From dshackel at arbor.edu Wed Feb 1 15:01:44 2006
From: dshackel at arbor.edu (Daniel Shackelford)
Date: Wed, 01 Feb 2006 10:01:44 -0500
Subject: [Fedora-directory-users] Re: Hosed sync with AD
In-Reply-To: <20060131225723.C01DF73218@hormel.redhat.com>
References: <20060131225723.C01DF73218@hormel.redhat.com>
Message-ID: <43E0CD58.1060600@arbor.edu>

Thank you David.

Anyone able to address the other questions about SSL? I was able to use the system version of ldapsearch to connect securely to my domain controller from the FDS box. I can also connect the same way to FDS. I have read that the -81 error means that there is a problem with my server cert, or the CA cert that was used to create it. I have 2 server certs signed by different CAs (nothing self-signed), and I have tried them both. The CA certs are installed, and seem to be fine. I even exported one to use on the local OpenLDAP in order to test connections to the domain controller without a problem.

Is FDS dependent on specific versions of libssl3.so or ...? The thing that confuses me the most is that it all seems to be working fine in every other case. I am still not sure there isn't a problem with my Win2003 domain controller... Ack!

>Date: Tue, 31 Jan 2006 15:17:18 -0500
>From: Daniel Shackelford
>Subject: [Fedora-directory-users] Hosed sync with AD
>To: FedoraUsers
>Message-ID: <43DFC5CE.1050909 at arbor.edu>
>Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
>Hello...
>
>Earlier this month we had an issue with one of our domain controllers
>(Win2003) and took it down. It was the one the directory server was
>pointing to for synchronization. Ever since then, no sync has occurred
>and I am back to getting the
>
>-81 (Peer's Certificate issuer is not recognized.)
>
>I have checked the DC, and all looks well. We were merely moving the
>logs to another volume, so it should not have an effect on ldap
>connections. I did some fiddling and at one point I removed the native
>java since I had installed the IBM version. Jessie depended on it, so
>that was removed as well. I have since gotten new certs and CA certs,
>and installed them, but still no luck on the connection. Certutil no
>longer worked, so I installed mozilla-nss, and now it does not work
>for other reasons:
>
>NSS_Initialize failed: An I/O error occurred during security authorization.
>
>All certificate management via the console seems to work fine...
>
>So, my questions are:
>
>Is there a way to get my ssl libraries so they line up with what FDS wants?
>Was jessie even involved in this issue?
>I already have all our data in this directory, so is there a way for me
>to get this thing syncing again without a wipe and reinstall?
>If I delete the sync agreement, and create a new one, what happens on
>the first sync? Will it just pick up where it left off, or will it
>choke on all the objects that were a part of the previous sync
>agreement? Will I have problems with my data since it has been over 10
>days since the last sync?
>

From basile.mathieu at siris.sorbonne.fr Wed Feb 1 15:49:23 2006
From: basile.mathieu at siris.sorbonne.fr (basile au siris)
Date: Wed, 01 Feb 2006 16:49:23 +0100
Subject: [Fedora-directory-users] problem with startconsole
Message-ID: <43E0D883.2010801@siris.sorbonne.fr>

hi

I installed fds-7.0 on Solaris 9. All works fine, but I have a strange problem with the console: I can start the console on the server, I can start the console from a Windows box, but I can't start it from a Linux box (but I can start the console from this Linux box to another FDS installation on Solaris). I ssh -X, startconsole -D, and I have the prompt "fedora management console" but never the login window. If someone has an idea (port 6000 is open, ssh forwards X11, and all machines are on the same VLAN), thanks

basile

From CConner at salem-health.com Wed Feb 1 15:52:28 2006
From: CConner at salem-health.com (Chris Conner)
Date: Wed, 1 Feb 2006 10:52:28 -0500
Subject: [Fedora-directory-users] problem with startconsole
Message-ID: <8E4D74AE5918D74E93152809755B33F501376D24@shssvd001.shs-ad.salem-health.com>

Have you tried the -nologo option?

Chris

Chris Conner, M.A.
Manager of Systems Support
MCP, MCP+I, MCDBA, MCSE
Salem Health Solutions
cconner at salem-health.com
336-747-7572
866-747-7560 x7572

/(bb|[^b]{2})/ that is the Question

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of basile au siris
Sent: Wednesday, February 01, 2006 10:49 AM
To: fedora-directory-users at redhat.com
Subject: [Fedora-directory-users] problem with startconsole

hi

I installed fds-7.0 on Solaris 9. All works fine, but I have a strange problem with the console: I can start the console on the server, I can start the console from a Windows box, but I can't start it from a Linux box (but I can start the console from this Linux box to another FDS installation on Solaris). I ssh -X, startconsole -D, and I have the prompt "fedora management console" but never the login window. If someone has an idea (port 6000 is open, ssh forwards X11, and all machines are on the same VLAN), thanks

basile

--
Fedora-directory-users mailing list
Fedora-directory-users at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users

From CConner at salem-health.com Wed Feb 1 15:53:36 2006
From: CConner at salem-health.com (Chris Conner)
Date: Wed, 1 Feb 2006 10:53:36 -0500
Subject: [Fedora-directory-users] problem with startconsole
Message-ID: <8E4D74AE5918D74E93152809755B33F501376D25@shssvd001.shs-ad.salem-health.com>

Sorry, actually -x nologo is the option. I guess I should have checked first....

Hth
C

Chris Conner, M.A.
Manager of Systems Support
MCP, MCP+I, MCDBA, MCSE
Salem Health Solutions
cconner at salem-health.com
336-747-7572
866-747-7560 x7572

/(bb|[^b]{2})/ that is the Question

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Chris Conner
Sent: Wednesday, February 01, 2006 10:52 AM
To: General discussion list for the Fedora Directory server project.
Subject: RE: [Fedora-directory-users] problem with startconsole

Have you tried the -nologo option?

Chris

Chris Conner, M.A.
Manager of Systems Support
MCP, MCP+I, MCDBA, MCSE
Salem Health Solutions
cconner at salem-health.com
336-747-7572
866-747-7560 x7572

/(bb|[^b]{2})/ that is the Question

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of basile au siris
Sent: Wednesday, February 01, 2006 10:49 AM
To: fedora-directory-users at redhat.com
Subject: [Fedora-directory-users] problem with startconsole

hi

I installed fds-7.0 on Solaris 9. All works fine, but I have a strange problem with the console: I can start the console on the server, I can start the console from a Windows box, but I can't start it from a Linux box (but I can start the console from this Linux box to another FDS installation on Solaris). I ssh -X, startconsole -D, and I have the prompt "fedora management console" but never the login window. If someone has an idea (port 6000 is open, ssh forwards X11, and all machines are on the same VLAN), thanks

basile

From basile.mathieu at siris.sorbonne.fr Wed Feb 1 15:54:35 2006
From: basile.mathieu at siris.sorbonne.fr (basile au siris)
Date: Wed, 01 Feb 2006 16:54:35 +0100
Subject: [Fedora-directory-users] problem with startconsole
In-Reply-To: <8E4D74AE5918D74E93152809755B33F501376D24@shssvd001.shs-ad.salem-health.com>
References: <8E4D74AE5918D74E93152809755B33F501376D24@shssvd001.shs-ad.salem-health.com>
Message-ID: <43E0D9BB.6030401@siris.sorbonne.fr>

Not better. I can http://solaris9:managementport without problem. Very strange.

Chris Conner wrote:
>Have you tried the -nologo option?
>
>Chris
>
>Chris Conner, M.A.
>Manager of Systems Support
>MCP, MCP+I, MCDBA, MCSE
>Salem Health Solutions
>cconner at salem-health.com
>336-747-7572
>866-747-7560 x7572
>
>/(bb|[^b]{2})/ that is the Question
>
>-----Original Message-----
>From: fedora-directory-users-bounces at redhat.com
>[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of basile
>au siris
>Sent: Wednesday, February 01, 2006 10:49 AM
>To: fedora-directory-users at redhat.com
>Subject: [Fedora-directory-users] problem with startconsole
>
>hi
>
>I installed fds-7.0 on Solaris 9. All works fine, but I have a strange
>problem with the console: I can start the console on the server, I can
>start the console from a Windows box, but I can't start it from a Linux
>box (but I can start the console from this Linux box to another FDS
>installation on Solaris). I ssh -X, startconsole -D, and I have the
>prompt "fedora management console" but never the login window. If
>someone has an idea (port 6000 is open, ssh forwards X11, and all
>machines are on the same VLAN), thanks
>
>basile
>

From david_list at boreham.org Wed Feb 1 16:14:47 2006
From: david_list at boreham.org (David Boreham)
Date: Wed, 01 Feb 2006 09:14:47 -0700
Subject: [Fedora-directory-users] Re: Hosed sync with AD
In-Reply-To: <43E0CD58.1060600@arbor.edu>
References: <20060131225723.C01DF73218@hormel.redhat.com> <43E0CD58.1060600@arbor.edu>
Message-ID: <43E0DE77.6040000@boreham.org>

Daniel Shackelford wrote:

> Anyone able to address the other questions about ssl? I was able to
> use the system version of ldapsearch to connect securely to my domain
> controller from the FDS box. I can also connect the same way to FDS.
> I have read that the -81 error means that there is a problem with my
> server cert, or the ca cert that was used to create it. I have 2
> server certs signed by different CAs (nothing self-signed), and I have
> tried them both. The CA certs are installed, and seem to be fine. I
> even exported one to use on the local openldap in order to test
> connections to the domain controller without a problem.

I don't have any insight off the top of my head beyond what you've already tried. You could take a packet trace with ethereal or the like and see if there's anything interesting in the SSL handshake.

> Is FDS dependent on specific versions of libssl3.so or ?... The thing
> that confuses me the most is that it all seems to be working fine in
> every other case. I am still not sure there isn't a problem with my
> Win2003 domain controller...

FDS should be used with the version of NSS that it was built against. There will be some minor functionality differences between NSS releases and bug fixes, but I wouldn't expect much sensitivity to NSS version as far as basic functionality like this goes.

Bottom line is that if you can use the 'ldapsearch' command (the Mozilla version that ships with FDS), pointed at the same cert database that the server is using, to connect to your AD, then FDS's Winsync code should be able to connect too: the code paths are essentially identical.

From dshackel at arbor.edu Wed Feb 1 18:43:04 2006
From: dshackel at arbor.edu (Daniel Shackelford)
Date: Wed, 01 Feb 2006 13:43:04 -0500
Subject: [Fedora-directory-users] Re: Hosed sync with AD
In-Reply-To: <20060201170011.4710473CB2@hormel.redhat.com>
References: <20060201170011.4710473CB2@hormel.redhat.com>
Message-ID: <43E10138.1010602@arbor.edu>

> I don't have any insight off the top of my head beyond what you've
> already tried.
> You could take a packet trace with ethereal or the like and see if
> there's anything
> interesting in the SSL handshake.
>
>> Is FDS dependent on specific versions of libssl3.so or ?... The thing
>> that confuses me the most is that it all seems to be working fine in
>> every other case. I am still not sure there isn't a problem with my
>> Win2003 domain controller...
>
> FDS should be used with the version of NSS that it was built against.
> There will be some minor functionality differences between NSS releases
> and bug fixes, but I wouldn't expect much sensitivity to NSS version
> as far as basic functionality like this goes.
>
> Bottom line is that if you can use the 'ldapsearch' command (the Mozilla
> version that ships with FDS), pointed at the same cert database that the
> server is using, to connect to your AD, then FDS's Winsync code should
> be able to connect too : the code paths are essentially identical.

Well, I think I found the problem...

Here is the output of ssltap that captured a request to the DC:

--> [
alloclen = 54 bytes
   [54 bytes of 54]
   [Wed Feb  1 12:39:36 2006] [ssl2]  ClientHelloV2 {
            version = {0x03, 0x01}
            cipher-specs-length = 27 (0x1b)
            sid-length = 0 (0x00)
            challenge-length = 16 (0x10)
            cipher-suites = {
                (0x000004) SSL3/RSA/RC4-128/MD5
                (0x00feff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA
                (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
                (0x00fefe) SSL3/RSA-FIPS/DES-CBC/SHA
                (0x000009) SSL3/RSA/DES56-CBC/SHA
                (0x000064) TLS/RSA-EXPORT1024/RC4-56/SHA
                (0x000062) TLS/RSA-EXPORT1024/DES56-CBC/SHA
                (0x000003) SSL3/RSA/RC4-40/MD5
                (0x000006) SSL3/RSA/RC2CBC40/MD5
            }
            session-id = { }
            challenge = { 0xc930 0x4121 0xe11d 0x443a 0x77b4 0xaef1 0x13b0 0xc017 }
   }
]
<-- [
(2896 bytes, making 2896 of 4836)
]
<-- [
(1945 bytes, making 4836 of 4836)
SSLRecord { [Wed Feb  1 12:39:36 2006]
   type    = 22 (handshake)
   version = { 3,1 }
   length  = 4836 (0x12e4)
   handshake {
      type = 2 (server_hello)
      length = 70 (0x000046)
      ServerHello {
         server_version = {3, 1}
         random = {...}
         session ID = {
            length = 32
            contents = {..}
         }
         cipher_suite = (0x0004) SSL3/RSA/RC4-128/MD5
      }
      type = 11 (certificate)
      length = 1423 (0x00058f)
      CertificateChain {
         chainlength = 1420 (0x058c)
         Certificate {
            size = 1417 (0x0589)
            data = { saved in file 'cert.001' }
         }
      }
      type = 13 (certificate_request)
      length = 3327 (0x000cff)
      type = 14 (server_hello_done)
      length = 0 (0x000000)
   }
}
]
--> [
(7 bytes of 2)
SSLRecord { [Wed Feb  1 12:39:36 2006]
   type    = 21 (alert)
   version = { 3,1 }
   length  = 2 (0x2)
   fatal: unknown CA
}
]

Looking through this, it looks like it is the FDS server that is saying that the CA is unknown, but is it referring to the response from the DC, or its own certificate store?

Looking at the dump of extended data from ssltap, the response from the DC indicates it is using a cert not signed by itself (a CA), but by another server that is not a DC, and in fact a non-critical server. The validity of that CA and all its certificates expired at the time that FDS stopped synchronizing. Why our Windows Admin is using CAs around the network willy-nilly is a mystery to me. I will get rid of that cert, and make sure that it is offering up a cert that is signed by a third party CA (like CACert.org).

Thank you Dave. It looks like you were right about this being a stumper as long as we are looking for the problem on FDS.

--
Daniel Shackelford
Systems Administrator
Technology Services
Spring Arbor University
517 750-6648

"For even the Son of Man did not come to be served, but to serve, and to give His life a ransom for many" Mark 10:45

From oscar.valdez at duraflex-politex.com Wed Feb 1 20:11:16 2006
From: oscar.valdez at duraflex-politex.com (Oscar A. Valdez)
Date: Wed, 01 Feb 2006 14:11:16 -0600
Subject: [Fedora-directory-users] Adding users after replacing NIS
Message-ID: <1138824677.4038.15.camel@wzowski.duraflex-politex.com>

I've followed the instructions in Gerald Carter's "LDAP System Administration", specifically those in Chapter 6: Replacing NIS.

I've used PADL's scripts to migrate the info from /etc/passwd, /etc/shadow, and /etc/group into the DS server. My question now is, how do I add new users to the DS, with the necessary shadowAccount attributes? How do I generate the crypted userPassword, shadowLastChange, etc. values?

--
Oscar A. Valdez

From gholbert at broadcom.com Wed Feb 1 20:37:57 2006
From: gholbert at broadcom.com (George Holbert)
Date: Wed, 01 Feb 2006 12:37:57 -0800
Subject: [Fedora-directory-users] Adding users after replacing NIS
In-Reply-To: <1138824677.4038.15.camel@wzowski.duraflex-politex.com>
References: <1138824677.4038.15.camel@wzowski.duraflex-politex.com>
Message-ID: <43E11C25.1050708@broadcom.com>

> My question now is, how do I add new users to the DS...

To add data to your directory, including users, you can use whatever LDAP modification tool you like. The most basic option is the ldapmodify command, but depending on how often you add or update users, you will probably get tired of manually typing LDIF input for ldapmodify. You could also use the Fedora console, write your own scripts, or look into other LDAP admin programs (there are several).

> ...with the necessary shadowAccount attributes? How do I generate the crypted userPassword, shadowLastChange, etc. values?

Using your favorite LDAP admin program :), you can assign whatever initial values you want for the shadow attributes. If pam/nss_ldap is so configured on your Linux clients, the passwd command will update the shadow attributes when passwords are changed. Solaris 8 LDAP clients ignore shadow attributes, so you might not want to rely on LDAP-based shadow if you have Solaris 8 in your environment.

Fedora DS can hash passwords several ways, including crypt. You can choose the default password hash in the Fedora console. The directory server will hash userPassword attributes with whatever hash you select. Note that changes to the default password hash are only effective for subsequent userPassword updates. In other words, changing the hash does not cause a re-hash of every userPassword attribute in the directory.

--
George

Oscar A. Valdez wrote:
> I've followed the instructions in Gerald Carter's "LDAP System
> Administration", specifically those in Chapter 6: Replacing NIS.
>
> I've used PADL's scripts to migrate the info
> from /etc/passwd, /etc/shadow, and /etc/group into the DS server. My
> question now is, how do I add new users to the DS, with the necessary
> shadowAccount attributes? How do I generate the crypted userPassword,
> shadowLastChange, etc. values?
>
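The workflow George describes (build an LDIF entry for ldapmodify, either let the server hash userPassword with its configured scheme or supply a hashed value, and set shadowLastChange as days since the epoch) as an added Python example. This is not code from the list or from Fedora DS; the base DN, the ou=People layout and the sample user are constructed, and the pre-hashed form uses the {SSHA} salted-SHA-1 scheme that Fedora DS accepts.

```python
"""Build an LDIF entry for a new posixAccount/shadowAccount user (added example)."""
import base64
import hashlib
import hmac
import os
from datetime import date

EPOCH = date(1970, 1, 1)


def shadow_last_change(when) -> int:
    """shadowLastChange is the day count since 1970-01-01, as in /etc/shadow.

    `when` may be a date or an ISO "YYYY-MM-DD" string.
    """
    if isinstance(when, str):
        when = date.fromisoformat(when)
    return (when - EPOCH).days


def ssha_hash(password: str, salt: bytes = None) -> str:
    """Pre-hashed userPassword value: {SSHA}base64(sha1(password + salt) + salt).

    A caller-supplied salt exists only so results can be checked; leave it
    None in real use to get 8 random bytes.
    """
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a password against a stored {SSHA} value (salt follows the 20-byte digest)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldif_attr(name: str, value: str) -> str:
    """One LDIF attribute line, base64-encoded ("::") when RFC 2849 forbids the raw form:

    non-ASCII content, a leading space, ':' or '<', or an embedded CR/LF.
    """
    needs_b64 = (not value.isascii() or value[:1] in (" ", ":", "<")
                 or "\r" in value or "\n" in value)
    if not needs_b64:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def build_user_ldif(base_dn: str, uid: str, sn: str, uid_number: int,
                    gid_number: int, password: str, today=None,
                    prehash: bool = True, home_prefix: str = "/home",
                    shell: str = "/bin/bash") -> str:
    """LDIF for `ldapmodify -a` that adds one user with shadow attributes.

    prehash=False sends the cleartext so the server hashes it with its default
    scheme (crypt, SSHA, ...); prehash=True supplies an {SSHA} value the server
    stores as-is.  The attribute set mirrors what PADL's migrate_passwd.pl emits.
    """
    today = today if today is not None else date.today()
    pw_value = ssha_hash(password) if prehash else password
    attrs = [
        ("objectClass", "top"), ("objectClass", "person"),
        ("objectClass", "posixAccount"), ("objectClass", "shadowAccount"),
        ("uid", uid), ("cn", uid), ("sn", sn),
        ("uidNumber", str(uid_number)), ("gidNumber", str(gid_number)),
        ("homeDirectory", f"{home_prefix}/{uid}"), ("loginShell", shell),
        ("userPassword", pw_value),
        ("shadowLastChange", str(shadow_last_change(today))),
        ("shadowMin", "0"), ("shadowMax", "99999"), ("shadowWarning", "7"),
    ]
    lines = [f"dn: uid={uid},ou=People,{base_dn}"]
    lines += [ldif_attr(name, value) for name, value in attrs]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample; pipe the output into ldapmodify -a.
    print(build_user_ldif("dc=example,dc=com", "jdoe", "Doe", 1001, 100, "s3cret!"))
```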
From: rspencer at auspicecorp.com (Roger Spencer)
Date: Wed, 01 Feb 2006 15:55:51 -0500
Subject: [Fedora-directory-users] automount (revisited)
In-Reply-To: <43DFF2CF.40604@redhat.com>
References: <43DFE899.5000203@auspicecorp.com> <43DFE9A3.5090703@redhat.com> <43DFEA63.1020800@auspicecorp.com> <43DFEBB8.7050205@redhat.com> <43DFED0B.9080401@auspicecorp.com> <43DFF2CF.40604@redhat.com>
Message-ID: <43E12057.30207@auspicecorp.com>

I removed the entire 63nisdomain.ldif file, since almost all of it duplicated attributes in the 10rfc2307bis.ldif, some with different OIDs (I believe I got it from the Solaris client install howto). I then replaced 10rc2307.ldif with the bis file and slapd started up fine.

Only one problem with it so far: I can create an automountmap entry but can't create an automap entry underneath it using the admin interface. Throws a java.lang.NullPointerException. Creating an ldif file and importing it works fine though.

Pete Rowley wrote:
> Roger Spencer wrote:
>
>> None. Look's like both ldif files define nisDomain with a different
>> oid.
>>
>> 10rfc2307bis.ldif - attributetypes: ( 1.3.6.1.1.1.1.30 NAME
>> 'nisDomain' DESC 'NIS domain' SYNTAX
>> 1.3.6.1.4.1.1466.115.121.1.26{256} )
>>
>> 63nisDomain.ldif - attributeTypes: ( 1.3.6.1.4.1.1.1.1.12 SUP name
>> NAME 'nisDomain' DESC 'NIS domain' SYNTAX
>> 1.3.6.1.4.1.1466.115.121.1.26 )
>>
> Well that's nasty. One of those nisDomain attribute types has to go -
> I would take out the one from 63nisdomain.ldif and see if your
> applications still work - they probably will since the vast majority
> of applications never look at schema and simply assume that the
> attribute type they reference by name is the type they believe it to
> be. They have the same syntax so no issue there.
>

From david_list at boreham.org Wed Feb 1 21:25:46 2006
From: david_list at boreham.org (David Boreham)
Date: Wed, 01 Feb 2006 14:25:46 -0700
Subject: [Fedora-directory-users] Re: Hosed sync with AD
In-Reply-To: <43E10138.1010602@arbor.edu>
References: <20060201170011.4710473CB2@hormel.redhat.com> <43E10138.1010602@arbor.edu>
Message-ID: <43E1275A.6060304@boreham.org>

> The validity of that CA and all its certificates expired at the time
> that FDS stopped synchronizing. Why our Windows Admin is using CAs
> around the network willy-nilly is a mystery to me. I will get rid of
> that cert, and make sure that it is offering up a cert that is signed
> by a third party CA (like CACert.org)

Interesting. I wish that somewhere we'd printed an error message that said 'the CA cert has expired'..

Windows has 'automatic' server cert issuing facilities, so it is possible that your admin did not realize exactly what had happened.

From jo.de.troy at gmail.com Wed Feb 1 22:13:10 2006
From: jo.de.troy at gmail.com (Jo De Troy)
Date: Wed, 1 Feb 2006 23:13:10 +0100
Subject: [Fedora-directory-users] crash after successful pwdchange via ldappasswd
Message-ID:

Hello,

I'm trying out different ways of changing password and looking at how these handle the policies (e.g. pwd history).
I can successfully change a password from the command line (passwd) on a Linux LDAP client.
When I try changing the password using ldappasswd the slapd process disappears after a successful change ( ldappasswd -x -h ldapserver -D 'uid=user2change,base' -A -S -W -ZZ 'uid=user2change,base' )
It ends with:
ldappasswd: ldap_result: Can't contact LDAP server (-1)
Which means slapd died. When I start up slapd on the server I can do an ldapsearch with the new password.
Has anyone seen the same behaviour?

Someone told me about a web gateway included in FDS to change password; at which URL can I find this? Should I specifically enable this web interface?

TIA,
Jo

From rmeggins at redhat.com Wed Feb 1 22:27:34 2006
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 01 Feb 2006 15:27:34 -0700
Subject: [Fedora-directory-users] crash after successful pwdchange via ldappasswd
In-Reply-To:
References:
Message-ID: <43E135D6.9070304@redhat.com>

Jo De Troy wrote:
> Hello,
>
> I'm trying out different ways of changing password and looking at how
> these handle the policies (eg pwd history)
> I can successfully change a password from the command line (passwd) on
> a Linux LDAP client
> When I try changing the password using ldappasswd the slapd process
> disappears after a successful change ( ldappasswd -x -h ldapserver -D
> 'uid=user2change,base' -A -S -W -ZZ 'uid=user2change,base' )
> It ends with:
> ldappasswd: ldap_result: Can't contact LDAP server (-1)
> Which means slapd died. When I startup slapd on the server I can do an
> ldapsearch with the new password.
> Has anyone seen the same behaviour?

Nope - sounds like a bug in FDS.

> Someone told me about a web gateway included in FDS to change
> password, at which URL can I find this? Should I specifically enable
> this webinterface?

Yes. First, http://yourhost:adminserverport/ from your browser - this is the same url used by the console. Then, go to the Services for Admins - the Directory Gateway - it's not exclusively for admins. You can authenticate as a regular user, then view your entry. Allows self service stuff. One of the options on the user's edit page is to change password.

> TIA,
> Jo
>

From basile.mathieu at siris.sorbonne.fr Wed Feb 1 22:27:11 2006
From: basile.mathieu at siris.sorbonne.fr (Basile Mathieu)
Date: Wed, 01 Feb 2006 23:27:11 +0100
Subject: [Fedora-directory-users] management console , xp , and tls
Message-ID: <1138832831.43e135bfd348d@mail.sorbonne.fr>

hi

I use the HOWTO for starting the console with XP. I try to use TLS, but with certificates I have a problem. I generated a cacert with openssl, made two certificate requests in the FDS console, signed them with the cacert, and then installed all of it in FDS. All works fine, but I don't know exactly what I have to do for Windows.

I have a .mcc directory like in the HOWTO, with key3, cert8 and secmod files. I tried to copy the db files from my FDS server (/opt/fedora/servers/alias) into .mcc, and tried to rename them as key3 and cert8, but I always have

[01/Feb/2006:22:46:50] failure (10229): Error receiving connection (SSL_ERROR_BAD_CERT_ALERT - SSL client cannot verify your certificate.) from yyy.yyy.yyy.yyy:1078 on xxx.xxx.xxx.xxx:port

What I don't do from the HOWTO is

pk12util -i servercert.pfx -d C:\Documents and Settings\\.mcc

but I think it's for creating cert8 and key3.

thanks for help

basile

--------------------------------------------------------
This message was sent by the Sorbonne Webmail via IMP.
http://courrier.sorbonne.fr/
http://mail.sorbonne.fr/

From jo.de.troy at gmail.com Wed Feb 1 22:35:08 2006
From: jo.de.troy at gmail.com (Jo De Troy)
Date: Wed, 1 Feb 2006 23:35:08 +0100
Subject: [Fedora-directory-users] crash after successful pwdchange via ldappasswd
Message-ID:

Hi Rich,

thanks for the quick reply.
Do you need more info from me wrt the behaviour I described?
Has the password strength enforcement been submitted yet? Any idea if and when this will be included in a next release? And when could we expect such a release?
I've read something about a plugin that would also change samba passwords in FDS; do you happen to know what the status of that is?

Best Regards,
Jo

From rmeggins at redhat.com Wed Feb 1 22:51:31 2006
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 01 Feb 2006 15:51:31 -0700
Subject: [Fedora-directory-users] crash after successful pwdchange via ldappasswd
In-Reply-To:
References:
Message-ID: <43E13B73.4090703@redhat.com>

Jo De Troy wrote:
> Hi Rich,
>
> thanks for the quick reply.
> Do you need more info from me wrt behaviour I described?

We'll try to reproduce it and get back to you. If you like, please file a bug in http://bugzilla.redhat.com against Fedora Directory Server with the necessary steps to reproduce the problem. That way you'll get automatically notified of any changes in the status.

> Has the password strength enforcement been submitted yet? Any idea if
> and when this will be included in a next release? And when could we
> expect such a release?

Probably sometime by the end of the month.

> I've read something about a plugin that would also change samba
> passwords in FDS, do you happen to know what the status of that is?

AFAIK, no one is working on it.

> Best Regards,
> Jo
>

From sboggs at TrustedCS.com Wed Feb 1 23:10:04 2006
From: sboggs at TrustedCS.com (Scott Boggs)
Date: Wed, 1 Feb 2006 18:10:04 -0500
Subject: [Fedora-directory-users] One Way Sync
Message-ID: <36282A1733C57546BE392885C061859201024BA0@chaos.tcs.tcs-sec.com>

Hello,

I am interested in knowing if anyone is using the PassSync functionality in only one direction, making the Fedora-DS a consumer only to the Active Directory server. I am only interested in populating the Fedora-DS with the user account information and passwords; there is no need for me to go in the other direction. With that in mind, would I still create a 'Single Master' replication configuration or is there an alternate method since the Fedora-DS is really only the consumer and not a supplier? My guess is that a 'Single Master' configuration will still have to be created since the winsync code builds off the replication plug-in. If it turns out that the Fedora-DS must be a supplier, is there any method to stop the Fedora-DS from expecting the Active Directory system to have correctly sync'd databases?

Other than the functionality of pushing passwords and accounts from my Fedora-DS system not being needed (in fact the AD server group will only allow my Fedora-DS to pull and not update) I am hoping that this could fix the "db vector errors" from occurring.

Any suggestions from the Fedora-DS veterans out there? Thanks

From rmeggins at redhat.com Wed Feb 1 22:20:26 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 01 Feb 2006 15:20:26 -0700
Subject: [Fedora-directory-users] One Way Sync
In-Reply-To: <36282A1733C57546BE392885C061859201024BA0@chaos.tcs.tcs-sec.com>
References: <36282A1733C57546BE392885C061859201024BA0@chaos.tcs.tcs-sec.com>
Message-ID: <43E1342A.9050707@redhat.com>

Scott Boggs wrote:
> Hello,
>
> I am interested in knowing if anyone is using the PassSync
> functionality in only one direction, making the Fedora-DS a consumer
> only to the Active Directory server. I am only interested in
> populating the Fedora-DS with the user account information and
> passwords; there is no need for me to go in the other direction. With
> that in mind, would I still create a 'Single Master' replication
> configuration or is there an alternate method since the Fedora-DS is
> really only the consumer and not a supplier? My guess is that a
> 'Single Master' configuration will still have to be created since the
> winsync code builds off the replication plug-in. If it turns out that
> the Fedora-DS must be a supplier, is there any method to stop the
> Fedora-DS from expecting the Active Directory system to have correctly
> sync'd databases?
>
> Other than the functionality of pushing passwords and accounts from my
> Fedora-DS system not being needed (in fact the AD server group will
> only allow my Fedora-DS to pull and not update) I am hoping that this
> could fix the "db vector errors" from occurring.
>

What "db vector errors"? Are these coming from Fedora DS?

> Any suggestions from the Fedora-DS veterans out there? Thanks
>

From rmeggins at redhat.com Wed Feb 1 22:29:47 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 01 Feb 2006 15:29:47 -0700
Subject: [Fedora-directory-users] crash after successful pwdchange via ldappasswd
In-Reply-To:
References:
Message-ID: <43E1365B.6070601@redhat.com>

What version of Fedora DS are you using? I'm not able to reproduce this with version 1.0.1.

Jo De Troy wrote:
> Hello,
>
> I'm trying out different ways of changing password and looking at how
> these handle the policies (eg pwd history)
> I can successfully change a password from the command line (passwd) on
> a Linux LDAP client
> When I try changing the password using ldappasswd the slapd process
> disappears after a successful change ( ldappasswd -x -h ldapserver -D
> 'uid=user2change,base' -A -S -W -ZZ 'uid=user2change,base' )
> It ends with:
> ldappasswd: ldap_result: Can't contact LDAP server (-1)
> Which means slapd died. When I startup slapd on the server I can do an
> ldapsearch with the new password.
> Has anyone seen the same behaviour?
>
> Someone told me about a web gateway included in FDS to change
> password, at which URL can I find this? Should I specifically enable
> this webinterface?
>
> TIA,
> Jo
>

From david_list at boreham.org Wed Feb 1 23:37:43 2006
From: david_list at boreham.org (David Boreham) Date: Wed, 01 Feb 2006 16:37:43 -0700 Subject: [Fedora-directory-users] One Way Sync In-Reply-To: <36282A1733C57546BE392885C061859201024BA0@chaos.tcs.tcs-sec.com> References: <36282A1733C57546BE392885C061859201024BA0@chaos.tcs.tcs-sec.com> Message-ID: <43E14647.90002@boreham.org> Scott Boggs wrote: > I am interested in knowing if anyone is using the PassSync > functionality in only one direction, making the Fedora-DS a consumer > only to the Active Directory server. I am only interested in > populating the Fedora-DS with the user account information and > passwords; there is no need for me to go in the other direction. With > that in mind, would I still create a 'Single Master' replication > configuration or is there an alternate method since the Fedora-DS is > really only the consumer and not a supplier? My guess is that a > 'Single Master' configuration will still have to be created since the > winsync code builds off the replication plug-in. If it turns out that > the Fedora-DS must be a supplier, is there any method to stop the > Fedora-DS from expecting the Active Directory system to have correctly > sync'd databases? > > > If you _only_ need passwords propagated from AD to FDS, then you can simply install only the PassSync service, and not configure any WinSync replication agreement. If you need that plus inbound sync updates from AD to FDS (e.g. new users, non-password attribute changes), then you can achieve the desired functionality only with a code change. It'd be a very simple code change I think though : just find the place where changelog records are read and processed for sending to AD. Comment out that code. I can't think of a reason why disabling outbound updates would break any of the inbound functionality, but I've only thought about it for a few minutes... -------------- next part -------------- An HTML attachment was scrubbed... URL: From Andrey.Ivanov at polytechnique.edu Thu Feb 2 09:24:09 2006 
From: Andrey.Ivanov at polytechnique.edu (Andrey Ivanov) Date: Thu, 2 Feb 2006 10:24:09 +0100 Subject: [Fedora-directory-users] Kerberos database in FDS? Message-ID: <934543038.20060202102409@polytechnique.fr> Hi, I was wondering if anyone tried a configuration with Kerberos using LDAP as database. After some searching it seems that MIT kerberos is not capable to do that. However, Heimdal has a special option for that. The only problem is that this option is applicable only to openldap and only to unix socket connections. At least that's what is told in the doc and in numerous howtos. There is also a special schema extension for storing these data in openLDAP. I haven't found these objects (krb* or kerberos*) in FDS schema.... Can anyone tell anything about a possibility of using Kerberos with the key/principals database stored in Fedora Directory Server, please? Thank you Andrey Ivanov tel +33-(0)1-69-33-99-24 fax +33-(0)1-69-33-99-55 Direction des Systemes d'Information Ecole Polytechnique 91128 Palaiseau CEDEX France From basile.mathieu at siris.sorbonne.fr Thu Feb 2 10:19:40 2006 From: basile.mathieu at siris.sorbonne.fr (basile au siris) Date: Thu, 02 Feb 2006 11:19:40 +0100 Subject: [Fedora-directory-users] no response on port 636 Message-ID: <43E1DCBC.50900@siris.sorbonne.fr> hi i can ldapsearch -ZZZ without problem ( with fds or openldap command ) but when i try ldapsearch -D "cn=Manager" -p 636 , i have no response from the server i have to CTRL-C to stop the command. here are logs conn=21 fd=67 slot=67 SSL connection from 127.0.0.1 to 127.0.0.1 and nothing else happens thanks basile From Soeren.Malchow at interone.de Thu Feb 2 10:33:30 2006 
From: Soeren.Malchow at interone.de (Sören Malchow)
Date: Thu, 2 Feb 2006 11:33:30 +0100
Subject: [Fedora-directory-users] Problem with WindowsSync
Message-ID:

Hi,

I have a problem with syncing my AD users. Everything seems to be fine, login is ok, DS can reach AD, in a tcpdump I see a search request from the DS, but afterwards there is an answer from the AD server that says

"Can't parse message ID: Wrong type for that item"

The full initialization is reported as "successful" but no AD users show up in the DS. Anybody has an idea what I did wrong?

Regards
soeren

Soeren Malchow
Head of Central Technical Services
Interone Worldwide GmbH
Schulterblatt 58
20357 Hamburg
T +49.40.43 29 69 - 547
F +49.40.43 29 69 - 90
mailto:soeren.malchow at interone.de
http://www.interone.de

NOTE: Information contained in this message is confidential and may be legally privileged. If you are not the addressee indicated in this message (or responsible for the delivery of the message to such person), you may not copy, disclose or deliver this message or any part of it to anyone, in any form. In such case, you should delete this message and kindly notify the sender by reply Email. Opinions, conclusions and other information in this message that does not relate to the official business of BBDO Germany shall be understood as neither given nor endorsed by it.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From basile.mathieu at siris.sorbonne.fr Thu Feb 2 10:33:33 2006
From: basile.mathieu at siris.sorbonne.fr (basile au siris) Date: Thu, 02 Feb 2006 11:33:33 +0100 Subject: [Fedora-directory-users] no response on port 636 In-Reply-To: <43E1DCBC.50900@siris.sorbonne.fr> References: <43E1DCBC.50900@siris.sorbonne.fr> Message-ID: <43E1DFFD.4000107@siris.sorbonne.fr> have to put -Z with fds ldapsearch and -H ldaps://myserver in openldap ldapsearch basile au siris wrote: > hi > i can ldapsearch -ZZZ without problem ( with fds or openldap command ) > but when i try ldapsearch -D "cn=Manager" -p 636 , i have no response > from the server > i have to CTRL-C to stop the command. > here are logs > conn=21 fd=67 slot=67 SSL connection from 127.0.0.1 to 127.0.0.1 > and nothing else happens > thanks > basile > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users From thierry.lanfranchi at wanadoo.fr Thu Feb 2 10:34:35 2006 
From: thierry.lanfranchi at wanadoo.fr (Thierry LANFRANCHI) Date: Thu, 2 Feb 2006 11:34:35 +0100 (CET) Subject: [Fedora-directory-users] Server crash (and how-to reproduce) Message-ID: <30770893.1138876475828.JavaMail.www@wwinf1533> Hello, I've just managed to crash my slapd process and can reproduce the problem everytime I try, this way : I was playing with the languages tab on a user's properties window, I defined 'french' as the preference language and added afrikaans common name, first name and last name, and saved. I then reopened the properties window and proceeded to remove these 3 afrikaans attributes by emptying the 3 fields and clicking Save when a popup warned me about a problem communicating with the server. Actually the communication problem was just a slapd process crash. I can reproduce the crash at will, and for information, my configuration is the following : FDS 1.0.1 Centos 4.2 using the console from a winXP computer (local java, not deported X11 window) Last lines of the error log before crash with all logging options activated are : [02/Feb/2006:11:14:14 +0100] - Calling plugin 'Multimaster replication bepreoperation plugin' #0 type 451 [02/Feb/2006:11:14:14 +0100] - => entry_apply_mods_wsi [02/Feb/2006:11:14:14 +0100] - delete: givenname;lang-af [02/Feb/2006:11:14:14 +0100] - removing entire attribute givenname;lang-af [02/Feb/2006:11:14:14 +0100] - - [02/Feb/2006:11:14:14 +0100] - delete: sn;lang-af [02/Feb/2006:11:14:14 +0100] - removing entire attribute sn;lang-af [02/Feb/2006:11:14:14 +0100] - - [02/Feb/2006:11:14:14 +0100] - delete: cn;lang-af [02/Feb/2006:11:14:14 +0100] - removing entire attribute cn;lang-af [02/Feb/2006:11:14:14 +0100] - - [02/Feb/2006:11:14:14 +0100] - modifiersname: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot [02/Feb/2006:11:14:14 +0100] - replace: modifiersname [02/Feb/2006:11:14:14 +0100] - - [02/Feb/2006:11:14:14 +0100] - modifytimestamp: 20060202101411Z [02/Feb/2006:11:14:14 +0100] - replace: 
modifytimestamp [02/Feb/2006:11:14:14 +0100] - - [02/Feb/2006:11:14:14 +0100] - <= entry_apply_mods_wsi 0 [02/Feb/2006:11:14:14 +0100] - => plugin_call_syntax_filter_ava uid=45123487 [02/Feb/2006:11:14:14 +0100] - <= plugin_call_syntax_filter_ava 0 [02/Feb/2006:11:14:14 +0100] - => id2entry_add( 14, "uid=45123487,ou=utilisateurs,ou=infrastructure,dc=oie,dc=local" ) [02/Feb/2006:11:14:14 +0100] - -> attrcrypt_encrypt_entry [02/Feb/2006:11:14:14 +0100] - <- attrcrypt_encrypt_entry [02/Feb/2006:11:14:14 +0100] - <= id2entry_add 0 Don't hesitate to ask for more informations if needed, or more tests to run in order to get rid of that nasty bug :) Thanks in advance, Thierry From jo.de.troy at gmail.com Thu Feb 2 12:02:45 2006 From: jo.de.troy at gmail.com (Jo De Troy) Date: Thu, 2 Feb 2006 13:02:45 +0100 Subject: [Fedora-directory-users] crash after succesfull pwdchange via ldappasswd Message-ID: Hi Rich, I'm using fedora-ds-1.0.1-1.RHEL4. Do you need config and/or log files from me? Which files do you need? /etc/ldap.conf /etc/openldap/ldap.conf /opt/fedora-ds/slapd-<>/logs/.. Just let me know what you need. Greetings, Jo -------------- next part -------------- An HTML attachment was scrubbed... URL: From sboggs at trustedcs.com Thu Feb 2 13:52:05 2006 From: sboggs at trustedcs.com (Scott Boggs) Date: Thu, 2 Feb 2006 13:52:05 +0000 (UTC) Subject: [Fedora-directory-users] Re: One Way Sync References: <36282A1733C57546BE392885C061859201024BA0@chaos.tcs.tcs-sec.com> <43E14647.90002@boreham.org> Message-ID: Great, I will have to look into it. when you say code change, are you speaking withing the replication plug-in? Thanks again. From rmeggins at redhat.com Thu Feb 2 14:38:28 2006 
From: rmeggins at redhat.com (Richard Megginson) Date: Thu, 02 Feb 2006 07:38:28 -0700 Subject: [Fedora-directory-users] Kerberos database in FDS? In-Reply-To: <934543038.20060202102409@polytechnique.fr> References: <934543038.20060202102409@polytechnique.fr> Message-ID: <43E21964.5050904@redhat.com> Andrey Ivanov wrote: >Hi, > >I was wondering if anyone tried a configuration with Kerberos using >LDAP as database. After some searching it seems that MIT kerberos is >not capable to do that. > Newer versions of MIT are better at this - they have more support for pluggable databases. >However, Heimdal has a special option for >that. The only problem is that this option is applicable only to >openldap and only to unix socket connections. At least that's what is >told in the doc and in numerous howtos. > That is correct. I suppose Heimdal could be hacked to use a regular tcp socket instead of the ldapi interface. >There is also a special schema >extension for storing these data in openLDAP. I haven't found these >objects (krb* or kerberos*) in FDS schema.... > > It's not included with Fedora DS, but you could easily convert it and add it. >Can anyone tell anything about a possibility of using Kerberos with >the key/principals database stored in Fedora Directory Server, please? > > >Thank you > >Andrey Ivanov >tel +33-(0)1-69-33-99-24 >fax +33-(0)1-69-33-99-55 > >Direction des Systemes d'Information >Ecole Polytechnique >91128 Palaiseau CEDEX >France > >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Thu Feb 2 14:39:37 2006 
From: rmeggins at redhat.com (Richard Megginson) Date: Thu, 02 Feb 2006 07:39:37 -0700 Subject: [Fedora-directory-users] no response on port 636 In-Reply-To: <43E1DCBC.50900@siris.sorbonne.fr> References: <43E1DCBC.50900@siris.sorbonne.fr> Message-ID: <43E219A9.90008@redhat.com> basile au siris wrote: > hi > i can ldapsearch -ZZZ without problem ( with fds or openldap command ) > but when i try ldapsearch -D "cn=Manager" -p 636 , i have no response > from the server > i have to CTRL-C to stop the command. Because you are attempting a non-SSL connection on the SSL port? Probably the server is waiting for the SSL handshake to occur, but you haven't told the client to perform this handshake. > here are logs > conn=21 fd=67 slot=67 SSL connection from 127.0.0.1 to 127.0.0.1 > and nothing else happens > thanks > basile > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From logastellus at yahoo.com Thu Feb 2 14:46:14 2006 From: logastellus at yahoo.com (Susan) Date: Thu, 2 Feb 2006 06:46:14 -0800 (PST) Subject: [Fedora-directory-users] ssl encryption without certs In-Reply-To: <43E0DE77.6040000@boreham.org> Message-ID: <20060202144614.45220.qmail@web52906.mail.yahoo.com> Hi. Is it possible to protect the passwords & other info during transit with SSL w/o certificates? I'm not concerned with a MITM attack against the FDS or clients misrepresenting themselves, only need to encrypt the password like ssh would. Can I do it without all the cert setup business? __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com From rmeggins at redhat.com Thu Feb 2 15:05:40 2006 
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 02 Feb 2006 08:05:40 -0700
Subject: [Fedora-directory-users] crash after succesfull pwdchange via ldappasswd
In-Reply-To:
References:
Message-ID: <43E21FC4.2060404@redhat.com>

Jo De Troy wrote:
> Hi Rich,
>
> I'm using fedora-ds-1.0.1-1.RHEL4.
> Do you need config and/or log files from me? Which files do you need?
> /etc/ldap.conf
> /etc/openldap/ldap.conf
> /opt/fedora-ds/slapd-<>/logs/..
> Just let me know what you need.

Sure. Those files would be useful. Just attach them and your description of how to reproduce the bug to https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=179723

> Greetings,
> Jo

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3178 bytes
Desc: S/MIME Cryptographic Signature
URL:

From david_list at boreham.org Thu Feb 2 15:50:20 2006
From: david_list at boreham.org (David Boreham)
Date: Thu, 02 Feb 2006 08:50:20 -0700
Subject: [Fedora-directory-users] Problem with WindowsSync
In-Reply-To:
References:
Message-ID: <43E22A3C.1030209@boreham.org>

Sören Malchow wrote:
> I have a problem with syncing my AD users.
>
> Everything seems to be fine, login is ok, DS can reach AD, in a tcpdump I see a search request from the DS, but afterwards there is an answer from the AD server that says
>
> "Can't parse message ID: Wrong type for that item"

Hi, can you post a bit more information about this? Where exactly do you see that message?

From david_list at boreham.org Thu Feb 2 15:52:05 2006
From: david_list at boreham.org (David Boreham) Date: Thu, 02 Feb 2006 08:52:05 -0700 Subject: [Fedora-directory-users] Re: One Way Sync Message-ID: <43E22AA5.10907@boreham.org> Scott Boggs wrote: > Great, I will have to look into it. when you say code change, are you > speaking > withing the replication plug-in? Thanks again. > > > Here: http://cvs.fedora.redhat.com/lxr/dirsec/source/ldapserver/ldap/servers/plugins/replication/windows_inc_protocol.c#1262 Line 1263 is the call to windows_replay_update(). I think that if you comment out that call (or better add configuration infrastructure to allow it to be enabled or disabled from a flag in the agreement : try commenting out first...) then you should get the desired behavior. From david at boreham.org Thu Feb 2 15:48:50 2006 From: david at boreham.org (David Boreham) Date: Thu, 02 Feb 2006 08:48:50 -0700 Subject: [Fedora-directory-users] Re: One Way Sync In-Reply-To: References: <36282A1733C57546BE392885C061859201024BA0@chaos.tcs.tcs-sec.com> <43E14647.90002@boreham.org> Message-ID: <43E229E2.1030605@boreham.org> Scott Boggs wrote: >Great, I will have to look into it. when you say code change, are you speaking >withing the replication plug-in? Thanks again. > > > Here: http://cvs.fedora.redhat.com/lxr/dirsec/source/ldapserver/ldap/servers/plugins/replication/windows_inc_protocol.c#1262 Line 1263 is the call to windows_replay_update(). I think that if you comment out that call (or better add configuration infrastructure to allow it to be enabled or disabled from a flag in the agreement : try commenting out first...) then you should get the desired behavior. From jo.de.troy at gmail.com Thu Feb 2 16:35:33 2006 
From: jo.de.troy at gmail.com (Jo De Troy)
Date: Thu, 2 Feb 2006 17:35:33 +0100
Subject: [Fedora-directory-users] crash after succesfull pwdchange via ldappasswd
Message-ID:

Rich,

I have attached the config files and the log files. Let me know if you need more info or if you want me to reproduce the issue with a higher debug level.

Greetings,
Jo

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From prowley at redhat.com Thu Feb 2 19:11:30 2006
From: prowley at redhat.com (Pete Rowley)
Date: Thu, 02 Feb 2006 11:11:30 -0800
Subject: [Fedora-directory-users] ssl encryption without certs
In-Reply-To: <20060202144614.45220.qmail@web52906.mail.yahoo.com>
References: <20060202144614.45220.qmail@web52906.mail.yahoo.com>
Message-ID: <43E25962.4080608@redhat.com>

Susan wrote:
> Hi. Is it possible to protect the passwords & other info during transit with SSL w/o certificates? I'm not concerned with a MITM attack against the FDS or clients misrepresenting themselves, only need to encrypt the password like ssh would. Can I do it without all the cert setup business?

SSL and certs are tightly bound. If you cared to set up kerberos, a sasl bind would get you secure authentication and subsequent transport.

BTW, please start a new thread rather than changing subject text on a reply - it really messes with threaded mail readers :)

--
Pete

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3241 bytes
Desc: S/MIME Cryptographic Signature
URL:

From sboggs at trustedcs.com Thu Feb 2 19:51:13 2006
From: sboggs at trustedcs.com (Scott Boggs)
Date: Thu, 2 Feb 2006 19:51:13 +0000 (UTC)
Subject: [Fedora-directory-users] Re: One Way Sync
References: <43E22AA5.10907@boreham.org>
Message-ID:

Thanks Dave.. I will give it a try...

From richard at ltrim.com Thu Feb 2 20:56:06 2006
From: richard at ltrim.com (Richard Prescott) Date: Thu, 02 Feb 2006 15:56:06 -0500 Subject: [Fedora-directory-users] Building RPMS on 64 Bit In-Reply-To: <1138747555.31425.31.camel@bje-fc4.overstock.com> References: <1138743697.31425.8.camel@bje-fc4.overstock.com> <43DFDA9A.8050701@redhat.com> <1138747555.31425.31.camel@bje-fc4.overstock.com> Message-ID: <1138913767.27041.62.camel@mahazael.intranet.ltrim.com> I would be pleased to help on this issue if someone have something to share... Richard On Tue, 2006-01-31 at 15:45 -0700, Brett Elsmore wrote: > Cool, thanks. > > > On Tue, 2006-01-31 at 14:46 -0700, Richard Megginson wrote: > > It doesn't yet work. We're working on it. > > > > Brett Elsmore wrote: > > > > >FDUG, > > > > > >Has anyone had success building rpm's on 64 bit ? > > > > > >I am getting the following error - > > > > > >Executing(%install): /bin/sh -e /var/tmp/rpm-tmp.38067 > > >+ umask 022 > > >+ cd /usr/src/redhat/BUILD > > >+ LANG=C > > >+ export LANG > > >+ unset DISPLAY > > >+ echo yes > > >+ echo yes > > >+ ./setup -b /usr/src/redhat/BUILD//opt/fedora-ds > > >/var/tmp/rpm-tmp.38067: line 30: ./setup: No such file or directory > > >error: Bad exit status from /var/tmp/rpm-tmp.38067 (%install) > > > > > >When I look at the spec file, like 80 states - > > >(echo yes ; echo yes) | ./setup -b $RPM_BUILD_ROOT/%{prefix} > > > > > >Thanks for any assistance. > > > > > > > > >-- > > >Fedora-directory-users mailing list > > >Fedora-directory-users at redhat.com > > >https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part URL: From ahasenack at terra.com.br Fri Feb 3 02:04:01 2006 From: ahasenack at terra.com.br (Andreas Hasenack) Date: Fri, 3 Feb 2006 00:04:01 -0200 Subject: [Fedora-directory-users] Kerberos database in FDS? In-Reply-To: <43E21964.5050904@redhat.com> References: <934543038.20060202102409@polytechnique.fr> <43E21964.5050904@redhat.com> Message-ID: <200602030004.01736.ahasenack@terra.com.br> Em Quinta 02 Fevereiro 2006 12:38, Richard Megginson escreveu: > Andrey Ivanov wrote: > > >Hi, > > > >I was wondering if anyone tried a configuration with Kerberos using > >LDAP as database. After some searching it seems that MIT kerberos is > >not capable to do that. > > > Newer versions of MIT are better at this - they have more support for > pluggable databases. How newer? You are not talking about a stable release (like 1.4.x), are you? From rmeggins at redhat.com Fri Feb 3 02:50:48 2006 
From: rmeggins at redhat.com (Richard Megginson) Date: Thu, 02 Feb 2006 19:50:48 -0700 Subject: [Fedora-directory-users] Kerberos database in FDS? In-Reply-To: <200602030004.01736.ahasenack@terra.com.br> References: <934543038.20060202102409@polytechnique.fr> <43E21964.5050904@redhat.com> <200602030004.01736.ahasenack@terra.com.br> Message-ID: <43E2C508.1010306@redhat.com> Andreas Hasenack wrote: >Em Quinta 02 Fevereiro 2006 12:38, Richard Megginson escreveu: > > >>Andrey Ivanov wrote: >> >> >> >>>Hi, >>> >>>I was wondering if anyone tried a configuration with Kerberos using >>>LDAP as database. After some searching it seems that MIT kerberos is >>>not capable to do that. >>> >>> >>> >>Newer versions of MIT are better at this - they have more support for >>pluggable databases. >> >> > >How newer? You are not talking about a stable release (like 1.4.x), are you? > > I don't remember. Probably not - it's probably not stable yet. >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From Soeren.Malchow at interone.de Fri Feb 3 10:52:22 2006 
From: Soeren.Malchow at interone.de (Sören Malchow)
Date: Fri, 3 Feb 2006 11:52:22 +0100
Subject: [Fedora-directory-users] Problem with WindowsSync
In-Reply-To: <43E22A3C.1030209@boreham.org>
Message-ID:

Hi,

I can see this message when dumping network traffic between DS and AD, and when I look at the dump with ethereal this message shows up thousands of times.

Ok, one after another:

1. DS uses the AD user I used for sync to successfully bind to AD
2. The DS issues a search request for the correct Base DN
3. AD answers
   - 1st answer seems to be search result
   - 2nd to nth answer seem to be individual CNs, but in this case I can see either "Can't parse message ID: Wrong type for that item" prepended by "Invalid LDAP packet" or "Can't parse sequence header: Wrong type for that item" prepended by "Invalid LDAP message" in ethereal.

It seems as if it is not on the TCP layer, because the SYN packets look good and the ACKs later on as well.

soeren

David Boreham
Sent by: fedora-directory-users-bounces at redhat.com
02.02.2006 16:50
Please respond to david_list at boreham.org; Please respond to "General discussion list for the Fedora Directory server project."
To: "General discussion list for the Fedora Directory server project."
cc:
Subject: Re: [Fedora-directory-users] Problem with WindowsSync

Sören Malchow wrote:
> I have a problem with syncing my AD users.
>
> Everything seems to be fine, login is ok, DS can reach AD, in a tcpdump I see a search request from the DS, but afterwards there is an answer from the AD server that says
>
> "Can't parse message ID: Wrong type for that item"

Hi, can you post a bit more information about this? Where exactly do you see that message?

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From danlipsitt at gmail.com Thu Feb 2 19:44:35 2006
From: danlipsitt at gmail.com (Dan Lipsitt) Date: Thu, 2 Feb 2006 14:44:35 -0500 Subject: [Fedora-directory-users] Error start-admin In-Reply-To: <43BEE3BF.9080807@redhat.com> References: <43BAA134.5090007@redhat.com> <43BEE3BF.9080807@redhat.com> Message-ID: On 1/6/06, Richard Megginson wrote: > It may be possible to build it. > http://directory.fedora.redhat.com/wiki/Building#One-Step_Build > Try adding USE_64=1 to the make command. I tried dsbuild with USE_64=1, but I got compilation failures in mozilla, which I have pasted below. I have several questions: - Is it possible to build just the FDS parts? I already have mozilla installed. - Has anyone reported a successful x86_64 build? - Do the 32-bit rpms work on 64-bit systems? -------- compile error follows ------------ /home/dan/down/dsbuild/ds/mozilla/work/mozilla/security/nss/../../dist/Linux2.6_x86_64_glibc_PTH_64_DBG.OBJ/include/prcpucfg.h:510:2: #error "Unknown CPU architecture" In file included from /home/dan/down/dsbuild/ds/mozilla/work/mozilla/security/nss/../../dist/Linux2.6_x86_64_glibc_PTH_64_DBG.OBJ/include/pratom.h:43, from /home/dan/down/dsbuild/ds/mozilla/work/mozilla/security/nss/../../dist/Linux2.6_x86_64_glibc_PTH_64_DBG.OBJ/include/nspr.h:38, from ../../../../pr/include/private/primpl.h:66, from ../../../../pr/src/io/prfdcach.c:35: /home/dan/down/dsbuild/ds/mozilla/work/mozilla/security/nss/../../dist/Linux2.6_x86_64_glibc_PTH_64_DBG.OBJ/include/prtypes.h:274:2: #error No suitable type for PRInt8/PRUint8 /home/dan/down/dsbuild/ds/mozilla/work/mozilla/security/nss/../../dist/Linux2.6_x86_64_glibc_PTH_64_DBG.OBJ/include/prtypes.h:299:2: #error No suitable type for PRInt16/PRUint16 /home/dan/down/dsbuild/ds/mozilla/work/mozilla/security/nss/../../dist/Linux2.6_x86_64_glibc_PTH_64_DBG.OBJ/include/prtypes.h:331:2: #error No suitable type for PRInt32/PRUint32 /home/dan/down/dsbuild/ds/mozilla/work/mozilla/security/nss/../../dist/Linux2.6_x86_64_glibc_PTH_64_DBG.OBJ/include/prtypes.h:394:2: #error 
'sizeof(int)' not sufficient for platform use In file included from /home/dan/down/dsbuild/ds/mozilla/work/mozilla/security/nss/../../dist/Linux2.6_x86_64_glibc_PTH_64_DBG.OBJ/include/pratom.h:43, from /home/dan/down/dsbuild/ds/mozilla/work/mozilla/security/nss/../../dist/Linux2.6_x86_64_glibc_PTH_64_DBG.OBJ/include/nspr.h:38, from ../../../../pr/include/private/primpl.h:66, from ../../../../pr/src/io/prfdcach.c:35: /home/dan/down/dsbuild/ds/mozilla/work/mozilla/security/nss/../../dist/Linux2.6_x86_64_glibc_PTH_64_DBG.OBJ/include/prtypes.h:417: error: syntax error before "PROffset32" From rmeggins at redhat.com Fri Feb 3 14:44:15 2006 
From: rmeggins at redhat.com (Richard Megginson) Date: Fri, 03 Feb 2006 07:44:15 -0700 Subject: [Fedora-directory-users] Error start-admin In-Reply-To: References: <43BAA134.5090007@redhat.com> <43BEE3BF.9080807@redhat.com> Message-ID: <43E36C3F.3000001@redhat.com> Dan Lipsitt wrote: >On 1/6/06, Richard Megginson wrote: > > >>It may be possible to build it. >>http://directory.fedora.redhat.com/wiki/Building#One-Step_Build >>Try adding USE_64=1 to the make command. >> >> > >I tried dsbuild with USE_64=1, but I got compilation failures in >mozilla, which I have pasted below. > >I have several questions: > >- Is it possible to build just the FDS parts? I already have mozilla installed. > > No, I don't think so, unless you are prepared for some serious component fu. >- Has anyone reported a successful x86_64 build? > > Yes, but it requires a great deal of hacking. >- Do the 32-bit rpms work on 64-bit systems? > > Yes, they should. >-------- compile error follows ------------ > >/home/dan/down/dsbuild/ds/mozilla/work/mozilla/security/nss/../../dist/Linux2.6_x86_64_glibc_PTH_64_DBG.OBJ/include/prcpucfg.h:510:2: >#error "Unknown CPU architecture" >In file included from >/home/dan/down/dsbuild/ds/mozilla/work/mozilla/security/nss/../../dist/Linux2.6_x86_64_glibc_PTH_64_DBG.OBJ/include/pratom.h:43, > from >/home/dan/down/dsbuild/ds/mozilla/work/mozilla/security/nss/../../dist/Linux2.6_x86_64_glibc_PTH_64_DBG.OBJ/include/nspr.h:38, > from ../../../../pr/include/private/primpl.h:66, > from ../../../../pr/src/io/prfdcach.c:35: >/home/dan/down/dsbuild/ds/mozilla/work/mozilla/security/nss/../../dist/Linux2.6_x86_64_glibc_PTH_64_DBG.OBJ/include/prtypes.h:274:2: >#error No suitable type for PRInt8/PRUint8 >/home/dan/down/dsbuild/ds/mozilla/work/mozilla/security/nss/../../dist/Linux2.6_x86_64_glibc_PTH_64_DBG.OBJ/include/prtypes.h:299:2: >#error No suitable type for PRInt16/PRUint16 
>/home/dan/down/dsbuild/ds/mozilla/work/mozilla/security/nss/../../dist/Linux2.6_x86_64_glibc_PTH_64_DBG.OBJ/include/prtypes.h:331:2: >#error No suitable type for PRInt32/PRUint32 >/home/dan/down/dsbuild/ds/mozilla/work/mozilla/security/nss/../../dist/Linux2.6_x86_64_glibc_PTH_64_DBG.OBJ/include/prtypes.h:394:2: >#error 'sizeof(int)' not sufficient for platform use >In file included from >/home/dan/down/dsbuild/ds/mozilla/work/mozilla/security/nss/../../dist/Linux2.6_x86_64_glibc_PTH_64_DBG.OBJ/include/pratom.h:43, > from >/home/dan/down/dsbuild/ds/mozilla/work/mozilla/security/nss/../../dist/Linux2.6_x86_64_glibc_PTH_64_DBG.OBJ/include/nspr.h:38, > from ../../../../pr/include/private/primpl.h:66, > from ../../../../pr/src/io/prfdcach.c:35: >/home/dan/down/dsbuild/ds/mozilla/work/mozilla/security/nss/../../dist/Linux2.6_x86_64_glibc_PTH_64_DBG.OBJ/include/prtypes.h:417: >error: syntax error before "PROffset32" > >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From david_list at boreham.org Fri Feb 3 15:45:40 2006 
From: david_list at boreham.org (David Boreham)
Date: Fri, 03 Feb 2006 08:45:40 -0700
Subject: [Fedora-directory-users] Problem with WindowsSync
In-Reply-To:
References:
Message-ID: <43E37AA4.5030602@boreham.org>

Sören Malchow wrote:
>
> I can see this message when dumping network traffic between DS and AD, and when I look at the dump with ethereal this message shows up thousands of times.
>
> Ok, one after another:
>
> 1. DS uses the AD user I used for sync to successfully bind to AD
>
> 2. The DS issues a search request for the correct Base DN
>
> 3. AD answers
>
> - 1st answer seems to be search result
> - 2nd to nth answer seem to be individual CNs, but in this case I can see either
>
> "Can't parse message ID: Wrong type for that item" prepended by "Invalid LDAP packet"
> or
> "Can't parse sequence header: Wrong type for that item" prepended by "Invalid LDAP message"
>
> in ethereal.
>

Ah, I see. I'd suspect a bug in ethereal: I've used it to decode the protocol stream between FDS and AD more times than I can remember, and haven't seen that error. It's as if ethereal is not decoding the packet correctly. Are you running a recent version of ethereal?

From sboggs at trustedcs.com Fri Feb 3 17:59:05 2006
From: sboggs at trustedcs.com (Scott Boggs)
Date: Fri, 3 Feb 2006 17:59:05 +0000 (UTC)
Subject: [Fedora-directory-users] POSTFIX and Prefilled data

Hello,

I am looking into a method of automating POSTFIX attributes being added to a user who is populated into the FDS from Active Directory with the windows/password sync capability provided by FDS. Is there any sort of plug-in that already exists which could do this? Or is there a method to pre-fill most of the POSIX fields which do not change often (home dir, user shell etc.)?

I am hoping that I do not have to use a third party application or self-made scripts to accomplish this. It would be nice if I can continue to use the server's administrative GUI.

On the subject of having to use an alternate method to control POSIX information, if it turns out that I won't be able to use an automated method within the FDS's console, I am thinking of pulling the server away from the console. If the choice is to pull the console functionality out of my FDS installation, how will that affect my ability to perform the replication functions needed for account and password synchronization?

Thanks for your time

From rmeggins at redhat.com Fri Feb 3 18:05:09 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 03 Feb 2006 11:05:09 -0700
Subject: [Fedora-directory-users] POSTFIX and Prefilled data
Message-ID: <43E39B55.5030703@redhat.com>

Scott Boggs wrote:
>Hello,
>
> I am looking into a method of automating POSTFIX attributes being added to a
>user who is populated into the FDS from Active Directory with the
>windows/password sync capability provided by FDS. Is there any sort of plug-in
>that already exists which could do this? Or is there a method to pre-fill most
>of the POSIX fields which do not change often (home dir, user shell etc.)?
>
No, not that I know of, unless 3rd party products like Directory Administrator or GQ can do this. You would have to write a post-op add plug-in http://directory.fedora.redhat.com/wiki/Plugins to have this done automatically when the new entries are added.

> I am hoping that I do not have to use a third party application or self-made
>scripts to accomplish this. It would be nice if I can continue to use the server's
>administrative GUI.
>
The console can't do this either, but then it's a lot more work to have to edit each person manually with the GUI after they have been copied over from AD.

>On the subject of having to use an alternate method to control POSIX information,
>if it turns out that I won't be able to use an automated method within the FDS's
>console, I am thinking of pulling the server away from the console. If the
>choice is to pull the console functionality out of my FDS installation, how will
>that affect my ability to perform the replication functions needed for account
>and password synchronization?
>
I'm not sure what you mean here. Why would not having an automated method of filling in POSIX information mean you would have to get rid of the console altogether? The console has many, many other features other than just editing user/group information.
Every feature of the server can be administered in 3 ways: using the console; using LDAP commands (from a script or using ldapmodify); shutting down the server and editing config/dse.ldif.

>Thanks for your time
>

From Soeren.Malchow at interone.de Sat Feb 4 09:06:06 2006
From: Soeren.Malchow at interone.de (Sören Malchow)
Date: Sat, 4 Feb 2006 10:06:06 +0100
Subject: [Fedora-directory-users] Problem with WindowsSync
In-Reply-To: <43E37AA4.5030602@boreham.org>

Yes, I am running 0.10.13, which is almost the newest I think.

Do you have any other idea how to debug this issue, since there is nothing in the logs?

soeren

David Boreham (sent by fedora-directory-users-bounces at redhat.com) wrote on 03.02.2006 16:45, Subject: Re: [Fedora-directory-users] Problem with WindowsSync:

Sören Malchow wrote:
>
> I can see this message when dumping network traffic between DS and AD,
> and when I look at the dump with ethereal this message shows up
> thousands of times.
>
> Ok, one after another
>
> 1. DS uses the AD user I used for sync to successfully bind to AD
>
> 2. The DS issues a search request for the correct Base DN
>
> 3. AD answers
>
>    - 1. answer seems to be search result
>    - 2. - nth answer seems to be individual CNs, but in this case
>      I can see either
>
>      "Can't parse message ID: Wrong type for that item"
>      prepended by "Invalid LDAP packet"
>      or
>      "Can't parse sequence header: Wrong type for that
>      item" prepended by "Invalid LDAP message"
>
>      in ethereal.
>
Ah, I see. I'd suspect a bug in ethereal: I've used it to decode the protocol stream between FDS and AD more times than I can remember, and haven't seen that error. It's as if ethereal is not decoding the packet correctly. Are you running a recent version of ethereal?

From logastellus at yahoo.com Mon Feb 6 16:28:34 2006
From: logastellus at yahoo.com (Susan)
Date: Mon, 6 Feb 2006 08:28:34 -0800 (PST)
Subject: [Fedora-directory-users] autofs & FDS
Message-ID: <20060206162834.38720.qmail@web52904.mail.yahoo.com>

Hi, all. Is there a faq entry/how-to on how to serve automount maps with FDS?

It seems that I need the automount objectClass but where is the schema supporting that? I found this one:

http://people.redhat.com/nalin/schema/autofs.schema

is that what folks normally use? It seems that cosine.schema is a requirement.. should I steal that from an openldap rpm?

Can the 10rfc2307 schema be used somehow? It comes with FDS which is nice but it's got all that nis stuff in there, not sure how relevant that would be with linux clients...

Thanks for your help.

From flgomes at fazenda.sp.gov.br Mon Feb 6 17:36:47 2006
From: flgomes at fazenda.sp.gov.br (Fabio Gomes)
Date: Mon, 6 Feb 2006 15:36:47 -0200
Subject: [Fedora-directory-users] Searchable archive
Message-ID: <200602061536.47110.flgomes@fazenda.sp.gov.br>

Hi list,

Is there a searchable archive for this mailing list?

I don't want to bother you all with redundant questions.

Thx

From mj at sci.fi Mon Feb 6 17:27:49 2006
From: mj at sci.fi (Mike Jackson)
Date: Mon, 06 Feb 2006 19:27:49 +0200
Subject: [Fedora-directory-users] autofs & FDS
In-Reply-To: <20060206162834.38720.qmail@web52904.mail.yahoo.com>
References: <20060206162834.38720.qmail@web52904.mail.yahoo.com>
Message-ID: <43E78715.3070400@sci.fi>

Susan wrote:
> Hi, all. Is there a faq entry/how-to on how to serve automount maps with FDS?
>
> It seems that I need the automount objectClass but where is the schema supporting that? I found
> this one:
>
> http://people.redhat.com/nalin/schema/autofs.schema

That schema can be used stand-alone in FDS. Just convert it with my script, and restart the FDS service:

# ol-schema-migrate.pl autofs.schema > 80autofs.ldif
# mv 80autofs.ldif /opt/fedora-ds/slapd-`hostname`/config/schema
# /opt/fedora-ds/slapd-`hostname`/restart-slapd

--
mike

From mj at sci.fi Mon Feb 6 17:28:25 2006
From: mj at sci.fi (Mike Jackson)
Date: Mon, 06 Feb 2006 19:28:25 +0200
Subject: [Fedora-directory-users] Searchable archive
In-Reply-To: <200602061536.47110.flgomes@fazenda.sp.gov.br>
References: <200602061536.47110.flgomes@fazenda.sp.gov.br>
Message-ID: <43E78739.9070308@sci.fi>

Fabio Gomes wrote:
> Hi list,
>
> Is there a searchable archive for this mailing list?
>
> I don't want to bother you all with redundant questions.

No, sadly, there is not.

--
mike

From nkinder at redhat.com Mon Feb 6 17:36:25 2006
From: nkinder at redhat.com (Nathan Kinder)
Date: Mon, 06 Feb 2006 09:36:25 -0800
Subject: [Fedora-directory-users] Searchable archive
In-Reply-To: <200602061536.47110.flgomes@fazenda.sp.gov.br>
References: <200602061536.47110.flgomes@fazenda.sp.gov.br>
Message-ID: <43E78919.3070601@redhat.com>

Fabio Gomes wrote:
>Hi list,
>
> Is there a searchable archive for this mailing list?
>
There are archives available for online browsing as well as downloading at:

https://www.redhat.com/archives/fedora-directory-users

There is not an online search capability.

-NGK

> I don't want to bother you all with redundant questions.
>
> Thx
>

From ch at code-heads.com Mon Feb 6 17:40:28 2006
From: ch at code-heads.com (CodeHeads)
Date: Mon, 06 Feb 2006 12:40:28 -0500
Subject: [Fedora-directory-users] Searchable archive
In-Reply-To: <43E78919.3070601@redhat.com>
References: <200602061536.47110.flgomes@fazenda.sp.gov.br> <43E78919.3070601@redhat.com>
Message-ID: <1139247629.2886.1.camel@FC5>

On Mon, 2006-02-06 at 09:36 -0800, Nathan Kinder wrote:
> Fabio Gomes wrote:
>
> >Hi list,
> >
> > Is there a searchable archive for this mailing list?
> >
> There are archives available for online browsing as well as downloading at:
>
> https://www.redhat.com/archives/fedora-directory-users
>
> There is not an online search capability.
>
> -NGK
>
> > I don't want to bother you all with redundant questions.
> >
> > Thx

Use google like this:
search string site:https://www.redhat.com/archives/fedora-directory-users

That should work.

--
Best regards,
~WILL~
Public Key: 0xC8E166BB
Key: http://code-heads.com/keys/ch1.asc
Linux Registered User: 406084 (http://counter.li.org/)

From flgomes at fazenda.sp.gov.br Mon Feb 6 18:16:42 2006
From: flgomes at fazenda.sp.gov.br (Fabio Gomes)
Date: Mon, 6 Feb 2006 16:16:42 -0200
Subject: [Fedora-directory-users] Searchable archive
In-Reply-To: <1139247629.2886.1.camel@FC5>
References: <200602061536.47110.flgomes@fazenda.sp.gov.br> <43E78919.3070601@redhat.com> <1139247629.2886.1.camel@FC5>
Message-ID: <200602061616.42674.flgomes@fazenda.sp.gov.br>

On Mon 06 Feb 2006 15:40, CodeHeads wrote:
> On Mon, 2006-02-06 at 09:36 -0800, Nathan Kinder wrote:
> > Fabio Gomes wrote:
> > >
> > > Is there a searchable archive for this mailing list?
> >
> > There are archives available for online browsing as well as downloading
> > at:
> >
> > https://www.redhat.com/archives/fedora-directory-users
> >
> > There is not an online search capability.
> >
> > > I don't want to bother you all with redundant questions.
> > >
>
> Use google like this:
> search string
> site:https://www.redhat.com/archives/fedora-directory-users
>
> That should work.

Ok, guys. Thank you all.

From mj at sci.fi Mon Feb 6 18:07:54 2006
From: mj at sci.fi (Mike Jackson)
Date: Mon, 06 Feb 2006 20:07:54 +0200
Subject: [Fedora-directory-users] Searchable archive
In-Reply-To: <1139247629.2886.1.camel@FC5>
References: <200602061536.47110.flgomes@fazenda.sp.gov.br> <43E78919.3070601@redhat.com> <1139247629.2886.1.camel@FC5>
Message-ID: <43E7907A.1050802@sci.fi>

CodeHeads wrote:
> Use google like this:
> search string
> site:https://www.redhat.com/archives/fedora-directory-users
>
> That should work.

It does work; I just tested it. That is an ingenious idea! Too bad I never thought of using it before for mailman archives.

We could even put a "search archives" box on the wiki, which would do that type of google search...

--
mike

From flgomes at fazenda.sp.gov.br Mon Feb 6 18:34:54 2006
From: flgomes at fazenda.sp.gov.br (Fabio Gomes)
Date: Mon, 6 Feb 2006 16:34:54 -0200
Subject: [Fedora-directory-users] Searchable archive
In-Reply-To: <43E7907A.1050802@sci.fi>
References: <200602061536.47110.flgomes@fazenda.sp.gov.br> <1139247629.2886.1.camel@FC5> <43E7907A.1050802@sci.fi>
Message-ID: <200602061634.54584.flgomes@fazenda.sp.gov.br>

On Mon 06 Feb 2006 16:07, Mike Jackson wrote:
> CodeHeads wrote:
> > Use google like this:
> > search string
> > site:https://www.redhat.com/archives/fedora-directory-users
> >
> > That should work.
>
> It does work; I just tested it. That is an ingenious idea! Too bad I
> never thought of using it before for mailman archives.
>
> We could even put a "search archives" box on the wiki, which would do
> that type of google search...
>
> --
> mike

What about MARC mailing list archives?

http://marc.theaimsgroup.com/?q=about#Add

Bye

From flgomes at fazenda.sp.gov.br Mon Feb 6 18:35:08 2006
From: flgomes at fazenda.sp.gov.br (Fabio Gomes)
Date: Mon, 6 Feb 2006 16:35:08 -0200
Subject: [Fedora-directory-users] Cases
Message-ID: <200602061635.09044.flgomes@fazenda.sp.gov.br>

Hi again,

I'm about to migrate our Sun One DS to Fedora DS. The tests executed in my lab were pretty satisfactory. But I would like to hear your experiences with that software in production systems:

- How long have you been running FDS?
- How many entries?
- Did anyone migrate from Sun DS to FDS?

I would really appreciate your comments.

Thx.

From logastellus at yahoo.com Mon Feb 6 18:35:17 2006
From: logastellus at yahoo.com (Susan)
Date: Mon, 6 Feb 2006 10:35:17 -0800 (PST)
Subject: [Fedora-directory-users] autofs & FDS
In-Reply-To: <43E78715.3070400@sci.fi>
Message-ID: <20060206183517.21229.qmail@web52906.mail.yahoo.com>

--- Mike Jackson wrote:
> > http://people.redhat.com/nalin/schema/autofs.schema
>
> That schema can be used stand-alone in FDS. Just convert it with my
> script, and restart the FDS service:
>
> # ol-schema-migrate.pl autofs.schema > 80autofs.ldif
> # mv 80autofs.ldif /opt/fedora-ds/slapd-`hostname`/config/schema
> # /opt/fedora-ds/slapd-`hostname`/restart-slapd
>

Thanks.

However, I now get this:

[root@cnyldap01 schema]# /opt/fedora-ds/slapd-cnyldap01/restart-slapd
[06/Feb/2006:13:34:09 -0500] dse - The entry cn=schema in file /opt/fedora-ds/slapd-cnyldap01/config/schema/80autofs.ldif is invalid, error code 20 (Type or value exists) - object class automount: The OID "1.3.6.1.1.1.1.9" is also used by the attribute type "shadowInactive"

Have you seen this error before?

From logastellus at yahoo.com Mon Feb 6 18:36:35 2006
From: logastellus at yahoo.com (Susan)
Date: Mon, 6 Feb 2006 10:36:35 -0800 (PST)
Subject: [Fedora-directory-users] Searchable archive
In-Reply-To: <200602061536.47110.flgomes@fazenda.sp.gov.br>
Message-ID: <20060206183635.65717.qmail@web52903.mail.yahoo.com>

--- Fabio Gomes wrote:
> Hi list,
>
> Is there a searchable archive for this mailing list?
>
> I don't want to bother you all with redundant questions.
>
> Thx

http://www.mail-archive.com/

From flgomes at fazenda.sp.gov.br Mon Feb 6 18:45:48 2006
From: flgomes at fazenda.sp.gov.br (Fabio Gomes)
Date: Mon, 6 Feb 2006 16:45:48 -0200
Subject: [Fedora-directory-users] Searchable archive
In-Reply-To: <20060206183635.65717.qmail@web52903.mail.yahoo.com>
References: <20060206183635.65717.qmail@web52903.mail.yahoo.com>
Message-ID: <200602061645.48696.flgomes@fazenda.sp.gov.br>

On Mon 06 Feb 2006 16:36, Susan wrote:
> --- Fabio Gomes wrote:
> > Hi list,
> >
> > Is there a searchable archive for this mailing list?
> >
> > I don't want to bother you all with redundant questions.
> >
> > Thx
>
> http://www.mail-archive.com/
>

Yay. I had forgotten about mail-archive.com. Thank you.

From prowley at redhat.com Mon Feb 6 19:04:57 2006
From: prowley at redhat.com (Pete Rowley)
Date: Mon, 06 Feb 2006 11:04:57 -0800
Subject: [Fedora-directory-users] autofs & FDS
In-Reply-To: <20060206183517.21229.qmail@web52906.mail.yahoo.com>
References: <20060206183517.21229.qmail@web52906.mail.yahoo.com>
Message-ID: <43E79DD9.9060003@redhat.com>

Susan wrote:
>--- Mike Jackson wrote:
>
>>>http://people.redhat.com/nalin/schema/autofs.schema
>>>
>>That schema can be used stand-alone in FDS. Just convert it with my
>>script, and restart the FDS service:
>>
>># ol-schema-migrate.pl autofs.schema > 80autofs.ldif
>># mv 80autofs.ldif /opt/fedora-ds/slapd-`hostname`/config/schema
>># /opt/fedora-ds/slapd-`hostname`/restart-slapd
>>
>
>Thanks.
>
>However, I now get this:
>[root@cnyldap01 schema]# /opt/fedora-ds/slapd-cnyldap01/restart-slapd
>[06/Feb/2006:13:34:09 -0500] dse - The entry cn=schema in file
>/opt/fedora-ds/slapd-cnyldap01/config/schema/80autofs.ldif is invalid, error code 20 (Type or
>value exists) - object class automount: The OID "1.3.6.1.1.1.1.9" is also used by the attribute
>type "shadowInactive"
>
>Have you seen this error before?
>
It is conflicting with the RFC2307 schema. I don't know how this stuff perpetuates (and this nonsense is everywhere, I have seen at least two phony OIDs for this attribute alone) - but the automount attribute in the linked schema has an OID stolen from RFC2307 and assigned by IANA to shadowInactive.
RFC2307bis is the first document to mention automount, and it designates automount schema thus:

Attributetypes:

( 1.3.6.1.1.1.1.31 NAME 'automountMapName'
  DESC 'automount Map Name'
  EQUALITY caseExactIA5Match
  SUBSTR caseExactIA5SubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

( 1.3.6.1.1.1.1.32 NAME 'automountKey'
  DESC 'Automount Key value'
  EQUALITY caseExactIA5Match
  SUBSTR caseExactIA5SubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

( 1.3.6.1.1.1.1.33 NAME 'automountInformation'
  DESC 'Automount information'
  EQUALITY caseExactIA5Match
  SUBSTR caseExactIA5SubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

Objectclasses:

( 1.3.6.1.1.1.2.16 NAME 'automountMap' SUP top STRUCTURAL
  MUST ( automountMapName )
  MAY description )

( 1.3.6.1.1.1.2.17 NAME 'automount' SUP top STRUCTURAL
  DESC 'Automount information'
  MUST ( automountKey $ automountInformation )
  MAY description )

--
Pete

From logastellus at yahoo.com Mon Feb 6 19:59:23 2006
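The OID clash Pete describes (and the error code 20 Susan hit when the server loaded 80autofs.ldif) can be caught before a converted schema file is dropped into config/schema. The following is an added example, not code from the list or from Fedora Directory Server: it parses the "( OID NAME '...' ..." heads of attributeTypes/objectClasses lines and reports OID or name reuse in the wording of the server's "Type or value exists" error. The shadowInactive definition and the MUST/MAY part of the rejected automount class are constructed for the example; only their OIDs and names come from the thread.

```python
import re

# Schema fragments in the "attributeTypes: ( OID NAME 'name' ... )" style
# used by FDS' config/schema/*.ldif files.
# RFC 2307 fragment: only the OID and name of shadowInactive come from the
# thread; the rest of the definition is constructed for this example.
RFC2307_FRAGMENT = """
attributeTypes: ( 1.3.6.1.1.1.1.9 NAME 'shadowInactive' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
"""

# The object class the server rejected: OID 1.3.6.1.1.1.1.9 reused for
# 'automount' (OID and name from the error message, MUST/MAY constructed).
BOGUS_AUTOFS_FRAGMENT = """
objectClasses: ( 1.3.6.1.1.1.1.9 NAME 'automount' DESC 'Automount information' SUP top STRUCTURAL MUST ( cn $ automountInformation ) MAY description )
"""

# The RFC2307bis definitions quoted above, written one element per line.
RFC2307BIS_FRAGMENT = """
attributeTypes: ( 1.3.6.1.1.1.1.31 NAME 'automountMapName' DESC 'automount Map Name' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.1.1.1.32 NAME 'automountKey' DESC 'Automount Key value' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.1.1.1.33 NAME 'automountInformation' DESC 'Automount information' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectClasses: ( 1.3.6.1.1.1.2.16 NAME 'automountMap' SUP top STRUCTURAL MUST ( automountMapName ) MAY description )
objectClasses: ( 1.3.6.1.1.1.2.17 NAME 'automount' SUP top STRUCTURAL DESC 'Automount information' MUST ( automountKey $ automountInformation ) MAY description )
"""

# Matches the head of a schema element: kind, numeric OID and NAME (either a
# single quoted name or a parenthesised list of names). Not a full RFC 4512
# parser; it is enough for the OID/name bookkeeping done here.
_ELEMENT = re.compile(
    r"^(?P<kind>attributeTypes|objectClasses):\s*\(\s*(?P<oid>[0-9.]+)\s+"
    r"NAME\s+(?:'(?P<name>[^']+)'|\(\s*(?P<names>[^)]*)\))",
    re.IGNORECASE | re.MULTILINE,
)

KIND_LABEL = {"attributetypes": "attribute type", "objectclasses": "object class"}


def parse_schema(text):
    """Return a list of (kind, oid, primary_name) for every element in text."""
    elements = []
    for m in _ELEMENT.finditer(text):
        kind = KIND_LABEL[m.group("kind").lower()]
        if m.group("name"):
            name = m.group("name")
        else:
            name = m.group("names").replace("'", "").split()[0]
        elements.append((kind, m.group("oid"), name))
    return elements


def check_schema_load(loaded_text, new_text):
    """Simulate loading new_text on top of loaded_text.

    Every OID must be unique across attribute types and object classes, and
    every name must be unique within its kind; a violation is reported in the
    wording of the server's error 20 (Type or value exists). Returns the list
    of error strings (empty when the new schema would load cleanly).
    """
    by_oid = {}
    by_name = {}
    for kind, oid, name in parse_schema(loaded_text):
        by_oid[oid] = (kind, name)
        by_name[(kind, name.lower())] = oid

    errors = []
    for kind, oid, name in parse_schema(new_text):
        if oid in by_oid:
            other_kind, other_name = by_oid[oid]
            errors.append(
                f'{kind} {name}: The OID "{oid}" is also used by the '
                f'{other_kind} "{other_name}"'
            )
        elif (kind, name.lower()) in by_name:
            errors.append(
                f'{kind} {name}: the name is already defined with OID '
                f'"{by_name[(kind, name.lower())]}"'
            )
        else:
            by_oid[oid] = (kind, name)
            by_name[(kind, name.lower())] = oid
    return errors


if __name__ == "__main__":
    for label, new in (("linked autofs.schema", BOGUS_AUTOFS_FRAGMENT),
                       ("RFC2307bis", RFC2307BIS_FRAGMENT)):
        problems = check_schema_load(RFC2307_FRAGMENT, new)
        print(f"{label}: {'OK' if not problems else 'REJECTED'}")
        for p in problems:
            print("  ", p)
```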
From: logastellus at yahoo.com (Susan)
Date: Mon, 6 Feb 2006 11:59:23 -0800 (PST)
Subject: [Fedora-directory-users] autofs & FDS
In-Reply-To: <43E79DD9.9060003@redhat.com>
Message-ID: <20060206195923.59819.qmail@web52911.mail.yahoo.com>

--- Pete Rowley wrote:
> Susan wrote:
> >However, I now get this:
> >[root@cnyldap01 schema]# /opt/fedora-ds/slapd-cnyldap01/restart-slapd
> >[06/Feb/2006:13:34:09 -0500] dse - The entry cn=schema in file
> >/opt/fedora-ds/slapd-cnyldap01/config/schema/80autofs.ldif is invalid, error code 20 (Type or
> >value exists) - object class automount: The OID "1.3.6.1.1.1.1.9" is also used by the attribute
> >type "shadowInactive"
> >
> >Have you seen this error before?
> >
> It is conflicting with the RFC2307 schema. I don't know how this stuff
> perpetuates (and this nonsense is everywhere, I have seen at least two
> phony OIDs for this attribute alone) - but the automount attribute in
> the linked schema has an OID stolen from RFC2307 and assigned by IANA to
> shadowInactive.

Got it. The problem is that the schema above is provided by what looks like a Redhat employee which lends some credence to it.

> RFC2307bis is the first document to mention automount, and it designates
> automount schema thus:

so, should I just use the RFC2307bis schema then? I mean, looks like this RFC has expired and there doesn't seem to be a replacement for the autofs attributes and object classes.

Uhm.. What's a gal to do then???

From gholbert at broadcom.com Mon Feb 6 20:26:29 2006
From: gholbert at broadcom.com (George Holbert)
Date: Mon, 06 Feb 2006 12:26:29 -0800
Subject: [Fedora-directory-users] autofs & FDS
In-Reply-To: <20060206195923.59819.qmail@web52911.mail.yahoo.com>
References: <20060206195923.59819.qmail@web52911.mail.yahoo.com>
Message-ID: <43E7B0F5.2040103@broadcom.com>

>
> Uhm.. What's a gal to do then???

AFAIK, there isn't yet a perfect answer, mostly because automount schema is not standard yet (though rfc2307bis is/was a proposed standard).

If you are only supporting Linux clients, you probably don't need additional autofs schema. Linux autofs (at least in RedHat/Fedora) will look for objects with objectclass 'nisObject' when looking up automount info. This method dates back to the original RFC2307 (non-bis version), and might make your life easier as long as you don't expect to add Solaris clients to your environment.

If you are supporting Solaris clients, you WILL need the 2307bis style automount schema, although Sun's version is NOT identical to the one at http://people.redhat.com/nalin/schema/autofs.schema. You can find the Solaris automount schema embedded in their 'idsconfig' script:

http://cvs.opensolaris.org/source/xref/on/usr/src/cmd/ldap/ns_ldap/idsconfig.sh

Some more discussions about storing automount info in a directory can be found at http://www.ldapguru.org, e.g.:

http://www.ldapguru.org/modules/newbb/viewtopic.php?viewmode=flat&topic_id=2029&forum=6

Hopefully this will be a lot more straightforward in a few years, but for now the standard is a work-in-progress.
--
George

Susan wrote:
> --- Pete Rowley wrote:
>> Susan wrote:
>>> However, I now get this:
>>> [root@cnyldap01 schema]# /opt/fedora-ds/slapd-cnyldap01/restart-slapd
>>> [06/Feb/2006:13:34:09 -0500] dse - The entry cn=schema in file
>>> /opt/fedora-ds/slapd-cnyldap01/config/schema/80autofs.ldif is invalid, error code 20 (Type or
>>> value exists) - object class automount: The OID "1.3.6.1.1.1.1.9" is also used by the attribute
>>> type "shadowInactive"
>>>
>>> Have you seen this error before?
>>>
>> It is conflicting with the RFC2307 schema. I don't know how this stuff
>> perpetuates (and this nonsense is everywhere, I have seen at least two
>> phony OIDs for this attribute alone) - but the automount attribute in
>> the linked schema has an OID stolen from RFC2307 and assigned by IANA to
>> shadowInactive.
>>
>
> Got it. The problem is that the schema above is provided by what looks like a Redhat employee
> which lends some credence to it.
>
>> RFC2307bis is the first document to mention automount, and it designates
>> automount schema thus:
>>
>
> so, should I just use the RFC2307bis schema then? I mean, looks like this RFC has expired and
> there doesn't seem to be a replacement for the autofs attributes and object classes.
>
> Uhm.. What's a gal to do then???
>

From clonay at free.fr Tue Feb 7 15:43:13 2006
From: clonay at free.fr (Yann)
Date: Tue, 07 Feb 2006 10:43:13 -0500
Subject: [Fedora-directory-users] Certificate authentication with SASL External
Message-ID: <1139326993.43e8c011a579e@imp6-g19.free.fr>

Hi all!

I use Fedora Directory Server 7.1 on Solaris 9, works great :-)
I use certificate authentication on SSL with the SASL EXTERNAL method, works great when the corresponding DN entry (from the certificate) exists in the LDAP directory.

So, I tried to find a way to do that when no corresponding entry exists... but I can't find how to...
I tried SASL mapping...
special ACL perhaps?

I know it's possible because that works with OpenLDAP (or perhaps it's a bug :-)

So, has anyone successfully bound with certificate authentication using the SASL EXTERNAL method without a corresponding LDAP entry?

Thanks

Yann

Log ko without entry:

[06/Feb/2006:22:13:02 +0000] conn=6 SSL 128-bit RC4; client CN=toto titi,OU=TEST,O=TEST; issuer O=TEST
[06/Feb/2006:22:13:02 +0000] conn=6 SSL failed to map client certificate to LDAP DN (No such object)
[06/Feb/2006:22:13:02 +0000] conn=6 op=0 BIND dn="cn=toto titi,OU=TEST,o=TEST" method=sasl version=3 mech=EXTERNAL
[06/Feb/2006:22:13:02 +0000] conn=6 op=0 RESULT err=49 tag=97 nentries=0 etime=0

Log ok with a corresponding entry:

[06/Feb/2006:16:16:58 +0000] conn=108 SSL 128-bit RC4; client CN=toto titi,OU=TEST,O=TEST; issuer O=TEST
[06/Feb/2006:16:16:58 +0000] conn=108 SSL client bound as cn=toto titi,ou=TEST,o=TEST
[06/Feb/2006:16:16:58 +0000] conn=108 op=0 BIND dn="cn=toto titi,ou=TEST,o=TEST" method=sasl version=3 mech=EXTERNAL

From rmeggins at redhat.com Tue Feb 7 15:48:21 2006
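The two access-log excerpts above differ in exactly one line per connection: "SSL failed to map client certificate to LDAP DN" followed by RESULT err=49, versus "SSL client bound as ...". As an added example (not code from the list or from Fedora Directory Server), here is a small access-log correlator that folds the SSL, BIND and RESULT lines of each conn= into one record and lists the EXTERNAL binds whose certificate could not be mapped to an entry. The sample log is Yann's, plus one constructed RESULT line for conn=108, which the original post does not include.

```python
import re

# Access-log lines as quoted in the post (conn=6 failing, conn=108 working).
# The RESULT line for conn=108 is constructed for this example; the original
# post stops at the BIND line for that connection.
SAMPLE_LOG = """\
[06/Feb/2006:22:13:02 +0000] conn=6 SSL 128-bit RC4; client CN=toto titi,OU=TEST,O=TEST; issuer O=TEST
[06/Feb/2006:22:13:02 +0000] conn=6 SSL failed to map client certificate to LDAP DN (No such object)
[06/Feb/2006:22:13:02 +0000] conn=6 op=0 BIND dn="cn=toto titi,OU=TEST,o=TEST" method=sasl version=3 mech=EXTERNAL
[06/Feb/2006:22:13:02 +0000] conn=6 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[06/Feb/2006:16:16:58 +0000] conn=108 SSL 128-bit RC4; client CN=toto titi,OU=TEST,O=TEST; issuer O=TEST
[06/Feb/2006:16:16:58 +0000] conn=108 SSL client bound as cn=toto titi,ou=TEST,o=TEST
[06/Feb/2006:16:16:58 +0000] conn=108 op=0 BIND dn="cn=toto titi,ou=TEST,o=TEST" method=sasl version=3 mech=EXTERNAL
[06/Feb/2006:16:16:58 +0000] conn=108 op=0 RESULT err=0 tag=97 nentries=0 etime=0
"""

# One regex for the common "[timestamp] conn=N rest" prefix, then one per
# kind of line that matters for a certificate bind.
_LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")
_CLIENT = re.compile(r"^SSL .*; client (?P<subject>.*); issuer (?P<issuer>.*)$")
_MAP_FAIL = re.compile(r"^SSL failed to map client certificate to LDAP DN \((?P<reason>[^)]*)\)$")
_BOUND = re.compile(r"^SSL client bound as (?P<dn>.*)$")
_BIND = re.compile(r'^op=\d+ BIND dn="(?P<dn>[^"]*)" .*\bmech=(?P<mech>\S+)')
_RESULT = re.compile(r"^op=\d+ RESULT err=(?P<err>\d+)")

LDAP_INVALID_CREDENTIALS = 49  # the err= value in the failing RESULT line


def _new_record():
    return {"subject": None, "issuer": None, "mapped_dn": None,
            "map_error": None, "bind_dn": None, "mech": None, "err": None}


def summarize_connections(log_text):
    """Fold the SSL/BIND/RESULT lines of each conn= into one record."""
    conns = {}
    for line in log_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        rec = conns.setdefault(m.group("conn"), _new_record())
        rest = m.group("rest")
        if (c := _CLIENT.match(rest)):
            rec["subject"], rec["issuer"] = c.group("subject"), c.group("issuer")
        elif (f := _MAP_FAIL.match(rest)):
            rec["map_error"] = f.group("reason")
        elif (b := _BOUND.match(rest)):
            rec["mapped_dn"] = b.group("dn")
        elif (bd := _BIND.match(rest)):
            rec["bind_dn"], rec["mech"] = bd.group("dn"), bd.group("mech")
        elif (r := _RESULT.match(rest)):
            rec["err"] = int(r.group("err"))
    return conns


def certificate_mapping_failures(log_text):
    """Connections where a client certificate was presented for an EXTERNAL
    bind, the server could not map it to an entry, and the bind was refused
    with err=49. Returns (conn, subject, issuer, reason) tuples."""
    failures = []
    for conn, rec in summarize_connections(log_text).items():
        if (rec["mech"] == "EXTERNAL" and rec["map_error"]
                and rec["err"] == LDAP_INVALID_CREDENTIALS):
            failures.append((conn, rec["subject"], rec["issuer"], rec["map_error"]))
    return failures


if __name__ == "__main__":
    for conn, subject, issuer, reason in certificate_mapping_failures(SAMPLE_LOG):
        print(f"conn={conn}: certificate {subject!r} (issuer {issuer!r}) not mapped: {reason}")
```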
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 07 Feb 2006 08:48:21 -0700
Subject: [Fedora-directory-users] Certificate authentication with SASL External
In-Reply-To: <1139326993.43e8c011a579e@imp6-g19.free.fr>
References: <1139326993.43e8c011a579e@imp6-g19.free.fr>
Message-ID: <43E8C145.3090501@redhat.com>

Does this help - http://directory.fedora.redhat.com/wiki/Howto:CertMapping

Yann wrote:
>Hi all!
>
>I use Fedora Directory Server 7.1 on Solaris 9, works great :-)
>I use certificate authentication on SSL with the SASL EXTERNAL method, works great
>when the corresponding DN entry (from the certificate) exists in the LDAP directory.
>
>So, I tried to find a way to do that when no corresponding entry exists... but I
>can't find how to...
>I tried SASL mapping...
>special ACL perhaps?
>
>I know it's possible because that works with OpenLDAP (or perhaps it's a bug :-)
>
>So, has anyone successfully bound with certificate authentication using the SASL
>EXTERNAL method without a corresponding LDAP entry?
>
>Thanks
>
>Yann
>
>Log ko without entry:
>
>[06/Feb/2006:22:13:02 +0000] conn=6 SSL 128-bit RC4; client CN=toto titi,OU=TEST,O=TEST; issuer O=TEST
>[06/Feb/2006:22:13:02 +0000] conn=6 SSL failed to map client certificate to LDAP DN (No such object)
>[06/Feb/2006:22:13:02 +0000] conn=6 op=0 BIND dn="cn=toto titi,OU=TEST,o=TEST" method=sasl version=3 mech=EXTERNAL
>[06/Feb/2006:22:13:02 +0000] conn=6 op=0 RESULT err=49 tag=97 nentries=0 etime=0
>
>
>Log ok with a corresponding entry:
>
>[06/Feb/2006:16:16:58 +0000] conn=108 SSL 128-bit RC4; client CN=toto titi,OU=TEST,O=TEST; issuer O=TEST
>[06/Feb/2006:16:16:58 +0000] conn=108 SSL client bound as cn=toto titi,ou=TEST,o=TEST
>[06/Feb/2006:16:16:58 +0000] conn=108 op=0 BIND dn="cn=toto titi,ou=TEST,o=TEST" method=sasl version=3 mech=EXTERNAL
>

From logastellus at yahoo.com Tue Feb 7 16:08:40 2006
From: logastellus at yahoo.com (Susan)
Date: Tue, 7 Feb 2006 08:08:40 -0800 (PST)
Subject: [Fedora-directory-users] autofs & FDS
In-Reply-To: <43E7B0F5.2040103@broadcom.com>
Message-ID: <20060207160840.57123.qmail@web52915.mail.yahoo.com>

--- George Holbert wrote:
> >
> > Uhm.. What's a gal to do then???
> AFAIK, there isn't yet a perfect answer, mostly because automount schema
> is not standard yet (though rfc2307bis is/was a proposed standard).
> [..]
> If you are supporting Solaris clients, you WILL need the 2307bis style
> automount schema, although Sun's version is NOT identical to the one at
> http://people.redhat.com/nalin/schema/autofs.schema.

Yeah, I will be supporting solaris 10 in the future. I got the following schema from HP's site:

http://docs.hp.com/en/J4269-90051/ch02s09.html

dn: cn=schema
objectClasses: ( 1.3.6.1.1.1.2.16 NAME 'automountMap' DESC 'Automount Map information' SUP top STRUCTURAL MUST automountMapName MAY description X-ORIGIN 'user defined' )
objectClasses: ( 1.3.6.1.1.1.2.17 NAME 'automount' DESC 'Automount information' SUP top STRUCTURAL MUST ( automountKey $ automountInformation ) MAY description X-ORIGIN 'user defined' )
attributeTypes: ( 1.3.6.1.1.1.1.31 NAME 'automountMapName' DESC 'automount Map Name' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'user defined' )
attributeTypes: ( 1.3.6.1.1.1.1.32 NAME 'automountKey' DESC 'Automount Key value' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'user defined' )
attributeTypes: ( 1.3.6.1.1.1.1.33 NAME 'automountInformation' DESC 'Automount information' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'user defined' )

Perhaps it can be added to the wiki? Seems like it's much easier to copy & paste that, rather than trying to rip out the schema from the idsconfig...

Thank you, George.
From clonay at free.fr Tue Feb 7 16:13:13 2006
From: clonay at free.fr (Yann)
Date: Tue, 07 Feb 2006 11:13:13 -0500
Subject: [Fedora-directory-users] Certificate authentication with SASL External
Message-ID: <1139328793.43e8c71968ec1@imp4-g19.free.fr>

Thanks Richard,

but this howto explains how to match the certificate DN to an LDAP entry... my problem is: I don't want to have a corresponding entry in the LDAP directory...

I want to be identified only by the DN in the certificate, and match some ACLs... that's all. No need to have an entry in the LDAP.

If it's possible in DS...

Yann

> Does this help - http://directory.fedora.redhat.com/wiki/Howto:CertMapping

From rcritten at redhat.com Tue Feb 7 16:49:17 2006
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 07 Feb 2006 11:49:17 -0500
Subject: [Fedora-directory-users] Certificate authentication with SASL External
In-Reply-To: <1139328793.43e8c71968ec1@imp4-g19.free.fr>
References: <1139328793.43e8c71968ec1@imp4-g19.free.fr>
Message-ID: <43E8CF8D.20000@redhat.com>

Yann wrote:
> Thanks Richard,
>
> but this howto explains how to match the certificate DN to an LDAP entry... my
> problem is: I don't want to have a corresponding entry in the LDAP directory...
>
> I want to be identified only by the DN in the certificate, and match some ACLs...
> that's all. No need to have an entry in the LDAP.
>
> If it's possible in DS...
>

So you want to bind to the directory server with a valid client certificate for a user that doesn't exist? For what purpose?

rob

From clonay at free.fr Tue Feb 7 18:27:55 2006
From: clonay at free.fr (Yann)
Date: Tue, 07 Feb 2006 13:27:55 -0500
Subject: [Fedora-directory-users] Re: Certificate authentication with SASL
Message-ID: <1139336875.43e8e6ab6a14b@imp4-g19.free.fr>

Yes Rob, exactly. Is it possible with DS?

Then the ACLs are in charge of giving the right access to the user....

Yann

>> Thanks Richard,
>>
>> but this howto explains how to match the certificate DN to an LDAP entry... my
>> problem is: I don't want to have a corresponding entry in the LDAP directory...
>>
>> I want to be identified only by the DN in the certificate, and match some ACLs...
>> that's all. No need to have an entry in the LDAP.
>>
>> If it's possible in DS...
>>
>
>So you want to bind to the directory server with a valid client
>certificate for a user that doesn't exist? For what purpose?
>
>rob

From prowley at redhat.com Tue Feb 7 18:33:59 2006
From: prowley at redhat.com (Pete Rowley)
Date: Tue, 07 Feb 2006 10:33:59 -0800
Subject: [Fedora-directory-users] autofs & FDS
In-Reply-To: <20060206195923.59819.qmail@web52911.mail.yahoo.com>
References: <20060206195923.59819.qmail@web52911.mail.yahoo.com>
Message-ID: <43E8E817.8070909@redhat.com>

Susan wrote:
> Got it. The problem is that the schema above is provided by what looks
> like a Redhat employee which lends some credence to it.
>
Yes. I have contacted the person who published that schema and it will be changed. However, due to the uncertainty surrounding RFC2307bis (some of its attribute OIDs are not actually assigned by the IANA yet) that schema will likely use Red Hat private OIDs until the situation becomes clearer.

--
Pete

From clonay at free.fr Tue Feb 7 18:30:44 2006
From: clonay at free.fr (Yann) Date: Tue, 07 Feb 2006 13:30:44 -0500 Subject: [Fedora-directory-users] Certificate authentication with SASL External Message-ID: <1139337044.43e8e75478298@imp4-g19.free.fr> Yes Bob, exactly. It's possible with DS ? Next, ACL are in charge of give good rights access to the user.... Yann >> Thanks Richard, >> >> but this howto explain how to to match DN certificate to LDAP entry... my >> problem is; i don't want to have a corresponding entry in LDAP directory... >> >> I want to be identify only by the DN in the certificate, and match some ACL.. >> that all. No need to have an entry in the LDAP. >> >> If it's possible in DS... >> > >So you want to bind to the directory server with a valid client >certificate for a user that doesn't exist? For what purpose? > >rob From hyc at symas.com Tue Feb 7 20:02:29 2006 From: hyc at symas.com (Howard Chu) Date: Tue, 07 Feb 2006 12:02:29 -0800 Subject: [Fedora-directory-users] Re:Certificate authentication with SASL External In-Reply-To: <20060207170006.78CA4732A0@hormel.redhat.com> References: <20060207170006.78CA4732A0@hormel.redhat.com> Message-ID: <43E8FCD5.2000505@symas.com> 
> From: Rob Crittenden
>
> Yann wrote:
>
>> I want to be identified only by the DN in the certificate, and match some ACLs..
>> that's all. No need to have an entry in LDAP.
>
> So you want to bind to the directory server with a valid client
> certificate for a user that doesn't exist? For what purpose?
>

There is no reason to assume any connection between SASL identities and LDAP directory entries. Moreover, in a true distributed directory system, there's no reason to assume that an entry for a valid user is present on every DSA in the system. Of course, the folks who developed LDAP didn't understand this essential bit of X.500, so it's no surprise that you're unfamiliar with distributed authentication.

Remember that authentication is not the same as authorization - having the valid certificate just proves who you are to the server; the server doesn't have to accord you any privileges/authorization just because of that.

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/

From ABliss at preferredcare.org Tue Feb 7 22:11:03 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Tue, 7 Feb 2006 17:11:03 -0500
Subject: [Fedora-directory-users] Account lockout counters not replicating; how to unlock users?
Message-ID:

Here's my setup: 2 directory servers, 1 supplier, 1 consumer. I'm not sure why, but for some reason I'm not seeing password retry counters being replicated from the consumer to the supplier; here is what I've seen (I have FDS set up to lock accounts after 5 bad password attempts, and to reset the failure count after 15 minutes):

- if a user types their password incorrectly on a server that binds first to a consumer, then their password retry count increments only on the consumer
- if a user successfully binds to the server, then their password retry count does get reset

This is a problem for a couple of reasons. If an account becomes locked out because of bad password attempts, I've tried deleting the passwordRetryCount and accountUnlockTime attributes (http://directory.fedora.redhat.com/wiki/Howto:PasswordReset) from the supplier, however for some reason this is not replicated to the consumer (is this an indication of a different problem?). This is a problem as I have some of my Linux servers look to the supplier first for authentication and then the consumer second, and vice versa for load balancing. According to the FDS documentation, account lockout counters may not work as expected in a multi-master environment (http://www.redhat.com/docs/manuals/dir-server/ag/7.1/password.html#1086446); this is one of the reasons that I opted for a single master environment; please advise and thanks. Given the issues that I'm having, what is the best way to unlock accounts that have been locked due to bad password attempts?

Aaron

www.preferredcare.org
"An Outstanding Member Experience," Preferred Care HMO Plans -- J. D. Power and Associates

Confidentiality Notice:
The information contained in this electronic message is intended for the exclusive use of the individual or entity named above and may contain privileged or confidential information. If the reader of this message is not the intended recipient or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that dissemination, distribution or copying of this information is prohibited. If you have received this communication in error, please notify the sender immediately by telephone and destroy the copies you received.

From robin-lists at robinbowes.com Tue Feb 7 21:40:40 2006
From: robin-lists at robinbowes.com (Robin Bowes)
Date: Tue, 07 Feb 2006 21:40:40 +0000
Subject: [Fedora-directory-users] Re: Building RPMS on 64 Bit
In-Reply-To: <43DFDA9A.8050701@redhat.com>
References: <1138743697.31425.8.camel@bje-fc4.overstock.com> <43DFDA9A.8050701@redhat.com>
Message-ID:

Richard Megginson said the following on 01/31/2006 09:46 PM:
> It doesn't yet work. We're working on it.

Do you have any idea of timescale by when this will work?

I ask because I want to roll out an LDAP solution to a client shortly and they're running FC4 on an x86_64 platform.

If it's not likely to be soon, will the 32-bit RPMS work on x86_64?

Thanks,

R.

From ABliss at preferredcare.org Tue Feb 7 22:58:56 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Tue, 7 Feb 2006 17:58:56 -0500
Subject: [Fedora-directory-users] Account lockout counters not replicating; how to unlock users?
Message-ID:

P.S. Normal replication is happening, as well as typical referrals from consumer to supplier (i.e. password changes). Any help with this will be much appreciated, as this is a rather huge problem right now. Thanks again.

Aaron

--
Fedora-directory-users mailing list
Fedora-directory-users at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users

From ulf.weltman at hp.com Tue Feb 7 23:18:54 2006
From: ulf.weltman at hp.com (Ulf Weltman)
Date: Tue, 07 Feb 2006 15:18:54 -0800
Subject: [Fedora-directory-users] Account lockout counters not replicating; how to unlock users?
In-Reply-To:
References:
Message-ID: <43E92ADE.9050104@hp.com>

Hello Aaron. Two separate things:

I may have misunderstood your configuration, but nothing is replicated from a consumer to a master unless the consumer is actually configured as a hub with an agreement back to the supplier. You can use passthrough authentication trickery to cause binds to be performed at the master if you don't want bi-directional replication.

Also, those three attributes (passwordRetryCount, retryCountResetTime, accountUnlockTime) are special and will not replicate in any case unless you set passwordIsGlobalPolicy to on in cn=config.

Ulf

Bliss, Aaron wrote:
>P.S. Normal replication is happening, as well as typical referrals from
>consumer to supplier (i.e. password changes). Any help with this will
>be much appreciated, as this is a rather huge problem right now. Thanks
>again.
>
>Aaron

From david_list at boreham.org Tue Feb 7 23:34:00 2006
From: david_list at boreham.org (David Boreham)
Date: Tue, 07 Feb 2006 16:34:00 -0700
Subject: [Fedora-directory-users] Re:Certificate authentication with SASL External
In-Reply-To: <43E8FCD5.2000505@symas.com>
References: <20060207170006.78CA4732A0@hormel.redhat.com> <43E8FCD5.2000505@symas.com>
Message-ID: <43E92E68.2040104@boreham.org>

> Remember that authentication is not the same as authorization - having
> the valid certificate just proves who you are to the server; the
> server doesn't have to accord you any privileges/authorization just
> because of that.

Correct, but the OP _wanted_ to make an authorization decision for this identity, not just perform authentication.

I think what he wants is to be able to use the subject DN in the client's cert directly as the bind identity for access control purposes. This isn't supported. Not because the original developers missed some grand X.500 vision, but because nobody needed to do that (and haven't for 10 years, until now...).

From ABliss at preferredcare.org Wed Feb 8 01:16:27 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Tue, 7 Feb 2006 20:16:27 -0500
Subject: [Fedora-directory-users] Account lockout counters not replicating; how to unlock users?
Message-ID:

Ulf, thanks for getting back to me; yep, I understand that the consumer can never replicate information to the supplier (I wasn't very clear before, sorry about that). I set passwordIsGlobalPolicy to on on both servers, and things are looking better: the passwordRetryCount, retryCountResetTime and accountUnlockTime attributes are now getting replicated properly from supplier to consumer, and deleting the passwordRetryCount and retryCountResetTime attributes from the supplier does unlock accounts. However I'm still having a bit of a problem; what I've seen is that if a user's account gets locked on the consumer because of bad password attempts, and that same user then attempts to log in to a server that is configured to first attempt to bind to the supplier server, the user is allowed to log in. What I see happening is that the passwordRetryCount, retryCountResetTime, accountUnlockTime attributes are set on the consumer properly, however these attributes are never set if the bad password attempts occur from a server that attempts to bind to the consumer first. Any ideas? Thanks again.

Aaron

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Ulf Weltman
Sent: Tuesday, February 07, 2006 6:19 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Account lockout counters not replicating;how to unlock users?

Also, those three attributes (passwordRetryCount, retryCountResetTime, accountUnlockTime) are special and will not replicate in any case unless you set passwordIsGlobalPolicy to on in cn=config.

Ulf

From rmeggins at redhat.com Wed Feb 8 01:27:02 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 07 Feb 2006 18:27:02 -0700
Subject: [Fedora-directory-users] Account lockout counters not replicating; how to unlock users?
In-Reply-To:
References:
Message-ID: <43E948E6.4060902@redhat.com>

Bliss, Aaron wrote:
>Ulf, thanks for getting back to me; yep, I understand that the consumer
>can never replicate information to the supplier (I wasn't very clear
>before, sorry about that). I set passwordIsGlobalPolicy to on on
>both servers, and things are looking better: the passwordRetryCount,
>retryCountResetTime and accountUnlockTime attributes are now getting
>replicated properly from supplier to consumer, and deleting the
>passwordRetryCount and retryCountResetTime attributes from the supplier
>does unlock accounts. However I'm still having a bit of a problem; what
>I've seen is that if a user's account gets locked on the consumer because
>of bad password attempts, and that same user then attempts to log in to a
>server that is configured to first attempt to bind to the supplier
>server, the user is allowed to log in. What I see happening is that the
>passwordRetryCount, retryCountResetTime, accountUnlockTime attributes
>are set on the consumer properly, however these attributes are never set
>if the bad password attempts occur from a server that attempts to bind
>to the consumer first. Any ideas? Thanks again.
>

Yes, this is a limitation of password policy. What you really want is for the consumer to pass the BIND request back to a master and have all of the password policy attributes computed on the master to be replicated to all other servers. Ulf, were you ever able to get Chain On Update to work in this configuration? http://directory.fedora.redhat.com/wiki/Howto:ChainOnUpdate

>Aaron

From rmeggins at redhat.com Wed Feb 8 01:30:16 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 07 Feb 2006 18:30:16 -0700
Subject: [Fedora-directory-users] Re: Building RPMS on 64 Bit
In-Reply-To:
References: <1138743697.31425.8.camel@bje-fc4.overstock.com> <43DFDA9A.8050701@redhat.com>
Message-ID: <43E949A8.6040509@redhat.com>

Robin Bowes wrote:
>Richard Megginson said the following on 01/31/2006 09:46 PM:
>>It doesn't yet work. We're working on it.
>
>Do you have any idea of timescale by when this will work?

Not sure. Pretty soon.

>I ask because I want to roll out an LDAP solution to a client shortly
>and they're running FC4 on an x86_64 platform.
>
>If it's not likely to be soon, will the 32-bit RPMS work on x86_64?

Yes, the 32 bit RPMs should work on a 64 bit system.

>Thanks,
>
>R.

From hyc at symas.com Wed Feb 8 02:16:19 2006
From: hyc at symas.com (Howard Chu)
Date: Tue, 07 Feb 2006 18:16:19 -0800
Subject: [Fedora-directory-users] Re:Certificate authentication with SASL External
In-Reply-To: <20060208012808.EC8F772F62@hormel.redhat.com>
References: <20060208012808.EC8F772F62@hormel.redhat.com>
Message-ID: <43E95473.2050006@symas.com>
> From: David Boreham
>
>> Remember that authentication is not the same as authorization - having
>> the valid certificate just proves who you are to the server; the
>> server doesn't have to accord you any privileges/authorization just
>> because of that.
>
> Correct, but the OP _wanted_ to make an authorization decision for this
> identity, not just perform authentication.

Yes, I'm sure eventually the OP would want to make an authorization decision, but their complaint showed that they weren't even able to get past authentication. The fact that FDS doesn't support distributed authentication makes the authorization question a bit moot.

> I think what he wants is to be able to use the subject DN in the
> client's cert directly as the bind identity for access control purposes.
> This isn't supported.
> Not because the original developers missed some grand X.500 vision, but
> because nobody needed to do that (and haven't for 10 years, until now...).

Personal experience tells me that many people have needed distributed authentication in the past 10 years, and it's been used extensively in OpenLDAP for the past 6 or so. The folks who designed LDAP plainly didn't consider it, just as they didn't consider the majority of the implications of true distributed operation.

--
  -- Howard Chu

From rmeggins at redhat.com Wed Feb 8 03:04:13 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 07 Feb 2006 20:04:13 -0700
Subject: [Fedora-directory-users] Re:Certificate authentication with SASL External
In-Reply-To: <43E95473.2050006@symas.com>
References: <20060208012808.EC8F772F62@hormel.redhat.com> <43E95473.2050006@symas.com>
Message-ID: <43E95FAD.5010407@redhat.com>

Howard Chu wrote:
> Yes, I'm sure eventually the OP would want to make an authorization
> decision, but their complaint showed that they weren't even able to
> get past authentication. The fact that FDS doesn't support distributed
> authentication makes the authorization question a bit moot.

FDS does support certain types of distributed authentication - Kerberos (via GSSAPI) and pass through authentication. You can also pass authentication through to PAM.

> Personal experience tells me that many people have needed distributed
> authentication in the past 10 years, and it's been used extensively in
> OpenLDAP for the past 6 or so. The folks who designed LDAP plainly
> didn't consider it, just as they didn't consider the majority of the
> implications of true distributed operation.
>

Ok. So, how exactly does OpenLDAP support this? saslauthd?

From ulf.weltman at hp.com Wed Feb 8 03:06:44 2006
From: ulf.weltman at hp.com (Ulf Weltman)
Date: Tue, 07 Feb 2006 19:06:44 -0800
Subject: [Fedora-directory-users] Account lockout counters not replicating; how to unlock users?
In-Reply-To: <43E948E6.4060902@redhat.com>
References: <43E948E6.4060902@redhat.com>
Message-ID: <43E96044.8020206@hp.com>

Richard Megginson wrote:
> Bliss, Aaron wrote:
>
>> Ulf, Thanks for getting back to me; yep, I understand that the consumer can never replicate information to the supplier (I wasn't very clear before, sorry about that); I set the passwordIsGlobalPolicy to on on both servers, and things are looking better; the passwordRetryCount, retryCountResetTime, accountUnlockTime attributes are now getting replicated properly from supplier to consumer, and deleting passwordRetryCount, retryCountResetTime attributes from the supplier does unlock accounts, however I'm still having a bit of a problem; what I've seen is that if a user's account gets locked on the consumer because of bad password attempts, if that same user then attempts to login to a server that is configured to first attempt to bind to the supplier server, the user is allowed to login; What I see happening is that the passwordRetryCount, retryCountResetTime, accountUnlockTime attributes are set on the consumer properly, however these attributes are never set if the bad password attempts occur from a server that attempts to bind to the consumer first. Any ideas? Thanks again.
>
> Yes, this is a limitation of password policy. What you really want is for the consumer to pass the BIND request back to a master and have all of the password policy attributes computed on the master to be replicated to all other servers. Ulf, were you ever able to get Chain On Update to work in this configuration?
> http://directory.fedora.redhat.com/wiki/Howto:ChainOnUpdate

I think using the passthrough plugin to pass the bind back to a central point was the only solution I came up with, but it needs a patch; it doesn't like getting controls back (Bugzilla #176302).

For ChainOnUpdate I didn't see a way to get it to work for this case. The internal update that adds the PWP state didn't seem to get chained, only updates coming from external clients.

>> Aaron
>>
>> -----Original Message-----
>> From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Ulf Weltman
>> Sent: Tuesday, February 07, 2006 6:19 PM
>> To: General discussion list for the Fedora Directory server project.
>> Subject: Re: [Fedora-directory-users] Account lockout counters not replicating; how to unlock users?
>>
>> Hello Aaron. Two separate things:
>> I may have misunderstood your configuration, but nothing is replicated from a consumer to a master unless the consumer is actually configured as a hub with an agreement back to the supplier. You can use passthrough authentication trickery to cause binds to be performed at the master if you don't want bi-directional replication.
>>
>> Also, those three attributes (passwordRetryCount, retryCountResetTime, accountUnlockTime) are special and will not replicate in any case unless you set passwordIsGlobalPolicy to on in cn=config.
>>
>> Ulf
>>
>> Bliss, Aaron wrote:
>>
>>> P.S. Normal replication is happening, as well as typical referrals from consumer to supplier (i.e. password changes). Any help with this will be much appreciated, as this is a rather huge problem right now. Thanks again.
>>>
>>> Aaron
>>>
>>> -----Original Message-----
>>> From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Bliss, Aaron
>>> Sent: Tuesday, February 07, 2006 5:11 PM
>>> To: General discussion list for the Fedora Directory server project.
>>> Subject: [Fedora-directory-users] Account lockout counters not replicating; how to unlock users?
>>>
>>> Here's my setup; 2 directory servers, 1 supplier, 1 consumer; I'm not sure why, but for some reason I'm not seeing password retry counters being replicated from the consumer to the supplier; here is what I've seen (I have fds setup to lock accounts after 5 bad password attempts, reset failure count after 15 minutes):
>>> - if a user types their password incorrectly on a server that binds first to a consumer, then their password retry count increments only on the consumer
>>> - if a user successfully binds to the server, then their password retry count does get reset
>>> This is a problem for a couple of reasons. If an account becomes locked out because of bad password attempts, I've tried deleting the attributes of passwordRetryCount and accountUnlockTime (http://directory.fedora.redhat.com/wiki/Howto:PasswordReset) from the supplier, however for some reason this is not replicated to the consumer (is this an indication of a different problem?) this is a problem as I have some of my linux servers to look to the supplier first for authentication, and then the consumer second, and vice versa for load balancing. According to fds documentation, account lockout counters may not work as expected in a multi master environment http://www.redhat.com/docs/manuals/dir-server/ag/7.1/password.html#1086446 ; this is one of the reasons that I opted for a single master environment; please advise and thanks.
>>> Given the issues that I'm having, what is the best way to unlock accounts that have been locked due to bad password attempts?
>>>
>>> Aaron
>>>
>>> www.preferredcare.org
>>> "An Outstanding Member Experience," Preferred Care HMO Plans -- J. D. Power and Associates
>>>
>>> Confidentiality Notice:
>>> The information contained in this electronic message is intended for the exclusive use of the individual or entity named above and may contain privileged or confidential information. If the reader of this message is not the intended recipient or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that dissemination, distribution or copying of this information is prohibited. If you have received this communication in error, please notify the sender immediately by telephone and destroy the copies you received.
>>>
>>> --
>>> Fedora-directory-users mailing list
>>> Fedora-directory-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From rmeggins at redhat.com Wed Feb 8 03:09:57 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 07 Feb 2006 20:09:57 -0700
Subject: [Fedora-directory-users] Account lockout counters not replicating; how to unlock users?
In-Reply-To: <43E96044.8020206@hp.com>
References: <43E948E6.4060902@redhat.com> <43E96044.8020206@hp.com>
Message-ID: <43E96105.3000805@redhat.com>

Ulf Weltman wrote:
> Richard Megginson wrote:
>
>> Bliss, Aaron wrote:
>>
>>> Ulf, Thanks for getting back to me; yep, I understand that the consumer can never replicate information to the supplier (I wasn't very clear before, sorry about that); I set the passwordIsGlobalPolicy to on on both servers, and things are looking better; the passwordRetryCount, retryCountResetTime, accountUnlockTime attributes are now getting replicated properly from supplier to consumer, and deleting passwordRetryCount, retryCountResetTime attributes from the supplier does unlock accounts, however I'm still having a bit of a problem; what I've seen is that if a user's account gets locked on the consumer because of bad password attempts, if that same user then attempts to login to a server that is configured to first attempt to bind to the supplier server, the user is allowed to login; What I see happening is that the passwordRetryCount, retryCountResetTime, accountUnlockTime attributes are set on the consumer properly, however these attributes are never set if the bad password attempts occur from a server that attempts to bind to the consumer first. Any ideas? Thanks again.
>>
>> Yes, this is a limitation of password policy. What you really want is for the consumer to pass the BIND request back to a master and have all of the password policy attributes computed on the master to be replicated to all other servers. Ulf, were you ever able to get Chain On Update to work in this configuration?
>> http://directory.fedora.redhat.com/wiki/Howto:ChainOnUpdate
>
> I think using the passthrough plugin to pass the bind back to a central point was the only solution I came up with but it needs a patch, it doesn't like getting controls back (Bugzilla #176302).
>
> For ChainOnUpdate I didn't see a way to get it to work for this case. The internal update that adds the PWP state didn't seem to get chained, only updates coming from external clients.

Oh, that's right. We need to chain the bind requests.

So the answer to the original question is - no - you cannot have global password policy yet.

>>> Aaron
From ABliss at preferredcare.org Wed Feb 8 04:18:26 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Tue, 7 Feb 2006 23:18:26 -0500
Subject: [Fedora-directory-users] Account lockout counters not replicating; how to unlock users?
Message-ID:

Hmm; thanks very much for your help; so what are my options? Changing from supplier/consumer to multi-master? Does the global password issue still exist in a multi-master environment? Are there any concerns with this? Or is the global password issue with supplier/consumer replication something that is or can be addressed? Thanks.

Aaron
From rajkumars at asianetindia.com Wed Feb 8 09:21:32 2006
From: rajkumars at asianetindia.com (Rajkumar S)
Date: Wed, 08 Feb 2006 14:51:32 +0530
Subject: [Fedora-directory-users] DS Console from a remote machine?
Message-ID: <43E9B81C.1050502@asianetindia.com>

Hi,

I have installed fedora-ds on a remote machine in a datacenter. The server does not have X installed, nor is it possible to access it from my place. So is it possible to get the Console running from my desktop (Debian Linux) PC? What steps are needed to get that working?

raj

From d.bay at cablesurf.de Wed Feb 8 13:58:34 2006
From: d.bay at cablesurf.de (Dominik Bay)
Date: Wed, 8 Feb 2006 14:58:34 +0100
Subject: [Fedora-directory-users] DS Console from a remote machine?
In-Reply-To: <43E9B81C.1050502@asianetindia.com>
References: <43E9B81C.1050502@asianetindia.com>
Message-ID: <9CAE6091-2D78-460A-BC57-27F5044C156F@cablesurf.de>

Hi Raj!

On 08.02.2006 at 10:21, Rajkumar S wrote:
> Hi,
>
> I have installed fedora-ds on a remote machine in a datacenter. The server does not have X installed, nor is it possible to access it from my place. So is it possible to get the Console running from my desktop (Debian Linux) PC? What steps are needed to get that working?

Copy startconsole and java into one directory on your Workstation, set JAVA_HOME properly to the directory where the java binary and the libs are located. Then simply do a ./startconsole -a http....

HTH

--
Kind regards

Dominik Bay
Cablesurf Technik

From rmeggins at redhat.com Wed Feb 8 14:26:35 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 08 Feb 2006 07:26:35 -0700
Subject: [Fedora-directory-users] Account lockout counters not replicating; how to unlock users?
In-Reply-To:
References:
Message-ID: <43E9FF9B.7090302@redhat.com>

Bliss, Aaron wrote:
> Hmm; thanks very much for your help; so what are my options? Changing from supplier/consumer to multi-master?

That would certainly solve the problem.

> Does the global password issue still exist in a multi-master environment?

No.

> Are there any concerns with this? Or is the global password issue with supplier/consumer replication something that is or can be addressed?

AFAIK there is no other way to do it. We've got a couple of ways to do it that we're working on.

> Thanks.
>
> Aaron
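The supplier/consumer lockout gap this thread turns on, as an added simulation that is not part of the list archive or of Fedora Directory Server itself: two toy servers keep the three state attributes named above (passwordRetryCount, retryCountResetTime, accountUnlockTime), the consumer never pushes anything back to the supplier, and binds evaluated on the consumer lock the account only there, so the supplier still accepts the right password. Flipping `chain_binds` (an assumed switch standing in for the passthrough-plugin approach Ulf describes) forwards the bind to the supplier, which computes and replicates the state, and the lock becomes global. Only the 5-attempt limit and the 15-minute reset come from the thread; the lock duration, the clock values and the sample user are constructed here. `unlock_ldif` writes the delete-the-attributes modify that the Howto:PasswordReset link describes.

```python
"""Toy model of lockout-counter replication between a supplier and a consumer.

Added example, not Fedora Directory Server code.  The 5-attempt limit and the
15-minute reset window are the figures from the thread; everything else
(lock duration, clock values, the chain_binds switch, the sample user) is assumed.
"""
import hashlib
import os

MAX_FAILURES = 5            # thread: lock after 5 bad password attempts
RESET_AFTER = 15 * 60       # thread: reset the failure count after 15 minutes
LOCKOUT_DURATION = 30 * 60  # assumption: the thread gives no lock duration
POLICY_ATTRS = ("passwordRetryCount", "retryCountResetTime", "accountUnlockTime")


class Server:
    """A directory server; a consumer never pushes state back to its supplier."""

    def __init__(self, name, supplier=None):
        self.name = name
        self.supplier = supplier
        self.consumers = []
        self.entries = {}                   # uid -> attribute dict
        self.passwordIsGlobalPolicy = True  # thread: needed for the three attrs to replicate
        self.chain_binds = False            # assumed: consumer forwards BINDs to the supplier
        if supplier is not None:
            supplier.consumers.append(self)

    @staticmethod
    def _hash(password, salt):
        return hashlib.sha256(salt + password.encode()).hexdigest()

    def provision(self, uid, password):
        """Create a user on the supplier and replicate the new entry to consumers."""
        salt = os.urandom(8)
        self.entries[uid] = {"salt": salt, "pwhash": self._hash(password, salt)}
        for c in self.consumers:
            c.entries[uid] = dict(self.entries[uid])

    def _replicate_policy(self, uid):
        """Push the policy attributes supplier -> consumer, one direction only."""
        if not self.passwordIsGlobalPolicy:
            return
        for c in self.consumers:
            for a in POLICY_ATTRS:
                c.entries[uid].pop(a, None)
                if a in self.entries[uid]:
                    c.entries[uid][a] = self.entries[uid][a]

    def is_locked(self, uid, now):
        return self.entries[uid].get("accountUnlockTime", 0) > now

    def bind(self, uid, password, now):
        """Evaluate a simple BIND, update the policy state, return True on success."""
        if self.chain_binds and self.supplier is not None:
            return self.supplier.bind(uid, password, now)  # decided at the master
        e = self.entries[uid]
        if self.is_locked(uid, now):
            return False
        if e.get("retryCountResetTime", 0) <= now:        # failure window expired
            e.pop("passwordRetryCount", None)
            e.pop("retryCountResetTime", None)
        if self._hash(password, e["salt"]) == e["pwhash"]:
            for a in POLICY_ATTRS:                         # success clears the state
                e.pop(a, None)
            ok = True
        else:
            e["passwordRetryCount"] = e.get("passwordRetryCount", 0) + 1
            e["retryCountResetTime"] = now + RESET_AFTER
            if e["passwordRetryCount"] >= MAX_FAILURES:
                e["accountUnlockTime"] = now + LOCKOUT_DURATION
            ok = False
        self._replicate_policy(uid)  # no-op on a consumer: it has no consumers of its own
        return ok

    def unlock(self, uid):
        """Admin unlock: delete the state attributes, as the Howto:PasswordReset link suggests."""
        for a in POLICY_ATTRS:
            self.entries[uid].pop(a, None)
        self._replicate_policy(uid)


def unlock_ldif(dn, entry):
    """LDIF modify deleting only the state attributes actually present on the entry."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for a in POLICY_ATTRS:
        if a in entry:
            lines += [f"delete: {a}", "-"]
    return "\n".join(lines) + "\n"


def scenario(chain_binds):
    """Five bad passwords reach the consumer, then the right one reaches the supplier."""
    supplier = Server("supplier")
    consumer = Server("consumer", supplier=supplier)
    consumer.chain_binds = chain_binds
    supplier.provision("aaron", "correct horse")  # constructed sample user
    now = 1_000_000
    for i in range(MAX_FAILURES):
        consumer.bind("aaron", "wrong password", now + i)
    return {
        "locked_on_consumer": consumer.is_locked("aaron", now + 10),
        "locked_on_supplier": supplier.is_locked("aaron", now + 10),
        "supplier_accepts_good_password": supplier.bind("aaron", "correct horse", now + 10),
    }


if __name__ == "__main__":
    print("binds evaluated on the consumer:", scenario(False))  # lock invisible upstream
    print("binds chained to the supplier:", scenario(True))     # lock is global
```

With `chain_binds` off the result reproduces Aaron's report: the consumer locks the account, the supplier knows nothing about it and accepts the correct password. With it on, every failure is counted once at the supplier and replicated down, which is the behaviour Richard says multi-master (or chaining the bind) gives you.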
Power and Associates >>>> >>>>Confidentiality Notice: >>>>The information contained in this electronic message is intended for >>>> >>>> > > > >>>>the exclusive use of the individual or entity named above and may >>>>contain privileged or confidential information. If the reader of >>>>this message is not the intended recipient or the employee or agent >>>>responsible to deliver it to the intended recipient, you are hereby >>>>notified that dissemination, distribution or copying of this >>>>information is prohibited. If you have received this communication >>>>in error, please notify the sender immediately by telephone and >>>>destroy the copies you received. >>>> >>>> >>>>-- >>>>Fedora-directory-users mailing list >>>>Fedora-directory-users at redhat.com >>>>https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>> >>>> >>>> >>>> >> >> > > >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From d.bay at cablesurf.de Wed Feb 8 18:08:33 2006 
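The thread above describes two facts worth operationalising: with passwordIsGlobalPolicy off, each replica keeps its own passwordRetryCount/accountUnlockTime, so the same account can be locked on the consumer and open on the supplier (and a brute-force attempt gets a fresh failure budget on every replica it can reach); and an account is unlocked by removing those two attributes, as the referenced Howto:PasswordReset page does. The following is an added example, not code from the list, from Aaron or Ulf, or from Fedora DS. It assumes only what the thread states, plus that accountUnlockTime holds a UTC GeneralizedTime at which the lock expires; the entry values and DNs are constructed placeholders.

```python
"""Lockout-counter helpers for the passwordIsGlobalPolicy situation above.

Added example; not from the list or from Fedora DS. Assumes:
  - passwordRetryCount / accountUnlockTime are per-replica unless
    passwordIsGlobalPolicy is 'on' in cn=config (as Ulf states),
  - an account is unlocked by deleting both attributes (Howto:PasswordReset),
  - accountUnlockTime is a UTC GeneralizedTime such as 20060210173000Z.
Entry dicts below are constructed samples (attribute -> list of values).
"""
from datetime import datetime, timezone


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime in the 'YYYYMMDDHHMMSSZ' (UTC) form."""
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError("unsupported GeneralizedTime: %r" % value)
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def is_locked(entry, now, max_failures):
    """Decide whether ONE replica currently considers this entry locked.

    Locked means the retry counter reached the policy limit and the recorded
    unlock time (if any) is still in the future. A missing counter is 'not
    locked', which is exactly what a replica that never saw the failures says.
    """
    retries = int(entry.get("passwordRetryCount", ["0"])[0])
    if retries < max_failures:
        return False
    unlock = entry.get("accountUnlockTime")
    if not unlock:
        return True  # limit reached and no expiry recorded
    return parse_generalized_time(unlock[0]) > now


def lock_state_per_replica(replica_entries, now, max_failures):
    """Map replica name -> locked?, so the divergence Aaron saw is visible.

    With a global policy the answer is the same everywhere; without it each
    replica answers from its own counters."""
    return {name: is_locked(e, now, max_failures)
            for name, e in replica_entries.items()}


def unlock_ldif(dn):
    """LDIF modify that clears the counters on the replica it is applied to.

    Without passwordIsGlobalPolicy the deletion is not replicated, so apply
    it to every replica that holds a counter for the user."""
    return ("dn: %s\n"
            "changetype: modify\n"
            "delete: passwordRetryCount\n"
            "-\n"
            "delete: accountUnlockTime\n"
            "-\n" % dn)


def global_policy_ldif(enabled=True):
    """LDIF modify that switches passwordIsGlobalPolicy in cn=config."""
    return ("dn: cn=config\n"
            "changetype: modify\n"
            "replace: passwordIsGlobalPolicy\n"
            "passwordIsGlobalPolicy: %s\n" % ("on" if enabled else "off"))


# Constructed sample: the same user as read from a supplier and a consumer
# after five failed binds were made against the consumer only.
SAMPLE_REPLICAS = {
    "supplier": {"uid": ["jdoe"]},
    "consumer": {
        "uid": ["jdoe"],
        "passwordRetryCount": ["5"],
        "accountUnlockTime": ["20060210173000Z"],
    },
}

if __name__ == "__main__":
    now = parse_generalized_time("20060210170000Z")
    print(lock_state_per_replica(SAMPLE_REPLICAS, now, max_failures=5))
    print(unlock_ldif("uid=jdoe,ou=people,dc=example,dc=com"))
    print(global_policy_ldif())
```

Two practical notes: an LDAP delete of an attribute the entry does not carry fails with noSuchAttribute (err=16), so read the entry on each replica before feeding the unlock LDIF to ldapmodify; and is_locked only reflects the counters on the replica the entry was read from, which is the whole point of checking every replica while the policy is not global.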
From: d.bay at cablesurf.de (Dominik Bay)
Date: Wed, 8 Feb 2006 19:08:33 +0100
Subject: [Fedora-directory-users] DS Console from a remote machine?
In-Reply-To: <43EA2CB0.6050900@asianetindia.com>
References: <43E9B81C.1050502@asianetindia.com> <9CAE6091-2D78-460A-BC57-27F5044C156F@cablesurf.de> <43EA2CB0.6050900@asianetindia.com>
Message-ID: <0B3F3767-DEC3-41D2-A614-0BCDAD91A287@cablesurf.de>

Sorry raj for mailing this directly to you

On 08.02.2006 at 18:38, Rajkumar S wrote:
> Dominik Bay wrote:
>> Copy startconsole and java into one directory on your Workstation, set JAVA_HOME properly to the directory where the java binary and the libs are located. Then simply do a ./startconsole -a http....
>
> Thanks for the tip Dominik. It worked!

Nice to hear :-)

And for all the Mac OSX Users here:

export JAVA_HOME=/System/Library/Frameworks/JavaVM.framework/Versions/1.5.0/
cd ~/fedora-ds
./startconsole -u admin -a http://127.0.0.1:2341/

do the job :-)

Just fyi. JAVA_HOME=/usr/bin doesn't work, /usr/bin/java is a script.

And here is a diff for the startconsole script:

liliana:~/fedora-ds eimann$ diff -u startconsole.orig startconsole.new --- startconsole.orig 2006-02-08 18:50:54.000000000 +0100 +++ startconsole.new 2006-02-08 18:51:44.000000000 +0100 @@ -31,7 +31,7 @@ # # Make sure java exists and is executable # -if [ ! -f $JAVA_HOME/bin/java -a ! -x $JAVA_HOME/bin/java ] +if [ ! -f $JAVA_HOME/Home/bin/java -a ! -x $JAVA_HOME/Home/bin/java ] then echo "$0: The java program is not in your path, or is not executable." exit 1 @@ -40,8 +40,8 @@ # # See if libjava and libjvm exist, and set the lib path. These are linked to by JSS. # -LIBJAVA_DIR=`find $JAVA_HOME -name libjava\.s[ol] | sed 's/\/libjava \.s.$//'` -LIBJVM_DIR=`find $JAVA_HOME -name libjvm\.s[ol] | sed 's/\/libjvm\.s. $//'` +LIBJAVA_DIR=`find $JAVA_HOME -name libjava.jnilib` +LIBJVM_DIR=`find $JAVA_HOME -name libjvm.dylib` if [ -z "$LIBJAVA_DIR" -a -z "$LIBJVM_DIR" ] then
@@ -69,4 +69,4 @@ # # Launch the Console # -cd java; $JAVA_HOME/bin/java -ms8m -mx64m -cp .:./base.jar:./ mcc10_en.jar:./jss3.jar:./ldapjdk.jar:./mcc10.jar:./nmclf10_en.jar:./ nmclf10.jar -Djava.library.path=../lib -Djava.util.prefs.systemRoot=. -Djava.util.prefs.userRoot=. com.netscape.management.client.console.Console $* +cd java; $JAVA_HOME/Home/bin/java -ms8m -mx64m -cp .:./base.jar:./ mcc10_en.jar:./jss3.jar:./ldapjdk.jar:./mcc10.jar:./nmclf10_en.jar:./ nmclf10.jar -Djava.library.path=../lib -Djava.util.prefs.systemRoot=. -Djava.util.prefs.userRoot=. com.netscape.management.client.console.Console $*

It's just quick and dirty, so please don't blame me ;-)

--
Mit freundlichen Grüßen / Kind regards
Dominik Bay
Cablesurf Technik

-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 186 bytes
Desc: Signierter Teil der Nachricht
URL:

From basile.mathieu at siris.sorbonne.fr Thu Feb 9 12:00:31 2006
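Review bot: in the first hunk (`@@ -31,7 +31,7 @@`) the rewritten test `if [ ! -f $JAVA_HOME/Home/bin/java -a ! -x $JAVA_HOME/Home/bin/java ]` keeps the original's inverted logic: joined with `-a`, the branch only fires when the file is both missing and not executable, so a present but non-executable java passes the check and the script fails later at the launch line. `[ ! -x "$JAVA_HOME/Home/bin/java" ]` is enough on its own (`-x` is already false for a missing file), and quoting `$JAVA_HOME` keeps the test from breaking when the path contains spaces. Hard-coding `/Home/` also ties the script to the OS X framework layout, so the `JAVA_HOME` a reader must export no longer matches the one the script's own comment and error message describe.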
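Review bot: in the second hunk (`@@ -40,8 +40,8 @@`) the lines `+LIBJAVA_DIR=`find $JAVA_HOME -name libjava.jnilib`` and `+LIBJVM_DIR=`find $JAVA_HOME -name libjvm.dylib`` drop the trailing `sed` that stripped the file name in the `-` lines, so both variables now hold full file paths rather than the directories their names and the unchanged `-z "$LIBJAVA_DIR"` check below assume, and whatever is later built into the library path gets a file where a directory is expected. Keep the stripping step (`| sed 's/\/libjava\.jnilib$//'`, or pipe through `xargs dirname`) and take only the first match, since `find` can return several.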
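Review bot: in the third hunk (`@@ -69,4 +69,4 @@`) `$JAVA_HOME/Home/bin/java` is now spelled out both here and in the existence check of the first hunk; assigning it once to a variable near the top and using that in both places keeps the two from drifting apart when the path changes again. The launch line also ends in an unquoted `$*`, which splits console arguments on whitespace; `"$@"` passes them through intact.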
From: basile.mathieu at siris.sorbonne.fr (basile au siris)
Date: Thu, 09 Feb 2006 13:00:31 +0100
Subject: [Fedora-directory-users] problem with solaris 9 install
Message-ID: <43EB2EDF.7020603@siris.sorbonne.fr>

hi

i have fds installed on a sunfire v440 with solaris9. fds works fine, but when i want to use fds as users database i have a problem:
i use pam.conf, nsswitch.conf, ldap_client_file(cred) of another solaris9 install which works fine. when i use this fds as users database for my other solaris 9 (the one where all works) all works fine.
it seems not to use the ldap_client_cred to bind to the directory (all patches are present, schema are the same on the two installations, i have the same data in the directory, ldaplist works).
i have no idea (i think pam doesn't use ldapclient well).
here are the logs when i try "id user":

[09/Feb/2006:12:40:14 +0100] conn=107 fd=68 slot=68 connection from xxx.xxx.xxx.xxx to xxx.xxx.xxx.xxx
[09/Feb/2006:12:40:14 +0100] conn=107 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedSASLMechanisms"
[09/Feb/2006:12:40:14 +0100] conn=107 op=0 RESULT err=0 tag=101 nentries=1 etime=0
[09/Feb/2006:12:40:14 +0100] conn=107 op=1 UNBIND
[09/Feb/2006:12:40:14 +0100] conn=107 op=1 fd=68 closed - U1

thanks
basile

From olivier at pref.nl Thu Feb 9 12:40:44 2006
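The access-log excerpt above already contains the diagnosis: the client opened a connection, read the root DSE (base "", scope 0, asking for supportedControl and supportedSASLMechanisms), then unbound without ever issuing a BIND, so the proxy credentials were never used. The following is an added example, not code from the poster or from Fedora DS, that groups access-log lines per connection and classifies each one so that this pattern stands out among normal bound sessions and failed binds. It assumes only the log layout visible in the thread ("[timestamp] conn=N op=M SRCH|BIND|RESULT ..."); the sample lines are constructed, with placeholder addresses and DNs.

```python
"""Classify Fedora DS access-log connections: bound, bind-failed, anonymous,
or root-DSE-probe-only (the symptom in the thread above).

Added example; not from the list or from Fedora DS. Assumes the access-log
layout shown in the thread. SAMPLE_LOG is constructed (placeholder IPs/DNs).
"""
import re
from collections import OrderedDict

SAMPLE_LOG = """\
[09/Feb/2006:12:40:14 +0100] conn=107 fd=68 slot=68 connection from 10.0.0.5 to 10.0.0.1
[09/Feb/2006:12:40:14 +0100] conn=107 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedSASLMechanisms"
[09/Feb/2006:12:40:14 +0100] conn=107 op=0 RESULT err=0 tag=101 nentries=1 etime=0
[09/Feb/2006:12:40:14 +0100] conn=107 op=1 UNBIND
[09/Feb/2006:12:40:14 +0100] conn=107 op=1 fd=68 closed - U1
[09/Feb/2006:12:41:02 +0100] conn=108 fd=69 slot=69 connection from 10.0.0.6 to 10.0.0.1
[09/Feb/2006:12:41:02 +0100] conn=108 op=0 BIND dn="cn=proxyagent,ou=profile,dc=example,dc=com" method=128 version=3
[09/Feb/2006:12:41:02 +0100] conn=108 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=proxyagent,ou=profile,dc=example,dc=com"
[09/Feb/2006:12:41:02 +0100] conn=108 op=1 SRCH base="ou=people,dc=example,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uid=basile))" attrs="uid uidNumber gidNumber"
[09/Feb/2006:12:41:02 +0100] conn=108 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[09/Feb/2006:12:41:02 +0100] conn=108 op=2 UNBIND
[09/Feb/2006:12:41:02 +0100] conn=108 op=2 fd=69 closed - U1
[09/Feb/2006:12:42:30 +0100] conn=109 fd=70 slot=70 connection from 10.0.0.6 to 10.0.0.1
[09/Feb/2006:12:42:30 +0100] conn=109 op=0 BIND dn="cn=proxyagent,ou=profile,dc=example,dc=com" method=128 version=3
[09/Feb/2006:12:42:30 +0100] conn=109 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[09/Feb/2006:12:42:30 +0100] conn=109 op=1 UNBIND
[09/Feb/2006:12:42:30 +0100] conn=109 op=1 fd=70 closed - U1
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$')
# key=value tokens; a quoted value may contain spaces, '=' and parentheses
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def _kv(rest):
    """Turn 'op=0 RESULT err=0 tag=97 dn="..."' into a dict, unquoting values."""
    out = {}
    for key, val in KV_RE.findall(rest):
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        out[key] = val
    return out


def parse_access_log(text):
    """Return OrderedDict conn-id -> {client, binds, searches, closed}."""
    conns = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn = conns.setdefault(m.group('conn'), {
            'client': None, 'binds': [], 'searches': [], 'closed': False})
        rest = m.group('rest')
        kv = _kv(rest)
        if 'connection from' in rest:
            conn['client'] = rest.split('connection from ', 1)[1].split()[0]
        elif ' BIND ' in rest:
            conn['binds'].append({'op': kv['op'], 'dn': kv.get('dn', ''), 'err': None})
        elif ' SRCH ' in rest:
            conn['searches'].append({'op': kv['op'], 'base': kv.get('base', ''),
                                     'scope': int(kv.get('scope', '0')),
                                     'filter': kv.get('filter', ''), 'err': None})
        elif ' RESULT ' in rest:
            # LDAP protocol-op tags: 97 = BindResponse, 101 = SearchResultDone
            tag = kv.get('tag')
            target = conn['binds'] if tag == '97' else conn['searches'] if tag == '101' else []
            for op in target:
                if op['op'] == kv['op'] and op['err'] is None:
                    op['err'] = int(kv.get('err', '0'))
        elif ' closed' in rest:
            conn['closed'] = True
    return conns


def classify(conn):
    """Summarise what the client did on one connection."""
    if conn['binds']:
        last = conn['binds'][-1]
        if last['err'] is None:
            return 'bind-pending'
        return 'bound' if last['err'] == 0 else 'bind-failed'
    if conn['searches'] and all(s['base'] == '' and s['scope'] == 0 for s in conn['searches']):
        return 'rootdse-probe-only'   # capabilities read, credentials never presented
    return 'anonymous' if conn['searches'] else 'idle'


def report(text):
    """List of (conn-id, client address, classification) in log order."""
    return [(cid, c['client'], classify(c)) for cid, c in parse_access_log(text).items()]


if __name__ == '__main__':
    for row in report(SAMPLE_LOG):
        print(row)
```

Run against a real access log, a long run of rootdse-probe-only connections from one client is the fingerprint of a client-side configuration problem (a bind that is never attempted), whereas bind-failed with err=49 on a proxy DN points at wrong credentials; both look like "LDAP does not work" from the client side.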
From: olivier at pref.nl (Olivier Brugman)
Date: Thu, 09 Feb 2006 13:40:44 +0100
Subject: [Fedora-directory-users] FDS on Ubuntu / Debian
Message-ID: <1139488844.8267.11.camel@xenxdm.noc.pref.nl>

Hi Folks,

Thank you for this great software. It rocks!
After installation on FC 3 and X/OS 4, I wanted to install FDS on Ubuntu and Debian GNU/Linux (Sarge), my platforms of preference.

FWIW, this is how it worked for me:

FDS-on-Ubuntu/Debian-howto
==========================

This document describes how to install the Fedora Directory Server (FDS) on Ubuntu 5.10 (Breezy Badger) or Debian GNU/Linux Sarge. I presume you already have done a minimal installation of the OS of choice.
Most steps for Ubuntu and Sarge are equal, however this howto is based on the installation of the 'sudo' package. As an alternative you can 'su -' on Debian and skip the sudo part of the commands.

1 Get the software
==================
Download a prebuilt rpm from http://directory.fedora.redhat.com/wiki/Download
Choose the version suitable for Fedora Core 3 and RHEL4. For Debian GNU/Linux Sarge the rpm for RHEL3 is required (Ubuntu has libc6 version 2.3.5 while Sarge has version 2.3.2).

2 Install alien-package
=======================
Alien is a tool that supports converting software in 'rpm' format to 'deb' format.
sudo apt-get install alien

3 Build the fedora-ds .deb package
==================================
sudo alien /YOURPATH/fedora-ds-1.0.1-1.RHEL4.i386.opt.rpm (Ubuntu)
sudo alien /YOURPATH/fedora-ds-1.0.1-1.RHEL3.i386.opt.rpm (Debian Sarge)

4 Build dependencies
====================
The Fedora Directory Server needs 'libtermcap.so.2', so install it.
sudo apt-get install termcap-compat
Install the Sun Java SDK or JRE version 1.4.2. Don't forget to set the JAVA_HOME and PATH variables!
The admin-server of FDS depends on Apache2 compiled according to the worker model, so let's install it
sudo apt-get install apache2-mpm-worker
As Fedora calls the daemon 'httpd' while Ubuntu calls it 'apache2' (like Debian), we want to create a symbolic link to satisfy FDS' setup utility.
sudo ln -s /usr/sbin/apache2 /usr/sbin/httpd

5 Install .deb package
======================
sudo dpkg -i /YOURPATH/fedora-ds_1.0.1-2_i386.deb

6 Create a user and group for the daemon
========================================
sudo groupadd fds
sudo useradd -s /bin/false -g fds fds

7 Run the setup program
=======================
Now we want to configure the FDS. As the setup utility won't find the Apache2 modules on Debian/Ubuntu by default, we'll have to help it.
First we'll create an install.inf file by running the setup utility with the '-k' option.
sudo /opt/fedora-ds/setup/setup -k
Choose '1' for as minimal questions as possible.
Choose 'fds' when asked which user and group apply.
After finalizing the setup wizard the directory server itself will be started as user 'fds'. It listens on the port you just configured (I chose port '389', the default LDAP port).
When done, copy the install.inf file to /opt
sudo cp /opt/fedora-ds/setup/install.inf /opt
sudo chmod 640 /opt/install.inf
Then add this rule to the [admin] section of the file:
ApacheRoot= /usr/lib/apache2
Afterwards rerun the setup utility with the following options:
sudo /opt/fedora-ds/setup/setup -s -f /opt/install.inf

8 Adjust the admin-server's httpd.conf
======================================
We have to make some changes to the '/opt/fedora-ds/admin-serv/config/httpd.conf' file.
Some modules do not have to be loaded as they are compiled in statically. So comment out these lines:
...
#LoadModule access_module /usr/lib/apache2/modules/mod_access.so
#LoadModule auth_module /usr/lib/apache2/modules/mod_auth.so
#LoadModule log_config_module /usr/lib/apache2/modules/mod_log_config.so
#LoadModule env_module /usr/lib/apache2/modules/mod_env.so
...
#LoadModule setenvif_module /usr/lib/apache2/modules/mod_setenvif.so
#LoadModule mime_module /usr/lib/apache2/modules/mod_mime.so
...
#LoadModule negotiation_module /usr/lib/apache2/modules/mod_negotiation.so
#LoadModule dir_module /usr/lib/apache2/modules/mod_dir.so
...
#LoadModule alias_module /usr/lib/apache2/modules/mod_alias.so
...

9 Now try to start the admin-server
===================================
sudo /opt/fedora-ds/start-admin

If it works, Good :-)
If not, you probably didn't have enough coffee!

Cheers,
Olivier Brugman

From glenn at sms.caltech.edu Fri Feb 10 02:29:18 2006
From: glenn at sms.caltech.edu (Glenn W. Bach)
Date: Thu, 9 Feb 2006 18:29:18 -0800 (PST)
Subject: [Fedora-directory-users] Search w/ empty base dn
Message-ID: <62930.216.165.251.106.1139538558.squirrel@mail.sms.caltech.edu>

I'm replacing an ldap server with Fedora Directory. The old one allows searches with the base dn empty. Is there a way to allow searches with a blank base dn in Fedora Directory?

From del at babel.com.au Fri Feb 10 02:56:24 2006
From: del at babel.com.au (Del)
Date: Fri, 10 Feb 2006 13:56:24 +1100
Subject: [Fedora-directory-users] Search w/ empty base dn
In-Reply-To: <62930.216.165.251.106.1139538558.squirrel@mail.sms.caltech.edu>
References: <62930.216.165.251.106.1139538558.squirrel@mail.sms.caltech.edu>
Message-ID: <43EC00D8.1040106@babel.com.au>

Glenn W. Bach wrote:
> I'm replacing an ldap server with Fedora Directory. The old one allows
> searches with the base dn empty. Is there a way to allow searches with a
> blank base dn in Fedora Directory?

It works for me, I do it all the time. You may need to set the search scope to "base" or you won't find anything.

$ ldapsearch -x -b '' -s base vendorVersion
# extended LDIF
#
# LDAPv3
# base <> with scope base
# filter: (objectclass=*)
# requesting: vendorVersion
#

#
dn:
vendorVersion: Fedora-Directory/1.0.1 B2005.342.165

This is using, just as an example, the ldapsearch command line tool from the openldap-clients RPM. Which LDAP client are you using?

Another useful search with a blank base DN is for namingContexts, eg:

ldapsearch -x -b '' -s base namingContexts

--
Del

From rmeggins at redhat.com Fri Feb 10 02:58:26 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 09 Feb 2006 19:58:26 -0700
Subject: [Fedora-directory-users] Search w/ empty base dn
In-Reply-To: <62930.216.165.251.106.1139538558.squirrel@mail.sms.caltech.edu>
References: <62930.216.165.251.106.1139538558.squirrel@mail.sms.caltech.edu>
Message-ID: <43EC0152.1000807@redhat.com>

Glenn W. Bach wrote:
>I'm replacing an ldap server with Fedora Directory. The old one allows
>searches with the base dn empty. Is there a way to allow searches with a
>blank base dn in Fedora Directory?

I'm assuming you mean the ability to perform a subtree search with a base dn of "". No, you cannot do this with Fedora DS. What is your old directory server? Does it do this by default or do you have to configure it to do so?

>--
>Fedora-directory-users mailing list
>Fedora-directory-users at redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3178 bytes
Desc: S/MIME Cryptographic Signature
URL:

From francois.beretti at gmail.com Fri Feb 10 07:20:43 2006
From: francois.beretti at gmail.com (François Beretti)
Date: Fri, 10 Feb 2006 08:20:43 +0100
Subject: [Fedora-directory-users] Restore a backup in a multimaster replication topology
Message-ID: <85d6be850602092320g613f9bb3m@mail.gmail.com>

Hi,

If someone deletes data by doing a wrong operation, and this deletion is replicated to all the replicas, I want to restore the lost data from a backup, and I want the entries to have the same nsuniqueid as before. Of course, I want this import to be replicated to all the replicas. If possible, I want to be able to restore a subtree of the directory, and not the whole.

Is it possible?

Thank you very much
François

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From mj at sci.fi Fri Feb 10 07:56:05 2006
From: mj at sci.fi (mj at sci.fi)
Date: Fri, 10 Feb 2006 09:56:05 +0200 (EET)
Subject: [Fedora-directory-users] Restore a backup in a multimaster replication topology
Message-ID: <2093118.1139558165355.JavaMail.mj@sci.fi>

>If someone deletes data by doing a wrong operation, and this deletion is
>replicated to all the replicas, I want to restore the lost data from a
>backup, and I want the entries to have the same nsuniqueid as before. Of
>course, I want this import to be replicated to all the replicas. If
>possible, I want to be able to restore a subtree of the directory, and not
>the whole.

The way I handle this in a multi-master setup is:

1. Restore machine 1 from backup
2. Re-initialize machines 2-4 from machine 1

I have written a perl script (and a module) which completely handles an MMR restore job over-the-wire. Restoring a 4-way MMR setup with 10k entries takes less than 5 minutes. I am in the process of trying to open-source this tool (among others), but it may take a long time or may not happen at all. You can find out how to write it yourself by driving the operations with the admin console and sniffing the traffic with ethereal.

Only suffixes can be restored from backup. If you have built your subtrees as suffixes, then you can restore at the subtree level.

BR,
Mike

From rmeggins at redhat.com Fri Feb 10 15:09:22 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 10 Feb 2006 08:09:22 -0700
Subject: [Fedora-directory-users] FDS on Ubuntu / Debian
In-Reply-To: <1139488844.8267.11.camel@xenxdm.noc.pref.nl>
References: <1139488844.8267.11.camel@xenxdm.noc.pref.nl>
Message-ID: <43ECACA2.5040106@redhat.com>

http://directory.fedora.redhat.com/wiki/Howto:DebianUbuntu

Thanks!

Olivier Brugman wrote:
>Hi Folks,
>
>Thank you for this great software. It rocks!
>After installation on FC 3 and X/OS 4, i wanted to install FDS on Ubuntu
>and Debian GNU/Linux (Sarge), my platforms of preference.
>
>FWIW, this is how it worked for me:
>
>FDS-on-Ubuntu/Debian-howto
>==========================
>
>[...]
>
>Cheers,
>Olivier Brugman
>
>--
>Fedora-directory-users mailing list
>Fedora-directory-users at redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3178 bytes
Desc: S/MIME Cryptographic Signature
URL:

From clonay at free.fr Fri Feb 10 17:23:30 2006
From: clonay at free.fr (Yann)
Date: Fri, 10 Feb 2006 12:23:30 -0500
Subject: [Fedora-directory-users] Certificate authentication with SASL External
Message-ID: <1139592210.43eccc12e45a5@imp3-g19.free.fr>

>>Remember that authentication is not the same as authorization - having the valid certificate just proves who you are to the server; the server doesn't have to accord you any privileges/authorization just because of that.
>>
>>Correct, but the OP _wanted_ to make an authorization decision for this identity, not just perform authentication.
>>I think what he wants is to be able to use the subject DN in the client's cert directly as the bind identity for access control purposes. This isn't supported.
>>Not because the original developers missed some grand X.500 vision, but because nobody needed to do that (and haven't for 10 years, until now...).

Yes David, it's exactly what i want to do... So, it's not supported in FD :-(

I tried to find another way to do that; ex: when i bind with a certificate with no matching entry in the LDAP directory, FDS says:

[10/Feb/2006:17:14:11 +0000] conn=510 SSL failed to map client certificate to LDAP DN (No such object)

BUT, he's allowed to view the unprivileged part of LDAP, because it's authenticated by SASL before... like an anonymous account. When he creates an entry, the owner is "" (empty).. !?

So, is it possible to change this "default mapping" to something else to do what i want to do ? :-)

Thanks !
Yann

From ABliss at preferredcare.org Fri Feb 10 17:42:40 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Fri, 10 Feb 2006 12:42:40 -0500
Subject: [Fedora-directory-users] Hp_ux authentication
Message-ID:

We're running fds in our environment, and authenticating our linux servers to our directory servers; we have a couple of hp_ux boxes (11i) here and I would like to configure them to also authenticate to fds; is this possible? If so can you point me to some documentation for configuring these boxes? Thanks very much.

Aaron

From mj at sci.fi Fri Feb 10 17:44:36 2006
From: mj at sci.fi (Mike Jackson)
Date: Fri, 10 Feb 2006 19:44:36 +0200
Subject: [Fedora-directory-users] Hp_ux authentication
In-Reply-To:
References:
Message-ID: <43ECD104.1070304@sci.fi>

Bliss, Aaron wrote:
> We're running fds in our environment, and authenticating our linux
> servers to our directory servers; we have a couple of hp_ux boxes (11i)
> here and I would like to configure them to also authenticate to fds; is
> this possible? If so can you point me to some documentation for
> configuring these boxes? Thanks very much.

Sure, it's possible; I use it quite extensively. PADL wrote the LDAP-UX Integration for HP-UX.

http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=J4269AA

It is nearly like nss_ldap and pam_ldap, except that there is an "ldapclientd" which needs to be configured to proxy the LDAP connections.

BR,
--
mike

From ulf.weltman at hp.com Fri Feb 10 18:40:14 2006
From: ulf.weltman at hp.com (Ulf Weltman)
Date: Fri, 10 Feb 2006 10:40:14 -0800
Subject: [Fedora-directory-users] Hp_ux authentication
In-Reply-To: <43ECD104.1070304@sci.fi>
References: <43ECD104.1070304@sci.fi>
Message-ID: <43ECDE0E.8000402@hp.com>

Mike Jackson wrote:
> Bliss, Aaron wrote:
>
>> We're running fds in our environment, and authenticating our linux
>> servers to our directory servers; we have a couple of hp_ux boxes (11i)
>> here and I would like to configure them to also authenticate to fds; is
>> this possible? If so can you point me to some documentation for
>> configuring these boxes? Thanks very much.
>
> Sure, it's possible; I use it quite extensively. PADL wrote the
> LDAP-UX Integration for HP-UX.
>
> http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=J4269AA
>
> It is nearly like nss_ldap and pam_ldap, except that there is an
> "ldapclientd" which needs to be configured to proxy the LDAP connections.

LDAP-UX was written by HP, you may be thinking of the bundled NIS Gateway with PADL origin. But yes, this package should serve your HP-UX LDAP integration needs. It has also shipped as part of the OE since last year's 11i and 11i v2 updates.

From ABliss at preferredcare.org Fri Feb 10 18:54:06 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Fri, 10 Feb 2006 13:54:06 -0500
Subject: [Fedora-directory-users] Question on indexes
Message-ID:

Does anyone see any concern about indexing uidnumber and gidnumber (create index equality index type)? I would guess that these are 2 attributes that are accessed quite frequently for getting ownership information of files and directories from clients. What do you guys think?

Aaron

From rmeggins at redhat.com Fri Feb 10 18:58:42 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 10 Feb 2006 11:58:42 -0700
Subject: [Fedora-directory-users] Question on indexes
In-Reply-To:
References:
Message-ID: <43ECE262.8020304@redhat.com>

Bliss, Aaron wrote:
>Does anyone see any concern about indexing uidnumber and gidnumber
>(create index equality index type)? I would guess that these are 2
>attributes that are accessed quite frequently for getting ownership
>information of files and directories from clients. What do you guys
>think?

I think it's a good idea to index those attributes.

>Aaron
>
>--
>Fedora-directory-users mailing list
>Fedora-directory-users at redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3178 bytes
Desc: S/MIME Cryptographic Signature
URL:

From glenn at caltech.edu Fri Feb 10 18:03:19 2006
From: glenn at caltech.edu (Glenn W. Bach)
Date: Fri, 10 Feb 2006 10:03:19 -0800
Subject: [Fedora-directory-users] Search w/ empty base dn
Message-ID: <43ECD567.9080102@caltech.edu>

>> I'm replacing an ldap server with Fedora Directory. The old one allows searches with
>> the base dn empty. Is there a way to allow searches with a blank base dn in Fedora
>> Directory?

> I'm assuming you mean the ability to perform a subtree search with a base dn of "". No,
> you cannot do this with Fedora DS. What is your old directory server? Does it do this
> by default or do you have to configure it to do so?

Yes, -b ''

We are actually replacing an Exchange 5.5 system that is pretending to be an ldap server. The unfortunate thing is that hundreds of users have their base dn blank, which is something Exchange can apparently deal with. I am not sure if it had to be specifically configured to allow this.

So the bottom line sounds like we need to touch several hundred desktops if we want to transition away from Exchange. Sigh...

Thanks.

Glenn

From rmeggins at redhat.com Fri Feb 10 19:05:52 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 10 Feb 2006 12:05:52 -0700
Subject: [Fedora-directory-users] Search w/ empty base dn
In-Reply-To: <43ECD567.9080102@caltech.edu>
References: <43ECD567.9080102@caltech.edu>
Message-ID: <43ECE410.10108@redhat.com>

Glenn W. Bach wrote:
>>> I'm replacing an ldap server with Fedora Directory. The old one
>>> allows searches with the base dn empty. Is there a way to allow
>>> searches with a blank base dn in Fedora Directory?
>>
>> I'm assuming you mean the ability to perform a subtree search with a
>> base dn of "". No, you cannot do this with Fedora DS. What is your
>> old directory server? Does it do this by default or do you have to
>> configure it to do so?
>
> Yes, -b ''
>
> We are actually replacing an Exchange 5.5 system that is pretending to
> be an ldap server. The unfortunate thing is that hundreds of users have
> their base dn blank, which is something Exchange can apparently deal
> with. I am not sure if it had to be specifically configured to allow this.

No, that explains it.

> So the bottom line sounds like we need to touch several hundred
> desktops if we want to transition away from Exchange. Sigh...

Perhaps not. OpenLDAP has the ability to act as an LDAP proxy and rewrite the base DN. I'm not sure how to do this, but probably someone on the openldap lists would know.

Alternately, you could write a plug-in (datainterop) that maps incoming requests for base "" and sub scope to your real suffix.

> Thanks.
>
> Glenn
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3178 bytes
Desc: S/MIME Cryptographic Signature
URL:

From hyc at symas.com Sat Feb 11 17:17:10 2006
From: hyc at symas.com (Howard Chu) Date: Sat, 11 Feb 2006 09:17:10 -0800 Subject: [Fedora-directory-users] Search w/ empty base dn In-Reply-To: <20060211170005.0820472FD9@hormel.redhat.com> References: <20060211170005.0820472FD9@hormel.redhat.com> Message-ID: <43EE1C16.3040900@symas.com>

> Date: Fri, 10 Feb 2006 12:05:52 -0700
> From: Richard Megginson
>
> Glenn W. Bach wrote:
>
>>>> I'm replacing an ldap server with Fedora Directory. The old one allows searches with the base dn empty. Is there a way to allow searches with a blank base dn in Fedora Directory?
>>>
>>> I'm assuming you mean the ability to perform a subtree search with a base dn of "". No, you cannot do this with Fedora DS. What is your old directory server? Does it do this by default or do you have to configure it to do so?
>>>
>> Yes, -b ''
>>
>> We are actually replacing an Exchange 5.5 system that is pretending to be an ldap server. The unfortunate thing is that hundreds of users have their base dn blank, which is something Exchange can apparently deal with. I am not sure if it had to be specifically configured to allow this.
>
> No, that explains it.
>
>> So the bottom line sounds like we need to touch several hundred desktops if we want to transition away from Exchange. Sigh...
>
> Perhaps not. OpenLDAP has the ability to act as an LDAP proxy and rewrite the base DN. I'm not sure how to do this, but probably someone on the openldap lists would know.

OpenLDAP has a more relevant solution here: you can set a defaultsearchbase on slapd that is used when a search request comes in with an empty baseDN and non-base scope. This feature exists in OpenLDAP precisely because of all those misconfigured clients in the world.

> Alternately, you could write a plug-in (datainterop) that maps incoming requests for base "" and sub scope to your real suffix.

-- Howard Chu, Chief Architect, Symas Corp. http://www.symas.com, Director, Highland Sun http://highlandsun.com/hyc, OpenLDAP Core Team http://www.openldap.org/project/

From dfulton at concepttechnologyinc.com Sun Feb 12 21:32:59 2006
From: dfulton at concepttechnologyinc.com (Darren Fulton) Date: Sun, 12 Feb 2006 15:32:59 -0600 (CST) Subject: [Fedora-directory-users] Looking for expanded upgrade to 1.0 procedure Message-ID: <9751522.01139779979715.JavaMail.root@host3.concepttechnologyinc.com>

We've been running FDS beta in production for a while now. I'd like to upgrade to 1.0 and then get current, especially because after the last reboot, the admin-serv won't run anymore.

The only upgrade instructions that I've been able to find are at the bottom of the 1.0 Release Notes:

Unfortunately, rpm -U (rpm upgrade install) is not supported. You must perform a migration from the old version. Steps:

1. Backup your data, using the console or the db2bak command line (or Export to LDIF)
2. Make a copy of your server configuration - the slapd-instance/config/dse.ldif file
3. Backup your key/cert/module information - the /opt/fedora-ds/alias .db files (you can ignore the .so file)
4. Uninstall the previous version (e.g. rpm -e fedora-ds)
5. Install the new version (e.g. rpm -ivh fedora-ds-1.0-2.platform.i386.opt.rpm)
6. Add back your configuration to the new instance e.g. do a diff between your saved dse.ldif and the new one
7. Add back your saved key/cert/module .db files to /opt/fedora-ds/alias
8. Restore your saved data (or import from LDIF)

These notes aren't enough detail for me to get the job done. Is there a detailed procedure somewhere or can one of you good people help me? I've looked through the mailing list archives, FDS docs, RHDS docs, and googled. I'd like something like this:

mkdir /var/backup/fds
cd /opt/fedora-ds/slapd-host2
./db2bak /var/backup/fds
blah blah
rpm -e fedora-ds
etc etc

Specific things in the upgrade steps from the release notes that I don't feel good about are:

Step 1 - I don't know how to do that, but I think I might have done it correctly.
Step 4 - after rpm -e, it says some files may not have been removed and to remove them manually. Do you do rm -Rf /opt/fedora-ds?
Step 6 - I don't know how to do that
Step 8 - I don't know how to do that

Thanks in advance!

-- Best Regards, Darren Fulton

From ABliss at preferredcare.org Sun Feb 12 23:20:09 2006
From: ABliss at preferredcare.org (Bliss, Aaron) Date: Sun, 12 Feb 2006 18:20:09 -0500 Subject: [Fedora-directory-users] See several of these in clients /var/log/messages Message-ID:

I've noticed that since migrating to authenticate to fds, in clients /var/log/messages I see several of these per day; I have not heard of anyone being unable to login to the boxes, however I'm curious as to why these entries are showing up. Any ideas? Thanks.

nss_ldap: reconnecting to LDAP server...
nss_ldap: reconnected to LDAP server after 1 attempt(s)

From rmeggins at redhat.com Mon Feb 13 02:04:07 2006
From: rmeggins at redhat.com (Richard Megginson) Date: Sun, 12 Feb 2006 19:04:07 -0700 Subject: [Fedora-directory-users] Search w/ empty base dn In-Reply-To: <43EE1C16.3040900@symas.com> References: <20060211170005.0820472FD9@hormel.redhat.com> <43EE1C16.3040900@symas.com> Message-ID: <43EFE917.4030404@redhat.com>

Howard Chu wrote:

>> Date: Fri, 10 Feb 2006 12:05:52 -0700
>> From: Richard Megginson
>>
>> Glenn W. Bach wrote:
>>
>>>>> I'm replacing an ldap server with Fedora Directory. The old one allows searches with the base dn empty. Is there a way to allow searches with a blank base dn in Fedora Directory?
>>>>
>>>> I'm assuming you mean the ability to perform a subtree search with a base dn of "". No, you cannot do this with Fedora DS. What is your old directory server? Does it do this by default or do you have to configure it to do so?
>>>
>>> Yes, -b ''
>>>
>>> We are actually replacing an Exchange 5.5 system that is pretending to be an ldap server. The unfortunate thing is that hundreds of users have their base dn blank, which is something Exchange can apparently deal with. I am not sure if it had to be specifically configured to allow this.
>>
>> No, that explains it.
>>
>>> So the bottom line sounds like we need to touch several hundred desktops if we want to transition away from Exchange. Sigh...
>>
>> Perhaps not. OpenLDAP has the ability to act as an LDAP proxy and rewrite the base DN. I'm not sure how to do this, but probably someone on the openldap lists would know.
>
> OpenLDAP has a more relevant solution here: you can set a defaultsearchbase on slapd that is used when a search request comes in with an empty baseDN and non-base scope. This feature exists in OpenLDAP precisely because of all those misconfigured clients in the world.

Oh, well you can do that with Fedora DS as well:

1) stop-slapd
2) edit config/dse.ldif - in the first entry, the one with dn: (the empty dn), just add

objectclass: extensibleObject
defaultsearchbase: yoursuffix

3) start-slapd

>> Alternately, you could write a plug-in (datainterop) that maps incoming requests for base "" and sub scope to your real suffix.

From rmeggins at redhat.com Mon Feb 13 17:44:02 2006
From: rmeggins at redhat.com (Richard Megginson) Date: Mon, 13 Feb 2006 10:44:02 -0700 Subject: [Fedora-directory-users] Looking for expanded upgrade to 1.0 procedure In-Reply-To: <9751522.01139779979715.JavaMail.root@host3.concepttechnologyinc.com> References: <9751522.01139779979715.JavaMail.root@host3.concepttechnologyinc.com> Message-ID: <43F0C562.1040704@redhat.com>

Darren Fulton wrote:

> We've been running FDS beta in production for a while now. I'd like to upgrade to 1.0 and then get current, especially because after the last reboot, the admin-serv won't run anymore.

What's the problem? Note that ns-slapd must be up and running and accepting connections before admin-serv will start.

> The only upgrade instructions that I've been able to find are at the bottom of the 1.0 Release Notes:
>
> Unfortunately, rpm -U (rpm upgrade install) is not supported. You must perform a migration from the old version. Steps:
>
> 1. Backup your data, using the console or the db2bak command line (or Export to LDIF)
> 2. Make a copy of your server configuration - the slapd-instance/config/dse.ldif file
> 3. Backup your key/cert/module information - the /opt/fedora-ds/alias .db files (you can ignore the .so file)
> 4. Uninstall the previous version (e.g. rpm -e fedora-ds)
> 5. Install the new version (e.g. rpm -ivh fedora-ds-1.0-2.platform.i386.opt.rpm)
> 6. Add back your configuration to the new instance e.g. do a diff between your saved dse.ldif and the new one
> 7. Add back your saved key/cert/module .db files to /opt/fedora-ds/alias
> 8. Restore your saved data (or import from LDIF)
>
> These notes aren't enough detail for me to get the job done. Is there a detailed procedure somewhere or can one of you good people help me? I've looked through the mailing list archives, FDS docs, RHDS docs, and googled. I'd like something like this:
>
> mkdir /var/backup/fds
> cd /opt/fedora-ds/slapd-host2
> ./db2bak /var/backup/fds
> blah blah
> rpm -e fedora-ds
> etc etc
>
> Specific things in the upgrade steps from the release notes that I don't feel good about are:
> Step 1 - I don't know how to do that, but I think I might have done it correctly.

Yes, you are correct.

> Step 4 - after rpm -e, it says some files may not have been removed and to remove them manually. Do you do rm -Rf /opt/fedora-ds?

Yes.

> Step 6 - I don't know how to do that

cd /opt/fedora-ds/slapd-host2
./stop-slapd
diff -U 8 dse.ldif.saved config/dse.ldif > diffs
# where dse.ldif.saved is the one you saved in step 2 above
# now, take a look at the file diffs, and edit your config/dse.ldif with any pertinent changes in diffs
./start-slapd

> Step 8 - I don't know how to do that

cd /opt/fedora-ds/slapd-host2
./stop-slapd
./bak2db /var/backup/fds
./start-slapd

> Thanks in advance!

From dfulton at concepttechnologyinc.com Mon Feb 13 17:52:12 2006
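Both dse.ldif edits discussed in these threads (Richard's defaultsearchbase fix on the root DSE entry, and step 6's comparison of the saved dse.ldif against the one the new install writes) can be done on the file while the server is stopped. The Python below is an added example, not code from Fedora Directory Server or from anyone on the list: a small LDIF reader that copes with folded lines and base64 values, a function that adds objectclass: extensibleObject and defaultsearchbase to the first (empty-dn) entry, and an attribute-level comparison that reports what the saved configuration has that the new one lacks or sets differently. The two dse.ldif fragments are constructed for the example; attribute names are lowercased on parse, and the list of ignored operational attributes is the example's own choice.

```python
"""dse.ldif helpers for this thread (added example, not Fedora DS code):
set defaultsearchbase on the root DSE entry, and compare a saved dse.ldif
with the one a fresh install wrote. Sample data below is constructed."""
import base64

# Operational attributes that always differ between two copies and are not
# worth carrying over (assumption: this list is the example's own choice).
IGNORED_ATTRS = {"modifytimestamp", "createtimestamp", "modifiersname", "creatorsname"}


def _split(line):
    """Split 'attr: value' or 'attr:: base64value' into (lowercased attr, value)."""
    attr, rest = line.split(":", 1)
    if rest.startswith(":"):
        value = base64.b64decode(rest[1:].strip()).decode("utf-8")
    else:
        value = rest.strip()
    return attr.strip().lower(), value


def parse_ldif(text):
    """Return [(dn, {attr: [values]})] in file order. Unfolds continuation
    lines (leading space), skips comments and 'version:', and treats each
    'dn:' line as the start of a new entry."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # folded line: append to the previous one
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        attr, value = _split(line)
        if attr == "dn":
            current = (value, {})
            entries.append(current)
        elif attr == "version" and current is None:
            continue
        elif current is None:
            raise ValueError("attribute before the first dn: line")
        else:
            current[1].setdefault(attr, []).append(value)
    return entries


def _needs_b64(value):
    return bool(value) and (value[0] in " :<" or value != value.strip()
                            or not value.isascii() or "\n" in value)


def to_ldif(entries):
    """Serialise entries back to LDIF, base64-encoding values that need it."""
    out = []
    for dn, attrs in entries:
        out.append("dn: " + dn if dn else "dn:")
        for attr, values in attrs.items():
            for value in values:
                if _needs_b64(value):
                    out.append(f"{attr}:: {base64.b64encode(value.encode()).decode()}")
                else:
                    out.append(f"{attr}: {value}")
        out.append("")
    return "\n".join(out)


def set_defaultsearchbase(entries, suffix):
    """Richard's fix: on the root DSE entry (first entry, empty dn) make sure
    objectclass has extensibleObject and set defaultsearchbase. Idempotent."""
    dn, attrs = entries[0]
    if dn != "":
        raise ValueError("first entry is not the root DSE (empty dn)")
    ocs = attrs.setdefault("objectclass", [])
    if not any(oc.lower() == "extensibleobject" for oc in ocs):
        ocs.append("extensibleObject")
    attrs["defaultsearchbase"] = [suffix]
    return entries


def diff_dse(saved_text, new_text):
    """Step 6 at attribute level: what the saved dse.ldif has that the new one
    lacks, and which shared attributes changed value (saved, new)."""
    saved = {dn.lower(): attrs for dn, attrs in parse_ldif(saved_text)}
    new = {dn.lower(): attrs for dn, attrs in parse_ldif(new_text)}
    report = {"missing_entries": [], "missing_attrs": {}, "changed": {}}
    for dn, attrs in saved.items():
        if dn not in new:
            report["missing_entries"].append(dn)
            continue
        for attr, values in attrs.items():
            if attr in IGNORED_ATTRS:
                continue
            if attr not in new[dn]:
                report["missing_attrs"].setdefault(dn, []).append(attr)
            elif sorted(values) != sorted(new[dn][attr]):
                report["changed"].setdefault(dn, {})[attr] = (values, new[dn][attr])
    return report


# Constructed fragments standing in for a saved and a freshly installed dse.ldif.
SAVED_DSE = """dn:
objectClass: top

dn: cn=config
objectClass: top
objectClass: extensibleObject
cn: config
nsslapd-port: 389
nsslapd-errorlog-level: 8192
nsslapd-maxdescriptors: 4096
"""

NEW_DSE = """dn:
objectClass: top

dn: cn=config
objectClass: top
objectClass: extensibleObject
cn: config
nsslapd-port: 389
nsslapd-maxdescriptors: 1024
"""

if __name__ == "__main__":
    fixed = set_defaultsearchbase(parse_ldif(NEW_DSE), "dc=example,dc=com")
    print(to_ldif(fixed))
    print(diff_dse(SAVED_DSE, NEW_DSE))
```

Run it against the real files only with the server stopped (stop-slapd), and treat the report as a review list rather than something to copy over blindly: values such as nsslapd-maxdescriptors or plugin paths may legitimately differ between releases. Richard's `diff -U 8` still shows ordering and comment changes that this attribute-level view ignores, so the two complement each other.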
From: dfulton at concepttechnologyinc.com (Darren Fulton - CTI) Date: Mon, 13 Feb 2006 11:52:12 -0600 Subject: [Fedora-directory-users] Looking for expanded upgrade to 1.0 procedure In-Reply-To: <43F0C562.1040704@redhat.com> References: <9751522.01139779979715.JavaMail.root@host3.concepttechnologyinc.com> <43F0C562.1040704@redhat.com> Message-ID: <43F0C74C.10407@concepttechnologyinc.com>

Richard Megginson wrote:

> Darren Fulton wrote:
>
>> We've been running FDS beta in production for a while now. I'd like to upgrade to 1.0 and then get current, especially because after the last reboot, the admin-serv won't run anymore.
>
> What's the problem? Note that ns-slapd must be up and running and accepting connections before admin-serv will start.
>
>> The only upgrade instructions that I've been able to find are at the bottom of the 1.0 Release Notes:
>>
>> Unfortunately, rpm -U (rpm upgrade install) is not supported. You must perform a migration from the old version. Steps:
>>
>> 1. Backup your data, using the console or the db2bak command line (or Export to LDIF)
>> 2. Make a copy of your server configuration - the slapd-instance/config/dse.ldif file
>> 3. Backup your key/cert/module information - the /opt/fedora-ds/alias .db files (you can ignore the .so file)
>> 4. Uninstall the previous version (e.g. rpm -e fedora-ds)
>> 5. Install the new version (e.g. rpm -ivh fedora-ds-1.0-2.platform.i386.opt.rpm)
>> 6. Add back your configuration to the new instance e.g. do a diff between your saved dse.ldif and the new one
>> 7. Add back your saved key/cert/module .db files to /opt/fedora-ds/alias
>> 8. Restore your saved data (or import from LDIF)
>>
>> These notes aren't enough detail for me to get the job done. Is there a detailed procedure somewhere or can one of you good people help me? I've looked through the mailing list archives, FDS docs, RHDS docs, and googled. I'd like something like this:
>>
>> mkdir /var/backup/fds
>> cd /opt/fedora-ds/slapd-host2
>> ./db2bak /var/backup/fds
>> blah blah
>> rpm -e fedora-ds
>> etc etc
>>
>> Specific things in the upgrade steps from the release notes that I don't feel good about are:
>> Step 1 - I don't know how to do that, but I think I might have done it correctly.
>
> Yes, you are correct.
>
>> Step 4 - after rpm -e, it says some files may not have been removed and to remove them manually. Do you do rm -Rf /opt/fedora-ds?
>
> Yes.
>
>> Step 6 - I don't know how to do that
>
> cd /opt/fedora-ds/slapd-host2
> ./stop-slapd
> diff -U 8 dse.ldif.saved config/dse.ldif > diffs
> # where dse.ldif.saved is the one you saved in step 2 above
> # now, take a look at the file diffs, and edit your config/dse.ldif with any pertinent changes in diffs
> ./start-slapd
>
>> Step 8 - I don't know how to do that
>
> cd /opt/fedora-ds/slapd-host2
> ./stop-slapd
> ./bak2db /var/backup/fds
> ./start-slapd
>
>> Thanks in advance!

Awesome. I'll try that and report back.

As to why the admin-serv on the current install won't work anymore, I don't know. Nothing interesting in the logs, except that once upon a time, the log would include something about using IBM Java, but now that isn't showing. Probably not a big deal, because the upgrade will get it running via apache, so hopefully it is a non-issue. If you want more info for whatever reason, I'll be glad to provide it.

-- Best Regards, Darren Fulton

From prowley at redhat.com Mon Feb 13 19:29:29 2006
From: prowley at redhat.com (Pete Rowley) Date: Mon, 13 Feb 2006 11:29:29 -0800 Subject: [Fedora-directory-users] See several of these in clients /var/log/messages In-Reply-To: References: Message-ID: <43F0DE19.2040008@redhat.com>

Bliss, Aaron wrote:

> I've noticed that since migrating to authenticate to fds, in clients /var/log/messages I see several of these per day; I have not heard of anyone being unable to login to the boxes, however I'm curious as to why these entries are showing up. Any ideas? Thanks.

I believe nss_ldap keeps an open ldap connection for a period of time in order to service multiple requests without the tear up/tear down overhead of tcp/ip. What you see in the logs is likely it being successful at reconnecting after a timeout of the connection i.e. normal operation.

> nss_ldap: reconnecting to LDAP server...
> nss_ldap: reconnected to LDAP server after 1 attempt(s)

-- Pete

From basile.mathieu at siris.sorbonne.fr Tue Feb 14 11:57:21 2006
From: basile.mathieu at siris.sorbonne.fr (basile au siris) Date: Tue, 14 Feb 2006 12:57:21 +0100 Subject: [Fedora-directory-users] ldap client with solaris 9 Message-ID: <43F1C5A1.3030303@siris.sorbonne.fr>

I installed Fedora Directory on two Solaris 9 systems (did it for the 32-bit and 64-bit versions), did exactly the same things, and have the same pam.conf, nsswitch.conf, ldap_client_file and ldap_client_cred. FDS works fine on both installations, I can ldaplist etc., but on one of the installations id and getent never work: Solaris searches FDS but with an empty base, and it doesn't bind as proxyagent. What could it be? Thanks, it's important.

Basile

From basile.mathieu at siris.sorbonne.fr Tue Feb 14 16:30:16 2006
From: basile.mathieu at siris.sorbonne.fr (basile au siris) Date: Tue, 14 Feb 2006 17:30:16 +0100 Subject: [Fedora-directory-users] ldap client with solaris 9 In-Reply-To: <43F1C5A1.3030303@siris.sorbonne.fr> References: <43F1C5A1.3030303@siris.sorbonne.fr> Message-ID: <43F20598.2090902@siris.sorbonne.fr>

It was a problem with nss_ldap.so.1.

Basile

basile au siris wrote:

> I installed Fedora Directory on two Solaris 9 systems (did it for the 32-bit and 64-bit versions), did exactly the same things, and have the same pam.conf, nsswitch.conf, ldap_client_file and ldap_client_cred. FDS works fine on both installations, I can ldaplist etc., but on one of the installations id and getent never work: Solaris searches FDS but with an empty base, and it doesn't bind as proxyagent. What could it be? Thanks, it's important.
>
> Basile

From nzahar at gmail.com Tue Feb 14 16:42:56 2006
From: nzahar at gmail.com (Nikos Zaharioudakis) Date: Tue, 14 Feb 2006 08:42:56 -0800 Subject: [Fedora-directory-users] NDS Message-ID: <2adff3550602140842kb83816vf28e913bfc5f187d@mail.gmail.com>

Dear all,

Is there a successful case of Novell NDS synchronisation? Any feedback is really appreciated.

Best Regards,
Zahariudakis Nikos

-- Zaharioudakis Nikos, mob: +30 6947204063

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing on usenet and in e-mail?

From felipe.alfaro at gmail.com Tue Feb 14 23:49:51 2006
From: felipe.alfaro at gmail.com (Felipe Alfaro Solana) Date: Wed, 15 Feb 2006 00:49:51 +0100 Subject: [Fedora-directory-users] Samba integration Message-ID: <6f6293f10602141549l4b661549u5cd535f5563a4a07@mail.gmail.com>

Hello,

I have seen Fedora Directory Server console has support for "NT User" attributes when creating a new user in the directory. However, it seems that enabling the "NT User" capability uses an objectclass named "ntuser" instead of using "sambaSamAccount", which is the correct objectclass for Samba 3.0 integration. Can this be changed?

Also, Fedora Directory Server has a plugin for Password Modify (LDAP_EXTOP_PASSMOD) which requires the invoker to always supply the original password along with the new password. This causes problems when trying to use password synchronization between Samba and FDS, since Samba can't supply the original password. Can this be changed? It seems to me the only way of fixing this is by modifying the source file sources/ldapserver/ldap/servers/slapd/passwd_extop.c, but the building process seems overwhelming for me to try.

Any ideas?
Thanks!

From rmeggins at redhat.com Wed Feb 15 00:01:32 2006
From: rmeggins at redhat.com (Richard Megginson) Date: Tue, 14 Feb 2006 17:01:32 -0700 Subject: [Fedora-directory-users] Samba integration In-Reply-To: <6f6293f10602141549l4b661549u5cd535f5563a4a07@mail.gmail.com> References: <6f6293f10602141549l4b661549u5cd535f5563a4a07@mail.gmail.com> Message-ID: <43F26F5C.5040602@redhat.com>

Felipe Alfaro Solana wrote:

> Hello,
>
> I have seen Fedora Directory Server console has support for "NT User" attributes when creating a new user in the directory. However, it seems the enabling the "NT User" capability uses an objectclass named "ntuser" instead of using "sambaSamAccount", which is the correct objectclass for Samba 3.0 integration. Can this be changed?

NT user is for Windows synchronization (AD sync) - this is different than samba support. We are investigating adding support for samba to the console for a future release.

> Also, Fedora Directory Server has a plugin for Password Modify (LDAP_EXTOP_PASSMOD) which requires the invoker to always supply the original password along the new password. This causes problems when trying to use password synchronization between Samba and FDS, since Samba can't supply the original password. Can this be changed? It seems to me the only way of fixing this is by modifying the source file sources/ldapserver/ldap/servers/slapd/passwd_extop.c, but the building process seems overwhelming for me to try.

This is probably a bug in the server. I can't remember if the IETF password modify draft says that the original password can be omitted (the server has it anyway, from the BIND operation), but other password modify extop clients expect to be able to only pass in the new password.

> Any ideas?
> Thanks!

From felipe.alfaro at gmail.com Wed Feb 15 00:06:35 2006
From: felipe.alfaro at gmail.com (Felipe Alfaro Solana) Date: Wed, 15 Feb 2006 01:06:35 +0100 Subject: [Fedora-directory-users] Samba integration In-Reply-To: <43F26F5C.5040602@redhat.com> References: <6f6293f10602141549l4b661549u5cd535f5563a4a07@mail.gmail.com> <43F26F5C.5040602@redhat.com> Message-ID: <6f6293f10602141606n8301640t19a1e2c3daf4635e@mail.gmail.com>

>> Samba can't supply the original password. Can this be changed? It seems to me the only way of fixing this is by modifying the source file sources/ldapserver/ldap/servers/slapd/passwd_extop.c, but the building process seems overwhelming for me to try.
>
> This is probably a bug in the server. I can't remember if the IETF password modify draft says that the original password can be omitted (the server has it anyway, from the BIND operation), but other password modify extop clients expect to be able to only pass in the new password.

I would say it's a bug, indeed (from the RFC3602):

--- BEGIN ---
2. Password Modify Request and Response

The Password Modify operation is an LDAPv3 Extended Operation [RFC2251, Section 4.12] and is identified by the OBJECT IDENTIFIER passwdModifyOID. This section details the syntax of the protocol request and response.

   passwdModifyOID OBJECT IDENTIFIER ::= 1.3.6.1.4.1.4203.1.11.1

   PasswdModifyRequestValue ::= SEQUENCE {
     userIdentity    [0]  OCTET STRING OPTIONAL
     oldPasswd       [1]  OCTET STRING OPTIONAL
     newPasswd       [2]  OCTET STRING OPTIONAL }
...
The userIdentity field, if present, SHALL contain an octet string representation of the user associated with the request. This string may or may not be an LDAPDN [RFC2253]. If no userIdentity field is present, the request acts up upon the password of the user currently associated with the LDAP session.

The oldPasswd field, if present, SHALL contain the user's current password.
...
--- END ---

As you can see, the oldPasswd is an OPTIONAL ASN.1 attribute. Should I submit a bug report for this?

Thanks!
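To see exactly what the server receives in the case Felipe describes, the following Python encodes and decodes PasswdModifyRequestValue as defined in RFC 3062 (the Password Modify extended operation, OID 1.3.6.1.4.1.4203.1.11.1) and shows the authorization decision an RFC-conforming server has to make when oldPasswd is absent. It is an added example, not Fedora DS code and not part of the bug report: the BER encoder/decoder is minimal (implicit context tags [0] to [2], short and long length forms, fields required in order and at most once), and the two predicates handed to authorize() stand in for the server's access-control and password checks.

```python
"""Password Modify extended operation (RFC 3062, OID 1.3.6.1.4.1.4203.1.11.1):
BER encoder/decoder for PasswdModifyRequestValue plus the authorization
decision a server must make when oldPasswd is omitted. Added example, not
Fedora DS code; the predicates in authorize() are caller-supplied stand-ins."""

PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"
# Implicit context-specific primitive tags from the ASN.1 in the RFC.
TAG_USER_IDENTITY, TAG_OLD_PASSWD, TAG_NEW_PASSWD, TAG_SEQUENCE = 0x80, 0x81, 0x82, 0x30
FIELDS = {TAG_USER_IDENTITY: "user_identity", TAG_OLD_PASSWD: "old_passwd",
          TAG_NEW_PASSWD: "new_passwd"}


def _length(n):
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _length(len(payload)) + payload


def encode_request(user_identity=None, old_passwd=None, new_passwd=None):
    """Build the requestValue; every field is OPTIONAL, so None means omitted."""
    body = b""
    for tag, value in ((TAG_USER_IDENTITY, user_identity),
                       (TAG_OLD_PASSWD, old_passwd), (TAG_NEW_PASSWD, new_passwd)):
        if value is not None:
            body += _tlv(tag, value.encode("utf-8"))
    return _tlv(TAG_SEQUENCE, body)


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos); rejects truncated or oversized lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_request(buf):
    """Parse the requestValue; absent fields come back as None. Fields must
    appear in order and at most once, as in any ASN.1 SEQUENCE."""
    tag, body, end = _read_tlv(buf, 0)
    if tag != TAG_SEQUENCE or end != len(buf):
        raise ValueError("not a single SEQUENCE")
    result = {name: None for name in FIELDS.values()}
    pos, last = 0, 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag not in FIELDS or tag <= last:
            raise ValueError("unexpected tag 0x%02x" % tag)
        result[FIELDS[tag]] = value.decode("utf-8")
        last = tag
    return result


def authorize(request, bound_dn, can_write_password, verify_old_password):
    """What a conforming server decides before touching any entry.
    bound_dn is the identity from the BIND (None if anonymous). The two
    predicates stand in for the server's ACI check and password check
    (assumption: supplied by the caller). Returns (target_dn, reason)."""
    target = request["user_identity"] or bound_dn
    if target is None:
        return None, "no userIdentity and no bind identity to act upon"
    if request["new_passwd"] is None:
        return None, "server-generated passwords not supported here"
    if request["old_passwd"] is not None:
        if not verify_old_password(target, request["old_passwd"]):
            return None, "oldPasswd does not match"
    elif not can_write_password(bound_dn, target):
        # oldPasswd is optional: with it absent, access control on the target
        # entry is the only thing authorizing the change, so enforce it here.
        return None, "oldPasswd omitted and bind identity may not write target's password"
    return target, "ok"


if __name__ == "__main__":
    # The shape Samba sends: userIdentity and newPasswd, no oldPasswd.
    req = encode_request(user_identity="uid=jdoe,ou=People,dc=example,dc=com",
                         new_passwd="N3w-s3cret")
    print(req.hex())
    print(decode_request(req))
```

The security point behind the bug: when oldPasswd is omitted the request carries no proof of the old secret, so the bind identity and the ACIs on the target entry are all that stand between a caller and a password reset. That is exactly what Samba relies on (its LDAP admin DN is permitted to write userPassword), and it is also why a server that accepts the optional field must keep refusing the same request from an anonymous or unprivileged bind.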
From rmeggins at redhat.com Wed Feb 15 00:06:47 2006 
From: rmeggins at redhat.com (Richard Megginson) Date: Tue, 14 Feb 2006 17:06:47 -0700 Subject: [Fedora-directory-users] Samba integration In-Reply-To: <6f6293f10602141606n8301640t19a1e2c3daf4635e@mail.gmail.com> References: <6f6293f10602141549l4b661549u5cd535f5563a4a07@mail.gmail.com> <43F26F5C.5040602@redhat.com> <6f6293f10602141606n8301640t19a1e2c3daf4635e@mail.gmail.com> Message-ID: <43F27097.7050806@redhat.com>

Felipe Alfaro Solana wrote:

>>> Samba can't supply the original password. Can this be changed? It seems to me the only way of fixing this is by modifying the source file sources/ldapserver/ldap/servers/slapd/passwd_extop.c, but the building process seems overwhelming for me to try.
>>
>> This is probably a bug in the server. I can't remember if the IETF password modify draft says that the original password can be omitted (the server has it anyway, from the BIND operation), but other password modify extop clients expect to be able to only pass in the new password.
>
> I would say it's a bug, indeed (from the RFC3602):
>
> --- BEGIN ---
> 2. Password Modify Request and Response
>
> The Password Modify operation is an LDAPv3 Extended Operation [RFC2251, Section 4.12] and is identified by the OBJECT IDENTIFIER passwdModifyOID. This section details the syntax of the protocol request and response.
>
>    passwdModifyOID OBJECT IDENTIFIER ::= 1.3.6.1.4.1.4203.1.11.1
>
>    PasswdModifyRequestValue ::= SEQUENCE {
>      userIdentity    [0]  OCTET STRING OPTIONAL
>      oldPasswd       [1]  OCTET STRING OPTIONAL
>      newPasswd       [2]  OCTET STRING OPTIONAL }
> ...
> The userIdentity field, if present, SHALL contain an octet string representation of the user associated with the request. This string may or may not be an LDAPDN [RFC2253]. If no userIdentity field is present, the request acts up upon the password of the user currently associated with the LDAP session.
>
> The oldPasswd field, if present, SHALL contain the user's current password.
> ...
> --- END ---
>
> As you can see, the oldPasswd is an OPTIONAL ASN.1 attribute. Should I submit a bug report for this?

Yes, please.

> Thanks!

From felipe.alfaro at gmail.com Wed Feb 15 00:21:02 2006
From: felipe.alfaro at gmail.com (Felipe Alfaro Solana) Date: Wed, 15 Feb 2006 01:21:02 +0100 Subject: [Fedora-directory-users] Samba integration In-Reply-To: <43F27097.7050806@redhat.com> References: <6f6293f10602141549l4b661549u5cd535f5563a4a07@mail.gmail.com> <43F26F5C.5040602@redhat.com> <6f6293f10602141606n8301640t19a1e2c3daf4635e@mail.gmail.com> <43F27097.7050806@redhat.com> Message-ID: <6f6293f10602141621v4617441cye8c24cd5c79d9083@mail.gmail.com>

>> submit a bug report for this?
>
> Yes, please.

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=181587

From scott.boggs at gmail.com Wed Feb 15 05:30:05 2006
From: scott.boggs at gmail.com (Scott Boggs) Date: Tue, 14 Feb 2006 23:30:05 -0600 Subject: [Fedora-directory-users] Username Case Sensitivity Message-ID: <43f2bc64.514f02d7.2b06.24c9@mx.gmail.com>

I am curious; I understand that LDAP does not enforce case sensitivity for user names or passwords. However, I am wondering if there is a method to enforce such a policy on fedora-ds? I noticed the behavior earlier this week and it reminded me of this behavior in LDAP. I am using an older version of fds; any chance the newer version addresses this?

Tks

From jsummers at bachman.cs.ou.edu Wed Feb 15 14:20:57 2006
From: jsummers at bachman.cs.ou.edu (Jim Summers) Date: Wed, 15 Feb 2006 08:20:57 -0600 Subject: [Fedora-directory-users] Non Leaf Object Message-ID: <43F338C9.6070600@cs.ou.edu>

Hello List,

While working with some scripts for my development ldap, I was trying to remove the ou=People and got the following error:

ldap_delete: Operation not allowed on non-leaf (66)

The ldif file has two basic lines in it:
------
dn: ou=People,dc=xxx,dc=xxx,dc=xxx
changetype: delete
------

I have used this same syntax to drop other ou's in the tree. So I wasn't sure why this ou is considered a non-leaf?? Or honestly I am not sure what a leaf is, in regards to ldap? Any good reading material?

I could delete each entry in the People container and then re-populate, but that seems like a noisy way of doing things in regards to the multi master replicas I have running.

Q. Why am I doing this?
A. I am temporarily manually sync'ing a production iplanet 5.1 ldap. I had thought about trying the multi-master scripts from the HOW-TO's but I was a little hesitant. Hopefully by this summer I will be fully migrated over to the FDS-ldap.

Ideas / suggestions?

-- Jim Summers, School of Computer Science-University of Oklahoma

From rmeggins at redhat.com Wed Feb 15 14:53:39 2006
From: rmeggins at redhat.com (Richard Megginson) Date: Wed, 15 Feb 2006 07:53:39 -0700 Subject: [Fedora-directory-users] Non Leaf Object In-Reply-To: <43F338C9.6070600@cs.ou.edu> References: <43F338C9.6070600@cs.ou.edu> Message-ID: <43F34073.6030204@redhat.com>

Jim Summers wrote:

> Hello List,
>
> While working with some scripts for my development ldap. I was trying to remove the ou=People and got the following error:
>
> ldap_delete: Operation not allowed on non-leaf (66)
>
> The ldif file has two basic lines in it:
> ------
> dn: ou=People,dc=xxx,dc=xxx,dc=xxx
> changetype: delete
> ------
>
> I have used this same syntax to drop other ou's in the tree. So I wasn't sure why this ou is considered a non-leaf?? Or honestly I am not sure what a leaf is, in regards to ldap?

A "leaf" entry is an entry with no children. A "non-leaf" entry is an entry with at least 1 child. LDAP does not allow you to delete an entry that has children. You must delete the children first before deleting the parent.

> Any good reading material?
>
> I could delete each entry in the People container and then re-populate, but that seems like a noisy way of doing things in regards to the multi master replicas I have running.

Depending on how many entries you have under your People container, you may find it faster to export to LDIF -> sed/awk/perl to remove the entries -> import modified LDIF file.

> Q. Why am I doing this?
> A. I am temporarily manually sync'ing a production iplanet 5.1 ldap. I had thought about trying the multi-master scripts from the HOW-TO's but I was a little hesistant. Hopefully by this summer I will be fully migrated over to the FDS-ldap.
>
> Ideas / suggestions?

From mj at sci.fi Wed Feb 15 14:52:38 2006
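Richard's answer means the delete has to walk the subtree bottom-up. The Python below is an added example, not Fedora DS tooling: given the DNs at and under a base (for instance from an ldapsearch with sub scope that returns only the dn, or from an LDIF export), it tells you which entries are non-leaf, orders the subtree deepest-first so that every entry precedes its parent, and emits the changetype: delete LDIF Jim was feeding to ldapmodify in that order. The sample DNs are constructed; the DN normalization is deliberately loose (lowercase, whitespace around commas dropped) and assumes no escaped commas in the DNs.

```python
"""Children-first deletion of an LDAP subtree (added example, not Fedora DS
tooling). Input is the list of DNs at/under a base, e.g. from an ldapsearch
with sub scope or an LDIF export; the sample DNs below are constructed."""


def normalize_dn(dn):
    """Loose comparison form: lowercase, no whitespace around RDN separators.
    Assumption: no escaped commas in the DNs handled here."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def depth(dn):
    """Number of RDNs; deeper entries are further from the suffix."""
    return len(normalize_dn(dn).split(","))


def is_under(dn, base):
    d, b = normalize_dn(dn), normalize_dn(base)
    return d == b or d.endswith("," + b)


def children(dns, parent):
    """Direct children of parent among dns."""
    p = normalize_dn(parent)
    return [dn for dn in dns
            if normalize_dn(dn).endswith("," + p) and depth(dn) == depth(parent) + 1]


def is_leaf(dns, dn):
    """True when nothing in dns hangs below dn; deleting a non-leaf gives error 66."""
    n = normalize_dn(dn)
    return not any(normalize_dn(other).endswith("," + n) for other in dns)


def delete_order(dns, base, include_base=True):
    """DNs at/under base, deepest first, so every entry precedes its parent."""
    subtree = [dn for dn in dns if is_under(dn, base)]
    if not include_base:
        subtree = [dn for dn in subtree if normalize_dn(dn) != normalize_dn(base)]
    return sorted(subtree, key=lambda dn: -depth(dn))  # stable within a level


def delete_ldif(dns, base, include_base=True):
    """The changetype: delete LDIF from the thread, in an order the server accepts."""
    out = []
    for dn in delete_order(dns, base, include_base):
        out += ["dn: " + dn, "changetype: delete", ""]
    return "\n".join(out)


# Constructed DN list standing in for an ldapsearch result or LDIF export. One
# entry has spaces after the commas, as some tools emit, to show why the
# normalization matters.
SAMPLE_DNS = [
    "dc=example,dc=com",
    "ou=People,dc=example,dc=com",
    "uid=alice,ou=People,dc=example,dc=com",
    "uid=bob, ou=People, dc=example, dc=com",
    "ou=Contractors,ou=People,dc=example,dc=com",
    "uid=carol,ou=Contractors,ou=People,dc=example,dc=com",
    "ou=Groups,dc=example,dc=com",
    "cn=admins,ou=Groups,dc=example,dc=com",
]

if __name__ == "__main__":
    base = "ou=People,dc=example,dc=com"
    print("leaf?", is_leaf(SAMPLE_DNS, base), "children:", children(SAMPLE_DNS, base))
    print(delete_ldif(SAMPLE_DNS, base))
```

Feeding the resulting LDIF to ldapmodify replicates each delete to the other masters as an ordinary change; the export, edit and import route Richard mentions replaces the whole database instead, after which the other replicas have to be re-initialised from it.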
From: mj at sci.fi (Mike Jackson) Date: Wed, 15 Feb 2006 16:52:38 +0200 Subject: [Fedora-directory-users] Non Leaf Object In-Reply-To: <43F338C9.6070600@cs.ou.edu> References: <43F338C9.6070600@cs.ou.edu> Message-ID: <43F34036.1000400@sci.fi>

Jim Summers wrote:

> Hello List,
>
> While working with some scripts for my development ldap. I was trying to remove the ou=People and got the following error:
>
> ldap_delete: Operation not allowed on non-leaf (66)
>
> The ldif file has two basic lines in it:
> ------
> dn: ou=People,dc=xxx,dc=xxx,dc=xxx
> changetype: delete
> ------

You can not delete an entry which has children. The current db backend does not support it.

BR,
-- mike

From jsteer at bitscout.com Wed Feb 15 17:22:35 2006
From: jsteer at bitscout.com (Jon Steer) Date: Wed, 15 Feb 2006 12:22:35 -0500 Subject: [Fedora-directory-users] Password encryption mode changes Message-ID: <74e6f65d0602150922v1e23ce1esf295d567818679d7@mail.gmail.com>

Hi,

After I have changed the password encryption for a subtree from type SHA to cleartext, when should it take effect? When the next user is added or password changed? Or when the server is restarted?

thanks,
jon

From jsteer at bitscout.com Wed Feb 15 17:27:17 2006
From: jsteer at bitscout.com (Jon Steer) Date: Wed, 15 Feb 2006 12:27:17 -0500 Subject: [Fedora-directory-users] Freeradius authentication with FDS - password types. Message-ID: <74e6f65d0602150927r192158d8y84f1eac931ec8797@mail.gmail.com>

I am attempting to authenticate freeradius with FDS. The issue seems to be the passwords that are handed back from FDS.

Environment:
OS: Fedora 4
FreeRadius: 1.0.4
FDS: 1.0.1

I am using inetOrgPerson and passing back userPassword. But it seems that no matter which password encoding I use, freeRadius doesn't seem to understand it. Has anyone had luck with this?

thanks,
jon

From Ulli.Horlacher at rus.uni-stuttgart.de Wed Feb 15 17:57:05 2006
From: Ulli.Horlacher at rus.uni-stuttgart.de (Ulli Horlacher)
Date: Wed, 15 Feb 2006 18:57:05 +0100
Subject: [Fedora-directory-users] problems after server rename
Message-ID: <20060215175705.GA22738@belwue.de>

My boss forced me to rename the server hostname (I KNOW this is a stupid
idea, but ...) and now I have the following situation:

lanldap4:/opt/fedora-ds# ./start-admin
lanldap4:/opt/fedora-ds# tail admin-serv/logs/error
[Wed Feb 15 14:53:42 2006] [crit] mod_admserv_post_config(): unable to build user/group LDAP server info: unable to set User/Group baseDN
Configuration Failed

The admin server is not running and I cannot connect with startconsole.

I suppose I have to change some configs (in /opt/fedora-ds/admin-serv/config ?)
but which ones?

-- 
-- Ullrich Horlacher ------------------- mailto:framstag at belwue.de --
   BelWue Coordination                phone: +49 711 685 5872
   University of Stuttgart            fax:   +49 711 678 8363
-- Allmandring 3A, 70550 Stuttgart, Germany -- http://www.belwue.de/ --

From mj at sci.fi  Wed Feb 15 18:02:40 2006
From: mj at sci.fi (Mike Jackson)
Date: Wed, 15 Feb 2006 20:02:40 +0200
Subject: [Fedora-directory-users] problems after server rename
In-Reply-To: <20060215175705.GA22738@belwue.de>
References: <20060215175705.GA22738@belwue.de>
Message-ID: <43F36CC0.6030802@sci.fi>

Ulli Horlacher wrote:
> My boss forced me to rename the server hostname (I KNOW this is a stupid
> idea, but ...) and now I have the following situation:
>
> lanldap4:/opt/fedora-ds# ./start-admin
> lanldap4:/opt/fedora-ds# tail admin-serv/logs/error
> [Wed Feb 15 14:53:42 2006] [crit] mod_admserv_post_config(): unable to build user/group LDAP server info: unable to set User/Group baseDN
> Configuration Failed
>
> The admin server is not running and I cannot connect with startconsole.
>
> I suppose I have to change some configs (in
> /opt/fedora-ds/admin-serv/config ?) but which ones?

This is most definitely not supported. I was able to change a server name
only after first switching to a generic instance name. Still, it required
modifications to 24 files in various places.

I suggest you rename the server back to its original name, start the
directory, take an ldif export, completely remove the fds RPM and
/opt/fedora-ds, rename the server, reinstall fds, and reload your ldif.

Yes, it is a PITA.

-- mike

From prowley at redhat.com  Wed Feb 15 19:22:36 2006
From: prowley at redhat.com (Pete Rowley)
Date: Wed, 15 Feb 2006 11:22:36 -0800
Subject: [Fedora-directory-users] Password encryption mode changes
In-Reply-To: <74e6f65d0602150922v1e23ce1esf295d567818679d7@mail.gmail.com>
References: <74e6f65d0602150922v1e23ce1esf295d567818679d7@mail.gmail.com>
Message-ID: <43F37F7C.80907@redhat.com>

Jon Steer wrote:
>Hi,
>
> After I have changed the password encryption for a subtree from type
> SHA to cleartext, when should it take effect? When the next user is
>added or password changed? or when the server is restarted?

When each password is changed.

-- 
Pete

From prowley at redhat.com  Wed Feb 15 19:30:56 2006
From: prowley at redhat.com (Pete Rowley)
Date: Wed, 15 Feb 2006 11:30:56 -0800
Subject: [Fedora-directory-users] Freeradius authentication with FDS - password types.
In-Reply-To: <74e6f65d0602150927r192158d8y84f1eac931ec8797@mail.gmail.com>
References: <74e6f65d0602150927r192158d8y84f1eac931ec8797@mail.gmail.com>
Message-ID: <43F38170.7010502@redhat.com>

Jon Steer wrote:
>I am attempting to authenticate freeradius with FDS. The issue seems
>to be the passwords that are handed back from FDS.
>
>Environment:
> OS: Fedora 4
> FreeRadius : 1.0.4
> FDS: 1.0.1
>
>I am using inetOrgPerson and passing back userPassword. But it seems
>that no matter which password encoding I use, freeRadius doesn't seem
>to understand it.

I am not quite sure what FreeRadius is trying to do here, but it is bad
form to require that the server return the password attribute - it should
only ever be tested against or otherwise manipulated by FDS. A quick google
for "freeradius ldap" suggests that it does not in fact require clear text
passwords and does a bind (as it should) for password tests:

http://lists.cistron.nl/pipermail/freeradius-users/2002-July/008715.html

As your other post indicates, requiring such things tends to lead to less
security, including how you decide to store the passwords in FDS (which by
default are deliberately stored using a one way hashing scheme).

-- 
Pete

From del at babel.com.au  Wed Feb 15 21:25:06 2006
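Added example, not part of the thread and not code from Fedora Directory Server or FreeRADIUS, illustrating Pete's two replies above. A changed passwordStorageScheme only affects values written after the change, so an audit of an LDIF export shows how many entries still carry the old scheme until their passwords are changed; and checking a candidate password against a stored {SSHA} or {SHA} value needs no clear-text password at all, which is why an application should bind rather than read userPassword. The LDIF fragment is constructed; dc=example,dc=com, the user names and the fixed salt are assumptions.

```python
"""Password storage scheme audit and {SSHA}/{SHA} verification.

Added example, not code from the thread or from Fedora Directory Server.
All LDIF below is constructed; dc=example,dc=com and the salt are
assumptions.
"""
import base64
import hashlib
import hmac
import os
import re

SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}")
SHA1_LEN = 20


def sha_hash(password):
    """{SHA}: base64(sha1(password)), unsalted."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def ssha_hash(password, salt=None):
    """{SSHA}: base64(sha1(password + salt) + salt); the salt travels with the digest."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def scheme_of(value):
    """Scheme prefix of a userPassword value, or CLEAR when there is none."""
    m = SCHEME_RE.match(value)
    return m.group(1).upper() if m else "CLEAR"


def verify(password, stored):
    """Test a candidate against a stored value the way a server does on bind:
    the password is never recovered, only digests are compared, in constant time."""
    scheme = scheme_of(stored)
    if scheme == "CLEAR":
        return hmac.compare_digest(password.encode(), stored.encode())
    blob = base64.b64decode(stored[stored.index("}") + 1:])
    if scheme == "SSHA":
        digest, salt = blob[:SHA1_LEN], blob[SHA1_LEN:]
        return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)
    if scheme == "SHA":
        return hmac.compare_digest(hashlib.sha1(password.encode()).digest(), blob)
    raise ValueError("unsupported password scheme: " + scheme)


def password_values(ldif_text):
    """Yield every userPassword value in an LDIF export, decoding the
    'userPassword:: <base64>' form that exports normally use."""
    for line in ldif_text.splitlines():
        if not line.lower().startswith("userpassword:"):
            continue
        rest = line[len("userpassword:"):]
        if rest.startswith(":"):
            yield base64.b64decode(rest[1:].strip()).decode()
        else:
            yield rest.strip()


def audit_schemes(ldif_text):
    """Count userPassword values per scheme. After a scheme change this is
    how many entries still need a password change before they pick it up."""
    counts = {}
    for value in password_values(ldif_text):
        counts[scheme_of(value)] = counts.get(scheme_of(value), 0) + 1
    return counts


# Constructed export excerpt: one salted hash, one unsalted hash written in
# the base64 ('::') attribute form, and one value stored in the clear.
ALICE_HASH = ssha_hash("alice-pw", salt=b"12345678")
SAMPLE_LDIF = (
    "dn: uid=alice,ou=People,dc=example,dc=com\n"
    "userPassword: " + ALICE_HASH + "\n\n"
    "dn: uid=bob,ou=People,dc=example,dc=com\n"
    "userPassword:: " + base64.b64encode(sha_hash("bob-pw").encode()).decode() + "\n\n"
    "dn: uid=carol,ou=People,dc=example,dc=com\n"
    "userPassword: carol-pw\n"
)

if __name__ == "__main__":
    print(audit_schemes(SAMPLE_LDIF))  # {'SSHA': 1, 'SHA': 1, 'CLEAR': 1}
    print(verify("alice-pw", ALICE_HASH), verify("wrong", ALICE_HASH))
```

Run against a real db2ldif export, audit_schemes() tells you how far a scheme change has propagated; verify() is what the server's bind does for these schemes, and nothing in it needs the clear text, which is the point Pete makes about letting FDS do the test.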
From: del at babel.com.au (Del)
Date: Thu, 16 Feb 2006 08:25:06 +1100
Subject: [Fedora-directory-users] Username Case Sensitivity
In-Reply-To: <43f2bc64.514f02d7.2b06.24c9@mx.gmail.com>
References: <43f2bc64.514f02d7.2b06.24c9@mx.gmail.com>
Message-ID: <43F39C32.10609@babel.com.au>

Scott Boggs wrote:
> I am curious; I understand that LDAP does not enforce case sensitivity for
> user names or passwords.
> However, I am wondering if there is a method to enforce such a policy on
> fedora-ds? I noticed the behavior earlier this week and it reminded me of this
> behavior in LDAP. I am using an older version of fds, any chance the newer
> version addresses this?

I would strongly recommend against doing this for user names (actually
passwords are case sensitive). It's impossible to make user names in email
addresses case sensitive (it breaks various RFCs) so there is no reason to
make user names at the system end, where any possible MTA/MDA might live,
case sensitive.

-- 
Del

From nzahar at gmail.com  Thu Feb 16 08:38:00 2006
From: nzahar at gmail.com (Nikos Zaharioudakis)
Date: Thu, 16 Feb 2006 08:38:00 +0000
Subject: [Fedora-directory-users] FDS & Novell Directory Server
Message-ID: <2adff3550602160038xce8b1dah2e59151cbf5b0724@mail.gmail.com>

Dear All,

I am trying to find a way to migrate away from the old NDS (based on
Novell 5.1) to other platforms and architectures. Is there a way to
synchronise these two? Because in the meanwhile I shall have them both
working in parallel, until the migration is through.

Any links, howtos or advice is highly appreciated.

Best Regards,
-- 
Zaharioudakis Nikos
mob: +30 6947204063

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing on usenet and in e-mail?

From del at babel.com.au  Thu Feb 16 11:38:12 2006
From: del at babel.com.au (Del)
Date: Thu, 16 Feb 2006 22:38:12 +1100
Subject: [Fedora-directory-users] FDS & Novell Directory Server
In-Reply-To: <2adff3550602160038xce8b1dah2e59151cbf5b0724@mail.gmail.com>
References: <2adff3550602160038xce8b1dah2e59151cbf5b0724@mail.gmail.com>
Message-ID: <43F46424.3070104@babel.com.au>

Nikos Zaharioudakis wrote:
> Dear All,
>
> I am trying to find a way to migrate away from the old NDS (based on
> Novell 5.1) to other platforms and architectures. Is there a way to
> synchronise these two?
> Because in the meanwhile I shall have them both working in parallel,
> until the migration is through.
>
> Any links, howtos or advice is highly appreciated.

http://wiki.babel.com.au/index.php?area=Linux_Projects&page=LdapImport

That should handle the one-off import from NDS to FDS. You could hack
with it somewhat so that it read its input from a config file rather than
prompting you for input each time, and then you could run it, say, every
hour to keep your NDS in sync with your FDS. It should be able to sync
the other way as well. I have been meaning to do that in my copious spare
time (TM) but in the interim, patches will be appreciated.

I have only tested this with NDS running on Linux, but it should be the
same with NDS running on Netware.

-- 
Del

From basile.mathieu at siris.sorbonne.fr  Thu Feb 16 15:21:19 2006
From: basile.mathieu at siris.sorbonne.fr (basile au siris)
Date: Thu, 16 Feb 2006 16:21:19 +0100
Subject: [Fedora-directory-users] problem with startconsole
In-Reply-To: <8E4D74AE5918D74E93152809755B33F501376D25@shssvd001.shs-ad.salem-health.com>
References: <8E4D74AE5918D74E93152809755B33F501376D25@shssvd001.shs-ad.salem-health.com>
Message-ID: <43F4986F.4070406@siris.sorbonne.fr>

I still cannot startconsole in ssh -X.
I can start it on the console.
I can start it on Windows.
I have no logs, no error message; I just have
Fedora-Management-Console/7.0 ....
and it hangs. I waited one hour but with no result.

Thanks for help,
basile

Chris Conner wrote:
>Sorry actually -x nologo is the option. I guess I should have checked
>first....
>
>Hth
>
>C
>
>Chris Conner, M.A.
>Manager of Systems Support
>MCP, MCP+I, MCDBA, MCSE
>Salem Health Solutions
>cconner at salem-health.com
>336-747-7572
>866-747-7560 x7572
>
>/(bb|[^b]{2})/ that is the Question
>
>-----Original Message-----
>From: fedora-directory-users-bounces at redhat.com
>[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Chris
>Conner
>Sent: Wednesday, February 01, 2006 10:52 AM
>To: General discussion list for the Fedora Directory server project.
>Subject: RE: [Fedora-directory-users] problem with startconsole
>
>Have you tried the -nologo option?
>
>Chris
>
>-----Original Message-----
>From: fedora-directory-users-bounces at redhat.com
>[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of basile
>au siris
>Sent: Wednesday, February 01, 2006 10:49 AM
>To: fedora-directory-users at redhat.com
>Subject: [Fedora-directory-users] problem with startconsole
>
>hi
>i install fds-7.0 on solaris 9
>all works fine, but i have a strange problem with console: i can start
>the console on the server, i can start the console from windows box, but i
>can't start it from linux box (but i can start console from this linux
>box to another fds installation on solaris). i ssh -X, startconsole -D,
>and i have the prompt fedora management console but never the login
>window. if someone has an idea (port 6000 is open, ssh forward X11,
>and all machines are on the same vlan) thanks basile
>
>--
>Fedora-directory-users mailing list
>Fedora-directory-users at redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users

From basile.mathieu at siris.sorbonne.fr  Thu Feb 16 15:33:35 2006
From: basile.mathieu at siris.sorbonne.fr (basile au siris)
Date: Thu, 16 Feb 2006 16:33:35 +0100
Subject: [Fedora-directory-users] problem with startconsole
In-Reply-To: <43F4986F.4070406@siris.sorbonne.fr>
References: <8E4D74AE5918D74E93152809755B33F501376D25@shssvd001.shs-ad.salem-health.com> <43F4986F.4070406@siris.sorbonne.fr>
Message-ID: <43F49B4F.4080702@siris.sorbonne.fr>

Solved the problem; it was a display problem.

basile

basile au siris wrote:
> i still cannot startconsole in ssh -X
> i can start it on the console
> can start it on windows
> i have no logs, no error message i just have
> Fedora-Management-Console/7.0 ....
> and it hangs
> i wait one hour but with no result
> thanks for help
> basile
>
> Chris Conner wrote:
>
>> Sorry actually -x nologo is the option. I guess I should have checked
>> first....
>>
>> Hth
>>
>> C
>>
>> -----Original Message-----
>> From: fedora-directory-users-bounces at redhat.com
>> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Chris
>> Conner
>> Sent: Wednesday, February 01, 2006 10:52 AM
>> To: General discussion list for the Fedora Directory server project.
>> Subject: RE: [Fedora-directory-users] problem with startconsole
>>
>> Have you tried the -nologo option?
>> Chris
>>
>> -----Original Message-----
>> From: fedora-directory-users-bounces at redhat.com
>> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of basile
>> au siris
>> Sent: Wednesday, February 01, 2006 10:49 AM
>> To: fedora-directory-users at redhat.com
>> Subject: [Fedora-directory-users] problem with startconsole
>>
>> hi
>> i install fds-7.0 on solaris 9
>> all works fine, but i have a strange problem with console: i can start
>> the console on the server, i can start the console from windows box, but i
>> can't start it from linux box (but i can start console from this linux
>> box to another fds installation on solaris). i ssh -X, startconsole -D,
>> and i have the prompt fedora management console but never the login
>> window. if someone has an idea (port 6000 is open, ssh forward X11,
>> and all machines are on the same vlan) thanks basile

From doglesby at teleformix.com  Thu Feb 16 15:29:29 2006
From: doglesby at teleformix.com (Dan Oglesby)
Date: Thu, 16 Feb 2006 09:29:29 -0600
Subject: [Fedora-directory-users] PassSync service memory leak?
Message-ID: <1140103769.3340.1.camel@doglesby3.tfmx.com>

Has anyone else experienced a memory leak of the PassSync service on
Windows 2003 servers? I have a system running the PassSync service that
will use over 1GB of RAM if left alone for days at a time.

--Dan

From logastellus at yahoo.com  Thu Feb 16 19:36:24 2006
From: logastellus at yahoo.com (Susan)
Date: Thu, 16 Feb 2006 11:36:24 -0800 (PST)
Subject: [Fedora-directory-users] solaris 10 SSL connections
Message-ID: <20060216193624.6131.qmail@web52907.mail.yahoo.com>

Hi, all. I've ssl enabled in FDS:

# ldapsearch -D "cn=Directory Manager" -w adminpass -b "cn=encryption,cn=config" -h cnyitlin02 cn=*
version: 1
dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: on
nsSSL3Ciphers: +rsa_rc4_128_md5,+rsa_3des_sha,+fortezza_null,-rsa_null_md5,+fo

Currently, I have authenticationMethod: simple in my default profile. I can
ssh/telnet w/o problems, authenticating from FDS (thank you, Gary Tay!)

I've been having a real hard time getting Solaris SSL to work, however. I
did the whole mozilla cert import thing, got the cert8.db (it's not 7), and
key3.db, put them in /var/ldap

However, even though this returns data:

-bash-3.00# ldapsearch -b "dc=composers,dc=company,dc=com" -h cnyitlin02 -L "objectclass=*" -p 636 -Z
version: 1
dn: dc=composers,dc=company,dc=com
dn: cn=Directory Administrators, dc=composers,dc=company,dc=com
dn: ou=Groups, dc=composers,dc=company,dc=com
dn: ou=People, dc=composers,dc=company,dc=com
dn: ou=profile,dc=composers,dc=company,dc=com
dn: cn=proxyAgent,ou=profile,dc=composers,dc=company,dc=com
dn: uid=test, ou=People, dc=composers,dc=company,dc=com

It's not encrypted. I can see the traffic clear text in ethereal.

Any ideas what the problem is? Has anybody gotten solaris ssl to work with FDS?

Thank you.

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

From gholbert at broadcom.com  Thu Feb 16 20:12:06 2006
From: gholbert at broadcom.com (George Holbert)
Date: Thu, 16 Feb 2006 12:12:06 -0800
Subject: [Fedora-directory-users] solaris 10 SSL connections
In-Reply-To: <20060216193624.6131.qmail@web52907.mail.yahoo.com>
References: <20060216193624.6131.qmail@web52907.mail.yahoo.com>
Message-ID: <43F4DC96.3030500@broadcom.com>

The ldapsearch command doesn't look in /var/ldap for the cert db. It
uses the current directory as the default cert db path.
You can run ldapsearch from /var/ldap, or give it a "-P /var/ldap"
argument to use the cert db in /var/ldap.
Also, the -v arg might help you narrow down what's happening.

Note that the Solaris ldap_cachemgr (i.e., the ldap name service client)
daemon DOES use /var/ldap as its default directory to find cert db files.
Also, Solaris 8 and 9 are very picky about which cert DB version they can
use for ldap name service over SSL: it MUST be cert7.db as generated by
earlier versions of the NSS tools. Solaris 10 might be able to use cert8.db.

Susan wrote:
> Hi, all. I've ssl enabled in FDS:
>
> # ldapsearch -D "cn=Directory Manager" -w adminpass -b "cn=encryption,cn=config" -h cnyitlin02 cn=*
> version: 1
> dn: cn=encryption,cn=config
> objectClass: top
> objectClass: nsEncryptionConfig
> cn: encryption
> nsSSLSessionTimeout: 0
> nsSSLClientAuth: allowed
> nsSSL2: off
> nsSSL3: on
> nsSSL3Ciphers: +rsa_rc4_128_md5,+rsa_3des_sha,+fortezza_null,-rsa_null_md5,+fo
>
> Currently, I have authenticationMethod: simple in my default profile. I can ssh/telnet w/o
> problems, authenticating from FDS (thank you, Gary Tay!)
>
> I've been having a real hard time getting Solaris SSL to work, however. I did the whole mozilla
> cert import thing, got the cert8.db (it's not 7), and key3.db, put them in /var/ldap
>
> However, even though this returns data:
>
> -bash-3.00# ldapsearch -b "dc=composers,dc=company,dc=com" -h cnyitlin02 -L "objectclass=*" -p 636 -Z
> version: 1
> dn: dc=composers,dc=company,dc=com
> dn: cn=Directory Administrators, dc=composers,dc=company,dc=com
> dn: ou=Groups, dc=composers,dc=company,dc=com
> dn: ou=People, dc=composers,dc=company,dc=com
> dn: ou=profile,dc=composers,dc=company,dc=com
> dn: cn=proxyAgent,ou=profile,dc=composers,dc=company,dc=com
> dn: uid=test, ou=People, dc=composers,dc=company,dc=com
>
> It's not encrypted. I can see the traffic clear text in ethereal.
>
> Any ideas what the problem is? Has anybody gotten solaris ssl to work with FDS?
>
> Thank you.

From logastellus at yahoo.com  Thu Feb 16 20:28:30 2006
From: logastellus at yahoo.com (Susan)
Date: Thu, 16 Feb 2006 12:28:30 -0800 (PST)
Subject: [Fedora-directory-users] solaris 10 SSL connections
In-Reply-To: <43F4DC96.3030500@broadcom.com>
Message-ID: <20060216202830.73327.qmail@web52914.mail.yahoo.com>

--- George Holbert wrote:

> The ldapsearch command doesn't look in /var/ldap for the cert db. It
> uses the current directory as the default cert db path.
> You can run ldapsearch from /var/ldap, or give it a "-P /var/ldap"
> argument to use the cert db in /var/ldap.

yea, I tried that also, same result. It just doesn't encrypt the connection.

> Also, the -v arg might help you narrow down what's happening.

that doesn't add any more info.

> by earlier versions of the NSS tools. Solaris 10 might be able to use
> cert8.db.

i've renamed cert8 to cert7, same thing. Everything goes clear text for
some reason....?

Now, if I take this exact same command, copy/paste into a linux box (I've
to append -x for simple auth) then voila! it all gets scrambled and ethereal
says "invalid LDAP header," because it can't parse SSL on LDAP port.

So, it looks like FDS is OK but the solaris is no good here... NO IDEA why..

George, do you have ssl-enabled solaris ldap auth working with FDS?

From gholbert at broadcom.com  Thu Feb 16 21:23:50 2006
From: gholbert at broadcom.com (George Holbert)
Date: Thu, 16 Feb 2006 13:23:50 -0800
Subject: [Fedora-directory-users] solaris 10 SSL connections
In-Reply-To: <20060216202830.73327.qmail@web52914.mail.yahoo.com>
References: <20060216202830.73327.qmail@web52914.mail.yahoo.com>
Message-ID: <43F4ED66.6080108@broadcom.com>

>
> i've renamed cert8 to cert7, same thing. Everything goes clear text for some reason....?

yah, I wouldn't expect this to help. The file contents have more
significance than the file name, and cert8 files aren't identical to
cert7. However, I'm not sure this is the problem, since Solaris 10 might
be able to use (or even require) cert8 files.

All you need in the Solaris client cert db files is the CA certificate of
the CA which signed your FDS server's certificate. I'd suggest using the
certutil command, rather than Mozilla, to generate the cert db files. The
following recipe has worked well for me:

# Create new cert and key DB files.
certutil -N -d /var/ldap

# Add your ascii CA certificate to the cert DB.
certutil -A -n "Susan's CA" -t "C,," -a -i ./susans-cacert.pem -d /var/ldap

# List the contents of your cert DB.
certutil -L -d /var/ldap

Try this first using certutil as included with Solaris 10
(/usr/sfw/bin/certutil). I think this will create a cert8 file. If cert8
doesn't seem to work, try generating a cert7 file with an older version
of the certutil command. I've found that 3.3.2 is the latest version that
will work for the Solaris 8 and 9 ldap name service client:

http://www.mozilla.org/projects/security/pki/nss/release_notes_332.html

Again, I'm not sure if the cert7/8 version problem is even an issue in
Solaris 10, but it certainly is with 8 and 9.

-- George

Susan wrote:
> --- George Holbert wrote:
>
>> The ldapsearch command doesn't look in /var/ldap for the cert db. It
>> uses the current directory as the default cert db path.
>> You can run ldapsearch from /var/ldap, or give it a "-P /var/ldap"
>> argument to use the cert db in /var/ldap.
>
> yea, I tried that also, same result. It just doesn't encrypt the connection.
>
>> Also, the -v arg might help you narrow down what's happening.
>
> that doesn't add any more info.
>
>> by earlier versions of the NSS tools. Solaris 10 might be able to use
>> cert8.db.
>
> i've renamed cert8 to cert7, same thing. Everything goes clear text for some reason....?
>
> Now, if I take this exact same command, copy/paste into a linux box (I've to append -x for simple
> auth) then voila! it all gets scrambled and ethereal says "invalid LDAP header," because it can't
> parse SSL on LDAP port.
>
> So, it looks like FDS is OK but the solaris is no good here... NO IDEA why..
>
> George, do you have ssl-enabled solaris ldap auth working with FDS?

From logastellus at yahoo.com  Thu Feb 16 22:04:17 2006
From: logastellus at yahoo.com (Susan)
Date: Thu, 16 Feb 2006 14:04:17 -0800 (PST)
Subject: [Fedora-directory-users] solaris 10 SSL connections
In-Reply-To: <43F4ED66.6080108@broadcom.com>
Message-ID: <20060216220417.9892.qmail@web52914.mail.yahoo.com>

--- George Holbert wrote:

> # Add your ascii CA certificate to the cert DB.
> certutil -A -n "Susan's CA" -t "C,," -a -i ./susans-cacert.pem -d /var/ldap
> # List the contents of your cert DB.
> certutil -L -d /var/ldap

did all that, imported w/o problems:

-bash-3.00# /usr/sfw/bin/certutil -L -d /var/ldap
CA certificate                                                 C,,

________________________________________________

However, this:

ldapsearch -b "ou=profile,dc=composers,dc=company,dc=com" -h cnyitlin02 -L "cn=*" -Z -p 636 -P /var/ldap/

still transmits clear text.

> Try this first using certutil as included with Solaris 10
> (/usr/sfw/bin/certutil). I think this will create a cert8 file.

It does. Doesn't seem to do any good, however.

how did you verify that SSL is working? Did you sniff it or what?

From gholbert at broadcom.com  Thu Feb 16 22:17:07 2006
From: gholbert at broadcom.com (George Holbert)
Date: Thu, 16 Feb 2006 14:17:07 -0800
Subject: [Fedora-directory-users] solaris 10 SSL connections
In-Reply-To: <20060216220417.9892.qmail@web52914.mail.yahoo.com>
References: <20060216220417.9892.qmail@web52914.mail.yahoo.com>
Message-ID: <43F4F9E3.5090201@broadcom.com>

>
> how did you verify that SSL is working? Did you sniff it or what?

Yes, using snoop.

I should say I didn't debug it using ldapsearch, so I'm still not sure
what's going on with that in your case. But, since your end goal is ldap
name service over SSL, have you tried that yet on the Solaris 10 client?
If nothing else, it might spew some error messages (in /var/adm/messages)
that give some new clues.

Susan wrote:
> --- George Holbert wrote:
>
>> # Add your ascii CA certificate to the cert DB.
>> certutil -A -n "Susan's CA" -t "C,," -a -i ./susans-cacert.pem -d /var/ldap
>> # List the contents of your cert DB.
>> certutil -L -d /var/ldap
>
> did all that, imported w/o problems:
>
> -bash-3.00# /usr/sfw/bin/certutil -L -d /var/ldap
> CA certificate                                                 C,,
>
> ________________________________________________
>
> However, this:
>
> ldapsearch -b "ou=profile,dc=composers,dc=company,dc=com" -h cnyitlin02 -L "cn=*" -Z -p 636 -P
> /var/ldap/
>
> still transmits clear text.
>
>> Try this first using certutil as included with Solaris 10
>> (/usr/sfw/bin/certutil). I think this will create a cert8 file.
>
> It does. Doesn't seem to do any good, however.
>
> how did you verify that SSL is working? Did you sniff it or what?

From logastellus at yahoo.com  Thu Feb 16 22:47:57 2006
From: logastellus at yahoo.com (Susan)
Date: Thu, 16 Feb 2006 14:47:57 -0800 (PST)
Subject: [Fedora-directory-users] solaris 10 SSL connections
In-Reply-To: <43F4F9E3.5090201@broadcom.com>
Message-ID: <20060216224757.65625.qmail@web52908.mail.yahoo.com>

--- George Holbert wrote:

> ldap name service over SSL, have you tried that yet on the Solaris 10

yea I tried, it doesn't work. My ldap_client_file:

#
# Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
#
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= cnyitlin02
NS_LDAP_SEARCH_BASEDN= dc=composers,dc=company,dc=com
NS_LDAP_AUTH= simple
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_CACHETTL= 43200
NS_LDAP_PROFILE= default
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,dc=composers,dc=company,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= group: ou=group,dc=composers,dc=company,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=People,dc=composers,dc=company,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= netgroup: ou=netgroup,dc=composers,dc=company,dc=com?one
NS_LDAP_BIND_TIME= 2

now, that works:

-bash-3.00# ldaplist
dn: cn=Directory Administrators, dc=composers,dc=caxton,dc=com
dn: ou=People, dc=composers,dc=caxton,dc=com
dn: ou=profile,dc=composers,dc=caxton,dc=com
dn: ou=Groups, dc=composers,dc=caxton,dc=com

but once I change NS_LDAP_AUTH= to tls:simple and restart cachemgr, no more:

-bash-3.00# ldaplist
ldaplist: Object not found (Session error no available conn.
)

from the messages file:

Feb 16 17:19:12 unknown ldap_cachemgr[1443]: [ID 293258 daemon.warning] libsldap: Status: 81 Mesg: openConnection: simple bind failed - Can't contact LDAP server
Feb 16 17:19:12 unknown ldap_cachemgr[1443]: [ID 292100 daemon.warning] libsldap: could not remove cnyitlin02 from servers list
Feb 16 17:19:12 unknown ldap_cachemgr[1443]: [ID 293258 daemon.warning] libsldap: Status: 7 Mesg: Session error no available conn.
Feb 16 17:19:12 unknown ldap_cachemgr[1443]: [ID 186574 daemon.error] Error: Unable to refresh profile:default: Session error no available conn.

-bash-3.00# ldaplist
ldaplist: Object not found (Session error no available conn.)
-bash-3.00# ldapclient init
Missing LDAP server address
-bash-3.00#

What do you think?

btw, I also imported the server cert, just in case (didn't do anything)

-bash-3.00# /usr/sfw/bin/certutil -L -d .
CA certificate                                                 C,,
Server-Cert                                                    C,,

From gholbert at broadcom.com  Thu Feb 16 23:03:00 2006
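Added check, not part of the thread and not Solaris or Fedora DS code, for the client-side configuration shown in the message above: it parses ldap_client_file, reads the subject CN out of certutil's listing of the server certificate, and reports a server name that does not match the certificate (a certificate issued to the fully qualified name only matches a client that uses the fully qualified name) or a cert DB directory that lacks cert7.db/cert8.db or key3.db, the files ldap_cachemgr looks for in /var/ldap. The client file (with the tls:simple setting that was tried) and the certutil output are constructed, and cnyitlin02.company.com as the certificate CN is an assumption.

```python
"""Consistency checks for a Solaris ldap name-service client using TLS.

Added example, not code from the thread or from Solaris/Fedora DS. The
client file and the certutil output are constructed; the certificate CN
cnyitlin02.company.com is an assumption.
"""
import os
import re

# Constructed ldap_client_file in the format 'ldapclient' writes.
SAMPLE_CLIENT_FILE = """\
#
# Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
#
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= cnyitlin02
NS_LDAP_SEARCH_BASEDN= dc=composers,dc=company,dc=com
NS_LDAP_AUTH= tls:simple
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,dc=composers,dc=company,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= group: ou=group,dc=composers,dc=company,dc=com?one
"""

# Constructed excerpt of 'certutil -L -n Server-Cert -d /var/ldap' output.
SAMPLE_CERTUTIL_OUTPUT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: "CN=Example CA,O=company"
        Subject: "CN=cnyitlin02.company.com,O=company"
"""


def parse_client_file(text):
    """Map each NS_LDAP_* key to the list of its values; some keys, such as
    NS_LDAP_SERVICE_SEARCH_DESC, legitimately repeat."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf.setdefault(key.strip(), []).append(value.strip())
    return conf


def cert_subject_cn(certutil_output):
    """CN from the Subject: line certutil prints, or None if absent."""
    m = re.search(r'Subject:\s*"([^"]*)"', certutil_output)
    if not m:
        return None
    for rdn in m.group(1).split(","):
        attr, _, val = rdn.strip().partition("=")
        if attr.strip().upper() == "CN":
            return val.strip()
    return None


def check_tls_client(conf, cert_cn, certdb_files):
    """Return a list of findings; empty when the configuration is consistent."""
    findings = []
    auth = conf.get("NS_LDAP_AUTH", [""])[0]
    if not auth.startswith("tls:"):
        findings.append("NS_LDAP_AUTH=%s: TLS not requested, lookups go in the clear"
                        % (auth or "<unset>"))
    if not {"cert7.db", "cert8.db"} & set(certdb_files):
        findings.append("no cert7.db or cert8.db in the cert DB directory")
    if "key3.db" not in certdb_files:
        findings.append("no key3.db in the cert DB directory")
    for entry in conf.get("NS_LDAP_SERVERS", []):
        for server in entry.split(","):
            host = server.strip().split(":")[0]  # drop an optional :port
            if not host:
                continue
            if "." not in host:
                findings.append("server %r is not fully qualified" % host)
            if cert_cn and host.lower() != cert_cn.lower():
                findings.append("server %r does not match certificate CN %r"
                                % (host, cert_cn))
    return findings


def check_installed(cert_cn, conf_path="/var/ldap/ldap_client_file",
                    certdb_dir="/var/ldap"):
    """Run the checks against the real files on a client."""
    with open(conf_path) as fh:
        conf = parse_client_file(fh.read())
    return check_tls_client(conf, cert_cn, os.listdir(certdb_dir))


if __name__ == "__main__":
    conf = parse_client_file(SAMPLE_CLIENT_FILE)
    cn = cert_subject_cn(SAMPLE_CERTUTIL_OUTPUT)
    for finding in check_tls_client(conf, cn, ["cert8.db", "key3.db", "secmod.db"]):
        print(finding)
```

Pass check_installed() the CN you read from certutil -L -n Server-Cert on the server; with the sample data it reports that cnyitlin02 is neither fully qualified nor the name on the certificate, and it is silent once NS_LDAP_SERVERS carries the same name the certificate does.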
From: gholbert at broadcom.com (George Holbert)
Date: Thu, 16 Feb 2006 15:03:00 -0800
Subject: [Fedora-directory-users] solaris 10 SSL connections
In-Reply-To: <20060216224757.65625.qmail@web52908.mail.yahoo.com>
References: <20060216224757.65625.qmail@web52908.mail.yahoo.com>
Message-ID: <43F504A4.2050108@broadcom.com>

Is "cnyitlin02" fully-qualified on your ldap server cert? i.e., is the
certificate subject "cn=cnyitlin02.company.com,o=company..."

If so, you must also use the fully-qualified name in your client config,
e.g.:
NS_LDAP_SERVERS= cnyitlin02.company.com
instead of:
NS_LDAP_SERVERS= cnyitlin02

If not, might be the cert DB version. Have you tried with a cert7 DB as
generated by NSS 3.3.2?

Also, it may help to start slapd with verbose debugging (I believe the -d
switch). slapd will display the SSL error codes associated with your
connection attempts, which you can google to match to a text description.

Susan wrote:
> --- George Holbert wrote:
>
>> ldap name service over SSL, have you tried that yet on the Solaris 10
>
> yea I tried, it doesn't work. My ldap_client_file:
>
> #
> # Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
> #
> NS_LDAP_FILE_VERSION= 2.0
> NS_LDAP_SERVERS= cnyitlin02
> NS_LDAP_SEARCH_BASEDN= dc=composers,dc=company,dc=com
> NS_LDAP_AUTH= simple
> NS_LDAP_SEARCH_REF= TRUE
> NS_LDAP_SEARCH_SCOPE= one
> NS_LDAP_SEARCH_TIME= 30
> NS_LDAP_CACHETTL= 43200
> NS_LDAP_PROFILE= default
> NS_LDAP_CREDENTIAL_LEVEL= proxy
> NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,dc=composers,dc=company,dc=com?one
> NS_LDAP_SERVICE_SEARCH_DESC= group: ou=group,dc=composers,dc=company,dc=com?one
> NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=People,dc=composers,dc=company,dc=com?one
> NS_LDAP_SERVICE_SEARCH_DESC= netgroup: ou=netgroup,dc=composers,dc=company,dc=com?one
> NS_LDAP_BIND_TIME= 2
>
> now, that works:
>
> -bash-3.00# ldaplist
> dn: cn=Directory Administrators, dc=composers,dc=caxton,dc=com
> dn: ou=People, dc=composers,dc=caxton,dc=com
> dn: ou=profile,dc=composers,dc=caxton,dc=com
> dn: ou=Groups, dc=composers,dc=caxton,dc=com
>
> but once I change NS_LDAP_AUTH= to tls:simple and restart cachemgr, no more:
>
> -bash-3.00# ldaplist
> ldaplist: Object not found (Session error no available conn.
> )
>
> from the messages file:
>
> Feb 16 17:19:12 unknown ldap_cachemgr[1443]: [ID 293258 daemon.warning] libsldap: Status: 81
> Mesg: openConnection: simple bind failed - Can't contact LDAP server
> Feb 16 17:19:12 unknown ldap_cachemgr[1443]: [ID 292100 daemon.warning] libsldap: could not remove
> cnyitlin02 from servers list
> Feb 16 17:19:12 unknown ldap_cachemgr[1443]: [ID 293258 daemon.warning] libsldap: Status: 7 Mesg:
> Session error no available conn.
> Feb 16 17:19:12 unknown ldap_cachemgr[1443]: [ID 186574 daemon.error] Error: Unable to refresh
> profile:default: Session error no available conn.
>
> -bash-3.00# ldaplist
> ldaplist: Object not found (Session error no available conn.)
> -bash-3.00# ldapclient init
> Missing LDAP server address
> -bash-3.00#
>
> What do you think?
>
> btw, I also imported the server cert, just in case (didn't do anything)
>
> -bash-3.00# /usr/sfw/bin/certutil -L -d .
> CA certificate                                                 C,,
> Server-Cert                                                    C,,

From felipe.alfaro at gmail.com  Thu Feb 16 23:56:12 2006
From: felipe.alfaro at gmail.com (Felipe Alfaro Solana)
Date: Fri, 17 Feb 2006 00:56:12 +0100
Subject: [Fedora-directory-users] Build error
Message-ID: <6f6293f10602161556j527f24a1y95e1b849ab51ad9b@mail.gmail.com>

Hi!

I have downloaded dsbuild-fds101-1.tar.gz, but I'm unable to build
Netscape SDK. It always fails with the same error, which seems to be
that the build process is unable to find file "nspr.h".

I have attached a dump of the build process.
Any ideas?

Thanks!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: output.bz2
Type: application/x-bzip2
Size: 19526 bytes
Desc: not available
URL:

From rmeggins at redhat.com  Fri Feb 17 00:12:46 2006
From: rmeggins at redhat.com (Richard Megginson) Date: Thu, 16 Feb 2006 17:12:46 -0700 Subject: [Fedora-directory-users] Build error In-Reply-To: <6f6293f10602161556j527f24a1y95e1b849ab51ad9b@mail.gmail.com> References: <6f6293f10602161556j527f24a1y95e1b849ab51ad9b@mail.gmail.com> Message-ID: <43F514FE.4090703@redhat.com> Felipe Alfaro Solana wrote: >Hi! > >I have downloaded dsbuild-fds101-1.tar.gz, but I'm unable to build >Netscape SDK. It always fails with the same error, which seems to be >the build process is unable to find file "nspr.h". > > Edit dsbuild/ds/mozilla/Makefile - change where it says BUILDOPT=1 to say BUILD_OPT=1 instead. Then rm -rf dsbuild/ds/mozilla/work and make again >I have attached a dump of the build process. >Any ideas? > >Thanks! > > >------------------------------------------------------------------------ > >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From felipe.alfaro at gmail.com Fri Feb 17 11:04:06 2006 
From: felipe.alfaro at gmail.com (Felipe Alfaro Solana) Date: Fri, 17 Feb 2006 12:04:06 +0100 Subject: [Fedora-directory-users] Build error In-Reply-To: <43F514FE.4090703@redhat.com> References: <6f6293f10602161556j527f24a1y95e1b849ab51ad9b@mail.gmail.com> <43F514FE.4090703@redhat.com> Message-ID: <6f6293f10602170304w62a71d16t4c47dd113579cc40@mail.gmail.com> > Edit dsbuild/ds/mozilla/Makefile - change where it says BUILDOPT=1 > to say BUILD_OPT=1 instead. Then rm -rf dsbuild/ds/mozilla/work > and make again Fine, thanks! But now I see another error when building ldapserver. Could please take a look at "output"? Thanks! PD: The patch you commited for bug https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=181587 isn't still included. -------------- next part -------------- A non-text attachment was scrubbed... Name: output Type: application/octet-stream Size: 9235 bytes Desc: not available URL: From danlipsitt at gmail.com Thu Feb 16 21:20:53 2006 
From: danlipsitt at gmail.com (Dan Lipsitt) Date: Thu, 16 Feb 2006 16:20:53 -0500 Subject: [Fedora-directory-users] More x86_64 install woes Message-ID: I tried installing the 32-bit rpms on my 64-bit Xeon system as Richard Megginson suggested was possible in this thread: https://www.redhat.com/archives/fedora-directory-users/2006-February/msg00042.html I encountered the following problems: Setup failed (but completed), giving the following messages: ---------------------------- [slapd-gause]: starting up server ... [slapd-gause]: Fedora-Directory/1.0.1 B2005.342.165 [slapd-gause]: gause.esm.harvard.edu:389 (/opt/fedora-ds/slapd-gause) [slapd-gause]: [slapd-gause]: [03/Feb/2006:14:39:40 -0500] - Fedora-Directory/1.0.1 B2005.342.165 starting up [slapd-gause]: [03/Feb/2006:14:39:42 -0500] - slapd started. Listening on All Interfaces port 389 for LDAP requests Your new directory server has been started. Created new Directory Server Start Slapd Starting Slapd server configuration. Fatal Slapd ERROR: Ldap authentication failed for url ldap://gause.esm.harvard.edu:389/o=NetscapeRoot user id admin (151:Unknown error.) Fatal Slapd Did not add Directory Server information to Configuration Server. Configuring Administration Server... Setting up Administration Server Instance... ERROR: Administration Server configuration failed. See install.log. 
---------------------------- I tried to start the console anyway, but my java VM crashed: ---------------------------- $ ./startconsole -u admin -a http://gause.esm.harvard.edu:1389/ # [thread 1077664096 also had an error] # An unexpected error has been detected by HotSpot Virtual Machine: # # SIGILL (0x4) at pc=0x0000002a958b3665, pid=15189, tid=1076611424 # # Java VM: Java HotSpot(TM) 64-Bit Server VM (1.5.0-b64 mixed mode) # Problematic frame: # V [libjvm.so+0x336665] # # An error report file with more information is saved as hs_err_pid15189.log # # If you would like to submit a bug report, please visit: # http://java.sun.com/webapps/bugreport/crash.jsp # ./startconsole: line 72: 15189 Aborted $JAVA_HOME/bin/java -ms8m -mx64m -cp .:./base.jar:./mcc10_en.jar:./jss3.jar:./ldapjdk.jar:./mcc10.jar:./nmclf10_en.jar:./nmclf10.jar -Djava.library.path=../lib -Djava.util.prefs.systemRoot=. -Djava.util.prefs.userRoot=. com.netscape.management.client.console.Console $* ---------------------------- Any suggestions? Thanks, Dan From rmeggins at redhat.com Fri Feb 17 14:05:18 2006 
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 17 Feb 2006 07:05:18 -0700
Subject: [Fedora-directory-users] Build error
In-Reply-To: <6f6293f10602170304w62a71d16t4c47dd113579cc40@mail.gmail.com>
References: <6f6293f10602161556j527f24a1y95e1b849ab51ad9b@mail.gmail.com> <43F514FE.4090703@redhat.com> <6f6293f10602170304w62a71d16t4c47dd113579cc40@mail.gmail.com>
Message-ID: <43F5D81E.9080305@redhat.com>

Edit dsbuild/ds/ldapserver/Makefile

Add this

ifeq ($(DEBUG), optimize)
BUILD_ARGS += BUILD_DEBUG=optimize
endif

Near where it says

ifndef DEBUG
BUILD_ARGS += BUILD_DEBUG=optimize
endif

Then make again

Felipe Alfaro Solana wrote:
>>Edit dsbuild/ds/mozilla/Makefile - change where it says BUILDOPT=1
>>to say BUILD_OPT=1 instead. Then rm -rf dsbuild/ds/mozilla/work
>>and make again
>>
>>
>
>Fine, thanks! But now I see another error when building ldapserver.
>Could please take a look at "output"? Thanks!
>
>PD: The patch you commited for bug
>https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=181587 isn't
>still included.
>
>
>------------------------------------------------------------------------
>
>--
>Fedora-directory-users mailing list
>Fedora-directory-users at redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>
-------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL:
From rmeggins at redhat.com Fri Feb 17 14:56:14 2006
From: rmeggins at redhat.com (Richard Megginson) Date: Fri, 17 Feb 2006 07:56:14 -0700 Subject: [Fedora-directory-users] More x86_64 install woes In-Reply-To: References: Message-ID: <43F5E40E.7010801@redhat.com> Dan Lipsitt wrote: >I tried installing the 32-bit rpms on my 64-bit Xeon system as Richard >Megginson suggested was possible in this thread: > >https://www.redhat.com/archives/fedora-directory-users/2006-February/msg00042.html > >I encountered the following problems: > >Setup failed (but completed), giving the following messages: > >---------------------------- >[slapd-gause]: starting up server ... >[slapd-gause]: Fedora-Directory/1.0.1 B2005.342.165 >[slapd-gause]: gause.esm.harvard.edu:389 (/opt/fedora-ds/slapd-gause) >[slapd-gause]: >[slapd-gause]: [03/Feb/2006:14:39:40 -0500] - Fedora-Directory/1.0.1 >B2005.342.165 starting up >[slapd-gause]: [03/Feb/2006:14:39:42 -0500] - slapd started. >Listening on All Interfaces port 389 for LDAP requests >Your new directory server has been started. >Created new Directory Server >Start Slapd Starting Slapd server configuration. >Fatal Slapd ERROR: Ldap authentication failed for url >ldap://gause.esm.harvard.edu:389/o=NetscapeRoot user id admin >(151:Unknown error.) > > This is usually due to DNS or NSS hostname resolution misconfiguration. >Fatal Slapd Did not add Directory Server information to Configuration Server. >Configuring Administration Server... >Setting up Administration Server Instance... >ERROR: Administration Server configuration failed. See install.log. 
>---------------------------- > >I tried to start the console anyway, but my java VM crashed: > >---------------------------- >$ ./startconsole -u admin -a http://gause.esm.harvard.edu:1389/ ># >[thread 1077664096 also had an error] ># An unexpected error has been detected by HotSpot Virtual Machine: ># ># SIGILL (0x4) at pc=0x0000002a958b3665, pid=15189, tid=1076611424 ># ># Java VM: Java HotSpot(TM) 64-Bit Server VM (1.5.0-b64 mixed mode) ># Problematic frame: ># V [libjvm.so+0x336665] ># ># An error report file with more information is saved as hs_err_pid15189.log ># ># If you would like to submit a bug report, please visit: ># http://java.sun.com/webapps/bugreport/crash.jsp ># >./startconsole: line 72: 15189 Aborted >$JAVA_HOME/bin/java -ms8m -mx64m -cp >.:./base.jar:./mcc10_en.jar:./jss3.jar:./ldapjdk.jar:./mcc10.jar:./nmclf10_en.jar:./nmclf10.jar >-Djava.library.path=../lib -Djava.util.prefs.systemRoot=. >-Djava.util.prefs.userRoot=. >com.netscape.management.client.console.Console $* >---------------------------- > >Any suggestions? > > Well, the console won't work because installation did not complete successfully, but that is not related to the JVM crash. Are there any other 64bit Javas that you can try? Does that JVM work with any other Java apps? >Thanks, >Dan > >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From felipe.alfaro at gmail.com Fri Feb 17 15:25:13 2006 
From: felipe.alfaro at gmail.com (Felipe Alfaro Solana) Date: Fri, 17 Feb 2006 16:25:13 +0100 Subject: [Fedora-directory-users] Build error In-Reply-To: <43F5D81E.9080305@redhat.com> References: <6f6293f10602161556j527f24a1y95e1b849ab51ad9b@mail.gmail.com> <43F514FE.4090703@redhat.com> <6f6293f10602170304w62a71d16t4c47dd113579cc40@mail.gmail.com> <43F5D81E.9080305@redhat.com> Message-ID: <6f6293f10602170725n49fe15d2m90dfe1f7d63f0b4a@mail.gmail.com> Thank you very much, Richard. I have been able to compile FDS successfully with your help. Now, talking about the changes I had to apply to some files, is this normal for an automated build of FDS? Will these changes be integrated into FDS? Also, I have tested your changes to passwd_extop.c and their work fine. Now, I'm able to sync passwords between SAMBA and FDS. From rmeggins at redhat.com Fri Feb 17 15:33:22 2006 
From: rmeggins at redhat.com (Richard Megginson) Date: Fri, 17 Feb 2006 08:33:22 -0700 Subject: [Fedora-directory-users] Build error In-Reply-To: <6f6293f10602170725n49fe15d2m90dfe1f7d63f0b4a@mail.gmail.com> References: <6f6293f10602161556j527f24a1y95e1b849ab51ad9b@mail.gmail.com> <43F514FE.4090703@redhat.com> <6f6293f10602170304w62a71d16t4c47dd113579cc40@mail.gmail.com> <43F5D81E.9080305@redhat.com> <6f6293f10602170725n49fe15d2m90dfe1f7d63f0b4a@mail.gmail.com> Message-ID: <43F5ECC2.4070908@redhat.com> Felipe Alfaro Solana wrote: >Thank you very much, Richard. > >I have been able to compile FDS successfully with your help. Now, >talking about the changes I had to apply to some files, is this normal >for an automated build of FDS? Will these changes be integrated into >FDS? > > The changes will be integrated into the new version of dsbuild we are working on. >Also, I have tested your changes to passwd_extop.c and their work >fine. Now, I'm able to sync passwords between SAMBA and FDS. > > Excellent! That's good to hear. Thanks for your testing help. >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From felipe.alfaro at gmail.com Fri Feb 17 15:46:24 2006 
From: felipe.alfaro at gmail.com (Felipe Alfaro Solana) Date: Fri, 17 Feb 2006 16:46:24 +0100 Subject: [Fedora-directory-users] Build error In-Reply-To: <43F5ECC2.4070908@redhat.com> References: <6f6293f10602161556j527f24a1y95e1b849ab51ad9b@mail.gmail.com> <43F514FE.4090703@redhat.com> <6f6293f10602170304w62a71d16t4c47dd113579cc40@mail.gmail.com> <43F5D81E.9080305@redhat.com> <6f6293f10602170725n49fe15d2m90dfe1f7d63f0b4a@mail.gmail.com> <43F5ECC2.4070908@redhat.com> Message-ID: <6f6293f10602170746q42efe86y89c22901d25ac4d0@mail.gmail.com> > The changes will be integrated into the new version of dsbuild we are > working on. Great! > >Also, I have tested your changes to passwd_extop.c and their work > >fine. Now, I'm able to sync passwords between SAMBA and FDS. > > > Excellent! That's good to hear. Thanks for your testing help. Nah! It's been pretty easy after all :-) From brett at elsmob.com Fri Feb 17 20:51:57 2006 
From: brett at elsmob.com (Brett Elsmore) Date: Fri, 17 Feb 2006 13:51:57 -0700 Subject: [Fedora-directory-users] More x86_64 install woes In-Reply-To: References: Message-ID: <1140209517.15573.161.camel@bje-fc4.overstock.com> Dan, I have actually got a little further than this. I downloaded both the 64 bit and 32 bit jdk's from sun, the non-rpm. Once you do this, set your java env variables to point to the 32 bit version instead of the 64. I get an error trying to do a ldapsearch - ./shared/bin/ldapsearch: error while loading shared libraries: libldap50.so: cannot open shared object file: No such file or directory This is where I stopped. Brett On Thu, 2006-02-16 at 16:20 -0500, Dan Lipsitt wrote: > I tried installing the 32-bit rpms on my 64-bit Xeon system as Richard > Megginson suggested was possible in this thread: > > https://www.redhat.com/archives/fedora-directory-users/2006-February/msg00042.html > > I encountered the following problems: > > Setup failed (but completed), giving the following messages: > > ---------------------------- > [slapd-gause]: starting up server ... > [slapd-gause]: Fedora-Directory/1.0.1 B2005.342.165 > [slapd-gause]: gause.esm.harvard.edu:389 (/opt/fedora-ds/slapd-gause) > [slapd-gause]: > [slapd-gause]: [03/Feb/2006:14:39:40 -0500] - Fedora-Directory/1.0.1 > B2005.342.165 starting up > [slapd-gause]: [03/Feb/2006:14:39:42 -0500] - slapd started. > Listening on All Interfaces port 389 for LDAP requests > Your new directory server has been started. > Created new Directory Server > Start Slapd Starting Slapd server configuration. > Fatal Slapd ERROR: Ldap authentication failed for url > ldap://gause.esm.harvard.edu:389/o=NetscapeRoot user id admin > (151:Unknown error.) > Fatal Slapd Did not add Directory Server information to Configuration Server. > Configuring Administration Server... > Setting up Administration Server Instance... > ERROR: Administration Server configuration failed. See install.log. 
> ---------------------------- > > I tried to start the console anyway, but my java VM crashed: > > ---------------------------- > $ ./startconsole -u admin -a http://gause.esm.harvard.edu:1389/ > # > [thread 1077664096 also had an error] > # An unexpected error has been detected by HotSpot Virtual Machine: > # > # SIGILL (0x4) at pc=0x0000002a958b3665, pid=15189, tid=1076611424 > # > # Java VM: Java HotSpot(TM) 64-Bit Server VM (1.5.0-b64 mixed mode) > # Problematic frame: > # V [libjvm.so+0x336665] > # > # An error report file with more information is saved as hs_err_pid15189.log > # > # If you would like to submit a bug report, please visit: > # http://java.sun.com/webapps/bugreport/crash.jsp > # > ./startconsole: line 72: 15189 Aborted > $JAVA_HOME/bin/java -ms8m -mx64m -cp > .:./base.jar:./mcc10_en.jar:./jss3.jar:./ldapjdk.jar:./mcc10.jar:./nmclf10_en.jar:./nmclf10.jar > -Djava.library.path=../lib -Djava.util.prefs.systemRoot=. > -Djava.util.prefs.userRoot=. > com.netscape.management.client.console.Console $* > ---------------------------- > > Any suggestions? > > Thanks, > Dan > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > !DSPAM:504,43f5d1aa50461804284693! From rmeggins at redhat.com Fri Feb 17 21:16:49 2006 
From: rmeggins at redhat.com (Richard Megginson) Date: Fri, 17 Feb 2006 14:16:49 -0700 Subject: [Fedora-directory-users] More x86_64 install woes In-Reply-To: <1140209517.15573.161.camel@bje-fc4.overstock.com> References: <1140209517.15573.161.camel@bje-fc4.overstock.com> Message-ID: <43F63D41.4090208@redhat.com> Brett Elsmore wrote: >Dan, > >I have actually got a little further than this. I downloaded both the >64 bit and 32 bit jdk's from sun, the non-rpm. Once you do this, set >your java env variables to point to the 32 bit version instead of the >64. > >I get an error trying to do a ldapsearch - > >./shared/bin/ldapsearch: error while loading shared libraries: >libldap50.so: cannot open shared object file: No such file or directory > > We currently use relative rpaths in the executables, so you have to either set LD_LIBRARY_PATH /opt/fedora-ds/shared/lib or cd shared/lib ; ./ldapsearch ... >This is where I stopped. > >Brett > >On Thu, 2006-02-16 at 16:20 -0500, Dan Lipsitt wrote: > > >>I tried installing the 32-bit rpms on my 64-bit Xeon system as Richard >>Megginson suggested was possible in this thread: >> >>https://www.redhat.com/archives/fedora-directory-users/2006-February/msg00042.html >> >>I encountered the following problems: >> >>Setup failed (but completed), giving the following messages: >> >>---------------------------- >>[slapd-gause]: starting up server ... >>[slapd-gause]: Fedora-Directory/1.0.1 B2005.342.165 >>[slapd-gause]: gause.esm.harvard.edu:389 (/opt/fedora-ds/slapd-gause) >>[slapd-gause]: >>[slapd-gause]: [03/Feb/2006:14:39:40 -0500] - Fedora-Directory/1.0.1 >>B2005.342.165 starting up >>[slapd-gause]: [03/Feb/2006:14:39:42 -0500] - slapd started. >>Listening on All Interfaces port 389 for LDAP requests >>Your new directory server has been started. >>Created new Directory Server >>Start Slapd Starting Slapd server configuration. 
>>Fatal Slapd ERROR: Ldap authentication failed for url >>ldap://gause.esm.harvard.edu:389/o=NetscapeRoot user id admin >>(151:Unknown error.) >>Fatal Slapd Did not add Directory Server information to Configuration Server. >>Configuring Administration Server... >>Setting up Administration Server Instance... >>ERROR: Administration Server configuration failed. See install.log. >>---------------------------- >> >>I tried to start the console anyway, but my java VM crashed: >> >>---------------------------- >>$ ./startconsole -u admin -a http://gause.esm.harvard.edu:1389/ >># >>[thread 1077664096 also had an error] >># An unexpected error has been detected by HotSpot Virtual Machine: >># >># SIGILL (0x4) at pc=0x0000002a958b3665, pid=15189, tid=1076611424 >># >># Java VM: Java HotSpot(TM) 64-Bit Server VM (1.5.0-b64 mixed mode) >># Problematic frame: >># V [libjvm.so+0x336665] >># >># An error report file with more information is saved as hs_err_pid15189.log >># >># If you would like to submit a bug report, please visit: >># http://java.sun.com/webapps/bugreport/crash.jsp >># >>./startconsole: line 72: 15189 Aborted >>$JAVA_HOME/bin/java -ms8m -mx64m -cp >>.:./base.jar:./mcc10_en.jar:./jss3.jar:./ldapjdk.jar:./mcc10.jar:./nmclf10_en.jar:./nmclf10.jar >>-Djava.library.path=../lib -Djava.util.prefs.systemRoot=. >>-Djava.util.prefs.userRoot=. >>com.netscape.management.client.console.Console $* >>---------------------------- >> >>Any suggestions? >> >>Thanks, >>Dan >> >>-- >>Fedora-directory-users mailing list >>Fedora-directory-users at redhat.com >>https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >>!DSPAM:504,43f5d1aa50461804284693! >> >> > >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From danlipsitt at gmail.com Fri Feb 17 21:40:52 2006 From: danlipsitt at gmail.com (Dan Lipsitt) Date: Fri, 17 Feb 2006 16:40:52 -0500 Subject: [Fedora-directory-users] install problem: can't start admin server Message-ID: I've put aside my attempts to install on em64t for the moment and tried installing on a 32-bit machine running Fedora Core 4. I get this error during the rpm install: ----- snip ---- [slapd-www]: [16/Feb/2006:16:39:24 -0500] - Fedora-Directory/1.0.1 B2005.342.165 starting up [slapd-www]: [16/Feb/2006:16:39:24 -0500] - slapd started. Listening on All Interfaces port 389 for LDAP requests Your new directory server has been started. Created new Directory Server Start Slapd Starting Slapd server configuration. Success Slapd Added Directory Server information to Configuration Server. Configuring Administration Server... Setting up Administration Server Instance... Configuring Administration Tasks in Directory Server... Configuring Global Parameters in Directory Server... Can't start Admin server [/opt/fedora-ds/start-admin > /tmp/filewvJ2og 2>&1] (error: No such file or directory)You can now use the console. Here is the command to use to start the console: ---- snip ---- Also, if I cd to /opt/fedora-ds and run start admin, I get no messages on the console, but if I then run restart-admin it then says "server not running" Dan From rmeggins at redhat.com Fri Feb 17 21:44:06 2006 
From: rmeggins at redhat.com (Richard Megginson) Date: Fri, 17 Feb 2006 14:44:06 -0700 Subject: [Fedora-directory-users] install problem: can't start admin server In-Reply-To: References: Message-ID: <43F643A6.1040305@redhat.com> This probably means you need to disable selinux. http://directory.fedora.redhat.com/wiki/Install_Guide#SELinux_Issues Dan Lipsitt wrote: >I've put aside my attempts to install on em64t for the moment and >tried installing on a 32-bit machine running Fedora Core 4. > >I get this error during the rpm install: > >----- snip ---- >[slapd-www]: [16/Feb/2006:16:39:24 -0500] - Fedora-Directory/1.0.1 >B2005.342.165 starting up >[slapd-www]: [16/Feb/2006:16:39:24 -0500] - slapd started. Listening >on All Interfaces port 389 for LDAP requests >Your new directory server has been started. >Created new Directory Server >Start Slapd Starting Slapd server configuration. >Success Slapd Added Directory Server information to Configuration Server. >Configuring Administration Server... >Setting up Administration Server Instance... >Configuring Administration Tasks in Directory Server... >Configuring Global Parameters in Directory Server... >Can't start Admin server [/opt/fedora-ds/start-admin > /tmp/filewvJ2og >2>&1] (error: No such file or directory)You can now use the console. >Here is the command to use to start the console: >---- snip ---- > >Also, if I cd to /opt/fedora-ds and run start admin, I get no messages >on the console, but if I then run restart-admin it then says "server >not running" > >Dan > >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From mj at sci.fi Sun Feb 19 12:58:29 2006 
From: mj at sci.fi (Mike Jackson) Date: Sun, 19 Feb 2006 14:58:29 +0200 Subject: [Fedora-directory-users] Updated HOWTO for Daemontools: Running Administration Server Message-ID: <43F86B75.9020106@sci.fi> Hi, I updated the HOWTO on the wiki so that the Apache based Administration Server with comes with 1.x can also be started and supervised with svscan (Daemontools). Running the services under Daemontools provides a rock-solid solution for guaranteeing service availability, as well as gaining fine grained control over logging. The HOWTO takes into account the fact that Administration Server has a startup and runtime dependency to Directory Server. The starup dependency checking is implemented with a tool called svwaitup, part of the runit package. http://directory.fedora.redhat.com/wiki/Howto:Daemontools Please test and report to this list if there are any problems. BR, Mike From ABliss at preferredcare.org Sun Feb 19 22:46:21 2006 From: ABliss at preferredcare.org (Bliss, Aaron) Date: Sun, 19 Feb 2006 17:46:21 -0500 Subject: [Fedora-directory-users] Some password policy enforcement information questions Message-ID: Some more trouble with password expiration warnings; I have passwords warnings being displayed to users when they use passwords, however users configured to use key authentication do not receive this warnings; has anyone seen this before? This is of course going to be a very big problem for me. Any ideas? Thanks again. Aaron -----Original Message----- 
From: Bliss, Aaron Sent: Wednesday, January 25, 2006 7:48 PM To: General discussion list for the Fedora Directory server project. Subject: RE: [Fedora-directory-users] Some password policy enforcement information questions Turns out the issue I was having was with my clients; I'm not sure why, but the administrator before me had "UseLogin Yes" set in /etc/ssh/sshd_config; commenting this out immediately started generating password warnings to users (as configured by the directory server); does anyone know what the UseLogin option is used for? Thanks. Aaron -----Original Message----- From: Bliss, Aaron Sent: Thursday, January 19, 2006 3:15 PM To: 'General discussion list for the Fedora Directory server project.' Subject: RE: [Fedora-directory-users] Some password policy enforcement information questions Thanks very much for the explanation; makes much sense to me now; I did some playing around, and got the directory server to spit out to me that your password is going to expire in x amount of days. Thanks again. Aaron -----Original Message----- 
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard Megginson Sent: Thursday, January 19, 2006 2:35 PM To: General discussion list for the Fedora Directory server project. Subject: Re: [Fedora-directory-users] Some password policy enforcement information questions It looks like the way it works is this: When you have enabled password warning, an operational attribute called "passwordExpWarned" is created in the user's entry. The value will be 0 until the user does a successful BIND operation and the time between now and the configured password expiration time is less than or equal to the configured password warning time. When this happens, the warning will be sent, the value of passwordExpWarned will be changed to 1, and the operational attribute passwordExpirationTime in the user's entry will be set to the time at which the password will expire. When the user changes the password, passwordExpWarned will be reset to 0 and passwordExpirationTime will be set to the new expiration time. Bliss, Aaron wrote: >If I've configured a correct password policy and the warning attribute >is not getting updated, should this be considered a bug? > >Aaron > >-----Original Message----- 
>From: fedora-directory-users-bounces at redhat.com >[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard >Megginson >Sent: Thursday, January 19, 2006 1:48 PM >To: General discussion list for the Fedora Directory server project. >Subject: Re: [Fedora-directory-users] Some password policy enforcement >information questions > >Bliss, Aaron wrote: > > > >>Please forgive me if I'm asking silly newbie questions, however I'm >>trying to understand exactly what I'm seeing thru fds; first the >>policy >> >> > > > >>I've configured on the directory using the fds console: >>I've enabled fine-grain password policy for the data unit, including >>password history enforcement, password expiration after 90 days, >>password warning 14 days before password expires, check password >>syntax, account lockout policy enabled after 3 login failures for 120 >>minutes and reset failure count after 15 minutes. >> >>Everything seems to be working except for send password warning; in the >>client's ldap.conf file, I've enabled pam_lookup_policy yes. >> >>Looking at account information attributes for a user, passwordexpwarnd >>value is 0; I've reset users password to try to initialize the >>password >> >> > > > >>policy, however this value never seems to change. According to this >>documentation >>http://www.redhat.com/docs/manuals/dir-server/ag/7.1/password.html#107 >>7 >>0 >>81 I believe that this attribute is stored in seconds. Is this true? >> >> >> >> >Yes. > > > >>If so, what can I do to ensure this attribute is getting updated >>(assuming that this is the attribute responsible for triggering >>password expiration warning). >> >> >> >> >I'm not really sure. 
>
>>Second issue/question:
>>I've looked at this wiki
>>http://directory.fedora.redhat.com/wiki/Howto:PAM and near the very
>>bottom it mentions adding the following
>>
>>dn: cn=config
>>changetype: modify
>>add: passwordExp
>>passwordExp: on
>>-
>>add: passwordMaxAge
>>passwordMaxAge: 8640000 (this I believe would give a password max age
>>of 100 days)
>>
>>Do I need to add these attributes even though I've configured the
>>password policy using fds console, which has done this for me? Is this the
>>case? I don't see these attributes in the gui, however I do see
>>passwordexpirationtime as an attribute and it is set to 90 days from now
>>(I want to ensure that accounts are indeed locked after passwords
>>have expired).
>>
>Those attributes are only for global (default) password policy - what
>you have set for fine grained password policy will override those.
>
>>Also, Jim Summers posted to this group that he saw an issue with
>>shadowpasswd / shadowexpire fields not being updated
>>https://www.redhat.com/archives/fedora-directory-users/2005-December/msg00367.html
>>
>>Can anyone tell me what these fields are used for, as I don't see any
>>mention of them in this documentation
>>http://www.redhat.com/docs/manuals/dir-server/ag/7.1/password.html#1077081
>>
>Right. They are a PAM/posix thing - FDS treats them as any other data
>- it doesn't update them from its own password policy.
>
>>Thanks again very much.
>>
>>Aaron
>>
>>www.preferredcare.org
>>"An Outstanding Member Experience," Preferred Care HMO Plans -- J. D.
>>Power and Associates
>>
>>Confidentiality Notice:
>>The information contained in this electronic message is intended for
>>the exclusive use of the individual or entity named above and may
>>contain privileged or confidential information. If the reader of this
>>message is not the intended recipient or the employee or agent
>>responsible to deliver it to the intended recipient, you are hereby
>>notified that dissemination, distribution or copying of this
>>information is prohibited. If you have received this communication in
>>error, please notify the sender immediately by telephone and destroy
>>the copies you received.
>>
>>--
>>Fedora-directory-users mailing list
>>Fedora-directory-users at redhat.com
>>https://www.redhat.com/mailman/listinfo/fedora-directory-users

From ABliss at preferredcare.org Mon Feb 20 02:23:11 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Sun, 19 Feb 2006 21:23:11 -0500
Subject: [Fedora-directory-users] Some password policy enforcement information questions
Message-ID:

Well, out of fear of not getting this to work (and due to the fact that fds is now completely in production in my environment), I had to find a way that will always work; so I put together a script that will query the directory server to see if passwordExpWarned=1, which means that there is a global password policy and that the system would have sent the user a password warning; as such, if this attribute=1, warn the user that their password is going to expire; in my environment, this means their password is going to expire in less than 2 weeks; so I'll tell them that, and also tell them exactly when their password will expire. I didn't see any easy way to deal with new years and whatnot, so I didn't try to get fancy and subtract today's date from the passwordexpiration date (although I included the date and formatted it in preparation for this), although I'm sure you guys are much better than I am at programming and whatnot and can improve upon this. At any rate, it's better than nothing for my users.
Aaron

#!/bin/bash
# Use this script in order to figure out when the user's password is
# going to expire and give them a heads-up about it.
myvar1=`date +%Y`
myvar2=`date +%m`
myvar3=`date +%d`
myvar4=$myvar1$myvar2$myvar3
# Figure out who the user is.
mynam=`whoami`
# Figure out exactly when their password is going to expire
# (passwordExpirationTime is YYYYMMDDHHMMSSZ; cut keeps only YYYYMMDD).
# grep -i because LDAP attribute names are not case sensitive and the
# server may return them in a different case than requested.
pswar=`ldapsearch -x "(uid=$mynam)" passwordexpirationtime | grep -i passwordexpirationtime | grep -v '#' | awk '{print $2}' | cut -c 1-8`
pswarn1=`ldapsearch -x "(uid=$mynam)" passwordExpWarned | grep -i passwordExpWarned | grep -v '#' | awk '{print $2}'`
# The test was written as [ $pswarn1=1 ], which is a single non-empty
# string and therefore always true; the comparison needs spaces around
# the = and a quoted variable so an empty result does not break it.
if [ "$pswarn1" = 1 ] ; then
# echo "your in trouble"
echo "Your password is going to expire in less than 2 weeks"
echo "It's set to expire on $pswar"
fi
# It might be desirable later on to subtract today's formatted date myvar4 from
# pswar; however I'm not too confident in dealing with year changes.
#echo $pswarn1
#echo $pswar
#echo $myvar4

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Bliss, Aaron
Sent: Sunday, February 19, 2006 5:46 PM
To: General discussion list for the Fedora Directory server project.
Subject: RE: [Fedora-directory-users] Some password policy enforcement information questions

Some more trouble with password expiration warnings; I have password warnings being displayed to users when they use passwords, however users configured to use key authentication do not receive these warnings; has anyone seen this before? This is of course going to be a very big problem for me. Any ideas? Thanks again.

Aaron

-----Original Message-----
From: Bliss, Aaron
Sent: Wednesday, January 25, 2006 7:48 PM
To: General discussion list for the Fedora Directory server project.
Subject: RE: [Fedora-directory-users] Some password policy enforcement information questions

Turns out the issue I was having was with my clients; I'm not sure why, but the administrator before me had "UseLogin Yes" set in /etc/ssh/sshd_config; commenting this out immediately started generating password warnings to users (as configured by the directory server); does anyone know what the UseLogin option is used for? Thanks.

Aaron

-----Original Message-----
From: Bliss, Aaron
Sent: Thursday, January 19, 2006 3:15 PM
To: 'General discussion list for the Fedora Directory server project.'
Subject: RE: [Fedora-directory-users] Some password policy enforcement information questions

Thanks very much for the explanation; it makes much sense to me now; I did some playing around, and got the directory server to spit out to me that your password is going to expire in x amount of days. Thanks again.

Aaron

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard Megginson
Sent: Thursday, January 19, 2006 2:35 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Some password policy enforcement information questions

It looks like the way it works is this:
When you have enabled password warning, an operational attribute called "passwordExpWarned" is created in the user's entry. The value will be 0 until the user does a successful BIND operation and the time between now and the configured password expiration time is less than or equal to the configured password warning time. When this happens, the warning will be sent, the value of passwordExpWarned will be changed to 1, and the operational attribute passwordExpirationTime in the user's entry will be set to the time at which the password will expire. When the user changes the password, passwordExpWarned will be reset to 0 and passwordExpirationTime will be set to the new expiration time.

Bliss, Aaron wrote:
>If I've configured a correct password policy and the warning attribute
>is not getting updated, should this be considered a bug?
>
>Aaron
>
>-----Original Message-----
>From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard Megginson
>Sent: Thursday, January 19, 2006 1:48 PM
>To: General discussion list for the Fedora Directory server project.
>Subject: Re: [Fedora-directory-users] Some password policy enforcement information questions
>
>Bliss, Aaron wrote:
>>Please forgive me if I'm asking silly newbie questions, however I'm
>>trying to understand exactly what I'm seeing thru fds; first the
>>policy I've configured on the directory using the fds console:
>>I've enabled fine-grain password policy for the data unit, including
>>password history enforcement, password expiration after 90 days,
>>password warning 14 days before password expires, check password
>>syntax, account lockout policy enabled after 3 login failures for 120
>>minutes and reset failure count after 15 minutes.
>>
>>Everything seems to be working except for send password warning; in the
>>client's ldap.conf file, I've enabled pam_lookup_policy yes.
>>
>>Looking at account information attributes for a user, passwordexpwarned
>>value is 0; I've reset users password to try to initialize the password
>>policy, however this value never seems to change. According to this
>>documentation
>>http://www.redhat.com/docs/manuals/dir-server/ag/7.1/password.html#1077081
>>I believe that this attribute is stored in seconds. Is this true?
>>
>Yes.
>
>>If so, what can I do to ensure this attribute is getting updated
>>(assuming that this is the attribute responsible for triggering
>>password expiration warning).
>>
>I'm not really sure.
>
>>Second issue/question:
>>I've looked at this wiki
>>http://directory.fedora.redhat.com/wiki/Howto:PAM and near the very
>>bottom it mentions adding the following
>>
>>dn: cn=config
>>changetype: modify
>>add: passwordExp
>>passwordExp: on
>>-
>>add: passwordMaxAge
>>passwordMaxAge: 8640000 (this I believe would give a password max age
>>of 100 days)
>>
>>Do I need to add these attributes even though I've configured the
>>password policy using fds console, which has done this for me? Is this the
>>case? I don't see these attributes in the gui, however I do see
>>passwordexpirationtime as an attribute and it is set to 90 days from now
>>(I want to ensure that accounts are indeed locked after passwords
>>have expired).
>>
>Those attributes are only for global (default) password policy - what
>you have set for fine grained password policy will override those.
>
>>Also, Jim Summers posted to this group that he saw an issue with
>>shadowpasswd / shadowexpire fields not being updated
>>https://www.redhat.com/archives/fedora-directory-users/2005-December/msg00367.html
>>
>>Can anyone tell me what these fields are used for, as I don't see any
>>mention of them in this documentation
>>http://www.redhat.com/docs/manuals/dir-server/ag/7.1/password.html#1077081
>>
>Right. They are a PAM/posix thing - FDS treats them as any other data
>- it doesn't update them from its own password policy.
>
>>Thanks again very much.
>>
>>Aaron
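The script above stops at printing the raw passwordExpirationTime value. As an added example (not Aaron's code and not part of Fedora DS), here is the same check in Python with the date arithmetic the script skipped: passwordExpirationTime is an LDAP GeneralizedTime (YYYYMMDDHHMMSSZ, UTC), so it parses into a datetime and subtracts cleanly across month and year boundaries. The ldapsearch output, the DN and the timestamps are constructed for the example.

```python
import base64
from datetime import datetime, timezone

# Constructed sample of what
#   ldapsearch -x "(uid=aaron)" passwordExpirationTime passwordExpWarned
# prints for one user; the DN, the timestamps and the warned flag are made up.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# filter: (uid=aaron)
# requesting: passwordExpirationTime passwordExpWarned

# aaron, People, example.com
dn: uid=aaron,ou=People,dc=example,dc=com
passwordExpirationTime: 20060305211500Z
passwordExpWarned: 1

# search result
search: 2
result: 0 Success
"""

GENERALIZED_TIME = "%Y%m%d%H%M%SZ"   # LDAP GeneralizedTime, UTC only


def parse_attributes(ldif_text):
    """Return {attribute name (lower-cased): value} for the entry in ldapsearch output.

    Comment lines are skipped (the job of `grep -v '#'` in the bash version),
    base64 values ("attr:: ...") are decoded, and names are lower-cased because
    LDAP attribute names are case-insensitive, so the lookup does not depend on
    the case the server happens to return.  Folded continuation lines are not handled.
    """
    attrs = {}
    for line in ldif_text.splitlines():
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):                      # base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        attrs[name.strip().lower()] = value
    return attrs


def parse_generalized_time(value):
    """Parse a Fedora DS timestamp such as 20060305211500Z into an aware datetime."""
    return datetime.strptime(value, GENERALIZED_TIME).replace(tzinfo=timezone.utc)


def expiration_status(ldif_text, now):
    """Return (warned, days_left, expires_at).

    `now` is also a GeneralizedTime string so the whole calculation uses one
    clock format.  warned is True only when passwordExpWarned is exactly "1",
    which is the comparison the bash script's test meant to make.  days_left
    is negative once the expiration time has passed.
    """
    attrs = parse_attributes(ldif_text)
    if "passwordexpirationtime" not in attrs:
        raise ValueError("entry has no passwordExpirationTime (no expiration policy applies?)")
    warned = attrs.get("passwordexpwarned") == "1"
    expires_at = parse_generalized_time(attrs["passwordexpirationtime"])
    # timedelta.days floors, so -1 means the password expired earlier today.
    days_left = (expires_at - parse_generalized_time(now)).days
    return warned, days_left, expires_at


def warning_message(ldif_text, now):
    """Text to print at login, or None when the server has not flagged a warning."""
    warned, days_left, expires_at = expiration_status(ldif_text, now)
    if not warned:
        return None
    when = expires_at.strftime("%Y-%m-%d %H:%M UTC")
    if days_left < 0:
        return f"Your password expired on {when}"
    return f"Your password will expire in {days_left} day(s), on {when}"


if __name__ == "__main__":
    now = datetime.now(timezone.utc).strftime(GENERALIZED_TIME)
    print(warning_message(SAMPLE_LDIF, now))
```

In a login script the `SAMPLE_LDIF` text would be replaced by the output of the same `ldapsearch` call the bash script makes; nothing else changes.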
From rmeggins at redhat.com Mon Feb 20 15:07:44 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 20 Feb 2006 08:07:44 -0700
Subject: [Fedora-directory-users] Some password policy enforcement information questions
In-Reply-To:
References:
Message-ID: <43F9DB40.4010000@redhat.com>

Bliss, Aaron wrote:
>Some more trouble with password expiration warnings; I have password
>warnings being displayed to users when they use passwords, however users
>configured to use key authentication
>
Do you mean ssh?

>do not receive these warnings; has
>anyone seen this before? This is of course going to be a very big
>problem for me. Any ideas? Thanks again.
>
>Aaron
From ABliss at preferredcare.org Mon Feb 20 15:34:51 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Mon, 20 Feb 2006 10:34:51 -0500
Subject: [Fedora-directory-users] Some password policy enforcement information questions
Message-ID:

Yep, this issue occurs over ssh.

Aaron

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard Megginson
Sent: Monday, February 20, 2006 10:08 AM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Some password policy enforcement information questions

Bliss, Aaron wrote:
>Some more trouble with password expiration warnings; I have password
>warnings being displayed to users when they use passwords, however
>users configured to use key authentication
>
Do you mean ssh?

>do not receive these warnings; has
>anyone seen this before? This is of course going to be a very big
>problem for me. Any ideas? Thanks again.
>
>Aaron
From sboggs at trustedcs.com Mon Feb 20 17:18:24 2006
From: sboggs at trustedcs.com (Scott Boggs)
Date: Mon, 20 Feb 2006 17:18:24 +0000 (UTC)
Subject: [Fedora-directory-users] Re: Username Case Sensitivity
References: <43f2bc64.514f02d7.2b06.24c9@mx.gmail.com> <43F39C32.10609@babel.com.au>
Message-ID:

Del babel.com.au> writes:
>
> Scott Boggs wrote:
> > I am curious; I understand that LDAP does not enforce case sensitivity for
> > user names or passwords.
> > However, I am wondering if there is a method to enforce such a policy on
> > fedora-ds? I noticed the behavior earlier this week and it reminded me of this
> > behavior in LDAP. I am using an older version of fds; any chance the newer
> > version addresses this?
>
> I would strongly recommend against doing this for user names (actually
> passwords are case sensitive). It's impossible to make user names in
> email addresses case sensitive (it breaks various RFCs) so there is no
> reason to make user names at the system end, where any possible MTA/MDA
> might live, case sensitive.
>

I understand the reasons behind the case-sensitivity enforcement. However, I need to find a method to enforce case with the usernames. There will be no email interaction involved. Any suggestions? Thanks

From rmeggins at redhat.com Mon Feb 20 17:30:01 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 20 Feb 2006 10:30:01 -0700
Subject: [Fedora-directory-users] Re: Username Case Sensitivity
References: <43f2bc64.514f02d7.2b06.24c9@mx.gmail.com> <43F39C32.10609@babel.com.au>
Message-ID: <43F9FC99.2000102@redhat.com>

Scott Boggs wrote:
> Del babel.com.au> writes:
>> Scott Boggs wrote:
>>> I am curious; I understand that LDAP does not enforce case sensitivity for
>>> user names or passwords.
>>> However, I am wondering if there is a method to enforce such a policy on
>>> fedora-ds? I noticed the behavior earlier this week and it reminded me of this
>>> behavior in LDAP. I am using an older version of fds; any chance the newer
>>> version addresses this?

No, the newer version does not address this. Passwords are already case sensitive. As for user names, what attribute were you planning to use?

>> I would strongly recommend against doing this for user names (actually
>> passwords are case sensitive). It's impossible to make user names in
>> email addresses case sensitive (it breaks various RFCs) so there is no
>> reason to make user names at the system end, where any possible MTA/MDA
>> might live, case sensitive.
>
> I understand the reasons behind the case-sensitivity enforcement. However, I
> need to find a method to enforce case with the usernames. There will be no
> email interaction involved. Any suggestions? Thanks

From sboggs at trustedcs.com Mon Feb 20 17:38:25 2006
From: sboggs at trustedcs.com (Scott Boggs)
Date: Mon, 20 Feb 2006 17:38:25 +0000 (UTC)
Subject: [Fedora-directory-users] Re: Username Case Sensitivity
References: <43f2bc64.514f02d7.2b06.24c9@mx.gmail.com> <43F39C32.10609@babel.com.au> <43F9FC99.2000102@redhat.com>
Message-ID:

Richard Megginson redhat.com> writes:
> Scott Boggs wrote:
> > Del babel.com.au> writes:
>
> No, the newer version does not address this. Passwords are already case
> sensitive. As for user names, what attribute were you planning to use?

I am needing to force the usernames to all lowercase. I was thinking that it related to this "OID: 1.3.6.1.4.1.1466.115.121.1.26" (IA5String syntax); am I off base?

From rmeggins at redhat.com Mon Feb 20 17:40:33 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 20 Feb 2006 10:40:33 -0700
Subject: [Fedora-directory-users] Re: Username Case Sensitivity
References: <43f2bc64.514f02d7.2b06.24c9@mx.gmail.com> <43F39C32.10609@babel.com.au> <43F9FC99.2000102@redhat.com>
Message-ID: <43F9FF11.3070704@redhat.com>

Scott Boggs wrote:
> Richard Megginson redhat.com> writes:
>> Scott Boggs wrote:
>>> Del babel.com.au> writes:
>>
>> No, the newer version does not address this. Passwords are already case
>> sensitive. As for user names, what attribute were you planning to use?
>
> I am needing to force the usernames to all lowercase. I was thinking that it
> related to this "OID: 1.3.6.1.4.1.1466.115.121.1.26" (IA5String syntax); am I off
> base?

For what attribute?

From sboggs at trustedcs.com Mon Feb 20 17:52:28 2006
From: sboggs at trustedcs.com (Scott Boggs)
Date: Mon, 20 Feb 2006 17:52:28 +0000 (UTC)
Subject: [Fedora-directory-users] Re: Username Case Sensitivity
References: <43f2bc64.514f02d7.2b06.24c9@mx.gmail.com> <43F39C32.10609@babel.com.au> <43F9FC99.2000102@redhat.com> <43F9FF11.3070704@redhat.com>
Message-ID:

Richard Megginson redhat.com> writes:
> Scott Boggs wrote:
> > Richard Megginson redhat.com> writes:
>
> For what attribute?

I'm sorry, the attribute is "uid"; my configuration is pretty much the same as installed.

From rmeggins at redhat.com Mon Feb 20 17:56:28 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 20 Feb 2006 10:56:28 -0700
Subject: [Fedora-directory-users] Re: Username Case Sensitivity
References: <43f2bc64.514f02d7.2b06.24c9@mx.gmail.com> <43F39C32.10609@babel.com.au> <43F9FC99.2000102@redhat.com> <43F9FF11.3070704@redhat.com>
Message-ID: <43FA02CC.801@redhat.com>

Scott Boggs wrote:
> Richard Megginson redhat.com> writes:
>> Scott Boggs wrote:
>>> Richard Megginson redhat.com> writes:
>>
>> For what attribute?
>
> I'm sorry, the attribute is "uid"; my configuration is pretty much the same as
> installed.

Ok. I suppose you could change the syntax of that attribute, but that is strongly discouraged. What is your application that requires all lower case uids?

From jclowser at unitedmessaging.com Mon Feb 20 18:11:55 2006
From: jclowser at unitedmessaging.com (Jeff Clowser)
Date: Mon, 20 Feb 2006 13:11:55 -0500
Subject: [Fedora-directory-users] Re: Username Case Sensitivity
References: <43f2bc64.514f02d7.2b06.24c9@mx.gmail.com> <43F39C32.10609@babel.com.au>
Message-ID: <43FA066B.6070807@unitedmessaging.com>

Scott Boggs wrote:
> Del babel.com.au> writes:
>> Scott Boggs wrote:
>>> I am curious; I understand that LDAP does not enforce case sensitivity for
>>> user names or passwords.
>>> However, I am wondering if there is a method to enforce such a policy on
>>> fedora-ds? I noticed the behavior earlier this week and it reminded me of this
>>> behavior in LDAP. I am using an older version of fds; any chance the newer
>>> version addresses this?
>>
>> I would strongly recommend against doing this for user names (actually
>> passwords are case sensitive). It's impossible to make user names in
>> email addresses case sensitive (it breaks various RFCs) so there is no
>> reason to make user names at the system end, where any possible MTA/MDA
>> might live, case sensitive.
>
> I understand the reasons behind the case-sensitivity enforcement. However, I
> need to find a method to enforce case with the usernames. There will be no
> email interaction involved. Any suggestions? Thanks

Username (specifically, the uid attribute) is configured as case insensitive in the server schema, i.e. the definition of the uid attribute defines it as case insensitive. This is a schema configuration issue, not a code issue or option (i.e. not something that a new version of software will change). I believe the uid attribute is defined in 00core.ldif. You probably _could_ change the definition of the attribute to make it case sensitive.

However, as others here have said, I'd strongly recommend not doing this: it violates RFCs, and any off-the-shelf apps you plan to integrate against your directory now or in the future may very well break in some way, possibly in unexpected ways or at unexpected times. I'd only do this if you are using this non-standard schema directory purely for internally developed apps, and only if you never plan to deploy/distribute that app outside your own organization, and even then I'd still recommend against it, for whoever inherits it from you some day in the future, or in case you upgrade your directory and forget to make this modification next time around.

However, if this is a purely internal app, you have full freedom to use whatever custom schema you want. Given that freedom, though, I would recommend doing something like the following instead of modifying standard schema:

1. Create an "altuid" attribute (or whatever you want to call it) that is in the format you want: case sensitive, etc.
2. Create a new objectclass, say inherited from objectclass inetorgperson.
3. Add altuid as an attribute of that objectclass. Use this objectclass when you define your users.

> I am needing to force the usernames to all lowercase. I was thinking that it
> related to this "OID: 1.3.6.1.4.1.1466.115.121.1.26" (IA5String syntax); am I off
> base?

Do you need usernames to be case sensitive, or do you need them to be all lowercase? Very different thing: if you need them to be case sensitive, you can do one of the things I mentioned above. If you need them to be strictly lower case, whatever you use to create users in the directory needs to validate usernames and only put in usernames that are lower case, i.e. create a custom web front end in php, perl, etc. for managing users. When it creates new user entries, have that interface lowercase usernames before putting them in the uid attribute and creating the user entry.

Can you expand a bit on what your application is or why it needs this? What about your application, environment, etc. is driving a need for case sensitive uids or lowercase uids? Is it an issue of syncing with another environment that has these requirements/format, etc.? If we knew more about what is driving this need, we may be able to provide more useful advice or suggestions.

- Jeff

From sboggs at trustedcs.com Mon Feb 20 18:12:26 2006
From: sboggs at trustedcs.com (Scott Boggs)
Date: Mon, 20 Feb 2006 18:12:26 +0000 (UTC)
Subject: [Fedora-directory-users] Re: Username Case Sensitivity
References: <43f2bc64.514f02d7.2b06.24c9@mx.gmail.com> <43F39C32.10609@babel.com.au> <43F9FC99.2000102@redhat.com> <43F9FF11.3070704@redhat.com> <43FA02CC.801@redhat.com>
Message-ID:

> Ok. I suppose you could change the syntax of that attribute, but that
> is strongly discouraged. What is your application that requires all
> lower case uids?

Not really an application, but having to meet a site security policy. Thank you.

From sboggs at trustedcs.com Mon Feb 20 18:15:56 2006
From: sboggs at trustedcs.com (Scott Boggs)
Date: Mon, 20 Feb 2006 18:15:56 +0000 (UTC)
Subject: [Fedora-directory-users] Re: Username Case Sensitivity
References: <43f2bc64.514f02d7.2b06.24c9@mx.gmail.com> <43F39C32.10609@babel.com.au> <43FA066B.6070807@unitedmessaging.com>
Message-ID:

Jeff Clowser unitedmessaging.com> writes:
>

Thank you, this is great information.

From sboggs at trustedcs.com Mon Feb 20 19:25:58 2006
From: sboggs at trustedcs.com (Scott Boggs)
Date: Mon, 20 Feb 2006 19:25:58 +0000 (UTC)
Subject: [Fedora-directory-users] Re: Username Case Sensitivity
References: <43f2bc64.514f02d7.2b06.24c9@mx.gmail.com> <43F39C32.10609@babel.com.au> <43FA066B.6070807@unitedmessaging.com>
Message-ID:

Jeff Clowser unitedmessaging.com> writes:
>
> Do you need usernames to be case sensitive, or do you need them to be
> all lowercase? Very different thing: if you need them to be case
> sensitive, you can do one of the things I mentioned above. If you need
> them to be strictly lower case, whatever you use to create users in the
> directory needs to validate usernames and only put in usernames that are
> lower case, i.e. create a custom web front end in php, perl, etc. for
> managing users. When it creates new user entries, have that interface
> lowercase usernames before putting them in the uid attribute and creating
> the user entry.
>
> Can you expand a bit on what your application is or why it needs this?
> What about your application, environment, etc. is driving a need for case
> sensitive uids or lowercase uids? Is it an issue of syncing with
> another environment that has these requirements/format, etc.? If we knew
> more about what is driving this need, we may be able to provide more
> useful advice or suggestions.
>
> - Jeff

We have some internal security applications which have issues if a user logs in with incorrect case in their username. The site policy dictates that the usernames must all be lowercase, but if a user types it incorrectly and adds an uppercase instead of lowercase they have issues. I think a unique (non-standard) use of the attribute should do what I need. I will look at the 00core.ldif as you have suggested. Thank you very much.

From sboggs at trustedcs.com Mon Feb 20 20:36:15 2006
From: sboggs at trustedcs.com (Scott Boggs)
Date: Mon, 20 Feb 2006 20:36:15 +0000 (UTC)
Subject: [Fedora-directory-users] Re: Username Case Sensitivity
References: <43f2bc64.514f02d7.2b06.24c9@mx.gmail.com> <43F39C32.10609@babel.com.au> <43F9FC99.2000102@redhat.com> <43F9FF11.3070704@redhat.com> <43FA02CC.801@redhat.com>
Message-ID:

Scott Boggs trustedcs.com> writes:
>
> > Ok. I suppose you could change the syntax of that attribute, but that
> > is strongly discouraged. What is your application that requires all
> > lower case uids?
>
> Not really an application, but having to meet a site security policy.
>
> Thank you.

Thank you to everyone for helping me out with this (non-traditional) solution for my username case sensitivity issue. Following what Jeff outlined, I am approaching my new OID for a new attribute 'altuid' with the syntax for 2.5.13.5 (caseExactMatch) and 2.5.13.7 (caseExactSubstringMatch). Since these are standard matching rules, will I have to define them in any way for FDS to use them? And just to double check, would there be any reason I should not use these syntax definitions? The last thing I want to do is screw up my FDS. Thanks again for everyone's time.

To clarify, my FDS will not be interacting outside its private realm and not with any applications, so I am hoping this approach is viable for my FDS.

From sboggs at trustedcs.com Tue Feb 21 16:06:40 2006
From: sboggs at trustedcs.com (Scott Boggs)
Date: Tue, 21 Feb 2006 16:06:40 +0000 (UTC)
Subject: [Fedora-directory-users] Extending the Schema
Message-ID:

I used another thread to discuss forcing the schema to adhere to case sensitivity. As pointed out by the responses from many of the FDS vets out there, breaking the RFC would be bad. I am looking for another solution to enforcing exact matches for my users during the login process (non-case specific). This is strictly to support site security policy and not a result of any application integration.

To stay in compliance with RFC standards and to save myself headaches down the road, I need to know if I can change the syntax for the attribute 'uid' to follow something like distinguishedNameMatch for attribute type specification, or is there another method to match uid exactly (i.e. uid=Test where "Test", not "test", must be used to login)? Would applying the schema in this manner violate any RFC standards? Again, I am simply trying to enforce an exact character input during login and not trying to change LDAP to enforce any form of case matching.

Thanks for all the help on this question.

From sboggs at trustedcs.com Tue Feb 21 16:51:18 2006
From: sboggs at trustedcs.com (Scott Boggs)
Date: Tue, 21 Feb 2006 16:51:18 +0000 (UTC)
Subject: [Fedora-directory-users] Re: Extending the Schema
References:
Message-ID:

Scott Boggs trustedcs.com> writes:
> To stay in compliance with RFC standards and to save myself headaches down the
> road, I need to know if I can change the syntax for the attribute 'uid' to
> follow something like distinguishedNameMatch for attribute type specification or
> is there another method to match uid exactly (i.e. uid=Test where "Test" not
> "test" must be used to login).

I suppose another approach might be a plugin; anyone have any background on any existing plugins that would meet the goal of enforcing exact character input for login?

Thanks again for all the trouble.

From david_list at boreham.org Tue Feb 21 17:10:13 2006
From: david_list at boreham.org (David Boreham)
Date: Tue, 21 Feb 2006 10:10:13 -0700
Subject: [Fedora-directory-users] Re: Extending the Schema
References:
Message-ID: <43FB4975.90109@boreham.org>

I think you should be able to just change the syntax for 'uid' to case sensitive. Of course that might break something somewhere, e.g. the console/admin server may have made assumptions about uid being case insensitive. As for not complying with the RFCs, that's really not a big concern since you actually _want_ your usernames to be case sensitive.

From ABliss at preferredcare.org Tue Feb 21 19:04:06 2006
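An added example, illustrating the two threads above; it is not code from the list or from Fedora Directory Server. It models how a server evaluates an equality filter under the EQUALITY rule the schema assigns to an attribute: the caseIgnoreMatch that 00core.ldif gives 'uid' versus caseExactMatch (2.5.13.5) on a custom 'altuid' as Jeff and Scott describe (the substring rule's name in RFC 4517 is caseExactSubstringsMatch, OID 2.5.13.7). The MATCHING_RULES table is the single knob: pointing 'uid' at case_exact_match is David's approach, adding 'altuid' is Jeff's. It also shows the provisioning-time check Jeff suggested for the lowercase-only site policy and the shape of the schema LDIF. The sample entries, the objectclass name sitePerson and the OID arc 1.3.6.1.4.1.99999 are placeholders, not registered values.

```python
"""Model of LDAP equality matching rules and a lowercase-uid provisioning check.
Added example, not code from the thread or from Fedora DS. Entry data, the
sitePerson objectclass and the 1.3.6.1.4.1.99999 OID arc are placeholders."""
import re
from typing import Callable, Dict, List


def _prep(value: str, fold_case: bool) -> str:
    # Simplified RFC 4518 string preparation: trim and collapse whitespace;
    # fold case only for the caseIgnore family of rules.
    collapsed = " ".join(value.split())
    return collapsed.casefold() if fold_case else collapsed


def case_ignore_match(stored: str, supplied: str) -> bool:
    """caseIgnoreMatch (2.5.13.2): the EQUALITY rule the standard schema gives 'uid'."""
    return _prep(stored, True) == _prep(supplied, True)


def case_exact_match(stored: str, supplied: str) -> bool:
    """caseExactMatch (2.5.13.5): what a custom 'altuid' attribute would use."""
    return _prep(stored, False) == _prep(supplied, False)


# EQUALITY rule per attribute, as the schema would declare it.
MATCHING_RULES: Dict[str, Callable[[str, str], bool]] = {
    "uid": case_ignore_match,
    "altuid": case_exact_match,
}

# Constructed sample entries standing in for ou=People.
DIRECTORY: List[Dict[str, str]] = [
    {"dn": "uid=sboggs,ou=People,dc=example,dc=com", "uid": "sboggs", "altuid": "sboggs"},
    {"dn": "uid=jdoe,ou=People,dc=example,dc=com", "uid": "jdoe", "altuid": "jdoe"},
]


def search(attr: str, value: str, entries=DIRECTORY) -> List[str]:
    """Evaluate the filter (attr=value) as the server does, with the EQUALITY
    rule declared for attr; returns the DNs that match."""
    rule = MATCHING_RULES[attr]
    return [e["dn"] for e in entries if attr in e and rule(e[attr], value)]


# Site policy from the thread: usernames are lowercase only.
UID_POLICY = re.compile(r"[a-z][a-z0-9._-]{0,31}")


def uid_allowed_by_policy(uid: str) -> bool:
    """True only for an all-lowercase uid; the check a provisioning front end
    runs before it ever writes the entry."""
    return UID_POLICY.fullmatch(uid) is not None


def user_entry_ldif(uid: str, cn: str, sn: str, base: str = "ou=People,dc=example,dc=com") -> str:
    """LDIF for a new user; refuses a uid that violates the lowercase policy."""
    if not uid_allowed_by_policy(uid):
        raise ValueError(f"uid {uid!r} violates the lowercase-only policy")
    return (
        f"dn: uid={uid},{base}\n"
        "objectClass: top\nobjectClass: person\nobjectClass: organizationalPerson\n"
        "objectClass: inetOrgPerson\nobjectClass: sitePerson\n"
        f"uid: {uid}\naltuid: {uid}\ncn: {cn}\nsn: {sn}\n"
    )


def altuid_schema_ldif() -> str:
    """Schema extension for the case-exact attribute and an objectclass derived
    from inetOrgPerson that carries it. The OID arc is a placeholder."""
    return (
        "dn: cn=schema\n"
        "changetype: modify\n"
        "add: attributeTypes\n"
        "attributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'altuid'\n"
        "  DESC 'case-exact login name'\n"
        "  EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch\n"
        "  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE\n"
        "  X-ORIGIN 'user defined' )\n"
        "-\n"
        "add: objectClasses\n"
        "objectClasses: ( 1.3.6.1.4.1.99999.2.1 NAME 'sitePerson'\n"
        "  SUP inetOrgPerson STRUCTURAL MUST altuid\n"
        "  X-ORIGIN 'user defined' )\n"
    )


if __name__ == "__main__":
    print("(uid=SBoggs)    ->", search("uid", "SBoggs"))     # matches: caseIgnoreMatch
    print("(altuid=SBoggs) ->", search("altuid", "SBoggs"))  # no match: caseExactMatch
    print(altuid_schema_ldif())
```

Whichever of the two schema routes is taken, the policy check in uid_allowed_by_policy is what keeps a mixed-case value out of the directory in the first place; the matching rule only decides whether a mixed-case login name finds the entry.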
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Tue, 21 Feb 2006 14:04:06 -0500
Subject: [Fedora-directory-users] Fedora directory server remote denial of service
Message-ID:

Can you tell me if fds 1.0.1 is affected by this? If so, any near plans for a fix? Thanks.

Aaron

http://www.securityfocus.com/bid/16677

From rmeggins at redhat.com Tue Feb 21 19:07:16 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 21 Feb 2006 12:07:16 -0700
Subject: [Fedora-directory-users] Fedora directory server remote denial of service
Message-ID: <43FB64E4.202@redhat.com>

Bliss, Aaron wrote:
> Can you tell me if fds 1.0.1 is affected by this?

Yes.

> If so, any near plans
> for a fix. Thanks.

Yes. We are going to be fixing this very, very soon.

> Aaron
>
> http://www.securityfocus.com/bid/16677

From ABliss at preferredcare.org Tue Feb 21 19:09:35 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Tue, 21 Feb 2006 14:09:35 -0500
Subject: [Fedora-directory-users] Fedora directory server remote denial of service
Message-ID:

Great, thanks for the quick feedback.

Aaron
From mmontgomery at theplanet.com Tue Feb 21 21:30:49 2006
From: mmontgomery at theplanet.com (Michael Montgomery)
Date: Tue, 21 Feb 2006 15:30:49 -0600
Subject: [Fedora-directory-users] solaris 10 SSL connections
In-Reply-To: <43F504A4.2050108@broadcom.com>
References: <20060216224757.65625.qmail@web52908.mail.yahoo.com> <43F504A4.2050108@broadcom.com>
Message-ID: <43FB8689.6000508@theplanet.com>

I'm really not sure if this will help, but here are the full instructions I used to get this working on a clean Solaris 9 install (I haven't given it a shot on Solaris 10 yet).

Download the NSPR and NSS packages for Solaris 9 here (http://sourceforge.net/project/showfiles.php?group_id=19386) and install them.

Get the Sun ONE Resource Kit here: http://www.sun.com/download/products.xml?id=3f74a0db and install it.

Next run this command to set up your certificate database:

# LD_LIBRARY_PATH=/usr/lib:/usr/local/lib ; export LD_LIBRARY_PATH
# /opt/sunone/lib/nss/bin/certutil -N -d /var/ldap

Add a hosts entry to /etc/hosts for the LDAP server, ** matching the certificate name ** (in my case, server-cert). You'll get this error, which will let you know the name you need to put in /etc/hosts (I couldn't 'pull' it from the cert in any way):

Feb 15 13:31:28 unknown sendmail[2061]: libldap: CERT_VerifyCertName: cert server name 'server-cert' does not match 'corporate-ds': SSL connection denied

Get the CA cert from the directory using these commands:

[root at corporate-ds alias]# pwd
/opt/fedora-ds/alias
[root at corporate-ds alias]# ../shared/bin/certutil -L -d . -n "CA certificate" -r > /root/cert.der

Copy it to the Solaris server, and import it with this:

# /opt/sunone/lib/nss/bin/certutil -A -n "CA certificate" -i /export/home/mmont/cert.der -t "CTu,u,u" -d /var/ldap/

Run this command to set the LDAP client settings on the machine:

# ldapclient -v manual -a authenticationMethod=tls:simple -a credentialLevel=proxy \
  -a defaultSearchBase="dc=inside,dc=yourdomain,dc=com" \
  -a domainName=yourdomain.com -a followReferrals=false \
  -a serviceSearchDescriptor="netgroup: ou=netgroup,dc=inside,dc=yourdomain,dc=com" \
  -a preferredServerList=10.5.1.18 -a serviceAuthenticationMethod=pam_ldap:tls:simple \
  -a proxyPassword=blahblahblah -a proxyDn=cn=proxyagent,ou=profile,dc=inside,dc=yourdomain,dc=com

Restart ldap.client:

# /etc/init.d/ldap.client stop ; sleep 2 ; /etc/init.d/ldap.client start

That should do it. Test the settings with id, getent, or ldaplist (you must be root, or use sudo, to run ldaplist):

# ldaplist -l passwd yournamehere
(This should list your entry in the ldap dir)

I hope this helps someone, and I'm sure I'll attempt to get Solaris 10 working at some point soon.

From danlipsitt at gmail.com Wed Feb 22 00:03:08 2006
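An added example for the name-mismatch step in Michael's instructions above; it is not part of his procedure and not NSS code. It reimplements, in simplified form, the server-name check that produced his 'CERT_VerifyCertName ... does not match' log line: the name the client connected to must match a dNSName in the certificate's subjectAltName, or, when the certificate carries no dNSName, the subject CN, and a wildcard stands in for exactly one leftmost label. Those are the RFC 6125 rules; the NSS build on a 2006 Solaris box may differ in details, which is an assumption of this model. It also parses the error line to recover the two names, since that line was the only place the certificate name was visible to him. The certificate names and the copy of the log line are constructed for illustration.

```python
"""Simplified model of TLS server-name verification plus a parser for the
libldap/NSS mismatch error. Added example; not NSS code, not from the post.
Certificate names and the sample log line are constructed."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class CertNames:
    """The identity names a server certificate carries."""
    subject_cn: str
    san_dns: List[str] = field(default_factory=list)  # dNSName entries, if any


def _name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive DNS name comparison. '*.example.com' matches
    'ldap.example.com' but neither 'example.com' nor 'a.b.example.com'."""
    p = pattern.lower().rstrip(".")
    h = host.lower().rstrip(".")
    if p == h:
        return True
    if not p.startswith("*."):
        return False
    first, sep, rest = h.partition(".")
    return bool(sep) and first != "" and rest == p[2:]


def verify_cert_name(cert: CertNames, host: str) -> bool:
    """The check a client runs after the handshake: SAN dNSNames take
    precedence; the subject CN is consulted only when there are none."""
    candidates = cert.san_dns if cert.san_dns else [cert.subject_cn]
    return any(_name_matches(c, host) for c in candidates)


# Constructed copy of the line quoted in the post.
SAMPLE_LOG_LINE = (
    "Feb 15 13:31:28 unknown sendmail[2061]: libldap: CERT_VerifyCertName: "
    "cert server name 'server-cert' does not match 'corporate-ds': SSL connection denied"
)
LOG_RE = re.compile(r"cert server name '([^']+)' does not match '([^']+)'")


def parse_verify_error(line: str) -> Optional[Tuple[str, str]]:
    """Return (name in certificate, name connected to) from the error line,
    or None if the line is not a name-mismatch error."""
    m = LOG_RE.search(line)
    return (m.group(1), m.group(2)) if m else None


def hosts_workaround(line: str, server_ip: str) -> Optional[str]:
    """The /etc/hosts line the post adds so that the connect name equals the
    certificate name. Issuing the server cert with the real host name as its
    CN or SAN removes the need for this step."""
    parsed = parse_verify_error(line)
    if parsed is None:
        return None
    cert_name, _connected_name = parsed
    return f"{server_ip}\t{cert_name}"


if __name__ == "__main__":
    cert = CertNames(subject_cn="server-cert")
    print(verify_cert_name(cert, "corporate-ds"))  # False: the mismatch in the log
    print(verify_cert_name(cert, "server-cert"))   # True: after the hosts entry
    print(hosts_workaround(SAMPLE_LOG_LINE, "10.5.1.18"))
```

The hosts-file trick works because the chain is still validated against the imported CA certificate; only the name comparison is being satisfied. It does mean every client has to carry that alias, so the cleaner fix is to generate the server certificate with the DNS name clients actually use.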
From: danlipsitt at gmail.com (Dan Lipsitt)
Date: Tue, 21 Feb 2006 19:03:08 -0500
Subject: [Fedora-directory-users] self-signed certificates
Message-ID:

It appears that the setup utility now creates self-signed certificates in the alias directory, making the certutil instructions moot. Is that correct? My alias directory contains the following files:

------
$ cd /opt/fedora-ds/alias/
$ ls -la
total 420
drwxr-xr-x  2 nobody nobody   4096 Feb 21 17:16 .
drwxr-xr-x 15 root   root     4096 Feb 21 16:57 ..
-rw-------  1 nobody nobody  65536 Feb 21 17:16 admin-serv-roam104-178-cert8.db
-rw-------  1 nobody nobody  16384 Feb 21 17:16 admin-serv-roam104-178-key3.db
-rwxr-xr-x  1 root   nobody 196340 Dec  8 11:04 libnssckbi.so
-rw-------  1 nobody nobody  16384 Feb 21 16:57 secmod.db
-rw-------  1 nobody nobody  65536 Feb 21 16:57 slapd-roam104-178-cert8.db
-rw-------  1 nobody nobody  16384 Feb 21 16:57 slapd-roam104-178-key3.db
------

I didn't create any of these files myself.

My problem is that no certificate shows up in the drop-down menu under Encryption in the Admin Server console.

As you can see, my hostname has a dash in it. Could that be causing problems? Or do I need to use certutil manually?

Thanks,
Dan

From nkinder at redhat.com Wed Feb 22 00:09:54 2006
From: nkinder at redhat.com (Nathan Kinder)
Date: Tue, 21 Feb 2006 16:09:54 -0800
Subject: [Fedora-directory-users] self-signed certificates
Message-ID: <43FBABD2.6020307@redhat.com>

Dan Lipsitt wrote:
> It appears that the setup utility now creates self-signed certificates
> in the alias directory, making the certutil instructions moot. Is that
> correct? My alias directory contains the following files:

No, that's not correct. See below.

> ------
> $ cd /opt/fedora-ds/alias/
> $ ls -la
> total 420
> drwxr-xr-x  2 nobody nobody   4096 Feb 21 17:16 .
> drwxr-xr-x 15 root   root     4096 Feb 21 16:57 ..
> -rw-------  1 nobody nobody  65536 Feb 21 17:16 admin-serv-roam104-178-cert8.db
> -rw-------  1 nobody nobody  16384 Feb 21 17:16 admin-serv-roam104-178-key3.db
> -rwxr-xr-x  1 root   nobody 196340 Dec  8 11:04 libnssckbi.so
> -rw-------  1 nobody nobody  16384 Feb 21 16:57 secmod.db
> -rw-------  1 nobody nobody  65536 Feb 21 16:57 slapd-roam104-178-cert8.db
> -rw-------  1 nobody nobody  16384 Feb 21 16:57 slapd-roam104-178-key3.db
> ------
>
> I didn't create any of these files myself.
>
> My problem is that no certificate shows up in the drop-down menu under
> Encryption in the Admin Server console.
>
> As you can see, my hostname has a dash in it. Could that be causing
> problems? Or do I need to use certutil manually?

You still need to use certutil to create your certs. Those are empty database files.

-NGK

> Thanks,
> Dan

From logastellus at yahoo.com Wed Feb 22 13:30:24 2006
From: logastellus at yahoo.com (Susan)
Date: Wed, 22 Feb 2006 05:30:24 -0800 (PST)
Subject: [Fedora-directory-users] solaris 10 SSL connections
In-Reply-To: <43FB8689.6000508@theplanet.com>
Message-ID: <20060222133024.60429.qmail@web52913.mail.yahoo.com>

Thank you, Michael. I've just about given up on solaris 10 ssl and the utilities that come with it. It simply DOES. NOT. WORK. I will give your directions a try. Thanks again in advance.

--- Michael Montgomery wrote:
> I'm really not sure if this will help, but here are the full
> instructions I used to get this working on a clean solaris 9 install (I
> haven't given it a shot on solaris 10 yet)
>
> Download the nspr, and nss packages for Solaris 9 here
> (http://sourceforge.net/project/showfiles.php?group_id=19386)
> and install them.
>
> Get Sun one Resource Kit here:
> http://www.sun.com/download/products.xml?id=3f74a0db
> And install it.
>
> Next run this command to setup your certificate database:
>
> # LD_LIBRARY_PATH=/usr/lib:/usr/local/lib ; export LD_LIBRARY_PATH
> # /opt/sunone/lib/nss/bin/certutil -N -d /var/ldap
>
> Add hosts entry to /etc/hosts for Ldap server, ** matching the
> certificate name ** (in my case, server-cert).
> You'll get this error, which will let you know the name you need to put
> in /etc/hosts: (I couldn't 'pull' it from the cert in any way)
>
> Feb 15 13:31:28 unknown sendmail[2061]: libldap: CERT_VerifyCertName:
> cert server name 'server-cert' does not match 'corporate-ds': SSL
> connection denied
>
> Get CA cert from directory using these commands:
>
> [root at corporate-ds alias]# pwd
> /opt/fedora-ds/alias
> [root at corporate-ds alias]# ../shared/bin/certutil -L -d . -n "CA
> certificate" -r > /root/cert.der
>
> Copy it to the solaris server, and import it with this:
>
> # /opt/sunone/lib/nss/bin/certutil -A -n "CA certificate" -i
> /export/home/mmont/cert.der -t "CTu,u,u" -d /var/ldap/
> Run this command to set ldap client settings on the machine:
>
> # ldapclient -v manual -a authenticationMethod=tls:simple -a
> credentialLevel=proxy \
> -a defaultSearchBase="dc=inside,dc=yourdomain,dc=com" \
> -a domainName=yourdomain.com -a followReferrals=false \
> -a serviceSearchDescriptor="netgroup:
> ou=netgroup,dc=inside,dc=yourdomain,dc=com" \
> -a preferredServerList=10.5.1.18 -a
> serviceAuthenticationMethod=pam_ldap:tls:simple \
> -a proxyPassword=blahblahblah -a
> proxyDn=cn=proxyagent,ou=profile,dc=inside,dc=yourdomain,dc=com
>
> Restart ldap.client:
>
> # /etc/init.d/ldap.client stop ; sleep 2 ; /etc/init.d/ldap.client start
>
> That should do it. Test settings with id, getent, or ldaplist: (You must
> be root, or sudo to use ldaplist)
>
> # ldaplist -l passwd yournamehere
> (This should list your entry in the ldap dir)
>
> I hope this helps someone, and I'm sure I'll attempt to get solaris 10
> working at some point soon.

From logastellus at yahoo.com Wed Feb 22 13:35:44 2006
From: logastellus at yahoo.com (Susan)
Date: Wed, 22 Feb 2006 05:35:44 -0800 (PST)
Subject: [Fedora-directory-users] self-signed certificates
In-Reply-To: <43FBABD2.6020307@redhat.com>
Message-ID: <20060222133544.86572.qmail@web52915.mail.yahoo.com>

--- Nathan Kinder wrote:
> Dan Lipsitt wrote:

Yea. I had to do it so often that I've scripted it:

Put your cert DB password in pwdfile.txt, put some noise in the noise file and run this.

I think these may be a little different from the manual; I got the syntax from Rich M. It works, though.

One thing I don't understand still is the purpose of the pk12util... I run it because the wiki says to run it. No idea what it's for, however.

____________________contents of cert gen script______________
[root at cnyldap01 alias]# cat certs.sh
#!/bin/sh
# Run from /opt/fedora-ds/alias. pwdfile.txt holds the cert DB password,
# noise.txt seeds key generation.
# Create the empty cert/key databases, then a key pair.
../shared/bin/certutil -N -d . -f pwdfile.txt
../shared/bin/certutil -G -d . -z noise.txt -f pwdfile.txt
# Self-signed CA (-x), trusted to issue server certs (CT), valid 120 months.
../shared/bin/certutil -S -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d . -z noise.txt -f pwdfile.txt
# Server cert issued by that CA (-c).
../shared/bin/certutil -S -n "Server-Cert" -s "cn=server-cert" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d . -z noise.txt -f pwdfile.txt
echo moving key..
# Rename the databases to the slapd-<instance>- names the server expects and
# keep the plain names as symlinks.
mv key3.db slapd-`hostname -s`-key3.db
mv cert8.db slapd-`hostname -s`-cert8.db
ln -s slapd-`hostname -s`-key3.db key3.db
ln -s slapd-`hostname -s`-cert8.db cert8.db
echo pk..
# Export the server key and cert as PKCS#12.
../shared/bin/pk12util -d . -P slapd-`hostname -s`- -o servercert.pfx -n Server-Cert
____________________end of contents of cert gen script______________

From rmeggins at redhat.com Wed Feb 22 14:34:50 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 22 Feb 2006 07:34:50 -0700
Subject: [Fedora-directory-users] self-signed certificates
In-Reply-To: <20060222133544.86572.qmail@web52915.mail.yahoo.com>
References: <20060222133544.86572.qmail@web52915.mail.yahoo.com>
Message-ID: <43FC768A.206@redhat.com>

Susan wrote:
> --- Nathan Kinder wrote:
>> Dan Lipsitt wrote:
>
> Yea. I had to do it so often, that I've scripted it:
>
> Put your cert DB password in pwdfile.txt, put some noise in the noise file and run this.
>
> I think these may be a little different from the manual, I got the syntax from Rich M. It works though.
>
> One thing I don't understand still is the purpose of the pk12util... I run it because the wiki says to run it. No idea what it's for, however.

It's really just for backup purposes. You can backup your key and cert db files instead.

> ____________________contents of cert gen script______________
> [root at cnyldap01 alias]# cat certs.sh
> #!/bin/sh
> ../shared/bin/certutil -N -d . -f pwdfile.txt
> ../shared/bin/certutil -G -d . -z noise.txt -f pwdfile.txt
> ../shared/bin/certutil -S -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d . -z noise.txt -f pwdfile.txt
> ../shared/bin/certutil -S -n "Server-Cert" -s "cn=server-cert" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d . -z noise.txt -f pwdfile.txt
> echo moving key..
>
> mv key3.db slapd-`-hostname -s`-key3.db
> mv cert8.db slapd-`hostname -s`-cert8.db
> ln -s slapd-`hostname -s`-key3.db key3.db
> ln -s slapd-`hostname -s`-cert8.db cert8.db
> echo pk..
> ../shared/bin/pk12util -d . -P slapd-`hostname -s`- -o servercert.pfx -n Server-Cert
> ____________________end of contents of cert gen script______________

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3178 bytes
Desc: S/MIME Cryptographic Signature
URL:

From logastellus at yahoo.com Wed Feb 22 15:06:38 2006
From: logastellus at yahoo.com (Susan)
Date: Wed, 22 Feb 2006 07:06:38 -0800 (PST)
Subject: [Fedora-directory-users] solaris 10 SSL connections
In-Reply-To: <43FB8689.6000508@theplanet.com>
Message-ID: <20060222150638.93715.qmail@web52911.mail.yahoo.com>

These instructions work!!! Thank you very much. Michael & George both have been very helpful.

Perhaps we can put these instructions up on a wiki, now that it's verified that they work for solaris 10? I've sniffed the traffic; it definitely is encrypted.

The sad story is that the utils that come with Solaris 10 don't work. ldaplist and search don't recognize the cert db created by /usr/sfw/bin/certutil that comes with solaris 10.

--- Michael Montgomery wrote:
> I'm really not sure if this will help, but here are the full instructions I used to get this working on a clean solaris 9 install (I haven't given it a shot on solaris 10 yet)
>
> Download the nspr, and nss packages for Solaris 9 here
> (http://sourceforge.net/project/showfiles.php?group_id=19386)
> and install them.
>
> Get Sun one Resource Kit here:
> http://www.sun.com/download/products.xml?id=3f74a0db
> And install it.
>
> Next run this command to setup your certificate database:
>
> # LD_LIBRARY_PATH=/usr/lib:/usr/local/lib ; export LD_LIBRARY_PATH
> # /opt/sunone/lib/nss/bin/certutil -N -d /var/ldap
>
> Add hosts entry to /etc/hosts for Ldap server, ** matching the certificate name ** (in my case, server-cert).
> You'll get this error, which will let you know the name you need to put in /etc/hosts: (I couldn't 'pull' it from the cert in any way)
>
> Feb 15 13:31:28 unknown sendmail[2061]: libldap: CERT_VerifyCertName: cert server name 'server-cert' does not match 'corporate-ds': SSL connection denied
>
> Get CA cert from directory using these commands:
>
> [root at corporate-ds alias]# pwd
> /opt/fedora-ds/alias
> [root at corporate-ds alias]# ../shared/bin/certutil -L -d . -n "CA certificate" -r > /root/cert.der
>
> Copy it to the solaris server, and import it with this:
>
> # /opt/sunone/lib/nss/bin/certutil -A -n "CA certificate" -i /export/home/mmont/cert.der -t "CTu,u,u" -d /var/ldap/
>
> Run this command to set ldap client settings on the machine:
>
> # ldapclient -v manual -a authenticationMethod=tls:simple -a credentialLevel=proxy \
>     -a defaultSearchBase="dc=inside,dc=yourdomain,dc=com" \
>     -a domainName=yourdomain.com -a followReferrals=false \
>     -a serviceSearchDescriptor="netgroup: ou=netgroup,dc=inside,dc=yourdomain,dc=com" \
>     -a preferredServerList=10.5.1.18 -a serviceAuthenticationMethod=pam_ldap:tls:simple \
>     -a proxyPassword=blahblahblah -a proxyDn=cn=proxyagent,ou=profile,dc=inside,dc=yourdomain,dc=com
>
> Restart ldap.client:
>
> # /etc/init.d/ldap.client stop ; sleep 2 ; /etc/init.d/ldap.client start
>
> That should do it. Test settings with id, getent, or ldaplist: (You must be root, or sudo to use ldaplist)
>
> # ldaplist -l passwd yournamehere
> (This should list your entry in the ldap dir)
>
> I hope this helps someone, and I'm sure I'll attempt to get solaris 10 working at some point soon.

From dfulton at concepttechnologyinc.com Wed Feb 22 16:12:58 2006
From: dfulton at concepttechnologyinc.com (Darren Fulton - CTI)
Date: Wed, 22 Feb 2006 10:12:58 -0600
Subject: [Fedora-directory-users] Looking for expanded upgrade to 1.0 procedure
In-Reply-To: <43F0C562.1040704@redhat.com>
References: <9751522.01139779979715.JavaMail.root@host3.concepttechnologyinc.com> <43F0C562.1040704@redhat.com>
Message-ID: <43FC8D8A.4020300@concepttechnologyinc.com>

Richard Megginson wrote:
> Darren Fulton wrote:
>
>> We've been running FDS beta in production for a while now. I'd like to upgrade to 1.0 and then get current, especially because after the last reboot, the admin-serv won't run anymore.
>>
> What's the problem? Note that ns-slapd must be up and running and accepting connections before admin-serv will start.
>
>> The only upgrade instructions that I've been able to find are at the bottom of the 1.0 Release Notes:
>>
>> Unfortunately, rpm -U (rpm upgrade install) is not supported. You must perform a migration from the old version. Steps:
>>
>> 1. Backup your data, using the console or the db2bak command line (or Export to LDIF)
>> 2. Make a copy of your server configuration - the slapd-instance/config/dse.ldif file
>> 3. Backup your key/cert/module information - the /opt/fedora-ds/alias .db files (you can ignore the .so file)
>> 4. Uninstall the previous version (e.g. rpm -e fedora-ds)
>> 5. Install the new version (e.g. rpm -ivh fedora-ds-1.0-2.platform.i386.opt.rpm)
>> 6. Add back your configuration to the new instance e.g. do a diff between your saved dse.ldif and the new one
>> 7. Add back your saved key/cert/module .db files to /opt/fedora-ds/alias
>> 8. Restore your saved data (or import from LDIF)
>>
>> These notes aren't enough detail for me to get the job done. Is there a detailed procedure somewhere or can one of you good people help me? I've looked through the mailing list archives, FDS docs, RHDS docs, and googled. I'd like something like this:
>>
>> mkdir /var/backup/fds
>> cd /opt/fedora-ds/slapd-host2
>> ./db2bak /var/backup/fds
>> blah blah
>> rpm -e fedora-ds
>> etc etc
>>
>> Specific things in the upgrade steps from the release notes that I don't feel good about are:
>> Step 1 - I don't know how to do that, but I think I might have done it correctly.
>>
> Yes, you are correct.
>
>> Step 4 - after rpm -e, it says some files may not have been removed and to remove them manually. Do you do rm -Rf /opt/fedora-ds?
>>
> Yes.
>
>> Step 6 - I don't know how to do that
>>
> cd /opt/fedora-ds/slapd-host2
> ./stop-slapd
> diff -U 8 dse.ldif.saved config/dse.ldif > diffs
> # where dse.ldif.saved is the one you saved in step 2 above
> # now, take a look at the file diffs, and edit your config/dse.ldif with any pertinent changes in diffs
> ./start-slapd
>
>> Step 8 - I don't know how to do that
>>
> cd /opt/fedora-ds/slapd-host2
> ./stop-slapd
> ./bak2db /var/backup/fds
> ./start-slapd
>
>> Thanks in advance!
>>

Here is what I remember about the upgrade: I got the upgrade done but it wasn't smooth. No fault of the software I'm sure, just my lack of LDAP experience.

# now, take a look at the file diffs, and edit your config/dse.ldif with any pertinent changes in diffs
./start-slapd

It wouldn't restart at this point. I think it was due to having, prior to the upgrade, performed the steps in the SSL and Samba How-to's. I removed my changes to the new dse.ldif and started slapd. I think I also had to remove the files that I restored to the alias directory.

cd /opt/fedora-ds/slapd-host2
./stop-slapd
./bak2db /var/backup/fds
./start-slapd

This part went well. I then restored the old 61samba.ldif to the schema directory and at that point stuff was mostly working properly, except for logging into the web admin wouldn't work. I had to loosen up the permissions on the directory /opt/fedora-ds/bin/slapd/authck to get that working.

One remaining weird thing that I've found. To run the Java "Console" tool I change directory to /opt/fedora-ds and run ./startconsole and login. When I do that, the console is empty. There is nothing at all listed in "Servers and Applications". It is just bare. However, when I cd into /opt/fedora-ds/$fedora-ds_some_backup_that_I_made_prior_to_the_upgrade, run the ./startconsole command and connect to the same host on the same port with the same credentials, it looks as I expect it to look, listing my domain name, host name, server group, etc. So for now I'm just running startconsole from the old backup folder.

Thanks for the help.

--
Best Regards,
Darren Fulton

From logastellus at yahoo.com Wed Feb 22 21:21:38 2006
From: logastellus at yahoo.com (Susan)
Date: Wed, 22 Feb 2006 13:21:38 -0800 (PST)
Subject: [Fedora-directory-users] allowing users to change their own passwords (solaris 10)
Message-ID: <20060222212138.52365.qmail@web52905.mail.yahoo.com>

Well, I've gotten authentication working for solaris 10 & FDS. (Thank you, everybody)

As root, I can change any user's password and that works. As a regular user, however, no luck:

-bash-3.00$ passwd
passwd: Changing password for test
passwd: Sorry, wrong passwd
Permission denied

-bash-3.00$ passwd -r ldap
passwd: Changing password for test
passwd: Sorry, wrong passwd
Permission denied
-bash-3.00$

I've this aci:

(targetattr="carLicense ||description ||displayName ||facsimileTelephoneNumber ||homePhone ||homePostalAddress ||initials ||jpegPhoto ||labeledURL ||mail ||mobile ||pager ||photo ||postOfficeBox ||postalAddress ||postalCode ||preferredDeliveryMethod ||preferredLanguage ||registeredAddress ||roomNumber ||secretary ||seeAlso ||st ||street ||telephoneNumber ||telexNumber ||title ||userCertificate ||userPassword ||userSMIMECertificate ||x500UniqueIdentifier")(version 3.0; acl "Enable self write for common attributes"; allow (write) userdn="ldap:///self";)

Doesn't seem to be doing anything, even though userPassword is in there. Btw, in Linux, non-root users can change their passwords just fine!

I've also two of these ACIs which I got from Gary Tay's site:

(target="ldap:///dc=company,dc=com")(targetattr="userPassword")(version 3.0; acl LDAP_Naming_Services_proxy_password_read; allow (compare,search) userdn = "ldap:///cn=proxyagent,ou=profile,dc=company,dc=com";)

(targetattr = "cn||uid||uidNumber||gidNumber||homeDirectory||shadowLastChange||shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag||memberUid")(version 3.0; acl LDAP_Naming_Services_deny_write_access;deny (write) userdn = "ldap:///self";)

They seem to be doing nothing either, i.e. removing them neither fixes nor breaks anything.

Nothing in server/client logs either...

Any ideas?

From sboggs at trustedcs.com Wed Feb 22 21:22:56 2006
From: sboggs at trustedcs.com (Scott Boggs)
Date: Wed, 22 Feb 2006 21:22:56 +0000 (UTC)
Subject: [Fedora-directory-users] Re: Extending the Schema
References:
Message-ID:

Scott Boggs trustedcs.com> writes:

Would a possible solution to enforce case sensitivity at user login be to use the Case Exact String Syntax Plug-in that is listed in the administrators guide? Anyone ever done so?

Tks again

From rmeggins at redhat.com Wed Feb 22 21:28:05 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 22 Feb 2006 14:28:05 -0700
Subject: [Fedora-directory-users] Re: Extending the Schema
In-Reply-To:
References:
Message-ID: <43FCD765.9030302@redhat.com>

Scott Boggs wrote:
> Scott Boggs trustedcs.com> writes:
>
> Would a possible solution to enforce case sensitivity at user login be to use the Case Exact String Syntax Plug-in that is listed in administrators guide?

The syntax plug-ins do not enforce their particular syntax in the sense of rejecting attribute values that do not match their specified syntax. They merely provide comparison, collation, and index key generation.

> Anyone ever done so?
> Tks again

From david_list at boreham.org Wed Feb 22 21:31:13 2006
From: david_list at boreham.org (David Boreham)
Date: Wed, 22 Feb 2006 14:31:13 -0700
Subject: [Fedora-directory-users] Re: Extending the Schema
In-Reply-To: <43FCD765.9030302@redhat.com>
References: <43FCD765.9030302@redhat.com>
Message-ID: <43FCD821.60903@boreham.org>

Richard Megginson wrote:
> Scott Boggs wrote:
>
>> Scott Boggs trustedcs.com> writes:
>>
>> Would a possible solution to enforce case sensitivity at user login be to use the Case Exact String Syntax Plug-in that is listed in administrators guide?
>>
> The syntax plug-ins do not enforce their particular syntax in the sense of rejecting attribute values that do not match their specified syntax. They merely provide comparison, collation, and index key generation.

But any client that is authenticating on behalf of users should see the 'correct' behavior, no? For example if a search for 'uid=Foo' were done, it would not match an entry with uid=foo.

From gholbert at broadcom.com Wed Feb 22 21:29:00 2006
From: gholbert at broadcom.com (George Holbert)
Date: Wed, 22 Feb 2006 13:29:00 -0800
Subject: [Fedora-directory-users] allowing users to change their own passwords (solaris 10)
In-Reply-To: <20060222212138.52365.qmail@web52905.mail.yahoo.com>
References: <20060222212138.52365.qmail@web52905.mail.yahoo.com>
Message-ID: <43FCD79C.7070903@broadcom.com>

Susan,

What does your PAM password stack look like on the Solaris 10 client?
-- George

Susan wrote:
> Well, I've gotten authentication working for solaris 10 & FDS. (Thank you, everybody)
>
> As root, I can change any user's password and that works. As a regular user, however, no luck:
>
> -bash-3.00$ passwd
> passwd: Changing password for test
> passwd: Sorry, wrong passwd
> Permission denied
>
> -bash-3.00$ passwd -r ldap
> passwd: Changing password for test
> passwd: Sorry, wrong passwd
> Permission denied
> -bash-3.00$
>
> I've this aci:
>
> (targetattr="carLicense ||description ||displayName ||facsimileTelephoneNumber ||homePhone ||homePostalAddress ||initials ||jpegPhoto ||labeledURL ||mail ||mobile ||pager ||photo ||postOfficeBox ||postalAddress ||postalCode ||preferredDeliveryMethod ||preferredLanguage ||registeredAddress ||roomNumber ||secretary ||seeAlso ||st ||street ||telephoneNumber ||telexNumber ||title ||userCertificate ||userPassword ||userSMIMECertificate ||x500UniqueIdentifier")(version 3.0; acl "Enable self write for common attributes"; allow (write) userdn="ldap:///self";)
>
> Doesn't seem to be doing anything, even though userPassword is in there. Btw, in Linux, non-root users can change their passwords just fine!
>
> I've also two of these ACIs which I got from Gary Tay's site:
>
> (target="ldap:///dc=company,dc=com")(targetattr="userPassword")(version 3.0; acl LDAP_Naming_Services_proxy_password_read; allow (compare,search) userdn = "ldap:///cn=proxyagent,ou=profile,dc=company,dc=com";)
>
> (targetattr = "cn||uid||uidNumber||gidNumber||homeDirectory||shadowLastChange||shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag||memberUid")(version 3.0; acl LDAP_Naming_Services_deny_write_access;deny (write) userdn = "ldap:///self";)
>
> They seem to doing nothing either, i.e. removing them neither fixes nor breaks anything.
>
> Nothing in server/client logs either...
>
> Any ideas?

From rmeggins at redhat.com Wed Feb 22 21:47:26 2006
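The three ACIs Susan quotes in this thread can be checked mechanically. The script below is an added illustration, not code from the thread or from Fedora Directory Server: it parses the subset of ACI syntax those three use and answers whether a user bound as the entry itself ("ldap:///self") ends up with write access to userPassword. It assumes the 389/FDS rule that a matching deny ACI overrides any allow, ignores the (target=...) scope, and only understands userdn="ldap:///self" bind rules; the ACI strings are copied from the thread, with the dc=company,dc=com placeholder kept.

```python
import re
from dataclasses import dataclass

# The three ACIs quoted in the thread (constructed copy; dc=company,dc=com is
# the placeholder DN used in the thread).
ACI_TEXTS = [
    '(targetattr="carLicense ||description ||displayName ||facsimileTelephoneNumber ||homePhone '
    '||homePostalAddress ||initials ||jpegPhoto ||labeledURL ||mail ||mobile ||pager ||photo '
    '||postOfficeBox ||postalAddress ||postalCode ||preferredDeliveryMethod ||preferredLanguage '
    '||registeredAddress ||roomNumber ||secretary ||seeAlso ||st ||street ||telephoneNumber '
    '||telexNumber ||title ||userCertificate ||userPassword ||userSMIMECertificate '
    '||x500UniqueIdentifier")(version 3.0; acl "Enable self write for common attributes"; '
    'allow (write) userdn="ldap:///self";)',
    '(target="ldap:///dc=company,dc=com")(targetattr="userPassword")(version 3.0; acl '
    'LDAP_Naming_Services_proxy_password_read; allow (compare,search) userdn = '
    '"ldap:///cn=proxyagent,ou=profile,dc=company,dc=com";)',
    '(targetattr = "cn||uid||uidNumber||gidNumber||homeDirectory||shadowLastChange||shadowMin'
    '||shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag||memberUid")(version '
    '3.0; acl LDAP_Naming_Services_deny_write_access;deny (write) userdn = "ldap:///self";)',
]


@dataclass
class Aci:
    name: str
    attrs: set      # lower-cased attribute names from targetattr; {"*"} if none given
    effect: str     # "allow" or "deny"
    rights: set     # e.g. {"write"} or {"compare", "search"}
    userdn: str     # the bind rule's userdn, e.g. "ldap:///self"


_TARGETATTR = re.compile(r'\(targetattr\s*=\s*"([^"]*)"\)', re.I)
_ACL = re.compile(
    r'acl\s+"?([^";]+?)"?\s*;\s*(allow|deny)\s*\(([^)]*)\)\s*userdn\s*=\s*"([^"]*)"', re.I)


def parse_aci(text):
    """Parse the ACI subset used in the thread (targetattr + one allow/deny userdn rule)."""
    m = _TARGETATTR.search(text)
    attrs = {a.strip().lower() for a in m.group(1).split("||")} if m else {"*"}
    m = _ACL.search(text)
    if not m:
        raise ValueError("unsupported ACI: " + text)
    name, effect, rights, userdn = m.groups()
    return Aci(name.strip(), attrs, effect.lower(),
               {r.strip().lower() for r in rights.split(",")}, userdn.strip())


def self_has_right(aci_texts, attribute, right):
    """Does a user bound as the entry itself end up with `right` on `attribute`?

    Model assumptions: only userdn="ldap:///self" rules count, (target=...) scoping
    is ignored, a matching deny overrides any allow, and with no matching allow the
    answer is denied.
    """
    attribute = attribute.lower()
    right = right.lower()
    allowed = denied = False
    for aci in map(parse_aci, aci_texts):
        if aci.userdn.lower() != "ldap:///self" or right not in aci.rights:
            continue
        if "*" not in aci.attrs and attribute not in aci.attrs:
            continue
        if aci.effect == "deny":
            denied = True
        else:
            allowed = True
    return allowed and not denied


if __name__ == "__main__":
    for attr in ("userPassword", "uid", "description"):
        print(f"self write on {attr}: {self_has_right(ACI_TEXTS, attr, 'write')}")
```

Under this model self keeps write on userPassword (the first ACI grants it and the deny ACI does not list it) while write on uid or cn is denied, which is consistent with Susan's observation that removing the two Gary Tay ACIs changes nothing about the password case: the server-side rights were not the blocker.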
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 22 Feb 2006 14:47:26 -0700
Subject: [Fedora-directory-users] Re: Extending the Schema
In-Reply-To: <43FCD821.60903@boreham.org>
References: <43FCD765.9030302@redhat.com> <43FCD821.60903@boreham.org>
Message-ID: <43FCDBEE.7000005@redhat.com>

David Boreham wrote:
> Richard Megginson wrote:
>
>> Scott Boggs wrote:
>>
>>> Scott Boggs trustedcs.com> writes:
>>>
>>> Would a possible solution to enforce case sensitivity at user login be to use the Case Exact String Syntax Plug-in that is listed in administrators guide?
>>
>> The syntax plug-ins do not enforce their particular syntax in the sense of rejecting attribute values that do not match their specified syntax. They merely provide comparison, collation, and index key generation.
>
> But any client that is authenticating on behalf of users should see the 'correct' behavior, no ? For example if a search for 'uid=Foo' were done, it would not match an entry with uid=foo.

Right. But that's controlled by the syntax setting for the attribute in the schema. Basically, when you tell the schema to use syntax OID x.y.z, that x.y.z corresponds to a particular syntax plugin.

From logastellus at yahoo.com Wed Feb 22 22:28:44 2006
From: logastellus at yahoo.com (Susan)
Date: Wed, 22 Feb 2006 14:28:44 -0800 (PST)
Subject: [Fedora-directory-users] allowing users to change their own passwords (solaris 10)
In-Reply-To: <43FCD79C.7070903@broadcom.com>
Message-ID: <20060222222844.77822.qmail@web52908.mail.yahoo.com>

I got it from docs.sun.com:

-bash-3.00# cat /etc/pam.conf
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_dial_auth.so.1
login   auth required           pam_unix_cred.so.1
login   auth sufficient         pam_unix_auth.so.1
login   auth required           pam_ldap.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth requisite          pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth required           pam_unix_cred.so.1
rlogin  auth sufficient         pam_unix_auth.so.1
rlogin  auth required           pam_ldap.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh     auth sufficient         pam_rhosts_auth.so.1
rsh     auth required           pam_unix_cred.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp     auth requisite          pam_authtok_get.so.1
ppp     auth required           pam_dhkeys.so.1
ppp     auth required           pam_dial_auth.so.1
ppp     auth sufficient         pam_unix_auth.so.1
ppp     auth required           pam_ldap.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth sufficient         pam_unix_auth.so.1
other   auth required           pam_ldap.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd  auth sufficient         pam_passwd_auth.so.1
passwd  auth required           pam_ldap.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required        pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account requisite       pam_roles.so.1
other   account required        pam_unix_account.so.1
#

--- George Holbert wrote:
> Susan,
>
> What does your PAM password stack look like on the Solaris 10 client?
> -- George
>
> Susan wrote:
>> Well, I've gotten authentication working for solaris 10 & FDS. (Thank you, everybody)
>>
>> As root, I can change any user's password and that works. As a regular user, however, no luck:
>>
>> -bash-3.00$ passwd
>> passwd: Changing password for test
>> passwd: Sorry, wrong passwd
>> Permission denied
>>
>> -bash-3.00$ passwd -r ldap
>> passwd: Changing password for test
>> passwd: Sorry, wrong passwd
>> Permission denied
>> -bash-3.00$
>>
>> I've this aci:
>>
>> (targetattr="carLicense ||description ||displayName ||facsimileTelephoneNumber ||homePhone ||homePostalAddress ||initials ||jpegPhoto ||labeledURL ||mail ||mobile ||pager ||photo ||postOfficeBox ||postalAddress ||postalCode ||preferredDeliveryMethod ||preferredLanguage ||registeredAddress ||roomNumber ||secretary ||seeAlso ||st ||street ||telephoneNumber ||telexNumber ||title ||userCertificate ||userPassword ||userSMIMECertificate ||x500UniqueIdentifier")(version 3.0; acl "Enable self write for common attributes"; allow (write) userdn="ldap:///self";)
>>
>> Doesn't seem to be doing anything, even though userPassword is in there. Btw, in Linux, non-root users can change their passwords just fine!
>>
>> I've also two of these ACIs which I got from Gary Tay's site:
>>
>> (target="ldap:///dc=company,dc=com")(targetattr="userPassword")(version 3.0; acl LDAP_Naming_Services_proxy_password_read; allow (compare,search) userdn = "ldap:///cn=proxyagent,ou=profile,dc=company,dc=com";)
>>
>> (targetattr = "cn||uid||uidNumber||gidNumber||homeDirectory||shadowLastChange||shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag||memberUid")(version 3.0; acl LDAP_Naming_Services_deny_write_access;deny (write) userdn = "ldap:///self";)
>>
>> They seem to doing nothing either, i.e. removing them neither fixes nor breaks anything.
>>
>> Nothing in server/client logs either...
>>
>> Any ideas?

From gholbert at broadcom.com Wed Feb 22 22:42:05 2006
From: gholbert at broadcom.com (George Holbert)
Date: Wed, 22 Feb 2006 14:42:05 -0800
Subject: [Fedora-directory-users] allowing users to change their own passwords (solaris 10)
In-Reply-To: <20060222222844.77822.qmail@web52908.mail.yahoo.com>
References: <20060222222844.77822.qmail@web52908.mail.yahoo.com>
Message-ID: <43FCE8BD.90706@broadcom.com>

It looks like you're missing a password stack in your /etc/pam.conf.

I think you got the example pam.conf here:
http://docs.sun.com/app/docs/doc/816-4556/6maort2tb?a=view
...but did you omit the bottom portion of the file? This part:

#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session required        pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password required       pam_authtok_store.so.1

Susan wrote:
> I got it from docs.sun.com:
>
> -bash-3.00# cat /etc/pam.conf
> #
> # Authentication management
> #
> # login service (explicit because of pam_dial_auth)
> #
> login   auth requisite          pam_authtok_get.so.1
> login   auth required           pam_dhkeys.so.1
> login   auth required           pam_dial_auth.so.1
> login   auth required           pam_unix_cred.so.1
> login   auth sufficient         pam_unix_auth.so.1
> login   auth required           pam_ldap.so.1
> #
> # rlogin service (explicit because of pam_rhost_auth)
> #
> rlogin  auth sufficient         pam_rhosts_auth.so.1
> rlogin  auth requisite          pam_authtok_get.so.1
> rlogin  auth required           pam_dhkeys.so.1
> rlogin  auth required           pam_unix_cred.so.1
> rlogin  auth sufficient         pam_unix_auth.so.1
> rlogin  auth required           pam_ldap.so.1
> #
> # rsh service (explicit because of pam_rhost_auth,
> # and pam_unix_auth for meaningful pam_setcred)
> #
> rsh     auth sufficient         pam_rhosts_auth.so.1
> rsh     auth required           pam_unix_cred.so.1
> #
> # PPP service (explicit because of pam_dial_auth)
> #
> ppp     auth requisite          pam_authtok_get.so.1
> ppp     auth required           pam_dhkeys.so.1
> ppp     auth required           pam_dial_auth.so.1
> ppp     auth sufficient         pam_unix_auth.so.1
> ppp     auth required           pam_ldap.so.1
> #
> # Default definitions for Authentication management
> # Used when service name is not explicitly mentioned for authentication
> #
> other   auth requisite          pam_authtok_get.so.1
> other   auth required           pam_dhkeys.so.1
> other   auth required           pam_unix_cred.so.1
> other   auth sufficient         pam_unix_auth.so.1
> other   auth required           pam_ldap.so.1
> #
> # passwd command (explicit because of a different authentication module)
> #
> passwd  auth sufficient         pam_passwd_auth.so.1
> passwd  auth required           pam_ldap.so.1
> #
> # cron service (explicit because of non-usage of pam_roles.so.1)
> #
> cron    account required        pam_unix_account.so.1
> #
> # Default definition for Account management
> # Used when service name is not explicitly mentioned for account management
> #
> other   account requisite       pam_roles.so.1
> other   account required        pam_unix_account.so.1
> #
>
> --- George Holbert wrote:
>
>> Susan,
>>
>> What does your PAM password stack look like on the Solaris 10 client?
>> -- George
>>
>> Susan wrote:
>>
>>> Well, I've gotten authentication working for solaris 10 & FDS. (Thank you, everybody)
>>>
>>> As root, I can change any user's password and that works. As a regular user, however, no luck:
>>>
>>> -bash-3.00$ passwd
>>> passwd: Changing password for test
>>> passwd: Sorry, wrong passwd
>>> Permission denied
>>>
>>> -bash-3.00$ passwd -r ldap
>>> passwd: Changing password for test
>>> passwd: Sorry, wrong passwd
>>> Permission denied
>>> -bash-3.00$
>>>
>>> I've this aci:
>>>
>>> (targetattr="carLicense ||description ||displayName ||facsimileTelephoneNumber ||homePhone ||homePostalAddress ||initials ||jpegPhoto ||labeledURL ||mail ||mobile ||pager ||photo ||postOfficeBox ||postalAddress ||postalCode ||preferredDeliveryMethod ||preferredLanguage ||registeredAddress ||roomNumber ||secretary ||seeAlso ||st ||street ||telephoneNumber ||telexNumber ||title ||userCertificate ||userPassword ||userSMIMECertificate ||x500UniqueIdentifier")(version 3.0; acl "Enable self write for common attributes"; allow (write) userdn="ldap:///self";)
>>>
>>> Doesn't seem to be doing anything, even though userPassword is in there. Btw, in Linux, non-root users can change their passwords just fine!
>>>
>>> I've also two of these ACIs which I got from Gary Tay's site:
>>>
>>> (target="ldap:///dc=company,dc=com")(targetattr="userPassword")(version 3.0; acl LDAP_Naming_Services_proxy_password_read; allow (compare,search) userdn = "ldap:///cn=proxyagent,ou=profile,dc=company,dc=com";)
>>>
>>> (targetattr = "cn||uid||uidNumber||gidNumber||homeDirectory||shadowLastChange||shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag||memberUid")(version 3.0; acl LDAP_Naming_Services_deny_write_access;deny (write) userdn = "ldap:///self";)
>>>
>>> They seem to doing nothing either, i.e. removing them neither fixes nor breaks anything.
>>>
>>> Nothing in server/client logs either...
>>>
>>> Any ideas?

From prowley at redhat.com Wed Feb 22 22:48:12 2006
From: prowley at redhat.com (Pete Rowley)
Date: Wed, 22 Feb 2006 14:48:12 -0800
Subject: [Fedora-directory-users] allowing users to change their own passwords (solaris 10)
In-Reply-To: <20060222222844.77822.qmail@web52908.mail.yahoo.com>
References: <20060222222844.77822.qmail@web52908.mail.yahoo.com>
Message-ID: <43FCEA2C.6040202@redhat.com>

Susan wrote:
> # passwd command (explicit because of a different authentication module)
> #
> passwd auth sufficient pam_passwd_auth.so.1
> passwd auth required pam_ldap.so.1

You have no password directives - auth is for authentication only.

passwd password sufficient pam_passwd_auth.so.1
passwd password required pam_ldap.so.1

--
Pete

From logastellus at yahoo.com Thu Feb 23 14:15:53 2006
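The diagnosis George and Pete give above (an `auth` stack for the passwd service but no `password` stack anywhere, not even under `other`) is easy to check for mechanically. The script below is an added illustration, not code from the thread or from Sun: it parses a Solaris-style pam.conf, resolves the effective stack for a service the way PAM does (the service's own entries, else the `other` fallback), and reports every service that authenticates through pam_ldap without any password-management stack behind it. The two sample configs are constructed from the thread: a trimmed copy of the file Susan pasted, and the same file with the `other password` lines George quotes appended.

```python
from collections import defaultdict

# Constructed subset of the /etc/pam.conf Susan pasted: auth entries for login,
# passwd and the 'other' fallback plus account entries, and no password stack.
TRUNCATED_PAM_CONF = """\
# login service (explicit because of pam_dial_auth)
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_dial_auth.so.1
login   auth required           pam_unix_cred.so.1
login   auth sufficient         pam_unix_auth.so.1
login   auth required           pam_ldap.so.1
# Default definitions for Authentication management
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth sufficient         pam_unix_auth.so.1
other   auth required           pam_ldap.so.1
# passwd command (explicit because of a different authentication module)
passwd  auth sufficient         pam_passwd_auth.so.1
passwd  auth required           pam_ldap.so.1
# Default definition for Account management
other   account requisite       pam_roles.so.1
other   account required        pam_unix_account.so.1
"""

# The same file with the 'other password' stack George quotes appended.
FIXED_PAM_CONF = TRUNCATED_PAM_CONF + """\
# Default definition for Password management
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password required       pam_authtok_store.so.1
"""


def parse_pam_conf(text):
    """Return {(service, type): [(control, module), ...]} in file order.

    Solaris pam.conf lines have the form: service type control module [options].
    """
    stacks = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("malformed pam.conf line: " + raw)
        service, mtype, control, module = fields[:4]
        stacks[(service.lower(), mtype.lower())].append((control.lower(), module))
    return dict(stacks)


def effective_stack(stacks, service, mtype):
    """The stack PAM will run: the service's own entries of this type if it has
    any, otherwise the 'other' entries; an empty list means no stack at all."""
    return stacks.get((service, mtype)) or stacks.get(("other", mtype), [])


def services_without_password_stack(text):
    """Services that authenticate through pam_ldap but have no password stack to
    run for a password change, the state the thread diagnoses for passwd(1)."""
    stacks = parse_pam_conf(text)
    flagged = []
    for svc in sorted({service for service, _ in stacks}):
        auth = effective_stack(stacks, svc, "auth")
        uses_ldap = any("pam_ldap" in module for _, module in auth)
        if uses_ldap and not effective_stack(stacks, svc, "password"):
            flagged.append(svc)
    return flagged


if __name__ == "__main__":
    print("truncated:", services_without_password_stack(TRUNCATED_PAM_CONF))
    print("fixed:    ", services_without_password_stack(FIXED_PAM_CONF))
    print("passwd password stack:",
          effective_stack(parse_pam_conf(FIXED_PAM_CONF), "passwd", "password"))
```

Run against the truncated file it flags login, other and passwd; once the `other password` block is present every service inherits it and nothing is flagged, which matches Susan's follow-up that the tail of her real file already had those lines.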
From: logastellus at yahoo.com (Susan) Date: Thu, 23 Feb 2006 06:15:53 -0800 (PST) Subject: [Fedora-directory-users] allowing users to change their own passwords (solaris 10) In-Reply-To: <43FCE8BD.90706@broadcom.com> Message-ID: <20060223141553.30854.qmail@web52915.mail.yahoo.com> No, looks like I messed up on copy & paste: -bash-3.00# tail /etc/pam.conf # Used when service name is not explicitly mentioned for password management # other password required pam_dhkeys.so.1 other password requisite pam_authtok_get.so.1 other password requisite pam_authtok_check.so.1 other password required pam_authtok_store.so.1 # # Support for Kerberos V5 authentication and example configurations can # be found in the pam_krb5(5) man page under the "EXAMPLES" section. # I have it. ______________________________________________________ --- George Holbert wrote: > It looks like you're missing a password stack in your /etc/pam.conf. > > I think you got the example pam.conf here: > http://docs.sun.com/app/docs/doc/816-4556/6maort2tb?a=view > ...but did you omit the bottom portion of the file? 
>
> This part:
>
> #
> # Default definition for Session management
> # Used when service name is not explicitly mentioned for session management
> #
> other session required pam_unix_session.so.1
> #
> # Default definition for Password management
> # Used when service name is not explicitly mentioned for password management
> #
> other password required pam_dhkeys.so.1
> other password requisite pam_authtok_get.so.1
> other password requisite pam_authtok_check.so.1
> other password required pam_authtok_store.so.1
>
> Susan wrote:
> > I got it from docs.sun.com:
> >
> > -bash-3.00# cat /etc/pam.conf
> > #
> > # Authentication management
> > #
> > # login service (explicit because of pam_dial_auth)
> > #
> > login auth requisite pam_authtok_get.so.1
> > login auth required pam_dhkeys.so.1
> > login auth required pam_dial_auth.so.1
> > login auth required pam_unix_cred.so.1
> > login auth sufficient pam_unix_auth.so.1
> > login auth required pam_ldap.so.1
> > #
> > # rlogin service (explicit because of pam_rhost_auth)
> > #
> > rlogin auth sufficient pam_rhosts_auth.so.1
> > rlogin auth requisite pam_authtok_get.so.1
> > rlogin auth required pam_dhkeys.so.1
> > rlogin auth required pam_unix_cred.so.1
> > rlogin auth sufficient pam_unix_auth.so.1
> > rlogin auth required pam_ldap.so.1
> > #
> > # rsh service (explicit because of pam_rhost_auth,
> > # and pam_unix_auth for meaningful pam_setcred)
> > #
> > rsh auth sufficient pam_rhosts_auth.so.1
> > rsh auth required pam_unix_cred.so.1
> > #
> > # PPP service (explicit because of pam_dial_auth)
> > #
> > ppp auth requisite pam_authtok_get.so.1
> > ppp auth required pam_dhkeys.so.1
> > ppp auth required pam_dial_auth.so.1
> > ppp auth sufficient pam_unix_auth.so.1
> > ppp auth required pam_ldap.so.1
> > #
> > # Default definitions for Authentication management
> > # Used when service name is not explicitly mentioned for authentication
> > #
> > other auth requisite pam_authtok_get.so.1
> > other auth required pam_dhkeys.so.1
> > other auth required pam_unix_cred.so.1
> > other auth sufficient pam_unix_auth.so.1
> > other auth required pam_ldap.so.1
> > #
> > # passwd command (explicit because of a different authentication module)
> > #
> > passwd auth sufficient pam_passwd_auth.so.1
> > passwd auth required pam_ldap.so.1
> > #
> > # cron service (explicit because of non-usage of pam_roles.so.1)
> > #
> > cron account required pam_unix_account.so.1
> > #
> > # Default definition for Account management
> > # Used when service name is not explicitly mentioned for account management
> > #
> > other account requisite pam_roles.so.1
> > other account required pam_unix_account.so.1
> > #
> >
> > --- George Holbert wrote:
> >
> >> Susan,
> >>
> >> What does your PAM password stack look like on the Solaris 10 client?
> >> -- George
> >>
> >> Susan wrote:
> >>
> >>> Well, I've gotten authentication working for solaris 10 & FDS. (Thank you, everybody)
> >>>
> >>> As root, I can change any user's password and that works.
> >>> As a regular user, however, no luck:
> >>>
> >>> -bash-3.00$ passwd
> >>> passwd: Changing password for test
> >>> passwd: Sorry, wrong passwd
> >>> Permission denied
> >>>
> >>> -bash-3.00$ passwd -r ldap
> >>> passwd: Changing password for test
> >>> passwd: Sorry, wrong passwd
> >>> Permission denied
> >>> -bash-3.00$
> >>>
> >>> I've this aci:
> >>>
> >>> (targetattr="carLicense ||description ||displayName ||facsimileTelephoneNumber ||homePhone
> >>> ||homePostalAddress ||initials ||jpegPhoto ||labeledURL ||mail ||mobile ||pager ||photo
> >>> ||postOfficeBox ||postalAddress ||postalCode ||preferredDeliveryMethod ||preferredLanguage
> >>> ||registeredAddress ||roomNumber ||secretary ||seeAlso ||st ||street ||telephoneNumber
> >>> ||telexNumber ||title ||userCertificate ||userPassword ||userSMIMECertificate
> >>> ||x500UniqueIdentifier")(version 3.0; acl "Enable self write for common attributes"; allow (write)
> >>> userdn="ldap:///self";)
> >>>
> >>> Doesn't seem to be doing anything, even though userPassword is in there. Btw, in Linux, non-root
> >>> users can change their passwords just fine!
> >>>
> >>> I've also two of these ACIs which I got from Gary Tay's site:
> >>>
> >>> (target="ldap:///dc=company,dc=com")(targetattr="userPassword")(version 3.0; acl
> >>> LDAP_Naming_Services_proxy_password_read; allow (compare,search) userdn =
> >>> "ldap:///cn=proxyagent,ou=profile,dc=company,dc=com";)
> >>>
> >>> (targetattr =
> >>> "cn||uid||uidNumber||gidNumber||homeDirectory||shadowLastChange||shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag||memberUid")(version
> >>> 3.0; acl LDAP_Naming_Services_deny_write_access;deny (write) userdn = "ldap:///self";)
> >>>
> >>> They seem to be doing nothing either, i.e. removing them neither fixes nor breaks anything.
> >>>
> >>> Nothing in server/client logs either...
> >>>
> >>> Any ideas?
From francois.beretti at gmail.com Thu Feb 23 14:17:26 2006
From: francois.beretti at gmail.com (François Beretti)
Date: Thu, 23 Feb 2006 15:17:26 +0100
Subject: [Fedora-directory-users] TLS authentication without a user mapped
Message-ID: <85d6be850602230617h473de439p@mail.gmail.com>

Hi,

is it possible to do a SASL/EXTERNAL bind with a TLS certificate, while no user in the directory is mapped to the certificate DN?

If yes, is it possible then to give rights to the certificate DN (so, to a DN that is not in the directory)?

I would like this if I don't want to store users in a directory (because they already are in another one).

Thank you

François

From rmeggins at redhat.com Thu Feb 23 14:54:51 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 23 Feb 2006 07:54:51 -0700
Subject: [Fedora-directory-users] TLS authentication without a user mapped
In-Reply-To: <85d6be850602230617h473de439p@mail.gmail.com>
References: <85d6be850602230617h473de439p@mail.gmail.com>
Message-ID: <43FDCCBB.7090305@redhat.com>

François Beretti wrote:

>Hi,
>
>is it possible to do a SASL/EXTERNAL bind with a TLS certificate,
>while no user in the directory is mapped to the certificate DN ?
>
No. The code currently requires an entry, and furthermore requires that the entry has a userCertificate attribute whose value matches the client certificate.

>If yes, is it possible then to give rights to certificate DN (so, to a
>DN that is not in the directory) ?
>
>I would like this if I don't want to store users in a directory
>(because they already are in another one.
>
But you do want to use the access control features of Fedora DS on that identity. You are the second person to ask about this recently. This would probably involve quite a few code changes:

1) The client cert auth code would have to allow access by non-existent users. Perhaps we could use the cert db to optionally look up the certificate for comparison.
2) The access control code would have to allow access by non-existent users.

If the identity store is another LDAP server, you may be able to use chaining.

>Thank you
>
>François
>

From logastellus at yahoo.com Thu Feb 23 14:58:50 2006
From: logastellus at yahoo.com (Susan)
Date: Thu, 23 Feb 2006 06:58:50 -0800 (PST)
Subject: [Fedora-directory-users] allowing users to change their own passwords (solaris 10)
In-Reply-To: <43FCEA2C.6040202@redhat.com>
Message-ID: <20060223145850.36371.qmail@web52905.mail.yahoo.com>

Alright, I added that, didn't do anything though:

-bash-3.00# grep passwd /etc/pam.conf
# passwd command (explicit because of a different authentication module)
passwd auth sufficient pam_passwd_auth.so.1
passwd auth required pam_ldap.so.1
passwd password sufficient pam_passwd_auth.so.1
passwd password required pam_ldap.so.1

-bash-3.00$ passwd
passwd: Changing password for test
passwd: Sorry, wrong passwd
Permission denied
-bash-3.00$ passwd -r ldap
passwd: Changing password for test
passwd: Sorry, wrong passwd
Permission denied
-bash-3.00$

--- Pete Rowley wrote:

> Susan wrote:
>
> ># passwd command (explicit because of a different authentication module)
> >#
> >passwd auth sufficient pam_passwd_auth.so.1
> >passwd auth required pam_ldap.so.1
> >
> You have no password directives - auth is for authentication only.
>
> passwd password sufficient pam_passwd_auth.so.1
> passwd password required pam_ldap.so.1
>
> --
> Pete

From david_list at boreham.org Thu Feb 23 15:13:40 2006
From: david_list at boreham.org (David Boreham)
Date: Thu, 23 Feb 2006 08:13:40 -0700
Subject: [Fedora-directory-users] TLS authentication without a user mapped
In-Reply-To: <85d6be850602230617h473de439p@mail.gmail.com>
References: <85d6be850602230617h473de439p@mail.gmail.com>
Message-ID: <43FDD124.9060404@boreham.org>

François Beretti wrote:

>I would like this if I don't want to store users in a directory
>(because they already are in another one.
>
This would be a new feature. You'd need to write code to implement it (or someone would). Problem is that there are a bunch of places in the code where the existence of an entry with the bind identity is assumed. So it wouldn't be quite as simple as taking the cert DN and copying it into the bind DN for the session.

From logastellus at yahoo.com Thu Feb 23 22:39:07 2006
From: logastellus at yahoo.com (Susan)
Date: Thu, 23 Feb 2006 14:39:07 -0800 (PST)
Subject: [Fedora-directory-users] allowing users to change their own passwords (solaris 10)
In-Reply-To: <20060223145850.36371.qmail@web52905.mail.yahoo.com>
Message-ID: <20060223223907.69623.qmail@web52910.mail.yahoo.com>

Turned pam debugging on, I see this now:

Feb 23 17:36:04 unknown passwd[1187]: [ID 293258 user.warning] libsldap: Status: 91 Mesg: openConnection: failed to initialize TLS security (An I/O error occurred during security authorization.)
Feb 23 17:36:04 unknown passwd[1187]: [ID 293258 user.warning] libsldap: Status: 7 Mesg: Session error no available conn.
Feb 23 17:36:04 unknown passwd[1187]: [ID 993883 user.debug] passwd_auth: __user_to_authenticate returned 13
Feb 23 17:36:04 unknown passwd[1187]: [ID 239966 auth.debug] PAM[1187]: pam_authenticate(29748, 0): error No account present for user
Feb 23 17:36:04 unknown passwd[1187]: [ID 285619 auth.debug] ldap pam_sm_authenticate(passwd test), flags = 0
Feb 23 17:36:04 unknown passwd[1187]: [ID 647000 auth.debug] ldap pam_sm_authenticate(passwd test), AUTHTOK not set
Feb 23 17:36:04 unknown passwd[1187]: [ID 239966 auth.debug] PAM[1187]: pam_authenticate(29748, 0): error Authentication failed
Feb 23 17:36:04 unknown passwd[1187]: [ID 909073 auth.debug] PAM[1187]: pam_set_item(29748:authtok)
Feb 23 17:36:04 unknown passwd[1187]: [ID 557867 auth.debug] PAM[1187]: pam_end(29748): status = Success

Why would it fail to initialize TLS security? root works fine... Is there an env var I'm missing?
--- Susan wrote:

> Alright, I added that, didn't do anything though:
>
> -bash-3.00# grep passwd /etc/pam.conf
> # passwd command (explicit because of a different authentication module)
> passwd auth sufficient pam_passwd_auth.so.1
> passwd auth required pam_ldap.so.1
> passwd password sufficient pam_passwd_auth.so.1
> passwd password required pam_ldap.so.1
>
> -bash-3.00$ passwd
> passwd: Changing password for test
> passwd: Sorry, wrong passwd
> Permission denied
> -bash-3.00$ passwd -r ldap
> passwd: Changing password for test
> passwd: Sorry, wrong passwd
> Permission denied
> -bash-3.00$
>
> --- Pete Rowley wrote:
>
> > Susan wrote:
> >
> > ># passwd command (explicit because of a different authentication module)
> > >#
> > >passwd auth sufficient pam_passwd_auth.so.1
> > >passwd auth required pam_ldap.so.1
> > >
> > You have no password directives - auth is for authentication only.
> >
> > passwd password sufficient pam_passwd_auth.so.1
> > passwd password required pam_ldap.so.1
> >
> > --
> > Pete

From prowley at redhat.com Thu Feb 23 22:42:26 2006
From: prowley at redhat.com (Pete Rowley)
Date: Thu, 23 Feb 2006 14:42:26 -0800
Subject: [Fedora-directory-users] allowing users to change their own passwords (solaris 10)
In-Reply-To: <20060223223907.69623.qmail@web52910.mail.yahoo.com>
References: <20060223223907.69623.qmail@web52910.mail.yahoo.com>
Message-ID: <43FE3A52.4000808@redhat.com>

Susan wrote:

>Why would it fail to initialize TLS security? root works fine... Is there an env var I'm
>missing?
>
Permissions for local files? Try getting a TLS ldapsearch to work first.

--
Pete

From gholbert at broadcom.com Thu Feb 23 23:10:18 2006
From: gholbert at broadcom.com (George Holbert)
Date: Thu, 23 Feb 2006 15:10:18 -0800
Subject: [Fedora-directory-users] allowing users to change their own passwords (solaris 10)
In-Reply-To: <43FE3A52.4000808@redhat.com>
References: <20060223223907.69623.qmail@web52910.mail.yahoo.com> <43FE3A52.4000808@redhat.com>
Message-ID: <43FE40DA.4070906@broadcom.com>

Ah yes,

Check permission on /var/ldap/cert7.db and /var/ldap/key3.db.

They should be mode 644.

Pete Rowley wrote:
> Susan wrote:
>
>> Why would it fail to initialize TLS security? root works fine... Is
>> there an env var I'm
>> missing?
>>
> Permissions for local files? Try getting a TLS ldapsearch to work first.

From basile.mathieu at siris.sorbonne.fr Fri Feb 24 11:16:47 2006
From: basile.mathieu at siris.sorbonne.fr (basile au siris)
Date: Fri, 24 Feb 2006 12:16:47 +0100
Subject: [Fedora-directory-users] sendmail alias in fds
Message-ID: <43FEEB1F.1060801@siris.sorbonne.fr>

Hi,

I try to use sendmail with sendmail aliases in FDS and have problems. Here are the definitions of the aliases:

dn: sendmailMTAKey=Basile.Mathieu,dc=siris,dc=sorbonne,dc=fr
sendmailMTAAliasGrouping: aliases
sendmailMTAAliasGrouping: revaliases
sendmailMTAHost: sorbon2.sorbonne.fr
sendmailMTAKey: Basile.Mathieu
sendmailMTAAliasValue: bmathieu
objectClass: top
objectClass: sendmailMTA
objectClass: sendmailMTAAlias
objectClass: sendmailMTAAliasObject

dn: sendmailMTAKey=bmathieu,dc=siris,dc=sorbonne,dc=fr
sendmailMTAAliasGrouping: aliases
sendmailMTAAliasGrouping: revaliases
sendmailMTAHost: sorbon2.sorbonne.fr
sendmailMTAKey: bmathieu
sendmailMTAAliasValue: bmathieu
objectClass: top
objectClass: sendmailMTA
objectClass: sendmailMTAAlias
objectClass: sendmailMTAAliasObject

dn: sendmailMTAKey=Alain.Lierre,dc=paris4,dc=sorbonne,dc=fr
sendmailMTAAliasGrouping: aliases
sendmailMTAAliasGrouping: revaliases
sendmailMTAHost: sorbon2.sorbonne.fr
sendmailMTAKey: Alain.Lierre
sendmailMTAAliasValue: alierre
objectClass: top
objectClass: sendmailMTA
objectClass: sendmailMTAAlias
objectClass: sendmailMTAAliasObject

dn: sendmailMTAKey=alierre,dc=paris4,dc=sorbonne,dc=fr
sendmailMTAAliasGrouping: aliases
sendmailMTAAliasGrouping: revaliases
sendmailMTAHost: sorbon2.sorbonne.fr
sendmailMTAKey: alierre
sendmailMTAAliasValue: alierre
objectClass: top
objectClass: sendmailMTA
objectClass: sendmailMTAAlias
objectClass: sendmailMTAAliasObject

Here I test email with sendmail:

# /usr/lib/sendmail -bv -C /etc/mail/sendmail-tx.cf Alain.Lierre at sorbon2.sorbonne.fr
Alain.Lierre at sorbon2.sorbonne.fr... User unknown
sorbon2 # /usr/lib/sendmail -bv -C /etc/mail/sendmail-tx.cf Basile.mathieu at sorbon2.sorbonne.fr
bmathieu... deliverable: mailer local, user bmathieu

Why is the first alias not recognized? Users bmathieu and alierre are defined. The search base is dc=sorbonne,dc=fr.

And here are the logs of FDS:

[24/Feb/2006:11:57:50 +0100] conn=2307 fd=64 slot=64 connection from 195.220.107.251 to 195.220.107.251
[24/Feb/2006:11:57:50 +0100] conn=2307 op=0 BIND dn="cn=proxyagent,ou=profile,dc=sorbonne,dc=fr" method=128 version=3
[24/Feb/2006:11:57:50 +0100] conn=2307 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=proxyagent,ou=profile,dc=sorbonne,dc=fr"
[24/Feb/2006:11:57:50 +0100] conn=2307 op=1 SRCH base=" ou=People,dc=sorbonne,dc=fr" scope=1 filter="(&(objectClass=posixAccount)(uid=mailnull))" attrs="cn uid uidNumber gidNumber gecos description homeDirectory loginShell"
[24/Feb/2006:11:57:50 +0100] conn=2307 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[24/Feb/2006:11:57:50 +0100] conn=2307 op=2 UNBIND
[24/Feb/2006:11:57:50 +0100] conn=2307 op=2 fd=64 closed - U1
[24/Feb/2006:11:57:50 +0100] conn=2308 fd=65 slot=65 connection from 195.220.107.251 to 195.220.107.251
[24/Feb/2006:11:57:50 +0100] conn=2308 op=0 BIND dn="cn=proxyagent,ou=profile,dc=sorbonne,dc=fr" method=128 version=3
[24/Feb/2006:11:57:50 +0100] conn=2308 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=proxyagent,ou=profile,dc=sorbonne,dc=fr"
[24/Feb/2006:11:57:50 +0100] conn=2308 op=1 SRCH base=" ou=People,dc=sorbonne,dc=fr" scope=1 filter="(&(objectClass=posixAccount)(uid=sendmail))" attrs="cn uid uidNumber gidNumber gecos description homeDirectory loginShell"
[24/Feb/2006:11:57:50 +0100] conn=2308 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[24/Feb/2006:11:57:50 +0100] conn=2308 op=2 UNBIND
[24/Feb/2006:11:57:50 +0100] conn=2308 op=2 fd=65 closed - U1
[24/Feb/2006:11:57:50 +0100] conn=2309 fd=64 slot=64 connection from 195.220.107.251 to 195.220.107.251
[24/Feb/2006:11:57:50 +0100] conn=2309 op=0 BIND dn="" method=128 version=2
[24/Feb/2006:11:57:50 +0100] conn=2309 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[24/Feb/2006:11:57:50 +0100] conn=2309 op=1 SRCH base="dc=sorbonne,dc=fr" scope=2 filter="(&(objectClass=sendmailMTAAliasObject)(sendmailMTAAliasGrouping=revaliases)(|(sendmailMTACluster=)(sendmailMTAHost=sorbon2.sorbonne.fr))(sendmailMTAKey=root))" attrs="sendmailMTAAliasValue"
[24/Feb/2006:11:57:51 +0100] conn=2310 fd=65 slot=65 connection from 195.220.107.251 to 195.220.107.251
[24/Feb/2006:11:57:51 +0100] conn=2310 op=0 BIND dn="" method=128 version=2
[24/Feb/2006:11:57:51 +0100] conn=2310 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[24/Feb/2006:11:57:51 +0100] conn=2310 op=1 SRCH base="dc=sorbonne, dc=fr" scope=2 filter="(&(objectClass=sendmailMTAAliasObject)(sendmailMTAAliasGrouping=aliases)(|(sendmailMTACluster=)(sendmailMTAHost=sorbon2.sorbonne.fr))(sendmailMTAKey=alain.lierre))" attrs="sendmailMTAAliasValue"
[24/Feb/2006:11:57:52 +0100] conn=2309 op=1 RESULT err=4 tag=101 nentries=28 etime=2 notes=U
[24/Feb/2006:11:57:53 +0100] conn=2311 fd=66 slot=66 connection from 195.220.107.251 to 195.220.107.251
[24/Feb/2006:11:57:53 +0100] conn=2311 op=0 BIND dn="cn=proxyagent,ou=profile,dc=sorbonne,dc=fr" method=128 version=3
[24/Feb/2006:11:57:53 +0100] conn=2311 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=proxyagent,ou=profile,dc=sorbonne,dc=fr"
[24/Feb/2006:11:57:53 +0100] conn=2311 op=1 SRCH base=" ou=People,dc=sorbonne,dc=fr" scope=1 filter="(&(objectClass=posixAccount)(uid=alain.lierre))" attrs="cn uid uidNumber gidNumber gecos description homeDirectory loginShell"
[24/Feb/2006:11:57:53 +0100] conn=2311 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[24/Feb/2006:11:57:53 +0100] conn=2310 op=2 UNBIND
[24/Feb/2006:11:57:53 +0100] conn=2310 op=2 fd=65 closed - U1
[24/Feb/2006:11:57:53 +0100] conn=2309 op=2 UNBIND
[24/Feb/2006:11:57:53 +0100] conn=2309 op=2 fd=64 closed - U1
[24/Feb/2006:11:57:53 +0100] conn=2311 op=2 UNBIND
[24/Feb/2006:11:57:53 +0100] conn=2311 op=2 fd=66 closed - U1
[24/Feb/2006:11:57:53 +0100] conn=2310 op=1 RESULT err=4 tag=101 nentries=0 etime=2 notes=U
[24/Feb/2006:11:58:01 +0100] conn=2312 fd=64 slot=64 connection from 195.220.107.251 to 195.220.107.251
[24/Feb/2006:11:58:01 +0100] conn=2312 op=0 BIND dn="cn=proxyagent,ou=profile,dc=sorbonne,dc=fr" method=128 version=3
[24/Feb/2006:11:58:01 +0100] conn=2312 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=proxyagent,ou=profile,dc=sorbonne,dc=fr"
[24/Feb/2006:11:58:01 +0100] conn=2312 op=1 SRCH base=" ou=People,dc=sorbonne,dc=fr" scope=1 filter="(&(objectClass=posixAccount)(uid=mailnull))" attrs="cn uid uidNumber gidNumber gecos description homeDirectory loginShell"
[24/Feb/2006:11:58:01 +0100] conn=2312 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[24/Feb/2006:11:58:01 +0100] conn=2313 fd=65 slot=65 connection from 195.220.107.251 to 195.220.107.251
[24/Feb/2006:11:58:01 +0100] conn=2312 op=2 UNBIND
[24/Feb/2006:11:58:01 +0100] conn=2312 op=2 fd=64 closed - U1
[24/Feb/2006:11:58:01 +0100] conn=2313 op=0 BIND dn="cn=proxyagent,ou=profile,dc=sorbonne,dc=fr" method=128 version=3
[24/Feb/2006:11:58:01 +0100] conn=2313 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=proxyagent,ou=profile,dc=sorbonne,dc=fr"
[24/Feb/2006:11:58:01 +0100] conn=2313 op=1 SRCH base=" ou=People,dc=sorbonne,dc=fr" scope=1 filter="(&(objectClass=posixAccount)(uid=sendmail))" attrs="cn uid uidNumber gidNumber gecos description homeDirectory loginShell"
[24/Feb/2006:11:58:01 +0100] conn=2313 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[24/Feb/2006:11:58:01 +0100] conn=2313 op=2 UNBIND
[24/Feb/2006:11:58:01 +0100] conn=2313 op=2 fd=65 closed - U1
[24/Feb/2006:11:58:01 +0100] conn=2314 fd=64 slot=64 connection from 195.220.107.251 to 195.220.107.251
[24/Feb/2006:11:58:01 +0100] conn=2314 op=0 BIND dn="" method=128 version=2
[24/Feb/2006:11:58:01 +0100] conn=2314 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[24/Feb/2006:11:58:01 +0100] conn=2314 op=1 SRCH base="dc=sorbonne,dc=fr" scope=2 filter="(&(objectClass=sendmailMTAAliasObject)(sendmailMTAAliasGrouping=revaliases)(|(sendmailMTACluster=)(sendmailMTAHost=sorbon2.sorbonne.fr))(sendmailMTAKey=root))" attrs="sendmailMTAAliasValue"
[24/Feb/2006:11:58:02 +0100] conn=2315 fd=65 slot=65 connection from 195.220.107.251 to 195.220.107.251
[24/Feb/2006:11:58:02 +0100] conn=2315 op=0 BIND dn="" method=128 version=2
[24/Feb/2006:11:58:02 +0100] conn=2315 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[24/Feb/2006:11:58:02 +0100] conn=2315 op=1 SRCH base="dc=sorbonne, dc=fr" scope=2 filter="(&(objectClass=sendmailMTAAliasObject)(sendmailMTAAliasGrouping=aliases)(|(sendmailMTACluster=)(sendmailMTAHost=sorbon2.sorbonne.fr))(sendmailMTAKey=basile.mathieu))" attrs="sendmailMTAAliasValue"
[24/Feb/2006:11:58:03 +0100] conn=2314 op=1 RESULT err=4 tag=101 nentries=28 etime=2 notes=U
[24/Feb/2006:11:58:04 +0100] conn=2315 op=2 SRCH base="dc=sorbonne, dc=fr" scope=2 filter="(&(objectClass=sendmailMTAAliasObject)(sendmailMTAAliasGrouping=aliases)(|(sendmailMTACluster=)(sendmailMTAHost=sorbon2.sorbonne.fr))(sendmailMTAKey=bmathieu))" attrs="sendmailMTAAliasValue"
[24/Feb/2006:11:58:04 +0100] conn=2315 op=1 RESULT err=4 tag=101 nentries=1 etime=2 notes=U
[24/Feb/2006:11:58:05 +0100] conn=2316 fd=66 slot=66 connection from 195.220.107.251 to 195.220.107.251
[24/Feb/2006:11:58:05 +0100] conn=2316 op=0 BIND dn="cn=proxyagent,ou=profile,dc=sorbonne,dc=fr" method=128 version=3
[24/Feb/2006:11:58:05 +0100] conn=2316 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=proxyagent,ou=profile,dc=sorbonne,dc=fr"
[24/Feb/2006:11:58:05 +0100] conn=2316 op=1 SRCH base=" ou=People,dc=sorbonne,dc=fr" scope=1 filter="(&(objectClass=posixAccount)(uid=bmathieu))" attrs="cn uid uidNumber gidNumber gecos description homeDirectory loginShell"
[24/Feb/2006:11:58:05 +0100] conn=2316 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[24/Feb/2006:11:58:05 +0100] conn=2316 op=2 UNBIND
[24/Feb/2006:11:58:05 +0100] conn=2316 op=2 fd=66 closed - U1
[24/Feb/2006:11:58:05 +0100] conn=2315 op=3 SRCH base="dc=sorbonne, dc=fr" scope=2 filter="(&(objectClass=sendmailMTAAliasObject)(sendmailMTAAliasGrouping=aliases)(|(sendmailMTACluster=)(sendmailMTAHost=sorbon2.sorbonne.fr))(sendmailMTAKey=owner-bmathieu))" attrs="sendmailMTAAliasValue"
[24/Feb/2006:11:58:06 +0100] conn=2315 op=2 RESULT err=4 tag=101 nentries=1 etime=2 notes=U
[24/Feb/2006:11:58:07 +0100] conn=2315 op=4 SRCH base="dc=sorbonne, dc=fr" scope=2 filter="(&(objectClass=sendmailMTAAliasObject)(sendmailMTAAliasGrouping=aliases)(|(sendmailMTACluster=)(sendmailMTAHost=sorbon2.sorbonne.fr))(sendmailMTAKey=owner-basile.mathieu))" attrs="sendmailMTAAliasValue"
[24/Feb/2006:11:58:07 +0100] conn=2315 op=3 RESULT err=4 tag=101 nentries=0 etime=2 notes=U
[24/Feb/2006:11:58:08 +0100] conn=2315 op=5 UNBIND
[24/Feb/2006:11:58:08 +0100] conn=2315 op=5 fd=65 closed - U1
[24/Feb/2006:11:58:08 +0100] conn=2314 op=2 UNBIND
[24/Feb/2006:11:58:08 +0100] conn=2314 op=2 fd=64 closed - U1
[24/Feb/2006:11:58:08 +0100] conn=2315 op=4 RESULT err=4 tag=101 nentries=0 etime=1 notes=U

Thanks for help,
basile

From basile.mathieu at siris.sorbonne.fr Fri Feb 24 11:30:12 2006
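The FDS access log in the post above shows the sendmail alias lookups running over an anonymous LDAPv2 bind (dn=""), unindexed (notes=U) and ending in err=4, which is LDAP sizeLimitExceeded. This added example (not code from the thread or from Fedora DS) correlates SRCH records with their RESULT by (conn, op), which matters because the RESULT lines arrive out of order, and reports searches with any of those three properties; the sample records are abridged from the log quoted in the post.

```python
"""Audit a Fedora DS / 389 access log for searches worth a second look.

A search is reported when it ran unindexed (notes=U), ended in a non-zero
err (4 is sizeLimitExceeded), or was issued on a connection whose last
successful BIND was anonymous (dn="").
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Records abridged from the access log quoted in the post: the anonymous
# LDAPv2 alias lookups (conn=2309, conn=2310) and one proxyagent lookup
# (conn=2311). Nothing but the selection has been changed.
SAMPLE_LOG = """\
[24/Feb/2006:11:57:50 +0100] conn=2309 fd=64 slot=64 connection from 195.220.107.251 to 195.220.107.251
[24/Feb/2006:11:57:50 +0100] conn=2309 op=0 BIND dn="" method=128 version=2
[24/Feb/2006:11:57:50 +0100] conn=2309 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[24/Feb/2006:11:57:50 +0100] conn=2309 op=1 SRCH base="dc=sorbonne,dc=fr" scope=2 filter="(&(objectClass=sendmailMTAAliasObject)(sendmailMTAAliasGrouping=revaliases)(|(sendmailMTACluster=)(sendmailMTAHost=sorbon2.sorbonne.fr))(sendmailMTAKey=root))" attrs="sendmailMTAAliasValue"
[24/Feb/2006:11:57:51 +0100] conn=2310 fd=65 slot=65 connection from 195.220.107.251 to 195.220.107.251
[24/Feb/2006:11:57:51 +0100] conn=2310 op=0 BIND dn="" method=128 version=2
[24/Feb/2006:11:57:51 +0100] conn=2310 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[24/Feb/2006:11:57:51 +0100] conn=2310 op=1 SRCH base="dc=sorbonne, dc=fr" scope=2 filter="(&(objectClass=sendmailMTAAliasObject)(sendmailMTAAliasGrouping=aliases)(|(sendmailMTACluster=)(sendmailMTAHost=sorbon2.sorbonne.fr))(sendmailMTAKey=alain.lierre))" attrs="sendmailMTAAliasValue"
[24/Feb/2006:11:57:52 +0100] conn=2309 op=1 RESULT err=4 tag=101 nentries=28 etime=2 notes=U
[24/Feb/2006:11:57:53 +0100] conn=2311 fd=66 slot=66 connection from 195.220.107.251 to 195.220.107.251
[24/Feb/2006:11:57:53 +0100] conn=2311 op=0 BIND dn="cn=proxyagent,ou=profile,dc=sorbonne,dc=fr" method=128 version=3
[24/Feb/2006:11:57:53 +0100] conn=2311 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=proxyagent,ou=profile,dc=sorbonne,dc=fr"
[24/Feb/2006:11:57:53 +0100] conn=2311 op=1 SRCH base=" ou=People,dc=sorbonne,dc=fr" scope=1 filter="(&(objectClass=posixAccount)(uid=alain.lierre))" attrs="cn uid uidNumber gidNumber gecos description homeDirectory loginShell"
[24/Feb/2006:11:57:53 +0100] conn=2311 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[24/Feb/2006:11:57:53 +0100] conn=2310 op=1 RESULT err=4 tag=101 nentries=0 etime=2 notes=U
"""

# Only BIND, SRCH and RESULT records carry what we need; "connection from",
# UNBIND and "closed" lines do not match and are skipped.
REC_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) '
                    r'(?P<kind>BIND|SRCH|RESULT)(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Finding:
    conn: int
    op: int
    bind_dn: Optional[str]    # None: no successful BIND seen on this connection
    base: str
    filter: str
    err: int
    nentries: int
    reasons: List[str] = field(default_factory=list)


def parse_kv(rest: str) -> Dict[str, str]:
    """Turn 'err=4 tag=101 dn="cn=x,dc=y"' into a dict, unquoting values."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in KV_RE.findall(rest)}


def audit_access_log(text: str) -> List[Finding]:
    bind_dn: Dict[int, str] = {}                          # conn -> authenticated dn
    pending_bind: Dict[Tuple[int, int], str] = {}         # (conn, op) -> dn being bound
    pending_srch: Dict[Tuple[int, int], Dict[str, str]] = {}
    findings: List[Finding] = []
    for line in text.splitlines():
        m = REC_RE.match(line)
        if not m:
            continue
        conn, op, kind = int(m["conn"]), int(m["op"]), m["kind"]
        kv = parse_kv(m["rest"])
        if kind == "BIND":
            pending_bind[(conn, op)] = kv.get("dn", "")
        elif kind == "SRCH":
            pending_srch[(conn, op)] = kv
        elif kind == "RESULT":
            err = int(kv.get("err", "0"))
            if (conn, op) in pending_bind:
                dn = pending_bind.pop((conn, op))
                if err == 0:                              # only a successful bind counts
                    bind_dn[conn] = dn
                continue
            srch = pending_srch.pop((conn, op), None)
            if srch is None:
                continue                                  # RESULT of some other op type
            f = Finding(conn, op, bind_dn.get(conn), srch.get("base", ""),
                        srch.get("filter", ""), err, int(kv.get("nentries", "0")))
            if f.bind_dn == "":
                f.reasons.append("anonymous bind")
            elif f.bind_dn is None:
                f.reasons.append("no bind seen")
            if "U" in kv.get("notes", ""):
                f.reasons.append("unindexed (notes=U)")
            if err == 4:
                f.reasons.append("err=4 sizeLimitExceeded")
            elif err != 0:
                f.reasons.append(f"err={err}")
            if f.reasons:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in audit_access_log(SAMPLE_LOG):
        who = "anonymous" if f.bind_dn == "" else (f.bind_dn or "<no bind>")
        print(f"conn={f.conn} op={f.op} bind={who} err={f.err} nentries={f.nentries}: "
              f"{', '.join(f.reasons)}\n    filter={f.filter}")
```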
From: basile.mathieu at siris.sorbonne.fr (basile au siris)
Date: Fri, 24 Feb 2006 12:30:12 +0100
Subject: [Fedora-directory-users] sendmail alias in fds
Message-ID: <43FEEE44.7@siris.sorbonne.fr>

Here is mail.log:

Feb 24 12:25:30 sorbon2 sendmail[2222]: [ID 293258 mail.error] libsldap: Status: 91 Mesg: Error 0
Feb 24 12:25:30 sorbon2 sendmail[2222]: [ID 293258 mail.error] libsldap: Status: 91 Mesg: Bad file number
Feb 24 12:25:30 sorbon2 sendmail[2222]: [ID 293258 mail.error] libsldap: Status: 7 Mesg: Session error no available conn.
Feb 24 12:25:30 sorbon2 sendmail[2222]: [ID 801593 mail.warning] k1OBPLbV002222: forward /dev/null/.forward: World writable directory
Feb 24 12:25:39 sorbon2 sendmail[2223]: [ID 801593 mail.notice] k1OBPavK002223: alain.lierre at sorbon2.sorbonne.fr... User unknown

basile

From logastellus at yahoo.com Fri Feb 24 14:03:48 2006
From: logastellus at yahoo.com (Susan)
Date: Fri, 24 Feb 2006 06:03:48 -0800 (PST)
Subject: [Fedora-directory-users] allowing users to change their own passwords (solaris 10)
In-Reply-To: <43FE40DA.4070906@broadcom.com>
Message-ID: <20060224140348.22749.qmail@web52911.mail.yahoo.com>

Yea, I checked that, it was already set correctly:

-bash-3.00# ls -l /var/ldap/*.db
-rw-r--r-- 1 root root 65536 Feb 22 09:45 /var/ldap/cert8.db
-rw-r--r-- 1 root root 32768 Feb 22 09:45 /var/ldap/key3.db
-rw-r--r-- 1 root root 32768 Feb 22 09:38 /var/ldap/secmod.db
-bash-3.00# ls -ld /var/ldap/
drwxr-xr-x 3 root sys 512 Feb 22 09:49 /var/ldap/

and ldapsearch -Z works fine, as non-root. The strange thing is that in the pam debug log, I see this:

Feb 24 08:52:03 unknown passwd[1227]: [ID 293258 user.warning] libsldap: Status: 91 Mesg: openConnection: failed to initialize TLS security (An I/O error occurred during security authorization.)
Feb 24 08:52:03 unknown passwd[1227]: [ID 292100 user.warning] libsldap: could not remove ldap-serv from servers list
Feb 24 08:52:03 unknown passwd[1227]: [ID 293258 user.warning] libsldap: Status: 7 Mesg: Session error no available conn.
Feb 24 08:52:03 unknown passwd[1227]: [ID 993883 user.debug] passwd_auth: __user_to_authenticate returned 13
Feb 24 08:52:03 unknown passwd[1227]: [ID 238438 auth.debug] PAM[1227]: pam_authenticate(29748, 0): error No account present for user
Feb 24 08:52:03 unknown passwd[1227]: [ID 285619 auth.debug] ldap pam_sm_authenticate(passwd test), flags = 0
Feb 24 08:52:03 unknown passwd[1227]: [ID 647000 auth.debug] ldap pam_sm_authenticate(passwd test), AUTHTOK not set
Feb 24 08:52:03 unknown passwd[1227]: [ID 238438 auth.debug] PAM[1227]: pam_authenticate(29748, 0): error Authentication failed

Several things stand out. 1st, the TLS business. If root works, why wouldn't non-root users work also?? 2nd, what does it mean "error No account present for user"?? Is it trying to change the local password? Even though I explicitly say passwd -r ldap? 3rd, why is it trying to remove my FDS server from some list, and what is that list?

I'm thinking that before letting me change my password, it's trying to make me enter my current password and bombs immediately:

passwd_auth: __user_to_authenticate returned 13

So... I'm kind of stuck here... Thank you, guys.

--- George Holbert wrote:

> Ah yes,
>
> Check permission on /var/ldap/cert7.db and /var/ldap/key3.db.
>
> They should be mode 644.
>
> Pete Rowley wrote:
> > Susan wrote:
> >
> >> Why would it fail to initialize TLS security? root works fine... Is
> >> there an env var I'm
> >> missing?
> >>
> > Permissions for local files? Try getting a TLS ldapsearch to work first.

From basile.mathieu at siris.sorbonne.fr Fri Feb 24 14:53:49 2006
From: basile.mathieu at siris.sorbonne.fr (basile au siris)
Date: Fri, 24 Feb 2006 15:53:49 +0100
Subject: [Fedora-directory-users] sendmail alias in fds
Message-ID: <43FF1DFD.2050904@siris.sorbonne.fr>

I explain our strange problem a little more.

We have a top-level domain sorbonne.fr, and domains under this one like siris.sorbonne.fr or etab.sorbonne.fr.

Aliases work for domain siris and not for the others (and not for the top-level sorbonne).

I delete domain siris, and the aliases work for other domains, but not for all.

What happens is that sendmail searches the sendmailMTAKey, gets the sendmailMTAAliasValue, then searches this value as key, and then searches this value as uid.

When it doesn't work, it doesn't search the value as key, and just searches the alias as uid, which doesn't exist.

Example:

key=basile.mathieu
search key=basile.mathieu, attrs=value
obtain bmathieu
search key=bmathieu, attrs=value
obtain bmathieu
search uid=bmathieu
works

key=toto.exemple
search key=toto.exemple, attrs=value
search uid=toto.exemple
does not find
doesn't work

It's very strange.

From rmeggins at redhat.com Fri Feb 24 15:09:53 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 24 Feb 2006 08:09:53 -0700
Subject: [Fedora-directory-users] sendmail alias in fds
In-Reply-To: <43FEEB1F.1060801@siris.sorbonne.fr>
References: <43FEEB1F.1060801@siris.sorbonne.fr>
Message-ID: <43FF21C1.3050409@redhat.com>

basile au siris wrote:
> hi
> i try to use sendmail with sendmail alias in fds and have problems
> here are definitions of alias
>
> dn: sendmailMTAKey=Basile.Mathieu,dc=siris,dc=sorbonne,dc=fr
> sendmailMTAAliasGrouping: aliases
> sendmailMTAAliasGrouping: revaliases
> sendmailMTAHost: sorbon2.sorbonne.fr
> sendmailMTAKey: Basile.Mathieu
> sendmailMTAAliasValue: bmathieu
> objectClass: top
> objectClass: sendmailMTA
> objectClass: sendmailMTAAlias
> objectClass: sendmailMTAAliasObject
>
> dn: sendmailMTAKey=bmathieu,dc=siris,dc=sorbonne,dc=fr
> sendmailMTAAliasGrouping: aliases
> sendmailMTAAliasGrouping: revaliases
> sendmailMTAHost: sorbon2.sorbonne.fr
> sendmailMTAKey: bmathieu
> sendmailMTAAliasValue: bmathieu
> objectClass: top
> objectClass: sendmailMTA
> objectClass: sendmailMTAAlias
> objectClass: sendmailMTAAliasObject
>
> dn: sendmailMTAKey=Alain.Lierre,dc=paris4,dc=sorbonne,dc=fr
> sendmailMTAAliasGrouping: aliases
> sendmailMTAAliasGrouping: revaliases
> sendmailMTAHost: sorbon2.sorbonne.fr
> sendmailMTAKey: Alain.Lierre
> sendmailMTAAliasValue: alierre
> objectClass: top
> objectClass: sendmailMTA
> objectClass: sendmailMTAAlias
> objectClass: sendmailMTAAliasObject
>
> dn: sendmailMTAKey=alierre,dc=paris4,dc=sorbonne,dc=fr
> sendmailMTAAliasGrouping: aliases
> sendmailMTAAliasGrouping: revaliases
> sendmailMTAHost: sorbon2.sorbonne.fr
> sendmailMTAKey: alierre
> sendmailMTAAliasValue: alierre
> objectClass: top
> objectClass: sendmailMTA
> objectClass: sendmailMTAAlias
> objectClass: sendmailMTAAliasObject
>
>
> here i test email with sendmail
>
> #/usr/lib/sendmail -bv -C /etc/mail/sendmail-tx.cf Alain.Lierre at sorbon2.sorbonne.fr
> Alain.Lierre at sorbon2.sorbonne.fr... User unknown sorbon2
> # /usr/lib/sendmail -bv -C /etc/mail/sendmail-tx.cf Basile.mathieu at sorbon2.sorbonne.fr
> bmathieu... deliverable: mailer local, user bmathieu
>
> why is the first alias not recognized?
> users bmathieu and alierre are defined
> search base is dc=sorbonne,dc=fr
>
> and here are the logs of fds
>
> [24/Feb/2006:11:57:50 +0100] conn=2307 fd=64 slot=64 connection from 195.220.107.251 to 195.220.107.251
> [24/Feb/2006:11:57:50 +0100] conn=2307 op=0 BIND dn="cn=proxyagent,ou=profile,dc=sorbonne,dc=fr" method=128 version=3
> [24/Feb/2006:11:57:50 +0100] conn=2307 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=proxyagent,ou=profile,dc=sorbonne,dc=fr"
> [24/Feb/2006:11:57:50 +0100] conn=2307 op=1 SRCH base="ou=People,dc=sorbonne,dc=fr" scope=1 filter="(&(objectClass=posixAccount)(uid=mailnull))" attrs="cn uid uidNumber gidNumber gecos description homeDirectory loginShell"
> [24/Feb/2006:11:57:50 +0100] conn=2307 op=1 RESULT err=0 tag=101 nentries=0 etime=0
> [24/Feb/2006:11:57:50 +0100] conn=2307 op=2 UNBIND
> [24/Feb/2006:11:57:50 +0100] conn=2307 op=2 fd=64 closed - U1
> [24/Feb/2006:11:57:50 +0100] conn=2308 fd=65 slot=65 connection from 195.220.107.251 to 195.220.107.251
> [24/Feb/2006:11:57:50 +0100] conn=2308 op=0 BIND dn="cn=proxyagent,ou=profile,dc=sorbonne,dc=fr" method=128 version=3
> [24/Feb/2006:11:57:50 +0100] conn=2308 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=proxyagent,ou=profile,dc=sorbonne,dc=fr"
> [24/Feb/2006:11:57:50 +0100] conn=2308 op=1 SRCH base="ou=People,dc=sorbonne,dc=fr" scope=1 filter="(&(objectClass=posixAccount)(uid=sendmail))" attrs="cn uid uidNumber gidNumber gecos description homeDirectory loginShell"
> [24/Feb/2006:11:57:50 +0100] conn=2308 op=1 RESULT err=0 tag=101 nentries=0 etime=0
> [24/Feb/2006:11:57:50 +0100] conn=2308 op=2 UNBIND
> [24/Feb/2006:11:57:50 +0100] conn=2308 op=2 fd=65 closed - U1
> [24/Feb/2006:11:57:50 +0100] conn=2309 fd=64 slot=64 connection from 195.220.107.251 to 195.220.107.251
> [24/Feb/2006:11:57:50 +0100] conn=2309 op=0 BIND dn="" method=128 version=2
> [24/Feb/2006:11:57:50 +0100] conn=2309 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
> [24/Feb/2006:11:57:50 +0100] conn=2309 op=1 SRCH base="dc=sorbonne,dc=fr" scope=2 filter="(&(objectClass=sendmailMTAAliasObject)(sendmailMTAAliasGrouping=revaliases)(|(sendmailMTACluster=)(sendmailMTAHost=sorbon2.sorbonne.fr))(sendmailMTAKey=root))" attrs="sendmailMTAAliasValue"
> [24/Feb/2006:11:57:51 +0100] conn=2310 fd=65 slot=65 connection from 195.220.107.251 to 195.220.107.251
> [24/Feb/2006:11:57:51 +0100] conn=2310 op=0 BIND dn="" method=128 version=2
> [24/Feb/2006:11:57:51 +0100] conn=2310 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
> [24/Feb/2006:11:57:51 +0100] conn=2310 op=1 SRCH base="dc=sorbonne,dc=fr" scope=2 filter="(&(objectClass=sendmailMTAAliasObject)(sendmailMTAAliasGrouping=aliases)(|(sendmailMTACluster=)(sendmailMTAHost=sorbon2.sorbonne.fr))(sendmailMTAKey=alain.lierre))" attrs="sendmailMTAAliasValue"
> [24/Feb/2006:11:57:52 +0100] conn=2309 op=1 RESULT err=4 tag=101 nentries=28 etime=2 notes=U
> [24/Feb/2006:11:57:53 +0100] conn=2311 fd=66 slot=66 connection from 195.220.107.251 to 195.220.107.251
> [24/Feb/2006:11:57:53 +0100] conn=2311 op=0 BIND dn="cn=proxyagent,ou=profile,dc=sorbonne,dc=fr" method=128 version=3
> [24/Feb/2006:11:57:53 +0100] conn=2311 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=proxyagent,ou=profile,dc=sorbonne,dc=fr"
> [24/Feb/2006:11:57:53 +0100] conn=2311 op=1 SRCH base="ou=People,dc=sorbonne,dc=fr" scope=1 filter="(&(objectClass=posixAccount)(uid=alain.lierre))" attrs="cn uid uidNumber gidNumber gecos description homeDirectory loginShell"
> [24/Feb/2006:11:57:53 +0100] conn=2311 op=1 RESULT err=0 tag=101 nentries=0 etime=0
> [24/Feb/2006:11:57:53 +0100] conn=2310 op=2 UNBIND
> [24/Feb/2006:11:57:53 +0100] conn=2310 op=2 fd=65 closed - U1
> [24/Feb/2006:11:57:53 +0100] conn=2309 op=2 UNBIND
> [24/Feb/2006:11:57:53 +0100] conn=2309 op=2 fd=64 closed - U1
> [24/Feb/2006:11:57:53 +0100] conn=2311 op=2 UNBIND
> [24/Feb/2006:11:57:53 +0100] conn=2311 op=2 fd=66 closed - U1
> [24/Feb/2006:11:57:53 +0100] conn=2310 op=1 RESULT err=4 tag=101 nentries=0 etime=2 notes=U
> [24/Feb/2006:11:58:01 +0100] conn=2312 fd=64 slot=64 connection from 195.220.107.251 to 195.220.107.251
> [24/Feb/2006:11:58:01 +0100] conn=2312 op=0 BIND dn="cn=proxyagent,ou=profile,dc=sorbonne,dc=fr" method=128 version=3
> [24/Feb/2006:11:58:01 +0100] conn=2312 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=proxyagent,ou=profile,dc=sorbonne,dc=fr"
> [24/Feb/2006:11:58:01 +0100] conn=2312 op=1 SRCH base="ou=People,dc=sorbonne,dc=fr" scope=1 filter="(&(objectClass=posixAccount)(uid=mailnull))" attrs="cn uid uidNumber gidNumber gecos description homeDirectory loginShell"
> [24/Feb/2006:11:58:01 +0100] conn=2312 op=1 RESULT err=0 tag=101 nentries=0 etime=0
> [24/Feb/2006:11:58:01 +0100] conn=2313 fd=65 slot=65 connection from 195.220.107.251 to 195.220.107.251
> [24/Feb/2006:11:58:01 +0100] conn=2312 op=2 UNBIND
> [24/Feb/2006:11:58:01 +0100] conn=2312 op=2 fd=64 closed - U1
> [24/Feb/2006:11:58:01 +0100] conn=2313 op=0 BIND dn="cn=proxyagent,ou=profile,dc=sorbonne,dc=fr" method=128 version=3
> [24/Feb/2006:11:58:01 +0100] conn=2313 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=proxyagent,ou=profile,dc=sorbonne,dc=fr"
> [24/Feb/2006:11:58:01 +0100] conn=2313 op=1 SRCH base="ou=People,dc=sorbonne,dc=fr" scope=1 filter="(&(objectClass=posixAccount)(uid=sendmail))" attrs="cn uid uidNumber gidNumber gecos description homeDirectory loginShell"
> [24/Feb/2006:11:58:01 +0100] conn=2313 op=1 RESULT err=0 tag=101 nentries=0 etime=0
> [24/Feb/2006:11:58:01 +0100] conn=2313 op=2 UNBIND
> [24/Feb/2006:11:58:01 +0100] conn=2313 op=2 fd=65 closed - U1
> [24/Feb/2006:11:58:01 +0100] conn=2314 fd=64 slot=64 connection from 195.220.107.251 to 195.220.107.251
> [24/Feb/2006:11:58:01 +0100] conn=2314 op=0 BIND dn="" method=128 version=2
> [24/Feb/2006:11:58:01 +0100] conn=2314 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
> [24/Feb/2006:11:58:01 +0100] conn=2314 op=1 SRCH base="dc=sorbonne,dc=fr" scope=2 filter="(&(objectClass=sendmailMTAAliasObject)(sendmailMTAAliasGrouping=revaliases)(|(sendmailMTACluster=)(sendmailMTAHost=sorbon2.sorbonne.fr))(sendmailMTAKey=root))" attrs="sendmailMTAAliasValue"
> [24/Feb/2006:11:58:02 +0100] conn=2315 fd=65 slot=65 connection from 195.220.107.251 to 195.220.107.251
> [24/Feb/2006:11:58:02 +0100] conn=2315 op=0 BIND dn="" method=128 version=2
> [24/Feb/2006:11:58:02 +0100] conn=2315 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
> [24/Feb/2006:11:58:02 +0100] conn=2315 op=1 SRCH base="dc=sorbonne,dc=fr" scope=2 filter="(&(objectClass=sendmailMTAAliasObject)(sendmailMTAAliasGrouping=aliases)(|(sendmailMTACluster=)(sendmailMTAHost=sorbon2.sorbonne.fr))(sendmailMTAKey=basile.mathieu))" attrs="sendmailMTAAliasValue"
> [24/Feb/2006:11:58:03 +0100] conn=2314 op=1 RESULT err=4 tag=101 nentries=28 etime=2 notes=U
> [24/Feb/2006:11:58:04 +0100] conn=2315 op=2 SRCH base="dc=sorbonne,dc=fr" scope=2 filter="(&(objectClass=sendmailMTAAliasObject)(sendmailMTAAliasGrouping=aliases)(|(sendmailMTACluster=)(sendmailMTAHost=sorbon2.sorbonne.fr))(sendmailMTAKey=bmathieu))" attrs="sendmailMTAAliasValue"
> [24/Feb/2006:11:58:04 +0100] conn=2315 op=1 RESULT err=4 tag=101 nentries=1 etime=2 notes=U
> [24/Feb/2006:11:58:05 +0100] conn=2316 fd=66 slot=66 connection from 195.220.107.251 to 195.220.107.251
> [24/Feb/2006:11:58:05 +0100] conn=2316 op=0 BIND dn="cn=proxyagent,ou=profile,dc=sorbonne,dc=fr" method=128 version=3
> [24/Feb/2006:11:58:05 +0100] conn=2316 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=proxyagent,ou=profile,dc=sorbonne,dc=fr"
> [24/Feb/2006:11:58:05 +0100] conn=2316 op=1 SRCH base="ou=People,dc=sorbonne,dc=fr" scope=1 filter="(&(objectClass=posixAccount)(uid=bmathieu))" attrs="cn uid uidNumber gidNumber gecos description homeDirectory loginShell"
> [24/Feb/2006:11:58:05 +0100] conn=2316 op=1 RESULT err=0 tag=101 nentries=1 etime=0
> [24/Feb/2006:11:58:05 +0100] conn=2316 op=2 UNBIND
> [24/Feb/2006:11:58:05 +0100] conn=2316 op=2 fd=66 closed - U1
> [24/Feb/2006:11:58:05 +0100] conn=2315 op=3 SRCH base="dc=sorbonne,dc=fr" scope=2 filter="(&(objectClass=sendmailMTAAliasObject)(sendmailMTAAliasGrouping=aliases)(|(sendmailMTACluster=)(sendmailMTAHost=sorbon2.sorbonne.fr))(sendmailMTAKey=owner-bmathieu))" attrs="sendmailMTAAliasValue"
> [24/Feb/2006:11:58:06 +0100] conn=2315 op=2 RESULT err=4 tag=101 nentries=1 etime=2 notes=U
> [24/Feb/2006:11:58:07 +0100] conn=2315 op=4 SRCH base="dc=sorbonne,dc=fr" scope=2 filter="(&(objectClass=sendmailMTAAliasObject)(sendmailMTAAliasGrouping=aliases)(|(sendmailMTACluster=)(sendmailMTAHost=sorbon2.sorbonne.fr))(sendmailMTAKey=owner-basile.mathieu))" attrs="sendmailMTAAliasValue"
> [24/Feb/2006:11:58:07 +0100] conn=2315 op=3 RESULT err=4 tag=101 nentries=0 etime=2 notes=U

1) err=4 is LDAP_SIZELIMIT_EXCEEDED - in this case, probably a look through limit problem due to 2) below
2) notes=U means unindexed search
3) (sendmailMTACluster=) is an invalid search filter

I'm not sure where the bad search filter is coming from, but you should index the attributes sendmailMTAAliasGrouping, sendmailMTACluster, sendmailMTAHost, sendmailMTAKey, and any other attrs that sendmail may search on.
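The three things Richard reads off the access log (err=4, notes=U, and the empty `(sendmailMTACluster=)` component) can be checked mechanically. The following Python is an added example, not code from this thread or from Fedora Directory Server: it pairs SRCH and RESULT lines by (conn, op), which is necessary because results from different connections interleave, flags those three conditions, and lists the filter attributes touched by unindexed searches, which is the indexing list Richard recommends. The sample log is constructed from the lines quoted above, and treating objectClass as already indexed is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample, modelled on the access log quoted in the thread: two anonymous
# sendmail alias lookups (the second still running when the sample ends) and one
# nss_ldap posixAccount lookup. RESULT lines arrive out of order across connections.
SAMPLE_LOG = """\
[24/Feb/2006:11:57:50 +0100] conn=2309 op=1 SRCH base="dc=sorbonne,dc=fr" scope=2 filter="(&(objectClass=sendmailMTAAliasObject)(sendmailMTAAliasGrouping=revaliases)(|(sendmailMTACluster=)(sendmailMTAHost=sorbon2.sorbonne.fr))(sendmailMTAKey=root))" attrs="sendmailMTAAliasValue"
[24/Feb/2006:11:57:51 +0100] conn=2310 op=1 SRCH base="dc=sorbonne,dc=fr" scope=2 filter="(&(objectClass=sendmailMTAAliasObject)(sendmailMTAAliasGrouping=aliases)(|(sendmailMTACluster=)(sendmailMTAHost=sorbon2.sorbonne.fr))(sendmailMTAKey=alain.lierre))" attrs="sendmailMTAAliasValue"
[24/Feb/2006:11:57:52 +0100] conn=2309 op=1 RESULT err=4 tag=101 nentries=28 etime=2 notes=U
[24/Feb/2006:11:57:53 +0100] conn=2311 op=1 SRCH base="ou=People,dc=sorbonne,dc=fr" scope=1 filter="(&(objectClass=posixAccount)(uid=alain.lierre))" attrs="cn uid uidNumber gidNumber"
[24/Feb/2006:11:57:53 +0100] conn=2311 op=1 RESULT err=0 tag=101 nentries=0 etime=0
"""

SRCH_RE = re.compile(
    r'^\[[^\]]+\] conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH base="(?P<base>[^"]*)" '
    r'scope=(?P<scope>\d) filter="(?P<filter>[^"]*)"')
RESULT_RE = re.compile(
    r'^\[[^\]]+\] conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+) tag=\d+ '
    r'nentries=(?P<nentries>\d+) etime=(?P<etime>\d+)(?: notes=(?P<notes>[A-Za-z,]+))?')
# An equality component with an empty assertion value, e.g. (sendmailMTACluster=).
# A presence filter is written (attr=*), so it does not match here.
EMPTY_VALUE_RE = re.compile(r'\((?P<attr>[A-Za-z][\w.;-]*)=\)')
# Every attribute named on the left-hand side of a comparison inside a filter.
FILTER_ATTR_RE = re.compile(r'\((?P<attr>[A-Za-z][\w.;-]*)(?:~=|>=|<=|=)')
# Assumption: objectClass already carries an equality index, so it is never suggested.
ALREADY_INDEXED = {"objectclass"}
LDAP_SIZELIMIT_EXCEEDED = 4


@dataclass
class Search:
    conn: int
    op: int
    base: str
    scope: int
    filter_str: str
    err: Optional[int] = None        # None until the matching RESULT line is seen
    nentries: Optional[int] = None
    etime: Optional[int] = None
    notes: str = ""

    @property
    def completed(self) -> bool:
        return self.err is not None

    @property
    def unindexed(self) -> bool:
        return "U" in self.notes.split(",")

    @property
    def empty_value_attrs(self) -> List[str]:
        return [m["attr"] for m in EMPTY_VALUE_RE.finditer(self.filter_str)]

    def problems(self) -> List[str]:
        out: List[str] = []
        if not self.completed:
            out.append("no RESULT yet")
        if self.err == LDAP_SIZELIMIT_EXCEEDED:
            out.append("err=4 LDAP_SIZELIMIT_EXCEEDED")
        if self.unindexed:
            out.append("notes=U unindexed search")
        out.extend(f"empty assertion value ({a}=)" for a in self.empty_value_attrs)
        return out


def analyze(log_text: str) -> List[Search]:
    """Pair SRCH and RESULT lines by (conn, op); results may arrive out of order."""
    searches: Dict[Tuple[int, int], Search] = {}
    for line in log_text.splitlines():
        m = SRCH_RE.match(line)
        if m:
            key = (int(m["conn"]), int(m["op"]))
            searches[key] = Search(key[0], key[1], m["base"], int(m["scope"]), m["filter"])
            continue
        m = RESULT_RE.match(line)
        if m:
            s = searches.get((int(m["conn"]), int(m["op"])))
            if s is None:        # RESULT of a BIND or of a search outside the excerpt
                continue
            s.err, s.nentries, s.etime = int(m["err"]), int(m["nentries"]), int(m["etime"])
            s.notes = m["notes"] or ""
    return list(searches.values())


def index_candidates(searches: List[Search]) -> Set[str]:
    """Attributes used by unindexed searches that are not known to be indexed already."""
    attrs: Set[str] = set()
    for s in searches:
        if s.unindexed:
            attrs.update(m["attr"] for m in FILTER_ATTR_RE.finditer(s.filter_str)
                         if m["attr"].lower() not in ALREADY_INDEXED)
    return attrs


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for s in found:
        print(f"conn={s.conn} op={s.op} nentries={s.nentries} filter={s.filter_str}")
        for p in s.problems():
            print("    ", p)
    print("suggest indexing:", sorted(index_candidates(found)))
```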
> [24/Feb/2006:11:58:08 +0100] conn=2315 op=5 UNBIND
> [24/Feb/2006:11:58:08 +0100] conn=2315 op=5 fd=65 closed - U1
> [24/Feb/2006:11:58:08 +0100] conn=2314 op=2 UNBIND
> [24/Feb/2006:11:58:08 +0100] conn=2314 op=2 fd=64 closed - U1
> [24/Feb/2006:11:58:08 +0100] conn=2315 op=4 RESULT err=4 tag=101 nentries=0 etime=1 notes=U
>
> thanks for help
> basile

From kimmo.koivisto at surfeu.fi Fri Feb 24 17:03:11 2006
From: kimmo.koivisto at surfeu.fi (Kimmo Koivisto)
Date: Fri, 24 Feb 2006 19:03:11 +0200
Subject: [Fedora-directory-users] Admin console and problem with allowed ip/host, can't log in anymore :=)
Message-ID: <200602241903.11779.kimmo.koivisto@surfeu.fi>

Hello

I have FDS 1.0.1 installed on RHEL4ES and I managed to deny admin console connections from anywhere :)

I have the domain ton.fi and by default the admin server seems to allow connections only from *.ton.fi. I need to connect to the admin server from anywhere and I thought that I could add * to the allowed host list... I did it with the admin console. After I applied the changes, I could no longer log in to the admin console, even from localhost; the error log says:

[Fri Feb 24 08:41:21 2006] [notice] Access Host filter is: (*.ton.fi|*)
[Fri Feb 24 08:41:21 2006] [notice] Access Address filter is: *
[Fri Feb 24 08:41:22 2006] [notice] Access Host filter is: (*.ton.fi|*)
[Fri Feb 24 08:41:22 2006] [notice] Access Address filter is: *
[Fri Feb 24 08:41:22 2006] [notice] Apache/2.0 configured -- resuming normal operations
[Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1] admserv_host_ip_check: ap_get_remote_host could not resolve 127.0.0.1
[Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1] admserv_host_ip_check: host [ldap2.ton.fi] did not match pattern [(*.ton.fi|*)] -will scan aliases
[Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1] admserv_host_ip_check: host alias [ldap2] did not match pattern [(*.ton.fi|*)]
[Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1] admserv_host_ip_check: host alias [localhost.localdomain] did not match pattern [(*.ton.fi|*)]
[Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1] admserv_host_ip_check: host alias [localhost] did not match pattern [(*.ton.fi|*)]
[Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1] admserv_host_ip_check: host alias [ldapsrv] did not match pattern [(*.ton.fi|*)]
[Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1] admserv_host_ip_check: host alias [*] did not match pattern [(*.ton.fi|*)]
[Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1] admserv_host_ip_check: Unauthorized host ip=127.0.0.1, connection

I tried to modify local.conf but it is always overwritten when I restart the admin server. How do I remove that * from the settings, and what is the proper way to allow connections to the admin server from anywhere? Admin connections are restricted with IPsec, so FDS can allow it from anywhere; no problems with security.

I was able to migrate from IBM LDAP to FDS and I'm really happy. I did not like IBM's multimaster replication, too many problems, and I did not know where to get support. FDS and mmr just work. Thanks for the great product :)

Best Regards
Kimmo Koivisto

From rmeggins at redhat.com Fri Feb 24 17:12:23 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 24 Feb 2006 10:12:23 -0700
Subject: [Fedora-directory-users] Admin console and problem with allowed ip/host, can't log in anymore :=)
In-Reply-To: <200602241903.11779.kimmo.koivisto@surfeu.fi>
References: <200602241903.11779.kimmo.koivisto@surfeu.fi>
Message-ID: <43FF3E77.5000901@redhat.com>

Kimmo Koivisto wrote:
> Hello
>
> I have FDS 1.0.1 installed to RHEL4ES and I managed to deny admin console
> connections from anywhere :)
>
> I have domain ton.fi and by default admin server seems to allow connections
> only from *.ton.fi. I need to connect admin server from anywhere and I
> thought that I could add * to the allowed host list... I did it with admin
> console.

This is bug https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=182556 which has been recently fixed. You need to change your host access filter back to simply "*". See http://directory.fedora.redhat.com/wiki/Howto:AdminServerLDAPMgmt for more information.

> After I applied changes, I no longer could log in to the admin console, even
> from localhost, error log says:
>
> [Fri Feb 24 08:41:21 2006] [notice] Access Host filter is: (*.ton.fi|*)
> [Fri Feb 24 08:41:21 2006] [notice] Access Address filter is: *
> [Fri Feb 24 08:41:22 2006] [notice] Access Host filter is: (*.ton.fi|*)
> [Fri Feb 24 08:41:22 2006] [notice] Access Address filter is: *
> [Fri Feb 24 08:41:22 2006] [notice] Apache/2.0 configured -- resuming normal operations
> [Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1] admserv_host_ip_check: ap_get_remote_host could not resolve 127.0.0.1
> [Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1] admserv_host_ip_check: host [ldap2.ton.fi] did not match pattern [(*.ton.fi|*)] -will scan aliases
> [Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1] admserv_host_ip_check: host alias [ldap2] did not match pattern [(*.ton.fi|*)]
> [Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1] admserv_host_ip_check: host alias [localhost.localdomain] did not match pattern [(*.ton.fi|*)]
> [Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1] admserv_host_ip_check: host alias [localhost] did not match pattern [(*.ton.fi|*)]
> [Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1] admserv_host_ip_check: host alias [ldapsrv] did not match pattern [(*.ton.fi|*)]
> [Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1] admserv_host_ip_check: host alias [*] did not match pattern [(*.ton.fi|*)]
> [Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1] admserv_host_ip_check: Unauthorized host ip=127.0.0.1, connection
>
> I tried to modify local.conf but it is always overwritten when I restart admin
> server.

Yep. You have to modify the data in LDAP - local.conf is really just a read-only cache. See http://directory.fedora.redhat.com/wiki/Howto:AdminServerLDAPMgmt

> How to remove that * from the settings and what is the proper way to allow
> connections to admin server from anywhere. Admin connections are restricted
> with IPsec, FDS can allow it from anywhere, no problems with security.
>
> I was able to migrate from IBM LDAP to FDS and I'm really happy. I did not
> like IBM's multimaster replication, too many problems and did not know where
> to get support. FDS and mmr just works.
> Thanks for the great product :)

What version of IBM LDAP were you using? Any problems with data or schema during migration? What were the problems with IBM replication?

> Best Regards
> Kimmo Koivisto

From kimmo.koivisto at surfeu.fi Fri Feb 24 18:05:56 2006
From: kimmo.koivisto at surfeu.fi (Kimmo Koivisto)
Date: Fri, 24 Feb 2006 20:05:56 +0200
Subject: [Fedora-directory-users] Admin console and problem with allowed ip/host, can't log in anymore :=)
In-Reply-To: <43FF3E77.5000901@redhat.com>
References: <200602241903.11779.kimmo.koivisto@surfeu.fi> <43FF3E77.5000901@redhat.com>
Message-ID: <200602242005.56903.kimmo.koivisto@surfeu.fi>

Richard Megginson wrote in a message (sent Friday 24 February 2006 19:12):
> This is bug https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=182556
> which has been recently fixed. You need to change your host access
> filter back to simply "*". See
> http://directory.fedora.redhat.com/wiki/Howto:AdminServerLDAPMgmt for
> more information.

Thank you, editing the configuration via LDAP did the trick.

> > I was able to migrate from IBM LDAP to FDS and I'm really happy. I did not
> > like IBM's multimaster replication, too many problems and did not know
> > where to get support. FDS and mmr just works.
> > Thanks for the great product :)
>
> What version of IBM LDAP were you using? Any problems with data or
> schema during migration? What were the problems with IBM replication?

I had IBM DS 5.2 (I have also had 3.x and 4.x before), also running on RHEL 4. There was not much data and only one objectclass of our own with a couple of attributes, so no problems migrating. Or actually I had minor problems: first I tried to update the schema with ldapadd and ldapmodify without success, and I had a critical environment, not much time to solve problems. Then I just copied my schema file to the schema directory and it worked.

To be honest, I was a little fed up with IBM DS after four years of usage. Sometimes I had a hardware failure in some peer and after it was fixed, that peer could not replicate and I had no skills to fix it. In addition, I have had problems with exporting and importing data with IBM's db2ldif and ldif2db tools; sometimes some data such as group memberships were lost, etc. I had no support for the product, I just had to live with those problems.

Because of my limited skills I need good support and that is one of the main reasons for migrating to FDS. I asked my question Friday night at 7:03 PM and got a working solution 9 minutes later; what commercial support could do better? :)

Thanks again,
Kimmo Koivisto

From sboggs at trustedcs.com Fri Feb 24 18:17:59 2006
From: sboggs at trustedcs.com (Scott Boggs)
Date: Fri, 24 Feb 2006 18:17:59 +0000 (UTC)
Subject: [Fedora-directory-users] dumping the data base
Message-ID:

Hello,

I am attempting to pull the schema of my FDS. I am used to using a command such as 'ldapsearch -x -s base -b "" subschemasubentry' or 'ldapsearch -b "cn=subschema" attributetypes'.

Can anyone shine any light on how my syntax is wrong with these commands? I am trying to pull the subschema to show the various attribute definitions. I am sure I have just missed how to do it in the docs.

Thanks in advance

From logastellus at yahoo.com Fri Feb 24 18:32:18 2006
From: logastellus at yahoo.com (Susan)
Date: Fri, 24 Feb 2006 10:32:18 -0800 (PST)
Subject: [Fedora-directory-users] Admin console and problem with allowed ip/host, can't log in anymore :=)
In-Reply-To: <200602242005.56903.kimmo.koivisto@surfeu.fi>
Message-ID: <20060224183218.12476.qmail@web52913.mail.yahoo.com>

--- Kimmo Koivisto wrote:
> I asked my question friday night 7:03 PM and got working solution 9 minutes
> later, what commercial support could do better :)

It's interesting you say that. I can honestly say I've gotten far, FAR superior help & support from this forum and from the GFS forum than from my paid contracts at HP, EMC, SUN & redhat. Sun has gotten better, HP is kinda OK. Redhat on the phone is not bad but it is atrocious over the web. I've had redhat queries go unacknowledged even for months on end, simply because they were submitted online. I think that's what mgmnt needs to understand. Just because you PAY for something doesn't mean you get it. I've had an acknowledged bug sitting in HP's openview queue since November and there's no sign that anybody's even working on it, despite HP admitting that it's a bug.

Hopefully resistance to open source support can be overcome some day. Right now, there's too much bias against it in prod deployments. Management feels like if there's no salesperson to yell at, nothing will happen.

From mj at sci.fi Fri Feb 24 18:34:20 2006
From: mj at sci.fi (Mike Jackson)
Date: Fri, 24 Feb 2006 20:34:20 +0200
Subject: [Fedora-directory-users] Admin console and problem with allowed ip/host, can't log in anymore :=)
In-Reply-To: <200602242005.56903.kimmo.koivisto@surfeu.fi>
References: <200602241903.11779.kimmo.koivisto@surfeu.fi> <43FF3E77.5000901@redhat.com> <200602242005.56903.kimmo.koivisto@surfeu.fi>
Message-ID: <43FF51AC.60502@sci.fi>

Kimmo Koivisto wrote:
> Because of my limited skills I need good support and that is one of the main
> reasons migrating to FDS.

The documentation is quite good: http://www.redhat.com/docs/manuals/dir-server/

Redhat DS and Fedora DS are the same thing, FDS just gets updated more often... And we usually are pretty friendly on the mailing list, even when the questions are off-topic or FAQs.

> I asked my question friday night 7:03 PM and got working solution 9 minutes
> later, what commercial support could do better :)

I guess you noticed that there are lots of howtos on: http://directory.fedora.redhat.com/wiki/Documentation

We are pretty active on the IRC channel as well: irc://irc.freenode.net/fedora-ds

Welcome to the FDS community :-)

BR,
--
mike

From rmeggins at redhat.com Fri Feb 24 18:56:40 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 24 Feb 2006 11:56:40 -0700
Subject: [Fedora-directory-users] dumping the data base
In-Reply-To:
References:
Message-ID: <43FF56E8.9080902@redhat.com>

Scott Boggs wrote:
> Hello,
>
> I am attempting to pull the schema of my FDS, I am use to using a command such
> as 'ldapsearch -x -s base -b "" subschemasubentry' or 'ldapsearch -b
> "cn=subschema" attributetypes'

You first have to find out what the subschemasubentry suffix is:

ldapsearch -x -s base -b "" subschemasubentry
dn:
subschemasubentry: cn=schema

Then, you can query cn=schema:

ldapsearch -x -s base -b "" attributeTypes objectClasses

> Can anyone shine any light on how my syntax is wrong with these commands. I am
> trying to pull the subschema to show the various attribute definitions.
>
> I am sure I have just missed how to do it in the docs.
>
> Thanks in advance

From rmeggins at redhat.com Fri Feb 24 18:57:10 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 24 Feb 2006 11:57:10 -0700
Subject: [Fedora-directory-users] dumping the data base
In-Reply-To:
References:
Message-ID: <43FF5706.4080907@redhat.com>

Scott Boggs wrote:
> Hello,
>
> I am attempting to pull the schema of my FDS, I am use to using a command such
> as 'ldapsearch -x -s base -b "" subschemasubentry' or 'ldapsearch -b
> "cn=subschema" attributetypes'

You first have to find out what the subschemasubentry suffix is:

ldapsearch -x -s base -b "" subschemasubentry
dn:
subschemasubentry: cn=schema

Then, you can query cn=schema:

ldapsearch -x -s base -b "cn=schema" attributeTypes objectClasses

> Can anyone shine any light on how my syntax is wrong with these commands. I am
> trying to pull the subschema to show the various attribute definitions.
>
> I am sure I have just missed how to do it in the docs.
>
> Thanks in advance

From sboggs at trustedcs.com Fri Feb 24 19:33:40 2006
From: sboggs at trustedcs.com (Scott Boggs)
Date: Fri, 24 Feb 2006 19:33:40 +0000 (UTC)
Subject: [Fedora-directory-users] Re: dumping the data base
References: <43FF5706.4080907@redhat.com>
Message-ID:

Richard Megginson writes:
> You first have to find out what the subschemasubentry suffix is:
> ldapsearch -x -s base -b "" subschemasubentry
> dn:
> subschemasubentry: cn=schema
>
> Then, you can query cn=schema:
> ldapsearch -x -s base -b "cn=schema" attributeTypes objectClasses

I must really be screwing something up. When I type:

ldapsearch -x -s base -b "" subschemasubentry

I get the following error:

ldap search: Bad search filter

When I perform the following search, I get the same error:

ldapsearch -x -s base -b "cn=schema" attributeTypes objectClasses

ldap search: Bad search filter

This FDS is pretty much a basic build, so I have not really changed anything. I am running the ldapsearch command from within the /opt/fedora-ds/shared/bin directory, if that makes any difference.

Thanks much for your advice. I am just trying to pull the definitions for the attributes; I believe this would be the correct method.

From logastellus at yahoo.com Fri Feb 24 19:53:10 2006
From: logastellus at yahoo.com (Susan)
Date: Fri, 24 Feb 2006 11:53:10 -0800 (PST)
Subject: [Fedora-directory-users] Re: dumping the data base
In-Reply-To:
Message-ID: <20060224195310.97730.qmail@web52902.mail.yahoo.com>

--- Scott Boggs wrote:
> Richard Megginson writes:
> > You first have to find out what the subschemasubentry suffix is:
> > ldapsearch -x -s base -b "" subschemasubentry
> > dn:
> > subschemasubentry: cn=schema
> >
> > Then, you can query cn=schema:
> > ldapsearch -x -s base -b "cn=schema" attributeTypes objectClasses
>
> I must really be screwing something up, when I type:
> "ldapsearch -x -s base -b "" subschemasubentry" I get the following error:

There are two ldapsearch'es, you know. There's also one in /usr/bin/ldapsearch, which comes with the openldap-clients package.

Running /usr/bin/ldapsearch -x -b "dc=foo,dc=com" should return your tree, at least.

From sboggs at trustedcs.com Fri Feb 24 20:17:03 2006
From: sboggs at trustedcs.com (Scott Boggs)
Date: Fri, 24 Feb 2006 20:17:03 +0000 (UTC)
Subject: [Fedora-directory-users] Re: dumping the data base
References: <20060224195310.97730.qmail@web52902.mail.yahoo.com>
Message-ID:

Susan writes:
> there are two ldapsearch'es, you know.
>
> There's also one in /usr/bin/ldapsearch, comes with openldap-clients package.
>
> Running /usr/bin/ldapsearch -x -b "dc=foo,dc=com" should return your tree, at least.

Thanks

From sboggs at trustedcs.com Fri Feb 24 20:37:15 2006
From: sboggs at trustedcs.com (Scott Boggs)
Date: Fri, 24 Feb 2006 20:37:15 +0000 (UTC)
Subject: [Fedora-directory-users] Re: dumping the data base
References: <43FF5706.4080907@redhat.com>
Message-ID:

Richard Megginson writes:
> Scott Boggs wrote:

I have been looking at the 00core.ldif to see if there is a method of editing attribute definitions, but I only see definitions for objectclasses. Where does FDS store the individual attribute definitions?

From prowley at redhat.com Fri Feb 24 20:46:20 2006
From: prowley at redhat.com (Pete Rowley)
Date: Fri, 24 Feb 2006 12:46:20 -0800
Subject: [Fedora-directory-users] Re: dumping the data base
In-Reply-To:
References: <43FF5706.4080907@redhat.com>
Message-ID: <43FF709C.1090907@redhat.com>

Scott Boggs wrote:
> Richard Megginson writes:
> > Scott Boggs wrote:
>
> I have been looking at the 00core.ldif to see if there is a method of editing
> attribute definitions, but I only see definitions for objectclasses. Where does
> FDS store the individual attribute definitions?

In the attributetypes attribute (as objectclasses are stored in the objectclasses attribute). There are most definitely attributes defined in 00core.ldif since attributes have to be defined before you define objectclasses that rely on them.

--
Pete

From sboggs at trustedcs.com Fri Feb 24 20:59:41 2006
From: sboggs at trustedcs.com (Scott Boggs)
Date: Fri, 24 Feb 2006 20:59:41 +0000 (UTC)
Subject: [Fedora-directory-users] Re: dumping the data base
References: <43FF5706.4080907@redhat.com> <43FF709C.1090907@redhat.com>
Message-ID:

Pete Rowley writes:
> In the attributetypes attribute (as objectclasses are stored in the
> objectclasses attribute). There are most definitely attributes defined
> in 00core.ldif since attributes have to be defined before you define
> objectclasses that rely on them.

So if I wanted to change the actual attributetype definition, I couldn't? I know it would violate the RFC, but I thought I still had access to the core definition like with the core.ldif of openldap.

From rmeggins at redhat.com Fri Feb 24 21:29:11 2006
From: rmeggins at redhat.com (Richard Megginson) Date: Fri, 24 Feb 2006 14:29:11 -0700 Subject: [Fedora-directory-users] Re: dumping the data base In-Reply-To: References: <43FF5706.4080907@redhat.com> Message-ID: <43FF7AA7.90301@redhat.com> Scott Boggs wrote: >Richard Megginson redhat.com> writes: > >>You first have to find out what the subschemasubentry suffix is: >>ldapsearch -x -s base -b "" subschemasubentry >>dn: >>subschemasubentry: cn=schema >> >>Then, you can query cn=schema: >>ldapsearch -x -s base -b "cn=schema" attributeTypes objectClasses > >I must really be screwing something up, when I type: >"ldapsearch -x -s base -b "" subschemasubentry" I get the following error: > >ldap search: Bad search filter > >When I perform the following search, I get the same error: > >"ldapsearch -x -s base -b "cn=schema" attributeTypes objectClasses > >ldap search: Bad search filter > >This FDS is pretty much a basic build, so I have not really changed anything. > Oh, sorry. From your previous email, it looked like you had set up some sort of default search filter. You need to use "objectclass=*" for your search filter. >I am running the ldapsearch command from within the /opt/fedora-ds/shared/bin directory, if that makes any difference. > >thanks much for your advice, I am just trying to pull the definitions for the attributes, I believe this would be the correct method.. > >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From prowley at redhat.com Fri Feb 24 21:32:54 2006
From: prowley at redhat.com (Pete Rowley) Date: Fri, 24 Feb 2006 13:32:54 -0800 Subject: [Fedora-directory-users] Re: dumping the data base In-Reply-To: References: <43FF5706.4080907@redhat.com> <43FF709C.1090907@redhat.com> Message-ID: <43FF7B86.5010801@redhat.com> Scott Boggs wrote: >Pete Rowley redhat.com> writes: > > > >>In the attributetypes attribute (as objectclasses are stored in the >>objectclasses attribute). There are most definitely attributes defined >>in 00core.ldif since attributes have to be defined before you define >>objectclasses that rely on them. >> >> >> > >So if I wanted to change the actual attributetype definition, I could'nt? I know >it would violate the RFC, but I thought still had access to the core definition >like with the core.ldif of openldap. > > > Yes you can. I think perhaps your confusion comes from the fact the "objectclass" type is the first attribute type defined in the file: attributeTypes: ( 2.5.4.0 NAME 'objectClass' DESC 'Standard LDAP attribute type' EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 X-ORIGIN 'RFC 2256' ) Note "attributeTypes:" at the beginning - you are quite free to change whatever you wish, noting the dire warnings given previously :) -- Pete -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3241 bytes Desc: S/MIME Cryptographic Signature URL: From sboggs at trustedcs.com Fri Feb 24 21:37:32 2006 
From: sboggs at trustedcs.com (Scott Boggs) Date: Fri, 24 Feb 2006 21:37:32 +0000 (UTC) Subject: [Fedora-directory-users] Re: dumping the data base References: <43FF5706.4080907@redhat.com> <43FF709C.1090907@redhat.com> <43FF7B86.5010801@redhat.com> Message-ID: Pete Rowley redhat.com> writes: > > Note "attributeTypes:" at the beginning - you are quite free to change > whatever you wish, noting the dire warnings given previously :) > Great, I see it. Thanks, you really helped me understand. From ABliss at preferredcare.org Sat Feb 25 01:21:30 2006
From: ABliss at preferredcare.org (Bliss, Aaron) Date: Fri, 24 Feb 2006 20:21:30 -0500 Subject: [Fedora-directory-users] Some password policy enforcement information questions Message-ID: Well, it turns out that the passwordExpWarned attribute doesn't get changed either if a user authenticates to a server with a key via ssh; so I had to redesign how the script works; I figured that it's probably best to give the users the actual number of days they have before their password will expire. I've actually turned it into 2 scripts, the bash script is used to query the ldap server for password expiration info, and it passes this value to the perl script; Calling this from /etc/profile should work just fine. I thought this might be helpful to other users (perl script was tough for me, as I've never really scripted in perl but couldn't figure out a way to do it in bash), so here you go:

#!/bin/bash
# use this script in order to figure out when the user's
# password is going to expire and give them a heads up about it

# figure out who the user is
mynam=`whoami`

# create some exceptions to this rule so that they don't get a phony message
if [ "$mynam" = root ] ; then
    exit
fi

#pswarn1=`ldapsearch -x -ZZ "(uid=$mynam)" passwordExpWarned | grep -i passwordExpWarned | grep -v '#' | awk '{print $2}'`

# figure out exactly when their password is going to expire
# (search base comes from ldap.conf; grep -i because the server may return
# the attribute name in a different case than it was requested in)
pswar=`ldapsearch -x -ZZ "(uid=$mynam)" passwordExpirationTime | grep -i passwordExpirationTime | grep -v '#' | awk '{print $2}' | cut -c 1-8`

# no expiration time on the entry (or no answer from the server): say nothing
if [ -z "$pswar" ] ; then
    exit 0
fi

# setup some variables (the value is YYYYMMDDhhmmssZ; we kept YYYYMMDD above)
pwmonth=`echo $pswar | cut -c 5-6`
pwday=`echo $pswar | cut -c 7-8`
pwyear=`echo $pswar | cut -c 1-4`

# perl script expects input year month day
/usr/local/sbin/ck_pass1.pl $pwyear $pwmonth $pwday
exit 0

#!/usr/bin/perl
use strict;
use warnings;
use Time::Local;

# epoch secs for 2 weeks equal 1209600

# setup vars that were passed in year, month, day in that order
if (@ARGV != 3) {
    print "usage: $0 YYYY MM DD\n";
    exit 0;
}
my $varpass0 = $ARGV[0];
my $varpass1 = $ARGV[1];
my $varpass2 = $ARGV[2];

# timelocal doesn't work for dates past the year 2038
if ($varpass0 >= 2038) {
    print "year passed is too much for this script\n";
    exit 0;
}

# get todays date and format it properly
# beware localtime is going to format year-1900 and month-1
my ($mday,$mmonth,$myear) = (localtime(time)) [3,4,5];
my $epdate = timelocal (0,0,0,$mday,$mmonth,$myear);

# get epoch date for when password will expire
# we have to format what was passed to us to make it usable by timelocal
my $varpass00 = $varpass0 - 1900;
my $varpass11 = $varpass1 - 1;
my $passexp = timelocal (0,0,0,$varpass2,$varpass11,$varpass00);

# subtract password expiration from today and see what we get
my $passans = $passexp - $epdate;
my $finans2 = $passans / 86400;

# lets see where we stand
# and send a warning to the end users if necessary
if ($passans <= 1209600) {
    printf "Warning, Your Ldap password will expire in %.0f", $finans2;
    print " days\n";
}

-----Original Message----- From: Bliss, Aaron Sent: Monday, February 20, 2006 10:35 AM To: 'General discussion list for the Fedora Directory server project.' Subject: RE: [Fedora-directory-users] Some password policy enforcement information questions Yep, this issue occurs over ssh. Aaron -----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard Megginson Sent: Monday, February 20, 2006 10:08 AM To: General discussion list for the Fedora Directory server project. Subject: Re: [Fedora-directory-users] Some password policy enforcement information questions Bliss, Aaron wrote: >Some more trouble with password expiration warnings; I have passwords >warnings being displayed to users when they use passwords, however >users configured to use key authentication > Do you mean ssh? >do not receive this warnings; has >anyone seen this before? This is of course going to be a very big >problem for me. Any ideas? Thanks again. > > >Aaron > >-----Original Message----- >From: Bliss, Aaron >Sent: Wednesday, January 25, 2006 7:48 PM >To: General discussion list for the Fedora Directory server project. >Subject: RE: [Fedora-directory-users] Some password policy enforcement >information questions > >Turns out the issue I was having was with my clients; I'm not sure why, >but the administrator before me had "UseLogin Yes" set in >/etc/ssh/sshd_config; commenting this out immediately started >generating password warnings to users (as configured by the directory >server); does anyone know what the UseLogin option is used for? Thanks. > >Aaron > >-----Original Message----- >From: Bliss, Aaron >Sent: Thursday, January 19, 2006 3:15 PM >To: 'General discussion list for the Fedora Directory server project.' >Subject: RE: [Fedora-directory-users] Some password policy enforcement >information questions > >Thanks very much for the explanation; makes much sense to me now; I did >some playing around, and got the directory server to spit out to me >that your password is going to expire in x amount of days. Thanks again. > >Aaron > >-----Original Message----- 
>From: fedora-directory-users-bounces at redhat.com >[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard >Megginson >Sent: Thursday, January 19, 2006 2:35 PM >To: General discussion list for the Fedora Directory server project. >Subject: Re: [Fedora-directory-users] Some password policy enforcement >information questions > >It looks like the way it works is this: >When you have enabled password warning, an operational attribute called >"passwordExpWarned" is created in the user's entry. The value will be >0 until the user does a successful BIND operation and the time between >now and the configured password expiration time is less than or equal >to the configured password warning time. When this happens, the >warning will be sent, the value of passwordExpWarned will be changed to >1, and the operational attribute passwordExpirationTime in the user's >entry will be set to the time at which the password will expire. When >the user changes the password, passwordExpWarned will be reset to 0 and >passwordExpirationTime will be set to the new expiration time. > >Bliss, Aaron wrote: > > > >>If I've configured a correct password policy and the warning attribute >>is not getting updated, should this be considered a bug? >> >>Aaron >> >>-----Original Message----- 
>>From: fedora-directory-users-bounces at redhat.com >>[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard Megginson >>Sent: Thursday, January 19, 2006 1:48 PM >>To: General discussion list for the Fedora Directory server project. >>Subject: Re: [Fedora-directory-users] Some password policy enforcement information questions >> >>Bliss, Aaron wrote: >> >>>Please forgive me if I'm asking silly newbie questions, however I'm trying to understand exactly what I'm seeing thru fds; first the policy I've configured on the directory using the fds console: >>>I've enabled fine-grain password policy for the data unit, including password history enforcement, password expiration after 90 days, password warning 14 days before password expires, check password syntax, account lockout policy enabled after 3 login failures for 120 minutes and reset failure count after 15 minutes. >>> >>>Everything seems to be working except for send password warning; in the client's ldap.conf file, I've enabled pam_lookup_policy yes. >>> >>>Looking at account information attributes for a user, the passwordExpWarned value is 0; I've reset users' passwords to try to initialize the password policy, however this value never seems to change. According to this documentation http://www.redhat.com/docs/manuals/dir-server/ag/7.1/password.html#1077081 I believe that this attribute is stored in seconds. Is this true? >>> >>Yes. >> >>>If so, what can I do to ensure this attribute is getting updated (assuming that this is the attribute responsible for triggering password expiration warning). >>> >>I'm not really sure. 
>>>Second issue/question: >>>I've looked at this wiki http://directory.fedora.redhat.com/wiki/Howto:PAM and near the very bottom it mentions adding the following >>> >>>dn: cn=config >>>changetype: modify >>>add: passwordExp >>>passwordExp: on >>>- >>>add: passwordMaxAge >>>passwordMaxAge: 8640000 (this I believe would give a password max age of 100 days) >>> >>>Do I need to add these attributes even though I've configured the password policy using the fds console, or has that done this for me? Is this the case? I don't see these attributes in the gui, however I do see passwordexpirationtime as an attribute and it is set to 90 days from now (I want to ensure that accounts are indeed locked after passwords have expired). >>> >>Those attributes are only for global (default) password policy - what you have set for fine grained password policy will override those. >> >>>Also, Jim Summers posted to this group that he saw an issue with shadowpasswd / shadowexpire fields not being updated https://www.redhat.com/archives/fedora-directory-users/2005-December/msg00367.html >>> >>>Can anyone tell me what these fields are used for, as I don't see any mention of them in this documentation http://www.redhat.com/docs/manuals/dir-server/ag/7.1/password.html#1077081 >>> >>Right. They are a PAM/posix thing - FDS treats them as any other data - it doesn't update them from its own password policy. >> >>>Thanks again very much. >>> >>>Aaron >>> >>>www.preferredcare.org >>>"An Outstanding Member Experience," Preferred Care HMO Plans -- J. D. Power and Associates >>> >>>Confidentiality Notice: >>>The information contained in this electronic message is intended for the exclusive use of the individual or entity named above and may contain privileged or confidential information. 
>>If the reader of this message is not the intended recipient or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that dissemination, distribution or copying of this information is prohibited. If you have received this communication in error, please notify the sender immediately by telephone and destroy the copies you received. >> >>>-- >>>Fedora-directory-users mailing list >>>Fedora-directory-users at redhat.com >>>https://www.redhat.com/mailman/listinfo/fedora-directory-users From mj at sci.fi Sat Feb 25 09:58:53 2006
From: mj at sci.fi (Mike Jackson) Date: Sat, 25 Feb 2006 11:58:53 +0200 Subject: [Fedora-directory-users] Some password policy enforcement information questions In-Reply-To: References: Message-ID: <44002A5D.5070404@sci.fi> Bliss, Aaron wrote: > > /etc/profile should work just fine. I thought this might be helpful to > other users (perl script was tough for me, as I've never really scripted > in perl but couldn't figure out a way to do in bash), so here you go: As it turns out, perl hacking is my hobby :-) Here is your script, improved a bit, and with command line option parsing included.

#!/usr/bin/perl -w
use strict;
use Getopt::Long;
use Time::Local;

my %o;
GetOptions( \%o, 'year=i', 'month=i', 'day=i', );
my $year  = $o{year};  # exp year
my $month = $o{month}; # exp month
my $day   = $o{day};   # exp day

if (!($year && $month && $day)) {
    die "Usage: $0 --year YYYY --month MM --day DD\n";
}

my $maxyear = 2038; # highest year for 32-bit systems
my $warning = 14;   # warning window in days

if ($year >= $maxyear) { die "Max year is $maxyear\n" }

$month -= 1;
my $ep_exp = timelocal(0,0,0,$day,$month,$year);
my $ep_cur = timelocal(0,0,0, (localtime(time)) [3,4,5]);

# calculate the difference and send a warning if necessary
# (rounded: a DST change between the two dates makes the raw quotient fractional)
my $days = sprintf("%.0f", ($ep_exp - $ep_cur) / 86400);
if ($days <= $warning) {
    print "Warning: Your LDAP password expires in $days days\n";
}

-- mike From scott.boggs at gmail.com Mon Feb 27 04:50:01 2006
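The same computation as the bash and perl pair above, written as an added example in Python (not code from either poster): it takes the passwordExpirationTime value as FDS stores it, a GeneralizedTime in UTC such as 20060310093000Z, and reports whole days left. Two points the scripts above leave open are handled here: the value is interpreted as UTC rather than passed to timelocal() as if it were local midnight, so the count is not off by a day around a DST change, and an entry with no passwordExpirationTime at all (root, or a user not under an expiring policy) produces no message instead of a phony one. There is also no 2038 limit. The LDIF sample is constructed for the example; the attribute format and the 14-day window are taken from the thread, everything else is my assumption.

```python
"""Password-expiry warning computed from passwordExpirationTime.

Added example, not code from the original posts. Assumptions (mine): the
attribute holds an LDAP GeneralizedTime in UTC, "YYYYMMDDHHMMSSZ", as FDS
writes it, and the entry arrives as LDIF text from ldapsearch. SAMPLE_LDIF
below is constructed for the example."""
import re
from datetime import datetime, timezone

WARNING_DAYS = 14  # same window as the scripts in the thread

# Constructed sample of `ldapsearch -x -ZZ "(uid=jsmith)" passwordExpirationTime`
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# filter: (uid=jsmith)
# requesting: passwordExpirationTime
#

# jsmith, People, example.com
dn: uid=jsmith,ou=People,dc=example,dc=com
passwordExpirationTime: 20060310093000Z

# search result
search: 2
result: 0 Success
"""

_GENTIME = re.compile(r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(?:[.,]\d+)?Z$")


def utc(y, mo, d, h=0, mi=0, s=0):
    """Aware UTC datetime; keeps callers free of timezone boilerplate."""
    return datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc)


def parse_generalized_time(value):
    """Parse the UTC GeneralizedTime form FDS writes ("20060310093000Z").
    A value without the trailing Z is rejected rather than guessed at."""
    m = _GENTIME.match(value.strip())
    if not m:
        raise ValueError(f"not a UTC GeneralizedTime: {value!r}")
    y, mo, d, h, mi, s = (int(x) for x in m.groups())
    return utc(y, mo, d, h, mi, s)


def expiration_from_ldif(ldif, attr="passwordExpirationTime"):
    """Return the attribute's value from ldapsearch LDIF output, or None when
    the entry has no such attribute. The name is matched case-insensitively
    because the server may echo a different case than the client asked for
    (which is how a case-sensitive grep can miss the line)."""
    for line in ldif.splitlines():
        if line.startswith("#"):
            continue  # ldapsearch comment lines, not entry data
        name, sep, val = line.partition(":")
        if sep and name.strip().lower() == attr.lower():
            return val.strip()
    return None


def days_until_expiry(exp, now):
    """Whole days remaining; negative once expired. Both datetimes are aware
    UTC, so a DST change between the two dates never yields a fractional day."""
    return (exp - now).days


def warning_message(ldif, now, window=WARNING_DAYS):
    """The line to print from /etc/profile, or None when nothing is due:
    no passwordExpirationTime on the entry, or expiry beyond the window."""
    raw = expiration_from_ldif(ldif)
    if raw is None:
        return None
    days = days_until_expiry(parse_generalized_time(raw), now)
    if days < 0:
        return "Warning: your LDAP password has expired"
    if days <= window:
        return f"Warning: your LDAP password will expire in {days} days"
    return None


if __name__ == "__main__":
    # Fixed "now" so the demo is reproducible; real use passes datetime.now(timezone.utc)
    print(warning_message(SAMPLE_LDIF, utc(2006, 3, 1, 12)))
```

In real use the ldapsearch output would be piped into warning_message() with the current UTC time; the constructed sample and fixed date let the block run without a directory server.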
From: scott.boggs at gmail.com (Scott) Date: Sun, 26 Feb 2006 22:50:01 -0600 Subject: [Fedora-directory-users] Cos? or plug-in issue? Message-ID: <000001c63b59$48f93ea0$fd0110ac@officecomputer> I have been working with updating the attributeType 'uid' to conform to a "caseExactMatch" setting. I understand that this does agree with RFC standards, but this Directory Server will not be interacting with any ldap applications. The primary purpose is user authentication. I must be missing something on how the Directory Server (fedora-ds) defines the attributes. I was under the impression I could just update the 00core.ldif entry and the new matching rule would then be applied. This has proven not to be the case; I think it might have to do with how the server interacts with the plugins or the CoS, which needs to be addressed. Anyone who could educate me on a method to enforce case sensitivity for the attribute uid would help me out greatly. I have read everything I can find on the subject and it just does not seem to be documented (not in a direct manner anyway). This is how the attribute appears in the 00core.ldif after I attempted to change the attribute definition, but it does not seem to have any effect.

attributeTypes: ( 0.9.2342.19200300.100.1.1 NAME ( 'uid' 'userid' ) DESC 'Standard LDAP attribute type' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'RFC 1274' )

Thanks in advance to anyone who can point me in the correct direction, I must be making this more difficult than it needs to be. -------------- next part -------------- An HTML attachment was scrubbed... URL: From rnappert at juniper.net Mon Feb 27 14:50:39 2006
From: rnappert at juniper.net (Reinhard Nappert) Date: Mon, 27 Feb 2006 09:50:39 -0500 Subject: [Fedora-directory-users] Disabling vlv support Message-ID: <6157E7BE4F8B9548AAE5EB84DBF5D46AF92364@pion.jnpr.net> Hi, I want to disable the virtual list view support. I would think that you would just delete the appropriate OID (supportedControl attribute) from the rootDSE object. However, the directory does not allow me to do that, due to access control restrictions. I try to perform this modification with the "super-administrator" account (cn=Directory Manager). Can anybody point me to a way how the vlv feature can be disabled? Thanks -Reinhard -------------- next part -------------- An HTML attachment was scrubbed... URL: From mj at sci.fi Mon Feb 27 14:54:56 2006 From: mj at sci.fi (Mike Jackson) Date: Mon, 27 Feb 2006 16:54:56 +0200 Subject: [Fedora-directory-users] Disabling vlv support In-Reply-To: <6157E7BE4F8B9548AAE5EB84DBF5D46AF92364@pion.jnpr.net> References: <6157E7BE4F8B9548AAE5EB84DBF5D46AF92364@pion.jnpr.net> Message-ID: <440312C0.6010700@sci.fi> Reinhard Nappert wrote: > Hi, > > I want to disable the virtual list view support. I would think that you > would just delete the appropriate OID (supportedControl attribute) from > the rootDSE object. However, the directory does not allow me to do that, > due to access control restrictions. I try to perform this modification > with the "super-administrator" account (cn=Directory Manager). > > Can anybody point me to a way how the vlv feature can be disabled? Beware that this is completely untested, but you can test it yourself if this is important to you :-) Just remove the cn=views,cn=plugins,cn=config object and then restart the slapd daemon. BR, Mike -- http://www.netauth.com - LDAP Directory Consulting From rmeggins at redhat.com Mon Feb 27 15:06:38 2006 
From: rmeggins at redhat.com (Richard Megginson) Date: Mon, 27 Feb 2006 08:06:38 -0700 Subject: [Fedora-directory-users] Disabling vlv support In-Reply-To: <440312C0.6010700@sci.fi> References: <6157E7BE4F8B9548AAE5EB84DBF5D46AF92364@pion.jnpr.net> <440312C0.6010700@sci.fi> Message-ID: <4403157E.8000106@redhat.com> Mike Jackson wrote: > Reinhard Nappert wrote: > >> Hi, >> >> I want to disable the virtual list view support. I would think that >> you would just delete the appropriate OID (supportedControl >> attribute) from the rootDSE object. However, the directory does not >> allow me to do that, due to access control restrictions. I try to >> perform this modification with the "super-administrator" account >> (cn=Directory Manager). >> >> Can anybody point me to a way how the vlv feature can be disabled? > > > > Beware that this is completely untested, but you can test it yourself > if this is important to you :-) > > Just remove the cn=views,cn=plugins,cn=config object and then restart > the slapd daemon. Views and VLV (Virtual List Views) are different. Views allows you to impose a hierarchical DIT upon a flat tree (virtually). VLV is paged search results. > > > BR, > Mike > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From mj at sci.fi Mon Feb 27 15:09:49 2006 
From: mj at sci.fi (Mike Jackson) Date: Mon, 27 Feb 2006 17:09:49 +0200 Subject: [Fedora-directory-users] Disabling vlv support In-Reply-To: <4403157E.8000106@redhat.com> References: <6157E7BE4F8B9548AAE5EB84DBF5D46AF92364@pion.jnpr.net> <440312C0.6010700@sci.fi> <4403157E.8000106@redhat.com> Message-ID: <4403163D.5000102@sci.fi> Richard Megginson wrote: > Views and VLV (Virtual List Views) are different. Views allows you to > impose a hierarchical DIT upon a flat tree (virtually). VLV is paged > search results. > Right. So, Rich, do you have any tips on how to disable VLV? Although I still don't see the reason why somebody would want to do this. Are there misbehaving clients on your network, or what? -- mike From rmeggins at redhat.com Mon Feb 27 15:14:55 2006
From: rmeggins at redhat.com (Richard Megginson) Date: Mon, 27 Feb 2006 08:14:55 -0700 Subject: [Fedora-directory-users] Disabling vlv support In-Reply-To: <4403163D.5000102@sci.fi> References: <6157E7BE4F8B9548AAE5EB84DBF5D46AF92364@pion.jnpr.net> <440312C0.6010700@sci.fi> <4403157E.8000106@redhat.com> <4403163D.5000102@sci.fi> Message-ID: <4403176F.7030802@redhat.com> Mike Jackson wrote: > Richard Megginson wrote: > >> Views and VLV (Virtual List Views) are different. Views allows you >> to impose a hierarchical DIT upon a flat tree (virtually). VLV is >> paged search results. >> > > Right. > > So, do you Rich have any tips how to disable VLV? > > Although I still don't see the reason why somebody would want to do > this. Are there misbehaving clients on your network, or what? Could be. Outlook uses VLV for address book searches. I don't think there is a way to disable VLV. > > -- > mike > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From david_list at boreham.org Mon Feb 27 15:33:26 2006 From: david_list at boreham.org (David Boreham) Date: Mon, 27 Feb 2006 08:33:26 -0700 Subject: [Fedora-directory-users] Disabling vlv support In-Reply-To: <6157E7BE4F8B9548AAE5EB84DBF5D46AF92364@pion.jnpr.net> References: <6157E7BE4F8B9548AAE5EB84DBF5D46AF92364@pion.jnpr.net> Message-ID: <44031BC6.3040401@boreham.org> An HTML attachment was scrubbed... URL: From jclowser at unitedmessaging.com Mon Feb 27 15:35:57 2006 
From: jclowser at unitedmessaging.com (Jeff Clowser) Date: Mon, 27 Feb 2006 10:35:57 -0500 Subject: [Fedora-directory-users] Disabling vlv support In-Reply-To: <4403163D.5000102@sci.fi> References: <6157E7BE4F8B9548AAE5EB84DBF5D46AF92364@pion.jnpr.net> <440312C0.6010700@sci.fi> <4403157E.8000106@redhat.com> <4403163D.5000102@sci.fi> Message-ID: <44031C5D.2000006@unitedmessaging.com> Mike Jackson wrote: > Richard Megginson wrote: > >> Views and VLV (Virtual List Views) are different. Views allows you >> to impose a hierarchical DIT upon a flat tree (virtually). VLV is >> paged search results. >> > > Right. > > So, do you Rich have any tips how to disable VLV? > > Although I still don't see the reason why somebody would want to do > this. Are there misbehaving clients on your network, or what? > Outlook uses VLVs, but if the VLV indexes it uses are not actually created, you get really bad performance and some "weird" errors in outlook. Assuming outlook only uses this if the server says it supports VLV controls, disabling this in theory would make outlook "work better" than with VLVs supported by the server but no vlv index created. The other app that uses VLVs that I know of is the Directory server java console. If you disable VLVs it can affect performance there as well. What is the reason you want to disable VLVs? If it is because of Outlook, it would actually be better overall to create the VLV indexes that outlook uses - they are fairly easy to create, and outlook's use of vlv indexes is pretty consistent. FWIW, Outlook uses VLV indexes for its ldap addressbook functionality, but one other bit of tuning you need to do for Outlook is index the displayname attribute (even if you have no entries in the server with a displayname value, you need to index the attribute to prevent a sequential search of entries to realize this). - Jeff From rnappert at juniper.net Mon Feb 27 15:59:01 2006
From: rnappert at juniper.net (Reinhard Nappert) Date: Mon, 27 Feb 2006 10:59:01 -0500 Subject: [Fedora-directory-users] Disabling vlv support Message-ID: <6157E7BE4F8B9548AAE5EB84DBF5D46AF92371@pion.jnpr.net> Unfortunately there is a bug (iPlanet/SUN Directory Server used to have the same bug, but it was fixed recently). In case you perform vlv searches and modifications occur at the same time the server hangs. Have a look at the release notes (http://docs.sun.com/source/819-1814-10/relnotes_ds51sp4.html) bug-id 4973380. Therefore, I do not want to accept any vlv requests. Cheers -Reinhard -----Original Message----- From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Mike Jackson Sent: Monday, February 27, 2006 10:10 AM To: General discussion list for the Fedora Directory server project. Subject: Re: [Fedora-directory-users] Disabling vlv support Richard Megginson wrote: > Views and VLV (Virtual List Views) are different. Views allows you to > impose a hierarchical DIT upon a flat tree (virtually). VLV is paged > search results. > Right. So, do you Rich have any tips how to disable VLV? Although I still don't see the reason why somebody would want to do this. Are there misbehaving clients on your network, or what? -- mike -- Fedora-directory-users mailing list Fedora-directory-users at redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users From david_list at boreham.org Mon Feb 27 16:07:06 2006 
From: david_list at boreham.org (David Boreham) Date: Mon, 27 Feb 2006 09:07:06 -0700 Subject: [Fedora-directory-users] Disabling vlv support In-Reply-To: <6157E7BE4F8B9548AAE5EB84DBF5D46AF92371@pion.jnpr.net> References: <6157E7BE4F8B9548AAE5EB84DBF5D46AF92371@pion.jnpr.net> Message-ID: <440323AA.4070204@boreham.org> Reinhard Nappert wrote: >Unfortunately there is a bug (iPlanet/SUN Directory Server used to have >the same bug, but it was fixed recently). In case you perform vlv >searches and modifications occur at the same time the server hangs. Have >a look at the release notes >(http://docs.sun.com/source/819-1814-10/relnotes_ds51sp4.html) bug-id >4973380. Therefore, I do not want to accept any vlv requests. > This must be related to _indexed_ vlv requests concurrent with updates. I don't believe that a non-indexed vlv request can deadlock an update. Anyway, why don't you file the bug against FDS and get it fixed? (If you're sure that the bug is present in FDS then presumably you have a reproduction case that can be passed into the bug report). Is there a public Sun bugzilla where we can look at their bug report? (I believe the answer to that is no, but perhaps I'm not looking hard enough...) From prowley at redhat.com Mon Feb 27 20:08:24 2006
From: prowley at redhat.com (Pete Rowley) Date: Mon, 27 Feb 2006 12:08:24 -0800 Subject: [Fedora-directory-users] Cos? or plug-in issue? In-Reply-To: <000001c63b59$48f93ea0$fd0110ac@officecomputer> References: <000001c63b59$48f93ea0$fd0110ac@officecomputer> Message-ID: <44035C38.7060709@redhat.com> Scott wrote: > I must be missing something on how the Directory Server (fedora-ds) > defines the attributes. I was under the impression I could just update > the 00core.ldif entry and the new matching rule would then be applied. > This has proven not to be the case, I think it might have to do with > the server interacts with the plugins or the CoS which needs to be > addressed. > What exactly failed and how? -- Pete -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3241 bytes Desc: S/MIME Cryptographic Signature URL: From scott.boggs at gmail.com Tue Feb 28 17:17:58 2006 
From: scott.boggs at gmail.com (Scott) Date: Tue, 28 Feb 2006 17:17:58 +0000 (UTC) Subject: [Fedora-directory-users] Re: Cos? or plug-in issue? References: <000001c63b59$48f93ea0$fd0110ac@officecomputer> <44035C38.7060709@redhat.com> Message-ID: Pete Rowley redhat.com> writes: > > Scott wrote: > > > I must be missing something on how the Directory Server (fedora-ds) > > defines the attributes. I was under the impression I could just update > > the 00core.ldif entry and the new matching rule would then be applied. > > This has proven not to be the case, I think it might have to do with > > how the server interacts with the plugins or the CoS which needs to be > > addressed. > > > What exactly failed and how? > When I apply the caseExactMatch definition to the attribute, I expected it to enforce the matching rule. However it did not seem to have any effect. I tested it both with the schema checking on and off. I ended up using the default attributeType and I just changed the SYNTAX to 1.3.6.1.4.1.1466.115.121.1.26. This seems to enforce the case for the uid. I think I was under the misunderstanding that I could tweak the attribute type specifically to meet my site's needs. I have been reading up on the CoS and I think this is where I went wrong. Is there an alternate method to provide granular control over attributeTypes, or is the FDS tied to the CoS model? The entry I am talking about is listed below. Thanks

attributeTypes: ( 0.9.2342.19200300.100.1.1 NAME ( 'uid' 'userid' ) DESC 'Standard LDAP attribute type' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'RFC 1274' )

From prowley at redhat.com Tue Feb 28 22:02:33 2006
From: prowley at redhat.com (Pete Rowley)
Date: Tue, 28 Feb 2006 14:02:33 -0800
Subject: [Fedora-directory-users] Re: Cos? or plug-in issue?
In-Reply-To:
References: <000001c63b59$48f93ea0$fd0110ac@officecomputer> <44035C38.7060709@redhat.com>
Message-ID: <4404C879.8080803@redhat.com>

Scott wrote:
> Pete Rowley redhat.com> writes:
>
>> Scott wrote:
>>
>>> I must be missing something on how the Directory Server (fedora-ds)
>>> defines the attributes. I was under the impression I could just update
>>> the 00core.ldif entry and the new matching rule would then be applied.
>>> This has proven not to be the case; I think it might have to do with
>>> how the server interacts with the plugins or the CoS, which needs to be
>>> addressed.
>>
>> What exactly failed and how?
>
> When I apply the caseExactMatch definition to the attribute, I expected it
> to enforce the matching rule. However, it did not seem to have any effect.
> I tested it both with schema checking on and off. I ended up using the
> default attributeType and I just changed the SYNTAX to
> 1.3.6.1.4.1.1466.115.121.1.26. This seems to enforce the case for the uid.
> I think I was under the misunderstanding that I could tweak the attribute
> type specifically to meet my site's needs. I have been reading up on the
> CoS and I think this is where I went wrong. Is there an alternate method to
> provide granular control over attributeTypes, or is the FDS tied to the CoS
> model? The entry I am talking about is listed below.
>
> Thanks

Class of service has nothing to do with schema. It is a mechanism for
sharing attribute / value pairs among a group of entries so that an
administrator has one place to change those attribute value pairs. The
only place CoS gets involved with schema is when schema checking is on,
when it will ensure the attribute / value pairs it provides are allowed
to appear in the entry.

I am at a loss to explain why changing the syntax from DirectoryString
to IA5String would suddenly produce the results you were expecting. Are
you restarting the server between changes to the schema files?

--
Pete

From scott.boggs at gmail.com Tue Feb 28 23:30:29 2006
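As an added illustration of the point Pete makes (not part of the thread, and not Fedora Directory Server code), the following Python script parses the attributeTypes definition Scott posted and evaluates search filters with the matching rules it names. It is a simplified model: RFC 4518 string preparation is reduced to whitespace trimming, only the rules named in the thread are implemented, and the entries and DNs are constructed. What it shows is the separation Pete describes: EQUALITY and SUBSTR decide how values compare, SYNTAX only decides which values are well-formed, and CoS plays no part in either.

```python
"""Added example: how EQUALITY / SUBSTR matching rules and the SYNTAX OID
relate in an LDAP attribute type definition.  Simplified model, not FDS code."""
import re

# Constructed sample: the attributeTypes definition posted in the thread.
UID_DEFINITION = (
    "( 0.9.2342.19200300.100.1.1 NAME ( 'uid' 'userid' ) "
    "DESC 'Standard LDAP attribute type' "
    "EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'RFC 1274' )"
)

# The two syntax OIDs discussed in the thread.
DIRECTORY_STRING = "1.3.6.1.4.1.1466.115.121.1.15"
IA5_STRING = "1.3.6.1.4.1.1466.115.121.1.26"


def parse_attribute_type(definition):
    """Extract OID, NAMEs, EQUALITY, SUBSTR and SYNTAX from an RFC 4512
    AttributeTypeDescription.  Only the fields this example needs are parsed."""
    body = definition.strip()
    if not (body.startswith("(") and body.endswith(")")):
        raise ValueError("attribute type description must be parenthesised")
    oid, _, rest = body[1:-1].strip().partition(" ")
    fields = {"oid": oid, "names": [], "equality": None, "substr": None, "syntax": None}
    name = re.search(r"\bNAME\s+(?:\(\s*((?:'[^']*'\s*)+)\)|('[^']*'))", rest)
    if name:
        fields["names"] = re.findall(r"'([^']*)'", name.group(1) or name.group(2))
    for key in ("EQUALITY", "SUBSTR", "SYNTAX"):
        hit = re.search(rf"\b{key}\s+([\w.]+)", rest)
        if hit:
            fields[key.lower()] = hit.group(1)
    return fields


def _prepare(value):
    """RFC 4518 string preparation reduced to its whitespace rules: trim and
    collapse runs of spaces.  Case is deliberately left untouched here."""
    return " ".join(value.split())


def _substring_regex(pattern, ignore_case):
    """Turn an LDAP substring assertion such as 'J*Smi*' into a regex."""
    pieces = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(pieces) + "$", re.IGNORECASE if ignore_case else 0)


# Matching rules decide how two values compare; the syntax plays no part here.
EQUALITY_RULES = {
    "caseExactMatch": lambda stored, asserted: _prepare(stored) == _prepare(asserted),
    "caseIgnoreMatch": lambda stored, asserted:
        _prepare(stored).casefold() == _prepare(asserted).casefold(),
}
SUBSTRING_RULES = {
    "caseExactSubstringsMatch": lambda stored, pattern:
        bool(_substring_regex(pattern, False).match(_prepare(stored))),
    "caseIgnoreSubstringsMatch": lambda stored, pattern:
        bool(_substring_regex(pattern, True).match(_prepare(stored))),
}


def syntax_accepts(syntax_oid, value):
    """A syntax answers 'is this value well-formed?', never 'how is it compared?'.
    IA5String is 7-bit ASCII; DirectoryString is any non-empty string."""
    if syntax_oid == IA5_STRING:
        return all(ord(c) < 128 for c in value)
    if syntax_oid == DIRECTORY_STRING:
        return len(value) > 0
    raise ValueError("unknown syntax OID " + syntax_oid)


def search(entries, attr_type, assertion, substrings=False):
    """Evaluate (uid=assertion) over entries using the rule the schema names,
    returning the matching DNs in order."""
    attr = attr_type["names"][0]
    rule = (SUBSTRING_RULES[attr_type["substr"]] if substrings
            else EQUALITY_RULES[attr_type["equality"]])
    return [e["dn"] for e in entries
            if any(rule(v, assertion) for v in e.get(attr, []))]


# Constructed sample entries; the DNs are placeholders, not real accounts.
ENTRIES = [
    {"dn": "uid=JSmith,ou=People,dc=example,dc=com", "uid": ["JSmith"]},
    {"dn": "uid=jsmith,ou=People,dc=example,dc=com", "uid": ["jsmith"]},
    {"dn": "uid=jdoe,ou=People,dc=example,dc=com", "uid": ["jdoe"]},
]

if __name__ == "__main__":
    uid = parse_attribute_type(UID_DEFINITION)
    print("rules:", uid["equality"], uid["substr"], "syntax:", uid["syntax"])
    print("(uid=jsmith) caseExactMatch :", search(ENTRIES, uid, "jsmith"))
    ignore = dict(uid, equality="caseIgnoreMatch", substr="caseIgnoreSubstringsMatch")
    print("(uid=jsmith) caseIgnoreMatch:", search(ENTRIES, ignore, "jsmith"))
    # In this model, as in the schema standard, swapping DirectoryString for
    # IA5String changes which values are accepted, not how EQUALITY compares them.
    ia5 = dict(uid, syntax=IA5_STRING)
    print("IA5String accepts 'Müller'?  ", syntax_accepts(ia5["syntax"], "Müller"))
    print("(uid=jsmith) under IA5String:", search(ENTRIES, ia5, "jsmith"))
```

Two checks a practitioner would make before concluding a matching-rule change "has no effect": first, confirm the running server actually serves the edited definition rather than the one it loaded at startup, for example by reading the operational schema with `ldapsearch -x -b cn=schema -s base '(objectClass=*)' attributeTypes` and looking for the `'uid'` line; second, remember that `uid` is normally an indexed attribute, and an equality index built under one matching rule does not reflect a new rule until the attribute is re-indexed, so consult the server documentation on re-indexing after a schema change.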
From: scott.boggs at gmail.com (Scott)
Date: Tue, 28 Feb 2006 23:30:29 +0000 (UTC)
Subject: [Fedora-directory-users] Re: Cos? or plug-in issue?
References: <000001c63b59$48f93ea0$fd0110ac@officecomputer> <44035C38.7060709@redhat.com> <4404C879.8080803@redhat.com>
Message-ID:

Pete Rowley redhat.com> writes:

> > When I apply the caseExactMatch definition to the attribute, I expected it
> > to enforce the matching rule. However, it did not seem to have any effect.
> > I tested it both with schema checking on and off. I ended up using the
> > default attributeType and I just changed the SYNTAX to
> > 1.3.6.1.4.1.1466.115.121.1.26. This seems to enforce the case for the uid.
> > I think I was under the misunderstanding that I could tweak the attribute
> > type specifically to meet my site's needs. I have been reading up on the
> > CoS and I think this is where I went wrong. Is there an alternate method to
> > provide granular control over attributeTypes, or is the FDS tied to the CoS
> > model? The entry I am talking about is listed below.
> >
> > Thanks
>
> Class of service has nothing to do with schema. It is a mechanism for
> sharing attribute / value pairs among a group of entries so that an
> administrator has one place to change those attribute value pairs. The
> only place CoS gets involved with schema is when schema checking is on,
> when it will ensure the attribute / value pairs it provides are allowed
> to appear in the entry.
>
> I am at a loss to explain why changing the syntax from DirectoryString
> to IA5String would suddenly produce the results you were expecting. Are
> you restarting the server between changes to the schema files?

Well, if that is the case and there are no underlying mechanisms that I
was excluding, I am really discouraged with the ability to provide
customization. Do you see anything wrong with how I attempted to define
the attribute that could have been causing the issue? It has to be
something I am leaving out.

Yes, I restarted every time. The only time I can get it to enforce the
case is with the IA5String. Since the IA5String seems to be working, do
you see any problem with me leaving it defined?

Thanks again