From pkime at Shopzilla.com Fri Dec 1 02:02:55 2006 From: pkime at Shopzilla.com (Philip Kime) Date: Thu, 30 Nov 2006 18:02:55 -0800 Subject: [Fedora-directory-users] Problem with SSL console in X in specific circumstances Message-ID: <9C0091F428E697439E7A773FFD083427435BE3@szexchange.Shopzilla.inc> Here's the problem: Running startconsole (SSL) to a remote display on a PC X-server (xwin32) works fine and requires that my windows home dir on the PC X-server machine has .fedora-console/ containing cert8.db and key3.db, as you'd expect. If I rename this dir, the console hangs at the splash screen. So far, so good, all makes sense. If I try the same thing to cygwin's X server on same machine or to an X server on a Mac running OSX, startconsole always hangs as if it can't find ~/.fedora-console on the local machine. I've tried copying this dir to what cygwin/OSX thinks is the user's home dir but no luck. Where should I put the Cert db files under "real" UNIX X to get the SSL console to work? Also tried ~/.mmc as per the docs but I could never get this to work. PK -- Philip Kime NOPS Systems Architect 310 401 0407 -------------- next part -------------- An HTML attachment was scrubbed... URL: From Darren.Paxton at mercer.com Fri Dec 1 08:04:30 2006 From: Darren.Paxton at mercer.com (Paxton, Darren) Date: Fri, 1 Dec 2006 08:04:30 -0000 Subject: FW: [Fedora-directory-users] Extracting details from ActiveDirectoryto FDS Message-ID: <52F7C07B119CF4439B7EFBFE0FB3256B027CBD02@eidwpexms06.mercer.com> Apologies for mailing yet again, however either my messages are not getting through (something I don't believe as I keep getting the post to the mailing list) - or for some reason, no one is willing to even acknowledge my issue. In the spirit of the community - can someone at least acknowledge a message as I find it quite disheartening that I have had no replies at all even if just to point me somewhere for assistance. 
________________________________ From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Paxton, Darren Sent: 30 November 2006 08:46 To: General discussion list for the Fedora Directory server project. Subject: RE: [Fedora-directory-users] Extracting details from ActiveDirectoryto FDS Hi Has anyone had any thoughts on my query or can point me in the right direction? As is the nature of AD, I would have thought it is possible to extract this information using a scope setting or something similar. Thanks Darren ________________________________ From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Paxton, Darren Sent: 24 November 2006 14:56 To: fedora-directory-users at redhat.com Subject: [Fedora-directory-users] Extracting details from Active Directoryto FDS Hi all, I've been tinkering with integrating our Linux devices into our AD domain for some time and I've hit a few brick walls, however I've recently discovered FDS and the synchronisation features with AD. I've managed to set up a few replication jobs, however due to the extensive nature of our AD, I've realised that the sync only takes the group and user objects from the OU or CN being specified. Is there any way I can specify that it should traverse all subtrees of an OU and extract all that information back into FDS? Thanks Darren -- Darren Paxton EMEA Tier2 Red Hat Certified Engineer VMware Certified Professional MGTI Centralised ops This e-mail and any attachments may be confidential or legally privileged.If you received this message in error or are not the intended recipient, you should destroy the email message and any attachments or copies, and you are prohibited from retaining, distributing, disclosing or using any information contained herein. Please inform us of the erroneous delivery by return e-mail. Thank you for your co-operation. 
Mercer Human Resource Consulting Limited is authorised and regulated by the Financial Services Authority. Registered in England No. 984275. Registered Office: 1 Tower Place West, Tower Place, London, EC3R 5BU. -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: ATT5932195.txt URL: From tchen_pat at yahoo.fr Fri Dec 1 08:10:42 2006 From: tchen_pat at yahoo.fr (patrick ndjientcheu ngandjui) Date: Fri, 1 Dec 2006 08:10:42 +0000 (GMT) Subject: [Fedora-directory-users] alias in fedora directory server Message-ID: <20061201081042.78578.qmail@web25801.mail.ukl.yahoo.com> Hi, I would like to know how to use aliases in Fedora Directory Server. It seems that they are used to point to another entry in the directory, but I don't know how to use this feature. Can someone help me with this issue? I would really appreciate an example. Thanks ___________________________________________________________________________ Discover a new way to get answers to all your questions! Take advantage of the knowledge, opinions and experiences of other users on Yahoo! Questions/Réponses http://fr.answers.yahoo.com -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From nicholas.byrne at quadriga.com Fri Dec 1 11:50:13 2006 From: nicholas.byrne at quadriga.com (Nicholas Byrne) Date: Fri, 01 Dec 2006 11:50:13 +0000 Subject: FW: [Fedora-directory-users] Extracting details from ActiveDirectoryto FDS In-Reply-To: <52F7C07B119CF4439B7EFBFE0FB3256B027CBD02@eidwpexms06.mercer.com> References: <52F7C07B119CF4439B7EFBFE0FB3256B027CBD02@eidwpexms06.mercer.com> Message-ID: <457016F5.5030202@quadriga.com> Your messages got through - you can confirm by checking the archives - https://www.redhat.com/archives/fedora-directory-users/ I'm a new user as well so i'm afraid i can't answer your question, but if you keep asking i'm sure someone will know! Nick Paxton, Darren wrote: > Apologies for mailing yet again, however either my messages are not > getting through (something I don't believe as I keep getting the post > to the mailing list) - or for some reason, no one is willing to even > acknowledge my issue. > > In the spirit of the community - can someone at least acknowledge a > message as I find it quite disheartening that I have had no replies at > all even if just to point me somewhere for assistance. > > ------------------------------------------------------------------------ > *From:* fedora-directory-users-bounces at redhat.com > [mailto:fedora-directory-users-bounces at redhat.com] *On Behalf Of > *Paxton, Darren > *Sent:* 30 November 2006 08:46 > *To:* General discussion list for the Fedora Directory server project. > *Subject:* RE: [Fedora-directory-users] Extracting details from > ActiveDirectoryto FDS > > Hi > > Has anyone had any thoughts on my query or can point me in the right > direction? > > As is the nature of AD, I would have thought it is possible to extract > this information using a scope setting or something similar. 
> > Thanks > > Darren > > ------------------------------------------------------------------------ > *From:* fedora-directory-users-bounces at redhat.com > [mailto:fedora-directory-users-bounces at redhat.com] *On Behalf Of > *Paxton, Darren > *Sent:* 24 November 2006 14:56 > *To:* fedora-directory-users at redhat.com > *Subject:* [Fedora-directory-users] Extracting details from Active > Directoryto FDS > > Hi all, > > I've been tinkering with integrating our Linux devices into our AD > domain for some time and I've hit a few brick walls, however I've > recently discovered FDS and the synchronisation features with AD. > > I've managed to set up a few replication jobs, however due to the > extensive nature of our AD, I've realised that the sync only takes > the group and user objects from the OU or CN being specified. > > Is there any way I can specify that it should traverse all > subtrees of an OU and extract all that information back into FDS? > > Thanks > > Darren > > -- > Darren Paxton > EMEA Tier2 > Red Hat Certified Engineer > VMware Certified Professional > MGTI Centralised ops > > > This e-mail and any attachments may be confidential or legally > privileged.If you received this message in error or are not the > intended recipient, you should destroy the email message and any > attachments or copies, and you are prohibited from retaining, > distributing, disclosing or using any information contained herein. > Please inform us of the erroneous delivery by return e-mail. Thank you > for your co-operation. > > Mercer Human Resource Consulting Limited is authorised and regulated > by the Financial Services Authority. Registered in England No. 984275. > Registered Office: 1 Tower Place West, Tower Place, London, EC3R 5BU. 
> > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > This e-mail is the property of Quadriga Worldwide Ltd, intended for the addressee only and confidential. Any dissemination, copying or distribution of this message or any attachments is strictly prohibited. If you have received this message in error, please notify us immediately by replying to the message and deleting it from your computer. Messages sent to and from Quadriga may be monitored. Quadriga cannot guarantee any message delivery method is secure or error-free. Information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. We do not accept responsibility for any errors or omissions in this message and/or attachment that arise as a result of transmission. You should carry out your own virus checks before opening any attachment. Any views or opinions presented are solely those of the author and do not necessarily represent those of Quadriga. From koniczynek at uaznia.net Fri Dec 1 15:45:28 2006 From: koniczynek at uaznia.net (koniczynek) Date: Fri, 01 Dec 2006 16:45:28 +0100 Subject: [Fedora-directory-users] Memory usage In-Reply-To: <456EFCAC.7010207@redhat.com> References: <456E97F7.2050604@uaznia.net> <456EFCAC.7010207@redhat.com> Message-ID: <45704E18.3070705@uaznia.net> Richard Megginson wrote: > This is an excellent cache/memory tuning document from a Sun employee, > primarily targeted to Sun DS users, but almost all of the information is > relevant to Fedora DS (since they share a common lineage). 
> > http://www.directorymanager.org/blogs/ds_cache_sizing.pdf Let's say I haven't got much time lately, so without thinking I've changed in dse.ldif nsslapd-import-cache-autosize from -1 to 1 and after restarting I've started to receive errors like: "3 Time limit exceeded" Does someone know what to do? ;) -- xmpp/email: koniczynek at uaznia.net xmpp/email: koniczynek at gmail.com From david_list at boreham.org Fri Dec 1 16:15:14 2006 From: david_list at boreham.org (David Boreham) Date: Fri, 01 Dec 2006 09:15:14 -0700 Subject: [Fedora-directory-users] Memory usage In-Reply-To: <45704E18.3070705@uaznia.net> References: <456E97F7.2050604@uaznia.net> <456EFCAC.7010207@redhat.com> <45704E18.3070705@uaznia.net> Message-ID: <45705512.4070808@boreham.org> koniczynek wrote: > Richard Megginson wrote: > >> This is an excellent cache/memory tuning document from a Sun >> employee, primarily targeted to Sun DS users, but almost all of the >> information is relevant to Fedora DS (since they share a common >> lineage). >> >> http://www.directorymanager.org/blogs/ds_cache_sizing.pdf > > Let's say I haven't got much time lately, so without thinking I've > changed in dse.ldif > nsslapd-import-cache-autosize from -1 to 1 and after restarting I've > started to receive errors like: "3 Time limit exceeded" Does someone > know what to do? ;) > Change it back ? 
From koniczynek at uaznia.net Fri Dec 1 16:53:22 2006 From: koniczynek at uaznia.net (koniczynek) Date: Fri, 01 Dec 2006 17:53:22 +0100 Subject: [Fedora-directory-users] Memory usage In-Reply-To: <45705512.4070808@boreham.org> References: <456E97F7.2050604@uaznia.net> <456EFCAC.7010207@redhat.com> <45704E18.3070705@uaznia.net> <45705512.4070808@boreham.org> Message-ID: <45705E02.7020709@uaznia.net> David Boreham wrote on 2006-12-01 17:15: >> Let's say I haven't got much time lately, so without thinking I've >> changed in dse.ldif >> nsslapd-import-cache-autosize from -1 to 1 and after restarting I've >> started to receive errors like: "3 Time limit exceeded" Does someone >> know what to do? ;) > Change it back ? man, please, show some respect ;) I did change it back, but to no avail. Also I can say (to stop further questions): yes, I've stopped the server before the change. -- email/xmpp: koniczynek at uaznia.net From nicholas.byrne at quadriga.com Fri Dec 1 17:05:09 2006 From: nicholas.byrne at quadriga.com (Nicholas Byrne) Date: Fri, 01 Dec 2006 17:05:09 +0000 Subject: [Fedora-directory-users] Windows Sync without Domain Admin? Message-ID: <457060C5.9090700@quadriga.com> Hi all, Is it possible to do a synchronisation of a Windows peer without the Windows user who I use to bind being a domain admin? I have a read-only user with which I can run ldapsearch and find all users' data in the AD directory, but using the same user to sync with fails. The replication status says "total update completed" but I see no updates to my FDS directory. If I modify this user in AD to be a domain admin it works correctly, but what I want to know is why can't I use a read-only user to sync? Is there any way around this? Thanks Nick This e-mail is the property of Quadriga Worldwide Ltd, intended for the addressee only and confidential. Any dissemination, copying or distribution of this message or any attachments is strictly prohibited. 
If you have received this message in error, please notify us immediately by replying to the message and deleting it from your computer. Messages sent to and from Quadriga may be monitored. Quadriga cannot guarantee any message delivery method is secure or error-free. Information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. We do not accept responsibility for any errors or omissions in this message and/or attachment that arise as a result of transmission. You should carry out your own virus checks before opening any attachment. Any views or opinions presented are solely those of the author and do not necessarily represent those of Quadriga. From rmeggins at redhat.com Fri Dec 1 16:23:47 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Fri, 01 Dec 2006 09:23:47 -0700 Subject: [Fedora-directory-users] Windows Sync without Domain Admin? In-Reply-To: <457060C5.9090700@quadriga.com> References: <457060C5.9090700@quadriga.com> Message-ID: <45705713.8060106@redhat.com> Nicholas Byrne wrote: > Hi all, > > Is it possible to do a syncronisation of a windows peer without the > windows user who i use to bind being a domain admin? I have a read > only user with which i can run ldapsearch and find all users data in > the AD directory but using the same user to sync with fails. The > replication status says "total update completed" but i see no updates > to the my FDS directory. > > If i modify this user in AD to be a domain admin it works correctly, > but what i want to know is why can't i use a read-only user to sync? > Is there any way around this? Because in order for sync to work, Fedora DS must be able to modify the AD data, to send updates to AD. Windows Sync is bi-directional, and cannot be changed to uni-directional (at least, not without a lot of hacking). You do not have to use the Domain Admin user. You can create another user which has the ability to read-write the AD data. 
> > Thanks > Nick > > > > This e-mail is the property of Quadriga Worldwide Ltd, intended for > the addressee only and confidential. Any dissemination, copying or > distribution of this message or any attachments is strictly prohibited. > > If you have received this message in error, please notify us > immediately by replying to the message and deleting it from your > computer. > > Messages sent to and from Quadriga may be monitored. > > Quadriga cannot guarantee any message delivery method is secure or > error-free. Information could be intercepted, corrupted, lost, > destroyed, arrive late or incomplete, or contain viruses. > > We do not accept responsibility for any errors or omissions in this > message and/or attachment that arise as a result of transmission. > > You should carry out your own virus checks before opening any attachment. > > Any views or opinions presented are solely those of the author and do > not necessarily represent those of Quadriga. > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Fri Dec 1 16:58:01 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Fri, 01 Dec 2006 09:58:01 -0700 Subject: [Fedora-directory-users] Extracting details from Active Directoryto FDS In-Reply-To: <52F7C07B119CF4439B7EFBFE0FB3256B027CBC5D@eidwpexms06.mercer.com> References: <52F7C07B119CF4439B7EFBFE0FB3256B027CBC5D@eidwpexms06.mercer.com> Message-ID: <45705F19.2090505@redhat.com> Paxton, Darren wrote: > Hi > > Has anyone had any thoughts on my query or can point me in the right > direction? > > As is the nature of AD, I would have thought it is possible to extract > this information using a scope setting or something similar. 
Fedora DS can currently only sync simple user, group, and password information. Have you tried specifying a sync DN like "dc=domain,dc=com" instead of "cn=Users,dc=domain,dc=com"? > > Thanks > > Darren > > ------------------------------------------------------------------------ > *From:* fedora-directory-users-bounces at redhat.com > [mailto:fedora-directory-users-bounces at redhat.com] *On Behalf Of > *Paxton, Darren > *Sent:* 24 November 2006 14:56 > *To:* fedora-directory-users at redhat.com > *Subject:* [Fedora-directory-users] Extracting details from Active > Directoryto FDS > > Hi all, > > I've been tinkering with integrating our Linux devices into our AD > domain for some time and I've hit a few brick walls, however I've > recently discovered FDS and the synchronisation features with AD. > > I've managed to set up a few replication jobs, however due to the > extensive nature of our AD, I've realised that the sync only takes > the group and user objects from the OU or CN being specified. > > Is there any way I can specify that it should traverse all > subtrees of an OU and extract all that information back into FDS? > > Thanks > > Darren > > -- > Darren Paxton > EMEA Tier2 > Red Hat Certified Engineer > VMware Certified Professional > MGTI Centralised ops > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Fri Dec 1 16:58:27 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Fri, 01 Dec 2006 09:58:27 -0700 Subject: [Fedora-directory-users] alias in fedora directory server In-Reply-To: <20061201081042.78578.qmail@web25801.mail.ukl.yahoo.com> References: <20061201081042.78578.qmail@web25801.mail.ukl.yahoo.com> Message-ID: <45705F33.9090506@redhat.com> patrick ndjientcheu ngandjui wrote: > Hi, > I would like to know how to use aliases in Fedora Directory Server. It > seems that they are used to point to another entry in the directory, but > I don't know how to use this feature. Can someone help me with this > issue? I would really appreciate an example. Fedora DS does not support aliases. > > Thanks > > ------------------------------------------------------------------------ > Discover a new way to get answers to all your > questions! Take advantage of the knowledge, opinions and > experiences of other users on Yahoo! Questions/Réponses > . > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Fri Dec 1 17:00:37 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Fri, 01 Dec 2006 10:00:37 -0700 Subject: [Fedora-directory-users] Memory usage In-Reply-To: <45705E02.7020709@uaznia.net> References: <456E97F7.2050604@uaznia.net> <456EFCAC.7010207@redhat.com> <45704E18.3070705@uaznia.net> <45705512.4070808@boreham.org> <45705E02.7020709@uaznia.net> Message-ID: <45705FB5.8090104@redhat.com> koniczynek wrote: > David Boreham wrote on 2006-12-01 17:15: > >>> Let's say I haven't got much time lately, so without thinking I've >>> changed in dse.ldif >>> nsslapd-import-cache-autosize from -1 to 1 and after restarting I've >>> started to receive errors like: "3 Time limit exceeded" Does someone >>> know what to do? ;) >>> >> Change it back ? >> > man, please, show some respect ;) I did change it back, but to no avail. > Also I can say (to stop further questions): yes, I've stopped the server > before the change. > What types of searches are returning time limit exceeded? Can you post relevant excerpts from the access and error logs? -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From david_list at boreham.org Fri Dec 1 18:05:32 2006 From: david_list at boreham.org (David Boreham) Date: Fri, 01 Dec 2006 11:05:32 -0700 Subject: [Fedora-directory-users] Windows Sync without Domain Admin? In-Reply-To: <457060C5.9090700@quadriga.com> References: <457060C5.9090700@quadriga.com> Message-ID: <45706EEC.3080007@boreham.org> Nicholas Byrne wrote: > Is it possible to do a synchronisation of a Windows peer without the > Windows user who I use to bind being a domain admin? No. 
I'm not 100% sure, but I believe you need to be a domain admin to use the dirsync control, which FDS uses to pull entries from AD. If that isn't the problem then I'm not sure what's going on. You certainly need to bind as a domain admin to modify passwords in AD, but from your description of the problem you're not expecting that to work anyway, just the AD->FDS entry sync functionality. Note that because passwords are modified with a separate operation, outbound sync (sans passwords) should still work if the bind identity is not a domain admin (but has rights to modify the target entries). From gholbert at broadcom.com Fri Dec 1 18:47:21 2006 From: gholbert at broadcom.com (George Holbert) Date: Fri, 01 Dec 2006 10:47:21 -0800 Subject: FW: [Fedora-directory-users] Extracting details from ActiveDirectoryto FDS In-Reply-To: <52F7C07B119CF4439B7EFBFE0FB3256B027CBD02@eidwpexms06.mercer.com> References: <52F7C07B119CF4439B7EFBFE0FB3256B027CBD02@eidwpexms06.mercer.com> Message-ID: <457078B9.5050704@broadcom.com> > I've realised that the sync only takes the group and user objects from > the OU or CN being specified. Hi Darren, As you noticed, the PassSync service isn't really intended to sync arbitrary data from AD to FDS. Probably most people haven't yet tried to use it for this purpose, so no one has a good answer for you. Browsing the source code might shed some light as to whether it can be made to do what you want. PassSync is in the fedora-ds source, which can be downloaded from: http://directory.fedora.redhat.com/wiki/Download Good luck! Paxton, Darren wrote: > Apologies for mailing yet again, however either my messages are not > getting through (something I don't believe as I keep getting the post > to the mailing list) - or for some reason, no one is willing to even > acknowledge my issue. 
> > In the spirit of the community - can someone at least acknowledge a > message as I find it quite disheartening that I have had no replies at > all even if just to point me somewhere for assistance. > > ------------------------------------------------------------------------ > ** From voltaire at idirect.com Fri Dec 1 20:33:37 2006 From: voltaire at idirect.com (Jeffrey C. Rombough) Date: Fri, 1 Dec 2006 15:33:37 -0500 Subject: [Fedora-directory-users] unsubscribe In-Reply-To: <457078B9.5050704@broadcom.com> Message-ID: <022501c71588$0e0ae8c0$640a0a0a@andromeda> -----Original Message----- From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of George Holbert Sent: December 1, 2006 1:47 PM To: General discussion list for the Fedora Directory server project. Subject: Re: FW: [Fedora-directory-users] Extracting details fromActiveDirectoryto FDS > I've realised that the sync only takes the group and user objects from > the OU or CN being specified. Hi Darren, As you noticed, the PassSync service isn't really intended to sync arbitrary data from AD to FDS. Probably most people haven't yet tried to use it for this purpose, so no one has a good answer for you. Browsing the source code might shed some light as to whether it can be made to do what you want. PassSync is in the fedora-ds source, which can be downloaded from: http://directory.fedora.redhat.com/wiki/Download Good luck! Paxton, Darren wrote: > Apologies for mailing yet again, however either my messages are not > getting through (something I don't believe as I keep getting the post > to the mailing list) - or for some reason, no one is willing to even > acknowledge my issue. > > In the spirit of the community - can someone at least acknowledge a > message as I find it quite disheartening that I have had no replies at > all even if just to point me somewhere for assistance. 
> > ---------------------------------------------------------------------- > -- > ** -- Fedora-directory-users mailing list Fedora-directory-users at redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users From mxheadroom at hotmail.com Fri Dec 1 20:14:31 2006 From: mxheadroom at hotmail.com (t b) Date: Fri, 01 Dec 2006 15:14:31 -0500 Subject: [Fedora-directory-users] RE: Fedora-directory-users Digest, Vol 19, Issue 1 In-Reply-To: <20061201170006.3ED9F73857@hormel.redhat.com> Message-ID: My logs seem to indicate that the connection is being encrypted; I can ssh to a client server and get the password prompt, but when I enter the password it just returns me to the password prompt again [01/Dec/2006:19:47:44 -0500] conn=650 fd=69 slot=69 connection from xxx.xxx.xxx.xxx to xxx.xxx.xxx.xxx [01/Dec/2006:19:47:44 -0500] conn=650 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS" [01/Dec/2006:19:47:44 -0500] conn=650 op=0 RESULT err=0 tag=120 nentries=0 etime=0 [01/Dec/2006:19:47:44 -0500] conn=650 SSL 256-bit AES [01/Dec/2006:19:47:44 -0500] conn=650 op=1 UNBIND [01/Dec/2006:19:47:44 -0500] conn=650 op=1 fd=69 closed - U1 If I disable TLS everything works fine, the client server can query the FDS and auth the client properly I am not sure if the problem has to do with the pam_ldap not properly formatted or the cert file not in proper format Does anyone have an example of what the pam_ldap config should look like? or suggestions on checking whether the cert file is in proper format Also what's the UNBIND shown in the logs? 
Thanks >From: fedora-directory-users-request at redhat.com >Reply-To: fedora-directory-users at redhat.com >To: fedora-directory-users at redhat.com >Subject: Fedora-directory-users Digest, Vol 19, Issue 1 >Date: Fri, 1 Dec 2006 12:00:06 -0500 (EST) > >Send Fedora-directory-users mailing list submissions to > fedora-directory-users at redhat.com > >To subscribe or unsubscribe via the World Wide Web, visit > https://www.redhat.com/mailman/listinfo/fedora-directory-users >or, via email, send a message with subject or body 'help' to > fedora-directory-users-request at redhat.com > >You can reach the person managing the list at > fedora-directory-users-owner at redhat.com > >When replying, please edit your Subject line so it is more specific >than "Re: Contents of Fedora-directory-users digest..." > > >Today's Topics: > > 1. pam_ldap with SSL/TLS (t b) > 2. RE: pam_ldap with SSL/TLS (Morris, Patrick) > 3. Re: pam_ldap with SSL/TLS (Richard Megginson) > 4. Problem with SSL console in X in specific circumstances > (Philip Kime) > 5. FW: [Fedora-directory-users] Extracting details from > ActiveDirectoryto FDS (Paxton, Darren) > 6. alias in fedora directory server (patrick ndjientcheu ngandjui) > 7. Re: FW: [Fedora-directory-users] Extracting details from > ActiveDirectoryto FDS (Nicholas Byrne) > 8. Re: Memory usage (koniczynek) > 9. Re: Memory usage (David Boreham) > 10. 
Re: Memory usage (koniczynek)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 30 Nov 2006 12:31:50 -0500
> From: "t b"
> Subject: [Fedora-directory-users] pam_ldap with SSL/TLS
> To: fedora-directory-users at redhat.com
> Message-ID:
> Content-Type: text/plain; format=flowed
>
> I am trying to set up pam_ldap to use TLS to communicate with the FDS, but
> I'm having lots of problems doing so; it works if I use the unencrypted way but
> not if I use ldaps (port 636).
>
> I used the instructions at
> http://directory.fedora.redhat.com/wiki/Howto:PAM
>
> Has anyone gotten PAM to work with TLS?
>
> Thanks
>
> ------------------------------
>
> Message: 2
> Date: Thu, 30 Nov 2006 13:00:56 -0500
> From: "Morris, Patrick"
> Subject: RE: [Fedora-directory-users] pam_ldap with SSL/TLS
> To: "General discussion list for the Fedora Directory server project."
> Message-ID:
> Content-Type: text/plain; charset="US-ASCII"
>
> > I am trying to set up pam_ldap to use TLS to communicate with
> > the FDS, but I'm having lots of problems doing so; it works if I
> > use the unencrypted way but not if I use ldaps (port 636).
>
> Someone should jump in here and correct me if I'm wrong, but I believe
> it's normal for TLS connections to happen on the standard LDAP port.
> You should be able to tell from your logs whether the connection is
> encrypted or not.
>
> ------------------------------
>
> Message: 3
> Date: Thu, 30 Nov 2006 11:08:08 -0700
> From: Richard Megginson
> Subject: Re: [Fedora-directory-users] pam_ldap with SSL/TLS
> To: "General discussion list for the Fedora Directory server project."
> Message-ID: <456F1E08.40601 at redhat.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Morris, Patrick wrote:
> >> I am trying to set up pam_ldap to use TLS to communicate with
> >> the FDS, but I'm having lots of problems doing so; it works if I
> >> use the unencrypted way but not if I use ldaps (port 636).
> >
> > Someone should jump in here and correct me if I'm wrong, but I believe
> > it's normal for TLS connections to happen on the standard LDAP port.
> > You should be able to tell from your logs whether the connection is
> > encrypted or not.
>
> Yes. The LDAP "preferred" way is to use the startTLS extended operation,
> which starts a TLS session on the non-secure port. This will be logged
> in the access log.
>
> > --
> > Fedora-directory-users mailing list
> > Fedora-directory-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: smime.p7s
> Type: application/x-pkcs7-signature
> Size: 3178 bytes
> Desc: S/MIME Cryptographic Signature
> Url : https://www.redhat.com/archives/fedora-directory-users/attachments/20061130/0634e78a/smime.bin
>
> ------------------------------
>
> Message: 4
> Date: Thu, 30 Nov 2006 18:02:55 -0800
> From: "Philip Kime"
> Subject: [Fedora-directory-users] Problem with SSL console in X in
>  specific circumstances
> To:
> Message-ID: <9C0091F428E697439E7A773FFD083427435BE3 at szexchange.Shopzilla.inc>
> Content-Type: text/plain; charset="us-ascii"
>
> Here's the problem:
>
> Running startconsole (SSL) to a remote display on a PC X-server (xwin32)
> works fine and requires that my Windows home dir on the PC X-server
> machine has .fedora-console/ containing cert8.db and key3.db, as you'd
> expect. If I rename this dir, the console hangs at the splash screen. So
> far, so good, all makes sense.
>
> If I try the same thing to cygwin's X server on the same machine or to an X
> server on a Mac running OSX, startconsole always hangs as if it can't
> find ~/.fedora-console on the local machine. I've tried copying this dir
> to what cygwin/OSX thinks is the user's home dir but no luck. Where
> should I put the cert db files under "real" UNIX X to get the SSL
> console to work? I also tried ~/.mmc as per the docs but I could never get
> this to work.
>
> PK
>
> --
> Philip Kime
> NOPS Systems Architect
> 310 401 0407
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: https://www.redhat.com/archives/fedora-directory-users/attachments/20061130/054ecbd6/attachment.html
>
> ------------------------------
>
> Message: 5
> Date: Fri, 1 Dec 2006 08:04:30 -0000
> From: "Paxton, Darren"
> Subject: FW: [Fedora-directory-users] Extracting details from
>  ActiveDirectoryto FDS
> To:
> Message-ID: <52F7C07B119CF4439B7EFBFE0FB3256B027CBD02 at eidwpexms06.mercer.com>
> Content-Type: text/plain; charset="us-ascii"
>
> Skipped content of type multipart/alternative
> -------------- next part --------------
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
> ------------------------------
>
> Message: 6
> Date: Fri, 1 Dec 2006 08:10:42 +0000 (GMT)
> From: patrick ndjientcheu ngandjui
> Subject: [Fedora-directory-users] alias in fedora directory server
> To: Fedora-directory-users at redhat.com
> Message-ID: <20061201081042.78578.qmail at web25801.mail.ukl.yahoo.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi,
> I would like to know how to use aliases in Fedora Directory Server. It seems
> that they are used to point to another entry in the directory, but I don't
> know how to use this feature. Could someone help me with this issue? I would
> really appreciate an example.
>
> Thanks
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: https://www.redhat.com/archives/fedora-directory-users/attachments/20061201/0fa54e4f/attachment.html
>
> ------------------------------
>
> Message: 7
> Date: Fri, 01 Dec 2006 11:50:13 +0000
> From: Nicholas Byrne
> Subject: Re: FW: [Fedora-directory-users] Extracting details from
>  ActiveDirectoryto FDS
> To: "General discussion list for the Fedora Directory server project."
> Message-ID: <457016F5.5030202 at quadriga.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Your messages got through - you can confirm by checking the archives -
> https://www.redhat.com/archives/fedora-directory-users/
>
> I'm a new user as well so I'm afraid I can't answer your question, but
> if you keep asking I'm sure someone will know!
> Nick
>
> Paxton, Darren wrote:
> > Apologies for mailing yet again, however either my messages are not
> > getting through (something I don't believe as I keep getting the post
> > to the mailing list) - or for some reason, no one is willing to even
> > acknowledge my issue.
> >
> > In the spirit of the community - can someone at least acknowledge a
> > message as I find it quite disheartening that I have had no replies at
> > all even if just to point me somewhere for assistance.
> >
> > ------------------------------------------------------------------------
> > *From:* fedora-directory-users-bounces at redhat.com
> > [mailto:fedora-directory-users-bounces at redhat.com] *On Behalf Of
> > *Paxton, Darren
> > *Sent:* 30 November 2006 08:46
> > *To:* General discussion list for the Fedora Directory server project.
> > *Subject:* RE: [Fedora-directory-users] Extracting details from
> > ActiveDirectoryto FDS
> >
> > Hi
> >
> > Has anyone had any thoughts on my query or can point me in the right
> > direction?
> >
> > As is the nature of AD, I would have thought it is possible to extract
> > this information using a scope setting or something similar.
> >
> > Thanks
> >
> > Darren
> >
> > ------------------------------------------------------------------------
> > *From:* fedora-directory-users-bounces at redhat.com
> > [mailto:fedora-directory-users-bounces at redhat.com] *On Behalf Of
> > *Paxton, Darren
> > *Sent:* 24 November 2006 14:56
> > *To:* fedora-directory-users at redhat.com
> > *Subject:* [Fedora-directory-users] Extracting details from Active
> > Directoryto FDS
> >
> > Hi all,
> >
> > I've been tinkering with integrating our Linux devices into our AD
> > domain for some time and I've hit a few brick walls; however, I've
> > recently discovered FDS and the synchronisation features with AD.
> >
> > I've managed to set up a few replication jobs; however, due to the
> > extensive nature of our AD, I've realised that the sync only takes
> > the group and user objects from the OU or CN being specified.
> >
> > Is there any way I can specify that it should traverse all
> > subtrees of an OU and extract all that information back into FDS?
> >
> > Thanks
> >
> > Darren
> >
> > --
> > Darren Paxton
> > EMEA Tier2
> > Red Hat Certified Engineer
> > VMware Certified Professional
> > MGTI Centralised ops
> >
> > ------------------------------------------------------------------------
> >
> > --
> > Fedora-directory-users mailing list
> > Fedora-directory-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
> ------------------------------
>
> Message: 8
> Date: Fri, 01 Dec 2006 16:45:28 +0100
> From: koniczynek
> Subject: Re: [Fedora-directory-users] Memory usage
> To: "General discussion list for the Fedora Directory server project."
> Message-ID: <45704E18.3070705 at uaznia.net>
> Content-Type: text/plain; charset=ISO-8859-2; format=flowed
>
> Richard Megginson wrote:
> > This is an excellent cache/memory tuning document from a Sun employee,
> > primarily targeted to Sun DS users, but almost all of the information is
> > relevant to Fedora DS (since they share a common lineage).
> >
> > http://www.directorymanager.org/blogs/ds_cache_sizing.pdf
>
> Let's say I haven't got much time lately, so without thinking I've changed
> nsslapd-import-cache-autosize in dse.ldif from -1 to 1, and after restarting I've
> started to receive errors like "3 Time limit exceeded". Does someone know
> what to do? ;)
>
> --
> xmpp/email: koniczynek at uaznia.net
> xmpp/email: koniczynek at gmail.com
>
> ------------------------------
>
> Message: 9
> Date: Fri, 01 Dec 2006 09:15:14 -0700
> From: David Boreham
> Subject: Re: [Fedora-directory-users] Memory usage
> To: "General discussion list for the Fedora Directory server project."
> Message-ID: <45705512.4070808 at boreham.org>
> Content-Type: text/plain; charset=ISO-8859-2; format=flowed
>
> koniczynek wrote:
> > Richard Megginson wrote:
> >> This is an excellent cache/memory tuning document from a Sun
> >> employee, primarily targeted to Sun DS users, but almost all of the
> >> information is relevant to Fedora DS (since they share a common
> >> lineage).
> >>
> >> http://www.directorymanager.org/blogs/ds_cache_sizing.pdf
> >
> > Let's say I haven't got much time lately, so without thinking I've
> > changed nsslapd-import-cache-autosize in dse.ldif from -1 to 1, and after restarting I've
> > started to receive errors like "3 Time limit exceeded". Does someone
> > know what to do? ;)
>
> Change it back?
>
> ------------------------------
>
> Message: 10
> Date: Fri, 01 Dec 2006 17:53:22 +0100
> From: koniczynek
> Subject: Re: [Fedora-directory-users] Memory usage
> To: "General discussion list for the Fedora Directory server project."
> Message-ID: <45705E02.7020709 at uaznia.net>
> Content-Type: text/plain; charset=ISO-8859-2
>
> David Boreham, on 2006-12-01 17:15, wrote:
> >> Let's say I haven't got much time lately, so without thinking I've
> >> changed nsslapd-import-cache-autosize in dse.ldif from -1 to 1, and after restarting I've
> >> started to receive errors like "3 Time limit exceeded". Does someone
> >> know what to do? ;)
> > Change it back?
>
> Man, please, show some respect ;) I did change it back, but to no avail.
> Also I can say (to stop further questions): yes, I stopped the server
> before the change.
>
> --
> email/xmpp: koniczynek at uaznia.net
>
> ------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>
> End of Fedora-directory-users Digest, Vol 19, Issue 1
> *****************************************************
From rmeggins at redhat.com Fri Dec 1 19:55:24 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 01 Dec 2006 12:55:24 -0700
Subject: [Fedora-directory-users] RE: Fedora-directory-users Digest, Vol 19, Issue 1
In-Reply-To:
References:
Message-ID: <457088AC.1030004@redhat.com>

t b wrote:
> My logs seem to indicate that the connection is being encrypted; I can
> ssh to a client server and get the password prompt, but when I enter
> the password it just returns me to the password prompt again.
>
> [01/Dec/2006:19:47:44 -0500] conn=650 fd=69 slot=69 connection from xxx.xxx.xxx.xxx to xxx.xxx.xxx.xxx
> [01/Dec/2006:19:47:44 -0500] conn=650 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
> [01/Dec/2006:19:47:44 -0500] conn=650 op=0 RESULT err=0 tag=120 nentries=0 etime=0
> [01/Dec/2006:19:47:44 -0500] conn=650 SSL 256-bit AES
All of this means the client was able to successfully perform the startTLS
extended operation and start using SSL.
> [01/Dec/2006:19:47:44 -0500] conn=650 op=1 UNBIND
> [01/Dec/2006:19:47:44 -0500] conn=650 op=1 fd=69 closed - U1
The UNBIND means the client had a problem and closed the connection. Does
the client print any errors? Are there any messages in the server error log?
>
> If I disable TLS everything works fine: the client server can query
> the FDS and auth the client properly.
>
> I am not sure if the problem has to do with the pam_ldap config not being properly
> formatted or the cert file not being in the proper format.
>
> Does anyone have an example of what the pam_ldap config should look
> like? Or suggestions on checking whether the cert file is in the proper
> format?
I'm not sure. PAM needs the CA cert of the CA that issued the directory
server's server cert. See http://directory.fedora.redhat.com/wiki/Howto:SSL
for more information.
>
> Also, what's the UNBIND shown in the logs?
>
> Thanks
>
>> From: fedora-directory-users-request at redhat.com
>> Reply-To: fedora-directory-users at redhat.com
>> To: fedora-directory-users at redhat.com
>> Subject: Fedora-directory-users Digest, Vol 19, Issue 1
>> Date: Fri, 1 Dec 2006 12:00:06 -0500 (EST)
>>
>> End of Fedora-directory-users Digest, Vol 19, Issue 1
>> *****************************************************
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
From tngan at redhat.com Fri Dec 1 23:23:28 2006
From: tngan at redhat.com (To Ngan)
Date: Fri, 01 Dec 2006 15:23:28 -0800
Subject: [Fedora-directory-users] AD + FDS sync stops working?
In-Reply-To: <200611301521.kAUFLUk8012823@mail.teleformix.com>
References: <200611301521.kAUFLUk8012823@mail.teleformix.com>
Message-ID: <4570B970.3070901@redhat.com>

Dan Oglesby wrote:
> I tried the following:
>
> In the Windows registry -> HKLM -> Software -> PasswordSync, try adding the string value "Log
> Level" and setting it to "1". Restart the passsync service. This should log
> all transactions and errors. Turn this back to "0" and restart passsync
> after troubleshooting.
>
> All I see in the log is this:
>
> 11/30/06 09:12:58: begin log
> 11/30/06 09:12:59: 0 new entries loaded from file
> 11/30/06 09:14:20: 0 new entries loaded from file
> 11/30/06 09:14:20: 0 entries saved to file
> 11/30/06 09:14:20: end log
> 11/30/06 09:14:22: begin log
> 11/30/06 09:14:22: 0 new entries loaded from file
>
> That's after restarting the passsync service twice, and changing a user's
> password in AD four times.
>
Hmm... two Windows syncs stopped working together after 6 months. Has any cert on the AD or DS side expired?

--
toto
From koniczynek at uaznia.net Sat Dec 2 08:28:17 2006
From: koniczynek at uaznia.net (koniczynek)
Date: Sat, 02 Dec 2006 09:28:17 +0100
Subject: [Fedora-directory-users] Memory usage
In-Reply-To: <45705FB5.8090104@redhat.com>
References: <456E97F7.2050604@uaznia.net> <456EFCAC.7010207@redhat.com> <45704E18.3070705@uaznia.net> <45705512.4070808@boreham.org> <45705E02.7020709@uaznia.net> <45705FB5.8090104@redhat.com>
Message-ID: <45713921.1080009@uaznia.net>

Richard Megginson, on 2006-12-01 18:00, wrote:
>> Man, please, show some respect ;) I did change it back, but to no avail.
>> Also I can say (to stop further questions): yes, I stopped the server
>> before the change.
>>
> What types of searches are returning time limit exceeded? Can you post
> relevant excerpts from the access and error logs?

I'm "benchmarking" my FDS with "ldapsearch -x"; earlier it worked and now it
does not. In the error logs there was "err=3" but I don't remember much more,
and I'll have access to the logs on Monday, so till then I can provide only
this information (because I do not remember anything more ;) )

--
email/xmpp: koniczynek at uaznia.net

From ankur_agwal at yahoo.com Sat Dec 2 18:01:51 2006
From: ankur_agwal at yahoo.com (Ankur Agarwal)
Date: Sat, 2 Dec 2006 10:01:51 -0800 (PST)
Subject: [Fedora-directory-users] Which is better - attribute of type dn or multivalued attribute?
Message-ID: <769884.80041.qm@web54111.mail.yahoo.com>

Hi,

In our schema we need to have users who will belong to multiple groups. These
groups are independent groups and do not have any parent-child relationship.
So while defining the ObjectClass for my user I have two options:

1) Have an attribute called isMemberOf and make it of type distinguishedName.
This will be a list of all groups to which a user belongs.

2) Have a multivalued attribute, groupName.

Which option makes more sense?
Assume the functionalities that i need to support are: 1) Search all users belonging to a group 2) edit a user to add/remove a group from profile 3) Delete all the users belonging to a group regards, Ankur --------------------------------- Cheap Talk? Check out Yahoo! Messenger's low PC-to-Phone call rates. -------------- next part -------------- An HTML attachment was scrubbed... URL: From patrick.morris at hp.com Sat Dec 2 19:22:56 2006 From: patrick.morris at hp.com (Morris, Patrick) Date: Sat, 2 Dec 2006 14:22:56 -0500 Subject: [Fedora-directory-users] Which is better - attribute of type dn ormultivalued attribute? In-Reply-To: <769884.80041.qm@web54111.mail.yahoo.com> Message-ID: > In our schema we need to have users who will belong to > multiple groups. These groups are independent groups and do > not have any parent child relationship. So while defining the > ObjectClass for my user i have two options: > > 1) Have an attribute called - isMemberOf and make it of type > distinguishedName. This will be a list of all groups to which > a user belongs. > > 2) Have a multivalued attribute - groupName. > > which option makes more sense. Assume the functionalities > that i need to support are: > 1) Search all users belonging to a group > 2) edit a user to add/remove a group from profile > 3) Delete all the users belonging to a group That's really totally up to you, and what makes sense for you and the apps your LDAP server needs to support. Either way has pros and cons, and you'll need to weigh those and figure out which one works best in your particular situation. 
From rmeggins at redhat.com Sun Dec 3 00:12:17 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Sat, 02 Dec 2006 19:12:17 -0500
Subject: [Fedora-directory-users] Memory usage
In-Reply-To: <45713921.1080009@uaznia.net>
References: <456E97F7.2050604@uaznia.net> <456EFCAC.7010207@redhat.com> <45704E18.3070705@uaznia.net> <45705512.4070808@boreham.org> <45705E02.7020709@uaznia.net> <45705FB5.8090104@redhat.com> <45713921.1080009@uaznia.net>
Message-ID: <45721661.1090908@redhat.com>

koniczynek wrote:
> Richard Megginson, on 2006-12-01 18:00 wrote:
>
>>> man, please, show some respect ;) I did change it back, but to no avail.
>>> Also I can say (to stop further questions): yes, I've stopped the server
>>> before change.
>>>
>> What types of searches are returning time limit exceeded? Can you post
>> relevant excerpts from the access and error logs?
>>
> I'm "benchmarking" my FDS with "ldapsearch -x" and earlier it worked and
> now it does not. In error logs there were "err=3" but I don't remember
> much more and I'll have access to the logs on Monday, so till then I can
> provide only this information (because I do not remember anything more ;) )
>
Then I'm really surprised you didn't get this error before. You're doing a subtree search of all records as anonymous. If you have more than a few thousand records, this will always give a size limit or admin limit exceeded error.

From rmeggins at redhat.com Sun Dec 3 01:03:28 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Sat, 02 Dec 2006 20:03:28 -0500
Subject: [Fedora-directory-users] Which is better - attribute of type dn or multivalued attribute?
In-Reply-To: <769884.80041.qm@web54111.mail.yahoo.com>
References: <769884.80041.qm@web54111.mail.yahoo.com>
Message-ID: <45722260.7000402@redhat.com>

Ankur Agarwal wrote:
> Hi,
>
> In our schema we need to have users who will belong to multiple
> groups. These groups are independent groups and do not have any parent
> child relationship. So while defining the ObjectClass for my user i
> have two options:
>
> 1) Have an attribute called - isMemberOf and make it of type
> distinguishedName. This will be a list of all groups to which a user
> belongs.
>
> 2) Have a multivalued attribute - groupName.
>
> which option makes more sense. Assume the functionalities that i need
> to support are:
> 1) Search all users belonging to a group
> 2) edit a user to add/remove a group from profile
> 3) Delete all the users belonging to a group
Check out the Roles feature - http://www.redhat.com/docs/manuals/dir-server/ag/7.1/roles.html#1115402
>
> regards,
> Ankur
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From koniczynek at uaznia.net Sun Dec 3 20:30:58 2006
From: koniczynek at uaznia.net (koniczynek)
Date: Sun, 03 Dec 2006 21:30:58 +0100
Subject: [Fedora-directory-users] Memory usage
In-Reply-To: <45721661.1090908@redhat.com>
References: <456E97F7.2050604@uaznia.net> <456EFCAC.7010207@redhat.com> <45704E18.3070705@uaznia.net> <45705512.4070808@boreham.org> <45705E02.7020709@uaznia.net> <45705FB5.8090104@redhat.com> <45713921.1080009@uaznia.net> <45721661.1090908@redhat.com>
Message-ID: <45733402.4030404@uaznia.net>

Richard Megginson, on 2006-12-03 01:12 wrote:
> Then I'm really surprised you didn't get this error before. You're
> doing a subtree search of all records as anonymous. If you have more
> than a few thousand records, this will always give a size limit or admin
> limit exceeded error.
Yes, and I got error 11 earlier (size limit exceeded - my ldif file is 4MiB big ;) ) but I changed the limits and everything worked fine until I changed this "nsslapd-import-cache-autosize".
-- 
email/xmpp: koniczynek at uaznia.net

From tchen_pat at yahoo.fr Sun Dec 3 21:52:21 2006
From: tchen_pat at yahoo.fr (patrick ndjientcheu ngandjui)
Date: Sun, 3 Dec 2006 22:52:21 +0100 (CET)
Subject: [Fedora-directory-users] access permissions
Message-ID: <389763.60785.qm@web25807.mail.ukl.yahoo.com>

hi,
I want to give a permission to a user so that he can create, in the entry he belongs to (say ou=SalesDept,ou=Employee,ou=example,ou=com), entries which are an instance of a particular object class, say ExamplePerson. But he must not have the right to modify or delete entries he has created. How can I resolve this problem?
Thanks.

From koniczynek at uaznia.net Mon Dec 4 08:28:09 2006
From: koniczynek at uaznia.net (koniczynek)
Date: Mon, 04 Dec 2006 09:28:09 +0100
Subject: [Fedora-directory-users] Memory usage
In-Reply-To: <45733402.4030404@uaznia.net>
References: <456E97F7.2050604@uaznia.net> <456EFCAC.7010207@redhat.com> <45704E18.3070705@uaznia.net> <45705512.4070808@boreham.org> <45705E02.7020709@uaznia.net> <45705FB5.8090104@redhat.com> <45713921.1080009@uaznia.net> <45721661.1090908@redhat.com> <45733402.4030404@uaznia.net>
Message-ID: <4573DC19.4030308@uaznia.net>

koniczynek wrote:
> Richard Megginson, on 2006-12-03 01:12 wrote:
>> Then I'm really surprised you didn't get this error before. You're
>> doing a subtree search of all records as anonymous. If you have more
>> than a few thousand records, this will always give a size limit or admin
>> limit exceeded error.
> Yes, and I got error 11 earlier (size limit exceeded - my ldif file
> is 4MiB big ;) ) but I changed the limits and everything worked fine
> until I changed this "nsslapd-import-cache-autosize".
Ok, I've located the problem: on one of my test machines (machines which queried ldap to generate load and test performance) there was a timeout set (5 secs) in the ldap.conf file. I don't know why it worked earlier, but this is the problem (not the change of the attribute value).
-- 
xmpp/email: koniczynek at uaznia.net
xmpp/email: koniczynek at gmail.com

From clayton at bundaberg.qld.gov.au Mon Dec 4 09:09:52 2006
From: clayton at bundaberg.qld.gov.au (Clayton Rogers)
Date: Mon, 04 Dec 2006 19:09:52 +1000
Subject: [Fedora-directory-users] Upgrade from 1.0.1 to 1.0.4 problems (admserver10.jar not found)
Message-ID: <4573E5E0.2050805@bundaberg.qld.gov.au>

An HTML attachment was scrubbed...

From tchen_pat at yahoo.fr Mon Dec 4 09:35:56 2006
From: tchen_pat at yahoo.fr (patrick ndjientcheu ngandjui)
Date: Mon, 4 Dec 2006 10:35:56 +0100 (CET)
Subject: [Fedora-directory-users] store image or path to the image
Message-ID: <20061204093556.11930.qmail@web25813.mail.ukl.yahoo.com>

hi,
I would like to store photos of people in my directory. But I don't know if it is better to store the binary image or just the path to the image. If the first option is the better choice, which type should I choose for the photo attribute?
Thanks.
URL: From claytonr at bundaberg.qld.gov.au Mon Dec 4 02:43:59 2006 From: claytonr at bundaberg.qld.gov.au (Clayton Rogers) Date: Mon, 04 Dec 2006 12:43:59 +1000 Subject: [Fedora-directory-users] Upgrade from 1.0.1 to 1.0.4 problems (admserver10.jar not found) Message-ID: <45738B6F.5030600@bundaberg.qld.gov.au> Hi all, I just ran an rpm -Uvh fedora-ds-1.0.4-1.RHEL4.i386.opt.rpm on an existing 1.0.1 installation. Everything worked fine except for the Fedora Administration console comes up with the following error when I click on Administration Server:- * Installing Server Components * Downloading admserver10.jar * Failed to install a local copy of admserv10.jar or one of its support files: * admserv10.jar not found at http://server.domain:51211/ Any help greatly appreciated. Cheers -- Clayton Rogers Systems Administrator Bundaberg City Council Phone: (07) 41539236 Fax: (07) 41529155 -------------- next part -------------- An HTML attachment was scrubbed... URL: From doglesby at teleformix.com Mon Dec 4 14:55:01 2006 From: doglesby at teleformix.com (Dan Oglesby) Date: Mon, 4 Dec 2006 08:55:01 -0600 Subject: [Fedora-directory-users] AD + FDS sync stops working? In-Reply-To: <4570B970.3070901@redhat.com> Message-ID: <200612041455.kB4Et30l026109@mail.teleformix.com> -----Original Message----- From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of To Ngan Sent: Friday, December 01, 2006 5:23 PM To: General discussion list for the Fedora Directory server project. Subject: Re: [Fedora-directory-users] AD + FDS sync stops working? Dan Oglesby wrote: > I tried the following: > > In windows registry->HKLM->Software->PasswordSync, try add string value "Log > Level" and set it to "1". Restart the passsync service. This should log > all transactions and errors. Turn this back to "0" and restart passsync > after troubleshooting. 
> > All I see in the log is this: > > 11/30/06 09:12:58: begin log > 11/30/06 09:12:59: 0 new entries loaded from file > 11/30/06 09:14:20: 0 new entries loaded from file > 11/30/06 09:14:20: 0 entries saved to file > 11/30/06 09:14:20: end log > 11/30/06 09:14:22: begin log > 11/30/06 09:14:22: 0 new entries loaded from file > > That's after restarting the passsync service twice, and changing a user's > password in AD four times. > Hmm... 2 Windows sync stopped working together after 6 months. Any cert on AD or DS side expired? -- toto >From what I remember, the certs were created with a ten year lifespan. I'll check into that, though... the one place I haven't really poked at yet. --Dan From mxheadroom at hotmail.com Mon Dec 4 15:47:19 2006 From: mxheadroom at hotmail.com (t b) Date: Mon, 04 Dec 2006 10:47:19 -0500 Subject: [Fedora-directory-users] RE: Fedora-directory-users Digest, Vol 19, Issue 3 Message-ID: >From: fedora-directory-users-request at redhat.com >Reply-To: fedora-directory-users at redhat.com >To: fedora-directory-users at redhat.com >Subject: Fedora-directory-users Digest, Vol 19, Issue 3 >Date: Sat, 2 Dec 2006 12:00:05 -0500 (EST) > >Send Fedora-directory-users mailing list submissions to > fedora-directory-users at redhat.com > >To subscribe or unsubscribe via the World Wide Web, visit > https://www.redhat.com/mailman/listinfo/fedora-directory-users >or, via email, send a message with subject or body 'help' to > fedora-directory-users-request at redhat.com > >You can reach the person managing the list at > fedora-directory-users-owner at redhat.com > >When replying, please edit your Subject line so it is more specific >than "Re: Contents of Fedora-directory-users digest..." > > >Today's Topics: > > 1. Re: RE: Fedora-directory-users Digest, Vol 19, Issue 1 > (Richard Megginson) > 2. Re: AD + FDS sync stops working? (To Ngan) > 3. 
Re: Memory usage (koniczynek) > > >---------------------------------------------------------------------- > >Message: 1 >Date: Fri, 01 Dec 2006 12:55:24 -0700 >From: Richard Megginson >Subject: Re: [Fedora-directory-users] RE: Fedora-directory-users > Digest, Vol 19, Issue 1 >To: "General discussion list for the Fedora Directory server project." > >Message-ID: <457088AC.1030004 at redhat.com> >Content-Type: text/plain; charset="iso-8859-1" > >t b wrote: > > My logs seem to indicate that the connection is being encrypted; I can > > ssh to a client server and get the password prompt, but when I enter > > the password it just returns me to the password prompt again > > > > [01/Dec/2006:19:47:44 -0500] conn=650 fd=69 slot=69 connection from > > xxx.xxx.xxx.xxx to xxx.xxx.xxx.xxx > > [01/Dec/2006:19:47:44 -0500] conn=650 op=0 EXT > > oid="1.3.6.1.4.1.1466.20037" name="startTLS" > > [01/Dec/2006:19:47:44 -0500] conn=650 op=0 RESULT err=0 tag=120 > > nentries=0 etime=0 > > [01/Dec/2006:19:47:44 -0500] conn=650 SSL 256-bit AES >All of this means the client was able to successfully perform the >startTLS extended operation and start using SSL. > > [01/Dec/2006:19:47:44 -0500] conn=650 op=1 UNBIND > > [01/Dec/2006:19:47:44 -0500] conn=650 op=1 fd=69 closed - U1 >The UNBIND means the client had a problem and closed the connection. >Does the client print any errors? Are there any messages in the server >error log? On the client server it show, sshd[24149]: Failed password for invalid user xxxxx from xxx.xxx.xxx.xxx port xxx ssh2 > > > > If I disable TLS everything works fine, the client server can query > > the FDS and auth the client properly > > > > I am not sure if the problem has to do with the pam_ldap not properly > > formatted or the cert file not in proper format > > > > Does anyone have an example of what the pam_ldap config should look > > like? or suggestions on checking whether the cert file is in proper > > format >I'm not sure. 
PAM needs the ca cert of the CA that issued the directory >server server cert. See >http://directory.fedora.redhat.com/wiki/Howto:SSL for more information. > > That was the info I used to do the SSL setup, but I only see a part of the log output they indicated, Their logs, [18/Jul/2005:20:33:36 -0400] conn=4 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS" [18/Jul/2005:20:33:36 -0400] conn=4 op=0 RESULT err=0 tag=120 nentries=0 etime=0 [18/Jul/2005:20:33:36 -0400] conn=4 SSL 256-bit AES [18/Jul/2005:20:33:36 -0400] conn=4 op=1 BIND dn="" method=128 version=3 [18/Jul/2005:20:33:36 -0400] conn=4 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="" [18/Jul/2005:20:33:36 -0400] conn=4 op=2 SRCH base="dc=example,dc=com" scope=2 filter="(uid=testuser)" attrs=ALL My Logs, [04/Dec/2006:14:35:52 -0500] conn=757 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS" [04/Dec/2006:14:35:52 -0500] conn=757 op=0 RESULT err=0 tag=120 nentries=0 etime=0 [04/Dec/2006:14:35:52 -0500] conn=757 SSL 256-bit AES [04/Dec/2006:14:35:52 -0500] conn=757 op=1 UNBIND [04/Dec/2006:14:35:52 -0500] conn=757 op=1 fd=71 closed - U1 For some reason my setup dies just before querying the FDS to determine user details Do you know of any tests that I can run just on the client server to determine proper confuguration? > > Also what's the UNBIND shown in the logs? 
> > > > Thanks > > > >> From: fedora-directory-users-request at redhat.com > >> Reply-To: fedora-directory-users at redhat.com > >> To: fedora-directory-users at redhat.com > >> Subject: Fedora-directory-users Digest, Vol 19, Issue 1 > >> Date: Fri, 1 Dec 2006 12:00:06 -0500 (EST) > >> > >> Send Fedora-directory-users mailing list submissions to > >> fedora-directory-users at redhat.com > >> > >> To subscribe or unsubscribe via the World Wide Web, visit > >> https://www.redhat.com/mailman/listinfo/fedora-directory-users > >> or, via email, send a message with subject or body 'help' to > >> fedora-directory-users-request at redhat.com > >> > >> You can reach the person managing the list at > >> fedora-directory-users-owner at redhat.com > >> > >> When replying, please edit your Subject line so it is more specific > >> than "Re: Contents of Fedora-directory-users digest..." > >> > >> > >> Today's Topics: > >> > >> 1. pam_ldap with SSL/TLS (t b) > >> 2. RE: pam_ldap with SSL/TLS (Morris, Patrick) > >> 3. Re: pam_ldap with SSL/TLS (Richard Megginson) > >> 4. Problem with SSL console in X in specific circumstances > >> (Philip Kime) > >> 5. FW: [Fedora-directory-users] Extracting details from > >> ActiveDirectoryto FDS (Paxton, Darren) > >> 6. alias in fedora directory server (patrick ndjientcheu ngandjui) > >> 7. Re: FW: [Fedora-directory-users] Extracting details from > >> ActiveDirectoryto FDS (Nicholas Byrne) > >> 8. Re: Memory usage (koniczynek) > >> 9. Re: Memory usage (David Boreham) > >> 10. 
Re: Memory usage (koniczynek) > >> > >> > >> ---------------------------------------------------------------------- > >> > >> Message: 1 > >> Date: Thu, 30 Nov 2006 12:31:50 -0500 > >> From: "t b" > >> Subject: [Fedora-directory-users] pam_ldap with SSL/TLS > >> To: fedora-directory-users at redhat.com > >> Message-ID: > >> Content-Type: text/plain; format=flowed > >> > >> I am trying to setup pam_ldap to use TLS to communicate with the FDS, > >> but > >> having lots of problems doing so; it works if I use the unencrypted > >> way but > >> not if I use ldaps ( port 636 ) > >> > >> I used the instructions at, > >> http://directory.fedora.redhat.com/wiki/Howto:PAM > >> > >> Has anyone gotten PAM to work TLS > >> > >> > >> Thanks > >> > >> _________________________________________________________________ > >> Buy, Load, Play. The new Sympatico / MSN Music Store works seamlessly > >> with > >> Windows Media Player. Just Click PLAY. > >> >http://musicstore.sympatico.msn.ca/content/viewer.aspx?cid=SMS_Sept192006 > >> > >> > >> > >> > >> ------------------------------ > >> > >> Message: 2 > >> Date: Thu, 30 Nov 2006 13:00:56 -0500 > >> From: "Morris, Patrick" > >> Subject: RE: [Fedora-directory-users] pam_ldap with SSL/TLS > >> To: "General discussion list for the Fedora Directory server project." > >> > >> Message-ID: > >> > > >> > >> > >> Content-Type: text/plain; charset="US-ASCII" > >> > >> > I am trying to setup pam_ldap to use TLS to communicate with > >> > the FDS, but having lots of problems doing so; it works if I > >> > use the unencrypted way but not if I use ldaps ( port 636 ) > >> > >> Someone should jump in here and correct me if I'm wrong, but I believe > >> it's normal for TLS connections to happen on the standard LDAP port. > >> You should be able to tell from your logs whether the connection is > >> encrypted or not. 
> >> > >> > >> > >> ------------------------------ > >> > >> Message: 3 > >> Date: Thu, 30 Nov 2006 11:08:08 -0700 > >> From: Richard Megginson > >> Subject: Re: [Fedora-directory-users] pam_ldap with SSL/TLS > >> To: "General discussion list for the Fedora Directory server project." > >> > >> Message-ID: <456F1E08.40601 at redhat.com> > >> Content-Type: text/plain; charset="iso-8859-1" > >> > >> Morris, Patrick wrote: > >> >> I am trying to setup pam_ldap to use TLS to communicate with > >> >> the FDS, but having lots of problems doing so; it works if I > >> >> use the unencrypted way but not if I use ldaps ( port 636 ) > >> >> > >> > > >> > Someone should jump in here and correct me if I'm wrong, but I >believe > >> > it's normal for TLS connections to happen on the standard LDAP port. > >> > You should be able to tell from your logs whether the connection is > >> > encrypted or not. > >> > > >> Yes. The LDAP "preferred" way is to use the startTLS extended >operation > >> which starts a TLS session on the non-secure port. This will be logged > >> in the access log. > >> > -- > >> > Fedora-directory-users mailing list > >> > Fedora-directory-users at redhat.com > >> > https://www.redhat.com/mailman/listinfo/fedora-directory-users > >> > > >> -------------- next part -------------- > >> A non-text attachment was scrubbed... 
> >> Name: smime.p7s > >> Type: application/x-pkcs7-signature > >> Size: 3178 bytes > >> Desc: S/MIME Cryptographic Signature > >> Url : > >> >https://www.redhat.com/archives/fedora-directory-users/attachments/20061130/0634e78a/smime.bin > >> > >> > >> ------------------------------ > >> > >> Message: 4 > >> Date: Thu, 30 Nov 2006 18:02:55 -0800 > >> From: "Philip Kime" > >> Subject: [Fedora-directory-users] Problem with SSL console in X in > >> specific circumstances > >> To: > >> Message-ID: > >> <9C0091F428E697439E7A773FFD083427435BE3 at szexchange.Shopzilla.inc> > >> Content-Type: text/plain; charset="us-ascii" > >> > >> Here's the problem: > >> > >> Running startconsole (SSL) to a remote display on a PC X-server >(xwin32) > >> works fine and requires that my windows home dir on the PC X-server > >> machine has .fedora-console/ containing cert8.db and key3.db, as you'd > >> expect. If I rename this dir, the console hangs at the splash screen. >So > >> far, so good, all makes sense. > >> > >> If I try the same thing to cygwin's X server on same machine or to an X > >> server on a Mac running OSX, startconsole always hangs as if it can't > >> find ~/.fedora-console on the local machine. I've tried copying this >dir > >> to what cygwin/OSX thinks is the user's home dir but no luck. Where > >> should I put the Cert db files under "real" UNIX X to get the SSL > >> console to work? Also tried ~/.mmc as per the docs but I could never >get > >> this to work. > >> > >> PK > >> > >> -- > >> Philip Kime > >> NOPS Systems Architect > >> 310 401 0407 > >> > >> -------------- next part -------------- > >> An HTML attachment was scrubbed... 
> >> URL: > >> >https://www.redhat.com/archives/fedora-directory-users/attachments/20061130/054ecbd6/attachment.html > >> > >> > >> ------------------------------ > >> > >> Message: 5 > >> Date: Fri, 1 Dec 2006 08:04:30 -0000 > >> From: "Paxton, Darren" > >> Subject: FW: [Fedora-directory-users] Extracting details from > >> ActiveDirectoryto FDS > >> To: > >> Message-ID: > >> <52F7C07B119CF4439B7EFBFE0FB3256B027CBD02 at eidwpexms06.mercer.com> > >> Content-Type: text/plain; charset="us-ascii" > >> > >> Skipped content of type multipart/alternative-------------- next part > >> -------------- > >> -- > >> Fedora-directory-users mailing list > >> Fedora-directory-users at redhat.com > >> https://www.redhat.com/mailman/listinfo/fedora-directory-users > >> > >> ------------------------------ > >> > >> Message: 6 > >> Date: Fri, 1 Dec 2006 08:10:42 +0000 (GMT) > >> From: patrick ndjientcheu ngandjui > >> Subject: [Fedora-directory-users] alias in fedora directory server > >> To: Fedora-directory-users at redhat.com > >> Message-ID: <20061201081042.78578.qmail at web25801.mail.ukl.yahoo.com> > >> Content-Type: text/plain; charset="iso-8859-1" > >> > >> Hi, > >> I would like to know how to use alias in fedora directory server.It > >> seems that it is used for point to another entry in the directory,but > >> i don't know how to use this feature.May someone helps me on this > >> issue? I would really appreciate an example. > >> > >> Thanks > >> > >> > >> > >> > >> > >> > >> > >> > >> >___________________________________________________________________________ > >> > >> D?couvrez une nouvelle fa?on d'obtenir des r?ponses ? toutes vos > >> questions ! > >> Profitez des connaissances, des opinions et des exp?riences des > >> internautes sur Yahoo! Questions/R?ponses > >> http://fr.answers.yahoo.com > >> -------------- next part -------------- > >> An HTML attachment was scrubbed... 
> >> URL: > >> >https://www.redhat.com/archives/fedora-directory-users/attachments/20061201/0fa54e4f/attachment.html > >> > >> > >> ------------------------------ > >> > >> Message: 7 > >> Date: Fri, 01 Dec 2006 11:50:13 +0000 > >> From: Nicholas Byrne > >> Subject: Re: FW: [Fedora-directory-users] Extracting details from > >> ActiveDirectoryto FDS > >> To: "General discussion list for the Fedora Directory server project." > >> > >> Message-ID: <457016F5.5030202 at quadriga.com> > >> Content-Type: text/plain; charset=ISO-8859-1; format=flowed > >> > >> Your messages got through - you can confirm by checking the archives - > >> https://www.redhat.com/archives/fedora-directory-users/ > >> > >> I'm a new user as well so i'm afraid i can't answer your question, but > >> if you keep asking i'm sure someone will know! > >> Nick > >> > >> Paxton, Darren wrote: > >> > Apologies for mailing yet again, however either my messages are not > >> > getting through (something I don't believe as I keep getting the post > >> > to the mailing list) - or for some reason, no one is willing to even > >> > acknowledge my issue. > >> > > >> > In the spirit of the community - can someone at least acknowledge a > >> > message as I find it quite disheartening that I have had no replies >at > >> > all even if just to point me somewhere for assistance. > >> > > >> > > >> >------------------------------------------------------------------------ > >> > *From:* fedora-directory-users-bounces at redhat.com > >> > [mailto:fedora-directory-users-bounces at redhat.com] *On Behalf Of > >> > *Paxton, Darren > >> > *Sent:* 30 November 2006 08:46 > >> > *To:* General discussion list for the Fedora Directory server >project. > >> > *Subject:* RE: [Fedora-directory-users] Extracting details from > >> > ActiveDirectoryto FDS > >> > > >> > Hi > >> > > >> > Has anyone had any thoughts on my query or can point me in the right > >> > direction? 
> >> > > >> > As is the nature of AD, I would have thought it is possible to >extract > >> > this information using a scope setting or something similar. > >> > > >> > Thanks > >> > > >> > Darren > >> > > >> > > >> >------------------------------------------------------------------------ > >> > *From:* fedora-directory-users-bounces at redhat.com > >> > [mailto:fedora-directory-users-bounces at redhat.com] *On Behalf Of > >> > *Paxton, Darren > >> > *Sent:* 24 November 2006 14:56 > >> > *To:* fedora-directory-users at redhat.com > >> > *Subject:* [Fedora-directory-users] Extracting details from >Active > >> > Directoryto FDS > >> > > >> > Hi all, > >> > > >> > I've been tinkering with integrating our Linux devices into our >AD > >> > domain for some time and I've hit a few brick walls, however I've > >> > recently discovered FDS and the synchronisation features with AD. > >> > > >> > I've managed to set up a few replication jobs, however due to the > >> > extensive nature of our AD, I've realised that the sync only >takes > >> > the group and user objects from the OU or CN being specified. > >> > > >> > Is there any way I can specify that it should traverse all > >> > subtrees of an OU and extract all that information back into FDS? > >> > > >> > Thanks > >> > > >> > Darren > >> > > >> > -- > >> > Darren Paxton > >> > EMEA Tier2 > >> > Red Hat Certified Engineer > >> > VMware Certified Professional > >> > MGTI Centralised ops > >> > > >> > > >> > This e-mail and any attachments may be confidential or legally > >> > privileged.If you received this message in error or are not the > >> > intended recipient, you should destroy the email message and any > >> > attachments or copies, and you are prohibited from retaining, > >> > distributing, disclosing or using any information contained herein. > >> > Please inform us of the erroneous delivery by return e-mail. Thank >you > >> > for your co-operation. 
> >> > > >> > Mercer Human Resource Consulting Limited is authorised and regulated > >> > by the Financial Services Authority. Registered in England No. >984275. > >> > Registered Office: 1 Tower Place West, Tower Place, London, EC3R 5BU. > >> > > >> > > >> >------------------------------------------------------------------------ > >> > > >> > -- > >> > Fedora-directory-users mailing list > >> > Fedora-directory-users at redhat.com > >> > https://www.redhat.com/mailman/listinfo/fedora-directory-users > >> > > >> > > >> >------------------------------------------------------------------------ > >> > > >> > -- > >> > Fedora-directory-users mailing list > >> > Fedora-directory-users at redhat.com > >> > https://www.redhat.com/mailman/listinfo/fedora-directory-users > >> > > >> > >> > >> > >> This e-mail is the property of Quadriga Worldwide Ltd, intended for > >> the addressee only and confidential. Any dissemination, copying or > >> distribution of this message or any attachments is strictly prohibited. > >> > >> If you have received this message in error, please notify us > >> immediately by replying to the message and deleting it from your > >> computer. > >> > >> Messages sent to and from Quadriga may be monitored. > >> > >> Quadriga cannot guarantee any message delivery method is secure or > >> error-free. Information could be intercepted, corrupted, lost, > >> destroyed, arrive late or incomplete, or contain viruses. > >> > >> We do not accept responsibility for any errors or omissions in this > >> message and/or attachment that arise as a result of transmission. > >> > >> You should carry out your own virus checks before opening any > >> attachment. > >> > >> Any views or opinions presented are solely those of the author and do > >> not necessarily represent those of Quadriga. 
> >> > >> > >> > >> ------------------------------ > >> > >> Message: 8 > >> Date: Fri, 01 Dec 2006 16:45:28 +0100 > >> From: koniczynek > >> Subject: Re: [Fedora-directory-users] Memory usage > >> To: "General discussion list for the Fedora Directory server project." > >> > >> Message-ID: <45704E18.3070705 at uaznia.net> > >> Content-Type: text/plain; charset=ISO-8859-2; format=flowed > >> > >> Richard Megginson napisa?(a): > >> > This is an excellent cache/memory tuning document from a Sun >employee, > >> > primarily targeted to Sun DS users, but almost all of the > >> information is > >> > relevant to Fedora DS (since they share a common lineage). > >> > > >> > http://www.directorymanager.org/blogs/ds_cache_sizing.pdf > >> Lets say I heven't got much time lately so without thinking I've >changed > >> in dse.ldif > >> nsslapd-import-cache-autosize from -1 to 1 and after restarting I've > >> started to receive errors like: "3 Time limit exceeded" Someone do know > >> what to do? ;) > >> > >> -- > >> xmpp/email: koniczynek at uaznia.net > >> xmpp/email: koniczynek at gmail.com > >> > >> > >> > >> ------------------------------ > >> > >> Message: 9 > >> Date: Fri, 01 Dec 2006 09:15:14 -0700 > >> From: David Boreham > >> Subject: Re: [Fedora-directory-users] Memory usage > >> To: "General discussion list for the Fedora Directory server project." > >> > >> Message-ID: <45705512.4070808 at boreham.org> > >> Content-Type: text/plain; charset=ISO-8859-2; format=flowed > >> > >> koniczynek wrote: > >> > >> > Richard Megginson napisa?(a): > >> > > >> >> This is an excellent cache/memory tuning document from a Sun > >> >> employee, primarily targeted to Sun DS users, but almost all of the > >> >> information is relevant to Fedora DS (since they share a common > >> >> lineage). 
> >> >> > >> >> http://www.directorymanager.org/blogs/ds_cache_sizing.pdf > >> > > >> > Lets say I heven't got much time lately so without thinking I've > >> > changed in dse.ldif > >> > nsslapd-import-cache-autosize from -1 to 1 and after restarting I've > >> > started to receive errors like: "3 Time limit exceeded" Someone do > >> > know what to do? ;) > >> > > >> Change it back ? > >> > >> > >> > >> > >> > >> ------------------------------ > >> > >> Message: 10 > >> Date: Fri, 01 Dec 2006 17:53:22 +0100 > >> From: koniczynek > >> Subject: Re: [Fedora-directory-users] Memory usage > >> To: "General discussion list for the Fedora Directory server project." > >> > >> Message-ID: <45705E02.7020709 at uaznia.net> > >> Content-Type: text/plain; charset=ISO-8859-2 > >> > >> David Boreham, dnia 2006-12-01 17:15 napisal: > >> >> Lets say I heven't got much time lately so without thinking I've > >> >> changed in dse.ldif > >> >> nsslapd-import-cache-autosize from -1 to 1 and after restarting I've > >> >> started to receive errors like: "3 Time limit exceeded" Someone do > >> >> know what to do? ;) > >> > Change it back ? > >> man, please, show some respect ;) I did change it back, but to no >avail. > >> Also I can say (to stop further questions): yes, I've stopped the >server > >> before change. > >> > >> -- > >> email/xmpp: koniczynek at uaznia.net > >> > >> > >> > >> ------------------------------ > >> > >> -- > >> Fedora-directory-users mailing list > >> Fedora-directory-users at redhat.com > >> https://www.redhat.com/mailman/listinfo/fedora-directory-users > >> > >> > >> End of Fedora-directory-users Digest, Vol 19, Issue 1 > >> ***************************************************** > > > > _________________________________________________________________ > > Off to school, going on a trip, or moving? Windows Live (MSN) > > Messenger lets you stay in touch with friends and family wherever you > > go. Click here to find out how to sign up! 
> >
> > --
> > Fedora-directory-users mailing list
> > Fedora-directory-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
>-------------- next part --------------
>A non-text attachment was scrubbed...
>Name: smime.p7s
>Type: application/x-pkcs7-signature
>Size: 3178 bytes
>Desc: S/MIME Cryptographic Signature
>Url : https://www.redhat.com/archives/fedora-directory-users/attachments/20061201/7d15c5b4/smime.bin
>
>------------------------------
>
>Message: 2
>Date: Fri, 01 Dec 2006 15:23:28 -0800
>From: To Ngan
>Subject: Re: [Fedora-directory-users] AD + FDS sync stops working?
>To: "General discussion list for the Fedora Directory server project."
>
>Message-ID: <4570B970.3070901 at redhat.com>
>Content-Type: text/plain; charset="windows-1252"
>
>Dan Oglesby wrote:
> > I tried the following:
> >
> > In windows registry->HKLM->Software->PasswordSync, try adding a string value
> > "Log Level" and set it to "1". Restart the passsync service. This should log
> > all transactions and errors. Turn this back to "0" and restart passsync
> > after troubleshooting.
> >
> > All I see in the log is this:
> >
> > 11/30/06 09:12:58: begin log
> > 11/30/06 09:12:59: 0 new entries loaded from file
> > 11/30/06 09:14:20: 0 new entries loaded from file
> > 11/30/06 09:14:20: 0 entries saved to file
> > 11/30/06 09:14:20: end log
> > 11/30/06 09:14:22: begin log
> > 11/30/06 09:14:22: 0 new entries loaded from file
> >
> > That's after restarting the passsync service twice, and changing a user's
> > password in AD four times.
> >
>Hmm... 2 Windows sync stopped working together after 6 months. Any cert
>on AD or DS side expired?
>--
>toto
>
>-------------- next part --------------
>A non-text attachment was scrubbed...
>Name: smime.p7s
>Type: application/x-pkcs7-signature
>Size: 3233 bytes
>Desc: S/MIME Cryptographic Signature
>Url : https://www.redhat.com/archives/fedora-directory-users/attachments/20061201/b9f1ea83/smime.bin
>
>------------------------------
>
>Message: 3
>Date: Sat, 02 Dec 2006 09:28:17 +0100
>From: koniczynek
>Subject: Re: [Fedora-directory-users] Memory usage
>To: "General discussion list for the Fedora Directory server project."
>
>Message-ID: <45713921.1080009 at uaznia.net>
>Content-Type: text/plain; charset=ISO-8859-2
>
>Richard Megginson, on 2006-12-01 18:00 wrote:
> >> Man, please, show some respect ;) I did change it back, but to no avail.
> >> Also I can say (to stop further questions): yes, I've stopped the server
> >> before the change.
> >>
> > What types of searches are returning time limit exceeded? Can you post
> > relevant excerpts from the access and error logs?
>I'm "benchmarking" my FDS with "ldapsearch -x" and earlier it worked and
>now it does not. In the error logs there were "err=3" but I don't remember
>much more and I'll have access to the logs on Monday, so till then I can
>provide only this information (because I do not remember anything more ;) )
>
>--
>email/xmpp: koniczynek at uaznia.net
>
>
>------------------------------
>
>--
>Fedora-directory-users mailing list
>Fedora-directory-users at redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>
>End of Fedora-directory-users Digest, Vol 19, Issue 3
>*****************************************************
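Richard's question in the digest above (which searches return time limit exceeded, and what do the log lines look like?) is answered by the access log rather than the error log: Fedora DS logs each search as a SRCH line carrying base, scope and filter, and its outcome as a RESULT line carrying err= and etime= under the same conn= and op= pair. The following is an added example and not something anyone posted in the thread: a POSIX shell/awk function that pairs every RESULT err=3 with the SRCH line it belongs to. The log lines it runs on are constructed here in the access-log format; the /opt/fedora-ds log path in the comment is the 1.0.x layout assumed for the usage line.

```sh
#!/bin/sh
# Added example (not from the thread): pair every "RESULT err=3"
# (timeLimitExceeded) in a Fedora DS access log with the SRCH line of the same
# conn/op, so the timed-out base/scope/filter and the etime are visible together.
# Against a live instance:  timed_out_searches < /opt/fedora-ds/slapd-*/logs/access

timed_out_searches() {
    awk '
    # Access-log lines start with "[timestamp tz] conn=N op=M ...", so $3 is
    # conn=N and $4 is op=M. Remember each SRCH line under that key.
    / SRCH / {
        srch[$3 " " $4] = $0
        next
    }
    # err=3 is LDAP timeLimitExceeded; report the matching SRCH parameters.
    / RESULT / && / err=3 / {
        key = $3 " " $4
        etime = "etime=?"
        for (i = 5; i <= NF; i++) if ($i ~ /^etime=/) etime = $i
        if (key in srch) {
            line = srch[key]
            base = "base=?"; scope = "scope=?"; filter = "filter=?"
            if (match(line, /base="[^"]*"/))   base   = substr(line, RSTART, RLENGTH)
            if (match(line, /scope=[0-9]+/))   scope  = substr(line, RSTART, RLENGTH)
            if (match(line, /filter="[^"]*"/)) filter = substr(line, RSTART, RLENGTH)
            print key, base, scope, filter, etime
            delete srch[key]
        } else {
            # The SRCH line predates the window we were given (log rotation,
            # or a tail that started mid-operation).
            print key, "(no SRCH line seen)", etime
        }
    }'
}

# Constructed sample in the access-log format; not real traffic from the thread.
sample_access_log() {
    cat <<'EOF'
[04/Dec/2006:10:00:01 -0500] conn=12 op=0 BIND dn="" method=128 version=3
[04/Dec/2006:10:00:01 -0500] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[04/Dec/2006:10:00:01 -0500] conn=12 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(objectClass=*)" attrs=ALL
[04/Dec/2006:10:00:31 -0500] conn=12 op=1 RESULT err=3 tag=101 nentries=2000 etime=30
[04/Dec/2006:10:00:32 -0500] conn=13 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=jdoe)" attrs=ALL
[04/Dec/2006:10:00:32 -0500] conn=13 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[04/Dec/2006:10:00:40 -0500] conn=14 op=1 RESULT err=3 tag=101 nentries=0 etime=30
EOF
}

# Demo when run directly: prints the two timed-out searches from the sample.
sample_access_log | timed_out_searches
```

On the constructed sample the subtree search with filter (objectClass=*) is the one that hits the limit, which is what an unindexed or cache-starved full-tree "benchmark" with ldapsearch -x tends to produce, while the indexed (uid=jdoe) lookup returns in 0 seconds. That split, rather than the error log alone, is what tells you whether the cache change or the search itself is the problem.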
From rmeggins at redhat.com Mon Dec 4 14:20:57 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 04 Dec 2006 09:20:57 -0500
Subject: [Fedora-directory-users] Upgrade from 1.0.1 to 1.0.4 problems (admserver10.jar not found)
In-Reply-To: <4573E5E0.2050805@bundaberg.qld.gov.au>
References: <4573E5E0.2050805@bundaberg.qld.gov.au>
Message-ID: <45742EC9.5040206@redhat.com>

Clayton Rogers wrote:
> Hi all,
>
> I just ran an rpm -Uvh fedora-ds-1.0.4-1.RHEL4.i386.opt.rpm on an
> existing 1.0.1 installation. Everything worked fine except that the
> Fedora Administration console comes up with the following error when I
> click on Administration Server:-
>
> * Installing Server Components
> * Downloading admserver10.jar
> * Failed to install a local copy of admserv10.jar or one of its
> support files:
> * admserv10.jar not found at http://server.domain:51211/
>
> Any help greatly appreciated.
Try shutting down the console and removing all .jar files under
$HOME/.fedora-console
>
> Cheers
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Des
c: S/MIME Cryptographic Signature
URL:

From davea at support.kcm.org Mon Dec 4 19:50:56 2006
From: davea at support.kcm.org (Dave Augustus)
Date: Mon, 04 Dec 2006 13:50:56 -0600
Subject: [Fedora-directory-users] Multimaster Replication Behind a Load Balancer
Message-ID: <1165261856.7554.10.camel@kcm40202.kcmhq.org>

Hello All.

I want to have 2 hosts that are setup to do multimaster between themselves.
Because my application only allows for a single server entry, I want to put
both of these behind Linux Virtual Server director, which is a load-balancer
that I use for other services currently. With this configuration, I can have
either LDAP server go down and my application won't break.

The load balancer requires that I tell the LDAP servers to not respond to arp
requests so that the load balancer can. So how can the LDAP servers
communicate with each other for updates? I looked for some information on how
to make the LDAP servers use more than one IP for LDAP but could find no
answer.

Thanks for your time,
Dave

From srigler at marathonoil.com Mon Dec 4 20:03:54 2006
From: srigler at marathonoil.com (Stephen C. Rigler)
Date: Mon, 04 Dec 2006 14:03:54 -0600
Subject: [Fedora-directory-users] Multimaster Replication Behind a Load Balancer
In-Reply-To: <1165261856.7554.10.camel@kcm40202.kcmhq.org>
References: <1165261856.7554.10.camel@kcm40202.kcmhq.org>
Message-ID: <1165262634.18131.43.camel@houuc8>

Dave,

We're still in the early stages of looking at doing this, but we're using
Piranha doing direct-routing as a load balancer.

On the real servers, we have iptables rules that look like this:

-A PREROUTING -d -p tcp -m tcp --dport 389 -j REDIRECT
-A PREROUTING -d -p tcp -m tcp --dport 636 -j REDIRECT

It also becomes necessary to set nsslapd-idletimeout so that you don't end up
with tons of idle connections.

-Steve

On Mon, 2006-12-04 at 13:50 -0600, Dave Augustus wrote:
> Hello All.
>
> I want to have 2 hosts that are setup to do multimaster between
> themselves. Because my application only allows for a single server entry,
> I want to put both of these behind Linux Virtual Server director, which
> is a load-balancer that I use for other services currently. With this
> configuration, I can have either LDAP server go down and my application
> won't break.
>
> The load balancer requires that I tell the LDAP servers to not respond
> to arp requests so that the load balancer can. So how can the LDAP
> servers communicate with each other for updates? I looked for some
> information on how to make the LDAP servers use more than one IP for
> LDAP but could find no answer.
>
> Thanks for your time,
> Dave
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From jeremy.thornhill at motricity.com Mon Dec 4 20:09:43 2006
From: jeremy.thornhill at motricity.com (Jeremy Thornhill)
Date: Mon, 04 Dec 2006 15:09:43 -0500
Subject: [Fedora-directory-users] Trouble upgrading 1.0.2 -> 1.0.4 w/ SSL-enabled configuration directory server
Message-ID:

We have a single supplier / multiple replica setup, using SSL. The supplier is
configured as the "Configuration Directory Server" and clients are configured
accordingly. I attempted to upgrade one of the replicas in accordance with the
release notes (i.e. Upgrade the RPM, restart the server, run
/opt/fedora-ds/setup/setup).

Setup proceeds as expected until the point where the application prompts for
the admin password. This is the text of the dialogue:

> In order to reconfigure your installation, the Configuration Directory
> Administrator password is required. Here is your current information:
>
> Configuration Directory: ldaps://.:636/o=NetscapeRoot
> Configuration Administrator ID: admin
>
> At the prompt, please enter the password for the Configuration Administrator.
>
> Fedora configuration directory server
> administrator ID [admin]:
> Password:

Regardless of what information is entered, the application seems to hang, and
does not display any new information or prompts after this point.
Curious, I tried disabling SSL on the upgraded replica's admin server config by
editing the following files (the information at this url pointed me in the
right direction: http://directory.fedora.redhat.com/wiki/Howto:AdminServerLDAPMgmt):

/opt/fedora-ds/admin-serv/config/adm.conf
/opt/fedora-ds/shared/config/dbswitch.conf

Disabling ssl in these locations and re-running setup resulted in success.
Once the upgrade was complete, I shut the server down and re-enabled ssl -
everything worked swimmingly thereafter.

Now, we've been using ssl successfully for pretty much everything with no issue
(certs all distributed and everything working fine), so I'm not sure why this
is failing. Is this perhaps a bug in setup? Is there something else I need to
be doing to have SSL work for the setup application? It's ultimately not a
huge issue since it can be worked around, but it took a good chunk of time for
me to track down the problem.

Thanks,
Jeremy Thornhill
System administrator
jeremy.thornhill at motricity.com

NOTICE: This e-mail message is for the sole use of the intended recipient(s) and may contain confidential and privileged information of Motricity. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.

From rmeggins at redhat.com Mon Dec 4 18:24:21 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 04 Dec 2006 13:24:21 -0500
Subject: [Fedora-directory-users] Trouble upgrading 1.0.2 -> 1.0.4 w/ SSL-enabled configuration directory server
In-Reply-To:
References:
Message-ID: <457467D5.1030506@redhat.com>

Jeremy Thornhill wrote:
> We have a single supplier / multiple replica setup, using SSL. The supplier
> is configured as the "Configuration Directory Server" and clients are
> configured accordingly. I attempted to upgrade one of the replicas in
> accordance with the release notes (i.e. Upgrade the RPM, restart the server,
> run /opt/fedora-ds/setup/setup).
>
> Setup proceeds as expected until the point where the application prompts for
> the admin password. This is the text of the dialogue:
>
>> In order to reconfigure your installation, the Configuration Directory
>> Administrator password is required. Here is your current information:
>>
>> Configuration Directory: ldaps://.:636/o=NetscapeRoot
>> Configuration Administrator ID: admin
>>
>> At the prompt, please enter the password for the Configuration Administrator.
>>
>> Fedora configuration directory server
>> administrator ID [admin]:
>> Password:
>
> Regardless of what information is entered, the application seems to hang,
> and does not display any new information or prompts after this point.
>
> Curious, I tried disabling SSL on the upgraded replica's admin server config
> by editing the following files (the information at this url pointed me in
> the right direction:
> http://directory.fedora.redhat.com/wiki/Howto:AdminServerLDAPMgmt):
>
> /opt/fedora-ds/admin-serv/config/adm.conf
> /opt/fedora-ds/shared/config/dbswitch.conf
>
> Disabling ssl in these locations and re-running setup resulted in success.
> Once the upgrade was complete, I shut the server down and re-enabled ssl -
> everything worked swimmingly thereafter.
>
> Now, we've been using ssl successfully for pretty much everything with no
> issue (certs all distributed and everything working fine), so I'm not sure
> why this is failing. Is this perhaps a bug in setup?
It sounds like it. setup doesn't like SSL, so it is supposed to disable SSL
in the directory server and admin server in the "pre" section and reenable
SSL in the "post" section.
> Is there something
> else I need to be doing to have SSL work for the setup application? It's
> ultimately not a huge issue since it can be worked around, but it took a
> good chunk of time for me to track down the problem.
>
Take a look at your setup/setup.log file.
> Thanks,
> Jeremy Thornhill
> System administrator
> jeremy.thornhill at motricity.com
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:

From davea at support.kcm.org Mon Dec 4 20:39:12 2006
From: davea at support.kcm.org (Dave Augustus)
Date: Mon, 04 Dec 2006 14:39:12 -0600
Subject: [Fedora-directory-users] Multimaster Replication Behind a Load Balancer
In-Reply-To: <1165262634.18131.43.camel@houuc8>
References: <1165261856.7554.10.camel@kcm40202.kcmhq.org> <1165262634.18131.43.camel@houuc8>
Message-ID: <1165264752.7554.17.camel@kcm40202.kcmhq.org>

piranha = LVS I do believe; maybe some management scripts are different.
I have been using LVS for 5 years now. It works great!

(Help me understand... I am not an iptables guru but I have done some to
get done what I needed to)

your statements:
-A PREROUTING -d -p tcp -m tcp --dport 389 -j REDIRECT
-A PREROUTING -d -p tcp -m tcp --dport 636 -j REDIRECT

Does this mean?
-you are assigning 2 IPs to your LDAP servers, one for loadbalancing and one
for the LDAP server
-any traffic to the VIP is redirected to the IP that you have told the LDAP
server to use

Correct?

On Mon, 2006-12-04 at 14:03 -0600, Stephen C. Rigler wrote:
> Dave,
>
> We're still in the early stages of looking at doing this, but we're
> using Piranha doing direct-routing as a load balancer.
>
> On the real servers, we have iptables rules that look like this:
>
> -A PREROUTING -d -p tcp -m tcp --dport 389 -j REDIRECT
> -A PREROUTING -d -p tcp -m tcp --dport 636 -j REDIRECT
>
> It also becomes necessary to set nsslapd-idletimeout so that you don't
> end up with tons of idle connections.
>
> -Steve
>
> On Mon, 2006-12-04 at 13:50 -0600, Dave Augustus wrote:
> > Hello All.
> >
> > I want to have 2 hosts that are setup to do multimaster between
> > themselves. Because my application only allows for a single server entry,
> > I want to put both of these behind Linux Virtual Server director, which
> > is a load-balancer that I use for other services currently. With this
> > configuration, I can have either LDAP server go down and my application
> > won't break.
> >
> > The load balancer requires that I tell the LDAP servers to not respond
> > to arp requests so that the load balancer can. So how can the LDAP
> > servers communicate with each other for updates? I looked for some
> > information on how to make the LDAP servers use more than one IP for
> > LDAP but could find no answer.
> >
> > Thanks for your time,
> > Dave
> >
> > --
> > Fedora-directory-users mailing list
> > Fedora-directory-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From srigler at marathonoil.com Mon Dec 4 21:00:33 2006
From: srigler at marathonoil.com (Stephen C. Rigler)
Date: Mon, 04 Dec 2006 15:00:33 -0600
Subject: [Fedora-directory-users] Multimaster Replication Behind a Load Balancer
In-Reply-To: <1165264752.7554.17.camel@kcm40202.kcmhq.org>
References: <1165261856.7554.10.camel@kcm40202.kcmhq.org> <1165262634.18131.43.camel@houuc8> <1165264752.7554.17.camel@kcm40202.kcmhq.org>
Message-ID: <1165266033.18131.64.camel@houuc8>

On Mon, 2006-12-04 at 14:39 -0600, Dave Augustus wrote:
> piranha = LVS I do believe; maybe some management scripts are different.
> I have been using LVS for 5 years now. It works great!

Piranha was the easiest thing for me to grab with YUM. I tried looking into
the other packages out there and got worried about the amount of
documentation dedicated to 2.2 kernels.

> (Help me understand... I am not an iptables guru but I have done some to
> get done what I needed to)
>
> your statements:
> -A PREROUTING -d -p tcp -m tcp --dport 389 -j REDIRECT
> -A PREROUTING -d -p tcp -m tcp --dport 636 -j REDIRECT

Small typo, insert "-t nat" at the beginning of both lines.

>
> Does this mean?
> -you are assigning 2 IPs to your LDAP servers, one for loadbalancing
> and one for the LDAP server
> -any traffic to the VIP is redirected to the IP that you have told the LDAP
> server to use
>
> Correct?
>

In my scenario, the real servers are separate from the load balancer. Only
the load balancer is hosting the VIP. I borrowed this method from the
"HOWTO.direct-routing" that came with the Piranha docs. A method that uses
arptables was also documented, but I didn't have much luck with it. I've
pasted what the HOWTO says about iptables below.

-Steve

Setting up the Real Servers, method #2:

Use iptables to tell the real servers to handle the packets.

How it works:

We use an IP tables rule to create a transparent proxy so that a node will
service packets sent to the virtual IP address(es), even though the virtual
IP address does not exist on the system.

Advantages:
* Simple to configure.
* Avoids the LVS "ARP problem" entirely.
Because the virtual IP address(es) only exist on the active LVS director,
there _is_ no ARP problem!

Disadvantages:
* Performance. There is overhead in forwarding/masquerading every packet.
* Impossible to reuse ports. For instance, it is not possible to run two
separate Apache services bound to port 80, because both must bind to
INADDR_ANY instead of the virtual IP addresses.

(1) BACK UP YOUR IPTABLES CONFIGURATION.

(2) On each real server, run the following for every VIP / port / protocol
(TCP, UDP) combination intended to be serviced for that real server:

iptables -t nat -A PREROUTING -p -d \
--dport -j REDIRECT

This will cause the real servers to process packets destined for the VIP
which they are handed.

service iptables save
chkconfig --level 2345 iptables on

The second command will cause the system to reload the arptables
configuration we just made on boot - before the network is started.

From radek at eadresa.cz Mon Dec 4 21:27:28 2006
From: radek at eadresa.cz (Radek Hladik)
Date: Mon, 04 Dec 2006 22:27:28 +0100
Subject: [Fedora-directory-users] ACI Design
Message-ID: <457492C0.6000606@eadresa.cz>

I'm designing a new directory for keeping records about our company
computers, accounts, etc... I would like to have a number of different access
levels like support, management, network technician,... Every entry would
have a multivalued attribute named for example accessclass to determine its
access, and there would be a role for every access level. What is the best
way to implement ACIs like "allow access to every entry with attribute
accessclass=support for every member of role support"? I've found out that
there are 3 options:

1) Create a separate ACI for each access class
2) Create a Macro ACI using something like
roledn = "ldap:///($attr.accessclass),ou=roles,dc=....."
But it seems that this macro expands to accessclass=support,ou=roles,.. and
thus my roles would need to be named using the accessclass attribute instead
of common name...
3) Create an ACI using userattr like this:
userattr = "accessclass#ROLEDN"
but this would require having the complete role RDN in the user's accessclass
attribute.

Which way would you suggest?

Radek

From claytonr at bundaberg.qld.gov.au Mon Dec 4 22:18:58 2006
From: claytonr at bundaberg.qld.gov.au (Clayton Rogers)
Date: Tue, 05 Dec 2006 08:18:58 +1000
Subject: [Fedora-directory-users] Upgrade from 1.0.1 to 1.0.4 problems (admserver10.jar not found)
In-Reply-To: <45742EC9.5040206@redhat.com>
References: <4573E5E0.2050805@bundaberg.qld.gov.au> <45742EC9.5040206@redhat.com>
Message-ID: <45749ED2.6020900@bundaberg.qld.gov.au>

Hi,

Tried that and still no luck. It is still trying to go and download
admserv10.jar.

Any ideas?

Cheers

Richard Megginson wrote:
> Clayton Rogers wrote:
>> Hi all,
>>
>> I just ran an rpm -Uvh fedora-ds-1.0.4-1.RHEL4.i386.opt.rpm on an
>> existing 1.0.1 installation. Everything worked fine except that the
>> Fedora Administration console comes up with the following error when
>> I click on Administration Server:-
>>
>> * Installing Server Components
>> * Downloading admserver10.jar
>> * Failed to install a local copy of admserv10.jar or one of its
>> support files:
>> * admserv10.jar not found at http://server.domain:51211/
>>
>> Any help greatly appreciated.
> Try shutting down the console and removing all .jar files under
> $HOME/.fedora-console
>>
>> Cheers
>> ------------------------------------------------------------------------
>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

--
Clayton Rogers
Systems Administrator
Bundaberg City Council
Phone: (07) 41539236
Fax: (07) 41529155
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rmeggins at redhat.com Mon Dec 4 21:07:30 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 04 Dec 2006 16:07:30 -0500
Subject: [Fedora-directory-users] Upgrade from 1.0.1 to 1.0.4 problems (admserver10.jar not found)
In-Reply-To: <45749ED2.6020900@bundaberg.qld.gov.au>
References: <4573E5E0.2050805@bundaberg.qld.gov.au> <45742EC9.5040206@redhat.com> <45749ED2.6020900@bundaberg.qld.gov.au>
Message-ID: <45748E12.8080808@redhat.com>

Clayton Rogers wrote:
> Hi,
>
> Tried that and still no luck. It is still trying to go and download
> admserv10.jar.
>
> Any ideas?
D'oh! The jar file name changed. You need to tell the console to grab the
new name:
http://directory.fedora.redhat.com/wiki/Install_Guide#Upgrading_from_the_7.1_release
Don't follow these steps exactly. Instead, where it says "replace
admserv70.jar with admserv10.jar" do "replace admserv10.jar with
fedora-admserv-1.0.jar". You don't have to replace the ou and the ds .jar -
they were already updated in fds 1.0.1.
>
> Cheers
>
> Richard Megginson wrote:
>> Clayton Rogers wrote:
>>> Hi all,
>>>
>>> I just ran an rpm -Uvh fedora-ds-1.0.4-1.RHEL4.i386.opt.rpm on an
>>> existing 1.0.1 installation.
>>> Everything worked fine except that the
>>> Fedora Administration console comes up with the following error when
>>> I click on Administration Server:-
>>>
>>> * Installing Server Components
>>> * Downloading admserver10.jar
>>> * Failed to install a local copy of admserv10.jar or one of its
>>> support files:
>>> * admserv10.jar not found at http://server.domain:51211/
>>>
>>> Any help greatly appreciated.
>> Try shutting down the console and removing all .jar files under
>> $HOME/.fedora-console
>>>
>>> Cheers
>>> ------------------------------------------------------------------------
>>>
>>> --
>>> Fedora-directory-users mailing list
>>> Fedora-directory-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>
>> ------------------------------------------------------------------------
>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
>
> --
> Clayton Rogers
> Systems Administrator
> Bundaberg City Council
> Phone: (07) 41539236
> Fax: (07) 41529155
>
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:

From jo.de.troy at gmail.com Tue Dec 5 12:55:08 2006
From: jo.de.troy at gmail.com (Jo De Troy)
Date: Tue, 5 Dec 2006 13:55:08 +0100
Subject: [Fedora-directory-users] insufficient access (50) error
Message-ID:

Hello,

suddenly when I try to change a password for a user via a perl script I get
the error above. Any ideas what could be causing this?
I'm running Fedora DS 1.0.2 on RHEL4.
Thanks in advance,
Jo

From capareci at uol.com.br Tue Dec 5 13:06:33 2006
From: capareci at uol.com.br (Renato Ribeiro da Silva)
Date: Tue, 5 Dec 2006 11:06:33 -0200
Subject: [Fedora-directory-users] insufficient access (50) error
Message-ID:

Hi,

Is the user that binds to the Directory the same one that is trying to change
the password? By default FDS gives the user rights to change his own
password, but maybe the script is binding with another user.

> Hello,
>
> suddenly when I try to change a password for a user via a perl script
> I get the error above. Any ideas what could be causing this?
> I'm running Fedora DS 1.0.2 on RHEL4.
>
> Thanks in advance,
> Jo
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From jo.de.troy at gmail.com Tue Dec 5 13:24:43 2006
From: jo.de.troy at gmail.com (Jo De Troy)
Date: Tue, 5 Dec 2006 14:24:43 +0100
Subject: [Fedora-directory-users] insufficient acces error (50)
Message-ID:

Hi,

I'm using the directory manager, he should have enough permissions. It has
always worked, just now it stopped working.
I even tried adding an ou attribute and I get the message: LDAP server is
unwilling to perform; database is read-only.

Any ideas?

Thanks again,
Jo

From jo.de.troy at gmail.com Tue Dec 5 13:59:29 2006
From: jo.de.troy at gmail.com (Jo De Troy)
Date: Tue, 5 Dec 2006 14:59:29 +0100
Subject: [Fedora-directory-users] insufficient acces error (50)
Message-ID:

Hi,

I've enabled heavy error logging by putting nsslapd-errorlog-level to 128
under cn=config
When I try to change a password of an existing user (even from within the
console) I get
NSACLPlugin - conn=128 op=2 (main): Deny write on entry(uid=jdoe,ou=people,dc=example,dc=com): readonly backend

Where should I be looking? The entry nsslapd-readonly is false.
I have tried restarting the directory server, without result.
Thanks in advance,
Jo

From rmeggins at redhat.com Tue Dec 5 12:00:40 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 05 Dec 2006 07:00:40 -0500
Subject: [Fedora-directory-users] insufficient acces error (50)
In-Reply-To:
References:
Message-ID: <45755F68.5080207@redhat.com>

Jo De Troy wrote:
> Hi,
>
> I've enabled heavy error logging by putting nsslapd-errorlog-level to
> 128 under cn=config
> When I try to change a password of an existing user (even from within
> the console) I get
> NSACLPlugin - conn=128 op=2 (main): Deny write on
> entry(uid=jdoe,ou=people,dc=example,dc=com): readonly backend
>
> Where should I be looking? The entry nsslapd-readonly is false.
> I have tried restarting the directory server, without result.
Something has changed, even something that appears to be unrelated, or
perhaps you tried to configure this server as a replica?
>
> Thanks in advance,
> Jo
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:

From jo.de.troy at gmail.com Tue Dec 5 14:12:49 2006
From: jo.de.troy at gmail.com (Jo De Troy)
Date: Tue, 5 Dec 2006 15:12:49 +0100
Subject: [Fedora-directory-users] insufficient acces error (50)
Message-ID:

Hi Rich,

certainly no replication was set up.
The last thing I could do was disable a user; soon afterwards the helpdesk
tried resetting a password via a perl script and we got this error.
What would be the best and/or quickest way to get back to an operational
directory service?
A restore from a directory backup?
Could I enable more logging to find out what is causing this behavior?
Thanks again,
Jo

From tngan at redhat.com Tue Dec 5 15:14:07 2006
From: tngan at redhat.com (To Ngan)
Date: Tue, 05 Dec 2006 07:14:07 -0800
Subject: [Fedora-directory-users] insufficient acces error (50)
In-Reply-To:
References:
Message-ID: <45758CBF.9000600@redhat.com>

Jo De Troy wrote:
> Hi Rich,
>
> certainly no replication was set up.
> The last thing I could do was disable a user; soon afterwards the
> helpdesk tried resetting a password via a perl script and we got this
> error.
> What would be the best and/or quickest way to get back to an
> operational directory service?
> A restore from a directory backup?
> Could I enable more logging to find out what is causing this behavior?
>
> Thanks again,
> Jo
Search for "nsslapd-readonly" in dse.ldif for your data backend. Is that off
or on?
--
toto
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3233 bytes
Desc: S/MIME Cryptographic Signature
URL:

From jo.de.troy at gmail.com Tue Dec 5 15:26:08 2006
From: jo.de.troy at gmail.com (Jo De Troy)
Date: Tue, 5 Dec 2006 16:26:08 +0100
Subject: [Fedora-directory-users] insufficient acces error (50)
Message-ID:

Hello,

"nsslapd-readonly" on userRoot was on. Very weird, that is.
I changed it back in the interface and it works again.
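The resolution of this thread is worth turning into a check, because the symptom is misleading: nsslapd-readonly under cn=config read off while the per-backend flag on cn=userRoot,cn=ldbm database,cn=plugins,cn=config was on, and the ACL plugin reported that as err=50 insufficient access on the password change ("Deny write ... readonly backend" in the error log) and as err=53 "database is read-only" on the add, which looks like an ACI problem until the flag is inspected. The following is an added example, not part of the thread: a POSIX shell/awk function that lists every backend instance in a dse.ldif whose nsslapd-readonly is on. The dse.ldif fragment it runs on is constructed, and the /opt/fedora-ds path in the usage comment is the 1.0.x layout assumed here.

```sh
#!/bin/sh
# Added example (not from the thread): find every backend instance in a
# Fedora DS dse.ldif whose nsslapd-readonly is "on". The global flag under
# cn=config can be "off" while one backend under
# cn=ldbm database,cn=plugins,cn=config is "on", which is what turns a
# Directory Manager modify into err=50 and an add into err=53.
# Usage: readonly_backends /opt/fedora-ds/slapd-<instance>/config/dse.ldif

readonly_backends() {
    awk '
    # Each logical LDIF line is handled once it is complete.
    function handle(line) {
        if (line == "") { flush(); return }
        if (line ~ /^dn:/) { dn = line; sub(/^dn:[ \t]*/, "", dn); return }
        if (tolower(line) ~ /^nsslapd-readonly:/) {
            ro = tolower(line); sub(/^nsslapd-readonly:[ \t]*/, "", ro)
        }
    }
    # Report an entry only if it is a backend instance and the flag is on.
    function flush() {
        if (dn ~ /,cn=ldbm database,cn=plugins,cn=config$/ && ro == "on") print dn
        dn = ""; ro = ""
    }
    # LDIF folds long values onto continuation lines that start with one
    # space; rejoin them before looking at the attribute.
    /^ /   { buf = buf substr($0, 2); next }
    NR > 1 { handle(buf) }
           { buf = $0 }
    END    { handle(buf); flush() }
    ' "$1"
}

# Constructed dse.ldif fragment (not the poster's file): the dn of userRoot is
# folded across two lines on purpose, and only userRoot is read-only.
sample_dse_ldif() {
    cat <<'EOF'
dn: cn=config
cn: config
nsslapd-readonly: off

dn: cn=ldbm database,cn=plugins,cn=config
cn: ldbm database

dn: cn=userRoot,cn=ldbm database,cn=plugins,
 cn=config
objectClass: nsBackendInstance
cn: userRoot
nsslapd-suffix: dc=example,dc=com
nsslapd-readonly: on

dn: cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: nsBackendInstance
cn: NetscapeRoot
nsslapd-suffix: o=NetscapeRoot
nsslapd-readonly: off
EOF
}

# Demo when run directly: prints only the userRoot backend dn.
scratch=$(mktemp)
sample_dse_ldif > "$scratch"
readonly_backends "$scratch"
rm -f "$scratch"
```

On a running 1.0.x instance the same question can be put to the server with ldapsearch -x -D "cn=Directory Manager" -W -b "cn=ldbm database,cn=plugins,cn=config" "(nsslapd-readonly=on)" dn, and clearing it is a single ldapmodify that replaces nsslapd-readonly with off on the backend entry. Before flipping it back, it is worth finding in the error log what set it, since a backend that silently went read-only is a change somebody or something made, not a permission problem.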
Thanks a million,
Jo

From koippa at gmail.com Tue Dec 5 14:52:58 2006
From: koippa at gmail.com (Kimmo Koivisto)
Date: Tue, 5 Dec 2006 16:52:58 +0200
Subject: [Fedora-directory-users] access permissions
In-Reply-To: <389763.60785.qm@web25807.mail.ukl.yahoo.com>
References: <389763.60785.qm@web25807.mail.ukl.yahoo.com>
Message-ID: <200612051652.58202.koippa@gmail.com>

On Sunday 03 December 2006 23:52, patrick ndjientcheu ngandjui wrote:
> hi,
> I want to give a permission to a user so that he can create, in the
> entry he belongs to (say
> ou=SalesDept,ou=Employee,ou=example,ou=com), entries which are an instance
> of a particular object class, say ExamplePerson. But he must not have the
> right to modify or delete entries he has created.
>
> How can I resolve this problem?
> Thanks.

Hi

I'm not sure, but you might have to add the user to a group and then add
those ACLs to the group or to that user. But I don't know if you can define
that some user X "belongs" to some other entry than the user's own entry.

The console has a quite easy to use interface for the ACLs; there you can
define the entry, attributes (maybe objectclass too) and rights for the user
or group. So, I don't know a direct answer, but if I were you, I would use
the console to make the ACL and test. ACLs can be done without the console
too, but IMHO it is easier to learn and test them from the console.

Best Regards
Kimmo Koivisto

From jo.de.troy at gmail.com Tue Dec 5 16:35:31 2006
From: jo.de.troy at gmail.com (Jo De Troy)
Date: Tue, 5 Dec 2006 17:35:31 +0100
Subject: [Fedora-directory-users] SSH login and pwd expiration message
Message-ID:

Hello,

I've configured a RHEL3 as LDAP client to my FedoraDS 1.0.2 on RHEL4.
When I login via ssh with an LDAP account on the ldapclient I immediately get

You are required to change your password immediately (password aged)
Your password has expired, the session cannot proceed. You must change your
password now and login again!
After that I change the password and login again and I get the same error again.
Any idea what's causing this? Is it an ACL that's preventing some attributes from being updated? Which attributes? If I just for testing delete these attributes I should get rid of this message, shouldn't I?

Thanks in advance,
Jo

From rmeggins at redhat.com Tue Dec 5 15:19:57 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 05 Dec 2006 10:19:57 -0500
Subject: [Fedora-directory-users] RE: Fedora-directory-users Digest, Vol 19, Issue 3
Message-ID: <45758E1D.8090809@redhat.com>

t b wrote:
>> From: fedora-directory-users-request at redhat.com
>> Subject: Fedora-directory-users Digest, Vol 19, Issue 3
>> Date: Sat, 2 Dec 2006 12:00:05 -0500 (EST)
>>
>> Message: 1
>> Date: Fri, 01 Dec 2006 12:55:24 -0700
>> From: Richard Megginson
>> Subject: Re: [Fedora-directory-users] RE: Fedora-directory-users Digest, Vol 19, Issue 1
>> Message-ID: <457088AC.1030004 at redhat.com>
>>
>> t b wrote:
>> > My logs seem to indicate that the connection is being encrypted; I can
>> > ssh to a client server and get the password prompt, but when I enter
>> > the password it just returns me to the password prompt again
>> >
>> > [01/Dec/2006:19:47:44 -0500] conn=650 fd=69 slot=69 connection from
>> > xxx.xxx.xxx.xxx to xxx.xxx.xxx.xxx
>> > [01/Dec/2006:19:47:44 -0500] conn=650 op=0 EXT
>> > oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>> > [01/Dec/2006:19:47:44 -0500] conn=650 op=0 RESULT err=0 tag=120
>> > nentries=0 etime=0
>> > [01/Dec/2006:19:47:44 -0500] conn=650 SSL 256-bit AES
>> All of this means the client was able to successfully perform the
>> startTLS extended operation and start using SSL.
>> > [01/Dec/2006:19:47:44 -0500] conn=650 op=1 UNBIND
>> > [01/Dec/2006:19:47:44 -0500] conn=650 op=1 fd=69 closed - U1
>> The UNBIND means the client had a problem and closed the connection.
>> Does the client print any errors? Are there any messages in the server
>> error log?
>
> On the client server it shows,
>
> sshd[24149]: Failed password for invalid user xxxxx from
> xxx.xxx.xxx.xxx port xxx ssh2
>
>> > If I disable TLS everything works fine, the client server can query
>> > the FDS and auth the client properly
>> >
>> > I am not sure if the problem has to do with the pam_ldap not properly
>> > formatted or the cert file not in proper format
>> >
>> > Does anyone have an example of what the pam_ldap config should look
>> > like? or suggestions on checking whether the cert file is in proper
>> > format
>> I'm not sure. PAM needs the ca cert of the CA that issued the directory
>> server server cert. See
>> http://directory.fedora.redhat.com/wiki/Howto:SSL for more information.
>
> That was the info I used to do the SSL setup, but I only see a part of
> the log output they indicated,
>
> Their logs,
>
> [18/Jul/2005:20:33:36 -0400] conn=4 op=0 EXT
> oid="1.3.6.1.4.1.1466.20037" name="startTLS"
> [18/Jul/2005:20:33:36 -0400] conn=4 op=0 RESULT err=0 tag=120
> nentries=0 etime=0
> [18/Jul/2005:20:33:36 -0400] conn=4 SSL 256-bit AES
> [18/Jul/2005:20:33:36 -0400] conn=4 op=1 BIND dn="" method=128 version=3
> [18/Jul/2005:20:33:36 -0400] conn=4 op=1 RESULT err=0 tag=97
> nentries=0 etime=0 dn=""
> [18/Jul/2005:20:33:36 -0400] conn=4 op=2 SRCH base="dc=example,dc=com"
> scope=2 filter="(uid=testuser)" attrs=ALL
>
> My Logs,
>
> [04/Dec/2006:14:35:52 -0500] conn=757 op=0 EXT
> oid="1.3.6.1.4.1.1466.20037" name="startTLS"
> [04/Dec/2006:14:35:52 -0500] conn=757 op=0 RESULT err=0 tag=120
> nentries=0 etime=0
> [04/Dec/2006:14:35:52 -0500] conn=757 SSL 256-bit AES
> [04/Dec/2006:14:35:52 -0500] conn=757 op=1 UNBIND
> [04/Dec/2006:14:35:52 -0500] conn=757 op=1 fd=71 closed - U1
>
> For some reason my setup dies just before querying the FDS to
> determine user details
>
> Do you know of any tests that I can run just on the client server to
> determine proper configuration?

Firstly, try /usr/bin/ldapsearch to see if you can use startTLS and bind as your user.

>> > Also what's the UNBIND shown in the logs?
>> >
>> > Thanks
>> >
>> >> From: fedora-directory-users-request at redhat.com
>> >> Subject: Fedora-directory-users Digest, Vol 19, Issue 1
>> >> Date: Fri, 1 Dec 2006 12:00:06 -0500 (EST)
>> >>
>> >> Message: 1
>> >> Date: Thu, 30 Nov 2006 12:31:50 -0500
>> >> From: "t b"
>> >> Subject: [Fedora-directory-users] pam_ldap with SSL/TLS
>> >>
>> >> I am trying to setup pam_ldap to use TLS to communicate with the FDS,
>> >> but having lots of problems doing so; it works if I use the unencrypted
>> >> way but not if I use ldaps ( port 636 )
>> >>
>> >> I used the instructions at,
>> >> http://directory.fedora.redhat.com/wiki/Howto:PAM
>> >>
>> >> Has anyone gotten PAM to work with TLS?
>> >>
>> >> Thanks
>> >>
>> >> ------------------------------
>> >>
>> >> Message: 2
>> >> Date: Thu, 30 Nov 2006 13:00:56 -0500
>> >> From: "Morris, Patrick"
>> >> Subject: RE: [Fedora-directory-users] pam_ldap with SSL/TLS
>> >>
>> >> > I am trying to setup pam_ldap to use TLS to communicate with
>> >> > the FDS, but having lots of problems doing so; it works if I
>> >> > use the unencrypted way but not if I use ldaps ( port 636 )
>> >>
>> >> Someone should jump in here and correct me if I'm wrong, but I believe
>> >> it's normal for TLS connections to happen on the standard LDAP port.
>> >> You should be able to tell from your logs whether the connection is
>> >> encrypted or not.
>> >>
>> >> ------------------------------
>> >>
>> >> Message: 3
>> >> Date: Thu, 30 Nov 2006 11:08:08 -0700
>> >> From: Richard Megginson
>> >> Subject: Re: [Fedora-directory-users] pam_ldap with SSL/TLS
>> >> Message-ID: <456F1E08.40601 at redhat.com>
>> >>
>> >> Morris, Patrick wrote:
>> >> > Someone should jump in here and correct me if I'm wrong, but I believe
>> >> > it's normal for TLS connections to happen on the standard LDAP port.
>> >> > You should be able to tell from your logs whether the connection is
>> >> > encrypted or not.
>> >> >
>> >> Yes. The LDAP "preferred" way is to use the startTLS extended operation
>> >> which starts a TLS session on the non-secure port. This will be logged
>> >> in the access log.
>> >>
>> >> ------------------------------
>> >>
>> >> Message: 6
>> >> Date: Fri, 1 Dec 2006 08:10:42 +0000 (GMT)
>> >> From: patrick ndjientcheu ngandjui
>> >> Subject: [Fedora-directory-users] alias in fedora directory server
>> >>
>> >> Hi,
>> >> I would like to know how to use aliases in Fedora Directory Server. It
>> >> seems that it is used to point to another entry in the directory, but
>> >> I don't know how to use this feature. May someone help me on this
>> >> issue? I would really appreciate an example.
>> >>
>> >> Thanks
>> >>
>> >> ------------------------------
>> >>
>> >> Message: 7
>> >> Date: Fri, 01 Dec 2006 11:50:13 +0000
>> >> From: Nicholas Byrne
>> >> Subject: Re: FW: [Fedora-directory-users] Extracting details from ActiveDirectoryto FDS
>> >>
>> >> Your messages got through - you can confirm by checking the archives -
>> >> https://www.redhat.com/archives/fedora-directory-users/
>> >>
>> >> I'm a new user as well so I'm afraid I can't answer your question, but
>> >> if you keep asking I'm sure someone will know!
>> >> Nick
>> >>
>> >> ------------------------------
>> >>
>> >> Message: 8
>> >> Date: Fri, 01 Dec 2006 16:45:28 +0100
>> >> From: koniczynek
>> >> Subject: Re: [Fedora-directory-users] Memory usage
>> >>
>> >> Richard Megginson wrote:
>> >> > This is an excellent cache/memory tuning document from a Sun employee,
>> >> > primarily targeted to Sun DS users, but almost all of the information is
>> >> > relevant to Fedora DS (since they share a common lineage).
>> >> >
>> >> > http://www.directorymanager.org/blogs/ds_cache_sizing.pdf
>> >> Let's say I haven't got much time lately, so without thinking I've changed
>> >> nsslapd-import-cache-autosize in dse.ldif from -1 to 1, and after restarting I've
>> >> started to receive errors like: "3 Time limit exceeded". Does someone know
>> >> what to do? ;)
>> >>
>> >> ------------------------------
>> >>
>> >> Message: 9
>> >> Date: Fri, 01 Dec 2006 09:15:14 -0700
>> >> From: David Boreham
>> >> Subject: Re: [Fedora-directory-users] Memory usage
>> >>
>> >> koniczynek wrote:
>> >> > Let's say I haven't got much time lately, so without thinking I've changed
>> >> > nsslapd-import-cache-autosize in dse.ldif from -1 to 1, and after restarting I've
>> >> > started to receive errors like: "3 Time limit exceeded". Does someone know
>> >> > what to do? ;)
>> >> >
>> >> Change it back ?
>> >>
>> >> ------------------------------
>> >>
>> >> Message: 10
>> >> Date: Fri, 01 Dec 2006 17:53:22 +0100
>> >> From: koniczynek
>> >> Subject: Re: [Fedora-directory-users] Memory usage
>> >>
>> >> David Boreham, on 2006-12-01 17:15 wrote:
>> >> > Change it back ?
>> >> man, please, show some respect ;) I did change it back, but to no avail.
>> >> Also I can say (to stop further questions): yes, I've stopped the server
>> >> before the change.
>> >>
>> >> End of Fedora-directory-users Digest, Vol 19, Issue 1
>>
>> ------------------------------
>>
>> Message: 2
>> Date: Fri, 01 Dec 2006 15:23:28 -0800
>> From: To Ngan
>> Subject: Re: [Fedora-directory-users] AD + FDS sync stops working?
>> Message-ID: <4570B970.3070901 at redhat.com>
>>
>> Dan Oglesby wrote:
>> > I tried the following:
>> >
>> > In windows registry->HKLM->Software->PasswordSync, try add string value "Log
>> > Level" and set it to "1". Restart the passsync service. This should log
>> > all transactions and errors. Turn this back to "0" and restart passsync
>> > after troubleshooting.
>> >
>> > All I see in the log is this:
>> >
>> > 11/30/06 09:12:58: begin log
>> > 11/30/06 09:12:59: 0 new entries loaded from file
>> > 11/30/06 09:14:20: 0 new entries loaded from file
>> > 11/30/06 09:14:20: 0 entries saved to file
>> > 11/30/06 09:14:20: end log
>> > 11/30/06 09:14:22: begin log
>> > 11/30/06 09:14:22: 0 new entries loaded from file
>> >
>> > That's after restarting the passsync service twice, and changing a user's
>> > password in AD four times.
>> >
>> Hmm... 2 Windows sync stopped working together after 6 months. Any cert
>> on AD or DS side expired?
>> --
>> toto
>>
>> ------------------------------
>>
>> Message: 3
>> Date: Sat, 02 Dec 2006 09:28:17 +0100
>> From: koniczynek
>> Subject: Re: [Fedora-directory-users] Memory usage
>> Message-ID: <45713921.1080009 at uaznia.net>
>>
>> Richard Megginson, on 2006-12-01 18:00 wrote:
>> >> man, please, show some respect ;) I did change it back, but to no avail.
>> >> Also I can say (to stop further questions): yes, I've stopped the server
>> >> before the change.
>> >>
>> > What types of searches are returning time limit exceeded? Can you post
>> > relevant excerpts from the access and error logs?
>> I'm "benchmarking" my FDS with "ldapsearch -x" and earlier it worked and
>> now it does not. In the error logs there were "err=3" but I don't remember
>> much more, and I'll have access to the logs on Monday, so till then I
>> can provide only this information (because I do not remember anything
>> more ;) )
>>
>> --
>> email/xmpp: koniczynek at uaznia.net
>>
>> End of Fedora-directory-users Digest, Vol 19, Issue 3

From kylet at panix.com Tue Dec 5 17:28:36 2006
From: kylet at panix.com (Kyle Tucker)
Date: Tue, 5 Dec 2006 12:28:36 -0500 (EST)
Subject: [Fedora-directory-users] SSH login and pwd expiration message
Message-ID: <200612051728.kB5HSap03879@panix1.panix.com>

> I've configured a RHEL3 as LDAP client to my FedoraDS 1.0.2 on RHEL4.
> When I login via ssh with an LDAP account on the ldapclient I immediately get
> You are required to change your password immediately (password aged)
> Your password has expired, the session cannot proceed.
> You must change your password now and login again!
>
> After that I change the password and login again and I get the same error again.
> Any idea what's causing this? Is it an ACL that's preventing some
> attributes from being updated?
Which attributes? If I just for testing > delete these attributes I should get rid of this message, shouldn't I? Assuming you're using shadowAccount attributes for your password expiry, you are seeing just what I saw until "write for self" access was given to users to up the shadowLastChange attribute. Here's how I fixed it in admin console. In Directory tab, select root domain Right click and select "Set Access Permissions" Select "Enable self-write for common attributes" and click on Edit After "userPassword", insert "|| shadowLastChange " and click on OK and again on OK on the parent window. -- - Kyle --------------------------------------------- kylet at panix.com http://www.panix.com/~kylet --------------------------------------------- From srigler at marathonoil.com Tue Dec 5 17:59:04 2006 From: srigler at marathonoil.com (Stephen C. Rigler) Date: Tue, 05 Dec 2006 11:59:04 -0600 Subject: [Fedora-directory-users] SSH login and pwd expiration message In-Reply-To: <200612051728.kB5HSap03879@panix1.panix.com> References: <200612051728.kB5HSap03879@panix1.panix.com> Message-ID: <1165341544.11636.14.camel@houuc8> On Tue, 2006-12-05 at 12:28 -0500, Kyle Tucker wrote: > Assuming you're using shadowAccount attributes for your password expiry, you > are seeing just what I saw until "write for self" access was given to users > to up the shadowLastChange attribute. Here's how I fixed it in admin console. > > In Directory tab, select root domain > > Right click and select "Set Access Permissions" > > Select "Enable self-write for common attributes" and click on Edit > > After "userPassword", insert "|| shadowLastChange " and click on OK and > again on OK on the parent window. The problem we had with using the shadow attributes is that not all platforms honor them (I don't recall seeing Solaris update shadowLastChange). 
You'd also need to remember to update the shadowLastChange attribute
manually if you reset a user's password by some mechanism outside of PAM
(from the Administrator's Console, for example).

-Steve

From koniczynek at uaznia.net Tue Dec 5 18:01:07 2006
From: koniczynek at uaznia.net (koniczynek)
Date: Tue, 05 Dec 2006 19:01:07 +0100
Subject: [Fedora-directory-users] RE: Fedora-directory-users Digest, Vol 19, Issue 3
In-Reply-To: <45758E1D.8090809@redhat.com>
References: <45758E1D.8090809@redhat.com>
Message-ID: <4575B3E3.1040901@uaznia.net>

OMG, please remove necessary information from the post, because now it's
hard to find what you wrote! And this happens in all of your posts ;) so
please, for the clarity and for the future use (mailing list archive) ;)

Richard Megginson, on 2006-12-05 16:19 wrote:
> t b wrote:
>>> From: fedora-directory-users-request at redhat.com
>>> Subject: Fedora-directory-users Digest, Vol 19, Issue 3
>>> Date: Sat, 2 Dec 2006 12:00:05 -0500 (EST)
>>>
>>> Today's Topics:
>>>
>>>    1. Re: RE: Fedora-directory-users Digest, Vol 19, Issue 1 (Richard Megginson)
>>>    2. Re: AD + FDS sync stops working? (To Ngan)
>>>    3. Re: Memory usage (koniczynek)
>>>
>>> ----------------------------------------------------------------------
>>>
>>> Message: 1
>>> Date: Fri, 01 Dec 2006 12:55:24 -0700
>>> From: Richard Megginson
>>> Subject: Re: [Fedora-directory-users] RE: Fedora-directory-users Digest, Vol 19, Issue 1
>>> Message-ID: <457088AC.1030004 at redhat.com>
>>>
>>> t b wrote:
>>> > My logs seem to indicate that the connection is being encrypted; I can
>>> > ssh to a client server and get the password prompt, but when I enter
>>> > the password it just returns me to the password prompt again
>>> >
>>> > [01/Dec/2006:19:47:44 -0500] conn=650 fd=69 slot=69 connection from xxx.xxx.xxx.xxx to xxx.xxx.xxx.xxx
>>> > [01/Dec/2006:19:47:44 -0500] conn=650 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>> > [01/Dec/2006:19:47:44 -0500] conn=650 op=0 RESULT err=0 tag=120 nentries=0 etime=0
>>> > [01/Dec/2006:19:47:44 -0500] conn=650 SSL 256-bit AES
>>> All of this means the client was able to successfully perform the
>>> startTLS extended operation and start using SSL.
>>> > [01/Dec/2006:19:47:44 -0500] conn=650 op=1 UNBIND
>>> > [01/Dec/2006:19:47:44 -0500] conn=650 op=1 fd=69 closed - U1
>>> The UNBIND means the client had a problem and closed the connection.
>>> Does the client print any errors? Are there any messages in the server
>>> error log?
>>
>> On the client server it shows,
>>
>> sshd[24149]: Failed password for invalid user xxxxx from xxx.xxx.xxx.xxx port xxx ssh2
>>
>>> > If I disable TLS everything works fine, the client server can query
>>> > the FDS and auth the client properly
>>> >
>>> > I am not sure if the problem has to do with the pam_ldap not properly
>>> > formatted or the cert file not in proper format
>>> >
>>> > Does anyone have an example of what the pam_ldap config should look
>>> > like? or suggestions on checking whether the cert file is in proper
>>> > format
>>> I'm not sure. PAM needs the ca cert of the CA that issued the directory
>>> server's server cert. See
>>> http://directory.fedora.redhat.com/wiki/Howto:SSL for more information.
>>
>> That was the info I used to do the SSL setup, but I only see a part of
>> the log output they indicated,
>>
>> Their logs,
>>
>> [18/Jul/2005:20:33:36 -0400] conn=4 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>> [18/Jul/2005:20:33:36 -0400] conn=4 op=0 RESULT err=0 tag=120 nentries=0 etime=0
>> [18/Jul/2005:20:33:36 -0400] conn=4 SSL 256-bit AES
>> [18/Jul/2005:20:33:36 -0400] conn=4 op=1 BIND dn="" method=128 version=3
>> [18/Jul/2005:20:33:36 -0400] conn=4 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
>> [18/Jul/2005:20:33:36 -0400] conn=4 op=2 SRCH base="dc=example,dc=com" scope=2 filter="(uid=testuser)" attrs=ALL
>>
>> My Logs,
>>
>> [04/Dec/2006:14:35:52 -0500] conn=757 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>> [04/Dec/2006:14:35:52 -0500] conn=757 op=0 RESULT err=0 tag=120 nentries=0 etime=0
>> [04/Dec/2006:14:35:52 -0500] conn=757 SSL 256-bit AES
>> [04/Dec/2006:14:35:52 -0500] conn=757 op=1 UNBIND
>> [04/Dec/2006:14:35:52 -0500] conn=757 op=1 fd=71 closed - U1
>>
>> For some reason my setup dies just before querying the FDS to
>> determine user details
>>
>> Do you know of any tests that I can run just on the client server to
>> determine proper configuration?
> Firstly, try /usr/bin/ldapsearch to see if you can use startTLS and bind
> as your user.
>>
>>> > Also what's the UNBIND shown in the logs?
>>> >
>>> > Thanks
>>> >
>>> >> From: fedora-directory-users-request at redhat.com
>>> >> Subject: Fedora-directory-users Digest, Vol 19, Issue 1
>>> >> Date: Fri, 1 Dec 2006 12:00:06 -0500 (EST)
>>> >>
>>> >> Today's Topics:
>>> >>
>>> >>    1. pam_ldap with SSL/TLS (t b)
>>> >>    2. RE: pam_ldap with SSL/TLS (Morris, Patrick)
>>> >>    3. Re: pam_ldap with SSL/TLS (Richard Megginson)
>>> >>    4. Problem with SSL console in X in specific circumstances (Philip Kime)
>>> >>    5. FW: [Fedora-directory-users] Extracting details from ActiveDirectoryto FDS (Paxton, Darren)
>>> >>    6. alias in fedora directory server (patrick ndjientcheu ngandjui)
>>> >>    7. Re: FW: [Fedora-directory-users] Extracting details from ActiveDirectoryto FDS (Nicholas Byrne)
>>> >>    8. Re: Memory usage (koniczynek)
>>> >>    9. Re: Memory usage (David Boreham)
>>> >>   10. Re: Memory usage (koniczynek)
>>> >>
>>> ----------------------------------------------------------------------
>>> >>
>>> >> Message: 1
>>> >> Date: Thu, 30 Nov 2006 12:31:50 -0500
>>> >> From: "t b"
>>> >> Subject: [Fedora-directory-users] pam_ldap with SSL/TLS
>>> >>
>>> >> I am trying to setup pam_ldap to use TLS to communicate with the FDS, but
>>> >> having lots of problems doing so; it works if I use the unencrypted way but
>>> >> not if I use ldaps ( port 636 )
>>> >>
>>> >> I used the instructions at,
>>> >> http://directory.fedora.redhat.com/wiki/Howto:PAM
>>> >>
>>> >> Has anyone gotten PAM to work with TLS?
>>> >>
>>> >> Thanks
>>> >>
>>> >> ------------------------------
>>> >>
>>> >> Message: 2
>>> >> Date: Thu, 30 Nov 2006 13:00:56 -0500
>>> >> From: "Morris, Patrick"
>>> >> Subject: RE: [Fedora-directory-users] pam_ldap with SSL/TLS
>>> >>
>>> >> > I am trying to setup pam_ldap to use TLS to communicate with
>>> >> > the FDS, but having lots of problems doing so; it works if I
>>> >> > use the unencrypted way but not if I use ldaps ( port 636 )
>>> >>
>>> >> Someone should jump in here and correct me if I'm wrong, but I believe
>>> >> it's normal for TLS connections to happen on the standard LDAP port.
>>> >> You should be able to tell from your logs whether the connection is
>>> >> encrypted or not.
>>> >>
>>> >> ------------------------------
>>> >>
>>> >> Message: 3
>>> >> Date: Thu, 30 Nov 2006 11:08:08 -0700
>>> >> From: Richard Megginson
>>> >> Subject: Re: [Fedora-directory-users] pam_ldap with SSL/TLS
>>> >> Message-ID: <456F1E08.40601 at redhat.com>
>>> >>
>>> >> Morris, Patrick wrote:
>>> >> >> I am trying to setup pam_ldap to use TLS to communicate with
>>> >> >> the FDS, but having lots of problems doing so; it works if I
>>> >> >> use the unencrypted way but not if I use ldaps ( port 636 )
>>> >> >>
>>> >> >
>>> >> > Someone should jump in here and correct me if I'm wrong, but I believe
>>> >> > it's normal for TLS connections to happen on the standard LDAP port.
>>> >> > You should be able to tell from your logs whether the connection is
>>> >> > encrypted or not.
>>> >> >
>>> >> Yes. The LDAP "preferred" way is to use the startTLS extended operation
>>> >> which starts a TLS session on the non-secure port. This will be logged
>>> >> in the access log.
>>> >> > --
>>> >> > Fedora-directory-users mailing list
>>> >> > Fedora-directory-users at redhat.com
>>> >> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>> >> >
>>> >>
>>> >> ------------------------------
>>> >>
>>> >> Message: 6
>>> >> Date: Fri, 1 Dec 2006 08:10:42 +0000 (GMT)
>>> >> From: patrick ndjientcheu ngandjui
>>> >> Subject: [Fedora-directory-users] alias in fedora directory server
>>> >> Message-ID: <20061201081042.78578.qmail at web25801.mail.ukl.yahoo.com>
>>> >>
>>> >> Hi,
>>> >> I would like to know how to use alias in fedora directory server. It
>>> >> seems that it is used to point to another entry in the directory, but
>>> >> I don't know how to use this feature. Can someone help me on this
>>> >> issue? I would really appreciate an example.
>>> >>
>>> >> Thanks
>>> >>
>>> >> ------------------------------
>>> >>
>>> >> Message: 7
>>> >> Date: Fri, 01 Dec 2006 11:50:13 +0000
>>> >> From: Nicholas Byrne
>>> >> Subject: Re: FW: [Fedora-directory-users] Extracting details from ActiveDirectoryto FDS
>>> >> Message-ID: <457016F5.5030202 at quadriga.com>
>>> >>
>>> >> Your messages got through - you can confirm by checking the archives -
>>> >> https://www.redhat.com/archives/fedora-directory-users/
>>> >>
>>> >> I'm a new user as well so I'm afraid I can't answer your question, but
>>> >> if you keep asking I'm sure someone will know!
>>> >> Nick
>>> >>
>>> >> Paxton, Darren wrote:
>>> >> > Apologies for mailing yet again, however either my messages are not
>>> >> > getting through (something I don't believe as I keep getting the post
>>> >> > to the mailing list) - or for some reason, no one is willing to even
>>> >> > acknowledge my issue.
>>> >> >
>>> >> > In the spirit of the community - can someone at least acknowledge a
>>> >> > message as I find it quite disheartening that I have had no replies at
>>> >> > all even if just to point me somewhere for assistance.
>>> >>
>>> >> ------------------------------
>>> >>
>>> >> Message: 8
>>> >> Date: Fri, 01 Dec 2006 16:45:28 +0100
>>> >> From: koniczynek
>>> >> Subject: Re: [Fedora-directory-users] Memory usage
>>> >> Message-ID: <45704E18.3070705 at uaznia.net>
>>> >>
>>> >> Richard Megginson wrote:
>>> >> > This is an excellent cache/memory tuning document from a Sun employee,
>>> >> > primarily targeted to Sun DS users, but almost all of the information is
>>> >> > relevant to Fedora DS (since they share a common lineage).
>>> >> >
>>> >> > http://www.directorymanager.org/blogs/ds_cache_sizing.pdf
>>> >> Let's say I haven't got much time lately so without thinking I've changed
>>> >> in dse.ldif nsslapd-import-cache-autosize from -1 to 1 and after restarting
>>> >> I've started to receive errors like: "3 Time limit exceeded". Does someone
>>> >> know what to do? ;)
>>> >>
>>> >> --
>>> >> xmpp/email: koniczynek at uaznia.net
>>> >> xmpp/email: koniczynek at gmail.com
>>> >>
>>> >> ------------------------------
>>> >>
>>> >> Message: 9
>>> >> Date: Fri, 01 Dec 2006 09:15:14 -0700
>>> >> From: David Boreham
>>> >> Subject: Re: [Fedora-directory-users] Memory usage
>>> >> Message-ID: <45705512.4070808 at boreham.org>
>>> >>
>>> >> koniczynek wrote:
>>> >> > Richard Megginson wrote:
>>> >> >> This is an excellent cache/memory tuning document from a Sun
>>> >> >> employee, primarily targeted to Sun DS users, but almost all of the
>>> >> >> information is relevant to Fedora DS (since they share a common
>>> >> >> lineage).
>>> >> >>
>>> >> >> http://www.directorymanager.org/blogs/ds_cache_sizing.pdf
>>> >> >
>>> >> > Let's say I haven't got much time lately so without thinking I've
>>> >> > changed in dse.ldif nsslapd-import-cache-autosize from -1 to 1 and
>>> >> > after restarting I've started to receive errors like: "3 Time limit
>>> >> > exceeded". Does someone know what to do? ;)
>>> >> >
>>> >> Change it back ?
>>> >>
>>> >> ------------------------------
>>> >>
>>> >> Message: 10
>>> >> Date: Fri, 01 Dec 2006 17:53:22 +0100
>>> >> From: koniczynek
>>> >> Subject: Re: [Fedora-directory-users] Memory usage
>>> >> Message-ID: <45705E02.7020709 at uaznia.net>
>>> >>
>>> >> David Boreham, on 2006-12-01 17:15 wrote:
>>> >> >> Let's say I haven't got much time lately so without thinking I've
>>> >> >> changed in dse.ldif nsslapd-import-cache-autosize from -1 to 1 and
>>> >> >> after restarting I've started to receive errors like: "3 Time limit
>>> >> >> exceeded". Does someone know what to do? ;)
>>> >> > Change it back ?
>>> >> Man, please, show some respect ;) I did change it back, but to no avail.
>>> >> Also I can say (to stop further questions): yes, I've stopped the server
>>> >> before the change.
>>> >>
>>> >> --
>>> >> email/xmpp: koniczynek at uaznia.net
>>> >>
>>> >> ------------------------------
>>> >>
>>> >> End of Fedora-directory-users Digest, Vol 19, Issue 1
>>> >> *****************************************************
>>> >
>>>
>>> ------------------------------
>>>
>>> Message: 2
>>> Date: Fri, 01 Dec 2006 15:23:28 -0800
>>> From: To Ngan
>>> Subject: Re: [Fedora-directory-users] AD + FDS sync stops working?
>>> Message-ID: <4570B970.3070901 at redhat.com>
>>>
>>> Dan Oglesby wrote:
>>> > I tried the following:
>>> >
>>> > In windows registry->HKLM->Software->PasswordSync, try add string value "Log
>>> > Level" and set it to "1". Restart the passsync service. This should log
>>> > all transactions and errors. Turn this back to "0" and restart passsync
>>> > after troubleshooting.
>>> >
>>> > All I see in the log is this:
>>> >
>>> > 11/30/06 09:12:58: begin log
>>> > 11/30/06 09:12:59: 0 new entries loaded from file
>>> > 11/30/06 09:14:20: 0 new entries loaded from file
>>> > 11/30/06 09:14:20: 0 entries saved to file
>>> > 11/30/06 09:14:20: end log
>>> > 11/30/06 09:14:22: begin log
>>> > 11/30/06 09:14:22: 0 new entries loaded from file
>>> >
>>> > That's after restarting the passsync service twice, and changing a user's
>>> > password in AD four times.
>>> >
>>>
>>> Hmm... 2 Windows sync stopped working together after 6 months. Any cert
>>> on AD or DS side expired?
>>> --
>>> toto
>>>
>>> ------------------------------
>>>
>>> Message: 3
>>> Date: Sat, 02 Dec 2006 09:28:17 +0100
>>> From: koniczynek
>>> Subject: Re: [Fedora-directory-users] Memory usage
>>> Message-ID: <45713921.1080009 at uaznia.net>
>>>
>>> Richard Megginson, on 2006-12-01 18:00 wrote:
>>> >> Man, please, show some respect ;) I did change it back, but to no avail.
>>> >> Also I can say (to stop further questions): yes, I've stopped the server
>>> >> before the change.
>>> >>
>>> > What types of searches are returning time limit exceeded? Can you post
>>> > relevant excerpts from the access and error logs?
>>> I'm "benchmarking" my FDS with "ldapsearch -x" and earlier it worked and
>>> now it does not. In the error logs there were "err=3" but I don't remember
>>> much more and I'll have access to the logs on Monday, so till then I can
>>> provide only this information (because I do not remember anything more ;) )
>>>
>>> --
>>> email/xmpp: koniczynek at uaznia.net
>>>
>>> ------------------------------
>>>
>>> End of Fedora-directory-users Digest, Vol 19, Issue 3
>>> *****************************************************

-- 
email/xmpp: koniczynek at uaznia.net

From koniczynek at uaznia.net Tue Dec 5 18:13:45 2006
From: koniczynek at uaznia.net (koniczynek)
Date: Tue, 05 Dec 2006 19:13:45 +0100
Subject: [Fedora-directory-users] RE: Fedora-directory-users Digest, Vol 19, Issue 3
In-Reply-To: <4575B3E3.1040901@uaznia.net>
References: <45758E1D.8090809@redhat.com> <4575B3E3.1040901@uaznia.net>
Message-ID: <4575B6D9.1020102@uaznia.net>

koniczynek, on 2006-12-05 19:01 wrote:
> (...) necessary (...)
and of course I was speaking about unnecessary ;)

-- 
email/xmpp: koniczynek at uaznia.net

From kylet at panix.com Tue Dec 5 18:31:25 2006
From: kylet at panix.com (Kyle Tucker)
Date: Tue, 5 Dec 2006 13:31:25 -0500 (EST)
Subject: [Fedora-directory-users] SSH login and pwd expiration message
In-Reply-To: <1165341544.11636.14.camel@houuc8>
Message-ID: <200612051831.kB5IVPT18649@panix1.panix.com>

> > After "userPassword", insert "|| shadowLastChange " and click on OK and
> > again on OK on the parent window.
>
> The problem we had with using the shadow attributes is that not all
> platforms honor them (I don't recall seeing Solaris update
> shadowLastChange).

Well, that's unsettling. I'd have thought the nss_ldap would provide
adherence to RFC2307, where I believe shadowAccount to be outlined,
across platforms. And I'd have thought Solaris to support it foremost.
My implementations have been all Linux, but I know what I am going to
test next.
> You'd also need to remember to update the
> shadowLastChange attribute manually if you reset a user's password by
> some mechanism outside of PAM (from the Administrator's Console, for
> example).

Yes, I set this to today's date in my management scripts for command line
account maintenance. FWIW, these scripts, and their templates, are here if
anyone finds any use for them.

http://www.panix.com/~kylet/ldap

-- 
- Kyle
---------------------------------------------
kylet at panix.com http://www.panix.com/~kylet
---------------------------------------------

From srigler at marathonoil.com Tue Dec 5 18:45:47 2006
From: srigler at marathonoil.com (Stephen C. Rigler)
Date: Tue, 05 Dec 2006 12:45:47 -0600
Subject: [Fedora-directory-users] SSH login and pwd expiration message
In-Reply-To: <200612051831.kB5IVPT18649@panix1.panix.com>
References: <200612051831.kB5IVPT18649@panix1.panix.com>
Message-ID: <1165344347.1517.7.camel@houuc8>

On Tue, 2006-12-05 at 13:31 -0500, Kyle Tucker wrote:
> > The problem we had with using the shadow attributes is that not all
> > platforms honor them (I don't recall seeing Solaris update
> > shadowLastChange).
>
> Well, that's unsettling. I'd have thought the nss_ldap would provide
> adherence to RFC2307, where I believe shadowAccount to be outlined,
> across platforms. And I'd have thought Solaris to support it foremost.
> My implementations have been all Linux, but I know what I am going to
> test next.

I was testing in conjunction with password policies enforced by the
directory since I don't consider using the shadow attributes a foolproof
means of handling password aging (nothing to stop the user from updating
shadowLastChange if they don't feel like changing their password every x
days). IIRC, Solaris wanted every account to be a shadowAccount, but it
didn't seem to care about any of the values that shadow provides. Maybe
it ignores shadow if there is a password policy in place...
All of the platforms I've tested (RHEL 3, RHEL 4, Solaris 8/9, and Irix)
were happy with the password policies enforced by the directory.

-Steve

From ersin.er at gmail.com Tue Dec 5 21:41:51 2006
From: ersin.er at gmail.com (Ersin Er)
Date: Tue, 5 Dec 2006 23:41:51 +0200
Subject: [Fedora-directory-users] Show Effective Rights via the console
Message-ID:

Hi all,

I am trying to use the "Show Effective Rights" feature via the console,
however I get nothing when I check the box. Just an "Entry Level Rights:"
label is displayed at the bottom of the window but no value is displayed
for either the Entry or the attributes.

Do I have to do some more configuration to make this work?

Thanks.

-- 
Ersin

From jon at compbio.dundee.ac.uk Wed Dec 6 09:32:23 2006
From: jon at compbio.dundee.ac.uk (Jonathan Barber)
Date: Wed, 6 Dec 2006 09:32:23 +0000
Subject: [Fedora-directory-users] Show Effective Rights via the console
In-Reply-To:
References:
Message-ID: <20061206093223.GG24821@compbio.dundee.ac.uk>

On Tue, Dec 05, 2006 at 11:41:51PM +0200, Ersin Er wrote:
> Hi all,
>
> I am trying to use the "Show Effective Rights" feature via the console,
> however I get nothing when I check the box. Just an "Entry Level Rights:"
> label is displayed at the bottom of the window but no value is displayed
> for either the Entry or the attributes.
>
> Do I have to do some more configuration to make this work?

I would guess that this is probably because you're not binding as the
Directory Manager, but rather the admin user, who doesn't have
permission to see the effective rights of other entries.

Now I have a question, is it possible to allow FDS to show the effective
rights of any entry in the server for any user (read access to the entry
permitting)? The documentation here:

http://directory.fedora.redhat.com/wiki/Get_Effective_Rights_Design#.22G.22_Permission

suggests not. Are there plans for this to change?
I ask as I am writing an application for editing entries in FDS, and would
like to customise the display to only show those actions on an entry that
the user can actually make. I do not want to store the authentication
credentials of the Directory Manager within the application.

Cheers.

> Thanks.
>
> --
> Ersin

--
Jonathan Barber
High Performance Computing Analyst
Tel. +44 (0) 1382 386389

From ersin.er at gmail.com Wed Dec 6 09:49:03 2006
From: ersin.er at gmail.com (Ersin Er)
Date: Wed, 6 Dec 2006 11:49:03 +0200
Subject: [Fedora-directory-users] Show Effective Rights via the console
In-Reply-To: <20061206093223.GG24821@compbio.dundee.ac.uk>
References: <20061206093223.GG24821@compbio.dundee.ac.uk>
Message-ID:

Hi!

On 12/6/06, Jonathan Barber wrote:
>
> On Tue, Dec 05, 2006 at 11:41:51PM +0200, Ersin Er wrote:
> > Hi all,
> >
> > I am trying to use the "Show Effective Rights" feature via the console,
> > however I get nothing when I check the box. Just an "Entry Level Rights:"
> > label is displayed at the bottom of the window but no value is displayed
> > for either the Entry or the attributes.
> >
> > Do I have to do some more configuration to make this work?
>
> I would guess that this is probably because you're not binding as the
> Directory Manager, but rather the admin user, who doesn't have
> permission to see the effective rights of other entries.

You are perfectly right. It just worked when I tried as the Directory
Manager. Thank you very much.

> Now I have a question, is it possible to allow FDS to show the effective
> rights of any entry in the server for any user (read access to the entry
> permitting)? The documentation here:
>
> http://directory.fedora.redhat.com/wiki/Get_Effective_Rights_Design#.22G.22_Permission
>
> suggests not. Are there plans for this to change? I ask as I am writing
> an application for editing entries in FDS, and would like to customise
> the display to only show those actions on an entry that the user can
> actually make.
> I do not want to store the authentication credentials of
> the Directory Manager within the application.
>
> Cheers.
>
> > Thanks.
> >
> > --
> > Ersin
>
> --
> Jonathan Barber
> High Performance Computing Analyst
> Tel. +44 (0) 1382 386389
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

--
Ersin
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From capareci at uol.com.br Wed Dec 6 11:51:39 2006
From: capareci at uol.com.br (Renato Ribeiro da Silva)
Date: Wed, 6 Dec 2006 09:51:39 -0200
Subject: [Fedora-directory-users] Advanced button hidden when editing user and groups
Message-ID:

Hello,

I'm trying to edit users' properties using the Fedora Management Console
(users and groups tab), but I need to update advanced attributes too. The
problem is that the "Advanced Button" doesn't appear. If I use the
Directory Console I can access the button without problems. Any idea about
what is happening?

Thanks in advance,
Renato.

From jo.de.troy at gmail.com Wed Dec 6 14:34:26 2006
From: jo.de.troy at gmail.com (Jo De Troy)
Date: Wed, 6 Dec 2006 15:34:26 +0100
Subject: [Fedora-directory-users] Adding admin users
Message-ID:

Hello,

I was wondering what the correct way is to add an extra admin user (not
directory manager or admin) who could log in via the console to do
maintenance tasks. Add users/groups, reset passwords, unlock users,
restore backups, do imports, etc.
I tried adding a user as uniquemember to the group Directory
Administrators and I can log in to the console but I can only see the
domain in the default view; I cannot select the server or the admin
server or directory server console.
I guess using an aci for every specific user that needs privileged
access is not the best way.
Thanks in advance,
Jo

From rmeggins at redhat.com Wed Dec 6 12:47:35 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 06 Dec 2006 07:47:35 -0500
Subject: [Fedora-directory-users] Advanced button hidden when editing user and groups
In-Reply-To:
References:
Message-ID: <4576BBE7.70004@redhat.com>

Renato Ribeiro da Silva wrote:
> Hello,
> I'm trying to edit users' properties using the Fedora Management Console
> (users and groups tab), but I need to update advanced attributes too. The
> problem is that the "Advanced Button" doesn't appear. If I use the
> Directory Console I can access the button without problems. Any idea
> about what is happening?
>
That's by design. The Users&Groups tab is supposed to only allow
non-advanced editing.
> Thanks in advance,
> Renato.
>
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:

From rmeggins at redhat.com Wed Dec 6 12:52:01 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 06 Dec 2006 07:52:01 -0500
Subject: [Fedora-directory-users] Adding admin users
In-Reply-To:
References:
Message-ID: <4576BCF1.6000604@redhat.com>

Jo De Troy wrote:
> Hello,
>
> I was wondering what the correct way is to add an extra admin user (not
> directory manager or admin) who could log in via the console to do
> maintenance tasks. Add users/groups, reset passwords, unlock users,
> restore backups, do imports, etc
> I tried adding a user as uniquemember to the group Directory
> Administrators and I can log in to the console but I can only see the
> domain in the default view I cannot select the server or the admin
> server or directory server console.
> I guess using an aci for every specific user that needs privileged
> access is not the best way.
No. I suggest searching for the uid=admin user that gets created during
setup.
>
> Thanks in advance,
> Jo
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:

From jo.de.troy at gmail.com Wed Dec 6 15:19:25 2006
From: jo.de.troy at gmail.com (Jo De Troy)
Date: Wed, 6 Dec 2006 16:19:25 +0100
Subject: [Fedora-directory-users] Adding admin users
Message-ID:

Hi Rich,

what exactly do you mean? Searching for the uid=admin?
So adding a user to the Directory Administrators is not good enough.
What extra rights does an extra admin user need? And how should I enable
these rights for this user? Can I do this from the console? Or do I
better do it via an ldif import?

Thanks in advance,
Jo

> Hello,
>
> I was wondering what the correct way is to add an extra admin user (not
> directory manager or admin) who could log in via the console to do
> maintenance tasks. Add users/groups, reset passwords, unlock users,
> restore backups, do imports, etc
> I tried adding a user as uniquemember to the group Directory
> Administrators and I can log in to the console but I can only see the
> domain in the default view I cannot select the server or the admin
> server or directory server console.
> I guess using an aci for every specific user that needs privileged
> access is not the best way.
>
> No. I suggest searching for the uid=admin user that gets created during
> setup.
>
> Thanks in advance,
> Jo
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users redhat com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rmeggins at redhat.com Wed Dec 6 13:26:00 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 06 Dec 2006 08:26:00 -0500
Subject: [Fedora-directory-users] Adding admin users
In-Reply-To:
References:
Message-ID: <4576C4E8.2000104@redhat.com>

Jo De Troy wrote:
> Hi Rich,
>
> what exactly do you mean? Searching for the uid=admin?
> So adding a user to the Directory Administrators is not good enough.
> What extra rights does an extra admin user need? And how should I
> enable these rights for this user? Can I do this from the console? Or
> do I better do it via an ldif import?
First, look at an LDIF dump of o=netscaperoot and your user database (I
suggest using db2ldif):

./db2ldif -U -s o=netscaperoot -a /tmp/nsroot.ldif

Also do the same for your user suffix e.g. -s "dc=example,dc=com"

Use -U to disable line wrapping, which makes using grep easier.

Then, just grep for uid=admin to see which entries have an aci which
explicitly calls out uid=admin, and which groups have uid=admin added to
them.

Then, do the same for your dse.ldif, in the entries and children of "",
cn=schema, cn=config, and cn=monitor. dse.ldif is already in ldif
format, so you can just grep it.
>
> Thanks in advance,
> Jo
>
> Hello,
>
> I was wondering what the correct way is to add an extra admin
> user (not
> directory manager or admin) who could log in via the console to do
> maintenance tasks. Add users/groups, reset passwords, unlock
> users,
> restore backups, do imports, etc
> I tried adding a user as uniquemember to the group Directory
> Administrators and I can log in to the console but I can only
> see the
> domain in the default view I cannot select the server or the admin
> server or directory server console.
> I guess using an aci for every specific user that needs
> privileged
> access is not the best way.
>
>
> No. I suggest searching for the uid=admin user that gets created
> during setup.
>
> Thanks in advance,
> Jo
>
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users redhat com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:

From mxheadroom at hotmail.com Wed Dec 6 18:38:50 2006
From: mxheadroom at hotmail.com (t b)
Date: Wed, 06 Dec 2006 13:38:50 -0500
Subject: [Fedora-directory-users] RE: pam_ldap with SSL/TLS
In-Reply-To: <20061202170005.532BB733CD@hormel.redhat.com>
Message-ID:

>From: fedora-directory-users-request at redhat.com
>Reply-To: fedora-directory-users at redhat.com
>To: fedora-directory-users at redhat.com
>Subject: Fedora-directory-users Digest, Vol 19, Issue 3
>Date: Sat, 2 Dec 2006 12:00:05 -0500 (EST)
>
>Send Fedora-directory-users mailing list submissions to
> fedora-directory-users at redhat.com
>
>To subscribe or unsubscribe via the World Wide Web, visit
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>or, via email, send a message with subject or body 'help' to
> fedora-directory-users-request at redhat.com
>
>You can reach the person managing the list at
> fedora-directory-users-owner at redhat.com
>
>When replying, please edit your Subject line so it is more specific
>than "Re: Contents of Fedora-directory-users digest..."
>
>
>Today's Topics:
>
> 1. Re: RE: Fedora-directory-users Digest, Vol 19, Issue 1
> (Richard Megginson)
> 2. Re: AD + FDS sync stops working? (To Ngan)
> 3.
Re: Memory usage (koniczynek)
>
>
>----------------------------------------------------------------------
>
>Message: 1
>Date: Fri, 01 Dec 2006 12:55:24 -0700
>From: Richard Megginson
>Subject: Re: [Fedora-directory-users] RE: Fedora-directory-users
> Digest, Vol 19, Issue 1
>To: "General discussion list for the Fedora Directory server project."
>
>Message-ID: <457088AC.1030004 at redhat.com>
>Content-Type: text/plain; charset="iso-8859-1"
>
>t b wrote:
> > My logs seem to indicate that the connection is being encrypted; I can
> > ssh to a client server and get the password prompt, but when I enter
> > the password it just returns me to the password prompt again
> >
> > [01/Dec/2006:19:47:44 -0500] conn=650 fd=69 slot=69 connection from
> > xxx.xxx.xxx.xxx to xxx.xxx.xxx.xxx
> > [01/Dec/2006:19:47:44 -0500] conn=650 op=0 EXT
> > oid="1.3.6.1.4.1.1466.20037" name="startTLS"
> > [01/Dec/2006:19:47:44 -0500] conn=650 op=0 RESULT err=0 tag=120
> > nentries=0 etime=0
> > [01/Dec/2006:19:47:44 -0500] conn=650 SSL 256-bit AES
>All of this means the client was able to successfully perform the
>startTLS extended operation and start using SSL.
> > [01/Dec/2006:19:47:44 -0500] conn=650 op=1 UNBIND
> > [01/Dec/2006:19:47:44 -0500] conn=650 op=1 fd=69 closed - U1
>The UNBIND means the client had a problem and closed the connection.
>Does the client print any errors? Are there any messages in the server
>error log?
> >
> > If I disable TLS everything works fine, the client server can query
> > the FDS and auth the client properly
> >
> > I am not sure if the problem has to do with the pam_ldap not properly
> > formatted or the cert file not in proper format
> >
> > Does anyone have an example of what the pam_ldap config should look
> > like? or suggestions on checking whether the cert file is in proper
> > format
>I'm not sure. PAM needs the ca cert of the CA that issued the directory
>server server cert.
>See
>http://directory.fedora.redhat.com/wiki/Howto:SSL for more information.
> >
> > Also what's the UNBIND shown in the logs?
> >
> > Thanks
> >

Problem solved, the following link added the missing part to the puzzle,

http://www.fedoraforum.org/forum/archive/index.php/t-1997.html

The problem turns out to be that when you run the command
/usr/bin/authconfig as recommended at,

http://directory.fedora.redhat.com/wiki/Howto:PAM

it does not make all of the necessary adjustments to /etc/ldap.conf -- you
need to also add the settings mentioned in the link above

Hope this helps anyone having the same issues, and thanks to everyone for
their suggestions

As an addition, I am trying to download the posixuser auto creation script
from,

http://www.netauth.com/~jacksonm/ldap/newuser.pl.txt

but the port seems to be blocked; does anyone know where I can get a hold
of that script

Thanks

> >> From: fedora-directory-users-request at redhat.com
> >> Reply-To: fedora-directory-users at redhat.com
> >> To: fedora-directory-users at redhat.com
> >> Subject: Fedora-directory-users Digest, Vol 19, Issue 1
> >> Date: Fri, 1 Dec 2006 12:00:06 -0500 (EST)
> >>
> >> Send Fedora-directory-users mailing list submissions to
> >> fedora-directory-users at redhat.com
> >>
> >> To subscribe or unsubscribe via the World Wide Web, visit
> >> https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >> or, via email, send a message with subject or body 'help' to
> >> fedora-directory-users-request at redhat.com
> >>
> >> You can reach the person managing the list at
> >> fedora-directory-users-owner at redhat.com
> >>
> >> When replying, please edit your Subject line so it is more specific
> >> than "Re: Contents of Fedora-directory-users digest..."
> >>
> >>
> >> Today's Topics:
> >>
> >> 1. pam_ldap with SSL/TLS (t b)
> >> 2. RE: pam_ldap with SSL/TLS (Morris, Patrick)
> >> 3. Re: pam_ldap with SSL/TLS (Richard Megginson)
> >> 4.
Problem with SSL console in X in specific circumstances > >> (Philip Kime) > >> 5. FW: [Fedora-directory-users] Extracting details from > >> ActiveDirectoryto FDS (Paxton, Darren) > >> 6. alias in fedora directory server (patrick ndjientcheu ngandjui) > >> 7. Re: FW: [Fedora-directory-users] Extracting details from > >> ActiveDirectoryto FDS (Nicholas Byrne) > >> 8. Re: Memory usage (koniczynek) > >> 9. Re: Memory usage (David Boreham) > >> 10. Re: Memory usage (koniczynek) > >> > >> > >> ---------------------------------------------------------------------- > >> > >> Message: 1 > >> Date: Thu, 30 Nov 2006 12:31:50 -0500 > >> From: "t b" > >> Subject: [Fedora-directory-users] pam_ldap with SSL/TLS > >> To: fedora-directory-users at redhat.com > >> Message-ID: > >> Content-Type: text/plain; format=flowed > >> > >> I am trying to setup pam_ldap to use TLS to communicate with the FDS, > >> but > >> having lots of problems doing so; it works if I use the unencrypted > >> way but > >> not if I use ldaps ( port 636 ) > >> > >> I used the instructions at, > >> http://directory.fedora.redhat.com/wiki/Howto:PAM > >> > >> Has anyone gotten PAM to work TLS > >> > >> > >> Thanks > >> > >> _________________________________________________________________ > >> Buy, Load, Play. The new Sympatico / MSN Music Store works seamlessly > >> with > >> Windows Media Player. Just Click PLAY. > >> >http://musicstore.sympatico.msn.ca/content/viewer.aspx?cid=SMS_Sept192006 > >> > >> > >> > >> > >> ------------------------------ > >> > >> Message: 2 > >> Date: Thu, 30 Nov 2006 13:00:56 -0500 > >> From: "Morris, Patrick" > >> Subject: RE: [Fedora-directory-users] pam_ldap with SSL/TLS > >> To: "General discussion list for the Fedora Directory server project." 
> >> > >> Message-ID: > >> > > >> > >> > >> Content-Type: text/plain; charset="US-ASCII" > >> > >> > I am trying to setup pam_ldap to use TLS to communicate with > >> > the FDS, but having lots of problems doing so; it works if I > >> > use the unencrypted way but not if I use ldaps ( port 636 ) > >> > >> Someone should jump in here and correct me if I'm wrong, but I believe > >> it's normal for TLS connections to happen on the standard LDAP port. > >> You should be able to tell from your logs whether the connection is > >> encrypted or not. > >> > >> > >> > >> ------------------------------ > >> > >> Message: 3 > >> Date: Thu, 30 Nov 2006 11:08:08 -0700 > >> From: Richard Megginson > >> Subject: Re: [Fedora-directory-users] pam_ldap with SSL/TLS > >> To: "General discussion list for the Fedora Directory server project." > >> > >> Message-ID: <456F1E08.40601 at redhat.com> > >> Content-Type: text/plain; charset="iso-8859-1" > >> > >> Morris, Patrick wrote: > >> >> I am trying to setup pam_ldap to use TLS to communicate with > >> >> the FDS, but having lots of problems doing so; it works if I > >> >> use the unencrypted way but not if I use ldaps ( port 636 ) > >> >> > >> > > >> > Someone should jump in here and correct me if I'm wrong, but I >believe > >> > it's normal for TLS connections to happen on the standard LDAP port. > >> > You should be able to tell from your logs whether the connection is > >> > encrypted or not. > >> > > >> Yes. The LDAP "preferred" way is to use the startTLS extended >operation > >> which starts a TLS session on the non-secure port. This will be logged > >> in the access log. > >> > -- > >> > Fedora-directory-users mailing list > >> > Fedora-directory-users at redhat.com > >> > https://www.redhat.com/mailman/listinfo/fedora-directory-users > >> > > >> -------------- next part -------------- > >> A non-text attachment was scrubbed... 
> >> Name: smime.p7s > >> Type: application/x-pkcs7-signature > >> Size: 3178 bytes > >> Desc: S/MIME Cryptographic Signature > >> Url : > >> >https://www.redhat.com/archives/fedora-directory-users/attachments/20061130/0634e78a/smime.bin > >> > >> > >> ------------------------------ > >> > >> Message: 4 > >> Date: Thu, 30 Nov 2006 18:02:55 -0800 > >> From: "Philip Kime" > >> Subject: [Fedora-directory-users] Problem with SSL console in X in > >> specific circumstances > >> To: > >> Message-ID: > >> <9C0091F428E697439E7A773FFD083427435BE3 at szexchange.Shopzilla.inc> > >> Content-Type: text/plain; charset="us-ascii" > >> > >> Here's the problem: > >> > >> Running startconsole (SSL) to a remote display on a PC X-server >(xwin32) > >> works fine and requires that my windows home dir on the PC X-server > >> machine has .fedora-console/ containing cert8.db and key3.db, as you'd > >> expect. If I rename this dir, the console hangs at the splash screen. >So > >> far, so good, all makes sense. > >> > >> If I try the same thing to cygwin's X server on same machine or to an X > >> server on a Mac running OSX, startconsole always hangs as if it can't > >> find ~/.fedora-console on the local machine. I've tried copying this >dir > >> to what cygwin/OSX thinks is the user's home dir but no luck. Where > >> should I put the Cert db files under "real" UNIX X to get the SSL > >> console to work? Also tried ~/.mmc as per the docs but I could never >get > >> this to work. > >> > >> PK > >> > >> -- > >> Philip Kime > >> NOPS Systems Architect > >> 310 401 0407 > >> > >> -------------- next part -------------- > >> An HTML attachment was scrubbed... 
> >> URL: > >> >https://www.redhat.com/archives/fedora-directory-users/attachments/20061130/054ecbd6/attachment.html > >> > >> > >> ------------------------------ > >> > >> Message: 5 > >> Date: Fri, 1 Dec 2006 08:04:30 -0000 > >> From: "Paxton, Darren" > >> Subject: FW: [Fedora-directory-users] Extracting details from > >> ActiveDirectoryto FDS > >> To: > >> Message-ID: > >> <52F7C07B119CF4439B7EFBFE0FB3256B027CBD02 at eidwpexms06.mercer.com> > >> Content-Type: text/plain; charset="us-ascii" > >> > >> Skipped content of type multipart/alternative-------------- next part > >> -------------- > >> -- > >> Fedora-directory-users mailing list > >> Fedora-directory-users at redhat.com > >> https://www.redhat.com/mailman/listinfo/fedora-directory-users > >> > >> ------------------------------ > >> > >> Message: 6 > >> Date: Fri, 1 Dec 2006 08:10:42 +0000 (GMT) > >> From: patrick ndjientcheu ngandjui > >> Subject: [Fedora-directory-users] alias in fedora directory server > >> To: Fedora-directory-users at redhat.com > >> Message-ID: <20061201081042.78578.qmail at web25801.mail.ukl.yahoo.com> > >> Content-Type: text/plain; charset="iso-8859-1" > >> > >> Hi, > >> I would like to know how to use alias in fedora directory server.It > >> seems that it is used for point to another entry in the directory,but > >> i don't know how to use this feature.May someone helps me on this > >> issue? I would really appreciate an example. > >> > >> Thanks > >> > >> > >> > >> > >> > >> > >> > >> > >> >___________________________________________________________________________ > >> > >> D?couvrez une nouvelle fa?on d'obtenir des r?ponses ? toutes vos > >> questions ! > >> Profitez des connaissances, des opinions et des exp?riences des > >> internautes sur Yahoo! Questions/R?ponses > >> http://fr.answers.yahoo.com > >> -------------- next part -------------- > >> An HTML attachment was scrubbed... 
> >> URL: > >> >https://www.redhat.com/archives/fedora-directory-users/attachments/20061201/0fa54e4f/attachment.html > >> > >> > >> ------------------------------ > >> > >> Message: 7 > >> Date: Fri, 01 Dec 2006 11:50:13 +0000 > >> From: Nicholas Byrne > >> Subject: Re: FW: [Fedora-directory-users] Extracting details from > >> ActiveDirectoryto FDS > >> To: "General discussion list for the Fedora Directory server project." > >> > >> Message-ID: <457016F5.5030202 at quadriga.com> > >> Content-Type: text/plain; charset=ISO-8859-1; format=flowed > >> > >> Your messages got through - you can confirm by checking the archives - > >> https://www.redhat.com/archives/fedora-directory-users/ > >> > >> I'm a new user as well so i'm afraid i can't answer your question, but > >> if you keep asking i'm sure someone will know! > >> Nick > >> > >> Paxton, Darren wrote: > >> > Apologies for mailing yet again, however either my messages are not > >> > getting through (something I don't believe as I keep getting the post > >> > to the mailing list) - or for some reason, no one is willing to even > >> > acknowledge my issue. > >> > > >> > In the spirit of the community - can someone at least acknowledge a > >> > message as I find it quite disheartening that I have had no replies >at > >> > all even if just to point me somewhere for assistance. > >> > > >> > > >> >------------------------------------------------------------------------ > >> > *From:* fedora-directory-users-bounces at redhat.com > >> > [mailto:fedora-directory-users-bounces at redhat.com] *On Behalf Of > >> > *Paxton, Darren > >> > *Sent:* 30 November 2006 08:46 > >> > *To:* General discussion list for the Fedora Directory server >project. > >> > *Subject:* RE: [Fedora-directory-users] Extracting details from > >> > ActiveDirectoryto FDS > >> > > >> > Hi > >> > > >> > Has anyone had any thoughts on my query or can point me in the right > >> > direction? 
> >> > > >> > As is the nature of AD, I would have thought it is possible to >extract > >> > this information using a scope setting or something similar. > >> > > >> > Thanks > >> > > >> > Darren > >> > > >> > > >> >------------------------------------------------------------------------ > >> > *From:* fedora-directory-users-bounces at redhat.com > >> > [mailto:fedora-directory-users-bounces at redhat.com] *On Behalf Of > >> > *Paxton, Darren > >> > *Sent:* 24 November 2006 14:56 > >> > *To:* fedora-directory-users at redhat.com > >> > *Subject:* [Fedora-directory-users] Extracting details from >Active > >> > Directoryto FDS > >> > > >> > Hi all, > >> > > >> > I've been tinkering with integrating our Linux devices into our >AD > >> > domain for some time and I've hit a few brick walls, however I've > >> > recently discovered FDS and the synchronisation features with AD. > >> > > >> > I've managed to set up a few replication jobs, however due to the > >> > extensive nature of our AD, I've realised that the sync only >takes > >> > the group and user objects from the OU or CN being specified. > >> > > >> > Is there any way I can specify that it should traverse all > >> > subtrees of an OU and extract all that information back into FDS? > >> > > >> > Thanks > >> > > >> > Darren > >> > > >> > -- > >> > Darren Paxton > >> > EMEA Tier2 > >> > Red Hat Certified Engineer > >> > VMware Certified Professional > >> > MGTI Centralised ops > >> > > >> > > >> > This e-mail and any attachments may be confidential or legally > >> > privileged.If you received this message in error or are not the > >> > intended recipient, you should destroy the email message and any > >> > attachments or copies, and you are prohibited from retaining, > >> > distributing, disclosing or using any information contained herein. > >> > Please inform us of the erroneous delivery by return e-mail. Thank >you > >> > for your co-operation. 
> >> > > >> > Mercer Human Resource Consulting Limited is authorised and regulated > >> > by the Financial Services Authority. Registered in England No. >984275. > >> > Registered Office: 1 Tower Place West, Tower Place, London, EC3R 5BU. > >> > > >> > > >> >------------------------------------------------------------------------ > >> > > >> > -- > >> > Fedora-directory-users mailing list > >> > Fedora-directory-users at redhat.com > >> > https://www.redhat.com/mailman/listinfo/fedora-directory-users > >> > > >> > > >> >------------------------------------------------------------------------ > >> > > >> > -- > >> > Fedora-directory-users mailing list > >> > Fedora-directory-users at redhat.com > >> > https://www.redhat.com/mailman/listinfo/fedora-directory-users > >> > > >> > >> > >> > >> This e-mail is the property of Quadriga Worldwide Ltd, intended for > >> the addressee only and confidential. Any dissemination, copying or > >> distribution of this message or any attachments is strictly prohibited. > >> > >> If you have received this message in error, please notify us > >> immediately by replying to the message and deleting it from your > >> computer. > >> > >> Messages sent to and from Quadriga may be monitored. > >> > >> Quadriga cannot guarantee any message delivery method is secure or > >> error-free. Information could be intercepted, corrupted, lost, > >> destroyed, arrive late or incomplete, or contain viruses. > >> > >> We do not accept responsibility for any errors or omissions in this > >> message and/or attachment that arise as a result of transmission. > >> > >> You should carry out your own virus checks before opening any > >> attachment. > >> > >> Any views or opinions presented are solely those of the author and do > >> not necessarily represent those of Quadriga. 
> >> > >> > >> > >> ------------------------------ > >> > >> Message: 8 > >> Date: Fri, 01 Dec 2006 16:45:28 +0100 > >> From: koniczynek > >> Subject: Re: [Fedora-directory-users] Memory usage > >> To: "General discussion list for the Fedora Directory server project." > >> > >> Message-ID: <45704E18.3070705 at uaznia.net> > >> Content-Type: text/plain; charset=ISO-8859-2; format=flowed > >> > >> Richard Megginson napisa?(a): > >> > This is an excellent cache/memory tuning document from a Sun >employee, > >> > primarily targeted to Sun DS users, but almost all of the > >> information is > >> > relevant to Fedora DS (since they share a common lineage). > >> > > >> > http://www.directorymanager.org/blogs/ds_cache_sizing.pdf > >> Lets say I heven't got much time lately so without thinking I've >changed > >> in dse.ldif > >> nsslapd-import-cache-autosize from -1 to 1 and after restarting I've > >> started to receive errors like: "3 Time limit exceeded" Someone do know > >> what to do? ;) > >> > >> -- > >> xmpp/email: koniczynek at uaznia.net > >> xmpp/email: koniczynek at gmail.com > >> > >> > >> > >> ------------------------------ > >> > >> Message: 9 > >> Date: Fri, 01 Dec 2006 09:15:14 -0700 > >> From: David Boreham > >> Subject: Re: [Fedora-directory-users] Memory usage > >> To: "General discussion list for the Fedora Directory server project." > >> > >> Message-ID: <45705512.4070808 at boreham.org> > >> Content-Type: text/plain; charset=ISO-8859-2; format=flowed > >> > >> koniczynek wrote: > >> > >> > Richard Megginson napisa?(a): > >> > > >> >> This is an excellent cache/memory tuning document from a Sun > >> >> employee, primarily targeted to Sun DS users, but almost all of the > >> >> information is relevant to Fedora DS (since they share a common > >> >> lineage). 
> >> >> > >> >> http://www.directorymanager.org/blogs/ds_cache_sizing.pdf
> >> > > >> >
> >> > Let's say I haven't got much time lately, so without thinking I've
> >> > changed in dse.ldif
> >> > nsslapd-import-cache-autosize from -1 to 1 and after restarting I've
> >> > started to receive errors like: "3 Time limit exceeded". Does someone
> >> > know what to do? ;)
> >> >
> >> Change it back?
> >>
> >> ------------------------------
> >>
> >> Message: 10
> >> Date: Fri, 01 Dec 2006 17:53:22 +0100
> >> From: koniczynek
> >> Subject: Re: [Fedora-directory-users] Memory usage
> >> To: "General discussion list for the Fedora Directory server project."
> >> Message-ID: <45705E02.7020709 at uaznia.net>
> >> Content-Type: text/plain; charset=ISO-8859-2
> >>
> >> David Boreham, on 2006-12-01 17:15 wrote:
> >> >> Let's say I haven't got much time lately, so without thinking I've
> >> >> changed in dse.ldif
> >> >> nsslapd-import-cache-autosize from -1 to 1 and after restarting I've
> >> >> started to receive errors like: "3 Time limit exceeded". Does someone
> >> >> know what to do? ;)
> >> > Change it back?
> >> Man, please, show some respect ;) I did change it back, but to no avail.
> >> Also I can say (to stop further questions): yes, I've stopped the server
> >> before the change.
> >>
> >> --
> >> email/xmpp: koniczynek at uaznia.net
> >>
> >> ------------------------------
> >>
> >> --
> >> Fedora-directory-users mailing list
> >> Fedora-directory-users at redhat.com
> >> https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >>
> >> End of Fedora-directory-users Digest, Vol 19, Issue 1
> >> *****************************************************
> >
> > --
> > Fedora-directory-users mailing list
> > Fedora-directory-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
> ------------------------------
>
> Message: 2
> Date: Fri, 01 Dec 2006 15:23:28 -0800
> From: To Ngan
> Subject: Re: [Fedora-directory-users] AD + FDS sync stops working?
> To: "General discussion list for the Fedora Directory server project."
> Message-ID: <4570B970.3070901 at redhat.com>
> Content-Type: text/plain; charset="windows-1252"
>
> Dan Oglesby wrote:
> > I tried the following:
> >
> > In windows registry->HKLM->Software->PasswordSync, try to add string value "Log
> > Level" and set it to "1". Restart the passsync service. This should log
> > all transactions and errors. Turn this back to "0" and restart passsync
> > after troubleshooting.
> >
> > All I see in the log is this:
> >
> > 11/30/06 09:12:58: begin log
> > 11/30/06 09:12:59: 0 new entries loaded from file
> > 11/30/06 09:14:20: 0 new entries loaded from file
> > 11/30/06 09:14:20: 0 entries saved to file
> > 11/30/06 09:14:20: end log
> > 11/30/06 09:14:22: begin log
> > 11/30/06 09:14:22: 0 new entries loaded from file
> >
> > That's after restarting the passsync service twice, and changing a user's
> > password in AD four times.
> >
> Hmm... 2 Windows sync stopped working together after 6 months. Any cert
> on AD or DS side expired?
> --
> toto
>
> ------------------------------
>
> Message: 3
> Date: Sat, 02 Dec 2006 09:28:17 +0100
> From: koniczynek
> Subject: Re: [Fedora-directory-users] Memory usage
> To: "General discussion list for the Fedora Directory server project."
> Message-ID: <45713921.1080009 at uaznia.net>
> Content-Type: text/plain; charset=ISO-8859-2
>
> Richard Megginson, on 2006-12-01 18:00 wrote:
> >> Man, please, show some respect ;) I did change it back, but to no avail.
> >> Also I can say (to stop further questions): yes, I've stopped the server
> >> before the change.
> >>
> > What types of searches are returning time limit exceeded? Can you post
> > relevant excerpts from the access and error logs?
> I'm "benchmarking" my FDS with "ldapsearch -x" and earlier it worked and
> now it does not. In the error logs there were "err=3" but I don't remember
> much more and I'll have access to the logs on Monday, so till then
> I can provide only this information (because I do not remember anything
> more ;) )
>
> --
> email/xmpp: koniczynek at uaznia.net
>
> ------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
> End of Fedora-directory-users Digest, Vol 19, Issue 3
> *****************************************************
From rmeggins at redhat.com Wed Dec 6 17:01:32 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 06 Dec 2006 12:01:32 -0500
Subject: [Fedora-directory-users] Show Effective Rights via the console
In-Reply-To: <20061206093223.GG24821@compbio.dundee.ac.uk>
References: <20061206093223.GG24821@compbio.dundee.ac.uk>
Message-ID: <4576F76C.8070200@redhat.com>

Jonathan Barber wrote:
> On Tue, Dec 05, 2006 at 11:41:51PM +0200, Ersin Er wrote:
>
>> Hi all,
>>
>> I am trying to use the "Show Effective Rights" feature via the console,
>> however I get nothing when I check the box. Just an "Entry Level Rights:"
>> label is displayed at the bottom of the window but no value is displayed for
>> either the Entry or the attributes.
>>
>> Do I have to do some more configuration to make this work?
>>
>
> I would guess that this is probably because you're not binding as the
> Directory Manager, but rather the admin user, who doesn't have
> permission to see the effective rights of other entries.
>
> Now I have a question: is it possible to allow FDS to show the effective
> rights of any entry in the server for any user (read access to the entry
> permitting)? The documentation here:
>
> http://directory.fedora.redhat.com/wiki/Get_Effective_Rights_Design#.22G.22_Permission
>
> suggests not. Are there plans for this to change? I ask as I am writing
> an application for editing entries in FDS, and would like to customise
> the display to only show those actions on an entry that the user can
> actually make. I do not want to store the authentication credentials of
> the Directory Manager within the application.
>
Samba 4 needs a similar feature, and such a feature would be very useful
to all UI clients for the purpose you describe above - being able to show
the fields editable by the user, and optionally those which are not. With
Fedora DS, a field may not be editable for a number of reasons, ACI being
just one of them. Other reasons would be the NO-USER-MODIFICATION flag set
in the schema, or the attribute value is virtual, and other reasons are
possible as well. See
https://www.redhat.com/archives/fedora-directory-devel/2006-November/msg00000.html
for a discussion about this issue.

> Cheers.
>
>> Thanks.
>>
>> --
>> Ersin
>>

From ersin.er at gmail.com Wed Dec 6 21:43:18 2006
From: ersin.er at gmail.com (Ersin Er)
Date: Wed, 6 Dec 2006 23:43:18 +0200
Subject: [Fedora-directory-users] Error: Database is read-only
Message-ID:

Hi all,

After I played a little bit with Fedora Directory Server I started to get an
error message: "Database is read-only", when I tried to modify anything.
Did I change any setting accidentally?

Thanks.

--
Ersin

From glenn at mail.txwes.edu Wed Dec 6 22:01:53 2006
From: glenn at mail.txwes.edu (Glenn)
Date: Wed, 6 Dec 2006 16:01:53 -0600
Subject: [Fedora-directory-users] Windows Sync without Domain Admin?
In-Reply-To: <457060C5.9090700@quadriga.com>
References: <457060C5.9090700@quadriga.com>
Message-ID: <20061206220006.M10393@mail.txwes.edu>

I haven't tested this, but it might be possible. See Microsoft KB article
303972. -Glenn.

http://support.microsoft.com/kb/303972/

---------- Original Message -----------
From: Nicholas Byrne
To: "General discussion list for the Fedora Directory server project."
Sent: Fri, 01 Dec 2006 17:05:09 +0000
Subject: [Fedora-directory-users] Windows Sync without Domain Admin?

> Hi all,
>
> Is it possible to do a synchronisation of a windows peer without the
> windows user who I use to bind being a domain admin? I have a read
> only user with which I can run ldapsearch and find all users data in
> the AD directory but using the same user to sync with fails.
> The replication status says "total update completed" but I see no
> updates to my FDS directory.
>
> If I modify this user in AD to be a domain admin it works correctly,
> but what I want to know is why can't I use a read-only user to sync?
> Is there any way around this?
>
> Thanks
> Nick

From koniczynek at uaznia.net Thu Dec 7 07:04:57 2006
From: koniczynek at uaznia.net (koniczynek)
Date: Thu, 07 Dec 2006 08:04:57 +0100
Subject: [Fedora-directory-users] Error: Database is read-only
In-Reply-To:
References:
Message-ID: <4577BD19.6000504@uaznia.net>

Ersin Er wrote:
> After I played a little bit with Fedora Directory Server I started to get an
> error message: "Database is read-only", when I tried to modify anything.
> Did I change any setting accidentally?

As was mentioned earlier - maybe you set this FDS to be a read-only replica?

--
xmpp/email: koniczynek at uaznia.net
xmpp/email: koniczynek at gmail.com

From capareci at uol.com.br Thu Dec 7 16:51:04 2006
From: capareci at uol.com.br (Renato Ribeiro da Silva)
Date: Thu, 7 Dec 2006 14:51:04 -0200
Subject: [Fedora-directory-users] Sort Objects problem in Directory Server Console
Message-ID:

Hello,

I'm trying to sort objects in Directory Server Console (View Menu -> Sort
Objects) but this function isn't working. I need to use only numbers to
identify the users (e.g. uid=12345678910). Any idea?

Thanks in advance,
Renato.

From nicholas.byrne at quadriga.com Thu Dec 7 16:53:09 2006
From: nicholas.byrne at quadriga.com (Nicholas Byrne)
Date: Thu, 07 Dec 2006 16:53:09 +0000
Subject: [Fedora-directory-users] Windows Sync without Domain Admin?
In-Reply-To: <20061206220006.M10393@mail.txwes.edu>
References: <457060C5.9090700@quadriga.com> <20061206220006.M10393@mail.txwes.edu>
Message-ID: <457846F5.5000709@quadriga.com>

It works well. Just as described in the article, adding the "Replication
Directory Changes" permission to a read-only user allows me to synchronise.
Creation and deletion of entries don't get pushed to AD as expected, whereas
changes on AD get pulled to FDS.

Thanks very much
Nick

Glenn wrote:
> I haven't tested this, but it might be possible. See Microsoft KB article
> 303972. -Glenn.
>
> http://support.microsoft.com/kb/303972/
>
> ---------- Original Message -----------
> From: Nicholas Byrne
> To: "General discussion list for the Fedora Directory server project."
> Sent: Fri, 01 Dec 2006 17:05:09 +0000
> Subject: [Fedora-directory-users] Windows Sync without Domain Admin?
>
>> Hi all,
>>
>> Is it possible to do a synchronisation of a windows peer without the
>> windows user who I use to bind being a domain admin? I have a read
>> only user with which I can run ldapsearch and find all users data in
>> the AD directory but using the same user to sync with fails. The
>> replication status says "total update completed" but I see no
>> updates to my FDS directory.
>>
>> If I modify this user in AD to be a domain admin it works correctly,
>> but what I want to know is why can't I use a read-only user to sync?
>> Is there any way around this?
>>
>> Thanks
>> Nick
>>

From GCopeland at efjohnson.com Thu Dec 7 17:16:58 2006
From: GCopeland at efjohnson.com (Greg Copeland)
Date: Thu, 7 Dec 2006 11:16:58 -0600
Subject: [Fedora-directory-users] Error: Database is read-only
In-Reply-To:
Message-ID: <273A72C669F45B4996896A031B88CCEF3E17BB@EFJDFWMX01.EFJDFW.local>

I had this happen to me too. I came in one day and found the database was
suddenly marked read-only. I had to find the read-only setting and make it
read/write and everything was happy again.

Cheers,

Greg Copeland

________________________________
From: fedora-directory-users-bounces at redhat.com
[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Ersin Er
Sent: Wednesday, December 06, 2006 3:43 PM
To: Fedora-directory-users mailing list
Subject: [Fedora-directory-users] Error: Database is read-only

Hi all,

After I played a little bit with Fedora Directory Server I started to get an
error message: "Database is read-only", when I tried to modify anything.
Did I change any setting accidentally?

Thanks.

--
Ersin

From davea at support.kcm.org Thu Dec 7 23:17:54 2006
From: davea at support.kcm.org (Dave Augustus)
Date: Thu, 07 Dec 2006 17:17:54 -0600
Subject: [Fedora-directory-users] Multiple Servers. Multiple Consoles?
Message-ID: <1165533474.16528.3.camel@kcm40202.kcmhq.org>

Hello All,

I have 2 LDAP servers running in MultiMaster behind a load balancer. I
also have FDS management consoles running on both.

Is the management console required for each install of FDS?

Is there a way to consolidate them?
Thanks,
Dave

From rmeggins at redhat.com Thu Dec 7 23:34:42 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 07 Dec 2006 16:34:42 -0700
Subject: [Fedora-directory-users] Multiple Servers. Multiple Consoles?
In-Reply-To: <1165533474.16528.3.camel@kcm40202.kcmhq.org>
References: <1165533474.16528.3.camel@kcm40202.kcmhq.org>
Message-ID: <4578A512.5030507@redhat.com>

Dave Augustus wrote:
> Hello All,
>
> I have 2 LDAP servers running in MultiMaster behind a load balancer. I
> also have FDS management consoles running on both.
>
> Is the management console required for each install of FDS?
>
No.

> Is there a way to consolidate them?
>
When you installed the first instance of FDS, it should have created it as
the configuration DS. When you run setup subsequent times, in Typical mode,
you will be given the opportunity to register the new instance with the
configuration DS.

> Thanks,
> Dave
>

From davea at support.kcm.org Fri Dec 8 17:28:08 2006
From: davea at support.kcm.org (Dave Augustus)
Date: Fri, 08 Dec 2006 11:28:08 -0600
Subject: [Fedora-directory-users] Multiple Servers. Multiple Consoles?
In-Reply-To: <4578A512.5030507@redhat.com>
References: <1165533474.16528.3.camel@kcm40202.kcmhq.org> <4578A512.5030507@redhat.com>
Message-ID: <1165598888.18568.3.camel@kcm40202.kcmhq.org>

But of course the console is required to *manage* one or more instances
of FDS. So it would seem that having the management console on more than
one server would be beneficial from a high-availability standpoint. Is
there a method to add an existing install of FDS to an existing install
of the FDS admin?

As I said, I have 2 servers in a multimaster configuration. I am running
the console on both. Can I add the non-local instance of FDS to the local
version? That would give me the ability to manage both servers from either
one of the FDS admin consoles.

Thanks,
Dave

On Thu, 2006-12-07 at 16:34 -0700, Richard Megginson wrote:
> Dave Augustus wrote:
> > Hello All,
> >
> > I have 2 LDAP servers running in MultiMaster behind a load balancer. I
> > also have FDS management consoles running on both.
> >
> > Is the management console required for each install of FDS?
> >
> No.
> > Is there a way to consolidate them?
> >
> When you installed the first instance of FDS, it should have created it
> as the configuration DS. When you run setup subsequent times, in
> Typical mode, you will be given the opportunity to register the new
> instance with the configuration DS.
> >
> > Thanks,
> > Dave

From phil.lembo at gmail.com Fri Dec 8 17:24:28 2006
From: phil.lembo at gmail.com (Phil Lembo)
Date: Fri, 8 Dec 2006 12:24:28 -0500
Subject: [Fedora-directory-users] Re: Multiple Servers. Multiple Consoles? (Richard Megginson)
Message-ID:

When we first started with the old iPlanet product all our prod directories
were connected to a common admin server config instance. Over time, I found
that made things difficult when something would "happen" to that admin
server (whether intentionally or unintentionally). As a result, my practice
now is to have a separate config instance for each physical server.
I've often wanted to go back to using a single config instance, but never
had the time to really think through what you'd need to do to recover if,
for example, the admin server stopped working for some reason.

I think I once saw a way to attach a running directory to a different admin
server, just can't remember where. Something covering that would make a
great HOWTO.

Phil Lembo

On 12/8/06, fedora-directory-users-request at redhat.com wrote:
>
> Today's Topics:
>
>    1. RE: Error: Database is read-only (Greg Copeland)
>    2. Multiple Servers. Multiple Consoles? (Dave Augustus)
>    3. Re: Multiple Servers. Multiple Consoles? (Richard Megginson)
>
> End of Fedora-directory-users Digest, Vol 19, Issue 11
> ******************************************************

--
Phil Lembo
e-mail: phil.lembo at gmail.com

From rmeggins at redhat.com Fri Dec 8 18:24:34 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 08 Dec 2006 11:24:34 -0700
Subject: [Fedora-directory-users] Multiple Servers. Multiple Consoles?
In-Reply-To: <1165598888.18568.3.camel@kcm40202.kcmhq.org>
References: <1165533474.16528.3.camel@kcm40202.kcmhq.org> <4578A512.5030507@redhat.com> <1165598888.18568.3.camel@kcm40202.kcmhq.org>
Message-ID: <4579ADE2.4030602@redhat.com>

Dave Augustus wrote:
> But of course the console is required to *manage* one or more instances
> of FDS. So it would seem that having the management console on more than
> one server would be beneficial from a high-availability standpoint.
> Is there a method to add an existing install of FDS to an existing install
> of the FDS admin?
>
> As I said, I have 2 servers in a multimaster configuration. I am running
> the console on both. Can I add the non-local instance of FDS to the
> local version? That would give me the ability to manage both servers
> from either one of the FDS admin consoles.
>
It is possible, but not easy. The best way I can think of would be to
actually do this to see what entries are created. E.g. set up a new ds
instance using setup and register it with your configuration ds. Take a
db2ldif dump of o=netscaperoot on your configuration ds before and after,
and compare. Also compare the dse.ldif from the new console instance with
the instance that is not in the console.

> Thanks,
> Dave
>
> On Thu, 2006-12-07 at 16:34 -0700, Richard Megginson wrote:
>
>> Dave Augustus wrote:
>>
>>> Hello All,
>>>
>>> I have 2 LDAP servers running in MultiMaster behind a load balancer. I
>>> also have FDS management consoles running on both.
>>>
>>> Is the management console required for each install of FDS?
>>>
>> No.
>>
>>> Is there a way to consolidate them?
>>>
>> When you installed the first instance of FDS, it should have created it
>> as the configuration DS. When you run setup subsequent times, in
>> Typical mode, you will be given the opportunity to register the new
>> instance with the configuration DS.
>>
>>> Thanks,
>>> Dave
>>>
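Richard's "dump before and after, and compare" step is easier when the two db2ldif exports are normalised first: db2ldif folds long lines, base64-encodes some values, and gives no guarantee about attribute order or case, so a plain diff of the raw files is noisy. The script below is an added example written for this thread, not code from the Fedora DS project or from anyone on the list. Both LDIF exports in it are constructed, and the entry names under o=NetscapeRoot are made up to imitate the layout of a configuration directory rather than copied from a real one.

```python
"""Normalise two LDIF exports and report what changed between them.

Added example for the thread above (not code from Fedora DS or from anyone
on the list).  Intended use: db2ldif dumps of o=NetscapeRoot taken before and
after registering a new instance with the configuration DS.  The two exports
below are constructed; the entry names only imitate the o=NetscapeRoot layout.
"""
import base64
from collections import defaultdict


def parse_ldif(text):
    """Return {dn: {attr: set(values)}} for an LDIF export.

    Handles what makes a plain diff of db2ldif output noisy: folded
    continuation lines, base64 ("::") values, attribute order and case.
    Binary values are assumed to be UTF-8 text, which holds for config data."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:   # continuation of the previous line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = {}, None
    for line in unfolded:
        if not line.strip() or line.startswith("#") or line.startswith("version:"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):              # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            current = value.lower()            # DNs compare case-insensitively
            entries[current] = defaultdict(set)
        elif current is not None:
            entries[current][name.lower()].add(value)
    return entries


def diff_ldif(before_text, after_text, ignore=("modifytimestamp", "modifiersname")):
    """Added/removed DNs plus, for DNs in both exports, {attr: (old, new)} for
    attributes whose value sets differ.  Operational attributes that change on
    every write are ignored by default so they do not drown the real changes."""
    before, after = parse_ldif(before_text), parse_ldif(after_text)
    report = {"added": [], "removed": [], "changed": {}}
    for dn in sorted(set(before) | set(after)):
        if dn not in before:
            report["added"].append(dn)
        elif dn not in after:
            report["removed"].append(dn)
        else:
            diffs = {}
            for attr in sorted(set(before[dn]) | set(after[dn])):
                if attr in ignore:
                    continue
                old, new = before[dn].get(attr, set()), after[dn].get(attr, set())
                if old != new:
                    diffs[attr] = (sorted(old), sorted(new))
            if diffs:
                report["changed"][dn] = diffs
    return report


# Constructed "before" export: base entry plus the instance registered at install.
BEFORE = """\
version: 1
dn: o=NetscapeRoot
objectClass: top
objectClass: organization
o: NetscapeRoot

dn: cn=ldap1.example.com,o=NetscapeRoot
objectClass: top
objectClass: extensibleObject
cn: ldap1.example.com
description: first instance, registered at install time
modifyTimestamp: 20061207230000Z
"""

# Constructed "after" export: the same tree once a second instance has been
# registered.  It adds one entry (with a folded line and a base64 value, both
# of which db2ldif may emit) and bumps a timestamp that must not count.
AFTER = BEFORE.replace("20061207230000Z", "20061208120000Z") + """
dn: cn=ldap2.example.com,o=NetscapeRoot
objectClass: top
objectClass: extensibleObject
cn: ldap2.example.com
description: second instance, registered with the
  configuration DS by setup
nsServerID:: """ + base64.b64encode(b"slapd-ldap2").decode("ascii") + "\n"


def summarize(report):
    """Render a diff report as printable lines."""
    lines = ["+ " + dn for dn in report["added"]] + ["- " + dn for dn in report["removed"]]
    for dn, diffs in report["changed"].items():
        for attr, (old, new) in diffs.items():
            lines.append("~ %s %s: %s -> %s" % (dn, attr, old, new))
    return lines or ["no differences"]


if __name__ == "__main__":
    print("\n".join(summarize(diff_ldif(BEFORE, AFTER))))
```

Against real exports,read the two files and pass their text to `diff_ldif`; the entries that show up only in the "after" dump are what setup created when it registered the instance, and therefore the shape you would have to reproduce (with ldapadd against the configuration DS) for an instance that was installed without registration. dse.ldif is LDIF too, so the same function serves the second comparison Richard suggests.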
From jo.de.troy at gmail.com Sun Dec 10 20:39:27 2006
From: jo.de.troy at gmail.com (Jo De Troy)
Date: Sun, 10 Dec 2006 21:39:27 +0100
Subject: [Fedora-directory-users] db2ldif hangs
Message-ID:

Hello,

I have a daily cron job to run db2ldif. But one day last week it kept on
running and during that time I couldn't write any changes. When I killed
the job I could again write changes. When I rerun db2ldif it completes
quickly as before.

Has anyone else seen this behavior?

I'm running Fedora DS 1.0.2 on RHEL4.

Thanks in advance,
Jo

From prowley at redhat.com Mon Dec 11 16:57:04 2006
From: prowley at redhat.com (Pete Rowley)
Date: Mon, 11 Dec 2006 08:57:04 -0800
Subject: [Fedora-directory-users] Sort Objects problem in Directory Server Console
In-Reply-To:
References:
Message-ID: <457D8DE0.3010102@redhat.com>

Renato Ribeiro da Silva wrote:
> Hello,
> I'm trying to sort objects in Directory Server Console (View Menu -> Sort
> Objects) but this function isn't working. I need to use only numbers to
> identify the users (e.g. uid=12345678910). Any idea?
>
You should probably use uidNumber from the posixAccount objectclass - uid
is being sorted alphabetically according to its syntax.

> Thanks in advance,
> Renato.
>

--
Pete
From capareci at uol.com.br Mon Dec 11 18:34:51 2006
From: capareci at uol.com.br (Renato Ribeiro da Silva)
Date: Mon, 11 Dec 2006 16:34:51 -0200
Subject: [Fedora-directory-users] Sort Objects problem in Directory Server Console
Message-ID:

Ok,

But when I use the ldapsearch command it works successfully.
( ./ldapsearch -b objectclass=* -h -S uid )

The problem is that I really need to use Personal IDs to identify users on
the network. It's not allowed to use another kind of identification.

Is there any configuration that I can change to sort the users correctly?

Thank you,
Renato.

> Renato Ribeiro da Silva wrote:
> > Hello,
> > I'm trying to sort objects in Directory Server Console (View Menu -> Sort
> > Objects) but this function isn't working. I need to use only numbers to
> > identify the users (e.g. uid=12345678910). Any idea?
> >
> You should probably use uidNumber from the posixAccount objectclass -
> uid is being sorted alphabetically according to its syntax.
> > Thanks in advance,
> > Renato.
> >
> --
> Pete

From prowley at redhat.com Mon Dec 11 19:17:04 2006
From: prowley at redhat.com (Pete Rowley)
Date: Mon, 11 Dec 2006 11:17:04 -0800
Subject: [Fedora-directory-users] Sort Objects problem in Directory Server Console
In-Reply-To:
References:
Message-ID: <457DAEB0.4030405@redhat.com>

Renato Ribeiro da Silva wrote:
> Ok,
> But when I use the ldapsearch command it works successfully.
> ( ./ldapsearch -b objectclass=* -h -S uid )
> The problem is that I really need to use Personal IDs to identify users on
> the network. It's not allowed to use another kind of identification.
> Is there any configuration that I can change to sort the users correctly?
>
In what way does it fail in the console?

--
Pete

From listman at nerdherdclan.com Tue Dec 12 04:54:52 2006
From: listman at nerdherdclan.com (listman)
Date: Mon, 11 Dec 2006 20:54:52 -0800 (PST)
Subject: [Fedora-directory-users] FDS and samba
Message-ID: <2726.67.181.252.39.1165899292.squirrel@www.depfyffer.com>

I've gone over a fair share of docs that showed up on google and keep
coming back to http://directory.fedora.redhat.com/wiki/Howto:Samba
Mainly because it doesn't involve the console. I've checked it out a few
times and added a few users with it but what I really want is a
windows/linux pdc and found myself just lost.

I checked out http://www.linux.com/article.pl?sid=06/11/28/2019258 but it
doesn't really go into depth on setting up samba.

So my actual question is, I follow
http://directory.fedora.redhat.com/wiki/Howto:Samba to a tee and when I
get to

/opt/fedora-ds/slapd-/ldif2ldap "cn=Directory manager" password /tmp/sambaGroups.ldif

I get

ldap_add: No such object
ldap_add: matched : dc=localdomain

I assumed dc=localhost was missing so I changed user directory subtree:
from dc=localdomain to dc=localhost,dc=localdomain

But I still get the same error. I thought maybe I could ignore it so I
continue and type

net groupmap add rid=512 ntgroup='Domain Admins' unixgroup='Domain Admins'

And get "Can't lookup UNIX group Domain Admins"

Do I just need to add the unix group before I run this? Or do I have other
problems?

If there is anything else I can provide to help me figure this out just
let me know.
Oh and yes, this is my first encounter with FDS.

Thanks for any input

From capareci at uol.com.br Tue Dec 12 10:12:08 2006
From: capareci at uol.com.br (Renato Ribeiro da Silva)
Date: Tue, 12 Dec 2006 08:12:08 -0200
Subject: [Fedora-directory-users] Sort Objects problem in Directory Server Console
Message-ID:

I've made more tests with the Console and the problem is not related to
using numbers in the attribute uid. Sorry.

The problem is that when I click on "sort objects" the console doesn't sort
by "uid" but by the "cn" attribute. I need to sort by the uid attribute.

Thanks,
Renato.

> Renato Ribeiro da Silva wrote:
> > Ok,
> > But when I use the ldapsearch command it works successfully.
> > ( ./ldapsearch -b objectclass=* -h -S uid )
> > The problem is that I really need to use Personal IDs to identify users
> > on the network. It's not allowed to use another kind of identification.
> > Is there any configuration that I can change to sort the users correctly?
> >
> In what way does it fail in the console?
>
> --
> Pete

From rmeggins at redhat.com Tue Dec 12 15:14:07 2006
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 12 Dec 2006 07:14:07 -0800
Subject: [Fedora-directory-users] Sort Objects problem in Directory Server Console
In-Reply-To:
References:
Message-ID: <457EC73F.6040101@redhat.com>

Renato Ribeiro da Silva wrote:
> I've made more tests with the Console and the problem is not related to
> using numbers in the attribute uid. Sorry.
> The problem is that when I click on "sort objects" the console doesn't sort
> by "uid" but by the "cn" attribute. I need to sort by the uid attribute.
>
That's a missing feature in the console - it can only sort by cn.

> Thanks,
> Renato.
>
>> Renato Ribeiro da Silva wrote:
>>
>>> Ok,
>>> But when I use the ldapsearch command it works successfully.
>>> ( ./ldapsearch -b objectclass=* -h -S uid )
>>> The problem is that I really need to use Personal IDs to identify users
>>> on the network. It's not allowed to use another kind of identification.
>>> Is there any configuration that I can change to sort the users correctly?
>>>
>> In what way does it fail in the console?
>>
>> --
>> Pete
>>

From dtimms at iinet.net.au Tue Dec 12 22:40:30 2006
From: dtimms at iinet.net.au (David Timms)
Date: Wed, 13 Dec 2006 09:40:30 +1100
Subject: [Fedora-directory-users] Sort Objects problem in Directory Server Console
In-Reply-To: <457EC73F.6040101@redhat.com>
References: <457EC73F.6040101@redhat.com>
Message-ID: <457F2FDE.1060108@iinet.net.au>

Rich Megginson wrote:
> Renato Ribeiro da Silva wrote:
>> I've made more tests with the Console and the problem is not related
>> to using numbers in the attribute uid. Sorry.
>> The problem is that when I click on "sort objects" the console doesn't
>> sort by "uid" but by the "cn" attribute. I need to sort by the uid attribute.
>>
> That's a missing feature in the console - it can only sort by cn.

A workaround might be to try ldapbrowser to view the FDS contents?
http://www-unix.mcs.anl.gov/~gawor/ldap/index.html

In my openldap, I can sort the entries by the user's name, but again, it is
probably actually by cn with the cn being username and full name.

DaveT.

From taymour.elerian at tedata.net Wed Dec 13 08:52:10 2006
From: taymour.elerian at tedata.net (Taymour A. El Erian)
Date: Wed, 13 Dec 2006 10:52:10 +0200
Subject: [Fedora-directory-users] ACL migration from OpenLDAP to FDS
Message-ID: <457FBF3A.4010308@tedata.net>

Hi,

We have an OpenLDAP installation which runs Qmail, Horde/IMP and FreeRADIUS.
We are looking into moving to FDS and have converted the schemas and
populated the database with sample entries.
The problem is I do not know how to migrate the current ACLs in the OpenLDAP configuration files (we use OpenLDAP 2.0.x).

--
Taymour A El Erian
System Division Manager
RHCE, LPIC, CCNA, MCSE, CNA
TE Data
E-mail: taymour.elerian at tedata.net
Web: www.tedata.net
Tel: +(202)-3320700
Fax: +(202)-3320800
Ext: 1101

From ankur_agwal at yahoo.com Wed Dec 13 19:20:27 2006
From: ankur_agwal at yahoo.com (Ankur Agarwal)
Date: Wed, 13 Dec 2006 11:20:27 -0800 (PST)
Subject: [Fedora-directory-users] Extending inetOrgPerson Class
Message-ID: <20061213192027.23749.qmail@web54106.mail.yahoo.com>

Hi,

I want to add some attributes to my users, hence I want to extend the inetOrgPerson class. I have a few questions related to that:

1) I am able to add attributes and create a new class extending inetOrgPerson using the Red Hat directory console. But if I want to move these changes to another environment, do I need to use the console only to make the changes manually? How can I export this new class and attributes and import them on the target environment?

2) If there is an optional attribute in inetOrgPerson that I want to make mandatory, how can I do that?

3) How can I export my new ou and import it to the target env?

I have looked at the dsadm pdf documentation and could not find any way to move changes using scripts/ldif files. Please help me here.

Thanks,
From gholbert at broadcom.com Wed Dec 13 19:32:05 2006
From: gholbert at broadcom.com (George Holbert)
Date: Wed, 13 Dec 2006 11:32:05 -0800
Subject: [Fedora-directory-users] Extending inetOrgPerson Class
In-Reply-To: <20061213192027.23749.qmail@web54106.mail.yahoo.com>
References: <20061213192027.23749.qmail@web54106.mail.yahoo.com>
Message-ID: <45805535.80904@broadcom.com>

Hi Ankur,

Try these:
http://www.redhat.com/docs/manuals/dir-server/schema/7.1/schemaTOC.html
http://www.redhat.com/docs/manuals/dir-server/deploy/7.1/schema.html

All schema changes you make through the console or via LDAP modifications to cn=schema end up in serverRoot/slapd-serverID/config/schema/99user.ldif (so named because it stores user-defined schema).

Alternatively, you can define schema in other LDIF files, and manually copy them to serverRoot/slapd-serverID/config/schema.

See the docs at the links above for more details.

-- George

Ankur Agarwal wrote:
> Hi,
>
> I want to add some attributes to my users, hence I want to extend the
> inetOrgPerson class. I have a few questions related to that:
>
> 1) I am able to add attributes and create a new class extending
> inetOrgPerson using the Red Hat directory console. But if I want to move
> these changes to another environment, do I need to use the console only to
> make the changes manually? How can I export this new class and attributes
> and import them on the target environment?
>
> 2) If there is an optional attribute in inetOrgPerson that I want to
> make mandatory, how can I do that?
>
> 3) How can I export my new ou and import it to the target env?
>
> I have looked at the dsadm pdf documentation and could not find any way
> to move changes using scripts/ldif files. Please help me here.
>
> Thanks,
From kj6loh at yahoo.com Thu Dec 14 19:47:28 2006
From: kj6loh at yahoo.com (Jonathan Loh)
Date: Thu, 14 Dec 2006 11:47:28 -0800 (PST)
Subject: [Fedora-directory-users] FDS newbie
Message-ID: <20061214194729.86473.qmail@web50914.mail.yahoo.com>

So I've decided to learn FDS by doing. But am running into trouble. I can't log in to the console.

Here's what I've done so far:

I'm running FC3.
I have 1.5GB disk space which should not be a problem since it's about 200M per user and there's just one user.
I also have 512M of Ram.
I'm running the 2.6.12-1.1381 version of the kernel.
installed j2sdk 1.4.2-13
made the kernel and other fs tweaks listed on the directory.fedora.redhat.com site.
installed fedora-ds 1.0.4

So I did the startconsole thing and couldn't login. The password was even copy and pasted from /opt/fedora-ds/setup/myinstall.inf!

nmap originally found my admin port when run within minutes of my initial setup but 10-15 mins later the admin port was gone.

I tried running setup/setup again and this time it did give me some errors. But there are none in the errors or access log. Below is the edited output of my last setup command.

-----------------------------------------------

In order to reconfigure your installation, the Configuration Directory Administrator password is required. Here is your current information:

Configuration Directory: ldap://.:/o=NetscapeRoot
Configuration Administrator ID: admin

At the prompt, please enter the password for the Configuration Administrator.

administrator ID: admin
Password:
Converting slapd- to new format password file . . .
Copying new schema ldiffiles . . .
Starting slapd- . . .

NMC_ErrInfo:
NMC_STATUS: -2

Start Slapd Starting Slapd server reconfiguration.
Info Slapd No old nsperl references found
Configuring Administration Server...
InstallInfo: Apache Directory "ApacheDir" is missing.

You can now use the console. Here is the command to use to start the console:
cd /opt/fedora-ds
./startconsole -u admin -a http://:/

INFO Finished with setup, logfile is setup/setup.log
----------------------------------------------

Any ideas?

From wdtj at yahoo.com Thu Dec 14 20:21:06 2006
From: wdtj at yahoo.com (Wayne Johnson)
Date: Thu, 14 Dec 2006 12:21:06 -0800 (PST)
Subject: [Fedora-directory-users] Using FDS to replace ActiveDirectory
Message-ID: <373381.55309.qm@web53811.mail.yahoo.com>

I've tried to research this but have been coming up relatively empty, so any references and examples you can give would be appreciated. I've used LDAP but not in this context.

We have a network at our school of various Fedora Core servers and Windows desktops. We'd like to create a homogeneous login system. Fedora can use LDAP of course, but what about Windows? I know ActiveDirectory runs an LDAP server, but can we use FDS as a replacement for AD so that the Windows98 and XP machines we have will use FDS for authentication? Will FDS also do the various other AD functions (like Outlook addresses, etc)?

Thanks.

---
Wayne Johnson,             | There are two kinds of people: Those
3943 Penn Ave. N.          | who say to God, "Thy will be done,"
Minneapolis, MN 55412-1908 | and those to whom God says, "All right,
(612) 522-7003             | then, have it your way." --C.S. Lewis
From davea at support.kcm.org Thu Dec 14 22:25:36 2006
From: davea at support.kcm.org (Dave Augustus)
Date: Thu, 14 Dec 2006 16:25:36 -0600
Subject: [Fedora-directory-users] User is locked out- ERR 3 LDAP TIMELIMIT EXCEEDED
Message-ID: <1166135136.32468.7.camel@kcm40202.kcmhq.org>

I have a check script running on 2 servers. One of them is failing. The logs are stating this:

RESULT err=3 tag=101 nentries=0 etime=0

Why?

How can I fix this?

TIA,
Dave

From ando at sys-net.it Thu Dec 14 22:54:37 2006
From: ando at sys-net.it (Pierangelo Masarati)
Date: Thu, 14 Dec 2006 23:54:37 +0100
Subject: [Fedora-directory-users] User is locked out- ERR 3 LDAP TIMELIMIT EXCEEDED
In-Reply-To: <1166135136.32468.7.camel@kcm40202.kcmhq.org>
References: <1166135136.32468.7.camel@kcm40202.kcmhq.org>
Message-ID: <4581D62D.4050601@sys-net.it>

Dave Augustus wrote:
> I have a check script running on 2 servers. One of them is failing. The
> logs are stating this:
>
> RESULT err=3 tag=101 nentries=0 etime=0
>
> Why?
>
(server-enforced?) time limit is being exceeded (err=3)
> How can I fix this?
>
You don't provide enough info to understand why the server is going into timelimit without returning a single entry and with what appears to be zero elapsed time (etime=0).

p.

From davea at support.kcm.org Thu Dec 14 23:12:31 2006
From: davea at support.kcm.org (Dave Augustus)
Date: Thu, 14 Dec 2006 17:12:31 -0600
Subject: [Fedora-directory-users] User is locked out- ERR 3 LDAP TIMELIMIT EXCEEDED
In-Reply-To: <4581D62D.4050601@sys-net.it>
References: <1166135136.32468.7.camel@kcm40202.kcmhq.org> <4581D62D.4050601@sys-net.it>
Message-ID: <1166137951.32468.20.camel@kcm40202.kcmhq.org>

Sorry! (Let me get my head out of the sand)

I use a check script called ldap.monitor. It comes with mon, a monitoring package written in perl.

The script just binds and checks that a certain attribute exists and is a certain value.
Here is an example:

monitor ldap.monitor \
  --username "uid=mscript,ou=Special Users,dc=hq,dc=org" \
  --password "12345678" \
  --basedn "uid=mscript,ou=Special Users,dc=hq,dc=org" \
  --filter "uid=*" \
  --attribute "uid" \
  --value "mscript" \
  192.168.16.10

I use this on BOTH of my servers. The other day I attempted to delete a lot of objects (>10,000) as the admin user from my ou=people leaf and then my admin account was locked out with this SAME error.

Then my script started failing. I ended up having to login as Directory Manager to complete the deletion.

So my script now fails and neither my admin account (admin) nor my script account (mscript) can login successfully.

The log entries are the same:

"RESULT err=3 tag=101 nentries=0 etime=0"

All that is happening is that the script is checking to see if an attribute is the right value. The script can't login and therefore fails the *check*.

I have restarted the server several times.

Thanks for your time,

Dave

On Thu, 2006-12-14 at 23:54 +0100, Pierangelo Masarati wrote:
> Dave Augustus wrote:
> > I have a check script running on 2 servers. One of them is failing. The
> > logs are stating this:
> >
> > RESULT err=3 tag=101 nentries=0 etime=0
> >
> > Why?
> >
> (server-enforced?) time limit is being exceeded (err=3)
> > How can I fix this?
> >
> You don't provide enough info to understand why the server is going into
> timelimit without returning a single entry and with what appears to be
> zero elapsed time (etime=0).
>
> p.
From craigwhite at azapple.com Fri Dec 15 01:14:04 2006
From: craigwhite at azapple.com (Craig White)
Date: Thu, 14 Dec 2006 18:14:04 -0700
Subject: [Fedora-directory-users] Using FDS to replace ActiveDirectory
In-Reply-To: <373381.55309.qm@web53811.mail.yahoo.com>
References: <373381.55309.qm@web53811.mail.yahoo.com>
Message-ID: <1166145244.11266.3.camel@lin-workstation.azapple.com>

On Thu, 2006-12-14 at 12:21 -0800, Wayne Johnson wrote:
> I've tried to research this but have been coming up relatively empty, so
> any references and examples you can give would be appreciated. I've
> used LDAP but not in this context.
>
> We have a network at our school of various Fedora Core servers and
> Windows desktops. We'd like to create a homogeneous login system.
> Fedora can use LDAP of course, but what about Windows? I know
> ActiveDirectory runs an LDAP server, but can we use FDS as a
> replacement for AD so that the Windows98 and XP machines we have will
> use FDS for authentication? Will FDS also do the various other AD
> functions (like Outlook addresses, etc)?
----
Samba can provide login/domain controller functions for Windows networking but on a level of NT Server, and use FDS as the authentication backend - thus your Windows desktop systems can authenticate, get roaming profiles and some level of policy management.

FDS can be configured as a datastore for shared & personal addressbooks as well without much difficulty.

Probably best to start with the samba documentation - http://www.samba.org/samba/docs but by design, LDAP implementation is up to the system administrators and there is no one way to do things.

Craig

From srigler at marathonoil.com Thu Dec 14 15:32:16 2006
From: srigler at marathonoil.com (Stephen C.
Rigler)
Date: Thu, 14 Dec 2006 09:32:16 -0600
Subject: [Fedora-directory-users] Password Policy Question
Message-ID: <1166110336.4527.22.camel@houuc8>

Is it possible to specify different types of password encryption on a subtree level from that which is specified in the global policy? Using 1.0.4, it seems that if I specify "crypt" on the global level, specifying "sha" on a subtree level has no effect on the hashing algorithm used on that subtree.

Thanks,
Steve

From rmeggins at redhat.com Fri Dec 15 16:39:52 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 15 Dec 2006 09:39:52 -0700
Subject: [Fedora-directory-users] User is locked out- ERR 3 LDAP TIMELIMIT EXCEEDED
In-Reply-To: <1166137951.32468.20.camel@kcm40202.kcmhq.org>
References: <1166135136.32468.7.camel@kcm40202.kcmhq.org> <4581D62D.4050601@sys-net.it> <1166137951.32468.20.camel@kcm40202.kcmhq.org>
Message-ID: <4582CFD8.9040406@redhat.com>

Dave Augustus wrote:
> Sorry! (Let me get my head out of the sand)
>
> I use a check script called ldap.monitor. It comes with mon, a
> monitoring package written in perl.
>
> The script just binds and checks that a certain attribute exists and is
> a certain value. Here is an example:
>
> monitor ldap.monitor \
>   --username "uid=mscript,ou=Special Users,dc=hq,dc=org" \
>   --password "12345678" \
>   --basedn "uid=mscript,ou=Special Users,dc=hq,dc=org" \
>   --filter "uid=*" \
>
This seems bad to use this filter if the search is using scope SUBTREE. It doesn't appear to be the case here, but you might want to check and make sure.
>   --attribute "uid" \
>   --value "mscript" \
>   192.168.16.10
>
> I use this on BOTH of my servers. The other day I attempted to delete
> a lot of objects (>10,000) as the admin user from my ou=people leaf and
> then my admin account was locked out with this SAME error.
>
> Then my script started failing. I ended up having to login as Directory
> Manager to complete the deletion.
>
> So my script now fails and neither my admin account (admin) nor my
> script account (mscript) can login successfully.
>
> The log entries are the same:
>
> "RESULT err=3 tag=101 nentries=0 etime=0"
>
> All that is happening is that the script is checking to see if an
> attribute is the right value. The script can't login and therefore fails
> the *check*.
>
> I have restarted the server several times.
>
If the script is really just doing a BASE level search, I don't see how this can happen. You can raise the search limits on a per user/role basis - see http://www.redhat.com/docs/manuals/dir-server/ag/7.1/password.html#1085603
> Thanks for your time,
>
> Dave
>
> On Thu, 2006-12-14 at 23:54 +0100, Pierangelo Masarati wrote:
>
>> Dave Augustus wrote:
>>
>>> I have a check script running on 2 servers. One of them is failing. The
>>> logs are stating this:
>>>
>>> RESULT err=3 tag=101 nentries=0 etime=0
>>>
>>> Why?
>>>
>>>
>> (server-enforced?) time limit is being exceeded (err=3)
>>
>>> How can I fix this?
>>>
>>>
>> You don't provide enough info to understand why the server is going into
>> timelimit without returning a single entry and with what appears to be
>> zero elapsed time (etime=0).
>>
>> p.
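One way to spot the pattern discussed in this thread in the access log, as an added example that is not part of the list posts nor of mon's ldap.monitor: a Python script that pairs each SRCH with its RESULT by conn/op and reports searches that ended with err=3, separating a base-scope search that fails with etime=0 (which points at a per-account limit such as the nsTimeLimit attribute mentioned later in the thread rather than at load) from a broad subtree search that genuinely ran long. The log lines, connection numbers and DNs below are constructed in the format quoted on this page.

```python
"""Pair SRCH requests with their RESULT lines in a Fedora/389 Directory
Server access log and report searches that ended with err=3
(timeLimitExceeded). Added example for this page; the sample log below is
constructed, not taken from any poster's server."""
import re

# Result codes seen on this page plus a few common ones (LDAP resultCode values).
LDAP_RESULT_NAMES = {
    0: "success",
    3: "timeLimitExceeded",
    4: "sizeLimitExceeded",
    32: "noSuchObject",
    49: "invalidCredentials",
}
SCOPE_NAMES = {0: "base", 1: "onelevel", 2: "subtree"}

# Constructed sample in the access-log format quoted in this thread.
SAMPLE_ACCESS_LOG = """\
[15/Dec/2006:10:39:59 -0800] conn=0 op=15 SRCH base="o=NetscapeRoot" scope=0 filter="(objectClass=*)" attrs=ALL
[15/Dec/2006:10:39:59 -0800] conn=0 op=15 RESULT err=32 tag=101 nentries=0 etime=0
[15/Dec/2006:10:40:01 -0800] conn=7 op=0 BIND dn="uid=mscript,ou=Special Users,dc=hq,dc=org" method=128 version=3
[15/Dec/2006:10:40:01 -0800] conn=7 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[15/Dec/2006:10:40:01 -0800] conn=7 op=1 SRCH base="uid=mscript,ou=Special Users,dc=hq,dc=org" scope=0 filter="(uid=*)" attrs="uid"
[15/Dec/2006:10:40:01 -0800] conn=7 op=1 RESULT err=3 tag=101 nentries=0 etime=0
[15/Dec/2006:10:40:05 -0800] conn=8 op=1 SRCH base="ou=people,dc=hq,dc=org" scope=2 filter="(uid=*)" attrs="uid"
[15/Dec/2006:10:40:35 -0800] conn=8 op=1 RESULT err=3 tag=101 nentries=2000 etime=30
"""

# Every operation line starts with a timestamp, the connection and the operation number.
_PREFIX = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<rest>.*)$')
_SRCH = re.compile(r'^SRCH base="(?P<base>[^"]*)" scope=(?P<scope>[012]) filter="(?P<filter>[^"]*)"')
_RESULT = re.compile(r'^RESULT err=(?P<err>\d+) tag=(?P<tag>\d+) nentries=(?P<nentries>\d+) etime=(?P<etime>\d+)')


def parse_access_log(text):
    """Return one dict per SRCH that received a RESULT, in log order."""
    pending = {}    # (conn, op) -> search details still waiting for a RESULT
    completed = []
    for line in text.splitlines():
        m = _PREFIX.match(line)
        if not m:
            continue    # not an operation line (banner, blank, etc.)
        key = (int(m.group("conn")), int(m.group("op")))
        rest = m.group("rest")
        s = _SRCH.match(rest)
        if s:
            pending[key] = {
                "conn": key[0], "op": key[1], "time": m.group("ts"),
                "base": s.group("base"), "scope": int(s.group("scope")),
                "filter": s.group("filter"),
            }
            continue
        r = _RESULT.match(rest)
        if r and key in pending:    # RESULT for a BIND/ADD we did not track is ignored
            entry = pending.pop(key)
            entry.update({
                "err": int(r.group("err")),
                "nentries": int(r.group("nentries")),
                "etime": int(r.group("etime")),
            })
            completed.append(entry)
    return completed


def classify(search):
    """Describe one completed search the way an operator reading the log would."""
    err = search["err"]
    name = LDAP_RESULT_NAMES.get(err, "err=%d" % err)
    scope = SCOPE_NAMES[search["scope"]]
    if err == 3 and search["scope"] == 0 and search["etime"] == 0:
        # A single-entry base search cannot genuinely run out of time: this
        # pattern points at the bind account's own limits, not at server load.
        return "%s on a %s search with etime=0: check the bind account's search limits" % (name, scope)
    if err == 3:
        return "%s on a %s search under %s: narrow the filter or raise the limit" % (name, scope, search["base"])
    if err == 0:
        return "ok (%d entries, %ss)" % (search["nentries"], search["etime"])
    return "%s on a %s search under %s" % (name, scope, search["base"])


def time_limit_hits(text):
    """Return (conn, op, scope name) for every search that ended with err=3."""
    return [(s["conn"], s["op"], SCOPE_NAMES[s["scope"]])
            for s in parse_access_log(text) if s["err"] == 3]


if __name__ == "__main__":
    for s in parse_access_log(SAMPLE_ACCESS_LOG):
        print("conn=%d op=%d %s" % (s["conn"], s["op"], classify(s)))
```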
From nkinder at redhat.com Fri Dec 15 16:43:00 2006
From: nkinder at redhat.com (Nathan Kinder)
Date: Fri, 15 Dec 2006 08:43:00 -0800
Subject: [Fedora-directory-users] Password Policy Question
In-Reply-To: <1166110336.4527.22.camel@houuc8>
References: <1166110336.4527.22.camel@houuc8>
Message-ID: <4582D094.7010608@redhat.com>

Stephen C. Rigler wrote:
> Is it possible to specify different types of password encryption on a
> subtree level from that which is specified in the global policy?
> Using 1.0.4, it seems that if I specify "crypt" on the global level,
> specifying "sha" on a subtree level has no effect on the hashing
> algorithm used on that subtree.
>
There is a bug open on this issue. We plan to address it in the next release.
> Thanks,
> Steve

From rmeggins at redhat.com Fri Dec 15 16:42:06 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 15 Dec 2006 09:42:06 -0700
Subject: [Fedora-directory-users] FDS newbie
In-Reply-To: <20061214194729.86473.qmail@web50914.mail.yahoo.com>
References: <20061214194729.86473.qmail@web50914.mail.yahoo.com>
Message-ID: <4582D05E.8090408@redhat.com>

Jonathan Loh wrote:
> So I've decided to learn FDS by doing. But am running into trouble.
> I can't log in to the console.
>
> Here's what I've done so far:
>
> I'm running FC3.
> I have 1.5GB disk space which should not be a problem since it's about 200M per
> user and there's just one user.
> I also have 512M of Ram.
> I'm running the 2.6.12-1.1381 version of the kernel.
> installed j2sdk 1.4.2-13
> made the kernel and other fs tweaks listed on the directory.fedora.redhat.com
> site.
> installed fedora-ds 1.0.4
>
> So I did the startconsole thing and couldn't login. The password was even copy
> and pasted from /opt/fedora-ds/setup/myinstall.inf!
>
> nmap originally found my admin port when run within minutes of my initial setup
> but 10-15 mins later the admin port was gone.
>
> I tried running setup/setup again and this time it did give me some errors.
> But there are none in the errors or access log. Below is the edited output of
> my last setup command.
>
> -----------------------------------------------
>
> In order to reconfigure your installation, the Configuration Directory
> Administrator password is required. Here is your current information:
>
> Configuration Directory: ldap://.:/o=NetscapeRoot
> Configuration Administrator ID: admin
>
> At the prompt, please enter the password for the Configuration Administrator.
>
> administrator ID: admin
> Password:
> Converting slapd- to new format password file . . .
> Copying new schema ldiffiles . . .
> Starting slapd- . . .
>
> NMC_ErrInfo:
> NMC_STATUS: -2
>
> Start Slapd Starting Slapd server reconfiguration.
> Info Slapd No old nsperl references found
> Configuring Administration Server...
> InstallInfo: Apache Directory "ApacheDir" is missing.
>
> You can now use the console. Here is the command to use to start the console:
> cd /opt/fedora-ds
> ./startconsole -u admin -a http://:/
>
> INFO Finished with setup, logfile is setup/setup.log
> ----------------------------------------------
> Any ideas?
>
Please post your admin server access and error log files, and the output of startconsole -D
From srigler at marathonoil.com Fri Dec 15 16:57:32 2006
From: srigler at marathonoil.com (Stephen C. Rigler)
Date: Fri, 15 Dec 2006 10:57:32 -0600
Subject: [Fedora-directory-users] Password Policy Question
In-Reply-To: <4582D094.7010608@redhat.com>
References: <1166110336.4527.22.camel@houuc8> <4582D094.7010608@redhat.com>
Message-ID: <1166201852.17095.6.camel@houuc8>

On Fri, 2006-12-15 at 08:43 -0800, Nathan Kinder wrote:
> Stephen C. Rigler wrote:
> > Is it possible to specify different types of password encryption on a
> > subtree level from that which is specified in the global policy?
> > Using 1.0.4, it seems that if I specify "crypt" on the global level,
> > specifying "sha" on a subtree level has no effect on the hashing
> > algorithm used on that subtree.
> >
> There is a bug open on this issue. We plan to address it in the next
> release.
Thanks, Nathan. Any word on the timing for the next release?

-Steve

From davea at support.kcm.org Fri Dec 15 17:54:06 2006
From: davea at support.kcm.org (Dave Augustus)
Date: Fri, 15 Dec 2006 11:54:06 -0600
Subject: [Fedora-directory-users] User is locked out- ERR 3 LDAP TIMELIMIT EXCEEDED
In-Reply-To: <4582CFD8.9040406@redhat.com>
References: <1166135136.32468.7.camel@kcm40202.kcmhq.org> <4581D62D.4050601@sys-net.it> <1166137951.32468.20.camel@kcm40202.kcmhq.org> <4582CFD8.9040406@redhat.com>
Message-ID: <1166205246.4061.10.camel@kcm40202.kcmhq.org>

Thanks,

I added an attribute, "nstimelimit=-1", to the user mscript and all is well. However, I did it from another server that it is set up with in a MM configuration.
The replication occurred and the lockout stopped.

Some background: This script does checks every 30 seconds. Having this occur so often is necessary because this DS is behind a load balancer and the results of the script update the load balancer with its status. If the script fails, the server is taken out of the load balancer.

Another Question: This got me to think about applying this attribute at the OU level, instead of on each UID. Will that apply to ALL users in that OU?

Thanks,
Dave

From kj6loh at yahoo.com Fri Dec 15 19:32:02 2006
From: kj6loh at yahoo.com (Jonathan Loh)
Date: Fri, 15 Dec 2006 11:32:02 -0800 (PST)
Subject: [Fedora-directory-users] Re: Fedora-directory-users Digest, Vol 19, Issue 17
In-Reply-To: <20061215170007.35A7D73423@hormel.redhat.com>
Message-ID: <20061215193202.46177.qmail@web50901.mail.yahoo.com>

Richard wrote:
>Please post your admin server access and error log files, and the output
>of startconsole -D

Did you want the whole access log? Pretty big. 727 lines in ~40 mins.

Though now I'm noticing a bunch of lines with err=32. Here's a snippet:

> [15/Dec/2006:10:39:59 -0800] conn=0 op=15 SRCH base="o=NetscapeRoot" scope=0 filter="(objectClass=*)" attrs=ALL
> [15/Dec/2006:10:39:59 -0800] conn=0 op=14 RESULT err=0 tag=103 nentries=0 etime=0
> [15/Dec/2006:10:39:59 -0800] conn=0 op=15 RESULT err=32 tag=101 nentries=0 etime=0
> [15/Dec/2006:10:39:59 -0800] conn=0 op=16 ADD dn="o=NetscapeRoot"
> [15/Dec/2006:10:39:59 -0800] conn=0 op=16 RESULT err=0 tag=105 nentries=0 etime=0

Here's my errors file:

> Fedora-Directory/1.0.4 B2006.312.435
> alphascorp.lchq.us:389 (/opt/fedora-ds/slapd-alphascorp)
> [15/Dec/2006:10:39:57 -0800] - Fedora-Directory/1.0.4 B2006.312.435 starting up
> [15/Dec/2006:10:39:58 -0800] - slapd started. Listening on All Interfaces port 389 for LDAP requests

That's it, nothing much.
From rmeggins at redhat.com Fri Dec 15 19:46:35 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 15 Dec 2006 12:46:35 -0700
Subject: [Fedora-directory-users] Re: Fedora-directory-users Digest, Vol 19, Issue 17
In-Reply-To: <20061215193202.46177.qmail@web50901.mail.yahoo.com>
References: <20061215193202.46177.qmail@web50901.mail.yahoo.com>
Message-ID: <4582FB9B.2090709@redhat.com>

Jonathan Loh wrote:
> Richard wrote:
>
>> Please post your admin server access and error log files, and the output
>> of startconsole -D
>>
>
> Did you want the whole access log? Pretty big.
> 727 lines in ~40 mins.
>
> Though now I'm noticing a bunch of lines with err=32. Here's a snippet:
>
That's just the operations that occur during setup. No problems there.
>> [15/Dec/2006:10:39:59 -0800] conn=0 op=15 SRCH base="o=NetscapeRoot" scope=0 filter="(objectClass=*)" attrs=ALL
>> [15/Dec/2006:10:39:59 -0800] conn=0 op=14 RESULT err=0 tag=103 nentries=0 etime=0
>> [15/Dec/2006:10:39:59 -0800] conn=0 op=15 RESULT err=32 tag=101 nentries=0 etime=0
>> [15/Dec/2006:10:39:59 -0800] conn=0 op=16 ADD dn="o=NetscapeRoot"
>> [15/Dec/2006:10:39:59 -0800] conn=0 op=16 RESULT err=0 tag=105 nentries=0 etime=0
>
> Here's my errors file:
>
>> Fedora-Directory/1.0.4 B2006.312.435
>> alphascorp.lchq.us:389 (/opt/fedora-ds/slapd-alphascorp)
>> [15/Dec/2006:10:39:57 -0800] - Fedora-Directory/1.0.4 B2006.312.435 starting up
>> [15/Dec/2006:10:39:58 -0800] - slapd started. Listening on All Interfaces port 389 for LDAP requests
>
> That's it, nothing much.
>
Actually, I was interested in your admin server access and error logs - admin-serv/logs
From ehall at ehsco.com Fri Dec 15 22:42:54 2006
From: ehall at ehsco.com (Eric A. Hall)
Date: Fri, 15 Dec 2006 17:42:54 -0500 (EST)
Subject: [Fedora-directory-users] make dies with NSS problems
Message-ID: <54021.72.75.8.73.1166222574.squirrel@www.ehsco.com>

Trying to build fds104 and NSS produces pages of errors. At the end of it all is the following:

mod_nss.c:434: error: expected '{' at end of input
make[2]: *** [mod_nss.lo] Error 1
make[2]: Leaving directory `/tmp/dsbuild-fds104/ds/mod_nss/work/mod_nss-1.0.5'
make[1]: *** [build-work/mod_nss-1.0.5/Makefile] Error 2
make[1]: Leaving directory `/tmp/dsbuild-fds104/ds/mod_nss'
make: *** [dep-../../ds/mod_nss] Error 2

Is this a known problem in the current release? Any workarounds?

Thanks

From rmeggins at redhat.com Fri Dec 15 23:15:23 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 15 Dec 2006 16:15:23 -0700
Subject: [Fedora-directory-users] make dies with NSS problems
In-Reply-To: <54021.72.75.8.73.1166222574.squirrel@www.ehsco.com>
References: <54021.72.75.8.73.1166222574.squirrel@www.ehsco.com>
Message-ID: <45832C8B.6070002@redhat.com>

Eric A. Hall wrote:
> Trying to build fds104 and NSS produces pages of errors. At the end of it
> all is the following:
>
What is your OS and version? Do you have httpd, httpd-devel, apr, and apr-devel installed? What is the output of /usr/sbin/httpd.worker -V?
> mod_nss.c:434: error: expected '{' at end of input
> make[2]: *** [mod_nss.lo] Error 1
> make[2]: Leaving directory
> `/tmp/dsbuild-fds104/ds/mod_nss/work/mod_nss-1.0.5'
> make[1]: *** [build-work/mod_nss-1.0.5/Makefile] Error 2
> make[1]: Leaving directory `/tmp/dsbuild-fds104/ds/mod_nss'
> make: *** [dep-../../ds/mod_nss] Error 2
>
> Is this a known problem in the current release? Any workarounds?
>
> Thanks

From edlinuxguru at gmail.com Fri Dec 15 23:29:44 2006
From: edlinuxguru at gmail.com (Eddie C)
Date: Fri, 15 Dec 2006 18:29:44 -0500
Subject: [Fedora-directory-users] Migration from i-planet 52
Message-ID:

I recently did an ldif backup of our iplanet 52 database. It's about an 88 MB ldif file.
I took this to a new FDS server: Dell 850, 3 GHz dual core, 2 SATA hard disks.
I ran an ldapadd; the data imported perfectly.
Then I tried to cut over some systems and give the database some load.

System went 200% processor.

Eventually I realized I was missing indexes so I added them through the graphical tool.

The log seemed to do something like this:
generating index 1%
generating index 2%
....
generating index 49%
Done

Seemed weird that they would jump from 49% to Done.
At this point the new system was running at 100% processor.
But the queries are running faster on our old 440 MHz sparc t1 server52 database.

I ran
DB ERROR: db_verify: Page 30: out-of-order key at entry 498
DB ERROR: db_verify: DB->verify: db/o_com/channelcontentowner.db4: DB_VERIFY_BAD: Database verification failed

then I tried db2_index. The program seemed to be in a tight loop complaining about 1 missing entry.
I do not realize how the data can be so corrupted right after an import.

These are somewhat generic symptoms. Any ideas? Thanks

From rmeggins at redhat.com Fri Dec 15 23:52:24 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 15 Dec 2006 16:52:24 -0700
Subject: [Fedora-directory-users] Migration from i-planet 52
In-Reply-To:
References:
Message-ID: <45833538.3060301@redhat.com>

Eddie C wrote:
> I recently did an ldif backup of our iplanet 52 database. It's about an
> 88 MB ldif file.
> I took this to a new FDS server: Dell 850, 3 GHz dual core, 2 SATA hard
> disks.
> I ran an ldapadd; the data imported perfectly.
> Then I tried to cut over some systems and give the database some load.
>
> System went 200% processor.
>
> Eventually I realized I was missing indexes so I added them through
> the graphical tool.
>
> The log seemed to do something like this:
> generating index 1%
> generating index 2%
> ....
> generating index 49%
> Done
> Seemed weird that they would jump from 49% to Done.
> At this point the new system was running at 100% processor.
> But the queries are running faster on our old 440 MHz sparc t1
> server52 database.
>
> I ran
> DB ERROR: db_verify: Page 30: out-of-order key at entry 498
> DB ERROR: db_verify: DB->verify: db/o_com/channelcontentowner.db4:
> DB_VERIFY_BAD: Database verification failed
>
> then I tried db2_index. The program seemed to be in a tight loop
> complaining about 1 missing entry.
>
> I do not realize how the data can be so corrupted right after an import.
>
> These are somewhat generic symptoms. Any ideas? Thanks
Try creating all of the required indexes first, then doing the import of your original LDIF. Not only will the import+index creation be much faster (than doing the import then creating the indexes one at a time), but I think your database corruption problems will vanish.
From listman at nerdherdclan.com Sat Dec 16 00:35:16 2006
From: listman at nerdherdclan.com (listman)
Date: Fri, 15 Dec 2006 16:35:16 -0800 (PST)
Subject: [Fedora-directory-users] can't lookup UNIX group Domain Admins
Message-ID: <1899.67.181.252.39.1166229316.squirrel@www.depfyffer.com>

Can someone please point me in the right direction to fix this? I've searched samba group and the only thing I can find is something about having the right scripts but they don't tell you where to get them or how to run them.
Any help would be greatly appreciated.

From craigwhite at azapple.com Sat Dec 16 00:54:00 2006
From: craigwhite at azapple.com (Craig White)
Date: Fri, 15 Dec 2006 17:54:00 -0700
Subject: [Fedora-directory-users] can't lookup UNIX group Domain Admins
In-Reply-To: <1899.67.181.252.39.1166229316.squirrel@www.depfyffer.com>
References: <1899.67.181.252.39.1166229316.squirrel@www.depfyffer.com>
Message-ID: <1166230440.24077.1.camel@lin-workstation.azapple.com>

On Fri, 2006-12-15 at 16:35 -0800, listman wrote:
> Can someone please point me in the right direction to fix this? I've
> searched samba group and the only thing I can find is something about
> having the right scripts but they don't tell you where to get them or how
> to run them.
> Any help would be greatly appreciated.
----
sounds like you are looking for smbldap-tools from idealx

Perhaps you are using packaging from a distribution that offers these tools or start here if that is indeed what you are looking for...
http://sourceforge.net/projects/smbldap-tools

Craig

From ehall at ehsco.com Sat Dec 16 01:44:36 2006
From: ehall at ehsco.com (Eric A. Hall)
Date: Fri, 15 Dec 2006 20:44:36 -0500
Subject: [Fedora-directory-users] Re: make dies with NSS problems
In-Reply-To: <54021.72.75.8.73.1166222574.squirrel@www.ehsco.com>
References: <54021.72.75.8.73.1166222574.squirrel@www.ehsco.com>
Message-ID: <45834F84.50304@ehsco.com>

Richard Megginson wrote:
>> Eric A. Hall wrote:
>>
>> Trying to build fds104 and NSS produces pages of errors. At the end of
>> it all is the following:

> What is your OS and version?

FC6 kernel-2.6.18-1.2849.fc6

> Do you have httpd, httpd-devel, apr, and apr-devel installed?

I have httpd, apr and apr-devel installed. Do I need httpd-devel?

> What is the output of /usr/sbin/httpd.worker -V?

[ 20:43:23 -- unassigned-12:/root/ ]
[ root# ] /usr/sbin/httpd.worker -V
Server version: Apache/2.2.3
Server built: Sep 11 2006 09:44:40
Server's Module Magic Number: 20051115:3
Server loaded: APR 1.2.7, APR-Util 1.2.7
Compiled using: APR 1.2.7, APR-Util 1.2.7
Architecture: 64-bit
Server MPM: Worker
 threaded: yes (fixed thread count)
 forked: yes (variable process count)
Server compiled with....
 -D APACHE_MPM_DIR="server/mpm/worker"
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=128
 -D HTTPD_ROOT="/etc/httpd"
 -D SUEXEC_BIN="/usr/sbin/suexec"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"

--
Eric A. Hall
http://www.ehsco.com/
Internet Core Protocols
http://www.oreilly.com/catalog/coreprot/

From listman at nerdherdclan.com Sat Dec 16 05:48:56 2006
From: listman at nerdherdclan.com (listman)
Date: Fri, 15 Dec 2006 21:48:56 -0800 (PST)
Subject: [Fedora-directory-users] can't lookup UNIX group Domain Admins
In-Reply-To: <1166230440.24077.1.camel@lin-workstation.azapple.com>
References: <1899.67.181.252.39.1166229316.squirrel@www.depfyffer.com> <1166230440.24077.1.camel@lin-workstation.azapple.com>
Message-ID: <2639.67.181.252.39.1166248136.squirrel@www.depfyffer.com>

> On Fri, 2006-12-15 at 16:35 -0800, listman wrote:
>> Can someone please point me in the right direction to fix this? I've
>> searched samba group and the only thing I can find is something about
>> having the right scripts but they don't tell you where to get them or
>> how
>> to run them.
>> Any help would be greatly appreciated.
> ----
> sounds like you are looking for smbldap-tools from idealx
>
> Perhaps you are using packaging from a distribution that offers these
> tools or start here if that is indeed what you are looking for...
>
> http://sourceforge.net/projects/smbldap-tools
>
> Craig
>
Thanks Craig
That does explain the scripts that I read about but it's not helping my problem any.
I'm going through the samba doc on the FDS site and keep running into problems here and no one seems to know the answer. I have installed everything I need, configured samba, ldap, bind, and everything else referenced from the FDS site. I'm missing something that isn't covered on the site but I don't know enough to figure out what it is. Here's my smb.conf file if that helps any..
[global]
workgroup = DEPFYFFER
security = user
passdb backend = ldapsam:ldap://depfyffer.com
ldap admin dn = cn=Directory Manager
ldap suffix = dc=depfyffer,dc=com
ldap user suffix = ou=People
ldap machine suffix = ou=Computers
ldap group suffix = ou=Groups

add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
add user script = /usr/local/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
#delete user script = /usr/local/sbin/smbldap-userdel "%u"
add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
#delete group script = /usr/local/sbin/smbldap-groupdel "%g"
add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
add machine script = /usr/local/sbin/smbldap-useradd -w "%u"

log file = /var/log/%m.log
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

os level = 33
domain logons = yes
domain master = yes
local master = yes
preferred master = yes

wins support = yes

logon home = \\%L\%u\profiles
logon path = \\%L\profiles\%u
logon drive = H:

template shell = /bin/false
winbind use default domain = no

[netlogon]
path = /var/lib/samba/netlogon
read only = yes
browsable = no

[profiles]
path = /var/lib/samba/profiles
read only = no
create mask = 0600
directory mask = 0700

[homes]
browsable = no
writable = yes

From listman at nerdherdclan.com Sat Dec 16 06:24:17 2006
From: listman at nerdherdclan.com (listman)
Date: Fri, 15 Dec 2006 22:24:17 -0800 (PST)
Subject: [Fedora-directory-users] can't lookup UNIX group Domain Admins
In-Reply-To: <2639.67.181.252.39.1166248136.squirrel@www.depfyffer.com>
References: <1899.67.181.252.39.1166229316.squirrel@www.depfyffer.com> <1166230440.24077.1.camel@lin-workstation.azapple.com> <2639.67.181.252.39.1166248136.squirrel@www.depfyffer.com>
Message-ID: <59106.67.181.252.39.1166250257.squirrel@www.nerdherdclan.com>

>> On Fri, 2006-12-15 at 16:35 -0800, listman wrote:
>>> Can someone please point me in the right direction to fix this? I've
>>> searched samba group and the only thing I can find is something about
>>> having the right scripts but they don't tell you where to get them or
>>> how
>>> to run them.
>>> Any help would be greatly appreciated.
>> ----
>> sounds like you are looking for smbldap-tools from idealx
>>
>> Perhaps you are using packaging from a distribution that offers these
>> tools or start here if that is indeed what you are looking for...
>>
>> http://sourceforge.net/projects/smbldap-tools
>>
>> Craig
>>
> Thanks Craig
> That does explain the scripts that I read about but it's not helping my
> problem any.
> I'm going through the samba doc on the FDS site and keep running into
> problems here and no one seems to know the answer. I have installed
> everything I need, configured samba, ldap, bind, and everything else
> referenced from the FDS site. I'm missing something that isn't covered on
> the site but I don't know enough to figure out what it is. Here's my
> smb.conf file if that helps any..
>
> [global]
> workgroup = DEPFYFFER
> security = user
> passdb backend = ldapsam:ldap://depfyffer.com
> ldap admin dn = cn=Directory Manager
> ldap suffix = dc=depfyffer,dc=com
> ldap user suffix = ou=People
> ldap machine suffix = ou=Computers
> ldap group suffix = ou=Groups
>
> add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
> add user script = /usr/local/sbin/smbldap-useradd -m "%u"
> ldap delete dn = Yes
> #delete user script = /usr/local/sbin/smbldap-userdel "%u"
> add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
> #delete group script = /usr/local/sbin/smbldap-groupdel "%g"
> add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
> delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u"
> "%g"
> set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
> add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
>
> log file = /var/log/%m.log
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>
> os level = 33
> domain logons = yes
> domain master = yes
> local master = yes
> preferred master = yes
>
> wins support = yes
>
> logon home = \\%L\%u\profiles
> logon path = \\%L\profiles\%u
> logon drive = H:
>
> template shell = /bin/false
> winbind use default domain = no
>
> [netlogon]
> path = /var/lib/samba/netlogon
> read only = yes
> browsable = no
>
> [profiles]
> path = /var/lib/samba/profiles
> read only = no
> create mask = 0600
> directory mask = 0700
>
> [homes]
> browsable = no
> writable = yes
>
This may help also??
[root at depfyffer log]# smbpasswd -D 10 -a -m
Netbios name list:-
my_netbios_names[0]="DEPFYFFER"
Attempting to register passdb backend ldapsam
Successfully added passdb backend 'ldapsam'
Attempting to register passdb backend ldapsam_compat
Successfully added passdb backend 'ldapsam_compat'
Attempting to register passdb backend NDS_ldapsam
Successfully added passdb backend 'NDS_ldapsam'
Attempting to register passdb backend NDS_ldapsam_compat
Successfully added passdb backend 'NDS_ldapsam_compat'
Attempting to register passdb backend smbpasswd
Successfully added passdb backend 'smbpasswd'
Attempting to register passdb backend tdbsam
Successfully added passdb backend 'tdbsam'
Attempting to find an passdb backend to match ldapsam:ldap://depfyffer.com (ldapsam)
Found pdb backend ldapsam
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=DEPFYFFER))]
smbldap_search_ext: base => [dc=depfyffer,dc=com], filter => [(&(objectClass=sambaDomain)(sambaDomainName=DEPFYFFER))], scope => [2]
The connection to the LDAP server was closed
smb_ldap_setup_connection: ldap://depfyffer.com
smbldap_open_connection: connection opened
ldap_connect_system: Binding to ldap server ldap://depfyffer.com as "cn=Directory Manager"
ldap_connect_system: succesful connection to the LDAP server
ldap_connect_system: LDAP server does not support paged results
The LDAP server is succesfully connected
smbldap_get_single_attribute: [sambaAlgorithmicRidBase] = []
pdb backend ldapsam:ldap://depfyffer.com has a valid init
smbldap_search_ext: base => [dc=depfyffer,dc=com], filter => [(&(uid=root$)(objectclass=sambaSamAccount))], scope => [2]
ldapsam_getsampwnam: Unable to locate user [root$] count=0
Failed to modify password entry for user root$

From craigwhite at azapple.com Sat Dec 16 16:30:57 2006
From: craigwhite at azapple.com (Craig White)
Date: Sat, 16 Dec 2006 09:30:57 -0700
Subject: [Fedora-directory-users] can't lookup UNIX group Domain Admins
In-Reply-To: <59106.67.181.252.39.1166250257.squirrel@www.nerdherdclan.com>
References: <1899.67.181.252.39.1166229316.squirrel@www.depfyffer.com> <1166230440.24077.1.camel@lin-workstation.azapple.com> <2639.67.181.252.39.1166248136.squirrel@www.depfyffer.com> <59106.67.181.252.39.1166250257.squirrel@www.nerdherdclan.com>
Message-ID: <1166286657.32362.6.camel@lin-workstation.azapple.com>

On Fri, 2006-12-15 at 22:24 -0800, listman wrote:
> >> On Fri, 2006-12-15 at 16:35 -0800, listman wrote:
> >>> Can someone please point me in the right direction to fix this? I've
> >>> searched samba group and the only thing I can find is something about
> >>> having the right scripts but they don't tell you where to get them or
> >>> how
> >>> to run them.
> >>> Any help would be greatly appreciated.
> >> ----
> >> sounds like you are looking for smbldap-tools from idealx
> >>
> >> Perhaps you are using packaging from a distribution that offers these
> >> tools or start here if that is indeed what you are looking for...
> >>
> >> http://sourceforge.net/projects/smbldap-tools
> >>
> >> Craig
> >>
> > Thanks Craig
> > That does explain the scripts that I read about but it's not helping my
> > problem any.
> > I'm going through the samba doc on the FDS site and keep running into
> > problems here and no one seems to know the answer. I have installed
> > everything I need, configured samba, ldap, bind, and everything else
> > referenced from the FDS site. I'm missing something that isn't covered on
> > the site but I don't know enough to figure out what it is. Here's my
> > smb.conf file if that helps any..
> >
> > [global]
> > workgroup = DEPFYFFER
> > security = user
> > passdb backend = ldapsam:ldap://depfyffer.com
> > ldap admin dn = cn=Directory Manager
> > ldap suffix = dc=depfyffer,dc=com
> > ldap user suffix = ou=People
> > ldap machine suffix = ou=Computers
> > ldap group suffix = ou=Groups
> >
> > add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
> > add user script = /usr/local/sbin/smbldap-useradd -m "%u"
> > ldap delete dn = Yes
> > #delete user script = /usr/local/sbin/smbldap-userdel "%u"
> > add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
> > #delete group script = /usr/local/sbin/smbldap-groupdel "%g"
> > add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
> > delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u"
> > "%g"
> > set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
> > add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
> >
> > log file = /var/log/%m.log
> > socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> >
> > os level = 33
> > domain logons = yes
> > domain master = yes
> > local master = yes
> > preferred master = yes
> >
> > wins support = yes
> >
> > logon home = \\%L\%u\profiles
> > logon path = \\%L\profiles\%u
> > logon drive = H:
> >
> > template shell = /bin/false
> > winbind use default domain = no
> >
> > [netlogon]
> > path = /var/lib/samba/netlogon
> > read only = yes
> > browsable = no
> >
> > [profiles]
> > path = /var/lib/samba/profiles
> > read only = no
> > create mask = 0600
> > directory mask = 0700
> >
> > [homes]
> > browsable = no
> > writable = yes
> >
> > This may help also??
>
> [root at depfyffer log]# smbpasswd -D 10 -a -m
> Netbios name list:-
> my_netbios_names[0]="DEPFYFFER"
> Attempting to register passdb backend ldapsam
> Successfully added passdb backend 'ldapsam'
> Attempting to register passdb backend ldapsam_compat
> Successfully added passdb backend 'ldapsam_compat'
> Attempting to register passdb backend NDS_ldapsam
> Successfully added passdb backend 'NDS_ldapsam'
> Attempting to register passdb backend NDS_ldapsam_compat
> Successfully added passdb backend 'NDS_ldapsam_compat'
> Attempting to register passdb backend smbpasswd
> Successfully added passdb backend 'smbpasswd'
> Attempting to register passdb backend tdbsam
> Successfully added passdb backend 'tdbsam'
> Attempting to find an passdb backend to match ldapsam:ldap://depfyffer.com
> (ldapsam)
> Found pdb backend ldapsam
> smbldap_search_domain_info: Searching
> for:[(&(objectClass=sambaDomain)(sambaDomainName=DEPFYFFER))]
> smbldap_search_ext: base => [dc=depfyffer,dc=com], filter =>
> [(&(objectClass=sambaDomain)(sambaDomainName=DEPFYFFER))], scope => [2]
> The connection to the LDAP server was closed
> smb_ldap_setup_connection: ldap://depfyffer.com
> smbldap_open_connection: connection opened
> ldap_connect_system: Binding to ldap server ldap://depfyffer.com as
> "cn=Directory Manager"
> ldap_connect_system: succesful connection to the LDAP server
> ldap_connect_system: LDAP server does not support paged results
> The LDAP server is succesfully connected
> smbldap_get_single_attribute: [sambaAlgorithmicRidBase] = []
> pdb backend ldapsam:ldap://depfyffer.com has a valid init
> smbldap_search_ext: base => [dc=depfyffer,dc=com], filter =>
> [(&(uid=root$)(objectclass=sambaSamAccount))], scope => [2]
> ldapsam_getsampwnam: Unable to locate user [root$] count=0
> Failed to modify password entry for user root$
----
assuming that you have smbldap-tools installed and configured properly (assuming facts not in evidence from the above), you would need to run smbldap-populate which will automatically populate your LDAP with the needed configuration entries for Samba to work properly.

Official Samba documentation lists the idealx tools (smbldap-tools) information here...
http://samba.org/samba/docs/man/Samba-Guide/happy.html#sbeidealx

and consider this section on making happy users...
http://samba.org/samba/docs/man/Samba-Guide/happy.html#id2574922

Craig

From listman at nerdherdclan.com Sat Dec 16 17:33:09 2006
From: listman at nerdherdclan.com (listman at nerdherdclan.com)
Date: Sat, 16 Dec 2006 09:33:09 -0800
Subject: [Fedora-directory-users] can't lookup UNIX group Domain Admins
Message-ID: <1166290389.8818@acts176.com>

Craig White wrote ..
> On Fri, 2006-12-15 at 22:24 -0800, listman wrote:
> > >> On Fri, 2006-12-15 at 16:35 -0800, listman wrote:
> > >>> Can someone please point me in the right direction to fix this?
> I've
> > >>> searched samba group and the only thing I can find is something about
> > >>> having the right scripts but they don't tell you where to
> get them or
> > >>> how
> > >>> to run them.
> > >>> Any help would be greatly appreciated.
> > >> ----
> > >> sounds like you are looking for smbldap-tools from idealx
> > >>
> > >> Perhaps you are using packaging from a distribution that offers these
> > >> tools or start here if that is indeed what you are looking for...
> > >>
> > >> http://sourceforge.net/projects/smbldap-tools
> > >>
> > >> Craig
> > >>
> > > Thanks Craig
> > > That does explain the scripts that I read about but it's not helping
> my
> > > problem any.
> > > I'm going through the samba doc on the FDS site and keep running into
> > > problems here and no one seems to know the answer. I have installed
> > > everything I need, configured samba, ldap, bind, and everything else
> > > referenced from the FDS site. I'm missing something that isn't covered
> on
> > > the site but I don't know enough to figure out what it is. Here's my
> > > smb.conf file if that helps any..
> > >
> > > [global]
> > > workgroup = DEPFYFFER
> > > security = user
> > > passdb backend = ldapsam:ldap://depfyffer.com
> > > ldap admin dn = cn=Directory Manager
> > > ldap suffix = dc=depfyffer,dc=com
> > > ldap user suffix = ou=People
> > > ldap machine suffix = ou=Computers
> > > ldap group suffix = ou=Groups
> > >
> > > add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
> > > add user script = /usr/local/sbin/smbldap-useradd -m "%u"
> > > ldap delete dn = Yes
> > > #delete user script = /usr/local/sbin/smbldap-userdel "%u"
> > > add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
> > > #delete group script = /usr/local/sbin/smbldap-groupdel "%g"
> > > add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u"
> "%g"
> > > delete user from group script = /usr/local/sbin/smbldap-groupmod -x
> "%u"
> > > "%g"
> > > set primary group script = /usr/local/sbin/smbldap-usermod -g "%g"
> "%u"
> > > add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
> > >
> > > log file = /var/log/%m.log
> > > socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> > >
> > > os level = 33
> > > domain logons = yes
> > > domain master = yes
> > > local master = yes
> > > preferred master = yes
> > >
> > > wins support = yes
> > >
> > > logon home = \\%L\%u\profiles
> > > logon path = \\%L\profiles\%u
> > > logon drive = H:
> > >
> > > template shell = /bin/false
> > > winbind use default domain = no
> > >
> > > [netlogon]
> > > path = /var/lib/samba/netlogon
> > > read only = yes
> > > browsable = no
> > >
> > > [profiles]
> > > path = /var/lib/samba/profiles
> > > read only = no
> > > create mask = 0600
> > > directory mask = 0700
> > >
> > > [homes]
> > > browsable = no
> > > writable = yes
> > >
> > This may help also??
> >
> > [root at depfyffer log]# smbpasswd -D 10 -a -m
> > Netbios name list:-
> > my_netbios_names[0]="DEPFYFFER"
> > Attempting to register passdb backend ldapsam
> > Successfully added passdb backend 'ldapsam'
> > Attempting to register passdb backend ldapsam_compat
> > Successfully added passdb backend 'ldapsam_compat'
> > Attempting to register passdb backend NDS_ldapsam
> > Successfully added passdb backend 'NDS_ldapsam'
> > Attempting to register passdb backend NDS_ldapsam_compat
> > Successfully added passdb backend 'NDS_ldapsam_compat'
> > Attempting to register passdb backend smbpasswd
> > Successfully added passdb backend 'smbpasswd'
> > Attempting to register passdb backend tdbsam
> > Successfully added passdb backend 'tdbsam'
> > Attempting to find an passdb backend to match ldapsam:ldap://depfyffer.com
> > (ldapsam)
> > Found pdb backend ldapsam
> > smbldap_search_domain_info: Searching
> > for:[(&(objectClass=sambaDomain)(sambaDomainName=DEPFYFFER))]
> > smbldap_search_ext: base => [dc=depfyffer,dc=com], filter =>
> > [(&(objectClass=sambaDomain)(sambaDomainName=DEPFYFFER))], scope => [2]
> > The connection to the LDAP server was closed
> > smb_ldap_setup_connection: ldap://depfyffer.com
> > smbldap_open_connection: connection opened
> > ldap_connect_system: Binding to ldap server ldap://depfyffer.com as
> > "cn=Directory Manager"
> > ldap_connect_system: succesful connection to the LDAP server
> > ldap_connect_system: LDAP server does not support paged results
> > The LDAP server is succesfully connected
> > smbldap_get_single_attribute: [sambaAlgorithmicRidBase] = []
> > pdb backend ldapsam:ldap://depfyffer.com has a valid init
> > smbldap_search_ext: base => [dc=depfyffer,dc=com], filter =>
> > [(&(uid=root$)(objectclass=sambaSamAccount))], scope => [2]
> > ldapsam_getsampwnam: Unable to locate user [root$] count=0
> > Failed to modify password entry for user root$
> ----
> assuming that you have smbldap-tools installed and configured
> properly (assuming facts not in evidence from the above), you would need
> to run smbldap-populate which will automatically populate your LDAP
> with the needed configuration entries for Samba to work properly.
>
> Official Samba documentation lists the idealx tools (smbldap-tools)
> information here...
> http://samba.org/samba/docs/man/Samba-Guide/happy.html#sbeidealx
>
> and consider this section on making happy users...
> http://samba.org/samba/docs/man/Samba-Guide/happy.html#id2574922
>
> Craig
Thanks again Craig,
It looks like I'm going to have to start fresh and just try the idealx route. Maybe I can learn enough about samba and ldap that route then move on to FDS after that. FDS seems a little too much for me, I think my biggest downfall is never being exposed to ldap, I've used samba quite a bit but never in this extent. Thanks again for all the pointers.. see ya next time.

From nhosoi at redhat.com Sun Dec 17 00:39:01 2006
From: nhosoi at redhat.com (Noriko Hosoi)
Date: Sat, 16 Dec 2006 16:39:01 -0800
Subject: [Fedora-directory-users] Migration from i-planet 52
In-Reply-To: <45833538.3060301@redhat.com>
References: <45833538.3060301@redhat.com>
Message-ID: <458491A5.6080609@redhat.com>

Richard Megginson wrote:
> Eddie C wrote:
>
>> I recently did an ldif backup of our iplanet 52 database. It's about
>> an 88 MB ldif file.
>> I took this to a new FDS server Dell 850 3 ghz dual core 2 sata hard
>> disks.
>> I ran an ldapadd; the data imported perfectly.
>
Is there any reason to use ldapadd instead of ldif2db? ldif2db should be much faster...

>> Then I tried to cutover some systems and give the database some load.
>>
>> System went 200% processor
>>
>> Eventually I realized I was missing indexes so I added them through
>> the graphical tool.
>>
>> The log seemed to do something like this
>> generating index 1%
>> generating index 2%
>> ....
>> generating index 49%
>> Done
>> Seemed weird that they would jump from 49% to Done
>> At this point the new system was running at 100% processor
>> But the queries are running faster on our old 440 MHZ sparc t1
>> server52 database
>>
>> I ran
>> DB ERROR: db_verify: Page 30: out-of-order key at entry 498
>> DB ERROR: db_verify: DB->verify: db/o_com/channelcontentowner.db4:
>> DB_VERIFY_BAD: Database verification failed
>>
>> then I tried db2_index. The program seemed to be in a tight loop
>> complaining about 1 missing entry.
>>
>> I do not realize how the data can be so corrupted right after an import.
>>
>> These are some generic symptoms. Any ideas? Thanks
>
> Try creating all of the required indexes first, then doing the import
> of your original LDIF. Not only will the import+index creation be
> much faster (than doing the import then creating the indexes one at a
> time), but I think your database corruption problems will vanish.
>

From koniczynek at uaznia.net Sun Dec 17 15:46:34 2006
From: koniczynek at uaznia.net (koniczynek)
Date: Sun, 17 Dec 2006 16:46:34 +0100
Subject: [Fedora-directory-users] ACL migration from OpenLDAP to FDS
In-Reply-To: <457FBF3A.4010308@tedata.net>
References: <457FBF3A.4010308@tedata.net>
Message-ID: <4585665A.3080904@uaznia.net>

Taymour A. El Erian wrote on 2006-12-13 09:52:
> We have OpenLDAP installation which runs Qmail, Horde/IMP, FreeRADIUS.
> We are looking into moving to FDS and had converted the schemas and
> populated the database with sample entries. The problem is I do not know
> how to migrate the current ACLs in OpenLDAP configuration files (we use
> OpenLDAP 2.0.x)
Does anybody know answer to this question?

--
email/xmpp: koniczynek at uaznia.net

From edlinuxguru at gmail.com Mon Dec 18 01:16:49 2006
From: edlinuxguru at gmail.com (Eddie C)
Date: Sun, 17 Dec 2006 20:16:49 -0500
Subject: [Fedora-directory-users] Migration from i-planet 52
In-Reply-To: <458491A5.6080609@redhat.com>
References: <45833538.3060301@redhat.com> <458491A5.6080609@redhat.com>
Message-ID:

The document I had suggested using ldapsearch and ldapadd to migrate data. If ldif2db commands are faster/better I will use them.

>> Try creating all of the required indexes first, then doing the import of
>> your original LDIF.

I am willing to try this, but it is scary to me. I would have rather you said I must be doing something wrong...because....

Our LDAP database has been in production for 6 years. We add indexes to our i-planet on average twice a year due to new software or new features. Your advice is almost suggesting that adding new indexes can corrupt the database.

I will try again from scratch using everyone's advice of course.

Thank you,
Edward

On 12/16/06, Noriko Hosoi wrote:
>
> Richard Megginson wrote:
>
> > Eddie C wrote:
> >
> >> I recently did an ldif backup of our iplanet 52 database. It's about
> >> an 88 MB ldif file.
> >> I took this to a new FDS server Dell 850 3 ghz dual core 2 sata hard
> >> disks.
> >> I ran an ldapadd; the data imported perfectly.
> >
> Is there any reason to use ldapadd instead of ldif2db? ldif2db should
> be much faster...
>
> >> Then I tried to cutover some systems and give the database some load.
> >>
> >> System went 200% processor
> >>
> >> Eventually I realized I was missing indexes so I added them through
> >> the graphical tool.
> >>
> >> The log seemed to do something like this
> >> generating index 1%
> >> generating index 2%
> >> ....
> >> generating index 49%
> >> Done
> >> Seemed weird that they would jump from 49% to Done
> >> At this point the new system was running at 100% processor
> >> But the queries are running faster on our old 440 MHZ sparc t1
> >> server52 database
> >>
> >> I ran
> >> DB ERROR: db_verify: Page 30: out-of-order key at entry 498
> >> DB ERROR: db_verify: DB->verify: db/o_com/channelcontentowner.db4:
> >> DB_VERIFY_BAD: Database verification failed
> >>
> >> then I tried db2_index. The program seemed to be in a tight loop
> >> complaining about 1 missing entry.
> >>
> >> I do not realize how the data can be so corrupted right after an
> import.
> >>
> >> These are some generic symptoms. Any ideas? Thanks
> >
> > Try creating all of the required indexes first, then doing the import
> > of your original LDIF. Not only will the import+index creation be
> > much faster (than doing the import then creating the indexes one at a
> > time), but I think your database corruption problems will vanish.
> >

From rmeggins at redhat.com Mon Dec 18 15:02:26 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 18 Dec 2006 08:02:26 -0700
Subject: [Fedora-directory-users] Re: make dies with NSS problems
In-Reply-To: <45834F84.50304@ehsco.com>
References: <54021.72.75.8.73.1166222574.squirrel@www.ehsco.com> <45834F84.50304@ehsco.com>
Message-ID: <4586AD82.4030908@redhat.com>

Eric A. Hall wrote:
> Richard Megginson wrote:
>
>>> Eric A. Hall wrote:
>>>
>>> Trying to build fds104 and NSS produces pages of errors. At the end of
>>> it all is the following:
>>>
>
>> What is your OS and version?
>>
>
> FC6 kernel-2.6.18-1.2849.fc6
>
>> Do you have httpd, httpd-devel, apr, and apr-devel installed?
>>
>
> I have httpd, apr and apr-devel installed. Do I need httpd-devel?
>
Yes. The build uses /usr/bin/apxs which is provided by httpd-devel.
>
>> What is the output of /usr/sbin/httpd.worker -V?
>>
>
> [ 20:43:23 -- unassigned-12:/root/ ]
> [ root# ] /usr/sbin/httpd.worker -V
> Server version: Apache/2.2.3
> Server built: Sep 11 2006 09:44:40
> Server's Module Magic Number: 20051115:3
> Server loaded: APR 1.2.7, APR-Util 1.2.7
> Compiled using: APR 1.2.7, APR-Util 1.2.7
> Architecture: 64-bit
> Server MPM: Worker
> threaded: yes (fixed thread count)
> forked: yes (variable process count)
> Server compiled with....
> -D APACHE_MPM_DIR="server/mpm/worker"
> -D APR_HAS_SENDFILE
> -D APR_HAS_MMAP
> -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
> -D APR_USE_SYSVSEM_SERIALIZE
> -D APR_USE_PTHREAD_SERIALIZE
> -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
> -D APR_HAS_OTHER_CHILD
> -D AP_HAVE_RELIABLE_PIPED_LOGS
> -D DYNAMIC_MODULE_LIMIT=128
> -D HTTPD_ROOT="/etc/httpd"
> -D SUEXEC_BIN="/usr/sbin/suexec"
> -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
> -D DEFAULT_ERRORLOG="logs/error_log"
> -D AP_TYPES_CONFIG_FILE="conf/mime.types"
> -D SERVER_CONFIG_FILE="conf/httpd.conf"
>
From rmeggins at redhat.com Mon Dec 18 15:06:12 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 18 Dec 2006 08:06:12 -0700
Subject: [Fedora-directory-users] Migration from i-planet 52
In-Reply-To:
References: <45833538.3060301@redhat.com> <458491A5.6080609@redhat.com>
Message-ID: <4586AE64.503@redhat.com>

Eddie C wrote:
> The document I had suggested using ldapsearch and ldapadd to migrate
> data. If ldif2db commands are faster/better I will use them.
>
>>> Try creating all of the required indexes first, then doing the
>>> import of your original LDIF.
>
> I am willing to try this, but it is scary to me. I would have rather
> you said I must be doing something wrong...because....
>
> Our LDAP database has been in production for 6 years. We add indexes
> to our i-planet on average twice a year due to new software or new
> features. Your advice is almost suggesting that adding new indexes can
> corrupt the database.

No, not exactly. I'm not really sure what went wrong. Feel free to try
it again. It's just that for the initial data import, it's much faster
to configure the indexes first, then use ldif2db to import the data and
create the indexes at the same time.

> I will try again from scratch using everyone's advice of course.
>
> Thank you,
> Edward
>
> On 12/16/06, *Noriko Hosoi* <nhosoi at redhat.com> wrote:
>
> Richard Megginson wrote:
> > Eddie C wrote:
> > >> I recently did an ldif backup of our iplanet 52 database. It's about
> > >> an 88 MB ldif file.
> > >> I took this to a new FDS server Dell 850 3 ghz dual core 2 sata hard
> > >> disks.
> > >> I ran an ldapadd the data imported perfectly.
>
> Are there any reason to use ldapadd instead of ldif2db? ldif2db
> should be much faster...
>
> > >> Then I tried to cutover some systems and give the database some load.
From david_list at boreham.org Mon Dec 18 15:38:57 2006
From: david_list at boreham.org (David Boreham)
Date: Mon, 18 Dec 2006 08:38:57 -0700
Subject: [Fedora-directory-users] Migration from i-planet 52
In-Reply-To:
References:
Message-ID: <4586B611.60400@boreham.org>

Eddie C wrote:
> I ran
> DB ERROR: db_verify: Page 30: out-of-order key at entry 498
> DB ERROR: db_verify: DB->verify: db/o_com/channelcontentowner.db4:
> DB_VERIFY_BAD: Database verification failed

I'm assuming that you are running the correct version of db_verify (it
should perform a version check on the magic number in the region files,
so I think it has to be the right one).

My best guess here is that the process by which a new file is added to
a running DB environment went wrong somehow. The details have changed a
few times over the years and it is just possible that the current FDS
code is not up to date.
Potentially the 'problem' would be fixed by simply stopping and
re-starting the server (because the environment would see all the files
closed and then re-opened).

I do know that the process for adding a new file to the environment is
correctly followed in the newer code that deals with individual back-end
restore from archive. Perhaps the online index code is not using the same
underlying function. I haven't taken the time to examine the code though.

The problem I'm thinking about arises when a file that was created using
one db environment (a temporary one, such as is used when building an
index) is opened within another environment: 'bad stuff' can happen along
the lines of what you are seeing. There is state in the file that
references the old environment, which is now stale vs. the new one.
db_verify sees that and barfs. It is possible to avoid this happening but
one has to be careful to make the right calls in the correct order (the
details of which I forget now).

As Rich and Noriko said, if you just re-import after creating the indices
this issue (if it is indeed the one I'm thinking of) will be avoided
because all the files are created at the same time under the same db
environment.

From siggi at betware.com Mon Dec 18 16:20:39 2006
From: siggi at betware.com (Sigurður Bjarnason)
Date: Mon, 18 Dec 2006 16:20:39 -0000
Subject: [Fedora-directory-users] Fedora Directory Server as OS authentication
Message-ID: <9AAC0D944FD6334FB8635228AE7110C04845@Exchange.betware.com>

Hi all

I have been testing the Fedora Directory server as central authentication
for Redhat server environment; it works ok with the authentication, but I
need to know if there is any other way of managing users centrally and
then with a tool that can also manage access rights to the clients as well.

Or is there maybe a simple way of using FDS in co-op with an access rights
program like SUDO ..or other ?.. or is using FDS not the recommended way
to go here ?
Please comment on this and give me suggestions. I sure don't want to
invent the wheel all over again!!

Regards
Siggi

From srigler at marathonoil.com Mon Dec 18 16:30:14 2006
From: srigler at marathonoil.com (Stephen C. Rigler)
Date: Mon, 18 Dec 2006 10:30:14 -0600
Subject: [Fedora-directory-users] Fedora Directory Server as OS authentication
In-Reply-To: <9AAC0D944FD6334FB8635228AE7110C04845@Exchange.betware.com>
References: <9AAC0D944FD6334FB8635228AE7110C04845@Exchange.betware.com>
Message-ID: <1166459414.26939.7.camel@houuc8>

On Mon, 2006-12-18 at 16:20 +0000, Sigurður Bjarnason wrote:
> Or is there maybe a simple way of using FDS in co-op with access
> rights program like SUDO ..or other ?.. or is using FDS not the
> recommended way to go here ?

You can populate your directory with netgroup information which sudo can
use.

-Steve

From koippa at gmail.com Mon Dec 18 16:37:00 2006
From: koippa at gmail.com (Kimmo Koivisto)
Date: Mon, 18 Dec 2006 18:37:00 +0200
Subject: [Fedora-directory-users] Fedora Directory Server as OS authentication
In-Reply-To: <9AAC0D944FD6334FB8635228AE7110C04845@Exchange.betware.com>
References: <9AAC0D944FD6334FB8635228AE7110C04845@Exchange.betware.com>
Message-ID: <200612181837.01258.koippa@gmail.com>

On Monday 18 December 2006 18:20, Sigurður Bjarnason wrote:
> Hi all

Hi

> I have been testing the Fedora Directory server as central authentication
> for Redhat server environment, it works ok with the authentication but I
> need to know if there is any other way of managing users centrally and then
> with tool that can also manage access rights to the clients as well.
>
> Or is there maybe a simple way of using FDS in co-op with access rights
> program like SUDO ..or other ?.. or is using FDS not the recommended way to
> go here ?
You can control sudo rights from FDS; you just need the sudo schema, sudo
entries in the FDS and a sudo that supports LDAP for rule storage.

I took sudo from Fedora Core 4, enabled the LDAP support and re-compiled;
it works fine. My sudo is sudo-1.6.8p8-2.4.i686.rpm. My servers are
RHEL4ES.

Best Regards
Kimmo Koivisto

From glenn at mail.txwes.edu Mon Dec 18 21:01:23 2006
From: glenn at mail.txwes.edu (Glenn)
Date: Mon, 18 Dec 2006 15:01:23 -0600
Subject: [Fedora-directory-users] Standalone Windows Console?
Message-ID: <20061218205416.M51070@mail.txwes.edu>

Netscape Directory had a standalone application that gave Windows users
access to the directory console. The 4.2 version of this app does not seem
to work with Red Hat Directory Server 7.1SP3, and I'm wondering if there is
a standalone console available that will.

Thanks.
-Glenn.

From patrick.morris at hp.com Mon Dec 18 21:16:35 2006
From: patrick.morris at hp.com (Patrick Morris)
Date: Mon, 18 Dec 2006 13:16:35 -0800
Subject: [Fedora-directory-users] Standalone Windows Console?
In-Reply-To: <20061218205416.M51070@mail.txwes.edu>
References: <20061218205416.M51070@mail.txwes.edu>
Message-ID: <20061218211635.GV17454@pmorris.usa.hp.com>

On Mon, 18 Dec 2006, Glenn wrote:
> Netscape Directory had a standalone application that gave Windows users
> access to the directory console. The 4.2 version of this app does not seem
> to work with Red Hat Directory Server 7.1SP3, and I'm wondering if there is a
> standalone console available that will. Thanks. -Glenn.

The included console works on Windows, with a small amount of installation
effort. It's in the FAQ:

http://directory.fedora.redhat.com/wiki/Howto:WindowsConsole

From edlinuxguru at gmail.com Mon Dec 18 21:12:10 2006
From: edlinuxguru at gmail.com (Eddie C)
Date: Mon, 18 Dec 2006 16:12:10 -0500
Subject: [Fedora-directory-users] Re: Migration from i-planet 52
In-Reply-To:
References:
Message-ID:

All,

I tested this from scratch.
I used the ldif_2db function which did work much faster! 112
seconds...rather than about 20 minutes.
However I think the verify_db and db2_index functions are not in
agreement.

Create indexes.
After my initial import.

[root at ldap3 slapd-ldap3]# more out.after.final.txt
*****************************************************************
verify-db: This tool should only be run if recovery start fails
and the server is down. If you run this tool while the server is
running, you may get false reports of corrupted files or other
false errors.
*****************************************************************
Verify log files in db ... Good
Verify db/o_idsk_com/id2entry.db4 ... Good
Verify db/userRoot/ancestorid.db4 ... Good
Verify db/userRoot/entrydn.db4 ... Good
Verify db/userRoot/cn.db4 ... Good
Verify db/userRoot/numsubordinates.db4 ... Good
Verify db/userRoot/aci.db4 ... Good
Verify db/userRoot/parentid.db4 ... Good
Verify db/userRoot/objectclass.db4 ... Good
Verify db/userRoot/id2entry.db4 ... Good
Verify db/userRoot/nsUniqueId.db4 ... Good
Verify db/idsk_services/ancestorid.db4 ...
DB ERROR: db_verify: Page 4: out-of-order key at entry 252
DB ERROR: db_verify: Page 7: out-of-order key at entry 194
DB ERROR: db_verify: Page 7: out-of-order key at entry 450
DB ERROR: db_verify: Page 11: out-of-order key at entry 69
DB ERROR: db_verify: Page 11: out-of-order key at entry 325
DB ERROR: db_verify: Page 11: out-of-order key at entry 581
DB ERROR: db_verify: Page 12: out-of-order key at entry 22
DB ERROR: db_verify: Page 16: out-of-order key at entry 249
DB ERROR: db_verify: Page 16: out-of-order key at entry 498
DB ERROR: db_verify: Page 16: out-of-order key at entry 754
DB ERROR: db_verify: Page 17: out-of-order key at entry 195
DB ERROR: db_verify: Page 17: out-of-order key at entry 451
DB ERROR: db_verify: Page 17: out-of-order key at entry 707
DB ERROR: db_verify: Page 18: out-of-order key at entry 148
DB ERROR: db_verify: Page 21: out-of-order key at entry 254
DB ERROR: db_verify: Page 21: out-of-order key at entry 510
DB ERROR: db_verify: Page 21: out-of-order key at entry 766
DB ERROR: db_verify: Page 22: out-of-order key at entry 207
DB ERROR: db_verify: Page 22: out-of-order key at entry 463
DB ERROR: db_verify: Page 22: out-of-order key at entry 719
DB ERROR: db_verify: Page 23: out-of-order key at entry 160
DB ERROR: db_verify: DB->verify: db/idsk_services/ancestorid.db4: DB_VERIFY_BAD: Database verification failed
Secondary index file ancestorid.db4 in db/idsk_services is corrupted.
Please run db2index(.pl) for reindexing.

So then I reran db2index....verify_db again...same result.

Edward

On 12/15/06, Eddie C wrote:
>
> I recently did an ldif backup of our iplanet 52 database. It's about an 88
> MB ldif file.
> I took this to a new FDS server Dell 850 3 ghz dual core 2 sata hard
> disks.
> I ran an ldapadd the data imported perfectly.
> Then I tried to cutover some systems and give the database some load.
>
> System went 200% processor
>
> Eventually I realized I was missing indexes so I added them through the
> graphical tool.
>
> The log seemed to do something like this
> generating index 1%
> generating index 2%
> ....
> generating index 49%
> Done
> Seemed weird that they would jump from 49% to Done
> At this point the new system was running at 100% processor
> But the queries are running faster on our old 440 MHZ sparc t1 server52
> database
>
> I ran
> DB ERROR: db_verify: Page 30: out-of-order key at entry 498
> DB ERROR: db_verify: DB->verify: db/o_com/channelcontentowner.db4:
> DB_VERIFY_BAD: Database verification failed
>
> then I tried db2_index. The program seemed to be in a tight loop
> complaining about 1 missing entry.
>
> I do not realize how the data can be so corrupted right after an import.
>
> These are some generic symptoms. Any ideas? Thanks

From nhosoi at redhat.com Mon Dec 18 22:35:42 2006
From: nhosoi at redhat.com (Noriko Hosoi)
Date: Mon, 18 Dec 2006 14:35:42 -0800
Subject: [Fedora-directory-users] Re: Migration from i-planet 52
In-Reply-To:
References:
Message-ID: <458717BE.9060100@redhat.com>

Eddie C wrote:
> All,
>
> I tested this from scratch.
> I used the ldif_2db function which did work much faster! 112
> seconds...rather than about 20 minutes.
> However I think the verify_db and db2_index functions are not in
> agreement.
>
> Create indexes.
> After my initial import.
> Verify db/idsk_services/ancestorid.db4 ...
> DB ERROR: db_verify: DB->verify: db/idsk_services/ancestorid.db4:
> DB_VERIFY_BAD: Database verification failed
> Secondary index file ancestorid.db4 in db/idsk_services is corrupted.
> Please run db2index(.pl) for reindexing.

Is this after you imported your ldif file to the backend 'idsk_services'?

When you imported the ldif file, did you get any errors from ldif2db?
This is a sample output when we import Example.ldif. Did you see any
messages other than these?

[18/Dec/2006:04:00:48 -0800] - dblayer_instance_start: pagesize: 4096, pages: 1009265, procpages: 23476
[18/Dec/2006:04:00:48 -0800] - cache autosizing: import cache: 204800k
[18/Dec/2006:04:00:48 -0800] - li_import_cache_autosize: 50, import_pages: 51200, pagesize: 4096
[18/Dec/2006:04:00:48 -0800] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[18/Dec/2006:04:00:48 -0800] - dblayer_instance_start: pagesize: 4096, pages: 1009265, procpages: 23476
[18/Dec/2006:04:00:48 -0800] - cache autosizing: import cache: 204800k
[18/Dec/2006:04:00:48 -0800] - li_import_cache_autosize: 50, import_pages: 51200, pagesize: 4096
[18/Dec/2006:04:00:49 -0800] - import example: Beginning import job...
[18/Dec/2006:04:00:49 -0800] - import example: Index buffering enabled with bucket size 100
[18/Dec/2006:04:00:49 -0800] - import example: Processing file "/export/DS7.2-24471/server/usr/share/fedora-ds/data/Example.ldif"
[18/Dec/2006:04:00:49 -0800] - import example: Finished scanning file "/export/DS7.2-24471/server/usr/share/fedora-ds/data/Example.ldif" (160 entries)
[18/Dec/2006:04:00:50 -0800] - import example: Workers finished; cleaning up...
[18/Dec/2006:04:00:50 -0800] - import example: Workers cleaned up.
[18/Dec/2006:04:00:50 -0800] - import example: Cleaning up producer thread...
[18/Dec/2006:04:00:50 -0800] - import example: Indexing complete. Post-processing...
[18/Dec/2006:04:00:50 -0800] - import example: Flushing caches...
[18/Dec/2006:04:00:50 -0800] - import example: Closing files...
[18/Dec/2006:04:00:51 -0800] - All database threads now stopped
[18/Dec/2006:04:00:51 -0800] - import example: Import complete. Processed 160 entries in 2 seconds. (80.00 entries/sec)

Thanks,
--noriko

> So then I reran db2index....verify_db again...same result.
>
> Edward
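As an added example (not from the thread or the FDS project), a small sh filter for the verify-db output quoted above: it lists each .db4 file whose check ended in DB_VERIFY_BAD with its count of out-of-order-key complaints, and maps the db/<backend>/ directory of each failed file to a db2index run. The transcript embedded below is constructed after the one Eddie posted; the instance path and the db2index -n flag are assumptions.

```sh
#!/bin/sh
# Added example: triage verify-db output so the corrupted index files
# (and the backends to reindex with db2index) fall out mechanically.

# Read verify-db output on stdin; print "<db file> <error count>" for every
# file whose verification ended in DB_VERIFY_BAD, one line per file.
failed_indexes() {
    awk '
        # "Verify db/userRoot/cn.db4 ..." names the file checked next;
        # "Verify log files in db ..." has no .db4 and is skipped.
        /^Verify / && $2 ~ /\.db4$/ { cur = $2; errs[cur] = 0 }
        # each per-page complaint counts against the current file
        /^DB ERROR: db_verify: Page / { errs[cur]++ }
        # "DB->verify: <file>: DB_VERIFY_BAD: ..." marks the file as failed;
        # if a mail client wrapped the line so DB_VERIFY_BAD starts a new
        # one, fall back to the file currently being verified.
        /DB_VERIFY_BAD/ {
            f = ($4 == "DB->verify:") ? $5 : cur
            sub(/:$/, "", f)
            bad[f] = 1
        }
        END { for (f in bad) printf "%s %d\n", f, errs[f] }
    ' | sort
}

# Read failed_indexes output; print one db2index invocation per backend.
# The backend name is the directory under db/ (db/idsk_services/x.db4 ->
# idsk_services). The "-n backend" flag is assumed from the db2index script
# shipped in the instance directory.
reindex_plan() {
    instdir=$1
    awk -v inst="$instdir" '
        { n = split($1, p, "/"); if (n >= 2) seen[p[n-1]] = 1 }
        END { for (b in seen) printf "%s/db2index -n %s\n", inst, b }
    ' | sort
}

# Constructed sample, modelled on the verify-db transcript in the thread.
SAMPLE_VERIFY_OUTPUT='Verify log files in db ... Good
Verify db/userRoot/id2entry.db4 ... Good
Verify db/idsk_services/ancestorid.db4 ...
DB ERROR: db_verify: Page 4: out-of-order key at entry 252
DB ERROR: db_verify: Page 7: out-of-order key at entry 194
DB ERROR: db_verify: Page 7: out-of-order key at entry 450
DB ERROR: db_verify: DB->verify: db/idsk_services/ancestorid.db4: DB_VERIFY_BAD: Database verification failed
Secondary index file ancestorid.db4 in db/idsk_services is corrupted.
Verify db/idsk_services/entrydn.db4 ... Good'

# Usage on the sample (with real output: ./verify-db.pl 2>&1 | failed_indexes)
printf '%s\n' "$SAMPLE_VERIFY_OUTPUT" | failed_indexes
printf '%s\n' "$SAMPLE_VERIFY_OUTPUT" | failed_indexes |
    reindex_plan /opt/fedora-ds/slapd-ldap3
```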
From kj6loh at yahoo.com Tue Dec 19 05:53:30 2006
From: kj6loh at yahoo.com (Jonathan Loh)
Date: Mon, 18 Dec 2006 21:53:30 -0800 (PST)
Subject: [Fedora-directory-users] RE: ds newbie question
In-Reply-To: <20061216054639.406D97327F@hormel.redhat.com>
Message-ID: <571289.89768.qm@web50903.mail.yahoo.com>

Ok here we are, for folks who've just joined the fray:

I had a FC3 now updated to an FC6 box
PIII(800)
512Mb Memory
16gb (I was off by a factor of 10 when I initially reported the problem)
2 to 3 users (this is a test machine)

Under FC3 no apparent errors. The admin server just wouldn't take my
password.
Under FC6 it balks saying there is a lack of memory. The exact message is:

GC Warning: Out of Memory! Returning NIL!

OK. But according to the documentation this is enough memory for the
system.
http://www.redhat.com/docs/manuals/dir-server/install/7.1/ch.prereq.prereq.html#SN.PREREQ.32.BIT

From kj6loh at yahoo.com Tue Dec 19 07:29:14 2006
From: kj6loh at yahoo.com (Jonathan Loh)
Date: Mon, 18 Dec 2006 23:29:14 -0800 (PST)
Subject: [Fedora-directory-users] RE: fds newbie
Message-ID: <704821.77108.qm@web50901.mail.yahoo.com>

Solved. I just used Sun's JDK. Thanks!

From edlinuxguru at gmail.com Tue Dec 19 15:10:32 2006
From: edlinuxguru at gmail.com (Eddie C)
Date: Tue, 19 Dec 2006 10:10:32 -0500
Subject: [Fedora-directory-users] Re: Migration from i-planet 52
In-Reply-To: <458717BE.9060100@redhat.com>
References: <458717BE.9060100@redhat.com>
Message-ID:

>> Any errors?

No, as far as I can tell the import goes smooth.
Our upstream applications seem to have no problem with the data; it seems
to be all imported. I am really troubleshooting index and performance
issues; I figure out-of-order keys could be slowing searches down. This is
a fairly large db (160000 entries); some objects have upwards of 20
attributes. db_verify and db_2index both run fairly quickly. It just seems
like they can't both agree on what clean data looks like.

FYI I upgraded to the latest 1.0.4 before all this testing.

[18/Dec/2006:15:29:50 -0500] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[18/Dec/2006:15:29:50 -0500] - import idsk_services: Beginning import job...
[18/Dec/2006:15:29:50 -0500] - import idsk_services: Index buffering enabled with bucket size 15
[18/Dec/2006:15:29:50 -0500] - import idsk_services: Processing file "/opt/idsk/downloads/idsk.services.com.ldif"
[18/Dec/2006:15:29:50 -0500] - import idsk_services: Finished scanning file "/opt/idsk/downloads/idsk.services.com.ldif" (2037 entries)
[18/Dec/2006:15:29:51 -0500] - import idsk_services: Workers finished; cleaning up...
[18/Dec/2006:15:29:51 -0500] - import idsk_services: Workers cleaned up.
[18/Dec/2006:15:29:51 -0500] - import idsk_services: Cleaning up producer thread...
[18/Dec/2006:15:29:51 -0500] - import idsk_services: Indexing complete. Post-processing...
[18/Dec/2006:15:29:51 -0500] - import idsk_services: Flushing caches...
[18/Dec/2006:15:29:51 -0500] - import idsk_services: Closing files...
[18/Dec/2006:15:29:51 -0500] - import idsk_services: Import complete. Processed 2037 entries in 1 seconds. (2037.00 entries/sec)
[18/Dec/2006:15:30:28 -0500] - Bringing idsk_data offline...
[18/Dec/2006:15:30:28 -0500] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[18/Dec/2006:15:30:28 -0500] - import idsk_data: Beginning import job...
[18/Dec/2006:15:30:28 -0500] - import idsk_data: Index buffering enabled with bucket size 15
[18/Dec/2006:15:30:28 -0500] - import idsk_data: Processing file "/opt/idsk/downloads/idsk.com.ldif"
[18/Dec/2006:15:30:48 -0500] - import idsk_data: Processed 77288 entries -- average rate 3680.4/sec, recent rate 3680.3/sec, hit ratio 0%
[18/Dec/2006:15:31:13 -0500] - import idsk_data: Processed 141956 entries -- average rate 3086.0/sec, recent rate 3086.0/sec, hit ratio 100%
[18/Dec/2006:15:31:35 -0500] - import idsk_data: Finished scanning file "/opt/idsk/downloads/idsk.com.ldif" (163684 entries)
[18/Dec/2006:15:31:49 -0500] - import idsk_data: Workers finished; cleaning up...
[18/Dec/2006:15:31:49 -0500] - import idsk_data: Workers cleaned up.
[18/Dec/2006:15:31:49 -0500] - import idsk_data: Cleaning up producer thread...
[18/Dec/2006:15:31:49 -0500] - import idsk_data: Indexing complete. Post-processing...
[18/Dec/2006:15:32:20 -0500] - import idsk_data: Flushing caches...
[18/Dec/2006:15:32:23 -0500] - import idsk_data: Closing files...
[18/Dec/2006:15:32:24 -0500] - import idsk_data: Import complete. Processed 163684 entries in 116 seconds. (1411.07 entries/sec)

Edward

On 12/18/06, Noriko Hosoi wrote:
> Is this after you imported your ldif file to the backend 'idsk_services'?
>
> When you imported the ldif file, did you get any errors from ldif2db?
> This is a sample output when we import Example.ldif. Did you see any
> messages other than these?
>
> Thanks,
> --noriko
Thanks > > > > > > ------------------------------------------------------------------------ > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From mjdshop at earthlink.net Wed Dec 20 09:08:14 2006 From: mjdshop at earthlink.net (MJD Shop Account) Date: Wed, 20 Dec 2006 04:08:14 -0500 Subject: [Fedora-directory-users] adding an attribute, howto? Message-ID: I would like to use the pam_passthru plugin to use kerberos authentication via pam_krb5, but am running into a few issues. I need to specify an attribute to use, as I have multiple realms--my uid is just a login name, for the kerberos to work I need @. I wasn't sure what to use for the attribute, and was thinking of hijacking the 'description' attribute for this purpose. However another posting to this list gave me the idea of just extending the schema with an additional attribute in 99user.ldif. I would likely want to copy the definition for 'uid' from, say class posixaccount, but rename it to krb5uid or something. Can anyone point me to detailed instructions? Is this trivial or difficult? I looked at the current schema files and was not sure what I would need to copy to make it work, and how to add the new attribute explicitly to the class schema as an optional attribute. What are the consequences of adding such an attribute when replication is occurring? I assume I must extend the schema on each server, what happens if I neglect to extend the schema on one server and it receives replica info that has this new attribute populated for some users? 
I would also entertain the idea of having an attribute with just the realm (or a proxy for the realm), and constructing the krbuid equivalent via some operational attribute that constructs it via uid + "@" + realm on the fly, if this is possible. I might even be able to do this using existing location attribute or another existing attribute, I can easily determine the correct realm from corresponding location-specific info associated with each user. But, I don't know how to do this in practice. Also, if anyone has an example pam ldapserver file they could share, I would appreciate it. -Marty -------------- next part -------------- An HTML attachment was scrubbed... URL: From khankhn2 at gmail.com Wed Dec 20 09:42:19 2006 From: khankhn2 at gmail.com (Linux Kid) Date: Wed, 20 Dec 2006 14:42:19 +0500 Subject: [Fedora-directory-users] help about RedHat Directory Server Message-ID: <6bacfd1c0612200142h24edda9cs156c8c34cd9dd990@mail.gmail.com> I need help about how to users in Redhat Directory Server. 1. First to Add on a system with a command line [useradd] and then add in RDS 2. First add in RDS and then with useradd because I am getting this error. [root at station4 ~]# su - ali id: cannot find name for group ID 501 [ali at station4 ~]$ where station4 is the client, and the home directory of the RDS server is mounted here, and that user is added on the server. So why am I getting this error? Kindly waiting for a fast reply. Regards Linux Kid -------------- next part -------------- An HTML attachment was scrubbed... URL: From igalvarez at gmail.com Wed Dec 20 13:16:43 2006 From: igalvarez at gmail.com (Israel Garcia) Date: Wed, 20 Dec 2006 08:16:43 -0500 Subject: [Fedora-directory-users] migrating users from Tru64 to Fedora DS Message-ID: <194a2c240612200516t28d67c30nf19a4b6a25b67492@mail.gmail.com> Hi, I have 4 Tru64 servers with a lot of users and I want to unify the authentication of them using FDS. My idea is to install FDS on a fedora server with replicas if possible. 
Has anybody done this before? Does FDS have scripts to migrate users/home_directory/UID/GID from a passwd file? What do you recommend? Can I use FDS as an LDAP server for Tru64 clients? thanks in advance regards; Israel From pbruna at it-linux.cl Thu Dec 21 13:56:42 2006 From: pbruna at it-linux.cl (Patricio A. Bruna) Date: Thu, 21 Dec 2006 10:56:42 -0300 (CLST) Subject: [Fedora-directory-users] Signed Documents Message-ID: <8898472.161166709402035.JavaMail.root@lisa.it-linux.cl> I'm looking for a project that works with digitally signed documents and can verify the identity against Fedora DS. Does anyone know of one? -------------- next part -------------- An HTML attachment was scrubbed... URL: From rmeggins at redhat.com Thu Dec 21 19:04:31 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Thu, 21 Dec 2006 12:04:31 -0700 Subject: [Fedora-directory-users] adding an attribute, howto? In-Reply-To: References: Message-ID: <458ADABF.4020809@redhat.com> MJD Shop Account wrote: > I would like to use the pam_passthru plugin to use kerberos > authentication via pam_krb5, but am running into a few issues. I need > to specify an attribute to use, as I have multiple realms--my uid is > just a login name, for the kerberos to work I need @. I > wasn't sure what to use for the attribute, and was thinking of > hijacking the 'description' attribute for this purpose. However > another posting to this list gave me the idea of just extending the > schema with an additional attribute in 99user.ldif. I would likely > want to copy the definition for 'uid' from, say class posixaccount, > but rename it to krb5uid or something. Can anyone point me to > detailed instructions? Is this trivial or difficult? I looked at the > current schema files and was not sure what I would need to copy to make > it work, and how to add the new attribute explicitly to the class > schema as an optional attribute. It's not that difficult to create your own attribute. The hardest thing is creating your own OID. 
If you just try to copy the definition of uid without creating a unique OID, you will get lots of errors. Once you do that, you can just add your new attribute using ldapmodify. Not only will this add your new attribute type to 99user.ldif, but it will also ensure that it will be replicated. You should then create your own AUXILIARY objectclass that has your new attribute type as an allowed attribute, and add this objectclass to all users that you want to add the attribute to. Also add your objectclass definition using ldapmodify to ensure it is replicated properly. > > What are the consequences of adding such an attribute when replication > is occurring? I assume I must extend the schema on each server, what > happens if I neglect to extend the schema on one server and it > receives replica info that has this new attribute populated for some > users? Schema replication happens before data replication. > > I would also entertain the idea of having an attribute with just the > realm (or a proxy for the realm), and constructing the krbuid > equivalent via some operational attribute that constructs it via uid + > "@" + realm on the fly, if this is possible. I might even be able to > do this using existing location attribute or another existing > attribute, I can easily determine the correct realm from > corresponding location-specific info associated with each user. But, > I don't know how to do this in practice. This is not really possible. I suppose the right way to do this would be to extend the SASL mapping code to be used by pam passthrough. > > Also, if anyone has an example pam ldapserver file they could share, I > would appreciate it. > > -Marty > > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > 
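The two ldapmodify steps Richard describes (a new attribute type with its own OID plus an AUXILIARY objectclass, both added to cn=schema so they land in 99user.ldif and replicate; then the per-user modify that attaches them) written out as an added example. This is not code from the list or from Fedora DS: the OID arc `OID_ARC`, the attribute name `krb5PrincipalNameExample` and the class name `krb5UserExample` are placeholders that must be replaced with an arc under your own private enterprise number and names of your choosing.

```python
"""Schema extension for a Kerberos-principal attribute, then the per-user
modify that uses it. Added example, not the poster's or Fedora DS's code.
Placeholders (assumptions): OID_ARC, ATTR_NAME, OC_NAME."""
import re

# Placeholder arc; replace with an arc under your own IANA private
# enterprise number (1.3.6.1.4.1.<PEN>.<n>). Never reuse uid's OID
# (0.9.2342.19200300.100.1.1): a second definition under the same OID
# is exactly what produces the schema errors mentioned above.
OID_ARC = "1.3.6.1.4.1.99999.1"          # assumption
ATTR_NAME = "krb5PrincipalNameExample"  # assumption
OC_NAME = "krb5UserExample"             # assumption

_OID_RE = re.compile(r"^\d+(\.\d+)+$")


def _check_oid(oid):
    """Reject anything that is not a dotted-numeric OID before it reaches the server."""
    if not _OID_RE.match(oid):
        raise ValueError(f"not a dotted-numeric OID: {oid!r}")
    return oid


def attribute_type_def(oid, name):
    """RFC 4512 attributeType: case-insensitive string, one value per entry."""
    return (f"( {_check_oid(oid)} NAME '{name}' "
            "DESC 'Kerberos principal name, uid@REALM' "
            "EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch "
            "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE "
            "X-ORIGIN 'user defined' )")


def object_class_def(oid, name, may_attr):
    """AUXILIARY class, so it can be added to existing user entries."""
    return (f"( {_check_oid(oid)} NAME '{name}' "
            "DESC 'Users with a Kerberos principal' SUP top AUXILIARY "
            f"MAY ( {may_attr} ) X-ORIGIN 'user defined' )")


def fold(line, width=76):
    """RFC 2849 line folding: continuation lines start with one space."""
    parts = [line[:width]]
    rest = line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


def schema_extension_ldif():
    """ldapmodify input adding both definitions to cn=schema.
    The server writes them to 99user.ldif and replicates them."""
    attr = attribute_type_def(f"{OID_ARC}.1", ATTR_NAME)
    oc = object_class_def(f"{OID_ARC}.2", OC_NAME, ATTR_NAME)
    return "\n".join([
        "dn: cn=schema",
        "changetype: modify",
        "add: attributeTypes",
        fold(f"attributeTypes: {attr}"),
        "-",
        "add: objectClasses",
        fold(f"objectClasses: {oc}"),
        "-",
        "",
    ])


def user_modify_ldif(dn, uid, realm):
    """Attach the auxiliary class and the principal to one user entry.
    Values are assumed plain ASCII (otherwise LDIF needs base64)."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "add: objectClass",
        f"objectClass: {OC_NAME}",
        "-",
        f"add: {ATTR_NAME}",
        f"{ATTR_NAME}: {uid}@{realm}",
        "-",
        "",
    ])


if __name__ == "__main__":
    # Feed each to ldapmodify bound as Directory Manager over LDAPS, e.g.
    # (OpenLDAP flags) ldapmodify -x -H ldaps://ds.example.com -D "cn=Directory Manager" -W
    print(schema_extension_ldif())
    print(user_modify_ldif("uid=marty,ou=People,dc=example,dc=com",
                           "marty", "EXAMPLE.COM"))
```

Apply the schema modify first, on one supplier only, and let schema replication carry it; then run the per-user modifies. Writing to cn=schema needs Directory Manager or an ACI that grants it, so keep that bind off the scripts that do routine user updates.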
From rmeggins at redhat.com Thu Dec 21 19:16:49 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Thu, 21 Dec 2006 12:16:49 -0700 Subject: [Fedora-directory-users] Re: Migration from i-planet 52 In-Reply-To: References: <458717BE.9060100@redhat.com> Message-ID: <458ADDA1.8050501@redhat.com> Eddie C wrote: > >>Any errors? > No, as far as I can tell the import goes smoothly. Our upstream > applications seem to have no problem with the data; it seems to be all > imported. > > I am really troubleshooting index and performance issues, I figure > out of order keys could be slowing searches down. This is a fairly large > db (160000 entries); some objects have upwards of 20 attributes. > > db_verify and db_2index both run fairly quickly. It just seems like > they can't both agree on what clean data looks like. > > FYI I upgraded to the latest 1.0.4 before all this testing. Just to confirm, was the server running when you ran db_verify? > > [18/Dec/2006:15:29:50 -0500] - WARNING: Import is running with > nsslapd-db-private-import-mem on; No other process is allowed to > access the database > [18/Dec/2006:15:29:50 -0500] - import idsk_services: Beginning import > job... > [18/Dec/2006:15:29:50 -0500] - import idsk_services: Index buffering > enabled with bucket size 15 > [18/Dec/2006:15:29:50 -0500] - import idsk_services: Processing file > "/opt/idsk/downloads/idsk.services.com.ldif" > [18/Dec/2006:15:29:50 -0500] - import idsk_services: Finished scanning > file "/opt/idsk/downloads/idsk.services.com.ldif" (2037 entries) > [18/Dec/2006:15:29:51 -0500] - import idsk_services: Workers finished; > cleaning up... > [18/Dec/2006:15:29:51 -0500] - import idsk_services: Workers cleaned up. > [18/Dec/2006:15:29:51 -0500] - import idsk_services: Cleaning up > producer thread... > [18/Dec/2006:15:29:51 -0500] - import idsk_services: Indexing > complete. 
Post-processing... > [18/Dec/2006:15:29:51 -0500] - import idsk_services: Flushing caches... > [18/Dec/2006:15:29:51 -0500] - import idsk_services: Closing files... > [18/Dec/2006:15:29:51 -0500] - import idsk_services: Import complete. > Processed 2037 entries in 1 seconds. ( 2037.00 entries/sec) > [18/Dec/2006:15:30:28 -0500] - Bringing idsk_data offline... > [18/Dec/2006:15:30:28 -0500] - WARNING: Import is running with > nsslapd-db-private-import-mem on; No other process is allowed to > access the database > [18/Dec/2006:15:30:28 -0500] - import idsk_data: Beginning import job... > [18/Dec/2006:15:30:28 -0500] - import idsk_data: Index buffering > enabled with bucket size 15 > [18/Dec/2006:15:30:28 -0500] - import idsk_data: Processing file > "/opt/idsk/downloads/idsk.com.ldif" > [18/Dec/2006:15:30:48 -0500] - import idsk_data: Processed 77288 > entries -- average rate 3680.4/sec, recent rate 3680.3/sec, hit ratio 0% > [18/Dec/2006:15:31:13 -0500] - import idsk_data: Processed 141956 > entries -- average rate 3086.0/sec, recent rate 3086.0/sec, hit ratio 100% > [18/Dec/2006:15:31:35 -0500] - import idsk_data: Finished scanning > file "/opt/idsk/downloads/idsk.com.ldif" (163684 entries) > [18/Dec/2006:15:31:49 -0500] - import idsk_data: Workers finished; > cleaning up... > [18/Dec/2006:15:31:49 -0500] - import idsk_data: Workers cleaned up. > [18/Dec/2006:15:31:49 -0500] - import idsk_data: Cleaning up producer > thread... > [18/Dec/2006:15:31:49 -0500] - import idsk_data: Indexing complete. > Post-processing... > [18/Dec/2006:15:32:20 -0500] - import idsk_data: Flushing caches... > [18/Dec/2006:15:32:23 -0500] - import idsk_data: Closing files... > [18/Dec/2006:15:32:24 -0500] - import idsk_data: Import complete. > Processed 163684 entries in 116 seconds. ( 1411.07 entries/sec) > > Edward > > On 12/18/06, *Noriko Hosoi* > wrote: > > Eddie C wrote: > > All, > > > > I tested this from scratch. > > I used the ldif_2db function which did work much faster! 
112 > > seconds...rather than about 20 minutes. > > However I think the verify_db and db2_index functions are not in > > agreement. > > > > Create indexes. > > After my initial import. > > [root at ldap3 slapd-ldap3]# more out.after.final.txt > > ***************************************************************** > > verify-db: This tool should only be run if recovery start fails > > and the server is down. If you run this tool while the server is > > running, you may get false reports of corrupted files or other > > false errors. > > ***************************************************************** > > Verify log files in db ... Good > > Verify db/o_idsk_com/id2entry.db4 ... Good > > Verify db/userRoot/ancestorid.db4 ... Good > > Verify db/userRoot/entrydn.db4 ... Good > > Verify db/userRoot/cn.db4 ... Good > > Verify db/userRoot/numsubordinates.db4 ... Good > > Verify db/userRoot/aci.db4 ... Good > > Verify db/userRoot/parentid.db4 ... Good > > Verify db/userRoot/objectclass.db4 ... Good > > Verify db/userRoot/id2entry.db4 ... Good > > Verify db/userRoot/nsUniqueId.db4 ... Good > > Verify db/idsk_services/ancestorid.db4 ... 
> > DB ERROR: db_verify: Page 4: out-of-order key at entry 252 > > DB ERROR: db_verify: Page 7: out-of-order key at entry 194 > > DB ERROR: db_verify: Page 7: out-of-order key at entry 450 > > DB ERROR: db_verify: Page 11: out-of-order key at entry 69 > > DB ERROR: db_verify: Page 11: out-of-order key at entry 325 > > DB ERROR: db_verify: Page 11: out-of-order key at entry 581 > > DB ERROR: db_verify: Page 12: out-of-order key at entry 22 > > DB ERROR: db_verify: Page 16: out-of-order key at entry 249 > > DB ERROR: db_verify: Page 16: out-of-order key at entry 498 > > DB ERROR: db_verify: Page 16: out-of-order key at entry 754 > > DB ERROR: db_verify: Page 17: out-of-order key at entry 195 > > DB ERROR: db_verify: Page 17: out-of-order key at entry 451 > > DB ERROR: db_verify: Page 17: out-of-order key at entry 707 > > DB ERROR: db_verify: Page 18: out-of-order key at entry 148 > > DB ERROR: db_verify: Page 21: out-of-order key at entry 254 > > DB ERROR: db_verify: Page 21: out-of-order key at entry 510 > > DB ERROR: db_verify: Page 21: out-of-order key at entry 766 > > DB ERROR: db_verify: Page 22: out-of-order key at entry 207 > > DB ERROR: db_verify: Page 22: out-of-order key at entry 463 > > DB ERROR: db_verify: Page 22: out-of-order key at entry 719 > > DB ERROR: db_verify: Page 23: out-of-order key at entry 160 > > DB ERROR: db_verify: DB->verify: db/idsk_services/ancestorid.db4: > > DB_VERIFY_BAD: Database verification failed > > Secondary index file ancestorid.db4 in db/idsk_services is > corrupted. > > Please run db2index(.pl) for reindexing. > > > Is this after you imported your ldif file to the backend > 'idsk_services'? > > When you imported the ldif file, did you get any errors from ldif2db? > This is a sample output when we import Example.ldif. Did you see any > messages other than these? 
> [18/Dec/2006:04:00:48 -0800] - dblayer_instance_start: pagesize: 4096, > pages: 1009265, procpages: 23476 > [18/Dec/2006:04:00:48 -0800] - cache autosizing: import cache: > 204800k > [18/Dec/2006:04:00:48 -0800] - li_import_cache_autosize: 50, > import_pages: 51200, pagesize: 4096 > [18/Dec/2006:04:00:48 -0800] - WARNING: Import is running with > nsslapd-db-private-import-mem on; No other process is allowed to > access > the database > [18/Dec/2006:04:00:48 -0800] - dblayer_instance_start: pagesize: 4096, > pages: 1009265, procpages: 23476 > [18/Dec/2006:04:00:48 -0800] - cache autosizing: import cache: 204800k > [18/Dec/2006:04:00:48 -0800] - li_import_cache_autosize: 50, > import_pages: 51200, pagesize: 4096 > [18/Dec/2006:04:00:49 -0800] - import example: Beginning import job... > [18/Dec/2006:04:00:49 -0800] - import example: Index buffering enabled > with bucket size 100 > [18/Dec/2006:04:00:49 -0800] - import example: Processing file > "/export/DS7.2-24471/server/usr/share/fedora-ds/data/Example.ldif" > [18/Dec/2006:04:00:49 -0800] - import example: Finished scanning file > "/export/DS7.2-24471/server/usr/share/fedora-ds/data/Example.ldif" > (160 > entries) > [18/Dec/2006:04:00:50 -0800] - import example: Workers finished; > cleaning up... > [18/Dec/2006:04:00:50 -0800] - import example: Workers cleaned up. > [18/Dec/2006:04:00:50 -0800] - import example: Cleaning up producer > thread... > [18/Dec/2006:04:00:50 -0800] - import example: Indexing complete. > Post-processing... > [18/Dec/2006:04:00:50 -0800] - import example: Flushing caches... > [18/Dec/2006:04:00:50 -0800] - import example: Closing files... > [18/Dec/2006:04:00:51 -0800] - All database threads now stopped > [18/Dec/2006:04:00:51 -0800] - import example: Import complete. > Processed 160 entries in 2 seconds. (80.00 entries/sec) > > Thanks, > --noriko > > So then I reran db2index....verify_db again...same result. 
> > > > Edward > > > > > > On 12/15/06, *Eddie C* > > >> > wrote: > > > > I recently did an ldif backup of our iplanet 52 database. It's > > about an 88 MB ldif file. > > I took this to a new FDS server Dell 850 3 ghz dual core 2 sata > > hard disks. > > I ran an ldapadd the data imported perfectly. > > Then I tried to cutover some systems and give the database > some load. > > > > System went 200% processor > > > > Eventually I realized I was missing indexes so I added them > > through the graphical tool. > > > > The log seemed to do something like this > > generating index 1% > > generating index 2% > > .... > > generating index 49% > > Done > > Seemed weird that they would jump from 49% to Done > > At this point the new system was running at 100% processor > > But the queries are running faster on our old 440 MHZ sparc t1 > > server52 database > > > > I ran > > DB ERROR: db_verify: Page 30: out-of-order key at entry 498 > > DB ERROR: db_verify: DB->verify: > db/o_com/channelcontentowner.db4: > > DB_VERIFY_BAD: Database verification failed > > > > then I tried db2_index. The program seemed to be in a tight loop > > complaining about 1 missing entry. > > > > I do not realize how the data can be so corrupted right after an > > import. > > > > These are somewhat generic symptoms. Any ideas? 
Thanks > > > > > > > ------------------------------------------------------------------------ > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From mj at sci.fi Thu Dec 21 21:14:38 2006 From: mj at sci.fi (Mike Jackson) Date: Thu, 21 Dec 2006 23:14:38 +0200 Subject: [Fedora-directory-users] Signed Documents In-Reply-To: <8898472.161166709402035.JavaMail.root@lisa.it-linux.cl> References: <8898472.161166709402035.JavaMail.root@lisa.it-linux.cl> Message-ID: <458AF93E.4050507@sci.fi> Patricio A. Bruna wrote: > I'm looking for a project that works with digitally signed documents and > can verify the identity against Fedora DS. > Does anyone know of one? OpenOffice can sign and work with signed documents. Not sure how it does verification, other than via importing CA certificates... -- mike From stpierre at NebrWesleyan.edu Fri Dec 22 15:40:44 2006 From: stpierre at NebrWesleyan.edu (Chris St. Pierre) Date: Fri, 22 Dec 2006 09:40:44 -0600 (CST) Subject: [Fedora-directory-users] Persistent MMR problems Message-ID: A few months ago, I had a machine die suddenly when the power cord was tripped over. (Oops!) After that, I had some replication issues that I solved with the help of this list. Before long, they came back, and back, and back. 
Basically, I get a bunch of messages like this in the error logs: [22/Dec/2006:09:26:08 -0600] agmt="cn="Replication to zeppo.nebrwesleyan.edu (o=pab)"" (zeppo:389) - Can't locate CSN 458acc0e000000020000 in the changelog (DBrc=-30990). The consumer may need to be reinitialized. [22/Dec/2006:09:31:09 -0600] agmt="cn="Replication to chico.nebrwesleyan.edu (o=pab)"" (chico:389) - Can't locate CSN 458acc0e000000020000 in the changelog (DBrc=-30990). The consumer may need to be reinitialized. I get similar messages on every host in the 4-way MMR group. Each machine only complains about one CSN, but they're different CSNs on each machine. This morning, I took down all of the replication agreements, and reinitialized every host from one, which I temporarily treated as the authoritative master. Within minutes, these messages were appearing again. Does anyone have any ideas how to solve this once and for all? I've rebuilt my replication agreements countless times, and nothing seems to get them in sync. Any and all ideas are welcome. Thanks. Chris St. Pierre Unix Systems Administrator Nebraska Wesleyan University ---------------------------- Never send mail to thobrux at nebrwesleyan.edu From phil.lembo at gmail.com Fri Dec 22 16:28:24 2006 From: phil.lembo at gmail.com (Phil Lembo) Date: Fri, 22 Dec 2006 11:28:24 -0500 Subject: [Fedora-directory-users] Simple Paged Results Control Support in Future? Message-ID: Any chance we'll get to see support for Simple Paged Results Control in a future version of Fedora Directory? -- Phil Lembo -------------- next part -------------- An HTML attachment was scrubbed... URL: From david_list at boreham.org Fri Dec 22 16:30:59 2006 From: david_list at boreham.org (David Boreham) Date: Fri, 22 Dec 2006 09:30:59 -0700 Subject: [Fedora-directory-users] Simple Paged Results Control Support in Future? 
In-Reply-To: References: Message-ID: <458C0843.40606@boreham.org> Phil Lembo wrote: > Any chance we'll get to see support for Simple Paged Results Control > in a future version of Fedora Directory? It wouldn't be hard to implement because the existing VLV code could be mostly re-used. Are you looking to support an application that already uses simple paged results ? Or is there something you're looking for that VLV doesn't do ? From phil.lembo at gmail.com Fri Dec 22 17:16:04 2006 From: phil.lembo at gmail.com (Phil Lembo) Date: Fri, 22 Dec 2006 12:16:04 -0500 Subject: [Fedora-directory-users] Extracting details from ActiveDirectoryto FDS Message-ID: Darren: I wrote a Perl script using the Net::LDAP module and Kartik Subbarao's ldifdiff.pl (in Net::LDAP contrib section on search.cpan.org) to go the other way, updating AD from LDAP (in our case the FDS-related Sun Directory). The basic process I followed was to dump the contents of each directory to LDIF (after all, AD is "just another LDAP directory", ;-), transform the DNs so that the source looks like the target (we get the DN by doing a search against the target on an attribute value common to both, in our case, AD CN = LDAP UID), then diffing the transformed files, and using the resulting diff to make my changes to the target. The current version is heavily customized for my company's environment so the code would probably be pretty useless to you, but if a barely competent Perl programmer like me could come up with something like this I'd guess that someone who *really* knew what they were doing could come up with something much better. There are also commercial products out there like Microsoft or Sun's metadirectory, and HP's LDAP Directory Synchronizer (LDSU) (see http://h20219.www2.hp.com/services/cache/11215-0-0-0-121.html). All of these are quite costly. The Sun product is freely downloadable but it is very complex and I wouldn't recommend exploring it without professional services assistance. 
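The dump, transform and diff procedure Phil describes above, as an added example in Python. It is neither his Perl script nor ldifdiff.pl: it parses two LDIF dumps, finds each source entry's target DN through the shared value (source uid equals target cn, as in his setup), and emits LDIF modify records for the attributes that differ. The sample dumps, the `SYNC_ATTRS` list and the DNs are constructed for the example.

```python
"""Dump, transform and diff two LDIF exports. Added example, not Phil
Lembo's Perl or ldifdiff.pl. Entries are matched by source uid == target
cn; only SYNC_ATTRS are compared. Sample data below is constructed."""
import base64

# Attributes pushed from source to AD (assumption). Passwords and
# objectClass are deliberately left out of the comparison.
SYNC_ATTRS = ("mail", "telephonenumber")


def parse_ldif(text):
    """Return {dn: {attr: set(values)}}; handles folded lines and base64 (::).
    Attribute names are lower-cased (LDAP compares them case-insensitively)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # RFC 2849 continuation line
        else:
            lines.append(raw)
    entries, dn, attrs = {}, None, {}
    for line in lines + [""]:             # sentinel flushes the last entry
        if not line:
            if dn is not None:
                entries[dn] = attrs
            dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), set()).add(value)
    return entries


def map_dns(source, target, src_key="uid", tgt_key="cn"):
    """Source DN -> target DN, via the attribute value both sides share."""
    index = {}
    for dn, attrs in target.items():
        for v in attrs.get(tgt_key, ()):
            index[v.lower()] = dn
    return {dn: index[v.lower()]
            for dn, attrs in source.items()
            for v in attrs.get(src_key, ()) if v.lower() in index}


def diff_ldif(source, target, mapping, attrs=SYNC_ATTRS):
    """LDIF 'changetype: modify' records that make target match source."""
    records = []
    for src_dn, tgt_dn in sorted(mapping.items()):
        s, t = source[src_dn], target[tgt_dn]
        changes = []
        for a in attrs:
            sv, tv = s.get(a, set()), t.get(a, set())
            if sv == tv:
                continue
            if not sv:                    # gone at the source: remove at target
                changes.append(f"delete: {a}\n-")
            else:                         # replace the whole value set
                changes.append(f"replace: {a}\n"
                               + "".join(f"{a}: {v}\n" for v in sorted(sv)) + "-")
        if changes:
            records.append(f"dn: {tgt_dn}\nchangetype: modify\n"
                           + "\n".join(changes) + "\n")
    return "\n".join(records)


# Constructed sample dumps (not real directory data).
SOURCE_LDIF = f"""\
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe
mail: jane.doe@example.com
telephoneNumber: +1 555 0100

dn: uid=bsmith,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: bsmith
mail:: {base64.b64encode(b'bob.smith@example.com').decode()}
"""

TARGET_LDIF = """\
dn: CN=jdoe,OU=Staff,DC=corp,DC=example,DC=com
objectClass: user
cn: jdoe
mail: jdoe@old.example.com
telephoneNumber: +1 555 0100

dn: CN=bsmith,OU=Staff,DC=corp,DC=example,DC=com
objectClass: user
cn: bsmith
mail: bob.smith@example.com
telephoneNumber: +1 555 0199
"""


def run_example():
    source, target = parse_ldif(SOURCE_LDIF), parse_ldif(TARGET_LDIF)
    return diff_ldif(source, target, map_dns(source, target))


if __name__ == "__main__":
    print(run_example())   # review the diff, then feed it to ldapmodify against AD
```

Two operational points worth keeping: review the generated diff before applying it (a bad source dump turns into a bulk `delete` on the target), and apply it with a bind that has write rights only on the target OU, over LDAPS, rather than with a domain admin.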
You should also look at Sun's latest Directory Resource Kit, http://developers.sun.com/prodtech/dirserver/reference/techart/DSRK_52.html, which provides a number of tools that can be used together to synchronize disparate directories. The doc is a worthwhile read for getting you thinking about how you'd go about it in your environment. -- Phil Lembo -------------- next part -------------- An HTML attachment was scrubbed... URL: From ulf.weltman at hp.com Fri Dec 22 19:45:14 2006 From: ulf.weltman at hp.com (Ulf Weltman) Date: Fri, 22 Dec 2006 11:45:14 -0800 Subject: [Fedora-directory-users] Persistent MMR problems In-Reply-To: References: Message-ID: <458C35CA.5050001@hp.com> Does it definitely replicate a few changes correctly before the problem starts? It reminds me of a problem that used to occur with an earlier 6.21 release, but in that case the first change would not be replicated (changelog empty with no anchor at the head of the list), and the second would produce the error you're seeing. I don't think it'd help diagnosing the problem beyond noting that the change identified by that CSN really is missing, but if you're interested you can inspect the changelog running the dbscan tool on the /changelogdb/.db4 file. You should have as many .db4 files as you have replicas. You can also make the server dump it using the CL2LDIF task (see the template-cl-dump.pl script, requires perldap). Chris St. Pierre wrote: > A few months ago, I had a machine die suddenly when the power cord was > tripped over. (Oops!) After that, I had some replication issues that > I solved with the help of this list. Before long, they came back, and > back, and back. Basically, I get a bunch of messages like this in the > error logs: > > [22/Dec/2006:09:26:08 -0600] agmt="cn="Replication to > zeppo.nebrwesleyan.edu (o=pab)"" (zeppo:389) - Can't locate CSN > 458acc0e000000020000 in the changelog (DBrc=-30990). The consumer may > need to be reinitialized. 
> [22/Dec/2006:09:31:09 -0600] agmt="cn="Replication to > chico.nebrwesleyan.edu (o=pab)"" (chico:389) - Can't locate CSN > 458acc0e000000020000 in the changelog (DBrc=-30990). The consumer may > need to be reinitialized. > > I get similar messages on every host in the 4-way MMR group. Each > machine only complains about one CSN, but they're different CSNs on > each machine. > > This morning, I took down all of the replication agreements, and > reinitialized every host from one, which I temporarily treated as the > authoritative master. Within minutes, these messages were appearing > again. > > Does anyone have any ideas how to solve this once and for all? I've > rebuilt my replication agreements countless times, and nothing seems > to get them in sync. Any and all ideas are welcome. Thanks. > > Chris St. Pierre > Unix Systems Administrator > Nebraska Wesleyan University > ---------------------------- > Never send mail to thobrux at nebrwesleyan.edu > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > From david_list at boreham.org Fri Dec 22 19:51:38 2006 From: david_list at boreham.org (David Boreham) Date: Fri, 22 Dec 2006 12:51:38 -0700 Subject: [Fedora-directory-users] Persistent MMR problems In-Reply-To: <458C35CA.5050001@hp.com> References: <458C35CA.5050001@hp.com> Message-ID: <458C374A.4090602@boreham.org> Ulf Weltman wrote: > Does it definitely replicate a few changes correctly before the > problem starts? It reminds me of a problem that used to occur with an > earlier 6.21 release, but in that case the first change would not be > replicated (changelog empty with no anchor at the head of the list), > and the second would produce the error you're seeing. 
> > I don't think it'd help diagnosing the problem beyond noting that the > change identified by that CSN really is missing, but if you're > interested you can inspect the changelog running the dbscan tool on > the /changelogdb/.db4 file. You should > have as many .db4 files as you have replicas. You can also make the > server dump it using the CL2LDIF task (see the template-cl-dump.pl > script, requires perldap). I agree it sounds like some bad changelog juju. It should be possible to nuke the changelog databases on all the replicas (doesn't re-init from a supplier do this ??). From dmacpher at vfs.com Sat Dec 23 02:52:03 2006 From: dmacpher at vfs.com (Derrick MacPherson) Date: Fri, 22 Dec 2006 18:52:03 -0800 Subject: [Fedora-directory-users] DNS? Message-ID: <000101c7263d$5343c7c0$64010a0a@dpc> I'm installing on a server I've got at home, and at the end of the setup I get the gethostbyname failed when creating the server; I'm assuming this is because the server is unable to get DNS because there is none. Is there a way around this because it seems like the setup doesn't finish properly? As well, if I go to redo the setup, is it better to uninstall, rpm -e the rpm, then reinstall, run the setup again? When I try to do the setup I get an error after it asks for the admin username and password, seems like it's trying to connect and access information that didn't get into the ldap? Thanks, I hope that all makes sense to someone. -- No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.5.432 / Virus Database: 268.15.26/598 - Release Date: 12/22/2006 3:22 PM From listman at nerdherdclan.com Sat Dec 23 05:14:43 2006 From: listman at nerdherdclan.com (listman) Date: Fri, 22 Dec 2006 21:14:43 -0800 (PST) Subject: [Fedora-directory-users] DNS? 
In-Reply-To: <000101c7263d$5343c7c0$64010a0a@dpc> References: <000101c7263d$5343c7c0$64010a0a@dpc> Message-ID: <1236.67.181.252.39.1166850883.squirrel@www.depfyffer.com> > I'm installing on a server I've got at home, and at the end of the setup I > get the gethostbyname failed when creating the server; I'm assuming this > is > because the server is unable to get DNS cause there is none. Is there a > way > around this cause it seems like the setup doesn't finish properly? > > As well, if I go to redo the setup, is it better to uninstall, rpm -e the > rpm, then reinstall, run the setup again? When I try to do the setup I get > an error after it asks for the admin username and password, seems like > it's > trying to connect and access information that didn't get into the ldap? > > Thanks, I hope that all makes sense to someone. > I ended up installing bind and configuring dns locally. I wasn't able to get all the pieces to fit without it. I'm still having a few problems but no longer from DNS. I thought there was a way to remove a server but don't recall off hand. I'm actually just running rpm -e but there is an uninstall script at /opt/fedora-ds/uninstall From stpierre at NebrWesleyan.edu Sat Dec 23 05:39:36 2006 From: stpierre at NebrWesleyan.edu (Chris St. Pierre) Date: Fri, 22 Dec 2006 23:39:36 -0600 (CST) Subject: [Fedora-directory-users] DNS? In-Reply-To: <000101c7263d$5343c7c0$64010a0a@dpc> References: <000101c7263d$5343c7c0$64010a0a@dpc> Message-ID: I haven't dealt with the DNS problem, but could you get around it with /etc/hosts? If all it's failing on is gethostbyname(thishost), then a proper /etc/hosts (and /etc/nsswitch.conf) should take care of that. FDS lives entirely in /opt/fedora-ds, so the easiest way to completely uninstall it is: # rpm -e fedora-ds # rm -rf /opt/fedora-ds Chris St. 
Pierre Unix Systems Administrator Nebraska Wesleyan University On Fri, 22 Dec 2006, Derrick MacPherson wrote: > I'm installing on a server I've got at home, and at the end of the setup I > get the gethostbyname failed when creating the server; I'm assuming this is > because the server is unable to get DNS cause there is none. Is there a way > around this cause it seems like the setup doesn't finish properly? > > As well, if I go to redo the setup, is it better to uninstall, rpm -e the > rpm, then reinstall, run the setup again? When I try to do the setup I get > an error after it asks for the admin username and password, seems like it's > trying to connect and access information that didn't get into the ldap? > > Thanks, I hope that all makes sense to someone. > > -- > No virus found in this outgoing message. > Checked by AVG Free Edition. > Version: 7.5.432 / Virus Database: 268.15.26/598 - Release Date: 12/22/2006 > 3:22 PM > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > From phil.lembo at gmail.com Sat Dec 23 10:09:23 2006 From: phil.lembo at gmail.com (Phil Lembo) Date: Sat, 23 Dec 2006 05:09:23 -0500 Subject: [Fedora-directory-users] Simple Paged Results Control Support in Future? Message-ID: > > Date: Fri, 22 Dec 2006 09:30:59 -0700 > From: David Boreham > Subject: Re: [Fedora-directory-users] Simple Paged Results Control > Support in Future? > To: "General discussion list for the Fedora Directory server project." > > > Phil Lembo wrote: > > > Any chance we'll get to see support for Simple Paged Results Control > > in a future version of Fedora Directory? > > It wouldn't be hard to implement because the existing VLV code could be > mostly re-used. > > Are you looking to support an application that already uses simple paged > results ? > Or is there something you're looking for that VLV doesn't do ? 
> Just like to be able to use the same techniques for paging through different directories. Today I've got to maintain 2 different methods in any scripts that query both FDS and AD -- I know, I know, I should have modularized them long ago... Anyway, OpenLDAP and a couple of other proprietary directories also support SPRC, so the only one I've still got to shift over to VLV for is FDS (and it's proprietary cousins). -- Phil Lembo -------------- next part -------------- An HTML attachment was scrubbed... URL: From mike at subfocal.net Sat Dec 23 10:18:42 2006 From: mike at subfocal.net (Mike Mueller) Date: Sat, 23 Dec 2006 05:18:42 -0500 Subject: [Fedora-directory-users] Can't connect to admin server as Directory Manager Message-ID: I just did a fresh install of FDS 1.0.4 on a Gentoo Linux workstation (built manually, not from RPM). After running the setup script to install it, everything appears to be working, except I can't login to the admin console. I can connect to the server via the web browser on my admin port (9419) and authenticate fine there. However, when I start the console up, I do: User ID: cn=Directory Manager Password: Administration URL: http://hostname.domain.com:9419/ The dialog that I get says: "Cannot logon because of an incorrect User ID, Incorrect password or Directory problem. HttpException Response: HTTP/1.1 401 Authorization Required Status: 401 URL: http://hostname.domain.com:9419/admin-serv/authenticate" I made sure that the admin server isn't configured to block any hosts or IP addresses (set them both to '*' in the local.conf file). Here's what the error log says: [Sat Dec 23 05:09:46 2006] [notice] [client 192.168.2.1] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.2.1 [Sat Dec 23 05:09:46 2006] [error] [client 192.168.2.1] user cn=Directory Manager not found: /admin-serv/authenticate How could the "cn=Directory Manager" user be not found? Doesn't it always exist? 
Yes, I used the default name for this user when I ran setup. Any input would be appreciated! Thanks, Mike From ersin.er at gmail.com Sat Dec 23 12:47:53 2006 From: ersin.er at gmail.com (Ersin Er) Date: Sat, 23 Dec 2006 14:47:53 +0200 Subject: [Fedora-directory-users] Using client web applications Message-ID: Hi, Is there any documentation related to installing/configuring/using dsgw, dsmlgw and orgchart? Thanks. -- Ersin From ersin.er at gmail.com Sat Dec 23 13:02:35 2006 From: ersin.er at gmail.com (Ersin Er) Date: Sat, 23 Dec 2006 15:02:35 +0200 Subject: [Fedora-directory-users] Re: Using client web applications In-Reply-To: References: Message-ID: OK, there is enough stuff here: http://www.redhat.com/docs/manuals/dir-server/orgchart/orgchart.html Cheers, On 12/23/06, Ersin Er wrote: > Hi, > > Is there any documentation related to installing/configuring/using > dsgw, dsmlgw and orgchart? > > Thanks. > > -- > Ersin > -- Ersin From ihateuninterruptiblesleep at gmail.com Mon Dec 25 03:10:17 2006 From: ihateuninterruptiblesleep at gmail.com (Bob Rossi) Date: Sun, 24 Dec 2006 22:10:17 -0500 Subject: [Fedora-directory-users] Can't connect to admin server as Directory Manager In-Reply-To: <20061224141515.GQ3022@cox.net> References: <20061224141515.GQ3022@cox.net> Message-ID: <99de6f1f0612241910m3727e485o78a21ffbd1d6e8e2@mail.gmail.com> Could it be uninterruptible sleep? Just think about it. > On Sat, Dec 23, 2006 at 05:18:42AM -0500, Mike Mueller wrote: > > I just did a fresh install of FDS 1.0.4 on a Gentoo Linux workstation > > (built manually, not from RPM). After running the setup script to > > install it, everything appears to be working, except I can't login to > > the admin console. I can connect to the server via the web browser on > > my admin port (9419) and authenticate fine there. 
> > > > However, when I start the console up, I do: > > > > User ID: cn=Directory Manager > > Password: > > Administration URL: http://hostname.domain.com:9419/ > > > > The dialog that I get says: > > > > "Cannot logon because of an incorrect User ID, > > Incorrect password or Directory problem. > > > > HttpException > > Response: HTTP/1.1 401 Authorization Required > > Status: 401 > > URL: http://hostname.domain.com:9419/admin-serv/authenticate" > > > > I made sure that the admin server isn't configured to block any hosts > > or IP addresses (set them both to '*' in the local.conf file). > > > > Here's what the error log says: > > > > [Sat Dec 23 05:09:46 2006] [notice] [client 192.168.2.1] > > admserv_host_ip_check: ap_get_remote_host could not resolve > > 192.168.2.1 > > [Sat Dec 23 05:09:46 2006] [error] [client 192.168.2.1] user > > cn=Directory Manager not found: /admin-serv/authenticate > > > > How could the "cn=Directory Manager" user be not found? Doesn't it > > always exist? Yes, I used the default name for this user when I ran > > setup. > > > > Any input would be appreciated! > > > > Thanks, > > Mike > From khankhn2 at gmail.com Tue Dec 26 08:30:40 2006 From: khankhn2 at gmail.com (Linux Kid) Date: Tue, 26 Dec 2006 13:30:40 +0500 Subject: [Fedora-directory-users] Fwd: Fedora-directory-users Digest, Vol 19, Issue 23 In-Reply-To: <20061220170006.BC82573638@hormel.redhat.com> References: <20061220170006.BC82573638@hormel.redhat.com> Message-ID: <6bacfd1c0612260030me5df5f8oee189d81986bc120@mail.gmail.com> Reminder # 01 help me plz Message: 2 Date: Wed, 20 Dec 2006 14:42:19 +0500 From: "Linux Kid" Subject: [Fedora-directory-users] help about RedHat Directory Server To: fedora-directory-users at redhat.com Message-ID: <6bacfd1c0612200142h24edda9cs156c8c34cd9dd990 at mail.gmail.com> Content-Type: text/plain; charset="iso-8859-1" I need help about how to users in Redhat Directory Server. 1. 
First to Add on a system with a command line [useradd] and then add in RDS 2. First add in RDS and then with useradd because i am getting this error. [root at station4 ~]# su - ali id: cannot find name for group ID 501 [ali at station4 ~]$ where station4 is client , and home directory of RDS server is mounted here. and that user is added in server. So why i am getting this error, kindly waiting for a fast reply. Regards Linux Kid -------------- next part -------------- An HTML attachment was scrubbed... URL: https://www.redhat.com/archives/fedora-directory-users/attachments/20061220/6532fe92/attachment.html From wiskbroom at hotmail.com Tue Dec 26 14:52:03 2006 From: wiskbroom at hotmail.com (Vadim Pushkin) Date: Tue, 26 Dec 2006 14:52:03 +0000 Subject: [Fedora-directory-users] Need Help Migrating From NIS To FDS/AD In-Reply-To: <452BDBFD.705@broadcom.com> Message-ID: Hello Again All; I am still without migrating from an NIS environment to AD/FDS for all of my machines, Windows as well as Sparc/Solaris 8-10 and Linux machines. Back in October I started a thread that seemed to have gone nowhere and would like to restart this thread. It is my understanding that I must use FDS to serve as the middleware for auth and perms between my UNIX machines and my AD servers, I have four of them. I merely wish to have my Solaris and Linux machines use the credentials on the AD environment versus what I am doing now, YP/NIS. Has someone done this successfully? If so, may I ask if you found a doc anywhere describing this? Thank you, /vp >From: "George Holbert" > >Vadim, >This is a pretty big topic. 
>Gary Tay has put together some docs that are a great starting point: >http://web.singnet.com.sg/~garyttt/ > >Sun's docs regarding Solaris clients will also be useful for you: >http://docs.sun.com/app/docs/doc/816-4556 > >One other thing: > >>My goal is to migrate my Solaris and Linux machines onto the AD structure >>for user, group, hosts, networks and netgroups map use (perhaps other maps >>later). > >If you mean that you will be using AD as your directory server, you won't >necessarily need to run a separate directory server like FDS. > >Good luck! > > >Vadim Pushkin wrote: >>Hello All; >> >>My current environment is using NIS (not NIS+) on Sparc Solaris 8/10 and >>x86 Linux, with a separate AD structure. My goal is to migrate my Solaris >>and Linux machines onto the AD structure for user, group, hosts, networks >>and netgroups map use (perhaps other maps later). >> >>My questions are: >> >>1. Am I correct in believing that Fedora Dir Server is able to allow me >>to auth to my AD DC's? Or does FDS only perform as a conduit to the AD >>structure, either fine by me. >> >>2. What and where do I change to allow this on my pam.conf on my Solaris >>and Linux servers? >> >>3. Where do I get the PAM modules to allow this to work? >> >>4. What additional software must I run on my RH/FC FDS server? Should I, >>or can I, run two servers in case one fails? >> >>5. Finally, does anyone have any written docs or a site that can help me? >> >> >>Thanks very much in advance, >> >>.vadim From ankur_agwal at yahoo.com Tue Dec 26 18:52:18 2006 From: ankur_agwal at yahoo.com (Ankur Agarwal) Date: Tue, 26 Dec 2006 10:52:18 -0800 (PST) Subject: [Fedora-directory-users] Password lockout and Account inactivation Message-ID: <548207.25864.qm@web54114.mail.yahoo.com> Hi, In my application i need to implement password lockout (after 3 unsuccessful attempts) and account inactivation by admin. I am using Weblogic security provider for authenticating my users residing in redhat LDAP. 
I have 2 questions: 1) Using directory management console i have set lockout account after 3 login attempts. Account does get locked out but i dont know which attribute gets set in user profile to indicate the same? 2) For account inactivation i am setting nsAccountLock=true. Is this correct? When i am trying to login i always get same exception that login failed. Is there a mechanism so that i can identify why login failed ie due to password lockout or account inactivation? regards, Ankur __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From ulf.weltman at hp.com Tue Dec 26 20:56:59 2006 From: ulf.weltman at hp.com (Ulf Weltman) Date: Tue, 26 Dec 2006 12:56:59 -0800 Subject: [Fedora-directory-users] Password lockout and Account inactivation In-Reply-To: <548207.25864.qm@web54114.mail.yahoo.com> References: <548207.25864.qm@web54114.mail.yahoo.com> Message-ID: <45918C9B.5080106@hp.com> Ankur Agarwal wrote: > Hi, > > In my application i need to implement password lockout (after 3 > unsuccessful attempts) and account inactivation by admin. I am using > Weblogic security provider for authenticating my users residing in > redhat LDAP. I have 2 questions: > > 1) Using directory management console i have set lockout account after > 3 login attempts. Account does get locked out but i dont know which > attribute gets set in user profile to indicate the same? The attribute accountUnlockTime gets set to a generalized timestamp. Depending on your policy it will either be the time when the user is due to be unlocked, or the magic timestamp 19700101000000Z if he's locked out forever. It's operational and needs to be requested if searched: ldapsearch [-x] -D "cn=directory manager" -w -b "(objectclass=*)" accountunlocktime > > 2) For account inactivation i am setting nsAccountLock=true. 
Is this > correct? > > When i am trying to login i always get same exception that login > failed. Is there a mechanism so that i can identify why login failed > ie due to password lockout or account inactivation? The LDAP result code is 53 (DSA unwilling to perform) when an inactivated user tries to bind. There's also some status text, "Account inactivated. Contact system administrator." In the case where the user is locked out due to incorrect passwords the code is 19 (constraint violation) with status text of "Exceed retry limit. Contact system administrator to reset." You can verify the output and result code with ldapsearch: ldapsearch [-x] -D -w -s base -b "" "(objectclass=*)" echo $? > > regards, > Ankur > > __________________________________________________ > Do You Yahoo!? > Tired of spam? Yahoo! Mail has the best spam protection around > http://mail.yahoo.com > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From bachelor_junaid at yahoo.com Wed Dec 27 08:28:54 2006 From: bachelor_junaid at yahoo.com (Junaid) Date: Wed, 27 Dec 2006 00:28:54 -0800 (PST) Subject: [Fedora-directory-users] Do any one know Solution Message-ID: <152888.92203.qm@web51413.mail.yahoo.com> Can any one help me, when i install FDS on FC4 and startconsole then following error occurs. Please tell me what to do to start console. the error is [root at fedorasix fedora-ds]# ./startconsole GC Warning: Out of Memory! Returning NIL! GC Warning: Out of Memory! Returning NIL! Exception in thread "main" GC Warning: Out of Memory! Returning NIL! java.lang.OutOfMemoryError GC Warning: Out of Memory! Returning NIL! *** Catastrophic failure while handling uncaught exception. GC Warning: Out of Memory! Returning NIL! 
[root at fedorasix fedora-ds]# I am waiting for reply.Thankx __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From khankhn2 at gmail.com Wed Dec 27 09:33:57 2006 From: khankhn2 at gmail.com (Linux Kid) Date: Wed, 27 Dec 2006 14:33:57 +0500 Subject: [Fedora-directory-users] Hello plz resolve my problem Message-ID: <6bacfd1c0612270133v6142e30eh369ca195647cc322@mail.gmail.com> I am Waiting for FDS help but no one is helping me. -------------- next part -------------- An HTML attachment was scrubbed... URL: From patrick.morris at hp.com Wed Dec 27 16:30:13 2006 From: patrick.morris at hp.com (Morris, Patrick) Date: Wed, 27 Dec 2006 11:30:13 -0500 Subject: [Fedora-directory-users] Re: User not found in LDAP In-Reply-To: <6bacfd1c0612260030me5df5f8oee189d81986bc120@mail.gmail.com> Message-ID: Does that group exist in LDAP? Have you configured the machine to look for it there? One of the reasons you're not getting responses is probably because you haven't mentioned anything you've done to troubleshoot this, any configuration you've done, or any specifics about the system(s) you're having trouble with. It makes it very difficult to know where to start. 
> -----Original Message----- > From: fedora-directory-users-bounces at redhat.com > [mailto:fedora-directory-users-bounces at redhat.com] On Behalf > Of Linux Kid > Sent: Tuesday, December 26, 2006 12:31 AM > To: fedora-directory-users at redhat.com > Subject: [Fedora-directory-users] Fwd: Fedora-directory-users > Digest, Vol 19, Issue 23 > > > Reminder # 01 > > help me plz > > Message: 2 > Date: Wed, 20 Dec 2006 14:42:19 +0500 > From: "Linux Kid" > Subject: [Fedora-directory-users] help about RedHat Directory Server > To: fedora-directory-users at redhat.com > Message-ID: > <6bacfd1c0612200142h24edda9cs156c8c34cd9dd990 at mail.gmail.com > > Content-Type: text/plain; charset="iso-8859-1" > > I need help about how to users in Redhat Directory Server. > > 1. First to Add on a system with a command line [useradd] > and then add in > RDS > 2. First add in RDS and then with useradd because i am > getting this error. > > [root at station4 ~]# su - ali > id: cannot find name for group ID 501 > [ali at station4 ~]$ > > > where station4 is client , and home directory of RDS server > is mounted here. > and that user is added in server. > > So why i am getting this error, kindly waiting for a fast reply. > > Regards > Linux Kid > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: > https://www.redhat.com/archives/fedora-directory-users/attachm > ents/20061220/6532fe92/attachment.html > > > > From nicholas.byrne at quadriga.com Wed Dec 27 16:39:12 2006 From: nicholas.byrne at quadriga.com (Nicholas Byrne) Date: Wed, 27 Dec 2006 16:39:12 +0000 Subject: [Fedora-directory-users] Fwd: Fedora-directory-users Digest, Vol 19, Issue 23 In-Reply-To: <6bacfd1c0612260030me5df5f8oee189d81986bc120@mail.gmail.com> References: <20061220170006.BC82573638@hormel.redhat.com> <6bacfd1c0612260030me5df5f8oee189d81986bc120@mail.gmail.com> Message-ID: <4592A1B0.7090200@quadriga.com> 1. I don't think you will be able to use the standard "useradd" command. 
It would need to be ldap enabled to insert an entry into the directory. You could script it or look for a script to do it. 2. Can you tell us a little more about your configuration - does the entry in the directory for "ali" have posix attributes enabled? What is the configuration in your /etc/nsswitch.conf and /etc/ldap.conf? If using SSL or TLS do you have the CA cert installed on the client? Linux Kid wrote: > > Reminder # 01 > > help me plz > > Message: 2 > Date: Wed, 20 Dec 2006 14:42:19 +0500 > From: "Linux Kid" > > Subject: [Fedora-directory-users] help about RedHat Directory Server > To: fedora-directory-users at redhat.com > > Message-ID: > <6bacfd1c0612200142h24edda9cs156c8c34cd9dd990 at mail.gmail.com > > > Content-Type: text/plain; charset="iso-8859-1" > > I need help about how to users in Redhat Directory Server. > > 1. First to Add on a system with a command line [useradd] and then > add in > RDS > 2. First add in RDS and then with useradd because i am getting this > error. > > [root at station4 ~]# su - ali > id: cannot find name for group ID 501 > [ali at station4 ~]$ > > > where station4 is client , and home directory of RDS server is mounted > here. > and that user is added in server. > > So why i am getting this error, kindly waiting for a fast reply. > > Regards > Linux Kid > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: > https://www.redhat.com/archives/fedora-directory-users/attachments/20061220/6532fe92/attachment.html > > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > This e-mail is the property of Quadriga Worldwide Ltd, intended for the addressee only and confidential. Any dissemination, copying or distribution of this message or any attachments is strictly prohibited. 
If you have received this message in error, please notify us immediately by replying to the message and deleting it from your computer. Messages sent to and from Quadriga may be monitored. Quadriga cannot guarantee any message delivery method is secure or error-free. Information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. We do not accept responsibility for any errors or omissions in this message and/or attachment that arise as a result of transmission. You should carry out your own virus checks before opening any attachment. Any views or opinions presented are solely those of the author and do not necessarily represent those of Quadriga. From jimh at u.washington.edu Wed Dec 27 18:01:42 2006 From: jimh at u.washington.edu (Jim Hogan) Date: Wed, 27 Dec 2006 10:01:42 -0800 Subject: [Fedora-directory-users] Kerberos/Samba/LDAP? Was: FDS - using one password for Samba and Linux accounts In-Reply-To: <45633513.6000106@redhat.com> References: <45633513.6000106@redhat.com> Message-ID: <4592B506.3070909@u.washington.edu> I have a brand-new Samba 3.x domain working with LDAP/FDS backend; this is just for my small (university) department of ~350 users. The university operates an overarching Kerberos realm. My best possible case would be to use that Kerberos realm for authentication/password but continue to maintain department LDAP for actual user/group authorization/rights. If I can get everything to use people's existing university password, that would be very sweet; failing that, I have to give out about 300 passwords in the next month :( I see the FDS Kerberos Howto, and it seems to make Kerberos integration pretty simple, but what is not clear to me is whether it is possible to pass this Kerberos authentication through to Samba clients. 
The few references I see to Samba-Kerberos integration modify the smb.conf with direct references to kerberos realm and keytab that would seem to result in: Samba ----> Kerberos _____ <---- ________ where what I think I want is more like: Samba ----> LDAP ----> Kerberos _____ <---- ____ <---- ________ (sorry for the awful ASCII!) where I retain "passdb backend = ldapsam:ldap://x.x.x.x" as the user/group store, but where LDAP refers to Kerberos for authn/passwd. I was going to pose this question to the Samba users list, but I thought there might be more value to ask first whether anyone has worked on this in a FDS context. Not to say anything bad about other LDAP servers, but I can sometimes find it hard to map integration discussions that use OpenLDAP examples to my situation. So, anyone on the list running a completely integrated Samba/FDS/Kerberos setup that references an overarching Kerberos realm? Thanks, Jim Richard Megginson wrote: > Saravana Kumar wrote: >> Hi List, >> >> I have FDS configured in the server. There are windows and Linux >> client in >> our network. Windows users also have Linux. >> Linux clients are authenticating to fds. Samba server is running in a >> different server and refers to the fds server(ldapbackend). For >> windows i >> had to create a separate password with smbpasswd -a username for each >> user >> which means samba password can be different from Linux password. Also >> the >> password policy doesn't apply to the smbpasswd i create. >> >> Is there a way to use one password for both windows and linux logins? >> > No. This has been on our wishlist for some time now. 
> http://directory.fedora.redhat.com/wiki/Wishlist#Passwords >> TIA, >> SK >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> From dmacpher at vfs.com Wed Dec 27 18:10:31 2006 From: dmacpher at vfs.com (Derrick MacPherson) Date: Wed, 27 Dec 2006 10:10:31 -0800 Subject: [Fedora-directory-users] Do any one know Solution In-Reply-To: <152888.92203.qm@web51413.mail.yahoo.com> Message-ID: <005401c729e2$4c75ba40$64010a0a@dpc> Check to see which java is being used: look under /etc/alternatives; it should NOT be pointing to the system java, but the Sun or IBM version of Java. _____ From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Junaid Sent: Wednesday, December 27, 2006 12:29 AM To: fedora-directory-users at redhat.com Subject: [Fedora-directory-users] Do any one know Solution Can any one help me, when i install FDS on FC4 and startconsole then following error occurs. Please tell me what to do to start console. the error is [root at fedorasix fedora-ds]# ./startconsole GC Warning: Out of Memory! Returning NIL! GC Warning: Out of Memory! Returning NIL! Exception in thread "main" GC Warning: Out of Memory! Returning NIL! java.lang.OutOfMemoryError GC Warning: Out of Memory! Returning NIL! *** Catastrophic failure while handling uncaught exception. GC Warning: Out of Memory! Returning NIL! [root at fedorasix fedora-ds]# I am waiting for reply.Thankx 
From mike at subfocal.net Thu Dec 28 10:45:48 2006 From: mike at subfocal.net (Mike Mueller) Date: Thu, 28 Dec 2006 05:45:48 -0500 Subject: [Fedora-directory-users] Can't connect to admin server as Directory Manager In-Reply-To: <99de6f1f0612241910m3727e485o78a21ffbd1d6e8e2@mail.gmail.com> References: <20061224141515.GQ3022@cox.net> <99de6f1f0612241910m3727e485o78a21ffbd1d6e8e2@mail.gmail.com> Message-ID: I hate to do this, but I'd really appreciate it if someone has any thoughts about my problem using the GUI admin console. I'm completely stuck. (In other words, "bump") Mike On 12/24/06, Bob Rossi wrote: > Could it be uninterruptible sleep? Just think about it. > > > On Sat, Dec 23, 2006 at 05:18:42AM -0500, Mike Mueller wrote: > > > I just did a fresh install of FDS 1.0.4 on a Gentoo Linux workstation > > > (built manually, not from RPM). After running the setup script to > > > install it, everything appears to be working, except I can't login to > > > the admin console. I can connect to the server via the web browser on > > > my admin port (9419) and authenticate fine there. > > > > > > However, when I start the console up, I do: > > > > > > User ID: cn=Directory Manager > > > Password: > > > Administration URL: http://hostname.domain.com:9419/ > > > > > > The dialog that I get says: > > > > > > "Cannot logon because of an incorrect User ID, > > > Incorrect password or Directory problem. > > > > > > HttpException > > > Response: HTTP/1.1 401 Authorization Required > > > Status: 401 > > > URL: http://hostname.domain.com:9419/admin-serv/authenticate" > > > > > > I made sure that the admin server isn't configured to block any hosts > > > or IP addresses (set them both to '*' in the local.conf file). 
> > > > > > Here's what the error log says: > > > > > > [Sat Dec 23 05:09:46 2006] [notice] [client 192.168.2.1] > > > admserv_host_ip_check: ap_get_remote_host could not resolve > > > 192.168.2.1 > > > [Sat Dec 23 05:09:46 2006] [error] [client 192.168.2.1] user > > > cn=Directory Manager not found: /admin-serv/authenticate > > > > > > How could the "cn=Directory Manager" user be not found? Doesn't it > > > always exist? Yes, I used the default name for this user when I ran > > > setup. > > > > > > Any input would be appreciated! > > > > > > Thanks, > > > Mike > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > From hyc at symas.com Thu Dec 28 19:14:40 2006 From: hyc at symas.com (Howard Chu) Date: Thu, 28 Dec 2006 11:14:40 -0800 Subject: [Fedora-directory-users] Re: Kerberos/Samba/LDAP? Was: FDS - using one password for Samba In-Reply-To: <20061228170004.D1A717349C@hormel.redhat.com> References: <20061228170004.D1A717349C@hormel.redhat.com> Message-ID: <459417A0.5090907@symas.com> > Date: Wed, 27 Dec 2006 10:01:42 -0800 > From: Jim Hogan > I have a brand-new Samba 3.x domain working with LDAP/FDS backend; this > is just for my small (university) department of ~350 users. The > university operates an overarching Kerberos realm. My best possible > case would be to use that Kerberos realm for authentication/password but > continue to maintain department LDAP for actual user/group > authorization/rights. If I can get everything to use people's existing > university password, that would be very sweet; failing that, I have to > give out about 300 passwords in the next month :( > > I see the FDS Kerberos Howto, and it seems to make Kerberos integration > pretty simple, but what is not clear to me is whether it is possible to > pass this Kerberos authentication through to Samba clients. 
The few > references I see to Samba-Kerberos integration modify the smb.conf with > direct references to kerberos realm and keytab that would seem to result in: > > Samba ----> Kerberos > _____ <---- ________ > > where what I think I want is more like: > > Samba ----> LDAP ----> Kerberos > _____ <---- ____ <---- ________ > > (sorry for the awful ASCII!) where I retain "passdb backend = > ldapsam:ldap://x.x.x.x" as the user/group store, but where LDAP refers > to Kerberos for authn/passwd. > > I was going to pose this question to the Samba users list, but I thought > there might be more value to ask first whether anyone has worked on this > in a FDS context. Not to say anything bad about other LDAP servers, but > I can sometimes find it hard to map integration discussions that use > OpenLDAP examples to my situation. > > So, anyone on the list running a completely integrated > Samba/FDS/Kerberos setup that references an overarching Kerberos realm? You're confusing some of these steps. First of all, the direct Samba -> Kerberos route is only talking about a very special case - an SMB client with its own TGT, getting a service ticket from Kerberos for talking to Samba. In this case, Samba uses Kerberos as the actual client authentication mechanism. And as noted here: http://www.mail-archive.com/samba at lists.samba.org/msg80208.html this only works in Samba3 when Samba is talking to a real ActiveDirectory server. When Samba is configured to talk directly to LDAP, it only uses it as a data store, not as an authentication mechanism. In that case, it is expecting to find sambaNTPassword or sambaLMPassword attributes in the LDAP store, so that it can validate the authentication itself. As such, your Samba -> LDAP -> Kerberos picture doesn't apply. Currently the only way to have all of these things integrated in one place is to use the OpenLDAP server with smbk5pwd module, with Heimdal KDC using OpenLDAP as its data store, and Samba using OpenLDAP as its data store. 
I've contributed code to the Fedora project to assist them along these same lines but it's still missing secure ldapi:// support and a few other things, so AFAIK OpenLDAP is the only solution at the moment. The only way you could set things up so that authentication works as you want is if the clients send plaintext passwords over the wire. That's obviously a bad idea to begin with, and for recent clients (W2K etc) it's not even an option. If your existing Kerberos KDC is not Heimdal, and you don't have the option of migrating to Heimdal, then I think you're out of luck. I know that there's preliminary support for LDAP in recent MIT releases, but my experience with MIT Kerberos has been pretty unsatisfactory over the years. They only recently took steps to make their library thread-safe, and their library performance is still several times slower than Heimdal's, making it unsuitable for busy sites. Even if you decided to switch to using Heimdal integrated with LDAP, you still need the NTLM keys, which you cannot derive from the Kerberos keys, so I think you're looking at regenerating your ~300 passwords regardless. Of course, there's always the brute force approach of running a password cracker on the KDC database to try to guess the original plaintext. It's a self-defeating activity but I've been cajoled into doing it in the past. (It takes a long time, you may not successfully crack all the accounts, and succeeding only means that your users have poorly chosen passwords that they ought to change anyway.) -- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc OpenLDAP Core Team http://www.openldap.org/project/ From jimh at u.washington.edu Thu Dec 28 20:16:46 2006 From: jimh at u.washington.edu (Jim Hogan) Date: Thu, 28 Dec 2006 12:16:46 -0800 Subject: [Fedora-directory-users] Re: Kerberos/Samba/LDAP? 
Was: FDS - using one password for Samba In-Reply-To: <459417A0.5090907@symas.com> References: <20061228170004.D1A717349C@hormel.redhat.com> <459417A0.5090907@symas.com> Message-ID: <4594262E.4030905@u.washington.edu> Howard, Howard Chu wrote: >> Date: Wed, 27 Dec 2006 10:01:42 -0800 >> From: Jim Hogan >> I have a brand-new Samba 3.x domain working with LDAP/FDS backend; >> this is just for my small (university) department of ~350 users. >> The university operates an overarching Kerberos realm. My best >> possible case would be to use that Kerberos realm for >> authentication/password but continue to maintain department LDAP for >> actual user/group authorization/rights. If I can get everything to >> use people's existing university password, that would be very sweet; >> failing that, I have to give out about 300 passwords in the next >> month :( >> >> I see the FDS Kerberos Howto, and it seems to make Kerberos >> integration pretty simple, but what is not clear to me is whether it >> is possible to pass this Kerberos authentication through to Samba >> clients. The few references I see to Samba-Kerberos integration >> modify the smb.conf with direct references to kerberos realm and >> keytab that would seem to result in: >> Samba ----> Kerberos >> _____ <---- ________ >> where what I think I want is more like: >> Samba ----> LDAP ----> Kerberos >> _____ <---- ____ <---- ________ >> (sorry for the awful ASCII!) where I retain "passdb backend = >> ldapsam:ldap://x.x.x.x" as the user/group store, but where LDAP >> refers to Kerberos for authn/passwd. >> I was going to pose this question to the Samba users list, but I >> thought there might be more value to ask first whether anyone has >> worked on this in a FDS context. Not to say anything bad about other >> LDAP servers, but I can sometimes find it hard to map integration >> discussions that use OpenLDAP examples to my situation. 
>> So, anyone on the list running a completely integrated Samba/FDS/Kerberos setup that references an overarching Kerberos realm?
>
> You're confusing some of these steps.

That happens on a regular basis :( To say that I understand Kerberos poorly would be charitable.

> First of all, the direct Samba -> Kerberos route is only talking about a very special case - an SMB client with its own TGT, getting a service ticket from Kerberos for talking to Samba. In this case, Samba uses Kerberos as the actual client authentication mechanism. And as noted here:
> http://www.mail-archive.com/samba at lists.samba.org/msg80208.html
> this only works in Samba3 when Samba is talking to a real ActiveDirectory server.

Yes. While my little diagram might still hold some water from a "desired effect" basis, the more I looked at it, the more it seemed obvious that there would need to be a client TGT, not some imagined LDAP pass-through.

> When Samba is configured to talk directly to LDAP, it only uses it as a data store, not as an authentication mechanism. In that case, it is expecting to find sambaNTPassword or sambaLMPassword attributes in the LDAP store, so that it can validate the authentication itself. As such, your Samba -> LDAP -> Kerberos picture doesn't apply.
>
> Currently the only way to have all of these things integrated in one place is to use the OpenLDAP server with smbk5pwd module, with Heimdal KDC using OpenLDAP as its data store, and Samba using OpenLDAP as its data store. I've contributed code to the Fedora project to assist them along these same lines but it's still missing secure ldapi:// support and a few other things, so AFAIK OpenLDAP is the only solution at the moment.

Thanks for your contributions on all fronts. I debated OpenLDAP vs. FDS for some time, and wound up deploying FDS in part due to admin tools and some built-in self-service functionality.
> The only way you could set things up so that authentication works as you want is if the clients send plaintext passwords over the wire. That's obviously a bad idea to begin with, and for recent clients (W2K etc) it's not even an option.
>
> If your existing Kerberos KDC is not Heimdal, and you don't have the option of migrating to Heimdal, then I think you're out of luck.

The gent who can answer that question is on vacation, but I bet I am out of luck :)

> I know that there's preliminary support for LDAP in recent MIT releases, but my experience with MIT Kerberos has been pretty unsatisfactory over the years. They only recently took steps to make their library thread-safe, and their library performance is still several times slower than Heimdal's, making it unsuitable for busy sites. Even if you decided to switch to using Heimdal integrated with LDAP, you still need the NTLM keys, which you cannot derive from the Kerberos keys, so I think you're looking at regenerating your ~300 passwords regardless.

Some of the necessary steps here seem to imply a degree of control (NTLM Keys) over Kerberos infrastructure which I will never have. Whatever I do WRT our university Kerberos, it will have to be as a basic, unprivileged client. I don't know enough to contemplate whether running our own Kerberos service of some type would be of any use.

> Of course, there's always the brute force approach of running a password cracker on the KDC database to try to guess the original plaintext. It's a self-defeating activity but I've been cajoled into doing it in the past. (It takes a long time, you may not successfully crack all the accounts, and succeeding only means that your users have poorly chosen passwords that they ought to change anyway.)

I don't think any brute force is in my future ('tho you just reminded me to try to figure out why my smb.conf minimum password length isn't working!!)

Thanks very much for this exhaustive reply.
Being restless during this break week I posted a similar question to Samba list, but perhaps I can reference your response there to forestall any other time-consuming effort to reply.....

Cheers,
Jim

From duncan at zenoss.com Sun Dec 31 03:11:49 2006
From: duncan at zenoss.com (Duncan McGreggor)
Date: Sat, 30 Dec 2006 20:11:49 -0700
Subject: [Fedora-directory-users] New install with Admin Server issues
Message-ID:

Hey all,

I'm having some troubles with the Admin Server (web). First, some details:

* This is my first experience with FDS
* I'm running Debian and followed the install instructions here: http://directory.fedora.redhat.com/wiki/Howto:DebianUbuntu
* I created/installed the debian package from fedora-ds-1.0.4-1.RHEL3.i386.opt.rpm
* I can run the java console application, login, create entries, etc.
* I'm a python coder, not a java one, so I have no idea about the java stuff.

Here are the issues I am seeing:

1) clicking on the "help" buttons on the java console results in a download dialog with the following message: The file "help" is of type application/octect-stream...
2) Clicking the "Restart" button (admin tasks) on the java console results in a 404
3) Attempting to visit the url http://myhost:62332/ results in a download dialog
4) If I download the file, open it and read it, it's a binary file. The file begins with the following:

ELF,?484  (44?4????? ??????@D  ? ???((?(?  Q?td/lib/ld-linux.so. 2GNU

And then later in the file, there is this:

Error: %s NETSITE_ROOT%s%cdsgwNETSITE_ROOT not found%s%cdist%c% suxmccntmccwinmcc%s:%sHTTP_ACCEPT_LANGUAGE,r, Content-type: text/html