From jeff.applewhite at motricity.com Mon Jan 2 04:43:25 2006 From: jeff.applewhite at motricity.com (Jeff Applewhite) Date: Sun, 01 Jan 2006 23:43:25 -0500 Subject: [Fedora-directory-users] Kerberos plugin Message-ID: <43B8AF6D.9090309@motricity.com> Hi There, Is anyone out there using a Kerberos plugin to handle authentication? If so which one? Thanks, Jeff Applewhite From nhosoi at redhat.com Mon Jan 2 17:48:02 2006 From: nhosoi at redhat.com (Noriko Hosoi) Date: Mon, 02 Jan 2006 09:48:02 -0800 Subject: [Fedora-directory-users] error installing FDS 1.0.1 from rpm In-Reply-To: <43B179C0.2040107@herzumsoftware.com> References: <43B074A3.6010704@gmail.com> <43B179C0.2040107@herzumsoftware.com> Message-ID: <43B96752.8050704@redhat.com> Do you happen to have /opt/fedora-ds/admin-serv/ directory? If so, it calls stop-admin in the pre-install phase. If that's the case, could you clean up /opt/fedora-ds and try rpm install again? --noriko Kieran Murphy wrote: > Trying to install FDS 1.0.1 from rpm on Fedora Core 4, I get the > following error: > >> [root at localhost kieran]# rpm -ivh fedora-ds-1.0.1-1.FC4.i386.opt.rpm >> Preparing... >> ########################################### [100%] >> /var/tmp/rpm-tmp.3816: line 19: /opt/fedora-ds/stop-admin: No such >> file or directory >> error: %pre(fedora-ds-1.0.1-1.Linux.i386) scriptlet failed, exit >> status 127 >> error: install: %pre scriptlet failed (2), skipping >> fedora-ds-1.0.1-1.Linux > > > I get the same response trying to install v. 1.0. I can install 7.1 > without issue. > > Any thoughts? > > Thanks in advance - Kieran > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users From rmeggins at redhat.com Tue Jan 3 15:02:13 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Tue, 03 Jan 2006 08:02:13 -0700 Subject: [Fedora-directory-users] Server-Side ACLs for pam_ldap logins. 
In-Reply-To: <1135789647.3537.11.camel@localhost> References: <43B074A3.6010704@gmail.com> <1135789647.3537.11.camel@localhost> Message-ID: <43BA91F5.1090909@redhat.com> Does this help? http://directory.fedora.redhat.com/wiki/Howto:Posix Michael Montgomery wrote: >I've been searching through both the openldap, and this mailing list for >any reference to defining server-side ACLs to allow/restrict access to >certain computers, or groups of computers based on the group that the >user is associated with. One reference I found was this: > >http://www.openldap.org/lists/openldap-software/200408/msg00280.html > >But there are no responses to this query. > >Neither the OReilly, or the "Understanding and Deploying Ldap Directory >Services" books I have make any solid mention of this either, and online >searching has uncovered little, at best. > >Does anyone have any ideas if this is even possible, and if it is, are >there any references I can use as a template to begin implementation and >testing of this? > >Thanks for any help you can offer. > >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Tue Jan 3 15:04:38 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Tue, 03 Jan 2006 08:04:38 -0700 Subject: [Fedora-directory-users] Kerberos plugin In-Reply-To: <43B8AF6D.9090309@motricity.com> References: <43B8AF6D.9090309@motricity.com> Message-ID: <43BA9286.4020505@redhat.com> Jeff Applewhite wrote: > Hi There, > > Is anyone out there using a Kerberos plugin to handle authentication? > If so which one? A Kerberos plug-in where? To Fedora DS? To PAM? 
Note that Fedora DS will allow you to authenticate with your Kerberos credentials - no plug-in is required, just some configuration. http://directory.fedora.redhat.com/wiki/Howto:Kerberos > > Thanks, > > Jeff Applewhite > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Tue Jan 3 16:07:16 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Tue, 03 Jan 2006 09:07:16 -0700 Subject: [Fedora-directory-users] Error start-admin In-Reply-To: References: Message-ID: <43BAA134.5090007@redhat.com> Douglas Hussey wrote: > > I have made a fresh install of the latest DS version. I get the > following error when I attempt to start the admin server, what is > strange is the previous version runs fine on this machine 7.1-2. We > are running Redhat V4 AMD_64. JDK 1.5.0_05 > > ERROR: ld.so: object '/opt/fedora-ds/bin/admin/lib/libssl3.so' from > LD_PRELOAD cannot be preloaded: ignored. > ERROR: ld.so: object '/opt/fedora-ds/bin/admin/lib/libldap50.so' from > LD_PRELOAD cannot be preloaded: ignored. > Syntax error on line 150 of /opt/fedora-ds/admin-serv/config/httpd.conf: > Cannot load /opt/fedora-ds/bin/admin/lib/libmodrestartd.so into > server: /opt/fedora-ds/bin/admin/lib/libmodrestartd.so: cannot open > shared object file: No such file or directory Hm - I guess ld.so doesn't like the 32 bit shared libraries. We are working on a 64 bit version. Don't have a date yet. > > > Thanks > Doug > > > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Tue Jan 3 17:05:14 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Tue, 03 Jan 2006 10:05:14 -0700 Subject: [Fedora-directory-users] Another console issue In-Reply-To: <7815b00c17092668bbe53d805a35140c@expresso.pr.gov.br> References: <7815b00c17092668bbe53d805a35140c@expresso.pr.gov.br> Message-ID: <43BAAECA.80608@redhat.com> Marcio Kabke Pinheiro wrote: > After Aaron's tip, no more log errors, but after I've entered the admin > user and password, the console hangs, and in the Windows console > window opened by the .bat file (remembering, I'm using a Windows > machine to run the Management Console), appears the error: > ======================================= > C:\celepar\fedora directory\console\java>java -ms8m -mx64m -cp > .;.\nmclf70.jar; > .\base.jar;.\ldapjdk.jar;.\mcc70.jar;.\nmclf70_en.jar;.\mcc70_en.jar;.\jss3.jar > -Djava.library.path=..\lib\jss -Djava.util.prefs.systemRoot=.\.java > -Djava.util. > prefs.userRoot=. com.netscape.management.client.console.Console -a > http://10.15. > 20.128:4616 Should be using the *10.jar and *10_en.jar files if you are using Fedora DS 1.0.1. I've updated the instructions to reflect this. I don't know if you can use the *70*.jar files to manage a Fedora DS 1.0.1 server.
http://directory.fedora.redhat.com/wiki/Howto:WindowsConsole > Exception in thread "main" java.lang.NumberFormatException: multiple > points > at sun.misc.FloatingDecimal.readJavaFormatString(Unknown Source) > at java.lang.Double.parseDouble(Unknown Source) > at > com.netscape.management.client.console.Console.checkHelpSystem(Unknown Source) > at > com.netscape.management.client.console.Console.initialize(Unknown Source) > at > com.netscape.management.client.console.Console.<init>(Unknown Source) > > at com.netscape.management.client.console.Console.main(Unknown > Source) > ================================== > First I remembered that I was using the old console code, and copied > the new code from the new FDS install (the /bin and /lib folders), but > the error was the same. Second, I've upgraded the Java version of my > machine - was 1.4.2_3, now it's 1.5.0_06. Same error. > > Any thoughts? > >------------------------------------------------------------------------ > >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Tue Jan 3 17:11:16 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Tue, 03 Jan 2006 10:11:16 -0700 Subject: [Fedora-directory-users] Chain On Update problem In-Reply-To: <43B074A3.6010704@gmail.com> References: <43B074A3.6010704@gmail.com> Message-ID: <43BAB034.2050709@redhat.com> ILoveJython wrote: > I have read the document: > > Howto:ChainOnUpdate - Fedora Directory Server > > > and have been unable to get it to work. When I attempt a write to the > consumer it makes the change on the > consumer and does not update the master. This is bad.
If the consumer is configured to be a read only consumer you should not be able to make a change on it. You should either get a referral returned from the consumer to the client program which the client program will follow to make the change on the master, or, if chain on update is working, you will see the operation on the consumer and the same corresponding operation sent to the master. > With the next change on the master of any kind, > the mapping tree entry for this suffix changes from "nsslapd-state: > backend" to "nsslapd-state: referral on update". > Once this state changes, my client complains that it cannot update, > since it cannot follow referrals. Ulf, you've been able to get this running, right? > > In addition, there are no log entries on the master to indicate any > activity back from the consumer to the master, i.e. > a proxy login. > >------------------------------------------------------------------------ > >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From mmontgomery at theplanet.com Tue Jan 3 18:19:58 2006 From: mmontgomery at theplanet.com (Michael Montgomery) Date: Tue, 03 Jan 2006 12:19:58 -0600 Subject: [Fedora-directory-users] Server-Side ACLs for pam_ldap logins. In-Reply-To: <43BA91F5.1090909@redhat.com> References: <43B074A3.6010704@gmail.com> <1135789647.3537.11.camel@localhost> <43BA91F5.1090909@redhat.com> Message-ID: <1136312398.12696.15.camel@localhost> I do agree that this is closer to what I'm looking for, but the first problem I see is that I wanted to allow Groups of people to login to Groups of servers like: cn=www,ou=Group,dc=example,dc=com is a group of www servers. cn=Unix,ou=Group,dc=example,dc=com is a group of Unix users. 
So basically, on the people in the Unix group, can login to the www servers, and so forth. Is there any way, other than client side pam modules, such as: http://www.splitbrain.org/projects/pam_require That will allow this to work? Thanks again everyone. On Tue, 2006-01-03 at 08:02 -0700, Richard Megginson wrote: > Does this help? http://directory.fedora.redhat.com/wiki/Howto:Posix > > Michael Montgomery wrote: > > >I've been searching through both the openldap, and this mailing list for > >any reference to defining server-side ACLs to allow/restrict access to > >certain computers, or groups of computers based on the group that the > >user is associated with. One reference I found was this: > > > >http://www.openldap.org/lists/openldap-software/200408/msg00280.html > > > >But there are no responses to this query. > > > >Neither the OReilly, or the "Understanding and Deploying Ldap Directory > >Services" books I have make any solid mention of this either, and online > >searching has uncovered little, at best. > > > >Does anyone have any ideas if this is even possible, and if it is, are > >there any references I can use as a template to begin implementation and > >testing of this? > > > >Thanks for any help you can offer. > > > >-- > >Fedora-directory-users mailing list > >Fedora-directory-users at redhat.com > >https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users From rmeggins at redhat.com Tue Jan 3 18:29:23 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Tue, 03 Jan 2006 11:29:23 -0700 Subject: [Fedora-directory-users] Server-Side ACLs for pam_ldap logins. 
In-Reply-To: <1136312398.12696.15.camel@localhost> References: <43B074A3.6010704@gmail.com> <1135789647.3537.11.camel@localhost> <43BA91F5.1090909@redhat.com> <1136312398.12696.15.camel@localhost> Message-ID: <43BAC283.9060900@redhat.com> Michael Montgomery wrote: >I do agree that this is closer to what I'm looking for, but the first >problem I see is that I wanted to allow Groups of people to login to >Groups of servers like: > >cn=www,ou=Group,dc=example,dc=com is a group of www servers. >cn=Unix,ou=Group,dc=example,dc=com is a group of Unix users. > >So basically, on the people in the Unix group, can login to the www >servers, and so forth. > > Right. The host attribute is per user. You could set up a Roles for your users, and use Class of Service to automatically add the host attribute to the role members. >Is there any way, other than client side pam modules, such as: >http://www.splitbrain.org/projects/pam_require >That will allow this to work? > >Thanks again everyone. > >On Tue, 2006-01-03 at 08:02 -0700, Richard Megginson wrote: > > >>Does this help? http://directory.fedora.redhat.com/wiki/Howto:Posix >> >>Michael Montgomery wrote: >> >> >> >>>I've been searching through both the openldap, and this mailing list for >>>any reference to defining server-side ACLs to allow/restrict access to >>>certain computers, or groups of computers based on the group that the >>>user is associated with. One reference I found was this: >>> >>>http://www.openldap.org/lists/openldap-software/200408/msg00280.html >>> >>>But there are no responses to this query. >>> >>>Neither the OReilly, or the "Understanding and Deploying Ldap Directory >>>Services" books I have make any solid mention of this either, and online >>>searching has uncovered little, at best. >>> >>>Does anyone have any ideas if this is even possible, and if it is, are >>>there any references I can use as a template to begin implementation and >>>testing of this? >>> >>>Thanks for any help you can offer. 
>>> >>>-- >>>Fedora-directory-users mailing list >>>Fedora-directory-users at redhat.com >>>https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> >>> >>> >>> >>-- >>Fedora-directory-users mailing list >>Fedora-directory-users at redhat.com >>https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> > > >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From mmontgomery at theplanet.com Tue Jan 3 18:35:00 2006 From: mmontgomery at theplanet.com (Michael Montgomery) Date: Tue, 03 Jan 2006 12:35:00 -0600 Subject: [Fedora-directory-users] Server-Side ACLs for pam_ldap logins. In-Reply-To: <43BAC283.9060900@redhat.com> References: <43B074A3.6010704@gmail.com> <1135789647.3537.11.camel@localhost> <43BA91F5.1090909@redhat.com> <1136312398.12696.15.camel@localhost> <43BAC283.9060900@redhat.com> Message-ID: <1136313301.12696.19.camel@localhost> Thanks for the response. I'll read up on this, and see if I can get this working. On Tue, 2006-01-03 at 11:29 -0700, Richard Megginson wrote: > Michael Montgomery wrote: > > >I do agree that this is closer to what I'm looking for, but the first > >problem I see is that I wanted to allow Groups of people to login to > >Groups of servers like: > > > >cn=www,ou=Group,dc=example,dc=com is a group of www servers. > >cn=Unix,ou=Group,dc=example,dc=com is a group of Unix users. > > > >So basically, on the people in the Unix group, can login to the www > >servers, and so forth. > > > > > Right. The host attribute is per user. You could set up a Roles for > your users, and use Class of Service to automatically add the host > attribute to the role members. 
From HaneJ at gsicommerce.com Tue Jan 3 18:54:32 2006 From: HaneJ at gsicommerce.com (Jason Hane) Date: Tue, 3 Jan 2006 13:54:32 -0500 Subject: [Fedora-directory-users] Server-Side ACLs for pam_ldap logins. Message-ID: I had a similar question a few weeks ago. I wanted to be able to assign a list of users access to only a specific number of computers. This is the response I got from Gary Tay: FDS is very similar to SUN ONE DS5.2, I think netgroup (+@netgroupXXX in /etc/passwd and /etc/shadow and "compat" keyword in /etc/nsswitch.conf) LDAP maps could be setup to achieve what you want, it has been used by many DS5.2 administrators See: http://web.singnet.com.sg/~garyttt/Installing%20and%20configuring%20OpenLDAP%20for%20RedHat%20Enterprise%20Linux3.htm Step 5Y: Configure "netgroup" to work with RedHat or Solaris Native LDAP Clients (i.e. controlling user access to host using netgroup LDAP maps) Also see: http://swforum.sun.com/jive/thread.jspa?threadID=52764&messageID=223846#223846 Configuring LDAP netgroups Gary -----Original Message----- From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Michael Montgomery Sent: Tuesday, January 03, 2006 1:35 PM To: General discussion list for the Fedora Directory server project. Subject: Re: [Fedora-directory-users] Server-Side ACLs for pam_ldap logins. Thanks for the response. I'll read up on this, and see if I can get this working. On Tue, 2006-01-03 at 11:29 -0700, Richard Megginson wrote: > Michael Montgomery wrote: > > >I do agree that this is closer to what I'm looking for, but the first > >problem I see is that I wanted to allow Groups of people to login to > >Groups of servers like: > > > >cn=www,ou=Group,dc=example,dc=com is a group of www servers. > >cn=Unix,ou=Group,dc=example,dc=com is a group of Unix users. > > > >So basically, on the people in the Unix group, can login to the www > >servers, and so forth. > > > > > Right.
The host attribute is per user. You could set up a Roles for > your users, and use Class of Service to automatically add the host > attribute to the role members. -- Fedora-directory-users mailing list Fedora-directory-users at redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users From ulf.weltman at hp.com Tue Jan 3 19:28:05 2006 From: ulf.weltman at hp.com (Ulf Weltman) Date: Tue, 03 Jan 2006 11:28:05 -0800 Subject: [Fedora-directory-users] Chain On Update problem In-Reply-To: <43BAB034.2050709@redhat.com> References: <43B074A3.6010704@gmail.com> <43BAB034.2050709@redhat.com> Message-ID: <43BAD045.1020202@hp.com> Richard Megginson wrote: > ILoveJython wrote: > >> I have read the document: >> >> Howto:ChainOnUpdate - Fedora Directory Server >> >> >> and have been unable to get it to work. When I attempt a write to the >> consumer it makes the change on the >> consumer and does not update the master. > > > This is bad. If the consumer is configured to be a read only consumer > you should not be able to make a change on it. You should either get > a referral returned from the consumer to the client program which the > client program will follow to make the change on the master, or, if > chain on update is working, you will see the operation on the consumer > and the same corresponding operation sent to the master. > >> With the next change on the master of any kind, >> the mapping tree entry for this suffix changes from "nsslapd-state: >> backend" to "nsslapd-state: referral on update". >> Once this state changes, my client complains that it cannot update, >> since it cannot follow referrals. > > > Ulf, you've been able to get this running, right? Yes, I was testing this a few weeks ago with the 7.1 release on HP-UX. 
It was configured with the instructions in the wiki document with a minor change to a malformed ACI (but that shouldn't cause this problem): http://directory.fedora.redhat.com/wiki?title=Howto%3AChainOnUpdate&diff=0&oldid=2794 There was also a minor issue with a spurious warning being logged. It doesn't cause any harm, just an inconvenience: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=176293 Danney, can you paste us these entries from your consumer's dse.ldif? dn: cn="{your replicated suffix}", cn=mapping tree, cn=config dn: cn=replica, cn="{your replicated suffix}", cn=mapping tree, cn=config dn: cn=config, cn=chaining database, cn=plugins, cn=config dn: cn={name of your chaining backend}, cn=chaining database, cn=plugins, cn=config In the fourth one you can blank out the "nsmultiplexorcredentials" value before you send it. > >> >> In addition, there are no log entries on the master to indicate any >> activity back from the consumer to the master, i.e. >> a proxy login. >> >> ------------------------------------------------------------------------ >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> >------------------------------------------------------------------------ > >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users > > From danney.jarman at gmail.com Tue Jan 3 19:26:17 2006 From: danney.jarman at gmail.com (ILoveJython) Date: Tue, 03 Jan 2006 13:26:17 -0600 Subject: [Fedora-directory-users] Chain On Update problem In-Reply-To: <43BAB034.2050709@redhat.com> References: <43B074A3.6010704@gmail.com> <43BAB034.2050709@redhat.com> Message-ID: <43BACFD9.6090103@gmail.com> Richard Megginson wrote: > ILoveJython wrote: > >> I have read the document: >> >> Howto:ChainOnUpdate - Fedora Directory Server >> >> >> and have been unable to get it to work. 
When I attempt a write to the >> consumer it makes the change on the >> consumer and does not update the master. > > > This is bad. If the consumer is configured to be a read only consumer > you should not be able to make a change on it. You should either get > a referral returned from the consumer to the client program which the > client program will follow to make the change on the master, or, if > chain on update is working, you will see the operation on the consumer > and the same corresponding operation sent to the master. > >> With the next change on the master of any kind, >> the mapping tree entry for this suffix changes from "nsslapd-state: >> backend" to "nsslapd-state: referral on update". >> Once this state changes, my client complains that it cannot update, >> since it cannot follow referrals. > > > Ulf, you've been able to get this running, right? > >> >> In addition, there are no log entries on the master to indicate any >> activity back from the consumer to the master, i.e. >> a proxy login. >> >> ------------------------------------------------------------------------ >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> >------------------------------------------------------------------------ > >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users > > I have yet to get it working. I have pretty much tried everything I can think of to get it going, but no success. I would be quite happy to provide as much detail as is necessary to get it going, since in my environment, this functionality would be quite helpful. -------------- next part -------------- An HTML attachment was scrubbed... 
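The netgroup approach Gary Tay suggests above (quoted by Jason Hane) is easiest to judge with the matching rules spelled out. What follows is an added example for this thread, not code from Fedora DS, nss_ldap or pam_access: a small Python model of RFC 2307 `nisNetgroup` data (`nisNetgroupTriple` values plus `memberNisNetgroup` nesting) and of the pam_access `access.conf` user-field forms that consume it, including the `@usergroup@@hostgroup` form in which the second netgroup is matched against the local hostname (the form Dan Cox uses later in the thread). The netgroup contents, the user names, the `example.com` hostnames and the `access.conf` text are all constructed for the example; `(group)` tokens and `EXCEPT` clauses are left out of the model.

```python
"""Added example: RFC 2307 netgroups consumed by pam_access-style access.conf rules.

Not code from Fedora DS, nss_ldap or pam_access. Every directory entry, user,
host name and access.conf line below is constructed for illustration only.
"""
from typing import Dict, Optional, Set

# Constructed sample of what nss_ldap would assemble from nisNetgroup entries.
# "triples" mirrors nisNetgroupTriple values (host, user, domain); "members"
# mirrors memberNisNetgroup (nested netgroups). In a triple an empty field is a
# wildcard and "-" matches nothing, the usual innetgr(3) conventions.
NETGROUPS: Dict[str, Dict[str, list]] = {
    "QA":        {"triples": [("", "alice", ""), ("", "bob", "")], "members": []},
    "Unix":      {"triples": [("", "carol", "")], "members": ["QA"]},  # QA nested in Unix
    "Ops":       {"triples": [("bastion.example.com", "erin", "")], "members": []},
    "QAServers": {"triples": [("qa1.example.com", "", ""), ("qa2.example.com", "", "")],
                  "members": []},
    "www":       {"triples": [("www1.example.com", "", "")], "members": []},
}

# Constructed access.conf: "permission : users : origins", first match wins.
ACCESS_CONF = """
# root everywhere; QA users on QA servers; Unix users (QA nested) on www servers;
# (host, user) pairs listed in Ops; deny everyone else (no match would permit).
+ : root : ALL
+ : @QA@@QAServers : ALL
+ : @Unix@@www : ALL
+ : @@Ops : ALL
- : ALL : ALL
"""


def _field_ok(field: str, value: Optional[str]) -> bool:
    """One triple field: '' is a wildcard, '-' never matches, None = unconstrained."""
    if value is None or field == "":
        return True
    if field == "-":
        return False
    return field.lower() == value.lower()


def innetgr(netgroup: str, host: Optional[str], user: Optional[str],
            _seen: Optional[Set[str]] = None) -> bool:
    """innetgr(3)-style test with a NULL domain (the domain field is not constrained).
    Follows memberNisNetgroup nesting; unknown or cyclic netgroups never match."""
    seen = _seen if _seen is not None else set()
    if netgroup in seen or netgroup not in NETGROUPS:
        return False
    seen.add(netgroup)
    entry = NETGROUPS[netgroup]
    if any(_field_ok(h, host) and _field_ok(u, user) for h, u, _domain in entry["triples"]):
        return True
    return any(innetgr(m, host, user, seen) for m in entry["members"])


def origin_token_matches(token: str, origin: str) -> bool:
    """Origins field token: ALL, LOCAL (origin without a dot), @hostnetgroup, or a literal."""
    if token == "ALL":
        return True
    if token == "LOCAL":
        return "." not in origin
    if token.startswith("@"):
        return innetgr(token.lstrip("@"), origin, None)
    return token.lower() == origin.lower()


def user_token_matches(token: str, user: str, local_host: str) -> bool:
    """Users field token: ALL, a login name, '@ng', '@@ng' or '@ng@@hg'.
    '@ng@@hg' splits at the first '@' after the leading ones: the left part is a
    user test, the right part an origin test applied to the *local* hostname."""
    if token == "ALL":
        return True
    if not token.startswith("@"):
        return token == user
    lead = len(token) - len(token.lstrip("@"))
    body = token[lead:]
    if "@" in body:
        user_part, host_part = body.split("@", 1)
        return (user_token_matches("@" * lead + user_part, user, local_host)
                and origin_token_matches(host_part, local_host))
    if lead >= 2:                      # '@@ng': host and user both go into the lookup
        return innetgr(body, local_host, user)
    return innetgr(body, None, user)


def access_allowed(conf: str, user: str, local_host: str, origin: str) -> bool:
    """First matching line decides ('+' permit, '-' deny); no matching line permits."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) != 3:
            continue
        perm, users, origins = fields
        if (any(user_token_matches(t, user, local_host) for t in users.split())
                and any(origin_token_matches(t, origin) for t in origins.split())):
            return perm == "+"
    return True


if __name__ == "__main__":
    for who, where in [("alice", "qa1.example.com"), ("alice", "www1.example.com"),
                       ("carol", "qa1.example.com"), ("erin", "bastion.example.com"),
                       ("erin", "qa1.example.com"), ("dave", "qa2.example.com")]:
        verdict = "permit" if access_allowed(ACCESS_CONF, who, where, "LOCAL") else "deny"
        print(f"{who:6s} on {where:20s} -> {verdict}")
```

The point the model makes visible: `alice` is permitted on `www1.example.com` only because `QA` is nested inside `Unix`, `carol` is refused on the QA servers even though she is a Unix user, and the trailing `- : ALL : ALL` matters because pam_access permits when no line matches. In a real deployment the triples come from the directory through `netgroup: files ldap` in `/etc/nsswitch.conf` (with nss_ldap's `nss_base_netgroup` pointing at the netgroup subtree), and membership is checked with `getent netgroup QA` on the client before blaming the PAM rules.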
URL: From dan at wep.net Tue Jan 3 20:54:42 2006 From: dan at wep.net (Dan Cox) Date: Tue, 03 Jan 2006 14:54:42 -0600 Subject: [Fedora-directory-users] Server-Side ACLs for pam_ldap logins. In-Reply-To: References: Message-ID: <43BAE492.4040103@wep.net> As an alternative, I've used the ldap/netgroup integration for many years and it seems the cleanest way of doing it when used in conjunction with pam's access.conf. It allows me to push the same /etc/passwd and /etc/security/access.conf to all machines on the network via something like CFEngine. The access.conf consists of something like (allow all QA users access to QA systems): + : @QA@@QAServers : ALL Then I just add or remove the user or machine in the ldap netgroup entry. The real power with using ldap based netgroups is when you realize all of the services that can consume netgroup information, unlike the simple user based host attribute. For example, you can push a global /etc/sudoers and specify certain groups of users can run certain commands on particular groups of machines all on one line. CFEngine itself can query netgroups to know what config files to push, tools like dsh (distributed ssh) can use netgroups as machine targets for commands, etc. I've administered some very large networks of machines with these tools and it makes it very easy to control. Dan- Jason Hane wrote: >I had a similar question a few weeks ago. I wanted to be able to assign >a list of users access to only a specific number of computers. 
This is >the response I got from Gary Tay: > >FDS is very similar to SUN ONE DS5.2, I think netgroup (+ at netgroupXXX in >/etc/passwd and /etc/shadow and "compat" keyword in /etc/nsswitch.conf) >LDAP maps could be setup to achieve what you want, it has been used by >many DS5.2 administrators > >See: >http://web.singnet.com.sg/~garyttt/Installing%20and%20configuring%20Open >LDAP%20for%20RedHat%20Enterprise%20Linux3.htm >Step 5Y: Configure "netgroup" to work with RedHat or Solaris Native LDAP >Clients >(i.e. controlling user access to host using netgroup LDAP maps) > >Also see: >http://swforum.sun.com/jive/thread.jspa?threadID=52764&messageID=223846# >223846 >Configuring LDAP netgroups > >Gary > >-----Original Message----- >From: fedora-directory-users-bounces at redhat.com >[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Michael >Montgomery >Sent: Tuesday, January 03, 2006 1:35 PM >To: General discussion list for the Fedora Directory server project. >Subject: Re: [Fedora-directory-users] Server-Side ACLs for pam_ldap >logins. > >Thanks for the response. I'll read up on this, and see if I can get >this working. > >On Tue, 2006-01-03 at 11:29 -0700, Richard Megginson wrote: > > >>Michael Montgomery wrote: >> >> >> >>>I do agree that this is closer to what I'm looking for, but the first >>> >>> > > > >>>problem I see is that I wanted to allow Groups of people to login to >>>Groups of servers like: >>> >>>cn=www,ou=Group,dc=example,dc=com is a group of www servers. >>>cn=Unix,ou=Group,dc=example,dc=com is a group of Unix users. >>> >>>So basically, on the people in the Unix group, can login to the www >>>servers, and so forth. >>> >>> >>> >>> >>Right. The host attribute is per user. You could set up a Roles for >>your users, and use Class of Service to automatically add the host >>attribute to the role members. 
>> >> > > >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users > >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users > > From rmeggins at redhat.com Tue Jan 3 21:05:44 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Tue, 03 Jan 2006 14:05:44 -0700 Subject: [Fedora-directory-users] Server-Side ACLs for pam_ldap logins. In-Reply-To: <43BAE492.4040103@wep.net> References: <43BAE492.4040103@wep.net> Message-ID: <43BAE728.8070301@redhat.com> This looks very interesting and useful. Would you mind writing up something I can post on the Fedora DS wiki? Don't worry about formatting, spelling, etc. I can fix that up. Dan Cox wrote: > > As an alternative, I've used the ldap/netgroup integration for many > years and it seems the cleanest way of doing it when used in > conjunction with pam's access.conf. It allows me to push the same > /etc/passwd and /etc/security/access.conf to all machines on the > network via something like CFEngine. > > The access.conf consists of something like (allow all QA users access > to QA systems): > + : @QA@@QAServers : ALL > > Then I just add or remove the user or machine in the ldap netgroup > entry. The real power with using ldap based netgroups is when you > realize all of the services that can consume netgroup information, > unlike the simple user based host attribute. For example, you can push > a global /etc/sudoers and specify certain groups of users can run > certain commands on particular groups of machines all on one line. > CFEngine itself can query netgroups to know what config files to push, > tools like dsh (distributed ssh) can use netgroups as machine targets > for commands, etc. I've administered some very large networks of > machines with these tools and it makes it very easy to control. 
> > Dan- > > Jason Hane wrote: > >> I had a similar question a few weeks ago. I wanted to be able to assign >> a list of users access to only a specific number of computers. This is >> the response I got from Gary Tay: >> >> FDS is very similar to SUN ONE DS5.2, I think netgroup (+ at netgroupXXX in >> /etc/passwd and /etc/shadow and "compat" keyword in /etc/nsswitch.conf) >> LDAP maps could be setup to achieve what you want, it has been used by >> many DS5.2 administrators >> >> See: >> http://web.singnet.com.sg/~garyttt/Installing%20and%20configuring%20Open >> LDAP%20for%20RedHat%20Enterprise%20Linux3.htm >> Step 5Y: Configure "netgroup" to work with RedHat or Solaris Native LDAP >> Clients >> (i.e. controlling user access to host using netgroup LDAP maps) >> >> Also see: >> http://swforum.sun.com/jive/thread.jspa?threadID=52764&messageID=223846# >> 223846 >> Configuring LDAP netgroups >> Gary >> -----Original Message----- >> From: fedora-directory-users-bounces at redhat.com >> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Michael >> Montgomery >> Sent: Tuesday, January 03, 2006 1:35 PM >> To: General discussion list for the Fedora Directory server project. >> Subject: Re: [Fedora-directory-users] Server-Side ACLs for pam_ldap >> logins. >> >> Thanks for the response. I'll read up on this, and see if I can get >> this working. >> >> On Tue, 2006-01-03 at 11:29 -0700, Richard Megginson wrote: >> >> >>> Michael Montgomery wrote: >>> >>> >>> >>>> I do agree that this is closer to what I'm looking for, but the first >>>> >>> >> >> >> >>>> problem I see is that I wanted to allow Groups of people to login >>>> to Groups of servers like: >>>> >>>> cn=www,ou=Group,dc=example,dc=com is a group of www servers. >>>> cn=Unix,ou=Group,dc=example,dc=com is a group of Unix users. >>>> >>>> So basically, on the people in the Unix group, can login to the www >>>> servers, and so forth. >>>> >>>> >>>> >>> >>> Right. The host attribute is per user. 
You could set up Roles for your users, and use Class of Service to automatically add the host attribute to the role members.
>>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From HaneJ at gsicommerce.com Tue Jan 3 21:10:39 2006
From: HaneJ at gsicommerce.com (Jason Hane)
Date: Tue, 3 Jan 2006 16:10:39 -0500
Subject: [Fedora-directory-users] Server-Side ACLs for pam_ldap logins.
Message-ID:

I second that. Dan, if you can provide any resources you used to set up your netgroups I would hail at your feet. I've been playing with netgroups unsuccessfully for the past month and a half and haven't been able to get it to work. All my clients are RedHat ES 3&4.

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard Megginson
Sent: Tuesday, January 03, 2006 4:06 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Server-Side ACLs for pam_ldap logins.

This looks very interesting and useful. Would you mind writing up something I can post on the Fedora DS wiki? Don't worry about formatting, spelling, etc. I can fix that up.

Dan Cox wrote:
> As an alternative, I've used the ldap/netgroup integration for many years and it seems the cleanest way of doing it when used in conjunction with pam's access.conf. It allows me to push the same /etc/passwd and /etc/security/access.conf to all machines on the network via something like CFEngine.
>
> The access.conf consists of something like (allow all QA users access to QA systems):
>
> + : @QA@@QAServers : ALL
>
> Then I just add or remove the user or machine in the ldap netgroup entry. The real power with using ldap based netgroups is when you realize all of the services that can consume netgroup information, unlike the simple user based host attribute. For example, you can push a global /etc/sudoers and specify certain groups of users can run certain commands on particular groups of machines all on one line. CFEngine itself can query netgroups to know what config files to push, tools like dsh (distributed ssh) can use netgroups as machine targets for commands, etc. I've administered some very large networks of machines with these tools and it makes it very easy to control.
>
> Dan-
>
> Jason Hane wrote:
>> I had a similar question a few weeks ago. I wanted to be able to assign a list of users access to only a specific number of computers. This is the response I got from Gary Tay:
>>
>> FDS is very similar to SUN ONE DS5.2, I think netgroup (+@netgroupXXX in /etc/passwd and /etc/shadow and "compat" keyword in /etc/nsswitch.conf) LDAP maps could be setup to achieve what you want, it has been used by many DS5.2 administrators
>>
>> See:
>> http://web.singnet.com.sg/~garyttt/Installing%20and%20configuring%20OpenLDAP%20for%20RedHat%20Enterprise%20Linux3.htm
>> Step 5Y: Configure "netgroup" to work with RedHat or Solaris Native LDAP Clients (i.e.
controlling user access to host using netgroup >> LDAP maps) >> >> Also see: >> http://swforum.sun.com/jive/thread.jspa?threadID=52764&messageID=2238 >> 46# >> 223846 >> Configuring LDAP netgroups >> Gary >> -----Original Message----- >> From: fedora-directory-users-bounces at redhat.com >> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of >> Michael Montgomery >> Sent: Tuesday, January 03, 2006 1:35 PM >> To: General discussion list for the Fedora Directory server project. >> Subject: Re: [Fedora-directory-users] Server-Side ACLs for pam_ldap >> logins. >> >> Thanks for the response. I'll read up on this, and see if I can get >> this working. >> >> On Tue, 2006-01-03 at 11:29 -0700, Richard Megginson wrote: >> >> >>> Michael Montgomery wrote: >>> >>> >>> >>>> I do agree that this is closer to what I'm looking for, but the >>>> first >>>> >>> >> >> >> >>>> problem I see is that I wanted to allow Groups of people to login >>>> to Groups of servers like: >>>> >>>> cn=www,ou=Group,dc=example,dc=com is a group of www servers. >>>> cn=Unix,ou=Group,dc=example,dc=com is a group of Unix users. >>>> >>>> So basically, on the people in the Unix group, can login to the www >>>> servers, and so forth. >>>> >>>> >>>> >>> >>> Right. The host attribute is per user. You could set up a Roles >>> for your users, and use Class of Service to automatically add the >>> host attribute to the role members. 
>>> >> >> >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users From dan at wep.net Tue Jan 3 21:45:59 2006 From: dan at wep.net (Dan Cox) Date: Tue, 03 Jan 2006 15:45:59 -0600 Subject: [Fedora-directory-users] Server-Side ACLs for pam_ldap logins. In-Reply-To: References: Message-ID: <43BAF097.602@wep.net> I suppose I could put something together.. are you talking about something from the ground up like setting up nss_ldap, adding entries into LDAP, etc. or assume some of the prerequisites are in place? Also I'm assuming some short example usages of the tools I've mentioned? Dan- Jason Hane wrote: >I second that. Dan if you can provide any resources you used to set up >your netgroups I would hail at your feet. I've been playing with >netgroups unsuccessfully for the past month and a half and haven't been >able to get it to work. All my clients are RedHat ES 3&4. > >-----Original Message----- >From: fedora-directory-users-bounces at redhat.com >[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard >Megginson >Sent: Tuesday, January 03, 2006 4:06 PM >To: General discussion list for the Fedora Directory server project. >Subject: Re: [Fedora-directory-users] Server-Side ACLs for pam_ldap >logins. > >This looks very interesting and useful. Would you mind writing up >something I can post on the Fedora DS wiki? Don't worry about >formatting, spelling, etc. I can fix that up. 
> >Dan Cox wrote: > > > >>As an alternative, I've used the ldap/netgroup integration for many >>years and it seems the cleanest way of doing it when used in >>conjunction with pam's access.conf. It allows me to push the same >>/etc/passwd and /etc/security/access.conf to all machines on the >>network via something like CFEngine. >> >>The access.conf consists of something like (allow all QA users access >>to QA systems): >>+ : @QA@@QAServers : ALL >> >>Then I just add or remove the user or machine in the ldap netgroup >>entry. The real power with using ldap based netgroups is when you >>realize all of the services that can consume netgroup information, >>unlike the simple user based host attribute. For example, you can push >> >> > > > >>a global /etc/sudoers and specify certain groups of users can run >>certain commands on particular groups of machines all on one line. >>CFEngine itself can query netgroups to know what config files to push, >> >> > > > >>tools like dsh (distributed ssh) can use netgroups as machine targets >>for commands, etc. I've administered some very large networks of >>machines with these tools and it makes it very easy to control. >> >>Dan- >> >>Jason Hane wrote: >> >> >> >>>I had a similar question a few weeks ago. I wanted to be able to >>>assign a list of users access to only a specific number of computers. >>> >>> > > > >>>This is the response I got from Gary Tay: >>> >>>FDS is very similar to SUN ONE DS5.2, I think netgroup (+ at netgroupXXX >>> >>> > > > >>>in /etc/passwd and /etc/shadow and "compat" keyword in >>>/etc/nsswitch.conf) LDAP maps could be setup to achieve what you >>>want, it has been used by many DS5.2 administrators >>> >>>See: >>>http://web.singnet.com.sg/~garyttt/Installing%20and%20configuring%20O >>>pen LDAP%20for%20RedHat%20Enterprise%20Linux3.htm >>>Step 5Y: Configure "netgroup" to work with RedHat or Solaris Native >>>LDAP Clients (i.e. 
controlling user access to host using netgroup >>>LDAP maps) >>> >>>Also see: >>>http://swforum.sun.com/jive/thread.jspa?threadID=52764&messageID=2238 >>>46# >>>223846 >>>Configuring LDAP netgroups >>>Gary >>>-----Original Message----- >>>From: fedora-directory-users-bounces at redhat.com >>>[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of >>>Michael Montgomery >>>Sent: Tuesday, January 03, 2006 1:35 PM >>>To: General discussion list for the Fedora Directory server project. >>>Subject: Re: [Fedora-directory-users] Server-Side ACLs for pam_ldap >>>logins. >>> >>>Thanks for the response. I'll read up on this, and see if I can get >>>this working. >>> >>>On Tue, 2006-01-03 at 11:29 -0700, Richard Megginson wrote: >>> >>> >>> >>> >>>>Michael Montgomery wrote: >>>> >>>> >>>> >>>> >>>> >>>>>I do agree that this is closer to what I'm looking for, but the >>>>>first >>>>> >>>>> >>>>> >>> >>> >>> >>> >>>>>problem I see is that I wanted to allow Groups of people to login >>>>>to Groups of servers like: >>>>> >>>>>cn=www,ou=Group,dc=example,dc=com is a group of www servers. >>>>>cn=Unix,ou=Group,dc=example,dc=com is a group of Unix users. >>>>> >>>>>So basically, on the people in the Unix group, can login to the www >>>>> >>>>> > > > >>>>>servers, and so forth. >>>>> >>>>> >>>>> >>>>> >>>>> >>>>Right. The host attribute is per user. You could set up a Roles >>>>for your users, and use Class of Service to automatically add the >>>>host attribute to the role members. 
>>>> >>>> >>>> >>> >>>-- >>>Fedora-directory-users mailing list >>>Fedora-directory-users at redhat.com >>>https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> >>>-- >>>Fedora-directory-users mailing list >>>Fedora-directory-users at redhat.com >>>https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> >>> >>> >>> >>-- >>Fedora-directory-users mailing list >>Fedora-directory-users at redhat.com >>https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> > > >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users > > From rmeggins at redhat.com Tue Jan 3 22:00:52 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Tue, 03 Jan 2006 15:00:52 -0700 Subject: [Fedora-directory-users] Server-Side ACLs for pam_ldap logins. In-Reply-To: <43BAF097.602@wep.net> References: <43BAF097.602@wep.net> Message-ID: <43BAF414.1000807@redhat.com> Dan Cox wrote: > I suppose I could put something together.. are you talking about > something from the ground up like setting up nss_ldap, adding entries > into LDAP, etc. or assume some of the prerequisites are in place? If there is already sufficient documentation on setting up nss_ldap or other prerequisites, then just a pointer to that will be fine. > Also I'm assuming some short example usages of the tools I've mentioned? Sure. At least on group based host access restriction, which seems to be the most asked for info. > > Dan- > > Jason Hane wrote: > >> I second that. Dan if you can provide any resources you used to set up >> your netgroups I would hail at your feet. I've been playing with >> netgroups unsuccessfully for the past month and a half and haven't been >> able to get it to work. All my clients are RedHat ES 3&4. 
>> >> -----Original Message----- >> From: fedora-directory-users-bounces at redhat.com >> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard >> Megginson >> Sent: Tuesday, January 03, 2006 4:06 PM >> To: General discussion list for the Fedora Directory server project. >> Subject: Re: [Fedora-directory-users] Server-Side ACLs for pam_ldap >> logins. >> >> This looks very interesting and useful. Would you mind writing up >> something I can post on the Fedora DS wiki? Don't worry about >> formatting, spelling, etc. I can fix that up. >> >> Dan Cox wrote: >> >> >> >>> As an alternative, I've used the ldap/netgroup integration for many >>> years and it seems the cleanest way of doing it when used in >>> conjunction with pam's access.conf. It allows me to push the same >>> /etc/passwd and /etc/security/access.conf to all machines on the >>> network via something like CFEngine. >>> >>> The access.conf consists of something like (allow all QA users >>> access to QA systems): >>> + : @QA@@QAServers : ALL >>> >>> Then I just add or remove the user or machine in the ldap netgroup >>> entry. The real power with using ldap based netgroups is when you >>> realize all of the services that can consume netgroup information, >>> unlike the simple user based host attribute. For example, you can push >>> >> >> >> >> >>> a global /etc/sudoers and specify certain groups of users can run >>> certain commands on particular groups of machines all on one line. >>> CFEngine itself can query netgroups to know what config files to push, >>> >> >> >> >> >>> tools like dsh (distributed ssh) can use netgroups as machine >>> targets for commands, etc. I've administered some very large >>> networks of machines with these tools and it makes it very easy to >>> control. >>> >>> Dan- >>> >>> Jason Hane wrote: >>> >>> >>> >>>> I had a similar question a few weeks ago. I wanted to be able to >>>> assign a list of users access to only a specific number of computers. 
>>>> >>> >> >> >> >>>> This is the response I got from Gary Tay: >>>> >>>> FDS is very similar to SUN ONE DS5.2, I think netgroup (+ at netgroupXXX >>>> >>> >> >> >> >>>> in /etc/passwd and /etc/shadow and "compat" keyword in >>>> /etc/nsswitch.conf) LDAP maps could be setup to achieve what you >>>> want, it has been used by many DS5.2 administrators >>>> >>>> See: >>>> http://web.singnet.com.sg/~garyttt/Installing%20and%20configuring%20O >>>> pen LDAP%20for%20RedHat%20Enterprise%20Linux3.htm >>>> Step 5Y: Configure "netgroup" to work with RedHat or Solaris Native >>>> LDAP Clients (i.e. controlling user access to host using netgroup >>>> LDAP maps) >>>> >>>> Also see: >>>> http://swforum.sun.com/jive/thread.jspa?threadID=52764&messageID=2238 >>>> 46# >>>> 223846 >>>> Configuring LDAP netgroups >>>> Gary >>>> -----Original Message----- >>>> From: fedora-directory-users-bounces at redhat.com >>>> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of >>>> Michael Montgomery >>>> Sent: Tuesday, January 03, 2006 1:35 PM >>>> To: General discussion list for the Fedora Directory server project. >>>> Subject: Re: [Fedora-directory-users] Server-Side ACLs for pam_ldap >>>> logins. >>>> >>>> Thanks for the response. I'll read up on this, and see if I can >>>> get this working. >>>> >>>> On Tue, 2006-01-03 at 11:29 -0700, Richard Megginson wrote: >>>> >>>> >>>> >>>> >>>>> Michael Montgomery wrote: >>>>> >>>>> >>>>> >>>>> >>>>> >>>>>> I do agree that this is closer to what I'm looking for, but the >>>>>> first >>>>>> >>>>> >>>> >>>> >>>> >>>> >>>>>> problem I see is that I wanted to allow Groups of people to login >>>>>> to Groups of servers like: >>>>>> >>>>>> cn=www,ou=Group,dc=example,dc=com is a group of www servers. >>>>>> cn=Unix,ou=Group,dc=example,dc=com is a group of Unix users. >>>>>> >>>>>> So basically, on the people in the Unix group, can login to the www >>>>>> >>>>> >> >> >> >>>>>> servers, and so forth. >>>>>> >>>>>> >>>>>> >>>>> >>>>> Right. 
The host attribute is per user. You could set up a Roles >>>>> for your users, and use Class of Service to automatically add the >>>>> host attribute to the role members. >>>>> >>>>> >>>> >>>> >>>> -- >>>> Fedora-directory-users mailing list >>>> Fedora-directory-users at redhat.com >>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>> >>>> -- >>>> Fedora-directory-users mailing list >>>> Fedora-directory-users at redhat.com >>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>> >>>> >>>> >>> >>> -- >>> Fedora-directory-users mailing list >>> Fedora-directory-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> >> >> >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From brudy at praecogito.com Tue Jan 3 23:02:30 2006 From: brudy at praecogito.com (Brian Rudy) Date: Tue, 03 Jan 2006 15:02:30 -0800 Subject: [Fedora-directory-users] Samba PDC using FDS backend Message-ID: <43BB0286.6000401@praecogito.com> Hi Folks, I had a crack at setting up a Samba PDC using a fresh installation of FDS 1.0.1 as the backend on one of our RHEL 3 servers per the Wiki Howto:Samba but ran into a few issues. In the section 'Populating FDS with PDC Entry', it instructs the user to run 'net getlocalsid'. 
This results in the following:

[root@mybox logs]# net getlocalsid
[2006/01/03 14:32:58, 0] lib/smbldap.c:smbldap_search_domain_info(1392)
  Adding domain info for CMOMA failed with NT_STATUS_UNSUCCESSFUL
SID for domain mybox is: S-1-5-21-4207250186-2406131440-3849861866

Thinking that I might just have a Samba configuration problem, I continued by attempting to add the following ldif:

dn: sambaDomainName=CMOMA,dc=cmoma,dc=mycompany,dc=com
objectclass: sambaDomain
objectclass: sambaUnixIDPool
objectclass: top
sambaDomainName: CMOMA
sambaSID: S-1-5-21-4207250186-2406131440-3849861866
uidNumber: 550
gidNumber: 550

which resulted in the following error:

adding new entry sambaDomainName=CMOMA,dc=cmoma,dc=mycompany,dc=com
ldap_add: Object class violation
ldap_add: additional info: unknown object class "sambaUnixIDPool"

I double checked /opt/fedora-ds/slapd-/config/schema/61samba.ldif created in the initial setup steps and was unable to find a sambaUnixIDPool objectclass, but did see a sambaUnixIdPool. However, after I edited /tmp/sambaDomainName.ldif to reflect this objectclass name, ldif2ldap still complains about an 'unknown object class'.

Any idea of what might be happening here?

From prowley at redhat.com Tue Jan 3 23:08:52 2006
From: prowley at redhat.com (Pete Rowley)
Date: Tue, 03 Jan 2006 15:08:52 -0800
Subject: [Fedora-directory-users] Samba PDC using FDS backend
In-Reply-To: <43BB0286.6000401@praecogito.com>
References: <43BB0286.6000401@praecogito.com>
Message-ID: <43BB0404.2030307@redhat.com>

Brian Rudy wrote:
> I double checked /opt/fedora-ds/slapd-/config/schema/61samba.ldif created in the initial setup steps and was unable to find a sambaUnixIDPool objectclass, but did see a sambaUnixIdPool.

These two values /should/ be equivalent.

> Any idea of what might be happening here?

Did you restart the server after you initially added the new schema files?

--
Pete

From tscherf at redhat.com Wed Jan 4 00:16:27 2006
From: tscherf at redhat.com (Thorsten Scherf)
Date: Wed, 04 Jan 2006 01:16:27 +0100
Subject: [Fedora-directory-users] [Fwd: FDS doesn't start]
Message-ID: <43BB13DB.5000604@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Does anybody know why a fresh install of the latest FDS doesn't work properly? The error log is attached. System used is an updated FC3 box.

Happy Day.
Thorsten

- -------- Original Message --------
Subject: log
Date: Wed, 4 Jan 2006 01:13:55 +0100
From: root
To: tscherf at redhat.com

	Fedora-Directory/1.0.1 B2005.342.165
	tux1.tuxgeek.de:389 (/opt/fedora-ds/slapd-tux1)

[04/Jan/2006:01:06:21 +0100] - Fedora-Directory/1.0.1 B2005.342.165 starting up
[04/Jan/2006:01:06:21 +0100] - libdb: unable to initialize mutex: Function not implemented
[04/Jan/2006:01:06:21 +0100] - libdb: /opt/fedora-ds/slapd-tux1/db/__db.001: unable to initialize environment lock: Function not implemented
[04/Jan/2006:01:06:21 +0100] - Opening database environment (/opt/fedora-ds/slapd-tux1/db) failed.
err=38: Function not implemented [04/Jan/2006:01:06:21 +0100] - start: Failed to init database, err=38 Function not implemented [04/Jan/2006:01:06:21 +0100] - Failed to start database plugin ldbm database [04/Jan/2006:01:06:21 +0100] - WARNING: ldbm instance userRoot already exists [04/Jan/2006:01:06:21 +0100] - WARNING: ldbm instance NetscapeRoot already exists [04/Jan/2006:01:06:21 +0100] binder-based resource limits - nsLookThroughLimit: parameter error (slapi_reslimit_register() already registered) [04/Jan/2006:01:06:21 +0100] - start: Resource limit registration failed [04/Jan/2006:01:06:21 +0100] - Failed to start database plugin ldbm database [04/Jan/2006:01:06:21 +0100] - Error: Failed to resolve plugin dependencies [04/Jan/2006:01:06:21 +0100] - Error: postoperation plugin Roles Plugin is not started [04/Jan/2006:01:06:21 +0100] - Error: accesscontrol plugin ACL Plugin is not started [04/Jan/2006:01:06:21 +0100] - Error: preoperation plugin ACL preoperation is not started [04/Jan/2006:01:06:21 +0100] - Error: object plugin Legacy Replication Plugin is not started [04/Jan/2006:01:06:21 +0100] - Error: object plugin Multimaster Replication Plugin is not started [04/Jan/2006:01:06:21 +0100] - Error: postoperation plugin Class of Service is not started [04/Jan/2006:01:06:21 +0100] - Error: object plugin Views is not started [04/Jan/2006:01:06:21 +0100] - Error: preoperation plugin 7-bit check is not started [04/Jan/2006:01:06:21 +0100] - Error: preoperation plugin HTTP Client is not started [04/Jan/2006:01:06:21 +0100] - Error: database plugin ldbm database is not started [04/Jan/2006:01:07:11 +0100] - Fedora-Directory/1.0.1 B2005.342.165 starting up [04/Jan/2006:01:07:12 +0100] - libdb: unable to initialize mutex: Function not implemented [04/Jan/2006:01:07:12 +0100] - libdb: /opt/fedora-ds/slapd-tux1/db/__db.001: unable to initialize environment lock: Function not implemented [04/Jan/2006:01:07:12 +0100] - Opening database environment 
(/opt/fedora-ds/slapd-tux1/db) failed. err=38: Function not implemented [04/Jan/2006:01:07:12 +0100] - start: Failed to init database, err=38 Function not implemented [04/Jan/2006:01:07:12 +0100] - Failed to start database plugin ldbm database [04/Jan/2006:01:07:12 +0100] - WARNING: ldbm instance userRoot already exists [04/Jan/2006:01:07:12 +0100] - WARNING: ldbm instance NetscapeRoot already exists [04/Jan/2006:01:07:12 +0100] binder-based resource limits - nsLookThroughLimit: parameter error (slapi_reslimit_register() already registered) [04/Jan/2006:01:07:12 +0100] - start: Resource limit registration failed [04/Jan/2006:01:07:12 +0100] - Failed to start database plugin ldbm database [04/Jan/2006:01:07:12 +0100] - Error: Failed to resolve plugin dependencies [04/Jan/2006:01:07:12 +0100] - Error: preoperation plugin 7-bit check is not started [04/Jan/2006:01:07:12 +0100] - Error: accesscontrol plugin ACL Plugin is not started [04/Jan/2006:01:07:12 +0100] - Error: preoperation plugin ACL preoperation is not started [04/Jan/2006:01:07:12 +0100] - Error: postoperation plugin Class of Service is not started [04/Jan/2006:01:07:12 +0100] - Error: preoperation plugin HTTP Client is not started [04/Jan/2006:01:07:12 +0100] - Error: database plugin ldbm database is not started [04/Jan/2006:01:07:12 +0100] - Error: object plugin Legacy Replication Plugin is not started [04/Jan/2006:01:07:12 +0100] - Error: object plugin Multimaster Replication Plugin is not started [04/Jan/2006:01:07:12 +0100] - Error: postoperation plugin Roles Plugin is not started [04/Jan/2006:01:07:12 +0100] - Error: object plugin Views is not started [04/Jan/2006:01:08:33 +0100] - Fedora-Directory/1.0.1 B2005.342.165 starting up [04/Jan/2006:01:08:33 +0100] - libdb: unable to initialize mutex: Function not implemented [04/Jan/2006:01:08:33 +0100] - libdb: /opt/fedora-ds/slapd-tux1/db/__db.001: unable to initialize environment lock: Function not implemented [04/Jan/2006:01:08:33 +0100] - Opening 
database environment (/opt/fedora-ds/slapd-tux1/db) failed. err=38: Function not implemented [04/Jan/2006:01:08:33 +0100] - start: Failed to init database, err=38 Function not implemented [04/Jan/2006:01:08:33 +0100] - Failed to start database plugin ldbm database [04/Jan/2006:01:08:33 +0100] - WARNING: ldbm instance userRoot already exists [04/Jan/2006:01:08:33 +0100] - WARNING: ldbm instance NetscapeRoot already exists [04/Jan/2006:01:08:33 +0100] binder-based resource limits - nsLookThroughLimit: parameter error (slapi_reslimit_register() already registered) [04/Jan/2006:01:08:33 +0100] - start: Resource limit registration failed [04/Jan/2006:01:08:33 +0100] - Failed to start database plugin ldbm database [04/Jan/2006:01:08:33 +0100] - Error: Failed to resolve plugin dependencies [04/Jan/2006:01:08:33 +0100] - Error: preoperation plugin 7-bit check is not started [04/Jan/2006:01:08:33 +0100] - Error: accesscontrol plugin ACL Plugin is not started [04/Jan/2006:01:08:33 +0100] - Error: preoperation plugin ACL preoperation is not started [04/Jan/2006:01:08:33 +0100] - Error: postoperation plugin Class of Service is not started [04/Jan/2006:01:08:33 +0100] - Error: preoperation plugin HTTP Client is not started [04/Jan/2006:01:08:33 +0100] - Error: database plugin ldbm database is not started [04/Jan/2006:01:08:33 +0100] - Error: object plugin Legacy Replication Plugin is not started [04/Jan/2006:01:08:33 +0100] - Error: object plugin Multimaster Replication Plugin is not started [04/Jan/2006:01:08:33 +0100] - Error: postoperation plugin Roles Plugin is not started [04/Jan/2006:01:08:33 +0100] - Error: object plugin Views is not started - -- Thorsten Scherf, RHCA Mobile: ++49 172 61 32 548 GLS EMEA Instructor II Fax: ++49 2064 470 564 GPG KEY: 0x3B9280BB - 92BF AA4C 082B F5DD FB28 47CC C1F9 282D 3B92 80BB -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org 
iD8DBQFDuxPawfkoLTuSgLsRAjtnAKDB3LWqYLJklSmmlXllwZoAYoY2kwCbBEdF
KRFfmKFc9HAXvvUERaJ4ikY=
=zC1R
-----END PGP SIGNATURE-----

From rmeggins at redhat.com Wed Jan 4 00:31:32 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 03 Jan 2006 17:31:32 -0700
Subject: [Fedora-directory-users] [Fwd: FDS doesn't start]
In-Reply-To: <43BB13DB.5000604@redhat.com>
References: <43BB13DB.5000604@redhat.com>
Message-ID: <43BB1764.5060501@redhat.com>

Thorsten Scherf wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Does anybody know why a fresh install of the latest FDS doesn't work
>properly? The error log is attached. System used is an updated FC3 box.

Looks like it's using the wrong version of libdb. Try this:

cd /opt/fedora-ds/bin/slapd/server ; ldd ./ns-slapd

>Happy Day.
>Thorsten
>
>- -------- Original Message --------
>Subject: log
>Date: Wed, 4 Jan 2006 01:13:55 +0100
>From: root
>To: tscherf at redhat.com
>
>	Fedora-Directory/1.0.1 B2005.342.165
>	tux1.tuxgeek.de:389 (/opt/fedora-ds/slapd-tux1)
>
>[04/Jan/2006:01:06:21 +0100] - Fedora-Directory/1.0.1 B2005.342.165 starting up
>[04/Jan/2006:01:06:21 +0100] - libdb: unable to initialize mutex: Function not implemented
>[04/Jan/2006:01:06:21 +0100] - libdb: /opt/fedora-ds/slapd-tux1/db/__db.001: unable to initialize environment lock: Function not implemented
>[04/Jan/2006:01:06:21 +0100] - Opening database environment (/opt/fedora-ds/slapd-tux1/db) failed.
err=38: Function not implemented >[04/Jan/2006:01:06:21 +0100] - start: Failed to init database, err=38 >Function not implemented >[04/Jan/2006:01:06:21 +0100] - Failed to start database plugin ldbm database >[04/Jan/2006:01:06:21 +0100] - WARNING: ldbm instance userRoot already >exists >[04/Jan/2006:01:06:21 +0100] - WARNING: ldbm instance NetscapeRoot >already exists >[04/Jan/2006:01:06:21 +0100] binder-based resource limits - >nsLookThroughLimit: parameter error (slapi_reslimit_register() already >registered) >[04/Jan/2006:01:06:21 +0100] - start: Resource limit registration failed >[04/Jan/2006:01:06:21 +0100] - Failed to start database plugin ldbm database >[04/Jan/2006:01:06:21 +0100] - Error: Failed to resolve plugin dependencies >[04/Jan/2006:01:06:21 +0100] - Error: postoperation plugin Roles Plugin >is not started >[04/Jan/2006:01:06:21 +0100] - Error: accesscontrol plugin ACL Plugin is >not started >[04/Jan/2006:01:06:21 +0100] - Error: preoperation plugin ACL >preoperation is not started >[04/Jan/2006:01:06:21 +0100] - Error: object plugin Legacy Replication >Plugin is not started >[04/Jan/2006:01:06:21 +0100] - Error: object plugin Multimaster >Replication Plugin is not started >[04/Jan/2006:01:06:21 +0100] - Error: postoperation plugin Class of >Service is not started >[04/Jan/2006:01:06:21 +0100] - Error: object plugin Views is not started >[04/Jan/2006:01:06:21 +0100] - Error: preoperation plugin 7-bit check is >not started >[04/Jan/2006:01:06:21 +0100] - Error: preoperation plugin HTTP Client is >not started >[04/Jan/2006:01:06:21 +0100] - Error: database plugin ldbm database is >not started >[04/Jan/2006:01:07:11 +0100] - Fedora-Directory/1.0.1 B2005.342.165 >starting up >[04/Jan/2006:01:07:12 +0100] - libdb: unable to initialize mutex: >Function not implemented >[04/Jan/2006:01:07:12 +0100] - libdb: >/opt/fedora-ds/slapd-tux1/db/__db.001: unable to initialize environment >lock: Function not implemented >[04/Jan/2006:01:07:12 +0100] - Opening 
database environment (/opt/fedora-ds/slapd-tux1/db) failed. err=38: Function not implemented
>[04/Jan/2006:01:07:12 +0100] - start: Failed to init database, err=38 Function not implemented
>[04/Jan/2006:01:07:12 +0100] - Failed to start database plugin ldbm database
>[04/Jan/2006:01:07:12 +0100] - WARNING: ldbm instance userRoot already exists
>[04/Jan/2006:01:07:12 +0100] - WARNING: ldbm instance NetscapeRoot already exists
>[04/Jan/2006:01:07:12 +0100] binder-based resource limits - nsLookThroughLimit: parameter error (slapi_reslimit_register() already registered)
>[04/Jan/2006:01:07:12 +0100] - start: Resource limit registration failed
>[04/Jan/2006:01:07:12 +0100] - Failed to start database plugin ldbm database
>[04/Jan/2006:01:07:12 +0100] - Error: Failed to resolve plugin dependencies
>[04/Jan/2006:01:07:12 +0100] - Error: preoperation plugin 7-bit check is not started
>[04/Jan/2006:01:07:12 +0100] - Error: accesscontrol plugin ACL Plugin is not started
>[04/Jan/2006:01:07:12 +0100] - Error: preoperation plugin ACL preoperation is not started
>[04/Jan/2006:01:07:12 +0100] - Error: postoperation plugin Class of Service is not started
>[04/Jan/2006:01:07:12 +0100] - Error: preoperation plugin HTTP Client is not started
>[04/Jan/2006:01:07:12 +0100] - Error: database plugin ldbm database is not started
>[04/Jan/2006:01:07:12 +0100] - Error: object plugin Legacy Replication Plugin is not started
>[04/Jan/2006:01:07:12 +0100] - Error: object plugin Multimaster Replication Plugin is not started
>[04/Jan/2006:01:07:12 +0100] - Error: postoperation plugin Roles Plugin is not started
>[04/Jan/2006:01:07:12 +0100] - Error: object plugin Views is not started
>[04/Jan/2006:01:08:33 +0100] - Fedora-Directory/1.0.1 B2005.342.165 starting up
>[04/Jan/2006:01:08:33 +0100] - libdb: unable to initialize mutex: Function not implemented
>[04/Jan/2006:01:08:33 +0100] - libdb: /opt/fedora-ds/slapd-tux1/db/__db.001: unable to initialize environment lock: Function not implemented
>[04/Jan/2006:01:08:33 +0100] - Opening database environment (/opt/fedora-ds/slapd-tux1/db) failed. err=38: Function not implemented
>[04/Jan/2006:01:08:33 +0100] - start: Failed to init database, err=38 Function not implemented
>[04/Jan/2006:01:08:33 +0100] - Failed to start database plugin ldbm database
>[04/Jan/2006:01:08:33 +0100] - WARNING: ldbm instance userRoot already exists
>[04/Jan/2006:01:08:33 +0100] - WARNING: ldbm instance NetscapeRoot already exists
>[04/Jan/2006:01:08:33 +0100] binder-based resource limits - nsLookThroughLimit: parameter error (slapi_reslimit_register() already registered)
>[04/Jan/2006:01:08:33 +0100] - start: Resource limit registration failed
>[04/Jan/2006:01:08:33 +0100] - Failed to start database plugin ldbm database
>[04/Jan/2006:01:08:33 +0100] - Error: Failed to resolve plugin dependencies
>[04/Jan/2006:01:08:33 +0100] - Error: preoperation plugin 7-bit check is not started
>[04/Jan/2006:01:08:33 +0100] - Error: accesscontrol plugin ACL Plugin is not started
>[04/Jan/2006:01:08:33 +0100] - Error: preoperation plugin ACL preoperation is not started
>[04/Jan/2006:01:08:33 +0100] - Error: postoperation plugin Class of Service is not started
>[04/Jan/2006:01:08:33 +0100] - Error: preoperation plugin HTTP Client is not started
>[04/Jan/2006:01:08:33 +0100] - Error: database plugin ldbm database is not started
>[04/Jan/2006:01:08:33 +0100] - Error: object plugin Legacy Replication Plugin is not started
>[04/Jan/2006:01:08:33 +0100] - Error: object plugin Multimaster Replication Plugin is not started
>[04/Jan/2006:01:08:33 +0100] - Error: postoperation plugin Roles Plugin is not started
>[04/Jan/2006:01:08:33 +0100] - Error: object plugin Views is not started
>
>- --
>Thorsten Scherf, RHCA        Mobile: ++49 172 61 32 548
>GLS EMEA Instructor II       Fax: ++49 2064 470 564
>
>GPG KEY: 0x3B9280BB - 92BF AA4C 082B F5DD FB28 47CC C1F9 282D 3B92 80BB
>
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.4.1 (GNU/Linux)
>Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>
>iD8DBQFDuxPawfkoLTuSgLsRAjtnAKDB3LWqYLJklSmmlXllwZoAYoY2kwCbBEdF
>KRFfmKFc9HAXvvUERaJ4ikY=
>=zC1R
>-----END PGP SIGNATURE-----
>
>--
>Fedora-directory-users mailing list
>Fedora-directory-users at redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users

From brudy at praecogito.com Wed Jan 4 00:34:22 2006
From: brudy at praecogito.com (Brian Rudy)
Date: Tue, 03 Jan 2006 16:34:22 -0800
Subject: [Fedora-directory-users] Samba PDC using FDS backend
In-Reply-To: <43BB0404.2030307@redhat.com>
References: <43BB0286.6000401@praecogito.com> <43BB0404.2030307@redhat.com>
Message-ID: <43BB180E.70406@praecogito.com>

Pete Rowley wrote:
> Brian Rudy wrote:
>
>> I double checked /opt/fedora-ds/slapd-/config/schema/61samba.ldif created in
>> the initial setup steps and was unable to find a sambaUnixIDPool
>> objectclass, but did see a sambaUnixIdPool.
>
> These two values /should/ be equivalent.
>
>> Any idea of what might be happening here?
>
> Did you restart the server after you initially added the new schema
> files?

I did indeed. It almost looks like 61samba.ldif isn't being used for some reason...

From tscherf at redhat.com Wed Jan 4 01:09:45 2006
From: tscherf at redhat.com (Thorsten Scherf)
Date: Wed, 04 Jan 2006 02:09:45 +0100
Subject: [Fedora-directory-users] [Fwd: FDS doesn't start]
In-Reply-To: <43BB1764.5060501@redhat.com>
References: <43BB13DB.5000604@redhat.com> <43BB1764.5060501@redhat.com>
Message-ID: <43BB2059.10700@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Richard Megginson wrote:
> Thorsten Scherf wrote:
>
> anybody knows why a fresh install of the latest FDS doesn't work
> properly? The error log is attached. System used is an updated FC3 box.
>
>> Looks like it's using the wrong version of libdb. Try this:
>> cd /opt/fedora-ds/bin/slapd/server ; ldd ./ns-slapd

This is the output:

[root at tux1 server]# ldd ./ns-slapd
        libslapd.so => ./libslapd.so (0x40018000)
        libssl3.so => ../lib/libssl3.so (0x400b8000)
        libnss3.so => ../lib/libnss3.so (0x400d8000)
        libsoftokn3.so => ../lib/libsoftokn3.so (0x4013b000)
        libssldap50.so => ../lib/libssldap50.so (0x401a1000)
        libldap50.so => ../lib/libldap50.so (0x401aa000)
        libprldap50.so => ../lib/libprldap50.so (0x401d3000)
        libplc4.so => ../lib/libplc4.so (0x401d7000)
        libplds4.so => ../lib/libplds4.so (0x401db000)
        libnspr4.so => ../lib/libnspr4.so (0x401de000)
        libdl.so.2 => /lib/libdl.so.2 (0x40216000)
        libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x4021b000)
        libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x4022f000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x40243000)
        libpthread.so.0 => /lib/i686/libpthread.so.0 (0x40271000)
        libdb-4.2.so => ./libdb-4.2.so (0x402c3000)
        libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x40369000)
        libm.so.6 => /lib/i686/libm.so.6 (0x40432000)
        libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x40455000)
        libc.so.6 => /lib/i686/libc.so.6 (0x4045d000)
        /lib/ld-linux.so.2 (0x40000000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x40587000)
        libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x4059b000)
        libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x40601000)
        libcom_err.so.2 => /lib/libcom_err.so.2 (0x40622000)

Any hints?
- --
Thorsten Scherf, RHCA        Mobile: ++49 172 61 32 548
GLS EMEA Instructor II       Fax: ++49 2064 470 564

GPG KEY: 0x3B9280BB - 92BF AA4C 082B F5DD FB28 47CC C1F9 282D 3B92 80BB
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFDuyBZwfkoLTuSgLsRAieeAKCb52YfoVK0iOl+V1GRW2yuTNJ9SACg4P98
/NB4gueuGj9Z8SXZd9GaBF8=
=cez6
-----END PGP SIGNATURE-----

From dan at wep.net Wed Jan 4 01:59:47 2006
From: dan at wep.net (Dan Cox)
Date: Tue, 03 Jan 2006 19:59:47 -0600
Subject: [Fedora-directory-users] Server-Side ACLs for pam_ldap logins.
In-Reply-To: <43BAF414.1000807@redhat.com>
References: <43BAF097.602@wep.net> <43BAF414.1000807@redhat.com>
Message-ID: <43BB2C13.8000901@wep.net>

Since I've been meaning to write this document for quite a while now it got a bit long, so feel free to trim it as needed. I concentrated mainly on how to implement login access control, but left some references to other possibilities. It may need to have some URL references added when it makes its way to the WIKI. I've attached it in OpenDocument form as well, which may be easier to read.

*System Access Control using LDAP backed NIS Netgroups*

There are many ways to control both login and service level authentication with Fedora Directory Server. Here, I will discuss a specific implementation using LDAP backed NIS Netgroups and detail what exactly makes them so powerful.

/Prerequisites/

 * Some knowledge of NIS and the netgroup triple syntax is in order. For those that do not have a netgroup man page available, you may see the Sun NIS FAQ http://www.sunhelp.org/faq/nis.html, Section 3.15 specifically.
 * An understanding of PAM and the PAM module stack.
 * A working implementation of nss_ldap, which acts as the NSS->NIS->LDAP gateway, is required.

/What are NIS netgroups good for?/

First, it's important to understand what a NIS netgroup gains the average system administrator. NIS Netgroups provide the ability to perform such tasks as:

 * Control both user and group login access to individual or groups of machines.
 * Manage NFS access control lists.
 * Control user and group sudo command access.
 * Execute remote commands or interactive logins on groups of machines with dsh (distributed shell).
 * Manage the configuration of your entire network on a role basis with CFEngine.

These are just a few of the excellent uses for NIS netgroups. If we take this functionality and implement an LDAP based backend, we can not only take advantage of these tools but gain the security, manageability and fault tolerance of Fedora Directory Server.

/How does it work?/

NIS netgroup entries are stored as an objectClass of type nisNetgroup in the directory server. The relative distinguished name attribute is typically cn (common name). There are two important attributes in creating the netgroup. Note that they are not mutually exclusive. Also, neither is required (sometimes having an empty netgroup is as valuable as one populated with values).

 * nisNetgroupTriple : This can be used to describe a user (,bobby,example.com) or a machine name (shellserver1,,example.com). This attribute can have multiple values.
 * memberNisNetgroup : This is a very powerful attribute. It is used to merge the attribute values of another netgroup into the current one by simply listing the name (cn) of the merging netgroup. This attribute can have multiple values as well.

You also want to attach a description attribute and value to your object. You were planning on describing that netgroup, weren't you?

Let's look at an example LDIF:

dn: cn=QAUsers,ou=Netgroup,dc=example,dc=com
objectClass: nisNetgroup
objectClass: top
cn: QAUsers
nisNetgroupTriple: (,bobby,example.com)
nisNetgroupTriple: (,joey,example.com)
description: All QA users in my organization

We can see here that the users 'bobby' and 'joey' belong to the QAUsers netgroup. Now, any tool that will query for the QAUsers netgroup will get back these values and can act upon them.

With nss_ldap appropriately configured and /etc/nsswitch.conf conveniently pointing netgroup queries to ldap, we can test this entry on the command line like so:

# getent netgroup QAUsers
QAUsers (,bobby,example.com) (,joey,example.com)

The getent command is part of the glibc-common package on Fedora. It can be used to query any of the available NSS databases.

Now, let's look at an LDIF defining which machines are QA systems on our network:

dn: cn=QASystems,ou=Netgroup,dc=example,dc=com
objectClass: nisNetgroup
objectClass: top
cn: QASystems
nisNetgroupTriple: (qa01,,example.com)
nisNetgroupTriple: (qa02,,example.com)
description: All QA systems on our network

OK, so we have our users and systems in place, now how do we give QAUsers login access to QASystems? Enter PAM's access.conf.

PAM has an often overlooked access control feature, the configuration of which is typically located in /etc/security/access.conf. It has the ability to use UNIX users and groups as well as NIS netgroups to control remote and local console access to the system. The documentation of the syntax should be contained within the configuration file itself.

We can give our users remote login access from our 10.x.x.x network with this line:

+ : @QAUsers@@QASystems : 10.

*NOTE*: PAM operates on a first match basis for granting access. This means you want to end your ACL list by denying all unmatched entries, but before you do that make sure root and/or your admin users have been matched! For example, adding root for console only, users in the Admins netgroup remote access and denying all other unmatched entries:

+ : root : LOCAL
+ : @Admins : 10.
- : ALL : ALL

An advantage to using machine groups in the access.conf is the ability to push out this access.conf configuration file to all systems in your network, regardless of whether they are related to QA. This gives an admin the ability to maintain a central access control list of general user and group pairs, which can be deployed via tools like CFEngine. If a QA user attempts to login to a non-QA system, PAM will first check for the user's name in the users portion of the ACL. If a match is found, it will then check if the current machine's hostname exists in the netgroup or machine name section. If the current machine does not belong to the netgroup, the ACL fails and the next one will be tried.

Since we have created our own framework of system and user group ACLs inside the LDAP server, we have decoupled access control from the actual posixAccount and posixGroup entries. This means that the user no longer requires an account in the LDAP server itself. A simple entry in /etc/passwd is good enough to apply access control in this manner.

With this infrastructure in place, we can now start up Fedora's Admin Console or our favorite LDAP editor and quickly add or remove login access to users and machines!

/Advanced Usage & Tips/

Use sub scope for your netgroup queries as configured in /etc/ldap.conf. This will give you the ability to create new netgroups inside organizationalUnit and other containers, which will help categorize your ACLs. nss_ldap is smart enough to only match objects of type nisNetgroup when performing its searches.

With the memberNisNetgroup attribute, we can join together our netgroups to achieve cascading access control and system groupings. What if the QAUsers bobby and joey were also members of a larger team called LinuxTeam, which contains individuals who aren't in QA? An example LDIF defining the LinuxTeam:

dn: cn=LinuxTeam,ou=Netgroup,dc=example,dc=com
objectClass: nisNetgroup
objectClass: top
cn: LinuxTeam
nisNetgroupTriple: (,frank,example.com)
nisNetgroupTriple: (,jill,example.com)
memberNisNetgroup: QA
memberNisNetgroup: Development
memberNisNetgroup: Operations
description: The Linux Team

Here we have defined some new users frank and jill as being part of the LinuxTeam. We have also automatically imported bobby and joey from the QA team as well as any additional users defined in our hypothetical Development and Operations groups. Any ACL for the LinuxTeam deployed on our network will not only apply to frank and jill, but to all imported users!

You may have noticed the nisNetgroupTriple's example.com entry. This is an indicator to NIS netgroup clients that the result of the netgroup query should only apply to servers in the example.com domain. If you have multiple domains, this can be a useful feature to further separate your ACLs. It's also completely optional. Leaving this portion of the triple empty will remove the domain restriction.

It's worth noting that the LDAP backend implementation discussed here can be implemented in other directory servers, including Active Directory. Also, client functionality can be applied to most modern, PAM enabled UNIX systems such as Linux and Solaris.

I hope this information will be useful for systems administrators out there trying to implement centralized and maintainable access control in their Linux/UNIX network. It can be done!

Dan Cox
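The mechanism Dan's post describes, modelled end to end as an added example (this is not code from the post, from nss_ldap or from pam_access): the nisNetgroup entries above are held in a dictionary that stands in for the directory, memberNisNetgroup references are followed the way nss_ldap follows them, innetgr(3)-style matching is applied to the triples, and the access.conf lines from the post are evaluated with pam_access's first-match rule. The Admins netgroup and the user alice are assumptions, the post's "QA" member is taken to mean the QAUsers netgroup, and Development and Operations are deliberately left undefined so the resolver's handling of a missing netgroup is exercised.

```python
"""Resolve LDAP-backed NIS netgroups and evaluate pam_access rules offline."""
import re
from collections import namedtuple

# Constructed stand-in for the directory: the netgroups from the post, keyed
# by cn. "QA" in the post's LinuxTeam entry is taken to mean QAUsers;
# Development and Operations (hypothetical in the post) are left undefined;
# Admins and alice are assumed for the access.conf example.
NETGROUPS = {
    "QAUsers": {"nisNetgroupTriple": ["(,bobby,example.com)", "(,joey,example.com)"]},
    "QASystems": {"nisNetgroupTriple": ["(qa01,,example.com)", "(qa02,,example.com)"]},
    "LinuxTeam": {"nisNetgroupTriple": ["(,frank,example.com)", "(,jill,example.com)"],
                  "memberNisNetgroup": ["QAUsers", "Development", "Operations"]},
    "Admins": {"nisNetgroupTriple": ["(,alice,)"]},
}

TRIPLE_RE = re.compile(r"^\(([^,()]*),([^,()]*),([^,()]*)\)$")


def parse_triple(value):
    """'(host,user,domain)' -> (host, user, domain); empty fields stay ''."""
    m = TRIPLE_RE.match(value.strip())
    if not m:
        raise ValueError("bad nisNetgroupTriple: %r" % value)
    return tuple(p.strip() for p in m.groups())


def resolve_netgroup(name, directory=NETGROUPS, _seen=None):
    """Every triple reachable from `name` through memberNisNetgroup links.
    Unknown netgroups contribute nothing; `_seen` breaks reference cycles."""
    _seen = set() if _seen is None else _seen
    if name in _seen or name not in directory:
        return []
    _seen.add(name)
    entry = directory[name]
    triples = [parse_triple(t) for t in entry.get("nisNetgroupTriple", [])]
    for member in entry.get("memberNisNetgroup", []):
        triples.extend(resolve_netgroup(member, directory, _seen))
    return triples


def innetgr(netgroup, host=None, user=None, domain=None, directory=NETGROUPS):
    """innetgr(3) semantics: an empty triple field matches anything, and a
    field the caller leaves as None is not checked at all."""
    def ok(wanted, have):
        return wanted is None or have == "" or wanted == have
    return any(ok(host, h) and ok(user, u) and ok(domain, d)
               for h, u, d in resolve_netgroup(netgroup, directory))


# user logging in, hostname of the machine logged into, and the origin
# (client address or hostname, or a tty name for console logins)
Login = namedtuple("Login", "user host origin")


def _user_matches(token, login):
    if token == "ALL":
        return True
    if token.startswith("@"):
        # "@users@@hosts": user in the first netgroup AND this machine in the
        # second; a bare "@users" checks only the user.
        user_ng, _, host_ng = token[1:].partition("@@")
        if not innetgr(user_ng, user=login.user):
            return False
        return host_ng == "" or innetgr(host_ng, host=login.host)
    return token == login.user


def _origin_matches(token, login):
    if token == "ALL":
        return True
    if token == "LOCAL":             # console login: origin is a tty name
        return "." not in login.origin and ":" not in login.origin
    if token.startswith("@"):
        return innetgr(token[1:], host=login.origin)
    if token.endswith("."):          # "10." style network prefix
        return login.origin.startswith(token)
    return login.origin == token


def parse_access_conf(text):
    """'perm : users : origins' lines -> [(permit, [users], [origins])]."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError("permission must be + or -: %r" % raw)
        rules.append((perm == "+", users.split(), origins.split()))
    return rules


def access_allowed(rules, login):
    """First matching rule decides. With no match pam_access grants access,
    which is why the post ends its list with '- : ALL : ALL'."""
    for permit, users, origins in rules:
        if (any(_user_matches(u, login) for u in users)
                and any(_origin_matches(o, login) for o in origins)):
            return permit
    return True


# The access.conf lines from the post, combined into one file.
RULES = parse_access_conf("""
+ : root : LOCAL
+ : @QAUsers@@QASystems : 10.
+ : @Admins : 10.
- : ALL : ALL
""")
```

Evaluating `access_allowed(RULES, Login("bobby", "qa01", "10.1.2.3"))` permits, the same user on a non-QA host or from outside 10/8 is denied by the final rule, and `innetgr("LinuxTeam", user="bobby")` is true only because the resolver followed memberNisNetgroup into QAUsers. Feeding `parse_access_conf("+ : root : LOCAL")` on its own shows the default-permit behaviour the post's NOTE warns about: with no catch-all deny, a user matched by no rule is let in.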
From rmeggins at redhat.com Wed Jan 4 02:25:29 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 03 Jan 2006 19:25:29 -0700
Subject: [Fedora-directory-users] [Fwd: FDS doesn't start]
In-Reply-To: <43BB2059.10700@redhat.com>
References: <43BB13DB.5000604@redhat.com> <43BB1764.5060501@redhat.com> <43BB2059.10700@redhat.com>
Message-ID: <43BB3219.4050304@redhat.com>

Hmm - could be that /usr/lib/libsasl2.so is linked against a different version of libdb - try ldd /usr/lib/libsasl2.so.2

Thorsten Scherf wrote:
> [...]

From david_list at boreham.org Wed Jan 4 04:50:19 2006
From: david_list at boreham.org (David Boreham)
Date: Tue, 03 Jan 2006 21:50:19 -0700
Subject: [Fedora-directory-users] Multiple sync agreements
In-Reply-To: <43A9B4C2.3090404@arbor.edu>
References: <43A9B4C2.3090404@arbor.edu>
Message-ID: <43BB540B.7030407@boreham.org>

Daniel Shackelford wrote:
> I am running FDS 1.0.1 and am syncing with AD on Win2003. All is
> well. I have a question about the way that 2 sync agreements would
> work. We are syncing the People OU, but our groups are in a sibling
> OU in AD, and are not synced. If I setup a second agreement for the
> groups, will the group membership be synchronized correctly? I guess
> I am asking if the group membership needs to be synced using the same
> agreement that syncs the users.
A bit late : holiday season etc... Anyway the answer is that two agreements should be ok in this scenario. Where you will run into trouble with multiple agreements is if you try to sync users in the _same_ subtree using two or more agreements. That will lead to strange results.

From tscherf at redhat.com Wed Jan 4 16:55:17 2006
From: tscherf at redhat.com (Thorsten Scherf)
Date: Wed, 04 Jan 2006 17:55:17 +0100
Subject: [Fedora-directory-users] [Fwd: FDS doesn't start]
In-Reply-To: <43BB3219.4050304@redhat.com>
References: <43BB13DB.5000604@redhat.com> <43BB1764.5060501@redhat.com> <43BB2059.10700@redhat.com> <43BB3219.4050304@redhat.com>
Message-ID: <43BBFDF5.6090700@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[root at tux1 system]# ldd /usr/lib/libsasl2.so.2
        libdl.so.2 => /lib/libdl.so.2 (0x4001c000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x40020000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x40035000)
        libc.so.6 => /lib/i686/libc.so.6 (0x40063000)
        /lib/ld-linux.so.2 (0x80000000)

Richard Megginson wrote:
> Hmm - could be that /usr/lib/libsasl2.so is linked against a different
> version of libdb - try ldd /usr/lib/libsasl2.so.2
>
> [...]

- --
Thorsten Scherf, RHCA        Mobile: ++49 172 61 32 548
GLS EMEA Instructor II       Fax: ++49 2064 470 564

GPG KEY: 0x3B9280BB - 92BF AA4C 082B F5DD FB28 47CC C1F9 282D 3B92 80BB
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFDu/30wfkoLTuSgLsRAgI4AJ414kt+p8jz7cgifxCAZTlb7LHVnQCg9wRu
w43BBfvSTBjrkxtKtrjlxOs=
=TGPB
-----END PGP SIGNATURE-----

From rmeggins at redhat.com Wed Jan 4 17:43:17 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 04 Jan 2006 10:43:17 -0700
Subject: [Fedora-directory-users] [Fwd: FDS doesn't start]
In-Reply-To: <43BBFDF5.6090700@redhat.com>
References: <43BB13DB.5000604@redhat.com> <43BB1764.5060501@redhat.com> <43BB2059.10700@redhat.com> <43BB3219.4050304@redhat.com> <43BBFDF5.6090700@redhat.com>
Message-ID: <43BC0935.5040604@redhat.com>

Hmm - weird - no other version of libdb. So, it's either a libdb issue that's hidden, or it's a general glibc/kernel incompatibility problem. The binaries for RHEL4/FC3 were compiled on an older RHEL4 machine, so it's possible FC3 has become incompatible with the latest FC3.
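What Richard is checking by hand across these replies, whether a second libdb has been mapped into ns-slapd through a dependency such as libsasl2, can be done mechanically. The following is an added example, not code from the thread or from Fedora Directory Server: it parses ldd output, groups the mapped objects by library base name, and reports any library present under two sonames or loaded from two directories. The first two listings are the ones Thorsten posted above; the third is constructed for illustration and assumes a system libdb-4.3 pulled in beside the bundled libdb-4.2, which the thread did not find.

```python
"""Find two versions of one library mapped into a process, from ldd output."""
import re
from collections import defaultdict

# "libdb-4.2.so" -> ("libdb", "4.2"); "libc.so.6" -> ("libc", "6");
# "libssl3.so" -> ("libssl3", ""); non-library objects such as ld-linux -> None
SONAME_RE = re.compile(r"^(lib[A-Za-z0-9_+]+?)(?:-(\d[\d.]*))?\.so(?:\.(\d[\d.]*))?$")


def soname_parts(filename):
    m = SONAME_RE.match(filename)
    if not m:
        return None
    base, dash_ver, dot_ver = m.groups()
    return base, dash_ver or dot_ver or ""


def parse_ldd(output):
    """Yield (soname, path) from ldd's text output. Lines look like
    'libc.so.6 => /lib/libc.so.6 (0x...)', '/lib/ld-linux.so.2 (0x...)',
    'linux-gate.so.1 => (0x...)' or 'libfoo.so.1 => not found'."""
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "=>" in line:
            name, _, rest = line.partition("=>")
            rest = rest.strip()
            path = None if rest.startswith(("not found", "(")) else rest.split()[0]
            yield name.strip(), path
        else:
            path = line.split()[0]
            yield path.rsplit("/", 1)[-1], path


def library_map(output):
    """base library name -> {(soname, directory)} for every mapped object."""
    seen = defaultdict(set)
    for soname, path in parse_ldd(output):
        parts = soname_parts(soname)
        if parts is None:
            continue
        if path is None:
            directory = "(not found)"
        else:
            directory = path.rsplit("/", 1)[0] if "/" in path else "."
        seen[parts[0]].add((soname, directory))
    return seen


def conflicts(output):
    """Libraries present under more than one soname (two versions of the same
    library in one process) and libraries loaded from more than one place."""
    versions, places = {}, {}
    for base, entries in library_map(output).items():
        sonames = sorted({s for s, _ in entries})
        dirs = sorted({d for _, d in entries})
        if len(sonames) > 1:
            versions[base] = sonames
        if len(dirs) > 1:
            places[base] = dirs
    return versions, places


# Thorsten's two listings from the thread.
NS_SLAPD_LDD = """
    libslapd.so => ./libslapd.so (0x40018000)
    libssl3.so => ../lib/libssl3.so (0x400b8000)
    libnss3.so => ../lib/libnss3.so (0x400d8000)
    libsoftokn3.so => ../lib/libsoftokn3.so (0x4013b000)
    libssldap50.so => ../lib/libssldap50.so (0x401a1000)
    libldap50.so => ../lib/libldap50.so (0x401aa000)
    libprldap50.so => ../lib/libprldap50.so (0x401d3000)
    libplc4.so => ../lib/libplc4.so (0x401d7000)
    libplds4.so => ../lib/libplds4.so (0x401db000)
    libnspr4.so => ../lib/libnspr4.so (0x401de000)
    libdl.so.2 => /lib/libdl.so.2 (0x40216000)
    libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x4021b000)
    libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x4022f000)
    libcrypt.so.1 => /lib/libcrypt.so.1 (0x40243000)
    libpthread.so.0 => /lib/i686/libpthread.so.0 (0x40271000)
    libdb-4.2.so => ./libdb-4.2.so (0x402c3000)
    libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x40369000)
    libm.so.6 => /lib/i686/libm.so.6 (0x40432000)
    libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x40455000)
    libc.so.6 => /lib/i686/libc.so.6 (0x4045d000)
    /lib/ld-linux.so.2 (0x40000000)
    libresolv.so.2 => /lib/libresolv.so.2 (0x40587000)
    libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x4059b000)
    libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x40601000)
    libcom_err.so.2 => /lib/libcom_err.so.2 (0x40622000)
"""
LIBSASL2_LDD = """
    libdl.so.2 => /lib/libdl.so.2 (0x4001c000)
    libresolv.so.2 => /lib/libresolv.so.2 (0x40020000)
    libcrypt.so.1 => /lib/libcrypt.so.1 (0x40035000)
    libc.so.6 => /lib/i686/libc.so.6 (0x40063000)
    /lib/ld-linux.so.2 (0x80000000)
"""
# Constructed: an assumed system libdb-4.3 mapped next to the bundled 4.2.
CONSTRUCTED_BAD = NS_SLAPD_LDD + "    libdb-4.3.so => /usr/lib/libdb-4.3.so (0x40700000)\n"
```

`conflicts(NS_SLAPD_LDD)` comes back empty, which is Richard's reading of the listing; only the constructed variant flags libdb as present twice, from `.` and `/usr/lib`. ldd reports the link map as the dynamic linker would build it at start-up, so a library brought in later with dlopen (a SASL mechanism plugin, for instance) does not appear; `LD_DEBUG=libs` on the running binary is the complementary check.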
From rmeggins at redhat.com Wed Jan 4 17:52:40 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 04 Jan 2006 10:52:40 -0700
Subject: [Fedora-directory-users] Server-Side ACLs for pam_ldap logins.
In-Reply-To: <43BB2C13.8000901@wep.net> References: <43BAF097.602@wep.net> <43BAF414.1000807@redhat.com> <43BB2C13.8000901@wep.net> Message-ID: <43BC0B68.7010803@redhat.com> Thanks! This is excellent! http://directory.fedora.redhat.com/wiki/Howto:Netgroups Dan Cox wrote: > > Since I've been meaning to write this document for quite a while now > it got a bit long so feel free to trim it as needed. I concentrated > mainly on how to implement login access control, but left some > references to other possibilities. It may need to have some URL > references added when it makes its way to the WIKI. I've attached it > in OpenDocument form as well, which may be easier to read. > > > *System Access Control using LDAP backed NIS Netgroups* > > > There are many ways to control both login and service level > authentication with Fedora Directory Server. Here, I will discuss a > specific implementation using LDAP backed NIS Netgroups and detail > what exactly makes them so powerful. > > /Prerequisites/ > > * > > Some knowledge of NIS and the netgroup triple syntax is in order. > For those that do not have a netgroup man page available, you may > see the Sun NIS FAQ http://www.sunhelp.org/faq/nis.html, Section > 3.15 specifically. > > * > > An understanding of PAM and the PAM module stack. > > * > > A working implementation of nss_ldap, which acts as the > NSS->NIS->LDAP gateway is required. > > /What are NIS netgroups good for?/ > > First, it's important to understand what a NIS netgroup gains the > average system administrator. NIS Netgroups provide the ability to > perform such tasks as: > > * > > Control both user and group login access to individual or groups > of machines. > > * > > Manage NFS access control lists. > > * > > Control user and group sudo command access. > > * > > Execute remote commands or interactive logins on groups of > machines with dsh (distributed shell). > > * > > Manage the configuration of your entire network on a role basis > with CFEngine. 
> > These are just a few of the excellent uses for NIS netgroups. If we > take this functionality and implement an LDAP based backend, we can > not only take advantage of these tools but gain the security, > manageability and fault tolerance of Fedora Directory Server. > > /How does it work?/ > > NIS netgroup entries are stored as an objectClass of type nisNetgroup > in the directory server. The relative distinguished name attribute is > typically cn (common name). There are two important attributes in > creating the netgroup. Note that they are not mutually exclusive. > Also, neither are required (sometimes having an empty netgroup is as > valuable as one populated with values). > > * > > nisNetgroupTriple : This can be used to describe a user > (,bobby,example.com) or a machine name > (shellserver1,,example.com). This attribute can have multiple > values. > > * > > memberNisNetgroup : This is a very powerful attribute. It is used > to merge the attribute values of another netgroup into the current > one by simply listing the name (cn) of the merging netgroup. This > attribute can have multiple values as well. > > You also want to attach a description attribute and value to your > object. You were planning on describing that netgroup, weren't you? > > Let's look at an example LDIF: > > dn: cn=QAUsers,ou=Netgroup,dc=example,dc=com > > objectClass: nisNetgroup > > objectClass: top > > cn: QAUsers > > nisNetgroupTriple: (,bobby,example.com) > > nisNetgroupTriple: (,joey,example.com) > > description: All QA users in my organization > > We can see here that the users 'bobby' and 'joey' belong to the > QAUsers netgroup. Now, any tool that will query for the QAUsers > netgroup will get back these values and can act upon them. 
> With nss_ldap appropriately configured and /etc/nsswitch.conf
> conveniently pointing netgroup queries to ldap, we can test this entry
> on the command line like so:
>
> # getent netgroup QAUsers
> QAUsers (,bobby,example.com) (,joey,example.com)
>
> The getent command is part of the glibc-common package on Fedora. It
> can be used to query any of the available NSS databases.
>
> Now, let's look at an LDIF defining which machines are QA systems on
> our network:
>
> dn: cn=QASystems,ou=Netgroup,dc=example,dc=com
> objectClass: nisNetgroup
> objectClass: top
> cn: QASystems
> nisNetgroupTriple: (qa01,,example.com)
> nisNetgroupTriple: (qa02,,example.com)
> description: All QA systems on our network
>
> OK, so we have our users and systems in place; now how do we give
> QAUsers login access to QASystems? Enter PAM's access.conf.
>
> PAM has an often overlooked access control feature, the configuration
> of which is typically located in /etc/security/access.conf. It has the
> ability to use UNIX users and groups as well as NIS netgroups to
> control remote and local console access to the system. The
> documentation of the syntax should be contained within the
> configuration file itself.
>
> We can give our users remote login access from our 10.x.x.x network
> with this line:
>
> + : @QAUsers@@QASystems : 10.
>
> *NOTE*: PAM operates on a first match basis for granting access. This
> means you want to end your ACL list by denying all unmatched entries,
> but before you do that make sure root and/or your admin users have
> been matched! For example, adding root for console only, users in the
> Admins netgroup remote access and denying all other unmatched entries:
>
> + : root : LOCAL
> + : @Admins : 10.
> - : ALL : ALL
>
> An advantage to using machine groups in the access.conf is the ability
> to push out this access.conf configuration file to all systems in your
> network, regardless of whether they are related to QA. This gives an
> admin the ability to maintain a central access control list of general
> user and group pairs, which can be deployed via tools like CFEngine. If
> a QA user attempts to log in to a non-QA system, PAM will first check
> for the user's name in the users portion of the ACL. If a match is
> found, it will then check if the current machine's hostname exists in
> the netgroup or machine name section. If the current machine does not
> belong to the netgroup, the ACL fails and the next one will be tried.
>
> Since we have created our own framework of system and user group ACLs
> inside the LDAP server, we have decoupled access control from the
> actual posixAccount and posixGroup entries. This means that the user
> no longer requires an account in the LDAP server itself. A simple
> entry in /etc/passwd is good enough to apply access control in this
> manner.
>
> With this infrastructure in place, we can now start up Fedora's Admin
> Console or our favorite LDAP editor and quickly add or remove login
> access to users and machines!
>
> /Advanced Usage & Tips/
>
> Use sub scope for your netgroup queries as configured in
> /etc/ldap.conf. This will give you the ability to create new netgroups
> inside organizationalUnit and other containers, which will help
> categorize your ACLs. nss_ldap is smart enough to only match objects
> of type nisNetgroup when performing its searches.
>
> With the memberNisNetgroup attribute, we can join together our
> netgroups to achieve cascading access control and system groupings.
> What if the QAUsers bobby and joey were also members of a larger team
> called LinuxTeam, which contains individuals who aren't in QA? An
> example LDIF defining the LinuxTeam:
>
> dn: cn=LinuxTeam,ou=Netgroup,dc=example,dc=com
> objectClass: nisNetgroup
> objectClass: top
> cn: LinuxTeam
> nisNetgroupTriple: (,frank,example.com)
> nisNetgroupTriple: (,jill,example.com)
> memberNisNetgroup: QA
> memberNisNetgroup: Development
> memberNisNetgroup: Operations
> description: The Linux Team
>
> Here we have defined some new users frank and jill as being part of
> the LinuxTeam. We have also automatically imported bobby and joey from
> the QA team as well as any additional users defined in our
> hypothetical Development and Operations groups. Any ACL for the
> LinuxTeam deployed on our network will not only apply to frank and
> jill, but to all imported users!
>
> You may have noticed the nisNetgroupTriple's example.com entry. This
> is an indicator to NIS netgroup clients that the result of the
> netgroup query should only apply to servers in the example.com domain.
> If you have multiple domains, this can be a useful feature to further
> separate your ACLs. It's also completely optional. Leaving this
> portion of the triple empty will remove the domain restriction.
>
> It's worth noting that the LDAP backend implementation discussed here
> can be implemented in other directory servers including Active
> Directory. Also, client functionality can be applied to most modern,
> PAM enabled UNIX systems such as Linux and Solaris.
>
> I hope this information will be useful for systems administrators out
> there trying to implement centralized and maintainable access control
> in their Linux/UNIX network. It can be done!
>
> Dan Cox
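Added here as a worked example, not Dan's code or anything shipped with Fedora DS: a small Python model of the scheme he describes, with nisNetgroup entries (including memberNisNetgroup nesting and the domain field of the triple) evaluated against pam_access rules in first-match order, so a central access.conf can be checked for what it grants and denies before it is pushed out. The LDIF and access.conf inside are constructed from the post's entries (LinuxTeam nests QAUsers here, where the post writes QA), and the matching rules are my reading of glibc's innetgr(3) and pam_access, reimplemented here rather than called.

```python
"""Offline model of the scheme in the post above: nisNetgroup entries (with
memberNisNetgroup nesting) checked by pam_access rules, first match wins."""

# Constructed LDIF mirroring the post's entries.  The post's LinuxTeam nests a
# netgroup called "QA"; here it nests QAUsers so the chain can be followed.
SAMPLE_LDIF = """\
dn: cn=QAUsers,ou=Netgroup,dc=example,dc=com
objectClass: nisNetgroup
cn: QAUsers
nisNetgroupTriple: (,bobby,example.com)
nisNetgroupTriple: (,joey,example.com)

dn: cn=QASystems,ou=Netgroup,dc=example,dc=com
objectClass: nisNetgroup
cn: QASystems
nisNetgroupTriple: (qa01,,example.com)
nisNetgroupTriple: (qa02,,example.com)

dn: cn=LinuxTeam,ou=Netgroup,dc=example,dc=com
objectClass: nisNetgroup
cn: LinuxTeam
nisNetgroupTriple: (,frank,example.com)
memberNisNetgroup: QAUsers
"""

# Constructed access.conf combining the post's two fragments.
SAMPLE_ACCESS_CONF = """\
+ : root : LOCAL
+ : @QAUsers@@QASystems : 10.
- : ALL : ALL
"""


def parse_netgroups(ldif):
    """{cn: (triples, member_netgroups)}; like nss_ldap, only nisNetgroup entries count."""
    groups = {}
    for block in ldif.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            attrs.setdefault(attr.strip(), []).append(value.strip())
        if "nisNetgroup" in attrs.get("objectClass", []):
            # each triple is (host, user, domain); an empty field is a wildcard
            triples = [tuple(t.strip("()").split(",")) for t in attrs.get("nisNetgroupTriple", [])]
            groups[attrs["cn"][0]] = (triples, attrs.get("memberNisNetgroup", []))
    return groups

def expand(groups, name, seen=None):
    """All triples of a netgroup, following memberNisNetgroup (cycle-safe)."""
    seen = set() if seen is None else seen
    if name in seen or name not in groups:
        return []
    seen.add(name)
    triples, members = groups[name]
    return list(triples) + [t for m in members for t in expand(groups, m, seen)]

def innetgr(groups, name, host=None, user=None, domain=None):
    """innetgr(3) semantics: empty triple field = wildcard, None argument = not checked.
    So a machine triple (qa01,,example.com) matches ANY user; keep the groups separate."""
    return any((host is None or not h or h == host) and (user is None or not u or u == user)
               and (domain is None or not d or d == domain)
               for h, u, d in expand(groups, name))

def parse_access_conf(text):
    """Rules as (permit, users_field, origins_field); comments and blanks skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            perm, users, origins = (f.strip() for f in line.split(":", 2))
            if perm not in ("+", "-"):
                raise ValueError(f"bad permission field: {raw!r}")
            rules.append((perm == "+", users, origins))
    return rules

def users_match(groups, field, user, host, domain):
    """ALL, a login name, @netgroup, or @usergroup@@hostgroup (user in the first
    AND the machine being logged into in the second), as used in the post."""
    for item in field.split():
        if item == "ALL" or item == user:
            return True
        if item.startswith("@"):
            ugroup, _, hgroup = item[1:].partition("@@")
            if innetgr(groups, ugroup, user=user, domain=domain) and (
                    not hgroup or innetgr(groups, hgroup, host=host, domain=domain)):
                return True
    return False

def origins_match(field, origin):
    """ALL, LOCAL (origin without a '.', e.g. a tty), exact host, or a '10.'-style prefix."""
    return any(item in ("ALL", origin) or (item == "LOCAL" and "." not in origin)
               or (item.endswith(".") and origin.startswith(item)) for item in field.split())

def check_access(groups, rules, user, host, origin, domain="example.com"):
    """First match decides; with NO match pam_access grants, hence the post's '- : ALL : ALL'."""
    for permit, users, origins in rules:
        if users_match(groups, users, user, host, domain) and origins_match(origins, origin):
            return permit
    return True
```

Dropping the final deny rule (rules[:-1]) shows the default-grant behaviour the post warns about: an unknown user from any origin is let in.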
From danney.jarman at gmail.com Wed Jan 4 17:10:42 2006
From: danney.jarman at gmail.com (ILoveJython)
Date: Wed, 04 Jan 2006 11:10:42 -0600
Subject: [Fedora-directory-users] Chain On Update problem
In-Reply-To: <43BAD045.1020202@hp.com>
References: <43B074A3.6010704@gmail.com> <43BAB034.2050709@redhat.com> <43BAD045.1020202@hp.com>
Message-ID: <43BC0192.8020701@gmail.com>

Ulf Weltman wrote:
> Richard Megginson wrote:
>> ILoveJython wrote:
>>> I have read the document:
>>> Howto:ChainOnUpdate - Fedora Directory Server
>>> and have been unable to get it to work. When I attempt a write to
>>> the consumer it makes the change on the consumer and does not update
>>> the master.
>>
>> This is bad. If the consumer is configured to be a read only
>> consumer you should not be able to make a change on it. You should
>> either get a referral returned from the consumer to the client
>> program which the client program will follow to make the change on
>> the master, or, if chain on update is working, you will see the
>> operation on the consumer and the same corresponding operation sent
>> to the master.
>>
>>> With the next change on the master of any kind, the mapping tree
>>> entry for this suffix changes from "nsslapd-state: backend" to
>>> "nsslapd-state: referral on update". Once this state changes, my
>>> client complains that it cannot update, since it cannot follow
>>> referrals.
>>
>> Ulf, you've been able to get this running, right?
>
> Yes, I was testing this a few weeks ago with the 7.1 release on
> HP-UX. It was configured with the instructions in the wiki document
> with a minor change to a malformed ACI (but that shouldn't cause this
> problem):
> http://directory.fedora.redhat.com/wiki?title=Howto%3AChainOnUpdate&diff=0&oldid=2794
>
> There was also a minor issue with a spurious warning being logged. It
> doesn't cause any harm, just an inconvenience:
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=176293
>
> Danney, can you paste us these entries from your consumer's dse.ldif?
> dn: cn="{your replicated suffix}", cn=mapping tree, cn=config
> dn: cn=replica, cn="{your replicated suffix}", cn=mapping tree, cn=config
> dn: cn=config, cn=chaining database, cn=plugins, cn=config
> dn: cn={name of your chaining backend}, cn=chaining database, cn=plugins, cn=config
>
> In the fourth one you can blank out the "nsmultiplexorcredentials"
> value before you send it.
>
>>> In addition, there are no log entries on the master to indicate any
>>> activity back from the consumer to the master, i.e. a proxy login.

When I could not get it to work, I removed everything. I repeated the
process with the values I used and they are below.

dn: cn="ou=CDE,o=FSL",cn=mapping tree, cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsMappingTree
nsslapd-state: backend
cn: "ou=CDE,o=FSL"
cn: ou=CDE,o=FSL
nsslapd-parent-suffix: "o=FSL"
nsslapd-backend: CDE
creatorsName: cn=directory manager
modifiersName: cn=directory manager
createTimestamp: 20060104155644Z
modifyTimestamp: 20060104164545Z
nsslapd-distribution-plugin: /var/fedora/servers/lib/replication-plugin.so
nsslapd-distribution-funct: repl_chain_on_update
numSubordinates: 1
nsslapd-referral: ldap://vs31-tx32.am.freescale.net:389/ou%3DCDE%2Co%3DFSL

dn: cn="ou=CDE,o=FSL",cn=mapping tree, cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsMappingTree
nsslapd-state: backend
cn: "ou=CDE,o=FSL"
cn: ou=CDE,o=FSL
nsslapd-parent-suffix: "o=FSL"
nsslapd-backend: CDE
creatorsName: cn=directory manager
modifiersName: cn=directory manager
createTimestamp: 20060104155644Z
modifyTimestamp: 20060104164545Z
nsslapd-distribution-plugin: /var/fedora/servers/lib/replication-plugin.so
nsslapd-distribution-funct: repl_chain_on_update
numSubordinates: 1
nsslapd-referral: ldap://vs31-tx32.am.freescale.net:389/ou%3DCDE%2Co%3DFSL

dn: cn=chaining database,cn=plugins,cn=config
cn: chaining database
nsslapd-pluginDescription: LDAP chaining backend database plugin
nsslapd-pluginEnabled: on
nsslapd-pluginId: chaining database
nsslapd-pluginInitfunc: chaining_back_init
nsslapd-pluginPath: /var/fedora/servers/lib/chainingdb-plugin.so
nsslapd-pluginType: database
nsslapd-pluginVendor: Fedora Project
nsslapd-pluginVersion: 7.1
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
creatorsName: cn=directory manager
modifiersName: cn=directory manager
createTimestamp: 20051220230831Z
modifyTimestamp: 20051220230831Z
numSubordinates: 4

dn: cn=CDE,cn=chaining database,cn=plugins,cn=config
nschecklocalaci: on
nsslapd-suffix: ou=CDE,o=FSL
objectClass: top
objectClass: extensibleObject
nsmultiplexorbinddn: cn=Replication Manager,cn=replication,cn=config
nsfarmserverurl: ldap://vs31-tx32:389/ou=CDE,o=FSL
cn: CDE
nsmultiplexorcredentials: {DES}MY_VALUE_GOES_HERE
creatorsName: cn=directory manager
modifiersName: cn=directory manager
createTimestamp: 20060104162022Z
modifyTimestamp: 20060104162022Z

From agnaldofreitas at hotmail.com Wed Jan 4 18:06:55 2006
From: agnaldofreitas at hotmail.com (Agnaldo Freitas)
Date: Wed, 4 Jan 2006 15:06:55 -0300
Subject: [Fedora-directory-users] Samba + Fedora-DS
Message-ID:

Hello list,

I followed the wiki's tutorial but Samba didn't get to contact Fedora Directory Server!!!!

Samba answers "OK" to "testparm" and FDS is running OK, because I can search / find users from the "command line" (also via console) with "ldapsearch" perfectly.

When I try the command net getlocalsid, it returns:

failed to bind to server ldap://sei.intranet with dn="cn=Directory Manager" Error can't contact LDAP server (unknown) (Timed out)

...but after that it returns the SID of the domain.

smb.conf:
passdb bakend ldap = ldapsam:ldap://sei.intranet
idmap bakend ldap = ldapsam:ldap://sei.intranet
ldap admin dn = cn=Directory Manager

It is installed:
fedora 4
fedora-ds1.0-2.Linux
samba-3-.0.14a-2
openldap-2.2.23-5 (because it's required in the tutorial)

Is there somebody that uses Samba with FDS and can help me?

Thankful,
Agnaldo

From rmeggins at redhat.com Wed Jan 4 18:11:58 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 04 Jan 2006 11:11:58 -0700
Subject: [Fedora-directory-users] Chain On Update problem
In-Reply-To: <43BC0192.8020701@gmail.com>
References: <43B074A3.6010704@gmail.com> <43BAB034.2050709@redhat.com> <43BAD045.1020202@hp.com> <43BC0192.8020701@gmail.com>
Message-ID: <43BC0FEE.4050400@redhat.com>

Hmm - there are two entries for
dn: cn="ou=CDE,o=FSL",cn=mapping tree, cn=config
That's bad.
In addition, there is only 1 nsslapd-backend for that suffix - there
should be two - one for the 'local' backend which is the replica of the
master, and one for the chaining backend. e.g.

nsslapd-backend: userRoot

Only the chaining backend is there.

From logastellus at yahoo.com Wed Jan 4 19:01:10 2006
From: logastellus at yahoo.com (Susan)
Date: Wed, 4 Jan 2006 11:01:10 -0800 (PST)
Subject: [Fedora-directory-users] question about host based access control
Message-ID: <20060104190110.94584.qmail@web52905.mail.yahoo.com>

Hi. I've fds 1.0.1 setup, posixAccount and hostObject classes added (I migrated
/usr/share/doc/nss_ldap-226/ldapns.schema > /opt/fedora-ds/slapd-localhost/config/schema/61ldapns.ldif).

What's the next step? hostObject is added to the user:

givenName: test
sn: test
loginShell: /bin/bash
gidNumber: 666
uidNumber: 666
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
objectClass: posixgroup
objectClass: hostobject
uid: test
cn: test test

Now what? Where in the console do I list the servers that 'test' is allowed to connect to?

Thanks!
From rmeggins at redhat.com Wed Jan 4 19:05:20 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 04 Jan 2006 12:05:20 -0700
Subject: [Fedora-directory-users] question about host based access control
In-Reply-To: <20060104190110.94584.qmail@web52905.mail.yahoo.com>
References: <20060104190110.94584.qmail@web52905.mail.yahoo.com>
Message-ID: <43BC1C70.1080806@redhat.com>

Susan wrote:
> Now what? Where in the console do I list the servers that 'test' is allowed to connect to?

In the Directory window in the Directory tab, select the user you want to add access to, edit it, and use the Advanced.... editor. See http://directory.fedora.redhat.com/wiki/Howto:Posix

From logastellus at yahoo.com Wed Jan 4 19:18:02 2006
From: logastellus at yahoo.com (Susan)
Date: Wed, 4 Jan 2006 11:18:02 -0800 (PST)
Subject: [Fedora-directory-users] question about host based access control
In-Reply-To: <43BC1C70.1080806@redhat.com>
Message-ID: <20060104191802.1165.qmail@web52905.mail.yahoo.com>

--- Richard Megginson wrote:
> In the Directory window in the Directory tab, select the user you want
> to add access to, edit it, and use the Advanced.... editor. See
> http://directory.fedora.redhat.com/wiki/Howto:Posix

Right, I saw the link. I used the advanced editor, added the hostobject object class to the user.. Now what? Where do I list the hosts that the user is allowed to connect to?

From rmeggins at redhat.com Wed Jan 4 19:21:30 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 04 Jan 2006 12:21:30 -0700
Subject: [Fedora-directory-users] question about host based access control
In-Reply-To: <20060104191802.1165.qmail@web52905.mail.yahoo.com>
References: <20060104191802.1165.qmail@web52905.mail.yahoo.com>
Message-ID: <43BC203A.6060705@redhat.com>

Susan wrote:
> Right, I saw the link. I used the advanced editor, added the hostobject object class to
> the user.. Now what? Where do I list the hosts that the user is allowed to connect to?

The directions for adding the "host" attribute are under "Old Method" on
http://directory.fedora.redhat.com/wiki/Howto:Posix

"Finally, click on Add Attributes. Select "host" from the list of attributes. Host should appear as an empty attribute in the window. Finally, click on host, and click on Add Value. This will add an empty text field next to host - fill this in with the fully qualified hostname of the host you want to grant that user access to. Repeat for as many hosts as you want. You should make sure that your ldap.conf file on your machines has "pam_check_host_attr" set to "yes" if you want pam_ldap to enforce host-based access control for logins."

From logastellus at yahoo.com Wed Jan 4 20:15:52 2006
From: logastellus at yahoo.com (Susan)
Date: Wed, 4 Jan 2006 12:15:52 -0800 (PST)
Subject: [Fedora-directory-users] question about host based access control
In-Reply-To: <43BC203A.6060705@redhat.com>
Message-ID: <20060104201552.41672.qmail@web52907.mail.yahoo.com>

--- Richard Megginson wrote:
> The directions for adding the "host" attribute are under "Old Method" on
> http://directory.fedora.redhat.com/wiki/Howto:Posix
> "Finally, click on Add Attributes. Select "host" from the list of

Ah. I see the problem. I didn't have the "account" object added, so the host attribute was not showing up.

Sorry!

Thank you for your help, Richard.

From logastellus at yahoo.com Wed Jan 4 20:17:52 2006
From: logastellus at yahoo.com (Susan)
Date: Wed, 4 Jan 2006 12:17:52 -0800 (PST)
Subject: [Fedora-directory-users] question about host based access control
In-Reply-To: <43BC203A.6060705@redhat.com>
Message-ID: <20060104201752.98746.qmail@web52913.mail.yahoo.com>

Another follow-up: is the shadowAccount object class required for a posix linux account? Because I don't have it added to a test account and I seem to be able to log in fine. If it's not required, why is it listed in the HowTo:Posix wiki?

Thanks.

From rmeggins at redhat.com Wed Jan 4 20:25:48 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 04 Jan 2006 13:25:48 -0700
Subject: [Fedora-directory-users] question about host based access control
In-Reply-To: <20060104201752.98746.qmail@web52913.mail.yahoo.com>
References: <20060104201752.98746.qmail@web52913.mail.yahoo.com>
Message-ID: <43BC2F4C.7090202@redhat.com>

Susan wrote:
> Another follow-up: is the shadowAccount object class required for a posix linux account?
> Because I don't have it added to a test account and I seem to be able to log in fine. If
> it's not required, why is it listed in the HowTo:Posix wiki?

I think it's required for other posix shadow password related functions.

From rmeggins at redhat.com Wed Jan 4 20:26:19 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 04 Jan 2006 13:26:19 -0700
Subject: [Fedora-directory-users] question about host based access control
In-Reply-To: <20060104201552.41672.qmail@web52907.mail.yahoo.com>
References: <20060104201552.41672.qmail@web52907.mail.yahoo.com>
Message-ID: <43BC2F6B.4020205@redhat.com>

Susan wrote:
> Ah. I see the problem. I didn't have the "account" object added, so the host attribute was
> not showing up.

You should not need the "account" object class when using the new method.
From logastellus at yahoo.com Wed Jan 4 20:26:47 2006
From: logastellus at yahoo.com (Susan)
Date: Wed, 4 Jan 2006 12:26:47 -0800 (PST)
Subject: [Fedora-directory-users] same UID having different passwords on different servers
In-Reply-To: <20060104201752.98746.qmail@web52913.mail.yahoo.com>
Message-ID: <20060104202647.1784.qmail@web52913.mail.yahoo.com>

Hi. Is this possible? Can user test, UID 42, have different passwords depending on the server she's trying to log in to?

From logastellus at yahoo.com Wed Jan 4 20:30:39 2006
From: logastellus at yahoo.com (Susan)
Date: Wed, 4 Jan 2006 12:30:39 -0800 (PST)
Subject: [Fedora-directory-users] question about host based access control
In-Reply-To: <43BC2F6B.4020205@redhat.com>
Message-ID: <20060104203039.98319.qmail@web52915.mail.yahoo.com>

--- Richard Megginson wrote:
> You should not need the "account" object class when using the new method.

hmm... Well, the host attribute does not show up unless I add the account object class. It shows up in the global list of attributes and in the schemas:

[root at cnyldap01 schema]# grep attributeType * | grep \'host
28pilot.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.9 NAME 'host' DESC 'Standard LDAP attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'RFC 1274' )

but when I click add attribute, it's not there. Adding the account oClass makes the host attr available.

And I did use the new method; all I did is run this:

ol-schema-migrate.pl /usr/share/doc/nss_ldap-226/ldapns.schema > /opt/fedora-ds/slapd-localhost/config/schema/61ldapns.ldif

and bounced slapd. The hostobject object class became available but not the host attribute.

From rmeggins at redhat.com Wed Jan 4 20:34:28 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 04 Jan 2006 13:34:28 -0700
Subject: [Fedora-directory-users] question about host based access control
In-Reply-To: <20060104203039.98319.qmail@web52915.mail.yahoo.com>
References: <20060104203039.98319.qmail@web52915.mail.yahoo.com>
Message-ID: <43BC3154.4040000@redhat.com>

Susan wrote:
> and bounced slapd. The hostobject object class became available but not the host attribute.

Weird. Sounds like a console bug.
From ABliss at preferredcare.org Wed Jan 4 20:36:51 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Wed, 4 Jan 2006 15:36:51 -0500
Subject: [Fedora-directory-users] Problem starting directory server
Message-ID:

I've been running the directory server for a few weeks now, however I've run into a problem; when attempting to start the directory console, the service starts and then stops; here's the error log:

[Wed Jan 04 15:21:45 2006] [warn] pid file /opt/fedora-ds/admin-serv/logs/pid overwritten -- Unclean shutdown of previous Apache run?
[Wed Jan 04 15:21:45 2006] [notice] Apache/2.0 configured -- resuming normal operations
[Wed Jan 04 15:21:45 2006] [alert] (11)Resource temporarily unavailable: apr_thread_create: unable to create worker thread
[Wed Jan 04 15:21:56 2006] [alert] Child 2974 returned a Fatal error...\nApache is exiting!

Just a heads up; I installed bastille on this box today with a script with the following lines that relate to apache:

# Q: Would you like to disable indexes? [N]
Apache.apacheindex="N"
# Q: Would you like to deactivate the Apache web server? [Y]
Apache.apacheoff="Y"
# Q: Would you like to bind the Web server to listen only to the localhost? [N]
Apache.bindapachelocal="N"
# Q: Would you like to disable CGI scripts, at least for now? [Y]
Apache.cgi="Y"
# Q: Would you like to deactivate server-side includes? [Y]
Apache.ssi="Y"
# Q: Would you like to deactivate the following of symbolic links? [Y]
Apache.symlink="Y"

Stopping the bastille service, uninstalling had no effect; any thoughts? Thanks very much.

From srmiller at interbel.net Wed Jan 4 20:55:25 2006
From: srmiller at interbel.net (Scott Miller)
Date: Wed, 4 Jan 2006 13:55:25 -0700
Subject: [Fedora-directory-users] Importing Linux Users
Message-ID: <036f01c61171$313102b0$eb7b1c0a@SCOTTTOWERNEW>

Hello list,

Here's my situation. I currently use Sendmail as my mail transport, and also have imap capabilities. Recently, we purchased a barracuda Spam Firewall to help reduce the amount of spam our customers receive. We have 5 domains on our mail server, so basically any user has 5 available e-mail addresses (ya, not the best way to do it, but that's how it was when I got here). With the barracuda, in order for it NOT to create a new spam account (or box) for each of the 5 e-mail addresses our customers have, it requires our mail server to run LDAP. Well, OK - if that's what it needs.

In my search for building an LDAP server, I came across the Fedora Directory Server Project. Since I'm in the process of upgrading (replacing) my servers with Fedora Core 4 (forklift upgrade), I was hoping this might just be a perfect fit.

Now here's my question. Before I start in on this task, is there an "easy" way to import normal linux users into the LDAP database on the new server? Granted, I've only spent a few days researching this question, and have come up blank everywhere I've looked. The answer is probably out there somewhere, so if someone could possibly point me in the right direction, it would be greatly appreciated. I'm hoping to stay away from entering the information for each and every customer we have.
Thank You,
Scott Miller

From ABliss at preferredcare.org Wed Jan 4 20:59:28 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Wed, 4 Jan 2006 15:59:28 -0500
Subject: [Fedora-directory-users] Problem starting directory server
Message-ID:

P.S. slapd is running fine, authenticating users, etc; problem seems limited to server console.

-----Original Message-----
From: Bliss, Aaron
Sent: Wednesday, January 04, 2006 3:37 PM
To: General discussion list for the Fedora Directory server project.
Subject: [Fedora-directory-users] Problem starting directory server

I've been running the directory server for a few weeks now, however I've run into a problem; when attempting to start the directory console, service starts and then stops; here's error log:

[Wed Jan 04 15:21:45 2006] [warn] pid file /opt/fedora-ds/admin-serv/logs/pid overwritten -- Unclean shutdown of previous Apache run?
[Wed Jan 04 15:21:45 2006] [notice] Apache/2.0 configured -- resuming normal operations
[Wed Jan 04 15:21:45 2006] [alert] (11)Resource temporarily unavailable: apr_thread_create: unable to create worker thread
[Wed Jan 04 15:21:56 2006] [alert] Child 2974 returned a Fatal error...\nApache is exiting!

Just a heads up; I installed bastille on this box today with a script with the following lines that relate to apache:

# Q: Would you like to disable indexes? [N]
Apache.apacheindex="N"
# Q: Would you like to deactivate the Apache web server? [Y]
Apache.apacheoff="Y"
# Q: Would you like to bind the Web server to listen only to the localhost? [N]
Apache.bindapachelocal="N"
# Q: Would you like to disable CGI scripts, at least for now? [Y]
Apache.cgi="Y"
# Q: Would you like to deactivate server-side includes? [Y]
Apache.ssi="Y"
# Q: Would you like to deactivate the following of symbolic links? [Y]
Apache.symlink="Y"

Stopping the bastille service, uninstalling had no effect; any thoughts?

Thanks very much.

www.preferredcare.org
"An Outstanding Member Experience," Preferred Care HMO Plans -- J. D. Power and Associates

From rmeggins at redhat.com Wed Jan 4 21:10:08 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 04 Jan 2006 14:10:08 -0700
Subject: [Fedora-directory-users] Importing Linux Users
In-Reply-To: <036f01c61171$313102b0$eb7b1c0a@SCOTTTOWERNEW>
References: <036f01c61171$313102b0$eb7b1c0a@SCOTTTOWERNEW>
Message-ID: <43BC39B0.8050600@redhat.com>

http://directory.fedora.redhat.com/wiki/Howto:MigrateToLDAP

Also, check out www.padl.com
http://www.padl.com/OSS/MigrationTools.html

Scott Miller wrote:
> Hello list,
>
> Here's my situation. I currently use Sendmail as my mail transport, and also have imap capabilities. Recently, we purchased a barracuda Spam Firewall to help reduce the amount of spam our customers receive. We have 5 domains on our mail server, so basically any user has 5 available e-mail addresses (ya, not the best way to do it, but that's how it was when I got here). With the barracuda, in order for it NOT to create a new spam account (or box) for each of the 5 e-mail addresses our customers have, it requires our mail server to run LDAP. Well, OK - if that's what it needs.
>
> In my search for building an LDAP server, I came across the Fedora Directory Server Project.
> Since I'm in the process of upgrading (replacing) my servers with Fedora Core 4 (forklift upgrade), I was hoping this might just be a perfect fit.
>
> Now here's my question. Before I start in on this task, is there an "easy" way to import normal linux users into the LDAP database on the new server? Granted, I've only spent a few days researching this question, and have come up blank everywhere I've looked. The answer is probably out there somewhere, so if someone could possibly point me in the right direction, it would be greatly appreciated. I'm hoping to stay away from entering the information for each and every customer we have.
>
> Thank You,
> Scott Miller

From rmeggins at redhat.com Wed Jan 4 21:11:11 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 04 Jan 2006 14:11:11 -0700
Subject: [Fedora-directory-users] Problem starting directory server
In-Reply-To:
References:
Message-ID: <43BC39EF.1020006@redhat.com>

I don't know - does bastille have a log file? Does bastille hack the httpd.conf file?

Bliss, Aaron wrote:
> I've been running the directory server for a few weeks now, however I've run into a problem; when attempting to start the directory console, service starts and then stops; here's error log:
>
> [Wed Jan 04 15:21:45 2006] [warn] pid file /opt/fedora-ds/admin-serv/logs/pid overwritten -- Unclean shutdown of previous Apache run?
> [Wed Jan 04 15:21:45 2006] [notice] Apache/2.0 configured -- resuming normal operations
> [Wed Jan 04 15:21:45 2006] [alert] (11)Resource temporarily unavailable: apr_thread_create: unable to create worker thread
> [Wed Jan 04 15:21:56 2006] [alert] Child 2974 returned a Fatal error...\nApache is exiting!
>
> Just a heads up; I installed bastille on this box today with a script with the following lines that relate to apache:
>
> # Q: Would you like to disable indexes? [N]
> Apache.apacheindex="N"
> # Q: Would you like to deactivate the Apache web server? [Y]
> Apache.apacheoff="Y"
> # Q: Would you like to bind the Web server to listen only to the localhost? [N]
> Apache.bindapachelocal="N"
> # Q: Would you like to disable CGI scripts, at least for now? [Y]
> Apache.cgi="Y"
> # Q: Would you like to deactivate server-side includes? [Y]
> Apache.ssi="Y"
> # Q: Would you like to deactivate the following of symbolic links? [Y]
> Apache.symlink="Y"
>
> Stopping the bastille service, uninstalling had no effect; any thoughts?
>
> Thanks very much.
>
> www.preferredcare.org
> "An Outstanding Member Experience," Preferred Care HMO Plans -- J. D. Power and Associates
From prowley at redhat.com Wed Jan 4 21:12:11 2006
From: prowley at redhat.com (Pete Rowley)
Date: Wed, 04 Jan 2006 13:12:11 -0800
Subject: [Fedora-directory-users] Problem starting directory server
In-Reply-To:
References:
Message-ID: <43BC3A2B.7070404@redhat.com>

Bliss, Aaron wrote:
> Just a heads up; I installed bastille on this box today with a script with the following lines that relate to apache:

You configured Bastille with the break admin server options :) It needs apache, it needs cgi, it may need other things. Bastille works by changing the configuration of other things, so it is not enough to uninstall Bastille. You need to undo:

http://www.bastille-linux.org/undoing_bastille.htm

--
Pete

From prowley at redhat.com Wed Jan 4 21:17:03 2006
From: prowley at redhat.com (Pete Rowley)
Date: Wed, 04 Jan 2006 13:17:03 -0800
Subject: [Fedora-directory-users] same UID having different passwords on different servers
In-Reply-To: <20060104202647.1784.qmail@web52913.mail.yahoo.com>
References: <20060104202647.1784.qmail@web52913.mail.yahoo.com>
Message-ID: <43BC3B4F.9030403@redhat.com>

Susan wrote:
> Hi. Is this possible? Can user test, UID 42 have different passwords depending on the server she's trying to login to?

Not unless the server has a local account for the user and pam is configured to check that first.

--
Pete
From ABliss at preferredcare.org Wed Jan 4 21:23:33 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Wed, 4 Jan 2006 16:23:33 -0500
Subject: [Fedora-directory-users] Problem starting directory server
Message-ID:

Bastille -r got me back up and running; thanks very much.

-----Original Message-----
From: Pete Rowley [mailto:prowley at redhat.com]
Sent: Wednesday, January 04, 2006 4:12 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Problem starting directory server

www.preferredcare.org
"An Outstanding Member Experience," Preferred Care HMO Plans -- J. D. Power and Associates
From warthog at warthogsolutions.com Wed Jan 4 23:15:10 2006
From: warthog at warthogsolutions.com (Jamie McKnight)
Date: Wed, 04 Jan 2006 18:15:10 -0500
Subject: [Fedora-directory-users] same UID having different passwords on different servers
In-Reply-To: <20060104202647.1784.qmail@web52913.mail.yahoo.com>
References: <20060104202647.1784.qmail@web52913.mail.yahoo.com>
Message-ID: <1136416510.3813.5.camel@portahog>

You can create a new attribute to hold the user password and use the attribute mapping function in /etc/ldap.conf (examples are in the file) if you are running Linux on the client. I have never had to do this with a Solaris client, so I am not sure if the Solaris Profile has this ability or not. We have done this in some very specific instances, but I do not recommend it for long term supportability.

Jamie

On Wed, 2006-01-04 at 12:26 -0800, Susan wrote:
> Hi. Is this possible? Can user test, UID 42 have different passwords depending on the server she's trying to login to?
>
> __________________________________________
> Yahoo! DSL - Something to write home about.
> Just $16.99/mo. or less.
> dsl.yahoo.com

From craigwhite at azapple.com Thu Jan 5 00:15:52 2006
From: craigwhite at azapple.com (Craig White)
Date: Wed, 04 Jan 2006 17:15:52 -0700
Subject: [Fedora-directory-users] Importing Linux Users
In-Reply-To: <036f01c61171$313102b0$eb7b1c0a@SCOTTTOWERNEW>
References: <036f01c61171$313102b0$eb7b1c0a@SCOTTTOWERNEW>
Message-ID: <1136420152.16938.8.camel@lin-workstation.azapple.com>

On Wed, 2006-01-04 at 13:55 -0700, Scott Miller wrote:
> Hello list,
>
> Here's my situation. I currently use Sendmail as my mail transport, and also have imap capabilities. Recently, we purchased a barracuda Spam Firewall to help reduce the amount of spam our customers receive.
> We have 5 domains on our mail server, so basically any user has 5 available e-mail addresses (ya, not the best way to do it, but that's how it was when I got here). With the barracuda, in order for it NOT to create a new spam account (or box) for each of the 5 e-mail addresses our customers have, it requires our mail server to run LDAP. Well, OK - if that's what it needs.
>
> In my search for building an LDAP server, I came across the Fedora Directory Server Project. Since I'm in the process of upgrading (replacing) my servers with Fedora Core 4 (forklift upgrade), I was hoping this might just be a perfect fit.
>
> Now here's my question. Before I start in on this task, is there an "easy" way to import normal linux users into the LDAP database on the new server? Granted, I've only spent a few days researching this question, and have come up blank everywhere I've looked. The answer is probably out there somewhere, so if someone could possibly point me in the right direction, it would be greatly appreciated. I'm hoping to stay away from entering the information for each and every customer we have.
----
Install openldap-servers rpm

locate scripts in /usr/share/openldap/migration

Craig

From marciok at celepar.pr.gov.br Thu Jan 5 11:42:48 2006
From: marciok at celepar.pr.gov.br (Marcio Kabke Pinheiro)
Date: Thu, 5 Jan 2006 09:42:48 -0200
Subject: Fw: [Fedora-directory-users] Another console issue
Message-ID: <029accd1448e313d6340fbecba039ad5@expresso.pr.gov.br>

An HTML attachment was scrubbed...
URL:

From rmeggins at redhat.com Thu Jan 5 14:57:09 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 05 Jan 2006 07:57:09 -0700
Subject: Fw: [Fedora-directory-users] Another console issue
In-Reply-To: <029accd1448e313d6340fbecba039ad5@expresso.pr.gov.br>
References: <029accd1448e313d6340fbecba039ad5@expresso.pr.gov.br>
Message-ID: <43BD33C5.10104@redhat.com>

Marcio Kabke Pinheiro wrote:
> Hi, everyone.
>
> Sorry for being repetitive, but anybody has any clue about it?
>
> Regards
>
> ---------- Forwarded message ----------
> From: ""
> Date: 29/12/2005 14:24
> Subject: [Fedora-directory-users] Anoth...
> To: fedora-directory-users at redhat.com
>
> After Aaron's tip, no more log errors, but after I've entered the admin user and password, the console hangs, and in the Windows console window opened by the .bat file (remembering, I'm using a Windows machine to run the Management Console), appears the error:
> =======================================
> C:\celepar\fedora directory\console\java>java -ms8m -mx64m -cp .;.\nmclf70.jar;.\base.jar;.\ldapjdk.jar;.\mcc70.jar;.\nmclf70_en.jar;.\mcc70_en.jar;.\jss3.jar -Djava.library.path=..\lib\jss -Djava.util.prefs.systemRoot=.\.java -Djava.util.prefs.userRoot=. com.netscape.management.client.console.Console -a http://10.15.20.128:4616

Should be using the *10.jar and *10_en.jar files if you are using Fedora DS 1.0.1. I've updated the instructions to reflect this. I don't know if you can use the *70*.jar files to manage a Fedora DS 1.0.1 server.
http://directory.fedora.redhat.com/wiki/Howto:WindowsConsole

> Exception in thread "main" java.lang.NumberFormatException: multiple points
>         at sun.misc.FloatingDecimal.readJavaFormatString(Unknown Source)
>         at java.lang.Double.parseDouble(Unknown Source)
>         at com.netscape.management.client.console.Console.checkHelpSystem(Unknown Source)
>         at com.netscape.management.client.console.Console.initialize(Unknown Source)
>         at com.netscape.management.client.console.Console.(Unknown Source)
>         at com.netscape.management.client.console.Console.main(Unknown Source)
> ==================================
> First I remembered that I was using the old console code, and copied the new code from the new FDS install (the /bin and /lib folders), but the error was the same.
> Second, I've upgraded the Java version of my machine - was 1.4.2_3, now it's 1.5.0_06. Same error.
>
> Any thoughts?

From marciok at celepar.pr.gov.br Thu Jan 5 15:34:45 2006
From: marciok at celepar.pr.gov.br (Marcio Kabke Pinheiro)
Date: Thu, 5 Jan 2006 13:34:45 -0200
Subject: Fw: [Fedora-directory-users] Another console issue
Message-ID: <62b5ffdd51d0b835b6266c2402ff7590@expresso.pr.gov.br>

An HTML attachment was scrubbed...
URL:

From yyovkov at yyovkov.net Thu Jan 5 16:17:59 2006
From: yyovkov at yyovkov.net (Yovko Ilchev Yovkov)
Date: Thu, 05 Jan 2006 18:17:59 +0200
Subject: [Fedora-directory-users] Change Administrative Domain
Message-ID: <1136477879.11389.1.camel@ws-1>

Changing Admin Access Home for Fedora Directory Server

How to change the Administrative domain on an already started FDS?

I have done the following:
1. Install lbe (ldap browser). Usually you can use any Ldap Browser software
2. Connected to o=NetscapeRoot as "cn=Directory Manager" with password on targeted server (server.domain.com)
3.
Browse to dn: cn=configuration, cn=admin-serv-sion, cn=Fedora Administration Server, cn=Server Group, cn=server.domain.com, ou=domain.com, o=NetscapeRoot

Entry looks like:

--- cut start ---
dn: cn=configuration, cn=admin-serv-sion, cn=Fedora Administration Server, cn=Server Group, cn=server.domain.com, ou=domain.com, o=NetscapeRoot
nsClassname: com.netscape.management.admserv.AdminServer at admserv10.jar@cn=admin-serv-sion, cn=Fedora Administration Server, cn=Server Group, cn=server.domain.com, ou=domain.com, o=NetscapeRoot
nsAccessLog: admin-serv/logs/access
modifyTimestamp: 20060105160826Z
objectClass: nsConfig
objectClass: nsAdminConfig
objectClass: nsAdminObject
objectClass: nsDirectoryInfo
objectClass: top
nsSuiteSpotUser: root
nsErrorLog: admin-serv/logs/error
nsAdminEnableEnduser: on
createTimestamp: 20060105151745Z
cn: Configuration
nsAdminUsers: admin-serv/config/admpw
nsAdminAccessAddresses: *
nsServerPort: 22275
modifiersName: cn=directory manager
nsDirectoryInfoRef: cn=Server Group, cn=server.domain.com, ou=domain.com, o=NetscapeRoot
creatorsName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
nsAdminOneACLDir: adminacl
nsServerAddress:
nsPidLog: admin-serv/logs/pid
nsAdminCacheLifetime: 600
nsAdminEnableDSGW: on
nsAdminAccessHosts: *.domain.com
nsDefaultAcceptLanguage: en
--- cut end ---

To change the administrative domain you need to change the value of the attribute nsAdminAccessHosts. Then restart the administrative server and you're OK.
From rmeggins at redhat.com Thu Jan 5 16:32:57 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 05 Jan 2006 09:32:57 -0700
Subject: [Fedora-directory-users] Change Administrative Domain
In-Reply-To: <1136477879.11389.1.camel@ws-1>
References: <1136477879.11389.1.camel@ws-1>
Message-ID: <43BD4A39.6090203@redhat.com>

http://directory.fedora.redhat.com/wiki/Howto:AdminServerLDAPMgmt

Yovko Ilchev Yovkov wrote:
> Changing Admin Access Home for Fedora Directory Server
>
> How to change the Administrative domain on an already started FDS?
>
> I have done the following:
> 1. Install lbe (ldap browser). Usually you can use any Ldap Browser software
> 2. Connected to o=NetscapeRoot as "cn=Directory Manager" with password on targeted server (server.domain.com)
> 3. Browse to dn: cn=configuration, cn=admin-serv-sion, cn=Fedora Administration Server, cn=Server Group, cn=server.domain.com, ou=domain.com, o=NetscapeRoot
>
> Entry looks like:
>
> --- cut start ---
> dn: cn=configuration, cn=admin-serv-sion, cn=Fedora Administration Server, cn=Server Group, cn=server.domain.com, ou=domain.com, o=NetscapeRoot
>
> nsClassname: com.netscape.management.admserv.AdminServer at admserv10.jar@cn=admin-serv-sion, cn=Fedora Administration Server, cn=Server Group, cn=server.domain.com, ou=domain.com, o=NetscapeRoot
>
> nsAccessLog: admin-serv/logs/access
> modifyTimestamp: 20060105160826Z
> objectClass: nsConfig
> objectClass: nsAdminConfig
> objectClass: nsAdminObject
> objectClass: nsDirectoryInfo
> objectClass: top
> nsSuiteSpotUser: root
> nsErrorLog: admin-serv/logs/error
> nsAdminEnableEnduser: on
> createTimestamp: 20060105151745Z
> cn: Configuration
> nsAdminUsers: admin-serv/config/admpw
> nsAdminAccessAddresses: *
> nsServerPort: 22275
> modifiersName: cn=directory manager
> nsDirectoryInfoRef: cn=Server Group, cn=server.domain.com, ou=domain.com, o=NetscapeRoot
> creatorsName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
> nsAdminOneACLDir: adminacl
> nsServerAddress:
> nsPidLog: admin-serv/logs/pid
> nsAdminCacheLifetime: 600
> nsAdminEnableDSGW: on
> nsAdminAccessHosts: *.domain.com
> nsDefaultAcceptLanguage: en
> --- cut end ---
>
> To change the administrative domain you need to change the value of the attribute nsAdminAccessHosts. Then restart the administrative server and you're OK.

From logastellus at yahoo.com Thu Jan 5 17:01:18 2006
From: logastellus at yahoo.com (Susan)
Date: Thu, 5 Jan 2006 09:01:18 -0800 (PST)
Subject: [Fedora-directory-users] mandating SSL-only connections
In-Reply-To: <43BD4A39.6090203@redhat.com>
Message-ID: <20060105170118.40151.qmail@web52911.mail.yahoo.com>

Hi, everybody.

I turned ssl on the server and it seemed to be working OK, I was getting replies with ldapsearch -x -ZZ. (access log saying startTLS, aes256 SSL), tcpdump showing encrypted traffic (on port 389 tho, not 636 but OK)

However, ldapsearch -x was also working, transmitting in clear text (as seen on tcpdump). I went ahead and set the nsslapd-port to 0:

[05/Jan/2006:11:50:59 -0500] - Information: Non-Secure Port Disabled, server only contactable via secure port
[05/Jan/2006:11:50:59 -0500] - Fedora-Directory/1.0.1 B2005.342.161 starting up
[05/Jan/2006:11:50:59 -0500] - Listening on All Interfaces port 636 for LDAPS requests

OK, good. Now, however, ldapsearch -x -ZZ doesn't work anymore:

$>ldapsearch -x -ZZ
ldap_start_tls: Can't contact LDAP server (-1)

And ldapsearch -x -ZZ -p 636 -h cnyldap01 just hangs.. I get nothing back.

What am I doing wrong???
From rmeggins at redhat.com Thu Jan 5 17:08:38 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 05 Jan 2006 10:08:38 -0700
Subject: [Fedora-directory-users] mandating SSL-only connections
In-Reply-To: <20060105170118.40151.qmail@web52911.mail.yahoo.com>
References: <20060105170118.40151.qmail@web52911.mail.yahoo.com>
Message-ID: <43BD5296.9000106@redhat.com>

the openldap ldapsearch -Z does startTLS, which tries to startup a secure connection using the non-secure port - basically, so you can have ldap listen only to 389 and have SSL/TLS on that port. So then you may ask "Ok, that's fine, but how do I disable non-secure connections on 389?" I'm not sure how you can do that at the connection level, but at the entry level you can set ACIs to allow access only if using SSL/TLS.

Susan wrote:
> Hi, everybody.
>
> I turned ssl on the server and it seemed to be working OK, I was getting replies with ldapsearch -x -ZZ. (access log saying startTLS, aes256 SSL), tcpdump showing encrypted traffic (on port 389 tho, not 636 but OK)
>
> However, ldapsearch -x was also working, transmitting in clear text (as seen on tcpdump). I went ahead and set the nsslapd-port to 0:
>
> [05/Jan/2006:11:50:59 -0500] - Information: Non-Secure Port Disabled, server only contactable via secure port
> [05/Jan/2006:11:50:59 -0500] - Fedora-Directory/1.0.1 B2005.342.161 starting up
> [05/Jan/2006:11:50:59 -0500] - Listening on All Interfaces port 636 for LDAPS requests
>
> OK, good. Now, however, ldapsearch -x -ZZ doesn't work anymore:
>
> $>ldapsearch -x -ZZ
> ldap_start_tls: Can't contact LDAP server (-1)
>
> And ldapsearch -x -ZZ -p 636 -h cnyldap01 just hangs.. I get nothing back.
>
> What am I doing wrong???
From logastellus at yahoo.com Thu Jan 5 18:48:15 2006
From: logastellus at yahoo.com (Susan)
Date: Thu, 5 Jan 2006 10:48:15 -0800 (PST)
Subject: [Fedora-directory-users] mandating SSL-only connections
In-Reply-To: <43BD5296.9000106@redhat.com>
Message-ID: <20060105184815.76530.qmail@web52903.mail.yahoo.com>

--- Richard Megginson wrote:
> the openldap ldapsearch -Z does startTLS, which tries to startup a secure connection using the non-secure port - basically, so you can have ldap listen only to 389 and have SSL/TLS on that port. So then you may ask "Ok, that's fine, but how do I disable non-secure connections on 389?" I'm not sure how you can do that at the connection level, but at the entry level you can set ACIs to allow access only if using SSL/TLS.

Can you give me an example, please? ldapsearch aside, even though SSL is enabled on the server, everything (including the password) is being transmitted clear text -- I can see it in ethereal when I try to ssh to an ldap client.
From rmeggins at redhat.com Thu Jan 5 18:54:41 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 05 Jan 2006 11:54:41 -0700
Subject: [Fedora-directory-users] mandating SSL-only connections
In-Reply-To: <20060105184815.76530.qmail@web52903.mail.yahoo.com>
References: <20060105184815.76530.qmail@web52903.mail.yahoo.com>
Message-ID: <43BD6B71.1020205@redhat.com>

Susan wrote:
> --- Richard Megginson wrote:
>> the openldap ldapsearch -Z does startTLS, which tries to startup a secure connection using the non-secure port - basically, so you can have ldap listen only to 389 and have SSL/TLS on that port. So then you may ask "Ok, that's fine, but how do I disable non-secure connections on 389?" I'm not sure how you can do that at the connection level, but at the entry level you can set ACIs to allow access only if using SSL/TLS.
>
> Can you give me an example, please? ldapsearch aside, even though SSL is enabled on the server, everything (including the password) is being transmitted clear text -- I can see it in ethereal when I try to ssh to an ldap client.

If you are using ldapsearch -ZZ:

       -Z[Z]  Issue StartTLS (Transport Layer Security) extended operation. If you use -ZZ, the command will require the operation to be successful.

And if it is successful, the connection should be encrypted from that point on, and you should not see any clear text. You can verify this by looking at the access log for the directory server - the connection and bind information should tell if the startTLS operation was successful.
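Richard's suggestion above, checking the access log to confirm that binds only happen after StartTLS (or on the LDAPS port), as an added example that is not from the thread or the Fedora DS project: a small Python checker over constructed log lines. The line shapes (the `SSL connection from` marker for the LDAPS port, the `SSL n-bit` cipher line written once a TLS session is up, and `method=128` for a simple bind) are assumed from the Fedora DS / 389 DS access-log format.

```python
"""Flag LDAP simple binds that were sent over a connection without TLS.

Added example (not from the mailing-list thread or the Fedora DS project).
The sample lines are constructed in the style of the Fedora DS / 389 DS
access log; the markers below are assumed from that format.
"""
import re

# Every access-log line starts with a bracketed timestamp, so "] conn=N "
# anchors each pattern on the connection number.
NEW_CONN_RE = re.compile(r'\] conn=(\d+) fd=\d+ slot=\d+ (SSL )?connection from ')
TLS_UP_RE = re.compile(r'\] conn=(\d+) SSL \d+-bit ')
CLOSE_RE = re.compile(r'\] conn=(\d+) op=-?\d+ fd=\d+ closed')
BIND_RE = re.compile(r'\] conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\w+)')


def find_cleartext_binds(lines):
    """Return (conn, op, dn) for every simple bind not protected by TLS.

    A connection counts as protected only after the server has logged the
    SSL cipher line for it (LDAPS or a completed StartTLS).  A StartTLS
    request that failed is never followed by that line, so the bind after
    it is still reported.  State is keyed by connection id and reset when
    a new connection with that id appears or the connection closes, since
    ids start over after a server restart.
    """
    tls_conns = set()
    findings = []
    for line in lines:
        m = NEW_CONN_RE.search(line)
        if m:
            conn, is_ldaps = m.group(1), m.group(2) is not None
            if is_ldaps:
                tls_conns.add(conn)
            else:
                tls_conns.discard(conn)
            continue
        m = TLS_UP_RE.search(line)
        if m:
            tls_conns.add(m.group(1))
            continue
        m = CLOSE_RE.search(line)
        if m:
            tls_conns.discard(m.group(1))
            continue
        m = BIND_RE.search(line)
        if not m:
            continue
        conn, op, dn, method = m.groups()
        # method=128 is a simple bind: the password is in the request.
        # SASL binds (method=sasl) and anonymous simple binds (empty dn)
        # carry no password in the clear, so they are not reported.
        if method != "128" or dn == "":
            continue
        if conn not in tls_conns:
            findings.append((conn, op, dn))
    return findings


# Constructed sample, not a real capture.  conn=7 completes StartTLS before
# binding, conn=8 arrives on the LDAPS port, conn=9 binds in the clear,
# conn=10 is an anonymous bind, conn=11 binds after a failed StartTLS, and
# the second conn=7 is a new connection after the first one closed.
SAMPLE_ACCESS_LOG = """\
[05/Jan/2006:12:01:10 -0500] conn=7 fd=64 slot=64 connection from 10.0.0.5 to 10.0.0.1
[05/Jan/2006:12:01:10 -0500] conn=7 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[05/Jan/2006:12:01:10 -0500] conn=7 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[05/Jan/2006:12:01:10 -0500] conn=7 SSL 256-bit AES
[05/Jan/2006:12:01:10 -0500] conn=7 op=1 BIND dn="uid=susan,ou=People,dc=example,dc=com" method=128 version=3
[05/Jan/2006:12:01:10 -0500] conn=7 op=1 RESULT err=0 tag=97 nentries=0 etime=0
[05/Jan/2006:12:01:12 -0500] conn=8 fd=65 slot=65 SSL connection from 10.0.0.6 to 10.0.0.1
[05/Jan/2006:12:01:12 -0500] conn=8 SSL 256-bit AES
[05/Jan/2006:12:01:12 -0500] conn=8 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[05/Jan/2006:12:01:12 -0500] conn=8 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[05/Jan/2006:12:01:15 -0500] conn=9 fd=66 slot=66 connection from 10.0.0.7 to 10.0.0.1
[05/Jan/2006:12:01:15 -0500] conn=9 op=0 BIND dn="uid=jdoe,ou=People,dc=example,dc=com" method=128 version=3
[05/Jan/2006:12:01:15 -0500] conn=9 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[05/Jan/2006:12:01:18 -0500] conn=10 fd=67 slot=67 connection from 10.0.0.8 to 10.0.0.1
[05/Jan/2006:12:01:18 -0500] conn=10 op=0 BIND dn="" method=128 version=3
[05/Jan/2006:12:01:18 -0500] conn=10 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[05/Jan/2006:12:01:20 -0500] conn=11 fd=68 slot=68 connection from 10.0.0.9 to 10.0.0.1
[05/Jan/2006:12:01:20 -0500] conn=11 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[05/Jan/2006:12:01:20 -0500] conn=11 op=0 RESULT err=2 tag=120 nentries=0 etime=0
[05/Jan/2006:12:01:20 -0500] conn=11 op=1 BIND dn="uid=svc,ou=People,dc=example,dc=com" method=128 version=3
[05/Jan/2006:12:01:25 -0500] conn=7 op=2 UNBIND
[05/Jan/2006:12:01:25 -0500] conn=7 op=2 fd=64 closed - U1
[05/Jan/2006:12:09:00 -0500] conn=7 fd=64 slot=64 connection from 10.0.0.5 to 10.0.0.1
[05/Jan/2006:12:09:00 -0500] conn=7 op=0 BIND dn="uid=susan,ou=People,dc=example,dc=com" method=128 version=3
"""

if __name__ == "__main__":
    for conn, op, dn in find_cleartext_binds(SAMPLE_ACCESS_LOG.splitlines()):
        print(f"conn={conn} op={op}: simple bind for {dn} sent without TLS")
```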
From logastellus at yahoo.com Thu Jan 5 19:02:52 2006
From: logastellus at yahoo.com (Susan)
Date: Thu, 5 Jan 2006 11:02:52 -0800 (PST)
Subject: [Fedora-directory-users] mandating SSL-only connections
In-Reply-To: <43BD6B71.1020205@redhat.com>
Message-ID: <20060105190252.70178.qmail@web52912.mail.yahoo.com>

--- Richard Megginson wrote:
> If you are using ldapsearch -ZZ:
>        -Z[Z]  Issue StartTLS (Transport Layer Security) extended operation. If you use -ZZ, the command will require the operation to be successful.
> And if it is successful, the connection should be encrypted from that point on, and you should not see any clear text. You can verify this by

yes, I put the nssldap_port back to 389. Now ldapsearch -x -ZZ returns encrypted data, that's fine. However, when I ssh to a client, THAT LDAP traffic is not encrypted, I can see my password in clear text in ethereal. That's the problem.

From logastellus at yahoo.com Thu Jan 5 19:08:20 2006
From: logastellus at yahoo.com (Susan)
Date: Thu, 5 Jan 2006 11:08:20 -0800 (PST)
Subject: [Fedora-directory-users] mandating SSL-only connections
In-Reply-To: <20060105190252.70178.qmail@web52912.mail.yahoo.com>
Message-ID: <20060105190820.19859.qmail@web52902.mail.yahoo.com>

--- Susan wrote:
> --- Richard Megginson wrote:
>> If you are using ldapsearch -ZZ:
>>        -Z[Z]  Issue StartTLS (Transport Layer Security) extended operation. If

i just realized that ssl was turned off in the /etc/ldap.conf -- that's the problem. It's now going over the LDAPS port as it should. Sorry!

__________________________________________________
Do You Yahoo!? Tired of spam? Yahoo!
Mail has the best spam protection around
http://mail.yahoo.com

From mmontgomery at theplanet.com Thu Jan 5 19:59:44 2006
From: mmontgomery at theplanet.com (Michael Montgomery)
Date: Thu, 05 Jan 2006 13:59:44 -0600
Subject: [Fedora-directory-users] Server-Side ACLs for pam_ldap logins.
In-Reply-To: <43BC0B68.7010803@redhat.com>
References: <43BAF097.602@wep.net> <43BAF414.1000807@redhat.com> <43BB2C13.8000901@wep.net> <43BC0B68.7010803@redhat.com>
Message-ID: <1136491184.15574.13.camel@localhost>

On Wed, 2006-01-04 at 10:52 -0700, Richard Megginson wrote:
> Thanks! This is excellent!
> http://directory.fedora.redhat.com/wiki/Howto:Netgroups
>

Thank you all very much for this wonderful documentation, but I just have one last question. Being that pam_access doesn't seem to exist on solaris, and freebsd, and I'm trying to implement a full cross platform authentication system, are there any options that you know of to allow this type of command:

: @QAUsers@@QASystems : 10.

To restrict access based on the netgroups for these other two Unixes?

Thanks again.

From mmontgomery at theplanet.com Thu Jan 5 20:02:43 2006
From: mmontgomery at theplanet.com (Michael Montgomery)
Date: Thu, 05 Jan 2006 14:02:43 -0600
Subject: [Fedora-directory-users] Server-Side ACLs for pam_ldap logins.
In-Reply-To: <1136491184.15574.13.camel@localhost>
References: <43BAF097.602@wep.net> <43BAF414.1000807@redhat.com> <43BB2C13.8000901@wep.net> <43BC0B68.7010803@redhat.com> <1136491184.15574.13.camel@localhost>
Message-ID: <1136491363.15574.15.camel@localhost>

Actually, login.access may fit the bill for freebsd:

http://www.freebsd.org/cgi/man.cgi?query=login.access&sektion=5

So that just leaves Solaris.

On Thu, 2006-01-05 at 13:59 -0600, Michael Montgomery wrote:
> On Wed, 2006-01-04 at 10:52 -0700, Richard Megginson wrote:
> > Thanks! This is excellent!
> > http://directory.fedora.redhat.com/wiki/Howto:Netgroups
>
> Thank you all very much for this wonderful documentation, but I just
> have one last question. Being that pam_access doesn't seem to exist on
> solaris, and freebsd, and I'm trying to implement a full cross platform
> authentication system, are there any options that you know of to allow
> this type of command:
>
> : @QAUsers@@QASystems : 10.
>
> To restrict access based on the netgroups for these other two Unixes?
>
> Thanks again.

From markmc at redhat.com Fri Jan 6 14:14:03 2006
From: markmc at redhat.com (Mark McLoughlin)
Date: Fri, 06 Jan 2006 14:14:03 +0000
Subject: [Fedora-directory-users] NSS/SSL oddities
Message-ID: <1136556843.3692.55.camel@blaa>

Hi,
  A couple of quick questions about things that have been bugging me:

  - If I import a server certificate and a CA certificate with pk12util
    and change the trust attributes on the CA cert to "C,," - i.e. that
    it should be a trusted CA for server certificates - and then start
    slapd I get:

[05/Jan/2006:17:21:57 +0000] conn=0 op=-1 fd=64 closed - No certificate authority is trusted for SSL client authentication.

    Which seems strange to me - I would have thought the CA certs in
    nssckbi would be trusted for client auth?

  - Unless /opt/fedora-ds/alias is owned by nobody:nobody you get

[05/Jan/2006:17:43:40 +0000] - SSL alert: Security Initialization: NSS initialization failed (Netscape Portable Runtime error -8192 - An I/O error occurred during security authorization.): path: /opt/fedora-ds/alias/, certdb prefix: slapd-foo-, keydb prefix: slapd-foo-.
[05/Jan/2006:17:43:40 +0000] - ERROR: NSS Initialization Failed.

    Couldn't we not make the directory owned by nobody:nobody by
    default in the RPM? root:root doesn't seem like a useful default.

Cheers,
Mark.
From rcritten at redhat.com Fri Jan 6 14:21:30 2006
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 06 Jan 2006 09:21:30 -0500
Subject: [Fedora-directory-users] NSS/SSL oddities
In-Reply-To: <1136556843.3692.55.camel@blaa>
References: <1136556843.3692.55.camel@blaa>
Message-ID: <43BE7CEA.6070907@redhat.com>

Mark McLoughlin wrote:
> Hi,
>   A couple of quick questions about things that have been bugging me:
>
>   - If I import a server certificate and a CA certificate with pk12util
>     and change the trust attributes on the CA cert to "C,," - i.e. that
>     it should be a trusted CA for server certificates - and then start
>     slapd I get:
>
> [05/Jan/2006:17:21:57 +0000] conn=0 op=-1 fd=64 closed - No certificate authority is trusted for SSL client authentication.
>
>     Which seems strange to me - I would have thought the CA certs in
>     nssckbi would be trusted for client auth?

The C trust flag means that it is a trusted CA to issue server certs. For client certs you need the T flag as well.

nssckbi doesn't really come into play here. I believe that even if your CA is signed by another CA that is in libnssckbi but you don't trust your CA to sign client certs, then any client certificates issued by your CA won't be trusted.

rob

From rmeggins at redhat.com Fri Jan 6 14:57:38 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 06 Jan 2006 07:57:38 -0700
Subject: [Fedora-directory-users] NSS/SSL oddities
In-Reply-To: <1136556843.3692.55.camel@blaa>
References: <1136556843.3692.55.camel@blaa>
Message-ID: <43BE8562.4090903@redhat.com>

Mark McLoughlin wrote:
> Hi,
>   A couple of quick questions about things that have been bugging me:
>
>   - If I import a server certificate and a CA certificate with pk12util
>     and change the trust attributes on the CA cert to "C,," - i.e.
>     that
>     it should be a trusted CA for server certificates - and then start
>     slapd I get:
>
> [05/Jan/2006:17:21:57 +0000] conn=0 op=-1 fd=64 closed - No certificate authority is trusted for SSL client authentication.
>
>     Which seems strange to me - I would have thought the CA certs in
>     nssckbi would be trusted for client auth?

Hmm - not sure.

>   - Unless /opt/fedora-ds/alias is owned by nobody:nobody you get
>
> [05/Jan/2006:17:43:40 +0000] - SSL alert: Security Initialization: NSS initialization failed (Netscape Portable Runtime error -8192 - An I/O error occurred during security authorization.): path: /opt/fedora-ds/alias/, certdb prefix: slapd-foo-, keydb prefix: slapd-foo-.
> [05/Jan/2006:17:43:40 +0000] - ERROR: NSS Initialization Failed.
>
>     Couldn't we not make the directory owned by nobody:nobody by
>     default in the RPM? root:root doesn't seem like a useful default.

Yes, and it should be nobody:nobody - the setup script for FDS 1.0.1 should be setting that directory to be owned by nobody:nobody. Did you run setup after installing FDS 1.0.1? We're currently revamping the RPM installation.

> Cheers,
> Mark.
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
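Rob's point above (C in the SSL trust field makes a CA trusted to issue server certificates; T is needed for client certificates) is easy to get wrong when reading `certutil -L` output. The following is an added example, not code from the thread or from Fedora DS or NSS: it parses certutil-style trust strings such as "C,," and "CT,," and models the server's complaint "No certificate authority is trusted for SSL client authentication" as "no certificate in the database carries T in its SSL field while client auth is enabled". That model, the flag meanings table, and the sample database with nicknames "Server-Cert" and "Example CA" are this example's assumptions; the model matches what Mark observed (the built-in nssckbi roots were not consulted) but NSS's actual trust resolution is not described on the page.

```python
"""Parse NSS/certutil trust-attribute strings and report what a CA is trusted for.

Added example (not FDS or NSS code). The letter meanings follow the certutil
documentation; the handshake model at the bottom is a simplification that
matches the behaviour reported in the thread.
"""
from __future__ import annotations

from dataclasses import dataclass

# certutil trust letters. A trust string has three comma-separated fields:
# SSL, email (S/MIME) and object signing, e.g. "CT,C,C" or "u,u,u".
FLAG_MEANINGS = {
    "p": "valid peer",
    "P": "trusted peer (implies p)",
    "c": "valid CA",
    "C": "trusted CA to issue server certificates (SSL only; implies c)",
    "T": "trusted CA to issue client certificates (implies c)",
    "u": "user certificate (private key present)",
}


@dataclass(frozen=True)
class TrustFlags:
    ssl: str
    email: str
    objsign: str

    def is_server_ca(self) -> bool:
        return "C" in self.ssl

    def is_client_auth_ca(self) -> bool:
        return "T" in self.ssl


def parse_trust(trust: str) -> TrustFlags:
    """Parse "C,," or "CT,C,C" into its three fields; reject unknown letters."""
    parts = trust.split(",")
    if len(parts) != 3:
        raise ValueError(f"trust string needs 3 comma-separated fields: {trust!r}")
    for field in parts:
        for ch in field:
            if ch not in FLAG_MEANINGS:
                raise ValueError(f"unknown trust flag {ch!r} in {trust!r}")
    return TrustFlags(*parts)


def describe_ssl_trust(trust: str) -> list[str]:
    """Plain-language meaning of each flag in the SSL field."""
    return [FLAG_MEANINGS[ch] for ch in parse_trust(trust).ssl]


def client_auth_cas(certdb: dict[str, str]) -> list[str]:
    """Nicknames usable as client-auth CAs (T in the SSL field).
    certdb maps nickname -> trust string, as `certutil -L -d <dir>` prints."""
    return [nick for nick, t in certdb.items() if parse_trust(t).is_client_auth_ca()]


def handshake_outcome(certdb: dict[str, str], client_auth_enabled: bool) -> str:
    """Assumed model: with client auth enabled the server needs at least one
    client-auth CA to build its CertificateRequest, otherwise it closes the
    connection with the error quoted in the thread."""
    if not client_auth_enabled:
        return "ok: client auth disabled, no CertificateRequest sent"
    cas = client_auth_cas(certdb)
    if not cas:
        return "error: No certificate authority is trusted for SSL client authentication"
    return "ok: CertificateRequest will list " + ", ".join(cas)


# Constructed sample databases (hypothetical nicknames): the CA imported with
# "C,," as in the thread, and the same CA re-trusted with "CT,,".
SAMPLE_DB = {"Server-Cert": "u,u,u", "Example CA": "C,,"}
FIXED_DB = {"Server-Cert": "u,u,u", "Example CA": "CT,,"}

if __name__ == "__main__":
    for nick, trust in SAMPLE_DB.items():
        print(nick, trust, describe_ssl_trust(trust))
    print(handshake_outcome(SAMPLE_DB, client_auth_enabled=True))
    print(handshake_outcome(FIXED_DB, client_auth_enabled=True))
    print(handshake_outcome(SAMPLE_DB, client_auth_enabled=False))
```

Changing the CA's trust to "CT,," makes the error go away only because it makes that CA acceptable for client certificates; if the server should never accept client certificates, the tighter fix is the one the thread arrives at later, disabling client auth on the server rather than widening the CA's trust.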
From markmc at redhat.com Fri Jan 6 15:01:46 2006
From: markmc at redhat.com (Mark McLoughlin)
Date: Fri, 06 Jan 2006 15:01:46 +0000
Subject: [Fedora-directory-users] NSS/SSL oddities
In-Reply-To: <43BE8562.4090903@redhat.com>
References: <1136556843.3692.55.camel@blaa> <43BE8562.4090903@redhat.com>
Message-ID: <1136559706.3692.70.camel@blaa>

On Fri, 2006-01-06 at 07:57 -0700, Richard Megginson wrote:
> >   - Unless /opt/fedora-ds/alias is owned by nobody:nobody you get
> >
> > [05/Jan/2006:17:43:40 +0000] - SSL alert: Security Initialization: NSS initialization failed (Netscape Portable Runtime error -8192 - An I/O error occurred during security authorization.): path: /opt/fedora-ds/alias/, certdb prefix: slapd-foo-, keydb prefix: slapd-foo-.
> > [05/Jan/2006:17:43:40 +0000] - ERROR: NSS Initialization Failed.
> >
> >     Couldn't we not make the directory owned by nobody:nobody by
> >     default in the RPM? root:root doesn't seem like a useful default.
>
> Yes, and it should be nobody:nobody - the setup script for FDS 1.0.1
> should be setting that directory to be owned by nobody:nobody. Did you
> run setup after installing FDS 1.0.1?

No, I'm not using the setup script.

> We're currently revamping the RPM installation.

Excellent; is the work-in-progress available anywhere for people to poke at?

Cheers,
Mark.
From markmc at redhat.com Fri Jan 6 15:03:39 2006
From: markmc at redhat.com (Mark McLoughlin)
Date: Fri, 06 Jan 2006 15:03:39 +0000
Subject: [Fedora-directory-users] NSS/SSL oddities
In-Reply-To: <43BE7CEA.6070907@redhat.com>
References: <1136556843.3692.55.camel@blaa> <43BE7CEA.6070907@redhat.com>
Message-ID: <1136559820.3692.74.camel@blaa>

Hi Rob,

On Fri, 2006-01-06 at 09:21 -0500, Rob Crittenden wrote:
> Mark McLoughlin wrote:
> > Hi,
> >   A couple of quick questions about things that have been bugging me:
> >
> >   - If I import a server certificate and a CA certificate with pk12util
> >     and change the trust attributes on the CA cert to "C,," - i.e. that
> >     it should be a trusted CA for server certificates - and then start
> >     slapd I get:
> >
> > [05/Jan/2006:17:21:57 +0000] conn=0 op=-1 fd=64 closed - No certificate authority is trusted for SSL client authentication.
> >
> >     Which seems strange to me - I would have thought the CA certs in
> >     nssckbi would be trusted for client auth?
>
> The C trust flag means that it is a trusted CA to issue server certs.
> For client certs you need the T flag as well.

Right.

> nssckbi doesn't really come into play here. I believe that even if your
> CA is signed by another CA that is in libnssckbi but you don't trust
> your CA to sign client certs, then any client certificates issued by
> your CA won't be trusted.

Well, the point is that this CA won't be issuing any client certificates ... only a server certificate.

What appears to be happening is that NSS requires at least one CA certificate to be available in order to send a certificate request during the handshake. However, my CA certificate isn't trusted for client auth and NSS isn't aware of any other CAs for client auth, so it barfs.

I find this puzzling because looking through the NSS code, it looks like the CA certificates from nssckbi should be used for client auth - e.g.
the error suggests that if I make my CA trusted for client auth, it will be the *only* CA used for client auth and that the root CAs will be ignored?

Cheers,
Mark.

From rmeggins at redhat.com Fri Jan 6 15:20:34 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 06 Jan 2006 08:20:34 -0700
Subject: [Fedora-directory-users] NSS/SSL oddities
In-Reply-To: <1136559706.3692.70.camel@blaa>
References: <1136556843.3692.55.camel@blaa> <43BE8562.4090903@redhat.com> <1136559706.3692.70.camel@blaa>
Message-ID: <43BE8AC2.50401@redhat.com>

Mark McLoughlin wrote:
> On Fri, 2006-01-06 at 07:57 -0700, Richard Megginson wrote:
> > >   - Unless /opt/fedora-ds/alias is owned by nobody:nobody you get
> > >
> > > [05/Jan/2006:17:43:40 +0000] - SSL alert: Security Initialization: NSS initialization failed (Netscape Portable Runtime error -8192 - An I/O error occurred during security authorization.): path: /opt/fedora-ds/alias/, certdb prefix: slapd-foo-, keydb prefix: slapd-foo-.
> > > [05/Jan/2006:17:43:40 +0000] - ERROR: NSS Initialization Failed.
> > >
> > >     Couldn't we not make the directory owned by nobody:nobody by
> > >     default in the RPM? root:root doesn't seem like a useful default.
> >
> > Yes, and it should be nobody:nobody - the setup script for FDS 1.0.1
> > should be setting that directory to be owned by nobody:nobody. Did you
> > run setup after installing FDS 1.0.1?
>
> No, I'm not using the setup script.

Ah, that explains it.

> > We're currently revamping the RPM installation.
>
> Excellent; is the work-in-progress available anywhere for people to
> poke at?

No, not yet. We're still climbing the mountain of dependent components - nspr, nss, svrcore, ldapsdk, ldapjdk, etc. etc.

> Cheers,
> Mark.
From logastellus at yahoo.com Fri Jan 6 15:31:35 2006
From: logastellus at yahoo.com (Susan)
Date: Fri, 6 Jan 2006 07:31:35 -0800 (PST)
Subject: [Fedora-directory-users] putting root account in FDS
In-Reply-To: <43BE8AC2.50401@redhat.com>
Message-ID: <20060106153135.86161.qmail@web52901.mail.yahoo.com>

I was just wondering what the community thoughts are on the subject of root accounts in LDAP vs. local. Some SAs in the company insist on keeping root passwords local in case of LDAP outage, saying that root is too critical to be handed over to FDS. Personally, I think it's no big deal. We have it local right now and every time an SA or a mgr quits, we have to log in to every unix/linux box and change root's password, which is a real pain.

What are your thoughts on the subject? Are there some accounts that you insist on keeping local or is that line of thinking anachronistic?

Thank you.

From rcritten at redhat.com Fri Jan 6 15:47:05 2006
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 06 Jan 2006 10:47:05 -0500
Subject: [Fedora-directory-users] NSS/SSL oddities
In-Reply-To: <1136559820.3692.74.camel@blaa>
References: <1136556843.3692.55.camel@blaa> <43BE7CEA.6070907@redhat.com> <1136559820.3692.74.camel@blaa>
Message-ID: <43BE90F9.5060205@redhat.com>

Mark McLoughlin wrote:
> Hi Rob,
>
> On Fri, 2006-01-06 at 09:21 -0500, Rob Crittenden wrote:
> > Mark McLoughlin wrote:
> > > Hi,
> > >   A couple of quick questions about things that have been bugging me:
> > >
> > >   - If I import a server certificate and a CA certificate with pk12util
> > >     and change the trust attributes on the CA cert to "C,," - i.e.
> > >     that
> > >     it should be a trusted CA for server certificates - and then start
> > >     slapd I get:
> > >
> > > [05/Jan/2006:17:21:57 +0000] conn=0 op=-1 fd=64 closed - No certificate authority is trusted for SSL client authentication.
> > >
> > >     Which seems strange to me - I would have thought the CA certs in
> > >     nssckbi would be trusted for client auth?
> >
> > The C trust flag means that it is a trusted CA to issue server certs.
> > For client certs you need the T flag as well.
>
> Right.
>
> > nssckbi doesn't really come into play here. I believe that even if your
> > CA is signed by another CA that is in libnssckbi but you don't trust
> > your CA to sign client certs, then any client certificates issued by
> > your CA won't be trusted.
>
> Well, the point is that this CA won't be issuing any client
> certificates ... only a server certificate.
>
> What appears to be happening is that NSS requires at least one CA
> certificate to be available in order to send a certificate request
> during the handshake. However, my CA certificate isn't trusted for
> client auth and NSS isn't aware of any other CAs for client auth, so it
> barfs.
>
> I find this puzzling because looking through the NSS code, it looks
> like the CA certificates from nssckbi should be used for client auth -
> e.g. the error suggests that if I make my CA trusted for client auth, it
> will be the *only* CA used for client auth and that the root CAs will be
> ignored?

The question is: Do you want to do client certificate authentication? If not then you should be able to disable client auth in the directory server and this message should go away. I'm not a FDS developer so I can't really say how one would do this configuration.

As for the trust issue, this goes a bit beyond my knowledge. This would be a good question for the NSS guys in the netscape.public.mozilla.crypto newsgroup (on nntp://news.mozilla.org).

rob

> Cheers,
> Mark.
From markmc at redhat.com Fri Jan 6 16:17:06 2006
From: markmc at redhat.com (Mark McLoughlin)
Date: Fri, 06 Jan 2006 16:17:06 +0000
Subject: [Fedora-directory-users] NSS/SSL oddities
In-Reply-To: <43BE90F9.5060205@redhat.com>
References: <1136556843.3692.55.camel@blaa> <43BE7CEA.6070907@redhat.com> <1136559820.3692.74.camel@blaa> <43BE90F9.5060205@redhat.com>
Message-ID: <1136564226.3692.79.camel@blaa>

On Fri, 2006-01-06 at 10:47 -0500, Rob Crittenden wrote:
> Mark McLoughlin wrote:
> > What appears to be happening is that NSS requires at least one CA
> > certificate to be available in order to send a certificate request
> > during the handshake. However, my CA certificate isn't trusted for
> > client auth and NSS isn't aware of any other CAs for client auth, so it
> > barfs.
> >
> > I find this puzzling because looking through the NSS code, it looks
> > like the CA certificates from nssckbi should be used for client auth -
> > e.g. the error suggests that if I make my CA trusted for client auth, it
> > will be the *only* CA used for client auth and that the root CAs will be
> > ignored?
>
> The question is: Do you want to do client certificate authentication? If
> not then you should be able to disable client auth in the directory
> server and this message should go away. I'm not a FDS developer so I
> can't really say how one would do this configuration.

Yep, if you disable client auth, no attempt is made to send a certificate request during the handshake and you don't get any error.
(To disable it you seem to have to set both "nsslapd-sslclientauth" on "cn=config" and "nsSSLClientAuth" on "cn=encryption,cn=config")

> As for the trust issue, this goes a bit beyond my knowledge. This would
> be a good question for the NSS guys in the
> netscape.public.mozilla.crypto newsgroup (on nntp://news.mozilla.org).

Okay, thanks for your help.

Cheers,
Mark.

From dhollis at davehollis.com Fri Jan 6 18:40:46 2006
From: dhollis at davehollis.com (David Hollis)
Date: Fri, 06 Jan 2006 13:40:46 -0500
Subject: [Fedora-directory-users] putting root account in FDS
In-Reply-To: <20060106153135.86161.qmail@web52901.mail.yahoo.com>
References: <20060106153135.86161.qmail@web52901.mail.yahoo.com>
Message-ID: <1136572846.2475.17.camel@dhollis-lnx.sunera.com>

On Fri, 2006-01-06 at 07:31 -0800, Susan wrote:
> I was just wondering what the community thoughts are on the subject of root accounts in LDAP vs.
> local. Some SAs in the company insist on keeping root passwords local in case of LDAP outage,
> saying that root is too critical to be handed over to FDS. Personally, I think it's no big deal.
> We have it local right now and every time an SA or a mgr quits, we've to login to every unix/linux
> box and change root's password which is a real pain.
>
> What are your thoughts on the subject? Are there some accounts that you insist on keeping local
> or is that line of thinking anachronistic?

Keeping root local does make sense. Giving every SA the root password doesn't. Use something like sudo to restrict and log SA administrative tasks. They then use their own password to switch up to root privs to perform a task, it gets logged, etc. When they leave, their account gets disabled and they no longer have any way to get to root. You still need to ensure that they don't do bad stuff like create another acct with UID 0 or something that gives them a backdoor.
From danlipsitt at gmail.com Fri Jan 6 19:34:51 2006
From: danlipsitt at gmail.com (Dan Lipsitt)
Date: Fri, 6 Jan 2006 14:34:51 -0500
Subject: [Fedora-directory-users] Error start-admin
In-Reply-To: <43BAA134.5090007@redhat.com>
References: <43BAA134.5090007@redhat.com>
Message-ID:

On 1/3/06, Richard Megginson wrote:
> Hm - I guess ld.so doesn't like the 32 bit shared libraries. We are
> working on a 64 bit version. Don't have a date yet.

Is there a bugzilla entry for the 64-bit problem so I can get emails and track your progress? I'm eager to try Fedora DS, but can't until there is a 64-bit version.

Thanks,
Dan

From rmeggins at redhat.com Fri Jan 6 21:40:15 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 06 Jan 2006 14:40:15 -0700
Subject: [Fedora-directory-users] Error start-admin
In-Reply-To:
References: <43BAA134.5090007@redhat.com>
Message-ID: <43BEE3BF.9080807@redhat.com>

Dan Lipsitt wrote:
> On 1/3/06, Richard Megginson wrote:
> > Hm - I guess ld.so doesn't like the 32 bit shared libraries. We are
> > working on a 64 bit version. Don't have a date yet.
>
> Is there a bugzilla entry for the 64-bit problem so I can get emails
> and track your progress? I'm eager to try Fedora DS, but can't until
> there is a 64-bit version.

It may be possible to build it. http://directory.fedora.redhat.com/wiki/Building#One-Step_Build Try adding USE_64=1 to the make command.

> Thanks,
> Dan
From ABliss at preferredcare.org Sat Jan 7 03:54:40 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Fri, 6 Jan 2006 22:54:40 -0500
Subject: [Fedora-directory-users] Host based access control
Message-ID:

Just a quick question, as referenced in this doc http://directory.fedora.redhat.com/wiki/Howto:Posix to control server logins using hostobject, to specify more than 1 host for an object, how should the list be formatted in the object? As a list of hosts separated by spaces or by commas? For example, to allow user aaron to log in to serverA and serverB, would the list look like serverA serverB or serverA,serverB ? Thanks very much.

Aaron

www.preferredcare.org
"An Outstanding Member Experience," Preferred Care HMO Plans -- J. D. Power and Associates

Confidentiality Notice:
The information contained in this electronic message is intended for the exclusive use of the individual or entity named above and may contain privileged or confidential information. If the reader of this message is not the intended recipient or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that dissemination, distribution or copying of this information is prohibited. If you have received this communication in error, please notify the sender immediately by telephone and destroy the copies you received.

From mj at sci.fi Sat Jan 7 11:28:22 2006
From: mj at sci.fi (Mike Jackson)
Date: Sat, 07 Jan 2006 13:28:22 +0200
Subject: [Fedora-directory-users] putting root account in FDS
In-Reply-To: <20060106153135.86161.qmail@web52901.mail.yahoo.com>
References: <20060106153135.86161.qmail@web52901.mail.yahoo.com>
Message-ID: <43BFA5D6.6030703@sci.fi>

Susan wrote:
> I was just wondering what the community thoughts are on the subject of root accounts in LDAP vs.
> local.
> Some SAs in the company insist on keeping root passwords local in case of LDAP outage,
> saying that root is too critical to be handed over to FDS. Personally, I think it's no big deal.
> We have it local right now and every time an SA or a mgr quits, we've to login to every unix/linux
> box and change root's password which is a real pain.
>
> What are your thoughts on the subject? Are there some accounts that you insist on keeping local
> or is that line of thinking anachronistic?

How are you supposed to log into your machine to restart a crashed LDAP service, if the root account (and all other accounts) is only stored in LDAP? Chicken or egg?

On some boxes, you might need to give the root password to someone. On other boxes which are more sensitive, you don't want to give the root password to anyone. From a security perspective, having a single, enterprise-wide, root password is foolhardy and puts you down to the same security level as a windows "domain".

To consider putting the root account into LDAP is basically not a stupid question, because you may have been shortsighted by the perceived benefits (ease of management). To put it there, however, is not a very good idea, for the reasons outlined above.

--
mike

From rmeggins at redhat.com Sat Jan 7 15:16:06 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Sat, 07 Jan 2006 08:16:06 -0700
Subject: [Fedora-directory-users] Host based access control
In-Reply-To:
References:
Message-ID: <43BFDB36.4030001@redhat.com>

Bliss, Aaron wrote:
> Just a quick question, as referenced in this doc
> http://directory.fedora.redhat.com/wiki/Howto:Posix to control server logins
> using hostobject, to specify more than 1 host for an object, how should list
> be formatted in the object?; as a list of hosts separated by spaces or by
> commas? For example, to allow user aaron to login into serverA and serverB,
> would list look like serverA serverB or serverA,serverB ? Thanks very much.
The host attribute is multi valued, so you just specify more than one attribute value, e.g. in LDIF:

dn: uid=foo,....
objectclass: hostObject
...
host: serverA
host: serverB
host: serverC
...

> Aaron
>
> www.preferredcare.org
> "An Outstanding Member Experience," Preferred Care HMO Plans -- J. D. Power and Associates

From jo.de.troy at gmail.com Sun Jan 8 20:32:05 2006
From: jo.de.troy at gmail.com (Jo De Troy)
Date: Sun, 8 Jan 2006 21:32:05 +0100
Subject: [Fedora-directory-users] password history question
Message-ID:

Hello,

I'm using FDS 1.0.1 on RHEL 4. I've setup a global password policy and I've enabled password history of 5 passwords via the console. When I login through ssh with an LDAP user and I change the user's password via 'passwd' it seems I am able to use an older password. Can anybody point me to what I'm probably doing wrong? Has anyone experienced the same problem? What am I doing wrong? Or does the password history not work when changing the password through passwd?
Thanks in advance,
Jo

From warthog at warthogsolutions.com Sun Jan 8 21:00:39 2006
From: warthog at warthogsolutions.com (Jamie McKnight)
Date: Sun, 08 Jan 2006 16:00:39 -0500
Subject: [Fedora-directory-users] password history question
In-Reply-To:
References:
Message-ID: <1136754039.21180.16.camel@ra>

On Sun, 2006-01-08 at 21:32 +0100, Jo De Troy wrote:
> Hello,
>
> I'm using FDS 1.0.1 on RHEL 4
> I've setup a global password policy and I've enabled password history
> of 5 passwords via the console.
> When I login through ssh with an LDAP user and I change the user's
> password via 'passwd' it seems I am able to use an older password. Can
> anybody point me to what I'm probably doing wrong? Has anyone
> experienced the same problem? What am I doing wrong?
> Or does the password history not work when changing the password
> through passwd?
>
> Thanks in advance,
> Jo

If the client is a Linux box, make sure you have this set in /etc/ldap.conf:

pam_password clear

Otherwise what is being passed to the directory server is the hashed password, and the password history comparison will not find a match. The DS will take the clear password, and encrypt it with matching salts/method to see if the new password matches what's in the history.

You will also want to enable LDAPS or SSL/TLS so your passwords are not going across the wire in the clear.

Hope this helps,
Jamie

From tim at registriesltd.com.au Mon Jan 9 00:22:51 2006
From: tim at registriesltd.com.au (Tim Edwards)
Date: Mon, 09 Jan 2006 11:22:51 +1100
Subject: [Fedora-directory-users] ldconfig
Message-ID: <43C1ACDB.6060304@registriesltd.com.au>

I may have missed something but it seems to me that the RPMs for Fedora-ds don't add the necessary entries in the ldconfig config.
This means that you can't run any of the binaries in /opt/fedora-ds/shared/bin (for example) until you manually add the following entries to a /etc/ld.so.conf.d/fedorads-i386.conf file and run ldconfig.

/opt/fedora-ds/lib
/opt/fedora-ds/clients/lib/
/opt/fedora-ds/shared/lib/
/opt/fedora-ds/bin/admin/lib/
/opt/fedora-ds/bin/slapd/lib/

Is this an oversight in the packaging or is there another way I was supposed to do this?

Thanks

--
Tim Edwards

From jo.de.troy at gmail.com Mon Jan 9 13:22:52 2006
From: jo.de.troy at gmail.com (Jo De Troy)
Date: Mon, 9 Jan 2006 14:22:52 +0100
Subject: [Fedora-directory-users] password history question
Message-ID:

Hi Jamie,

thanks for the info. I'm trying to setup SSL now. I'm following the SSL howto posted on the wiki. It seems like it's not totally accurate, I get a failure when importing the ldif's mentioned in the document. Seems like I cannot add the attributes

nsslapd-security and nsslapd-ssl-check-hostname

I think SSL is setup now but I cannot seem to get it working with ldapsearch -zz, I keep getting

ldap_start_tls: Connect error (-11)
        additional info: Start TLS request accepted.Server willing to negotiate SSL.

I guess I need to point my ldap.conf to the ca certificate for trust, which file is holding the ca certificate? I can however login on port 636 as Directory Manager when using ldapbrowser ( http://www.mcs.anl.gov/~gawor/ldap/ )

Another question I have wrt password history, it seems like the history entries are all using crypt. I thought they would be using the same encryption as setup for the userpassword (e.g. md5) or is there a particular reason for using crypt?

Thanks again,
Jo
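Richard's answer to Aaron's host-based access question (the `host` attribute is multi-valued; list each host as its own attribute value, never "serverA,serverB" in one value) is worth seeing against an actual access check. The following is an added example, not code from the thread, Fedora DS or pam_ldap: a minimal LDIF reader that keeps every value of a multi-valued attribute and unfolds continuation lines, plus a model of the check pam_ldap performs when `pam_check_host_attr` is on. The check's semantics are assumed here (a `host` value equal to the local host name, or "*", allows access; a missing attribute denies), as are the constructed entries for uid=aaron, and the comparison is made case-insensitive by choice.

```python
"""Host-based access control from the `host` attribute: why it must be
multi-valued. Added example (not FDS or pam_ldap code); the pam_ldap
semantics below are an assumption, not taken from its source.
"""
from __future__ import annotations


def parse_ldif_entry(text: str) -> dict[str, list[str]]:
    """Minimal LDIF reader for one entry: unfolds continuation lines (a line
    starting with a single space continues the previous one), skips blank
    lines and '#' comments, lowercases attribute names and keeps every value
    of a multi-valued attribute. Base64 (::) and URL (:<) values are not
    handled."""
    logical: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entry: dict[str, list[str]] = {}
    for line in logical:
        if not line.strip() or line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def host_allowed(entry: dict[str, list[str]], hostname: str) -> bool:
    """Assumed pam_check_host_attr semantics: allow if any `host` value is "*"
    or equals the local host name; deny if the attribute is absent."""
    hosts = entry.get("host")
    if not hosts:
        return False
    return any(h == "*" or h.lower() == hostname.lower() for h in hosts)


def check_hosts(ldif: str, hostnames: list[str]) -> dict[str, bool]:
    """Evaluate one entry against several candidate local host names."""
    entry = parse_ldif_entry(ldif)
    return {h: host_allowed(entry, h) for h in hostnames}


# Constructed entries (hypothetical DN). GOOD_LDIF is the multi-valued form
# from Richard's answer; BAD_LDIF is the comma-joined single value Aaron
# asked about, which matches no real host name.
GOOD_LDIF = """\
dn: uid=aaron,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: hostObject
uid: aaron
host: serverA
host: serverB
"""

BAD_LDIF = """\
dn: uid=aaron,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: hostObject
uid: aaron
host: serverA,serverB
"""

if __name__ == "__main__":
    hosts = ["serverA", "serverB", "serverC"]
    print("multi-valued:", check_hosts(GOOD_LDIF, hosts))
    print("comma-joined:", check_hosts(BAD_LDIF, hosts))
```

The comma-joined form fails closed in this model (aaron is locked out of both servers), which is the safer of the two failure modes, but it is still a silent misconfiguration; a quick `ldapsearch` for the entry showing one `host:` line per server is the check to run before relying on it.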
From jo.de.troy at gmail.com Fri Jan 6 21:14:06 2006
From: jo.de.troy at gmail.com (Jo De Troy)
Date: Fri, 6 Jan 2006 22:14:06 +0100
Subject: [Fedora-directory-users] account lockout and sshd
Message-ID:

Hello,

I've setup FDS 1.0.1 on CentOs4 and configured this box to use ldap for authentication. I am able to login through SSH with an ldap user but I can't seem to figure out how to get account lockouts to work. Also password history doesn't seem to work, I followed the different documents on the Wiki though. Did anyone get this to work fine? Could someone give me a hint as to where I've messed things up?

Thanks in advance,
Jo

From fochlere at mail.nih.gov Sat Jan 7 20:20:59 2006
From: fochlere at mail.nih.gov (Edward Fochler)
Date: Sat, 7 Jan 2006 15:20:59 -0500
Subject: [Fedora-directory-users] putting root account in FDS
In-Reply-To: <43BFA5D6.6030703@sci.fi>
References: <20060106153135.86161.qmail@web52901.mail.yahoo.com> <43BFA5D6.6030703@sci.fi>
Message-ID: <19B874EC-87A2-4AD5-85FD-83AD50E31E7E@mail.nih.gov>

We have root local on the boxes, but are locking it out from ssh. Admins are being weaned off of root and are allowed to ssh and sudo if they are in the right groups in ldap. I also put in a local ssh and sudo capable non-root local account on the boxes I manage to deal with network outages and misconfigurations. ssh brute force and a known-name god account like root are just a nightmare that I intend to stay far far away from. I do have a dummy, non-modifiable no password root entry in my username table so that if ldap becomes compromised, that's one avenue of attack that will be that much harder to exploit, and easy to detect.

The problem is a good one, and I like the solution I'm using currently, which is partially inspired by the default setup of Mac OS X. No known (default) account names with login access.

ED.
On 2006, Jan 7, at 6:28 AM, Mike Jackson wrote:
> Susan wrote:
> > I was just wondering what the community thoughts are on the subject
> > of root accounts in LDAP vs. local. Some SAs in the company insist on
> > keeping root passwords local in case of LDAP outage, saying that root
> > is too critical to be handed over to FDS. Personally, I think it's no
> > big deal. We have it local right now and every time an SA or a mgr
> > quits, we've to login to every unix/linux box and change root's
> > password which is a real pain.
> > What are your thoughts on the subject? Are there some accounts that
> > you insist on keeping local or is that line of thinking anachronistic?
>
> How are you supposed to log into your machine to restart a crashed
> LDAP service, if the root account (and all other accounts) is only
> stored in LDAP? Chicken or egg?
>
> On some boxes, you might need to give the root password to someone.
> On other boxes which are more sensitive, you don't want to give the
> root password to anyone. From a security perspective, having a
> single, enterprise-wide, root password is foolhardy and puts you
> down to the same security level as a windows "domain".
>
> To consider putting the root account into LDAP is basically not a
> stupid question, because you may have been shortsighted by the
> perceived benefits (ease of management). To put it there, however,
> is not a very good idea, for the reasons outlined above.
>
> --
> mike

From logastellus at yahoo.com Mon Jan 9 14:11:54 2006
From: logastellus at yahoo.com (Susan)
Date: Mon, 9 Jan 2006 06:11:54 -0800 (PST)
Subject: [Fedora-directory-users] password history question
In-Reply-To:
Message-ID: <20060109141154.27697.qmail@web52914.mail.yahoo.com>

Jo, make sure you are using ldapsearch -x -ZZ (if doing anon binds). Cap Zs.
Also, I couldn't just copy/paste/import the /tmp/ssl_enable.ldif from the wiki. I had to make sure the line nsSSL3Ciphers: has no breaks in it, (basically shift J in vi) otherwise the import fails. That and make sure you've ssl turned on /etc/ldap.conf on the client's side. --- Jo De Troy wrote: > Hi Jamie, > > thanks for the info. I'm trying to setup SSL now. I'm following the SSL > howto posted on the wiki. It seems like it's not totally accurate, I get a > failure when importing the ldif's mentioned in the document. Seems like I > cannot add the attributes > > nsslapd-security and nsslapd-ssl-check-hostname > > I think SSL is setup now but I cannot seem to get it working with ldapsearch > -zz, I keep getting > ldap_start_tls: Connect error (-11) > additional info: Start TLS request accepted.Server willing to > negotiate SSL. > I guess I need to point my ldap.conf to the ca certificate for trust, which > file is holding the ca certificate? I can however login on port 636 as > Directory Manager when using ldapbrowser ( > http://www.mcs.anl.gov/~gawor/ldap/ ) > > Another question I have wrt password history, it seems like the history > entries are all using crypt. I thought they would be using the same > encryption as setup for the userpassword (e.g. md5) or is there a particular > reason for using crypt? > > Thanks again, > Jo > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > __________________________________________ Yahoo! DSL ? Something to write home about. Just $16.99/mo. or less. 
dsl.yahoo.com From markmc at redhat.com Mon Jan 9 14:32:35 2006 From: markmc at redhat.com (Mark McLoughlin) Date: Mon, 09 Jan 2006 14:32:35 +0000 Subject: [Fedora-directory-users] password history question In-Reply-To: <20060109141154.27697.qmail@web52914.mail.yahoo.com> References: <20060109141154.27697.qmail@web52914.mail.yahoo.com> Message-ID: <1136817155.3677.36.camel@blaa> On Mon, 2006-01-09 at 06:11 -0800, Susan wrote: > Also, I couldn't just copy/paste/import the /tmp/ssl_enable.ldif from the wiki. I had to make > sure the line nsSSL3Ciphers: has no breaks in it, (basically shift J in vi) otherwise the import > fails. FWIW, if you don't set nsSSL3Ciphers, it defaults to the same ciphers which are listed in ssl_enable.ldif ... see: ldap/servers/slapd/ssl.c:_conf_setciphers() Cheers, Mark. From jo.de.troy at gmail.com Mon Jan 9 14:53:00 2006 From: jo.de.troy at gmail.com (Jo De Troy) Date: Mon, 9 Jan 2006 15:53:00 +0100 Subject: [Fedora-directory-users] password history question Message-ID: Hi Susan, I was using capital Z in the ldapsearch, I've uncommented "ssl on" in /etc/ldap.conf Still the same problem. # ldapsearch -x -ZZ -h ldapserver -b 'dc=example,dc=com' '(uid=someuser)' ldap_start_tls: Connect error (-11) additional info: Start TLS request accepted.Server willing to negotiate SSL. Any other thought? Thanks again, Jo -------------- next part -------------- An HTML attachment was scrubbed... URL: From jon at compbio.dundee.ac.uk Mon Jan 9 15:16:08 2006 From: jon at compbio.dundee.ac.uk (Jonathan Barber) Date: Mon, 9 Jan 2006 15:16:08 +0000 Subject: [Fedora-directory-users] NIS groups->LDAP migration and ACIs Message-ID: <20060109151608.GI15145@flea.compbio.dundee.ac.uk> Hi all, I'm in the process of migrating from NIS to FDS and I'm running into problems implementing our requirements for access control under Fedora. 
The behaviour I'm trying to replicate is as follows: our current NIS administration tool allows the creation of users who are designated as group administrators. These are normal users who can modify user details and create users in NIS, but only for users who are in the same group as the group administrator. The DIT we're currently using is flattish, with three branches at the root; one for users (dn: ou=people,ou=foo), one for groups (dn: ou=groups,ou=foo), and one for other NIS maps (dn: ou=nis, ou=foo). Users and groups have been imported from NIS as RFC2307 posixAccounts and posixGroups, e.g.:

dn: uid=test,ou=people,ou=foo
givenName: Nemo
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
objectClass: posixAccount
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: shadowAccount
uid: test
cn: Nemo (GJB)
homeDirectory: /homes/test

dn: cn=servers,ou=groups,ou=foo
gidNumber: 1000
memberUid: bar
memberUid: baz
objectClass: posixgroup
objectClass: top
cn: servers

We plan to use PADL's ypldapd for legacy NIS. In addition to the NIS groups, I've created a groupofUniqueNames object (dn: cn=grp_admin,ou=groups,ou=foo) to list those users who are our group administrators. So far I've got the following (working) ACI on the ou=groups,ou=foo entry:

(targetattr = "memberUid") (target = "ldap:///cn=*,ou=groups,ou=foo") ( version 3.0; acl "group edit by admin's"; allow (write) ( groupdn = "ldap:///cn=admin,ou=groups,ou=foo" and userattr = "gidnumber#1000" ); )

Which, as long as users are in grp_admin and have a gidnumber of 1000, allows addition/deletion of users from the group. But this doesn't strike me as being very elegant as it requires a separate ACI for each group.
What I'd prefer is something similar to the following:

(targetattr = "memberUid") (target = "ldap:///cn=*,ou=groups,ou=foo") ( version 3.0; acl "group edit by admin's"; allow (write) ( groupdn = "ldap:///cn=admin,ou=groups,ou=foo" and userattr = "gidnumber#($attr.gidnumber)" ); )

Using the ($attr.gidnumber) macro to match up the user's GID and the group's GID. Is it possible to do something like this, or am I missing an obvious solution? Likewise, I have an ACI for restricting the creation of users to have the same group as the creator (in this case GID 1000):

(targetattrfilter = "add=gidnumber:(gidnumber=1000)") (target = "ldap:///ou=people,ou=foo") ( version 3.0; acl "user edit by admin's - restrict GID to admin's"; allow (add) ( groupdn = "ldap:///cn=admin,ou=groups,ou=foo" and userattr = "gidnumber#1000" ); )

But again it suffers from the problem affecting the group ACI, requiring an ACI per group. Any help would be welcomed. -- Jonathan Barber From rmeggins at redhat.com Mon Jan 9 15:19:43 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Mon, 09 Jan 2006 08:19:43 -0700 Subject: [Fedora-directory-users] ldconfig In-Reply-To: <43C1ACDB.6060304@registriesltd.com.au> References: <43C1ACDB.6060304@registriesltd.com.au> Message-ID: <43C27F0F.2040806@redhat.com> Tim Edwards wrote: > I may have missed something but it seems to me that the RPMs for > Fedora-ds don't add necessary entries in the ldconfig config. Right. We're working on it for an upcoming release. > This means that you can't run any of the binaries in > /opt/fedora-ds/shared/bin (for example) until you manually add the > following entries to a /etc/ld.so.conf.d/fedorads-i386.conf file and > run ldconfig. > > /opt/fedora-ds/lib Hm - there's nothing in here that should be used by the shared binaries. > /opt/fedora-ds/clients/lib/ Ditto.
> /opt/fedora-ds/shared/lib/ You can run the programs in shared/bin by first doing cd shared/bin ; ./programname - the security tools already have shell script wrappers so that shouldn't be necessary. > /opt/fedora-ds/bin/admin/lib/ > /opt/fedora-ds/bin/slapd/lib/ These are only used by the server programs, not by command line programs. > > Is this an oversight in the packaging or is there another way I was > supposed to do this? > > Thanks -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From logastellus at yahoo.com Mon Jan 9 15:37:43 2006 From: logastellus at yahoo.com (Susan) Date: Mon, 9 Jan 2006 07:37:43 -0800 (PST) Subject: [Fedora-directory-users] password history question In-Reply-To: Message-ID: <20060109153743.53670.qmail@web52909.mail.yahoo.com> Is your client a redhat-based machine? If so, you can run system-config-authentication (or redhat-) and just fill in the fields. That'll modify all the necessary files for you, real easy. Then you can leave off -h and -b flags and just run ldapsearch -x -ZZ, that should return everything. --- Jo De Troy wrote: > Hi Susan, > > I was using capital Z in the ldapsearch, I've uncommented "ssl on" in > /etc/ldap.conf > Still the same problem. > # ldapsearch -x -ZZ -h ldapserver -b 'dc=example,dc=com' '(uid=someuser)' > ldap_start_tls: Connect error (-11) > additional info: Start TLS request accepted.Server willing to > negotiate SSL. > > Any other thought? > > Thanks again, > Jo > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > __________________________________________ Yahoo! DSL ? Something to write home about. Just $16.99/mo. or less. 
dsl.yahoo.com From dshackel at arbor.edu Mon Jan 9 15:41:01 2006 From: dshackel at arbor.edu (Daniel Shackelford) Date: Mon, 09 Jan 2006 10:41:01 -0500 Subject: [Fedora-directory-users] Failover for PasswordSync Message-ID: <43C2840D.3040301@arbor.edu> It seems that the Windows Sync setup connects directly to a specific DC. Is there any way to make it a little less of a weak link? Round robin DNS? How does that affect the WinSync client on the DC? Has anyone run into this type of setup? Any options for this? -- Daniel Shackelford Systems Administrator Technology Services Spring Arbor University 517 750-6648 "For even the Son of Man did not come to be served, but to serve, and to give His life a ransom for many" Mark 10:45 From markmc at redhat.com Mon Jan 9 15:46:48 2006 From: markmc at redhat.com (Mark McLoughlin) Date: Mon, 09 Jan 2006 15:46:48 +0000 Subject: [Fedora-directory-users] password history question In-Reply-To: References: Message-ID: <1136821608.3677.43.camel@blaa> On Mon, 2006-01-09 at 15:53 +0100, Jo De Troy wrote: > Hi Susan, > > I was using capital Z in the ldapsearch, I've uncommented "ssl on" > in /etc/ldap.conf > Still the same problem. > # ldapsearch -x -ZZ -h ldapserver -b 'dc=example,dc=com' > '(uid=someuser)' > ldap_start_tls: Connect error (-11) > additional info: Start TLS request accepted.Server willing to > negotiate SSL. > > Any other thought? A quick way to check whether TLS support is enabled in the server is to do something like: $> openssl s_client -showcerts -connect ldapserver:636 Once you've verified that much, then work on getting ldapsearch to work. If it's the OpenLDAP utils you're using, then you want to modify /etc/openldap/ldap.conf - /etc/ldap.conf is used by nss-ldap and pam-ldap. Also, use something like "ldapsearch -d 10" to get better error messages. You may find a problem like the server's certificate can't be verified because you haven't configured the utilities to trust the CA which issued it.
You might need something like: TLS_CACERT /etc/pki/tls/cacert.pem Cheers, Mark. From logastellus at yahoo.com Mon Jan 9 19:03:51 2006 From: logastellus at yahoo.com (Susan) Date: Mon, 9 Jan 2006 11:03:51 -0800 (PST) Subject: [Fedora-directory-users] password history question In-Reply-To: Message-ID: <20060109190351.58419.qmail@web52907.mail.yahoo.com> is this set: TLS_REQCERT allow in /etc/openldap/ldap.conf ? --- Jo De Troy wrote: > Hi Susan, > > I was using capital Z in the ldapsearch, I've uncommented "ssl on" in > /etc/ldap.conf > Still the same problem. > # ldapsearch -x -ZZ -h ldapserver -b 'dc=example,dc=com' '(uid=someuser)' > ldap_start_tls: Connect error (-11) > additional info: Start TLS request accepted.Server willing to > negotiate SSL. > > Any other thought? > > Thanks again, > Jo > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > __________________________________________ Yahoo! DSL ? Something to write home about. Just $16.99/mo. or less. dsl.yahoo.com From brudy at praecogito.com Mon Jan 9 19:52:54 2006 From: brudy at praecogito.com (Brian Rudy) Date: Mon, 09 Jan 2006 11:52:54 -0800 Subject: [Fedora-directory-users] Samba PDC using FDS backend In-Reply-To: <43BB180E.70406@praecogito.com> References: <43BB0286.6000401@praecogito.com> <43BB0404.2030307@redhat.com> <43BB180E.70406@praecogito.com> Message-ID: <43C2BF16.6040105@praecogito.com> I did some additional digging and realized that somehow I did something incorrectly while converting the samba.schema file to 61samba.ldif. My 61samba.ldif was over 176kb (the latter part being filled with binary gibberish), but should have been ~13k if things had completed properly :P Strangely enough, I didn't see any errors in the slapd logs about being unable to load the schema file... 
Brian Rudy wrote: > Pete Rowley wrote: > >> Brian Rudy wrote: >> >>> >>> I double checked >>> /opt/fedora-ds/slapd-/config/schema/61samba.ldif created in >>> the initial setup steps and was unable to find a sambaUnixIDPool >>> objectclass, but did see a sambaUnixIdPool. >> >> >> >> These two values /should/ be equivalent. >> >>> Any idea of what might be happening here? >> >> >> >> Did you restart the server after you initially added the new schema >> files? > > > I did indeed. It almost looks like 61samba.ldif isn't being used for > some reason... > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users From jo.de.troy at gmail.com Mon Jan 9 19:56:28 2006 From: jo.de.troy at gmail.com (Jo De Troy) Date: Mon, 9 Jan 2006 20:56:28 +0100 Subject: [Fedora-directory-users] password history question Message-ID: Hi Susan, yes it is. Below you can see my /etc/openldap/ldap.conf # HOST ldapserver BASE dc=example,dc=com TLS_REQCERT allow TLS_CACERT /etc/openldap/cacerts/cacert The openssl command Mark pointed to works fine. From that output I grabbed the CAcert and stored it the file I'm referencing in the /etc/openldap/ldap.conf I'm wondering if the certificate I created is correct. Should the cn in the certificate have the hostname as value? I guess it should or not? Thanks again, Jo -------------- next part -------------- An HTML attachment was scrubbed... URL: From dshackel at arbor.edu Mon Jan 9 21:06:34 2006 From: dshackel at arbor.edu (Daniel Shackelford) Date: Mon, 09 Jan 2006 16:06:34 -0500 Subject: [Fedora-directory-users] Groups Sync with AD Message-ID: <43C2D05A.2040705@arbor.edu> Howdy, I am using FDS 1.0.1, syncing with AD. User sync works just fine. I have a separate sync agreement for groups, but membership does not seem to be synced... 
I do get errors that look like this: [09/Jan/2006:15:43:58 -0500] NSMMReplicationPlugin - agmt="cn=ADGroupSYnc" (bsod:636): windows_replay_update: failed to fetch local entry for modify operation dn="uid=teststudent,ou=students,ou=people,dc=arbor,dc=edu" And some like this: [09/Jan/2006:15:40:45 -0500] - slapi_modify_internal_set_pb: NULL parameter [09/Jan/2006:15:40:45 -0500] - allow_operation: component identity is NULL And a couple of these: [09/Jan/2006:15:40:41 -0500] - Entry "cn=testgroup,ou=portal,ou=uGroups, dc=arbor,dc=edu" -- attribute "mail" not allowed [09/Jan/2006:15:40:41 -0500] NSMMReplicationPlugin - windows_update_local_entry: failed to modify entry cn=testgroup,ou=portal,ou=uGroups, dc=arbor, dc=edu Any insight? -- Daniel Shackelford Systems Administrator Technology Services Spring Arbor University 517 750-6648 "For even the Son of Man did not come to be served, but to serve, and to give His life a ransom for many" Mark 10:45 From david_list at boreham.org Mon Jan 9 21:17:53 2006 From: david_list at boreham.org (David Boreham) Date: Mon, 09 Jan 2006 14:17:53 -0700 Subject: [Fedora-directory-users] Groups Sync with AD In-Reply-To: <43C2D05A.2040705@arbor.edu> References: <43C2D05A.2040705@arbor.edu> Message-ID: <43C2D301.9060700@boreham.org> Daniel Shackelford wrote: > I am using FDS 1.0.1, syncing with AD. User sync works just fine. I > have a separate sync agreement for groups, but membership does not > seem to be synced... 
> I do get errors that look like this: > > [09/Jan/2006:15:43:58 -0500] NSMMReplicationPlugin - > agmt="cn=ADGroupSYnc" (bsod:636): windows_replay_update: failed to > fetch local entry for modify operation > dn="uid=teststudent,ou=students,ou=people,dc=arbor,dc=edu" > > And some like this: > > [09/Jan/2006:15:40:45 -0500] - slapi_modify_internal_set_pb: NULL > parameter > [09/Jan/2006:15:40:45 -0500] - allow_operation: component identity is > NULL > > > And a couple of these: > [09/Jan/2006:15:40:41 -0500] - Entry > "cn=testgroup,ou=portal,ou=uGroups, dc=arbor,dc=edu" -- attribute > "mail" not allowed > [09/Jan/2006:15:40:41 -0500] NSMMReplicationPlugin - > windows_update_local_entry: failed to modify entry > cn=testgroup,ou=portal,ou=uGroups, dc=arbor, dc=edu > > Any insight? > Hmm...yes. Unfortunately when I said earlier that this two agreement scheme would work, I was smoking crack. I forgot that we have a check on the group members : we don't sync members that are not also subject to the sync agreement. It has no way to know that you have those members sync'ed with another agreement, and hence assumed that they're not sync'ed. This will mean that it will refuse to sync any group content. From prowley at redhat.com Mon Jan 9 21:52:24 2006 From: prowley at redhat.com (Pete Rowley) Date: Mon, 09 Jan 2006 13:52:24 -0800 Subject: [Fedora-directory-users] Samba PDC using FDS backend In-Reply-To: <43C2BF16.6040105@praecogito.com> References: <43BB0286.6000401@praecogito.com> <43BB0404.2030307@redhat.com> <43BB180E.70406@praecogito.com> <43C2BF16.6040105@praecogito.com> Message-ID: <43C2DB18.9080103@redhat.com> Please create a bug and attach your (zipped) gibberish file. Bad schema should be logged (at least) - assuming the gibberish didn't actually form a valid schema component some how. Brian Rudy wrote: > I did some additional digging and realized that somehow I did > something incorrectly while converting the samba.schema file to > 61samba.ldif. 
My 61samba.ldif was over 176kb (the latter part being > filled with binary gibberish), but should have been ~13k if things had > completed properly :P Strangely enough, I didn't see any errors in the > slapd logs about being unable to load the schema file... > > > Brian Rudy wrote: > >> Pete Rowley wrote: >> >>> Brian Rudy wrote: >>> >>>> >>>> I double checked >>>> /opt/fedora-ds/slapd-/config/schema/61samba.ldif created in >>>> the initial setup steps and was unable to find a sambaUnixIDPool >>>> objectclass, but did see a sambaUnixIdPool. >>> >>> >>> >>> >>> These two values /should/ be equivalent. >>> >>>> Any idea of what might be happening here? >>> >>> >>> >>> >>> Did you restart the server after you initially added the new schema >>> files? >> >> >> >> I did indeed. It almost looks like 61samba.ldif isn't being used for >> some reason... >> >> >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -- Pete -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3241 bytes Desc: S/MIME Cryptographic Signature URL: From tim at registriesltd.com.au Mon Jan 9 21:59:01 2006 From: tim at registriesltd.com.au (Tim Edwards) Date: Tue, 10 Jan 2006 08:59:01 +1100 Subject: [Fedora-directory-users] ldconfig In-Reply-To: <43C27F0F.2040806@redhat.com> References: <43C1ACDB.6060304@registriesltd.com.au> <43C27F0F.2040806@redhat.com> Message-ID: <43C2DCA5.5000204@registriesltd.com.au> Richard Megginson wrote: > Tim Edwards wrote: > >> I may have missed something but it seems to me that the RPMs for >> Fedora-ds don't add necessary entries in the ldconfig config. > > > Right. We're working on it for an upcoming release. Great! 
>> /opt/fedora-ds/shared/lib/ > > > You can run the programs in shared/bin by first doing cd shared/bin ; > ./programname - the security tools already have shell script wrappers so > that shouldn't be necessary. Ok I'll remove all of them except that one from my ld conf file. -- Tim Edwards From mmontgomery at theplanet.com Mon Jan 9 22:22:17 2006 From: mmontgomery at theplanet.com (Michael Montgomery) Date: Mon, 09 Jan 2006 16:22:17 -0600 Subject: [Fedora-directory-users] Nis Netgroups and access.conf not quite working as advertised. Message-ID: <1136845337.21197.32.camel@localhost> I've been trying to setup and test using Nis Netgroups as a means of access control, and have run into some difficulties. I have two client systems (ldap01, ldap02) setup to authenticate against an ldap database. Pam_Ldap and everything are setup and functioning as they should with respect to allowing users queried from the ldap database to login. Here are the relevant details. (I'm using this, btw http://directory.fedora.redhat.com/wiki/Howto:Netgroups ) [root at ldap02 security]# hostname ldap02.inside.exampledomain.com [root at ldap02 ~]# host ldap02.inside.exampledomain.com ldap02.inside.theplanet.com has address 10.5.1.17 [root at ldap02 ~]# host 10.5.1.17 17.1.5.10.in-addr.arpa domain name pointer ldap02.inside.exampledomain.com [root at ldap02 security]# getent netgroup unixisusers unixisusers ( , mmontgomery, ) [root at ldap02 security]# getent netgroup unixissystems unixissystems (ldap01, , inside.exampledomain.com) (ldap02, , inside.exampledomain.com) [root at ldap02 security]# id mmontgomery uid=1000(mmontgomery) gid=10000(UnixIS) groups=10000(UnixIS) [root at ldap02 security]# tail access.conf | grep -v '#' + : root : LOCAL + : mmont : ALL + : @unixisusers@@unixissystems : ALL - : ALL : ALL [root at ldap02 pam.d]# cat system-auth #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. 
auth required /lib/security/$ISA/pam_env.so auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass auth required /lib/security/$ISA/pam_deny.so account required /lib/security/$ISA/pam_unix.so account required /lib/security/$ISA/pam_access.so account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so account required /lib/security/$ISA/pam_permit.so password requisite /lib/security/$ISA/pam_cracklib.so retry=3 password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow password sufficient /lib/security/$ISA/pam_ldap.so use_authtok password required /lib/security/$ISA/pam_deny.so session required /lib/security/$ISA/pam_limits.so session required /lib/security/$ISA/pam_unix.so session required /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel umask=077 session optional /lib/security/$ISA/pam_ldap.so When trying to login remotely, I get this: /var/log/messages: Jan 9 16:17:19 ldap02 pam_access[1552]: access denied for user `mmontgomery' from `202.10-5-1.inside.exampledomain.com' Adding this to access.conf, makes it work though: + : @unixisusers : ALL Does anyone have any ideas what I'm overlooking here? Thanks From markmc at redhat.com Tue Jan 10 08:20:39 2006 From: markmc at redhat.com (Mark McLoughlin) Date: Tue, 10 Jan 2006 08:20:39 +0000 Subject: [Fedora-directory-users] password history question In-Reply-To: References: Message-ID: <1136881239.3781.7.camel@blaa> On Mon, 2006-01-09 at 20:56 +0100, Jo De Troy wrote: > Hi Susan, > > yes it is. Below you can see my /etc/openldap/ldap.conf > # > HOST ldapserver > BASE dc=example,dc=com > TLS_REQCERT allow > TLS_CACERT /etc/openldap/cacerts/cacert > > The openssl command Mark pointed to works fine. 
From that output I > grabbed the CAcert and stored it the file I'm referencing in > the /etc/openldap/ldap.conf What's "ldapsearch -d 10" saying? > I'm wondering if the certificate I created is correct. Should the cn > in the certificate have the hostname as value? I guess it should or > not? In order for ldapsearch to verify the certificate, you need to contact the ldap server with the same hostname which is specified in the certificate. You can do that by making the subject of the cert "ldapserver.foo.com" or (I think, but haven't tried) by setting the subjectAltName extension to something like: subjectAltName = DNS:ldapserver.foo.com,IP:135.208.5.2 In which case you could contact it with either the subject name or the alternative subject names. Cheers, Mark. From logastellus at yahoo.com Tue Jan 10 20:20:41 2006 From: logastellus at yahoo.com (Susan) Date: Tue, 10 Jan 2006 12:20:41 -0800 (PST) Subject: [Fedora-directory-users] posixGroup location best practices In-Reply-To: <1136881239.3781.7.camel@blaa> Message-ID: <20060110202041.59292.qmail@web52915.mail.yahoo.com> Hi. Quick question, where in the tree do I stick posixGroups? For now, I'll be authenticating linux machines only, so every uid=gid. Should I create a OU called Groups or something and put all the groups in there? Or have a uid under gid or what? How do you guys do it? __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com From mj at sci.fi Tue Jan 10 20:32:53 2006 From: mj at sci.fi (Mike Jackson) Date: Tue, 10 Jan 2006 22:32:53 +0200 Subject: [Fedora-directory-users] posixGroup location best practices In-Reply-To: <20060110202041.59292.qmail@web52915.mail.yahoo.com> References: <20060110202041.59292.qmail@web52915.mail.yahoo.com> Message-ID: <43C419F5.6090804@sci.fi> Susan wrote: > Hi. Quick question, where in the tree do I stick posixGroups? 
> > For now, I'll be authenticating linux machines only, so every uid=gid. Should I create a OU > called Groups or something and put all the groups in there? Or have a uid under gid or what? How > do you guys do it? Sure, just create some OU entry and put the group entries under that. That's the usual way. The reason for grouping them together is in case you want to restrict your search base, for efficiency and performance - not that it matters much in small setups. BR, Mike From logastellus at yahoo.com Tue Jan 10 20:35:19 2006 From: logastellus at yahoo.com (Susan) Date: Tue, 10 Jan 2006 12:35:19 -0800 (PST) Subject: [Fedora-directory-users] password history question In-Reply-To: <1136881239.3781.7.camel@blaa> Message-ID: <20060110203519.51471.qmail@web52904.mail.yahoo.com> --- Mark McLoughlin wrote: > On Mon, 2006-01-09 at 20:56 +0100, Jo De Troy wrote: > > Hi Susan, > > > > yes it is. Below you can see my /etc/openldap/ldap.conf > > # > > HOST ldapserver > > BASE dc=example,dc=com > > TLS_REQCERT allow > > TLS_CACERT /etc/openldap/cacerts/cacert > > > > The openssl command Mark pointed to works fine. From that output I > > grabbed the CAcert and stored it the file I'm referencing in > > the /etc/openldap/ldap.conf you only need the cert if you are doing client-based certificate authentication. Is that what you want? If all you need is server-based, then there's no need to put certs on the clients. __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! 
Mail has the best spam protection around http://mail.yahoo.com From jo.de.troy at gmail.com Tue Jan 10 20:55:51 2006 From: jo.de.troy at gmail.com (Jo De Troy) Date: Tue, 10 Jan 2006 21:55:51 +0100 Subject: [Fedora-directory-users] password history question Message-ID: Hi Mark, ldapsearch -x -ZZ gives me: # ldapsearch -d 10 -x -ZZ '(uid=jdtroy2)' 0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1 0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037 ldap_write: want=31, written=31 0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1 0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037 ldap_read: want=8, got=8 0000: 30 5f 02 01 01 78 5a 0a 0_...xZ. ldap_read: want=89, got=89 0000: 01 00 04 00 04 3b 53 74 61 72 74 20 54 4c 53 20 .....;Start TLS 0010: 72 65 71 75 65 73 74 20 61 63 63 65 70 74 65 64 request accepted 0020: 2e 53 65 72 76 65 72 20 77 69 6c 6c 69 6e 67 20 .Server willing 0030: 74 6f 20 6e 65 67 6f 74 69 61 74 65 20 53 53 4c to negotiate SSL 0040: 2e 8a 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e 31 ...1.3.6.1.4.1.1 0050: 34 36 36 2e 32 30 30 33 37 466.20037 request done: ld 0x9733ea0 msgid 1 ldap_start_tls: Connect error (-11) additional info: Start TLS request accepted.Server willing to negotiateSSL. Greetz, Jo -------------- next part -------------- An HTML attachment was scrubbed... URL: From jo.de.troy at gmail.com Tue Jan 10 20:58:07 2006 From: jo.de.troy at gmail.com (Jo De Troy) Date: Tue, 10 Jan 2006 21:58:07 +0100 Subject: [Fedora-directory-users] password history question Message-ID: Susan, I thought I needed the cacert line in /etc/openldap/ldap.conf to point the ldap client to the CA cert we trust, otherwise we might not trust the server certificate being signed by the CA. Thanks again, Jo -------------- next part -------------- An HTML attachment was scrubbed... 
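An added example, not from this thread and not code from Fedora DS or OpenLDAP, that shows what the `ldapsearch -d 10` dump above actually contains and what a client should do once the server says it is "willing to negotiate SSL". The bytes are the LDAPv3 StartTLS ExtendedRequest (OID 1.3.6.1.4.1.1466.20037) and the server's ExtendedResponse with resultCode 0; the dump ends there, so the failure Jo sees happens in the TLS handshake that follows, which the dump does not show. The block reconstructs both messages from the posted hex, encodes and decodes them with a minimal BER codec, and then upgrades the socket with the `ssl` module configured the way `TLS_CACERT` plus `TLS_REQCERT demand` would be: the chain must verify against the CA file and the name you dialled must appear in the certificate's CN or subjectAltName, which is the point Mark makes about the certificate subject. `TLS_REQCERT allow`, as in Jo's ldap.conf, tells the OpenLDAP client to proceed even when the certificate fails to verify, so it hides exactly the problem being debugged; the CA certificate is needed for server verification, not only for client-certificate authentication. The host, port and CA file passed to `starttls()` are assumptions for illustration; the bytes are taken from the posted dump.

```python
"""Added example (not from the thread or from Fedora DS / OpenLDAP): build the
StartTLS request ldapsearch -d 10 printed, decode the server's response, then
wrap the socket with CA and hostname verification switched on."""
import socket
import ssl

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # LDAPv3 StartTLS extended operation

# Reconstructed from the hex dump posted in the thread: request, then response.
POSTED_REQUEST = bytes.fromhex("301d02010177188016") + STARTTLS_OID.encode()
POSTED_RESPONSE = (bytes.fromhex("305f020101785a0a01000400043b")
                   + b"Start TLS request accepted.Server willing to negotiate SSL."
                   + bytes.fromhex("8a16") + STARTTLS_OID.encode())


def _ber_len(n):
    """Definite-form BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, value):
    return bytes([tag]) + _ber_len(len(value)) + value


def encode_starttls_request(msgid):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    mid = msgid.to_bytes(max(1, (msgid.bit_length() + 8) // 8), "big")  # positive INTEGER
    return _tlv(0x30, _tlv(0x02, mid) + _tlv(0x77, _tlv(0x80, STARTTLS_OID.encode())))


def _read_tlv(buf, pos):
    """Decode one BER element at pos: (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:end], end


def parse_extended_response(buf):
    """Decode an LDAPMessage carrying an ExtendedResponse [APPLICATION 24]."""
    tag, msg, end = _read_tlv(buf, 0)
    if tag != 0x30 or end != len(buf):
        raise ValueError("not a single LDAPMessage")
    tag, mid, pos = _read_tlv(msg, 0)
    tag2, op, _ = _read_tlv(msg, pos)
    if tag != 0x02 or tag2 != 0x78:
        raise ValueError("not an ExtendedResponse")
    out = {"msgid": int.from_bytes(mid, "big", signed=True), "responseName": None}
    tag, rc, pos = _read_tlv(op, 0)            # resultCode (ENUMERATED)
    out["resultCode"] = int.from_bytes(rc, "big")
    tag, dn, pos = _read_tlv(op, pos)          # matchedDN
    out["matchedDN"] = dn.decode()
    tag, diag, pos = _read_tlv(op, pos)        # diagnosticMessage
    out["diagnosticMessage"] = diag.decode()
    while pos < len(op):                       # optional referral / responseName / responseValue
        tag, val, pos = _read_tlv(op, pos)
        if tag == 0x8A:
            out["responseName"] = val.decode()
    return out


def _recv_message(sock):
    """Read exactly one BER-framed LDAPMessage from the socket."""
    def recv_exact(n):
        data = b""
        while len(data) < n:
            chunk = sock.recv(n - len(data))
            if not chunk:
                raise ConnectionError("server closed the connection")
            data += chunk
        return data
    head = recv_exact(2)
    if head[1] & 0x80:
        head += recv_exact(head[1] & 0x7F)
        length = int.from_bytes(head[2:], "big")
    else:
        length = head[1]
    return head + recv_exact(length)


def starttls(host, port, cafile, timeout=10):
    """Connect, negotiate StartTLS and return a socket whose certificate chain
    was verified against cafile and whose CN/subjectAltName matched `host`
    (the equivalent of TLS_REQCERT demand, not TLS_REQCERT allow).
    host/port/cafile are assumed values supplied by the caller."""
    sock = socket.create_connection((host, port), timeout=timeout)
    sock.sendall(encode_starttls_request(1))
    resp = parse_extended_response(_recv_message(sock))
    if resp["resultCode"] != 0 or resp["responseName"] != STARTTLS_OID:
        sock.close()
        raise RuntimeError("StartTLS refused: %s" % resp["diagnosticMessage"])
    ctx = ssl.create_default_context(cafile=cafile)   # check_hostname stays on
    return ctx.wrap_socket(sock, server_hostname=host)
```

Offline, `encode_starttls_request(1)` reproduces the 31 posted request bytes and `parse_extended_response(POSTED_RESPONSE)` returns resultCode 0 with the posted diagnostic message. Against a live server, a handshake failure raised by `wrap_socket` (an unknown CA or a hostname mismatch) is the error that `TLS_REQCERT allow` would have silenced.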
URL: From brudy at praecogito.com Tue Jan 10 22:22:45 2006 From: brudy at praecogito.com (Brian Rudy) Date: Tue, 10 Jan 2006 14:22:45 -0800 Subject: [Fedora-directory-users] Samba PDC using FDS backend In-Reply-To: <43C2DB18.9080103@redhat.com> References: <43BB0286.6000401@praecogito.com> <43BB0404.2030307@redhat.com> <43BB180E.70406@praecogito.com> <43C2BF16.6040105@praecogito.com> <43C2DB18.9080103@redhat.com> Message-ID: <43C433B5.6010406@praecogito.com> Bug 177473 has been created. Pete Rowley wrote: > Please create a bug and attach your (zipped) gibberish file. Bad > schema should be logged (at least) - assuming the gibberish didn't > actually form a valid schema component some how. > > Brian Rudy wrote: > >> I did some additional digging and realized that somehow I did >> something incorrectly while converting the samba.schema file to >> 61samba.ldif. My 61samba.ldif was over 176kb (the latter part being >> filled with binary gibberish), but should have been ~13k if things >> had completed properly :P Strangely enough, I didn't see any errors >> in the slapd logs about being unable to load the schema file... > From mj at sci.fi Tue Jan 10 23:43:30 2006 From: mj at sci.fi (Mike Jackson) Date: Wed, 11 Jan 2006 01:43:30 +0200 Subject: [Fedora-directory-users] Samba PDC using FDS backend In-Reply-To: <43C433B5.6010406@praecogito.com> References: <43BB0286.6000401@praecogito.com> <43BB0404.2030307@redhat.com> <43BB180E.70406@praecogito.com> <43C2BF16.6040105@praecogito.com> <43C2DB18.9080103@redhat.com> <43C433B5.6010406@praecogito.com> Message-ID: <43C446A2.4080903@sci.fi> Brian Rudy wrote: > Bug 177473 has been created. > > Pete Rowley wrote: > >> Please create a bug and attach your (zipped) gibberish file. Bad >> schema should be logged (at least) - assuming the gibberish didn't >> actually form a valid schema component some how. >> Hi, I am the author of that tool. There is no bug in the script which could cause this problem you have described. 
This problem is likely caused by bad memory on your machine or a kernel or filesystem bug. Are you able to reproduce this multiple times and provide multiple corrupted output files? And are they all identical (checked with openssl sha)? Example: openssl sha README.txt SHA(README.txt)= d9f24b5f0a2b26e8c498a3b4b9d3b34361c41e56 What about reproducing it on more than one machine? BR, -- mike From dan at wep.net Wed Jan 11 02:18:24 2006 From: dan at wep.net (Dan Cox) Date: Tue, 10 Jan 2006 20:18:24 -0600 Subject: [Fedora-directory-users] Nis Netgroups and access.conf not quite working as advertised. In-Reply-To: <1136845337.21197.32.camel@localhost> References: <1136845337.21197.32.camel@localhost> Message-ID: <43C46AF0.2030000@wep.net> Try a couple of things.. change the triple (ldap02,,inside.exampledomain.com) to read (ldap02,,) If that works, try changing it to read: (ldap02,,exampledomain.com) If that works, then NIS netgroups may not be able to work with subdomains. Dan- Michael Montgomery wrote: >I've been trying to setup and test using Nis Netgroups as a means of >access control, and have run into some difficulties. I have two client >systems (ldap01, ldap02) setup to authenticate against an ldap database. >Pam_Ldap and everything are setup and functioning as they should with >respect to allowing users queried from the ldap database to login. Here >are the relevant details. 
> >(I'm using this, btw >http://directory.fedora.redhat.com/wiki/Howto:Netgroups ) > >[root at ldap02 security]# hostname >ldap02.inside.exampledomain.com > >[root at ldap02 ~]# host ldap02.inside.exampledomain.com >ldap02.inside.theplanet.com has address 10.5.1.17 > >[root at ldap02 ~]# host 10.5.1.17 >17.1.5.10.in-addr.arpa domain name pointer ldap02.inside.exampledomain.com > >[root at ldap02 security]# getent netgroup unixisusers >unixisusers ( , mmontgomery, ) > >[root at ldap02 security]# getent netgroup unixissystems >unixissystems (ldap01, , inside.exampledomain.com) (ldap02, , inside.exampledomain.com) > >[root at ldap02 security]# id mmontgomery >uid=1000(mmontgomery) gid=10000(UnixIS) groups=10000(UnixIS) > >[root at ldap02 security]# tail access.conf | grep -v '#' >+ : root : LOCAL >+ : mmont : ALL >+ : @unixisusers@@unixissystems : ALL >- : ALL : ALL > >[root at ldap02 pam.d]# cat system-auth >#%PAM-1.0 ># This file is auto-generated. ># User changes will be destroyed the next time authconfig is run. 
>auth required /lib/security/$ISA/pam_env.so >auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok >auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass >auth required /lib/security/$ISA/pam_deny.so > >account required /lib/security/$ISA/pam_unix.so >account required /lib/security/$ISA/pam_access.so >account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet >account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so >account required /lib/security/$ISA/pam_permit.so > >password requisite /lib/security/$ISA/pam_cracklib.so retry=3 >password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow >password sufficient /lib/security/$ISA/pam_ldap.so use_authtok >password required /lib/security/$ISA/pam_deny.so > >session required /lib/security/$ISA/pam_limits.so >session required /lib/security/$ISA/pam_unix.so >session required /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel umask=077 >session optional /lib/security/$ISA/pam_ldap.so > >When trying to login remotely, I get this: > >/var/log/messages: >Jan 9 16:17:19 ldap02 pam_access[1552]: access denied for user `mmontgomery' from `202.10-5-1.inside.exampledomain.com' > >Adding this to access.conf, makes it work though: > >+ : @unixisusers : ALL > >Does anyone have any ideas what I'm overlooking here? 
> >Thanks > >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users > > From hyc at symas.com Wed Jan 11 17:50:57 2006 From: hyc at symas.com (Howard Chu) Date: Wed, 11 Jan 2006 09:50:57 -0800 Subject: [Fedora-directory-users] Re: Fedora-directory-users Digest, Vol 8, Issue 15 In-Reply-To: <20060111170004.C98ED738A8@hormel.redhat.com> References: <20060111170004.C98ED738A8@hormel.redhat.com> Message-ID: <43C54581.3090606@symas.com> fedora-directory-users-request at redhat.com wrote: > Date: Tue, 10 Jan 2006 22:32:53 +0200 > From: Mike Jackson > Subject: Re: [Fedora-directory-users] posixGroup location best > practices > > Susan wrote: > >> Hi. Quick question, where in the tree do I stick posixGroups? >> >> For now, I'll be authenticating linux machines only, so every uid=gid. Should I create a OU >> called Groups or something and put all the groups in there? Or have a uid under gid or what? How >> do you guys do it? >> > > Sure, just create some OU entry and put the group entries under that. > That's the usual way. The reason for grouping them together is in case > you want to restrict your search base, for efficiency and performance - > not that it matters much in small setups. > For people migrating from traditional passwd and group databases it does make sense to keep them colocated in the directory as well. And because users and groups represent two different namespaces in Unix, it is essential to keep them separate in the directory (ou=users and ou=groups). (Contrast this with Microsoft, where users and groups all reside in the same namespace. Very annoying.) 
> Date: Tue, 10 Jan 2006 21:58:07 +0100 > From: Jo De Troy > Subject: Re: [Fedora-directory-users] password history question > > Susan, > > I thought I needed the cacert line in /etc/openldap/ldap.conf to point the > ldap client to the CA cert we trust, otherwise we might not trust the > server certificate being signed by the CA. > > Thanks again, > Jo > That's correct, you always need the CA cert on all of the servers and clients. (Unless you're using anonymous cipher suites, in which case you don't need any certs at all. But that's pretty reckless.) -- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc OpenLDAP Core Team http://www.openldap.org/project/ From logastellus at yahoo.com Wed Jan 11 18:36:19 2006 From: logastellus at yahoo.com (Susan) Date: Wed, 11 Jan 2006 10:36:19 -0800 (PST) Subject: [Fedora-directory-users] certificates In-Reply-To: <43C54581.3090606@symas.com> Message-ID: <20060111183619.95618.qmail@web52906.mail.yahoo.com> > > I thought I needed the cacert line in /etc/openldap/ldap.conf to point the > > ldap client to the CA cert we trust, otherwise we might not trust the > > server certificate being signed by the CA. > > > > Thanks again, > > Jo > > > That's correct, you always need the CA cert on all of the servers and > clients. (Unless you're using anonymous cipher suites, in which case you > don't need any certs at all. But that's pretty reckless.) I have server-side, self-generated, self-signed certs. None of those certs exist on any of the clients, all my ldap traffic is ssl-encrypted over 636, no problem. Is that what you mean by "anonymous cipher suites"? If so, why is that reckless? I don't really care if the clients misrepresent themselves, I just care that the server doesn't. Perhaps I'm not understanding what you are saying....? __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! 
Mail has the best spam protection around http://mail.yahoo.com From kgtemp at ensenda.com Wed Jan 11 21:28:11 2006 From: kgtemp at ensenda.com (Kevin M. Goess) Date: Wed, 11 Jan 2006 13:28:11 -0800 Subject: [Fedora-directory-users] orgchart on Fedora 2? Message-ID: <200601111328.11963.kgtemp@ensenda.com> Has anybody gotten the orgchart application running on Fedora Core 2? I get this: perl: error while loading shared libraries: /opt/fedora-ds/bin/admin/lib/libldap50.so: undefined symbol: pthread_key_create I'm able to get it to run on FC3, but I don't have a pristine version of FC2 and I can't tell if it's because I fiddled with the Perl installation. Trying to build Mozilla::LDAP gets me this from the build directory: $ perl -Ilib -Iblib/lib -Iblib/arch t/entry.pl perl: error while loading shared libraries: blib/arch/auto/Mozilla/LDAP/API/API.so: undefined symbol: ldap_set_option -- Kevin M. Goess (415) 277-2079 Ensenda, Inc. From fluffy.gibson at gmail.com Thu Jan 12 12:36:54 2006 From: fluffy.gibson at gmail.com (Richard Gibson) Date: Thu, 12 Jan 2006 12:36:54 +0000 Subject: [Fedora-directory-users] Binding using attribute other than CN Message-ID: Hello there. I've been using the Fedora Directory Server for very small scale testing at work, but actually know rather little about LDAP unfortunately. Hopefully you won't mind. Anyway, is it possible to bind with an entry other than CN? 
I have the following user (LDIF format): dn: uid=RSmith,ou=People, dc=fedora,dc=test,dc=com mail: blablabla at test.com uid: RSmith givenName: Richard objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetorgperson objectClass: ntuser objectClass: posixAccount sn: Smith cn: RSmith creatorsName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot modifiersName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot createTimestamp: 20050905103419Z modifyTimestamp: 20050916131603Z nsUniqueId: 86b5b081-1dd211b2-806ddcd6-e1700000 ntUserDomainId: smithr uidNumber: 1 gidNumber: 2 homeDirectory: /home/smithr When attempting to bind using the following (as taken from the access log): BIND dn="ntUserDomainId=Richard Smith,ou=People,dc=fedora,dc=test,dc=com" method=128 version=3 ...I get "No such object". This user does exist though. Is binding using the ntUserDomainId out of the question? I notice from the following discussion that the same sort of thing is possible in Active Directory, although I have not tried it myself: http://groups.google.co.uk/group/microsoft.public.adsi.general/browse_thread/thread/b5fc22bfdd9079fe/f1caf3c9cf6c8188?lnk=st&q=ldap+bind+only+via+CN%3F&rnum=1&hl=en#f1caf3c9cf6c8188 Any pointers would be greatly appreciated. Thanks Rich -------------- next part -------------- An HTML attachment was scrubbed... URL: From jon at compbio.dundee.ac.uk Thu Jan 12 12:58:00 2006 From: jon at compbio.dundee.ac.uk (Jonathan Barber) Date: Thu, 12 Jan 2006 12:58:00 +0000 Subject: [Fedora-directory-users] Per-host specific search results Message-ID: <20060112125800.GA4505@flea.compbio.dundee.ac.uk> Is it possible to get FDS to return different results depending on the hostname/IP which the binding client appears to be coming from?
I would like this as I want to distribute different versions of Linux autofs auto.master data to various client boxes, but keep the client configuration identical and as simple as possible. -- Jonathan Barber From Bowie_Bailey at BUC.com Thu Jan 12 14:44:42 2006 From: Bowie_Bailey at BUC.com (Bowie Bailey) Date: Thu, 12 Jan 2006 09:44:42 -0500 Subject: [Fedora-directory-users] Binding using attribute other than C N Message-ID: <4766EEE585A6D311ADF500E018C154E3021334D2@bnifex.cis.buc.com> Richard Gibson wrote: > Hello there. > > I've been using the Fedora Directory Server for very small scale > testing at work, but actually know rather little about LDAP > unfortunately. Hopefully you won't mind. Anyway, is it possible to > bind with an entry other than CN? I have the following user (LDIF > format): > > dn: uid=RSmith,ou=People, dc=fedora,dc=test,dc=com > mail: blablabla at test.com > uid: RSmith > givenName: Richard > objectClass: top > objectClass: person > objectClass: organizationalPerson > objectClass: inetorgperson > objectClass: ntuser > objectClass: posixAccount > sn: Smith > cn: RSmith > creatorsName: > uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot > modifiersName: > uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot > createTimestamp: 20050905103419Z > modifyTimestamp: 20050916131603Z > nsUniqueId: 86b5b081-1dd211b2-806ddcd6-e1700000 > ntUserDomainId: smithr > uidNumber: 1 > gidNumber: 2 > homeDirectory: /home/smithr > > > When attempting to bind using the following (as taken from the access > log): > BIND dn="ntUserDomainId=Richard Smith,ou=People,dc=fedora,dc=test,dc=com" method=128 version=3 > > ...I get "No such object". This user does exist though. Is binding > using the ntUserDomainId out of the question? Take a closer look. The ntUserDomainId is "smithr" for this user, not "Richard Smith". Try this: dn="ntUserDomainId=smithr,ou=People,dc=fedora,dc=test,dc=com" Disclaimer: I'm an LDAP beginner myself. 
This is just a suggestion based on the fact that your bind doesn't match the user information you provided. -- Bowie From rmeggins at redhat.com Thu Jan 12 14:54:29 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Thu, 12 Jan 2006 07:54:29 -0700 Subject: [Fedora-directory-users] Binding using attribute other than C N In-Reply-To: <4766EEE585A6D311ADF500E018C154E3021334D2@bnifex.cis.buc.com> References: <4766EEE585A6D311ADF500E018C154E3021334D2@bnifex.cis.buc.com> Message-ID: <43C66DA5.50207@redhat.com> I don't think this will work either. The DN for the entry is uid=RSmith,ou=People, dc=fedora,dc=test,dc=com - If you want to bind as this same user but with a different DN, you will have to rename the entry to use ntUserDomainId=smithr as the RDN instead of uid=RSmith. If AD allows you to request an entry by DN other than the actual DN of the entry, then it is non-standard LDAP behavior. Of course, if your client program allows it (like PAM), you can use a different search filter to look up your entry. I think PAM by default uses (uid=%s) where %s is filled in with your login name. I suppose you could change it to (ntUserDomainId=%s), then you should be able to use your existing entry for PAM login without having to rename it. However, if your client application expects ntUserDomainId=foo in the DN, then you have no choice but to rename your entry. Bowie Bailey wrote: >Richard Gibson wrote: > > >>Hello there. >> >>I've been using the Fedora Directory Server for very small scale >>testing at work, but actually know rather little about LDAP >>unfortunately. Hopefully you won't mind. Anyway, is it possible to >>bind with an entry other than CN? 
I have the following user (LDIF >>format): >> >>dn: uid=RSmith,ou=People, dc=fedora,dc=test,dc=com >>mail: blablabla at test.com >>uid: RSmith >>givenName: Richard >>objectClass: top >>objectClass: person >>objectClass: organizationalPerson >>objectClass: inetorgperson >>objectClass: ntuser >>objectClass: posixAccount >>sn: Smith >>cn: RSmith >>creatorsName: >>uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot >>modifiersName: >>uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot >>createTimestamp: 20050905103419Z >>modifyTimestamp: 20050916131603Z >>nsUniqueId: 86b5b081-1dd211b2-806ddcd6-e1700000 >>ntUserDomainId: smithr >>uidNumber: 1 >>gidNumber: 2 >>homeDirectory: /home/smithr >> >> >>When attempting to bind using the following (as taken from the access >>log): >>BIND dn="ntUserDomainId=Richard Smith,ou=People,dc=fedora,dc=test,dc=com" >> >> >method=128 version=3 > > >>...I get "No such object". This user does exist though. Is binding >>using the ntUserDomainId out of the question? >> >> > >Take a closer look. The ntUserDomainId is "smithr" for this user, not >"Richard Smith". > >Try this: >dn="ntUserDomainId=smithr,ou=People,dc=fedora,dc=test,dc=com" > >Disclaimer: I'm an LDAP beginner myself. This is just a suggestion >based on the fact that your bind doesn't match the user information you >provided. > > > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From fluffy.gibson at gmail.com Thu Jan 12 15:19:40 2006 From: fluffy.gibson at gmail.com (Richard Gibson) Date: Thu, 12 Jan 2006 15:19:40 +0000 Subject: [Fedora-directory-users] Binding using attribute other than C N In-Reply-To: <43C66DA5.50207@redhat.com> References: <4766EEE585A6D311ADF500E018C154E3021334D2@bnifex.cis.buc.com> <43C66DA5.50207@redhat.com> Message-ID: My apologies - I put the wrong bind example in. 
Attempting to bind as dn="ntUserDomainId=smithr,ou=People,dc=fedora,dc=test,dc=com" also fails. Richard, regarding the alternative search filter, is it possible to perform a search where you match against a password? I'm using this to currently perform a silent login after having binded (is that a word?) as the directory admin. SRCH base="ou=People,dc=fedora,dc=test,dc=com" scope=2 filter="(&(objectClass=*)(ntUserDomainId=SmithR))" attrs="memberOf" I imagine it would be fairly easy to extract the password too. Do you think so? Would I use the userPassword field for this? Do you think that this is what most directories will store the user's password in? Many thanks again Rich On 12/01/06, Richard Megginson wrote: > > I don't think this will work either. The DN for the entry is > uid=RSmith,ou=People, dc=fedora,dc=test,dc=com - If you want to bind as > this same user but with a different DN, you will have to rename the > entry to use ntUserDomainId=smithr as the RDN instead of uid=RSmith. If > AD allows you to request an entry by DN other than the actual DN of the > entry, then it is non-standard LDAP behavior. > > Of course, if your client program allows it (like PAM), you can use a > different search filter to look up your entry. I think PAM by default > uses (uid=%s) where %s is filled in with your login name. I suppose you > could change it to (ntUserDomainId=%s), then you should be able to use > your existing entry for PAM login without having to rename it. However, > if your client application expects ntUserDomainId=foo in the DN, then > you have no choice but to rename your entry. > > Bowie Bailey wrote: > > >Richard Gibson wrote: > > > > > >>Hello there. > >> > >>I've been using the Fedora Directory Server for very small scale > >>testing at work, but actually know rather little about LDAP > >>unfortunately. Hopefully you won't mind. Anyway, is it possible to > >>bind with an entry other than CN?
I have the following user (LDIF > >>format): > >> > >>dn: uid=RSmith,ou=People, dc=fedora,dc=test,dc=com > >>mail: blablabla at test.com > >>uid: RSmith > >>givenName: Richard > >>objectClass: top > >>objectClass: person > >>objectClass: organizationalPerson > >>objectClass: inetorgperson > >>objectClass: ntuser > >>objectClass: posixAccount > >>sn: Smith > >>cn: RSmith > >>creatorsName: > >>uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot > >>modifiersName: > >>uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot > >>createTimestamp: 20050905103419Z > >>modifyTimestamp: 20050916131603Z > >>nsUniqueId: 86b5b081-1dd211b2-806ddcd6-e1700000 > >>ntUserDomainId: smithr > >>uidNumber: 1 > >>gidNumber: 2 > >>homeDirectory: /home/smithr > >> > >> > >>When attempting to bind using the following (as taken from the access > >>log): > >>BIND dn="ntUserDomainId=Richard > Smith,ou=People,dc=fedora,dc=test,dc=com" > >> > >> > >method=128 version=3 > > > > > >>...I get "No such object". This user does exist though. Is binding > >>using the ntUserDomainId out of the question? > >> > >> > > > >Take a closer look. The ntUserDomainId is "smithr" for this user, not > >"Richard Smith". > > > >Try this: > >dn="ntUserDomainId=smithr,ou=People,dc=fedora,dc=test,dc=com" > > > >Disclaimer: I'm an LDAP beginner myself. This is just a suggestion > >based on the fact that your bind doesn't match the user information you > >provided. > > > > > > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From rmeggins at redhat.com Thu Jan 12 15:45:17 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Thu, 12 Jan 2006 08:45:17 -0700 Subject: [Fedora-directory-users] Binding using attribute other than C N In-Reply-To: References: <4766EEE585A6D311ADF500E018C154E3021334D2@bnifex.cis.buc.com> <43C66DA5.50207@redhat.com> Message-ID: <43C6798D.8070703@redhat.com> Richard Gibson wrote: > My apologies - I put the wrong bind example in. Attempting to bind as > dn="ntUserDomainId=smithr,ou=People,dc=fedora,dc=test,dc=com" also fails. Yes, because the DN of the entry is uid=RSmith,ou=People, dc=fedora,dc=test,dc=com not ntUserDomainId=smithr,ou=People,dc=fedora,dc=test,dc=com > Richard, regarding the alternative search filter, is it possible to > perform a search where you match against a password? What exactly are you trying to do? When you perform an LDAP BIND operation, you pass the credentials (i.e. the password) to the directory server, and it does the password comparison. LDAP BIND using other mechanisms (SASL, TLS) allows you to pass credentials other than passwords. The client should never attempt to read the password from the directory server and do the password comparison itself. > > I'm using this to currently perform a silent login after having binded > (is that a word?) was the directory admin. > SRCH base="ou=People,dc=fedora,dc=test,dc=com" scope=2 > filter="(&(objectClass=*)(ntUserDomainId=SmithR))" attrs="memberOf" You don't need (objectclass=*) - it is redundant in this context. You can just use filter="(ntUserDomainId=SmithR)" Fedora DS does not support the memberOf attribute - you would have to add additional schema to support it. > > I imagine it would be fairly easy to extract the password too. Do you > think so? Would I use the userPassword field for this? Do you think > that this is what most directories will store the user's password in?
> > Many thanks again > Rich > > On 12/01/06, *Richard Megginson* > wrote: > > I don't think this will work either. The DN for the entry is > uid=RSmith,ou=People, dc=fedora,dc=test,dc=com - If you want to > bind as > this same user but with a different DN, you will have to rename the > entry to use ntUserDomainId=smithr as the RDN instead of > uid=RSmith. If > AD allows you to request an entry by DN other than the actual DN > of the > entry, then it is non-standard LDAP behavior. > > Of course, if your client program allows it (like PAM), you can use a > different search filter to look up your entry. I think PAM by > default > uses (uid=%s) where %s is filled in with your login name. I > suppose you > could change it to (ntUserDomainId=%s), then you should be able to use > your existing entry for PAM login without having to rename > it. However, > if your client application expects ntUserDomainId=foo in the DN, then > you have no choice but to rename your entry. > > Bowie Bailey wrote: > > >Richard Gibson wrote: > > > > > >>Hello there. > >> > >>I've been using the Fedora Directory Server for very small scale > >>testing at work, but actually know rather little about LDAP > >>unfortunately. Hopefully you won't mind. Anyway, is it possible to > >>bind with an entry other than CN? 
I have the following user (LDIF > >>format): > >> > >>dn: uid=RSmith,ou=People, dc=fedora,dc=test,dc=com > >>mail: blablabla at test.com > >>uid: RSmith > >>givenName: Richard > >>objectClass: top > >>objectClass: person > >>objectClass: organizationalPerson > >>objectClass: inetorgperson > >>objectClass: ntuser > >>objectClass: posixAccount > >>sn: Smith > >>cn: RSmith > >>creatorsName: > >>uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot > >>modifiersName: > >>uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot > >>createTimestamp: 20050905103419Z > >>modifyTimestamp: 20050916131603Z > >>nsUniqueId: 86b5b081-1dd211b2-806ddcd6-e1700000 > >>ntUserDomainId: smithr > >>uidNumber: 1 > >>gidNumber: 2 > >>homeDirectory: /home/smithr > >> > >> > >>When attempting to bind using the following (as taken from the > access > >>log): > >>BIND dn="ntUserDomainId=Richard > Smith,ou=People,dc=fedora,dc=test,dc=com" > >> > >> > >method=128 version=3 > > > > > >>...I get "No such object". This user does exist though. Is binding > >>using the ntUserDomainId out of the question? > >> > >> > > > >Take a closer look. The ntUserDomainId is "smithr" for this > user, not > >"Richard Smith". > > > >Try this: > >dn="ntUserDomainId=smithr,ou=People,dc=fedora,dc=test,dc=com" > > > >Disclaimer: I'm an LDAP beginner myself. This is just a suggestion > >based on the fact that your bind doesn't match the user > information you > >provided. > > > > > > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > >------------------------------------------------------------------------ > >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From Darrell.Frazier at crc.army.mil Thu Jan 12 17:23:46 2006 From: Darrell.Frazier at crc.army.mil (Frazier, Darrell USA CRC (Contractor)) Date: Thu, 12 Jan 2006 11:23:46 -0600 Subject: [Fedora-directory-users] Cannot see certificate in the Console Message-ID: Hi, I have created a self-signed certificate as noted in chapter 11 in the RHDS Admin guide. After following the instructions for creating the cert (including creating the pk12 version so the server can read it) I then go into the console to enable SSL and the cert isn't noted in the encryption tab as the doc says it should. I don't know how to proceed. Thanks in advance. Darrell J. Frazier Unix System Administrator US Army Combat Readiness Center Fort Rucker, Alabama 36362 -------------- next part -------------- An HTML attachment was scrubbed... URL: From rmeggins at redhat.com Thu Jan 12 17:34:47 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Thu, 12 Jan 2006 10:34:47 -0700 Subject: [Fedora-directory-users] Cannot see certificate in the Console In-Reply-To: References: Message-ID: <43C69337.7080903@redhat.com> Frazier, Darrell USA CRC (Contractor) wrote: > Hi, > > > > I have created a self-signed certificate as noted in chapter 11 in the > RHDS Admin guide. After following the instructions for creating the > cert (including creating the pk12 version to the server can read it) I > then go into the console to enable SSL and the cert isn't noted in the > encryption tab as the doc says it should. I don't know how to proceed. > Thanks in advance. > First, let's make sure those certs are in the correct place. 1) ls -al /opt/fedora-ds/alias 2) cd /opt/fedora/alias 3) ../shared/bin/certutil -P slapd-yourhost- -d . -L > > > **Darrell J.
Frazier** > > Unix System Administrator > > US Army Combat Readiness Center > > Fort Rucker, Alabama 36362 > >------------------------------------------------------------------------ > >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From hyc at symas.com Thu Jan 12 17:36:13 2006 From: hyc at symas.com (Howard Chu) Date: Thu, 12 Jan 2006 09:36:13 -0800 Subject: [Fedora-directory-users] Re: certificates In-Reply-To: <20060112170007.3EB8C73BBC@hormel.redhat.com> References: <20060112170007.3EB8C73BBC@hormel.redhat.com> Message-ID: <43C6938D.1050608@symas.com> > > Date: Wed, 11 Jan 2006 10:36:19 -0800 (PST) From: Susan > >>> > > I thought I needed the cacert line in /etc/openldap/ldap.conf to point the >>> > > ldap client to the CA cert we trust, otherwise we might not trust the >>> > > server certificate being signed by the CA. >>> > > >>> > > Thanks again, >>> > > Jo >>> > > >>> >> > That's correct, you always need the CA cert on all of the servers and >> > clients. (Unless you're using anonymous cipher suites, in which case you >> > don't need any certs at all. But that's pretty reckless.) >> > > I have server-side, self-generated, self-signed certs. None of those certs exist on any of the > clients, all my ldap traffic is ssl-encrypted over 636, no problem. Is that what you mean by > "anonymous cipher suites"? If so, why is that reckless? I don't really care if the clients > misrepresent themselves, I just care that the server doesn't. > > Perhaps I'm not understanding what you are saying....? > Stop for a moment and think that through. 
If you don't configure the client with a set of CAs to trust, then the only way to make the TLS handshake work is to tell the client not to attempt to verify the server's cert at all. That means any server can present any ol' made up certificate, claiming to be any entity, and the client will just blindly trust it. In other words, you have absolutely zero assurance that the server hasn't misrepresented itself. If someone sets up a malicious server on your network spoofing the real server, you will never know - you'll have no way to know. Anonymous cipher suites are a separate topic; with those, no certificates are exchanged at all, so you only establish encryption, not server (or client) authentication. In OpenSSL they're disabled by default. Enabling them is generally a bad idea, they amount to the same as the above. -- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc OpenLDAP Core Team http://www.openldap.org/project/ From markmc at redhat.com Thu Jan 12 17:41:11 2006 From: markmc at redhat.com (Mark McLoughlin) Date: Thu, 12 Jan 2006 17:41:11 +0000 Subject: [Fedora-directory-users] Cannot see certificate in the Console In-Reply-To: <43C69337.7080903@redhat.com> References: <43C69337.7080903@redhat.com> Message-ID: <1137087671.3781.28.camel@blaa> Hi Rich, On Thu, 2006-01-12 at 10:34 -0700, Richard Megginson wrote: > Frazier, Darrell USA CRC (Contractor) wrote: > > > Hi, > > > > > > > > I have created a self-signed certificate as noted in chapter 11 in the > > RHDS Admin guide. After following the instructions for creating the > > cert (including creating the pk12 version to the server can read it) Btw, what is this PKCS#12 version of the certificate supposed to be for? Things seem to work fine for me without it ... Cheers, Mark. 
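The following is an added example (not from Howard Chu's message, from this list, or from OpenLDAP itself) that turns the point made above into a check: parse an OpenLDAP client ldap.conf and report whether the server certificate is actually verified, using the TLS_CACERT, TLS_CACERTDIR and TLS_REQCERT directives documented in ldap.conf(5). The two sample configurations are constructed for the example; the first is the "works without any CA cert on the client" setup described earlier in the thread, which only connects because TLS_REQCERT is set to never.

```python
"""Audit an OpenLDAP client configuration (/etc/openldap/ldap.conf) for
server certificate verification.

Added example, not code from this list or from Fedora DS / OpenLDAP. The
directive names and TLS_REQCERT levels are the ones documented in
ldap.conf(5); the two sample configurations are constructed for this
example and are not anyone's real ldap.conf.
"""

# TLS_REQCERT levels in ldap.conf(5), weakest first. "never" does not even
# request the server certificate; "allow" requests it but ignores a missing
# or bad one; "try" tolerates a missing cert but rejects a bad one;
# "demand" (the default) and "hard" reject both.
REQCERT_LEVELS = ("never", "allow", "try", "demand", "hard")


def parse_ldap_conf(text: str) -> dict:
    """Return {DIRECTIVE: value}; later occurrences override earlier ones.
    Directive names are case-insensitive and '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit_tls(conf: dict) -> list:
    """Return human-readable findings; an empty list means the client will
    refuse a server whose certificate does not chain to a configured CA."""
    findings = []
    reqcert = conf.get("TLS_REQCERT", "demand").lower()
    if reqcert not in REQCERT_LEVELS:
        findings.append(f"TLS_REQCERT {reqcert!r} is not a valid level")
        return findings
    has_ca = "TLS_CACERT" in conf or "TLS_CACERTDIR" in conf
    if reqcert in ("never", "allow"):
        findings.append(f"TLS_REQCERT {reqcert}: any certificate (or none) "
                        "is accepted, so the server is not authenticated")
    elif reqcert == "try":
        findings.append("TLS_REQCERT try: a server that sends no certificate "
                        "is accepted; prefer demand")
    if not has_ca:
        findings.append("no TLS_CACERT or TLS_CACERTDIR: no trust anchor, so "
                        "verification cannot succeed; a client that still "
                        "connects is running with never/allow")
    return findings


def verifies_server(conf: dict) -> bool:
    """True when the client both has a trust anchor and will fail the
    handshake on a certificate that does not chain to it."""
    reqcert = conf.get("TLS_REQCERT", "demand").lower()
    has_ca = "TLS_CACERT" in conf or "TLS_CACERTDIR" in conf
    return has_ca and reqcert in ("demand", "hard")


# Constructed: a client that "just works" without any CA cert on it, as
# described in the thread. It works only because verification is off.
UNVERIFIED_CLIENT = """
URI ldaps://ldap.example.com:636
BASE dc=example,dc=com
TLS_REQCERT never
"""

# Constructed: the same client with the CA certificate distributed to it
# and the default verification level made explicit.
VERIFIED_CLIENT = """
URI ldaps://ldap.example.com:636
BASE dc=example,dc=com
TLS_CACERT /etc/openldap/cacerts/ca.pem
TLS_REQCERT demand
"""

if __name__ == "__main__":
    for name, text in (("unverified", UNVERIFIED_CLIENT),
                       ("verified", VERIFIED_CLIENT)):
        conf = parse_ldap_conf(text)
        print(name, "verifies server:", verifies_server(conf))
        for finding in audit_tls(conf):
            print("  -", finding)
```

Note that nss_ldap and pam_ldap read their own /etc/ldap.conf with differently named directives (tls_checkpeer, tls_cacertfile); the same reasoning applies to them, but this parser only knows the libldap names.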
From rmeggins at redhat.com Thu Jan 12 17:45:08 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Thu, 12 Jan 2006 10:45:08 -0700 Subject: [Fedora-directory-users] Cannot see certificate in the Console In-Reply-To: <1137087671.3781.28.camel@blaa> References: <43C69337.7080903@redhat.com> <1137087671.3781.28.camel@blaa> Message-ID: <43C695A4.5060201@redhat.com> Mark McLoughlin wrote: >Hi Rich, > >On Thu, 2006-01-12 at 10:34 -0700, Richard Megginson wrote: > > >>Frazier, Darrell USA CRC (Contractor) wrote: >> >> >> >>>Hi, >>> >>> >>> >>>I have created a self-signed certificate as noted in chapter 11 in the >>>RHDS Admin guide. After following the instructions for creating the >>>cert (including creating the pk12 version to the server can read it) >>> >>> > > Btw, what is this PKCS#12 version of the certificate supposed to be >for? Things seem to work fine for me without it ... > > I'm not sure. Perhaps just as a backup? >Cheers, >Mark. > >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From mmontgomery at theplanet.com Thu Jan 12 17:57:09 2006 From: mmontgomery at theplanet.com (Michael Montgomery) Date: Thu, 12 Jan 2006 11:57:09 -0600 Subject: [Fedora-directory-users] Nis Netgroups and access.conf not quite working as advertised. In-Reply-To: <43C46AF0.2030000@wep.net> References: <1136845337.21197.32.camel@localhost> <43C46AF0.2030000@wep.net> Message-ID: <1137088630.13266.3.camel@localhost> Unfortunately, none of these worked. Is there any way to debug this to verify that it's definitely a subdomain issue, and not something else? Thanks for your help so far. On Tue, 2006-01-10 at 20:18 -0600, Dan Cox wrote: > Try a couple of things.. 
> > change the triple > (ldap02,,inside.exampledomain.com) > > to read > > (ldap02,,) > > If that works, try changing it to read: > > (ldap02,,exampledomain.com) > > If that works, then NIS netgroups may not be able to work with subdomains. From logastellus at yahoo.com Thu Jan 12 18:40:05 2006 From: logastellus at yahoo.com (Susan) Date: Thu, 12 Jan 2006 10:40:05 -0800 (PST) Subject: [Fedora-directory-users] Re: certificates In-Reply-To: <43C6938D.1050608@symas.com> Message-ID: <20060112184005.98317.qmail@web52911.mail.yahoo.com> --- Howard Chu wrote: > Stop for a moment and think that through. If you don't configure the > client with a set of CAs to trust, then the only way to make the TLS > handshake work is to tell the client not to attempt to verify the > server's cert at all. That means any server can present any ol' made up > certificate, claiming to be any entity, and the client will just blindly > trust it. oops, you're right, I didn't think that through. Of course. it just seems that managing CA certs on the clients would be a real pain. Besides, is there any way within this whole FDS framework to revoke Certs? If the ldap server is compromised, how do I tell the clients not to trust it (or the CA or both) anymore??? __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com From prowley at redhat.com Thu Jan 12 19:28:34 2006 From: prowley at redhat.com (Pete Rowley) Date: Thu, 12 Jan 2006 11:28:34 -0800 Subject: [Fedora-directory-users] Binding using attribute other than CN In-Reply-To: References: Message-ID: <43C6ADE2.7070906@redhat.com> Richard Gibson wrote: > When attempting to bind using the following (as taken from the access > log): > BIND dn="ntUserDomainId=Richard > Smith,ou=People,dc=fedora,dc=test,dc=com" method=128 version=3 > > ...I get "No such object". This user does exist though. Is binding > using the ntUserDomainId out of the question? 
When you bind you are not binding with an attribute, you specify the whole dn of the entry to bind with (and there is only one DN per entry) - that is the protocol specification for simple bind. Usually a client will allow "login" by requesting a username or some such and then searching the directory for that value in one or more attributes that it is configured or coded for, retrieving the dn of the entry returned and then binding with that. So end users need never see a DN in the normal course of events (and in fact DNs are not /supposed/ to be seen by end users).

> I notice from the following discussion that the same sort of thing is
> possible in Active Directory, although I have not tried it myself:
> http://groups.google.co.uk/group/microsoft.public.adsi.general/browse_thread/thread/b5fc22bfdd9079fe/f1caf3c9cf6c8188?lnk=st&q=ldap+bind+only+via+CN%3F&rnum=1&hl=en#f1caf3c9cf6c8188

Specifically, no, this mechanism is not supported. We support SASL, but not SPNEGO. We definitely do not support bind based on attribute value where the protocol documents say a DN should be.

--
Pete

From prowley at redhat.com Thu Jan 12 19:41:35 2006
From: prowley at redhat.com (Pete Rowley)
Date: Thu, 12 Jan 2006 11:41:35 -0800
Subject: [Fedora-directory-users] Per-host specific search results
In-Reply-To: <20060112125800.GA4505@flea.compbio.dundee.ac.uk>
References: <20060112125800.GA4505@flea.compbio.dundee.ac.uk>
Message-ID: <43C6B0EF.20701@redhat.com>

Jonathan Barber wrote:
> Is it possible to get FDS to return different results depending on the
> hostname/IP which the binding client appears to be coming from?

Possible I believe by ACL trickery (masking certain values from all but binds from certain hosts) but that would be a huge headache to administer I would imagine.
> I would like this as I want to distribute different versions of Linux
> autofs auto.master data to various client boxes, but keep the client
> configuration identical and as simple as possible.

Probably better just to have an entry per host so that each host just looks for its own settings - the clients can have identical configuration, they just get their hostname and use that to search for their directory based configuration. On the server side, look at class of service to reduce your admin overhead for the values.

--
Pete

From rmeggins at redhat.com Thu Jan 12 19:50:49 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 12 Jan 2006 12:50:49 -0700
Subject: [Fedora-directory-users] Re: certificates
In-Reply-To: <20060112184005.98317.qmail@web52911.mail.yahoo.com>
References: <20060112184005.98317.qmail@web52911.mail.yahoo.com>
Message-ID: <43C6B319.4040901@redhat.com>

Susan wrote:
> --- Howard Chu wrote:
>> Stop for a moment and think that through. If you don't configure the
>> client with a set of CAs to trust, then the only way to make the TLS
>> handshake work is to tell the client not to attempt to verify the
>> server's cert at all. That means any server can present any ol' made up
>> certificate, claiming to be any entity, and the client will just blindly
>> trust it.
>
> oops, you're right, I didn't think that through. Of course.
>
> it just seems that managing CA certs on the clients would be a real pain.

Indeed it is, if you have to update thousands of clients with the CA cert. But then, if you have such a large deployment, you will probably find it beneficial to apply for a real CA cert from Verisign or some such, and use a real CA.

Red Hat Certificate System has support for web based cert issuance.
It supports CRL generation and has an OCSP responder. It can generate certs and automatically publish them to an LDAP server (e.g. to generate the userCertificate attribute for users).

> Besides, is there any way within this whole FDS framework to revoke Certs?

This issue is outside of Fedora DS. It's more of an issue with your PK infrastructure and your CA.

> If the ldap server is
> compromised, how do I tell the clients not to trust it (or the CA or both) anymore???

Revoke the cert on the CA, and have the CA generate a CRL. Then, push out this CRL to all of your clients. I'm not sure how to do this with openssl, but NSS provides a command line tool called crlutil that can be used to install a CRL into your cert database. Mozilla/Firefox/Thunderbird can do this automatically.

For client programs such as email clients and web browsers, who just want to check the status of the server cert, they can use OCSP (if your CA supports it). I don't know if there is widespread support for OCSP - mozilla/firefox/thunderbird supports it, but I don't know about other client apps.

OCSP is not good for server apps which need to validate client certs, especially if under any sort of load at all. For this, the server really needs the CRL. Our mod_nss author was also working on an Apache module which would automatically pull down CRLs from the CA using http(s) or ldap(s). We might be able to do something like that for Fedora DS. We proposed it as a feature a couple of years ago, but it was shot down because no customer asked for it.
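The "search for the login value, then bind with the DN you found" flow that Pete Rowley describes earlier in this digest (the "Binding using attribute other than CN" thread), as an added example that is not code from the list or from Fedora DS. It assumes the OpenLDAP client tools, a placeholder server ldap://ldap.example.test, a read-only lookup account, and sample ldapsearch output it constructs itself; the checks around the flow (filter escaping, exactly one match, no empty password) are what a deployment needs so that one account can never be resolved to another.

```shell
#!/bin/sh
# Added example (not from the list thread or Fedora DS): login by attribute,
# done as search-then-bind. Assumed: OpenLDAP ldapsearch/ldapwhoami and the
# placeholder values below.
LDAP_URI="${LDAP_URI:-ldap://ldap.example.test}"                          # placeholder
BASE_DN="${BASE_DN:-ou=People,dc=fedora,dc=test,dc=com}"
LOOKUP_DN="${LOOKUP_DN:-cn=lookup,ou=Special Users,dc=fedora,dc=test,dc=com}"  # read-only account
LOOKUP_PW_FILE="${LOOKUP_PW_FILE:-/etc/ldap-lookup.pw}"                   # placeholder, mode 0600

# RFC 4515 escaping for a value placed inside a search filter, so a login name
# such as "*" or "x)(uid=admin" cannot change what the filter matches.
ldap_filter_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Print the DN of every entry in LDIF read from stdin. Joins folded continuation
# lines (leading space) and decodes the "dn:: <base64>" form ldapsearch emits for
# DNs containing non-ASCII characters or leading/trailing spaces.
ldif_dns() {
  awk '
    function flush() {
      if (buf ~ /^dn:: /)     print "B64 " substr(buf, 6)
      else if (buf ~ /^dn: /) print "RAW " substr(buf, 5)
      buf = ""
    }
    /^ / { buf = buf substr($0, 2); next }   # folded line: append without the space
    { flush(); buf = $0 }
    END { flush() }
  ' | while read -r kind value; do
    if [ "$kind" = B64 ]; then
      printf '%s\n' "$value" | base64 -d
      printf '\n'
    else
      printf '%s\n' "$value"
    fi
  done
}

# Reduce search output (stdin) to exactly one DN. Zero matches: no such user.
# More than one: the attribute is not unique, and no bind is attempted because
# picking one would let an account authenticate as another.
unique_dn() {
  dns=$(ldif_dns)
  n=$(printf '%s' "$dns" | grep -c .) || true
  [ "$n" -eq 1 ] || return 1
  printf '%s\n' "$dns"
}

# Live flow (needs a server, so not exercised offline): look the user up as the
# lookup account, then simple-bind as the user. Args: attribute, login value, password.
login_by_attribute() {
  # A simple bind with an empty password is an anonymous bind that "succeeds";
  # refuse it before talking to the server.
  [ -n "$3" ] || { echo "refusing empty password" >&2; return 1; }
  filter="($1=$(ldap_filter_escape "$2"))"
  # "1.1" asks for no attributes, so the result is just the DN lines parsed above.
  dn=$(ldapsearch -x -LLL -H "$LDAP_URI" -D "$LOOKUP_DN" -y "$LOOKUP_PW_FILE" \
         -b "$BASE_DN" -s sub "$filter" 1.1 | unique_dn) || return 1
  pwfile=$(mktemp) && printf '%s' "$3" > "$pwfile"    # -y keeps the password out of ps
  ldapwhoami -x -H "$LDAP_URI" -D "$dn" -y "$pwfile"
  rc=$?; rm -f "$pwfile"; return $rc
}

# Constructed samples of what "ldapsearch -LLL ... 1.1" returns (not real output).
SAMPLE_ONE='dn: uid=rsmith,ou=People,dc=fedora,dc=test,
 dc=com'
SAMPLE_B64="dn:: $(printf '%s' 'uid=Wöhrle,ou=People,dc=fedora,dc=test,dc=com' | base64)"
SAMPLE_TWO='dn: uid=rsmith,ou=People,dc=fedora,dc=test,dc=com

dn: uid=rsmith2,ou=People,dc=fedora,dc=test,dc=com'
```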
From hartmut.woehrle at mail.pcom.de Thu Jan 12 20:26:34 2006
From: hartmut.woehrle at mail.pcom.de (Hartmut Wöhrle)
Date: Thu, 12 Jan 2006 21:26:34 +0100
Subject: [Fedora-directory-users] Winsync: UIDs
Message-ID: <200601122126.34481.hartmut.woehrle@mail.pcom.de>

Hallo everyone,

I have a question connected with Winsync from Windows NT.
When I do the replication (works fine now!) I receive all Users and the uids in capital letters. Now I want to change them into lower case.
ldapmodify refuses to change, and when I try to change it by the gui (not the best way with about 2000 users.... but ok for a test :) , I get the message "Unkown error with naming attribute" and in addition the entrydn and the uid were changed, but the
dn: uid=....
is the same as before. Also the gui shows the old name - even when refreshing.

So this seems to be a vital "non-changeable" value.

I thought to perform an ldapsearch writing out all values then edit the entries by a script and with ldapdelete and ldapadd rewrite them in the directory. But I think then the replication will not realize them as the same users and create the entries once again - with capital letters.

Is there a possibility to have all uids in lower case when performing the replication? Any switch that I forgot?

Cu
Hartmut

FDs Version 7 installed from RPM

--
===========================================
Hartmut Woehrle
EMail: hartmut.woehrle at mail.pcom.de

From Darrell.Frazier at crc.army.mil Thu Jan 12 20:35:48 2006
From: Darrell.Frazier at crc.army.mil (Frazier, Darrell USA CRC (Contractor))
Date: Thu, 12 Jan 2006 14:35:48 -0600
Subject: [Fedora-directory-users] Cannot see certificate in the Console
Message-ID:

I get the following error:

certutil-bin: NSS_Initialize failed: An I/O error occurred during security authorization.

Thanks all for your help!!
Frazier, Darrell USA CRC (Contractor) wrote:
> Hi,
>
> I have created a self-signed certificate as noted in chapter 11 in the
> RHDS Admin guide. After following the instructions for creating the
> cert (including creating the pk12 version so the server can read it) I
> then go into the console to enable SSL and the cert isn't noted in the
> encryption tab as the doc says it should. I don't know how to proceed.
> Thanks in advance.

First, let's make sure those certs are in the correct place.

1) ls -al /opt/fedora-ds/alias
2) cd /opt/fedora/alias
3) ../shared/bin/certutil -P slapd-yourhost- -d . -L

> Darrell J. Frazier
> Unix System Administrator
> US Army Combat Readiness Center
> Fort Rucker, Alabama 36362

Darrell J. Frazier
Unix System Administrator
US Army Combat Readiness Center
Fort Rucker, Alabama 36362
Com: (334)255-2676
DSN: 558-3879
Email: darrell.frazier at crc.army.mil

From rmeggins at redhat.com Thu Jan 12 20:46:14 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 12 Jan 2006 13:46:14 -0700
Subject: [Fedora-directory-users] Cannot see certificate in the Console
In-Reply-To:
References:
Message-ID: <43C6C016.5050706@redhat.com>

Frazier, Darrell USA CRC (Contractor) wrote:
> I get the following error:
>
> certutil-bin: NSS_Initialize failed: An I/O error occurred during
> security authorization.
>
> Thanks all for your help!!
>
> Frazier, Darrell USA CRC (Contractor) wrote:
>> Hi,
>>
>> I have created a self-signed certificate as noted in chapter 11 in the
>> RHDS Admin guide. After following the instructions for creating the
>> cert (including creating the pk12 version so the server can read it) I
>> then go into the console to enable SSL and the cert isn't noted in the
>> encryption tab as the doc says it should. I don't know how to proceed.
>> Thanks in advance.
>
> First, let's make sure those certs are in the correct place.
>
> 1) ls -al /opt/fedora-ds/alias

Please post this - it may shed some light into why 3) below fails.

> 2) cd /opt/fedora/alias
> 3) ../shared/bin/certutil -P slapd-yourhost- -d . -L
>
>> Darrell J. Frazier
>> Unix System Administrator
>> US Army Combat Readiness Center
>> Fort Rucker, Alabama 36362
>
> Darrell J. Frazier
> Unix System Administrator
> US Army Combat Readiness Center
> Fort Rucker, Alabama 36362
> Com: (334)255-2676
> DSN: 558-3879
> Email: darrell.frazier at crc.army.mil

From david_list at boreham.org Thu Jan 12 21:05:06 2006
From: david_list at boreham.org (David Boreham)
Date: Thu, 12 Jan 2006 14:05:06 -0700
Subject: [Fedora-directory-users] Winsync: UIDs
In-Reply-To: <200601122126.34481.hartmut.woehrle@mail.pcom.de>
References: <200601122126.34481.hartmut.woehrle@mail.pcom.de>
Message-ID: <43C6C482.8020202@boreham.org>

Hartmut Wöhrle wrote:
> Hallo everyone,
>
> I have a question connected with Winsync from Windows NT.
> When I do the replication (works fine now!) I receive all Users and the uids
> in capital letters. Now I want to change them into lower case.
> ldapmodify refuses to change, and when I try to change it by the gui (not the
> best way with about 2000 users.... but ok for a test :) , I get the message
> "Unkown error with naming attribute" and in addition the entrydn and the uid
> were changed, but the
> dn: uid=....

Hi, this sounds interesting. I think it may be simply passing through the character case it gets from NT.

The reason you can't change the uid value is that it's part of the DN (a distinguished attribute). If you changed it you'd be changing the DN which is equivalent to renaming the entry, and that has to be done with the MODDN LDAP operation rather than the regular MOD operation.

To be honest I'm not sure what will happen if you change the uid attribute on the FDS side. It may still confuse the sync code. Perhaps we should understand a) where exactly the upper case is coming from and b) if and how it can be fixed in the sync code or in NTDS.

I wonder if you could post a complete example entry here (the LDIF) please ?

From hyc at symas.com Thu Jan 12 21:12:02 2006
From: hyc at symas.com (Howard Chu)
Date: Thu, 12 Jan 2006 13:12:02 -0800
Subject: [Fedora-directory-users] Re:certificates
In-Reply-To: <20060112194944.EBDCC732E8@hormel.redhat.com>
References: <20060112194944.EBDCC732E8@hormel.redhat.com>
Message-ID: <43C6C622.4080609@symas.com>

> From: Richard Megginson
> Susan wrote:
>> oops, you're right, I didn't think that through. Of course.
>>
>> it just seems that managing CA certs on the clients would be a real pain.
>
> Indeed it is, if you have to update thousands of clients with the CA
> cert. But then, if you have such a large deployment, you will probably
> find it beneficial to apply for a real CA cert from Verisign or some
> such, and use a real CA.

That's why it's so important to generate a proper CA cert in the first place, and keep it safe.
I see many people on mailing lists talking about how they generated a single self-signed cert and are using it as their actual server cert. No matter how much time we spend explaining why this is a stupid idea, they still do it. I'm not a big fan of paying real money for a random string of bits, and even Verisign has made screwups in the past. Basically as long as you keep the CA's private key safe, there shouldn't be any problem running with your own CA cert.

> Red Hat Certificate System has support for web based cert issuance. It
> supports CRL generation and has an OCSP responder. It can generate
> certs and automatically publish them to an LDAP server (e.g. to generate
> the userCertificate attribute for users).

Since we're on the topic, Symas has a CA module for OpenLDAP that generates certs on the fly for authenticated users. Naturally since it executes inside slapd, the cert is automatically stored in the user's LDAP entry. It's been part of our Connexitor EMS suite since 1999, works quite painlessly.

>> Besides, is there any way within this whole FDS framework to revoke Certs?
>
> This issue is outside of Fedora DS. It's more of an issue with your PK
> infrastructure and your CA.
>
>> If the ldap server is
>> compromised, how do I tell the clients not to trust it (or the CA or both) anymore???

If the CA is compromised, all bets are off. Life can get ugly when the CA cert expires too...

> Revoke the cert on the CA, and have the CA generate a CRL. Then, push
> out this CRL to all of your clients. I'm not sure how to do this with
> openssl, but NSS provides a command line tool called crlutil that can be
> used to install a CRL into your cert database.
> Mozilla/Firefox/Thunderbird can do this automatically.

Newer OpenSSL (Certainly 0.9.8, but possibly also 0.9.7) versions can do CRL checking automatically, but you still must configure a source of CRLs to check. It's a bit more tedious in 0.9.6 and older.
--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/

From jeff.applewhite at motricity.com Thu Jan 12 22:12:56 2006
From: jeff.applewhite at motricity.com (Jeff Applewhite)
Date: Thu, 12 Jan 2006 17:12:56 -0500
Subject: [Fedora-directory-users] freeRADIUS and FDS
Message-ID: <43C6D468.6030603@motricity.com>

Hi There,

I need assistance in getting Fedora Directory Server to interoperate with FreeRADIUS. Does anyone know of any good documentation on this (or Sun DS for that matter).

Thanks,
Jeff Applewhite

From del at babel.com.au Fri Jan 13 04:12:52 2006
From: del at babel.com.au (Del)
Date: Fri, 13 Jan 2006 15:12:52 +1100
Subject: [Fedora-directory-users] slapd-sql/perl or similar
Message-ID: <43C728C4.6040903@babel.com.au>

Hi,

Are there any FDS equivalents to OpenLDAP's slapd-sql, slapd-perl, etc?

(Customisable back-ends that allow you to query an SQL database or perl script for the results of an LDAP search).

Thanx,
--
Del

From rmeggins at redhat.com Fri Jan 13 04:26:38 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 12 Jan 2006 21:26:38 -0700
Subject: [Fedora-directory-users] slapd-sql/perl or similar
In-Reply-To: <43C728C4.6040903@babel.com.au>
References: <43C728C4.6040903@babel.com.au>
Message-ID: <43C72BFE.5040501@redhat.com>

Del wrote:
> Hi,
>
> Are there any FDS equivalents to OpenLDAP's slapd-sql, slapd-perl, etc?
>
> (Customisable back-ends that allow you to query an SQL database or perl
> script for the results of an LDAP search).

No. You have to write a plug-in in C to get that sort of functionality - http://directory.fedora.redhat.com/wiki/Plugins

> Thanx,
From jo.de.troy at gmail.com Fri Jan 13 14:03:05 2006
From: jo.de.troy at gmail.com (Jo De Troy)
Date: Fri, 13 Jan 2006 15:03:05 +0100
Subject: [Fedora-directory-users] password history question
Message-ID:

Hello,

I've finally got the SSL working. Thanks for all the help.

When I try to login with an imported account from OpenLDAP I get the message that my account is expired and that I need to change my LDAP password immediately. When trying this I get an error

# ssh jdtroy at ldapserver
jdtroy at ldapserver's password:
You are required to change your password immediately (password aged)
You are required to change your LDAP password immediately.
Last login: Fri Jan 13 14:38:12 2006 from ldapserver
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user jdtroy.
Enter login(LDAP) password:
New UNIX password:
Retype new UNIX password:
LDAP password information update failed: Can't contact LDAP server
Current passwd must be supplied by the user.
passwd: Permission denied
Connection to ldapserver closed.

In /var/log/messages I get

pam_ldap: ldap_extended_operation_s Unknow error

Any idea on what I'm doing wrong?

In /etc/ldap.conf I do have

pam_lookup_policy yes
pam_password exop
pam_password md5
ssl on
ssl start_tls
tls_cacertfile /path/to/cacertfile

Thanks in advance,
Jo

From rspencer at auspicecorp.com Fri Jan 13 17:35:54 2006
From: rspencer at auspicecorp.com (Roger Spencer)
Date: Fri, 13 Jan 2006 12:35:54 -0500
Subject: [Fedora-directory-users] NT Password Hash Storage
Message-ID: <43C7E4FA.8000102@auspicecorp.com>

I'm working on getting wireless network clients to do authentication via radius plugged into Fedora DS. Windows will do PEAP for authentication, which encrypts the mschapv2 password check.
FreeRadius supports this and all works well, except...

For Radius to do mschapv2, using Fedora DS, the NT hash of the password must be in the directory. It cannot use the regular user's password.

I used a perl script to hash a password and put it in a user's entry, using ntusercomment (for lack of finding a better field), told FreeRadius that ntusercomment is the NT-Password field it's looking for, and I was able to successfully authenticate from a Windows box over the wireless card using WAP. Obviously this is not a good long term solution.

1) Does anyone know of a better way to store NT password hashes in the directory?

2) Is there a way to update the hash when the user changes their password? Maybe have DS call a perl script when a password change occurs?

3) Is there a better way of doing this?

Thank you,

From logastellus at yahoo.com Fri Jan 13 19:39:02 2006
From: logastellus at yahoo.com (Susan)
Date: Fri, 13 Jan 2006 11:39:02 -0800 (PST)
Subject: [Fedora-directory-users] is the howto:Posix wiki correct?
In-Reply-To:
Message-ID: <20060113193902.403.qmail@web52905.mail.yahoo.com>

For host-based access control, the new method says to do the following:

New Method

There is already an AUXILIARY objectclass provided with the pam/nss ldap distribution on Linux systems: hostObject. On a RHEL4 system, this is in the schema file /usr/share/doc/nss_ldap-226/ldapns.schema in OpenLDAP format. You can convert to Fedora DS schema format using Howto:OpenLDAPMigration like so:

perl ol-schema-migrate.pl /usr/share/doc/nss_ldap-226/ldapns.schema > /opt/fedora-ds/slapd-localhost/config/schema/61ldapns.ldif

However, I was able to get that working without the schema conversion, by adding 'account' objectClass and then the host attribute. It works fine and is much simpler, really...
From rmeggins at redhat.com Fri Jan 13 20:42:31 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 13 Jan 2006 13:42:31 -0700
Subject: [Fedora-directory-users] is the howto:Posix wiki correct?
In-Reply-To: <20060113193902.403.qmail@web52905.mail.yahoo.com>
References: <20060113193902.403.qmail@web52905.mail.yahoo.com>
Message-ID: <43C810B7.6080305@redhat.com>

Susan wrote:
> For host-based access control, the new method says to do the following:
>
> New Method
>
> There is already an AUXILIARY objectclass provided with the pam/nss ldap distribution on Linux
> systems: hostObject. On a RHEL4 system, this is in the schema file
> /usr/share/doc/nss_ldap-226/ldapns.schema in OpenLDAP format. You can convert to Fedora DS schema
> format using Howto:OpenLDAPMigration like so:
>
> perl ol-schema-migrate.pl /usr/share/doc/nss_ldap-226/ldapns.schema >
> /opt/fedora-ds/slapd-localhost/config/schema/61ldapns.ldif
>
> However, I was able to get that working without the schema conversion, by adding 'account'
> objectClass and then the host attribute. It works fine and is much simpler, really...

Yes, but it is not LDAP standard and not portable. account is a structural objectclass - that means you are not supposed to add it to an entry that already has a structural objectclass. See the NOTE under Old Method - http://directory.fedora.redhat.com/wiki/Howto:Posix
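An added example, not from the thread or the Howto:Posix wiki, of the entry shape Richard is recommending, written as an ldapmodify change: the entry keeps its single STRUCTURAL class and gets the host restriction through the AUXILIARY hostObject class. The DN and host values are placeholders; it assumes the converted 61ldapns.ldif is in the schema directory and the server has been restarted.

```ldif
# Apply with: ldapmodify -x -D "cn=Directory Manager" -W -f hostobject.ldif
# The entry already has inetOrgPerson (STRUCTURAL) plus posixAccount and
# shadowAccount (both AUXILIARY). hostObject is AUXILIARY too, so adding it
# is schema-legal; adding "account" here instead would give the entry a
# second STRUCTURAL class, which is what Richard's note warns against.
dn: uid=jdoe,ou=People,dc=example,dc=test
changetype: modify
add: objectClass
objectClass: hostObject
-
add: host
host: ldap02
host: ldap02.inside.exampledomain.com
-
```

pam_ldap only consults the host attribute when /etc/ldap.conf on the client contains `pam_check_host_attr yes`; without that line the values are stored but never enforced, so list the hostname form your clients actually report.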
From craigwhite at azapple.com Fri Jan 13 22:10:54 2006
From: craigwhite at azapple.com (Craig White)
Date: Fri, 13 Jan 2006 15:10:54 -0700
Subject: [Fedora-directory-users] NT Password Hash Storage
In-Reply-To: <43C7E4FA.8000102@auspicecorp.com>
References: <43C7E4FA.8000102@auspicecorp.com>
Message-ID: <1137190254.17544.3.camel@lin-workstation.azapple.com>

On Fri, 2006-01-13 at 12:35 -0500, Roger Spencer wrote:
> I'm working on getting wireless network clients to do authentication via
> radius plugged into Fedora DS. Windows will do PEAP for authentication,
> which encrypts the mschapv2 password check. FreeRadius supports this
> and all works well, except...
>
> For Radius to do mschapv2, using Fedora DS, the NT hash of the password
> must be in the directory. It cannot use the regular user's password.
>
> I used a perl script to hash a password and put it in a user's entry,
> using ntusercomment (for lack of finding a better field), told
> FreeRadius that ntusercomment is the NT-Password field it's looking for,
> and I was able to successfully authenticate from a Windows box over the
> wireless card using WAP. Obviously this is not a good long term solution.
>
> 1) Does anyone know of a better way to store NT password hashes in the
> directory?
>
> 2) Is there a way to update the hash when the user changes their
> password? Maybe have DS call a perl script when a password change occurs?
>
> 3) Is there a better way of doing this?
>
----
I am unclear how you are doing authentication by Windows users to the network in a normal login...via AD?
anyway, my inclination is to setup Fedora-DS to use samba schema

http://directory.fedora.redhat.com/wiki/Howto:Samba

as that would give you a sambaNTPassword attribute which is normally the hashed password as expected but how that relates to question #2...updating the hash when the user changes their password...I suppose that would depend upon the chain of events that occur where/when the user changes their password...how is this information going to be sent to fedora-ds?

Craig

From ABliss at preferredcare.org Sat Jan 14 03:25:47 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Fri, 13 Jan 2006 22:25:47 -0500
Subject: [Fedora-directory-users] some questions on using ssl with fds
Message-ID:

These are some basic questions that I'm sure you guys will know how to answer straight away. Please forgive my ignorance, as I'm still trying to understand how ssl works and how to get it to work in fds both for my directory servers and clients.

First some background information. I have 2 directory servers and several client servers. My goal is to get the directory servers to replicate using an encrypted link (they are currently replicating great using standard ldap port). My second goal is to have the client servers authenticate to the directory servers using ssl. I currently do not have a CA in my organization, and would like to use self signed keys to achieve goals listed above. I'm trying to understand how this is supposed to work; I took a look at the howto www.redhat.com/docs/manuals/dir-sever/ag/7.1/ssl.html#1087158 and have just a few questions.

Correct me if I'm wrong, but the way this will work is that I will first create a CA cert on directory server A (step 6), generate server certificate (step 7). Next step will be to export the CA cert and import into directory server B.

1. When creating the server cert at step 6, what are the appropriate values for the -n and -s switches, assuming that my company is named company.org.

2. When creating the server certificate at step 7, what are the appropriate values with the -n, -s and -c switches?

3. What are the switches to use to export the CA certificate using the certutil as well as the appropriate switches to import this certificate on another server.

4. Is it true that after importing the CA cert into directory server B and generating a server certificate on this server, the 2 directory servers will inherently trust each other as their server certificates were generated from the same CA certificate? If so, I believe that I will then be able to create a replication link between the 2 directory servers over a ssl link?

5. How do I configure the client servers to use ldaps? Do I need to generate server certificates for each box? If so, where are these certificates stored on the client servers.

Thanks very much for your help with this.

Aaron
www.preferredcare.org

From logastellus at yahoo.com Sat Jan 14 15:58:23 2006
From: logastellus at yahoo.com (Susan)
Date: Sat, 14 Jan 2006 07:58:23 -0800 (PST)
Subject: [Fedora-directory-users] is the howto:Posix wiki correct?
In-Reply-To: <43C810B7.6080305@redhat.com>
Message-ID: <20060114155823.94608.qmail@web52913.mail.yahoo.com>

--- Richard Megginson wrote:
> Yes, but it is not LDAP standard and not portable.
> account is a
> structural objectclass - that means you are not supposed to add it to an
> entry that already has a structural objectclass. See the NOTE under Old
> Method - http://directory.fedora.redhat.com/wiki/Howto:Posix

the problem is that you cannot add the host attribute (or the hostObject objectclass) from the gui UNTIL you add the account objectClass. Neither one is on the list, even with the newly created 61ldapns schema imported. There must be a bug in the UI or something...

From rmeggins at redhat.com Sat Jan 14 16:50:55 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Sat, 14 Jan 2006 09:50:55 -0700
Subject: [Fedora-directory-users] is the howto:Posix wiki correct?
In-Reply-To: <20060114155823.94608.qmail@web52913.mail.yahoo.com>
References: <20060114155823.94608.qmail@web52913.mail.yahoo.com>
Message-ID: <43C92BEF.5020904@redhat.com>

Susan wrote:
> --- Richard Megginson wrote:
>> Yes, but it is not LDAP standard and not portable. account is a
>> structural objectclass - that means you are not supposed to add it to an
>> entry that already has a structural objectclass. See the NOTE under Old
>> Method - http://directory.fedora.redhat.com/wiki/Howto:Posix
>
> the problem is that you cannot add the host attribute (or the hostObject objectclass) from the gui
> UNTIL you add the account objectClass. Neither one is on the list, even with the newly created
> 61ldapns schema imported. There must be a bug in the UI or something...

You have to restart the server to read in the new schema file, then you have to restart the console in order for it to pick up the new schema from the server. If you've done that, and still no luck, then this is a console bug.
From logastellus at yahoo.com Sat Jan 14 17:33:07 2006
From: logastellus at yahoo.com (Susan)
Date: Sat, 14 Jan 2006 09:33:07 -0800 (PST)
Subject: [Fedora-directory-users] multi master replication over SSL
In-Reply-To:
Message-ID: <20060114173307.97300.qmail@web52915.mail.yahoo.com>

I got this from the manual:

Note
Replication configured over SSL with certificate-based authentication will fail in the following cases:

    * If the supplier's certificate is a self-signed certificate.
_________

Is that still the case for FDS? Is there any way to get it working using self-signed certs?

If not, I'm thinking of using stunnel between both masters, then.

From logastellus at yahoo.com Sat Jan 14 18:12:34 2006
From: logastellus at yahoo.com (Susan)
Date: Sat, 14 Jan 2006 10:12:34 -0800 (PST)
Subject: [Fedora-directory-users] is the howto:Posix wiki correct?
In-Reply-To: <43C92BEF.5020904@redhat.com>
Message-ID: <20060114181234.57650.qmail@web52903.mail.yahoo.com>

--- Richard Megginson wrote:
> You have to restart the server to read in the new schema file, then you
> have to restart the console in order for it to pick up the new schema
> from the server. If you've done that, and still no luck, then this is a
> console bug.

restarting the console made the hostObject objectclass available but still no 'host' attribute. Must be a bug then...
Mail has the best spam protection around http://mail.yahoo.com From rmeggins at redhat.com Sat Jan 14 20:12:41 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Sat, 14 Jan 2006 13:12:41 -0700 Subject: [Fedora-directory-users] multi master replication over SSL In-Reply-To: <20060114173307.97300.qmail@web52915.mail.yahoo.com> References: <20060114173307.97300.qmail@web52915.mail.yahoo.com> Message-ID: <43C95B39.5000606@redhat.com> Susan wrote: >I got this from the manual: > >Note >Replication configured over SSL with certificate-based authentication will fail in the following >cases: > > * If the supplier's certificate is a self-signed certificate. >_________ > >Is that still the case for FDS? Is there any way to get it working using self-signed certs? > > If the consumer can verify and validate the suppliers cert, as in certificate based auth, then it should work. Otherwise, you can just use regular SSL replication with password auth. >If not, I'm thinking of using stunnel between both masters, then. > > Will that allow you to do certificate based auth, or just SSL encryption of the channel with password based auth? If so, then it's the same as regular replication with SSL and passwords without certificate based auth. >__________________________________________________ >Do You Yahoo!? >Tired of spam? Yahoo! Mail has the best spam protection around >http://mail.yahoo.com > >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From logastellus at yahoo.com Sat Jan 14 21:22:02 2006 From: logastellus at yahoo.com (Susan) Date: Sat, 14 Jan 2006 13:22:02 -0800 (PST) Subject: [Fedora-directory-users] multi master replication over SSL In-Reply-To: <43C95B39.5000606@redhat.com> Message-ID: <20060114212202.10764.qmail@web52906.mail.yahoo.com> --- Richard Megginson wrote: > If the consumer can verify and validate the suppliers cert, as in > certificate based auth, then it should work. Otherwise, you can just > use regular SSL replication with password auth. OK, I understand. I don't care about cert-based SSL, so I'll go with the simple auth then. I'm not sure who wrote the mmr.pl script (http://directory.fedora.redhat.com/wiki/Howto:MultiMasterReplication) but I must say thank you, author, the script works trouble free, as advertised. However, I don't see anything in there about replication over SSL. And it doesn't look like I can convert it to SSL, once the replication is established using mmr.pl, is that correct? > Will that allow you to do certificate based auth, or just SSL encryption > of the channel with password based auth? If so, then it's the same as > regular replication with SSL and passwords without certificate based au no, you're right, it's the same thing, so no point in using stunnel then. Nevermind. __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! 
Mail has the best spam protection around http://mail.yahoo.com From rmeggins at redhat.com Sat Jan 14 21:28:33 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Sat, 14 Jan 2006 14:28:33 -0700 Subject: [Fedora-directory-users] multi master replication over SSL In-Reply-To: <20060114212202.10764.qmail@web52906.mail.yahoo.com> References: <20060114212202.10764.qmail@web52906.mail.yahoo.com> Message-ID: <43C96D01.5080401@redhat.com> Susan wrote: >--- Richard Megginson wrote: > > >>If the consumer can verify and validate the suppliers cert, as in >>certificate based auth, then it should work. Otherwise, you can just >>use regular SSL replication with password auth. >> >> > >OK, I understand. I don't care about cert-based SSL, so I'll go with the simple auth then. > >I'm not sure who wrote the mmr.pl script >(http://directory.fedora.redhat.com/wiki/Howto:MultiMasterReplication) but I must say thank you, >author, the script works trouble free, as advertised. However, I don't see anything in there >about replication over SSL. And it doesn't look like I can convert it to SSL, once the >replication is established using mmr.pl, is that correct? > > No, I think you can. You just need to edit the replication agreement to use ssl and connect to the ssl port. > > >>Will that allow you to do certificate based auth, or just SSL encryption >>of the channel with password based auth? If so, then it's the same as >>regular replication with SSL and passwords without certificate based au >> >> > >no, you're right, it's the same thing, so no point in using stunnel then. Nevermind. > >__________________________________________________ >Do You Yahoo!? >Tired of spam? Yahoo! Mail has the best spam protection around >http://mail.yahoo.com > >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -------------- next part -------------- A non-text attachment was scrubbed... 
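Richard's answer (edit the agreement to use SSL and connect to the SSL port) comes down to two attributes on the agreement entry. The Python below is an added example, not part of this thread, of the mmr.pl script or of the FDS project: it builds that ldapmodify LDIF, applies it to a constructed sample agreement in memory, and flags transport/bind-method combinations that do not fit together, including the one Susan starts from, a SIMPLE bind over plain LDAP, which sends the replication manager's password in clear text. The attribute names are the real nsDS5ReplicationAgreement attributes; the agreement DN, host name and password are made-up sample values.

```python
"""Sanity-check a Fedora DS / 389 DS replication agreement and build the LDIF that moves it
from plain LDAP to SSL with password (SIMPLE) authentication.

Added example. The attribute names are the real nsDS5ReplicationAgreement attributes; the
agreement DN, host name and password are constructed sample values."""
from __future__ import annotations

TRANSPORTS = {"LDAP", "SSL"}                 # nsDS5ReplicaTransportInfo values (FDS 1.0 era)
BIND_METHODS = {"SIMPLE", "SSLCLIENTAUTH"}   # nsDS5ReplicaBindMethod values
LDAPS_PORT = 636

# Constructed sample: an agreement as mmr.pl would leave it, talking plain LDAP on 389.
SAMPLE_AGREEMENT_DN = 'cn=to-ldap2,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config'
SAMPLE_AGREEMENT = {
    "objectClass": "nsDS5ReplicationAgreement",
    "cn": "to-ldap2",
    "nsDS5ReplicaHost": "ldap2.example.com",
    "nsDS5ReplicaPort": "389",
    "nsDS5ReplicaTransportInfo": "LDAP",
    "nsDS5ReplicaBindMethod": "SIMPLE",
    "nsDS5ReplicaBindDN": "cn=replication manager,cn=config",
    "nsDS5ReplicaCredentials": "constructed-sample-password",
}


def check_agreement(agreement: dict[str, str]) -> list[str]:
    """Return the problems with the transport/bind-method combination (empty list = consistent)."""
    problems = []
    transport = agreement.get("nsDS5ReplicaTransportInfo", "LDAP")
    method = agreement.get("nsDS5ReplicaBindMethod", "SIMPLE")
    port = int(agreement.get("nsDS5ReplicaPort", "389"))
    if transport not in TRANSPORTS:
        problems.append(f"unknown transport {transport!r}")
    if method not in BIND_METHODS:
        problems.append(f"unknown bind method {method!r}")
    if method == "SSLCLIENTAUTH" and transport != "SSL":
        # The supplier's client certificate is presented in the TLS handshake; no TLS, no cert.
        problems.append("SSLCLIENTAUTH requires nsDS5ReplicaTransportInfo: SSL")
    if method == "SIMPLE":
        if not agreement.get("nsDS5ReplicaBindDN") or not agreement.get("nsDS5ReplicaCredentials"):
            problems.append("SIMPLE bind needs nsDS5ReplicaBindDN and nsDS5ReplicaCredentials")
        if transport == "LDAP":
            problems.append("SIMPLE bind over plain LDAP sends the replication password in clear text")
    if transport == "SSL" and port != LDAPS_PORT:
        problems.append(f"transport is SSL but port is {port}; the consumer's LDAPS listener is normally {LDAPS_PORT}")
    return problems


def ssl_switch_ldif(agreement_dn: str, ssl_port: int = LDAPS_PORT) -> str:
    """LDIF for ldapmodify that re-points an existing agreement at the consumer's LDAPS port.
    Bind DN and password stay as they are: this is 'regular SSL replication with password auth'."""
    return "\n".join([
        f"dn: {agreement_dn}",
        "changetype: modify",
        "replace: nsDS5ReplicaTransportInfo",
        "nsDS5ReplicaTransportInfo: SSL",
        "-",
        "replace: nsDS5ReplicaPort",
        f"nsDS5ReplicaPort: {ssl_port}",
        "-",
    ]) + "\n"


def apply_modify_ldif(entry: dict[str, str], ldif: str) -> dict[str, str]:
    """Apply the 'replace:' operations of a modify LDIF to an in-memory entry, so before/after
    can be compared without a server (covers only the LDIF subset emitted above)."""
    updated = dict(entry)
    current = None
    for line in ldif.splitlines():
        if line.startswith("replace: "):
            current = line[len("replace: "):]
            updated.pop(current, None)   # replace = drop the old values, then take the new ones
        elif line == "-":
            current = None
        elif current and line.startswith(current + ": "):
            updated[current] = line[len(current) + 2:]
    return updated


def demo() -> tuple[list[str], list[str]]:
    """Problems found before and after applying the SSL switch to the sample agreement."""
    before = check_agreement(SAMPLE_AGREEMENT)
    after = check_agreement(apply_modify_ldif(SAMPLE_AGREEMENT, ssl_switch_ldif(SAMPLE_AGREEMENT_DN)))
    return before, after


if __name__ == "__main__":
    print(ssl_switch_ldif(SAMPLE_AGREEMENT_DN))
    for label, found in zip(("before", "after"), demo()):
        print(label, found or ["ok"])
```

The consumer's LDAPS listener must already be up (port 636 in the startup log Aaron quotes later in this thread) and the supplier must trust the CA that signed the consumer's server certificate; otherwise the agreement will fail to connect after the switch, which is a different failure from the clear-text problem the checker reports.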
From oscar.valdez at duraflex-politex.com Sun Jan 15 00:58:24 2006
From: oscar.valdez at duraflex-politex.com (Oscar A. Valdez)
Date: Sat, 14 Jan 2006 18:58:24 -0600
Subject: [Fedora-directory-users] Samba & Fedora Directory Server Integration
Message-ID: <1137286706.5471.22.camel@wzowski.duraflex-politex.com>

I've followed the Samba & Fedora Directory Server Integration How-To located at http://directory.fedora.redhat.com/wiki/Howto:Samba , and I'm about to upload my user accounts into the DS. I have two questions before I proceed, though:

1) At the end of the How-To, a "testuser" is added to the Samba server with the "smbpasswd -a" command. Wouldn't the DS make the user accounts visible to the Samba server, making it unnecessary to add them via smbpasswd? If it's really necessary to add the accounts via smbpasswd, then the DS isn't really a backend to the Samba Server: they would be acting in parallel.

2) The section on ldapsam of "The Official Samba-3 HOWTO and Reference Guide" (http://us4.samba.org/samba/docs/man/Samba3-HOWTO/passdb.html#id2559672) mentions quite a few attributes for the sambaSamAccount ObjectClass, such as sambaLogonTime, sambaLMPassword, sambaPrimaryGroupSID, sambaAcctFlags, logoffTime, sambaKickoffTime, sambaPwdLastSet, sambaSID, sambaPwdCanChange, sambaPwdMustChange, and sambaNTPassword, that are not present in the ldif files generated by the openldap migrate_passwd.pl script recommended by the How-To. How should these attributes be added, if one follows the How-To?

--
Oscar A. Valdez

From craigwhite at azapple.com Sun Jan 15 06:08:52 2006
From: craigwhite at azapple.com (Craig White)
Date: Sat, 14 Jan 2006 23:08:52 -0700
Subject: [Fedora-directory-users] Samba & Fedora Directory Server Integration
In-Reply-To: <1137286706.5471.22.camel@wzowski.duraflex-politex.com>
References: <1137286706.5471.22.camel@wzowski.duraflex-politex.com>
Message-ID: <1137305332.31384.9.camel@lin-workstation.azapple.com>

On Sat, 2006-01-14 at 18:58 -0600, Oscar A. Valdez wrote:
> I've followed the Samba & Fedora Directory Server Integration How-To
> located at http://directory.fedora.redhat.com/wiki/Howto:Samba , and I'm
> about to upload my user accounts into the DS. I have two questions
> before I proceed, though:
>
> 1) At the end of the How-To, a "testuser" is added to the Samba server
> with the "smbpasswd -a" command. Wouldn't the DS make the user accounts
> visible to the Samba server, making it unnecessary to add them via
> smbpasswd? If it's really necessary to add the accounts via smbpasswd,
> then the DS isn't really a backend to the Samba Server: they would be
> acting in parallel.
>
> 2) The section on ldapsam of "The Official Samba-3 HOWTO and Reference
> Guide"
> (http://us4.samba.org/samba/docs/man/Samba3-HOWTO/passdb.html#id2559672)
> mentions quite a few attributes for the sambaSamAccount ObjectClass,
> such as sambaLogonTime, sambaLMPassword, sambaPrimaryGroupSID,
> sambaAcctFlags, logoffTime, sambaKickoffTime, sambaPwdLastSet, sambaSID,
> sambaPwdCanChange, sambaPwdMustChange, and sambaNTPassword, that are not
> present in the ldif files generated by the openldap migrate_passwd.pl
> script recommended by the How-To. How should these attributes be added,
> if one follows the How-To?
----
In general, the administrator is responsible for the client tools used to create attributes for LDAP dn's.

If you are going to use a tool like the PADL migration tool (migrate_passwd.pl), obviously you aren't going to get attributes beyond the posixAccount stuff. Samba has some tools - smbldap-tools, which can add attributes for the samba-schema - and then there are some other tools such as GQ, phpldapadmin, LAM and Webmin which can do a wide variety of LDAP entries.

Just guessing at what you are trying to accomplish (taking an existing /etc/passwd list and importing it into LDAP while inserting necessary samba attributes simultaneously)... I would suggest that you use Webmin's LDAP Users and Groups, which does have mass importing and is capable of adding 'pre-configured' samba-schema attributes.

Craig

From del at babel.com.au Sun Jan 15 06:11:11 2006
From: del at babel.com.au (Del)
Date: Sun, 15 Jan 2006 17:11:11 +1100
Subject: [Fedora-directory-users] Samba & Fedora Directory Server Integration
In-Reply-To: <1137286706.5471.22.camel@wzowski.duraflex-politex.com>
References: <1137286706.5471.22.camel@wzowski.duraflex-politex.com>
Message-ID: <43C9E77F.40308@babel.com.au>

Oscar A. Valdez wrote:
> I've followed the Samba & Fedora Directory Server Integration How-To
> located at http://directory.fedora.redhat.com/wiki/Howto:Samba , and I'm
> about to upload my user accounts into the DS. I have two questions
> before I proceed, though:

You may want to read this for some further background information:

http://www.samba.org/samba/docs/man/Samba-Guide/ntmigration.html

> 1) At the end of the How-To, a "testuser" is added to the Samba server
> with the "smbpasswd -a" command. Wouldn't the DS make the user accounts
> visible to the Samba server, making it unnecessary to add them via
> smbpasswd? If it's really necessary to add the accounts via smbpasswd,
> then the DS isn't really a backend to the Samba Server: they would be
> acting in parallel.

What's happening here (in relatively simple and not entirely correct language, because it's not really explained in depth above) is:

Samba knows your root DN and bind password for your LDAP server. Samba therefore knows how to add users to LDAP. Samba has a couple of object classes and attributes that it needs, and will therefore use these object classes and attributes on every user object that it creates. So you may as well let Samba create the users in your LDAP server.

Sure, you could do it yourself using any old LDAP tool. But you may as well let Samba do it, either from the command line using smbpasswd -a or using the user manager for domains tool. At the very least let Samba create a few accounts for you and have a look at the structure of those accounts in detail before you use another LDAP tool.

LAM (http://lam.sourceforge.net/) will be able to add the attributes required by Samba as well, but I'd make a few accounts using Samba and then some using LAM to compare the two before relying on LAM. Same goes for any other LDAP account management tool you choose to use, whether it's a pre-done or roll-your-own.

> 2) The section on ldapsam of "The Official Samba-3 HOWTO and Reference
> Guide"
> (http://us4.samba.org/samba/docs/man/Samba3-HOWTO/passdb.html#id2559672)
> mentions quite a few attributes for the sambaSamAccount ObjectClass,
> such as sambaLogonTime, sambaLMPassword, sambaPrimaryGroupSID,
> sambaAcctFlags, logoffTime, sambaKickoffTime, sambaPwdLastSet, sambaSID,
> sambaPwdCanChange, sambaPwdMustChange, and sambaNTPassword, that are not
> present in the ldif files generated by the openldap migrate_passwd.pl
> script recommended by the How-To. How should these attributes be added,
> if one follows the How-To?

/usr/share/doc/samba-*/LDAP/samba.schema (or wherever your Samba documentation is installed on your distro).

Either create the attributes manually, or use the ol-schema-migrate.pl script in the FDS wiki to convert it to an FDS compatible schema file, and then install it into your /opt/fedora-ds/slapd-`hostname -s`/config/schema/ directory as 61samba.ldif

--
Del

From ABliss at preferredcare.org Sun Jan 15 19:20:33 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Sun, 15 Jan 2006 14:20:33 -0500
Subject: [Fedora-directory-users] some questions on using ssl with fds

I believe that I'm very close to getting this to work for me. This is what I've done:

1. created my own CA certificate by running this: openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem

2. using the gui, I followed the steps listed here http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1085091 under Obtaining and Installing server certificates, including the step 4 marked Trust the certificate authority. Everything to this point looks great; on each directory server the server certificates look fine including verifying that my new CA is listed and verified under the CA certs tab.

I believe at this point that each directory server will inherently trust each other's server certificate, as their own certificates were signed by my own CA. Is this true? If so, can someone tell me what the next step is to enable ssl replication between the 2 directory servers as well as secure client authentication? Thanks very much.

Aaron

www.preferredcare.org
"An Outstanding Member Experience," Preferred Care HMO Plans -- J. D. Power and Associates

Confidentiality Notice:
The information contained in this electronic message is intended for the exclusive use of the individual or entity named above and may contain privileged or confidential information. If the reader of this message is not the intended recipient or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that dissemination, distribution or copying of this information is prohibited. If you have received this communication in error, please notify the sender immediately by telephone and destroy the copies you received.
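Two exchanges above come down to the same mechanism: Del's advice to run samba.schema through ol-schema-migrate.pl and drop the result into config/schema as 61samba.ldif, and Richard's earlier point that the server only reads a new schema file such as 61ldapns at restart. The Python below is an added, simplified stand-in for that conversion, not the wiki's ol-schema-migrate.pl and not anything from the FDS or Samba projects. It turns OpenLDAP-syntax attributetype/objectclass definitions (nested parentheses, objectidentifier macros, comments) into the one-line attributeTypes:/objectClasses: values FDS expects under dn: cn=schema, emits attribute types before the object classes that use them, and then checks for object classes that reference an attribute no file defines, which is worth catching before the restart rather than in the error log afterwards. The schema fragment is constructed: the names follow Samba's, the OIDs are made up.

```python
"""Convert an OpenLDAP-format schema file (samba.schema style) into the LDIF form Fedora DS
reads from its config/schema directory, and check attribute references.

Added example, a simplified stand-in for ol-schema-migrate.pl, not that script. The sample
schema below is constructed: Samba-like names, made-up OIDs."""
from __future__ import annotations
import re
from typing import Iterator

SAMPLE_OPENLDAP_SCHEMA = """\
# constructed sample (Samba-like names, made-up OIDs under a private arc)
objectidentifier demoOID 1.3.6.1.4.1.99999
objectidentifier demoAttr demoOID:1
objectidentifier demoClass demoOID:2

attributetype ( demoAttr:1 NAME 'sambaSID'
    DESC 'Security ID'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

attributetype ( demoAttr:2 NAME 'sambaNTPassword'
    DESC 'MD4 hash of the unicode password'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )

attributetype ( demoAttr:3 NAME 'sambaAcctFlags'
    DESC 'Account Flags'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE )

objectclass ( demoClass:1 NAME 'sambaSamAccount' SUP top AUXILIARY
    DESC 'Samba 3.0 Auxiliary SAM Account'
    MUST ( uid $ sambaSID )
    MAY ( sambaNTPassword $ sambaAcctFlags ) )
"""

# OpenLDAP keyword -> attribute of the cn=schema entry that carries the definition in FDS
KEYWORDS = {"attributetype": "attributeTypes", "objectclass": "objectClasses"}
_DEF_START = re.compile(r"\b(attributetype|objectclass)\s*\(", re.IGNORECASE)


def expand_macros(text: str) -> str:
    """Resolve OpenLDAP 'objectidentifier NAME OID' macros: FDS has no equivalent, so a
    reference such as demoAttr:1 must become a numeric OID before it is emitted."""
    macros: dict[str, str] = {}

    def resolve(token: str) -> str:
        base, _, suffix = token.partition(":")
        if base in macros:
            return macros[base] + ("." + suffix if suffix else "")
        return token

    for name, oid in re.findall(r"(?im)^\s*objectidentifier\s+(\S+)\s+(\S+)", text):
        macros[name] = resolve(oid)              # a macro may build on an earlier macro
    return re.sub(r"[A-Za-z][\w-]*:[\d.]+", lambda m: resolve(m.group(0)), text)


def definitions(text: str) -> Iterator[tuple[str, str]]:
    """Yield (keyword, body) for each '<keyword> ( ... )' block, honouring nested parentheses
    like 'MUST ( uid $ sambaSID )'; comment lines are dropped and whitespace collapsed."""
    stripped = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    pos = 0
    while (m := _DEF_START.search(stripped, pos)):
        depth, i = 1, m.end()
        while depth and i < len(stripped):
            depth += {"(": 1, ")": -1}.get(stripped[i], 0)
            i += 1
        if depth:
            raise ValueError(f"unbalanced parentheses in definition at offset {m.start()}")
        yield m.group(1).lower(), " ".join(stripped[m.end():i - 1].split())
        pos = i


def convert(openldap_schema: str, origin: str = "user defined") -> str:
    """Render the FDS schema LDIF, attribute types first because object classes refer to them."""
    attrs, classes = [], []
    for keyword, body in definitions(expand_macros(openldap_schema)):
        line = f"{KEYWORDS[keyword]}: ( {body} X-ORIGIN '{origin}' )"
        (attrs if keyword == "attributetype" else classes).append(line)
    return "\n".join(["dn: cn=schema", *attrs, *classes]) + "\n"


def undefined_attributes(schema_ldif: str, server_known: set[str] = frozenset()) -> set[str]:
    """Names used in MUST/MAY that neither this file nor server_known (names the server's
    existing schema already defines, e.g. {'uid'}) provides; returned lowercased."""
    defined = {name.lower() for name in server_known}
    for single, many in re.findall(r"attributeTypes: \( \S+ NAME (?:'([^']+)'|\(([^)]*)\))", schema_ldif):
        defined.update(n.lower() for n in ([single] if single else re.findall(r"'([^']+)'", many)))
    referenced: set[str] = set()
    for cls in re.findall(r"objectClasses: \( (.*) \)", schema_ldif):
        for clause in re.findall(r"\b(?:MUST|MAY)\s+(\([^)]*\)|\S+)", cls):
            referenced.update(n.lower() for n in re.findall(r"[\w-]+", clause))
    return referenced - defined


if __name__ == "__main__":
    ldif = convert(SAMPLE_OPENLDAP_SCHEMA)
    print(ldif)
    print("not defined in this file:", undefined_attributes(ldif))
```

For the sample, the only name left over is uid, which the server's standard schema already supplies, so the file is safe to install; a name that is neither in the file nor in the server's schema is the case to fix before restarting, and as the thread notes the console has to be restarted as well before it shows the new object classes.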
From ABliss at preferredcare.org Sun Jan 15 19:25:31 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Sun, 15 Jan 2006 14:25:31 -0500
Subject: [Fedora-directory-users] RE: some questions on using ssl with fds

I believe that I'm very close to getting this to work for me. This is what I've done:

1. created my own CA certificate by running this: openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem

2. using the gui, I followed the steps listed here http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1085091 under Obtaining and Installing server certificates, including the step 4 marked Trust the certificate authority. Everything to this point looks great; on each directory server the server certificates look fine including verifying that my new CA is listed and verified under the CA certs tab.

I believe at this point that each directory server will inherently trust each other's server certificate, as their own certificates were signed by my own CA. Is this true? If so, can someone tell me what the next step is to enable ssl replication between the 2 directory servers as well as secure client authentication? Thanks very much.

Aaron

-----Original Message-----
From: Bliss, Aaron
Sent: Friday, January 13, 2006 10:26 PM
To: General discussion list for the Fedora Directory server project.
Subject: some questions on using ssl with fds

These are some basic questions that I'm sure you guys will know how to answer straight away. Please forgive my ignorance, as I'm still trying to understand how ssl works and how to get it to work in fds both for my directory servers and clients. First some background information. I have 2 directory servers and several client servers. My goal is to get the directory servers to replicate using an encrypted link (they are currently replicating great using standard ldap port). My second goal is to have the client servers authenticate to the directory servers using ssl. I currently do not have a CA in my organization, and would like to use self signed keys to achieve goals listed above. I'm trying to understand how this is supposed to work; I took a look at the howto www.redhat.com/docs/manuals/dir-sever/ag/7.1/ssl.html#1087158 and have just a few questions.

Correct me if I'm wrong, but the way this will work is that I will first create a CA cert on directory server A (step 6), generate server certificate (step 7). Next step will be to export the CA cert and import into directory server B.

1. When creating the server cert at step 6, what are the appropriate values for the -n and -s switches, assuming that my company is named company.org?

2. When creating the server certificate at step 7, what are the appropriate values with the -n, -s and -c switches?

3. What are the switches to use to export the CA certificate using the certutil as well as the appropriate switches to import this certificate on another server?

4. Is it true that after importing the CA cert into directory server B and generating a server certificate on this server, the 2 directory servers will inherently trust each other as their server certificates were generated from the same CA certificate? If so, I believe that I will then be able to create a replication link between the 2 directory servers over an ssl link?

5. How do I configure the client servers to use ldaps? Do I need to generate server certificates for each box? If so, where are these certificates stored on the client servers? Thanks very much for your help with this.

Aaron

From ABliss at preferredcare.org Sun Jan 15 20:46:03 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Sun, 15 Jan 2006 15:46:03 -0500
Subject: [Fedora-directory-users] RE: some questions on using ssl with fds

I'm happy to report that I got things working. As noted in my slapd log file,

[15/Jan/2006:15:32:05 -0500] - Fedora-Directory/1.0.1 B2005.342.165 starting up
[15/Jan/2006:15:32:05 -0500] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[15/Jan/2006:15:32:05 -0500] - Listening on All Interfaces port 636 for LDAPS requests

After following document listed below under section labeled starting the directory server with ssl enabled, both servers are accepting requests on 389 and 636. I have a question though; how much of a security threat would it pose if I used a password file to start the directory server automatically? Thanks very much to the fds developers, mailing list users and the designers of documentation.

Aaron
From rmeggins at redhat.com Sun Jan 15 21:51:17 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Sun, 15 Jan 2006 14:51:17 -0700
Subject: [Fedora-directory-users] RE: some questions on using ssl with fds
Message-ID: <43CAC3D5.3000704@redhat.com>

Bliss, Aaron wrote:

> I'm happy to report that I got things working. As noted in my slapd log
> file,
>
> [15/Jan/2006:15:32:05 -0500] - Fedora-Directory/1.0.1 B2005.342.165 starting up
> [15/Jan/2006:15:32:05 -0500] - slapd started. Listening on All Interfaces port 389 for LDAP requests
> [15/Jan/2006:15:32:05 -0500] - Listening on All Interfaces port 636 for LDAPS requests
>
> After following document listed below under section labeled starting the
> directory server with ssl enabled, both servers are accepting requests
> on 389 and 636.

Excellent.

> I have a question though; how much of a security threat
> would it pose if I used a password file to start the directory server
> automatically?

That depends - how secure is your machine?

> Thanks very much to the fds developers, mailing list users and the
> designers of documentation.
>
> Aaron

From ABliss at preferredcare.org Sun Jan 15 21:53:48 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Sun, 15 Jan 2006 16:53:48 -0500
Subject: [Fedora-directory-users] Howto Map the certificate's distinguished name to a distinguished name known by your directory

I have replication working over ssl using simple authentication, however I would like to have this working using certificate based authentication. According to this doc http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1087158 under the section marked setting up certificate based authentication, it is necessary to map the certificate's distinguished name to a distinguished name known by your directory. This makes sense, as you must be able to tell the server you're connecting to how much access you have to the destination directory. This corresponds to the error that I get when attempting to initiate replication over a certificate based ssl replication link: "LDAP error: Invalid credentials. Error Code: 49". I believe this will work when I'm able to map the cert's dn to a dn in the directory. Does anyone know how to do this, or can you point me to some documentation? Thanks again for your help.

Aaron
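The mapping Aaron is asking about is driven by the server's certmap.conf: each mapping is selected by the issuer DN of the client certificate and says which components of the certificate's subject DN become the search base (DNComps) and which become the search filter (FilterComps) used to find the directory entry the certificate authenticates as. The Python below is an added example, not part of this thread and not FDS code: it parses a constructed certmap.conf with a fallback default mapping and one mapping for a private CA like the one created with openssl above, and works out the search the server would run for a given certificate. The CA name, certificate subjects and mapping names are made-up sample values; the property semantics (absent DNComps means the wh ole subject DN is the base, an empty DNComps means the whole tree is searched, CmapLdapAttr is tried first, verifycert on requires the certificate to be present on the mapped entry) are the documented certmap.conf rules.

```python
"""Simulate how Fedora DS maps a client certificate's subject DN onto a directory entry
through certmap.conf. Added example; the certmap.conf text, CA and certificate DNs are
constructed sample values, the mapping rules are the documented certmap.conf semantics."""
from __future__ import annotations
import re

# Constructed sample certmap.conf: a fallback 'default' mapping plus one keyed on the issuer
# DN of a private CA. 'default:DNComps' is present with no value on purpose (see below).
SAMPLE_CERTMAP = """\
certmap default default
default:DNComps
default:FilterComps cn
default:verifycert on

certmap exampleca CN=Example CA,O=Example,C=US
exampleca:DNComps o,c
exampleca:FilterComps cn
exampleca:verifycert on
"""

# certmap abbreviates the e-mail component of a subject DN as 'e' and looks it up in 'mail'.
FILTER_ATTRIBUTE = {"e": "mail"}


def parse_certmap(text: str) -> dict[str, dict]:
    """'certmap NAME ISSUER-DN' opens a mapping; 'NAME:prop [value]' lines fill it in.
    A property present without a value is stored as '' because that differs from absent."""
    maps: dict[str, dict] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("certmap "):
            _, name, issuer = line.split(None, 2)
            maps[name] = {"issuer": issuer, "props": {}}
            continue
        name, _, rest = line.partition(":")
        prop, _, value = rest.strip().partition(" ")
        maps[name]["props"][prop] = value.strip()
    return maps


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) pairs; commas escaped as '\\,' stay in the value."""
    return [tuple(part.strip().split("=", 1)) for part in re.split(r"(?<!\\),", dn)]


def normalise(dn: str) -> str:
    return ",".join(f"{a.lower()}={v}" for a, v in parse_dn(dn))


def select_mapping(maps: dict[str, dict], issuer_dn: str) -> str:
    """The mapping whose issuer DN matches the certificate's issuer, else 'default'."""
    for name, mapping in maps.items():
        if name != "default" and normalise(mapping["issuer"]) == normalise(issuer_dn):
            return name
    return "default"


def map_certificate(maps: dict[str, dict], subject_dn: str, issuer_dn: str) -> dict:
    """Return the search the server would run to find the entry this certificate binds as."""
    name = select_mapping(maps, issuer_dn)
    props = maps[name]["props"]
    rdns = parse_dn(subject_dn)

    if "DNComps" not in props:
        base = subject_dn                   # absent: the whole subject DN is the search base
    elif props["DNComps"] == "":
        base = None                         # present but empty: search the entire tree
    else:
        wanted = [c.strip().lower() for c in props["DNComps"].split(",")]
        base = ",".join(f"{a}={v}" for a, v in rdns if a.lower() in wanted)

    comps = [c.strip().lower() for c in props.get("FilterComps", "").split(",") if c.strip()]
    terms = [f"({FILTER_ATTRIBUTE.get(a.lower(), a.lower())}={v})" for a, v in rdns if a.lower() in comps]
    if not terms:
        search_filter = "(objectclass=*)"  # no FilterComps: any entry under the base matches
    elif len(terms) == 1:
        search_filter = terms[0]
    else:
        search_filter = "(&" + "".join(terms) + ")"

    cmap_attr = props.get("CmapLdapAttr")
    return {
        "mapping": name,
        "base": base,
        "filter": search_filter,
        # if set, the server first looks for an entry whose CmapLdapAttr holds the subject DN
        "dn_attribute_search": f"({cmap_attr}={subject_dn})" if cmap_attr else None,
        # verifycert on: the mapped entry must also carry this certificate in userCertificate
        "verify_against_entry": props.get("verifycert", "off").lower() == "on",
    }


if __name__ == "__main__":
    maps = parse_certmap(SAMPLE_CERTMAP)
    print(map_certificate(maps, "CN=ldap1.example.com,OU=Servers,O=Example,C=US",
                          "CN=Example CA,O=Example,C=US"))
```

For certificate-based replication the entry this search finds is the identity the consumer sees, so it has to be the DN the consumer's replica is configured to accept for replication binds; a mapping that finds no entry, or finds one the replica does not allow, is one way to end up at exactly the "Invalid credentials" (error 49) Aaron reports. The empty default:DNComps line is also worth a second look when hardening: it widens the search to the whole tree, so a certificate from an unexpected issuer that falls through to the default mapping is matched against every entry with a matching cn.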
If you have received this communication in error, please notify the sender immediately by telephone and destroy the copies you received. From ABliss at preferredcare.org Sun Jan 15 21:57:11 2006 From: ABliss at preferredcare.org (Bliss, Aaron) Date: Sun, 15 Jan 2006 16:57:11 -0500 Subject: [Fedora-directory-users] RE: some questions on using ssl with fds Message-ID: I would say the machines are pretty locked down; I've ran the bastille scripts against them, used CIS scoring tool to lock them down even more and they are of course behind our dmz....Normal users would never get a direct shell on the directory servers; the only other user that would have shell access to the boxes would be our security administrator. Aaron -----Original Message----- From: Richard Megginson [mailto:rmeggins at redhat.com] Sent: Sunday, January 15, 2006 4:51 PM To: General discussion list for the Fedora Directory server project. Cc: Bliss, Aaron Subject: Re: [Fedora-directory-users] RE: some questions on using ssl with fds Bliss, Aaron wrote: >I'm happy to report that I got things working. As noted in my slapd >log file, > >[15/Jan/2006:15:32:05 -0500] - Fedora-Directory/1.0.1 B2005.342.165 >starting up >[15/Jan/2006:15:32:05 -0500] - slapd started. Listening on All >Interfaces port >389 for LDAP requests >[15/Jan/2006:15:32:05 -0500] - Listening on All Interfaces port 636 for >LDAPS re Quests > >After following document listed below under section labeled starting >the directory server with ssl enabled, both servers are accepting >requests on 389 and 636. > Excellent. >I have a question though; how much of a security threat would it pose >if I used a password file to start the directory server automatically? > > That depends - how secure is your machine? >Thanks very much to the fds developers, mailing list users and the >designers of documentation. 
> >Aaron > >-----Original Message----- >From: Bliss, Aaron >Sent: Sunday, January 15, 2006 2:26 PM >To: 'General discussion list for the Fedora Directory server project.' >Subject: RE: some questions on using ssl with fds > >I believe that I'm very close to getting this to work for me. This is >what I've done: > >1. created my own CA certificate by running this openssl req -new -x509 >-keyout private/cakey.pem -out cacert.pem > >2. using the gui, I followed the steps listed here >http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1085091 >under Obtaining and Installing server certificates, including the step >4 marked Trust the certificate authority. Everything to this point >looks great; on each directory server the server certificates look fine >including verifying that my new CA is listed and verified under the CA >certs tab. > >I believe at this point that each directory server will inherently >trust each other's server certificate, as their own certificates were >signed by my own CA. Is this true? If so, can someone tell me what >the next step is to enable ssl replication between the 2 directory >servers as well as secure client authentication? Thanks very much. > >Aaron > > >-----Original Message----- >From: Bliss, Aaron >Sent: Friday, January 13, 2006 10:26 PM >To: General discussion list for the Fedora Directory server project. >Subject: some questions on using ssl with fds > >These are some basic questions that I'm sure you guys will know how to >answer straight away. Please forgive my ignorance, as I'm still trying >to understand how ssl works and how to get it to work in fds both for >my directory servers and clients. First some background information. >I have 2 directory servers and several client servers. My goal is to >get the directory servers to replicate using an encrypted link (they >are currently replicating great using standard ldap port. My second >goal is to have the client servers authenticate to the directory >servers using ssl. 
I currently do not have a CA in my organization, >and would like to use self signed keys to achieve goals listed above. >I'm trying to understand how this is supposed to work; I took a look at >the howto >www.redhat.com/docs/manuals/dir-sever/ag/7.1/ssl.html#1087158 and have >just a few questions. > >Correct me if I'm wrong, but the way this will work is that I will >first create a CA cert on directory server A (step 6), generate server >certificate (step 7). Next step will be to export the CA cert and >import into directory server B. > >1. When creating the server cert at step 6, what are the appropriate >values for the -n and -s switches, assuming that my company is named >company.org. > >2. When creating the server certificate at step 7, what are the >appropriate values with the -n, -s and -c switches? > >3. What are the switches to use to export the CA certificate using the >certutil as well as the appropriate switches to import this certificate >on another server. > >4. Is it true that after importing the CA cert into directory server B >and generating a server certificate on this server, the 2 directory >servers will inherently trust each other as their server certificates >were generated from the same CA certificate? If so, I believe that I >will then be able to create a replication link between the 2 directory >servers over an ssl link? > >5. How do I configure the client servers to use ldaps? Do I need to >generate server certificates for each box? If so, where are these >certificates stored on the client servers. Thanks very much for your >help with this. > >Aaron > >www.preferredcare.org >"An Outstanding Member Experience," Preferred Care HMO Plans -- J. D. >Power and Associates > >Confidentiality Notice: >The information contained in this electronic message is intended for the exclusive use of the individual or entity named above and may contain privileged or confidential information. 
If the reader of this message is not the intended recipient or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that dissemination, distribution or copying of this information is prohibited. If you have received this communication in error, please notify the sender immediately by telephone and destroy the copies you received. > > >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users > > www.preferredcare.org "An Outstanding Member Experience," Preferred Care HMO Plans -- J. D. Power and Associates Confidentiality Notice: The information contained in this electronic message is intended for the exclusive use of the individual or entity named above and may contain privileged or confidential information. If the reader of this message is not the intended recipient or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that dissemination, distribution or copying of this information is prohibited. If you have received this communication in error, please notify the sender immediately by telephone and destroy the copies you received. From rmeggins at redhat.com Sun Jan 15 22:03:57 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Sun, 15 Jan 2006 15:03:57 -0700 Subject: [Fedora-directory-users] RE: some questions on using ssl with fds In-Reply-To: References: Message-ID: <43CAC6CD.9000206@redhat.com> Bliss, Aaron wrote: >I would say the machines are pretty locked down; I've ran the bastille >scripts against them, used CIS scoring tool to lock them down even more >and they are of course behind our dmz....Normal users would never get a >direct shell on the directory servers; the only other user that would >have shell access to the boxes would be our security administrator. > > Then it's probably ok, but an HSM would be better if you can afford it. 
>Aaron > >-----Original Message----- >From: Richard Megginson [mailto:rmeggins at redhat.com] >Sent: Sunday, January 15, 2006 4:51 PM >To: General discussion list for the Fedora Directory server project. >Cc: Bliss, Aaron >Subject: Re: [Fedora-directory-users] RE: some questions on using ssl >with fds > >Bliss, Aaron wrote: > > > >>I'm happy to report that I got things working. As noted in my slapd >>log file, >> >>[15/Jan/2006:15:32:05 -0500] - Fedora-Directory/1.0.1 B2005.342.165 >>starting up >>[15/Jan/2006:15:32:05 -0500] - slapd started. Listening on All >>Interfaces port >>389 for LDAP requests >>[15/Jan/2006:15:32:05 -0500] - Listening on All Interfaces port 636 for >> >> > > > >>LDAPS re Quests >> >>After following document listed below under section labeled starting >>the directory server with ssl enabled, both servers are accepting >>requests on 389 and 636. >> >> >> >Excellent. > > > >>I have a question though; how much of a security threat would it pose >>if I used a password file to start the directory server automatically? >> >> >> >> >That depends - how secure is your machine? > > > >>Thanks very much to the fds developers, mailing list users and the >>designers of documentation. >> >>Aaron >> >>-----Original Message----- >>From: Bliss, Aaron >>Sent: Sunday, January 15, 2006 2:26 PM >>To: 'General discussion list for the Fedora Directory server project.' >>Subject: RE: some questions on using ssl with fds >> >>I believe that I'm very close to getting this to work for me. This is >>what I've done: >> >>1. created my own CA certificate by running this openssl req -new -x509 >> >> > > > >>-keyout private/cakey.pem -out cacert.pem >> >>2. using the gui, I followed the steps listed here >>http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1085091 >>under Obtaining and Installing server certificates, including the step >>4 marked Trust the certificate authority. 
Everything to this point >>looks great; on each directory server the server certificates look fine >> >> > > > >>including verifying that my new CA is listed and verified under the CA >>certs tab. >> >>I believe at this point that each directory server will inherently >>trust each other's server certificate, as their own certificates were >>signed by my own CA. Is this true? If so, can someone tell me what >>the next step is to enable ssl replication between the 2 directory >>servers as well as secure client authentication? Thanks very much. >> >>Aaron >> >> >>-----Original Message----- >>From: Bliss, Aaron >>Sent: Friday, January 13, 2006 10:26 PM >>To: General discussion list for the Fedora Directory server project. >>Subject: some questions on using ssl with fds >> >>These are some basic questions that I'm sure you guys will know how to >>answer straight away. Please forgive my ignorance, as I'm still trying >> >> > > > >>to understand how ssl works and how to get it to work in fds both for >>my directory servers and clients. First some background information. >>I have 2 directory servers and several client servers. My goal is to >>get the directory servers to replicate using an encrypted link (they >>are currently replicating great using standard ldap port. My second >>goal is to have the client servers authenticate to the directory >>servers using ssl. I currently do not have a CA in my organization, >>and would like to use self signed keys to achieve goals listed above. >>I'm trying to understand how this is supposed to work; I took a look at >> >> > > > >>the howto >>www.redhat.com/docs/manuals/dir-sever/ag/7.1/ssl.html#1087158 and have >>just a few questions. >> >>Correct me if I'm wrong, but the way this will work is that I will >>first create a CA cert on directory server A (step 6), generate server >>certificate (step 7). Next step will be to export the CA cert and >>import into directory server B. >> >>1. 
When creating the server cert at step 6, what are the appropriate >>values for the -n and -s switches, assuming that my company is named >>company.org. >> >>2. When creating the server certificate at step 7, what are the >>appropriate vaules with the -n, -s and -c switches? >> >>3. What are the switches to use to export the CA certificate using the >>certutil as well as the appropriate switches to import this certificate >> >> > > > >>on another server. >> >>4. Is it true that after importing the CA cert into directory server B >>and generating a server certificate on this server, the 2 directory >>servers will inherently trust each other as their server certificates >>were generated from the same CA certificate? If so, I believe that I >>will then be able to create a replication link between the 2 directory >>servers over a ssl link? >> >>5. How do I configure the client servers to use ldaps? Do I need to >>generate server certificates for each box? If so, where are these >>certificates stored on the client servers. Thanks very much for your >>help with this. >> >>Aaron >> >>www.preferredcare.org >>"An Outstanding Member Experience," Preferred Care HMO Plans -- J. D. >>Power and Associates >> >>Confidentiality Notice: >>The information contained in this electronic message is intended for >> >> >the exclusive use of the individual or entity named above and may >contain privileged or confidential information. If the reader of this >message is not the intended recipient or the employee or agent >responsible to deliver it to the intended recipient, you are hereby >notified that dissemination, distribution or copying of this information >is prohibited. If you have received this communication in error, please >notify the sender immediately by telephone and destroy the copies you >received. 
> > >>-- >>Fedora-directory-users mailing list >>Fedora-directory-users at redhat.com >>https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> >> >> > >www.preferredcare.org >"An Outstanding Member Experience," Preferred Care HMO Plans -- J. D. Power and Associates > >Confidentiality Notice: >The information contained in this electronic message is intended for the exclusive use of the individual or entity named above and may contain privileged or confidential information. If the reader of this message is not the intended recipient or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that dissemination, distribution or copying of this information is prohibited. If you have received this communication in error, please notify the sender immediately by telephone and destroy the copies you received. > > > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Sun Jan 15 22:04:55 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Sun, 15 Jan 2006 15:04:55 -0700 Subject: [Fedora-directory-users] Howto Map the certificate's distinguished name to a distinguished name known by your directory In-Reply-To: References: Message-ID: <43CAC707.4080105@redhat.com> You might find this informative - http://directory.fedora.redhat.com/wiki/Howto:CertMapping Bliss, Aaron wrote: >I have replication working over ssl using simple authentication, however >I would like to have this working using certificate based >authentication. According to this doc >http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1087158 >under the section marked setting up certificate based authentication, it >is necessary to map the certificate's distinguished name to a >distinguished name known by your directory. 
This makes sense, as you >must be able to tell the server your connecting to how much access you >have to the destination directory. This corresponds to the error that I >get when attempting to initiate replication over a certificate based ssl >replication link "LDAP error: Invalid credentials. Error Code: 49" I >believe this will work when I'm able to map the certs dn to a dn in the >directory. Does anyone know how to do this, or can you point me to some >documentation? Thanks again for your help. > >Aaron > >www.preferredcare.org >"An Outstanding Member Experience," Preferred Care HMO Plans -- J. D. Power and Associates > >Confidentiality Notice: >The information contained in this electronic message is intended for the exclusive use of the individual or entity named above and may contain privileged or confidential information. If the reader of this message is not the intended recipient or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that dissemination, distribution or copying of this information is prohibited. If you have received this communication in error, please notify the sender immediately by telephone and destroy the copies you received. > > >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From markmc at redhat.com Mon Jan 16 08:43:53 2006 From: markmc at redhat.com (Mark McLoughlin) Date: Mon, 16 Jan 2006 08:43:53 +0000 Subject: [Fedora-directory-users] Samba & Fedora Directory Server Integration In-Reply-To: <1137286706.5471.22.camel@wzowski.duraflex-politex.com> References: <1137286706.5471.22.camel@wzowski.duraflex-politex.com> Message-ID: <1137401034.3687.17.camel@blaa> On Sat, 2006-01-14 at 18:58 -0600, Oscar A. 
Valdez wrote:
> I've followed the Samba & Fedora Directory Server Integration How-To
> located at http://directory.fedora.redhat.com/wiki/Howto:Samba , and I'm
> about to upload my user accounts into the DS. I have two questions
> before I proceed, though:
>
> 1) At the end of the How-To, a "testuser" is added to the Samba server
> with the "smbpasswd -a" command. Wouldn't the DS make the user accounts
> visible to the Samba server, making it unnecessary to add them via
> smbpasswd? If it's really necessary to add the accounts via smbpasswd,
> then the DS isn't really a backend to the Samba Server: they would be
> acting in parallel.

Yeah, it sucks.

One of the main issues is that for SMB authentication each user's password needs to be stored in LM and NT formats in the sambaNTPassword and sambaLMPassword attributes. So, when the user sets its password, some code needs to have access to the plaintext password and translate it into LM and NT format. The easiest way is to use smbpasswd, but you could use your own code to set the password in all formats at once .... or, I'm sure you could write a fedora-ds plugin which would save the password in those formats whenever it is set.

But it doesn't end there. Even just for SMB authentication, there are other attributes which smbpasswd manages and there's a lot of voodoo involved.

To give you an idea of the kind of stuff you need to do in order to not use smbpasswd, see the code below. I wish I could explain the code in detail, but I've forgotten a lot of the details.

Cheers,
Mark.

...
#
# Copyright (C) 2006 Red Hat, Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
#

# Imports the excerpt below relies on (Python 2, python-ldap and pycrypto).
import array
import commands
import ldap
from Crypto.Hash import MD4
from Crypto.Cipher import DES

SAMBA_RID_MULTIPLIER = 2
SAMBA_RID_BASE = 1000
SAMBA_USER_RID_TYPE = 0x0
SAMBA_USER_GID_TYPE = 0x1
SAMBA_LM_HASH_MAGIC = "KGS!@#$%"

...

    def _get_machine_sid (self):
        # Cache the local machine SID reported by "net getlocalsid".
        if self.machine_sid is not None:
            return self.machine_sid

        output = commands.getoutput ("net getlocalsid")
        for line in output.split ("\n"):
            if line.startswith ("SID for domain"):
                parts = line.split (":")
                if len (parts) >= 2:
                    self.machine_sid = parts[1].strip ()
                    break

        return self.machine_sid

    def _get_user_sid (self, uid):
        # User RID = uid * 2 + 1000 (even), appended to the machine SID.
        machine_sid = self._get_machine_sid ()
        user_rid = ((uid * SAMBA_RID_MULTIPLIER) + SAMBA_RID_BASE) | SAMBA_USER_RID_TYPE
        return machine_sid + "-" + str (user_rid)

    def _get_group_sid (self, gid):
        # Group RID = gid * 2 + 1000 with the low bit set (odd).
        machine_sid = self._get_machine_sid ()
        group_rid = ((gid * SAMBA_RID_MULTIPLIER) + SAMBA_RID_BASE) | SAMBA_USER_GID_TYPE
        return machine_sid + "-" + str (group_rid)

    def add_user_attributes (self, username, uid, gid, password):
        def get_nt_password (plaintext):
            # NT hash: MD4 over the UTF-16LE password, upper-case hex.
            nt_hash = MD4.new ()
            nt_hash.update (plaintext.encode ("utf-16-le"))
            return nt_hash.hexdigest ().upper ()

        def get_lm_password (plaintext):
            def lm_hash (pw7):
                # Upper-case the 7-character half, encode it as CP850 and
                # zero-pad it to exactly 7 bytes.
                a7 = array.array ("B", pw7.upper ().encode ("850"))
                while len (a7) < 7:
                    a7.append (0)

                # Spread the 56 key bits over 8 bytes, 7 bits each ...
                a8 = array.array ("B")
                a8.append ( a7[0] >> 1 )
                a8.append (((a7[0] & 0x01) << 6) | (a7[1] >> 2))
                a8.append (((a7[1] & 0x03) << 5) | (a7[2] >> 3))
                a8.append (((a7[2] & 0x07) << 4) | (a7[3] >> 4))
                a8.append (((a7[3] & 0x0F) << 3) | (a7[4] >> 5))
                a8.append (((a7[4] & 0x1F) << 2) | (a7[5] >> 6))
                a8.append (((a7[5] & 0x3F) << 1) | (a7[6] >> 7))
                a8.append ( a7[6] & 0x7F )

                # ... leaving the low (parity) bit of every key byte clear.
                for i in range (8):
                    a8[i] <<= 1

                # Each half is a DES key used to encrypt the fixed magic string.
                ciph = DES.new (a8.tostring ()).encrypt (SAMBA_LM_HASH_MAGIC)
                return ciph.encode ("hex").upper ()

            return lm_hash (plaintext[0:7]) + lm_hash (plaintext[7:14])

        samba_user_sid = self._get_user_sid (uid)
        samba_group_sid = self._get_group_sid (gid)
        nt_password = get_nt_password (password)
        lm_password = get_lm_password (password)

        directory.add_samba_user_attributes (username, samba_user_sid, samba_group_sid, nt_password, lm_password)

...

    def add_samba_user_attributes (self, username, samba_user_sid, samba_group_sid, nt_password, lm_password):
        ldap_connection = self.get_ldap_connection ()
        user_suffix = self.get_user_suffix ()

        # Add the sambaSamAccount objectclass and its attributes to the
        # existing posixAccount entry in one modify operation.
        ldap_connection.modify_s ("uid=%s,%s" % (username, user_suffix),
                                  [ ( ldap.MOD_ADD, "objectClass", [ "sambaSamAccount" ] ),
                                    ( ldap.MOD_ADD, "sambaSID", [ samba_user_sid ] ),
                                    ( ldap.MOD_ADD, "sambaPrimaryGroupSID", [ samba_group_sid ] ),
                                    ( ldap.MOD_ADD, "sambaNTPassword", [ nt_password ] ),
                                    ( ldap.MOD_ADD, "sambaLMPassword", [ lm_password ] ) ])

...

From hyc at symas.com Mon Jan 16 17:11:07 2006
From: hyc at symas.com (Howard Chu)
Date: Mon, 16 Jan 2006 09:11:07 -0800
Subject: [Fedora-directory-users] Re:Samba & Fedora Directory Server Integration
In-Reply-To: <20060116170007.5B7FE73BFE@hormel.redhat.com>
References: <20060116170007.5B7FE73BFE@hormel.redhat.com>
Message-ID: <43CBD3AB.9030602@symas.com>

fedora-directory-users-request at redhat.com wrote:
> From: Mark McLoughlin
> Subject: Re: [Fedora-directory-users] Samba & Fedora Directory Server
> Integration
>
> Yeah, it sucks.
>
> One of the main issues is that for SMB authentication each user's
> password needs to be stored in LM and NT formats in the sambaNTPassword
> and sambaLMPassword attributes. So, when the user sets its password, some
> code needs to have access to the plaintext password and translate it
> into LM and NT format. The easiest way is to use smbpasswd, but you
> could use your own code to set the password in all formats at once ....
> or, I'm sure you could write a fedora-ds plugin which would save the
> password in those formats whenever it is set.
>
> But it doesn't end there. Even just for SMB authentication, there are
> other attributes which smbpasswd manages and there's a lot of voodoo
> involved.
>
> To give you an idea of the kind of stuff you need to do in order to not
> use smbpasswd, see the code below. I wish I could explain the code in
> detail, but I've forgotten a lot of the details.
>
Sure it's tedious, but it's not so bad. The OpenLDAP smbk5pwd module that I wrote handles it easily enough, and I've written a SLAPI plugin (written for SunONE, probably works fine on Fedora-DS but untested as yet) that does pretty much the same.

--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/

From hartmut.woehrle at mail.pcom.de Mon Jan 16 19:03:27 2006
From: hartmut.woehrle at mail.pcom.de (Hartmut Wöhrle)
Date: Mon, 16 Jan 2006 20:03:27 +0100
Subject: [Fedora-directory-users] Winsync: UIDs
In-Reply-To: <43C6C482.8020202@boreham.org>
References: <200601122126.34481.hartmut.woehrle@mail.pcom.de> <43C6C482.8020202@boreham.org>
Message-ID: <200601162003.28291.hartmut.woehrle@mail.pcom.de>

On Thursday 12 January 2006 22:05, David Boreham wrote:
> Hartmut Wöhrle wrote:
> >Hello everyone,
> >
> >I have a question connected with Winsync from Windows NT.
> >When I do the replication (works fine now!) I receive all Users and the
> > uids in capital letters. Now I want to change them into lower case.
> >ldapmodify refuses to change, and when I try to change it by the gui (not
> > the best way with about 2000 users.... but ok for a test :) , I get the
> > message "Unknown error with naming attribute" and in addition the entrydn
> > and the uid were changed, but the
> >dn: uid=....
>
> Hi, this sounds interesting.
> I think it may be simply passing through
> the character case it gets from NT.
>
> The reason you can't change the uid value is that it's part of the DN (a
> distinguished attribute).
> If you changed it you'd be changing the DN which is equivalent to
> renaming the entry, and that
> has to be done with the MODDN LDAP operation rather than the regular MOD
> operation.

Ok, that gave me a hint. I saw in the Advanced Properties that the naming attribute was set to uid=myname and this is the first entry of the dn. Ok so I changed (via gui to test) the naming attribute to the cn value. Now I was able to change the uid entry to lower case and then switch back the naming attribute to uid. Now the new dn contains the new - lower case - uid.

But how do I change the naming attribute in ldapmodify? In the logs I see that there is an entry:

[16/Jan/2006:18:36:14 +0100] conn=20 op=17 MODRDN dn="uid=NSogehts,ou=People, dc=daheim,dc=weil" newrdn="cn=Nur Sogehts" newsuperior="(null)"

which is the switch for dn: uid -> cn and

[16/Jan/2006:18:36:59 +0100] conn=20 op=42 MODRDN dn="cn=Nur Sogehts,ou=People, dc=daheim,dc=weil" newrdn="uid=nsogehts" newsuperior="(null)"

the switch back dn: cn -> uid

so now is the entry something like this?

dn: uid=NSogehts,ou=People,dc=daheim,dc=weil
changetype: modify
replace: newrdn
newrdn: cn=Nur Sogehts
-

>
> To be honest I'm not sure what will happen if you change the uid
> attribute on the FDS side.
> It may still confuse the sync code. Perhaps we should understand a)
> where exactly the upper case
> is coming from and b) if and how it can be fixed in the sync code or in
> NTDS.

No. It seems I can go the following way:
- change naming attribute uid -> cn
- change uid to lower case
- change naming attribute back cn -> uid

>
> I wonder if you could post a complete example entry here (the LDIF) please
> ?
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

--
===========================================
Hartmut Woehrle
EMail: hartmut.woehrle at mail.pcom.de

From oscar.valdez at duraflex-politex.com Tue Jan 17 00:01:04 2006
From: oscar.valdez at duraflex-politex.com (Oscar A. Valdez)
Date: Mon, 16 Jan 2006 18:01:04 -0600
Subject: [Fedora-directory-users] Samba & Fedora Directory Server Integration
In-Reply-To: <1137305332.31384.9.camel@lin-workstation.azapple.com>
References: <1137286706.5471.22.camel@wzowski.duraflex-politex.com> <1137305332.31384.9.camel@lin-workstation.azapple.com>
Message-ID: <1137456066.3933.23.camel@wzowski.duraflex-politex.com>

On Sat, 14-01-2006 at 23:08 -0700, Craig White wrote:
> On Sat, 2006-01-14 at 18:58 -0600, Oscar A. Valdez wrote:
> > I've followed the Samba & Fedora Directory Server Integration How-To
> > located at http://directory.fedora.redhat.com/wiki/Howto:Samba , and I'm
> > about to upload my user accounts into the DS. I have two questions
> > before I proceed, though:
> >
> > 1) At the end of the How-To, a "testuser" is added to the Samba server
> > with the "smbpasswd -a" command. Wouldn't the DS make the user accounts
> > visible to the Samba server, making it unnecessary to add them via
> > smbpasswd? If it's really necessary to add the accounts via smbpasswd,
> > then the DS isn't really a backend to the Samba Server: they would be
> > acting in parallel.
> > > > 2) The section on ldapsam of "The Official Samba-3 HOWTO and Reference > > Guide" > > (http://us4.samba.org/samba/docs/man/Samba3-HOWTO/passdb.html#id2559672) > > mentions quite a few attributes for the sambaSamAccount ObjectClass, > > such as sambaLogonTime, sambaLMPassword, sambaPrimaryGroupSID, > > sambaAcctFlags, logoffTime, sambaKickoffTime, sambaPwdLastSet, sambaSID, > > sambaPwdCanChange, sambaPwdMustChange, and sambaNTPassword, that are not > > present in the ldif files generated by the openldap migrate_passwd.pl > > script recommended by the How-To. How should these attributes be added, > > if one follows the How-To? > ---- > In general, the administrator is responsible for the client tools used > to create attributes for LDAP dn's > > If you are going to use a tool like the PADL migration tool > (migrate_passwd.pl), obviously you aren't going to get attributes beyond > the posixAccount stuff. Samba has some tools - smbldap-tools which can > attributes for the samba-schema and then there are some other tools such > as GQ, phpldapadmin, LAM and Webmin which can do a wide variety of LDAP > entry. > > Just guessing at what you are trying to accomplish (taking an > existing /etc/passwd - list and importing it into LDAP while inserting > necessary samba attributes simultaneously...I would suggest that you use > Webmin's LDAP Users and Groups which does have mass importing and is > capable of adding a 'pre-configured' samba-schema attributes. Thanks for your response. I'm going to read the "SMB LDAP PDC Howto" found at http://samba.idealx.org/samba-ldap-howto.pdf. It's by the folks who put together the smbldap-tools. In the future, I would like to be able to create user account in the DS, and have it automatically create the samba-schema attributes. Does this sound feasible? -- Oscar A. Valdez From oscar.valdez at duraflex-politex.com Tue Jan 17 15:00:26 2006 From: oscar.valdez at duraflex-politex.com (Oscar A. 
Valdez)
Date: Tue, 17 Jan 2006 09:00:26 -0600
Subject: [Fedora-directory-users] Samba & Fedora Directory Server Integration
In-Reply-To: <1137456066.3933.23.camel@wzowski.duraflex-politex.com>
References: <1137286706.5471.22.camel@wzowski.duraflex-politex.com> <1137305332.31384.9.camel@lin-workstation.azapple.com> <1137456066.3933.23.camel@wzowski.duraflex-politex.com>
Message-ID: <1137510027.3874.4.camel@wzowski.duraflex-politex.com>

On Mon, 16-01-2006 at 18:01 -0600, Oscar A. Valdez wrote:
> On Sat, 14-01-2006 at 23:08 -0700, Craig White wrote:
> > In general, the administrator is responsible for the client tools used
> > to create attributes for LDAP dn's
> >
> > If you are going to use a tool like the PADL migration tool
> > (migrate_passwd.pl), obviously you aren't going to get attributes beyond
> > the posixAccount stuff. Samba has some tools - smbldap-tools which can
> > attributes for the samba-schema and then there are some other tools such
> > as GQ, phpldapadmin, LAM and Webmin which can do a wide variety of LDAP
> > entry.
> >
> > Just guessing at what you are trying to accomplish (taking an
> > existing /etc/passwd - list and importing it into LDAP while inserting
> > necessary samba attributes simultaneously...I would suggest that you use
> > Webmin's LDAP Users and Groups which does have mass importing and is
> > capable of adding a 'pre-configured' samba-schema attributes.
>
> Thanks for your response. I'm going to read the "SMB LDAP PDC Howto"
> found at http://samba.idealx.org/samba-ldap-howto.pdf. It's by the folks
> who put together the smbldap-tools.

Just a word of caution: the above URI points to a Samba 2.2.4 LDAP PDC Howto. An updated Samba 3.0 LDAP Howto is at http://samba.idealx.org/dist/samba3-ldap-howto.pdf

--
Oscar A. Valdez

From oscar.valdez at duraflex-politex.com Tue Jan 17 15:08:37 2006
From: oscar.valdez at duraflex-politex.com (Oscar A.
Valdez)
Date: Tue, 17 Jan 2006 09:08:37 -0600
Subject: [Fedora-directory-users] Samba & Fedora Directory Server Integration
In-Reply-To: <43C9E77F.40308@babel.com.au>
References: <1137286706.5471.22.camel@wzowski.duraflex-politex.com> <43C9E77F.40308@babel.com.au>
Message-ID: <1137510518.3874.13.camel@wzowski.duraflex-politex.com>

On Sun, 15-01-2006 at 17:11 +1100, Del wrote:
> Oscar A. Valdez wrote:
> > 2) The section on ldapsam of "The Official Samba-3 HOWTO and Reference
> > Guide"
> > (http://us4.samba.org/samba/docs/man/Samba3-HOWTO/passdb.html#id2559672)
> > mentions quite a few attributes for the sambaSamAccount ObjectClass,
> > such as sambaLogonTime, sambaLMPassword, sambaPrimaryGroupSID,
> > sambaAcctFlags, logoffTime, sambaKickoffTime, sambaPwdLastSet, sambaSID,
> > sambaPwdCanChange, sambaPwdMustChange, and sambaNTPassword, that are not
> > present in the ldif files generated by the openldap migrate_passwd.pl
> > script recommended by the How-To. How should these attributes be added,
> > if one follows the How-To?
>
> /usr/share/doc/samba-*/LDAP/samba.schema (or wherever your Samba
> documentation is installed on your distro).
>
> Either create the attributes manually, or use the ol-schema-migrate.pl
> script in the FDS wiki to convert it to a FDS compatible schema file,
> and then install it into your /opt/fedora-ds/slapd-`hostname -s`/config/schema/
> directory as 61samba.ldif

Thanks for your response. I've already converted the schema file and placed it at /opt/fedora-ds/slapd-/config/schema/61samba.ldif.

More precisely, how should these attributes be populated with data, following the Howto? I'm looking into the smbldap-tools from Idealx, because I prefer a single step to the two steps proposed by the Howto: smbpasswd and ldif import.

--
Oscar A.
Valdez From craigwhite at azapple.com Tue Jan 17 15:18:54 2006 From: craigwhite at azapple.com (Craig White) Date: Tue, 17 Jan 2006 08:18:54 -0700 Subject: [Fedora-directory-users] Samba & Fedora Directory Server Integration In-Reply-To: <1137510518.3874.13.camel@wzowski.duraflex-politex.com> References: <1137286706.5471.22.camel@wzowski.duraflex-politex.com> <43C9E77F.40308@babel.com.au> <1137510518.3874.13.camel@wzowski.duraflex-politex.com> Message-ID: <1137511134.1963.11.camel@lin-workstation.azapple.com> On Tue, 2006-01-17 at 09:08 -0600, Oscar A. Valdez wrote: > El dom, 15-01-2006 a las 17:11 +1100, Del escribi?: > > Oscar A. Valdez wrote: > > > 2) The section on ldapsam of "The Official Samba-3 HOWTO and Reference > > > Guide" > > > (http://us4.samba.org/samba/docs/man/Samba3-HOWTO/passdb.html#id2559672) > > > mentions quite a few attributes for the sambaSamAccount ObjectClass, > > > such as sambaLogonTime, sambaLMPassword, sambaPrimaryGroupSID, > > > sambaAcctFlags, logoffTime, sambaKickoffTime, sambaPwdLastSet, sambaSID, > > > sambaPwdCanChange, sambaPwdMustChange, and sambaNTPassword, that are not > > > present in the ldif files generated by the openldap migrate_passwd.pl > > > script recommended by the How-To. How should these attributes be added, > > > if one follows the How-To? > > > > /usr/share/doc/samba-*/LDAP/samba.schema (or wherever your Samba > > documentation is installed on your distro). > > > > Either create the attributes manually, or use the ol-schema-migrate.pl > > script in the FDS wiki to convert it to a FDS compatible schema file, > > and then install it into your /opt/fedora-ds/slapd-`hostname -s`/config/schema/ > > directory as 61samba.ldif > > Thanks for your response. I've already converted the schema file and > placed it at /opt/fedora-ds/slapd-/config/schema/61samba.ldif. > > More precisely, how should these attributes be populated with data, > following the Howto? 
I'm looking into the smbldap-tools from Idealx, > because I prefer a single step to the two steps proposed by the Howto: > smbpasswd and ldif import. ---- smbldap-tools by Idealx should be installed and configured. The tool suggested in official Samba documentation is the Microsoft tool - User manager for Domains which is downloadable from Microsoft - see the samba documentation. This tool requires smbldap-tools from Idealx to be installed and properly configured. I previously suggested...and would still highly recommend you use a tool such as: Webmin or LAM for adding users as you can template create users and automatically assign virtually all posixAccount and sambaSamAccount attributes. Craig From mmontgomery at theplanet.com Tue Jan 17 21:00:11 2006 From: mmontgomery at theplanet.com (Michael Montgomery) Date: Tue, 17 Jan 2006 15:00:11 -0600 Subject: [Fedora-directory-users] Nis Netgroups and access.conf not quite working as advertised. In-Reply-To: <1137088630.13266.3.camel@localhost> References: <1136845337.21197.32.camel@localhost> <43C46AF0.2030000@wep.net> <1137088630.13266.3.camel@localhost> Message-ID: <1137531611.20282.1.camel@localhost> If anybody is curious how to get subdomains working, you can 'trick' this to work by defining the triple this way: (ldap02.inside, , exampledomain.com) instead of this: (ldap02, , inside.exampledomain.com) This appears to allow this to work. Hope this helps. From rmeggins at redhat.com Tue Jan 17 21:09:05 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Tue, 17 Jan 2006 14:09:05 -0700 Subject: [Fedora-directory-users] Nis Netgroups and access.conf not quite working as advertised. In-Reply-To: <1137531611.20282.1.camel@localhost> References: <1136845337.21197.32.camel@localhost> <43C46AF0.2030000@wep.net> <1137088630.13266.3.camel@localhost> <1137531611.20282.1.camel@localhost> Message-ID: <43CD5CF1.2020502@redhat.com> Thanks! 
I've updated http://directory.fedora.redhat.com/wiki/Howto:Netgroups

From logastellus at yahoo.com Tue Jan 17 21:20:35 2006
From: logastellus at yahoo.com (Susan)
Date: Tue, 17 Jan 2006 13:20:35 -0800 (PST)
Subject: [Fedora-directory-users] access denied to replication agreement after mmr.pl
In-Reply-To: <43CD5CF1.2020502@redhat.com>
Message-ID: <20060117212035.41353.qmail@web52907.mail.yahoo.com>

Hi, all, a quick question. I ran mmr.pl (http://www.netauth.com/~jacksonm/ldap/mmr.pl), it worked fine.
However, when I bring up the console now and click on the replication agreement to see the details,
it's saying that uid=admin is denied access and no password works to get in. I must be missing an
ACI somewhere, can anybody point me in the right direction?

Thank you.

From samjohnlbt at yahoo.com Wed Jan 18 00:15:32 2006
From: samjohnlbt at yahoo.com (Sam John)
Date: Tue, 17 Jan 2006 16:15:32 -0800 (PST)
Subject: [Fedora-directory-users] Debug Level 2 is not working
Message-ID: <20060118001532.39741.qmail@web37007.mail.mud.yahoo.com>

The debug level option -d2 is supposed to give packet level debug information.
However, I am not getting any logs when I try to authenticate a client machine using LDAP server.

[root at server server]# ./ns-slapd -D /opt/fedora-ds/slapd-server -i /opt/fedora-ds/slapd-server/logs/pid -w /opt/fedora-ds/slapd-server/logs/startpid -d2
[17/Jan/2006:17:06:35 -0700] Fedora-Directory/1.0.1 - debug level: packets (2)
[17/Jan/2006:17:06:35 -0700] - Fedora-Directory/1.0.1 B2005.342.165 starting up
[17/Jan/2006:17:06:36 -0700] - slapd started. Listening on All Interfaces port 389 for LDAP requests

I don't get any logs after this, when a client machine tries to authenticate to the LDAP server.

Any help would be greatly appreciated!!!

Thanks
Sam John

From ABliss at preferredcare.org Wed Jan 18 00:46:30 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Tue, 17 Jan 2006 19:46:30 -0500
Subject: [Fedora-directory-users] weird error when querying directory server
Message-ID:

This works great from a redhat 4 box, however from my redhat 3 box I receive the following error:

ldapsearch -x -ZZ '(uid =azb)'
ldap_start_tls: Connect error
        additional info: Start TLS request accepted.Server willing to negotiate SSL.

Relevant entries of /etc/ldap.conf look like this:

pam_password md5
ssl start_tls
ssl on
tls_cacertfile /etc/openldap/cacerts/cacert.pem
tls_cacertdir /etc/openldap/cacerts/

Client has read and execute to the ca certificate.

Relevant entries of /etc/openldap/ldap.conf:

TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT allow

I'm just trying to verify that ssl logins are working from the redhat 3 box; secure logins from the redhat 4 box work fine. Thanks very much for your help.

Aaron
www.preferredcare.org
"An Outstanding Member Experience," Preferred Care HMO Plans -- J. D. Power and Associates

Confidentiality Notice: The information contained in this electronic message is intended for the exclusive use of the individual or entity named above and may contain privileged or confidential information. If the reader of this message is not the intended recipient or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that dissemination, distribution or copying of this information is prohibited. If you have received this communication in error, please notify the sender immediately by telephone and destroy the copies you received.

From ABliss at preferredcare.org Wed Jan 18 01:29:45 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Tue, 17 Jan 2006 20:29:45 -0500
Subject: [Fedora-directory-users] weird error when querying directory server
Message-ID:

All set, not sure why, but changing the line in /etc/openldap/ldap.conf to

TLS_CACERT /etc/openldap/cacerts/cacert.pem

took care of it; thanks again.

Aaron

From rmeggins at redhat.com Wed Jan 18 02:08:30 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 17 Jan 2006 19:08:30 -0700
Subject: [Fedora-directory-users] Debug Level 2 is not working
In-Reply-To: <20060118001532.39741.qmail@web37007.mail.mud.yahoo.com>
References: <20060118001532.39741.qmail@web37007.mail.mud.yahoo.com>
Message-ID: <43CDA31E.1000008@redhat.com>

It appears that is not used anymore. Are you trying to get a tcp dump of the connection?
If so, I recommend tcpdump or ethereal.

Sam John wrote:
> The debug level option -d2 is supposed to give packet level debug
> information. However, I am not getting any logs when I try to
> authenticate a client machine using LDAP server.
>
> [root at server server]# ./ns-slapd -D /opt/fedora-ds/slapd-server -i
> /opt/fedora-ds/slapd-server/logs/pid -w
> /opt/fedora-ds/slapd-server/logs/startpid -d2
> [17/Jan/2006:17:06:35 -0700] Fedora-Directory/1.0.1 - debug level:
> packets (2)
> [17/Jan/2006:17:06:35 -0700] - Fedora-Directory/1.0.1 B2005.342.165
> starting up
> [17/Jan/2006:17:06:36 -0700] - slapd started. Listening on All
> Interfaces port 389 for LDAP requests
>
> I don't get any logs after this, when a client machine tries to
> authenticate to the LDAP server.
>
> Any help would be greatly appreciated!!!
>
> Thanks
> Sam John

From adireks at gmail.com Wed Jan 18 05:46:27 2006
From: adireks at gmail.com (adirek sanyakhuan)
Date: Wed, 18 Jan 2006 12:46:27 +0700
Subject: [Fedora-directory-users] I cannot startconsole
Message-ID: <9fed1320601172146o7a36edbdu9bfb7f95e1caf0be@mail.gmail.com>

After I set up fedora directory, I try startconsole. This is the error:

[root at ldp fedora-ds]# ./startconsole -u admin -a http://ldp.pccp.ac.th:1500/
Exception in thread "main" java.lang.UnsatisfiedLinkError: /usr/java/j2re1.4.2_10/lib/i386/libawt.so: libXp.so.6: cannot open shared object file: No such file or directory
        at java.lang.ClassLoader$NativeLibrary.load(Native Method)
        at java.lang.ClassLoader.loadLibrary0(Unknown Source)
        at java.lang.ClassLoader.loadLibrary(Unknown Source)
        at java.lang.Runtime.loadLibrary0(Unknown Source)
        at java.lang.System.loadLibrary(Unknown Source)
        at sun.security.action.LoadLibraryAction.run(Unknown Source)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.awt.Toolkit.loadLibraries(Unknown Source)
        at java.awt.Toolkit.(Unknown Source)
        at com.sun.java.swing.plaf.windows.WindowsLookAndFeel.initialize(Unknown Source)
        at com.netscape.management.nmclf.SuiLookAndFeel.initialize(Unknown Source)
        at javax.swing.UIManager.setLookAndFeel(Unknown Source)
        at com.netscape.management.client.console.Console.common_init(Unknown Source)
        at com.netscape.management.client.console.Console.(Unknown Source)
        at com.netscape.management.client.console.Console.main(Unknown Source)

How do I do this?

Hope this helps.

From markmc at redhat.com Wed Jan 18 07:38:36 2006
From: markmc at redhat.com (Mark McLoughlin)
Date: Wed, 18 Jan 2006 07:38:36 +0000
Subject: [Fedora-directory-users] weird error when querying directory server
In-Reply-To:
References:
Message-ID: <1137569916.3774.8.camel@blaa>

Hi,
A similar problem was discussed only last week on this list. Check the archives.

On Tue, 2006-01-17 at 19:46 -0500, Bliss, Aaron wrote:
> this works great from a redhat 4 box, however from my redhat 3 box I
> receive the following error:
> ldapsearch -x -ZZ '(uid =azb)'
>
> ldap_start_tls: Connect error
> additional info: Start TLS request accepted.Server willing to
> negotiate SSL.

Use "-d 10" to get more info on the problem.

> relevant entries of /etc/ldap.conf look like this:

/etc/ldap.conf isn't relevant to the OpenLDAP utils. It's only used by nss-ldap and pam-ldap.

> relevant entries of /etc/openldap/ldap.conf
> TLS_CACERTDIR /etc/openldap/cacerts
> TLS_REQCERT allow

Do you have the CA certificate in /etc/openldap/cacerts? Are you using the certificate hash as the filename? i.e. did you do:

$> openssl x509 -noout -hash -in cacert.pem
8c7ad84c
$> cp cacert.pem /etc/openldap/cacerts/8c7ad84c.0

Cheers,
Mark.

From logastellus at yahoo.com Wed Jan 18 13:24:13 2006
From: logastellus at yahoo.com (Susan)
Date: Wed, 18 Jan 2006 05:24:13 -0800 (PST)
Subject: [Fedora-directory-users] I cannot startconsole
In-Reply-To: <9fed1320601172146o7a36edbdu9bfb7f95e1caf0be@mail.gmail.com>
Message-ID: <20060118132413.53693.qmail@web52906.mail.yahoo.com>

Do you have this package installed?

xorg-x11-deprecated-libs

You need it for libXp.so.6

From jw-swdl at glocalnet.com Wed Jan 18 16:15:40 2006
From: jw-swdl at glocalnet.com (James Wilde)
Date: Wed, 18 Jan 2006 17:15:40 +0100
Subject: [Fedora-directory-users] Another console problem
Message-ID: <43CE69AC.5000406@glocalnet.com>

Have not found any directly relevant solutions recently in the mailing list. Hope I'm not duplicating something that's already been answered.

I'm running FDS 101 on RHEL 4. I have run the setup program to install the administration server, and the installation completed with no apparent errors. The setup.log indicates everything is in order and encourages me to start the console.

When I do as it states, cd /opt/fedora-ds then ./startconsole -u admin -a http://myserver.domain.com:1234/ I get a splash screen for the console, including the words 'Please log in...', but no login window. The prompt does not return either from the ./startconsole command until I press Ctrl-C, when the splash screen also disappears.

I have not been able to find any errors recorded in log files.

Any help would be appreciated.
//James

From mj at sci.fi Wed Jan 18 16:18:01 2006
From: mj at sci.fi (Mike Jackson)
Date: Wed, 18 Jan 2006 18:18:01 +0200
Subject: [Fedora-directory-users] Another console problem
In-Reply-To: <43CE69AC.5000406@glocalnet.com>
References: <43CE69AC.5000406@glocalnet.com>
Message-ID: <43CE6A39.1040801@sci.fi>

James Wilde wrote:
> When I do as it states, cd /opt/fedora-ds then ./startconsole -u admin
> -a http://myserver.domain.com:1234/ I get a splash screen for the
> console, including the words 'Please log in...', but no login window.
> The prompt does not return either from ./startconsole command until I
> press Ctrl-C, when the splash screen also disappears.

Hi James,
This is a "known problem", caused by X11 window focus.

Use the following command option:

./startconsole -x nologo &

to bypass the logo screen.

BR,
Mike

From mizzio at sinapto.net Wed Jan 18 16:24:40 2006
From: mizzio at sinapto.net (mizzio)
Date: Wed, 18 Jan 2006 17:24:40 +0100
Subject: [Fedora-directory-users] Another console problem
In-Reply-To: <43CE6A39.1040801@sci.fi>
References: <43CE69AC.5000406@glocalnet.com> <43CE6A39.1040801@sci.fi>
Message-ID: <1137601481.14467.55.camel@mizzim.gmr.mazzucchelli.it>

I was having the same problem, thank you for your help!

mizzio

On Wed, 18/01/2006 at 18.18 +0200, Mike Jackson wrote:
> This is a "known problem", caused by X11 window focus.
>
> Use the following command option:
>
> ./startconsole -x nologo &
>
> to bypass the logo screen.

From prowley at redhat.com Wed Jan 18 16:25:37 2006
From: prowley at redhat.com (Pete Rowley)
Date: Wed, 18 Jan 2006 08:25:37 -0800
Subject: [Fedora-directory-users] Another console problem
In-Reply-To: <43CE69AC.5000406@glocalnet.com>
References: <43CE69AC.5000406@glocalnet.com>
Message-ID: <43CE6C01.5060607@redhat.com>

This is a bug in Java, the login window is behind the splash screen: please use

./startconsole -x nologo

James Wilde wrote:
> When I do as it states, cd /opt/fedora-ds then ./startconsole -u admin
> -a http://myserver.domain.com:1234/ I get a splash screen for the
> console, including the words 'Please log in...', but no login window.

-- 
Pete

From jw-swdl at glocalnet.com Wed Jan 18 16:38:13 2006
From: jw-swdl at glocalnet.com (James Wilde)
Date: Wed, 18 Jan 2006 17:38:13 +0100
Subject: [Fedora-directory-users] Another console problem
In-Reply-To: <43CE69AC.5000406@glocalnet.com>
References: <43CE69AC.5000406@glocalnet.com>
Message-ID: <43CE6EF5.1060105@glocalnet.com>

Thanks to Mike and Pete for the solution. I suspected it was a java problem. Glad it's not.

//James

From logastellus at yahoo.com Wed Jan 18 17:02:22 2006
From: logastellus at yahoo.com (Susan)
Date: Wed, 18 Jan 2006 09:02:22 -0800 (PST)
Subject: [Fedora-directory-users] simple ssl replication
In-Reply-To: <43CE6C01.5060607@redhat.com>
Message-ID: <20060118170222.26729.qmail@web52901.mail.yahoo.com>

Hi, all. Trying to set up replication over SSL, without certificates. In the UI, I said "Simple
Authentication.", gave it the bind dn & password. (The name/pass pair work fine if non-SSL
replication is used.)

Anyway, in the consumer log, I see this:

[18/Jan/2006:11:50:56 -0500] conn=66 fd=72 slot=72 SSL connection from 129.85.70.110 to 129.85.86.65
[18/Jan/2006:11:50:56 -0500] conn=66 op=-1 fd=72 closed - SSL peer cannot verify your certificate.
What's the deal? Why is it trying to verify certs???

On the supplier, I see this:

[18/Jan/2006:11:44:47 -0500] NSMMReplicationPlugin - agmt="cn=main" (cnjldap01:636): Simple bind failed, LDAP sdk error 81 (Can't contact LDAP server), Netscape Portable Runtime error -8054 (unknown)

How come it failed??

From ldragon at freemail.hu Wed Jan 18 16:06:18 2006
From: ldragon at freemail.hu (Little Dragon)
Date: Wed, 18 Jan 2006 17:06:18 +0100 (CET)
Subject: [Fedora-directory-users] Admin Server or Console problem
Message-ID:

Hi,

I have installed fedora-ds-1.0.1-1.FC4.i386.opt.rpm
and SUN java: j2re-1_4_2_10-linux-i586.rpm
Then set the JAVA_HOME env. variable.

After the Typical install the ldapsearch works (I get results).
(ldapsearch -x -h localhost -p 389 -b "o=NetscapeRoot")

But I can not start the console.
startconsole -u admin -a http://vpclinux:1500

I always get the error:
Cannot connect to the Admin Server "http://hostname:1500"
The URL is not correct or the server is not running.

I can see the ns-slapd and httpd.worker processes running
(one ns-slapd and 3 httpd.worker processes are running)

I read all the docs on the web and the FAQ at redhat
(Troubleshooting)
Troubleshooting can not help:
- there is no "admin-serv/config/jvm12.conf" (I created it but
  no effect)
- there is no "/bin/https/bin/start-jvm" file
  so I can not edit it

After 3 days I am out of ideas.

Could anybody help?

TIA,
Laszlo

From rmeggins at redhat.com Wed Jan 18 17:12:04 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 18 Jan 2006 10:12:04 -0700
Subject: [Fedora-directory-users] simple ssl replication
In-Reply-To: <20060118170222.26729.qmail@web52901.mail.yahoo.com>
References: <20060118170222.26729.qmail@web52901.mail.yahoo.com>
Message-ID: <43CE76E4.6000905@redhat.com>

The SSL client (in this case, the replication supplier) still needs to
verify the SSL server (in this case, the replication consumer)
certificate in order for SSL to work. It should be sufficient for the
supplier to have the certificate of the CA that issued the consumer's
certificate in its cert db.

Susan wrote:
> Hi, all. Trying to setup replication over SSL, without certificates. In the UI, I said "Simple
> Authentication.", gave it the bind dn & password.
>
> Anyway, in the consumer log, I see this:
>
> [18/Jan/2006:11:50:56 -0500] conn=66 fd=72 slot=72 SSL connection from 129.85.70.110 to
> 129.85.86.65
> [18/Jan/2006:11:50:56 -0500] conn=66 op=-1 fd=72 closed - SSL peer cannot verify your certificate.
>
> What's the deal? Why is it trying to verify certs???
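An added example, not from this thread or from Fedora DS itself, that reads consumer access-log lines like the ones quoted above and separates connections that died at op=-1 (the TLS handshake never completed, so the bind DN, password and ACIs were never consulted) from connections that closed after a BIND. The sample log is constructed: the conn=66 and conn=22 lines follow the quoted ones, and the conn=23 lines are an assumed successful replication bind.

```python
import re
from collections import Counter

# Constructed sample input, modelled on the consumer access-log lines quoted in
# this thread. The conn=23 lines are an assumption: a supplier whose handshake
# succeeded, bound, and later unbound normally.
SAMPLE_ACCESS_LOG = """\
[18/Jan/2006:11:50:56 -0500] conn=66 fd=72 slot=72 SSL connection from 129.85.70.110 to 129.85.86.65
[18/Jan/2006:11:50:56 -0500] conn=66 op=-1 fd=72 closed - SSL peer cannot verify your certificate.
[18/Jan/2006:13:50:21 -0500] conn=22 fd=65 slot=65 SSL connection from 149.85.70.110 to 149.85.86.65
[18/Jan/2006:13:50:21 -0500] conn=22 op=-1 fd=65 closed - SSL peer cannot verify your certificate.
[18/Jan/2006:13:52:03 -0500] conn=23 fd=66 slot=66 SSL connection from 149.85.70.111 to 149.85.86.65
[18/Jan/2006:13:52:03 -0500] conn=23 op=0 BIND dn="cn=replication manager,cn=config" method=128 version=3
[18/Jan/2006:13:52:03 -0500] conn=23 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[18/Jan/2006:13:55:00 -0500] conn=23 op=1 UNBIND
[18/Jan/2006:13:55:00 -0500] conn=23 op=1 fd=66 closed - U1
"""

# Connection accepted: plain "connection" or "SSL connection".
OPEN_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) fd=\d+ slot=\d+ "
    r"(?P<kind>SSL connection|connection) from (?P<src>\S+) to (?P<dst>\S+)"
)
# First LDAP operation that carries an identity.
BIND_RE = re.compile(r'^\[[^\]]+\] conn=(?P<conn>\d+) op=\d+ BIND dn="(?P<dn>[^"]*)"')
# Connection closed; op=-1 means no LDAP operation was ever received on it.
CLOSE_RE = re.compile(
    r"^\[[^\]]+\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) fd=\d+ closed - (?P<reason>.*?)\.?$"
)


def parse_connections(log_text):
    """Walk the log once and build one record per connection id.

    Records are keyed by conn id, which the server only reuses after a restart;
    a production version should also reset this table on a 'starting up' line.
    """
    conns = {}
    for line in log_text.splitlines():
        m = OPEN_RE.match(line)
        if m:
            conns[m["conn"]] = {
                "conn": int(m["conn"]), "opened": m["ts"],
                "src": m["src"], "dst": m["dst"],
                "ssl": m["kind"] == "SSL connection",
                "bind_dn": None, "close_op": None, "reason": None,
            }
            continue
        m = BIND_RE.match(line)
        if m and m["conn"] in conns:
            conns[m["conn"]]["bind_dn"] = m["dn"]
            continue
        m = CLOSE_RE.match(line)
        if m and m["conn"] in conns:
            conns[m["conn"]]["close_op"] = int(m["op"])
            conns[m["conn"]]["reason"] = m["reason"]
    return list(conns.values())


def classify(rec):
    """Label one connection record.

    'handshake-failed': a TLS connection closed at op=-1 with no BIND, i.e. the
    failure happened in the certificate layer before any LDAP request arrived,
    so bind credentials and ACIs are the wrong place to look.
    """
    if rec["reason"] is None:
        return "open"
    if rec["ssl"] and rec["close_op"] == -1 and rec["bind_dn"] is None:
        return "handshake-failed"
    if rec["bind_dn"] is None:
        return "closed-without-bind"
    return "closed-after-bind"


def ssl_handshake_failures(log_text):
    """Count failed TLS handshakes per (source address, server-side reason)."""
    counts = Counter()
    for rec in parse_connections(log_text):
        if classify(rec) == "handshake-failed":
            counts[(rec["src"], rec["reason"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for (src, reason), n in ssl_handshake_failures(SAMPLE_ACCESS_LOG).items():
        print(f"{src}: {n} failed TLS handshake(s): {reason}")
```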
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Wed Jan 18 17:13:56 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Wed, 18 Jan 2006 10:13:56 -0700 Subject: [Fedora-directory-users] Admin Server or Console problem In-Reply-To: References: Message-ID: <43CE7754.1040905@redhat.com> Little Dragon wrote: >Hi, > >I have installed fedora-ds-1.0.1-1.FC4.i386.opt.rpm >and SUN java: j2re-1_4_2_10-linux-i586.rpm >Then set the JAVA_HOME env. Variable. > >After the Typical install the ldapsearch works (I get results). >(ldapsearch -x -h localhost -p 389 -b "o=NetscapeRoot") > >But I can not start the console. >startconsole -u admin -a http://vpclinux:1500 > >I always get the error: >Cannot connect to the Admin Server "http://hostname:1500" >The URL is not correct or the server is not running. > > can you telnet hostname 1500 ? can you use your web browser to connect to http://hostname:1500/ ? >I can see the ns-slapd and httpd.worker processes running >(one ns-slapd and 3 httpd.worker processes are running) > >I read all the docs on the web and the FAQ at redhat >(Troubleshooting) >Troubleshooting can not help: >- there is no "admin-serv/config/jvm12.conf", (I created but >no effect) >- there is no "/bin/https/bin/start-jvm" file >so I can not edit > >After 3 days I am out of ideas. > >Could anybody help? > >TIA, >Laszlo > > > > > > >________________________________________________________________________ >?p?ts SAJ?T HONLAPOT! Zene, mozi, j?t?k, chat ? frissess?g ?s okoss?g >az ?j tiniport?lon: www.g-portal.hu > > > >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -------------- next part -------------- A non-text attachment was scrubbed... 
From fluffy.gibson at gmail.com Wed Jan 18 17:41:01 2006
From: fluffy.gibson at gmail.com (Richard Gibson)
Date: Wed, 18 Jan 2006 17:41:01 +0000
Subject: [Fedora-directory-users] Admin Server or Console problem
In-Reply-To: <43CE7754.1040905@redhat.com>
References: <43CE7754.1040905@redhat.com>
Message-ID:

Have you started the admin server using start-admin? Just a thought....

Rich

On 18/01/06, Richard Megginson wrote:
>
> Little Dragon wrote:
>
> >Hi,
> >
> >I have installed fedora-ds-1.0.1-1.FC4.i386.opt.rpm
> >and SUN java: j2re-1_4_2_10-linux-i586.rpm
> >Then set the JAVA_HOME env. variable.
> >
> >After the Typical install the ldapsearch works (I get results).
> >(ldapsearch -x -h localhost -p 389 -b "o=NetscapeRoot")
> >
> >But I can not start the console.
> >startconsole -u admin -a http://vpclinux:1500
> >
> >I always get the error:
> >Cannot connect to the Admin Server "http://hostname:1500"
> >The URL is not correct or the server is not running.
> >
> can you
> telnet hostname 1500
> ?
> can you use your web browser to connect to
> http://hostname:1500/
> ?
>
> >I can see the ns-slapd and httpd.worker processes running
> >(one ns-slapd and 3 httpd.worker processes are running)
> >
> >I read all the docs on the web and the FAQ at redhat
> >(Troubleshooting)
> >Troubleshooting can not help:
> >- there is no "admin-serv/config/jvm12.conf", (I created it but
> >no effect)
> >- there is no "/bin/https/bin/start-jvm" file
> >so I can not edit it
> >
> >After 3 days I am out of ideas.
> >
> >Could anybody help?
> >
> >TIA,
> >Laszlo
> >
> >________________________________________________________________________
> >Build YOUR OWN HOMEPAGE! Music, movies, games, chat - freshness and
> >cleverness on the new teen portal: www.g-portal.hu

From logastellus at yahoo.com Wed Jan 18 18:54:07 2006
From: logastellus at yahoo.com (Susan)
Date: Wed, 18 Jan 2006 10:54:07 -0800 (PST)
Subject: [Fedora-directory-users] simple ssl replication
In-Reply-To: <43CE76E4.6000905@redhat.com>
Message-ID: <20060118185407.66568.qmail@web52912.mail.yahoo.com>

--- Richard Megginson wrote:
> The SSL client (in this case, the replication supplier) still needs to
> verify the SSL server (in this case, the replication consumer)
> certificate in order for SSL to work. It should be sufficient for the
> supplier to have the certificate of the CA that issued the consumer's
> certificate in its cert db.

I understand. Where is the cert db? Is that controlled by /etc/openldap/ldap.conf? Because I took *.db from the consumer's /opt/fedora-ds/alias, copied them over to the location specified by TLS_CACERTDIR (/etc/openldap/cacerts) and still got the same error.

On the supplier:
[root at cnyldap01 cacerts]# ll
total 84
-rw------- 1 root root 65536 Jan 18 13:48 slapd-cnjldap01-cert8.db
-rw------- 1 root root 16384 Jan 18 13:48 slapd-cnjldap01-key3.db

On the consumer (cnjldap01) still:
[18/Jan/2006:13:50:21 -0500] conn=22 fd=65 slot=65 SSL connection from 149.85.70.110 to 149.85.86.65
[18/Jan/2006:13:50:21 -0500] conn=22 op=-1 fd=65 closed - SSL peer cannot verify your certificate.

What am I doing wrong? Thank you for your help...

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

From rmeggins at redhat.com Wed Jan 18 19:26:42 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 18 Jan 2006 12:26:42 -0700
Subject: [Fedora-directory-users] simple ssl replication
In-Reply-To: <20060118185407.66568.qmail@web52912.mail.yahoo.com>
References: <20060118185407.66568.qmail@web52912.mail.yahoo.com>
Message-ID: <43CE9672.4060102@redhat.com>

Susan wrote:
>--- Richard Megginson wrote:
>>The SSL client (in this case, the replication supplier) still needs to
>>verify the SSL server (in this case, the replication consumer)
>>certificate in order for SSL to work. It should be sufficient for the
>>supplier to have the certificate of the CA that issued the consumer's
>>certificate in its cert db.
>
>I understand. Where is the cert db?
>
/opt/fedora-ds/alias/slapd-yourhost-cert8.db

>Is that controlled by /etc/openldap/ldap.conf?
>
No. It is completely different. The operating system ldap client code is OpenLDAP which uses OpenSSL for crypto. Fedora DS uses Mozilla NSS for crypto.

>Because I took *.db from the consumer's /opt/fedora-ds/alias, copied them over to the location specified by
>TLS_CACERTDIR (/etc/openldap/cacerts) and still got the same error.
>
Right. OpenSSL doesn't use our NSS .db format. Fedora DS doesn't use /etc/ldap* or /etc/openldap* at all. However, OS clients, such as /usr/bin/ldapsearch, PAM, NSS, etc. use /etc/ldap* and /etc/openldap*

>On the supplier:
>[root at cnyldap01 cacerts]# ll
>total 84
>-rw------- 1 root root 65536 Jan 18 13:48 slapd-cnjldap01-cert8.db
>-rw------- 1 root root 16384 Jan 18 13:48 slapd-cnjldap01-key3.db
>
>On the consumer (cnjldap01) still:
>[18/Jan/2006:13:50:21 -0500] conn=22 fd=65 slot=65 SSL connection from 149.85.70.110 to 149.85.86.65
>[18/Jan/2006:13:50:21 -0500] conn=22 op=-1 fd=65 closed - SSL peer cannot verify your certificate.
>
>What am I doing wrong?
>
You need to use certutil -L to export the CA certificate and certutil -A to import it where needed e.g.

# cd /opt/fedora-ds/alias
# ../shared/bin/certutil -L -d . -P slapd-supplier-

you should see something like

CA certificate                        CT,,

then you can do

# ../shared/bin/certutil -L -d . -P slapd-supplier- -n "CA certificate" -a > cacert.asc

to export the CA certificate in ASCII (RFC 1113) encoding. Next, import the CA cert into your consumer cert db:

# ../shared/bin/certutil -A -d . -P slapd-consumer- -n "CA certificate" -t "CT,," -a -i cacert.asc

Note that it may prompt you for the password you used to protect the cert db. You will need to restart your consumer.

You can also take this cacert.asc and use the openssl tool to convert this into a .pem file for use with those clients (or is .asc the same as .pem?).

>Thank you for your help...

From mf at yci.org.uk Wed Jan 18 16:07:00 2006
From: mf at yci.org.uk (matt farey)
Date: Wed, 18 Jan 2006 16:07:00 +0000
Subject: [Fedora-directory-users] login problem
Message-ID: <43CE67A4.6070503@yci.org.uk>

Hi all,
We have not changed any profile settings, but while I am able to log in as root, users cannot log in; we get an out of disk space error, but looking around there appears to be enough space. Does anyone know what can cause this? I was thinking log files, or perhaps a permissions issue. Any help would be gratefully received.

matt

From logastellus at yahoo.com Wed Jan 18 19:47:50 2006
From: logastellus at yahoo.com (Susan)
Date: Wed, 18 Jan 2006 11:47:50 -0800 (PST)
Subject: [Fedora-directory-users] simple ssl replication
In-Reply-To: <43CE9672.4060102@redhat.com>
Message-ID: <20060118194751.3946.qmail@web52913.mail.yahoo.com>

--- Richard Megginson wrote:
> Next, import the CA cert into your consumer cert db:
> # ../shared/bin/certutil -A -d . -P slapd-consumer- -n "CA certificate"
> -t "CT,," -a -i cacert.asc

[root at cnyldap01 alias]# ../shared/bin/certutil -A -d . -P slapd-cnyldap01- -n "CA certificate" -t "CT,," -a -i cnjldap01.cert.asc
certutil: could not obtain certificate from file: You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.

What do you think? Both the supplier's and the consumer's CA certs were created with identical password/noise files. Is that a problem?

From rmeggins at redhat.com Wed Jan 18 20:06:32 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 18 Jan 2006 13:06:32 -0700
Subject: [Fedora-directory-users] simple ssl replication
In-Reply-To: <20060118194751.3946.qmail@web52913.mail.yahoo.com>
References: <20060118194751.3946.qmail@web52913.mail.yahoo.com>
Message-ID: <43CE9FC8.9090208@redhat.com>

Susan wrote:
>--- Richard Megginson wrote:
>>Next, import the CA cert into your consumer cert db:
>># ../shared/bin/certutil -A -d . -P slapd-consumer- -n "CA certificate"
>>-t "CT,," -a -i cacert.asc
>
>[root at cnyldap01 alias]# ../shared/bin/certutil -A -d . -P slapd-cnyldap01- -n "CA certificate" -t
>"CT,," -a -i cnjldap01.cert.asc
>certutil: could not obtain certificate from file: You are attempting to import a cert with the
>same issuer/serial as an existing cert, but that is not the same cert.
>
>What do you think? Both the supplier's and the consumer's CA certs were created with identical
>password/noise files. Is that a problem?
>
It seems that you already have the CA cert in the consumer cert db.

From logastellus at yahoo.com Wed Jan 18 21:08:35 2006
From: logastellus at yahoo.com (Susan)
Date: Wed, 18 Jan 2006 13:08:35 -0800 (PST)
Subject: [Fedora-directory-users] simple ssl replication
In-Reply-To: <43CE9FC8.9090208@redhat.com>
Message-ID: <20060118210835.43988.qmail@web52906.mail.yahoo.com>

--- Richard Megginson wrote:
susan:
> >"CT,," -a -i cnjldap01.cert.asc
> >certutil: could not obtain certificate from file: You are attempting to import a cert with the
> >same issuer/serial as an existing cert, but that is not the same cert.
> >
> >What do you think? Both the supplier's and the consumer's CA certs were created with identical
> >password/noise files. Is that a problem?
>
> It seems that you already have the CA cert in the consumer cert db.

well, I recreated the cert DB on the supplier and the consumer, using different passwords and noise files and it worked fine after that. I guess identical passwords/noise produce identical certs and that's not allowed. Anyway.. now I know. Thank you for the export/import cert db explanation. Perhaps that could go into the SSL wiki?

From rmeggins at redhat.com Wed Jan 18 21:18:01 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 18 Jan 2006 14:18:01 -0700
Subject: [Fedora-directory-users] simple ssl replication
In-Reply-To: <20060118210835.43988.qmail@web52906.mail.yahoo.com>
References: <20060118210835.43988.qmail@web52906.mail.yahoo.com>
Message-ID: <43CEB089.8040207@redhat.com>

Susan wrote:
>--- Richard Megginson wrote:
>susan:
>>>"CT,," -a -i cnjldap01.cert.asc
>>>certutil: could not obtain certificate from file: You are attempting to import a cert with the
>>>same issuer/serial as an existing cert, but that is not the same cert.
>>>
>>>What do you think? Both the supplier's and the consumer's CA certs were created with identical
>>>password/noise files. Is that a problem?
>>>
>>It seems that you already have the CA cert in the consumer cert db.
>
>well, I recreated the cert DB on the supplier and the consumer, using different passwords and
>noise files and it worked fine after that. I guess identical passwords/noise produce identical
>certs and that's not allowed.
>
No, that should be ok - are you sure you gave each cert a unique serial number?

>Anyway.. now I know. Thank you for the export/import cert db
>explanation. Perhaps that could go into the SSL wiki?
>
Yes.

From oscar.valdez at duraflex-politex.com Wed Jan 18 21:24:00 2006
From: oscar.valdez at duraflex-politex.com (Oscar A. Valdez)
Date: Wed, 18 Jan 2006 15:24:00 -0600
Subject: [Fedora-directory-users] Samba & Fedora Directory Server Integration
In-Reply-To: <1137456066.3933.23.camel@wzowski.duraflex-politex.com>
References: <1137286706.5471.22.camel@wzowski.duraflex-politex.com> <1137305332.31384.9.camel@lin-workstation.azapple.com> <1137456066.3933.23.camel@wzowski.duraflex-politex.com>
Message-ID: <1137619441.3872.12.camel@wzowski.duraflex-politex.com>

On Mon, 16-01-2006 at 18:01 -0600, Oscar A. Valdez wrote:
> On Sat, 14-01-2006 at 23:08 -0700, Craig White wrote:
> > If you are going to use a tool like the PADL migration tool
> > (migrate_passwd.pl), obviously you aren't going to get attributes beyond
> > the posixAccount stuff. Samba has some tools - smbldap-tools which can
> > attributes for the samba-schema...
>
> Thanks for your response. I'm going to read the "SMB LDAP PDC Howto"
> found at http://samba.idealx.org/samba-ldap-howto.pdf. It's by the folks
> who put together the smbldap-tools.

Do the smbldap-tools work "out of the box" with the Fedora Directory Server? They're not tailored too tightly to OpenLDAP?
--
Oscar A. Valdez

From rcritten at redhat.com Wed Jan 18 21:40:07 2006
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 18 Jan 2006 16:40:07 -0500
Subject: [Fedora-directory-users] simple ssl replication
In-Reply-To: <43CEB089.8040207@redhat.com>
References: <20060118210835.43988.qmail@web52906.mail.yahoo.com> <43CEB089.8040207@redhat.com>
Message-ID: <43CEB5B7.7000302@redhat.com>

Richard Megginson wrote:
> Susan wrote:
>
>> --- Richard Megginson wrote:
>> susan:
>>
>>>> "CT,," -a -i cnjldap01.cert.asc certutil: could not obtain
>>>> certificate from file: You are attempting to import a cert with the
>>>> same issuer/serial as an existing cert, but that is not the same cert.
>>>>
>>>> What do you think? Both the supplier's and the consumer's CA certs
>>>> were created with identical
>>>> password/noise files. Is that a problem?
>>>>
>>> It seems that you already have the CA cert in the consumer cert db.
>>>
>>
>> well, I recreated the cert DB on the supplier and the consumer, using
>> different passwords and
>> noise files and it worked fine after that. I guess identical
>> passwords/noise produce identical
>> certs and that's not allowed.
>>
> No, that should be ok - are you sure you gave each cert a unique serial
> number?

Really all you need to do is generate a single CA certificate and use that to sign both the supplier and consumer certificates. Each server doesn't need its own CA.

rob

From rmeggins at redhat.com Wed Jan 18 22:28:11 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 18 Jan 2006 15:28:11 -0700
Subject: [Fedora-directory-users] Updated Howto:SSL
Message-ID: <43CEC0FB.6050005@redhat.com>

http://directory.fedora.redhat.com/wiki/Howto:SSL

This includes the cacertdir setup from Mark McLoughlin (Thanks!).

From oscar.valdez at duraflex-politex.com Thu Jan 19 00:57:08 2006
From: oscar.valdez at duraflex-politex.com (Oscar A. Valdez)
Date: Wed, 18 Jan 2006 18:57:08 -0600
Subject: [Fedora-directory-users] Samba & Fedora Directory Server Integration
In-Reply-To: <1137619441.3872.12.camel@wzowski.duraflex-politex.com>
References: <1137286706.5471.22.camel@wzowski.duraflex-politex.com> <1137305332.31384.9.camel@lin-workstation.azapple.com> <1137456066.3933.23.camel@wzowski.duraflex-politex.com> <1137619441.3872.12.camel@wzowski.duraflex-politex.com>
Message-ID: <1137632229.3872.20.camel@wzowski.duraflex-politex.com>

On Wed, 18-01-2006 at 15:24 -0600, Oscar A. Valdez wrote:
> On Mon, 16-01-2006 at 18:01 -0600, Oscar A. Valdez wrote:
> > On Sat, 14-01-2006 at 23:08 -0700, Craig White wrote:
> > > If you are going to use a tool like the PADL migration tool
> > > (migrate_passwd.pl), obviously you aren't going to get attributes beyond
> > > the posixAccount stuff. Samba has some tools - smbldap-tools which can
> > > attributes for the samba-schema...
> >
> > Thanks for your response. I'm going to read the "SMB LDAP PDC Howto"
> > found at http://samba.idealx.org/samba-ldap-howto.pdf. It's by the folks
> > who put together the smbldap-tools.
>
> Do the smbldap-tools work "out of the box" with the Fedora Directory
> Server? They're not tailored too tightly to OpenLDAP?

To answer my own question: they seem to work with FDS. I just installed them, and tried the smbldap-passwd command on a test account. The error I get seems to be a permissions error:

Unable to change password: Insufficient 'write' privilege to the 'userPassword' attribute of entry 'uid=ovaldez,ou=people,dc=duraflex,dc=com,dc=sv'

Any ideas on how to fix this?
--
Oscar A. Valdez

From craigwhite at azapple.com Thu Jan 19 01:24:47 2006
From: craigwhite at azapple.com (Craig White)
Date: Wed, 18 Jan 2006 18:24:47 -0700
Subject: [Fedora-directory-users] Samba & Fedora Directory Server Integration
In-Reply-To: <1137632229.3872.20.camel@wzowski.duraflex-politex.com>
References: <1137286706.5471.22.camel@wzowski.duraflex-politex.com> <1137305332.31384.9.camel@lin-workstation.azapple.com> <1137456066.3933.23.camel@wzowski.duraflex-politex.com> <1137619441.3872.12.camel@wzowski.duraflex-politex.com> <1137632229.3872.20.camel@wzowski.duraflex-politex.com>
Message-ID: <1137633887.16077.31.camel@lin-workstation.azapple.com>

On Wed, 2006-01-18 at 18:57 -0600, Oscar A. Valdez wrote:
> On Wed, 18-01-2006 at 15:24 -0600, Oscar A. Valdez wrote:
> > On Mon, 16-01-2006 at 18:01 -0600, Oscar A. Valdez wrote:
> > > On Sat, 14-01-2006 at 23:08 -0700, Craig White wrote:
> > > > If you are going to use a tool like the PADL migration tool
> > > > (migrate_passwd.pl), obviously you aren't going to get attributes beyond
> > > > the posixAccount stuff. Samba has some tools - smbldap-tools which can
> > > > attributes for the samba-schema...
> > >
> > > Thanks for your response. I'm going to read the "SMB LDAP PDC Howto"
> > > found at http://samba.idealx.org/samba-ldap-howto.pdf. It's by the folks
> > > who put together the smbldap-tools.
> >
> > Do the smbldap-tools work "out of the box" with the Fedora Directory
> > Server? They're not tailored too tightly to OpenLDAP?
>
> To answer my own question: they seem to work with FDS. I just installed
> them, and tried the smbldap-passwd command on a test account. The error
> I get seems to be a permissions error:
>
> Unable to change password: Insufficient 'write' privilege to the
> 'userPassword' attribute of entry
> 'uid=ovaldez,ou=people,dc=duraflex,dc=com,dc=sv'
>
> Any ideas on how to fix this?
----
sure - you need to use a dn with sufficient access... i.e. cn=Directory Manager or, by default, uid=ovaldez,ou=people,dc=duraflex,dc=com,dc=sv should have sufficient access to the userPassword attribute

you probably want to create a 'super user' account which can change all entries in the 'dc=duraflex,dc=com,dc=sv' tree (see ACI) and set that to be the user that is 'ldap admin' in smb.conf and in smbldap-tools.

Craig

From adireks at gmail.com Thu Jan 19 02:07:22 2006
From: adireks at gmail.com (adirek sanyakhuan)
Date: Thu, 19 Jan 2006 09:07:22 +0700
Subject: [Fedora-directory-users] cannot start admin
Message-ID: <9fed1320601181807t7cb23d65xf7d990b4ec8f9b94@mail.gmail.com>

this is the error log file => "/opt/fedora-ds/admin-serv/logs"

[Thu Jan 19 08:55:14 2006] [crit] mod_admserv_post_config(): unable to build user/group LDAP server info: unable to set User/Group baseDN
Configuration Failed
[Thu Jan 19 08:55:22 2006] [crit] mod_admserv_post_config(): unable to build user/group LDAP server info: unable to set User/Group baseDN
Configuration Failed
[Thu Jan 19 08:55:31 2006] [crit] mod_admserv_post_config(): unable to build user/group LDAP server info: unable to set User/Group baseDN
Configuration Failed

When I try to start admin, it does not succeed.

From rmeggins at redhat.com Thu Jan 19 03:28:27 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 18 Jan 2006 20:28:27 -0700
Subject: [Fedora-directory-users] cannot start admin
In-Reply-To: <9fed1320601181807t7cb23d65xf7d990b4ec8f9b94@mail.gmail.com>
References: <9fed1320601181807t7cb23d65xf7d990b4ec8f9b94@mail.gmail.com>
Message-ID: <43CF075B.8070009@redhat.com>

Make sure the directory server is started before you start admin server.

adirek sanyakhuan wrote:
>this is the error log file => "/opt/fedora-ds/admin-serv/logs"
>
>[Thu Jan 19 08:55:14 2006] [crit] mod_admserv_post_config(): unable to
>build user/group LDAP server info: unable to set User/Group baseDN
>Configuration Failed
>[Thu Jan 19 08:55:22 2006] [crit] mod_admserv_post_config(): unable to
>build user/group LDAP server info: unable to set User/Group baseDN
>Configuration Failed
>[Thu Jan 19 08:55:31 2006] [crit] mod_admserv_post_config(): unable to
>build user/group LDAP server info: unable to set User/Group baseDN
>Configuration Failed
>
>When I try to start admin, it does not succeed.

From clayton at cjrogers.net Thu Jan 19 09:21:09 2006
From: clayton at cjrogers.net (Clayton Rogers)
Date: Thu, 19 Jan 2006 19:21:09 +1000
Subject: [Fedora-directory-users] Console on Windows Server 2003
Message-ID: <43CF5A05.2000403@cjrogers.net>

Hi everyone,

I have installed FDS on a few of my Linux servers; however, I want to run an administrative console in Windows also. I have followed the instructions in the how-to (at least I think I have); however, when I run the command:

C:\fedora\java>java -ms8m -mx64m -cp .;.\nmclf10.jar;.\base.jar;.\ldapjdk.jar;.\mcc10.jar;.\nmclf10_en.jar;.\mcc10_en.jar;.\jss3.jar -Djava.library.path=..\lib\jss -Djava.util.prefs.systemRoot=.\.java -Djava.util.prefs.userRoot=.com.netscape.management.client.console.Console -D -a http://{server}:{port}/
Unrecognized option: -a
Could not create the Java virtual machine.

I receive the error as you see above: unrecognized option: -a. I have the J2RE Runtime environment installed.

Any ideas?

Cheers

From ldragon at freemail.hu Thu Jan 19 09:40:35 2006
From: ldragon at freemail.hu (Little Dragon)
Date: Thu, 19 Jan 2006 10:40:35 +0100 (CET)
Subject: [Fedora-directory-users] Admin Server or Console problem
Message-ID:

Hi Richard,
I reinstalled with custom install.

can you telnet hostname 1500
Yes I can. (Port changed to 51321)

The result:
[root at vpclinux fedora-ds]# telnet vpclinux 51321
Trying xxx.xxx.xxx.xxx...
Connected to vpclinux.emea.tcs.com (xxx.xxx.xxx.xxx).
Escape character is '^]'.

*************************************
can you use your web browser to connect to http://hostname:1500/
Yes I can. I can see the pages: check admin-server info and log, ldap server info and log.

As you can see from the hostname, this linux (Fedora Core 4) runs on a virtual PC (Microsoft Virtual PC 2004); I just wanted to try the directory server.

Any other idea, things to check?
Are there any debug level options on the admin-server and/or console side?

TIA,
Laszlo

Little Dragon wrote:
> Hi,
>
> I have installed fedora-ds-1.0.1-1.FC4.i386.opt.rpm
> and SUN java: j2re-1_4_2_10-linux-i586.rpm
> Then set the JAVA_HOME env. variable.
>
> After the Typical install the ldapsearch works (I get results).
> (ldapsearch -x -h localhost -p 389 -b "o=NetscapeRoot")
>
> But I can not start the console.
> startconsole -u admin -a http://vpclinux:1500
>
> I always get the error: Cannot connect to the Admin Server "http://hostname:1500"
> The URL is not correct or the server is not running.
>
> can you telnet hostname 1500 ? can you use your web browser to connect to http://hostname:1500/ ?
>
> I can see the ns-slapd and httpd.worker processes running
> (one ns-slapd and 3 httpd.worker processes are running)
>
> I read all the docs on the web and the FAQ at redhat
> (Troubleshooting)
> Troubleshooting can not help: - there is no "admin-serv/config/jvm12.conf", (I created it but
> no effect)
> - there is no "/bin/https/bin/start-jvm" file
> so I can not edit it
>
> After 3 days I am out of ideas.
> Could anybody help?
>
> TIA,
> Laszlo

________________________________________________________________________
Photo processing from 25 Ft gross! FotoMarket Online Photo Store - serving your photo needs for 5 years: www.fotomarket.hu

From ldragon at freemail.hu Thu Jan 19 09:46:44 2006
From: ldragon at freemail.hu (Little Dragon)
Date: Thu, 19 Jan 2006 10:46:44 +0100 (CET)
Subject: [Fedora-directory-users] Admin Server or Console problem
Message-ID:

Hi Richard,
Yes. I see the http.worker processes in the process list.

****************************************************
Have you started the admin server using start-admin? Just a thought....
Rich

On 18/01/06, Richard Megginson wrote:
Little Dragon wrote:
>Hi,
>
>I have installed fedora-ds-1.0.1-1.FC4.i386.opt.rpm
>and SUN java: j2re-1_4_2_10-linux-i586.rpm
>Then set the JAVA_HOME env. variable.
>
>After the Typical install the ldapsearch works (I get results).
>(ldapsearch -x -h localhost -p 389 -b "o=NetscapeRoot")
>
>But I can not start the console.
>startconsole -u admin -a http://vpclinux:1500
>
>I always get the error:
>Cannot connect to the Admin Server "http://hostname:1500"
>The URL is not correct or the server is not running.
>
can you telnet hostname 1500 ? can you use your web browser to connect to http://hostname:1500/ ?
>I can see the ns-slapd and httpd.worker processes running
>(one ns-slapd and 3 httpd.worker processes are running)
>
>I read all the docs on the web and the FAQ at redhat
>(Troubleshooting)
>Troubleshooting can not help:
>- there is no "admin-serv/config/jvm12.conf", (I created it but
>no effect)
>- there is no "/bin/https/bin/start-jvm" file
>so I can not edit it
>
>After 3 days I am out of ideas.
>
>Could anybody help?
>
>TIA,
>Laszlo

From basile.mathieu at siris.sorbonne.fr Thu Jan 19 11:04:04 2006
From: basile.mathieu at siris.sorbonne.fr (basile au siris)
Date: Thu, 19 Jan 2006 12:04:04 +0100
Subject: [Fedora-directory-users] fds 1.0.1 on solaris
Message-ID: <43CF7224.8070207@siris.sorbonne.fr>

is there a term for fds 1.0.1 on solaris 9?
we are waiting for it to do our production installation.
thanks
basile

From rmeggins at redhat.com Thu Jan 19 14:45:43 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 19 Jan 2006 07:45:43 -0700
Subject: [Fedora-directory-users] Console on Windows Server 2003
In-Reply-To: <43CF5A05.2000403@cjrogers.net>
References: <43CF5A05.2000403@cjrogers.net>
Message-ID: <43CFA617.2060405@redhat.com>

Clayton Rogers wrote:
> Hi everyone,
>
> I have installed FDS on a few of my Linux servers however I want to
> run an administrative console in Windows also. I have followed the
> instructions in the how to (at least I think I have) however, when I
> run the command:-
> C:\fedora\java>java -ms8m -mx64m -cp
> .;.\nmclf10.jar;.\base.jar;.\ldapjdk.jar;.\mcc10.jar;.\nmclf10_en.jar;.\mcc10_en.jar;.\jss3.jar
> -Djava.library.path=..\lib\jss -Djava.util.prefs.systemRoot=.\.java
> -Djava.util.prefs.userRoot=.com.netscape.management.client.console.Console
> -D -a http://{server}:{port}/
> Unrecognized option: -a
> Could not create the Java virtual machine.

Looks like you need a space between "Djava.util.prefs.userRoot=." and "com.netscape.management.client.console.Console"

>
> I receive the error as you see above unrecognized option: -a. I have
> J2RE Runtime environment installed.
>
> Any ideas?
>
> Cheers
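The certutil procedure Richard gives in the "simple ssl replication" thread above (list the supplier's NSS cert db, export the CA certificate in ASCII form, import it into the consumer's db with "CT,," trust) as a small POSIX shell script. This is an added example, not code from the list or from the Fedora DS project. It assumes the layout from the thread: cert dbs in /opt/fedora-ds/alias with a "slapd-<host>-" prefix and certutil in ../shared/bin; ALIAS_DIR and CERTUTIL override that. What it adds to the thread's one-liners is a parser for the "certutil -L" listing that picks out only entries carrying CA trust, so the script fails loudly instead of exporting the wrong nickname. The sample listing at the bottom is constructed, not output from the thread's servers.

```shell
#!/bin/sh
# Added example (not from the mailing list or the Fedora DS project).
# Assumed layout, as in the thread: cert dbs in /opt/fedora-ds/alias with a
# "slapd-<host>-" prefix, certutil in ../shared/bin. Override if different.
ALIAS_DIR="${ALIAS_DIR:-/opt/fedora-ds/alias}"
CERTUTIL="${CERTUTIL:-$ALIAS_DIR/../shared/bin/certutil}"

# ca_nicknames: read a "certutil -L" listing on stdin and print the nicknames
# whose SSL trust flags contain both C (trusted CA) and T (trusted to issue
# client certs), i.e. entries like 'CA certificate   CT,,' from the thread.
ca_nicknames() {
  awk '
    NF >= 2 {
      trust = $NF
      # the trust field is three comma-separated groups of NSS flag letters;
      # the test also skips the two header lines certutil prints
      if (trust !~ /^[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*$/) next
      split(trust, col, ",")
      if (col[1] !~ /C/ || col[1] !~ /T/) next
      # the nickname is everything before the trust field (may contain spaces)
      sub(/[ \t]+[^ \t]+[ \t]*$/, "")
      print
    }'
}

# export_ca_cert PREFIX NICKNAME OUTFILE: "certutil -L ... -n NICKNAME -a"
# from the thread, writing the CA cert in ASCII (RFC 1113) encoding.
export_ca_cert() {
  "$CERTUTIL" -L -d "$ALIAS_DIR" -P "$1" -n "$2" -a > "$3"
}

# import_ca_cert PREFIX NICKNAME INFILE: "certutil -A ... -t CT,," from the
# thread. certutil may prompt for that db's password, and the server using
# the db must be restarted afterwards, as Richard notes.
import_ca_cert() {
  "$CERTUTIL" -A -d "$ALIAS_DIR" -P "$1" -n "$2" -t "CT,," -a -i "$3"
}

# copy_ca_trust SUPPLIER_PREFIX CONSUMER_PREFIX: the whole procedure when
# both dbs are on this host, using the first CA-trusted nickname found.
copy_ca_trust() {
  nick=$("$CERTUTIL" -L -d "$ALIAS_DIR" -P "$1" | ca_nicknames | head -n 1)
  if [ -z "$nick" ]; then
    echo "no CA-trusted (CT,,) certificate in db with prefix $1" >&2
    return 1
  fi
  tmp=$(mktemp) || return 1
  export_ca_cert "$1" "$nick" "$tmp" && import_ca_cert "$2" "$nick" "$tmp"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Constructed sample in the layout certutil -L prints (not real output from
# the thread's servers); lets ca_nicknames be exercised without a cert db.
SAMPLE_LISTING='Certificate Nickname                             Trust Attributes
                                                 SSL,S/MIME,JAR/XPI

CA certificate                                   CT,,
Server-Cert                                      u,u,u
Expired Root                                     ,,'

# Real use on one host would be, e.g.: copy_ca_trust slapd-supplier- slapd-consumer-
printf '%s\n' "$SAMPLE_LISTING" | ca_nicknames
```

When supplier and consumer are separate hosts, as cnyldap01 and cnjldap01 are in the thread, run export_ca_cert on the host that owns the CA, move the .asc file across, and run import_ca_cert on the other; copy_ca_trust only covers the case where both prefixes live in one alias directory. If the import fails with the "same issuer/serial as an existing cert, but that is not the same cert" message from the thread, the db already holds a different certificate with that issuer DN and serial number, which is what Richard's question about unique serial numbers and Rob's suggestion of one CA signing both server certs address.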
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Thu Jan 19 14:48:28 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Thu, 19 Jan 2006 07:48:28 -0700 Subject: [Fedora-directory-users] fds 1.0.1 on solaris In-Reply-To: <43CF7224.8070207@siris.sorbonne.fr> References: <43CF7224.8070207@siris.sorbonne.fr> Message-ID: <43CFA6BC.2030905@redhat.com> basile au siris wrote: > is there a term for fds 1.0.1 on solaris 9 ? > we are waiting for to do our production installation. We're switching Fedora DS to use gcc instead of the Sun Forte compiler on Solaris. This will probably take a couple of weeks more. Do you require 32 bit or 64 bit? > thanks > basile > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Thu Jan 19 14:53:01 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Thu, 19 Jan 2006 07:53:01 -0700 Subject: [Fedora-directory-users] Admin Server or Console problem In-Reply-To: References: Message-ID: <43CFA7CD.4080404@redhat.com> Little Dragon wrote: >Hi Richard, >I reinstalled with custom install. > >can youtelnet hostname 1500 >Yes I can. (Port changed to 51321) > > Why was the port changed? Is the admin server listening to port 1500 or port 51321? >The result: >[root at vpclinux fedora-ds]# telnet vpclinux 51321 >Trying xxx.xxx.xxx.xxx... >Connected to vpclinux.emea.tcs.com (xxx.xxx.xxx.xxx). >Escape character is '^]'. > >************************************* >can you use your web browser to connect to http://hostname:1500/ >Yes I can,,. I can see the pages chek admin-server info and >log, ldap server info and log. 
> > >As from the hostname you can see this linux (Fedora Core 4) >run on a virtual PC (Microsoft Virtual PC 2004), I jus >wanted to try the directory server. > >Any other idea, things to check? >Are there any debug level option on admin-server and/or >console side? > >TIA, >Laszlo > >Little Dragon wrote: > > > >>Hi, >> >>I have installed fedora-ds-1.0.1-1.FC4.i386.opt.rpm >>and SUN java: j2re-1_4_2_10-linux-i586.rpm >>Then set the JAVA_HOME env. Variable. >> >>After the Typical install the ldapsearch works (I get >> >> >results). > > >>(ldapsearch -x -h localhost -p 389 -b "o=NetscapeRoot") >> >>But I can not start the console. >>startconsole -u admin -a http://vpclinux:1500 >> >>I always get the error: Cannot connect to the Admin Server >> >> >"http://hostname:1500" > > >>The URL is not correct or the server is not running. >> >> >> >> >can you >telnet hostname 1500 >? >can you use your web browser to connect to >http://hostname:1500/ >? > > > >>I can see the ns-slapd and httpd.worker processes running >>(one ns-slapd and 3 httpd.worker processes are running) >> >>I read all the docs on the web and the FAQ at redhat >>(Troubleshooting) >>Troubleshooting can not help: - there is no >> >> >"admin-serv/config/jvm12.conf", (I created but > > >>no effect) >>- there is no "/bin/https/bin/start-jvm" file >>so I can not edit >> >>After 3 days I am out of ideas. >>Could anybody help? >> >>TIA, >>Laszlo >> >> >> >> >> >>>-- >>> >>> >>Fedora-directory-users mailing list >>Fedora-directory-users at redhat.com >>https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> >> > >________________________________________________________________________ >K?pkidolgoz?s m?r brutt? 25,- Ft-t?l! 
>--
>Fedora-directory-users mailing list
>Fedora-directory-users at redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users

From ABliss at preferredcare.org Thu Jan 19 15:28:16 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Thu, 19 Jan 2006 10:28:16 -0500
Subject: [Fedora-directory-users] Password history is not being enforced by the directory server
Message-ID:

I'm not sure why, but for some reason the directory servers are not enforcing password history policies. I've set the policy from within the fds console at the data level (as described in directory server documentation).

Here is a sample ldap.conf file:

pam_password exop
pam_password clear
pam_password md5
ssl start_tls
ssl on

I'm running fds 1.0.1 on a redhat 4 box (actually I have 2 directory servers; I've set this policy on both servers, and supplier consumer replication is set up between them).

I've verified that this is not enforced regardless of whether the client has ssl enabled or not. Please advise as this is a highly critical issue that I must get fixed in order to move this into production. Thanks very much.

Aaron

www.preferredcare.org
"An Outstanding Member Experience," Preferred Care HMO Plans -- J. D. Power and Associates

Confidentiality Notice:
The information contained in this electronic message is intended for the exclusive use of the individual or entity named above and may contain privileged or confidential information. If the reader of this message is not the intended recipient or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that dissemination, distribution or copying of this information is prohibited. If you have received this communication in error, please notify the sender immediately by telephone and destroy the copies you received.

From rmeggins at redhat.com Thu Jan 19 15:59:22 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 19 Jan 2006 08:59:22 -0700
Subject: [Fedora-directory-users] Password history is not being enforced by the directory server
In-Reply-To:
References:
Message-ID: <43CFB75A.2040208@redhat.com>

Bliss, Aaron wrote:

>I'm not sure why, but for some reason the directory servers are not
>enforcing password history policies. I've set the policy from within
>the fds console at the data level (as described in directory server
>documentation).
>
Did you set "Enable fine-grained password policy" under the Configuration tab -> Data node -> Passwords tab? Because the console will allow you to configure the fine grained password policy under the Directory tab even if this is not set, but it will not take effect.

>Here is a sample ldap.conf file:
>
>pam_password exop
>pam_password clear
>pam_password md5
>ssl start_tls
>ssl on
>
>I'm running fds 1.0.1 on a redhat 4 box (actually have 2 directory
>servers, I've set this policy on both servers, supplier consumer
>replication is setup between them.
>
>I've verified that this is not enforced regardless if the client has ssl
>enabled or not.
>
Did you try ldapmodify from the command line to see if the problem is with FDS or with PAM? e.g.

ldapmodify -D "uid=user,ou=people,dc=company,dc=com" -w currentpassword
dn: uid=user,ou=people,dc=company,dc=com
changetype: modify
replace: userPassword
userPassword: passwordinhistory

>Please advise as this is a highly critical issue that I
>must get fixed in order to move this into production. Thanks very much.
>
>Aaron
>
>--
>Fedora-directory-users mailing list
>Fedora-directory-users at redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users

From ABliss at preferredcare.org Thu Jan 19 16:01:26 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Thu, 19 Jan 2006 11:01:26 -0500
Subject: [Fedora-directory-users] Password history is not being enforced by the directory server
Message-ID:

It appears that this is an issue with the client; if I attempt to change a user's password from within fds using a password that I've already used for that user, I get a warning from fds indicating that it violates the password history rule. However, using passwd from a client allows usage of old passwords.

Aaron

From jon at compbio.dundee.ac.uk Thu Jan 19 16:04:27 2006
From: jon at compbio.dundee.ac.uk (Jonathan Barber)
Date: Thu, 19 Jan 2006 16:04:27 +0000
Subject: [Fedora-directory-users] Password history is not being enforced by the directory server
In-Reply-To:
References:
Message-ID: <20060119160427.GA8760@flea.compbio.dundee.ac.uk>

On Thu, Jan 19, 2006 at 11:01:26AM -0500, Bliss, Aaron wrote:
> It appears that this is an issue with the client; if I attempt change a
> users password from within fds using a password that I've already used
> for that user, I get a warning from fds indicating that it violates
> password history rule. However, using passwd from a client allows usage
> of old passwords.

PADL libnss_ldap has another option (present in 2.4.3 at least):

pam_lookup_policy yes

which may be what you need.
--
Jonathan Barber
High Performance Computing Analysis
Tel. +44 (0) 1382 86389

From ABliss at preferredcare.org Thu Jan 19 16:07:02 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Thu, 19 Jan 2006 11:07:02 -0500
Subject: [Fedora-directory-users] Password history is not being enforced by the directory server
Message-ID:

Sorry, I forgot to include it, but I have pam_lookup_policy yes already set in ldap.conf.

Aaron

From ABliss at preferredcare.org Thu Jan 19 16:20:49 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Thu, 19 Jan 2006 11:20:49 -0500
Subject: [Fedora-directory-users] Password history is not being enforced by the directory server
Message-ID:

I think I've figured it out. After running authconfig, pam_password md5 was enabled in /etc/ldap.conf. Commenting this out seems to have taken care of things. After commenting that out, clients now return this when attempting to use an old password:

LDAP password information update failed: Can't contact LDAP server
password in history
passwd: Permission denied

Thanks again for your help.
Aaron

From ABliss at preferredcare.org Thu Jan 19 18:34:47 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Thu, 19 Jan 2006 13:34:47 -0500
Subject: [Fedora-directory-users] Some password policy enforcement information questions
Message-ID:

Please forgive me if I'm asking silly newbie questions, however I'm trying to understand exactly what I'm seeing thru fds. First, the policy I've configured on the directory using the fds console: I've enabled fine-grained password policy for the data unit, including password history enforcement, password expiration after 90 days, password warning 14 days before the password expires, check password syntax, account lockout policy enabled after 3 login failures for 120 minutes, and reset failure count after 15 minutes.

Everything seems to be working except for send password warning; in the client's ldap.conf file, I've enabled pam_lookup_policy yes.
Looking at the account information attributes for a user, the passwordexpwarnd value is 0; I've reset the user's password to try to initialize the password policy, however this value never seems to change. According to this documentation
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/password.html#1077081
I believe that this attribute is stored in seconds. Is this true? If so, what can I do to ensure this attribute is getting updated (assuming that this is the attribute responsible for triggering the password expiration warning)?

Second issue/question: I've looked at this wiki http://directory.fedora.redhat.com/wiki/Howto:PAM and near the very bottom it mentions adding the following:

dn: cn=config
changetype: modify
add: passwordExp
passwordExp: on
-
add: passwordMaxAge
passwordMaxAge: 8640000

(this I believe would give a password max age of 100 days)

Do I need to add these attributes even though I've configured the password policy using the fds console, or has the console done this for me? If this is the case, I don't see these attributes in the gui; however I do see passwordexpirationtime as an attribute, and it is set to 90 days from now (I want to ensure that accounts are indeed locked after passwords have expired).

Also, Jim Summers posted to this group that he saw an issue with shadowpasswd / shadowexpire fields not being updated:
https://www.redhat.com/archives/fedora-directory-users/2005-December/msg00367.html

Can anyone tell me what these fields are used for, as I don't see any mention of them in this documentation:
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/password.html#1077081

Thanks again very much.

Aaron

From rmeggins at redhat.com Thu Jan 19 18:48:22 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 19 Jan 2006 11:48:22 -0700
Subject: [Fedora-directory-users] Some password policy enforcement information questions
In-Reply-To:
References:
Message-ID: <43CFDEF6.20100@redhat.com>

Bliss, Aaron wrote:

>Please forgive me if I'm asking silly newbie questions, however I'm
>trying to understand exactly what I'm seeing thru fds; first the policy
>I've configured on the directory using the fds console:
>I've enabled fine-grain password policy for the data unit, including
>password history enforcement, password expiration after 90 days,
>password warning 14 days before password expires, check password syntax,
>account lockout policy enabled after 3 login failures for 120 minutes
>and reset failure count after 15 minutes.
>
>Everything seems to be working except for send password warning; in the
>client's ldap.conf file, I've enabled pam_lookup_policy yes.
>
>Looking at account information attributes for a user, passwordexpwarnd
>value is 0; I've reset users password to try to initialize the password
>policy, however this value never seems to change. According to this
>documentation
>http://www.redhat.com/docs/manuals/dir-server/ag/7.1/password.html#1077081
>I believe that this attribute is stored in seconds. Is this true?
>
Yes.

>If so, what can I do to ensure this attribute is getting updated
>(assuming that this is the attribute responsible for triggering password
>expiration warning).
>
I'm not really sure.

>Second issue/question:
>I've looked at this wiki
>http://directory.fedora.redhat.com/wiki/Howto:PAM and near the very
>bottom it mentions adding the following
>
> dn: cn=config
> changetype: modify
> add: passwordExp
> passwordExp: on
> -
> add: passwordMaxAge
> passwordMaxAge: 8640000 (this I believe would give a password max age
>of 100 days)
>
>Do I need to add these attributes even though I've configured the
>password policy using fds console has done this for me. Is this the
>case, I see don't these attributes in the gui, however I do see
>passwordexpirationtime as an attribute and is set to 90 days from now
>(I'm want to ensure that accounts are indeed locked after passwords have
>expired).
>
Those attributes are only for global (default) password policy - what you have set for fine grained password policy will override those.

>Also, Jim Summers posted to this group that he saw an issue with
>shadowpasswd / shadowexpire fields not being updated
>https://www.redhat.com/archives/fedora-directory-users/2005-December/msg00367.html
>
>Can anyone tell me what these fields are used for, as I don't see any
>mention of them in this documentation
>http://www.redhat.com/docs/manuals/dir-server/ag/7.1/password.html#1077081
>
Right. They are a PAM/posix thing - FDS treats them as any other data - it doesn't update them from its own password policy.

>Thanks again very much.
>
>Aaron
>
>--
>Fedora-directory-users mailing list
>Fedora-directory-users at redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users

From ABliss at preferredcare.org Thu Jan 19 19:07:31 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Thu, 19 Jan 2006 14:07:31 -0500
Subject: [Fedora-directory-users] Some password policy enforcement information questions
Message-ID:

If I've configured a correct password policy and the warning attribute is not getting updated, should this be considered a bug?

Aaron
From rmeggins at redhat.com Thu Jan 19 19:34:58 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 19 Jan 2006 12:34:58 -0700
Subject: [Fedora-directory-users] Some password policy enforcement information questions
In-Reply-To:
References:
Message-ID: <43CFE9E2.7020900@redhat.com>

It looks like the way it works is this: When you have enabled password warning, an operational attribute called "passwordExpWarned" is created in the user's entry. The value will be 0 until the user does a successful BIND operation and the time between now and the configured password expiration time is less than or equal to the configured password warning time. When this happens, the warning will be sent, the value of passwordExpWarned will be changed to 1, and the operational attribute passwordExpirationTime in the user's entry will be set to the time at which the password will expire. When the user changes the password, passwordExpWarned will be reset to 0 and passwordExpirationTime will be set to the new expiration time.

Bliss, Aaron wrote:
> If I've configured a correct password policy and the warning attribute is not getting updated, should this be considered a bug?
>
> Aaron

From rspencer at auspicecorp.com Thu Jan 19 19:38:50 2006
From: rspencer at auspicecorp.com (Roger Spencer)
Date: Thu, 19 Jan 2006 14:38:50 -0500
Subject: [Fedora-directory-users] NT Password Hash Storage
In-Reply-To: <1137190254.17544.3.camel@lin-workstation.azapple.com>
References: <43C7E4FA.8000102@auspicecorp.com> <1137190254.17544.3.camel@lin-workstation.azapple.com>
Message-ID: <43CFEACA.1070103@auspicecorp.com>

Craig White wrote:
>> <..snip..>
>
> ----
> I am unclear how you are doing authentication by Windows users to the network in a normal login...via AD?
> anyway, my inclination is to setup Fedora-DS to use samba schema
>
> http://directory.fedora.redhat.com/wiki/Howto:Samba
>
> as that would give you a sambaNTPassword attribute which is normally the hashed password as expected but how that relates to question #2...updating the hash when the user changes their password...I suppose that would depend upon the chain of events that occur where/when the user changes their password...how is this information going to be sent to fedora-ds?
>
> Craig

When I arrived on the scene, network authentication for windows clients consisted of setting a local user id and password on a PC and setting the same user id and password on a stand-alone samba server. Of course, users had different ids for email, vpn, shared-keys for wireless, etc. and passwords never changed (there was a partial NIS setup going, so all was not bleak).

What I'm doing is consolidating it all into FDS with the benefit of a password policy. The samba schema worked great and also gets samba using FDS for authentication. But this leaves one question: what to do about having two sets of passwords in FDS?

With samba running as an NT domain controller, and having PCs join the domain, samba should take care of keeping the sambaNTPassword correct when a Windows user changes their password. But what of the userPassword attribute? What happens when that same user does an ssh session into a Linux server, which if I understand correctly, will use the userPassword attribute for authentication?

Is there a way to keep the two password attributes in sync? I'm not sure if it's possible to have all devices needing to do authentication use the NT style.

From rmeggins at redhat.com Thu Jan 19 19:50:34 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 19 Jan 2006 12:50:34 -0700
Subject: [Fedora-directory-users] NT Password Hash Storage
In-Reply-To: <43CFEACA.1070103@auspicecorp.com>
References: <43C7E4FA.8000102@auspicecorp.com> <1137190254.17544.3.camel@lin-workstation.azapple.com> <43CFEACA.1070103@auspicecorp.com>
Message-ID: <43CFED8A.3020605@redhat.com>

Yes. We need a plug-in that will take updates to userPassword and update sambaNTPassword (and vice versa) and possibly other related things like the sambaLMPassword.

Any volunteers? Mark McLoughlin posted some pyldap code that does this, and I believe OpenLDAP has a samba module/overlay that does this.

Roger Spencer wrote:
> When I arrived on the scene, network authentication for windows clients consisted of setting a local user id and password on a PC and setting the same user id and password on a stand-alone samba server. Of course, users had different ids for email, vpn, shared-keys for wireless, etc. and passwords never changed (there was a partial NIS setup going, so all was not bleak).
>
> What I'm doing is consolidating it all into FDS with the benefit of a password policy. The samba schema worked great and also gets samba using FDS for authentication. But this leaves one question: what to do about having two sets of passwords in FDS?
>
> With samba running as an NT domain controller, and having PCs join the domain, samba should take care of keeping the sambaNTPassword correct when a Windows user changes their password. But what of the userPassword attribute? What happens when that same user does an ssh session into a Linux server, which if I understand correctly, will use the userPassword attribute for authentication?
>
> Is there a way to keep the two password attributes in sync? I'm not sure if it's possible to have all devices needing to do authentication use the NT style.

From waynescomputerworld at hotmail.com Thu Jan 19 19:57:27 2006
From: waynescomputerworld at hotmail.com (Wayne Miller)
Date: Thu, 19 Jan 2006 14:57:27 -0500
Subject: [Fedora-directory-users] How can I get Fedora Redhat to recognize an external usb drive with NTFS ???
Message-ID:
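Added example, not code from the thread, from Fedora DS or from the pyldap/OpenLDAP modules mentioned: the core of the plug-in Richard describes, deriving sambaNTPassword whenever userPassword is modified with a cleartext value. MD4 is implemented inline only because hashlib's "md4" is missing on many current OpenSSL builds; the entry dictionary, the hook name and the sample password are constructed, sambaLMPassword and the reverse (Samba to userPassword) direction are not covered.

```python
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Inline only so the example runs anywhere;
    a real plug-in would call the server's crypto library instead."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    # Message-word order for rounds 2 and 3 (round 1 uses words 0..15 in order).
    r2_idx = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    r3_idx = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        r = [a, b, c, d]
        # Every step updates one register, in the fixed order a, d, c, b.
        for i in range(16):
            j = (-i) % 4
            t = r[j] + f(r[(j + 1) % 4], r[(j + 2) % 4], r[(j + 3) % 4]) + x[i]
            r[j] = _rotl(t & MASK32, (3, 7, 11, 19)[i % 4])
        for i in range(16):
            j = (-i) % 4
            t = r[j] + g(r[(j + 1) % 4], r[(j + 2) % 4], r[(j + 3) % 4]) + x[r2_idx[i]] + 0x5A827999
            r[j] = _rotl(t & MASK32, (3, 5, 9, 13)[i % 4])
        for i in range(16):
            j = (-i) % 4
            t = r[j] + h(r[(j + 1) % 4], r[(j + 2) % 4], r[(j + 3) % 4]) + x[r3_idx[i]] + 0x6ED9EBA1
            r[j] = _rotl(t & MASK32, (3, 9, 11, 15)[i % 4])
        a, b, c, d = ((v + w) & MASK32 for v, w in zip((a, b, c, d), r))
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """The value Samba keeps in sambaNTPassword: MD4 over the UTF-16LE
    encoding of the cleartext, written as 32 upper-case hex digits."""
    return md4(password.encode("utf-16le")).hex().upper()


def sync_samba_nt_password(entry: dict, new_userpassword: str) -> dict:
    """Hypothetical pre-operation hook for a MODIFY of userPassword.

    Returns the updated entry. The NT hash can only be derived from a
    cleartext value, so a pre-hashed value such as '{SSHA}...' is refused
    instead of silently leaving the two attributes out of sync. Only entries
    that actually carry the Samba schema (sambaSamAccount) get the attribute."""
    if new_userpassword.startswith("{"):
        raise ValueError("cannot derive sambaNTPassword from a pre-hashed userPassword")
    updated = dict(entry)
    updated["userPassword"] = new_userpassword  # the server stores this per its own scheme
    if "sambaSamAccount" in entry.get("objectClass", ()):
        updated["sambaNTPassword"] = nt_hash(new_userpassword)
    return updated


if __name__ == "__main__":
    # Constructed sample entry (not taken from the thread).
    sample = {"uid": "rspencer", "objectClass": ["posixAccount", "sambaSamAccount"]}
    print(sync_samba_nt_password(sample, "password")["sambaNTPassword"])
```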
From aly.dharshi at telus.net Thu Jan 19 19:59:55 2006
From: aly.dharshi at telus.net (Aly Dharshi)
Date: Thu, 19 Jan 2006 12:59:55 -0700
Subject: [Fedora-directory-users] fds 1.0.1 on solaris
In-Reply-To: <43CFA6BC.2030905@redhat.com>
References: <43CF7224.8070207@siris.sorbonne.fr> <43CFA6BC.2030905@redhat.com>
Message-ID: <43CFEFBB.4040705@telus.net>

I believe that the Sun Forte compiler is free now for download and use on a sun box.

Richard Megginson wrote:
> basile au siris wrote:
>
>> is there a term for fds 1.0.1 on solaris 9 ?
>> we are waiting for it to do our production installation.
>
> We're switching Fedora DS to use gcc instead of the Sun Forte compiler on Solaris. This will probably take a couple of weeks more. Do you require 32 bit or 64 bit?
>
>> thanks
>> basile

--
Aly S.P Dharshi
aly.dharshi at telus.net

"A good speech is like a good dress that's short enough to be interesting and long enough to cover the subject"

From ABliss at preferredcare.org Thu Jan 19 20:14:55 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Thu, 19 Jan 2006 15:14:55 -0500
Subject: [Fedora-directory-users] Some password policy enforcement information questions
Message-ID:

Thanks very much for the explanation; it makes much sense to me now. I did some playing around, and got the directory server to spit out to me that your password is going to expire in x amount of days. Thanks again.

Aaron

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard Megginson
Sent: Thursday, January 19, 2006 2:35 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Some password policy enforcement information questions

It looks like the way it works is this: When you have enabled password warning, an operational attribute called "passwordExpWarned" is created in the user's entry. The value will be 0 until the user does a successful BIND operation and the time between now and the configured password expiration time is less than or equal to the configured password warning time. When this happens, the warning will be sent, the value of passwordExpWarned will be changed to 1, and the operational attribute passwordExpirationTime in the user's entry will be set to the time at which the password will expire. When the user changes the password, passwordExpWarned will be reset to 0 and passwordExpirationTime will be set to the new expiration time.
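Added example, not code from the thread or from Fedora DS, that walks through the passwordExpWarned behaviour Richard describes with the values Aaron configured (90-day expiration, 14-day warning): a password change sets passwordExpirationTime and resets the flag to 0, a successful BIND inside the warning window sends the warning and sets the flag to 1, and a BIND after expiration is refused. passwordExpirationTime is handled in the LDAP GeneralizedTime form (YYYYMMDDHHMMSSZ); the in-memory entry, the function names and the timestamps are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Aaron's fine-grained policy, in the unit the server stores: seconds.
PASSWORD_MAX_AGE = 90 * 86400   # 7776000
PASSWORD_WARNING = 14 * 86400   # 1209600


def max_age_days(password_max_age: int) -> int:
    """passwordMaxAge is seconds; the wiki's 8640000 works out to 100 days."""
    return password_max_age // 86400


def parse_generalized_time(value: str) -> datetime:
    """passwordExpirationTime is stored as GeneralizedTime, e.g. 20060419190731Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def format_generalized_time(when: datetime) -> str:
    return when.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def on_password_change(entry: dict, now: datetime, max_age: int = PASSWORD_MAX_AGE) -> dict:
    """A password change (or an admin reset) sets a fresh expiration time
    and returns passwordExpWarned to 0."""
    updated = dict(entry)
    updated["passwordExpirationTime"] = format_generalized_time(now + timedelta(seconds=max_age))
    updated["passwordExpWarned"] = "0"
    return updated


def on_bind(entry: dict, now: datetime, warning: int = PASSWORD_WARNING):
    """A successful BIND. Returns (updated_entry, status, seconds_left) where
    status is 'ok', 'warn' (warning sent, passwordExpWarned set to 1) or
    'expired' (the bind is to be refused; the entry is left unchanged)."""
    updated = dict(entry)
    expires = parse_generalized_time(entry["passwordExpirationTime"])
    seconds_left = int((expires - now).total_seconds())
    if seconds_left <= 0:
        return updated, "expired", seconds_left
    if seconds_left <= warning:
        # The first bind inside the window flips the flag; later binds in the
        # window keep warning and the flag simply stays at 1.
        updated["passwordExpWarned"] = "1"
        return updated, "warn", seconds_left
    return updated, "ok", seconds_left


if __name__ == "__main__":
    # Constructed walk-through: reset on 19 Jan 2006, bind on 10 Apr 2006.
    entry = on_password_change({"uid": "abliss"}, parse_generalized_time("20060119190731Z"))
    entry, status, left = on_bind(entry, parse_generalized_time("20060410190731Z"))
    print(status, left // 86400, "days left, passwordExpWarned =", entry["passwordExpWarned"])
```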
From rspencer at auspicecorp.com Thu Jan 19 20:27:42 2006
From: rspencer at auspicecorp.com (Roger Spencer)
Date: Thu, 19 Jan 2006 15:27:42 -0500
Subject: [Fedora-directory-users] NT Password Hash Storage
In-Reply-To: <43CFED8A.3020605@redhat.com>
References: <43C7E4FA.8000102@auspicecorp.com> <1137190254.17544.3.camel@lin-workstation.azapple.com> <43CFEACA.1070103@auspicecorp.com> <43CFED8A.3020605@redhat.com>
Message-ID: <43CFF63E.50803@auspicecorp.com>

I don't think I have the skill set to write something, but I'm willing to poke around with the OpenLDAP samba module and look at the pyldap plugin (where is it at?).

Richard Megginson wrote:
> Yes. We need a plug-in that will take updates to userPassword and update sambaNTPassword (and vice versa) and possibly other related things like the sambaLMPassword.
>
> Any volunteers? Mark McLoughlin posted some pyldap code that does this, and I believe OpenLDAP has a samba module/overlay that does this.

From rmeggins at redhat.com Thu Jan 19 20:37:56 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 19 Jan 2006 13:37:56 -0700
Subject: [Fedora-directory-users] NT Password Hash Storage
In-Reply-To: <43CFF63E.50803@auspicecorp.com>
References: <43C7E4FA.8000102@auspicecorp.com> <1137190254.17544.3.camel@lin-workstation.azapple.com> <43CFEACA.1070103@auspicecorp.com> <43CFED8A.3020605@redhat.com> <43CFF63E.50803@auspicecorp.com>
Message-ID: <43CFF8A4.9070501@redhat.com>

Roger Spencer wrote:
> I don't think I have the skill set to write something, but I'm willing to poke around with the OpenLDAP samba module and look at the pyldap plugin (where is it at?).

Don't worry about it then. We'll have to get a C coder to take a look at it.

From oscar.valdez at duraflex-politex.com Thu Jan 19 20:42:13 2006
From: oscar.valdez at duraflex-politex.com (Oscar A. Valdez)
Date: Thu, 19 Jan 2006 14:42:13 -0600
Subject: [Fedora-directory-users] NT Password Hash Storage
In-Reply-To: <43CFED8A.3020605@redhat.com>
References: <43C7E4FA.8000102@auspicecorp.com> <1137190254.17544.3.camel@lin-workstation.azapple.com> <43CFEACA.1070103@auspicecorp.com> <43CFED8A.3020605@redhat.com>
Message-ID: <1137703334.3918.28.camel@wzowski.duraflex-politex.com>

On Thu, 19-01-2006 at 12:50 -0700, Richard Megginson wrote:
> Yes. We need a plug-in that will take updates to userPassword and update sambaNTPassword (and vice versa) and possibly other related things like the sambaLMPassword.
>
> Any volunteers? Mark McLoughlin posted some pyldap code that does this, and I believe OpenLDAP has a samba module/overlay that does this.

I believe this is what the smbldap-tools' smbldap-passwd command does. It looks like the smbldap-tools work pretty well with FDS.

--
Oscar A.
Valdez From jo.de.troy at gmail.com Thu Jan 19 21:17:14 2006 From: jo.de.troy at gmail.com (Jo De Troy) Date: Thu, 19 Jan 2006 22:17:14 +0100 Subject: [Fedora-directory-users] enforce strong passwords Message-ID: Hello, I was wondering if anyone was looking into enforcement of strong passwords. I'm not a hardcore C programmer but I'm willing to help. But first I'll have to try in getting the current version compiled. I'm certainly willing to do some testing. Greetings, Jo -------------- next part -------------- An HTML attachment was scrubbed... URL: From rmeggins at redhat.com Thu Jan 19 21:25:16 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Thu, 19 Jan 2006 14:25:16 -0700 Subject: [Fedora-directory-users] enforce strong passwords In-Reply-To: References: Message-ID: <43D003BC.2040604@redhat.com> Jo De Troy wrote: > Hello, > > I was wondering if anyone was looking into enforcement of strong > passwords. > I'm not a hardcore C programmer but I'm willing to help. But first > I'll have to try in getting the current version compiled. > I'm certainly willing to do some testing. Funny you should mention that. We're looking at that issue right now. What sort of things would you want to check for? min number of lower case min number of upper case min number of digits min number of alphanumerics min number of special chars no user data in password dictionary checking? If so, how? /usr/share/dict/words? > > Greetings, > Jo > >------------------------------------------------------------------------ > >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From nkinder at redhat.com Thu Jan 19 21:26:31 2006 From: nkinder at redhat.com (Nathan Kinder) Date: Thu, 19 Jan 2006 13:26:31 -0800 Subject: [Fedora-directory-users] enforce strong passwords In-Reply-To: References: Message-ID: <43D00407.4060603@redhat.com> Jo, I'm expecting to check in code for this in the next few days, so don't worry about it. Thanks for offering to help with it though! Are there any specific password complexity requirements that you could share with us? I'd like to make sure I'm writing something useful to as many different deployments as possible. -NGK Jo De Troy wrote: > Hello, > > I was wondering if anyone was looking into enforcement of strong > passwords. > I'm not a hardcore C programmer but I'm willing to help. But first > I'll have to try in getting the current version compiled. > I'm certainly willing to do some testing. > > Greetings, > Jo > >------------------------------------------------------------------------ > >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users > > From jo.de.troy at gmail.com Thu Jan 19 21:56:01 2006 From: jo.de.troy at gmail.com (Jo De Troy) Date: Thu, 19 Jan 2006 22:56:01 +0100 Subject: [Fedora-directory-users] enforce strong passwords Message-ID: Hi Nathan, Richard, I was thinking along the lines of pam_passwdqc, well part of it. The password should contain at least 3 different character categories. The categories being: lowercase, uppercase, special characters and numbers Not specifically a minumum number of uppercase/lowercase/... Off course there should be no user data in the password, it should not even contain the username as a substring. But I think that code is already in CVS. It's checking for cn, givenname, surname, ... 
attributes. A dictionary check would be nice but I would maybe make this optional. I guess that if we make the rules too stringent the end user may complain.

Greetings,
Jo

From rmeggins at redhat.com Thu Jan 19 22:01:01 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 19 Jan 2006 15:01:01 -0700
Subject: [Fedora-directory-users] enforce strong passwords
Message-ID: <43D00C1D.20508@redhat.com>

Jo De Troy wrote:
> Hi Nathan, Richard,
>
> I was thinking along the lines of pam_passwdqc, well part of it.
> The password should contain at least 3 different character categories.
> The categories being: lowercase, uppercase, special characters and numbers
> Not specifically a minimum number of uppercase/lowercase/...
> Of course there should be no user data in the password, it should not
> even contain the username as a substring. But I think that code is
> already in CVS. It's checking for cn, givenname, surname, ... attributes
> A dictionary check would be nice but I would maybe make this optional.
> I guess that if we make the rules too stringent the end user may complain

The goal would be to set up reasonable default values if the user decides to enforce strong passwords, then give them the knobs to turn up or down the strength.

> Greetings,
> Jo

From jo.de.troy at gmail.com Thu Jan 19 22:03:12 2006
From: jo.de.troy at gmail.com (Jo De Troy)
Date: Thu, 19 Jan 2006 23:03:12 +0100
Subject: [Fedora-directory-users] enforce strong passwords

Nathan, Richard,

I meant that the rules I propose combined with a minimum length (be it 6 or 8 characters) should suffice. Together with a policy that does history checking, lockouts and expiration we would have a secure enterprise setting, right? Of course I agree that fds should set up reasonable default values which can be upgraded or downgraded by the directory admin.

Greetz,
Jo

From nkinder at redhat.com Thu Jan 19 22:35:21 2006
From: nkinder at redhat.com (Nathan Kinder)
Date: Thu, 19 Jan 2006 14:35:21 -0800
Subject: [Fedora-directory-users] enforce strong passwords
Message-ID: <43D01429.2020503@redhat.com>

Jo De Troy wrote:
> Hi Nathan, Richard,
>
> I was thinking along the lines of pam_passwdqc, well part of it.
> The password should contain at least 3 different character categories.
> The categories being: lowercase, uppercase, special characters and numbers

Yes, I'm working on implementing this. The minimum number of categories would be configurable by the administrator.

> Not specifically a minimum number of uppercase/lowercase/...

I'm making this configurable too. It'll be there, but you don't need to use it.

> Of course there should be no user data in the password, it should not
> even contain the username as a substring. But I think that code is
> already in CVS. It's checking for cn, givenname, surname, ... attributes

We currently check if the password is equal to uid, cn, sn, givenname, or ou. We do not check if it's a substring. I'm changing this behavior to check if it's a substring.
> A dictionary check would be nice but I would maybe make this optional.
> I guess that if we make the rules too stringent the end user may complain

Default rules would be a minimum password length of 8 with a minimum of 3 character categories. It would also check the attribute values I mentioned above if those values are 3 or more characters in length (this length would be configurable). It sounds like this would meet your requirements.

-NGK

> Greetings,
> Jo

From craigwhite at azapple.com Fri Jan 20 00:20:51 2006
From: craigwhite at azapple.com (Craig White)
Date: Thu, 19 Jan 2006 17:20:51 -0700
Subject: [Fedora-directory-users] NT Password Hash Storage
In-Reply-To: <43CFED8A.3020605@redhat.com>
References: <43C7E4FA.8000102@auspicecorp.com> <1137190254.17544.3.camel@lin-workstation.azapple.com> <43CFEACA.1070103@auspicecorp.com> <43CFED8A.3020605@redhat.com>
Message-ID: <1137716451.7954.7.camel@lin-workstation.azapple.com>

That shouldn't be necessary for samba users.

smb.conf - global section

ldap passwd sync = yes

from man page for smb.conf

ldap passwd sync (G)
    This option is used to define whether or not Samba should sync the LDAP password with the NT and LM hashes for normal accounts (NOT for workstation, server or domain trusts) on a password change via SAMBA.

    The ldap passwd sync can be set to one of three values:

    Yes = Try to update the LDAP, NT and LM passwords and update the pwdLastSet time.
    No = Update NT and LM passwords and update the pwdLastSet time.
    Only = Only update the LDAP password and let the LDAP server do the rest.

Of course this only handles instances where the user changes his windows password from Windows but that was the direction of the OP as I understood him.
Craig

On Thu, 2006-01-19 at 12:50 -0700, Richard Megginson wrote:
> Yes. We need a plug-in that will take updates to userPassword and
> update sambaNTPassword (and vice versa) and possibly other related
> things like the sambaLMPassword.
>
> Any volunteers? Mark McLoughlin posted some pyldap code that does this,
> and I believe OpenLDAP has a samba module/overlay that does this.
>
> Roger Spencer wrote:
> > Craig White wrote:
> >>><..snip..>
> >>----
> >>I am unclear how you are doing authentication by Windows users to the
> >>network in a normal login...via AD?
> >>
> >>anyway, my inclination is to setup Fedora-DS to use samba schema
> >>
> >>http://directory.fedora.redhat.com/wiki/Howto:Samba
> >>
> >>as that would give you a sambaNTPassword attribute which is normally the
> >>hashed password as expected but how that relates to question
> >>#2...updating the hash when the user changes their password...I suppose
> >>that would depend upon the chain of events that occur where/when the
> >>user changes their password...how is this information going to be sent
> >>to fedora-ds?
> >>
> >>Craig
> >
> > When I arrived on the scene, network authentication for windows
> > clients consisted of setting a local user id and password on a PC and
> > setting the same user id and password on a stand-alone samba server.
> > Of course, users had different ids for email, vpn, shared-keys for
> > wireless, etc. and passwords never changed (there was a partial NIS
> > setup going, so all was not bleak).
> >
> > What I'm doing is consolidating it all into FDS with the benefit of a
> > password policy. The samba schema worked great and also gets samba
> > using FDS for authentication. But this leaves one question: what to
> > do about having two sets of passwords in FDS?
> >
> > With samba running as an NT domain controller, and having PCs join the
> > domain, samba should take care of keeping the sambaNTPassword correct
> > when a Windows user changes their password. But what of the
> > userPassword attribute? What happens when that same user does an ssh
> > session into a Linux server, which if I understand correctly, will use
> > the userPassword attribute for authentication?
> >
> > Is there a way to keep the two password attributes in sync? I'm not
> > sure if it's possible to have all devices needing to do authentication
> > to use the NT style.

From craigwhite at azapple.com Fri Jan 20 00:22:26 2006
From: craigwhite at azapple.com (Craig White)
Date: Thu, 19 Jan 2006 17:22:26 -0700
Subject: [Fedora-directory-users] How can I get Fedora Redhat to recognize an external usb drive with NTFS ???
Message-ID: <1137716546.7954.9.camel@lin-workstation.azapple.com>

On Thu, 2006-01-19 at 14:57 -0500, Wayne Miller wrote:
>
----
start by asking the right list...

fedora-list mailing list
fedora-list at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-list

This is the fedora-directory mail list.
Craig

From hyc at symas.com Fri Jan 20 00:53:51 2006
From: hyc at symas.com (Howard Chu)
Date: Thu, 19 Jan 2006 16:53:51 -0800
Subject: [Fedora-directory-users] Re: enforce strong passwords
In-Reply-To: <20060120002120.1D96A734CA@hormel.redhat.com>
References: <20060120002120.1D96A734CA@hormel.redhat.com>
Message-ID: <43D0349F.20607@symas.com>

> Message: 5
> Date: Thu, 19 Jan 2006 14:25:16 -0700
> From: Richard Megginson
>
> Jo De Troy wrote:
>> Hello,
>>
>> I was wondering if anyone was looking into enforcement of strong
>> passwords.
>> I'm not a hardcore C programmer but I'm willing to help. But first
>> I'll have to try to get the current version compiled.
>> I'm certainly willing to do some testing.
>
> Funny you should mention that. We're looking at that issue right now.
> What sort of things would you want to check for?
> min number of lower case
> min number of upper case
> min number of digits
> min number of alphanumerics
> min number of special chars
> no user data in password
> dictionary checking? If so, how? /usr/share/dict/words?

For OpenLDAP's password policy module we define an attribute in the policy object that gives the pathname of a dynamically loaded module that can perform further quality checks. We pass in the password that is being set, an error string pointer, and the user's current entry and get a yes/no result code back. I suggest a similar approach here; it's too limiting to just hardcode one set of rules into the server. (Heck, if we used SLAPI, we could write these modules interchangeably between OpenLDAP and FDS.) Symas currently has a module that checks against cracklib. You could bundle one or two standard modules and go from there. Probably we should have extended our API to include a pointer to the current policy object as well. The point is to make the API simple enough and expressive enough that end-users can plug in whatever constraints they want.

--
Howard Chu
Chief Architect, Symas Corp.
http://www.symas.com
Director, Highland Sun
http://highlandsun.com/hyc
OpenLDAP Core Team
http://www.openldap.org/project/

From rmeggins at redhat.com Fri Jan 20 01:16:38 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 19 Jan 2006 18:16:38 -0700
Subject: [Fedora-directory-users] Re: enforce strong passwords
In-Reply-To: <43D0349F.20607@symas.com>
References: <20060120002120.1D96A734CA@hormel.redhat.com> <43D0349F.20607@symas.com>
Message-ID: <43D039F6.2050303@redhat.com>

Howard Chu wrote:
> For OpenLDAP's password policy module we define an attribute in the
> policy object that gives the pathname of a dynamically loaded module
> that can perform further quality checks. We pass in the password that
> is being set, an error string pointer, and the user's current entry
> and get a yes/no result code back. I suggest a similar approach here;
> it's too limiting to just hardcode one set of rules into the server.
> (Heck, if we used SLAPI, we could write these modules interchangeably
> between OpenLDAP and FDS.) Symas currently has a module that checks
> against cracklib. You could bundle one or two standard modules and go
> from there. Probably we should have extended our API to include a
> pointer to the current policy object as well. The point is to make the
> API simple enough and expressive enough that end-users can plug in
> whatever constraints they want.

Yes. That's the intention - make password policy pluggable. It's going to be a bit more work to add the entry points to the code. We should support the attribute that you described.

From markmc at redhat.com Fri Jan 20 07:37:33 2006
From: markmc at redhat.com (Mark McLoughlin)
Date: Fri, 20 Jan 2006 07:37:33 +0000
Subject: [Fedora-directory-users] NT Password Hash Storage
In-Reply-To: <1137716451.7954.7.camel@lin-workstation.azapple.com>
References: <43C7E4FA.8000102@auspicecorp.com> <1137190254.17544.3.camel@lin-workstation.azapple.com> <43CFEACA.1070103@auspicecorp.com> <43CFED8A.3020605@redhat.com> <1137716451.7954.7.camel@lin-workstation.azapple.com>
Message-ID: <1137742653.3742.3.camel@localhost.localdomain>

On Thu, 2006-01-19 at 17:20 -0700, Craig White wrote:
> That shouldn't be necessary for samba users.
>
> smb.conf - global section
>
> ldap passwd sync = yes
>
> from man page for smb.conf
>
> ldap passwd sync (G)
>     This option is used to define whether or not Samba should sync
>     the LDAP password with the NT and LM hashes for normal accounts
>     (NOT for workstation, server or domain trusts) on a password
>     change via SAMBA.
             ^^^^^^^^^

Right, but if you want to allow password directly through the directory, you'd need a plugin which updates the NT and LM hashes.

Cheers,
Mark.

From jo.de.troy at gmail.com Fri Jan 20 08:53:15 2006
From: jo.de.troy at gmail.com (Jo De Troy)
Date: Fri, 20 Jan 2006 09:53:15 +0100
Subject: [Fedora-directory-users] Re: enforce strong passwords

Hi Nathan,

yep this would meet my requirements.
As an aside: Would it be in scope of this project to have a web interface to allow the users to change their passwords? If the end users don't have a valid shell on a Unix box and they need to change their password.

Would the ldapserver give back meaningful errors as to why a password change was rejected?

Maybe a stupid question: Will changing the password via ldappasswd enforce all the policies set? (e.g. password history, lockout, expiration) If ldappasswd does this, I guess it does, I guess a web interface would basically be a frontend to ldappasswd.

Greetings,
Jo

From ldragon at freemail.hu Fri Jan 20 09:40:38 2006
From: ldragon at freemail.hu (Little Dragon)
Date: Fri, 20 Jan 2006 10:40:38 +0100 (CET)
Subject: [Fedora-directory-users] Admin Server or Console problem
In-Reply-To: <43CFA7CD.4080404@redhat.com>

Hi Richard,

> Why was the port changed? Is the admin server listening to port 1500 or
> port 51321?

I just reinstalled FDS and left the default port generated by the install script. The actual port is 51321.

Richard Megginson wrote:
> Little Dragon wrote:
> >Hi Richard,
> >I reinstalled with custom install.
> >
> >can you telnet hostname 1500
> >Yes I can. (Port changed to 51321)
>
> Why was the port changed? Is the admin server listening to port 1500 or
> port 51321?
>
> >The result:
> >[root at vpclinux fedora-ds]# telnet vpclinux 51321
> >Trying xxx.xxx.xxx.xxx...
> >Connected to vpclinux.emea.tcs.com (xxx.xxx.xxx.xxx).
> >Escape character is '^]'.
> >
> >*************************************
> >can you use your web browser to connect to http://hostname:1500/
> >Yes I can. I can see the pages check admin-server info and
> >log, ldap server info and log.
> >
> >As from the hostname you can see this linux (Fedora Core 4)
> >run on a virtual PC (Microsoft Virtual PC 2004), I just
> >wanted to try the directory server.
> >
> >Any other idea, things to check?
> >Are there any debug level option on admin-server and/or
> >console side?
> >
> >TIA,
> >Laszlo
> >
> >Little Dragon wrote:
> >>Hi,
> >>
> >>I have installed fedora-ds-1.0.1-1.FC4.i386.opt.rpm
> >>and SUN java: j2re-1_4_2_10-linux-i586.rpm
> >>Then set the JAVA_HOME env. Variable.
> >>
> >>After the Typical install the ldapsearch works (I get results).
> >>(ldapsearch -x -h localhost -p 389 -b "o=NetscapeRoot")
> >>
> >>But I can not start the console.
> >>startconsole -u admin -a http://vpclinux:1500
> >>
> >>I always get the error: Cannot connect to the Admin Server "http://hostname:1500"
> >>The URL is not correct or the server is not running.
> >
> >can you
> >telnet hostname 1500
> >?
> >can you use your web browser to connect to
> >http://hostname:1500/
> >?
> >
> >>I can see the ns-slapd and httpd.worker processes running
> >>(one ns-slapd and 3 httpd.worker processes are running)
> >>
> >>I read all the docs on the web and the FAQ at redhat
> >>(Troubleshooting)
> >>Troubleshooting can not help: - there is no
> >>"admin-serv/config/jvm12.conf", (I created but
> >>no effect)
> >>- there is no "/bin/https/bin/start-jvm" file
> >>so I can not edit
> >>
> >>After 3 days I am out of ideas.
> >>Could anybody help?
> >>
> >>TIA,
> >>Laszlo

From craigwhite at azapple.com Fri Jan 20 13:46:10 2006
From: craigwhite at azapple.com (Craig White)
Date: Fri, 20 Jan 2006 06:46:10 -0700
Subject: [Fedora-directory-users] NT Password Hash Storage
In-Reply-To: <1137742653.3742.3.camel@localhost.localdomain>
References: <43C7E4FA.8000102@auspicecorp.com> <1137190254.17544.3.camel@lin-workstation.azapple.com> <43CFEACA.1070103@auspicecorp.com> <43CFED8A.3020605@redhat.com> <1137716451.7954.7.camel@lin-workstation.azapple.com> <1137742653.3742.3.camel@localhost.localdomain>
Message-ID: <1137764770.7954.78.camel@lin-workstation.azapple.com>

On Fri, 2006-01-20 at 07:37 +0000, Mark McLoughlin wrote:
> On Thu, 2006-01-19 at 17:20 -0700, Craig White wrote:
> > That shouldn't be necessary for samba users.
> >
> > smb.conf - global section
> >
> > ldap passwd sync = yes
> >
> > from man page for smb.conf
> >
> > ldap passwd sync (G)
> >     This option is used to define whether or not Samba should sync
> >     the LDAP password with the NT and LM hashes for normal accounts
> >     (NOT for workstation, server or domain trusts) on a password
> >     change via SAMBA.
>              ^^^^^^^^^
>
> Right, but if you want to allow password directly through the
> directory, you'd need a plugin which updates the NT and LM hashes.
----
I presume that you are speaking of setting the sambaNTPassword and sambaLMPassword attributes from the console application. That would be nice. In fact, there should be a 'view/edit template' for samba attributes similar to that for the posix stuff too.
The OP was interested in changing via samba and that was the basis of my answer.

Craig

From markmc at redhat.com Fri Jan 20 13:49:32 2006
From: markmc at redhat.com (Mark McLoughlin)
Date: Fri, 20 Jan 2006 13:49:32 +0000
Subject: [Fedora-directory-users] NT Password Hash Storage
In-Reply-To: <1137764770.7954.78.camel@lin-workstation.azapple.com>
References: <43C7E4FA.8000102@auspicecorp.com> <1137190254.17544.3.camel@lin-workstation.azapple.com> <43CFEACA.1070103@auspicecorp.com> <43CFED8A.3020605@redhat.com> <1137716451.7954.7.camel@lin-workstation.azapple.com> <1137742653.3742.3.camel@localhost.localdomain> <1137764770.7954.78.camel@lin-workstation.azapple.com>
Message-ID: <1137764972.7553.2.camel@localhost.localdomain>

On Fri, 2006-01-20 at 06:46 -0700, Craig White wrote:
> I presume that you are speaking of setting the sambaNTPassword and
> sambaLMPassword attributes from the console application.

Nope, it would be a slapd plugin which would automatically update those attributes when you change the userPassword attribute.

Cheers,
Mark.

From lesmikesell at gmail.com Fri Jan 20 14:09:39 2006
From: lesmikesell at gmail.com (Les Mikesell)
Date: Fri, 20 Jan 2006 08:09:39 -0600
Subject: [Fedora-directory-users] NT Password Hash Storage
In-Reply-To: <1137764770.7954.78.camel@lin-workstation.azapple.com>
References: <43C7E4FA.8000102@auspicecorp.com> <1137190254.17544.3.camel@lin-workstation.azapple.com> <43CFEACA.1070103@auspicecorp.com> <43CFED8A.3020605@redhat.com> <1137716451.7954.7.camel@lin-workstation.azapple.com> <1137742653.3742.3.camel@localhost.localdomain> <1137764770.7954.78.camel@lin-workstation.azapple.com>
Message-ID: <1137766178.26828.12.camel@les-home.futuresource.com>

On Fri, 2006-01-20 at 07:46, Craig White wrote:
> > Right, but if you want to allow password directly through the
> > directory, you'd need a plugin which updates the NT and LM hashes.
> ----
> I presume that you are speaking of setting the sambaNTPassword and
> sambaLMPassword attributes from the console application. That would be
> nice. In fact, there should be a 'view/edit template' for samba
> attributes similar to that for the posix stuff too.
>
> The OP was interested in changing via samba and that was the basis of my
> answer.

Doesn't running sambapasswd from the command line do that if you have set samba up to sync? Or is it only when changed from windows? Does pam have password-changing hooks that can be used to make all password changes work the same way for any pam-aware app?

--
Les Mikesell
lesmikesell at gmail.com

From dshackel at arbor.edu Fri Jan 20 14:13:18 2006
From: dshackel at arbor.edu (Daniel Shackelford)
Date: Fri, 20 Jan 2006 09:13:18 -0500
Subject: [Fedora-directory-users] Grabbing unix crypt of password
Message-ID: <43D0EFFE.6000100@arbor.edu>

Hello,

We have scripts that are currently looking at our Win2003 and grabbing the user passwords via SFU. This is in a Unix crypt format, and it is then stuffed into the local passwd file and httpauth file on our HPUX server. We are attempting to move to FDS and it would be super nice if we could just change a few lines of our current scripts to get the password crypts from there instead.

Are my hopes too high?
--
Daniel Shackelford
Systems Administrator
Technology Services
Spring Arbor University
517 750-6648

"For even the Son of Man did not come to be served, but to serve, and to give His life a ransom for many" Mark 10:45

From craigwhite at azapple.com Fri Jan 20 14:15:08 2006
From: craigwhite at azapple.com (Craig White)
Date: Fri, 20 Jan 2006 07:15:08 -0700
Subject: [Fedora-directory-users] NT Password Hash Storage
In-Reply-To: <1137764972.7553.2.camel@localhost.localdomain>
References: <43C7E4FA.8000102@auspicecorp.com> <1137190254.17544.3.camel@lin-workstation.azapple.com> <43CFEACA.1070103@auspicecorp.com> <43CFED8A.3020605@redhat.com> <1137716451.7954.7.camel@lin-workstation.azapple.com> <1137742653.3742.3.camel@localhost.localdomain> <1137764770.7954.78.camel@lin-workstation.azapple.com> <1137764972.7553.2.camel@localhost.localdomain>
Message-ID: <1137766509.7954.91.camel@lin-workstation.azapple.com>

On Fri, 2006-01-20 at 13:49 +0000, Mark McLoughlin wrote:
> On Fri, 2006-01-20 at 06:46 -0700, Craig White wrote:
> > I presume that you are speaking of setting the sambaNTPassword and
> > sambaLMPassword attributes from the console application.
>
> Nope, it would be a slapd plugin which would automatically update those
> attributes when you change the userPassword attribute.
----
of course you would have an on/off switch for that since I don't think that everyone desires that function and for the most part, has other ways of obtaining that already (hence simultaneous updates of userPassword/sambaNTPassword/sambaLMPassword attributes from their client applications).

Craig

From craigwhite at azapple.com Fri Jan 20 14:23:45 2006
From: craigwhite at azapple.com (Craig White)
Date: Fri, 20 Jan 2006 07:23:45 -0700
Subject: [Fedora-directory-users] NT Password Hash Storage
In-Reply-To: <1137766178.26828.12.camel@les-home.futuresource.com>
References: <43C7E4FA.8000102@auspicecorp.com> <1137190254.17544.3.camel@lin-workstation.azapple.com> <43CFEACA.1070103@auspicecorp.com> <43CFED8A.3020605@redhat.com> <1137716451.7954.7.camel@lin-workstation.azapple.com> <1137742653.3742.3.camel@localhost.localdomain> <1137764770.7954.78.camel@lin-workstation.azapple.com> <1137766178.26828.12.camel@les-home.futuresource.com>
Message-ID: <1137767025.7954.99.camel@lin-workstation.azapple.com>

On Fri, 2006-01-20 at 08:09 -0600, Les Mikesell wrote:
> On Fri, 2006-01-20 at 07:46, Craig White wrote:
> > > Right, but if you want to allow password directly through the
> > > directory, you'd need a plugin which updates the NT and LM hashes.
> > ----
> > I presume that you are speaking of setting the sambaNTPassword and
> > sambaLMPassword attributes from the console application. That would be
> > nice. In fact, there should be a 'view/edit template' for samba
> > attributes similar to that for the posix stuff too.
> >
> > The OP was interested in changing via samba and that was the basis of my
> > answer.
>
> Doesn't running sambapasswd from the command line do that if you
> have set samba up to sync? Or is it only when changed from
> windows? Does pam have password-changing hooks that can be
> used to make all password changes work the same way for
> any pam-aware app?
----
password changes via smbpasswd would change userPassword attribute if 'ldap passwd sync = yes' in smb.conf

I wouldn't know about pam capabilities but I don't think so.
Craig

From rmeggins at redhat.com Fri Jan 20 14:48:52 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 20 Jan 2006 07:48:52 -0700
Subject: [Fedora-directory-users] Grabbing unix crypt of password
In-Reply-To: <43D0EFFE.6000100@arbor.edu>
References: <43D0EFFE.6000100@arbor.edu>
Message-ID: <43D0F854.1080606@redhat.com>

Daniel Shackelford wrote:
> Hello,
>
> We have scripts that are currently looking at our Win2003 and grabbing
> the user passwords via SFU. This is in a Unix crypt format, and it is
> then stuffed into the local passwd file and httpauth file on our HPUX
> server. We are attempting to move to FDS and it would be super nice
> if we could just change a few lines of our current scripts to get the
> password crypts from there instead.

So, grab the crypt'ed password from Win2003 and store that as the userPassword attribute in FDS? Sure, FDS supports crypt.

> Are my hopes too high?

From rmeggins at redhat.com Fri Jan 20 14:52:13 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 20 Jan 2006 07:52:13 -0700
Subject: [Fedora-directory-users] Admin Server or Console problem
Message-ID: <43D0F91D.8090808@redhat.com>

Little Dragon wrote:
>Hi Richard,
>
>>Why was the port changed? Is the admin server listening to port 1500 or
>>port 51321?
>
>I just reinstalled FDS and left the default port generated
>by the install script.
>The actual port is 51321

I still don't understand. Is the admin server listening to port 1500 or port 51321? Check admin-serv/config/adm.conf.

>Richard Megginson wrote:
>>Little Dragon wrote:
>>>Hi Richard,
>>>I reinstalled with custom install.
>>>
>>>can you telnet hostname 1500
>>>Yes I can. (Port changed to 51321)
>>
>>Why was the port changed? Is the admin server listening to port 1500 or
>>port 51321?
>>
>>>The result:
>>>[root at vpclinux fedora-ds]# telnet vpclinux 51321
>>>Trying xxx.xxx.xxx.xxx...
>>>Connected to vpclinux.emea.tcs.com (xxx.xxx.xxx.xxx).
>>>Escape character is '^]'.
>>>
>>>*************************************
>>>can you use your web browser to connect to http://hostname:1500/
>>>Yes I can. I can see the pages check admin-server info and
>>>log, ldap server info and log.
>>>
>>>As from the hostname you can see this linux (Fedora Core 4)
>>>run on a virtual PC (Microsoft Virtual PC 2004), I just
>>>wanted to try the directory server.
>>>
>>>Any other idea, things to check?
>>>Are there any debug level option on admin-server and/or
>>>console side?
>>>
>>>TIA,
>>>Laszlo
>>>
>>>Little Dragon wrote:
>>>>Hi,
>>>>
>>>>I have installed fedora-ds-1.0.1-1.FC4.i386.opt.rpm
>>>>and SUN java: j2re-1_4_2_10-linux-i586.rpm
>>>>Then set the JAVA_HOME env. Variable.
>>>>
>>>>After the Typical install the ldapsearch works (I get results).
>>>>(ldapsearch -x -h localhost -p 389 -b "o=NetscapeRoot")
>>>>
>>>>But I can not start the console.
>>>>startconsole -u admin -a http://vpclinux:1500
>>>>
>>>>I always get the error: Cannot connect to the Admin Server "http://hostname:1500"
>>>>The URL is not correct or the server is not running.
>>>
>>>can you
>>>telnet hostname 1500
>>>?
>>>can you use your web browser to connect to
>>>http://hostname:1500/
>>>?
>>>> I can see the ns-slapd and httpd.worker processes running
>>>> (one ns-slapd and 3 httpd.worker processes are running)
>>>>
>>>> I read all the docs on the web and the FAQ at redhat
>>>> (Troubleshooting)
>>>> Troubleshooting can not help:
>>>> - there is no "admin-serv/config/jvm12.conf" (I created it but
>>>> no effect)
>>>> - there is no "/bin/https/bin/start-jvm" file
>>>> so I can not edit it
>>>>
>>>> After 3 days I am out of ideas.
>>>> Could anybody help?
>>>>
>>>> TIA,
>>>> Laszlo
From rmeggins at redhat.com Fri Jan 20 14:59:49 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 20 Jan 2006 07:59:49 -0700
Subject: [Fedora-directory-users] Re: enforce strong passwords
In-Reply-To:
References:
Message-ID: <43D0FAE5.2020504@redhat.com>

Jo De Troy wrote:
> Hi Nathan,
>
> yep this would meet my requirements.
> As an aside: Would it be in scope of this project to have a
> webinterface to allow the users to change their passwords?
> If the endusers don't have a valid shell on a Unix box and they need
> to change their password.

The Directory Server Gateway web application included with Fedora DS
allows users to change their password.

> Would the ldapserver give back meaningful errors as to why a password
> change was rejected?

The LDAP password policy draft does not break things down into quite the
level of detail you might need. We'll see if we can extend it.

> Maybe a stupid question: Will changing the password via ldappasswd
> enforce all the policies set? (e.g. password history, lockout,
> expiration)
> If ldappasswd does this, I guess it does, I guess a webinterface would
> basically be a frontend to ldappasswd.
>
> Greetings,
> Jo
From david_list at boreham.org Fri Jan 20 15:21:42 2006
From: david_list at boreham.org (David Boreham)
Date: Fri, 20 Jan 2006 08:21:42 -0700
Subject: [Fedora-directory-users] Grabbing unix crypt of password
In-Reply-To: <43D0EFFE.6000100@arbor.edu>
References: <43D0EFFE.6000100@arbor.edu>
Message-ID: <43D10006.6040308@boreham.org>

Daniel Shackelford wrote:
> We have scripts that are currently looking at our Win2003 and grabbing
> the user passwords via SFU. This is in a Unix crypt format, and it is
> then stuffed into the local passwd file and httpauth file on our HPUX
> server. We are attempting to move to FDS and it would be super nice
> if we could just change a few lines of our current scripts to get the
> password crypts from there instead.
>
> Are my hopes too high?

Perhaps not. This is essentially exactly what the 'passsync' service for
the FDS Windows Sync feature does (except it sends the plaintext password
over the wire, SSL protected, and lets FDS do the crypting). You could
modify your existing script (add a call to 'ldapmodify'). You might take
a look at the passsync source code for some inspiration on how to find
the entry to modify in the DS, and so on.

From brudy at praecogito.com Fri Jan 20 18:35:13 2006
From: brudy at praecogito.com (Brian Rudy)
Date: Fri, 20 Jan 2006 10:35:13 -0800
Subject: [Fedora-directory-users] Samba PDC using FDS backend
In-Reply-To: <43C446A2.4080903@sci.fi>
References: <43BB0286.6000401@praecogito.com> <43BB0404.2030307@redhat.com> <43BB180E.70406@praecogito.com> <43C2BF16.6040105@praecogito.com> <43C2DB18.9080103@redhat.com> <43C433B5.6010406@praecogito.com> <43C446A2.4080903@sci.fi>
Message-ID: <43D12D61.8060205@praecogito.com>

Mike Jackson wrote:
> Brian Rudy wrote:
>> Bug 177473 has been created.
>>
>> Pete Rowley wrote:
>>
>>> Please create a bug and attach your (zipped) gibberish file.
>>> Bad schema should be logged (at least) - assuming the gibberish didn't
>>> actually form a valid schema component somehow.
>
> Hi,
> I am the author of that tool.
>
> There is no bug in the script which could cause this problem you have
> described. This problem is likely caused by bad memory on your machine
> or a kernel or filesystem bug.
>
> Are you able to reproduce this multiple times and provide multiple
> corrupted output files? And are they all identical (checked with
> openssl sha)?
>
> Example:
>
> openssl sha README.txt
> SHA(README.txt)= d9f24b5f0a2b26e8c498a3b4b9d3b34361c41e56
>
> What about reproducing it on more than one machine?
>
> BR,
> --
> mike

Hi Mike,

This far I have only seen this happen one time. I tried multiple times
with the same machine and a few other development boxes with no success.
It's certainly possible that I mistyped something during the initial
schema conversion step, but I don't see how it would have produced this
file either.

From brudy at praecogito.com Fri Jan 20 19:24:06 2006
From: brudy at praecogito.com (Brian Rudy)
Date: Fri, 20 Jan 2006 11:24:06 -0800
Subject: [Fedora-directory-users] FDS console on Windows with SSL and self-signed certificates
Message-ID: <43D138D6.2070803@praecogito.com>

Hi Folks,

I have set up Fedora Management Console on one of my Windows boxes per
the directions in the Howto:WindowsConsole Wiki, but have an issue
connecting to the Directory Server using SSL. From the Windows box FMC,
the Directory Server is listed in the Server Group, with Server status:
Stopped. In the slapd logs I see the following:

[20/Jan/2006:11:09:36 -0800] conn=4768 fd=68 slot=68 SSL connection from 192.168.128.65 to 192.168.128.4
[20/Jan/2006:11:09:36 -0800] conn=4768 op=-1 fd=68 closed - SSL peer cannot verify your certificate.

Since I am using a self-signed certificate on the directory server,
which would require installation on the client, this all appears to
make sense.
Now for the question: How does one install certificates on the client
when using JSS/NSPR/NSS as shown in the Wiki? It looks like you would
need to create your own cert7.db and key3.db with certutil, and import
the Server-Cert, but I'm a bit confused as to where the .db files should
be located, and what they should be named.

Has anyone done this who wouldn't mind sharing?

From gholbert at broadcom.com Fri Jan 20 19:34:00 2006
From: gholbert at broadcom.com (George Holbert)
Date: Fri, 20 Jan 2006 11:34:00 -0800
Subject: [Fedora-directory-users] FDS console on Windows with SSL and self-signed certificates
In-Reply-To: <43D138D6.2070803@praecogito.com>
References: <43D138D6.2070803@praecogito.com>
Message-ID: <43D13B28.2090503@broadcom.com>

Hi Brian,
When running the console on Unix, these files are created under
$HOME/.mcc.

ls -l ~/.mcc
total 178
-rw-r--r--   1 root     other        226 Jan 12 14:27 Console.4.0.Login.preferences
-rw-------   1 root     other      65536 Aug 16 18:32 cert8.db
-rw-------   1 root     other      32768 Aug 16 18:32 key3.db
-rw-------   1 root     other      32768 Aug 16 18:32 secmod.db

I'm not sure where this stuff would be created on Windows, but might
be under C:\Documents and Settings\\.mcc ? Just a guess.

-- George

Brian Rudy wrote:
> Hi Folks,
>
> I have set up Fedora Management Console on one of my Windows boxes per
> the directions in the Howto:WindowsConsole Wiki, but have an issue
> connecting to the Directory Server using SSL. From the Windows box
> FMC, the Directory Server is listed in the Server Group, with Server
> status: Stopped. In the slapd logs I see the following:
>
> [20/Jan/2006:11:09:36 -0800] conn=4768 fd=68 slot=68 SSL connection
> from 192.168.128.65 to 192.168.128.4
> [20/Jan/2006:11:09:36 -0800] conn=4768 op=-1 fd=68 closed - SSL peer
> cannot verify your certificate.
>
> Since I am using a self-signed certificate on the directory server,
> which would require installation on the client, this all appears to
> make sense.
> Now for the question: How does one install certificates on
> the client when using JSS/NSPR/NSS as shown in the Wiki? It looks like
> you would need to create your own cert7.db and key3.db with certutil,
> and import the Server-Cert, but I'm a bit confused as to where the .db
> files should be located, and what they should be named.
>
> Has anyone done this who wouldn't mind sharing?

From brudy at praecogito.com Fri Jan 20 22:08:10 2006
From: brudy at praecogito.com (Brian Rudy)
Date: Fri, 20 Jan 2006 14:08:10 -0800
Subject: [Fedora-directory-users] FDS console on Windows with SSL and self-signed certificates
In-Reply-To: <43D13B28.2090503@broadcom.com>
References: <43D138D6.2070803@praecogito.com> <43D13B28.2090503@broadcom.com>
Message-ID: <43D15F4A.2060605@praecogito.com>

Thanks George,

This is indeed the location of cert7.db and key3.db. I was able to get
it working by importing the self-signed certificate with pk12util.
(ex. pk12util -i servercert.pfx -d C:\Documents and Settings\\.mcc)

This might be sufficiently useful for inclusion in the Wiki.

George Holbert wrote:
> Hi Brian,
> When running the console on Unix, these files are created under
> $HOME/.mcc.
>
> ls -l ~/.mcc
> total 178
> -rw-r--r--   1 root     other        226 Jan 12 14:27 Console.4.0.Login.preferences
> -rw-------   1 root     other      65536 Aug 16 18:32 cert8.db
> -rw-------   1 root     other      32768 Aug 16 18:32 key3.db
> -rw-------   1 root     other      32768 Aug 16 18:32 secmod.db
>
> I'm not sure where this stuff would be created on Windows, but might
> be under C:\Documents and Settings\\.mcc ? Just a guess.
>
> -- George
>
> Brian Rudy wrote:
>>
>> Since I am using a self-signed certificate on the directory server,
>> which would require installation on the client, this all appears to
>> make sense.
>> Now for the question: How does one install certificates
>> on the client when using JSS/NSPR/NSS as shown in the Wiki? It looks
>> like you would need to create your own cert7.db and key3.db with
>> certutil, and import the Server-Cert, but I'm a bit confused as to
>> where the .db files should be located, and what they should be named.
>>
>> Has anyone done this who wouldn't mind sharing?

From mj at sci.fi Sat Jan 21 09:53:20 2006
From: mj at sci.fi (Mike Jackson)
Date: Sat, 21 Jan 2006 11:53:20 +0200
Subject: [Fedora-directory-users] Samba PDC using FDS backend
In-Reply-To: <43D12D61.8060205@praecogito.com>
References: <43BB0286.6000401@praecogito.com> <43BB0404.2030307@redhat.com> <43BB180E.70406@praecogito.com> <43C2BF16.6040105@praecogito.com> <43C2DB18.9080103@redhat.com> <43C433B5.6010406@praecogito.com> <43C446A2.4080903@sci.fi> <43D12D61.8060205@praecogito.com>
Message-ID: <43D20490.2000202@sci.fi>

Brian Rudy wrote:
> This far I have only seen this happen one time. I tried multiple times
> with the same machine and a few other development boxes with no success.
> It's certainly possible that I mistyped something during the initial
> schema conversion step, but I don't see how it would have produced this
> file either.

OK, I would consider this case closed, but I don't have that type of
rights in the bugzilla. Maybe Rich or one of the others can close it.
BR,
Mike

From brudy at praecogito.com Sat Jan 21 20:03:22 2006
From: brudy at praecogito.com (Brian Rudy)
Date: Sat, 21 Jan 2006 12:03:22 -0800
Subject: [Fedora-directory-users] Samba PDC using FDS backend
In-Reply-To: <43D20490.2000202@sci.fi>
References: <43BB0286.6000401@praecogito.com> <43BB0404.2030307@redhat.com> <43BB180E.70406@praecogito.com> <43C2BF16.6040105@praecogito.com> <43C2DB18.9080103@redhat.com> <43C433B5.6010406@praecogito.com> <43C446A2.4080903@sci.fi> <43D12D61.8060205@praecogito.com> <43D20490.2000202@sci.fi>
Message-ID: <43D2938A.90801@praecogito.com>

Mike Jackson wrote:
> Brian Rudy wrote:
>
>> This far I have only seen this happen one time. I tried multiple
>> times with the same machine and a few other development boxes with no
>> success. It's certainly possible that I mistyped something during the
>> initial schema conversion step, but I don't see how it would have
>> produced this file either.
>
> OK, I would consider this case closed, but I don't have that type of
> rights in the bugzilla. Maybe Rich or one of the others can close it.
>
> BR,
> Mike

There are two problems listed in the bug:

1) OpenLDAP schema file conversion produces invalid LDIF.
2) slapd does not complain that it is unable to read said LDIF.

For the moment, we can assume PEBKAC for #1, but #2 warrants further
scrutiny.

--
Brian Rudy (brudyNO at SPAMpraecogito.com)
Funky Monkey
Praecogito=>Thinking Ahead... -- Tweaking your inner geek.

From bikerepairman at gmail.com Mon Jan 23 08:55:12 2006
From: bikerepairman at gmail.com (Bikerepairman -)
Date: Mon, 23 Jan 2006 09:55:12 +0100
Subject: [Fedora-directory-users] ldap scheme/site survey troubles
Message-ID:

Hi,

I'm new at ldap/directory services, and I'd like to get some advice
setting up a directory server. While reading the docs, some things are
clear while other things are not that clear. I'm at the stage of
survey/scheme drawing now.
The directory server will be used for authenticating and assigning
rights/quota for about 70 users. This is for a hobby network and we're
migrating the servers from windows to linux. I myself have used linux
for 1 ½ years now.

What I got so far is the following:

2 domains (one primary, one for experimenting)
3 servers (file-, gateway/proxy- and web; can be expanded to 9)
4 user groups (users, companies, power-users and administrators)
8 services (pop mail, imap mail, sendmail/postfix, website/homepages, ftp, samba and nfs, dns)

The organisation (non-profit) is called dins. And we live in the
Netherlands. Our top-level name should be o=dins, c=nl.

After this I begin to run in circles. I think I fail to see something.
Who is willing to help me getting the scheme right and/or discuss it
over the mail?

From ABliss at preferredcare.org Mon Jan 23 19:23:10 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Mon, 23 Jan 2006 14:23:10 -0500
Subject: [Fedora-directory-users] Couple of questions on ldapsearch queries
Message-ID:

I'm sure that you guys will know how to run these queries against my
directory servers (pardon the newbie questions), but can you tell me how
to:

1. Check last time passwords were changed (similar functionality to
chage)

2. check when passwords are due to expire (similar functionality to
chage)

3. Return list of users who have access to a specific server (I'm using
the host attribute in order to restrict access to servers) i.e. show
list of users who have access to serverA

Thanks very much for your help.

Aaron

www.preferredcare.org
"An Outstanding Member Experience," Preferred Care HMO Plans -- J. D. Power and Associates

Confidentiality Notice:
The information contained in this electronic message is intended for the exclusive use of the individual or entity named above and may contain privileged or confidential information.
If the reader of this message is not the intended recipient or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that dissemination, distribution or copying of this information is prohibited. If you have received this communication in error, please notify the sender immediately by telephone and destroy the copies you received.

From rmeggins at redhat.com Mon Jan 23 19:44:50 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 23 Jan 2006 12:44:50 -0700
Subject: [Fedora-directory-users] Couple of questions on ldapsearch queries
In-Reply-To:
References:
Message-ID: <43D53232.4080406@redhat.com>

Bliss, Aaron wrote:
> I'm sure that you guys will know how to run these queries against my
> directory servers (pardon the newbie questions), but can you tell me how
> to:
>
> 1. Check last time passwords were changed (similar functionality to
> chage)

We don't store that information in easy client readable form, and not at
all if you're not using replication.

> 2. check when passwords are due to expire (similar functionality to
> chage)

The operational attribute passwordExpirationTime

> 3. Return list of users who have access to a specific server (I'm using
> the host attribute in order to restrict access to servers) i.e. show
> list of users who have access to serverA

ldapsearch .... (host=serverA) uid

You will need to index the host attribute for equality if you have many
entries or you may find your performance suffers.

> Thanks very much for your help.
>
> Aaron
From julian_yap at yahoo.com Tue Jan 24 03:06:02 2006
From: julian_yap at yahoo.com (Julian Yap)
Date: Mon, 23 Jan 2006 17:06:02 -1000
Subject: [Fedora-directory-users] Installation error on RHEL 4 using a Dynamic DNS
Message-ID: <1138071962.29079.5.camel@localhost.localdomain>

Hi,

I'm trying to install FDS on a RHEL test machine. I have a dynamic
domain name for this machine (from dyndns.org).

I'm getting this error at the end of the installation:

[slapd-test]: [23/Jan/2006:16:21:46 -1000] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
Your new directory server has been started.
Created new Directory Server
Start Slapd Starting Slapd server configuration.
Fatal Slapd ERROR: Ldap authentication failed for url ldap://test.homelinux.com:389/o=NetscapeRoot user id admin (151:Unknown error.)
Fatal Slapd Did not add Directory Server information to Configuration Server.
Configuring Administration Server...
----

Any clues here? In this case, my dynamic domain name is
test.homelinux.com. I think I may have setup the hostname wrong? Or
have I done something wrong in the FDS setup?
Thanks,
Julian

From ABliss at preferredcare.org Tue Jan 24 15:17:43 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Tue, 24 Jan 2006 10:17:43 -0500
Subject: [Fedora-directory-users] Question on password changes
Message-ID:

I have a quick question on password changes; my current setup is the
following: I have 2 directory servers, single master environment
(supplier and consumer); I understand that all changes to the directory
have to be made by the supplier and are then replicated to the consumer;
when a client server binds to the consumer and a user attempts to change
their password, they receive an unknown error response from the server,
and changes are not made; simply configuring the client's ldap.conf file
to bind first with the supplier resolved this issue, however I was
wondering if it's possible to configure the consumer in such a way that
it will refer the update to take place on the supplier instead of
rejecting the change to the database? I would have thought that the
consumer would simply refer changes automatically to the supplier, but
that doesn't seem to be the case. Any thoughts? I do know that I can
configure both servers to be masters, but I was hoping to avoid this
(I've read thru some of the directory server documentation citing errors
and so forth in a multi-master environment) Thanks.

Aaron

www.preferredcare.org
"An Outstanding Member Experience," Preferred Care HMO Plans -- J. D. Power and Associates
From rmeggins at redhat.com Tue Jan 24 15:34:52 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 24 Jan 2006 08:34:52 -0700
Subject: [Fedora-directory-users] Question on password changes
In-Reply-To:
References:
Message-ID: <43D6491C.9050708@redhat.com>

Bliss, Aaron wrote:
> I have a quick question on password changes; my current setup is the
> following: I have 2 directory servers, single master environment
> (supplier and consumer); I understand that all changes to the directory
> have to be made by the supplier and are then replicated to the consumer;
> when a client server binds to the consumer and a user attempts to change
> their password, they receive an unknown error response from the server,
> and changes are not made; simply configuring the client's ldap.conf file
> to bind first with the supplier resolved this issue, however I was
> wondering if it's possible to configure the consumer in such a way that
> it will refer the update to take place on the supplier instead of
> rejecting the change to the database?

Yes, that's what should be happening. When you send the modify password
request to the consumer, it should send back a referral to the supplier.
You can see this in the access log - a MOD request followed by a
response with err=10 (referral). If however the client is using the
password modify extended operation, I don't think that is referred to
the supplier. In this case, you will see EXT as the operation type in
the access log for the request.

> I would have thought that the
> consumer would simply refer changes automatically to the supplier, but
> that doesn't seem to be the case. Any thoughts?

Check the access logs, as above.
> I do know that I can
> configure both servers to be masters, but I was hoping to avoid this
> (I've read thru some of the directory server documentation citing errors
> and so forth in a multi-master environment) Thanks.

http://directory.fedora.redhat.com/wiki/Howto:ChainOnUpdate

However, I don't think we chain the password change extended operation.

> Aaron

From ABliss at preferredcare.org Tue Jan 24 15:52:25 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Tue, 24 Jan 2006 10:52:25 -0500
Subject: [Fedora-directory-users] Question on password changes
Message-ID:

Thanks for getting back to me so quickly; I've seen the error messages
that you referenced below; can I then assume that my only alternative is
to setup a multimaster environment? Thanks.
Aaron

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com
[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard
Megginson
Sent: Tuesday, January 24, 2006 10:35 AM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Question on password changes

Bliss, Aaron wrote:
> I have a quick question on password changes; my current setup is the
> following: I have 2 directory servers, single master environment
> (supplier and consumer); I understand that all changes to the directory
> have to be made by the supplier and are then replicated to the
> consumer; when a client server binds to the consumer and a user
> attempts to change their password, they receive an unknown error
> response from the server, and changes are not made; simply configuring
> the client's ldap.conf file to bind first with the supplier resolved
> this issue, however I was wondering if it's possible to configure the
> consumer in such a way that it will refer the update to take place on
> the supplier instead of rejecting the change to the database?

Yes, that's what should be happening. When you send the modify password
request to the consumer, it should send back a referral to the supplier.
You can see this in the access log - a MOD request followed by a
response with err=10 (referral). If however the client is using the
password modify extended operation, I don't think that is referred to
the supplier. In this case, you will see EXT as the operation type in
the access log for the request.

> I would have thought that the
> consumer would simply refer changes automatically to the supplier, but
> that doesn't seem to be the case. Any thoughts?

Check the access logs, as above.

> I do know that I can
> configure both servers to be masters, but I was hoping to avoid this
> (I've read thru some of the directory server documentation citing
> errors and so forth in a multi-master environment) Thanks.
http://directory.fedora.redhat.com/wiki/Howto:ChainOnUpdate

However, I don't think we chain the password change extended operation.

> Aaron
From rmeggins at redhat.com Tue Jan 24 16:13:29 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 24 Jan 2006 09:13:29 -0700
Subject: [Fedora-directory-users] Question on password changes
In-Reply-To:
References:
Message-ID: <43D65229.6030500@redhat.com>

Bliss, Aaron wrote:
> Thanks for getting back to me so quickly; I've seen the error messages
> that you referenced below; can I then assume that my only alternative is
> to setup a multimaster environment? Thanks.

Which error messages have you seen? Are you saying that the client is
using the password modify extended operation? If so, then yes, you will
have to use multi master. If not, then single master should be fine,
and you'll need to debug the client to figure out why it's not following
the referral to the supplier.

BTW, I believe we have a bug - the consumer should send back a referral
to the supplier when it gets the password modify extended operation. We
need to add support for sending back referrals when certain extended
operations that modify data are received.

> Aaron
>
> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com
> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard
> Megginson
> Sent: Tuesday, January 24, 2006 10:35 AM
> To: General discussion list for the Fedora Directory server project.
> Subject: Re: [Fedora-directory-users] Question on password changes
>
> Bliss, Aaron wrote:
>
>> I have a quick question on password changes; my current setup is the
>> following: I have 2 directory servers, single master environment
>> (supplier and consumer); I understand that all changes to the directory
>> have to be made by the supplier and are then replicated to the
>> consumer; when a client server binds to the consumer and a user
>> attempts to change their password, they receive an unknown error
>> response from the server, and changes are not made; simply configuring
>> the client's ldap.conf file to bind first with the supplier resolved
>> this issue, however I was wondering if it's possible to configure the
>> consumer in such a way that it will refer the update to take place on
>> the supplier instead of rejecting the change to the database?
>
> Yes, that's what should be happening. When you send the modify password
> request to the consumer, it should send back a referral to the supplier.
> You can see this in the access log - a MOD request followed by a
> response with err=10 (referral). If however the client is using the
> password modify extended operation, I don't think that is referred to
> the supplier. In this case, you will see EXT as the operation type in
> the access log for the request.
>
>> I would have thought that the
>> consumer would simply refer changes automatically to the supplier, but
>> that doesn't seem to be the case. Any thoughts?
>
> Check the access logs, as above.
>
>> I do know that I can
>> configure both servers to be masters, but I was hoping to avoid this
>> (I've read thru some of the directory server documentation citing
>> errors and so forth in a multi-master environment) Thanks.
>
> http://directory.fedora.redhat.com/wiki/Howto:ChainOnUpdate
>
> However, I don't think we chain the password change extended operation.
> > > >>Aaron >> >>www.preferredcare.org >>"An Outstanding Member Experience," Preferred Care HMO Plans -- J. D. >>Power and Associates >> >>Confidentiality Notice: >>The information contained in this electronic message is intended for >> >> >the exclusive use of the individual or entity named above and may >contain privileged or confidential information. If the reader of this >message is not the intended recipient or the employee or agent >responsible to deliver it to the intended recipient, you are hereby >notified that dissemination, distribution or copying of this information >is prohibited. If you have received this communication in error, please >notify the sender immediately by telephone and destroy the copies you >received. > > >>-- >>Fedora-directory-users mailing list >>Fedora-directory-users at redhat.com >>https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> >> >> > > >www.preferredcare.org >"An Outstanding Member Experience," Preferred Care HMO Plans -- J. D. Power and Associates > >Confidentiality Notice: >The information contained in this electronic message is intended for the exclusive use of the individual or entity named above and may contain privileged or confidential information. If the reader of this message is not the intended recipient or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that dissemination, distribution or copying of this information is prohibited. If you have received this communication in error, please notify the sender immediately by telephone and destroy the copies you received. > > >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -------------- next part -------------- A non-text attachment was scrubbed... 
From ABliss at preferredcare.org Tue Jan 24 17:43:45 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Tue, 24 Jan 2006 12:43:45 -0500
Subject: [Fedora-directory-users] Question on password changes

I am not using the password extended operation to change passwords, i.e. in /etc/ldap.conf pam_password exop is commented out; as such, what's the best way to begin to debug this? Also, what is the advantage of using the extended operation to change passwords? Thanks again.

Aaron

From rmeggins at redhat.com Tue Jan 24 18:21:17 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 24 Jan 2006 11:21:17 -0700
Subject: [Fedora-directory-users] Question on password changes
Message-ID: <43D6701D.50608@redhat.com>

Bliss, Aaron wrote:

> I am not using the password extended operation to change passwords, i.e.
> in /etc/ldap.conf pam_password exop is commented out; as such, what's
> the best way to begin to debug this?

I'm not sure. If I understand you correctly, it seems that the consumer is correctly sending the referral back to the client in response to the MOD request to change the password. Can you examine the supplier access log to see if the client is following the referral? You should see a MOD request in the supplier access log shortly after the MOD to the consumer that resulted in the err=10. If not, this means the client is not following the referral, which is either a bug or a mis-configuration of the client.

> Also, what is the advantage of
> using the extended operation to change passwords? Thanks again.
The extended operation is meant to be used when you are not using a simple userPassword (e.g. some SASL mechs, Kerberos).

> Aaron
From logastellus at yahoo.com Tue Jan 24 18:19:29 2006
From: logastellus at yahoo.com (Susan)
Date: Tue, 24 Jan 2006 10:19:29 -0800 (PST)
Subject: [Fedora-directory-users] ldap scheme/site survey troubles
Message-ID: <20060124181929.36329.qmail@web52907.mail.yahoo.com>

Look here: http://www.redhat.com/docs/manuals/dir-server/deploy/7.1/deployTOC.html

It's a nice, slow intro into a preliminary survey. I also faced some of your dilemmas and reading that helped a lot. I'd suggest keeping things real simple, a multi master setup, tree organized by high level business units. Leave out fancy stuff and don't go too deep, you should be OK for ~70 users.

--- Bikerepairman wrote:

> Hi,
>
> I'm new at ldap/directory services, and I'd like to get some advice setting
> up a directory server.
> While reading the docs, some things are clear while other things are not that
> clear. I'm at the stage of survey/scheme drawing now.
>
> The directory server will be used for authenticating and assigning
> rights/quota for about 70 users.
> This is for a hobby network and we're migrating the servers from windows to
> linux. I myself have used linux for 1½ years now.
>
> What I got so far is the following:
> 2 domains (one primary, one for experimenting)
> 3 servers (file-, gateway/proxy- and web; can be expanded to 9)
> 4 user groups (users, companies, power-users and administrators)
> 8 services (pop mail, imap mail, sendmail/postfix, website/homepages, ftp,
> samba and nfs, dns)
>
> The organisation (non-profit) is called dins. And we live in the
> netherlands. Our top-level name should be o=dins, c=nl. After this I begin
> to run in circles. I think I fail to see something.
>
> Who is willing to help me getting the scheme right and/or discuss it over
> the mail?

From ABliss at preferredcare.org Tue Jan 24 19:03:39 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Tue, 24 Jan 2006 14:03:39 -0500
Subject: [Fedora-directory-users] Question on password changes

I see the MOD request in the consumer, but do not see the MOD request in the client; here are the relevant entries from /etc/ldap.conf and /etc/openldap/ldap.conf:

/etc/ldap.conf
host serverA serverB
base dc=myorg,dc=org
pam_lookup_policy yes
pam_check_host_attr yes
pam_password clear
ssl start_tls

/etc/openldap/ldap.conf
BASE dc=myorg,dc=org
HOST serverA serverB
TLS_CACERT /etc/openldap/cacerts/cacert.pem
TLS_REQCERT allow

Any ideas? I've confirmed this behaviour on redhat 3 and redhat 4 boxes; further, this is the error that I get from redhat 4 boxes:

LDAP password information update failed: Can't contact LDAP server
passwd: Permission denied

Thanks again for your help.

Aaron
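Richard's check from earlier in the thread (a MOD the consumer answers with err=10 should be followed shortly by a MOD of the same entry in the supplier's access log), written out as a script that correlates the two logs; this is an added example, not code from the thread or from Fedora Directory Server. The line shape ([timestamp] conn= op= MOD/EXT/RESULT err=) follows the Fedora DS access log, but every DN, connection number, timestamp and the err=53 result on the extended operation below are constructed.

```python
import re
from datetime import datetime, timedelta

# One access-log line: "[ts] conn=N op=M <request or RESULT ...>"
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"  # RFC 3062 password modify extop
LDAP_REFERRAL = 10                             # the err=10 the thread talks about


def parse_access_log(lines):
    """Pair every request line with its RESULT line (same conn and op) and
    return the completed operations in result order as dicts with
    ts, conn, op, kind ('MOD', 'EXT', 'BIND', ...), err and, where logged,
    dn or oid. Lines that are not part of a request/RESULT pair (connection
    open, close, ...) are ignored."""
    pending, ops = {}, []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        key = (int(m['conn']), int(m['op']))
        rest = m['rest']
        if rest.startswith('RESULT'):
            rec = pending.pop(key, None)
            err = re.search(r'\berr=(\d+)', rest)
            if rec is not None and err:
                rec['err'] = int(err.group(1))
                ops.append(rec)
            continue
        rec = {'ts': datetime.strptime(m['ts'], TS_FMT),
               'conn': key[0], 'op': key[1], 'kind': rest.split(' ', 1)[0]}
        dn = re.search(r'dn="([^"]*)"', rest)
        oid = re.search(r'oid="([^"]*)"', rest)
        if dn:
            rec['dn'] = dn.group(1)
        if oid:
            rec['oid'] = oid.group(1)
        pending[key] = rec
    return ops


def check_referrals(consumer_lines, supplier_lines, window=timedelta(seconds=60)):
    """Return one (conn, op, target, status) tuple per consumer operation of interest:
    'followed'           the MOD got err=10 and a MOD of the same DN reached the
                         supplier within `window` (the client followed the referral)
    'not-followed'       the MOD got err=10 but nothing matching reached the
                         supplier, which is the symptom Aaron describes
    'extop-on-consumer'  a password modify EXT was sent to the consumer; per the
                         thread that is not referred, so it has to go to the supplier"""
    supplier_mods = [o for o in parse_access_log(supplier_lines) if o['kind'] == 'MOD']
    findings = []
    for c in parse_access_log(consumer_lines):
        if c['kind'] == 'EXT' and c.get('oid') == PASSWD_MODIFY_OID:
            findings.append((c['conn'], c['op'], c['oid'], 'extop-on-consumer'))
        elif c['kind'] == 'MOD' and c['err'] == LDAP_REFERRAL:
            followed = any(s.get('dn') == c.get('dn')
                           and timedelta(0) <= s['ts'] - c['ts'] <= window
                           for s in supplier_mods)
            findings.append((c['conn'], c['op'], c.get('dn'),
                             'followed' if followed else 'not-followed'))
    return findings


# Constructed sample logs: DNs, conn/op numbers, timestamps and the err=53 on the
# extended operation are made up; only the line shape follows the real access log.
CONSUMER_LOG = """\
[24/Jan/2006:14:03:39 -0500] conn=12 op=1 MOD dn="uid=aaron,ou=People,dc=myorg,dc=org"
[24/Jan/2006:14:03:39 -0500] conn=12 op=1 RESULT err=10 tag=103 nentries=0 etime=0
[24/Jan/2006:14:05:02 -0500] conn=14 op=1 MOD dn="uid=bob,ou=People,dc=myorg,dc=org"
[24/Jan/2006:14:05:02 -0500] conn=14 op=1 RESULT err=10 tag=103 nentries=0 etime=0
[24/Jan/2006:14:06:10 -0500] conn=15 op=1 EXT oid="1.3.6.1.4.1.4203.1.11.1"
[24/Jan/2006:14:06:10 -0500] conn=15 op=1 RESULT err=53 tag=120 nentries=0 etime=0
""".splitlines()

SUPPLIER_LOG = """\
[24/Jan/2006:14:03:40 -0500] conn=7 op=2 MOD dn="uid=aaron,ou=People,dc=myorg,dc=org"
[24/Jan/2006:14:03:40 -0500] conn=7 op=2 RESULT err=0 tag=103 nentries=0 etime=0
""".splitlines()

if __name__ == "__main__":
    for conn, op, target, status in check_referrals(CONSUMER_LOG, SUPPLIER_LOG):
        print(f"consumer conn={conn} op={op} {target}: {status}")
```

Against real servers, feed the consumer's and supplier's access files in as the two line lists; a 'not-followed' entry for the user's DN is the case Richard describes where the client side, not the consumer, needs debugging.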
From rmeggins at redhat.com Tue Jan 24 19:10:16 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 24 Jan 2006 12:10:16 -0700
Subject: [Fedora-directory-users] Question on password changes
Message-ID: <43D67B98.2090602@redhat.com>

Bliss, Aaron wrote:

> I see the MOD request in the consumer, but do not see the MOD request in
> the client;

Where would you see the MOD request in the client? It just seems as though PAM is not following the referral and I'm not sure why. Perhaps there is some other PAM configuration required?

> Any ideas? I've confirmed this behaviour on redhat 3 and redhat 4
> boxes; further, this is the error that I get from redhat 4 boxes:
>
> LDAP password information update failed: Can't contact LDAP server
>
> passwd: Permission denied
>
> Thanks again for your help.
>
> Aaron
Power and Associates > >Confidentiality Notice: >The information contained in this electronic message is intended for the exclusive use of the individual or entity named above and may contain privileged or confidential information. If the reader of this message is not the intended recipient or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that dissemination, distribution or copying of this information is prohibited. If you have received this communication in error, please notify the sender immediately by telephone and destroy the copies you received. > > >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From ABliss at preferredcare.org Tue Jan 24 19:10:54 2006 From: ABliss at preferredcare.org (Bliss, Aaron) Date: Tue, 24 Jan 2006 14:10:54 -0500 Subject: [Fedora-directory-users] Question on password changes Message-ID: Sorry, I meant to say that I don't see the MOD entry on the supplier's log file; I agree with you, it doesn't seem that the client is listening to the referral. Aaron -----Original Message----- From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard Megginson Sent: Tuesday, January 24, 2006 2:10 PM To: General discussion list for the Fedora Directory server project. Subject: Re: [Fedora-directory-users] Question on password changes Bliss, Aaron wrote: >I see the MOD request in the consumer, but do not see the MOD request >in the client; > Where would you see the MOD request in the client? It just seems as though PAM is not following the referral and I'm not sure why. Perhaps there is some other PAM configuration required? 
>here are the relevant entries from
>
>/etc/ldap.conf and
>host serverA serverB
>base dc=myorg,dc=org
>pam_lookup_policy yes
>pam_check_host_attr yes
>pam_password clear
>ssl start_tls
>
>/etc/openldap/ldap.conf
>BASE dc=myorg,dc=org
>HOST serverA serverB
>TLS_CACERT /etc/openldap/cacerts/cacert.pem
>TLS_REQCERT allow
>
>Any ideas? I've confirmed this behaviour on redhat 3 and redhat 4 boxes, further this is the error that I get from redhat 4 boxes
>
>LDAP password information update failed: Can't contact LDAP server
>
>passwd: Permission denied
>
>Thanks again for your help.
>
>Aaron
>
>-----Original Message-----
>From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard Megginson
>Sent: Tuesday, January 24, 2006 1:21 PM
>To: General discussion list for the Fedora Directory server project.
>Subject: Re: [Fedora-directory-users] Question on password changes
>
>Bliss, Aaron wrote:
>>I am not using the password extended operation to change passwords i.e. in /etc/ldap.conf pam_password exop is commented out; as such, what's the best way to begin to debug this?

>I'm not sure. If I understand you correctly, it seems that the consumer is correctly sending the referral back to the client in response to the MOD request to change the password. Can you examine the supplier access log to see if the client is following the referral? You should see a MOD request in the supplier access log shortly after the MOD to the consumer that resulted in the err=10. If not, this means the client is not following the referral, which is either a bug or a mis-configuration of the client.

>>Also, what is the advantage of using the extended operation to change passwords? Thanks again.

>The extended operation is meant to be used when you are not using a simple userPassword (e.g. some SASL mechs, Kerberos).
From ABliss at preferredcare.org Tue Jan 24 19:21:37 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Tue, 24 Jan 2006 14:21:37 -0500
Subject: [Fedora-directory-users] Question on password changes
Message-ID:

I'm all set, in the fds on the consumer, I had to manually add the supplier as a referral as part of the replication link (even though the documentation says it will do this based upon replication link). Thanks again very much for such a great product.

Aaron

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Bliss, Aaron
Sent: Tuesday, January 24, 2006 2:11 PM
To: General discussion list for the Fedora Directory server project.
Subject: RE: [Fedora-directory-users] Question on password changes

Sorry, I meant to say that I don't see the MOD entry on the supplier's log file; I agree with you, it doesn't seem that the client is listening to the referral.

Aaron
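The check Richard describes in this thread (a MOD on the consumer answered with err=10, then the same MOD arriving on the supplier shortly after, versus an EXT with the password-modify OID that the consumer does not refer) can be run against the two access logs rather than read by eye. The script below is an added example; it is not code from the thread or from Fedora Directory Server. It assumes the Fedora/389 DS access-log shape `[timestamp] conn=N op=M <request or RESULT err=...>`, that an EXT request line carries `oid="..."`, and a 60-second window for the follow-up MOD; the sample log lines, the user DN and the `err=53` answer to the exop are constructed for the example.

```python
import re
from datetime import datetime
from typing import Dict, List, Tuple

# OID of the LDAP Password Modify extended operation (RFC 3062). A client
# configured with "pam_password exop" sends this instead of a MOD on
# userPassword; the thread notes the consumer does not refer it.
PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"
LDAP_REFERRAL = 10          # LDAP resultCode "referral"

# Fedora DS / 389 DS access-log records: "[ts] conn=N op=M <request|RESULT ...>".
# The EXT oid="..." field shape is an assumption of this example.
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<rest>.*)$')
MOD_RE = re.compile(r'^MOD dn="(?P<dn>[^"]*)"')
EXT_RE = re.compile(r'^EXT oid="(?P<oid>[^"]+)"')
RESULT_RE = re.compile(r'^RESULT err=(?P<err>\d+)')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_access_log(lines: List[str]) -> List[dict]:
    """Join each request line with its RESULT line (same conn and op)."""
    ops: Dict[Tuple[str, str], dict] = {}
    order: List[Tuple[str, str]] = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # connection open/close lines etc.
        key = (m["conn"], m["op"])
        if key not in ops:
            ops[key] = {"conn": key[0], "op": key[1], "kind": None, "dn": None,
                        "oid": None, "err": None,
                        "ts": datetime.strptime(m["ts"], TS_FORMAT)}
            order.append(key)
        rec, rest = ops[key], m["rest"]
        if (mm := MOD_RE.match(rest)):
            rec["kind"], rec["dn"] = "MOD", mm["dn"]
        elif (mm := EXT_RE.match(rest)):
            rec["kind"], rec["oid"] = "EXT", mm["oid"]
        elif (mm := RESULT_RE.match(rest)):
            rec["err"] = int(mm["err"])   # BIND etc. keep kind=None
    return [ops[k] for k in order]


def diagnose(consumer_lines: List[str], supplier_lines: List[str],
             window_seconds: int = 60) -> List[Tuple[str, object]]:
    """Classify each password change seen on the consumer.

    referral_followed  consumer answered the MOD with err=10 and the supplier
                       logged a successful MOD on the same DN inside the window
    referral_ignored   err=10 was sent but no matching MOD reached the supplier
                       (client bug or mis-configuration, as the thread says)
    exop_not_referred  password-modify EXT was answered with something other
                       than a referral, so there was nothing for the client to follow
    """
    supplier = parse_access_log(supplier_lines)
    findings: List[Tuple[str, object]] = []
    for rec in parse_access_log(consumer_lines):
        if rec["kind"] == "MOD" and rec["err"] == LDAP_REFERRAL:
            followed = any(
                s["kind"] == "MOD" and s["dn"] == rec["dn"] and s["err"] == 0
                and 0 <= (s["ts"] - rec["ts"]).total_seconds() <= window_seconds
                for s in supplier)
            findings.append(("referral_followed" if followed else "referral_ignored", rec["dn"]))
        elif rec["kind"] == "EXT" and rec["oid"] == PASSWD_MODIFY_OID and rec["err"] != LDAP_REFERRAL:
            findings.append(("exop_not_referred", rec["err"]))
    return findings


# Constructed sample logs for the example (not taken from the thread).
USER_DN = "uid=aaron,ou=People,dc=myorg,dc=org"
CONSUMER_LOG = [
    f'[24/Jan/2006:13:21:05 -0500] conn=12 op=0 BIND dn="{USER_DN}" method=128 version=3',
    '[24/Jan/2006:13:21:05 -0500] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0',
    f'[24/Jan/2006:13:21:06 -0500] conn=12 op=1 MOD dn="{USER_DN}"',
    '[24/Jan/2006:13:21:06 -0500] conn=12 op=1 RESULT err=10 tag=103 nentries=0 etime=0',
    # same user via "pam_password exop": the EXT is answered with err=53
    # (unwilling to perform, an assumed value) instead of a referral
    f'[24/Jan/2006:13:25:40 -0500] conn=13 op=1 EXT oid="{PASSWD_MODIFY_OID}"',
    '[24/Jan/2006:13:25:40 -0500] conn=13 op=1 RESULT err=53 tag=120 nentries=0 etime=0',
]
SUPPLIER_LOG_FOLLOWED = [
    f'[24/Jan/2006:13:21:06 -0500] conn=40 op=0 BIND dn="{USER_DN}" method=128 version=3',
    '[24/Jan/2006:13:21:06 -0500] conn=40 op=0 RESULT err=0 tag=97 nentries=0 etime=0',
    f'[24/Jan/2006:13:21:07 -0500] conn=40 op=1 MOD dn="{USER_DN}"',
    '[24/Jan/2006:13:21:07 -0500] conn=40 op=1 RESULT err=0 tag=103 nentries=0 etime=0',
]
SUPPLIER_LOG_QUIET: List[str] = []   # nothing arrived: the client dropped the referral

if __name__ == "__main__":
    for name, log in (("followed", SUPPLIER_LOG_FOLLOWED), ("quiet", SUPPLIER_LOG_QUIET)):
        print(name, diagnose(CONSUMER_LOG, log))
```

Run it against real files with `diagnose(open(consumer_path).readlines(), open(supplier_path).readlines())`; the `referral_ignored` result is the situation Aaron reports (err=10 on the consumer, no MOD on the supplier), and `exop_not_referred` is what an `ldap.conf` with `pam_password exop` would produce against a consumer that does not refer the extended operation.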
From rmeggins at redhat.com Tue Jan 24 20:04:30 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 24 Jan 2006 13:04:30 -0700
Subject: [Fedora-directory-users] Question on password changes
In-Reply-To:
References:
Message-ID: <43D6884E.3090802@redhat.com>

Bliss, Aaron wrote:
>I'm all set, in the fds on the consumer, I had to manually add the supplier as a referral as part of the replication link (even though the documentation says it will do this based upon replication link). Thanks again very much for such a great product.

This sounds like a bug. The supplier automatically sets the referral in the consumer. You can confirm this by attempting to do an ldapmodify against the consumer - you should get a referral back. If not, then this is definitely a bug.

>Aaron
>
>-----Original Message-----
>From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Bliss, Aaron
>Sent: Tuesday, January 24, 2006 2:11 PM
>To: General discussion list for the Fedora Directory server project.
>Subject: RE: [Fedora-directory-users] Question on password changes
>
>Sorry, I meant to say that I don't see the MOD entry on the supplier's log file; I agree with you, it doesn't seem that the client is listening to the referral.
>
>Aaron
>
>-----Original Message-----
>From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard Megginson
>Sent: Tuesday, January 24, 2006 2:10 PM
>To: General discussion list for the Fedora Directory server project.
>Subject: Re: [Fedora-directory-users] Question on password changes
>
>Bliss, Aaron wrote:
>>I see the MOD request in the consumer, but do not see the MOD request in the client;
>
>Where would you see the MOD request in the client?
It just seems as >though PAM is not following the referral and I'm not sure why. Perhaps >there is some other PAM configuration required? > > > >>here are the relevant entries from >> >>/etc/ldap.conf and >>host serverA serverB >>base dc=myorg,dc=org >>pam_lookup_policy yes >>pam_check_host_attr yes >>pam_password clear >>ssl start_tls >> >>/etc/openldap/ldap.conf >>BASE dc=myorg,dc=org >>HOST serverA serverB >>TLS_CACERT /etc/openldap/cacerts/cacert.pem TLS_REQCERT allow >> >>Any ideas? I've confirmed this behaviour on redhat 3 and redhat 4 >>boxes, further this is the error that I get from redhat 4 boxes >> >>LDAP password information update failed: Can't contact LDAP server >> >>passwd: Permission denied >> >>Thanks again for your help. >> >>Aaron >> >>-----Original Message----- >>From: fedora-directory-users-bounces at redhat.com >>[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard >> >> > > > >>Megginson >>Sent: Tuesday, January 24, 2006 1:21 PM >>To: General discussion list for the Fedora Directory server project. >>Subject: Re: [Fedora-directory-users] Question on password changes >> >>Bliss, Aaron wrote: >> >> >> >> >> >>>I am not using the password extended operation to change passwords >>> >>> >i.e. > > >>>in /etc/ldap.conf pam_password exop is commented out; as such, what's >>>the best way to being to debug this? >>> >>> >>> >>> >>> >>I'm not sure. If I understand you correctly, it seems that the >>consumer is correctly sending the referral back to the client in >>response to the MOD request to change the password. Can you examine >>the supplier access log to see if the client is following the referral? >> >> > > > >>You should see a MOD request in the supplier access log shortly after >>the MOD to the consumer that resulted in the err=10. If not, this >>means the client is not following the referral, which is either a bug >>or a mis-configuration of the client. 
>> >> >> >> >> >>>Also, what is the advantage of >>>using the extended operation to change passwords? Thanks again. >>> >>> >>> >>> >>> >>> >>The extended operation is meant to be used when you are not using a >>simple userPassword (e.g. some SASL mechs, Kerberos). >> >> >> >> >> >>>Aaron >>> >>>-----Original Message----- >>>From: fedora-directory-users-bounces at redhat.com >>>[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of >>>Richard >>> >>> >>> >>> >> >> >> >> >>>Megginson >>>Sent: Tuesday, January 24, 2006 11:13 AM >>>To: General discussion list for the Fedora Directory server project. >>>Subject: Re: [Fedora-directory-users] Question on password changes >>> >>>Bliss, Aaron wrote: >>> >>> >>> >>> >>> >>> >>> >>>>Thanks for getting back to me so quickly; I've seen the error >>>>messages >>>> >>>> >>>> >>>> >> >> >> >> >>>>that you referenced below; I can then assume then my only alternative >>>> >>>> > > > >>>>is to setup a multimaster environment? Thanks. >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>Which error messages have you seen? Are you saying that the client is >>> >>> > > > >>>using the password modify extended operation? If so, then yes, you >>>will have to use multi master. If not, then single master should be >>>fine, and you'll need to debug the client to figure out why it's not >>>following the referral to the supplier. >>> >>>BTW, I believe we have a bug - the consumer should send back a >>>referral >>> >>> >>> >>> >> >> >> >> >>>to the supplier when it gets the password modify extended operation. >>>We need to add support for sending back referrals when certain >>>extended >>> >>> >>> >>> >> >> >> >> >>>operations that modify data are received. 
>>>
>>>> Aaron
>>>>
>>>> -----Original Message-----
>>>> From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard Megginson
>>>> Sent: Tuesday, January 24, 2006 10:35 AM
>>>> To: General discussion list for the Fedora Directory server project.
>>>> Subject: Re: [Fedora-directory-users] Question on password changes
>>>>
>>>> Bliss, Aaron wrote:
>>>>
>>>>> I have a quick question on password changes; my current setup is the following: I have 2 directory servers, single master environment (supplier and consumer); I understand that all changes to the directory have to be made by the supplier and are then replicated to the consumer; when a client server binds to the consumer and a user attempts to change their password, they receive an unknown error response from the server, and changes are not made; simply configuring the client's ldap.conf file to bind first with the supplier resolved this issue, however I was wondering if it's possible to configure the consumer in such a way that he will refer the update to take place on the supplier instead of rejecting the change to the database?
>>>>
>>>> Yes, that's what should be happening. When you send the modify password request to the consumer, it should send back a referral to the supplier. You can see this in the access log - a MOD request followed by a response with err=10 (referral).
>>>> If however the client is using the password modify extended operation, I don't think that is referred to the supplier. In this case, you will see EXT as the operation type in the access log for the request.
>>>>
>>>>> I would have thought that the consumer would simply refer changes automatically to the supplier, but that doesn't seem to be the case. Any thoughts?
>>>>
>>>> Check the access logs, as above.
>>>>
>>>>> I do know that I can configure both servers to be masters, but I was hoping to avoid this (I've read thru some of the directory server documentation citing errors and so forth in a multi-master environment) Thanks.
>>>>
>>>> http://directory.fedora.redhat.com/wiki/Howto:ChainOnUpdate
>>>>
>>>> However, I don't think we chain the password change extended operation.
>>>>
>>>>> Aaron
>>>>>
>>>>> www.preferredcare.org
>>>>> "An Outstanding Member Experience," Preferred Care HMO Plans -- J. D. Power and Associates
>>>>>
>>>>> Confidentiality Notice:
>>>>> The information contained in this electronic message is intended for the exclusive use of the individual or entity named above and may contain privileged or confidential information. If the reader of this message is not the intended recipient or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that dissemination, distribution or copying of this information is prohibited.
>>>>> If you have received this communication in error, please notify the sender immediately by telephone and destroy the copies you received.
>>>>>
>>>>> --
>>>>> Fedora-directory-users mailing list
>>>>> Fedora-directory-users at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
From kovach at gmail.com Tue Jan 24 20:54:38 2006
From: kovach at gmail.com (Kevin Kovach)
Date: Tue, 24 Jan 2006 15:54:38 -0500
Subject: [Fedora-directory-users] FDS and Apache
Message-ID:

The HowTo for integration with Apache (http://directory.fedora.redhat.com/wiki/Howto:Apache) is currently blank. Can somebody advise on another source for information on getting some type of mod_authnz_ldap working between FDS and Apache? Thanks.

- Kevin

--
Take back the web, http://www.switch2firefox.com/

From rmeggins at redhat.com Tue Jan 24 20:59:06 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 24 Jan 2006 13:59:06 -0700
Subject: [Fedora-directory-users] FDS and Apache
In-Reply-To:
References:
Message-ID: <43D6951A.3040401@redhat.com>

Kevin Kovach wrote:
> The HowTo for integration with Apache (http://directory.fedora.redhat.com/wiki/Howto:Apache) is currently blank. Can somebody advise on another source for information on getting some type of mod_authnz_ldap working between FDS and Apache? Thanks.
Any information regarding how to point mod_authnz_ldap at any LDAP server (e.g. openldap) would in general apply to FDS as well.

> - Kevin
>
> --
> Take back the web, http://www.switch2firefox.com/

From craigwhite at azapple.com Wed Jan 25 03:56:06 2006
From: craigwhite at azapple.com (Craig White)
Date: Tue, 24 Jan 2006 20:56:06 -0700
Subject: [Fedora-directory-users] FDS and Apache
In-Reply-To: <43D6951A.3040401@redhat.com>
References: <43D6951A.3040401@redhat.com>
Message-ID: <1138161366.31697.80.camel@lin-workstation.azapple.com>

On Tue, 2006-01-24 at 13:59 -0700, Richard Megginson wrote:
> Kevin Kovach wrote:
>
> > The HowTo for integration with Apache (http://directory.fedora.redhat.com/wiki/Howto:Apache) is currently blank. Can somebody advise on another source for information on getting some type of mod_authnz_ldap working between FDS and Apache? Thanks.
>
> Any information regarding how to point mod_authnz_ldap at any LDAP server (e.g. openldap) would in general apply to FDS as well.
>
----
fwiw... (RHEL 4 clone)

# rpm -q httpd mod_authz_ldap
httpd-2.0.52-22.ent.centos4
mod_authz_ldap-0.26-2

I have a directory /var/www/html/files

I have /etc/httpd/conf.d/authz_ldap.conf

AuthzLDAPMethod ldap
AuthzLDAPProtocolVersion 3
AuthzLDAPServer localhost
AuthzLDAPUserBase ou=People,ou=Accounts,dc=example,dc=com
AuthzLDAPUserKey uid
AuthzLDAPUserScope onelevel
AuthType basic
AuthName "phpldapadmin"
require valid-user

This requires a valid user (dn) login/userPassword

I've not had success with groups but I haven't played with it much.
Craig

From robert.ludvik at zd-lj.si Wed Jan 25 06:41:26 2006
From: robert.ludvik at zd-lj.si (Robert Ludvik)
Date: Wed, 25 Jan 2006 07:41:26 +0100
Subject: [Fedora-directory-users] FDS and Apache
In-Reply-To:
References:
Message-ID: <43D71D96.3050201@zd-lj.si>

Kevin Kovach wrote:
> The HowTo for integration with Apache (http://directory.fedora.redhat.com/wiki/Howto:Apache) is currently blank. Can somebody advise on another source for information on getting some type of mod_authnz_ldap working between FDS and Apache? Thanks.
>
> - Kevin

I made it this way (see attachment). Hope it helps.
Bye
Robert Ludvik

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: HowToApache.txt
URL:

From rmeggins at redhat.com Wed Jan 25 15:26:34 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 25 Jan 2006 08:26:34 -0700
Subject: [Fedora-directory-users] FDS and Apache
In-Reply-To: <43D71D96.3050201@zd-lj.si>
References: <43D71D96.3050201@zd-lj.si>
Message-ID: <43D798AA.1050002@redhat.com>

Robert Ludvik wrote:
> Kevin Kovach wrote:
>
>> The HowTo for integration with Apache (http://directory.fedora.redhat.com/wiki/Howto:Apache) is currently blank. Can somebody advise on another source for information on getting some type of mod_authnz_ldap working between FDS and Apache? Thanks.
>>
>> - Kevin
>
> I made it this way (see attachment). Hope it helps.
> Bye
> Robert Ludvik
>
> ------------------------------------------------------------------------
>
> Information source:
> http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap_apache2.html#conf
>
> Download modauthldap_apache2.tar.gz and unpack it in /usr/local/src
> In /usr/local/src/modauthldap_apache2 run:
>
> ./configure --with-ldap-dir=/opt/fedora-ds/shared --with-apxs=/usr/sbin/apxs
> make
> make install
>
> Check httpd.conf:
> LoadModule ldap_module modules/mod_ldap.so
> LoadModule auth_ldap_module /usr/lib/httpd/modules/mod_auth_ldap.so
>
> I had to copy manually these files:
> cp /opt/fedora-ds/shared/lib/libprldap50.so /lib/
> cp /opt/fedora-ds/shared/lib/libldap50.so /lib/
> cp /opt/fedora-ds/shared/lib/libssldap50.so /lib/

What version of Apache is this? Note that some versions of Apache are linked directly against /usr/lib/libldap*.so which is the OpenLDAP API library. You may run into strange problems if you have both the Mozilla (Fedora DS) and OpenLDAP libs linked into Apache - the APIs, while similar, are not compatible and you will run into strange errors. It is for this reason that I recommend just using the default OpenLDAP libraries with mod_ldap and mod_auth_ldap. (Fedora DS Admin Server does use the Mozilla LDAP libs despite the fact that Apache is linked with the OpenLDAP ones - we have to jump through hoops like using LD_PRELOAD - but we do not use any other LDAP modules at all, and we have to use the Mozilla ones because we must use NSS for crypto).

> In httpd.conf add folder for which you want to have LDAP authentication:
>
> Options Indexes FollowSymLinks
> AllowOverride None
> order allow,deny
> allow from all
> # Q: I get a error message like reason: unknown require directive:
> # "xxxxxxx". What's the problem?
> # A: Use the directive AuthAuthoritative Off
> AuthAuthoritative Off
> AuthName "Only for nice people ;-)"
> AuthType Basic
> #AuthOnBind Off
> #Sub_DNou=CIS,ou=People
> #LDAP_Persistent On
> #Bind_Tries 5
> #LDAP_Debug On
> #LDAP_Protocol_Version 3
> #LDAP_Deref NEVER
> #LDAP_StartTLS On
> LDAP_Server dserver.domain.com
> #LDAP_Server 192.168.1.1
> LDAP_Port 389
> # Connect timeout in seconds
> #LDAP_Connect_Timeout 3
> # If SSL is on, must specify the LDAP SSL port, usually 636
> #LDAP_Port 636
> #LDAP_CertDbDir /usr/foo/ssl
> Base_DN "dc=domain,dc=com"
> # If your configuration allows anonymous access you don't have to set
> # Bind_DN
> #Bind_DN "uid=admin,o=Fox Chase Cancer Center,c=US"
> #Bind_Pass "secret"
> UID_Attr uid
> #UID_Attr_Alt "mail"
> #Group_Attr uniqueMember
> #SupportNestedGroupsOff
> # You also need one of require statements:
> # any valid user:
> #require valid-user
> # OR these users:
> #require user muquit foo bar "john doe"
> # OR users that match some condition:
> #require roomnumber "123 Center Building"
> # OR filter:
> #require filter "(&(telephonenumber=1234)(roomnumber=123))"
> # for a group of users (NOTE, without dc=domain,dc=com)
> require group cn=my_group,ou=Groups
>
> Restart Apache:
> apachectl restart
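Returning to the password-change thread above: the check Richard describes there (a MOD that the consumer answers with err=10 should be followed, shortly afterwards, by a MOD for the same entry in the supplier's access log, while a password-modify extended operation shows up as EXT and is not referred at all) can be run mechanically over the two logs. The script below is an added example, not code from the thread or from Fedora DS. Its log lines are constructed to mimic the access-log layout ("[timestamp] conn=N op=M OPERATION ..."), and the 30 second window in which a client is expected to follow the referral is an assumption.

```python
"""Check whether password-change MODs that a consumer answered with a
referral (err=10) were then re-sent by the client to the supplier.

Added example; not code from the thread or from Fedora DS. Log lines are
constructed to follow the access-log layout; the 30 s window is an assumption.
"""
import re
from datetime import datetime, timedelta

CONSUMER_LOG = """\
[24/Jan/2006:13:20:58 -0500] conn=12 op=0 BIND dn="uid=aaron,ou=People,dc=myorg,dc=org" method=128 version=3
[24/Jan/2006:13:20:58 -0500] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[24/Jan/2006:13:20:59 -0500] conn=12 op=1 MOD dn="uid=aaron,ou=People,dc=myorg,dc=org"
[24/Jan/2006:13:20:59 -0500] conn=12 op=1 RESULT err=10 tag=103 nentries=0 etime=0
[24/Jan/2006:13:25:10 -0500] conn=13 op=0 BIND dn="uid=bob,ou=People,dc=myorg,dc=org" method=128 version=3
[24/Jan/2006:13:25:10 -0500] conn=13 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[24/Jan/2006:13:25:11 -0500] conn=13 op=1 MOD dn="uid=bob,ou=People,dc=myorg,dc=org"
[24/Jan/2006:13:25:11 -0500] conn=13 op=1 RESULT err=10 tag=103 nentries=0 etime=0
[24/Jan/2006:13:30:00 -0500] conn=14 op=1 EXT oid="1.3.6.1.4.1.4203.1.11.1" name="passwd_modify_extop"
[24/Jan/2006:13:30:00 -0500] conn=14 op=1 RESULT err=1 tag=120 nentries=0 etime=0
"""

SUPPLIER_LOG = """\
[24/Jan/2006:13:21:00 -0500] conn=40 op=0 BIND dn="uid=aaron,ou=People,dc=myorg,dc=org" method=128 version=3
[24/Jan/2006:13:21:00 -0500] conn=40 op=1 MOD dn="uid=aaron,ou=People,dc=myorg,dc=org"
[24/Jan/2006:13:21:00 -0500] conn=40 op=1 RESULT err=0 tag=103 nentries=0 etime=0
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"   # RFC 3062 password modify extended operation


def collect_ops(log_text):
    """Map (conn, op) -> {ts, type, dn, oid, err}; RESULT lines fill in err."""
    ops = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # connection open/close and other lines are not needed here
        key = (int(m["conn"]), int(m["op"]))
        rest = m["rest"]
        if rest.startswith("RESULT"):
            err = re.search(r"err=(\d+)", rest)
            if key in ops and err:
                ops[key]["err"] = int(err.group(1))
            continue
        dn = re.search(r'dn="([^"]*)"', rest)
        oid = re.search(r'oid="([^"]*)"', rest)
        ops[key] = {
            "ts": datetime.strptime(m["ts"], TS_FMT),
            "type": rest.split(" ", 1)[0],
            "dn": dn.group(1).lower() if dn else None,   # DNs compare case-insensitively
            "oid": oid.group(1) if oid else None,
            "err": None,
        }
    return ops


def check_referrals(consumer_log, supplier_log, window=timedelta(seconds=30)):
    """One finding per referred MOD (was it followed to the supplier?) and per
    password-modify EXT seen on the consumer (which is not referred)."""
    consumer = collect_ops(consumer_log)
    supplier_mods = [o for o in collect_ops(supplier_log).values() if o["type"] == "MOD"]
    findings = []
    for (conn, op), o in sorted(consumer.items(), key=lambda kv: kv[0]):
        if o["type"] == "MOD" and o["err"] == 10:
            followed = any(s["dn"] == o["dn"] and o["ts"] <= s["ts"] <= o["ts"] + window
                           for s in supplier_mods)
            findings.append({"conn": conn, "op": op, "dn": o["dn"], "followed": followed})
        elif o["type"] == "EXT" and o["oid"] == PASSWD_MODIFY_OID:
            findings.append({"conn": conn, "op": op, "dn": None, "followed": False,
                             "note": "password modify extop sent to consumer; not referred"})
    return findings


if __name__ == "__main__":
    for finding in check_referrals(CONSUMER_LOG, SUPPLIER_LOG):
        print(finding)
```

With the constructed logs, aaron's referral is reported as followed (a MOD on the same DN appears on the supplier one second later), bob's is reported as not followed, which is the client-side symptom Aaron describes, and the EXT on conn=14 is listed separately because, as Richard notes, that operation is not referred to the supplier.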
From gokhan.afacan at gmail.com Wed Jan 25 15:44:31 2006
From: gokhan.afacan at gmail.com (Gökhan Afacan)
Date: Wed, 25 Jan 2006 17:44:31 +0200
Subject: [Fedora-directory-users] How to enable "cn=Directory Administrator" to login from only specified hosts
Message-ID: <2393d5a10601250744m7c2e0643mea5ee25a5658d4fc@mail.gmail.com>

Hello,
How can I enable "cn=Directory Administrator" to login from only specified hosts?
I mean that cn=Directory Administrator user can only logon from 10.1.3.110.
How can I do that?

From gokhan.afacan at gmail.com Wed Jan 25 15:46:03 2006
From: gokhan.afacan at gmail.com (Gökhan Afacan)
Date: Wed, 25 Jan 2006 17:46:03 +0200
Subject: [Fedora-directory-users] How to lock/unlock "cn=Directory Administrator" user account?
Message-ID: <2393d5a10601250746hfae7d11t8526098605735d8d@mail.gmail.com>

How can I lock and unlock the user cn=Directory Administrator user account?

On 1/25/06, Gökhan Afacan wrote:
> Hello,
> How can I enable "cn=Directory Administrator" to login from only specified hosts?
> I mean that cn=Directory Administrator user can only logon from 10.1.3.110.
> How can I do that?

From rmeggins at redhat.com Wed Jan 25 16:13:30 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 25 Jan 2006 09:13:30 -0700
Subject: [Fedora-directory-users] How to enable "cn=Directory Administrator" to login from only specified hosts
In-Reply-To: <2393d5a10601250744m7c2e0643mea5ee25a5658d4fc@mail.gmail.com>
References: <2393d5a10601250744m7c2e0643mea5ee25a5658d4fc@mail.gmail.com>
Message-ID: <43D7A3AA.2000208@redhat.com>

Gökhan Afacan wrote:
> Hello,
> How can I enable "cn=Directory Administrator" to login from only specified hosts?

I don't think that is possible.

> I mean that cn=Directory Administrator user can only logon from 10.1.3.110.
> How can I do that?
I don't think you can do that. If you are worried about Directory Manager access, you can create another account (like the console admin account) that has administrator privileges, then you can set up ACIs for that user, then you can disable the directory manager account.

From rmeggins at redhat.com Wed Jan 25 16:14:11 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 25 Jan 2006 09:14:11 -0700
Subject: [Fedora-directory-users] How to lock/unlock "cn=Directory Administrator" user account?
In-Reply-To: <2393d5a10601250746hfae7d11t8526098605735d8d@mail.gmail.com>
References: <2393d5a10601250746hfae7d11t8526098605735d8d@mail.gmail.com>
Message-ID: <43D7A3D3.2050004@redhat.com>

Gökhan Afacan wrote:
> How can I lock and unlock the user cn=Directory Administrator user account?

You cannot do that. You can disable the directory manager account, but you cannot lock and unlock it as if it were a "normal" user account.

> On 1/25/06, Gökhan Afacan wrote:
>> Hello,
>> How can I enable "cn=Directory Administrator" to login from only specified hosts?
>> I mean that cn=Directory Administrator user can only logon from 10.1.3.110.
>> How can I do that?
From cino11 at gmail.com Wed Jan 25 16:25:51 2006
From: cino11 at gmail.com (A G)
Date: Wed, 25 Jan 2006 18:25:51 +0200
Subject: [Fedora-directory-users] How to enable "cn=Directory Administrator" to login from only specified hosts
Message-ID: <408162380601250825y4e966611p@mail.gmail.com>

Hello,
How can I enable "cn=Directory Administrator" to login from only specified hosts?
I mean that cn=Directory Administrator user can only logon from 10.1.3.110.
How can I do that?

From cino11 at gmail.com Wed Jan 25 16:26:20 2006
From: cino11 at gmail.com (A G)
Date: Wed, 25 Jan 2006 18:26:20 +0200
Subject: [Fedora-directory-users] How to lock/unlock "cn=Directory Administrator" user account?
Message-ID: <408162380601250826r5dca4666q@mail.gmail.com>

How can I lock and unlock the user cn=Directory Administrator user account?

From cino11 at gmail.com Wed Jan 25 17:21:32 2006
From: cino11 at gmail.com (A G)
Date: Wed, 25 Jan 2006 19:21:32 +0200
Subject: [Fedora-directory-users] Re: Fedora-directory-users Digest, Vol 8, Issue 40
In-Reply-To: <20060125170005.149F473085@hormel.redhat.com>
References: <20060125170005.149F473085@hormel.redhat.com>
Message-ID: <408162380601250921m1bf8e2baua0d954c1b19bc684@mail.gmail.com>

OK. How can I disable the "cn=Directory Administrator" account?
Will I be able to enable it easily so that in normal operation it is disabled for security purposes?
On 1/25/06, fedora-directory-users-request at redhat.com <fedora-directory-users-request at redhat.com> wrote:
>
> Today's Topics:
>
> 1. How to enable "cn=Directory Administrator" to login from only specified hosts (Gökhan Afacan)
> 2. How to lock/unlock "cn=Directory Administrator" user account? (Gökhan Afacan)
> 3. Re: How to enable "cn=Directory Administrator" to login from only specified hosts (Richard Megginson)
> 4. Re: How to lock/unlock "cn=Directory Administrator" user account? (Richard Megginson)
> 5. How to enable "cn=Directory Administrator" to login from only specified hosts (A G)
> 6. How to lock/unlock "cn=Directory Administrator" user account? (A G)
>
> End of Fedora-directory-users Digest, Vol 8, Issue 40
> *****************************************************
From rmeggins at redhat.com Wed Jan 25 17:18:44 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 25 Jan 2006 10:18:44 -0700
Subject: [Fedora-directory-users] Re: Fedora-directory-users Digest, Vol 8, Issue 40
In-Reply-To: <408162380601250921m1bf8e2baua0d954c1b19bc684@mail.gmail.com>
References: <20060125170005.149F473085@hormel.redhat.com> <408162380601250921m1bf8e2baua0d954c1b19bc684@mail.gmail.com>
Message-ID: <43D7B2F4.6050504@redhat.com>

I think you just remove the nsslapd-rootpw attribute in cn=config - that will disallow BINDs as the directory manager. I suppose you could save the value somewhere so you can enable it as needed.

A G wrote:
> OK. How can I disable the "cn=Directory Administrator" account?
> Will I be able to enable it easily so that in normal operation it is disabled for security purposes?
>
> On 1/25/06, fedora-directory-users-request at redhat.com <fedora-directory-users-request at redhat.com> wrote:
>
>     End of Fedora-directory-users Digest, Vol 8, Issue 40
> URL: > https://www.redhat.com/archives/fedora-directory-users/attachments/20060125/1e6d0495/attachment.html > > > ------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > End of Fedora-directory-users Digest, Vol 8, Issue 40 > ***************************************************** > > >------------------------------------------------------------------------ > >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From prowley at redhat.com Wed Jan 25 18:01:16 2006 From: prowley at redhat.com (Pete Rowley) Date: Wed, 25 Jan 2006 10:01:16 -0800 Subject: [Fedora-directory-users] Re: Fedora-directory-users Digest, Vol 8, Issue 40 In-Reply-To: <43D7B2F4.6050504@redhat.com> References: <20060125170005.149F473085@hormel.redhat.com> <408162380601250921m1bf8e2baua0d954c1b19bc684@mail.gmail.com> <43D7B2F4.6050504@redhat.com> Message-ID: <43D7BCEC.6050502@redhat.com> Richard Megginson wrote: > I think you just remove the nsslapd-rootpw attribute in cn=config - > that will disallow BINDs as the directory manager. I suppose you > could save the value somewhere so you can enable it as needed. > In addition to what Rich has said here and previously: It sounds like you are planning to actually use the cn=Directory Manager account for normal administrative operations, this is not adviseable for the same reasons you would only su to root when you absolutely have to. 
Creating admin accounts with various levels of permission designed for the tasks they need to perform is a much better solution, and then you *can* perform actions like disabling the admin accounts and applying additional access control, resource limits, and all the other good things an admin can do to a user. Whereas cn=Directory Manager, like root, is a no holds barred, no access control applied kind of guy, and should be allowed out only on the rarest of occasions.

> A G wrote:
>
>> OK. how can I disable the "cn=Directory Administrator" account?
>> Will I be able to enable easily so that in the normal operation it is
>> disabled for the security purposes?

-- 
Pete

From kovach at gmail.com Wed Jan 25 18:17:36 2006
From: kovach at gmail.com (Kevin Kovach)
Date: Wed, 25 Jan 2006 13:17:36 -0500
Subject: [Fedora-directory-users] FDS and Apache
In-Reply-To: <43D798AA.1050002@redhat.com>
References: <43D71D96.3050201@zd-lj.si> <43D798AA.1050002@redhat.com>
Message-ID:

Yeah, this was the kind of info I was looking for.

I just downloaded the newest Apache 2.2 server and was going to give it a go at implementing the included mod_authnz_ldap with FDS.
I was planning on compiling everything from scratch, and wasn't sure if I could compile everything against the FDS/NS ldap libraries or if I needed to compile some or all of it against the OpenLDAP client libraries.

From Richard's comments it sounds like I should just concentrate on compiling everything against the OpenLDAP libs. However, you mention using NSS for encryption. I'm unsure if using the OpenLDAP libs will limit me in some way?

If we have control over the Apache compilation is there an advantage/disadvantage to compiling against the FDS/NS libs rather than OpenLDAP? I apologize if that's too vague a question. :-)

Thanks.

- Kevin

On 1/25/06, Richard Megginson wrote:
>
> Robert Ludvik wrote:
>
> >Kevin Kovach pravi:
> >
> >>The HowTo for integration with Apache
> >>(http://directory.fedora.redhat.com/wiki/Howto:Apache) is currently
> >>blank. Can somebody advise on another source for information on getting
> >>some type of mod_authnz_ldap working between FDS and Apache? Thanks.
> >>
> >>- Kevin
> >
> >I made it this way (see attachment). Hope it helps.
> >Bye
> >Robert Ludvik
> >
> >------------------------------------------------------------------------
> >
> >Information source:
> >http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap_apache2.html#conf
> >
> >Download modauthldap_apache2.tar.gz and unpack it in /usr/local/src
> >In /usr/local/src/modauthldap_apache2 run:
> >
> >./configure --with-ldap-dir=/opt/fedora-ds/shared --with-apxs=/usr/sbin/apxs
> >make
> >make install
> >
> >Check httpd.conf:
> >LoadModule ldap_module modules/mod_ldap.so
> >LoadModule auth_ldap_module /usr/lib/httpd/modules/mod_auth_ldap.so
> >
> >I had to copy manually these files:
> >cp /opt/fedora-ds/shared/lib/libprldap50.so /lib/
> >cp /opt/fedora-ds/shared/lib/libldap50.so /lib/
> >cp /opt/fedora-ds/shared/lib/libssldap50.so /lib/
> >
> What version of Apache is this? Note that some versions of Apache are
> linked directly against /usr/lib/libldap*.so which is the OpenLDAP API
> library. You may run into strange problems if you have both the Mozilla
> (Fedora DS) and OpenLDAP libs linked into Apache - the APIs, while
> similar, are not compatible and you will run into strange errors. It is
> for this reason that I recommend just using the default OpenLDAP
> libraries with mod_ldap and mod_auth_ldap. (Fedora DS Admin Server does
> use the Mozilla LDAP libs despite the fact that Apache is linked with
> the OpenLDAP ones - we have to jump through hoops like using LD_PRELOAD
> - but we do not use any other LDAP modules at all, and we have to use
> the Mozilla ones because we must use NSS for crypto).
>
> >In httpd.conf add folder for which you want to have LDAP authentication:
> >
> >Options Indexes FollowSymLinks
> >AllowOverride None
> >order allow,deny
> >allow from all
> ># Q: I get a error message like reason: unknown require directive:
> ># "xxxxxxx". What's the problem?
> ># A: Use the directive AuthAuthoritative Off
> >AuthAuthoritative Off
> >AuthName "Only for nice people ;-)"
> >AuthType Basic
> >#AuthOnBind Off
> >#Sub_DN ou=CIS,ou=People
> >#LDAP_Persistent On
> >#Bind_Tries 5
> >#LDAP_Debug On
> >#LDAP_Protocol_Version 3
> >#LDAP_Deref NEVER
> >#LDAP_StartTLS On
> >LDAP_Server dserver.domain.com
> >#LDAP_Server 192.168.1.1
> >LDAP_Port 389
> ># Connect timeout in seconds
> >#LDAP_Connect_Timeout 3
> ># If SSL is on, must specify the LDAP SSL port, usually 636
> >#LDAP_Port 636
> >#LDAP_CertDbDir /usr/foo/ssl
> >Base_DN "dc=domain,dc=com"
> ># If your configuration allows anonymous access you don't have to set
> ># Bind_DN
> >#Bind_DN "uid=admin,o=Fox Chase Cancer Center,c=US"
> >#Bind_Pass "secret"
> >UID_Attr uid
> >#UID_Attr_Alt "mail"
> >#Group_Attr uniqueMember
> >#SupportNestedGroups Off
> ># You also need one of require statements:
> ># any valid user:
> >#require valid-user
> ># OR these users:
> >#require user muquit foo bar "john doe"
> ># OR users that match some condition:
> >#require roomnumber "123 Center Building"
> ># OR filter:
> >#require filter "(&(telephonenumber=1234)(roomnumber=123))"
> ># for a group of users (NOTE, without dc=domain,dc=com)
> >require group cn=my_group,ou=Groups
> >
> >Restart Apache:
> >apachectl restart
>

-- 
Take back the web, http://www.switch2firefox.com/
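As an added example (not from any message in this thread), here is Robert's mod_auth_ldap setup above expressed with the mod_ldap and mod_authnz_ldap directives that ship with the Apache 2.2 Kevin mentions, built against the OpenLDAP client libraries Richard recommends. The host, base DN, uid attribute and group come from Robert's config; the CA file path, the protected directory and the read-only bind account are assumed placeholders.

```apache
# Added example, not posted in the thread: Robert's mod_auth_ldap directives
# redone for Apache 2.2 mod_ldap + mod_authnz_ldap (OpenLDAP client libs).
LoadModule ldap_module        modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

# mod_ldap is server-wide. Trust only the CA that signed the Fedora DS server
# certificate and verify it, otherwise the StartTLS below protects nothing:
# Basic auth sends the user's password to httpd, and httpd binds with it.
LDAPTrustedGlobalCert CA_BASE64 /etc/httpd/conf/fds-ca.pem   # assumed path
LDAPVerifyServerCert  On
LDAPSharedCacheSize   200000
LDAPCacheEntries      1024
LDAPCacheTTL          600

<Directory "/var/www/html/protected">                         # assumed path
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all

    AuthType Basic
    AuthName "Only for nice people ;-)"
    AuthBasicProvider ldap
    # 2.2 counterpart of the "AuthAuthoritative Off" Q/A in Robert's config:
    # leave On unless another authz module must be consulted after LDAP.
    AuthzLDAPAuthoritative On

    # ldap://host:port/base?attribute?scope?filter, trailing TLS = StartTLS
    # on 389. Same LDAP_Server, Base_DN and UID_Attr Robert used.
    AuthLDAPURL "ldap://dserver.domain.com:389/dc=domain,dc=com?uid?sub?(objectClass=person)" TLS

    # Dedicated search account with read-only ACIs instead of Directory
    # Manager (placeholder DN and password; keep httpd.conf root-readable).
    # Drop both lines if the directory permits anonymous search.
    AuthLDAPBindDN       "uid=httpd-search,ou=Special Users,dc=domain,dc=com"
    AuthLDAPBindPassword "CHANGEME"

    # Fedora DS groups are groupOfUniqueNames with member DNs in uniqueMember.
    AuthLDAPGroupAttribute     uniqueMember
    AuthLDAPGroupAttributeIsDN On
    # Unlike mod_auth_ldap, the group DN must be fully qualified here.
    Require ldap-group cn=my_group,ou=Groups,dc=domain,dc=com
</Directory>
```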
From rmeggins at redhat.com Wed Jan 25 18:26:33 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 25 Jan 2006 11:26:33 -0700
Subject: [Fedora-directory-users] FDS and Apache
In-Reply-To:
References: <43D71D96.3050201@zd-lj.si> <43D798AA.1050002@redhat.com>
Message-ID: <43D7C2D9.3090004@redhat.com>

Kevin Kovach wrote:
> Yeah, this was the kind of info I was looking for.
>
> I just downloaded the newest Apache 2.2 server and was going to give
> it a go at implementing the included mod_authnz_ldap with FDS. I was
> planning on compiling everything from scratch, and wasn't sure if I
> could compile everything against the FDS/NS ldap libraries or if I
> needed to compile some or all of it against the OpenLDAP client
> libraries.
>
> From Richard's comments it sounds like I should just concentrate on
> compiling everything against the OpenLDAP libs. However, you mention
> using NSS for encryption. I'm unsure if using the OpenLDAP libs will
> limit me in some way?

No, not really. OpenLDAP uses OpenSSL for crypto. You can convert your certs from that format to the NSS format and vice versa if needed. If you were running in a paranoid secure environment, you probably wouldn't be asking me these questions :-)

> If we have control over the Apache compilation is there an
> advantage/disadvantage to compiling against the FDS/NS libs rather
> than OpenLDAP? I apologize if that's too vague a question. :-) Thanks.

I think it's probably simpler and easier to use the OpenLDAP ones. Then you can just use the standard Apache binaries that come with most OS distros.

> - Kevin

From les at futuresource.com Wed Jan 25 18:39:58 2006
From: les at futuresource.com (Les Mikesell)
Date: Wed, 25 Jan 2006 12:39:58 -0600
Subject: [Fedora-directory-users] fds vs. samba4?
Message-ID: <1138214397.20944.115.camel@moola.futuresource.com>

Is anyone following the Active Directory services in samba4 (http://www.zdnet.com.au/news/software/soa/New_Samba_targets_Active_Directory/0,2000061733,39234687,00.htm) enough to comment on how it would compare to FDS for network authentication purposes?

-- 
Les Mikesell
lesmikesell at gmail.com

From nzahar at gmail.com Wed Jan 25 20:05:42 2006
From: nzahar at gmail.com (Nikos Zaharioudakis)
Date: Wed, 25 Jan 2006 22:05:42 +0200
Subject: [Fedora-directory-users] fds vs. samba4?
In-Reply-To: <1138214397.20944.115.camel@moola.futuresource.com>
References: <1138214397.20944.115.camel@moola.futuresource.com>
Message-ID: <2adff3550601251205y785a25fjcfc903c99363a9f@mail.gmail.com>

On 1/25/06, Les Mikesell wrote:
> Is anyone following the Active Directory services in samba4
> (http://www.zdnet.com.au/news/software/soa/New_Samba_targets_Active_Directory/0,2000061733,39234687,00.htm)
> enough to comment on how it would compare to FDS for network
> authentication purposes?

Well at least I think you could still use FDS as a meta directory server that has to play with a M$ ADS. On the other hand SMB 4 features a new mini ldap inside, let alone the kerberos. So there are chances you could play that way too.
Please list correct me if I am stupid. ;-)

-- 
########################################3
Zaharioudakis Nikos
mob: +30 6947204063

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing on usenet and in e-mail?

From robert.ludvik at zd-lj.si Wed Jan 25 21:35:44 2006
From: robert.ludvik at zd-lj.si (Robert Ludvik)
Date: Wed, 25 Jan 2006 22:35:44 +0100
Subject: [Fedora-directory-users] FDS and Apache
In-Reply-To: <43D798AA.1050002@redhat.com>
References: <43D71D96.3050201@zd-lj.si> <43D798AA.1050002@redhat.com>
Message-ID: <20060125223544.bp0diguyo0oswk4s@mail.zd-lj.si>

Quoting Richard Megginson:
>> I had to copy manually these files:
>> cp /opt/fedora-ds/shared/lib/libprldap50.so /lib/
>> cp /opt/fedora-ds/shared/lib/libldap50.so /lib/
>> cp /opt/fedora-ds/shared/lib/libssldap50.so /lib/
>>
> What version of Apache is this?

2.0.54.something. I didn't really pay attention what is installed and which libraries are used...

Robert Ludvik

From prowley at redhat.com Wed Jan 25 22:19:14 2006
From: prowley at redhat.com (Pete Rowley)
Date: Wed, 25 Jan 2006 14:19:14 -0800
Subject: [Fedora-directory-users] fds vs. samba4?
In-Reply-To: <1138214397.20944.115.camel@moola.futuresource.com>
References: <1138214397.20944.115.camel@moola.futuresource.com>
Message-ID: <43D7F962.5090907@redhat.com>

Les Mikesell wrote:
>Is anyone following the Active Directory services in samba4
>(http://www.zdnet.com.au/news/software/soa/New_Samba_targets_Active_Directory/0,2000061733,39234687,00.htm)
>enough to comment on how it would compare to FDS for network
>authentication purposes?

It isn't really a case of versus. There is a high likelihood that in any large deployment you will want FDS as the backend server to SAMBA. Indeed, the SAMBA team appear to realise that writing it all themselves is not the best idea when there are perfectly good existing, scalable open source solutions available for the components they need. The standalone LDAP services for instance will likely not be intended to replace an existing LDAP deployment or indeed to displace the need for one - rather I suspect the internal LDAP functionality is intended for cases where a directory server is overkill and the additional services of directory servers are unrequired, and what is really required is an even lighter LDAP sufficient to get the job done in these cases. Ditto Kerberos.

So to sum up, if you have a need now that is best filled by a fully fledged directory server, you should probably not expect that to change when SAMBA4 releases.

This all of course, IMO.

-- 
Pete

From craigwhite at azapple.com Thu Jan 26 00:30:52 2006
From: craigwhite at azapple.com (Craig White)
Date: Wed, 25 Jan 2006 17:30:52 -0700
Subject: [Fedora-directory-users] fds vs. samba4?
In-Reply-To: <43D7F962.5090907@redhat.com>
References: <1138214397.20944.115.camel@moola.futuresource.com> <43D7F962.5090907@redhat.com>
Message-ID: <1138235452.15631.26.camel@lin-workstation.azapple.com>

On Wed, 2006-01-25 at 14:19 -0800, Pete Rowley wrote:
> So to sum up, if you have a need now that is best filled by a fully
> fledged directory server, you should probably not expect that to change
> when SAMBA4 releases.
>
> This all of course, IMO.
----
It is the only way they can really provide a complete turnkey type solution as an AD alternative. The samba list is replete of examples of people trying to obtain a samba integration with LDAP and for these people, an integrated - even if simplistic adaptation of LDAP and kerberos server should be more accommodating.

Craig

From ABliss at preferredcare.org Thu Jan 26 00:47:30 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Wed, 25 Jan 2006 19:47:30 -0500
Subject: [Fedora-directory-users] Some password policy enforcement information questions
Message-ID:

Turns out the issue I was having was with my clients; I'm not sure why, but the administrator before me had "UseLogin Yes" set in /etc/ssh/sshd_config; commenting this out immediately started generating password warnings to users (as configured by the directory server); does anyone know what the UseLogin option is used for? Thanks.

Aaron

-----Original Message-----
From: Bliss, Aaron
Sent: Thursday, January 19, 2006 3:15 PM
To: 'General discussion list for the Fedora Directory server project.'
Subject: RE: [Fedora-directory-users] Some password policy enforcement information questions Thanks very much for the explanation; makes much sense to me now; I did some playing around, and got the directory server to spit out to me that your password is going to expire in x amount of days. Thanks again. Aaron -----Original Message----- From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard Megginson Sent: Thursday, January 19, 2006 2:35 PM To: General discussion list for the Fedora Directory server project. Subject: Re: [Fedora-directory-users] Some password policy enforcement information questions It looks like the way it works is this: When you have enabled password warning, an operational attribute called "passwordExpWarned" is created in the user's entry. The value will be 0 until the user does a successful BIND operation and the time between now and the configured password expiration time is less than or equal to the configured password warning time. When this happens, the warning will be sent, the value of passwordExpWarned will be changed to 1, and the operational attribute passwordExpirationTime in the user's entry will be set to the time at which the password will expire. When the user changes the password, passwordExpWarned will be reset to 0 and passwordExpirationTime will be set to the new expiration time. Bliss, Aaron wrote: >If I've configured a correct password policy and the warning attribute >is not getting updated, should this be considered a bug? > >Aaron > >-----Original Message----- >From: fedora-directory-users-bounces at redhat.com >[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard >Megginson >Sent: Thursday, January 19, 2006 1:48 PM >To: General discussion list for the Fedora Directory server project. 
>Subject: Re: [Fedora-directory-users] Some password policy enforcement >information questions > >Bliss, Aaron wrote: > > > >>Please forgive me if I'm asking silly newbie questions, however I'm >>trying to understand exactly what I'm seeing thru fds; first the >>policy >> >> > > > >>I've configured on the directory using the fds console: >>I've enabled fine-grain password policy for the data unit, including >>password history enforcement, password expiration after 90 days, >>password warning 14 days before password expires, check password >>syntax, account lockout policy enabled after 3 login failures for 120 >>minutes and reset failure count after 15 minutes. >> >>Everything seems to be working except for send password warning; in the >>client's ldap.conf file, I've enabled pam_lookup_policy yes. >> >>Looking at account information attributes for a user, passwordexpwarned >>value is 0; I've reset users password to try to initialize the >>password >> >> > > > >>policy, however this value never seems to change. According to this >>documentation >>http://www.redhat.com/docs/manuals/dir-server/ag/7.1/password.html#107 >>7 >>0 >>81 I believe that this attribute is stored in seconds. Is this true? >> >> >> >> >Yes. > > > >>If so, what can I do to ensure this attribute is getting updated >>(assuming that this is the attribute responsible for triggering >>password expiration warning). >> >> >> >> >I'm not really sure. > > > >>Second issue/question: >>I've looked at this wiki >>http://directory.fedora.redhat.com/wiki/Howto:PAM and near the very >>bottom it mentions adding the following >> >>dn: cn=config >>changetype: modify >>add: passwordExp >>passwordExp: on >>- >>add: passwordMaxAge >>passwordMaxAge: 8640000 (this I believe would give a password max age >>of 100 days) >> >>Do I need to add these attributes even though I've configured the >>password policy using the fds console, or has it done this for me? 
Is this the >>case? I don't see these attributes in the gui, however I do see >>passwordexpirationtime as an attribute and it is set to 90 days from now >>(I want to ensure that accounts are indeed locked after passwords >>have expired). >> >> >> >> >Those attributes are only for global (default) password policy - what >you have set for fine grained password policy will override those. > > > >>Also, Jim Summers posted to this group that he saw an issue with >>shadowpasswd / shadowexpire fields not being updated >>https://www.redhat.com/archives/fedora-directory-users/2005-December/m >>s >>g >>00367.html >> >>Can anyone tell me what these fields are used for, as I don't see any >>mention of them in this documentation >>http://www.redhat.com/docs/manuals/dir-server/ag/7.1/password.html#107 >>7 >>0 >>81 >> >> >> >> >Right. They are a PAM/posix thing - FDS treats them as any other data >- it doesn't update them from its own password policy. > > > >>Thanks again very much. >> >>Aaron >> >> >> >> >>www.preferredcare.org >>"An Outstanding Member Experience," Preferred Care HMO Plans -- J. D. >>Power and Associates >> >>Confidentiality Notice: >>The information contained in this electronic message is intended for >> >> >the exclusive use of the individual or entity named above and may >contain privileged or confidential information. If the reader of this >message is not the intended recipient or the employee or agent >responsible to deliver it to the intended recipient, you are hereby >notified that dissemination, distribution or copying of this >information is prohibited. If you have received this communication in >error, please notify the sender immediately by telephone and destroy >the copies you received. > > >>-- >>Fedora-directory-users mailing list >>Fedora-directory-users at redhat.com >>https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> >> >> > > >www.preferredcare.org >"An Outstanding Member Experience," Preferred Care HMO Plans -- J. D. 
>Power and Associates > > >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users > > From kovach at gmail.com Thu Jan 26 01:29:40 2006 From: kovach at gmail.com (Kevin Kovach) Date: Wed, 25 Jan 2006 20:29:40 -0500 Subject: [Fedora-directory-users] dsbuild and libadminutil build error os Slackware 10.2 - 2.6.14.3 In-Reply-To: <439C618A.4060601@redhat.com> References: <439A390C.8050604@vendetta.ca> <439C618A.4060601@redhat.com> Message-ID: Mike, Did you end up finding a solution to this issue? I'm trying to build FDS 1.0.1 tonight on Slackware 10.1 kernel 2.4.29 with dsbuild and seeing the exact same error. Thanks. 
- Kevin On 12/11/05, Richard Megginson wrote: > > Does this directory exist: > > /usr/local/src/dsbuild/ds/mozilla/work/mozilla/dist/Linux2.6.14_x86_glibc_PTH_OPT.OBJ/include > > If not, is there a platform specific directory under > ......../mozilla/dist? If so, what is it? > > Mike Lowrie wrote: > > > I'm trying to do a complete build using dsbuild on a freshly installed > > Slackware 10.2 box with a 2.6.14.3 kernel, but I'm running into > > problems with the system not finding some header files: > > > > ==== Building AdminUtil ========== > > > > cd lib/libadminutil; gmake BUILD_OPT=1 NSPR_BASENAME= > > USE_PTHREADS=1 SECURITY=domestic MOZILLA_SOURCE_ROOT_EXT= > > ICU_SOURCE_ROOT_EXT= USE_64= > > gmake[3]: Entering directory > > `/usr/local/src/dsbuild/ds/adminutil/work/fedora-adminutil-1.0 > /lib/libadminutil' > > > > gcc -c -fPIC -pipe -DLINUX -Dlinux -DBSD -D_POSIX_SOURCE > > -D_XOPEN_SOURCE -D_BSD_SOURCE -DHAVE_STRERROR -DNO_DBM -DNO_NODELOCK > > -DXP_UNIX -DLinux -O2 -DNET_SSL -DSPAPI20 -DBUILD_NUM=\"2005.344.255\" > > -I/usr/local/src/dsbuild/ds/adminutil/work/fedora-adminutil-1.0/include > > > -I/usr/local/src/dsbuild/ds/mozilla/work/mozilla/dist/Linux2.6.14_x86_glibc_PTH_OPT.OBJ/include > > -I/usr/local/src/dsbuild/ds/mozilla/work/mozilla/dist/public/nss > > -I/usr/local/src/dsbuild/ds/mozilla/work/mozilla/dist/public/ldap > > -I/usr/local/src/dsbuild/ds/icu/work/icu-2.4/built/include psetc.c -o > > /usr/local/src/dsbuild/ds/adminutil/work/fedora-adminutil-1.0 > /built/Linux2.6.14_x86_glibc_PTH_OPT.OBJ/lib/libadminutil/psetc.o > > > > In file included from > > /usr/local/src/dsbuild/ds/adminutil/work/fedora-adminutil-1.0 > /include/libadminutil/psetc.h:24, > > > > from psetc_pvt.h:26, > > from psetc.c:30: > > /usr/local/src/dsbuild/ds/adminutil/work/fedora-adminutil-1.0 > /include/libadminutil/admutil.h:25:21: > > prtypes.h: No such file or directory > > /usr/local/src/dsbuild/ds/adminutil/work/fedora-adminutil-1.0 > /include/libadminutil/admutil.h:26:19: 
> > plstr.h: No such file or directory > > /usr/local/src/dsbuild/ds/adminutil/work/fedora-adminutil-1.0 > /include/libadminutil/admutil.h:27:19: > > prprf.h: No such file or directory > > In file included from > > /usr/local/src/dsbuild/ds/adminutil/work/fedora-adminutil-1.0 > /include/libadminutil/psetc.h:24, > > > > from psetc_pvt.h:26, > > from psetc.c:30: > > /usr/local/src/dsbuild/ds/adminutil/work/fedora-adminutil-1.0 > /include/libadminutil/admutil.h:78: > > error: syntax error before "createAttrNameList" > > /usr/local/src/dsbuild/ds/adminutil/work/fedora-adminutil-1.0 > /include/libadminutil/admutil.h:78: > > warning: data definition has no type or storage class > > /usr/local/src/dsbuild/ds/adminutil/work/fedora-adminutil-1.0 > /include/libadminutil/admutil.h:80: > > error: syntax error before "addName" > > /usr/local/src/dsbuild/ds/adminutil/work/fedora-adminutil-1.0 > /include/libadminutil/admutil.h:80: > > warning: data definition has no type or storage class > > . > > . > > . > > > > and of course a whole lot of other errors follow. > > > > I have found the files it is looking for in the mozilla directory of > > the dsbuild directory, but its as if it doesn't have the correct > > include paths. I tried adding a few manually, but there are a lot of > > different paths - all from the mozilla directory that aren't being > found. > > > > Does anyone have any suggestions on how to fix this? > > > > Appreciate the help! > > Mike > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > -- Take back the web, http://www.switch2firefox.com/ -------------- next part -------------- An HTML attachment was scrubbed... 
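The question Richard puts to Mike in the quoted reply (does the Linux2.6.14_x86_glibc_PTH_OPT.OBJ directory exist under mozilla/dist, and if not, which platform-specific directory is there instead?) can be answered from the shell before another full dsbuild run. The script below is an added example, not code from dsbuild, NSPR or any message in this thread: it lists the object directories NSPR actually produced under dist/, verifies that one of them holds the three headers the adminutil compile reports as missing (prtypes.h, plstr.h, prprf.h), and refuses to guess when the tree is ambiguous. The dist/<objdir>/include layout is assumed from the paths in the quoted build log, and the demonstration tree it creates under mktemp is constructed to mirror the situation in the thread.

```shell
#!/bin/sh
# Added example; not part of dsbuild, NSPR or any message in this thread.
# The failing adminutil compile passes
#   -I<mozilla-root>/dist/<objdir>/include
# where <objdir> is the platform name dsbuild computed
# (Linux2.6.14_x86_glibc_PTH_OPT.OBJ in the quoted log). When NSPR actually
# built into a differently named directory under dist/, prtypes.h, plstr.h
# and prprf.h are "not found". These helpers find the directory NSPR really
# produced and verify it holds those headers before the name is fed back to
# the build. The dist/<objdir>/include layout is assumed from the quoted paths.

# List the *.OBJ directories under <mozilla-root>/dist, one name per line.
list_objdirs() {
    dist="$1/dist"
    [ -d "$dist" ] || return 1
    for d in "$dist"/*.OBJ; do
        [ -d "$d" ] && basename "$d"
    done
    return 0
}

# Succeed only if <mozilla-root>/dist/<objdir>/include holds every NSPR header
# the adminutil compile needs; name the missing ones on stderr otherwise.
check_nspr_headers() {
    inc="$1/dist/$2/include"
    missing=""
    for h in prtypes.h plstr.h prprf.h; do
        [ -f "$inc/$h" ] || missing="$missing $h"
    done
    if [ -n "$missing" ]; then
        echo "missing in $inc:$missing" >&2
        return 1
    fi
    return 0
}

# Print the objdir to use: the expected name if it exists and is complete,
# otherwise the single real one under dist/ if that one is complete.
# Ambiguous or incomplete trees fail instead of guessing, so a wrong -I path
# is never silently written back into the build configuration.
resolve_objdir() {
    root="$1"
    expected="$2"
    if check_nspr_headers "$root" "$expected" 2>/dev/null; then
        echo "$expected"
        return 0
    fi
    actual=$(list_objdirs "$root" || true)
    count=$(printf '%s\n' "$actual" | grep -c . || true)
    if [ "$count" -eq 1 ] && check_nspr_headers "$root" "$actual"; then
        echo "$actual"
        return 0
    fi
    echo "cannot resolve objdir under $root/dist (candidates: $actual)" >&2
    return 1
}

# Constructed tree reproducing the situation in the thread: dsbuild expects a
# 2.6.14 objdir, but NSPR on this box built a Linux2.4 one.
DEMO_ROOT=$(mktemp -d)
trap 'rm -rf "$DEMO_ROOT"' EXIT
DEMO_EXPECTED="Linux2.6.14_x86_glibc_PTH_OPT.OBJ"
DEMO_ACTUAL="Linux2.4_x86_glibc_PTH_OPT.OBJ"
mkdir -p "$DEMO_ROOT/dist/$DEMO_ACTUAL/include"
for h in prtypes.h plstr.h prprf.h; do
    : > "$DEMO_ROOT/dist/$DEMO_ACTUAL/include/$h"
done

if objdir=$(resolve_objdir "$DEMO_ROOT" "$DEMO_EXPECTED"); then
    echo "use -I$DEMO_ROOT/dist/$objdir/include"
else
    echo "set the objdir by hand" >&2
fi
```

Point `resolve_objdir` at the real mozilla source root with the name dsbuild computed, and it prints the directory whose include path the adminutil compile should use; if dist/ holds several *.OBJ trees (for example an OPT and a DBG build) it stops and lists them rather than picking one.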
URL: From rmeggins at redhat.com Thu Jan 26 01:34:58 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Wed, 25 Jan 2006 18:34:58 -0700 Subject: [Fedora-directory-users] dsbuild and libadminutil build error os Slackware 10.2 - 2.6.14.3 In-Reply-To: References: <439A390C.8050604@vendetta.ca> <439C618A.4060601@redhat.com> Message-ID: <43D82742.6090506@redhat.com> Kevin Kovach wrote: > Mike, > > Did you end up finding a solution to this issue? I'm trying to build > FDS 1.0.1 tonight on Slackware 10.1 kernel 2.4.29 with dsbuild and > seeing the exact same error. Thanks. > > - Kevin > > On 12/11/05, *Richard Megginson* > wrote: > > Does this directory exist: > /usr/local/src/dsbuild/ds/mozilla/work/mozilla/dist/Linux2.6.14_x86_glibc_PTH_OPT.OBJ/include > > If not, is there a platform specific directory under > ......../mozilla/dist? If so, what is it? > Kevin, same question as above. If you are using dsbuild, you might be able to hack dsbuild/objdirname.mk to make it spit out the right name. 
Or, just change it to grab the name from the actual name of the directory under mozilla/dist > > > Mike Lowrie wrote: > > > I'm trying to do a complete build using dsbuild on a freshly > installed > > Slackware 10.2 box with a 2.6.14.3 kernel, but > I'm running into > > problems with the system not finding some header files: > > > > ==== Building AdminUtil ========== > > > > cd lib/libadminutil; gmake BUILD_OPT=1 NSPR_BASENAME= > > USE_PTHREADS=1 SECURITY=domestic MOZILLA_SOURCE_ROOT_EXT= > > ICU_SOURCE_ROOT_EXT= USE_64= > > gmake[3]: Entering directory > > > `/usr/local/src/dsbuild/ds/adminutil/work/fedora-adminutil-1.0/lib/libadminutil' > > > > gcc -c -fPIC -pipe -DLINUX -Dlinux -DBSD -D_POSIX_SOURCE > > -D_XOPEN_SOURCE -D_BSD_SOURCE -DHAVE_STRERROR -DNO_DBM > -DNO_NODELOCK > > -DXP_UNIX -DLinux -O2 -DNET_SSL -DSPAPI20 > -DBUILD_NUM=\"2005.344.255\" > > > -I/usr/local/src/dsbuild/ds/adminutil/work/fedora-adminutil-1.0/include > > > -I/usr/local/src/dsbuild/ds/mozilla/work/mozilla/dist/Linux2.6.14_x86_glibc_PTH_OPT.OBJ/include > > > -I/usr/local/src/dsbuild/ds/mozilla/work/mozilla/dist/public/nss > > -I/usr/local/src/dsbuild/ds/mozilla/work/mozilla/dist/public/ldap > > -I/usr/local/src/dsbuild/ds/icu/work/icu-2.4/built/include > psetc.c -o > > > /usr/local/src/dsbuild/ds/adminutil/work/fedora-adminutil-1.0/built/Linux2.6.14_x86_glibc_PTH_OPT.OBJ/lib/libadminutil/psetc.o > > > > In file included from > > /usr/local/src/dsbuild/ds/adminutil/work/fedora- > adminutil-1.0/include/libadminutil/psetc.h:24, > > > > from psetc_pvt.h:26, > > from psetc.c:30: > > > /usr/local/src/dsbuild/ds/adminutil/work/fedora-adminutil-1.0/include/libadminutil/admutil.h:25:21: > > > prtypes.h: No such file or directory > > > /usr/local/src/dsbuild/ds/adminutil/work/fedora-adminutil-1.0/include/libadminutil/admutil.h:26:19: > > plstr.h: No such file or directory > > /usr/local/src/dsbuild/ds/adminutil/work/fedora- > adminutil-1.0/include/libadminutil/admutil.h:27:19: > > prprf.h: No such 
file or directory > > In file included from > > > /usr/local/src/dsbuild/ds/adminutil/work/fedora-adminutil-1.0/include/libadminutil/psetc.h:24, > > > > > from psetc_pvt.h:26, > > from psetc.c:30: > > > /usr/local/src/dsbuild/ds/adminutil/work/fedora-adminutil-1.0/include/libadminutil/admutil.h:78: > > error: syntax error before "createAttrNameList" > > > /usr/local/src/dsbuild/ds/adminutil/work/fedora-adminutil-1.0/include/libadminutil/admutil.h:78: > > warning: data definition has no type or storage class > > /usr/local/src/dsbuild/ds/adminutil/work/fedora- > adminutil-1.0/include/libadminutil/admutil.h:80: > > error: syntax error before "addName" > > > /usr/local/src/dsbuild/ds/adminutil/work/fedora-adminutil-1.0/include/libadminutil/admutil.h:80: > > warning: data definition has no type or storage class > > . > > . > > . > > > > and of course a whole lot of other errors follow. > > > > I have found the files it is looking for in the mozilla directory of > > the dsbuild directory, but its as if it doesn't have the correct > > include paths. I tried adding a few manually, but there are a lot of > > different paths - all from the mozilla directory that aren't > being found. > > > > Does anyone have any suggestions on how to fix this? > > > > Appreciate the help! > > Mike > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > > > -- > Take back the web, http://www.switch2firefox.com/ > > >------------------------------------------------------------------------ > >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From kovach at gmail.com Thu Jan 26 01:54:12 2006 From: kovach at gmail.com (Kevin Kovach) Date: Wed, 25 Jan 2006 20:54:12 -0500 Subject: [Fedora-directory-users] dsbuild and libadminutil build error os Slackware 10.2 - 2.6.14.3 In-Reply-To: <43D82742.6090506@redhat.com> References: <439A390C.8050604@vendetta.ca> <439C618A.4060601@redhat.com> <43D82742.6090506@redhat.com> Message-ID: To answer the question in your reply to Mike, I'm building FDS in /opt/src/dsbuild and I have the following directory as you asked him ... /opt/src/dsbuild/ds/adminutil/work/fedora-adminutil-1.0 /built/Linux2.4_x86_glibc_PTH_DBG.OBJ/include/ I guess I didn't understand what the solution was if this directory does exist? Thanks. - Kevin On 1/25/06, Richard Megginson wrote: > > Kevin Kovach wrote: > > > Mike, > > > > Did you end up finding a solution to this issue? I'm trying to build > > FDS 1.0.1 tonight on Slackware 10.1 kernel 2.4.29 with dsbuild and > > seeing the exact same error. Thanks. > > > > - Kevin > > > > On 12/11/05, *Richard Megginson* > > wrote: > > > > Does this directory exist: > > > /usr/local/src/dsbuild/ds/mozilla/work/mozilla/dist/Linux2.6.14_x86_glibc_PTH_OPT.OBJ/include > > > > If not, is there a platform specific directory under > > ......../mozilla/dist? If so, what is it? > > > Kevin, same question as above. If you are using dsbuild, you might be > able to hack dsbuild/objdirname.mk to make it spit out the right name. 
> Or, just change it to grab the name from the actual name of the > directory under mozilla/dist > > > > > > > Mike Lowrie wrote: > > > > > I'm trying to do a complete build using dsbuild on a freshly > > installed > > > Slackware 10.2 box with a 2.6.14.3 kernel, but > > I'm running into > > > problems with the system not finding some header files: > > > > > > ==== Building AdminUtil ========== > > > > > > cd lib/libadminutil; gmake BUILD_OPT=1 NSPR_BASENAME= > > > USE_PTHREADS=1 SECURITY=domestic MOZILLA_SOURCE_ROOT_EXT= > > > ICU_SOURCE_ROOT_EXT= USE_64= > > > gmake[3]: Entering directory > > > > > `/usr/local/src/dsbuild/ds/adminutil/work/fedora-adminutil-1.0 > /lib/libadminutil' > > > > > > gcc -c -fPIC -pipe -DLINUX -Dlinux -DBSD -D_POSIX_SOURCE > > > -D_XOPEN_SOURCE -D_BSD_SOURCE -DHAVE_STRERROR -DNO_DBM > > -DNO_NODELOCK > > > -DXP_UNIX -DLinux -O2 -DNET_SSL -DSPAPI20 > > -DBUILD_NUM=\"2005.344.255\" > > > > > -I/usr/local/src/dsbuild/ds/adminutil/work/fedora-adminutil-1.0 > /include > > > > > > -I/usr/local/src/dsbuild/ds/mozilla/work/mozilla/dist/Linux2.6.14_x86_glibc_PTH_OPT.OBJ/include > > > > > -I/usr/local/src/dsbuild/ds/mozilla/work/mozilla/dist/public/nss > > > -I/usr/local/src/dsbuild/ds/mozilla/work/mozilla/dist/public/ldap > > > -I/usr/local/src/dsbuild/ds/icu/work/icu-2.4/built/include > > psetc.c -o > > > > > /usr/local/src/dsbuild/ds/adminutil/work/fedora-adminutil-1.0 > /built/Linux2.6.14_x86_glibc_PTH_OPT.OBJ/lib/libadminutil/psetc.o > > > > > > In file included from > > > /usr/local/src/dsbuild/ds/adminutil/work/fedora- > > adminutil-1.0/include/libadminutil/psetc.h:24, > > > > > > from psetc_pvt.h:26, > > > from psetc.c:30: > > > > > /usr/local/src/dsbuild/ds/adminutil/work/fedora-adminutil-1.0 > /include/libadminutil/admutil.h:25:21: > > > > > prtypes.h: No such file or directory > > > > > /usr/local/src/dsbuild/ds/adminutil/work/fedora-adminutil-1.0 > /include/libadminutil/admutil.h:26:19: > > > plstr.h: No such file or directory > > > 
/usr/local/src/dsbuild/ds/adminutil/work/fedora- > > adminutil-1.0/include/libadminutil/admutil.h:27:19: > > > prprf.h: No such file or directory > > > In file included from > > > > > /usr/local/src/dsbuild/ds/adminutil/work/fedora-adminutil-1.0 > /include/libadminutil/psetc.h:24, > > > > > > > > from psetc_pvt.h:26, > > > from psetc.c:30: > > > > > /usr/local/src/dsbuild/ds/adminutil/work/fedora-adminutil-1.0 > /include/libadminutil/admutil.h:78: > > > error: syntax error before "createAttrNameList" > > > > > /usr/local/src/dsbuild/ds/adminutil/work/fedora-adminutil-1.0 > /include/libadminutil/admutil.h:78: > > > warning: data definition has no type or storage class > > > /usr/local/src/dsbuild/ds/adminutil/work/fedora- > > adminutil-1.0/include/libadminutil/admutil.h:80: > > > error: syntax error before "addName" > > > > > /usr/local/src/dsbuild/ds/adminutil/work/fedora-adminutil-1.0 > /include/libadminutil/admutil.h:80: > > > warning: data definition has no type or storage class > > > . > > > . > > > . > > > > > > and of course a whole lot of other errors follow. > > > > > > I have found the files it is looking for in the mozilla directory > of > > > the dsbuild directory, but its as if it doesn't have the correct > > > include paths. I tried adding a few manually, but there are a lot > of > > > different paths - all from the mozilla directory that aren't > > being found. > > > > > > Does anyone have any suggestions on how to fix this? > > > > > > Appreciate the help! 
> > > Mike > > > > > > -- > > > Fedora-directory-users mailing list > > > Fedora-directory-users at redhat.com > > > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > > > > > > > > > > -- > > Take back the web, http://www.switch2firefox.com/ > > > > > >------------------------------------------------------------------------ > > > >-- > >Fedora-directory-users mailing list > >Fedora-directory-users at redhat.com > >https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > -- Take back the web, http://www.switch2firefox.com/ -------------- next part -------------- An HTML attachment was scrubbed... URL: From rmeggins at redhat.com Thu Jan 26 04:42:26 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Wed, 25 Jan 2006 21:42:26 -0700 Subject: [Fedora-directory-users] dsbuild and libadminutil build error os Slackware 10.2 - 2.6.14.3 In-Reply-To: References: <439A390C.8050604@vendetta.ca> <439C618A.4060601@redhat.com> <43D82742.6090506@redhat.com> Message-ID: <43D85332.8020500@redhat.com> Kevin Kovach wrote: > To answer the question in your reply to Mike, I'm building FDS in > /opt/src/dsbuild and I have the following directory as you asked him ... > > /opt/src/dsbuild/ds/adminutil/work/fedora-adminutil-1.0/built/Linux2.4_x86_glibc_PTH_DBG.OBJ/include/ > > > I guess I didn't understand what the solution was if this directory > does exist? Thanks. the adminutil component is looking for Linux2.4 but NSPR is using something different. 
Do you have this directory: dsbuild/ds/mozilla/work/mozilla/dist/Linux2.6.14_x86_glibc_PTH_OPT.OBJ/include If not, what is to the right of dist/ and to the left of /include under your dsbuild/ds/mozilla/work/mozilla? > > - Kevin > > On 1/25/06, *Richard Megginson* < rmeggins at redhat.com > > wrote: > > Kevin Kovach wrote: > > > Mike, > > > > Did you end up finding a solution to this issue? I'm trying to > build > > FDS 1.0.1 tonight on Slackware 10.1 kernel 2.4.29 with dsbuild and > > seeing the exact same error. Thanks. > > > > - Kevin > > > > On 12/11/05, *Richard Megginson* < rmeggins at redhat.com > > > >> wrote: > > > > Does this directory exist: > > > /usr/local/src/dsbuild/ds/mozilla/work/mozilla/dist/Linux2.6.14_x86_glibc_PTH_OPT.OBJ/include > > > > > If not, is there a platform specific directory under > > ......../mozilla/dist? If so, what is it? > > > Kevin, same question as above. If you are using dsbuild, you might be > able to hack dsbuild/objdirname.mk to make it spit out the right > name. 
> Or, just change it to grab the name from the actual name of the > directory under mozilla/dist > > > > > > > Mike Lowrie wrote: > > > > > I'm trying to do a complete build using dsbuild on a freshly > > installed > > > Slackware 10.2 box with a 2.6.14.3 > kernel, but > > I'm running into > > > problems with the system not finding some header files: > > > > > > ==== Building AdminUtil ========== > > > > > > cd lib/libadminutil; gmake BUILD_OPT=1 NSPR_BASENAME= > > > USE_PTHREADS=1 SECURITY=domestic MOZILLA_SOURCE_ROOT_EXT= > > > ICU_SOURCE_ROOT_EXT= USE_64= > > > gmake[3]: Entering directory > > > > > > `/usr/local/src/dsbuild/ds/adminutil/work/fedora-adminutil-1.0/lib/libadminutil' > > > > > > gcc -c -fPIC -pipe -DLINUX -Dlinux -DBSD -D_POSIX_SOURCE > > > -D_XOPEN_SOURCE -D_BSD_SOURCE -DHAVE_STRERROR -DNO_DBM > > -DNO_NODELOCK > > > -DXP_UNIX -DLinux -O2 -DNET_SSL -DSPAPI20 > > -DBUILD_NUM=\"2005.344.255\" > > > > > > -I/usr/local/src/dsbuild/ds/adminutil/work/fedora-adminutil-1.0/include > > > > > > -I/usr/local/src/dsbuild/ds/mozilla/work/mozilla/dist/Linux2.6.14_x86_glibc_PTH_OPT.OBJ/include > > > > > > > -I/usr/local/src/dsbuild/ds/mozilla/work/mozilla/dist/public/nss > > > > -I/usr/local/src/dsbuild/ds/mozilla/work/mozilla/dist/public/ldap > > > -I/usr/local/src/dsbuild/ds/icu/work/icu- 2.4/built/include > > psetc.c -o > > > > > > /usr/local/src/dsbuild/ds/adminutil/work/fedora-adminutil-1.0/built/Linux2.6.14_x86_glibc_PTH_OPT.OBJ/lib/libadminutil/psetc.o > > > > > > In file included from > > > /usr/local/src/dsbuild/ds/adminutil/work/fedora- > > adminutil-1.0/include/libadminutil/psetc.h:24, > > > > > > from psetc_pvt.h:26, > > > from psetc.c:30: > > > > > > /usr/local/src/dsbuild/ds/adminutil/work/fedora-adminutil-1.0/include/libadminutil/admutil.h:25:21: > > > > > prtypes.h: No such file or directory > > > > > > /usr/local/src/dsbuild/ds/adminutil/work/fedora-adminutil-1.0/include/libadminutil/admutil.h:26:19: > > > plstr.h: No such file or directory > > 
> /usr/local/src/dsbuild/ds/adminutil/work/fedora- > > adminutil-1.0/include/libadminutil/admutil.h:27:19: > > > prprf.h: No such file or directory > > > In file included from > > > > > /usr/local/src/dsbuild/ds/adminutil/work/fedora- > adminutil-1.0/include/libadminutil/psetc.h:24, > > > > > > > > from psetc_pvt.h:26, > > > from psetc.c:30: > > > > > /usr/local/src/dsbuild/ds/adminutil/work/fedora- > adminutil-1.0/include/libadminutil/admutil.h:78: > > > error: syntax error before "createAttrNameList" > > > > > > /usr/local/src/dsbuild/ds/adminutil/work/fedora-adminutil-1.0/include/libadminutil/admutil.h:78: > > > > warning: data definition has no type or storage class > > > /usr/local/src/dsbuild/ds/adminutil/work/fedora- > > adminutil-1.0/include/libadminutil/admutil.h:80: > > > error: syntax error before "addName" > > > > > > /usr/local/src/dsbuild/ds/adminutil/work/fedora-adminutil-1.0/include/libadminutil/admutil.h:80: > > > warning: data definition has no type or storage class > > > . > > > . > > > . > > > > > > and of course a whole lot of other errors follow. > > > > > > I have found the files it is looking for in the mozilla > directory of > > > the dsbuild directory, but its as if it doesn't have the > correct > > > include paths. I tried adding a few manually, but there > are a lot of > > > different paths - all from the mozilla directory that aren't > > being found. > > > > > > Does anyone have any suggestions on how to fix this? > > > > > > Appreciate the help! 
> > > Mike > > > > > > -- > > > Fedora-directory-users mailing list > > > Fedora-directory-users at redhat.com > > > > > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > > > > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > > > > > > > > > > > -- > > Take back the web, http://www.switch2firefox.com/ > > > > > > >------------------------------------------------------------------------ > > > >-- > >Fedora-directory-users mailing list > >Fedora-directory-users at redhat.com > > >https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > > > > -- > Take back the web, http://www.switch2firefox.com/ > >------------------------------------------------------------------------ > >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From kovach at gmail.com Thu Jan 26 05:17:39 2006 From: kovach at gmail.com (Kevin Kovach) Date: Thu, 26 Jan 2006 00:17:39 -0500 Subject: [Fedora-directory-users] dsbuild and libadminutil build error os Slackware 10.2 - 2.6.14.3 In-Reply-To: <43D85332.8020500@redhat.com> References: <439A390C.8050604@vendetta.ca> <439C618A.4060601@redhat.com> <43D82742.6090506@redhat.com> <43D85332.8020500@redhat.com> Message-ID: I'm using the 2.4 kernel. Under dist I have a Linux2.4_x86_glibc_PTH_OPT.OBJ/include directory. The full path to the header files is /opt/src/dsbuild/ds/mozilla/work/mozilla/dist/Linux2.4_x86_glibc_PTH_OPT.OBJ/include. 
All the headers are links to
../../../nsprpub/Linux2.4_x86_glibc_PTH_OPT.OBJ/pr/include/../../../pr/include/

I need to add this directory to objdirname.mk somewhere? Pardon my ignorance. Thanks for the help.

- Kevin

On 1/25/06, Richard Megginson wrote:
> Kevin Kovach wrote:
>
> > To answer the question in your reply to Mike, I'm building FDS in
> > /opt/src/dsbuild and I have the following directory as you asked him ...
> >
> > /opt/src/dsbuild/ds/adminutil/work/fedora-adminutil-1.0/built/Linux2.4_x86_glibc_PTH_DBG.OBJ/include/
> >
> > I guess I didn't understand what the solution was if this directory
> > does exist? Thanks.
>
> the adminutil component is looking for Linux2.4 but NSPR is using
> something different. Do you have this directory:
>
> dsbuild/ds/mozilla/work/mozilla/dist/Linux2.6.14_x86_glibc_PTH_OPT.OBJ/include
>
> If not, what is to the right of dist/ and to the left of /include under
> your dsbuild/ds/mozilla/work/mozilla?
>
> > - Kevin
> >
> > On 1/25/06, *Richard Megginson* <rmeggins at redhat.com> wrote:
> > >
> > > Kevin Kovach wrote:
> > >
> > > > Mike,
> > > >
> > > > Did you end up finding a solution to this issue? I'm trying to build
> > > > FDS 1.0.1 tonight on Slackware 10.1 kernel 2.4.29 with dsbuild and
> > > > seeing the exact same error. Thanks.
> > > >
> > > > - Kevin
> > > >
> > > > On 12/11/05, *Richard Megginson* <rmeggins at redhat.com> wrote:
> > > > >
> > > > > Does this directory exist:
> > > > >
> > > > > /usr/local/src/dsbuild/ds/mozilla/work/mozilla/dist/Linux2.6.14_x86_glibc_PTH_OPT.OBJ/include
> > > > >
> > > > > If not, is there a platform specific directory under
> > > > > ......../mozilla/dist? If so, what is it?
> > >
> > > Kevin, same question as above. If you are using dsbuild, you might be
> > > able to hack dsbuild/objdirname.mk to make it spit out the right name.
> > > Or, just change it to grab the name from the actual name of the
> > > directory under mozilla/dist
> > >
> > > > > Mike Lowrie wrote:
> > > > >
> > > > > > I'm trying to do a complete build using dsbuild on a freshly installed
> > > > > > Slackware 10.2 box with a 2.6.14.3 kernel, but I'm running into
> > > > > > problems with the system not finding some header files:
> > > > > >
> > > > > > ==== Building AdminUtil ==========
> > > > > >
> > > > > > cd lib/libadminutil; gmake BUILD_OPT=1 NSPR_BASENAME=
> > > > > > USE_PTHREADS=1 SECURITY=domestic MOZILLA_SOURCE_ROOT_EXT=
> > > > > > ICU_SOURCE_ROOT_EXT= USE_64=
> > > > > > gmake[3]: Entering directory
> > > > > > `/usr/local/src/dsbuild/ds/adminutil/work/fedora-adminutil-1.0/lib/libadminutil'
> > > > > >
> > > > > > gcc -c -fPIC -pipe -DLINUX -Dlinux -DBSD -D_POSIX_SOURCE
> > > > > > -D_XOPEN_SOURCE -D_BSD_SOURCE -DHAVE_STRERROR -DNO_DBM -DNO_NODELOCK
> > > > > > -DXP_UNIX -DLinux -O2 -DNET_SSL -DSPAPI20 -DBUILD_NUM=\"2005.344.255\"
> > > > > > -I/usr/local/src/dsbuild/ds/adminutil/work/fedora-adminutil-1.0/include
> > > > > > -I/usr/local/src/dsbuild/ds/mozilla/work/mozilla/dist/Linux2.6.14_x86_glibc_PTH_OPT.OBJ/include
> > > > > > -I/usr/local/src/dsbuild/ds/mozilla/work/mozilla/dist/public/nss
> > > > > > -I/usr/local/src/dsbuild/ds/mozilla/work/mozilla/dist/public/ldap
> > > > > > -I/usr/local/src/dsbuild/ds/icu/work/icu-2.4/built/include psetc.c -o
> > > > > > /usr/local/src/dsbuild/ds/adminutil/work/fedora-adminutil-1.0/built/Linux2.6.14_x86_glibc_PTH_OPT.OBJ/lib/libadminutil/psetc.o
> > > > > >
> > > > > > In file included from
> > > > > > /usr/local/src/dsbuild/ds/adminutil/work/fedora-adminutil-1.0/include/libadminutil/psetc.h:24,
> > > > > >                  from psetc_pvt.h:26,
> > > > > >                  from psetc.c:30:
> > > > > > /usr/local/src/dsbuild/ds/adminutil/work/fedora-adminutil-1.0/include/libadminutil/admutil.h:25:21:
> > > > > > prtypes.h: No such file or directory
> > > > > > /usr/local/src/dsbuild/ds/adminutil/work/fedora-adminutil-1.0/include/libadminutil/admutil.h:26:19:
> > > > > > plstr.h: No such file or directory
> > > > > > /usr/local/src/dsbuild/ds/adminutil/work/fedora-adminutil-1.0/include/libadminutil/admutil.h:27:19:
> > > > > > prprf.h: No such file or directory
> > > > > > In file included from
> > > > > > /usr/local/src/dsbuild/ds/adminutil/work/fedora-adminutil-1.0/include/libadminutil/psetc.h:24,
> > > > > >                  from psetc_pvt.h:26,
> > > > > >                  from psetc.c:30:
> > > > > > /usr/local/src/dsbuild/ds/adminutil/work/fedora-adminutil-1.0/include/libadminutil/admutil.h:78:
> > > > > > error: syntax error before "createAttrNameList"
> > > > > > /usr/local/src/dsbuild/ds/adminutil/work/fedora-adminutil-1.0/include/libadminutil/admutil.h:78:
> > > > > > warning: data definition has no type or storage class
> > > > > > /usr/local/src/dsbuild/ds/adminutil/work/fedora-adminutil-1.0/include/libadminutil/admutil.h:80:
> > > > > > error: syntax error before "addName"
> > > > > > /usr/local/src/dsbuild/ds/adminutil/work/fedora-adminutil-1.0/include/libadminutil/admutil.h:80:
> > > > > > warning: data definition has no type or storage class
> > > > > > .
> > > > > > .
> > > > > > .
> > > > > >
> > > > > > and of course a whole lot of other errors follow.
> > > > > >
> > > > > > I have found the files it is looking for in the mozilla directory of
> > > > > > the dsbuild directory, but it's as if it doesn't have the correct
> > > > > > include paths. I tried adding a few manually, but there are a lot of
> > > > > > different paths - all from the mozilla directory that aren't being found.
> > > > > >
> > > > > > Does anyone have any suggestions on how to fix this?
> > > > > >
> > > > > > Appreciate the help!
> > > > > > Mike
> > > > > >
> > > > > > --
> > > > > > Fedora-directory-users mailing list
> > > > > > Fedora-directory-users at redhat.com
> > > > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users

--
Take back the web, http://www.switch2firefox.com/

From ldragon at freemail.hu Thu Jan 26 09:49:34 2006
From: ldragon at freemail.hu (Little Dragon)
Date: Thu, 26 Jan 2006 10:49:34 +0100 (CET)
Subject: [Fedora-directory-users] Admin Server or Console problem
In-Reply-To: <000601c62220$6d4a6dd0$67de0a0a@starlightws>
Message-ID:

Hi,

My problem is partly solved. I am testing FDS on virtual PC (VPC) with FC4. It seems my problem is related to DHCP/DNS settings.
The VPC gets the IP address from DHCP but the hostname is not registered, as it is just a test and I am testing it when I have a few free minutes. Then I installed a new VPC without network (only the "lo" is there) and now it works as it should.

If you are on a network then try to check the hostname with "nslookup yourhostname". If it is not OK then your problem could also be related to DHCP/DNS.

HTH,
Laszlo

"Hyo-su,Won" wrote:
>
> Cannot connect to the Admin Server http://hostname:1500;
> The URL is not correct or the server is not running.
>
> I'm looking for how to solve..
>
> If you got any idea.. can I share your opinion?

From rmeggins at redhat.com Thu Jan 26 14:57:53 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 26 Jan 2006 07:57:53 -0700
Subject: [Fedora-directory-users] dsbuild and libadminutil build error os Slackware 10.2 - 2.6.14.3
In-Reply-To:
References: <439A390C.8050604@vendetta.ca> <439C618A.4060601@redhat.com> <43D82742.6090506@redhat.com> <43D85332.8020500@redhat.com>
Message-ID: <43D8E371.8040700@redhat.com>

Kevin Kovach wrote:
> I'm using the 2.4 kernel. Under dist I have a
> Linux2.4_x86_glibc_PTH_OPT.OBJ/include directory.
>
> The full path to the header files is
> /opt/src/dsbuild/ds/mozilla/work/mozilla/dist/Linux2.4_x86_glibc_PTH_OPT.OBJ/include.
> All the headers are links to
> ../../../nsprpub/Linux2.4_x86_glibc_PTH_OPT.OBJ/pr/include/../../../pr/include/
>
> I need to add this directory to objdirname.mk somewhere?

Not exactly. objdirname.mk figures out what the name of this directory is supposed to be based on the output of uname, e.g.

grep uname dsbuild/*

In some places, we use the patch version number (.14) and in other places we do not (as in your example above, where it only has Linux2.4 instead of Linux2.6.14 below). In your case, you might just want to hard code the correct values into objdirname.mk. But we'd like to make dsbuild work on other linux distros, so if you can figure out how to make objdirname.mk get the correct values from the environment, and send us the patches, we would appreciate it.

> Pardon my ignorance. Thanks for the help.
>
> - Kevin

From rmeggins at redhat.com Fri Jan 27 18:54:52 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 27 Jan 2006 11:54:52 -0700
Subject: [Fedora-directory-users] FDS and Apache
In-Reply-To: <1138161366.31697.80.camel@lin-workstation.azapple.com>
References: <43D6951A.3040401@redhat.com> <1138161366.31697.80.camel@lin-workstation.azapple.com>
Message-ID: <43DA6C7C.800@redhat.com>

http://directory.fedora.redhat.com/wiki/Howto:Apache

Thanks!

Craig White wrote:
> On Tue, 2006-01-24 at 13:59 -0700, Richard Megginson wrote:
>
> > Kevin Kovach wrote:
> >
> > > The HowTo for integration with Apache
> > > (http://directory.fedora.redhat.com/wiki/Howto:Apache) is currently
> > > blank. Can somebody advise on another source for information on
> > > getting some type of mod_authnz_ldap working between FDS and Apache?
> > > Thanks.
> >
> > Any information regarding how to point mod_authnz_ldap at any LDAP
> > server (e.g. openldap) would in general apply to FDS as well.
>
> ----
> fwiw...
> (RHEL 4 clone)
> # rpm -q httpd mod_authz_ldap
> httpd-2.0.52-22.ent.centos4
> mod_authz_ldap-0.26-2
>
> I have a directory /var/www/html/files
>
> I have /etc/httpd/conf.d/authz_ldap.conf
>
>     AuthzLDAPMethod ldap
>     AuthzLDAPProtocolVersion 3
>     AuthzLDAPServer localhost
>     AuthzLDAPUserBase ou=People,ou=Accounts,dc=example,dc=com
>     AuthzLDAPUserKey uid
>     AuthzLDAPUserScope onelevel
>     AuthType basic
>     AuthName "phpldapadmin"
>     require valid-user
>
> This requires a valid user (dn) login/userPassword
>
> I've not had success with groups but I haven't played with it much.
>
> Craig

From rmeggins at redhat.com Fri Jan 27 19:01:02 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 27 Jan 2006 12:01:02 -0700
Subject: [Fedora-directory-users] FDS console on Windows with SSL and self-signed certificates
In-Reply-To: <43D15F4A.2060605@praecogito.com>
References: <43D138D6.2070803@praecogito.com> <43D13B28.2090503@broadcom.com> <43D15F4A.2060605@praecogito.com>
Message-ID: <43DA6DEE.4020207@redhat.com>

Brian Rudy wrote:
> Thanks George,
>
> This is indeed the location of cert7.db and key3.db. I was able to get
> it working by importing the self-signed certificate with pk12util.
> (ex. pk12util -i servercert.pfx -d C:\Documents and Settings\\.mcc)
>
> This might be sufficiently useful for inclusion in the Wiki.

Added to http://directory.fedora.redhat.com/wiki/Howto:WindowsConsole#SSL

> George Holbert wrote:
>
> > Hi Brian,
> > When running the console on Unix, these files are created under
> > $HOME/.mcc.
> >
> > ls -l ~/.mcc
> > total 178
> > -rw-r--r--   1 root     other        226 Jan 12 14:27 Console.4.0.Login.preferences
> > -rw-------   1 root     other      65536 Aug 16 18:32 cert8.db
> > -rw-------   1 root     other      32768 Aug 16 18:32 key3.db
> > -rw-------   1 root     other      32768 Aug 16 18:32 secmod.db
> >
> > I'm not sure where this stuff would be created on Windows, but might
> > be under C:\Documents and Settings\\.mcc ? Just a guess.
> >
> > -- George
> >
> > Brian Rudy wrote:
> >
> > > Since I am using a self-signed certificate on the directory server,
> > > which would require installation on the client, this all appears to
> > > make sense. Now for the question: How does one install certificates
> > > on the client when using JSS/NSPR/NSS as shown in the Wiki? It looks
> > > like you would need to create your own cert7.db and key3.db with
> > > certutil, and import the Server-Cert, but I'm a bit confused as to
> > > where the .db files should be located, and what they should be named.
> > >
> > > Has anyone done this who wouldn't mind sharing?

From patrick at wudika.de Sun Jan 29 14:39:01 2006
From: patrick at wudika.de (Patrick von der Hagen)
Date: Sun, 29 Jan 2006 15:39:01 +0100
Subject: [Fedora-directory-users] enforce strong passwords
In-Reply-To: <43D003BC.2040604@redhat.com>
References: <43D003BC.2040604@redhat.com>
Message-ID: <43DCD385.80507@wudika.de>

Richard Megginson wrote:
> Jo De Troy wrote:
>
> > Hello,
> >
> > I was wondering if anyone was looking into enforcement of strong
> > passwords.
> > I'm not a hardcore C programmer but I'm willing to help. But first
> > I'll have to try in getting the current version compiled.
> > I'm certainly willing to do some testing.
>
> Funny you should mention that. We're looking at that issue right now.
> What sort of things would you want to check for?

It's a pity I haven't read this thread earlier, currently I'm lagging a bit behind...

For me it would be nice to allow/disallow certain characters in passwords. For example, we had a release of horde/imp which failed to cope with the "/"-character in passwords, so we disallowed that character, otherwise support was too busy answering questions like "why can I use every application but webmail?".

--
CU, Patrick.

From dshackel at arbor.edu Tue Jan 31 20:17:18 2006
From: dshackel at arbor.edu (Daniel Shackelford)
Date: Tue, 31 Jan 2006 15:17:18 -0500
Subject: [Fedora-directory-users] Hosed sync with AD
Message-ID: <43DFC5CE.1050909@arbor.edu>

Hello...

Earlier this month we had an issue with one of our domain controllers (Win2003) and took it down. It was the one the directory server was pointing to for synchronization. Ever since then, no sync has occurred and I am back to getting the -81 (Peer's Certificate issuer is not recognized.) I have checked the DC, and all looks well. We were merely moving the logs to another volume, so it should not have an effect on ldap connections.

I did some fiddling and at one point I removed the native java since I had installed the IBM version. Jessie depended on it, so that was removed as well. I have since gotten new certs and CA certs, and installed them, but still no luck on the connection. Certutil no longer worked, so I installed mozilla-nss, and now it does not work for other reasons: NSS_Initialize failed: An I/O error occurred during security authorization. All certificate management via the console seems to work fine...

So, my questions are:

Is there a way to get my ssl libraries so they line up with what FDS wants?

Was jessie even involved in this issue?

I already have all our data in this directory, so is there a way for me to get this thing syncing again without a wipe and reinstall?

If I delete the sync agreement, and create a new one, what happens on the first sync? Will it just pick up where it left off, or will it choke on all the objects that were a part of the previous sync agreement?

Will I have problems with my data since it has been over 10 days since the last sync?

--
Daniel Shackelford
Systems Administrator
Technology Services
Spring Arbor University
517 750-6648

"For even the Son of Man did not come to be served, but to serve, and to give His life a ransom for many" Mark 10:45

From david_list at boreham.org Tue Jan 31 20:27:50 2006
From: david_list at boreham.org (David Boreham)
Date: Tue, 31 Jan 2006 13:27:50 -0700
Subject: [Fedora-directory-users] Hosed sync with AD
In-Reply-To: <43DFC5CE.1050909@arbor.edu>
References: <43DFC5CE.1050909@arbor.edu>
Message-ID: <43DFC846.8000201@boreham.org>

> I already have all our data in this directory, so is there a way for
> me to get this thing syncing again without a wipe and reinstall?

Surely yes.

> If I delete the sync agreement, and create a new one, what happens on
> the first sync? Will it just pick up where it left off, or will it
> choke on all the objects that were a part of the previous sync
> agreement?

It should pick up: all the persisted state pertaining to Winsync in the FDS side comes from AD, and will have the same value after the creation of the new agreement as it did before.

> Will I have problems with my data since it has been over 10 days since
> the last sync?

No, not unless you have set the tombstone reap interval on your AD server to < 10 days. In that case you'd only lose deletes made on AD (FDS would probably re-create the entries in AD again).

From brett at elsmob.com Tue Jan 31 21:41:37 2006
From: brett at elsmob.com (Brett Elsmore)
Date: Tue, 31 Jan 2006 14:41:37 -0700
Subject: [Fedora-directory-users] Building RPMS on 64 Bit
Message-ID: <1138743697.31425.8.camel@bje-fc4.overstock.com>

FDUG,

Has anyone had success building rpm's on 64 bit ?
I am getting the following error -

Executing(%install): /bin/sh -e /var/tmp/rpm-tmp.38067
+ umask 022
+ cd /usr/src/redhat/BUILD
+ LANG=C
+ export LANG
+ unset DISPLAY
+ echo yes
+ echo yes
+ ./setup -b /usr/src/redhat/BUILD//opt/fedora-ds
/var/tmp/rpm-tmp.38067: line 30: ./setup: No such file or directory
error: Bad exit status from /var/tmp/rpm-tmp.38067 (%install)

When I look at the spec file, line 80 states -
(echo yes ; echo yes) | ./setup -b $RPM_BUILD_ROOT/%{prefix}

Thanks for any assistance.

From rmeggins at redhat.com Tue Jan 31 21:46:02 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 31 Jan 2006 14:46:02 -0700
Subject: [Fedora-directory-users] Building RPMS on 64 Bit
In-Reply-To: <1138743697.31425.8.camel@bje-fc4.overstock.com>
References: <1138743697.31425.8.camel@bje-fc4.overstock.com>
Message-ID: <43DFDA9A.8050701@redhat.com>

It doesn't yet work. We're working on it.

From rspencer at auspicecorp.com Tue Jan 31 22:45:45 2006
From: rspencer at auspicecorp.com (Roger Spencer)
Date: Tue, 31 Jan 2006 17:45:45 -0500
Subject: [Fedora-directory-users] automount (revisited)
Message-ID: <43DFE899.5000203@auspicecorp.com>

I dug the below out from the archive. Is there anything new on the subject?

I seem to have slammed head first into the subject. Got SUSE and RHEL 3 using nisObjects happily (apparently they'll support either model). Just configured a Solaris 10 box as a client and it wants automountMap. Even worse, Solaris 9 and 10 do automountMap, Solaris 8 does nisObjects. Fortunately, I have all three versions running. (Info on Solaris' automount: http://www.informit.com/articles/article.asp?p=31550&seqNum=4&rl=1 )

I tried loading the 10rfc2307bis.ldif (by replacing the 10rfc2307.ldif file) and slapd wouldn't restart.

Any idea to a) get the automountMap objects in the schema? b) possibly support both models?

    * From: Rich Megginson
    * To: "General discussion list for the Fedora Directory server project."
    * Subject: Re: [Fedora-directory-users] Re: automount
    * Date: Tue, 16 Aug 2005 09:01:40 -0600

There has been a lot of confusion around this issue (mostly on my part). I think one of the problems is that rfc2307 support from OS vendors is now deprecated in favor of rfc2307bis http://www.ietf.org/internet-drafts/draft-howard-rfc2307bis-01.txt, which is still in Internet Draft phase (and is due to expire very quickly). A new draft is being worked on with the goal of generating a new RFC. The bis draft has one problem with it, in that it requires the use of the authPassword attribute (defined in RFC 3112 http://www.ietf.org/rfc/rfc3112.txt). FDS does not support this (and neither does OpenLDAP AFAICT).

I have attached a file called 10rfc2307bis.ldif. This is the schema from the 2307bis I-D in FDS schema format.

The preferred way to map the automount information is to use the automount attributes and objectclasses in the RFC 2307bis draft schema. The problem is that I don't know all of the vendor support. So far I've been unable to find out what RHEL3 and RHEL4 support. I've been told that Solaris has support for the bis schema.

If you like, you can replace the 10rfc2307.ldif schema supplied with FDS with the attached file, and see what happens.

From brett at elsmob.com Tue Jan 31 22:45:55 2006
From: brett at elsmob.com (Brett Elsmore)
Date: Tue, 31 Jan 2006 15:45:55 -0700
Subject: [Fedora-directory-users] Building RPMS on 64 Bit
In-Reply-To: <43DFDA9A.8050701@redhat.com>
References: <1138743697.31425.8.camel@bje-fc4.overstock.com> <43DFDA9A.8050701@redhat.com>
Message-ID: <1138747555.31425.31.camel@bje-fc4.overstock.com>

Cool, thanks.

On Tue, 2006-01-31 at 14:46 -0700, Richard Megginson wrote:
> It doesn't yet work. We're working on it.

From rmeggins at redhat.com Tue Jan 31 22:50:11 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 31 Jan 2006 15:50:11 -0700
Subject: [Fedora-directory-users] automount (revisited)
In-Reply-To: <43DFE899.5000203@auspicecorp.com>
References: <43DFE899.5000203@auspicecorp.com>
Message-ID: <43DFE9A3.5090703@redhat.com>

Roger Spencer wrote:
> I dug the below out from the archive. Is there anything new on the
> subject?
>
> I seem to have slammed head first into the subject. Got SUSE and
> RHEL 3 using nisObjects happily (apparently they'll support either
> model). Just configured a Solaris 10 box as a client and it wants
> automountMap. Even worse, Solaris 9 and 10 do automountMap, Solaris 8
> does nisObjects. Fortunately, I have all three versions running.
> (Info on Solaris' automount:
> http://www.informit.com/articles/article.asp?p=31550&seqNum=4&rl=1 )
>
> I tried loading the 10rfc2307bis.ldif (by replacing the 10rfc2307.ldif
> file) and slapd wouldn't restart.

What errors did you see in the errors log?

> Any idea to a) get the automountMap objects in the schema? b)
> possibly support both models?
>
>     * From: Rich Megginson
>     * To: "General discussion list for the Fedora Directory server
>       project."
>     * Subject: Re: [Fedora-directory-users] Re: automount
>     * Date: Tue, 16 Aug 2005 09:01:40 -0600
>
> There has been a lot of confusion around this issue (mostly on my
> part).
> I think one of the problems is that rfc2307 support from OS
> vendors is now deprecated in favor of rfc2307bis
> http://www.ietf.org/internet-drafts/draft-howard-rfc2307bis-01.txt,
> which is still in Internet Draft phase (and is due to expire very
> quickly). A new draft is being worked on with the goal of generating a
> new RFC. The bis draft has one problem with it, in that it requires
> the use of the authPassword attribute (defined in RFC 3112
> http://www.ietf.org/rfc/rfc3112.txt). FDS does not support this (and
> neither does OpenLDAP AFAICT). I have attached a file called
> 10rfc2307bis.ldif. This is the schema from the 2307bis I-D in FDS
> schema format.
>
> The preferred way to map the automount information is to use the
> automount attributes and objectclasses in the RFC 2307bis draft
> schema. The problem is that I don't know all of the vendor support. So
> far I've been unable to find out what RHEL3 and RHEL4 support. I've
> been told that Solaris has support for the bis schema.
>
> If you like, you can replace the 10rfc2307.ldif schema supplied with
> FDS with the attached file, and see what happens.

From rspencer at auspicecorp.com Tue Jan 31 22:53:23 2006
From: rspencer at auspicecorp.com (Roger Spencer)
Date: Tue, 31 Jan 2006 17:53:23 -0500
Subject: [Fedora-directory-users] automount (revisited)
In-Reply-To: <43DFE9A3.5090703@redhat.com>
References: <43DFE899.5000203@auspicecorp.com> <43DFE9A3.5090703@redhat.com>
Message-ID: <43DFEA63.1020800@auspicecorp.com>

[31/Jan/2006:17:18:32 -0500] dse - The entry cn=schema in file /opt/fedora-ds/slapd-auspice/config/schema/63nisDomain.ldif is invalid, error code 20 (Type or value exists) - attribute type nisDomain: Does not match the OID "1.3.6.1.4.1.1.1.1.12". Another attribute type is already using the name or OID.

63nisDomain.ldif is (put in to support Solaris client):

dn: cn=schema
attributeTypes: ( 1.3.6.1.1.1.1.28 NAME 'nisPublickey' DESC 'nisPublickey' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.1.1.1.29 NAME 'nisSecretkey' DESC 'nisSecretkey' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.1.1.1.12 SUP name NAME 'nisDomain' DESC 'NIS domain' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 2.16.840.1.113730.3.1.30 NAME 'mgrpRFC822MailMember' DESC 'mgrpRFC822MailMember' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.42.2.27.1.1.12 NAME 'nisNetIdUser' DESC 'nisNetIdUser' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.42.2.27.1.1.13 NAME 'nisNetIdGroup' DESC 'nisNetIdGroup' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.42.2.27.1.1.14 NAME 'nisNetIdHost' DESC 'nisNetIdHost' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
objectClasses: ( 1.3.6.1.1.1.2.14 NAME 'NisKeyObject' DESC 'NisKeyObject' SUP top MUST ( cn $ nisPublickey $ nisSecretkey ) MAY ( uidNumber $ description ) )
objectClasses: ( 1.3.1.6.1.1.1.2.15 NAME 'nisDomainObject' DESC 'nisDomainObject' SUP top AUXILIARY MUST ( nisDomain ) )
objectClasses: ( 2.16.840.1.113730.3.2.4 NAME 'mailGroup' DESC 'mailGroup' SUP top MUST ( mail ) MAY ( cn $ mgrpRFC822MailMember ) )
objectClasses: ( 1.3.6.1.4.1.42.2.27.1.2.6 NAME 'nisNetId' DESC 'nisNetId' SUP top MUST ( cn ) MAY ( nisNetIdUser $ nisNetIdGroup $ nisNetIdHost ) )

Can I get away with removing the oid from one of the files? Not sure how touchy schema files are about where what is defined.

Richard Megginson wrote:
> Roger Spencer wrote:
>
> > I tried loading the 10rfc2307bis.ldif (by replacing the
> > 10rfc2307.ldif file) and slapd wouldn't restart.
>
> What errors did you see in the errors log?
URL: From rmeggins at redhat.com Tue Jan 31 22:59:04 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Tue, 31 Jan 2006 15:59:04 -0700 Subject: [Fedora-directory-users] automount (revisited) In-Reply-To: <43DFEA63.1020800@auspicecorp.com> References: <43DFE899.5000203@auspicecorp.com> <43DFE9A3.5090703@redhat.com> <43DFEA63.1020800@auspicecorp.com> Message-ID: <43DFEBB8.7050205@redhat.com> What other attribute type or objectclass is using OID 1.3.6.1.4.1.1.1.1.12? Roger Spencer wrote: > [31/Jan/2006:17:18:32 -0500] dse - The entry cn=schema in file > /opt/fedora-ds/slapd-auspice/config/schema/63nisDomain.ldif is > invalid, error code 20 (Type or value exists) - attribute type > nisDomain: Does not match the OID "1.3.6.1.4.1.1.1.1.12". Another > attribute type is already using the name or OID. > > 63nisDomain.ldif is (put in to support Solaris client): > dn: cn=schema > attributeTypes: ( 1.3.6.1.1.1.1.28 NAME 'nisPublickey' DESC > 'nisPublickey' EQUALITY caseIgnoreIA5Match SYNTAX > 1.3.6.1.4.1.1466.115.121.1.26 ) > attributeTypes: ( 1.3.6.1.1.1.1.29 NAME 'nisSecretkey' DESC > 'nisSecretkey' EQUALITY caseIgnoreIA5Match SYNTAX > 1.3.6.1.4.1.1466.115.121.1.26 ) > attributeTypes: ( 1.3.6.1.4.1.1.1.1.12 SUP name NAME 'nisDomain' DESC > 'NIS domain' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) > attributeTypes: ( 2.16.840.1.113730.3.1.30 NAME 'mgrpRFC822MailMember' > DESC 'mgrpRFC822MailMember' EQUALITY caseIgnoreIA5Match SYNTAX > 1.3.6.1.4.1.1466.115.121.1.26 ) > attributeTypes: ( 1.3.6.1.4.1.42.2.27.1.1.12 NAME 'nisNetIdUser' DESC > 'nisNetIdUser' EQUALITY caseExactIA5Match SYNTAX > 1.3.6.1.4.1.1466.115.121.1.26 ) > attributeTypes: ( 1.3.6.1.4.1.42.2.27.1.1.13 NAME 'nisNetIdGroup' DESC > 'nisNetIdGroup' EQUALITY caseExactIA5Match SYNTAX > 1.3.6.1.4.1.1466.115.121.1.26 ) > attributeTypes: ( 1.3.6.1.4.1.42.2.27.1.1.14 NAME 'nisNetIdHost' DESC > 'nisNetIdHost' EQUALITY caseExactIA5Match SYNTAX > 1.3.6.1.4.1.1466.115.121.1.26 ) > objectClasses: ( 1.3.6.1.1.1.2.14 NAME 
'NisKeyObject' DESC > 'NisKeyObject' SUP top MUST ( cn $ nisPublickey $ nisSecretkey ) MAY ( > uidNumber $ description ) ) > objectClasses: ( 1.3.1.6.1.1.1.2.15 NAME 'nisDomainObject' DESC > 'nisDomainObject' SUP top AUXILIARY MUST ( nisDomain ) ) > objectClasses: ( 2.16.840.1.113730.3.2.4 NAME 'mailGroup' DESC > 'mailGroup' SUP top MUST ( mail ) MAY ( cn $ mgrpRFC822MailMember ) ) > objectClasses: ( 1.3.6.1.4.1.42.2.27.1.2.6 NAME 'nisNetId' DESC > 'nisNetId' SUP top MUST ( cn ) MAY ( nisNetIdUser $ nisNetIdGroup $ > nisNetIdHost ) ) > ~ > > Can I get away with removing the oid from one of the files? Not sure > how touchy schema files are about where what is defined. > > > > Richard Megginson wrote: > >> Roger Spencer wrote: >> >>> I dug the below out from the archive. Is there anything new on the >>> subject? >>> >>> I've seemed to have slammed head first into the subject. Got SUSE >>> and RHEL 3 using nisObjects happily (apparently they'll support >>> either model). Just configured a Solaris 10 box as a client and it >>> wants automountMap. Even worse, Solaris 9 and 10 do automountMap, >>> Solaris 8 does nisObjects. Fortunately, I have all three versions >>> running. (Info on Solaris' automount: >>> http://www.informit.com/articles/article.asp?p=31550&seqNum=4&rl=1 ) >>> >>> I tried loading the 10rfc2307bis.ldif (by replacing the >>> 10rfc2307.ldif file) and slapd wouldn't restart. >> >> >> What errors did you see in the errors log? >> >>> >>> Any idea to a) get the automountMap objects in the schema? b) >>> possibly support both models? >>> >>> * /From/: Rich Megginson >>> * /To/: "General discussion list for the Fedora Directory server >>> project." >>> * /Subject/: Re: [Fedora-directory-users] Re: automount >>> * /Date/: Tue, 16 Aug 2005 09:01:40 -0600 >>> >>> ------------------------------------------------------------------------ >>> >>> There has been a lot of confusion around this issue (mostly on my >>> part). 
I think one of the problems is that rfc2307 support from OS >>> vendors is now deprecated in favor of rfc2307bis >>> http://www.ietf.org/internet-drafts/draft-howard-rfc2307bis-01.txt, >>> which is still in Internet Draft phase (and is due to expire very >>> quickly). A new draft is being worked on with the goal of generating >>> a new RFC. The bis draft has one problem with it, in that it >>> requires the use of the authPassword attribute (defined in RFC 3112 >>> http://www.ietf.org/rfc/rfc3112.txt). FDS does not support this (and >>> neither does OpenLDAP AFAICT). I have attached a file called >>> 10rfc2307bis.ldif. This is the schema from the 2307bis I-D in FDS >>> schema format. >>> >>> The preferred way to map the automount information is to use the >>> automount attributes and objectclasses in the RFC 2307bis draft >>> schema. The problem is that I don't know all of the vendor support. >>> So far I've been unable to find out what RHEL3 and RHEL4 support. >>> I've been told that Solaris has support for the bis schema. >>> >>> If you like, you can replace the 10rfc2307.ldif schema supplied with >>> FDS with the attached file, and see what happens. >>> >>> >>> ------------------------------------------------------------------------ >>> >>> >>> -- >>> Fedora-directory-users mailing list >>> Fedora-directory-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> >>> >>------------------------------------------------------------------------ >> >>-- >>Fedora-directory-users mailing list >>Fedora-directory-users at redhat.com >>https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> >------------------------------------------------------------------------ > >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From rspencer at auspicecorp.com Tue Jan 31 23:04:43 2006 From: rspencer at auspicecorp.com (Roger Spencer) Date: Tue, 31 Jan 2006 18:04:43 -0500 Subject: [Fedora-directory-users] automount (revisited) In-Reply-To: <43DFEBB8.7050205@redhat.com> References: <43DFE899.5000203@auspicecorp.com> <43DFE9A3.5090703@redhat.com> <43DFEA63.1020800@auspicecorp.com> <43DFEBB8.7050205@redhat.com> Message-ID: <43DFED0B.9080401@auspicecorp.com> None. Look's like both ldif files define nisDomain with a different oid. 10rfc2307bis.ldif - attributetypes: ( 1.3.6.1.1.1.1.30 NAME 'nisDomain' DESC 'NIS domain' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} ) 63nisDomain.ldif - attributeTypes: ( 1.3.6.1.4.1.1.1.1.12 SUP name NAME 'nisDomain' DESC 'NIS domain' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) Richard Megginson wrote: > What other attribute type or objectclass is using OID > 1.3.6.1.4.1.1.1.1.12? > > Roger Spencer wrote: > >> [31/Jan/2006:17:18:32 -0500] dse - The entry cn=schema in file >> /opt/fedora-ds/slapd-auspice/config/schema/63nisDomain.ldif is >> invalid, error code 20 (Type or value exists) - attribute type >> nisDomain: Does not match the OID "1.3.6.1.4.1.1.1.1.12". Another >> attribute type is already using the name or OID. 
>> >> 63nisDomain.ldif is (put in to support Solaris client): >> dn: cn=schema >> attributeTypes: ( 1.3.6.1.1.1.1.28 NAME 'nisPublickey' DESC >> 'nisPublickey' EQUALITY caseIgnoreIA5Match SYNTAX >> 1.3.6.1.4.1.1466.115.121.1.26 ) >> attributeTypes: ( 1.3.6.1.1.1.1.29 NAME 'nisSecretkey' DESC >> 'nisSecretkey' EQUALITY caseIgnoreIA5Match SYNTAX >> 1.3.6.1.4.1.1466.115.121.1.26 ) >> attributeTypes: ( 1.3.6.1.4.1.1.1.1.12 SUP name NAME 'nisDomain' DESC >> 'NIS domain' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) >> attributeTypes: ( 2.16.840.1.113730.3.1.30 NAME >> 'mgrpRFC822MailMember' DESC 'mgrpRFC822MailMember' EQUALITY >> caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) >> attributeTypes: ( 1.3.6.1.4.1.42.2.27.1.1.12 NAME 'nisNetIdUser' DESC >> 'nisNetIdUser' EQUALITY caseExactIA5Match SYNTAX >> 1.3.6.1.4.1.1466.115.121.1.26 ) >> attributeTypes: ( 1.3.6.1.4.1.42.2.27.1.1.13 NAME 'nisNetIdGroup' >> DESC 'nisNetIdGroup' EQUALITY caseExactIA5Match SYNTAX >> 1.3.6.1.4.1.1466.115.121.1.26 ) >> attributeTypes: ( 1.3.6.1.4.1.42.2.27.1.1.14 NAME 'nisNetIdHost' DESC >> 'nisNetIdHost' EQUALITY caseExactIA5Match SYNTAX >> 1.3.6.1.4.1.1466.115.121.1.26 ) >> objectClasses: ( 1.3.6.1.1.1.2.14 NAME 'NisKeyObject' DESC >> 'NisKeyObject' SUP top MUST ( cn $ nisPublickey $ nisSecretkey ) MAY >> ( uidNumber $ description ) ) >> objectClasses: ( 1.3.1.6.1.1.1.2.15 NAME 'nisDomainObject' DESC >> 'nisDomainObject' SUP top AUXILIARY MUST ( nisDomain ) ) >> objectClasses: ( 2.16.840.1.113730.3.2.4 NAME 'mailGroup' DESC >> 'mailGroup' SUP top MUST ( mail ) MAY ( cn $ mgrpRFC822MailMember ) ) >> objectClasses: ( 1.3.6.1.4.1.42.2.27.1.2.6 NAME 'nisNetId' DESC >> 'nisNetId' SUP top MUST ( cn ) MAY ( nisNetIdUser $ nisNetIdGroup $ >> nisNetIdHost ) ) >> ~ >> >> Can I get away with removing the oid from one of the files? Not sure >> how touchy schema files are about where what is defined. 
>> >> >> >> Richard Megginson wrote: >> >>> Roger Spencer wrote: >>> >>>> I dug the below out from the archive. Is there anything new on the >>>> subject? >>>> >>>> I've seemed to have slammed head first into the subject. Got SUSE >>>> and RHEL 3 using nisObjects happily (apparently they'll support >>>> either model). Just configured a Solaris 10 box as a client and it >>>> wants automountMap. Even worse, Solaris 9 and 10 do automountMap, >>>> Solaris 8 does nisObjects. Fortunately, I have all three versions >>>> running. (Info on Solaris' automount: >>>> http://www.informit.com/articles/article.asp?p=31550&seqNum=4&rl=1 ) >>>> >>>> I tried loading the 10rfc2307bis.ldif (by replacing the >>>> 10rfc2307.ldif file) and slapd wouldn't restart. >>> >>> >>> What errors did you see in the errors log? >>> >>>> >>>> Any idea to a) get the automountMap objects in the schema? b) >>>> possibly support both models? >>>> >>>> * /From/: Rich Megginson >>>> * /To/: "General discussion list for the Fedora Directory server >>>> project." >>>> * /Subject/: Re: [Fedora-directory-users] Re: automount >>>> * /Date/: Tue, 16 Aug 2005 09:01:40 -0600 >>>> >>>> ------------------------------------------------------------------------ >>>> >>>> There has been a lot of confusion around this issue (mostly on my >>>> part). I think one of the problems is that rfc2307 support from OS >>>> vendors is now deprecated in favor of rfc2307bis >>>> http://www.ietf.org/internet-drafts/draft-howard-rfc2307bis-01.txt, >>>> which is still in Internet Draft phase (and is due to expire very >>>> quickly). A new draft is being worked on with the goal of >>>> generating a new RFC. The bis draft has one problem with it, in >>>> that it requires the use of the authPassword attribute (defined in >>>> RFC 3112 http://www.ietf.org/rfc/rfc3112.txt). FDS does not support >>>> this (and neither does OpenLDAP AFAICT). I have attached a file >>>> called 10rfc2307bis.ldif. 
This is the schema from the 2307bis I-D >>>> in FDS schema format. >>>> >>>> The preferred way to map the automount information is to use the >>>> automount attributes and objectclasses in the RFC 2307bis draft >>>> schema. The problem is that I don't know all of the vendor support. >>>> So far I've been unable to find out what RHEL3 and RHEL4 support. >>>> I've been told that Solaris has support for the bis schema. >>>> >>>> If you like, you can replace the 10rfc2307.ldif schema supplied >>>> with FDS with the attached file, and see what happens. >>>> >>>> >>>> ------------------------------------------------------------------------ >>>> >>>> >>>> -- >>>> Fedora-directory-users mailing list >>>> Fedora-directory-users at redhat.com >>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>> >>>> >>> ------------------------------------------------------------------------ >>> >>> >>> -- >>> Fedora-directory-users mailing list >>> Fedora-directory-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> >>> >> ------------------------------------------------------------------------ >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From prowley at redhat.com Tue Jan 31 23:29:19 2006 From: prowley at redhat.com (Pete Rowley) Date: Tue, 31 Jan 2006 15:29:19 -0800 Subject: [Fedora-directory-users] automount (revisited) In-Reply-To: <43DFED0B.9080401@auspicecorp.com> References: <43DFE899.5000203@auspicecorp.com> <43DFE9A3.5090703@redhat.com> <43DFEA63.1020800@auspicecorp.com> <43DFEBB8.7050205@redhat.com> <43DFED0B.9080401@auspicecorp.com> Message-ID: <43DFF2CF.40604@redhat.com> Roger Spencer wrote: > None. Look's like both ldif files define nisDomain with a different oid. > > 10rfc2307bis.ldif - attributetypes: ( 1.3.6.1.1.1.1.30 NAME > 'nisDomain' DESC 'NIS domain' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} ) > > 63nisDomain.ldif - attributeTypes: ( 1.3.6.1.4.1.1.1.1.12 SUP name > NAME 'nisDomain' DESC 'NIS domain' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) > Well that's nasty. One of those nisDomain attribute types has to go - I would take out the one from 63nisdomain.ldif and see if your applications still work - they probably will since the vast majority of applications never look at schema and simply assume that the attribute type they reference by name is the type they believe it to be. They have the same syntax so no issue there. -- Pete -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3241 bytes Desc: S/MIME Cryptographic Signature URL:
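The collision in this thread only surfaced because slapd refused to start and reported the first clash it met. As an added example (not code from the thread or from Fedora DS), the script below cross-checks FDS-style schema LDIF files for a NAME bound to more than one OID, or an OID bound to more than one NAME, so every clash is listed before a restart; the two file excerpts are constructed from the definitions quoted above plus an assumed rfc2307bis nisPublicKey/nisDomainObject pair, and it assumes one definition per line (no LDIF folding).

```python
"""Cross-check FDS schema LDIF files for NAME/OID collisions before restarting slapd."""
import re
from collections import defaultdict

# Constructed excerpts (not the full files) of the two schema files in the thread.
# The nisPublicKey and nisDomainObject lines in the bis excerpt are assumed.
SCHEMA_FILES = {
    "10rfc2307bis.ldif": """\
dn: cn=schema
attributetypes: ( 1.3.6.1.1.1.1.30 NAME 'nisDomain' DESC 'NIS domain' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
attributetypes: ( 1.3.6.1.1.1.1.28 NAME 'nisPublicKey' DESC 'NIS public key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
objectclasses: ( 1.3.6.1.1.1.2.15 NAME 'nisDomainObject' SUP top AUXILIARY MUST nisDomain )
""",
    "63nisDomain.ldif": """\
dn: cn=schema
attributeTypes: ( 1.3.6.1.1.1.1.28 NAME 'nisPublickey' DESC 'nisPublickey' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.1.1.1.12 SUP name NAME 'nisDomain' DESC 'NIS domain' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
objectClasses: ( 1.3.1.6.1.1.1.2.15 NAME 'nisDomainObject' DESC 'nisDomainObject' SUP top AUXILIARY MUST ( nisDomain ) )
""",
}

# "attributeTypes: ( <oid> ... )" / "objectClasses: ( <oid> ... )", any case.
DEF_RE = re.compile(r"^(attributetypes|objectclasses):\s*\(\s*(\S+)\s+(.*)\)\s*$", re.I)
# NAME 'single' or NAME ( 'alias1' 'alias2' )
NAME_RE = re.compile(r"\bNAME\s+(?:'([^']+)'|\(([^)]*)\))")

def parse_schema(text):
    """Yield (kind, oid, [names]) per definition; kind is 'attr' or 'oc'."""
    for line in text.splitlines():
        m = DEF_RE.match(line)
        if not m:
            continue  # dn:, blank lines, anything that is not a definition
        kind = "attr" if m.group(1).lower() == "attributetypes" else "oc"
        nm = NAME_RE.search(m.group(3))
        if nm is None:
            names = []
        elif nm.group(1) is not None:
            names = [nm.group(1)]
        else:
            names = nm.group(2).replace("'", "").split()
        yield kind, m.group(2), names

def find_conflicts(files):
    """Return sorted conflict strings (names lower-cased, as LDAP compares them).
    Only NAME/OID bindings are checked; differing SYNTAX or EQUALITY for the
    same name (nisPublickey vs nisPublicKey above) is not flagged here."""
    by_name = defaultdict(set)  # (kind, name) -> {(oid, file)}
    by_oid = defaultdict(set)   # (kind, oid)  -> {(name, file)}
    for fname, text in files.items():
        for kind, oid, names in parse_schema(text):
            for n in names:
                by_name[(kind, n.lower())].add((oid, fname))
                by_oid[(kind, oid)].add((n.lower(), fname))
    conflicts = []
    for (kind, name), uses in by_name.items():
        if len({oid for oid, _ in uses}) > 1:
            where = ", ".join(f"{oid} in {f}" for oid, f in sorted(uses))
            conflicts.append(f"{kind} NAME '{name}' has several OIDs: {where}")
    for (kind, oid), uses in by_oid.items():
        if len({n for n, _ in uses}) > 1:
            where = ", ".join(f"'{n}' in {f}" for n, f in sorted(uses))
            conflicts.append(f"{kind} OID {oid} has several names: {where}")
    return sorted(conflicts)

if __name__ == "__main__":
    for c in find_conflicts(SCHEMA_FILES):
        print(c)
```

Run against the two excerpts it reports both the nisDomain clash from the error log and the nisDomainObject objectclass clash that slapd had not yet reached.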