[Fedora-directory-users] RE: Fedora-directory-users Digest, Vol 19, Issue 1

t b mxheadroom at hotmail.com
Fri Dec 1 20:14:31 UTC 2006


My logs seem to indicate that the connection is being encrypted; I can ssh 
to a client server and get the password prompt, but when I enter the 
password it just returns me to the password prompt again.

[01/Dec/2006:19:47:44 -0500] conn=650 fd=69 slot=69 connection from xxx.xxx.xxx.xxx to xxx.xxx.xxx.xxx
[01/Dec/2006:19:47:44 -0500] conn=650 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[01/Dec/2006:19:47:44 -0500] conn=650 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[01/Dec/2006:19:47:44 -0500] conn=650 SSL 256-bit AES
[01/Dec/2006:19:47:44 -0500] conn=650 op=1 UNBIND
[01/Dec/2006:19:47:44 -0500] conn=650 op=1 fd=69 closed - U1

If I disable TLS everything works fine; the client server can query the FDS 
and auth the client properly.

I am not sure if the problem has to do with the pam_ldap config not being 
properly formatted or the cert file not being in the proper format.

Does anyone have an example of what the pam_ldap config should look like, or 
suggestions on checking whether the cert file is in the proper format?

Also, what's the UNBIND shown in the logs?

Thanks
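The access log quoted above shows conn=650 negotiating startTLS (RESULT err=0, then "SSL 256-bit AES") and then sending UNBIND, the LDAP operation a client uses to end its session, with no BIND in between: the client closed the session cleanly before ever authenticating. The Python script below is an added example, not part of this thread or of Fedora DS, that parses lines in that access-log shape, reports per connection whether TLS was negotiated, and flags the two patterns a defender wants pulled out of such a log: TLS established but no BIND or search before UNBIND (the symptom here), and a BIND sent over a cleartext connection (a simple bind carries the password unprotected when TLS is disabled, as in the workaround described above). The sample log, its addresses and DNs are constructed; conn=650 reproduces the exact sequence from the post.

```python
import re

# Constructed sample in the shape of the Fedora DS access log quoted in the post.
# Addresses and DNs are made up; conn=650 reproduces the sequence from the post
# (startTLS, RESULT err=0, SSL negotiated, then UNBIND with no BIND in between).
SAMPLE_LOG = """\
[01/Dec/2006:19:47:44 -0500] conn=650 fd=69 slot=69 connection from 192.0.2.10 to 192.0.2.1
[01/Dec/2006:19:47:44 -0500] conn=650 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[01/Dec/2006:19:47:44 -0500] conn=650 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[01/Dec/2006:19:47:44 -0500] conn=650 SSL 256-bit AES
[01/Dec/2006:19:47:44 -0500] conn=650 op=1 UNBIND
[01/Dec/2006:19:47:44 -0500] conn=650 op=1 fd=69 closed - U1
[01/Dec/2006:19:48:02 -0500] conn=651 fd=70 slot=70 connection from 192.0.2.11 to 192.0.2.1
[01/Dec/2006:19:48:02 -0500] conn=651 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[01/Dec/2006:19:48:02 -0500] conn=651 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[01/Dec/2006:19:48:02 -0500] conn=651 SSL 256-bit AES
[01/Dec/2006:19:48:02 -0500] conn=651 op=1 BIND dn="uid=alice,ou=People,dc=example,dc=com" method=128 version=3
[01/Dec/2006:19:48:02 -0500] conn=651 op=1 RESULT err=0 tag=97 nentries=0 etime=0
[01/Dec/2006:19:48:02 -0500] conn=651 op=2 UNBIND
[01/Dec/2006:19:48:02 -0500] conn=651 op=2 fd=70 closed - U1
[01/Dec/2006:19:49:10 -0500] conn=652 fd=71 slot=71 connection from 192.0.2.12 to 192.0.2.1
[01/Dec/2006:19:49:10 -0500] conn=652 op=0 BIND dn="uid=bob,ou=People,dc=example,dc=com" method=128 version=3
[01/Dec/2006:19:49:10 -0500] conn=652 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[01/Dec/2006:19:49:10 -0500] conn=652 op=1 UNBIND
[01/Dec/2006:19:49:10 -0500] conn=652 op=1 fd=71 closed - U1
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$')
PEER_RE = re.compile(r'^fd=\d+ slot=\d+ connection from (?P<src>\S+) to (?P<dst>\S+)')
SSL_RE = re.compile(r'^SSL (?P<cipher>.+)$')
BIND_RE = re.compile(r'^op=\d+ BIND dn="(?P<dn>[^"]*)"')
SRCH_RE = re.compile(r'^op=\d+ SRCH ')
UNBIND_RE = re.compile(r'^op=\d+ UNBIND$')


def _new_conn():
    return {"peer": None, "starttls": False, "cipher": None,
            "binds": [], "searches": 0, "unbind": False}


def parse_access_log(text):
    """Group access-log lines by conn number and record the TLS/bind facts."""
    conns = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an access-log line in the shape we understand
        conn = conns.setdefault(int(m.group("conn")), _new_conn())
        rest = m.group("rest")
        peer, ssl, bind = PEER_RE.match(rest), SSL_RE.match(rest), BIND_RE.match(rest)
        if peer:
            conn["peer"] = peer.group("src")
        elif 'name="startTLS"' in rest:
            conn["starttls"] = True          # client asked for startTLS
        elif ssl:
            conn["cipher"] = ssl.group("cipher")  # server reports TLS is up
        elif bind:
            conn["binds"].append(bind.group("dn"))  # dn="" is an anonymous bind
        elif SRCH_RE.match(rest):
            conn["searches"] += 1
        elif UNBIND_RE.match(rest):
            conn["unbind"] = True            # client ended the session itself
    return conns


def is_encrypted(conn):
    """True once the server logged an 'SSL <cipher>' line for the connection."""
    return conn["cipher"] is not None


def find_tls_without_bind(conns):
    """Connections that negotiated TLS, then unbound without any BIND or search."""
    return sorted(n for n, c in conns.items()
                  if is_encrypted(c) and not c["binds"]
                  and c["searches"] == 0 and c["unbind"])


def find_cleartext_binds(conns):
    """Connections where a BIND was sent with no TLS in place (password exposed)."""
    return sorted(n for n, c in conns.items() if c["binds"] and not is_encrypted(c))


def report(conns):
    """One summary line per connection, in conn order."""
    lines = []
    for n, c in sorted(conns.items()):
        enc = c["cipher"] if is_encrypted(c) else "cleartext"
        who = ", ".join(d or "<anonymous>" for d in c["binds"]) or "no BIND"
        lines.append(f"conn={n} from {c['peer']}: {enc}; {who}; searches={c['searches']}")
    return lines


if __name__ == "__main__":
    parsed = parse_access_log(SAMPLE_LOG)
    print("\n".join(report(parsed)))
    print("TLS up but client unbound before authenticating:", find_tls_without_bind(parsed))
    print("BIND sent over a cleartext connection:", find_cleartext_binds(parsed))
```

Run against a real access log by replacing SAMPLE_LOG with the file contents; the "TLS up but no BIND" list is the set of connections to correlate with the client's own PAM/LDAP debug output, since the server side shows nothing wrong for them.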

>From: fedora-directory-users-request at redhat.com
>Reply-To: fedora-directory-users at redhat.com
>To: fedora-directory-users at redhat.com
>Subject: Fedora-directory-users Digest, Vol 19, Issue 1
>Date: Fri,  1 Dec 2006 12:00:06 -0500 (EST)
>
>Send Fedora-directory-users mailing list submissions to
>	fedora-directory-users at redhat.com
>
>To subscribe or unsubscribe via the World Wide Web, visit
>	https://www.redhat.com/mailman/listinfo/fedora-directory-users
>or, via email, send a message with subject or body 'help' to
>	fedora-directory-users-request at redhat.com
>
>You can reach the person managing the list at
>	fedora-directory-users-owner at redhat.com
>
>When replying, please edit your Subject line so it is more specific
>than "Re: Contents of Fedora-directory-users digest..."
>
>
>Today's Topics:
>
>    1. pam_ldap with SSL/TLS (t b)
>    2. RE: pam_ldap with SSL/TLS (Morris, Patrick)
>    3. Re: pam_ldap with SSL/TLS (Richard Megginson)
>    4. Problem with SSL console in X in specific circumstances
>       (Philip Kime)
>    5. FW: [Fedora-directory-users] Extracting details from
>       ActiveDirectoryto FDS (Paxton, Darren)
>    6. alias in fedora directory server (patrick ndjientcheu ngandjui)
>    7. Re: FW: [Fedora-directory-users] Extracting details from
>       ActiveDirectoryto FDS (Nicholas Byrne)
>    8. Re: Memory usage (koniczynek)
>    9. Re: Memory usage (David Boreham)
>   10. Re: Memory usage (koniczynek)
>
>
>----------------------------------------------------------------------
>
>Message: 1
>Date: Thu, 30 Nov 2006 12:31:50 -0500
>From: "t b" <mxheadroom at hotmail.com>
>Subject: [Fedora-directory-users] pam_ldap with SSL/TLS
>To: fedora-directory-users at redhat.com
>Message-ID: <BAY116-F322745E96D702ED748B1D0CDDB0 at phx.gbl>
>Content-Type: text/plain; format=flowed
>
>I am trying to set up pam_ldap to use TLS to communicate with the FDS, but
>I'm having lots of problems doing so; it works if I use the unencrypted way but
>not if I use ldaps (port 636).
>
>I used the instructions at,
>http://directory.fedora.redhat.com/wiki/Howto:PAM
>
>Has anyone gotten PAM to work with TLS?
>
>
>Thanks
>
>
>
>
>------------------------------
>
>Message: 2
>Date: Thu, 30 Nov 2006 13:00:56 -0500
>From: "Morris, Patrick" <patrick.morris at hp.com>
>Subject: RE: [Fedora-directory-users] pam_ldap with SSL/TLS
>To: "General discussion list for the Fedora Directory server project."
>	<fedora-directory-users at redhat.com>
>Message-ID:
>	<CD18C81835E18A40A64C4A0D16A237BE05FE850D at ATAEXC01.americas.cpqcorp.net>
>
>Content-Type: text/plain;	charset="US-ASCII"
>
> > I am trying to setup pam_ldap to use TLS to communicate with
> > the FDS, but having lots of problems doing so; it works if I
> > use the unencrypted way but not if I use ldaps ( port 636 )
>
>Someone should jump in here and correct me if I'm wrong, but I believe
>it's normal for TLS connections to happen on the standard LDAP port.
>You should be able to tell from your logs whether the connection is
>encrypted or not.
>
>
>
>------------------------------
>
>Message: 3
>Date: Thu, 30 Nov 2006 11:08:08 -0700
>From: Richard Megginson <rmeggins at redhat.com>
>Subject: Re: [Fedora-directory-users] pam_ldap with SSL/TLS
>To: "General discussion list for the Fedora Directory server project."
>	<fedora-directory-users at redhat.com>
>Message-ID: <456F1E08.40601 at redhat.com>
>Content-Type: text/plain; charset="iso-8859-1"
>
>Morris, Patrick wrote:
> >> I am trying to setup pam_ldap to use TLS to communicate with
> >> the FDS, but having lots of problems doing so; it works if I
> >> use the unencrypted way but not if I use ldaps ( port 636 )
> >>
> >
> > Someone should jump in here and correct me if I'm wrong, but I believe
> > it's normal for TLS connections to happen on the standard LDAP port.
> > You should be able to tell from your logs whether the connection is
> > encrypted or not.
> >
>Yes.  The LDAP "preferred" way is to use the startTLS extended operation
>which starts a TLS session on the non-secure port.  This will be logged
>in the access log.
> > --
> > Fedora-directory-users mailing list
> > Fedora-directory-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >
>
>------------------------------
>
>Message: 4
>Date: Thu, 30 Nov 2006 18:02:55 -0800
>From: "Philip Kime" <pkime at Shopzilla.com>
>Subject: [Fedora-directory-users] Problem with SSL console in X in
>	specific circumstances
>To: <fedora-directory-users at redhat.com>
>Message-ID:
>	<9C0091F428E697439E7A773FFD083427435BE3 at szexchange.Shopzilla.inc>
>Content-Type: text/plain; charset="us-ascii"
>
>Here's the problem:
>
>Running startconsole (SSL) to a remote display on a PC X-server (xwin32)
>works fine and requires that my windows home dir on the PC X-server
>machine has .fedora-console/ containing cert8.db and key3.db, as you'd
>expect. If I rename this dir, the console hangs at the splash screen. So
>far, so good, all makes sense.
>
>If I try the same thing to cygwin's X server on same machine or to an X
>server on a Mac running OSX, startconsole always hangs as if it can't
>find ~/.fedora-console on the local machine. I've tried copying this dir
>to what cygwin/OSX thinks is the user's home dir but no luck. Where
>should I put the Cert db files under "real" UNIX X to get the SSL
>console to work? Also tried ~/.mmc as per the docs but I could never get
>this to work.
>
>PK
>
>--
>Philip Kime
>NOPS Systems Architect
>310 401 0407
>
>
>------------------------------
>
>Message: 5
>Date: Fri, 1 Dec 2006 08:04:30 -0000
>From: "Paxton, Darren" <Darren.Paxton at mercer.com>
>Subject: FW: [Fedora-directory-users] Extracting details from
>	ActiveDirectoryto FDS
>To: <Fedora-directory-users at redhat.com>
>Message-ID:
>	<52F7C07B119CF4439B7EFBFE0FB3256B027CBD02 at eidwpexms06.mercer.com>
>Content-Type: text/plain; charset="us-ascii"
>
>
>------------------------------
>
>Message: 6
>Date: Fri, 1 Dec 2006 08:10:42 +0000 (GMT)
>From: patrick ndjientcheu ngandjui <tchen_pat at yahoo.fr>
>Subject: [Fedora-directory-users] alias in fedora directory server
>To: Fedora-directory-users at redhat.com
>Message-ID: <20061201081042.78578.qmail at web25801.mail.ukl.yahoo.com>
>Content-Type: text/plain; charset="iso-8859-1"
>
>Hi,
>I would like to know how to use aliases in Fedora Directory Server. It seems 
>that they are used to point to another entry in the directory, but I don't 
>know how to use this feature. Could someone help me with this issue? I would 
>really appreciate an example.
>
>Thanks
>
>
>------------------------------
>
>Message: 7
>Date: Fri, 01 Dec 2006 11:50:13 +0000
>From: Nicholas Byrne <nicholas.byrne at quadriga.com>
>Subject: Re: FW: [Fedora-directory-users] Extracting details from
>	ActiveDirectoryto FDS
>To: "General discussion list for the Fedora Directory server project."
>	<fedora-directory-users at redhat.com>
>Message-ID: <457016F5.5030202 at quadriga.com>
>Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
>Your messages got through - you can confirm by checking the archives  -
>https://www.redhat.com/archives/fedora-directory-users/
>
>I'm a new user as well, so I'm afraid I can't answer your question, but
>if you keep asking I'm sure someone will know!
>Nick
>
>Paxton, Darren wrote:
> > Apologies for mailing yet again, however either my messages are not
> > getting through (something I don't believe as I keep getting the post
> > to the mailing list) - or for some reason, no one is willing to even
> > acknowledge my issue.
> >
> > In the spirit of the community - can someone at least acknowledge a
> > message as I find it quite disheartening that I have had no replies at
> > all even if just to point me somewhere for assistance.
> >
> > ------------------------------------------------------------------------
> > *From:* fedora-directory-users-bounces at redhat.com
> > [mailto:fedora-directory-users-bounces at redhat.com] *On Behalf Of
> > *Paxton, Darren
> > *Sent:* 30 November 2006 08:46
> > *To:* General discussion list for the Fedora Directory server project.
> > *Subject:* RE: [Fedora-directory-users] Extracting details from
> > ActiveDirectoryto FDS
> >
> > Hi
> >
> > Has anyone had any thoughts on my query or can point me in the right
> > direction?
> >
> > As is the nature of AD, I would have thought it is possible to extract
> > this information using a scope setting or something similar.
> >
> > Thanks
> >
> > Darren
> >
> >     
>------------------------------------------------------------------------
> >     *From:* fedora-directory-users-bounces at redhat.com
> >     [mailto:fedora-directory-users-bounces at redhat.com] *On Behalf Of
> >     *Paxton, Darren
> >     *Sent:* 24 November 2006 14:56
> >     *To:* fedora-directory-users at redhat.com
> >     *Subject:* [Fedora-directory-users] Extracting details from Active
> >     Directoryto FDS
> >
> >     Hi all,
> >
> >     I've been tinkering with integrating our Linux devices into our AD
> >     domain for some time and I've hit a few brick walls, however I've
> >     recently discovered FDS and the synchronisation features with AD.
> >
> >     I've managed to set up a few replication jobs, however due to the
> >     extensive nature of our AD, I've realised that the sync only takes
> >     the group and user objects from the OU or CN being specified.
> >
> >     Is there any way I can specify that it should traverse all
> >     subtrees of an OU and extract all that information back into FDS?
> >
> >     Thanks
> >
> >     Darren
> >
> >     --
> >     Darren Paxton
> >     EMEA Tier2
> >     Red Hat Certified Engineer
> >     VMware Certified Professional
> >     MGTI Centralised ops
> >
> >
>
>
>
>
>
>------------------------------
>
>Message: 8
>Date: Fri, 01 Dec 2006 16:45:28 +0100
>From: koniczynek <koniczynek at uaznia.net>
>Subject: Re: [Fedora-directory-users] Memory usage
>To: "General discussion list for the Fedora Directory server project."
>	<fedora-directory-users at redhat.com>
>Message-ID: <45704E18.3070705 at uaznia.net>
>Content-Type: text/plain; charset=ISO-8859-2; format=flowed
>
>Richard Megginson wrote:
> > This is an excellent cache/memory tuning document from a Sun employee,
> > primarily targeted to Sun DS users, but almost all of the information is
> > relevant to Fedora DS (since they share a common lineage).
> >
> > http://www.directorymanager.org/blogs/ds_cache_sizing.pdf
>Let's say I haven't got much time lately, so without thinking I changed
>nsslapd-import-cache-autosize in dse.ldif from -1 to 1, and after
>restarting I've started to receive errors like: "3 Time limit exceeded".
>Does someone know what to do? ;)
>
>--
>xmpp/email: koniczynek at uaznia.net
>xmpp/email: koniczynek at gmail.com
>
>
>
>------------------------------
>
>Message: 9
>Date: Fri, 01 Dec 2006 09:15:14 -0700
>From: David Boreham <david_list at boreham.org>
>Subject: Re: [Fedora-directory-users] Memory usage
>To: "General discussion list for the Fedora Directory server project."
>	<fedora-directory-users at redhat.com>
>Message-ID: <45705512.4070808 at boreham.org>
>Content-Type: text/plain; charset=ISO-8859-2; format=flowed
>
>koniczynek wrote:
>
> > Richard Megginson wrote:
> >
> >> This is an excellent cache/memory tuning document from a Sun
> >> employee, primarily targeted to Sun DS users, but almost all of the
> >> information is relevant to Fedora DS (since they share a common
> >> lineage).
> >>
> >> http://www.directorymanager.org/blogs/ds_cache_sizing.pdf
> >
> > Let's say I haven't got much time lately, so without thinking I changed
> > nsslapd-import-cache-autosize in dse.ldif from -1 to 1, and after
> > restarting I've started to receive errors like: "3 Time limit exceeded".
> > Does someone know what to do? ;)
> >
>Change it back ?
>
>
>
>
>
>------------------------------
>
>Message: 10
>Date: Fri, 01 Dec 2006 17:53:22 +0100
>From: koniczynek <koniczynek at uaznia.net>
>Subject: Re: [Fedora-directory-users] Memory usage
>To: "General discussion list for the Fedora Directory server project."
>	<fedora-directory-users at redhat.com>
>Message-ID: <45705E02.7020709 at uaznia.net>
>Content-Type: text/plain; charset=ISO-8859-2
>
>David Boreham, on 2006-12-01 17:15, wrote:
> >> Let's say I haven't got much time lately, so without thinking I changed
> >> nsslapd-import-cache-autosize in dse.ldif from -1 to 1, and after
> >> restarting I've started to receive errors like: "3 Time limit exceeded".
> >> Does someone know what to do? ;)
> > Change it back ?
>Man, please, show some respect ;) I did change it back, but to no avail.
>Also I can say (to stop further questions): yes, I stopped the server
>before the change.
>
>--
>email/xmpp: koniczynek at uaznia.net
>
>
>
>------------------------------
>
>
>
>End of Fedora-directory-users Digest, Vol 19, Issue 1
>*****************************************************




