
From: stein at interpost.no (Stein)
Date: Wed, 26 Apr 2006 20:55:21 +0200
Subject: [Fedora-directory-users] AD sync issues
In-Reply-To: <444FBF08.8030001@cshl.edu>
References: <444FBF08.8030001@cshl.edu>
Message-ID: <20060426185521.GA23235@slogen.sunnmore.net>

On Wed, Apr 26, 2006 at 02:42:16PM -0400, Vsevolod (Simon) Ilyushchenko wrote:
> ../shared/bin/pk12util -d .
> -P slapd-fa22 -o servercert.pfx -n Server-Cert
> pk12util-bin: find user certs from nickname failed: security library:
> bad database.

You need a trailing - on slapd-fa22, so use slapd-fa22- instead.

Stein

From jsummers at bachman.cs.ou.edu Wed Apr 26 19:03:39 2006
From: jsummers at bachman.cs.ou.edu (Jim Summers)
Date: Wed, 26 Apr 2006 14:03:39 -0500
Subject: [Fedora-directory-users] Proxy Access to Directory
Message-ID: <444FC40B.5050701@cs.ou.edu>

Hello List,

I just discovered that I can anonymously access my directory. I have scoured
over some of the docs and haven't seen a definitive howto on disabling that
access. Is this an ACI mis-configuration on my part?

I have looked and do see an "Enable anonymous access" ACI at both the
NetscapeRoot and my domain levels. I am hesitant to remove them without
knowing whether that is safe. I would then in turn need to define ACIs for
the proxyDN?

Ideas / Suggestions?

TIA

--
Jim Summers
School of Computer Science-University of Oklahoma
-------------------------------------------------

From simonf at cshl.edu Wed Apr 26 20:53:52 2006
From: simonf at cshl.edu (Vsevolod (Simon) Ilyushchenko)
Date: Wed, 26 Apr 2006 16:53:52 -0400
Subject: [Fedora-directory-users] AD sync issues
In-Reply-To: <444FC216.1090608@redhat.com>
References: <444FBF08.8030001@cshl.edu> <444FC216.1090608@redhat.com>
Message-ID: <444FDDE0.1060706@cshl.edu>

Rich,

Thanks for your answers!

Richard Megginson wrote on 04/26/2006 02:55 PM:
> Vsevolod (Simon) Ilyushchenko wrote:
>
>> Hi,
>>
>> I've half gotten the AD sync to work, but I have a couple of issues:
>>
>> 1. The updates are not propagated on their own. If I choose
>> 'Send/Receive updates' from the sync agreement, they are immediately
>> transferred, but it never happens on its own.
>
> Try turning on the replication error log level.

Okay, I see "Replica has no update vector. It has never been initialized."
My updates are indeed not sent from FDS to AD, but I don't want this anyway.
The Windows sync docs do not specify which replica role I have to choose
first. I actually need a dedicated consumer (AD->FDS only), but if I choose
that role, I have to specify a supplier DN, and I'm not sure what I should
put there for the Windows sync scenario. So I had to choose 'single master',
and that implies sending FDS->AD updates, which currently doesn't work.
Looks like these updates won't be sent until I initialize the consumer
(AD), and I DON'T want to do this.

So I'm in a bind. :(

>> ../shared/bin/pk12util -d . -P slapd-fa22 -o servercert.pfx -n
>> Server-Cert
>> pk12util-bin: find user certs from nickname failed: security library:
>> bad database.
>
> Are you missing the trailing "-" after slapd-fa22?

Yes, that was it! Now that I know what to look for, I've noticed this on
the wiki in the SSL article (though the WindowsSync pages in the Netscape
docs and on the wiki do not mention it :).

Thanks,
Simon

--
Simon (Vsevolod Ilyushchenko)   simonf at cshl.edu
http://www.simonf.com

"Think like a man of action, act like a man of thought."
                                        Henri Bergson

From jsummers at bachman.cs.ou.edu Wed Apr 26 20:58:48 2006
From: jsummers at bachman.cs.ou.edu (Jim Summers)
Date: Wed, 26 Apr 2006 15:58:48 -0500
Subject: [Fedora-directory-users] SSL Problem
Message-ID: <444FDF08.2050006@cs.ou.edu>

Hello All,

While monitoring the access log on my FDS I am seeing the following
message popping up:

===============
[26/Apr/2006:14:59:30 -0500] conn=1 op=-1 fd=65 closed - Peer does not
recognize and trust the CA that issued your certificate.
===============

Is the "Peer" the client attempting to connect?

I have the following set in the /etc/ldap.conf on the machine that is
trying to connect:

tls_checkpeer no
tls_reqcert never

Which I thought would instruct the client to not really care and just
encrypt the packets.

Actually this seems to only happen with an ldapsearch command.
A sample search command I am testing with is:

ldapsearch -v -x -LLL -D "uid=tulsa2,ou=people,dc=ou,dc=edu" -W -H
ldaps://ldapserver.ou.edu -b ou=people,dc=ou,dc=edu '(uid=tulsa2)'

I can issue id commands and ssh into the client without problem and it is
over the ssl enabled 636 port. Which I just double checked with tcpdump and
the logs.

I am not sure what I have messed up.

Ideas / Suggestions greatly appreciated.

TIA

--
Jim Summers
School of Computer Science-University of Oklahoma
-------------------------------------------------

From rmeggins at redhat.com Wed Apr 26 21:02:05 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 26 Apr 2006 15:02:05 -0600
Subject: [Fedora-directory-users] AD sync issues
In-Reply-To: <444FDDE0.1060706@cshl.edu>
References: <444FBF08.8030001@cshl.edu> <444FC216.1090608@redhat.com> <444FDDE0.1060706@cshl.edu>
Message-ID: <444FDFCD.7060609@redhat.com>

Vsevolod (Simon) Ilyushchenko wrote:
> Rich,
>
> Thanks for your answers!
>
> Richard Megginson wrote on 04/26/2006 02:55 PM:
>> Vsevolod (Simon) Ilyushchenko wrote:
>>
>>> Hi,
>>>
>>> I've half gotten the AD sync to work, but I have a couple of issues:
>>>
>>> 1. The updates are not propagated on their own. If I choose
>>> 'Send/Receive updates' from the sync agreement, they are immediately
>>> transferred, but it never happens on its own.
>>
>> Try turning on the replication error log level.
>
> Okay, I see "Replica has no update vector. It has never been
> initialized." My updates are indeed not sent from FDS to AD, but I
> don't want this anyway.
>
> The Windows sync docs do not specify which replica role I have to
> choose first. I actually need a dedicated consumer (AD->FDS only), but
> if I choose that role, I have to specify a supplier DN, and I'm not
> sure what I should put there for the Windows sync scenario. So I had
> to choose 'single master', and that implies sending FDS->AD updates,
> which currently doesn't work.
> Looks like these updates won't be sent
> until I initialize the consumer (AD), and I DON'T want to do this.
>
> So I'm in a bind. :(
I don't think the code is designed to do one way sync. The way sync works
with AD is that FDS pulls changes from AD (using the DirSync control) and
pushes changes to AD (using plain old LDAP operations). AD never contacts
FDS (except for password sync, and that's a different issue), so you don't
need to specify a supplier DN.
>
>>> ../shared/bin/pk12util -d . -P slapd-fa22 -o servercert.pfx -n
>>> Server-Cert
>>> pk12util-bin: find user certs from nickname failed: security
>>> library: bad database.
>>
>> Are you missing the trailing "-" after slapd-fa22?
>
> Yes, that was it! Now that I know what to look for, I've noticed this
> on the wiki in the SSL article (though the WindowsSync pages in the
> Netscape docs and on the wiki do not mention it :).
>
> Thanks,
> Simon

From espen.stefansen at imr.no Thu Apr 27 11:36:56 2006
From: espen.stefansen at imr.no (Espen A. Stefansen)
Date: Thu, 27 Apr 2006 13:36:56 +0200
Subject: [Fedora-directory-users] Need help syncing between Active Directory and FDS
Message-ID: <1146137816.5150.62.camel@itse6848>

Hi
I'm a new user to FDS, so I've got some problems getting it to work. I'm
trying to sync our Active Directory over to FDS. Unfortunately it doesn't
work, so hopefully someone can give me some pointers.

I've been looking through the wiki and the manuals, but I haven't found
anything that helped.

This is how I installed FDS:

1. Installed FDS on CentOS 4; fds.example.com.

2. Ran setup with default values (including directory manager)

3. Ran setupssl.sh.

4. Installed PassSync on a Windows Domain Controller (Windows 2003);
win.example.com.
 - Values:
 --- Hostname: fds.example.com
 --- Port: 686
 --- Username: cn=directory manager,cn=config
 --- Cert Token: ?? (Should this be the password for the certificate?)
 --- Search: dc=example,dc=com

 And then imported the certificates from fds.example.com

5. Started the console, and enabled "changelog" and "replica" as
"single master".

6. I then generated a "windows sync agreement".
 - Values:
 --- domain: example.com
 --- DCH: win.example.com
 --- Enabled SSL
 --- Bind as: cn=directory manager,cn=config

When I try to do a full sync, it says it can't find the LDAP-server,
error 81. Does that mean the FDS-server?

Does anyone have any idea on what might be wrong? And have I installed
it correctly?

Regards
Espen Stefansen

From mikael.kermorgant at gmail.com Thu Apr 27 12:37:30 2006
From: mikael.kermorgant at gmail.com (Mikael Kermorgant)
Date: Thu, 27 Apr 2006 14:37:30 +0200
Subject: [Fedora-directory-users] directory gateway translation in French
Message-ID: <9711147e0604270537p2c7f2fa7jdb8a9802556c69ae@mail.gmail.com>

Hello,

Is there any French translation available for the directory gateway html files ?

Regards,

--
Mikael Kermorgant

From danhawker at wessexmc.org.uk Thu Apr 27 12:42:26 2006
From: danhawker at wessexmc.org.uk (Dan Hawker)
Date: Thu, 27 Apr 2006 13:42:26 +0100 (BST)
Subject: [Fedora-directory-users] Import POSIX Users
Message-ID: <26784.194.203.13.71.1146141746.squirrel@www.gradwell.com>

Hi All,

Have my test FDS 1.0.2 server up and running and touch wood, it seems to be
working well. Am slightly confused about something that is pretty simple,
just need some clarification.

I am planning on migrating my users from having a username stored on every
server (around 10 or so) to having a central directory. Hence my install of
FDS. I have been testing the PADL migration tools to migrate my users. One
thing I have noticed is that when you import a user (or group) via this
mechanism there are a few attributes that are either not used or are added.
For instance if you look at groups...

A standard FDS *group* is a groupofuniquenames, whereas an imported group is
a posixgroup. Logical enough. The only real difference in simple terms (that
I can see) is that the posix one has a couple of extra attributes such as
groupid and memberUid, and the groupofuniquenames has an additional
description attribute.

What I am noticing however is that when adding users to a group that is a
*groupofuniquenames* you get to use the simple, easy-to-use dialogue,
whereas with the *posixgroup* you get the advanced dialogue. This is fine,
they are both easy to use.

However when adding a new user (via the console) you add a regular user.
This can have posix attributes added (as per the posix user tab) which is
great. However I have noticed that posixusers are not recognised as *users*
when searching from the console (say to add ppl to a group), hence you
cannot use the usual add member to a group if the user is a posixuser.

Also I wondered what happens when you add the aforementioned regular user to
a non-posix group. How does FDS (or indeed the posix based machine that is
asking for the info) understand if the user is a member of that group and
hence allow access to the resource???

So...

Am I missing something simple???
Is this the nature of LDAP (or the way the interface works)???
Should I *filter* my LDIF a bit more and edit it to suit *standard user &
groups* (will this work OK)???
Should I just use posix users & groups (within FDS)???
Is there a way of adding attributes to existing objectClasses to add the
additional attributes???

TIA

Dan

From nkinder at redhat.com Thu Apr 27 14:28:08 2006
From: nkinder at redhat.com (Nathan Kinder)
Date: Thu, 27 Apr 2006 07:28:08 -0700
Subject: [Fedora-directory-users] Need help syncing between Active Directory and FDS
In-Reply-To: <1146137816.5150.62.camel@itse6848>
References: <1146137816.5150.62.camel@itse6848>
Message-ID: <4450D4F8.9020900@redhat.com>

Espen A.
Stefansen wrote:
>Hi
>I'm a new user to FDS, so I've got some problems getting it to work. I'm
>trying to sync our Active Directory over to FDS. Unfortunately it
>doesn't work, so hopefully someone can give me some pointers.
>
>I've been looking through the wiki and the manuals, but I haven't found
>anything that helped.
>
>This is how I installed FDS:
>
>1. Installed FDS on CentOS 4; fds.example.com.
>
>2. Ran setup with default values (including directory manager)
>
>3. Ran setupssl.sh.
>
>4. Installed PassSync on a Windows Domain Controller (Windows 2003);
>win.example.com.
> - Values:
> --- Hostname: fds.example.com
> --- Port: 686
> --- Username: cn=directory manager,cn=config
> --- Cert Token: ?? (Should this be the password for the certificate?)
>
You don't need to fill the cert token in.
> --- Search: dc=example,dc=com
>
> And then imported the certificates from fds.example.com
>
>5. Started the console, and enabled "changelog" and "replica" as
>"single master".
>
>6. I then generated a "windows sync agreement".
> - Values:
> --- domain: example.com
> --- DCH: win.example.com
> --- Enabled SSL
> --- Bind as: cn=directory manager,cn=config
>
>When I try to do a full sync, it says it can't find the LDAP-server,
>error 81. Does that mean the FDS-server?
>
It's saying it can't connect to Active Directory. This is probably because
Active Directory is not running on the secure port (636). You need to setup
Active Directory for LDAPS. Take a look at this page on our wiki for
details on how to do this:

http://directory.fedora.redhat.com/wiki/Howto:WindowsSync

You should also make sure you can connect to Active Directory over LDAPS
with ldapsearch before you create your sync agreement.

-NGK
>Does anyone have any idea on what might be wrong? And have I installed
>it correctly?
>
>Regards
>Espen Stefansen
>

From nkinder at redhat.com Thu Apr 27 14:38:15 2006
From: nkinder at redhat.com (Nathan Kinder)
Date: Thu, 27 Apr 2006 07:38:15 -0700
Subject: [Fedora-directory-users] directory gateway translation in French
In-Reply-To: <9711147e0604270537p2c7f2fa7jdb8a9802556c69ae@mail.gmail.com>
References: <9711147e0604270537p2c7f2fa7jdb8a9802556c69ae@mail.gmail.com>
Message-ID: <4450D757.3000309@redhat.com>

Mikael Kermorgant wrote:
>Hello,
>
>Is there any French translation available for the directory gateway html files ?
>
Yes, there are, but I'm not sure how up to date they are. To get the files,
you need to check out the ldapserver source from CVS (see the wiki for
instructions). The files are in the /ldapserver/ldap/clients/dsgw/html/fr
directory in the source tree.

-NGK
>Regards,
>
>--
>Mikael Kermorgant
>

From dshackel at arbor.edu Thu Apr 27 14:47:51 2006
From: dshackel at arbor.edu (Daniel Shackelford)
Date: Thu, 27 Apr 2006 10:47:51 -0400
Subject: [Fedora-directory-users] Re: Need help syncing between Active, Directory and FDS
In-Reply-To: <20060427143821.793817353C@hormel.redhat.com>
References: <20060427143821.793817353C@hormel.redhat.com>
Message-ID: <4450D997.8080501@arbor.edu>

> Message: 8
> Date: Thu, 27 Apr 2006 13:36:56 +0200
> From: "Espen A.
> Stefansen"
> Subject: [Fedora-directory-users] Need help syncing between Active
> Directory and FDS
> To: fedora-directory-users at redhat.com
> Message-ID: <1146137816.5150.62.camel at itse6848>
> Content-Type: text/plain
>
> Hi
> I'm a new user to FDS, so I've got some problems getting it to work. I'm
> trying to sync our Active Directory over to FDS. Unfortunately it
> doesn't work, so hopefully someone can give me some pointers.
>
> I've been looking through the wiki and the manuals, but I haven't found
> anything that helped.
>
> This is how I installed FDS:
>
> 1. Installed FDS on CentOS 4; fds.example.com.
>
> 2. Ran setup with default values (including directory manager)
>
> 3. Ran setupssl.sh.
>
> 4. Installed PassSync on a Windows Domain Controller (Windows 2003);
> win.example.com.
> - Values:
> --- Hostname: fds.example.com
> --- Port: 686
> --- Username: cn=directory manager,cn=config
> --- Cert Token: ?? (Should this be the password for the certificate?)
> --- Search: dc=example,dc=com
>
> And then imported the certificates from fds.example.com
>
> 5. Started the console, and enabled "changelog" and "replica" as
> "single master".
>
> 6. I then generated a "windows sync agreement".
> - Values:
> --- domain: example.com
> --- DCH: win.example.com
> --- Enabled SSL
> --- Bind as: cn=directory manager,cn=config
>
It looks like you are using the FDS Directory Manager account, rather than
a valid AD account. You will need to use an AD account that has the ability
to create/update entries.

> When I try to do a full sync, it says it can't find the LDAP-server,
> error 81. Does that mean the FDS-server?
>
> Does anyone have any idea on what might be wrong? And have I installed
> it correctly?
>
> Regards
> Espen Stefansen
>

--
Daniel Shackelford
Systems Administrator
Technology Services
Spring Arbor University
517 750-6648

From rinconsystems at yahoo.com Thu Apr 27 23:53:28 2006
From: rinconsystems at yahoo.com (Scott Gilbert)
Date: Thu, 27 Apr 2006 16:53:28 -0700 (PDT)
Subject: [Fedora-directory-users] LDAP to AD attribute mapping doc?
Message-ID: <20060427235328.61223.qmail@web34113.mail.mud.yahoo.com>

In preparing to set up the sync to AD, is there documentation on LDAP to AD
attribute mapping? Maybe there's a good reference on the web? Many thanks.

From david_list at boreham.org Fri Apr 28 00:19:30 2006
From: david_list at boreham.org (David Boreham)
Date: Thu, 27 Apr 2006 18:19:30 -0600
Subject: [Fedora-directory-users] LDAP to AD attribute mapping doc?
In-Reply-To: <20060427235328.61223.qmail@web34113.mail.mud.yahoo.com>
References: <20060427235328.61223.qmail@web34113.mail.mud.yahoo.com>
Message-ID: <44515F92.2050107@boreham.org>

Scott Gilbert wrote:
>In preparing to set up the sync to AD, is there
>documentation on LDAP to AD attribute mapping? Maybe
>there's a good reference on the web? Many thanks.
>
Here:

http://www.redhat.com/docs/manuals/dir-server/ag/7.1/sync.html#2859623

From sysadmin.linux at gmail.com Fri Apr 28 02:35:58 2006
From: sysadmin.linux at gmail.com (Linux Admin)
Date: Thu, 27 Apr 2006 21:35:58 -0500
Subject: [Fedora-directory-users] replicating configuration directory (NetscapeRoot)
Message-ID: <696934990604271935r53646904xd64d928c847fcc93@mail.gmail.com>

Folks,
Is it possible to set up multi-master replication of the NetscapeRoot
configuration directory?
I have tried and I can successfully initialize subscribers from the current
configuration directory server.
However initialization of replication in the opposite direction fails.
Server 1 current conf dir -> Server 2: replication successful,
o=NetscapeRoot is populated
Server 1 current conf dir <- Server 2: replication fails with error:
Permission denied. Error code 3

On Server 2 I had to manually create the NetscapeRoot database.
What am I missing? Is it an "idiot proof" feature?

Thanks in advance for any help
SysLin

From craigwhite at azapple.com Fri Apr 28 12:42:15 2006
From: craigwhite at azapple.com (Craig White)
Date: Fri, 28 Apr 2006 05:42:15 -0700
Subject: [Fedora-directory-users] mailAlternateAddress
Message-ID: <1146228135.6398.56.camel@lin-workstation.azapple.com>

I wanted to import the 'misc' schema from openldap so I could use
mailLocalAddress and fedora-ds didn't like that since there was a
collision at "2.16.840.1.113730.3.1.13" - where:

# grep "2.16.840.1.113730.3.1.13" /opt/fedora-ds/slapd-srv1/config/schema/*
/opt/fedora-ds/slapd-srv1/config/schema/50ns-calendar.ldif:attributeTypes: ( 2.16.840.1.113730.3.1.130 NAME 'nsCalRefreshPrefs' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Calendar Server' )
/opt/fedora-ds/slapd-srv1/config/schema/50ns-calendar.ldif:attributeTypes: ( 2.16.840.1.113730.3.1.131 NAME 'nsCalResourceCapacity' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Calendar Server' )
/opt/fedora-ds/slapd-srv1/config/schema/50ns-calendar.ldif:attributeTypes: ( 2.16.840.1.113730.3.1.132 NAME 'nsCalResourceNumber' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Calendar Server' )
/opt/fedora-ds/slapd-srv1/config/schema/50ns-calendar.ldif:attributeTypes: ( 2.16.840.1.113730.3.1.133 NAME 'nsCalServerVersion' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Calendar Server' )
/opt/fedora-ds/slapd-srv1/config/schema/50ns-calendar.ldif:attributeTypes: (
2.16.840.1.113730.3.1.134 NAME 'nsCalSysopCanWritePassword' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Calendar Server' )
/opt/fedora-ds/slapd-srv1/config/schema/50ns-calendar.ldif:attributeTypes: ( 2.16.840.1.113730.3.1.135 NAME 'nsCalTimezone' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Calendar Server' )
/opt/fedora-ds/slapd-srv1/config/schema/50ns-calendar.ldif:attributeTypes: ( 2.16.840.1.113730.3.1.136 NAME 'nsCalXItemId' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Calendar Server' )
/opt/fedora-ds/slapd-srv1/config/schema/50ns-compass.ldif:attributeTypes: ( 2.16.840.1.113730.3.1.137 NAME 'pipuid' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Compass Server' )
/opt/fedora-ds/slapd-srv1/config/schema/50ns-compass.ldif:attributeTypes: ( 2.16.840.1.113730.3.1.138 NAME 'pipcompassservers' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Compass Server' )
/opt/fedora-ds/slapd-srv1/config/schema/50ns-compass.ldif:attributeTypes: ( 2.16.840.1.113730.3.1.139 NAME 'pipuniqueid' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Compass Server' )
/opt/fedora-ds/slapd-srv1/config/schema/50ns-mail.ldif:attributeTypes: ( 2.16.840.1.113730.3.1.13 NAME ( 'mailAlternateAddress' ) DESC 'Netscape Messaging Server 4.x defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Messaging Server 4.x' )

But as I look through available attributes in the console, I cannot use
mailAlternateAddress and so I am stumped.

How can I use such a beast?

Craig

From espen.stefansen at imr.no Fri Apr 28 13:38:07 2006
From: espen.stefansen at imr.no (Espen A.
Stefansen)
Date: Fri, 28 Apr 2006 15:38:07 +0200
Subject: [Fedora-directory-users] Re: Need help syncing between Active, Directory and FDS
In-Reply-To: <4450D997.8080501@arbor.edu>
References: <20060427143821.793817353C@hormel.redhat.com> <4450D997.8080501@arbor.edu>
Message-ID: <1146231487.5150.80.camel@itse6848>

On Thu, 2006-04-27 at 10:47 -0400, Daniel Shackelford wrote:
> > Message: 8
> > Date: Thu, 27 Apr 2006 13:36:56 +0200
> > From: "Espen A. Stefansen"
> > Subject: [Fedora-directory-users] Need help syncing between Active
> > Directory and FDS
> > To: fedora-directory-users at redhat.com
> > Message-ID: <1146137816.5150.62.camel at itse6848>
> > Content-Type: text/plain

> > 4. Installed PassSync on a Windows Domain Controller (Windows 2003);
> > win.example.com.
> > - Values:
> > --- Hostname: fds.example.com
> > --- Port: 686
> > --- Username: cn=directory manager,cn=config
> > --- Cert Token: ?? (Should this be the password for the certificate?)
> > --- Search: dc=example,dc=com
> >
The username here has to be an OU-name in AD. But after looking carefully at
the DC I found out that it didn't run SSL. How to enable SSL on your DC,
have a look here:

http://support.microsoft.com/default.aspx?scid=kb;en-us;321051

After following this explanation and importing the certificate in FDS, the
connection was ok.

> > And then imported the certificates from fds.example.com
> >
> > 5. Started the console, and enabled "changelog" and "replica" as
> > "single master".
> >
> > 6. I then generated a "windows sync agreement".
> > - Values:
> > --- domain: example.com
> > --- DCH: win.example.com
> > --- Enabled SSL
> > --- Bind as: cn=directory manager,cn=config
The same goes here. The username must be in AD.
> >
> >
> It looks like you are using the FDS Directory Manager account, rather
> than a valid AD account. You will need to use an AD account that has
> the ability to create/update entries.

I'm using a valid AD account now.
> > When I try to do a full sync, it says it can't find the LDAP-server,
> > error 81. Does that mean the FDS-server?

So now it's starting to synchronize, but nothing shows up in the database
in the console. Do I have to initialize the database as well? Or is there
something else I have to do in the console?

It also gives me the following error in the error log:
"Replica has no update vector. It has never been initialized."

Any ideas?

> > Does anyone have any idea on what might be wrong? And have I installed
> > it correctly?
> >
> > Regards
> > Espen Stefansen

Regards
Espen

From rmeggins at redhat.com Fri Apr 28 14:27:00 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 28 Apr 2006 08:27:00 -0600
Subject: [Fedora-directory-users] mailAlternateAddress
In-Reply-To: <1146228135.6398.56.camel@lin-workstation.azapple.com>
References: <1146228135.6398.56.camel@lin-workstation.azapple.com>
Message-ID: <44522634.3000901@redhat.com>

Craig White wrote:
> I wanted to import the 'misc' schema from openldap so I could use
> mailLocalAddress and fedora-ds didn't like that since there was a
> collision at "2.16.840.1.113730.3.1.13" - where:
>
> # grep
> "2.16.840.1.113730.3.1.13" /opt/fedora-ds/slapd-srv1/config/schema/*
> /opt/fedora-ds/slapd-srv1/config/schema/50ns-calendar.ldif:attributeTypes: ( 2.16.840.1.113730.3.1.130 NAME 'nsCalRefreshPrefs' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Calendar Server' )
> /opt/fedora-ds/slapd-srv1/config/schema/50ns-calendar.ldif:attributeTypes: ( 2.16.840.1.113730.3.1.131 NAME 'nsCalResourceCapacity' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Calendar Server' )
> /opt/fedora-ds/slapd-srv1/config/schema/50ns-calendar.ldif:attributeTypes: ( 2.16.840.1.113730.3.1.132 NAME 'nsCalResourceNumber' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Calendar Server' )
> /opt/fedora-ds/slapd-srv1/config/schema/50ns-calendar.ldif:attributeTypes: ( 2.16.840.1.113730.3.1.133 NAME 'nsCalServerVersion' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Calendar Server' )
> /opt/fedora-ds/slapd-srv1/config/schema/50ns-calendar.ldif:attributeTypes: ( 2.16.840.1.113730.3.1.134 NAME 'nsCalSysopCanWritePassword' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Calendar Server' )
> /opt/fedora-ds/slapd-srv1/config/schema/50ns-calendar.ldif:attributeTypes: ( 2.16.840.1.113730.3.1.135 NAME 'nsCalTimezone' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Calendar Server' )
> /opt/fedora-ds/slapd-srv1/config/schema/50ns-calendar.ldif:attributeTypes: ( 2.16.840.1.113730.3.1.136 NAME 'nsCalXItemId' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Calendar Server' )
> /opt/fedora-ds/slapd-srv1/config/schema/50ns-compass.ldif:attributeTypes: ( 2.16.840.1.113730.3.1.137 NAME 'pipuid' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Compass Server' )
> /opt/fedora-ds/slapd-srv1/config/schema/50ns-compass.ldif:attributeTypes: ( 2.16.840.1.113730.3.1.138 NAME 'pipcompassservers' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Compass Server' )
> /opt/fedora-ds/slapd-srv1/config/schema/50ns-compass.ldif:attributeTypes: ( 2.16.840.1.113730.3.1.139 NAME 'pipuniqueid' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Compass Server' )
>
> /opt/fedora-ds/slapd-srv1/config/schema/50ns-mail.ldif:attributeTypes:
> ( 2.16.840.1.113730.3.1.13 NAME ( 'mailAlternateAddress' ) DESC
> 'Netscape Messaging Server 4.x defined attribute' SYNTAX
> 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Messaging Server
> 4.x' )
>
This is the problem.
You could either remove this attribute type, or change mailAlternateAddress to mailLocalAddress, or add mailLocalAddress as an alias for mailAlternateAddress. I don't think this file is used anymore (unless you have an old version of Netscape Messaging Server) so I think it should be safe to remove it if you need to. > But as I look through available attributes in the console, I cannot use > mailAlternateAddress and so I am stumped. > > How can I use such a beast? > > Craig > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Fri Apr 28 14:29:13 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Fri, 28 Apr 2006 08:29:13 -0600 Subject: [Fedora-directory-users] replicating configuration directotry (NetscapeRoot) In-Reply-To: <696934990604271935r53646904xd64d928c847fcc93@mail.gmail.com> References: <696934990604271935r53646904xd64d928c847fcc93@mail.gmail.com> Message-ID: <445226B9.1020201@redhat.com> Linux Admin wrote: > Folks, > Is it possible to set up multi-master replication of NetscapeRoot > configuration directory. > I have tried and I can successfully initialize subscribers from the > current configuration directory server. > However initialization of replication in opposite direction fails. > > Server 1 current conf dir -> Server 2: rplication sucsfull > o=NetscapeRoot is populated > Server 1 current conf dir <- Server 2: rplication failes with error: > Permission denied. 
Error code 3 Part of the problem is that, when you set up a second instance, the installer automatically enables pass through authentication for the console admin user, which allows that user to login as uid=admin,.....,o=NetscapeRoot on machines which do not have o=NetscapeRoot. So the first thing you need to do is to disable the pass through auth plugin (console -> directory console -> Configuration -> Plug-ins -> Pass Through -> uncheck the Enable box - then restart the server. > > on Server 2 I had to manully create NetscapeRoot database. > What am I missing?. Is it "idiot prrof" feature? > > Thanks in advance for any help > SysLin > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From sysadmin.linux at gmail.com Fri Apr 28 15:01:23 2006 From: sysadmin.linux at gmail.com (Linux Admin) Date: Fri, 28 Apr 2006 10:01:23 -0500 Subject: [Fedora-directory-users] replicating configuration directotry (NetscapeRoot) In-Reply-To: <445226B9.1020201@redhat.com> References: <696934990604271935r53646904xd64d928c847fcc93@mail.gmail.com> <445226B9.1020201@redhat.com> Message-ID: <696934990604280801v3d924cecvb0505c7f24757717@mail.gmail.com> Richard, Thanks, this is very good. I do not want to really disable it right now, I just want to have 2 way replication between Server 1 and Server 2, and used authenticate against server1. I would then setup in pluging authentication against both 1 and 2. Is this right way? Thank your very much for your time and advice. 
On 4/28/06, Richard Megginson wrote: > > Linux Admin wrote: > > Folks, > > Is it possible to set up multi-master replication of NetscapeRoot > > configuration directory. > > I have tried and I can successfully initialize subscribers from the > > current configuration directory server. > > However initialization of replication in opposite direction fails. > > > > Server 1 current conf dir -> Server 2: rplication sucsfull > > o=NetscapeRoot is populated > > Server 1 current conf dir <- Server 2: rplication failes with error: > > Permission denied. Error code 3 > Part of the problem is that, when you set up a second instance, the > installer automatically enables pass through authentication for the > console admin user, which allows that user to login as > uid=admin,.....,o=NetscapeRoot on machines which do not have > o=NetscapeRoot. So the first thing you need to do is to disable the > pass through auth plugin (console -> directory console -> Configuration > -> Plug-ins -> Pass Through -> uncheck the Enable box - then restart the > server. > > > > on Server 2 I had to manully create NetscapeRoot database. > > What am I missing?. Is it "idiot prrof" feature? > > > > Thanks in advance for any help > > SysLin > > > > ------------------------------------------------------------------------ > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From elias at hi.is Fri Apr 28 15:11:06 2006 From: elias at hi.is (=?ISO-8859-1?Q?El=EDas_Halld=F3r_=C1g=FAstsson?=) Date: Fri, 28 Apr 2006 15:11:06 +0000 Subject: [Fedora-directory-users] FDS to AD sync weirdness ... CN changes, unique constraints. 
Message-ID: <4452308A.6070200@hi.is> We are experimenting with Fedora Directory Server and trying to sync it to AD. Setting up SSL for both and initiating sync was successful. However, it seems that DN in AD is constructed from the CN, which is the full name. However, that's neigh impossible, since DN has a unique constraint, but full names are seldom unique, and particularly not here in Iceland. For example, my organization has at least 10 people called "Krist?n J?nsd?ttir". I regard AD as broken by design in this regard. My question is, can this be fixed? What would be the right way to approach this problem? -- El?as Halld?r ?g?stsson | Elias Halldor Agustsson Unix Kerfisstj?ri | Unix Systems Administrator Reiknistofnun H?sk?la ?slands | University of Iceland Computing Services http://elias.rhi.hi.is/ | +354 525 4903 From david_list at boreham.org Fri Apr 28 15:21:51 2006 From: david_list at boreham.org (David Boreham) Date: Fri, 28 Apr 2006 09:21:51 -0600 Subject: [Fedora-directory-users] FDS to AD sync weirdness ... CN changes, unique constraints. In-Reply-To: <4452308A.6070200@hi.is> References: <4452308A.6070200@hi.is> Message-ID: <4452330F.7010407@boreham.org> > I regard AD as broken by design in this regard. My question is, can > this be fixed? What would be the right way to approach this problem? Yes it's broken by design. As far as I know the way to work around it is to assign unique CN's (e.g. include middle initials, something like that). 
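The unique-CN workaround above, as an added example that is not code from the thread or from Fedora DS: it reads a constructed LDIF export, flags entries whose cn would collide as an AD RDN (compared case-insensitively), and emits modrdn changes that give each one a unique cn while keeping the full name as a second cn value. The dc=example,dc=is entries and the "_NN" suffix scheme are assumptions.

```python
from collections import defaultdict
# Constructed sample: FDS entries keyed by uid; two share the full name AD would use as RDN.
SAMPLE_LDIF = """\
dn: uid=kj1,ou=People,dc=example,dc=is
cn: Kristín Jónsdóttir

dn: uid=kj2,ou=People,dc=example,dc=is
cn: Kristín Jónsdóttir

dn: uid=eha,ou=People,dc=example,dc=is
cn: Elías Halldór Ágústsson
"""

def parse_ldif(text):
    """Minimal LDIF reader -> [(dn, {attr: [values]})]; joins folded lines,
    skips comments and base64 ('::') values (the sample has none)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, {}
    for line in lines + [""]:          # trailing "" flushes the last entry
        key, _, value = line.partition(":")
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
        elif not line.startswith("#") and not value.startswith(":"):
            key, value = key.strip().lower(), value.strip()
            if key == "dn":
                dn = value
            else:
                attrs.setdefault(key, []).append(value)
    return entries

def find_cn_collisions(entries):
    """cn (case-folded, as AD compares it) -> DNs, for names shared by >1 entry."""
    by_cn = defaultdict(list)
    for dn, attrs in entries:
        for cn in attrs.get("cn", []):
            by_cn[cn.casefold()].append(dn)
    return {cn: dns for cn, dns in by_cn.items() if len(dns) > 1}

def propose_unique_cns(entries):
    """{dn: (unique_cn, full_name)} per colliding entry; "_NN" is an assumed scheme."""
    collisions, plan = find_cn_collisions(entries), {}
    for dn, attrs in entries:
        full_name = attrs["cn"][0]
        dns = collisions.get(full_name.casefold())
        if dns:
            plan[dn] = ("%s_%02d" % (full_name, dns.index(dn)), full_name)
    return plan

def to_modrdn_ldif(plan):
    """modrdn changes: deleteoldrdn: 0 keeps uid, and the server adds the new
    cn value beside the existing full name, giving a multi-valued cn."""
    out = []
    for dn, (unique_cn, _full) in plan.items():
        rdn = "".join("\\" + c if c in ',+"\\<>;' else c for c in unique_cn)
        out.append("dn: %s\nchangetype: modrdn\nnewrdn: cn=%s\ndeleteoldrdn: 0\n"
                   % (dn, rdn))                 # RFC 4514-escaped RDN value
    return "\n".join(out)
```

Run the resulting LDIF through ldapmodify against a test instance first; the unique cn is what the AD side will then see as the RDN.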
From rmeggins at redhat.com Fri Apr 28 15:26:05 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Fri, 28 Apr 2006 09:26:05 -0600 Subject: [Fedora-directory-users] replicating configuration directotry (NetscapeRoot) In-Reply-To: <696934990604280801v3d924cecvb0505c7f24757717@mail.gmail.com> References: <696934990604271935r53646904xd64d928c847fcc93@mail.gmail.com> <445226B9.1020201@redhat.com> <696934990604280801v3d924cecvb0505c7f24757717@mail.gmail.com> Message-ID: <4452340D.20205@redhat.com>

Linux Admin wrote:
> Richard,
> Thanks, this is very good.
> I do not want to really disable it right now,

I think you may need to disable it on the replica in order to make replication work.

> I just want to have 2-way replication between Server 1 and Server 2,
> and use authentication against server1. I would then set up in the plugin
> authentication against both 1 and 2. Is this the right way?
> Thank you very much for your time and advice.

From sysadmin.linux at gmail.com Fri Apr 28 15:33:37 2006 From: sysadmin.linux at gmail.com (Linux Admin) Date: Fri, 28 Apr 2006 10:33:37 -0500 Subject: [Fedora-directory-users] replicating configuration directotry (NetscapeRoot) In-Reply-To: <4452340D.20205@redhat.com> References: <696934990604271935r53646904xd64d928c847fcc93@mail.gmail.com> <445226B9.1020201@redhat.com> <696934990604280801v3d924cecvb0505c7f24757717@mail.gmail.com> <4452340D.20205@redhat.com> Message-ID: <696934990604280833w48492228q4c634fb02cbacee0@mail.gmail.com>

Richard,
Thanks, let me try.
I am surprised there is no documentation at all on NetScape root replication.
Your help is very much appreciated

On 4/28/06, Richard Megginson wrote:
> I think you may need to disable it on the replica in order to make
> replication work.

From gholbert at broadcom.com Fri Apr 28 18:32:50 2006 From: gholbert at broadcom.com (George Holbert) Date: Fri, 28 Apr 2006 11:32:50 -0700 Subject: [Fedora-directory-users] FDS to AD sync weirdness ... CN changes, unique constraints. In-Reply-To: <4452308A.6070200@hi.is> References: <4452308A.6070200@hi.is> Message-ID: <44525FD2.60704@broadcom.com>

Elias,
I agree with you that AD is wrong on this. I believe that CN is a multivalued attribute (at least in FDS). So, if it's any help, you could have unique CNs that are used in the entries' DNs, and optionally have additional CNs that may not be unique.

e.g.,
dn: cn=Kristín Jónsdóttir_00,ou=people,dc=example,dc=edu
cn: Kristín Jónsdóttir_00
cn: Kristín Jónsdóttir
telephoneNumber: 123-456-7890
...

The "_00" unique suffix is just an example, you could use whatever you like of course.

Elías Halldór Ágústsson wrote:
> We are experimenting with Fedora Directory Server and trying to sync
> it to AD.
>
> Setting up SSL for both and initiating sync was successful.
>
> However, it seems that DN in AD is constructed from the CN, which is
> the full name. However, that's nigh impossible, since DN has a unique
> constraint, but full names are seldom unique, and particularly not
> here in Iceland. For example, my organization has at least 10 people
> called "Kristín Jónsdóttir".
>
> I regard AD as broken by design in this regard. My question is, can
> this be fixed? What would be the right way to approach this problem?

From b.j.smith at ieee.org Fri Apr 28 22:15:40 2006 From: b.j.smith at ieee.org (Bryan J. Smith) Date: Fri, 28 Apr 2006 15:15:40 -0700 (PDT) Subject: [Fedora-directory-users] [OT] A call for input from directory server experts ... Message-ID: <20060428221540.57218.qmail@web34106.mail.mud.yahoo.com>

I'm helping head up development of a broad set of real-world objectives that covers Linux-based directory services. To this date, the early focus had only looked at OpenLDAP, prior to the FDS project's existence. Being a longer-term Netscape Directory Server administrator myself (and thank God that Red Hat bought it), I would like to change that by ensuring the objectives reflect "real-world" directory service capabilities in FDS as well as OpenLDAP.

So I'm looking for peer experts who have deployed NsDS/RHDS/FDS in the past, ideally with OpenLDAP (or other, general LDAP capabilities of another directory service) experience as well, to help build a set of objectives. FDS developers are welcome as well -- although if you are a Red Hat employee, I understand there might be a "conflict of interest" since Red Hat offers certification/training in its RHCA program.

These objectives would cover, in real-world tasks, what an enterprise Linux administrator should know about in deploying and maintaining LDAP (FDS, OpenLDAP, etc...) in an enterprise environment. If anything, it's a good opportunity to expose FDS to many people that assume OpenLDAP is the only option out there. And ensure it in a broad, vendor-neutral, peer-professional organization.

If you are interested, please contact me _off-list_.

--
Bryan J. Smith, LPIC-2, RHCE

--
Bryan J. Smith Professional, Technical Annoyance
b.j.smith at ieee.org http://thebs413.blogspot.com
-----------------------------------------------------------
Americans don't get upset because citizens in some foreign nations can burn the American flag -- Americans get upset because citizens in those same nations can't burn their own

From mikael.kermorgant at gmail.com Sun Apr 30 14:23:53 2006 From: mikael.kermorgant at gmail.com (Mikael Kermorgant) Date: Sun, 30 Apr 2006 16:23:53 +0200 Subject: [Fedora-directory-users] referential integrity checks for disactivated users Message-ID: <9711147e0604300723g2d7f5be1u4de23dc2685c56b6@mail.gmail.com>

Hello,

I'm interested in the Referential Integrity plugin for updating groups when a user is deactivated. My problem is that deactivated users are not deleted but moved from "ou=People" to "ou=disabled".

Would you have an idea of how to use Referential Integrity with this way of handling users?

Thanks,
--
Mikael Kermorgant