From oscar.valdez at duraflex-politex.com Sat Jul 1 18:04:41 2006
From: oscar.valdez at duraflex-politex.com (Oscar A. Valdez)
Date: Sat, 01 Jul 2006 12:04:41 -0600
Subject: [Fedora-directory-users] New filesystem layout for directory server and admin server files
In-Reply-To: <44A582A9.7090902@redhat.com>
References: <44A582A9.7090902@redhat.com>
Message-ID: <1151777082.2115.8.camel@wzowski.duraflex-politex.com>

On Fri, 30-06-2006 at 13:59 -0600, Richard Megginson wrote:
> In order to be more linux friendly, we are currently considering
> changing the layout from having everything under /opt/fedora-ds to
> putting files in their FHS specific paths. The details are here -
> http://directory.fedora.redhat.com/wiki/FHS_Packaging
>
> I've heard some pretty strong opinions for both moving to this and
> sticking to the current packaging model. I'd like to open this debate
> up to the wider audience.

1) FHS packaging will make life easier for system administrators.
2) In general, standards are "a good thing" (the FHS certainly is).

I vote for FHS packaging.

--
Oscar A. Valdez

From ABliss at preferredcare.org Sat Jul 1 19:57:11 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Sat, 1 Jul 2006 15:57:11 -0400
Subject: [Fedora-directory-users] New filesystem layout for directory server and admin server files
Message-ID:

We are currently using fds in production without any issues at all; at first, management was a little skeptical about using software so critical to production systems without the comfort of a support contract, but after working out the pre-implementation bugs, the reliability of the application speaks for itself; I can honestly say that having all files in /opt/fedora-ds makes doing full backups, restores and disaster recovery testing very straightforward; I simply shut down slapd and the admin server, tar up the directory, and start up slapd and the admin server; very quick to do, no muss or fuss; taking fds out of its own directory would make my life much more difficult (as far as backups and DR testing are concerned); so from my point of view, if I had a vote, I would say that if it's not broke, then don't fix it :)

Aaron

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of mj at sci.fi
Sent: Friday, June 30, 2006 5:04 PM
To: General discussion list for the Fedora Directory server project.; miranda at syndetic.org
Subject: Re: [Fedora-directory-users] New filesystem layout for directory server and admin server files

Michael Chang wrote:
>
> You could always make a separate, FHS-specific package available and see
> what people think. If the votes are high enough in support of the new
> layout then you could make a permanent switch.

The problem here is assuming that FDS updates will eventually be pushed into RHDS.
Judging by a good portion of the traffic on this list, a good majority of the FDS users are still learning how to use an LDAP server, so they likely don't understand or care enough to have an opinion about file layout or why it matters in a package as large and complex as this one.

OTOH, the RHDS package is used for critical infrastructure in banks, military, telecoms, etc. By the time those users notice the change and its ramifications, it will be too late for them to have their vote (other than with their feet).

--
mike

--
Fedora-directory-users mailing list
Fedora-directory-users at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users

Confidentiality Notice:
The information contained in this electronic message is intended for the exclusive use of the individual or entity named above and may contain privileged or confidential information. If the reader of this message is not the intended recipient or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that dissemination, distribution or copying of this information is prohibited. If you have received this communication in error, please notify the sender immediately by telephone and destroy the copies you received.

From minfrin at sharp.fm Sun Jul 2 10:11:18 2006
From: minfrin at sharp.fm (Graham Leggett)
Date: Sun, 02 Jul 2006 12:11:18 +0200
Subject: [Fedora-directory-users] New filesystem layout for directory server and admin server files
In-Reply-To: <10015237.223521151698443200.JavaMail.mj@sci.fi>
References: <10015237.223521151698443200.JavaMail.mj@sci.fi>
Message-ID: <44A79BC6.4020209@sharp.fm>

mj at sci.fi wrote:

> One of the biggest strengths of this software is that it is completely
> self-contained, which allows much simpler troubleshooting, research and
> development of administration tools, and testing multiple versions. It
> is easier to see if a file is missing or has the wrong permissions, and
> fix it. It is easier to backup and restore. I could go on and on. When
> an entire network depends on the LDAP infrastructure, these type of
> things really matter.

This is an argument for compiling critical binaries statically by default (something I wish Redhat would do with RPM, so that upgrading isn't such a mission), but as to the filesystem layout, having a non-FHS package on the system means I must partition my system differently just for FDS, which isn't ideal.

I think it would be ideal to include the option for supporting both standalone and FHS, to keep everyone happy.

Regards,
Graham

From pkime at Shopzilla.com Sun Jul 2 23:19:43 2006
From: pkime at Shopzilla.com (Philip Kime)
Date: Sun, 2 Jul 2006 16:19:43 -0700
Subject: [Fedora-directory-users] How to change the Configuration Directory location?
Message-ID: <58B1112F0EEB7349AE14A0AA46F9CEC00284BBC2@szexchange.Shopzilla.inc>

I have a FDS 1.0.2 and I'd like to change the configuration directory location to another server (currently, it's the same server). The admin server has a tab for this and says it's possible but you must (obviously) migrate the config data first. For this, it says to "see the DS docs" - I can't find any information on this - is it a simple LDIF export/import?

PK

--
Philip Kime

From jsummers at bachman.cs.ou.edu Mon Jul 3 03:17:55 2006
From: jsummers at bachman.cs.ou.edu (Jim Summers)
Date: Sun, 02 Jul 2006 22:17:55 -0500
Subject: [Fedora-directory-users] New filesystem layout for directory server and admin server files
In-Reply-To:
References:
Message-ID: <44A88C63.8020008@cs.ou.edu>

I second the motion here. Having the directory server contained in one directory makes things much more straightforward and easy to verify.
Which is a great help for such a critical service as the directory server provides.

Thanks

Bliss, Aaron wrote:
> We are currently using fds in production without any issues at all; at
> first, management was a little skeptical about using software so
> critical to production systems without the comfort of a support
> contract, but after working out the pre-implementation bugs, the
> reliability of the application speaks for itself; I can honestly say
> that having all files in /opt/fedora-ds makes doing full backups,
> restores and disaster recovery testing very straight forward; I simply
> shutdown slapd and the admin server, tar up the directory, and startup
> slapd and the admin server; very quick to do, no muss or fuss; taking
> fds out of its own directory would make my life much more difficult (as
> far as backups, and dr testing are concerned); so from my point of view,
> if I had a vote, I would say that if it's not broke, then don't fix it
> :)
>
> Aaron
>
> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com
> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of
> mj at sci.fi
> Sent: Friday, June 30, 2006 5:04 PM
> To: General discussion list for the Fedora Directory server project.;
> miranda at syndetic.org
> Subject: Re: [Fedora-directory-users] New filesystem layout for
> directory server and admin server files
>
> Michael Chang wrote:
>>
>> You could always make a separate, FHS-specific package available and
> see
>> what people think. If the votes are high enough in support of the new
>> layout then you could make a permanent switch.
>
> The problem here is assuming that FDS updates will eventually be pushed
> into RHDS.
>
> Judging by a good portion of the traffic on this list, a good majority
> of the FDS users are still learning how to use an LDAP server, so they
> likely don't understand or care enough to have an opinion about file
> layout or why it matters in a package as large and complex as this one.
>
> OTOH, the RHDS package is used for critical infrastructure in banks,
> military, telecoms, etc. By the time those users notice the change and
> its ramifications, it will be too late for them to have their vote
> (other than with their feet).
>
> --
> mike
--
Jim Summers
School of Computer Science-University of Oklahoma
-------------------------------------------------

From Dirk.Kastens at uni-osnabrueck.de Mon Jul 3 06:29:21 2006
From: Dirk.Kastens at uni-osnabrueck.de (Dirk Kastens)
Date: Mon, 03 Jul 2006 08:29:21 +0200
Subject: [Fedora-directory-users] New filesystem layout for directory server and admin server files
In-Reply-To: <44A582A9.7090902@redhat.com>
References: <44A582A9.7090902@redhat.com>
Message-ID: <44A8B941.3090607@uni-osnabrueck.de>

Richard Megginson wrote:
> In order to be more linux friendly, we are currently considering
> changing the layout from having everything under /opt/fedora-ds to
> putting files in their FHS specific paths. The details are here -
> http://directory.fedora.redhat.com/wiki/FHS_Packaging

I would leave it as it is. The IBM Directory Server, for example, also uses its own directory structure under /opt/IBM/ldap and creates symbolic links from the FHS directories to the ldap directories. As others have mentioned, it's much easier to backup the software and to find errors etc.

Best wishes,

Dirk Kastens
Universitaet Osnabrueck, Rechenzentrum (Computer Center)
Albrechtstr. 28, 49069 Osnabrueck, Germany
Tel.: +49-541-969-2347, FAX: -2470

From Andrey.Ivanov at polytechnique.fr Mon Jul 3 08:32:54 2006
From: Andrey.Ivanov at polytechnique.fr (Andrey Ivanov)
Date: Mon, 3 Jul 2006 10:32:54 +0200
Subject: [Fedora-directory-users] ldapadd with Kerberos
Message-ID: <1881697363.20060703103254@polytechnique.edu>

Hi,

There is something I can't explain concerning the interaction of ldapadd & ldapsearch (from openldap) with FDS while using kerberos. Here is what i do:

1. kinit User.Name ...

2. Verification with klist - ok, i have the kerberos ticket

3. Verification with ldapsearch works without any problem, giving all the necessary infos:

   ldapsearch -Y GSSAPI 'sn=toto*'
   SASL/GSSAPI authentication started
   SASL username: User.Name at KRB-FDS
   SASL SSF: 56
   SASL installing layers
   # extended LDIF
   #
   # LDAPv3
   # base <> with scope sub
   # filter: sn=aic*
   # requesting: userPassword
   .... infos ...

4. The problem appears when i try to use ldapadd/ldapmodify with some ldif files (apparently, these files should be larger than some critical value to produce the error). Here is an example of such an ldif, test.ldif:

   dn: cn=Gilles Martin,ou=CMLS,ou=Laboratoires,o=Some Organization,dc=fds-example,dc=domain,dc=com
   givenName: Gilles
   sn: Martin
   telephoneNumber: 00 00
   loginShell: /bin/bash
   departmentNumber: LAB CMLS
   physicalDeliveryOfficeName: 402:10-02
   uidNumber: 3090
   gidNumber: 3000
   mail: gilles.martin at some-organization.domain.com
   displayName: Gilles Martin (M.)
   uid: Gilles.Martin
   objectClass: top
   objectClass: person
   objectClass: organizationalPerson
   objectClass: inetorgperson
   objectClass: posixAccount
   gecos: Gilles Martin,LAB CMLS ,PERSONNEL DE RECHERCHE
   cn: Gilles Martin
   title: PERSONNEL DE RECHERCHE
   homeDirectory: /home/CMLS/Gilles.Martin
   userPassword: {clear}Gilles.Martin

When i try to add this entry using ldapadd or ldapmodify with kerberos:

   [root at workstation ~]# ldapadd -Y GSSAPI -v -f test.ldif -H ldap://fds-example.domain.com
   ldap_initialize( ldap://fds-example.domain.com )
   SASL/GSSAPI authentication started
   SASL username: User.Name at KRB-FDS
   SASL SSF: 56
   SASL installing layers
   add givenName: Gilles
   add sn: Martin
   add telephoneNumber: 00 00
   add loginShell: /bin/bash
   add departmentNumber: LAB CMLS
   add physicalDeliveryOfficeName: 402:10-02
   add uidNumber: 3090
   add gidNumber: 3000
   add mail: gilles.martin at some-organization.domain.com
   add displayName: Gilles Martin (M.)
   add uid: Gilles.Martin
   add objectClass: top person organizationalPerson inetorgperson posixAccount
   add gecos: Gilles Martin,LAB CMLS ,PERSONNEL DE RECHERCHE
   add cn: Gilles Martin
   add title: PERSONNEL DE RECHERCHE
   add homeDirectory: /home/CMLS/Gilles.Martin
   add userPassword: {clear}Gilles.Martin
   adding new entry "cn=Gilles Martin,ou=CMLS,ou=Laboratoires,o=Some Organization,dc=fds-example,dc=domain,dc=com"
   modify complete
   ldap_add: Protocol error (2)
           additional info: decoding error

5. Adding the same entry using simple authentication (plain text or SSL/TLS) is possible without any problem. The only way of using kerberos and ldapadd/ldapmodify is adding the option "-O maxssf=0":

   ldapadd -Y GSSAPI -O maxssf=0 -v -f test.ldif -H ldap://fds-example.domain.com

With this command line, the ldapadd adds the entry with success. Can someone explain to me why ldapsearch works without problem and ldapadd needs an additional option (this option forbids the double encryption kerberos+ssl if i understand correctly)?

Thank you!

Andrey Ivanov
tel +33-(0)1-69-33-99-24
fax +33-(0)1-69-33-99-55
Direction des Systemes d'Information
Ecole Polytechnique
91128 Palaiseau CEDEX France

From hariharan at lantana.tenet.res.in Mon Jul 3 12:40:52 2006
From: hariharan at lantana.tenet.res.in (Hariharan R)
Date: Mon, 3 Jul 2006 18:10:52 +0530 (IST)
Subject: [Fedora-directory-users] Retrieving User Password From Fedora Directory Server
Message-ID:

Dear all,

I am using FDS 7.2 on FC3 for my development. I am storing userprofile along with user password to the FDS database (BDB). When i look the user profile in console i seen that the password value has been encrypted. Fine. If i do 'ldapsearch', it doesn't return the 'userpassword' attribute and its value.

How can i get the userPassword attribute and its value using LDAP search command? Is there any way to convert the encrypted password to plain text?

I am in an urgent need, so please any one guide me.

Thanks in advance.
---
Regards,
Hariharan.R

From hariharan at lantana.tenet.res.in Mon Jul 3 12:44:13 2006
From: hariharan at lantana.tenet.res.in (Hariharan R)
Date: Mon, 3 Jul 2006 18:14:13 +0530 (IST)
Subject: [Fedora-directory-users] Migrating /etc/passwd file to FDS database
Message-ID:

Dear all,

I need to migrate all the users in /etc/passwd file to FDS7.2 database. Is there any script that comes along with FDS to achieve that? I looked into /opt/fedora-ds/bin/slapd/admin/bin/ directory; will any file in that folder do the above?

Pls guide me.

---
Regards,
Hariharan.R

From rmeggins at redhat.com Mon Jul 3 12:47:40 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 03 Jul 2006 06:47:40 -0600
Subject: [Fedora-directory-users] Migrating /etc/passwd file to FDS database
In-Reply-To:
References:
Message-ID: <44A911EC.6030604@redhat.com>

Hariharan R wrote:
> Dear all,
> I need to migrate all the users in/etc/passwd file to FDS7.2 database.
> Is there is any script comes along with FDS to achieve that.

http://directory.fedora.redhat.com/wiki/Howto:MigrateToLDAP

> I looked into /opt/fedora-ds/bin/slapd/admin/bin/ directory, any file
> in that folder will do the above.
>
> Pls guide me.
>
> ---
> Regards,
> Hariharan.R

From felipe.alfaro at gmail.com Mon Jul 3 12:46:06 2006
From: felipe.alfaro at gmail.com (Felipe Alfaro Solana)
Date: Mon, 3 Jul 2006 14:46:06 +0200
Subject: [Fedora-directory-users] Retrieving User Password From Fedora Directory Server
In-Reply-To:
References:
Message-ID: <6f6293f10607030546y738b66d5t99e4aee0c277a3f8@mail.gmail.com>

> I am using FDS 7.2 on FC3 for my development. I am storing userprofile
> along with user password to the FDS database (BDB). When i look the user
> profile in console i seen that the password value has been encrypted.
> Fine. If i do 'ldapsearch' , it doesn't returns the 'userpassword'
> attribute and its value.
> How i can get the userPassword attribute and it's value using LDAP
> search command. Is there is any way to convert the encrypted password to
> plain text one.

You can't... when you set/change the password, it's processed by a hashing function and the result value is stored in the userPassword attribute. You can, however, disable that kind of processing and store the passwords in clear-text (which I would recommend against since it's a security hole) by using the console to configure the password-hashing mechanism and setting it to none.

From felipe.alfaro at gmail.com Mon Jul 3 12:47:23 2006
From: felipe.alfaro at gmail.com (Felipe Alfaro Solana)
Date: Mon, 3 Jul 2006 14:47:23 +0200
Subject: [Fedora-directory-users] Migrating /etc/passwd file to FDS database
In-Reply-To:
References:
Message-ID: <6f6293f10607030547v1b0eed5y5e05f79e8aca1947@mail.gmail.com>

> I need to migrate all the users in/etc/passwd file to FDS7.2 database.
> Is there is any script comes along with FDS to achieve that.
> I looked into /opt/fedora-ds/bin/slapd/admin/bin/ directory, any file in
> that folder will do the above.

What about http://www.padl.com/OSS/MigrationTools.html?
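An added example, written for this archive rather than taken from the thread, from Fedora DS or from padl's MigrationTools, that covers both of Hariharan's questions above. It turns constructed /etc/passwd and /etc/shadow lines into posixAccount LDIF, carrying existing crypt(3) hashes over as {CRYPT} values so nobody has to reset a password, and it shows what the server actually keeps for userPassword under the {SSHA} scheme and why that value cannot be turned back into the plaintext. The sample accounts, the ou=People,dc=example,dc=com base, the account/posixAccount/shadowAccount objectClass choice and the UID 500 cutoff are assumptions, not values from the list.

```python
"""Added example, not code from the list thread, from Fedora DS or from padl's
MigrationTools. Builds posixAccount LDIF from /etc/passwd + /etc/shadow and shows how
userPassword is stored as a salted one-way hash ({SSHA}) that has no inverse.
All sample data below is constructed; base DN and UID cutoff are assumptions."""
import base64
import hashlib
import os

# Constructed sample input, not taken from any real system.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
gmartin:x:3090:3000:Gilles Martin,LAB CMLS:/home/CMLS/gmartin:/bin/bash
jdoe:x:3091:3000:Jane Doe:/home/jdoe:/bin/sh
"""
SAMPLE_SHADOW = """\
root:$6$saltsalt$abcdefghijklmnopqrstuvwxyz:13330:0:99999:7:::
gmartin:$1$xyz$0123456789abcdefghijkl:13330:0:99999:7:::
jdoe:!:13330:0:99999:7:::
"""
MIN_UID = 500  # assumption: skip system accounts below this, as migration tools usually do


def parse_passwd(text):
    """Return one dict per /etc/passwd line (7 colon-separated fields)."""
    users = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, gecos, home, shell = line.split(":", 6)
        users.append({"uid": name, "uidNumber": int(uid), "gidNumber": int(gid),
                      "gecos": gecos, "homeDirectory": home, "loginShell": shell})
    return users


def parse_shadow(text):
    """Map login name -> crypt(3) hash string from /etc/shadow ('!' or '*' means locked)."""
    hashes = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        hashes[fields[0]] = fields[1]
    return hashes


def ssha_hash(password, salt=None):
    """Encode a password the way the SSHA storage scheme does: {SSHA}base64(sha1(pw+salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_password(stored, candidate):
    """Check a candidate against a stored {SSHA} value. The only thing anyone can do with
    the hash is recompute it with the same salt and compare; there is no way back."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("unsupported scheme")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, rest is salt
    return hashlib.sha1(candidate.encode() + salt).digest() == digest


def ldif_value(attr, value):
    """LDIF needs base64 ('::') for values with a leading space/colon/'<', a trailing space,
    or non-ASCII bytes; everything else goes out as 'attr: value'."""
    s = str(value)
    if s and (s[0] in " :<" or s.endswith(" ") or not s.isascii()):
        return f"{attr}:: {base64.b64encode(s.encode()).decode()}"
    return f"{attr}: {s}"


def passwd_to_ldif(passwd_text, shadow_text, people_dn="ou=People,dc=example,dc=com", min_uid=MIN_UID):
    """Emit one LDIF entry per user with uidNumber >= min_uid. A real crypt(3) hash is carried
    over as a {CRYPT} userPassword so the user keeps the same password; locked accounts get none."""
    hashes = parse_shadow(shadow_text)
    entries = []
    for u in parse_passwd(passwd_text):
        if u["uidNumber"] < min_uid:
            continue
        cn = u["gecos"].split(",")[0] or u["uid"]   # first GECOS field is the full name
        lines = [f"dn: uid={u['uid']},{people_dn}",
                 "objectClass: top", "objectClass: account",
                 "objectClass: posixAccount", "objectClass: shadowAccount",
                 ldif_value("uid", u["uid"]),
                 ldif_value("cn", cn),
                 ldif_value("uidNumber", u["uidNumber"]),
                 ldif_value("gidNumber", u["gidNumber"]),
                 ldif_value("homeDirectory", u["homeDirectory"]),
                 ldif_value("loginShell", u["loginShell"])]
        if u["gecos"]:
            lines.append(ldif_value("gecos", u["gecos"]))
        h = hashes.get(u["uid"], "")
        if h and h[0] not in "!*":                   # skip locked/disabled markers
            lines.append(ldif_value("userPassword", "{CRYPT}" + h))
        entries.append("\n".join(lines))
    return "\n\n".join(entries) + "\n"


if __name__ == "__main__":
    print(passwd_to_ldif(SAMPLE_PASSWD, SAMPLE_SHADOW))
    h = ssha_hash("Gilles.Martin")
    print(h, verify_password(h, "Gilles.Martin"), verify_password(h, "wrong"))
```

Feed the LDIF to ldapadd (or to ldif2db on a stopped server) as Directory Manager; the {CRYPT} prefix tells the server the value is already a crypt(3) hash, so existing passwords keep working. On the password question: what the server stores for a freshly set password under {SSHA} is sha1(password + salt) plus the salt, so the only operation it can perform is the recompute-and-compare that verify_password does. Whether ldapsearch returns userPassword at all is a separate matter decided by the ACIs (the default anonymous-access ACI in Fedora DS excludes that attribute), and a bind that is allowed to read it still sees only the hash.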
From rmeggins at redhat.com Mon Jul 3 13:20:31 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 03 Jul 2006 07:20:31 -0600
Subject: [Fedora-directory-users] New filesystem layout for directory server and admin server files
In-Reply-To: <44A79BC6.4020209@sharp.fm>
References: <10015237.223521151698443200.JavaMail.mj@sci.fi> <44A79BC6.4020209@sharp.fm>
Message-ID: <44A9199F.8040106@redhat.com>

Graham Leggett wrote:
> mj at sci.fi wrote:
>
>> One of the biggest strengths of this software is that it is
>> completely self-contained, which allows much simpler troubleshooting,
>> research and development of administration tools, and testing
>> multiple versions. It is easier to see if a file is missing or has
>> the wrong permissions, and fix it. It is easier to backup and
>> restore. I could go on and on. When an entire network depends on the
>> LDAP infrastructure, these type of things really matter.
>
> This is an argument for compiling critical binaries statically by
> default (something I wish Redhat would do with RPM, so that upgrading
> isn't such a mission), but as to the filesystem layout, having a non
> FHS package on the system means I must partition my system differently
> just for FDS, which isn't ideal.

Meaning you have to make /opt bigger, or on its own (large) partition. Note that a large FDS deployment will usually have to do a custom disk partition, in order to have the database files on a separate physical disk than the database transaction logs. For a small deployment, it may not matter.

So are you saying that in a typical FHS deployment, the /var partition is by far the largest, and is on a separate partition than /? If not, then it doesn't make any difference - /opt is just as "bad" as /var.

> I think it would be ideal to include the option for supporting both
> standalone and FHS, to keep everyone happy.

We will most likely not go the route of having two separate packages, one /opt layout and one FHS layout. This is just too much work to have to QA two packages for every OS/platform combination. It's also a lot of work for our documentation - it would either make the documentation really confusing by having to specify two different paths for everything, or create a lot more work by having two different doc sets.

It seems the leading contender so far is to use the FHS layout for the "real" files, and have the /opt layout be mostly symlinks to files/directories in the FHS style layout.

Another option would be to allow the installer to specify the prefix. This is really frowned upon in RPM-land, but it may make sense for Fedora DS. You would get the FHS style layout by default, but you could specify /opt/fedora-ds as the prefix, in which case you get the FHS style layout underneath /opt/fedora-ds.

> Regards,
> Graham

From kevin.mccarthy at teligent.co.uk Mon Jul 3 13:35:11 2006
From: kevin.mccarthy at teligent.co.uk (Kevin McCarthy)
Date: Mon, 3 Jul 2006 14:35:11 +0100
Subject: [Fedora-directory-users] Fedora DS 1.0.2 Multiple Master SSL replication: empty bind DN...
In-Reply-To: <20060630160007.1C9257321F@hormel.redhat.com>
Message-ID: <00a301c69ea5$82303e30$eb90a8c0@teligent.org>

Thanks again Richard,

My attempt to determine why the bind DN remains as "" has still not located the cause - though I guess that is due to this being my first usage and I have merely missed the obvious!

> To ensure that you are doing client cert auth, you can examine the access
> log on the replication consumer - look for the connection and BIND from
> the supplier.
> If you're not sure what you're looking at, just post the
> relevant excerpts here.

I can see from the bind result that the initial "dn" is still the required "cn=nema2,ou=EDS,o=teligent,dc=co,c=uk", but the BIND dn remains as "", with the method as "sasl"?

Consumer Access log file extract:

[03/Jul/2006:10:24:11 +0100] conn=11 fd=67 slot=67 SSL connection from 192.168.27.15 to 192.168.144.61
[03/Jul/2006:10:24:11 +0100] conn=11 SSL 256-bit AES; client CN=nema2,OU=EDS,O=teligent,DC=co,C=uk; issuer CN=CAcertnema2
[03/Jul/2006:10:24:11 +0100] conn=11 SSL client bound as cn=nema2,ou=EDS,o=teligent,dc=co,c=uk
[03/Jul/2006:10:24:11 +0100] conn=11 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
[03/Jul/2006:10:24:11 +0100] conn=11 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=nema2,ou=EDS,o=teligent,dc=co,c=uk"
[03/Jul/2006:10:24:11 +0100] conn=11 op=1 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension"
[03/Jul/2006:10:24:11 +0100] conn=11 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[03/Jul/2006:10:24:11 +0100] conn=11 op=2 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension"
[03/Jul/2006:10:24:11 +0100] conn=11 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[03/Jul/2006:10:24:11 +0100] conn=11 op=3 EXT oid="2.16.840.1.113730.3.5.3" name="Netscape Replication Start Session"
[03/Jul/2006:10:24:11 +0100] conn=11 op=3 RESULT err=0 tag=120 nentries=0 etime=0
[03/Jul/2006:10:24:12 +0100] conn=11 op=4 EXT oid="2.16.840.1.113730.3.5.3" name="Netscape Replication Start Session"
[03/Jul/2006:10:24:12 +0100] conn=11 op=4 RESULT err=0 tag=120 nentries=0 etime=0
[03/Jul/2006:10:24:15 +0100] conn=11 op=5 EXT oid="2.16.840.1.113730.3.5.3" name="Netscape Replication Start Session"
[03/Jul/2006:10:24:15 +0100] conn=11 op=5 RESULT err=0 tag=120 nentries=0 etime=0
[03/Jul/2006:10:24:19 +0100] conn=11 op=6 EXT oid="2.16.840.1.113730.3.5.3" name="Netscape Replication Start Session"
[03/Jul/2006:10:24:19 +0100] conn=11 op=6 RESULT err=0 tag=120 nentries=0 etime=0
[03/Jul/2006:10:24:28 +0100] conn=11 op=8 EXT oid="2.16.840.1.113730.3.5.3" name="Netscape Replication Start Session"
[03/Jul/2006:10:24:28 +0100] conn=11 op=8 RESULT err=0 tag=120 nentries=0 etime=0
[03/Jul/2006:10:24:34 +0100] conn=10 op=4 UNBIND
[03/Jul/2006:10:24:34 +0100] conn=10 op=4 fd=64 closed - U1
[03/Jul/2006:10:24:46 +0100] conn=11 op=10 EXT oid="2.16.840.1.113730.3.5.3" name="Netscape Replication Start Session"
[03/Jul/2006:10:24:46 +0100] conn=11 op=10 RESULT err=0 tag=120 nentries=0 etime=0
[03/Jul/2006:10:25:08 +0100] conn=11 op=12 UNBIND
[03/Jul/2006:10:25:08 +0100] conn=11 op=12 fd=67 closed - U1

Consumer Error log file extract:

[03/Jul/2006:10:24:11 +0100] NSMMReplicationPlugin - conn=11 op=3 replica="ou=EDS,o=teligent,dc=co,c=uk": Unable to acquire replica: error: permission denied
[03/Jul/2006:10:24:12 +0100] NSMMReplicationPlugin - conn=11 op=4 replica="ou=EDS,o=teligent,dc=co,c=uk": Unable to acquire replica: error: permission denied
[03/Jul/2006:10:24:15 +0100] NSMMReplicationPlugin - conn=11 op=5 replica="ou=EDS,o=teligent,dc=co,c=uk": Unable to acquire replica: error: permission denied
[03/Jul/2006:10:24:19 +0100] NSMMReplicationPlugin - conn=11 op=6 replica="ou=EDS,o=teligent,dc=co,c=uk": Unable to acquire replica: error: permission denied
[03/Jul/2006:10:24:28 +0100] NSMMReplicationPlugin - conn=11 op=8 replica="ou=EDS,o=teligent,dc=co,c=uk": Unable to acquire replica: error: permission denied
[03/Jul/2006:10:24:46 +0100] NSMMReplicationPlugin - conn=11 op=10 replica="ou=EDS,o=teligent,dc=co,c=uk": Unable to acquire replica: error: permission denied
[03/Jul/2006:10:24:50 +0100] NSMMReplicationPlugin - agmt="cn=EDS from Server 1" (nema2:636): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.
Regards and thanks again,

Kevin

From: Richard Megginson
Subject: Re: [Fedora-directory-users] Fedora DS 1.0.2 Multiple Master SSL replication: empty bind DN...
To: "General discussion list for the Fedora Directory server project."
Message-ID: <44A51838.4040409 at redhat.com>
Content-Type: text/plain; charset="windows-1252"

Kevin McCarthy wrote:
>
> Richard, thank you for your response!
>
> hopefully whatever configuration mistake I made to cause a NULL bind
> DN will soon come to light
>
> > Dear List Members,
> > >
> > > Release: *fedora-ds-1.0.2-1.RHEL3.i386.opt.rpm*
> > >
> > > A typical replication error log entry now follows (seen repeatedly at
> > > both fedora DS servers):
> > >
> > > [28/Jun/2006:18:29:21 +0100] NSMMReplicationPlugin - agmt="cn=EDS from
> > > server 2" (ukstatlap:636): Unable to acquire replica: permission
> > > denied. The *bind dn ""* does not have permission to supply
> > > replication updates to the replica. Will retry later.
> > >
> > > Believe me, I have been investigating this one for 2 or 3 days now
> > > (having just switched from OpenLDAP, since multiple master replication
> > > is required) before sending this submission, just in case I missed a
> > > configuration item or work-around, but unfortunately no luck (so far).
> > >
> > > The only reference I can find for SSL Client Authentication based
> > > Multiple Master replication (2 Linux RHEL 3 servers being used) that
> > > supplies empty DNs, is the Windows specific entry (whose work-around I
> > > tried anyway, but without success):
> > >
> > > Unable to acquire replica: permission denied. The bind dn "" does not
> > > have permission to supply replication updates to the replica. Will
> > > retry later.
> > > To workaround the problem, after you modify and save the replication
> > > schedule of an agreement, refresh the console, reconfigure the
> > > connection settings (to SSL client authentication) for the agreement,
> > > and save your changes.
> > >
> > > http://www.redhat.com/docs/manuals/dir-server/release-notes/ds611relnotes.html
> > >
> > > The mutual _Current Supplier DNs_ are indeed set (cn=Replication
> > > Manager,cn=replication,cn=config) and the corresponding directory
> > > entries do exist.
> > >
> > > The respective server certificates and CA certificates are installed,
> > > with Subject DN entries loaded.
> > >
> What are the SubjectDNs in the server certificates?
>
> > CN=<servername>,OU=EDS,O=teligent,DC=co,C=uk
> >
> > where <servername> is the respective server name of the replicating
> > servers e.g. nema2 rather than a full domain name.
>
> I think this is ok, as long as your DNS (/etc/resolv.conf) configuration can resolve nema2.
>
> > The following will hopefully also be relevant:
> >
> > 1) The tree being replicated is OU=EDS,O=Teligent,DC=co,C=uk i.e.
> > the Subject DN is within the replicated tree.
> >
> > 2) certutil was used to generate the server and CA certificates.
> > Surprisingly (to me at least) the CA certificate was then listed in
> > the "Server Certs" panel on the Directory Server Manage Certificates
> > panel.
> >
> > 3) I loaded the ascii version of the other servers CA Certificate
> > directly into the CA Certs panel.
> >
> > 4) All CA certificates have both the accept and make connection trusts
> > ticked.
> >
> > > I do _not_ have Legacy Consumer enabled.
> > >
> You don't need it.
>
> > > CertMapping is also defined (though with a NULL DN being supplied, I
> > > guess that will not be kicking in just yet, though there are entries
> > > for the exact subject DN anyway.)
> > >
> You might want to post your certmap.conf and see here -
> http://directory.fedora.redhat.com/wiki/Howto:CertMapping
>
> > I must admit that since the Bind DN was NULL I had not realized that
> > certmapping would actually take effect.
>
> If you are using client cert based auth (and not just username/password auth with SSL) then certmapping will be used.
> To ensure that you are doing client cert auth, you can examine the access log on the replication consumer - look for the connection and BIND from the supplier. If you're not sure what you're looking at, just post the relevant excerpts here.

...log file extract at the head.

> > I ensured that the exact subject DN of the server certificates
> > corresponded to an actual directory entry (with the respective
> > servers user certificate loaded), which I had thought would be
> > matched without the need for a certmap configuration via the original
> > default option, but I tried one anyway
> >
> > certmap nema ou=EDS,o=teligent,dc=co,c=uk
>
> I think this DN should correspond to the issuerDN (i.e. the subjectDN of your CA cert). But I don't think it's used for cert mapping.
>
> > nema:FilterComps cn
>
> This means you must have one and only one entry called cn=nema2, ....., o=teligent,dc=co,c=uk somewhere in your tree.

...indeed, just the one.

> > nema:verifycert off
> > certmap default default
> >
> > indeed one server still runs with the default certmap configuration
> > to see if it made any difference, but both servers receive a NULL bind
> > DN.
>
> This leads me to believe it is not doing client cert auth. Also check the errors log for your supplier and consumer.

...extracts at the head.

> > > When using simple authentication, with or without SSL, all is well
> > > (although replication did require both servers to Initialize the
> > > Consumer, I thought that only one was required e.g. ID 1 initializing
> > > ID 2, but ID 2 then needed to initialize ID 1 before successful 2-way
> > > replication was achieved).
> > >
> That's odd. You should only need to initialize once one way.
> > indeed, but I guess that it can not do any harm, as the secondary > server will not actually need to supply any further updates back to > the primary server and it does at least make the mutual replication > work for me  until the certificates took their toll From lesmikesell at gmail.com Mon Jul 3 13:49:10 2006 From: lesmikesell at gmail.com (Les Mikesell) Date: Mon, 03 Jul 2006 08:49:10 -0500 Subject: [Fedora-directory-users] New filesystem layout for directory server and admin server files In-Reply-To: <44A9199F.8040106@redhat.com> References: <10015237.223521151698443200.JavaMail.mj@sci.fi> <44A79BC6.4020209@sharp.fm> <44A9199F.8040106@redhat.com> Message-ID: <1151934549.15495.6.camel@les-home.futuresource.com> On Mon, 2006-07-03 at 08:20, Richard Megginson wrote: > So are you saying that in a typical FHS deployment, the /var partition > is by far the largest, and is on a separate partition than /? If not, > then it doesn't make any difference - /opt is just as "bad" as /var. If you didn't plan out what you were going to deploy on the machine in question there isn't much reason to expect extra space to be sitting around in one place more than any other. That is, if you do have /var on a separate partition, you probably planned the size for what you already have there. And it's probably easier to add /opt as a separate partition than to move /var in a typical RH layout. > We will most likely not go the route of having two separate packages, > one /opt layout and one FHS layout. Moving locations is always traumatic. Personally I like stand-alone packages that aren't going to be installed on every machine you have to live under /opt, but if it is ever going to move, do it soon to minimize the number of people who will be affected by already having it installed in the wrong place. 
--
Les Mikesell
lesmikesell at gmail.com

From david_list at boreham.org Mon Jul 3 13:49:49 2006
From: david_list at boreham.org (David Boreham)
Date: Mon, 03 Jul 2006 07:49:49 -0600
Subject: [Fedora-directory-users] New filesystem layout for directory server and admin server files
In-Reply-To: <44A9199F.8040106@redhat.com>
References: <10015237.223521151698443200.JavaMail.mj@sci.fi> <44A79BC6.4020209@sharp.fm> <44A9199F.8040106@redhat.com>
Message-ID: <44A9207D.9010802@boreham.org>

Is all this partitioning stuff still being done? I thought it had gone away
once Linux acquired decent filesystem capabilities. I've installed probably
100 systems in the past few years, all with one big partition for all the
/var /usr /tmp etc trees. If I want separate physical disks, I just call
them /home2 /home3 or whatever and point the applications at those paths.
I can't remember the last time I configured a system with separate
filesystems for /opt and /var

Recent Fedora Core releases default to one big partition using LVM.

Am I smoking crack?

From rmeggins at redhat.com Mon Jul 3 14:26:12 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 03 Jul 2006 08:26:12 -0600
Subject: [Fedora-directory-users] Fedora DS 1.0.2 Multiple Master SSL replication: empty bind DN...
In-Reply-To: <00a301c69ea5$82303e30$eb90a8c0@teligent.org>
References: <00a301c69ea5$82303e30$eb90a8c0@teligent.org>
Message-ID: <44A92904.9070006@redhat.com>

Kevin McCarthy wrote:
> Thanks again Richard,
>
> My attempt to determine why the bind DN remains as "" has still not located
> the cause - though I guess that is due to this being my first usage and I
> have merely missed the obvious!
>
>> To ensure that you are doing client cert auth, you can examine the access
>> log on the replication consumer - look for the connection and BIND from
>> the supplier. If you're not sure what you're looking at, just post the
>> relevant excerpts here.
>>
>
> I can see from the bind result that the initial "dn" is still the required:
>
> "cn=nema2,ou=EDS,o=teligent,dc=co,c=uk"
>
> ..but the BIND dn remains as "", with the method as "sasl"?
>
Actually, the method is SASL/EXTERNAL, which means the BIND identity comes
from somewhere else (in this case, the certificate). So, dn="" is ignored
since it is obtained from the certificate.

> Consumer Access log file extract:
>
> [03/Jul/2006:10:24:11 +0100] conn=11 fd=67 slot=67 SSL connection from
> 192.168.27.15 to 192.168.144.61
>
> [03/Jul/2006:10:24:11 +0100] conn=11 SSL 256-bit AES; client
> CN=nema2,OU=EDS,O=teligent,DC=co,C=uk; issuer CN=CAcertnema2
>
> [03/Jul/2006:10:24:11 +0100] conn=11 SSL client bound as
> cn=nema2,ou=EDS,o=teligent,dc=co,c=uk
>
> [03/Jul/2006:10:24:11 +0100] conn=11 op=0 BIND dn="" method=sasl version=3
> mech=EXTERNAL
>
All of this means that you are definitely doing client cert auth. You say
that the entry cn=nema2,ou=EDS,o=teligent,dc=co,c=uk exists on both servers
(and cn=nema1 or cn=nema also)? And you have this DN listed in the supplier
DN in the replica configuration? If so, then it could be that replication
does not allow you to specify a supplier DN that lives in the replicated
area. What we usually recommend is that you create a replication pseudo
user in the configuration naming context e.g.

dn: cn=repluser, cn=config
objectclass: person
sn: repluser
cn: repluser
userPassword: password

Then configure cert mapping to map the subjectDN in the cert to this user.
To make certmapping work, you may have to name the replication pseudo user
something like cn=nema or cn=nema2 so you can use the attributes in the
cert subjectDN to map to the pseudo user. Then you will need to have the
pseudo user DN as the supplier DN in the replica configuration.

> [03/Jul/2006:10:24:11 +0100] conn=11 op=0 RESULT err=0 tag=97 nentries=0
> etime=0 dn="cn=nema2,ou=EDS,o=teligent,dc=co,c=uk"
>
> [03/Jul/2006:10:24:11 +0100] conn=11 op=1 SRCH base="" scope=0
> filter="(objectClass=*)" attrs="supportedControl supportedExtension"
> [03/Jul/2006:10:24:11 +0100] conn=11 op=1 RESULT err=0 tag=101 nentries=1
> etime=0
> [03/Jul/2006:10:24:11 +0100] conn=11 op=2 SRCH base="" scope=0
> filter="(objectClass=*)" attrs="supportedControl supportedExtension"
> [03/Jul/2006:10:24:11 +0100] conn=11 op=2 RESULT err=0 tag=101 nentries=1
> etime=0
> [03/Jul/2006:10:24:11 +0100] conn=11 op=3 EXT oid="2.16.840.1.113730.3.5.3"
> name="Netscape Replication Start Session"
> [03/Jul/2006:10:24:11 +0100] conn=11 op=3 RESULT err=0 tag=120 nentries=0
> etime=0
> [03/Jul/2006:10:24:12 +0100] conn=11 op=4 EXT oid="2.16.840.1.113730.3.5.3"
> name="Netscape Replication Start Session"
> [03/Jul/2006:10:24:12 +0100] conn=11 op=4 RESULT err=0 tag=120 nentries=0
> etime=0
> [03/Jul/2006:10:24:15 +0100] conn=11 op=5 EXT oid="2.16.840.1.113730.3.5.3"
> name="Netscape Replication Start Session"
> [03/Jul/2006:10:24:15 +0100] conn=11 op=5 RESULT err=0 tag=120 nentries=0
> etime=0
> [03/Jul/2006:10:24:19 +0100] conn=11 op=6 EXT oid="2.16.840.1.113730.3.5.3"
> name="Netscape Replication Start Session"
> [03/Jul/2006:10:24:19 +0100] conn=11 op=6 RESULT err=0 tag=120 nentries=0
> etime=0
> [03/Jul/2006:10:24:28 +0100] conn=11 op=8 EXT oid="2.16.840.1.113730.3.5.3"
> name="Netscape Replication Start Session"
> [03/Jul/2006:10:24:28 +0100] conn=11 op=8 RESULT err=0 tag=120 nentries=0
> etime=0
> [03/Jul/2006:10:24:34 +0100] conn=10 op=4 UNBIND
> [03/Jul/2006:10:24:34 +0100] conn=10 op=4 fd=64 closed - U1
> [03/Jul/2006:10:24:46 +0100] conn=11 op=10 EXT oid="2.16.840.1.113730.3.5.3"
> name="Netscape Replication Start Session"
> [03/Jul/2006:10:24:46 +0100] conn=11 op=10 RESULT err=0 tag=120 nentries=0
> etime=0
> [03/Jul/2006:10:25:08 +0100] conn=11 op=12 UNBIND
> [03/Jul/2006:10:25:08 +0100] conn=11 op=12 fd=67 closed - U1
>
> Consumer Error log file extract:
>
> [03/Jul/2006:10:24:11 +0100] NSMMReplicationPlugin - conn=11 op=3
> replica="ou=EDS,o=teligent,dc=co,c=uk": Unable to acquire replica: error:
> permission denied
> [03/Jul/2006:10:24:12 +0100] NSMMReplicationPlugin - conn=11 op=4
> replica="ou=EDS,o=teligent,dc=co,c=uk": Unable to acquire replica: error:
> permission denied
> [03/Jul/2006:10:24:15 +0100] NSMMReplicationPlugin - conn=11 op=5
> replica="ou=EDS,o=teligent,dc=co,c=uk": Unable to acquire replica: error:
> permission denied
> [03/Jul/2006:10:24:19 +0100] NSMMReplicationPlugin - conn=11 op=6
> replica="ou=EDS,o=teligent,dc=co,c=uk": Unable to acquire replica: error:
> permission denied
> [03/Jul/2006:10:24:28 +0100] NSMMReplicationPlugin - conn=11 op=8
> replica="ou=EDS,o=teligent,dc=co,c=uk": Unable to acquire replica: error:
> permission denied
> [03/Jul/2006:10:24:46 +0100] NSMMReplicationPlugin - conn=11 op=10
> replica="ou=EDS,o=teligent,dc=co,c=uk": Unable to acquire replica: error:
> permission denied
> [03/Jul/2006:10:24:50 +0100] NSMMReplicationPlugin - agmt="cn=EDS from
> Server 1" (nema2:636): Unable to acquire replica: permission denied. The
> bind dn "" does not have permission to supply replication updates to the
> replica. Will retry later.
>
>
> Regards and thanks again,
> Kevin
>
> From: Richard Megginson
> Subject: Re: [Fedora-directory-users] Fedora DS 1.0.2 Multiple Master
> SSL replication: empty bind DN...
> To: "General discussion list for the Fedora Directory server project."
> Message-ID: <44A51838.4040409 at redhat.com>
> Content-Type: text/plain; charset="windows-1252"
>
> Kevin McCarthy wrote:
>
>> Richard, thank you for your response!
>>
>> hopefully whatever configuration mistake I made to cause a NULL bind
>> DN will soon come to light
>>
>>> Dear List Members,
>>>
>>> Release: *fedora-ds-1.0.2-1.RHEL3.i386.opt.rpm*
>>>
>>> A typical replication error log entry now follows (seen repeatedly at
>>> both fedora DS servers):
>>>
>>> [28/Jun/2006:18:29:21 +0100] NSMMReplicationPlugin - agmt="cn=EDS from
>>> server 2" (ukstatlap:636): Unable to acquire replica: permission
>>> denied. The *bind dn ""* does not have permission to supply
>>> replication updates to the replica. Will retry later.
>>>
>>> Believe me, I have been investigating this one for 2 or 3 days now
>>> (having just switched from OpenLDAP, since multiple master replication
>>> is required) before sending this submission, just in case I missed a
>>> configuration item or work-around, but unfortunately no luck (so far).
>>>
>>> The only reference I can find for SSL Client Authentication based
>>> Multiple Master replication (2 Linux RHEL 3 servers being used) that
>>> supplies empty DNs, is the Windows specific entry (whose work-around I
>>> tried anyway, but without success)_
>>>
>>> Unable to acquire replica: permission denied. The bind dn "" does not
>>> have permission to supply replication updates to the replica. Will
>>> retry later.
>>>
>>> To workaround the problem, after you modify and save the replication
>>> schedule of an agreement, refresh the console, reconfigure the
>>> connection settings (to SSL client authentication) for the agreement,
>>> and save your changes.
>>>
>>> http://www.redhat.com/docs/manuals/dir-server/release-notes/ds611relnotes.html
>>>
>>> The mutual _Current Supplier DNs_ are indeed set (cn=Replication
>>> Manager,cn=replication,cn=config) and the corresponding directory
>>> entries do exist.
>>>
>>> The respective server certificates and CA certificates are installed,
>>> with Subject DN entries loaded.
>>>
>> What are the SubjectDNs in the server certificates?
>>
>> CN=,OU=EDS,O=teligent,DC=co,C=uk
>>
>> where  is the respective server name of the replicating
>> servers e.g. nema2 rather than a full domain name.
>>
> I think this is ok, as long as your DNS (/etc/resolv.conf) configuration
> can resolve nema2.
>
>> The following will hopefully also be relevant:
>>
>> 1) The tree being replicated is OU=EDS,O=Teligent,DC=co,C=uk i.e.
>> the Subject DN is within the replicated tree.
>>
>> 2) certutil was used to generate the server and CA certificates.
>> Surprisingly (to me at least) the CA certificate was then listed in
>> the "Server Certs" panel on the Directory Server Manage Certificates
>> panel.
>>
>> 3) I loaded the ascii version of the other server's CA Certificate
>> directly into the CA Certs panel.
>>
>> 4) All CA certificates have both the accept and make connection trusts
>> ticked.
>>
>>> I do _not_ have Legacy Consumer enabled.
>>>
>> You don't need it.
>>
>>> CertMapping is also defined (though with a NULL DN being supplied, I
>>> guess that will not be kicking in just yet, though there are entries
>>> for the exact subject DN anyway.)
>>>
>> You might want to post your certmap.conf and see here -
>> http://directory.fedora.redhat.com/wiki/Howto:CertMapping
>>
>> I must admit that since the Bind DN was NULL I had not realized that
>> certmapping would actually take effect.
>>
> If you are using client cert based auth (and not just username/password
> auth with SSL) then certmapping will be used. To ensure that you are
> doing client cert auth, you can examine the access log on the
> replication consumer - look for the connection and BIND from the
> supplier. If you're not sure what you're looking at, just post the
> relevant excerpts here.
>
> ...log file extract at the head.
>
>> I ensured that the exact subject DN of the server certificates
>> corresponded to an actual directory entry (with the respective
>> server's user certificate loaded), which I had thought would be
>> matched without the need for a certmap configuration via the original
>> default option, but I tried one anyway
>>
>> certmap nema ou=EDS,o=teligent,dc=co,c=uk
>>
> I think this DN should correspond to the issuerDN (i.e. the subjectDN of
> your CA cert). But I don't think it's used for cert mapping.
>
>> nema:FilterComps cn
>>
> This means you must have one and only one entry called cn=nema2, .....,
> o=teligent,dc=co,c=uk somewhere in your tree.
>
> ...indeed, just the one.
>
>> nema:verifycert off
>>
>> certmap default default
>>
>> indeed one server still runs with the default certmap configuration
>> to see if it made any difference, but both servers receive a NULL bind
>> DN .
>>
> This leads me to believe it is not doing client cert auth. Also check
> the errors log for your supplier and consumer.
>
> ...extracts at the head.
>
>>> When using simple authentication, with or without SSL, all is well
>>> (although replication did require both servers to Initialize the
>>> Consumer, I thought that only one was required e.g. ID 1 initializing
>>> ID 2, but ID 2 then needed to initialize ID 1 before successful 2-way
>>> replication was achieved).
>>>
>> That's odd. You should only need to initialize once one way.
>>
>> indeed, but I guess that it can not do any harm, as the secondary
>> server will not actually need to supply any further updates back to
>> the primary server and it does at least make the mutual replication
>> work for me until the certificates took their toll
>>
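The diagnosis Richard walks through above, as an added example that is not code from the thread or from Fedora DS: a script that reads a consumer's access and errors logs, recognises the SASL/EXTERNAL bind (dn="" with the identity taken from the certificate), and flags a bound DN that lies inside the replicated suffix, pointing at the cn=config pseudo-user fix he recommends. The log lines are constructed after the posted extracts; conn=12 and its `method=128` simple bind are assumptions added for contrast.

```python
"""Check an FDS replication consumer's access and errors logs for the
client-cert (SASL/EXTERNAL) supplier bind pattern discussed in the thread.

Added example, not code from the thread or from Fedora DS. Log lines are
constructed after the excerpts Kevin posted; conn=12 is an invented
simple-bind connection for contrast."""
import re

REPLICA_SUFFIX = "ou=EDS,o=teligent,dc=co,c=uk"

ACCESS_LOG = """\
[03/Jul/2006:10:24:11 +0100] conn=11 fd=67 slot=67 SSL connection from 192.168.27.15 to 192.168.144.61
[03/Jul/2006:10:24:11 +0100] conn=11 SSL 256-bit AES; client CN=nema2,OU=EDS,O=teligent,DC=co,C=uk; issuer CN=CAcertnema2
[03/Jul/2006:10:24:11 +0100] conn=11 SSL client bound as cn=nema2,ou=EDS,o=teligent,dc=co,c=uk
[03/Jul/2006:10:24:11 +0100] conn=11 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
[03/Jul/2006:10:24:11 +0100] conn=11 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=nema2,ou=EDS,o=teligent,dc=co,c=uk"
[03/Jul/2006:10:24:11 +0100] conn=11 op=3 EXT oid="2.16.840.1.113730.3.5.3" name="Netscape Replication Start Session"
[03/Jul/2006:10:24:11 +0100] conn=11 op=3 RESULT err=0 tag=120 nentries=0 etime=0
[03/Jul/2006:10:30:00 +0100] conn=12 fd=68 slot=68 SSL connection from 192.168.27.15 to 192.168.144.61
[03/Jul/2006:10:30:00 +0100] conn=12 op=0 BIND dn="cn=repluser,cn=config" method=128 version=3
[03/Jul/2006:10:30:00 +0100] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0
"""

ERRORS_LOG = """\
[03/Jul/2006:10:24:11 +0100] NSMMReplicationPlugin - conn=11 op=3 replica="ou=EDS,o=teligent,dc=co,c=uk": Unable to acquire replica: error: permission denied
"""

CONN_RE = re.compile(r"^\[[^\]]+\] conn=(?P<conn>\d+) (?P<rest>.*)$")
BIND_RE = re.compile(r'^op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=(?P<method>\S+)'
                     r"(?: version=\d+)?(?: mech=(?P<mech>\S+))?")
RESULT_RE = re.compile(r"^op=(?P<op>\d+) RESULT err=(?P<err>\d+)(?P<rest>.*)$")
DN_RE = re.compile(r'dn="(?P<dn>[^"]*)"')
ERR_RE = re.compile(r"^\[[^\]]+\] NSMMReplicationPlugin - conn=(?P<conn>\d+) op=\d+ "
                    r'replica="(?P<replica>[^"]+)": Unable to acquire replica: error: (?P<reason>.+)$')


def normalize_dn(dn):
    """Split a DN into lower-cased RDNs; sufficient for the suffix test used here."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def dn_under_suffix(dn, suffix):
    """True when dn is a proper descendant of suffix (i.e. inside the replicated area)."""
    d, s = normalize_dn(dn), normalize_dn(suffix)
    return len(d) > len(s) and d[-len(s):] == s


def diagnose(access_log, errors_log, replica_suffix):
    """Per connection: was the bind client-cert auth, which DN did the server
    actually use, is it inside the replica, and did replica acquisition fail."""
    conns = {}
    for line in access_log.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue
        c = conns.setdefault(m["conn"], {"ssl_bound_as": None, "bind_dn": None,
                                         "mech": None, "bind_op": None,
                                         "result_dn": None, "denied": False})
        rest = m["rest"]
        prefix = "SSL client bound as "
        if rest.startswith(prefix):          # identity mapped from the client cert
            c["ssl_bound_as"] = rest[len(prefix):].strip()
            continue
        b = BIND_RE.match(rest)
        if b:                                # dn="" is normal for SASL/EXTERNAL
            c["bind_dn"], c["mech"], c["bind_op"] = b["dn"], b["mech"], b["op"]
            continue
        r = RESULT_RE.match(rest)
        if r and r["op"] == c["bind_op"]:    # the BIND's RESULT carries the effective dn
            d = DN_RE.search(r["rest"])
            if d:
                c["result_dn"] = d["dn"]
    for line in errors_log.splitlines():
        e = ERR_RE.match(line)
        if e and e["conn"] in conns and e["reason"].startswith("permission denied"):
            conns[e["conn"]]["denied"] = True

    report = {}
    for conn, c in conns.items():
        cert_auth = c["mech"] == "EXTERNAL" and c["ssl_bound_as"] is not None
        effective_dn = c["ssl_bound_as"] or c["result_dn"] or c["bind_dn"] or ""
        in_replica = dn_under_suffix(effective_dn, replica_suffix)
        if not c["denied"]:
            advice = "replica acquired; nothing to do"
        elif cert_auth and in_replica:
            advice = ("supplier identity lies inside the replicated suffix; create a "
                      "pseudo user under cn=config, map the certificate to it in "
                      "certmap.conf and list that DN as the supplier DN")
        elif cert_auth:
            advice = "client-cert auth works; check that this DN is the configured supplier DN"
        else:
            advice = "not client-cert auth; check the agreement's connection settings"
        report[conn] = {"client_cert_auth": cert_auth, "effective_dn": effective_dn,
                        "dn_in_replica": in_replica, "acquire_denied": c["denied"],
                        "advice": advice}
    return report


if __name__ == "__main__":
    for conn, info in diagnose(ACCESS_LOG, ERRORS_LOG, REPLICA_SUFFIX).items():
        print(f"conn={conn}: {info}")
```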
From rmeggins at redhat.com Mon Jul 3 15:17:26 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 03 Jul 2006 09:17:26 -0600
Subject: [Fedora-directory-users] ldapadd with Kerberos
In-Reply-To: <1881697363.20060703103254@polytechnique.edu>
References: <1881697363.20060703103254@polytechnique.edu>
Message-ID: <44A93506.6020707@redhat.com>

Andrey Ivanov wrote:
> Hi,
>
> There is something I can't explain concerning the interaction of
> ldapadd & ldapsearch (from openldap) with FDS while using kerberos
>
> Here is what I do:
>
> 1. kinit User.Name
> ...
> 2. Verification with klist -ok, I have the kerberos ticket
>
> 3. Verification with ldapsearch works without any problem, giving all the necessary infos:
>
> ldapsearch -Y GSSAPI 'sn=toto*'
> SASL/GSSAPI authentication started
> SASL username: User.Name at KRB-FDS
> SASL SSF: 56
> SASL installing layers
> # extended LDIF
> #
> # LDAPv3
> # base <> with scope sub
> # filter: sn=aic*
> # requesting: userPassword
> .... infos ...
>
> 4. The problem appears when I try to use ldapadd/ldapmodify with some
> ldif files (apparently, these files should be larger than some
> critical value to produce the error)
>
> Here is an example of such an ldif
>
> test.ldif:
> dn: cn=Gilles Martin,ou=CMLS,ou=Laboratoires,o=Some Organization,dc=fds-example,dc=domain,dc=com
> givenName: Gilles
> sn: Martin
> telephoneNumber: 00 00
> loginShell: /bin/bash
> departmentNumber: LAB CMLS
> physicalDeliveryOfficeName: 402:10-02
> uidNumber: 3090
> gidNumber: 3000
> mail: gilles.martin at some-organization.domain.com
> displayName: Gilles Martin (M.)
> uid: Gilles.Martin
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetorgperson
> objectClass: posixAccount
> gecos: Gilles Martin,LAB CMLS ,PERSONNEL DE RECHERCHE
> cn: Gilles Martin
> title: PERSONNEL DE RECHERCHE
> homeDirectory: /home/CMLS/Gilles.Martin
> userPassword: {clear}Gilles.Martin
>
> When I try to add this entry using ldapadd or ldapmodify with kerberos:
>
> [root at workstation ~]# ldapadd -Y GSSAPI -v -f test.ldif -H ldap://fds-example.domain.com
> ldap_initialize( ldap://fds-example.domain.com )
> SASL/GSSAPI authentication started
> SASL username: User.Name at KRB-FDS
> SASL SSF: 56
> SASL installing layers
> add givenName:
> Gilles
> add sn:
> Martin
> add telephoneNumber:
> 00 00
> add loginShell:
> /bin/bash
> add departmentNumber:
> LAB CMLS
> add physicalDeliveryOfficeName:
> 402:10-02
> add uidNumber:
> 3090
> add gidNumber:
> 3000
> add mail:
> gilles.martin at some-organization.domain.com
> add displayName:
> Gilles Martin (M.)
> add uid:
> Gilles.Martin
> add objectClass:
> top
> person
> organizationalPerson
> inetorgperson
> posixAccount
> add gecos:
> Gilles Martin,LAB CMLS ,PERSONNEL DE RECHERCHE
> add cn:
> Gilles Martin
> add title:
> PERSONNEL DE RECHERCHE
> add homeDirectory:
> /home/CMLS/Gilles.Martin
> add userPassword:
> {clear}Gilles.Martin
> adding new entry " cn=Gilles Martin,ou=CMLS,ou=Laboratoires,o=Some Organization,dc=fds-example,dc=domain,dc=com"
> modify complete
> ldap_add: Protocol error (2)
> additional info: decoding error
>
> 5. Adding the same entry using simple authentication (plain text or
> SSL/TLS) is possible without any problem. The only way of using
> kerberos and ldapadd/ldapmodify is adding the option "-O maxssf=0":
>
> ldapadd -Y GSSAPI -O maxssf=0 -v -f test.ldif -H ldap://fds-example.domain.com
>
> With this command line, the ldapadd adds the entry with success.
>
> Can someone explain to me why ldapsearch works without problem and
> ldapadd needs an additional option (this option forbids the double
> encryption kerberos+ssl if I understand correctly)?
>
I'm not sure. Could you post some relevant excerpts from your directory
server access and error logs? Be sure to remove any sensitive data from
them first.

> Thank you!
>
> Andrey Ivanov
> tel +33-(0)1-69-33-99-24
> fax +33-(0)1-69-33-99-55
>
> Direction des Systemes d'Information
> Ecole Polytechnique
> 91128 Palaiseau CEDEX
> France
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From patrick.morris at hp.com Mon Jul 3 15:19:19 2006
From: patrick.morris at hp.com (Morris, Patrick)
Date: Mon, 3 Jul 2006 11:19:19 -0400
Subject: [Fedora-directory-users] New filesystem layout for directoryserver and admin server files
In-Reply-To: <44A9207D.9010802@boreham.org>
Message-ID:

> Is all this partitioning stuff still being done? I thought it
> had gone away once Linux acquired decent filesystem capabilities.
> I've installed probably 100 systems in the past few years,
> all with one big partition for all the /var /usr /tmp etc trees.
> If I want separate physical disks, I just call them /home2
> /home3 or whatever and point the applications at those paths.
> I can't remember the last time I configured a system with
> separate filesystems for /opt and /var
>
> Recent Fedora Core releases default to one big partition using LVM.
>
> Am I smoking crack?

As someone who has to deal with high-security systems, user quotas,
databases, and several other fairly common things, I can tell you it
makes my life a hell of a lot easier to split a machine's disk(s) into
separate filesystems.
You can't put a quota on "/home", for example, if it's just a part of one
big giant "/".

You'll also have a hard time mounting "/usr/bin" r/o if it's part of "/".

There are a ton of reasons people still do this, and in my experience it's
far more common to do it than not to.

From mj at sci.fi Mon Jul 3 15:53:07 2006
From: mj at sci.fi (mj at sci.fi)
Date: Mon, 3 Jul 2006 18:53:07 +0300 (EEST)
Subject: [Fedora-directory-users] New filesystem layout for directory server and admin server files
Message-ID: <15356649.344581151941987778.JavaMail.mj@sci.fi>

Les Mikesell wrote:
>
> Moving locations is always traumatic. Personally I like
> stand-alone packages that aren't going to be installed on
> every machine you have to live under /opt, but if it is
> ever going to move, do it soon to minimize the number of
> people who will be affected by already having it installed
> in the wrong place.

As FDS is the basis of a commercial product, RHDS, let's talk about the
commercial aspect for a moment. Things which are changed in FDS will
eventually go into RHDS. There are already folks with lots of RHDS servers
deployed or being deployed into commercial environments. We are already
talking about a large number of installations.

One of the reasons why I argue so strongly to use RHDS in commercial
environments is that it includes all dependencies in an isolated manner,
and doesn't change interfaces often. IMO, those features make it currently
the most suitable server for commercial usage.

To the people who are complaining about the filesystem layout, understand
that FDS is the basis for a complex and _stable_ commercial product. You
don't just start fiddling with it if it ain't broken... Moving to FHS is
certainly not going to increase sales or product stability, although it
might make a few systems engineers who have never heard of RFC 2251 happy
for a day or two.

Or am I wrong to assume that these types of proposed changes would also
make it into RHDS?

--
mike

From lesmikesell at gmail.com Mon Jul 3 16:14:11 2006
From: lesmikesell at gmail.com (Les Mikesell)
Date: Mon, 03 Jul 2006 11:14:11 -0500
Subject: [Fedora-directory-users] New filesystem layout for directoryserver and admin server files
In-Reply-To:
References:
Message-ID: <1151943252.8353.14.camel@moola.futuresource.com>

On Mon, 2006-07-03 at 11:19 -0400, Morris, Patrick wrote:
> > Is all this partitioning stuff still being done? I thought it
> > had gone away once Linux acquired decent filesystem capabilities.
> > I've installed probably 100 systems in the past few years,
> > all with one big partition for all the /var /usr /tmp etc trees.
> > If I want separate physical disks, I just call them /home2
> > /home3 or whatever and point the applications at those paths.
> > I can't remember the last time I configured a system with
> > separate filesystems for /opt and /var
> >
> > Recent Fedora Core releases default to one big partition using LVM.
> >
> > Am I smoking crack?
>
> As someone who has to deal with high-security systems, user quotas,
> databases, and several other fairly common things, I can tell you it
> makes my life a hell of a lot easier to split a machine's disk(s) into
> separate filesystems. You can't put a quota on "/home", for example, if
> it's just a part of one big giant "/".
>
> You'll also have a hard time mounting "/usr/bin" r/o if it's part of
> "/".
>
> There are a ton of reasons people still do this, and in my experience
> it's far more common to do it than not to.

The current default is to span drives with LVM and spread everything across
it. That's a reasonable default for an installer that can't know the
machine's intended use, but probably not the best choice if you do. Disk
head motion is still the slowest common computer operation and giving your
most intense application its own drive(s) is one of the best ways to
improve performance.
I also like to do software RAID1 mirrors of partitions for critical data so
I could recover data from any single drive after any kind of problem.

--
Les Mikesell
lesmikesell at gmail.com

From rmeggins at redhat.com Mon Jul 3 16:23:54 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 03 Jul 2006 10:23:54 -0600
Subject: [Fedora-directory-users] New filesystem layout for directory server and admin server files
In-Reply-To: <15356649.344581151941987778.JavaMail.mj@sci.fi>
References: <15356649.344581151941987778.JavaMail.mj@sci.fi>
Message-ID: <44A9449A.5050901@redhat.com>

mj at sci.fi wrote:
> Les Mikesell wrote:
>>
>> Moving locations is always traumatic. Personally I like
>> stand-alone packages that aren't going to be installed on
>> every machine you have to live under /opt, but if it is
>> ever going to move, do it soon to minimize the number of
>> people who will be affected by already having it installed
>> in the wrong place.
>
> As FDS is the basis of a commercial product, RHDS, let's talk about
> the commercial aspect for a moment. Things which are changed in FDS
> will eventually go into RHDS. There are already folks with lots of
> RHDS servers deployed or being deployed into commercial environments.
> We are already talking about a large number of installations.
>
> One of the reasons why I argue so strongly to use RHDS in commercial
> environments is that it includes all dependencies in an isolated
> manner, and doesn't change interfaces often. IMO, those features make
> it currently the most suitable server for commercial usage.

But there are a lot of people for whom this is a problem. For example, we
ship 3 versions of NSPR, NSS, LDAP C SDK, ICU, etc. that are private to
RHDS. In addition, we ship our own versions of bdb, cyrus sasl, netsnmp,
and other software that are in most cases identical to what is already
included or available for the OS. To remedy this situation, we are going
to switch FDS/RHDS to build and run against those OS libraries, and to not
include them in the DS package. So we are already committed to not
including all of the dependencies in an isolated manner. This change will
affect the linux and solaris ports. I'm not sure how it will affect the
HP-UX port. HP already takes our software and repackages it in the HP-UX
depot format.

In general, we need to use one copy of the software, and the software
should be forward and backward compatible. We have this assurance with
NSPR, NSS, and mozldap (since it's under our control :-), so if we need to
update NSS on the system to fix a security problem or introduce some new
functionality, we can do so with a very high degree of assurance that we
will not break any existing apps that dynamically link with those NSS libs
we are replacing.

One way we will be able to mitigate this situation is to allow the use of
local, isolated libraries. For example, let's say that we do go the FHS
route. All of the library dependencies will be in /usr/lib - nspr, nss,
mozldap, icu, bdb, netsnmp, sasl. FDS/RHDS will have a private lib
directory in /usr/lib/fedora-ds (or /usr/lib/redhat-ds). We will build the
software in such a way that you could put a private copy of e.g. mozldap
in /usr/lib/fedora-ds that the server will use without affecting the rest
of the software in the system.

Finally, if/when we do change the layout, we will be providing migration
tools to make upgrades as seamless as possible.

> To the people who are complaining about the filesystem layout,
> understand that FDS is the basis for a complex and _stable_ commercial
> product. You don't just start fiddling with it if it ain't broken...
> Moving to FHS is certainly not going to increase sales or product
> stability, although it might make a few systems engineers who have
> never heard of RFC 2251 happy for a day or two.

I think it is an orthogonal issue to RFC2251. A lot of people in the linux
community have certain assumptions about where to find software, config,
log files, etc. This is the market in which we now find ourselves - FDS
being used as a NOS directory for linux - hence a lot more requests for
features like out-of-the-box support for POSIX, NIS, automount, samba, etc.
And support for FHS, since that is what the other linux NOS directory
server (openldap) uses, as well as other related software such as autofs,
nis, pam, etc. In the past (i.e. Netscape/iPlanet), most of our customers
were very large enterprises which used our DS for portals, mail servers,
PKI, etc. and just figured out how to make it work for their NOS apps.
These types of customers typically didn't really care where the software
was installed as long as it was easy to manage, since none of the other
large enterprise software had any consistency about where it was installed.

> Or am I wrong to assume that these types of proposed changes would also
> make it into RHDS?

You are correct - RHDS is the downstream for FDS, and there is no way we
would be able to make a drastic change like this to FDS without RHDS
picking it up. As far as doing FHS for explicit business reasons - the
same could be said about RPM packaging - we added support for RPMs when we
already had a good package with installer.

> --
> mike
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3178 bytes
Desc: S/MIME Cryptographic Signature
URL: 

From jfgamsby at lbl.gov Mon Jul 3 16:26:05 2006
From: jfgamsby at lbl.gov (Jeff Gamsby)
Date: Mon, 03 Jul 2006 09:26:05 -0700
Subject: [Fedora-directory-users] Retrieving User Password From Fedora Directory Server
In-Reply-To: 
References: 
Message-ID: <44A9451D.6070407@lbl.gov>

Hariharan R wrote:
> Dear all,
>
> I am using FDS 7.2 on FC3 for my development. I am storing the
> user profile along with the user password in the FDS database (BDB). When I
> look at the user profile in the console I see that the password value has
> been encrypted.
> Fine. If I do 'ldapsearch', it doesn't return the 'userpassword'
> attribute and its value.

Are you doing an 'ldapsearch' as "Directory Manager"? Try '-D "cn=Directory Manager" -w -'

> How can I get the userPassword attribute and its value using the LDAP
> search command? Is there any way to convert the encrypted password
> to a plain text one?

No. AFAIK the hashes are one-way.

> I am in urgent need, so please can anyone guide me.
>
> Thanks in advance.
>
> ---
> Regards,
> Hariharan.R
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From mj at sci.fi Mon Jul 3 17:11:02 2006
From: mj at sci.fi (mj at sci.fi)
Date: Mon, 3 Jul 2006 20:11:02 +0300 (EEST)
Subject: [Fedora-directory-users] New filesystem layout for directory server and admin server files
Message-ID: <31422144.348341151946662330.JavaMail.mj@sci.fi>

Richard Megginson wrote:
> But there are a lot of people for whom this is a problem. For example, we ship 3 versions of NSPR, NSS, LDAP C SDK, ICU, etc. that are private to RHDS. In
> addition, we ship our own versions of bdb, cyrus sasl, netsnmp, and other software that are in most cases identical to what is already included or available for
> the OS. To remedy this situation, we are going to switch FDS/RHDS to build and run against those OS libraries, and to not include them in the DS package.
> So we are already committed to not including all of the dependencies in an isolated manner. This change will affect the linux and solaris ports. I'm not sure
> how it will affect the HP-UX port. HP already takes our software and repackages it in the HP-UX depot format.

Argh. This is also a strength of the FDS software, not a problem or weakness. The package always works because it always includes exactly what it needs. Using OS libraries can cause all sorts of unpredictable problems. IMO, removing the included dependencies is also a bad idea. My list of reasons on the plus side for FDS/RHDS vs OL is being reduced, strangely. One would have thought that the package could only get better, not worse.

Consider Symas, how they compile and deliver CDS, which is intended to be a supportable product for commercial customers. They put the entire chain of dependencies and software into /opt/symas, so CDS doesn't break every time somebody installs a new buggy OS-level bdb or OL library on the machine. There's a good reason for that; it is then a supportable product. Trusting the proper operation of your critically important software to the random quality and version numbers of system libraries is not wise.

BTW, when is the autoconf support coming? The patch was submitted quite a while ago, IIRC...

BR,
--
mike

From rmeggins at redhat.com Mon Jul 3 19:34:05 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 03 Jul 2006 13:34:05 -0600
Subject: [Fedora-directory-users] New filesystem layout for directory server and admin server files
In-Reply-To: <31422144.348341151946662330.JavaMail.mj@sci.fi>
References: <31422144.348341151946662330.JavaMail.mj@sci.fi>
Message-ID: <44A9712D.3070105@redhat.com>

mj at sci.fi wrote:
> Richard Megginson wrote:
>> But there are a lot of people for whom this is a problem. For
>> example, we ship 3 versions of NSPR, NSS, LDAP C SDK, ICU, etc. that
>> are private to RHDS. In
>> addition, we ship our own versions of bdb, cyrus sasl, netsnmp, and
>> other software that are in most cases identical to what is already
>> included or available for the OS. To remedy this situation, we are
>> going to switch FDS/RHDS to build and run against those OS libraries,
>> and to not include them in the DS package. So we are already
>> committed to not including all of the dependencies in an isolated
>> manner. This change will affect the linux and solaris ports. I'm not
>> sure how it will affect the HP-UX port. HP already takes our software
>> and repackages it in the HP-UX depot format.
>
>
> Argh. This is also a strength of the FDS software, not a problem or
> weakness. The package always works because it always includes exactly
> what it needs. Using OS libraries can cause all sorts of unpredictable
> problems. IMO, removing the included dependencies is also a bad idea.
> My list of reasons on the plus side for FDS/RHDS vs OL is being
> reduced, strangely. One would have thought that the package could only
> get better, not worse.
> Consider Symas, how they compile and deliver CDS, which is intended to
> be a supportable product for commercial customers. They put the entire
> chain of dependencies and software into /opt/symas, so CDS doesn't
> break every time somebody installs a new buggy OS-level bdb or OL
> library on the machine. There's a good reason for that; it is then a
> supportable product. Trusting the proper operation of your critically
> important software to the random quality and version numbers of system
> libraries is not wise.

This is why we also give ourselves the ability to fall back to the safe position of having all of the dependencies installed in a private directory. In most cases it won't be an issue because we control the software (NSPR, NSS, mozldap) or the software isn't that critical (netsnmp, icu).
The two exceptions are bdb and cyrus sasl. For bdb, it will be absolutely critical to the operation of the server to use the exact supported version, no more, no less. For the near future, this means 4.2.52 + the recommended patch set, which is what is provided with the latest db4-4.2 packages on RHEL/Fedora Core. Something similar applies for cyrus-sasl and kerberos. The RPM will reflect this in its Requires.

> BTW, when is the autoconf support coming? The patch was submitted
> quite a while ago, IIRC...

Slowly. We're slowly working our way up the stack. Next on the hit list is Admin Server.

>
> BR,
> --
> mike

From haizaar at gmail.com Mon Jul 3 10:17:31 2006
From: haizaar at gmail.com (Hai Zaar)
Date: Mon, 3 Jul 2006 13:17:31 +0300
Subject: [Fedora-directory-users] packaging problems.
In-Reply-To: 
References: 
Message-ID: 

Dear list,

I know that you are currently working on making FDS more FHS friendly, but anyway, I've got a problem with the current packaging.

I'm building FDS-1.0.2 using dsbuild. When the build finishes, the ds/ldapserver/work dir contains the file allLinux2.6_x86_glibc_PTH_OPT.OBJ.tar.gz, which, AFAIK, should be unzipped and then ./setup should be run.

The problem is, not all of the files are packaged:

cd ds/ldapserver/work
mkdir /tmp/fds
tar zxvf allLinux2.6_x86_glibc_PTH_OPT.OBJ.tar.gz -C /tmp/fds
cd /tmp/fds && ls -la
admin base dsktune setup setup.inf slapd tmp

The 'svrcore' dir is missing; setup complains about it and fails. On the other hand, the produced rpm is fine, and running setup from the ds/servercore/work/pkg dir (which looks like the origin of the tarball) succeeds.

Distro: LFS-6.1+kernel-2.6.15.

P.S. I'm not on the list, so please CC me.
--
Zaar

From Andrey.Ivanov at polytechnique.fr Tue Jul 4 08:37:02 2006
From: Andrey.Ivanov at polytechnique.fr (Andrey Ivanov)
Date: Tue, 4 Jul 2006 10:37:02 +0200
Subject: [Fedora-directory-users] ldapadd with Kerberos
In-Reply-To: <44A93506.6020707@redhat.com>
References: <1881697363.20060703103254@polytechnique.edu> <44A93506.6020707@redhat.com>
Message-ID: <11910689900.20060704103702@polytechnique.edu>

>> 5. Adding the same entry using simple authentication (plain text or
>> SSL/TLS) is possible without any problem. The only way of using
>> kerberos and ldapadd/ldapmodify is adding the option "-O maxssf=0":
>>
>> ldapadd -Y GSSAPI -O maxssf=0 -v -f test.ldif -H ldap://fds-example.domain.com
>>
>> With this command line, the ldapadd adds the entry with success.
>>
>> Can someone explain to me why ldapsearch works without problem and
>> ldapadd needs an additional option (this option forbids the double
>> encryption kerberos+ssl if I understand correctly)?

RM> I'm not sure. Could you post some relevant excerpts from your directory
RM> server access and error logs? Be sure to remove any sensitive data from
RM> them first.

The logs do not reveal anything special - it's the same error (2 - protocol error). FDS 1.0.2.
ldapadd/ldapmodify are the rpm versions from FC2, FC3, FC4 (I've tested both).

ldapadd -Y GSSAPI -v -f test.ldif -H ldap://fds-example.domain.com

Access logs:

[29/Jun/2006:20:38:47 +0200] conn=225 fd=64 slot=64 connection from xxx.xxx.xxx.xxx to yyy.yyy.yyy.yyy
[29/Jun/2006:20:38:48 +0200] conn=225 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[29/Jun/2006:20:38:48 +0200] conn=225 op=0 RESULT err=14 tag=97 nentries=0 etime=0.013000, SASL bind in progress
[29/Jun/2006:20:38:48 +0200] conn=225 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[29/Jun/2006:20:38:48 +0200] conn=225 op=1 RESULT err=14 tag=97 nentries=0 etime=0.000000, SASL bind in progress
[29/Jun/2006:20:38:48 +0200] conn=225 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[29/Jun/2006:20:38:48 +0200] conn=Internal op=-1 SRCH base="dc=fds-example,dc=domain,dc=com" scope=2 filter="(&(uid=User.Name))" attrs=ALL
[29/Jun/2006:20:38:48 +0200] conn=Internal op=-1 RESULT err=0 tag=48 nentries=1 etime=0.001000
[29/Jun/2006:20:38:48 +0200] conn=Internal op=-1 SRCH base="o=NetscapeRoot" scope=2 filter="(&(uid=User.Name))" attrs=ALL
[29/Jun/2006:20:38:48 +0200] conn=Internal op=-1 RESULT err=0 tag=48 nentries=0 etime=0.000000
[29/Jun/2006:20:38:48 +0200] conn=Internal op=-1 SRCH base="cn=user name,ou=cmap,ou=laboratoires,o=Some Organization,dc=fds-example,dc=domain,dc=com" scope=0 filter="(|(objectclass=*)(objectclass=ldapsubentry))" attrs=ALL
[29/Jun/2006:20:38:48 +0200] conn=Internal op=-1 RESULT err=0 tag=48 nentries=1 etime=0.000000
[29/Jun/2006:20:38:48 +0200] conn=225 op=2 RESULT err=0 tag=97 nentries=0 etime=0.002000 dn="cn=user name,ou=cmap,ou=laboratoires,o=Some Organization,dc=fds-example,dc=domain,dc=com"
[29/Jun/2006:20:38:48 +0200] conn=225 op=3 ADD dn="cn=Gilles Martin,ou=CMLS,ou=Laboratoires,o=Some Organization,dc=fds-example,dc=domain,dc=com", decoding error
[29/Jun/2006:20:38:48 +0200] conn=225 op=3 RESULT err=2 tag=105 nentries=0 etime=0.000000
[29/Jun/2006:20:38:48 +0200] conn=225 op=4 UNBIND
[29/Jun/2006:20:38:48 +0200] conn=225 op=4 fd=64 closed - U1

And there is nothing in the error logs....

What may be important - it's the size of the ldif file. The error pops up for this file:

dn: cn=Gilles Martin,ou=CMLS,ou=Laboratoires,o=Some Organization,dc=fds-example,dc=domain,dc=com
givenName: Gilles
sn: Martin
telephoneNumber: 00 00
loginShell: /bin/bash
departmentNumber: LAB CMLS
physicalDeliveryOfficeName: 402:10-02
uidNumber: 3090
gidNumber: 3000
mail: gilles.martin at some-organization.domain.com
displayName: Gilles Martin (M.)
uid: Gilles.Martin
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
gecos: Gilles Martin,LAB CMLS ,PERSONNEL DE RECHERCHE
cn: Gilles Martin
title: PERSONNEL DE RECHERCHE
homeDirectory: /home/CMLS/Gilles.Martin
userPassword: {clear}Gilles.Martin

But everything goes smoothly for this one:

dn: cn=Gilles Martin,ou=CMLS,ou=Laboratoires,o=Some Organization,dc=fds-example,dc=domain,dc=com
givenName: Gilles
sn: Martin
#telephoneNumber: 00 00
loginShell: /bin/bash
#departmentNumber: LAB CMLS
#physicalDeliveryOfficeName: 402:10-02
uidNumber: 3090
gidNumber: 3000
#mail: gilles.martin at some-organization.domain.com
#displayName: Gilles Martin (M.)
uid: Gilles.Martin
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
#gecos: Gilles Martin,LAB CMLS ,PERSONNEL DE RECHERCHE
cn: Gilles Martin
#title: PERSONNEL DE RECHERCHE
homeDirectory: /home/CMLS/Gilles.Martin
userPassword: {clear}Gilles.Martin

Both files are correctly imported with

ldapadd -Y GSSAPI -O maxssf=0 -v -f test.ldif -H ldap://fds-example.domain.com

Andrey Ivanov
tel +33-(0)1-69-33-99-24
fax +33-(0)1-69-33-99-55
Direction des Systemes d'Information
Ecole Polytechnique
91128 Palaiseau CEDEX
France

From basile.mathieu at siris.sorbonne.fr Tue Jul 4 11:21:46 2006
From: basile.mathieu at siris.sorbonne.fr (basile)
Date: Tue, 04 Jul 2006 13:21:46 +0200
Subject: [Fedora-directory-users] [Fwd: migrate sendmail with fds]
Message-ID: <44AA4F4A.2090204@siris.sorbonne.fr>

-------------- next part --------------
An embedded message was scrubbed...
From: basile
Subject: migrate sendmail with fds
Date: Tue, 04 Jul 2006 13:19:35 +0200
Size: 1438
URL: 

From mj at sci.fi Tue Jul 4 11:36:54 2006
From: mj at sci.fi (mj at sci.fi)
Date: Tue, 4 Jul 2006 14:36:54 +0300 (EEST)
Subject: [Fedora-directory-users] [Fwd: migrate sendmail with fds]
Message-ID: <24825062.337591152013014150.JavaMail.mj@sci.fi>

basile wrote:
> I have these errors in the logs
>
> Jul 4 13:08:22 sorbon sm-mta[21182]: [ID 293258 mail.error] libsldap:
> Status: 91 Mesg: Error 0
> Jul 4 13:08:22 sorbon last message repeated 1 time
> Jul 4 13:08:22 xxx sm-mta[21182]: [ID 293258 mail.error] libsldap:
> Status: 7 Mesg: Session error no available conn.

Hi,

For FDS support, post FDS logs to the FDS list. We understand those.

For sendmail support, post sendmail logs to the sendmail list. They understand those.

--
mike

From rmeggins at redhat.com Tue Jul 4 12:41:37 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 04 Jul 2006 06:41:37 -0600
Subject: [Fedora-directory-users] packaging problems.
In-Reply-To: 
References: 
Message-ID: <44AA6201.8050708@redhat.com>

Hai Zaar wrote:
> Dear list,
>
> I know that you are currently working on making FDS more FHS
> friendly, but anyway, I've got a problem with the current packaging.
>
> I'm building FDS-1.0.2 using dsbuild. When the build finishes, the
> ds/ldapserver/work dir contains the file
> allLinux2.6_x86_glibc_PTH_OPT.OBJ.tar.gz, which, AFAIK, should be
> unzipped and then ./setup should be run.
>
> The problem is, not all of the files are packaged:
> cd ds/ldapserver/work
> mkdir /tmp/fds
> tar zxvf allLinux2.6_x86_glibc_PTH_OPT.OBJ.tar.gz -C /tmp/fds
> cd /tmp/fds && ls -la
> admin base dsktune setup setup.inf slapd tmp
>
> The 'svrcore' dir is missing; setup complains about it and fails.

Yes, that appears to be a bug in dsbuild.

> On the
> other hand, the produced rpm is fine, and running setup from the
> ds/servercore/work/pkg dir (which looks like the origin of the tarball)
> succeeds.

Ok, you found the workaround. If you want to use the tar.gz file, you can just manually add the svrcore directory to it and it should work fine.

>
> Distro: LFS-6.1+kernel-2.6.15.
>
> P.S. I'm not on the list, so please CC me.
>

From oliver.hookins at anchor.com.au Wed Jul 5 01:30:15 2006
From: oliver.hookins at anchor.com.au (Oliver Hookins)
Date: Wed, 05 Jul 2006 11:30:15 +1000
Subject: [Fedora-directory-users] RPM/SRPM issues and old RHEL
Message-ID: <44AB1627.8050906@anchor.com.au>

Hi there,

I'm trying to get started testing out Fedora Directory Server with the goal of replacing our OpenLDAP infrastructure. Most of our servers are RHEL3/4 so there are no big issues there since there are already prepackaged binary RPMs for those platforms. But we do have two RHEL2.1 servers which we will definitely need packages for in order to do any migration to FDS. Upgrading these servers to RHEL3/4 is not an option.

Looking at the spec file of the SRPM from RHEL3 it seems like dependencies won't be a problem, but the spec file itself is a mess and doesn't come close to building everything (which I understand is a work in progress).

So my questions are: has anyone got FDS running well on RHEL2.1 (either by compiling directly from source, shoehorning the RPM from RHEL3 or building the RPM from the SRPM)? Has anyone written their own spec file from scratch to build FDS in its entirety from sources? I also wanted to change the installation prefix from /opt so getting a working and complete spec file would be very desirable.

--
Regards,
Oliver Hookins
Anchor Systems

From jim_patterson at comcast.net Wed Jul 5 01:42:12 2006
From: jim_patterson at comcast.net (Jim Patterson)
Date: Tue, 04 Jul 2006 20:42:12 -0500
Subject: [Fedora-directory-users] command line not working
Message-ID: <44AB18F4.5020605@comcast.net>

newbie

I was able to set up directory server and import the Example.ldif into the server (using console). But whenever I try and do a command line modify, delete or search I get the following errors.

My server was set up to run on port 42645 and I also tried port 389. This is my second install; the first was typical and the second was express. I must have missed something in the documentation.

[root at station100 ldif]# ldapdelete -D "cn=Directory Manager, dc=example,dc=com" -wpassword -h station100 -p 42645 "cn=Ted Morris,ou=People,dc=example,dc=com"
ldap_sasl_interactive_bind_s: Local error (-2)
[root at station100 ldif]# ldapdelete -D "cn=Directory Manager, dc=example,dc=com" -wpassword -h station100 -p 389 "cn=Ted Morris,ou=People,dc=example,dc=com"
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
        additional info: SASL(-4): no mechanism available:

From patrick.morris at hp.com Wed Jul 5 02:52:01 2006
From: patrick.morris at hp.com (Morris, Patrick)
Date: Tue, 4 Jul 2006 22:52:01 -0400
Subject: [Fedora-directory-users] command line not working
In-Reply-To: <44AB18F4.5020605@comcast.net>
Message-ID: 

Are you using the utilities from FDS, or the OpenLDAP ones? If the ones from OpenLDAP, you can try adding "-x" to the command line to use simple authentication.

> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com
> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf
> Of Jim Patterson
> Sent: Tuesday, July 04, 2006 6:42 PM
> To: Fedora Directory server users
> Subject: [Fedora-directory-users] command line not working
>
> newbie
> I was able to set up directory server and import the
> Example.ldif into the server (using console). But whenever I
> try and do a command line modify, delete or search I get the
> following errors.
> My server was set up to run on port 42645 and I also tried port 389.
> This is my second install; the first was typical and the
> second was express. I must have missed something in the
> documentation.
>
> [root at station100 ldif]# ldapdelete -D "cn=Directory Manager,
> dc=example,dc=com" -wpassword -h station100 -p 42645 "cn=Ted
> Morris,ou=People,dc=example,dc=com"
> ldap_sasl_interactive_bind_s: Local error (-2)
> [root at station100 ldif]# ldapdelete -D "cn=Directory Manager,
> dc=example,dc=com" -wpassword -h station100 -p 389 "cn=Ted
> Morris,ou=People,dc=example,dc=com"
> SASL/EXTERNAL authentication started
> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
>         additional info: SASL(-4): no mechanism available:
>

From kevin.mccarthy at teligent.co.uk Wed Jul 5 10:38:13 2006
From: kevin.mccarthy at teligent.co.uk (Kevin McCarthy)
Date: Wed, 5 Jul 2006 11:38:13 +0100
Subject: [Fedora-directory-users] Fedora DS 1.0.2 Multiple Master SSL replication: empty bind DN...
In-Reply-To: <44A92904.9070006@redhat.com>
Message-ID: <011501c6a01f$1df95e30$eb90a8c0@teligent.org>

Hi Richard,

Thanks, the addition of the cn=config replication entry did indeed allow the replication to commence between both servers, and the additions/deletions of new user entries were fairly quickly propagated to the other server.

Regards,
Kevin

-----Original Message-----
From: Richard Megginson [mailto:rmeggins at redhat.com]
Sent: 03 July 2006 15:26
To: Kevin McCarthy
Cc: fedora-directory-users at redhat.com
Subject: Re: [Fedora-directory-users] Fedora DS 1.0.2 Multiple Master SSL replication: empty bind DN...

Kevin McCarthy wrote:
> Thanks again Richard,
>
> My attempt to determine why the bind DN remains as "" has still not located
> the cause - though I guess that is due to this being my first usage and I
> have merely missed the obvious!
>
>> To ensure that you are doing client cert auth, you can examine the access
>> log on the replication consumer - look for the connection and BIND from
>> the supplier. If you're not sure what you're looking at, just post the
>> relevant excerpts here.
>
> I can see from the bind result that the initial "dn" is still the required:
>
> "cn=nema2,ou=EDS,o=teligent,dc=co,c=uk"
>
> ..but the BIND dn remains as "", with the method as "sasl"?

Actually, the method is SASL/EXTERNAL, which means the BIND identity comes from somewhere else (in this case, the certificate). So, dn="" is ignored since it is obtained from the certificate.

> Consumer Access log file extract:
>
> [03/Jul/2006:10:24:11 +0100] conn=11 fd=67 slot=67 SSL connection from 192.168.27.15 to 192.168.144.61
> [03/Jul/2006:10:24:11 +0100] conn=11 SSL 256-bit AES; client CN=nema2,OU=EDS,O=teligent,DC=co,C=uk; issuer CN=CAcertnema2
> [03/Jul/2006:10:24:11 +0100] conn=11 SSL client bound as cn=nema2,ou=EDS,o=teligent,dc=co,c=uk
> [03/Jul/2006:10:24:11 +0100] conn=11 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL

All of this means that you are definitely doing client cert auth. You say that the entry cn=nema2,ou=EDS,o=teligent,dc=co,c=uk exists on both servers (and cn=nema1 or cn=nema also)? And you have this DN listed in the supplier DN in the replica configuration? If so, then it could be that replication does not allow you to specify a supplier DN that lives in the replicated area. What we usually recommend is that you create a replication pseudo user in the configuration naming context e.g.

dn: cn=repluser, cn=config
objectclass: person
sn: repluser
cn: repluser
userPassword: password

Then configure cert mapping to map the subjectDN in the cert to this user. To make certmapping work, you may have to name the replication pseudo user something like cn=nema or cn=nema2 so you can use the attributes in the cert subjectDN to map to the pseudo user. Then you will need to have the pseudo user DN as the supplier DN in the replica configuration.

> [03/Jul/2006:10:24:11 +0100] conn=11 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=nema2,ou=EDS,o=teligent,dc=co,c=uk"
> [03/Jul/2006:10:24:11 +0100] conn=11 op=1 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension"
> [03/Jul/2006:10:24:11 +0100] conn=11 op=1 RESULT err=0 tag=101 nentries=1 etime=0
> [03/Jul/2006:10:24:11 +0100] conn=11 op=2 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension"
> [03/Jul/2006:10:24:11 +0100] conn=11 op=2 RESULT err=0 tag=101 nentries=1 etime=0
> [03/Jul/2006:10:24:11 +0100] conn=11 op=3 EXT oid="2.16.840.1.113730.3.5.3" name="Netscape Replication Start Session"
> [03/Jul/2006:10:24:11 +0100] conn=11 op=3 RESULT err=0 tag=120 nentries=0 etime=0
> [03/Jul/2006:10:24:12 +0100] conn=11 op=4 EXT oid="2.16.840.1.113730.3.5.3" name="Netscape Replication Start Session"
> [03/Jul/2006:10:24:12 +0100] conn=11 op=4 RESULT err=0 tag=120 nentries=0 etime=0
> [03/Jul/2006:10:24:15 +0100] conn=11 op=5 EXT oid="2.16.840.1.113730.3.5.3" name="Netscape Replication Start Session"
> [03/Jul/2006:10:24:15 +0100] conn=11 op=5 RESULT err=0 tag=120 nentries=0 etime=0
> [03/Jul/2006:10:24:19 +0100] conn=11 op=6 EXT oid="2.16.840.1.113730.3.5.3" name="Netscape Replication Start Session"
> [03/Jul/2006:10:24:19 +0100] conn=11 op=6 RESULT err=0 tag=120 nentries=0 etime=0
> [03/Jul/2006:10:24:28 +0100] conn=11 op=8 EXT oid="2.16.840.1.113730.3.5.3" name="Netscape Replication Start Session"
> [03/Jul/2006:10:24:28 +0100] conn=11 op=8 RESULT err=0 tag=120 nentries=0 etime=0
> [03/Jul/2006:10:24:34 +0100] conn=10 op=4 UNBIND
> [03/Jul/2006:10:24:34 +0100] conn=10 op=4 fd=64 closed - U1
> [03/Jul/2006:10:24:46 +0100] conn=11 op=10 EXT oid="2.16.840.1.113730.3.5.3" name="Netscape Replication Start Session"
> [03/Jul/2006:10:24:46 +0100] conn=11 op=10 RESULT err=0 tag=120 nentries=0 etime=0
> [03/Jul/2006:10:25:08 +0100] conn=11 op=12 UNBIND
> [03/Jul/2006:10:25:08 +0100] conn=11 op=12 fd=67 closed - U1
>
> Consumer Error log file extract:
>
> [03/Jul/2006:10:24:11 +0100] NSMMReplicationPlugin - conn=11 op=3 replica="ou=EDS,o=teligent,dc=co,c=uk": Unable to acquire replica: error: permission denied
> [03/Jul/2006:10:24:12 +0100] NSMMReplicationPlugin - conn=11 op=4 replica="ou=EDS,o=teligent,dc=co,c=uk": Unable to acquire replica: error: permission denied
> [03/Jul/2006:10:24:15 +0100] NSMMReplicationPlugin - conn=11 op=5 replica="ou=EDS,o=teligent,dc=co,c=uk": Unable to acquire replica: error: permission denied
> [03/Jul/2006:10:24:19 +0100] NSMMReplicationPlugin - conn=11 op=6 replica="ou=EDS,o=teligent,dc=co,c=uk": Unable to acquire replica: error: permission denied
> [03/Jul/2006:10:24:28 +0100] NSMMReplicationPlugin - conn=11 op=8 replica="ou=EDS,o=teligent,dc=co,c=uk": Unable to acquire replica: error: permission denied
> [03/Jul/2006:10:24:46 +0100] NSMMReplicationPlugin - conn=11 op=10 replica="ou=EDS,o=teligent,dc=co,c=uk": Unable to acquire replica: error: permission denied
> [03/Jul/2006:10:24:50 +0100] NSMMReplicationPlugin - agmt="cn=EDS from Server 1" (nema2:636): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.
>
>
> Regards and thanks again,
> Kevin
>
> From: Richard Megginson
> Subject: Re: [Fedora-directory-users] Fedora DS 1.0.2 Multiple Master
> SSL replication: empty bind DN...
> To: "General discussion list for the Fedora Directory server project."
>
> Message-ID: <44A51838.4040409 at redhat.com>
> Content-Type: text/plain; charset="windows-1252"
>
> Kevin McCarthy wrote:
>
>> Richard, thank you for your response!
>>
>> hopefully whatever configuration mistake I made to cause a NULL bind
>> DN will soon come to light
>>
>>
>>> Dear List Members,
>>>
>>> Release: *fedora-ds-1.0.2-1.RHEL3.i386.opt.rpm*
>>>
>>> A typical replication error log entry now follows (seen repeatedly at
>>> both fedora DS servers):
>>>
>>> [28/Jun/2006:18:29:21 +0100] NSMMReplicationPlugin - agmt="cn=EDS from
>>> server 2" (ukstatlap:636): Unable to acquire replica: permission
>>> denied. The *bind dn ""* does not have permission to supply
>>> replication updates to the replica. Will retry later.
>>>
>>> Believe me, I have been investigating this one for 2 or 3 days now
>>> (having just switched from OpenLDAP, since multiple master replication
>>> is required) before sending this submission, just in case I missed a
>>> configuration item or work-around, but unfortunately no luck (so far).
>>>
>>> The only reference I can find for SSL Client Authentication based
>>> Multiple Master replication (2 Linux RHEL 3 servers being used) that
>>> supplies empty DNs, is the Windows specific entry (whose work-around I
>>> tried anyway, but without success):
>>>
>>> Unable to acquire replica: permission denied. The bind dn "" does not
>>> have permission to supply replication updates to the replica. Will
>>> retry later.
>>>
>>> To workaround the problem, after you modify and save the replication
>>> schedule of an agreement, refresh the console, reconfigure the
>>> connection settings (to SSL client authentication) for the agreement,
>>> and save your changes.
>>>
>>> http://www.redhat.com/docs/manuals/dir-server/release-notes/ds611relnotes.html
>>>
>>> The mutual _Current Supplier DNs_ are indeed set (cn=Replication
>>> Manager,cn=replication,cn=config) and the corresponding directory
>>> entries do exist.
>>>
>>> The respective server certificates and CA certificates are installed,
>>> with Subject DN entries loaded.
>>>
>> What are the SubjectDNs in the server certificates?
>>
>> CN=,OU=EDS,O=teligent,DC=co,C=uk
>>
>> where  is the respective server name of the replicating
>> servers e.g. nema2 rather than a full domain name.
>>
> I think this is ok, as long as your DNS (/etc/resolv.conf) configuration
> can resolve nema2.
>
>> The following will hopefully also be relevant:
>>
>> 1) The tree being replicated is OU=EDS,O=Teligent,DC=co,C=uk i.e.
>> the Subject DN is within the replicated tree.
>>
>> 2) certutil was used to generate the server and CA certificates.
>> Surprisingly (to me at least) the CA certificate was then listed in
>> the "Server Certs" panel on the Directory Server Manage Certificates
>> panel.
>>
>> 3) I loaded the ascii version of the other server's CA Certificate
>> directly into the CA Certs panel.
>>
>> 4) All CA certificates have both the accept and make connection trusts
>> ticked.
>>
>>> I do _not_ have Legacy Consumer enabled.
>>>
>> You don't need it.
>>
>>> CertMapping is also defined (though with a NULL DN being supplied, I
>>> guess that will not be kicking in just yet, though there are entries
>>> for the exact subject DN anyway.)
>>>
>> You might want to post your certmap.conf and see here -
>> http://directory.fedora.redhat.com/wiki/Howto:CertMapping
>>
>> I must admit that since the Bind DN was NULL I had not realized that
>> certmapping would actually take effect.
>>
> If you are using client cert based auth (and not just username/password
> auth with SSL) then certmapping will be used. To ensure that you are
> doing client cert auth, you can examine the access log on the
> replication consumer - look for the connection and BIND from the
> supplier. If you're not sure what you're looking at, just post the
> relevant excerpts here.
>
> ...log file extract at the head.
>
>> I ensured that the exact subject DN of the server certificates
>> corresponded to an actual directory entry (with the respective
>> server's user certificate loaded), which I had thought would be
>> matched without the need for a certmap configuration via the original
>> default option, but I tried one anyway
>>
>> certmap nema ou=EDS,o=teligent,dc=co,c=uk
>>
> I think this DN should correspond to the issuerDN (i.e. the subjectDN of
> your CA cert). But I don't think it's used for cert mapping.
>
>> nema:FilterComps cn
>>
> This means you must have one and only one entry called cn=nema2, .....,
> o=teligent,dc=co,c=uk somewhere in your tree.
>
> ...indeed, just the one.
>
>> nema:verifycert off
>>
>> certmap default default
>>
>> indeed one server still runs with the default certmap configuration
>> to see if it made any difference, but both servers receive a NULL bind
>> DN.
>>
> This leads me to believe it is not doing client cert auth. Also check
> the errors log for your supplier and consumer.
>
> ...extracts at the head.
>
>>> When using simple authentication, with or without SSL, all is well
>>> (although replication did require both servers to Initialize the
>>> Consumer, I thought that only one was required e.g. ID 1 initializing
>>> ID 2, but ID 2 then needed to initialize ID 1 before successful 2-way
>>> replication was achieved).
>>>
>> That's odd. You should only need to initialize once one way.
>>
>> indeed, but I guess that it can not do any harm, as the secondary
>> server will not actually need to supply any further updates back to
>> the primary server and it does at least make the mutual replication
>> work for me, until the certificates took their toll
>

From oliver.hookins at anchor.com.au Wed Jul 5 01:28:42 2006
From: oliver.hookins at anchor.com.au (Oliver Hookins)
Date: Wed, 05 Jul 2006 11:28:42 +1000
Subject: [Fedora-directory-users] RPM/SRPM issues and old RHEL
Message-ID: <44AB15CA.3070302@anchor.com.au>

Hi there,

I'm trying to get started testing out Fedora Directory Server with the goal of replacing our OpenLDAP infrastructure. Most of our servers are RHEL3/4 so there are no big issues there since there are already prepackaged binary RPMs for those platforms. But we do have two RHEL2.1 servers which we will definitely need packages for in order to do any migration to FDS. Upgrading these servers to RHEL3/4 is not an option.

Looking at the spec file of the SRPM from RHEL3 it seems like dependencies won't be a problem, but the spec file itself is a mess and doesn't come close to building everything (which I understand is a work in progress).

So my questions are: has anyone got FDS running well on RHEL2.1 (either by compiling directly from source, shoehorning the RPM from RHEL3 or building the RPM from the SRPM)? Has anyone written their own spec file from scratch to build FDS in its entirety from sources? I also wanted to change the installation prefix from /opt so getting a working and complete spec file would be very desirable.
-- Regards, Oliver Hookins Anchor Systems
From bmathieu at sorbonne.fr Tue Jul 4 11:30:44 2006 From: bmathieu at sorbonne.fr (basile) Date: Tue, 04 Jul 2006 13:30:44 +0200 Subject: [Fedora-directory-users] sendmail and fds Message-ID: <44AA5164.4080905@siris.sorbonne.fr> Hi, our mail users are now in a Fedora directory. It works fine, except that I have these errors in the logs:
Jul 4 13:08:22 sorbon sm-mta[21182]: [ID 293258 mail.error] libsldap: Status: 91 Mesg: Error 0
Jul 4 13:08:22 sorbon last message repeated 1 time
Jul 4 13:08:22 xxx sm-mta[21182]: [ID 293258 mail.error] libsldap: Status: 7 Mesg: Session error no available conn.
Jul 4 13:08:22 xxx sm-mta[21182]: [ID 293258 mail.error] libsldap: Status: 91 Mesg: No such file or directory
Jul 4 13:08:22 xxx last message repeated 1 time
Jul 4 13:08:22 xxx sm-mta[21182]: [ID 293258 mail.error] libsldap: Status: 7 Mesg: Session error no available conn.
And I have a Thunderbird on XP which cannot send mail (XP, Thunderbird 1.5.0.4), but with another instance of Thunderbird (same version, on XP) all works fine. That is very strange. If someone has any idea or experience, because we are now in production. Thanks, basile
From bmathieu at siris.sorbonne.fr Wed Jul 5 13:27:27 2006 From: bmathieu at siris.sorbonne.fr (basile) Date: Wed, 05 Jul 2006 15:27:27 +0200 Subject: [Fedora-directory-users] critical problem with fds Message-ID: <44ABBE3F.5020909@siris.sorbonne.fr> Hi, our FDS stops without any error message, nothing in the logs. When it is started, it takes 11-12% of CPU time. Our mailer works with FDS, so it's a bit critical; there are about 2000 users and 6500 aliases. Thanks for help. Do you think these parameters I haven't changed can explain this:
NOTICE : The tcp_conn_req_max_q value is currently 128, which will limit the value of listen backlog which can be configured. It can be raised by adding to /etc/init.d/inetinit, after any adb command, an entry similar to:
TRANSPORT_NAME[10]=tcp NDD_NAME[10]=tcp_conn_req_max_q NDD_VALUE[10]=1024
NOTICE : The tcp_keepalive_interval is set to 7200000 milliseconds (120 minutes). This may cause temporary server congestion from lost client connections. An entry similar to the following should be added to /etc/init.d/inetinit:
TRANSPORT_NAME[10]=tcp NDD_NAME[10]=tcp_keepalive_interval NDD_VALUE[10]=600000
NOTICE : The NDD tcp_rexmit_interval_initial is currently set to 3000 milliseconds (3 seconds). This may cause packet loss for clients on Solaris 2.5.1 due to a bug in that version of Solaris. If the clients are not using Solaris 2.5.1, no problems should occur.
NOTICE : If the directory service is intended only for LAN or private high-speed WAN environment, this interval can be reduced by adding an entry similar to the following to /etc/init.d/inetinit file:
TRANSPORT_NAME[10]=tcp NDD_NAME[10]=tcp_rexmit_interval_initial NDD_VALUE[10]=500
NOTICE : The NDD tcp_ip_abort_cinterval is currently set to 180000 milliseconds (180 seconds). This may cause long delays in establishing outgoing connections if the destination server is down.
NOTICE : If the directory service is intended only for LAN or private high-speed WAN environment, this interval can be reduced by adding an entry similar to the following to /etc/init.d/inetinit file:
TRANSPORT_NAME[10]=tcp NDD_NAME[10]=tcp_ip_abort_cinterval NDD_VALUE[10]=10000
NOTICE : The NDD tcp_ip_abort_interval is currently set to 180000 milliseconds (180 seconds). This may cause long delays in detecting connection failure if the destination server is down.
NOTICE : If the directory service is intended only for LAN or private high-speed WAN environment, this interval can be reduced by adding an entry similar to the following to /etc/init.d/inetinit:
TRANSPORT_NAME[10]=tcp NDD_NAME[10]=tcp_ip_abort_interval NDD_VALUE[10]=60000
NOTICE : The TCP initial sequence number generation is not based on RFC 1948. If this directory service is intended for external access, add the following to /etc/init.d/inetinit:
ndd -set /dev/tcp tcp_strong_iss 2
NOTICE : The NDD tcp_smallest_anon_port is currently 32768. This allows a maximum of 32768 simultaneous connections. More ports can be made available by adding an entry similar to the following to /etc/init.d/inetinit:
TRANSPORT_NAME[10]=tcp NDD_NAME[10]=tcp_smallest_anon_port NDD_VALUE[10]=8192
WARNING: tcp_deferred_ack_interval is currently 100 milliseconds. This will cause the operating system to insert artificial delays in the LDAP protocol. It should be reduced during load testing. An entry similar to the following can be added to the /etc/init.d/inetinit file:
TRANSPORT_NAME[10]=tcp NDD_NAME[10]=tcp_deferred_ack_interval NDD_VALUE[10]=5
WARNING: There are only 256 file descriptors (soft limit) available, which limit the number of simultaneous connections. Additional file descriptors, up to 65536 (hard limit), are available by issuing 'ulimit' ('limit' for tcsh) command with proper arguments.
ulimit -n 4096
NOTICE : / partition has less space available, 1584MB, than the largest allowable core file size of 2048MB. A daemon process which dumps core could cause the root partition to be filled.
ERROR : The above errors MUST be corrected before proceeding.
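An added example that works through the dsktune output above; it is not code from basile's message, from the dsktune tool or from the Fedora DS project. It pulls every recommended kernel tunable out of the text, renumbers the array entries, and compares the shell's soft file-descriptor limit with the value dsktune asked for, which is the fix Richard Megginson suggests in his reply later in this digest. Two practical points drive the design. First, every entry dsktune prints carries the same index [10]; pasted as-is into a ksh-style TRANSPORT_NAME/NDD_NAME/NDD_VALUE array, each assignment overwrites the previous one and only the last tunable takes effect, so the generator hands out consecutive indices. Second, tcp_strong_iss is the one security-relevant item (RFC 1948 initial sequence numbers; predictable ISNs make blind TCP spoofing against an externally reachable LDAP port easier) and dsktune prints it as a bare ndd command rather than an array entry, so the parser accepts both forms. The DSKTUNE_OUTPUT sample is constructed from the notices quoted above, shortened; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed sample: the tunables from
# the dsktune output quoted above, trimmed to the lines that matter. The real
# tool prints each array assignment on its own line; both layouts are handled.
DSKTUNE_OUTPUT='NOTICE : The tcp_conn_req_max_q value is currently 128.
TRANSPORT_NAME[10]=tcp NDD_NAME[10]=tcp_conn_req_max_q NDD_VALUE[10]=1024
NOTICE : The tcp_keepalive_interval is set to 7200000 milliseconds.
TRANSPORT_NAME[10]=tcp
NDD_NAME[10]=tcp_keepalive_interval
NDD_VALUE[10]=600000
TRANSPORT_NAME[10]=tcp NDD_NAME[10]=tcp_rexmit_interval_initial NDD_VALUE[10]=500
TRANSPORT_NAME[10]=tcp NDD_NAME[10]=tcp_ip_abort_cinterval NDD_VALUE[10]=10000
TRANSPORT_NAME[10]=tcp NDD_NAME[10]=tcp_ip_abort_interval NDD_VALUE[10]=60000
NOTICE : The TCP initial sequence number generation is not based on RFC 1948.
ndd -set /dev/tcp tcp_strong_iss 2
TRANSPORT_NAME[10]=tcp NDD_NAME[10]=tcp_smallest_anon_port NDD_VALUE[10]=8192
TRANSPORT_NAME[10]=tcp NDD_NAME[10]=tcp_deferred_ack_interval NDD_VALUE[10]=5
WARNING: There are only 256 file descriptors (soft limit) available.
ulimit -n 4096'

# One "name value" pair per line for every tunable dsktune recommends, whether
# it was printed as NDD_NAME/NDD_VALUE assignments or as a bare "ndd -set".
extract_tunables() {
    printf '%s\n' "$DSKTUNE_OUTPUT" | awk '
        {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^NDD_NAME\[[0-9]+\]=/)  { split($i, a, "="); name = a[2] }
                if ($i ~ /^NDD_VALUE\[[0-9]+\]=/) { split($i, a, "="); print name, a[2] }
            }
            for (i = 1; i + 4 <= NF; i++)
                if ($i == "ndd" && $(i + 1) == "-set") print $(i + 3), $(i + 4)
        }'
}

# Re-emit the entries with unique, consecutive indices starting at $1 (default
# 10). dsktune prints [10] on every entry; in a ksh array the last assignment
# to an index wins, so pasting the notices verbatim keeps only one tunable.
render_nddconfig() {
    extract_tunables | awk -v n="${1:-10}" '{
        printf "TRANSPORT_NAME[%d]=tcp\nNDD_NAME[%d]=%s\nNDD_VALUE[%d]=%s\n", n, n, $1, n, $2
        n++
    }'
}

count_tunables() { extract_tunables | wc -l | tr -d ' '; }

tunable_value() { extract_tunables | awk -v k="$1" '$1 == k { print $2 }'; }

# Number of distinct indices in the rendered output; equals count_tunables
# only if the renumbering worked.
unique_indices() {
    render_nddconfig | sed -n 's/^NDD_NAME\[\([0-9]*\)]=.*/\1/p' | sort -u | wc -l | tr -d ' '
}

# The descriptor limit dsktune asked for ("ulimit -n 4096" in the sample).
recommended_fd_limit() {
    printf '%s\n' "$DSKTUNE_OUTPUT" | awk '$1 == "ulimit" && $2 == "-n" { print $3 }'
}

# True if this shell's soft fd limit already meets the target (default: the
# dsktune recommendation). Run it from the shell that will start slapd, since
# ulimit only affects that process tree.
fd_limit_ok() {
    want=${1:-$(recommended_fd_limit)}
    cur=$(ulimit -n)
    [ "$cur" = unlimited ] || [ "$cur" -ge "$want" ]
}

render_nddconfig 10
if fd_limit_ok; then
    echo "fd soft limit $(ulimit -n) meets the dsktune recommendation"
else
    echo "fd soft limit $(ulimit -n) is below $(recommended_fd_limit); raise it before starting slapd"
fi
```

The ulimit line dsktune suggests only changes the shell it is typed into, so it belongs in the script that launches ns-slapd (start-slapd or the init script), not in an interactive session; FDS additionally caps its own descriptor use with nsslapd-maxdescriptors in cn=config, so both values have to be raised together for the higher limit to matter.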
From bmathieu at siris.sorbonne.fr Wed Jul 5 13:36:18 2006 From: bmathieu at siris.sorbonne.fr (basile) Date: Wed, 05 Jul 2006 15:36:18 +0200 Subject: [Fedora-directory-users] critical problem with fds Message-ID: <44ABC052.3090405@siris.sorbonne.fr> I find this after enabling the audit log:
time: 20060705152654
dn: cn=uniqueid generator,cn=config
changetype: modify
replace: nsState
nsState:: AbId0eoziQDf45YlAADsUgEAAAAAAAAA
What does it mean? Thanks, basile
From beyonddc.storage at gmail.com Wed Jul 5 20:38:51 2006 From: beyonddc.storage at gmail.com (Chun Tat David Chu) Date: Wed, 5 Jul 2006 16:38:51 -0400 Subject: [Fedora-directory-users] Any recommendation for a decent up to date LDAP book? Message-ID: <20e4c38c0607051338p1b74bbffj3b435b94f50353be@mail.gmail.com> I would like to learn more about LDAP, but a lot of the books I found on amazon.com are more than 2-3 years old. I am afraid they're out of date. Are there any good books that you guys would like to suggest? I am interested in in-depth LDAP explanation/usage/design/schema design. I don't really want to be product specific because in the last 2 years we already switched 3 directory servers: from Sun DS to OpenLDAP to Fedora DS. Thanks in advance! David -------------- next part -------------- An HTML attachment was scrubbed... URL:
From mj at sci.fi Wed Jul 5 20:37:09 2006 From: mj at sci.fi (Mike Jackson) Date: Wed, 05 Jul 2006 23:37:09 +0300 Subject: [Fedora-directory-users] Any recommendation for a decent up to date LDAP book? In-Reply-To: <20e4c38c0607051338p1b74bbffj3b435b94f50353be@mail.gmail.com> References: <20e4c38c0607051338p1b74bbffj3b435b94f50353be@mail.gmail.com> Message-ID: <44AC22F5.2030005@sci.fi> Chun Tat David Chu wrote: > I would like to learn more about LDAP, but a lot of the books I found > on amazon.com are more than 2-3 years old. I am > afraid they're out of date. > > Are there any good books that you guys would like to suggest? 
I am > interested in in-depth LDAP explaination/usages/design/schema design. > I don't really want to be product specific because the last 2 years, we > already switched 3 directory server. From Sun DS to OpenLDAP to Fedora DS. What makes you assume that because a book is 3 years old that it's outdated? The LDAP standard hasn't changed since 1997; it's still at version 3. "Understanding and Deploying LDAP Directory Services" is still the best book you could hope to read. -- mike From miranda at syndetic.org Wed Jul 5 21:40:45 2006 From: miranda at syndetic.org (Michael Chang) Date: Wed, 5 Jul 2006 16:40:45 -0500 (CDT) Subject: [Fedora-directory-users] Any recommendation for a decent up to date LDAP book? In-Reply-To: <44AC22F5.2030005@sci.fi> References: <20e4c38c0607051338p1b74bbffj3b435b94f50353be@mail.gmail.com> <44AC22F5.2030005@sci.fi> Message-ID: [Top Post] I second that. "Understanding and Deploying LDAP Directory Services" is a VERY rich text that covers pretty much everything from A-Z. I don't know which edition is out now, but I have the 2nd edition, and it covers the basics as well as product-specific stuff. I had also purchased another book, "LDAP Directories Explained" (Arkills, Addison Wesley), but it was awful in comparison. Michael On Wed, 5 Jul 2006, Mike Jackson wrote: | Chun Tat David Chu wrote: | > I would like to learn more about the LDAP, but a lot of the book I found on | > amazon.com are more than 2-3 years old. I am afraid | > they're out of date. | > | > Is there any good books that you guys would like to suggest? I am | > interested in in-depth LDAP explaination/usages/design/schema design. | > I don't really want to be product specific because the last 2 years, we | > already switched 3 directory server. From Sun DS to OpenLDAP to Fedora DS. | | What makes you assume that because a book is 3 years old that it's outdated? | The LDAP standard hasn't changed since 1997; it's still at version 3. 
| | "Understanding and Deploying LDAP Directory Services" is still the best book | you could hope to read. | | | -- | mike | | -- | Fedora-directory-users mailing list | Fedora-directory-users at redhat.com | https://www.redhat.com/mailman/listinfo/fedora-directory-users | -- /* BEGIN SIG * * "Most of us, when all is said and done, like what * we like and make up reasons for it afterwards." * -- Soren F. Petersen * *----------------------------- * Michael Chang * miranda [at] syndetic [dot] org * AIM: Solempathe * http://www.syndetic.org/ */ From ben.steeves at gmail.com Wed Jul 5 22:07:16 2006 From: ben.steeves at gmail.com (Ben Steeves) Date: Wed, 5 Jul 2006 19:07:16 -0300 Subject: [Fedora-directory-users] Any recommendation for a decent up to date LDAP book? In-Reply-To: References: <20e4c38c0607051338p1b74bbffj3b435b94f50353be@mail.gmail.com> <44AC22F5.2030005@sci.fi> Message-ID: <7ebb24d10607051507r16b04b4egc7be09eaf466df03@mail.gmail.com> On 7/5/06, Michael Chang wrote: > [Top Post] > > I second that. "Understanding and Deploying LDAP Directory Services" is a VERY > rich text that covers pretty much everything from A-Z. I third the recommendation. The example directory used in the text is the Netscape Directory Server, which is what FDS is based on, so a lot of the server-specific stuff in the book is still applicable (like the ACI chapter, which I found very helpful). The FDS PDF manuals are also very detailed, although a bit obtuse from time to time. -- _ Ben Steeves bcs at metacon.ca ( ) The ASCII ribbon campaign ben.steeves at unb.ca X against HTML e-mail GPG ID: 0xB3EBF1D9 / \ http://www.metacon.ca/ascii Yahoo Messenger: ben_steeves From jim_patterson at comcast.net Wed Jul 5 22:55:59 2006 From: jim_patterson at comcast.net (Jim Patterson) Date: Wed, 05 Jul 2006 17:55:59 -0500 Subject: [Fedora-directory-users]command line not working In-Reply-To: References: Message-ID: <44AC437F.7020205@comcast.net> Ah yes, seems to work much better now. 
I was wondering how this worked since I thought ldap* commands were tied to /etc/openldap/ldap.conf. I still haven't figured out where these commands are connected to, but I guess as I go through this I'll figure it out. On to page 81 of ds71admin.pdf. Thanks Morris, Patrick wrote: >Are you using the utilities from FDS, or the OpenLDAP ones? If the >ones from OpenLDAP, you can try adding "-x" to the command line to use >simple authentication. > > > >>-----Original Message----- >>From: fedora-directory-users-bounces at redhat.com >>[mailto:fedora-directory-users-bounces at redhat.com] On Behalf >>Of Jim Patterson >>Sent: Tuesday, July 04, 2006 6:42 PM >>To: Fedora Directory server users >>Subject: [Fedora-directory-users]command line not working >> >>newbie >>I was able to set up directory server and import the >>Example.ldif into the server (using console). But whenever I >>try and do a command line modify,delete or search I get the >>following errors. >>My server was set up to run on port 42645 and I also tried port 389. >>This is my second install the first was typical and the >>second was express. I must have missed something in the >>documentation. 
>> >>[root at station100 ldif]# ldapdelete -D "cn=Directory Manager, >>dc=example,dc=com"-wpassword -h station100 -p 42645 "cn=Ted >>Morris,ou=People,dc=example,dc=com" >>ldap_sasl_interactive_bind_s: Local error (-2) >>[root at station100 ldif]# ldapdelete -D "cn=Directory Manager, >>dc=example,dc=com"-wpassword -h station100 -p 389 "cn=Ted >>Morris,ou=People,dc=example,dc=com" >>SASL/EXTERNAL authentication started >>ldap_sasl_interactive_bind_s: Unknown authentication method (-6) >> additional info: SASL(-4): no mechanism available: >> >> >>-- >>Fedora-directory-users mailing list >>Fedora-directory-users at redhat.com >>https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> >> > >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > From beyonddc.storage at gmail.com Thu Jul 6 01:07:53 2006 From: beyonddc.storage at gmail.com (Chun Tat David Chu) Date: Wed, 5 Jul 2006 21:07:53 -0400 Subject: [Fedora-directory-users] Any recommendation for a decent up to date LDAP book? In-Reply-To: <7ebb24d10607051507r16b04b4egc7be09eaf466df03@mail.gmail.com> References: <20e4c38c0607051338p1b74bbffj3b435b94f50353be@mail.gmail.com> <44AC22F5.2030005@sci.fi> <7ebb24d10607051507r16b04b4egc7be09eaf466df03@mail.gmail.com> Message-ID: <20e4c38c0607051807t75c0da59va1425257a162f09e@mail.gmail.com> Thanks guys... Looks like "Understanding and Deploying LDAP Directory Services" is the winner. I'll try out that book! On 7/5/06, Ben Steeves wrote: > > On 7/5/06, Michael Chang wrote: > > [Top Post] > > > > I second that. "Understanding and Deploying LDAP Directory Services" is > a VERY > > rich text that covers pretty much everything from A-Z. > > I third the recommendation. 
The example directory used in the text is > the Netscape Directory Server, which is what FDS is based on, so a lot > of the server-specific stuff in the book is still applicable (like the > ACI chapter, which I found very helpful). > > The FDS PDF manuals are also very detailed, although a bit obtuse from > time to time. > -- > _ Ben Steeves bcs at metacon.ca > ( ) The ASCII ribbon campaign ben.steeves at unb.ca > X against HTML e-mail GPG ID: 0xB3EBF1D9 > / \ http://www.metacon.ca/ascii Yahoo Messenger: ben_steeves > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From pkime at Shopzilla.com Fri Jul 7 04:37:19 2006 From: pkime at Shopzilla.com (Philip Kime) Date: Thu, 6 Jul 2006 21:37:19 -0700 Subject: [Fedora-directory-users] Changing the hostname domain of the fedora server Message-ID: <9C0091F428E697439E7A773FFD083427025EE6@szexchange.Shopzilla.inc> Suddenly, I have to change the DNS domain for two Fedora-DS servers. The IP and hostname remain the same. They have replication agreements with other servers. Are there any guidelines for doing this? I suspect it's a horrible thing to have to do ...? PK -- Philip Kime -------------- next part -------------- An HTML attachment was scrubbed... URL: From mj at sci.fi Fri Jul 7 07:22:35 2006 From: mj at sci.fi (Mike Jackson) Date: Fri, 07 Jul 2006 10:22:35 +0300 Subject: [Fedora-directory-users] Changing the hostname domain of the fedora server In-Reply-To: <9C0091F428E697439E7A773FFD083427025EE6@szexchange.Shopzilla.inc> References: <9C0091F428E697439E7A773FFD083427025EE6@szexchange.Shopzilla.inc> Message-ID: <44AE0BBB.1080400@sci.fi> Philip Kime wrote: > Suddenly, I have to change the DNS domain for two Fedora-DS servers. The > IP and hostname remain the same. They have replication agreements with > other servers. 
Are there any guidelines for doing this? I suspect it's a > horrible thing to have to do ...? I have done this and tested it in production environments. It's a pretty hairy procedure as it is, and would be next to impossible if the files were spread around in an FHS setup... Briefly: Do a recursive grep for the domain name from /opt/fedora-ds and you will find about 25 files in several different subdirectories which need to be modified. Do all modifications with the service shut down. Do the same mods to all machines. Start the services up on all machines and check if replication still works (probably not). If not, then just remove and recreate the replication agreements. BTW, the procedure is the same for hostname or domain name change. BR, Mike -- http://www.netauth.com - LDAP Directory Consulting From olivier at pref.nl Fri Jul 7 14:37:31 2006 From: olivier at pref.nl (Olivier Brugman) Date: Fri, 07 Jul 2006 16:37:31 +0200 Subject: [Fedora-directory-users] Addendum howto install fds on ubuntu Message-ID: <44AE71AB.8060300@pref.nl> Hi all, One requires the termcap-compat package for installation of fds on Ubuntu and Debian. Unfortunately, this package is not available for the x86_64 platform. In order to install fds on a Ubuntu Dapper x86_64 xen-U this workaround seems to work for me: - Get the termcap-5.4-4.noarch.rpm and libtermcap-2.0.8-41.x86_64.rpm package from the Fedora Core 4 x86_64 distribution. - Convert these two packages to .deb and install them (dpkg -i). 
Regards, Olivier Brugman From rmeggins at redhat.com Fri Jul 7 15:10:32 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Fri, 07 Jul 2006 09:10:32 -0600 Subject: [Fedora-directory-users] RPM/SRPM issues and old RHEL In-Reply-To: <44AB1627.8050906@anchor.com.au> References: <44AB1627.8050906@anchor.com.au> Message-ID: <44AE7968.5020809@redhat.com> Oliver Hookins wrote: > > Hi there, > > I'm trying to get started testing out Fedora Directory Server with the > goal of replacing our OpenLDAP infrastructure. Most of our servers are > RHEL3/4 so there are no big issues there since there are already > prepackaged binary RPMS for those platforms. > > But we do have two RHEL2.1 server which we will definitely need > packages for in order to do any migration to FDS. Upgrading these > servers to RHEL3/4 is not an option. Looking at the spec file of the > SRPM from RHEL3 it seems like dependencies won't be a problem, the > spec file itself is a mess and doesn't come close to building > everything (which I understand is a work in progress). > > So my questions are: has anyone got FDS running well on RHEL2.1 > (either by compiling directly from source, shoehorning the RPM from > RHEL3 or building the RPM from the SRPM)? Has anyone written their own > spec file from scratch to build FDS in its entirety from sources? I > also wanted to change the installation prefix from /opt so getting a > working and complete spec file would be very desirable. It's going to be a few weeks until we have a buildable srpm. In the meantime, I suggest you try http://directory.fedora.redhat.com/wiki/Building#One-Step_Build -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Fri Jul 7 15:11:45 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Fri, 07 Jul 2006 09:11:45 -0600 Subject: [Fedora-directory-users] critical problem with fds In-Reply-To: <44ABC052.3090405@siris.sorbonne.fr> References: <44ABC052.3090405@siris.sorbonne.fr> Message-ID: <44AE79B1.6010106@redhat.com> basile wrote: > find that after enabling audit log > > time: 20060705152654 > dn: cn=uniqueid generator,cn=config > changetype: modify > replace: nsState > nsState:: AbId0eoziQDf45YlAADsUgEAAAAAAAAA > > what does it means ? This is just normal replication housekeeping. You can ignore these entries. I think in your earlier post you had only 256 file descriptors. You should follow the directions to increase that to probably 4096 - that will probably help with your problems. > thanks > basile > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Fri Jul 7 17:01:51 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Fri, 07 Jul 2006 11:01:51 -0600 Subject: [Fedora-directory-users] Addendum howto install fds on ubuntu In-Reply-To: <44AE71AB.8060300@pref.nl> References: <44AE71AB.8060300@pref.nl> Message-ID: <44AE937F.1080603@redhat.com> Olivier Brugman wrote: > Hi all, > > One requires the termcap-compat package for installation of fds on > Ubuntu and Debian. Unfortunately, this package is not available for > the x86_64 platform. 
> > In order to install fds on a Ubuntu Dapper x86_64 xen-U this > workaround seems to work for me: > > - Get the termcap-5.4-4.noarch.rpm and libtermcap-2.0.8-41.x86_64.rpm > package from the Fedora Core 4 x86_64 distribution. > - Convert these two packages to .deb and install them (dpkg -i). > > Regards, > Olivier Brugman Thanks! http://directory.fedora.redhat.com/wiki/Howto:DebianUbuntu#Ubuntu_x86_64 > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From bitdumpster at gmail.com Fri Jul 7 19:58:09 2006 From: bitdumpster at gmail.com (Mike Mueller) Date: Fri, 7 Jul 2006 15:58:09 -0400 Subject: [Fedora-directory-users] Strange problem -- LDAP server hosed Message-ID: Hey guys... I hope I can provide sufficient detail to get a clue here, but I don't have much info about what's happening yet. We are using Fedora DS v1.0.2, and the client is a Java application using JNDI. The client is doing some tests that involve manipulating the schema, adding/removing attributes, adding/modifying/removing object classes. During this process, objects of these types are created in the directory, too. What's happening is that it seems like objects with duplicate names are being created, i.e. cn=object1 is created twice. The second time it gets created, its name is nsuniqueid=. I'm not sure how this could happen, because typically if you tried to create a duplicate entry, you'd get a javax.naming.directory.NameAlreadyBoundException. What's worse, I can't delete any of these entries. When I try to, it says "Operation not allowed on nonleaf" (doing this via the graphical console), although the object in question is a leaf. Typically, even for nonleafs, the GUI would recursively delete everything. 
The only fix for this problem was to delete the underlying database behind the root suffix and recreate it fresh. Obviously this is a serious problem; in a production environment we can't afford to be doing something like this. This has happened on two of our servers now, and on the second one I'm unable to even delete the database! It got halfway through and then sits there hanging. That server is completely out of commission now. Any information would be appreciated!! Mike -------------- next part -------------- An HTML attachment was scrubbed... URL:
From bitdumpster at gmail.com Fri Jul 7 20:10:31 2006 From: bitdumpster at gmail.com (Mike Mueller) Date: Fri, 7 Jul 2006 16:10:31 -0400 Subject: [Fedora-directory-users] Re: Strange problem -- LDAP server hosed In-Reply-To: References: Message-ID: Follow-up: I was able to finish deleting and recreating the database on the second server by restarting the server (/etc/init.d/ns-slapd restart). Mike On 7/7/06, Mike Mueller wrote:
> Hey guys... I hope I can provide sufficient detail to get a clue here, but I don't have much info about what's happening yet.
>
> We are using Fedora DS v1.0.2, and the client is a Java application using JNDI. The client is doing some tests that involve manipulating the schema, adding/removing attributes, adding/modifying/removing object classes. During this process, objects of these types are created in the directory, too.
>
> What's happening is that it seems like objects with duplicate names are being created, i.e. cn=object1 is created twice. The second time it gets created, its name is nsuniqueid=. I'm not sure how this could happen, because typically if you tried to create a duplicate entry, you'd get a javax.naming.directory.NameAlreadyBoundException.
>
> What's worse, I can't delete any of these entries. When I try to, it says "Operation not allowed on nonleaf" (doing this via the graphical console), although the object in question is a leaf. 
Typically, even for nonleafs, > the GUI would recursively delete everything. > > The only fix for this problem was to delete the underlying database behind > the root suffix, and recreate it fresh. Obviously this is a serious > problem, in a production environment, we can't afford to be doing something > like this. This has happened on two of our servers now, and on the second > one, I'm unable to even delete the database! It got halfway through, and > then sits there hanging. That server is completely out of commision now. > > Any information would be appreciated!! > > Mike > -------------- next part -------------- An HTML attachment was scrubbed... URL: From nkinder at redhat.com Fri Jul 7 20:19:31 2006 From: nkinder at redhat.com (Nathan Kinder) Date: Fri, 07 Jul 2006 13:19:31 -0700 Subject: [Fedora-directory-users] Strange problem -- LDAP server hosed In-Reply-To: References: Message-ID: <44AEC1D3.1090906@redhat.com> Mike Mueller wrote: > Hey guys... I hope I can provide sufficient detail to get a clue here, > but I don't have much info about what's happening yet. > > We are using Fedora DS v1.0.2, and the client is a Java application > using JNDI. The client is doing some tests that involve manipulating > the schema, adding/removing attributes, adding/modifying/removing > object classes. During this process, objects of these types are > created in the directory, too. > > What's happening is that it seems like objects with duplicate names > are being created, i.e. cn=object1 is created twice. The second time > it gets created, its name is nsuniqueid=. I'm > not sure how this could happen, because typically if you tried to > create a duplicate entry, you'd get a > javax.naming.directory.NameAlreadyBoundException. Are you are using multi-master replication? It sounds like these entries you are seeing are replication conflict entries. You can read about dealing with them in the Administrator's Guide. 
Here is a link to the relevant section: http://www.redhat.com/docs/manuals/dir-server/ag/7.1/replicat.html#1106141 > > What's worse, I can't delete any of these entries. When I try to, it > says "Operation not allowed on nonleaf" (doing this via the graphical > console), although the object in question is a leaf. Typically, even > for nonleafs, the GUI would recursively delete everything. What happens when you try to delete the entry with ldapdelete? Also, did you verify that the entry is indeed a leaf entry with ldapsearch as "cn=directory manager"? -NGK > > The only fix for this problem was to delete the underlying database > behind the root suffix, and recreate it fresh. Obviously this is a > serious problem, in a production environment, we can't afford to be > doing something like this. This has happened on two of our servers > now, and on the second one, I'm unable to even delete the database! > It got halfway through, and then sits there hanging. That server is > completely out of commision now. > > Any information would be appreciated!! > > Mike > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3241 bytes Desc: S/MIME Cryptographic Signature URL: From bitdumpster at gmail.com Fri Jul 7 20:29:59 2006 From: bitdumpster at gmail.com (Mike Mueller) Date: Fri, 7 Jul 2006 16:29:59 -0400 Subject: [Fedora-directory-users] Strange problem -- LDAP server hosed In-Reply-To: <44AEC1D3.1090906@redhat.com> References: <44AEC1D3.1090906@redhat.com> Message-ID: On 7/7/06, Nathan Kinder wrote: > > Are you are using multi-master replication? It sounds like these > entries you are seeing are replication conflict entries. 
You can read > about dealing with them in the Administrator's Guide. Here is a link to > the relevant section: > http://www.redhat.com/docs/manuals/dir-server/ag/7.1/replicat.html#1106141 No, replication is currently not active on these machines... What happens when you try to delete the entry with ldapdelete? Also, > did you verify that the entry is indeed a leaf entry with ldapsearch as > "cn=directory manager"? > > -NGK Unfortunately, since I've deleted and recreated the databases, I haven't reproduced this problem. I will try this the next time it happens, assuming it ever happens again. Thanks for the quick response. Mike -------------- next part -------------- An HTML attachment was scrubbed... URL: From pkime at Shopzilla.com Fri Jul 7 20:41:10 2006 From: pkime at Shopzilla.com (Philip Kime) Date: Fri, 7 Jul 2006 13:41:10 -0700 Subject: [Fedora-directory-users] Re: Changing the hostname domain of the fedora server Message-ID: <9C0091F428E697439E7A773FFD083427025EEA@szexchange.Shopzilla.inc> I tried this but it's a real pain. In the end, I just re-installed and used replication to populate again - actually took less time. PK From prowley at redhat.com Fri Jul 7 21:09:52 2006 From: prowley at redhat.com (Pete Rowley) Date: Fri, 07 Jul 2006 14:09:52 -0700 Subject: [Fedora-directory-users] Strange problem -- LDAP server hosed In-Reply-To: References: <44AEC1D3.1090906@redhat.com> Message-ID: <44AECDA0.9000605@redhat.com> Mike Mueller wrote: > > > On 7/7/06, *Nathan Kinder* > wrote: > > Are you are using multi-master replication? It sounds like these > entries you are seeing are replication conflict entries. You can read > about dealing with them in the Administrator's Guide. Here is a > link to > the relevant section: > > http://www.redhat.com/docs/manuals/dir-server/ag/7.1/replicat.html#1106141 > > > No, replication is currently not active on these machines... You say currently, was it once? 
-- Pete -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3241 bytes Desc: S/MIME Cryptographic Signature URL: From bitdumpster at gmail.com Fri Jul 7 21:58:49 2006 From: bitdumpster at gmail.com (Mike Mueller) Date: Fri, 7 Jul 2006 17:58:49 -0400 Subject: [Fedora-directory-users] Strange problem -- LDAP server hosed In-Reply-To: <44AECDA0.9000605@redhat.com> References: <44AEC1D3.1090906@redhat.com> <44AECDA0.9000605@redhat.com> Message-ID: Ok, I just double checked, and apparently it never got turned off. The two machines involved were using multiple-master replication. Thanks for the insightful replies, guys. Seems like Nathan described exactly what was happening. Mike On 7/7/06, Pete Rowley wrote: > > You say currently, was it once? > > -- > Pete > -------------- next part -------------- An HTML attachment was scrubbed... URL: From pkime at Shopzilla.com Sun Jul 9 04:16:44 2006 From: pkime at Shopzilla.com (Philip Kime) Date: Sat, 8 Jul 2006 21:16:44 -0700 Subject: [Fedora-directory-users] Converting a 4-way replication setup to SSL Message-ID: <9C0091F428E697439E7A773FFD083427025EF0@szexchange.Shopzilla.inc> What a nightmare. I tried to use the script on the Wiki but this isn't really set up to do this. I would like one CA and then to generate all of the DS and AS certificates from this. I can't work out if I need to copy the CA db or just the .asc file to the other servers to generate the certs - it seems to need the key for the CA cert and also the noise and pwd files? I finally got two servers on SSL but they won't replicate as they don't like each other's certificates even though I had the CA certs on both servers. I have spent eight hours getting nowhere and will have to start again from scratch. 
If there are any clues on how to: Have one CA for all server certs How to install this CA cert on all servers What is needed for replication over SSL to work Please let me know ... PK -- Philip Kime NOPS Systems Architect 310 401 0407 -------------- next part -------------- An HTML attachment was scrubbed... URL: From ccesario at isic.com.br Sun Jul 9 19:08:48 2006 From: ccesario at isic.com.br (Cesario) Date: Sun, 09 Jul 2006 16:08:48 -0300 Subject: [Fedora-directory-users] phpQLAdmin schema Message-ID: <44B0F1D00200008B00000F2C@gwise.isicbrasil.com.br> Hi peoples! I have qmail and fedora-ds integrated, and I trying to use phpqladmin (http://phpqladmin.com/), but I'm having problems with schema. I get the schema from phpqladmin and try convert it using ol-schema-migrate.pl (http://www.netauth.com/~jacksonm/ldap/ol-schema-migrate.pl), but when I start the slapd I receive one error, maybe somebody with more experiency can hep me Details and schemas =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- ldaptest:/tmp # wget http://www.netauth.com/~jacksonm/ldap/ol-schema-migrate.pl ...... 23:54:23 (20.15 KB/s) - `ol-schema-migrate.pl' saved [14877/14877] ldaptest:/tmp # cp /srv/www/htdocs/phpQLAdmin/schemas/phpQLAdmin.schema . ldaptest:/tmp # chmod a+x ol-schema-migrate.pl ldaptest:/tmp # ./ol-schema-migrate.pl -b phpQLAdmin.schema > phpQLAdmin.schema.converted ldaptest:/tmp # cp phpQLAdmin.schema.converted /opt/fedora-ds/slapd-ldaptest/config/schema/55ns-phpQLAdmin.ldif ldaptest:/tmp # /opt/fedora-ds/slapd-ldaptest/start-slapd [08/Jul/2006:23:57:08 -0300] dse - The entry cn=schema in file /opt/fedora-ds/slapd-ldaptest/config/schema/55ns-phpQLAdmin.ldif is invalid, error code 21 (Invalid syntax) - attribute type administrator: Missing parent attribute syntax OID [08/Jul/2006:23:57:08 -0300] dse - Please edit the file to correct the reported problems and then restart the server. 
ldaptest:/tmp # =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Schemas original and converts is attached Any idea abou solve this error ? Thanks Carlos -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: phpQLAdmin.schema.converted.txt URL: -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: phpQLAdmin.schema.txt URL: From mj at sci.fi Sun Jul 9 18:07:05 2006 From: mj at sci.fi (Mike Jackson) Date: Sun, 09 Jul 2006 21:07:05 +0300 Subject: [Fedora-directory-users] phpQLAdmin schema In-Reply-To: <44B0F1D00200008B00000F2C@gwise.isicbrasil.com.br> References: <44B0F1D00200008B00000F2C@gwise.isicbrasil.com.br> Message-ID: <44B145C9.1080307@sci.fi> Cesario wrote: > Hi peoples! > > I have qmail and fedora-ds integrated, and I trying to use phpqladmin (http://phpqladmin.com/), but I'm having problems with schema. > > > I get the schema from phpqladmin and try convert it using ol-schema-migrate.pl (http://www.netauth.com/~jacksonm/ldap/ol-schema-migrate.pl), but when I start the slapd I receive one error, maybe somebody with more experiency can hep me > > > Details and schemas > > =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- > ldaptest:/tmp # wget http://www.netauth.com/~jacksonm/ldap/ol-schema-migrate.pl > ...... > 23:54:23 (20.15 KB/s) - `ol-schema-migrate.pl' saved [14877/14877] > > ldaptest:/tmp # cp /srv/www/htdocs/phpQLAdmin/schemas/phpQLAdmin.schema . 
> ldaptest:/tmp # chmod a+x ol-schema-migrate.pl
> ldaptest:/tmp # ./ol-schema-migrate.pl -b phpQLAdmin.schema > phpQLAdmin.schema.converted
> ldaptest:/tmp # cp phpQLAdmin.schema.converted /opt/fedora-ds/slapd-ldaptest/config/schema/55ns-phpQLAdmin.ldif
>
> ldaptest:/tmp # /opt/fedora-ds/slapd-ldaptest/start-slapd
> [08/Jul/2006:23:57:08 -0300] dse - The entry cn=schema in file /opt/fedora-ds/slapd-ldaptest/config/schema/55ns-phpQLAdmin.ldif is invalid, error code 21 (Invalid syntax) - attribute type administrator: Missing parent attribute syntax OID
> [08/Jul/2006:23:57:08 -0300] dse - Please edit the file to correct the reported problems and then restart the server.
> ldaptest:/tmp #
>
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>
> The original and converted schemas are attached.
>
> Any idea about how to solve this error?
>
> Thanks
>
> Carlos

Hi,

Seems that my schema conversion tool doesn't support attribute inheritance. That's not something which is used very often, however Turbo used it in the phpqladmin schema.

Replace all those lines where you see "SUP owner" in an attribute definition, example:

Current:

attributetype ( 1.3.6.1.4.1.8767.3.2.4.4 NAME 'administrator'
    DESC 'Administrator for branch'
    SUP owner)

Fixed:

attributetype ( 1.3.6.1.4.1.8767.3.2.4.4 NAME 'administrator'
    DESC 'Administrator for branch'
    EQUALITY distinguishedNameMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
    SINGLE-VALUE)

I will keep this in mind for a feature enhancement.

BR,
Mike
--
http://www.netauth.com - LDAP Directory Consulting

From ccesario at isic.com.br Sun Jul 9 23:02:04 2006
From: ccesario at isic.com.br (Cesario)
Date: Sun, 09 Jul 2006 20:02:04 -0300
Subject: [Fedora-directory-users] phpQLAdmin schema
Message-ID: <44B1287C0200008B00000F3A@gwise.isicbrasil.com.br>

Hi,

Seems that my schema conversion tool doesn't support attribute inheritance. That's not something which is used very often, however Turbo used it in the phpqladmin schema.

Replace all those lines where you see "SUP owner" in an attribute definition, example:

Current:

attributetype ( 1.3.6.1.4.1.8767.3.2.4.4 NAME 'administrator'
    DESC 'Administrator for branch'
    SUP owner)

Fixed:

attributetype ( 1.3.6.1.4.1.8767.3.2.4.4 NAME 'administrator'
    DESC 'Administrator for branch'
    EQUALITY distinguishedNameMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
    SINGLE-VALUE)

I will keep this in mind for a feature enhancement.

BR,
Mike
--
http://www.netauth.com - LDAP Directory Consulting

--
Fedora-directory-users mailing list
Fedora-directory-users at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users

Hi Mike,

Thank you for your help! This works!

But there are other fields that have the same problem

-= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -=
[09/Jul/2006:04:04:16 -0300] dse - The entry cn=schema in file /opt/fedora-ds/slapd-ldaptest/config/schema/55ns-phpQLAdmin.ldif is invalid, error code 21 (Invalid syntax) - attribute type controlBaseDn: Missing parent attribute syntax OID
[09/Jul/2006:04:04:16 -0300] dse - Please edit the file to correct the reported problems and then restart the server
-= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -=

Can I do the same procedure as with attribute 'administrator'?

current

attributetype ( 1.3.6.1.4.1.8767.3.2.4.5 NAME 'controlBaseDn'
    DESC 'Search base DN for QmailLDAP/Controls objects'
    SUP owner)

fixed

attributetype ( 1.3.6.1.4.1.8767.3.2.4.5 NAME 'controlBaseDn'
    DESC 'Search base DN for QmailLDAP/Controls objects'
    EQUALITY distinguishedNameMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
    SINGLE-VALUE)

All the attributes with SUP owner are...

attributetype ( 1.3.6.1.4.1.8767.3.2.4.5 NAME 'controlBaseDn'
    DESC 'Search base DN for QmailLDAP/Controls objects'
    SUP owner)

attributetype ( 1.3.6.1.4.1.8767.3.2.4.10 NAME 'ezmlmAdministrator'
    DESC 'Mailinglist Administrator for branch'
    SUP owner)

attributetype ( 1.3.6.1.4.1.8767.3.2.4.12 NAME 'controlsAdministrator'
    DESC 'QmailLDAP/Controls information administrator(s)?'
    SUP owner)

Can I do the same procedure?!

Very very thanks!

Carlos Cesario

From mj at sci.fi Sun Jul 9 21:18:44 2006
From: mj at sci.fi (Mike Jackson)
Date: Mon, 10 Jul 2006 00:18:44 +0300
Subject: [Fedora-directory-users] phpQLAdmin schema
In-Reply-To: <44B1287C0200008B00000F3A@gwise.isicbrasil.com.br>
References: <44B1287C0200008B00000F3A@gwise.isicbrasil.com.br>
Message-ID: <44B172B4.5000409@sci.fi>

Cesario wrote:
>
> Can I do the same procedure as with attribute 'administrator'?

Yes.

BR,
Mike
--
http://www.netauth.com - LDAP Directory Consulting

From ccesario at isic.com.br Mon Jul 10 01:53:11 2006
From: ccesario at isic.com.br (Cesario)
Date: Sun, 09 Jul 2006 22:53:11 -0300
Subject: [Fedora-directory-users] phpQLAdmin schema
Message-ID: <44B150970200008B00000F49@gwise.isicbrasil.com.br>

Hi Mike,

I replaced all entries with "SUP owner" with

    EQUALITY distinguishedNameMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
    SINGLE-VALUE)

but I think that doesn't work..... see

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
ldaptest:/tmp # /opt/fedora-ds/slapd-ldaptest/start-slapd
[09/Jul/2006:06:53:47 -0300] dse - The entry cn=schema in file /opt/fedora-ds/slapd-ldaptest/config/schema/55ns-phpQLAdmin.ldif is invalid, error code 21 (Invalid syntax) - attribute type baseQuota: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.44"
[09/Jul/2006:06:53:47 -0300] dse - Please edit the file to correct the reported problems and then restart the server.
ldaptest:/tmp #
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

I attach the file with the changes ...
can U help me?

Thanks

Carlos

>>> Mike Jackson 09/07/06 18:18 >>>
Cesario wrote:
>
> Can I do the same procedure as with attribute 'administrator'?

Yes.

BR,
Mike
--
http://www.netauth.com - LDAP Directory Consulting

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: phpQLAdmin.schema.changed.txt

From oliver.hookins at anchor.com.au Mon Jul 10 01:46:42 2006
From: oliver.hookins at anchor.com.au (Oliver Hookins)
Date: Mon, 10 Jul 2006 11:46:42 +1000
Subject: [Fedora-directory-users] RPM/SRPM issues and old RHEL
In-Reply-To: <44AE7968.5020809@redhat.com>
References: <44AB1627.8050906@anchor.com.au> <44AE7968.5020809@redhat.com>
Message-ID: <44B1B182.6060108@anchor.com.au>

Richard Megginson wrote:
> It's going to be a few weeks until we have a buildable srpm. In the
> meantime, I suggest you try
> http://directory.fedora.redhat.com/wiki/Building#One-Step_Build

I don't want to place unpackaged files onto my test machines so I was going to write up my own spec file based on the build instructions. I was hoping someone might have already done this though... no point in duplicating work!

To be honest I'm more interested in anyone's success with RHEL2.1 though as this is a critical point for us.
--
Regards,
Oliver Hookins
Anchor Systems

From linuxkarthi at gmail.com Mon Jul 10 08:14:01 2006
From: linuxkarthi at gmail.com (osk)
Date: Mon, 10 Jul 2006 13:44:01 +0530
Subject: [Fedora-directory-users] directory server stopped
Message-ID: <3ed7d0be0607100114r4f232719pb79ecb8003230292@mail.gmail.com>

hi,

when we do any modification using ldapadd, ldapmodify the server shuts down the 389 service

in "/opt/redhat-ds/slapd-inp1pf01/logs/errors" the following error appears if we restart the service

Detected Disorderly Shutdown last time Directory Server was running, recovering database.
[10/Jul/2006:11:01:44 +051800] - slapd started.  Listening on All Interfaces port 389

plz help me to solve this issue

regards
karthikeyan.N

--
winners don't do different things
they do things differently

From bkjones at gmail.com Mon Jul 10 13:05:53 2006
From: bkjones at gmail.com (Brian Jones)
Date: Mon, 10 Jul 2006 09:05:53 -0400
Subject: [Fedora-directory-users] certutil: generating new .db files for server
Message-ID: <6e5927ff0607100605v5c430ebepd1b3e28e07d9ce5a@mail.gmail.com>

Hi all,

I'm generating new *.db files for my server, where I will install a new root ca, and a new server cert (new *.db files allow me to easily test and back out). I have a couple of questions about *.db files and how FDS uses them:

1. When I use certutil -N to create the new db files, is the value I give to the '-P' flag arbitrary, or does the server look for a specific value based on instance name or something? I have new files called 'slapd-ldap-cert8.db' and 'slapd-ldap-key3.db', because I thought this prefix value was arbitrary, but FDS fails to start because it says that files 'slapd-ldap-testbox-cert8.db' and 'slapd-ldap-testbox-key3.db' are missing. Those are the *old* db file names.

2. Related to 1, how do I (from the command line) change what files FDS looks for? Is this possible? Recommended?

3. Is it true that I cannot reuse a signed server certificate in a newly created database, even if the new database has the same root ca installed as the old one? I need to generate a request every time I run certutil -N?

4. Are there other rules that these files have to conform to in order for the server to start up? Are there docs on this that I've missed? Links? I've seen the mozilla NSS docs, but they're mostly for developers (except for the decent certutil reference), and the RHDS docs do everything from the GUI as far as I've seen.

Thanks.
brian.

From rcritten at redhat.com Mon Jul 10 13:27:00 2006
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 10 Jul 2006 09:27:00 -0400
Subject: [Fedora-directory-users] certutil: generating new .db files for server
In-Reply-To: <6e5927ff0607100605v5c430ebepd1b3e28e07d9ce5a@mail.gmail.com>
References: <6e5927ff0607100605v5c430ebepd1b3e28e07d9ce5a@mail.gmail.com>
Message-ID: <44B255A4.8030307@redhat.com>

Brian Jones wrote:
> Hi all,
>
> I'm generating new *.db files for my server, where I will install a new root
> ca, and a new server cert (new *.db files allow me to easily test and back
> out). I have a couple of questions about *.db files and how FDS uses them:
>
> 1. When I use certutil -N to create the new db files, is the value I give to
> the '-P' flag arbitrary, or does the server look for a specific value based
> on instance name or something? I have new files called 'slapd-ldap-cert8.db'
> and 'slapd-ldap-key3.db', because I thought this prefix value was arbitrary,
> but FDS fails to start because it says that files
> 'slapd-ldap-testbox-cert8.db' and 'slapd-ldap-testbox-key3.db' are missing.
> Those are the *old* db file names.

By default the prefix needs to match the FDS instance name. Because the database files are stored in a common directory a way was needed to discretely name them, hence the prefix.

>
> 2. Related to 1, how do I (from the command line) change what files FDS
> looks for? Is this possible? Recommended?

I've never done this but a cursory look at the code found nsCertfile and nsKeyfile. I guess in theory you could change those values (stored in LDAP, of course) and point to new key/cert files. I grepped them out of dse.ldif to see the current settings.

>
> 3. Is it true that I cannot reuse a signed server certificate in a newly
> created database, even if the new database has the same root ca installed as
> the old one? I need to generate a request every time I run certutil -N?

The signed certificate is only half of what you need. You also need the private key. Without more information on what you're trying to do I can't really make a recommendation.

>
> 4. Are there other rules that these files have to conform to in order for
> the server to start up? Are there docs on this that I've missed? Links? I've
> seen the mozilla NSS docs, but they're mostly for developers (except for the
> decent certutil reference), and the RHDS docs do everything from the GUI as
> far as I've seen.
>

From the perspective of the command-line utilities, they could care less what the files are named as long as they end in cert8.db and key3.db. The prefix flag (-P) lets you set arbitrary data before that.

For a bit more detail on how NSS is initialized, look at the function slapd_nss_init() at http://cvs.fedora.redhat.com/lxr/dirsec/source/ldapserver/ldap/servers/slapd/ssl.c

It looks like the only thing hardcoded is the directory where the files are located, server-root/alias. But like I said, I've never tried renaming those files in the DS. I just wonder if this would cause confusion in the future, or with the console.

rob

From bkjones at gmail.com Mon Jul 10 13:50:04 2006
From: bkjones at gmail.com (Brian Jones)
Date: Mon, 10 Jul 2006 09:50:04 -0400
Subject: [Fedora-directory-users] certutil: generating new .db files for server
In-Reply-To: <44B255A4.8030307@redhat.com>
References: <6e5927ff0607100605v5c430ebepd1b3e28e07d9ce5a@mail.gmail.com> <44B255A4.8030307@redhat.com>
Message-ID: <6e5927ff0607100650k400bf33q65d856a815a553d9@mail.gmail.com>

Hi Rob, thanks for the reply. I've clarified inline:

On 7/10/06, Rob Crittenden wrote:
>
> Brian Jones wrote:
>
> > 3. Is it true that I cannot reuse a signed server certificate in a newly
> > created database, even if the new database has the same root ca
> > installed as
> > the old one? I need to generate a request every time I run certutil -N?
>
> The signed certificate is only half of what you need. You also need the
> private key. Without more information on what you're trying to do I
> can't really make a recommendation.

Right, I know I need the root ca and the server cert (signed by said root ca) both installed in the db. What I'm doing is this:

I have /opt/fedora-ds/alias set up as a symlink to alias-test1, alias-test2, etc. I have a couple of these directories around for... um.... testing :)

What I want to confirm is whether or not I can use, for example, the cert request I generated (using certutil -R) for the db files in alias-test1 for the new db files created in alias-test2.

Thanks for the input.
brian.

From rcritten at redhat.com Mon Jul 10 14:06:40 2006
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 10 Jul 2006 10:06:40 -0400
Subject: [Fedora-directory-users] certutil: generating new .db files for server
In-Reply-To: <6e5927ff0607100650k400bf33q65d856a815a553d9@mail.gmail.com>
References: <6e5927ff0607100605v5c430ebepd1b3e28e07d9ce5a@mail.gmail.com> <44B255A4.8030307@redhat.com> <6e5927ff0607100650k400bf33q65d856a815a553d9@mail.gmail.com>
Message-ID: <44B25EF0.50508@redhat.com>

Brian Jones wrote:
> Hi Rob, thanks for the reply. I've clarified inline:
>
> On 7/10/06, Rob Crittenden wrote:
>>
>> Brian Jones wrote:
>>
>> > 3. Is it true that I cannot reuse a signed server certificate in a newly
>> > created database, even if the new database has the same root ca
>> > installed as
>> > the old one? I need to generate a request every time I run certutil -N?
>>
>> The signed certificate is only half of what you need. You also need the
>> private key. Without more information on what you're trying to do I
>> can't really make a recommendation.
>
> Right, I know I need the root ca and the server cert (signed by said root
> ca) both installed in the db. What I'm doing is this:
>
> I have /opt/fedora-ds/alias set up as a symlink to alias-test1, alias-test2,
> etc. I have a couple of these directories around for... um.... testing :)
>
> What I want to confirm is whether or not I can use, for example, the cert
> request I generated (using certutil -R) for the db files in alias-test1 for
> the new db files created in alias-test2.

Ok, so what you want to do is issue the certificate once, then perhaps move it to other directories?

If so here is what you do:

1. Generate a new database (or use an existing one, it doesn't really matter).
2. Generate your Certificate Server Request (CSR)
3. Sign this with your CA
4. Import the new server certificate into your database (certutil -A ...)
5. Export this server cert, which I've nicknamed Server-Cert, into a PKCS#12 file with:

   pk12util -o server.p12 -n Server-Cert -P slapd-foo- -d alias

6. You can now import this into another certificate database with

   pk12util -i server.p12 -n Server-Cert -P slapd-bar- -d alias-test1

The other alternative is to simply copy the database files between directories, but you'll pick up all certificates/keys rather than discretely copying a single cert/key combo.

rob

From rmeggins at redhat.com Mon Jul 10 14:31:48 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 10 Jul 2006 08:31:48 -0600
Subject: [Fedora-directory-users] directory server stopped
In-Reply-To: <3ed7d0be0607100114r4f232719pb79ecb8003230292@mail.gmail.com>
References: <3ed7d0be0607100114r4f232719pb79ecb8003230292@mail.gmail.com>
Message-ID: <44B264D4.3010106@redhat.com>

osk wrote:
> hi,
> when we do any modification using ldapadd, ldapmodify the server
> shuts down the 389 service

Do you have an example of the ldapmodify command you are doing?

>
> in "/opt/redhat-ds/slapd-inp1pf01/logs/errors" the following error appears if
> we restart the service

Is there anything else in the errors log before this? Can you post a relevant excerpt from your access log? What version of Fedora DS are you using? What OS and version?

>
> Detected Disorderly Shutdown last time Directory Server was running,
> recovering database.
> [10/Jul/2006:11:01:44 +051800] - slapd started.
> Listening on All Interfaces port 389
>
> plz help me to solve this issue
>
> regards
> karthikeyan.N
>
> --
> winners don't do different things
> they do things differently

From jo.de.troy at gmail.com Mon Jul 10 14:51:16 2006
From: jo.de.troy at gmail.com (Jo De Troy)
Date: Mon, 10 Jul 2006 16:51:16 +0200
Subject: [Fedora-directory-users] admin-server SSL
Message-ID:

Hello,

I'm trying to set up SSL for the admin server and I had a few questions.

Can I reuse the server certificate that I use for the LDAP server? Or isn't it a good idea? It seems a bit strange to have to create 2 separate certificates for the LDAP server and the admin-server when they're running on the same physical server with the same fqdn. Or do I better use a virtual host for the admin-server? I must be missing something.

I tried copying over the slapd-<>-key and slapd-<>-cert db's to admin-serv-<> but then I couldn't start up the admin server any more.

Kind Regards,
Jo

From rcritten at redhat.com Mon Jul 10 14:54:51 2006
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 10 Jul 2006 10:54:51 -0400
Subject: [Fedora-directory-users] admin-server SSL
In-Reply-To:
References:
Message-ID: <44B26A3B.3060503@redhat.com>

Jo De Troy wrote:
> Hello,
>
> I'm trying to set up SSL for the admin server and I had a few questions.
> Can I reuse the server certificate that I use for the LDAP server? Or isn't
> it a good idea?
> It seems a bit strange to have to create 2 separate certificates for the
> LDAP server and the admin-server when they're running on the same physical
> server with the same fqdn. Or do I better use a virtual host for the
> admin-server? I must be missing something.
> I tried copying over the slapd-<>-key and slapd-<>-cert db's to
> admin-serv-<> but then I couldn't start up the admin server any more.

Yes, you can use the same certificate for both and copying is a good way to do this.

What error are you getting during startup?

rob

From jo.de.troy at gmail.com Mon Jul 10 15:15:13 2006
From: jo.de.troy at gmail.com (Jo De Troy)
Date: Mon, 10 Jul 2006 17:15:13 +0200
Subject: [Fedora-directory-users] admin-server SSL
Message-ID:

Hi Rob,

I expressed myself wrongly, sorry for that.

I can start up and connect as before (didn't enable SSL yet) but when I hit the Certificate Mgmt in the admin server console I get an internal error (Unable to open certificate database).

Bye,
Jo

From rcritten at redhat.com Mon Jul 10 15:32:01 2006
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 10 Jul 2006 11:32:01 -0400
Subject: [Fedora-directory-users] admin-server SSL
In-Reply-To:
References:
Message-ID: <44B272F1.6010106@redhat.com>

Jo De Troy wrote:
> Hi Rob,
>
> I expressed myself wrongly, sorry for that.
> I can start up and connect as before (didn't enable SSL yet) but when I hit
> the Certificate Mgmt in the admin server console I get an internal error
> (Unable to open certificate database).
>

My first guess is file ownership. I'll bet they are owned by root and mode 600. They need to be owned by the user that runs admin server, usually nobody.

rob

From linuxkarthi at gmail.com Mon Jul 10 15:40:08 2006
From: linuxkarthi at gmail.com (osk)
Date: Mon, 10 Jul 2006 21:10:08 +0530
Subject: [Fedora-directory-users] directory server stopped
In-Reply-To: <44B264D4.3010106@redhat.com>
References: <3ed7d0be0607100114r4f232719pb79ecb8003230292@mail.gmail.com> <44B264D4.3010106@redhat.com>
Message-ID: <3ed7d0be0607100840j2fcb5619n1ff937b152916cf2@mail.gmail.com>

hi,

On 7/10/06, Richard Megginson wrote:
>
> osk wrote:
> > hi,
> > when we do any modification using ldapadd, ldapmodify the server
> > shuts down the 389 service
> Do you have an example of the ldapmodify command you are doing?

ldapmodify -x -w admin123 -D "cn=admin,o=xyz" -h 192.168.250.10 -f Pankaj.Dhir_modify.ldif

modifying uid=SUNITA.DEVI,cn=people,o=xyz
ldap_bind: Can't contact LDAP server (-1)

the content of "Pankaj.Dhir_modify.ldif"

dn: uid=SUNITA.DEVI,cn=people,o=xyz
changetype: modify
replace: userPassword
userPassword: password

>
> > in "/opt/redhat-ds/slapd-inp1pf01/logs/errors" the following error appears if
> > we restart the service
> Is there anything else in the errors log before this? Can you post a
> relevant excerpt from your access log?

I enabled loglevel 512 and even 8192 also, but the server is not writing any information into the log file while the server is crashing

> What version of Fedora DS are you using? What OS and version?

I am using RHEL4U2 - rhds-7.1-sp2

waiting for your response

regards
karthikeyan.N

--
winners don't do different things
they do things differently

From jo.de.troy at gmail.com Mon Jul 10 15:50:48 2006
From: jo.de.troy at gmail.com (Jo De Troy)
Date: Mon, 10 Jul 2006 17:50:48 +0200
Subject: [Fedora-directory-users] admin-server SSL
Message-ID:

Hi Rob,

thanks. Stupid, stupid

The admin-server is up and running with SSL.

Can I disable non-SSL access from within the FedoraDS? Or should I use iptables to do this?

Thanks again,
Jo

From jo.de.troy at gmail.com Mon Jul 10 16:01:40 2006
From: jo.de.troy at gmail.com (Jo De Troy)
Date: Mon, 10 Jul 2006 18:01:40 +0200
Subject: [Fedora-directory-users] admin-server SSL
Message-ID:

Hi again,

I'm getting numerous HTTP response timeouts when trying to access the admin-server console.

Best Regards,
Jo

From rmeggins at redhat.com Mon Jul 10 16:29:37 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 10 Jul 2006 10:29:37 -0600
Subject: [Fedora-directory-users] admin-server SSL
In-Reply-To:
References:
Message-ID: <44B28071.1070906@redhat.com>

Jo De Troy wrote:
> Hi again,
>
> I'm getting numerous HTTP response timeouts when trying to access the
> admin-server console.

Are you using the https url to connect?

>
> Best Regards,
> Jo

From rmeggins at redhat.com Mon Jul 10 16:33:10 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 10 Jul 2006 10:33:10 -0600
Subject: [Fedora-directory-users] directory server stopped
In-Reply-To: <3ed7d0be0607100840j2fcb5619n1ff937b152916cf2@mail.gmail.com>
References: <3ed7d0be0607100114r4f232719pb79ecb8003230292@mail.gmail.com> <44B264D4.3010106@redhat.com> <3ed7d0be0607100840j2fcb5619n1ff937b152916cf2@mail.gmail.com>
Message-ID: <44B28146.1090407@redhat.com>

osk wrote:
> hi,
>
> On 7/10/06, Richard Megginson wrote:
>
>     osk wrote:
>     > hi,
>     > when we do any modification using ldapadd, ldapmodify the server
>     > shuts down the 389 service
>     Do you have an example of the ldapmodify command you are doing?
>
> ldapmodify -x -w admin123 -D "cn=admin,o=xyz" -h
> 192.168.250.10 -f Pankaj.Dhir_modify.ldif
>
> modifying uid=SUNITA.DEVI,cn=people,o=xyz
> ldap_bind: Can't contact LDAP server (-1)
>
> the content of "Pankaj.Dhir_modify.ldif"
>
> dn: uid=SUNITA.DEVI,cn=people,o=xyz
> changetype: modify
> replace: userPassword
> userPassword: password
>
>     > in "/opt/redhat-ds/slapd-inp1pf01/logs/errors" the following
>     error appears if
>     > we restart the service
>     Is there anything else in the errors log before this? Can you post a
>     relevant excerpt from your access log?
>
> I enabled loglevel 512 and even 8192 also, but the server is not
> writing any information into the log file while the server is crashing

Try loglevel 1

>
>     What version of Fedora DS are you using? What OS and version?
>
> I am using RHEL4U2 - rhds-7.1-sp2

Are you a Red Hat Directory Server customer? If so, you might want to go through your support channel - they may have more information. But this does sound suspiciously like a bug we encountered. Are you using the new password syntax checking?

>
> waiting for your response
>
> regards
> karthikeyan.N
>
> --
> winners don't do different things
> they do things differently

From rmeggins at redhat.com Mon Jul 10 16:36:41 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 10 Jul 2006 10:36:41 -0600
Subject: [Fedora-directory-users] phpQLAdmin schema
In-Reply-To: <44B150970200008B00000F49@gwise.isicbrasil.com.br>
References: <44B150970200008B00000F49@gwise.isicbrasil.com.br>
Message-ID: <44B28219.2060400@redhat.com>

Cesario wrote:
> Hi Mike,
>
> I replaced all entries with "SUP owner" with
>
>     EQUALITY distinguishedNameMatch
>     SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
>     SINGLE-VALUE)
>
> but I think that doesn't work..... see
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> ldaptest:/tmp # /opt/fedora-ds/slapd-ldaptest/start-slapd
> [09/Jul/2006:06:53:47 -0300] dse - The entry cn=schema in file /opt/fedora-ds/slapd-ldaptest/config/schema/55ns-phpQLAdmin.ldif is invalid, error code 21 (Invalid syntax) - attribute type baseQuota: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.44"

I think this is the numeric string syntax which is not supported by Fedora DS. If the baseQuota value is an integer (e.g. [0-9]+) and does not contain . or - or other alpha characters, you can use the integer syntax which is 1.3.6.1.4.1.1466.115.121.1.15. Otherwise, you can just use something like 1.3.6.1.4.1.1466.115.121.1.15 which should work fine.
> [09/Jul/2006:06:53:47 -0300] dse - Please edit the file to correct the reported problems and then restart the server.
> ldaptest:/tmp #
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
> I attach the file with the changes ...
> can U help me?
>
> Thanks
>
> Carlos
>
>>>> Mike Jackson 09/07/06 18:18 >>>
> Cesario wrote:
> >
> > Can I do the same procedure as with attribute 'administrator'?
>
> Yes.
>
> BR,
> Mike
>
> ------------------------------------------------------------------------
>
> # OID base (IANA)                 1.3.6.1.4.1
> # OID Base (Turbo Fredriksson)    8767
> #
> # OID assignments:
> #   LDAP Elements                           1
> #     [defined elsewhere]
> #
> #   SNMP Elements                           2
> #     [defined elsewhere]
> #
> #   phpQLAdmin Elements                     3
> #     Objectclasses                         1
> #       phpQLAdminConfig                    1
> #       phpQLAdminGlobal                    2
> #       phpQLAdminBranch                    3
> #       phpQLAdminInfo                      5
> #       phpQLAdminUser                      6
> #       phpQLAdminUserTemplate              7
> #       phpQLAdminMXHostAddition            8
> #
> #     Attributes                            2
> #       Toggles                             1
> #         showUsers                         1
> #         useControls                       2
> #         useEzmlm                          3
> #         autoReload                        4
> #         autoSend                          5
> #         autoAddLocals                     6
> #         allowServerChange                 7
> #         allowAbsoluteMailPath             8
> #         deleteVerification                9
> #         useBind9                          10
> #         test                              11
> #         autoAddRCPTHosts                  12
> #         autoAddHostName                   13
> #         autoCreateUserName                14
> #         autoCreateMailAddress             15
> #         autoCreatePassWord                16
> #         useWebSrv                         17
> #         startWithAdvancedMode             18
> #         useACI                            19
> #         useMBox                           20
> #         ezmlmRemote                       21
> #         useSimScan                        22
> #         simScanSpamAssassin               23
> #         simScanClamAntiVirus              24
> #         simScanTrophie                    25
> #         autoCreateUGidNumber              26
> #         allowAllPasswordChars             27
> #         useHostACL                        28
> #         useSudo                           29
> #
> #       System texts                        2
> #         whoAreWe                          1
> #         subTreeUsers                      2
> #         subTreeGroups                     3
> #         branchObjectClass                 4
> #         userObjectClass                   5
> #         userReference                     6
> #         branchReference                   7
> #         ezmlmBinaryPath                   8
> #         passWordScheme                    9
> #         catchAllUser                      10
> #         userAttribute                     11
> #         language                          12
> #         externalScriptUser                13
> #         externalScriptDomain              14
> #         krb5AdminServer                   15
> #         krb5AdminKeytab                   16
> #         krb5AdminCommandPath              17
> #         [removed: virtualBaseHomeDir]
> #         ezmlmVirtualUser                  18
> #         externalScriptUserDelete          19
> #         externalScriptDomainDelete        20
> #         ezmlmRemoteRetreiveScript         21
> #
> #       Texts                               3
> #         hostMaster                        1
> #         testMailSubject                   2
> #         testMailText                      3
> #         forwardUIDNumber                  4
> #         minimumUIDNumber                  5
> #         minimumGIDNumber                  6
> #
> #       Value                               4
> #         defaultDomain                     1
> #         baseHomeDir                       2
> #         baseMailDir                       3
> #         administrator                     4
> #         controlBaseDN                     5
> #         baseQuota                         6
> #         maximumDomainUsers                7
> #         additionalDomainName              8
> #         defaultPasswordScheme             9
> #         ezmlmAdministrator                10
> #         maximumMailingLists               11
> #         controlsAdministrator             12
> #         userNamePrefix                    13
> #         userNamePrefixLength              14
> #         vatNumber                         15
> #         userTemplateName                  17
> #         userTemplateDescriptionShort      18
> #         userTemplateDescriptionLong       19
> #         ezmlmRemoteHost                   20
> #         ezmlmRemoteUser                   21
> #         nonPrimaryRcptHosts               22
> #         simScanSpamAssassinHits           23
> #         simScanAttachmentSuffix           24
> # --------------------------------------------
> #
> # *mod_cfg_ldap => Also defined (with other name) in mod_cfg_ldap
> #                  availible from http://sourceforge.net/projects/modcfgldap/
> #                  See doc/README.apache for more information.
>
> # $Id: phpQLAdmin.schema,v 2.63 2006/03/08 14:21:06 turbo Exp $
>
> # PQL_ATTR_SHOW_USERS (true | false)
> attributetype ( 1.3.6.1.4.1.8767.3.2.1.1 NAME 'showUsers'
>     DESC 'Shown users in the navigation frame [True/False]?'
>     EQUALITY booleanMatch
>     SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
>     SINGLE-VALUE )
>
> # PQL_ATTR_CONTROL_USE (true | false)
> attributetype ( 1.3.6.1.4.1.8767.3.2.1.2 NAME 'useControls'
>     DESC 'Is ~controls information stored in LDAP database [True/False]?'
>     EQUALITY booleanMatch
>     SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
>     SINGLE-VALUE )
>
> # PQL_ATTR_EZMLM_USE (true | false)
> attributetype ( 1.3.6.1.4.1.8767.3.2.1.3 NAME 'useEzmlm'
>     DESC 'Manage ezmlm mailinglists [True/False]?'
>     EQUALITY booleanMatch
>     SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
>     SINGLE-VALUE )
>
> # PQL_ATTR_AUTO_RELOAD (true | false)
> attributetype ( 1.3.6.1.4.1.8767.3.2.1.4 NAME 'autoReload'
>     DESC 'Automatically reload navigation bar(s) [True/False]?'
>     EQUALITY booleanMatch
>     SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
>     SINGLE-VALUE )
>
> # PQL_ATTR_TESTMAIL_AUTOSEND (true | false)
> attributetype ( 1.3.6.1.4.1.8767.3.2.1.5 NAME 'autoSend'
>     DESC 'Automatically send a testmail when a new user or alias has been added [True/False]?'
>     EQUALITY booleanMatch
>     SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
>     SINGLE-VALUE )
>
> # PQL_ATTR_CONTROL_AUTOADDLOCALS (true | false)
> attributetype ( 1.3.6.1.4.1.8767.3.2.1.6 NAME 'autoAddLocals'
>     DESC 'Automatically add domain to ~controls/locals attribute [True/False]?'
>     EQUALITY booleanMatch
>     SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
>     SINGLE-VALUE )
>
> # PQL_ATTR_CHANGE_SERVER (true | false)
> attributetype ( 1.3.6.1.4.1.8767.3.2.1.7 NAME 'allowServerChange'
>     DESC 'Should we allow LDAP server change [True/False]?'
>     EQUALITY booleanMatch
>     SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
>     SINGLE-VALUE )
>
> # PQL_ATTR_ALLOW_ABSOLUTE_PATH (true | false)
> attributetype ( 1.3.6.1.4.1.8767.3.2.1.8 NAME 'allowAbsoluteMailPath'
>     DESC 'Should we allow setting absolute path to mailbox directory [True/False]?'
>     EQUALITY booleanMatch
>     SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
>     SINGLE-VALUE )
>
> # PQL_ATTR_VERIFY_DELETE (true | false)
> attributetype ( 1.3.6.1.4.1.8767.3.2.1.9 NAME 'deleteVerification'
>     DESC 'Verify deletion of user objects etc [True/False]?'
>     EQUALITY booleanMatch
>     SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
>     SINGLE-VALUE )
>
> # PQL_ATTR_BIND9_USE (true | false)
> attributetype ( 1.3.6.1.4.1.8767.3.2.1.10 NAME 'useBind9'
>     DESC 'Manage a Bind 9 DNS server [True/False]?'
>     EQUALITY booleanMatch
>     SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
>     SINGLE-VALUE )
>
> attributetype ( 1.3.6.1.4.1.8767.3.2.1.11 NAME 'test'
>     DESC 'Used to test write access, dont set yourself'
>     EQUALITY booleanMatch
>     SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
>     SINGLE-VALUE )
>
> # PQL_ATTR_CONTROL_AUTOADDRCPTHOSTS (true | false)
> attributetype ( 1.3.6.1.4.1.8767.3.2.1.12 NAME 'autoAddRCPTHosts'
>     DESC 'Automatically add domain to ~controls/rcpthosts attribute [True/False]?'
>     EQUALITY booleanMatch
>     SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
>     SINGLE-VALUE )
>
> # PQL_ATTR_CONTROL_AUTOADDHOSTNAME (true | false)
> attributetype ( 1.3.6.1.4.1.8767.3.2.1.13 NAME 'autoAddHostName'
>     DESC 'Automatically add hostname to domain for ~controls/rcpthosts attribute [True/False]?'
>     EQUALITY booleanMatch
>     SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
>     SINGLE-VALUE )
>
> # PQL_ATTR_AUTOCREATE_USERNAME
> attributetype ( 1.3.6.1.4.1.8767.3.2.1.14 NAME 'autoCreateUserName'
>     DESC 'Automatically create username when creating a user [True/False]?'
>     EQUALITY booleanMatch
>     SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
>     SINGLE-VALUE )
>
> # PQL_ATTR_CREATE_ADDRESS
> attributetype ( 1.3.6.1.4.1.8767.3.2.1.15 NAME 'autoCreateMailAddress'
>     DESC 'Automatically create email address when creating a user [True/False]?'
>     EQUALITY booleanMatch
>     SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
>     SINGLE-VALUE )
>
> # PQL_ATTR_CREATE_PASSWORD
> attributetype ( 1.3.6.1.4.1.8767.3.2.1.16 NAME 'autoCreatePassWord'
>     DESC 'Automatically create password when creating a user [True/False]?'
>     EQUALITY booleanMatch
>     SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
>     SINGLE-VALUE )
>
> # PQL_ATTR_WEBSRV_USE (true | false)
> attributetype ( 1.3.6.1.4.1.8767.3.2.1.17 NAME 'useWebSrv'
>     DESC 'Manage a webserver [True/False]?'
> EQUALITY booleanMatch > SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 > SINGLE-VALUE ) > > # PQL_ATTR_START_ADVANCED (true | false) > attributetype ( 1.3.6.1.4.1.8767.3.2.1.18 NAME 'startWithAdvancedMode' > DESC 'Start phpQLAdmin in advanced mode when logging in [True/False]?' > EQUALITY booleanMatch > SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 > SINGLE-VALUE ) > > # PQL_ATTR_ACI_USE (true | false) > attributetype ( 1.3.6.1.4.1.8767.3.2.1.19 NAME 'useACI' > DESC 'Manage Access Control Informations [True/False]?' > EQUALITY booleanMatch > SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 > SINGLE-VALUE ) > > # PQL_ATTR_CREATE_MBOX (true | false) > attributetype ( 1.3.6.1.4.1.8767.3.2.1.20 NAME 'useMBox' > DESC 'Create MBox instead of Maildir mail boxes [True/False]?' > EQUALITY booleanMatch > SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 > SINGLE-VALUE ) > > # PQL_ATTR_EZMLM_REMOTE (true | false) > attributetype ( 1.3.6.1.4.1.8767.3.2.1.21 NAME 'ezmlmRemote' > DESC 'Ezmlm lists are located on remote server [True/False]?' > EQUALITY booleanMatch > SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 > SINGLE-VALUE ) > > # PQL_ATTR_SIMSCAN_USE (true | false) > attributetype ( 1.3.6.1.4.1.8767.3.2.1.22 NAME 'useSimScan' > DESC 'Allow setting SimScan values for domain/branch [True/False]?' > EQUALITY booleanMatch > SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 > SINGLE-VALUE ) > > # PQL_ATTR_SIMSCAN_SPAM (true | false) > attributetype ( 1.3.6.1.4.1.8767.3.2.1.23 NAME 'simScanSpamAssassin' > DESC 'Run SpamAssassin in domain [True/False]?' > EQUALITY booleanMatch > SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 > SINGLE-VALUE ) > > # PQL_ATTR_SIMSCAN_CLAM (true | false) > attributetype ( 1.3.6.1.4.1.8767.3.2.1.24 NAME 'simScanClamAntiVirus' > DESC 'Run Clam AntiVirus in domain [True/False]?' > EQUALITY booleanMatch > SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 > SINGLE-VALUE ) > > # PQL_ATTR_SIMSCAN_TROPHIE (true | false) > attributetype ( 1.3.6.1.4.1.8767.3.2.1.25 NAME 'simScanTrophie' > DESC 'Run Trophie in domain [True/False]?' 
> EQUALITY booleanMatch > SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 > SINGLE-VALUE ) > > # PQL_ATTR_AUTOCREATE_UGIDNUMBER (true | false) > attributetype ( 1.3.6.1.4.1.8767.3.2.1.26 NAME 'autoCreateUGidNumber' > DESC 'Automatically create the uidNumber and gidNumber [True/False]?' > EQUALITY booleanMatch > SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 > SINGLE-VALUE ) > > # PQL_ATTR_ALLOW_ALL_CHARS (true | false) > attributetype ( 1.3.6.1.4.1.8767.3.2.1.27 NAME 'allowAllPasswordChars' > DESC 'Allow all characters in passwords [True/False]?' > EQUALITY booleanMatch > SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 > SINGLE-VALUE ) > > # PQL_ATTR_HOSTACL_USE (true | false) > attributetype ( 1.3.6.1.4.1.8767.3.2.1.28 NAME 'useHostACL' > DESC 'Allow setting host ACLs for domain/branch [True/False]?' > EQUALITY booleanMatch > SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 > SINGLE-VALUE ) > > # PQL_ATTR_SUDO_USE (true | false) > attributetype ( 1.3.6.1.4.1.8767.3.2.1.29 NAME 'useSudo' > DESC 'Allow setting sudo values for domain/branch [True/False]?' 
> EQUALITY booleanMatch > SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 > SINGLE-VALUE ) > > # ----------------------------------------- > > # PQL_CONF_WHOAREWE > attributetype ( 1.3.6.1.4.1.8767.3.2.2.1 NAME 'whoAreWe' > DESC 'Title' > EQUALITY caseIgnoreMatch > SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} > SINGLE-VALUE ) > > # PQL_CONF_SUBTREE_USERS > attributetype ( 1.3.6.1.4.1.8767.3.2.2.2 NAME 'subTreeUsers' > DESC 'Subtree value - Users' > EQUALITY caseIgnoreMatch > SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} > SINGLE-VALUE ) > > # PQL_CONF_SUBTREE_GROUPS > attributetype ( 1.3.6.1.4.1.8767.3.2.2.3 NAME 'subTreeGroups' > DESC 'Subtree value - Groups' > EQUALITY caseIgnoreMatch > SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} > SINGLE-VALUE ) > > # PQL_ATTR_OBJECTCLASS_DOMAIN (LDAP object classes) > attributetype ( 1.3.6.1.4.1.8767.3.2.2.4 NAME 'branchObjectClass' > DESC 'Domain/Branch object classes' > EQUALITY caseExactIA5Match > SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) > > # PQL_CONF_OBJECTCLASS_* (LDAP object classes) > attributetype ( 1.3.6.1.4.1.8767.3.2.2.5 NAME 'userObjectClass' > DESC 'User object classes' > EQUALITY caseExactIA5Match > SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) > > # PQL_CONF_REFERENCE_USERS_WITH (LDAP attribute name) > attributetype ( 1.3.6.1.4.1.8767.3.2.2.6 NAME 'userReference' > DESC 'Defines which attribute phpQLAdmin passes to various functions when it needs to reference users' > EQUALITY caseIgnoreMatch > SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} > SINGLE-VALUE ) > > # PQL_CONF_REFERENCE_BRANCHES_WITH (LDAP attribute name) > attributetype ( 1.3.6.1.4.1.8767.3.2.2.7 NAME 'branchReference' > DESC 'Defines which attribute phpQLAdmin passes to various functions when it needs to reference branches' > EQUALITY caseIgnoreMatch > SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} > SINGLE-VALUE ) > > # PQL_ATTR_EZMLM_PATH > attributetype ( 1.3.6.1.4.1.8767.3.2.2.8 NAME 'ezmlmBinaryPath' > DESC 'Path to ezmlm-* binaries' > EQUALITY caseExactIA5Match > SYNTAX 
1.3.6.1.4.1.1466.115.121.1.26 > SINGLE-VALUE ) > > # PQL_ATTR_PASSWORD_SCHEMES > attributetype ( 1.3.6.1.4.1.8767.3.2.2.9 NAME 'passWordScheme' > DESC 'Password scheme to allow' > EQUALITY caseExactIA5Match > SYNTAX 1.3.6.1.4.1.1466.115.121.1.26) > > # PQL_ATTR_CATCHALLUSER > attributetype ( 1.3.6.1.4.1.8767.3.2.2.10 NAME 'catchAllUser' > DESC 'Name of the catchall user' > EQUALITY caseExactIA5Match > SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 > SINGLE-VALUE ) > > # PQL_ATTR_* > attributetype ( 1.3.6.1.4.1.8767.3.2.2.11 NAME 'userAttribute' > DESC '' > EQUALITY caseIgnoreMatch > SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} ) > > # PQL_ATTR_LANG > attributetype ( 1.3.6.1.4.1.8767.3.2.2.12 NAME 'language' > DESC 'Language to be used by the interface' > EQUALITY caseExactIA5Match > SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 > SINGLE-VALUE ) > > # PQL_ATTR_SCRIPT_CREATE_USER > attributetype ( 1.3.6.1.4.1.8767.3.2.2.13 NAME 'externalScriptUser' > DESC 'Path to external user creation script' > EQUALITY caseExactIA5Match > SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 > SINGLE-VALUE ) > > # PQL_ATTR_SCRIPT_CREATE_DOMAIN > attributetype ( 1.3.6.1.4.1.8767.3.2.2.14 NAME 'externalScriptDomain' > DESC 'Path to external domain/branch creation script' > EQUALITY caseExactIA5Match > SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 > SINGLE-VALUE ) > > # This is also availible in krb5-kdc.schema (from OpenLDAP.org) > #attributetype ( 1.3.6.1.4.1.5322.10.1.12 > # NAME 'krb5RealmName' > # EQUALITY octetStringMatch > # SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} ) > # > #attributetype ( 1.3.6.1.4.1.5322.10.1.1 > # NAME 'krb5PrincipalName' > # DESC 'The unparsed Kerberos principal name' > # EQUALITY caseExactIA5Match > # SINGLE-VALUE > # SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) > > # PQL_ATTR_KRB5_ADMIN_SERVER > attributetype ( 1.3.6.1.4.1.8767.3.2.2.15 NAME 'krb5AdminServer' > DESC 'Fully Qualified Host Name of the Kerberos admin server' > EQUALITY caseExactIA5Match > SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 > SINGLE-VALUE ) 
> > # PQL_ATTR_KRB5_ADMIN_KEYTAB > attributetype ( 1.3.6.1.4.1.8767.3.2.2.16 NAME 'krb5AdminKeytab' > DESC 'Path to keytab for use with kadmin command' > EQUALITY caseExactIA5Match > SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 > SINGLE-VALUE ) > > # PQL_ATTR_KRB5_ADMIN_COMMAND_PATH > attributetype ( 1.3.6.1.4.1.8767.3.2.2.17 NAME 'krb5AdminCommandPath' > DESC 'Path to the kadmin command' > EQUALITY caseExactIA5Match > SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 > SINGLE-VALUE ) > > # PQL_ATTR_EZMLM_USER > attributetype ( 1.3.6.1.4.1.8767.3.2.2.18 NAME 'ezmlmVirtualUser' > DESC 'EZMLM Mailing List User (in which homedirectory to store the .qmail files)' > EQUALITY caseExactIA5Match > SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 > SINGLE-VALUE ) > > # PQL_ATTR_SCRIPT_DELETE_USER > attributetype ( 1.3.6.1.4.1.8767.3.2.2.19 NAME 'externalScriptUserDelete' > DESC 'Path to external user removal script' > EQUALITY caseExactIA5Match > SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 > SINGLE-VALUE ) > > # PQL_ATTR_SCRIPT_DELETE_USER > attributetype ( 1.3.6.1.4.1.8767.3.2.2.20 NAME 'externalScriptDomainDelete' > DESC 'Path to external domain removal script' > EQUALITY caseExactIA5Match > SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 > SINGLE-VALUE ) > > # PQL_ATTR_EZMLM_REMOTE_RETREIVE_SCRIPT > attributetype ( 1.3.6.1.4.1.8767.3.2.2.21 NAME 'ezmlmRemoteRetreiveScript' > DESC 'Path to script that retreives lists and information on remote ezmlm hosts' > EQUALITY caseExactIA5Match > SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 > SINGLE-VALUE ) > > # ----------------------------------------- > > # PQL_ATTR_HOSTMASTER (emailaddress) > attributetype ( 1.3.6.1.4.1.8767.3.2.3.1 NAME 'hostMaster' > DESC 'Sender of testmails etc' > EQUALITY caseIgnoreMatch > SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} > SINGLE-VALUE ) > > # PQL_ATTR_TESTMAIL_SUBJECT (text) > attributetype ( 1.3.6.1.4.1.8767.3.2.3.2 NAME 'testMailSubject' > DESC 'Subject of test mails' > EQUALITY caseIgnoreMatch > SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} > 
SINGLE-VALUE ) > > # PQL_ATTR_TESTMAIL_MAILTEXT (text) > attributetype ( 1.3.6.1.4.1.8767.3.2.3.3 NAME 'testMailText' > DESC 'Content of test mails' > EQUALITY caseIgnoreMatch > SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} > SINGLE-VALUE ) > > # PQL_ATTR_FORWARDINGACCOUNT_UIDNUMBER (integer) > attributetype ( 1.3.6.1.4.1.8767.3.2.3.4 NAME 'forwardUIDNumber' > DESC 'UIDNumber of every forwarding account' > EQUALITY integerMatch > SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 > SINGLE-VALUE ) > > # PQL_ATTR_MINIMUM_UIDNUMBER (integer) > attributetype ( 1.3.6.1.4.1.8767.3.2.3.5 NAME 'minimumUIDNumber' > DESC 'Minimum UID Number to be used for shell and system accounts' > EQUALITY integerMatch > SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 > SINGLE-VALUE ) > > # PQL_ATTR_MINIMUM_GIDNUMBER (integer) > attributetype ( 1.3.6.1.4.1.8767.3.2.3.6 NAME 'minimumGIDNumber' > DESC 'Minimum GID Number to be used for shell and system accounts' > EQUALITY integerMatch > SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 > SINGLE-VALUE ) > > # ----------------------------------------- > > # This is also availible in qmailControl.schema (from QmailLDAP/Controls) > #attributetype ( 1.3.6.1.4.1.8767.3.2.4.1 NAME 'defaultDomain' > # DESC 'Default domain name for the branch' > # EQUALITY caseIgnoreMatch > # SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} > # SINGLE-VALUE ) > > attributetype ( 1.3.6.1.4.1.8767.3.2.4.2 NAME 'baseHomeDir' > DESC 'Prefix/Base home directory for users' > EQUALITY caseIgnoreMatch > SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} > SINGLE-VALUE ) > > attributetype ( 1.3.6.1.4.1.8767.3.2.4.3 NAME 'baseMailDir' > DESC 'Prefix/Base mail directory for users' > EQUALITY caseIgnoreMatch > SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} > SINGLE-VALUE ) > > attributetype ( 1.3.6.1.4.1.8767.3.2.4.4 NAME 'administrator' > DESC 'Administrator for branch' > EQUALITY distinguishedNameMatch > SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 > SINGLE-VALUE) > > attributetype ( 1.3.6.1.4.1.8767.3.2.4.5 NAME 'controlBaseDn' > DESC 
'Search base DN for QmailLDAP/Controls objects' > EQUALITY distinguishedNameMatch > SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 > SINGLE-VALUE) > > attributetype ( 1.3.6.1.4.1.8767.3.2.4.6 NAME 'baseQuota' > DESC 'Default mail quota for domain' > SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 > SINGLE-VALUE ) > > attributetype ( 1.3.6.1.4.1.8767.3.2.4.7 NAME 'maximumDomainUsers' > DESC 'Maximum users allowed in a domain branch' > EQUALITY integerMatch > SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 > SINGLE-VALUE ) > > attributetype ( 1.3.6.1.4.1.8767.3.2.4.8 NAME 'additionalDomainName' > DESC 'Additional domain names for branch/domain' > EQUALITY caseIgnoreMatch > SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024}) > > attributetype ( 1.3.6.1.4.1.8767.3.2.4.9 NAME 'defaultPasswordScheme' > DESC 'Default password scheme to use in branch' > EQUALITY caseIgnoreMatch > SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024}) > > attributetype ( 1.3.6.1.4.1.8767.3.2.4.10 NAME 'ezmlmAdministrator' > DESC 'Mailinglist Administrator for branch' > EQUALITY distinguishedNameMatch > SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 > SINGLE-VALUE) > > attributetype ( 1.3.6.1.4.1.8767.3.2.4.11 NAME 'maximumMailingLists' > DESC 'Maximum mailinglists allowed in a domain branch' > EQUALITY integerMatch > SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 > SINGLE-VALUE ) > > # PQL_CONF_ADMINISTRATE_CONTROLS > attributetype ( 1.3.6.1.4.1.8767.3.2.4.12 NAME 'controlsAdministrator' > DESC 'QmailLDAP/Controls information administrator(s)?' 
> EQUALITY distinguishedNameMatch > SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 > SINGLE-VALUE) > > # PQL_CONF_AUTOMATIC_USERNAME_CREATION_PREFIX > attributetype ( 1.3.6.1.4.1.8767.3.2.4.13 NAME 'userNamePrefix' > DESC 'The prefix to use when automaticly creating a username/uid' > EQUALITY caseIgnoreMatch > SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024}) > > # PQL_ATTR_USERNAME_PREFIX_LENGTH (integer) > attributetype ( 1.3.6.1.4.1.8767.3.2.4.14 NAME 'userNamePrefixLength' > DESC 'Length of username prefix when automaticly creating usernames' > EQUALITY integerMatch > SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 > SINGLE-VALUE ) > > # PQL_ATTR_VAT_NUMBER > attributetype ( 1.3.6.1.4.1.8767.3.2.4.15 NAME 'vatNumber' > DESC 'Company or VAT number' > EQUALITY caseIgnoreMatch > SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64} > SINGLE-VALUE ) > > # PQL_ATTR_USER_TEMPLATE_NAME > attributetype ( 1.3.6.1.4.1.8767.3.2.4.17 NAME 'userTemplateName' > DESC 'Short name of of user template' > EQUALITY caseIgnoreMatch > SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64} > SINGLE-VALUE ) > > # PQL_ATTR_USER_TEMPLATE_DESC_SHORT > attributetype ( 1.3.6.1.4.1.8767.3.2.4.18 NAME 'userTemplateDescriptionShort' > DESC 'Short description of a user template' > EQUALITY caseIgnoreMatch > SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64} > SINGLE-VALUE ) > > # PQL_ATTR_USER_TEMPLATE_DESC_LONG > attributetype ( 1.3.6.1.4.1.8767.3.2.4.19 NAME 'userTemplateDescriptionLong' > DESC 'Long description of a user template' > EQUALITY caseIgnoreMatch > SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64} > SINGLE-VALUE ) > > # PQL_ATTR_EZMLM_REMOTE_HOST > attributetype ( 1.3.6.1.4.1.8767.3.2.4.20 NAME 'ezmlmRemoteHost' > DESC 'FQDN of remote ezmlm mailinglist host' > EQUALITY caseIgnoreMatch > SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64} > SINGLE-VALUE ) > > # PQL_ATTR_EZMLM_REMOTE_USER > attributetype ( 1.3.6.1.4.1.8767.3.2.4.21 NAME 'ezmlmRemoteUser' > DESC 'Username for rsh to remote ezmlm mailinglist host' > EQUALITY caseIgnoreMatch > SYNTAX 
1.3.6.1.4.1.1466.115.121.1.15{64} > SINGLE-VALUE ) > > # PQL_ATTR_NONPRIMARY_RCPT_HOSTS > attributetype ( 1.3.6.1.4.1.8767.3.2.4.22 NAME 'nonPrimaryRcptHosts' > DESC 'Same thing as rcptHosts, but a helper to phpQLAdmin.' > EQUALITY caseIgnoreMatch > SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) > > # PQL_ATTR_ > attributetype ( 1.3.6.1.4.1.8767.3.2.4.23 NAME 'simScanSpamAssassinHits' > DESC 'How many SA hits before mail is considered spam' > EQUALITY caseIgnoreMatch > SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} > SINGLE-VALUE ) > > # PQL_ATTR_ > attributetype ( 1.3.6.1.4.1.8767.3.2.4.24 NAME 'simScanAttachmentSuffix' > DESC 'Which attachement suffixes to check for spam/virus' > EQUALITY caseIgnoreMatch > SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) > > # ----------------------------------------- > > objectclass ( 1.3.6.1.4.1.8767.3.1.1 > NAME 'phpQLAdminConfig' > DESC 'phpQLAdmin BRANCH configuration values' > MAY ( showUsers $ autoSend $ autoAddLocals $ > allowAbsoluteMailPath $ deleteVerification $ > subTreeUsers $ subTreeGroups $ > branchObjectClass $ userObjectClass $ > userReference $ branchReference $ > passwordScheme $ > testMailSubject $ testMailText $ > forwardUIDNumber $ test $ > baseQuota $ externalScriptUser $ > externalScriptDomain $ minimumUIDNumber $ > minimumGIDNumber $ autoAddRCPTHosts $ > autoAddHostName $ externalScriptUserDelete $ > externalScriptDomainDelete $ allowAllPasswordChars ) > SUP top AUXILIARY ) > > objectclass ( 1.3.6.1.4.1.8767.3.1.2 > NAME 'phpQLAdminGlobal' > DESC 'phpQLAdmin GLOBAL configuration values' > MAY ( useControls $ useEzmlm $ useBind9 $ useWebSrv $ > autoReload $ allowServerChange $ whoAreWe $ > language $ hostMaster $ ezmlmBinaryPath $ > krb5RealmName $ krb5AdminServer $ krb5PrincipalName $ > krb5AdminKeytab $ krb5AdminCommandPath $ > controlBaseDn $ ezmlmAdministrator $ > controlsAdministrator $ useACI $ useMBox $ > ezmlmRemote $ ezmlmRemoteHost $ ezmlmRemoteUser $ > ezmlmRemoteRetreiveScript $ useSimScan $ > 
simScanSpamAssassin $ simScanClamAntiVirus $ > simScanTrophie $ simScanSpamAssassinHits $ > simScanAttachmentSuffix ) > SUP top AUXILIARY ) > > objectclass ( 1.3.6.1.4.1.8767.3.1.3 > NAME 'phpQLAdminBranch' > DESC 'phpQLAdmin branch ACL values' > MAY ( defaultDomain $ baseHomeDir $ baseMailDir $ > administrator $ test $ o $ maximumDomainUsers $ > additionalDomainName $ defaultPasswordScheme $ > maximumMailingLists $ ezmlmVirtualUser $ > autoCreateUsername $ autoCreateMailAddress $ > autoCreatePassWord $ userNamePrefix $ > userNamePrefixLength $ useHostACL $ useSudo ) > SUP top AUXILIARY ) > > objectclass ( 1.3.6.1.4.1.8767.3.1.5 > NAME 'phpQLAdminInfo' > DESC 'phpQLAdmin branch information values' > MAY ( vatNumber $ mobile $ info ) > SUP top AUXILIARY ) > > objectclass ( 1.3.6.1.4.1.8767.3.1.6 > NAME 'phpQLAdminUser' > DESC 'phpQLAdmin user settings' > MAY ( startWithAdvancedMode ) > SUP top AUXILIARY ) > > objectclass ( 1.3.6.1.4.1.8767.3.1.7 > NAME 'phpQLAdminUserTemplate' > DESC 'phpQLAdmin user template' > MUST ( userTemplateName $ userTemplateDescriptionShort ) > MAY ( userTemplateDescriptionLong $ userObjectClass $ > passWordScheme $ autoCreateUGidNumber ) > SUP top STRUCTURAL ) > > objectclass ( 1.3.6.1.4.1.8767.3.1.8 > NAME 'phpQLAdminMXHostAddition' > DESC 'Additions for phpQLAdmin that wont fit in a QmailLDAP/Controls object' > MAY ( nonPrimaryRcptHosts $ simScanSpamAssassin $ > simScanClamAntiVirus $simScanTrophie $ > simScanSpamAssassinHits $ simScanAttachmentSuffix ) > SUP top AUXILIARY ) > > # > # Local variables: > # mode: fundamental > # mode: font-lock > # tab-width: 2 > # indent-tabs-mode: nil > # End: > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3178 bytes
Desc: S/MIME Cryptographic Signature
URL:

From jo.de.troy at gmail.com Mon Jul 10 16:36:00 2006
From: jo.de.troy at gmail.com (Jo De Troy)
Date: Mon, 10 Jul 2006 18:36:00 +0200
Subject: [Fedora-directory-users] admin-server SSL
Message-ID:

Hi Rich,

I'm getting the timeouts from within the startconsole application when I try to open up the admin server console.

I just tried shutting down startconsole and starting it up again and now I get "Cannot logon because of an incorrect User ID, Incorrect password or Directory problem. java.io.InterruptedIOException: HTTP response timeout".

Kind Regards,
Jo

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rmeggins at redhat.com Mon Jul 10 16:39:53 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 10 Jul 2006 10:39:53 -0600
Subject: [Fedora-directory-users] admin-server SSL
In-Reply-To:
References:
Message-ID: <44B282D9.7060704@redhat.com>

Jo De Troy wrote:
> Hi Rich,
>
> I'm getting the timeouts from within the startconsole application when
> I try to open up the admin server console.

The third field in the login dialog box is the url of the admin server. Are you using https instead of http in the url?

> I just tried shutting down startconsole and starting it up again
> and now I get Cannot logon because of an incorrect User ID, Incorrect
> password or Directory problem. java.io.InterruptedIOException: HTTP
> response timeout
>
> Kind Regards,
> Jo

From jo.de.troy at gmail.com Mon Jul 10 16:41:49 2006
From: jo.de.troy at gmail.com (Jo De Troy)
Date: Mon, 10 Jul 2006 18:41:49 +0200
Subject: [Fedora-directory-users] admin-server SSL
Message-ID:

Hi Rich,

I tried without SSL and got the error I mentioned in my previous post.

I'm trying now with https. It's taking a lot of time. The splash screen keeps saying Authenticating user ID "admin". I don't think it will get through.

Best Regards,
Jo

From rmeggins at redhat.com Mon Jul 10 16:51:57 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 10 Jul 2006 10:51:57 -0600
Subject: [Fedora-directory-users] admin-server SSL
In-Reply-To:
References:
Message-ID: <44B285AD.7050607@redhat.com>

Jo De Troy wrote:
> Hi Rich,
>
> I tried without SSL and got the error I mentioned in my previous post.

Once you enable SSL in the admin server, you cannot use the non-encrypted port anymore.

> I'm trying now with https. It's taking a lot of time. The splash
> screen keeps saying Authenticating user ID "admin". I don't think it
> will get through.

I think you have to enable ssl in the console - but you can't do that because you can't use the console.

> Best Regards,
> Jo

From jo.de.troy at gmail.com Mon Jul 10 17:07:06 2006
From: jo.de.troy at gmail.com (Jo De Troy)
Date: Mon, 10 Jul 2006 19:07:06 +0200
Subject: [Fedora-directory-users] admin-server SSL
Message-ID:

Hi Rich,

has anyone got a procedure to disable SSL in the admin server without having to reinstall everything?

Is there a procedure to reinstall without having to recreate the certificates? Or can I just copy back the old key and cert db's?

Thanks again,
Jo

From JFGamsby at lbl.gov Mon Jul 10 18:10:34 2006
From: JFGamsby at lbl.gov (Jeff Gamsby)
Date: Mon, 10 Jul 2006 11:10:34 -0700
Subject: [Fedora-directory-users] Customizing Windows Sync attributes
Message-ID: <44B2981A.5050701@lbl.gov>

Is it possible to customize the attributes that get synchronized from AD to FDS?

For example, I installed the Unix schemas on AD, and if I create a user on AD with UNIX attributes like uid, gid, loginshell it would be nice if they synced over to FDS.

Thanks,
Jeff

From nkinder at redhat.com Mon Jul 10 18:10:39 2006
From: nkinder at redhat.com (Nathan Kinder)
Date: Mon, 10 Jul 2006 11:10:39 -0700
Subject: [Fedora-directory-users] Customizing Windows Sync attributes
In-Reply-To: <44B2981A.5050701@lbl.gov>
References: <44B2981A.5050701@lbl.gov>
Message-ID: <44B2981F.80603@redhat.com>

Jeff Gamsby wrote:
> Is it possible to customize the attributes that get synchronized from
> AD to FDS?

No. The attributes that are sync'd are hard-coded.

-NGK

> For example, I installed the Unix schemas on AD, and if I create a
> user on AD with UNIX attributes like uid, gid, loginshell it would be
> nice if they synced over to FDS.
>
> Thanks,
> Jeff

From rmeggins at redhat.com Mon Jul 10 19:33:38 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 10 Jul 2006 13:33:38 -0600
Subject: [Fedora-directory-users] admin-server SSL
In-Reply-To:
References:
Message-ID: <44B2AB92.7020605@redhat.com>

Jo De Troy wrote:
> Hi Rich,
>
> has anyone got a procedure to disable SSL in the admin server without
> having to reinstall everything?

I've added some info here - http://directory.fedora.redhat.com/wiki/Howto:SSL#Admin_Server_SSL_Information

> Is there a procedure to reinstall without having to recreate the
> certificates? Or can I just copy back the old key and cert db's?

You can just copy back the old key/cert files.

> Thanks again,
> Jo
From ccesario at isic.com.br Mon Jul 10 20:20:37 2006
From: ccesario at isic.com.br (Carlos Cesario)
Date: Mon, 10 Jul 2006 17:20:37 -0300
Subject: [Fedora-directory-users] phpQLAdmin schema
In-Reply-To: <44B28219.2060400@redhat.com>
References: <44B150970200008B00000F49@gwise.isicbrasil.com.br> <44B28219.2060400@redhat.com>
Message-ID: <1152562839.4698.40.camel@localhost.localdomain>

Hi Richard

Yes, I noticed this. I see the attribute 'mailQuotaSize' in qmail.ldif and I see that this attribute uses the SYNTAX 1.3.6.1.4.1.1466.115.121.1.27. Then I put this in baseQuota (in phpqladmin schema) and it works....

Well, (it doesn't give errors :P)

Can I keep this syntax, or do you suggest changing to 1.3.6.1.4.1.1466.115.121.1.15?

> I think this is the numeric string syntax which is not supported by
> Fedora DS. If the baseQuota value is an integer (e.g. [0-9]+) and does
> not contain . or - or other alpha characters, you can use the integer
> syntax which is 1.3.6.1.4.1.1466.115.121.1.15. Otherwise, you can just
> use something like 1.3.6.1.4.1.1466.115.121.1.15 which should work fine.

Thanks

Carlos

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 191 bytes
Desc: This is a digitally signed message part
URL:

From rmeggins at redhat.com Mon Jul 10 20:23:25 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 10 Jul 2006 14:23:25 -0600
Subject: [Fedora-directory-users] phpQLAdmin schema
In-Reply-To: <1152562839.4698.40.camel@localhost.localdomain>
References: <44B150970200008B00000F49@gwise.isicbrasil.com.br> <44B28219.2060400@redhat.com> <1152562839.4698.40.camel@localhost.localdomain>
Message-ID: <44B2B73D.5020304@redhat.com>

Carlos Cesario wrote:
>Hi Richard
>
>Yes, I noticed this. I see the attribute 'mailQuotaSize' in qmail.ldif
>and I see that this attribute uses the SYNTAX
>1.3.6.1.4.1.1466.115.121.1.27. Then I put this in baseQuota (in
>phpqladmin schema) and it works....
>
>Well, (it doesn't give errors :P)
>
>Can I keep this syntax, or do you suggest changing to
>1.3.6.1.4.1.1466.115.121.1.15?

I don't know for sure, but I think .27 should work.

>>I think this is the numeric string syntax which is not supported by
>>Fedora DS. If the baseQuota value is an integer (e.g. [0-9]+) and does
>>not contain . or - or other alpha characters, you can use the integer
>>syntax which is 1.3.6.1.4.1.1466.115.121.1.15. Otherwise, you can just
>>use something like 1.3.6.1.4.1.1466.115.121.1.15 which should work fine.
>
>Thanks
>
>Carlos
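The exchange above turns on which SYNTAX OID baseQuota should carry, and the OIDs quoted in it are easy to mix up: in RFC 4517 numbering .27 is Integer, .15 is Directory String, .36 is Numeric String, and the .44 that the attached phpQLAdmin.schema gives baseQuota is Printable String. The same attachment lists krb5RealmName and krb5PrincipalName in phpQLAdminGlobal's MAY clause while their attributetype definitions are commented out, so the server cannot resolve those names unless krb5-kdc.schema is loaded first. The linter below is an added example, not part of the thread or of phpQLAdmin; it parses a schema file offline and reports both kinds of problem before the server's "Please edit the file to correct the reported problems and then restart the server" does. SUPPORTED_SYNTAXES, the sample objectclass sampleBranch and its OID ending in .3.1.99 are assumptions constructed for the example; the two attributetypes in the sample are copied from the attached schema.

```python
"""Lint an OpenLDAP-style schema file before loading it into Fedora DS.

Added example, not from the list thread or from phpQLAdmin. It parses the
attributetype and objectclass definitions, then reports attributes whose
SYNTAX OID the server will not accept and objectclass MUST/MAY members that
no attributetype defines. SUPPORTED_SYNTAXES is an assumption for
illustration; take the real list from your server's own schema.
"""
import re

# RFC 4517 syntax OIDs, named so that reports are readable.
SYNTAX_NAMES = {
    "1.3.6.1.4.1.1466.115.121.1.7": "Boolean",
    "1.3.6.1.4.1.1466.115.121.1.12": "DN",
    "1.3.6.1.4.1.1466.115.121.1.15": "Directory String",
    "1.3.6.1.4.1.1466.115.121.1.26": "IA5 String",
    "1.3.6.1.4.1.1466.115.121.1.27": "Integer",
    "1.3.6.1.4.1.1466.115.121.1.36": "Numeric String",
    "1.3.6.1.4.1.1466.115.121.1.44": "Printable String",
}
# Assumption: the syntaxes this server build accepts (Printable and Numeric String left out).
SUPPORTED_SYNTAXES = {
    "1.3.6.1.4.1.1466.115.121.1.7", "1.3.6.1.4.1.1466.115.121.1.12",
    "1.3.6.1.4.1.1466.115.121.1.15", "1.3.6.1.4.1.1466.115.121.1.26",
    "1.3.6.1.4.1.1466.115.121.1.27",
}

# Constructed sample: two attributetypes copied from the thread's schema plus an
# objectclass made up for this example (OID ...3.1.99 is a placeholder).
SAMPLE_SCHEMA = """\
attributetype ( 1.3.6.1.4.1.8767.3.2.4.6 NAME 'baseQuota'
    DESC 'Default mail quota for domain'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.44
    SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.8767.3.2.4.7 NAME 'maximumDomainUsers'
    DESC 'Maximum users allowed in a domain branch'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )

# Commented out, as in the thread: it lives in krb5-kdc.schema instead.
#attributetype ( 1.3.6.1.4.1.5322.10.1.12 NAME 'krb5RealmName'
#    SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )

objectclass ( 1.3.6.1.4.1.8767.3.1.99 NAME 'sampleBranch'
    DESC 'constructed objectclass for the linter'
    MAY ( baseQuota $ maximumDomainUsers $ o $ krb5RealmName )
    SUP top AUXILIARY )
"""


def definitions(text):
    """Yield (kind, body) for each top-level attributetype/objectclass ( ... )."""
    code = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    for m in re.finditer(r"\b(attributetype|objectclass)\s*\(", code, re.IGNORECASE):
        depth, i = 1, m.end()
        while depth and i < len(code):       # walk to the matching close paren
            depth += {"(": 1, ")": -1}.get(code[i], 0)
            i += 1
        yield m.group(1).lower(), code[m.end():i - 1]


def parse_schema(text):
    """Return ({lowercase name: attribute info}, {lowercase name: objectclass info})."""
    attrs, classes = {}, {}
    for kind, body in definitions(text):
        name = re.search(r"NAME\s+'([^']+)'", body).group(1)
        if kind == "attributetype":
            syn = re.search(r"SYNTAX\s+([\d.]+)", body)   # stops before any {len} suffix
            attrs[name.lower()] = {"name": name, "syntax": syn.group(1) if syn else None,
                                   "single": "SINGLE-VALUE" in body}
        else:
            members = []
            for m in re.finditer(r"\b(MUST|MAY)\s+(?:\(([^)]*)\)|(\S+))", body):
                raw = m.group(2) if m.group(2) is not None else m.group(3)
                members += [a.strip() for a in raw.split("$") if a.strip()]
            classes[name.lower()] = {"name": name, "members": members}
    return attrs, classes


def lint(text, known_attrs=(), supported=SUPPORTED_SYNTAXES):
    """List problems the server would report; known_attrs names attributes defined elsewhere."""
    attrs, classes = parse_schema(text)
    problems = []
    for a in attrs.values():
        if a["syntax"] not in supported:
            label = SYNTAX_NAMES.get(a["syntax"], "unknown")
            problems.append(f"{a['name']}: syntax {a['syntax']} ({label}) is not supported")
    defined = set(attrs) | {k.lower() for k in known_attrs}   # LDAP names are case-insensitive
    for c in classes.values():
        for member in c["members"]:
            if member.lower() not in defined:
                problems.append(f"{c['name']}: MUST/MAY references undefined attribute {member}")
    return problems


if __name__ == "__main__":
    for line in lint(SAMPLE_SCHEMA, known_attrs={"o"}):   # 'o' comes from the core schema
        print(line)
```

Run it against the whole attached schema with known_attrs set to the names your server already has (o, mobile, info and, if krb5-kdc.schema is loaded, the krb5 attributes) and it lists exactly the definitions the server would refuse, which is a safer check than restarting a production instance to read the error log.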
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Tue Jul 11 12:52:44 2006 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 11 Jul 2006 08:52:44 -0400 Subject: [Fedora-directory-users] Converting a 4-way replication setup to SSL In-Reply-To: <9C0091F428E697439E7A773FFD083427025EF0@szexchange.Shopzilla.inc> References: <9C0091F428E697439E7A773FFD083427025EF0@szexchange.Shopzilla.inc> Message-ID: <44B39F1C.5000605@redhat.com> Philip Kime wrote: > What a nightmare. > > I tried to use the script on the Wiki but this isn't really set up to do > this. I would like one CA and then to generate all of the DS and AS > certificates from this. I can't work out if I need to copy the CA db or > just the .asc file to the other servers to generate the certs - it seems > to need the key for the CA cert and also the noise and pwd files? I > finally got two servers on SSL but they won't replicate as they don't > like each other's certificates even though I had the CA certs on both > servers. > > I have spent eight hours getting nowhere and will have to start again > from scratch. If there are any clues on how to: > > Have one CA for all server certs > How to install this CA cert on all servers > What is needed for replication over SSL to work > > It sounds like you're trying to use the setupssl.sh script from the How to at http://directory.fedora.redhat.com/wiki/Howto:SSL. It isn't really designed to be a poor-man's CA, as you're seeing. I can't help with the replication but I can help getting SSL set up. It should be possible to use this setupssl.sh script, here is one way. Just know that setting up a PKI infrastructure is hard (and harder to do properly). If this CA is going to be only used for the replication agreements it's probably fine. If you want to use it for web servers, client certificates, LDAP-based login, you may want to spend some time planning. 
In any case, let's jump right in.

Normally when one has a CA you keep the key material locked away and just pull it out when you want to issue a new certificate. If you really are going to use this just for replication agreements this is less of a problem.

I'm assuming you have 4 servers, A-D, and each server only 1 instance installed.

So, start with server A, and blow away /opt/fedora-ds/alias/slapd--*.db (or better, make a copy somewhere in case you ever want it).

This is going to be our "master" server. Run setupssl.sh.

You now have a self-signed CA that has issued a server certificate for server A. The nickname is Server-Cert.

Now you could just copy this whole certificate database to the other machines, tweak setupssl.sh a bit, and re-run it and get your certificates that way, but you'd really be spreading your CA keys all over the place, so I'm not going to do that.

Instead we're going to use the server A certificate database to generate the 3 remaining certificates we need.

You'll do this 3 times:

1. Edit setupssl.sh and find step 7.
2. Replace myhost=`hostname --fqdn` with myhost="foo.domain.com", where foo.domain.com is the output of hostname --fqdn on the target server (B, C or D).
3. Find the certutil line 2 lines below this myhost statement; you'll see something like "-m 1001". Increment this starting from 1003. This is the certificate serial number and it needs to be unique. 1002 is the server A admin server certificate.
4. In the same line you'll see -n "Server-Cert". This nickname needs to be unique, pick another one. It could be Server-CertB, a name, it isn't important as long as it is unique.
5. Run setupssl.sh.

Now that you've done this 3 times, you have in server A a certificate database with a CA certificate and 4 server certificates (5 if you count the admin one).

IMPORTANT: there is a trailing dash (-) at the end of each -P argument. If you do not have this dash things will not work.

Now we need to export the 3 other server certificates, we do this with:

# cd /opt/fedora-ds/alias
# ../shared/bin/pk12util -o serverb.p12 -P slapd-- -d . -n "Server-CertB"

Do this for each of the 3 nicknames you created.

Do the following on servers B - D. Note that the prefix for slapd- will likely be different for each server.

1. Copy the appropriate server?.p12 and the file cacert.asc to /opt/fedora-ds/alias on the target server (B, C, D).
2. Remove/archive *.db
3. Generate a new database with:
# ../shared/bin/certutil -N -P slapd-- -d .
4. Import the CA certificate with:
# ../shared/bin/certutil -A -d . -P slapd-- -n "CA certificate" -t "CT,," -a -i cacert.asc
5. Import your server certificate with:
# ../shared/bin/pk12util -i serverb.p12 -P slapd-- -d . -n "Server-CertB"
6. Check ownership/permissions of the database(s). They should be owned by nobody by default.

I think it would probably be best to do this just on Server A and B and give it a quick test. You can always go back and add in C and D later.

This would be infinitely easier if you had a real CA.

There are also easier ways to do this using a combination of the java console and the command-line, but I've stuck with the command-line here.

rob

From jo.de.troy at gmail.com Tue Jul 11 14:57:56 2006 From: jo.de.troy at gmail.com (Jo De Troy) Date: Tue, 11 Jul 2006 16:57:56 +0200 Subject: [Fedora-directory-users] admin-server SSL Message-ID:

Hello again,

I got SSL working on the admin server and can connect to it with startconsole https:// However once that was working I enabled the flag "Secure Connection" in the admin-server console- ConfigurationDS tab and now I cannot connect any more. The startconsole initializes forever. Any idea what might be causing this? How can I reset this flag?
Which entry in the directory stores this setting? And which entry stores the "Use SSL in Fedora Console" setting in the Encryption tab of the Directory server console? Or are both stored in a config file? Thanks again, Jo -------------- next part -------------- An HTML attachment was scrubbed... URL: From rmeggins at redhat.com Tue Jul 11 17:10:51 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Tue, 11 Jul 2006 10:10:51 -0700 Subject: [Fedora-directory-users] admin-server SSL In-Reply-To: References: Message-ID: <44B3DB9B.4080208@redhat.com> Jo De Troy wrote: > Hello again, > > I got SSL working on the admin server and can connect to it with > startconsole https:// > However once that was working I enabled the flag "Secure Connection" > in the admin-server console- ConfigurationDS tab and now I cannot > connect any more. The startconsole initializes forever. Any idea what > might be causing this? Did this information help at all? http://directory.fedora.redhat.com/wiki/Howto:SSL#Admin_Server_SSL_Information That might be in admin-serv/config/adm.conf or shared/config/dbswitch.conf Try startconsole -D to see where it is hanging, and also look at the admin server error and access logs in admin-serv/logs/ > How can I reset this flag? Which entry in the directory stores this > setting? > And which entry stores the "Use SSL in Fedora Console" setting in the > Encryption tab of the Directory server console? > Or are both stored in a config file? > > > Thanks again, > Jo > >------------------------------------------------------------------------ > >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From beyonddc.storage at gmail.com Wed Jul 12 14:06:43 2006 From: beyonddc.storage at gmail.com (Chun Tat David Chu) Date: Wed, 12 Jul 2006 10:06:43 -0400 Subject: [Fedora-directory-users] Question on Schema Object Class Inheritance Message-ID: <20e4c38c0607120706l7b5c5c1tea95604ed2ec4269@mail.gmail.com> Hi, I think I got the answer, but I would like to confirm that if I'm correct. At any given time, a single object class can only inherit from one and only one object class (no multiple inheritance). For example, if I have 3 object classes 1. objectclassA with attribute1 2. objectclassB with attribute2 3. objectclassC with attribute3 Then objectclassC can only either inherit from objectclassA or objectclassB. If I want multiple inheirtance, then I'll need the following setup 1. objectclassB inherits from objectclassA 2. objectclassC inheirts from objectclassB If I am correct about the object class inheritance, so that means thdoes this rule only apply on Fedora Directory Server or it applies to all other LDAP-enabled directory servers? Thanks! David Chu -------------- next part -------------- An HTML attachment was scrubbed... URL: From Dirk.Kastens at uni-osnabrueck.de Wed Jul 12 14:49:17 2006 From: Dirk.Kastens at uni-osnabrueck.de (Dirk Kastens) Date: Wed, 12 Jul 2006 16:49:17 +0200 Subject: [Fedora-directory-users] Question on Schema Object Class Inheritance In-Reply-To: <20e4c38c0607120706l7b5c5c1tea95604ed2ec4269@mail.gmail.com> References: <20e4c38c0607120706l7b5c5c1tea95604ed2ec4269@mail.gmail.com> Message-ID: <44B50BED.7010900@uni-osnabrueck.de> Hi, Chun Tat David Chu schrieb: > At any given time, a single object class can only inherit from one and > only one object class (no multiple inheritance). No. In the Tivoli IBM Directory Server an objectclass can inherit from multiple objectclasses. 
Regards, Dirk Kastens From mj at sci.fi Wed Jul 12 14:46:53 2006 From: mj at sci.fi (Mike Jackson) Date: Wed, 12 Jul 2006 17:46:53 +0300 Subject: [Fedora-directory-users] Question on Schema Object Class Inheritance In-Reply-To: <20e4c38c0607120706l7b5c5c1tea95604ed2ec4269@mail.gmail.com> References: <20e4c38c0607120706l7b5c5c1tea95604ed2ec4269@mail.gmail.com> Message-ID: <44B50B5D.4010505@sci.fi> Chun Tat David Chu wrote: > Hi, > > I think I got the answer, but I would like to confirm that if I'm correct. > > At any given time, a single object class can only inherit from one and > only one object class (no multiple inheritance). > > For example, if I have 3 object classes > 1. objectclassA with attribute1 > 2. objectclassB with attribute2 > 3. objectclassC with attribute3 > Then objectclassC can only either inherit from objectclassA or objectclassB. Correct. > If I want multiple inheirtance, then I'll need the following setup > 1. objectclassB inherits from objectclassA > 2. objectclassC inheirts from objectclassB No, it doesn't work. Superior classes can only inherit from top. Mike -- http://www.netauth.com - LDAP Directory Consulting From ccesario at isic.com.br Wed Jul 12 16:50:41 2006 From: ccesario at isic.com.br (Carlos Cesario) Date: Wed, 12 Jul 2006 13:50:41 -0300 Subject: [Fedora-directory-users] phpQLAdmin schema In-Reply-To: <44B1287C0200008B00000F3A@gwise.isicbrasil.com.br> References: <44B1287C0200008B00000F3A@gwise.isicbrasil.com.br> Message-ID: <1152723043.4700.12.camel@localhost.localdomain> Thank you Mike! The schema is OK! Carlos -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 191 bytes Desc: Esta ? 
uma parte de mensagem assinada digitalmente URL: From fochlere at grc.nia.nih.gov Wed Jul 12 17:09:52 2006 From: fochlere at grc.nia.nih.gov (Edward Fochler) Date: Wed, 12 Jul 2006 13:09:52 -0400 Subject: [Fedora-directory-users] Converting a 4-way replication setup to SSL In-Reply-To: <44B39F1C.5000605@redhat.com> References: <9C0091F428E697439E7A773FFD083427025EF0@szexchange.Shopzilla.inc> <44B39F1C.5000605@redhat.com> Message-ID: <0DC15464-565F-4DED-9E84-D60B239F11D2@grc.nia.nih.gov> I've been using XCA as my program of choice for handling CA stuff. It's nice, powerful, relatively friendly, etc. I create the root CA, get all of my servers to trust that, and issue individual certs based off of that CA for each of my servers. That much has worked very well. I didn't use any scripts for this. And I absolutely hate the openssl command line options. Your mileage may vary. ED. On Jul 11, 2006, at 8:52 am, Rob Crittenden wrote: > Philip Kime wrote: >> What a nightmare. >> I tried to use the script on the Wiki but this isn't really set >> up to do >> this. I would like one CA and then to generate all of the DS and AS >> certificates from this. I can't work out if I need to copy the CA >> db or >> just the .asc file to the other servers to generate the certs - it >> seems >> to need the key for the CA cert and also the noise and pwd files? I >> finally got two servers on SSL but they won't replicate as they don't >> like each other's certificates even though I had the CA certs on both >> servers. >> I have spent eight hours getting nowhere and will have to start >> again >> from scratch. If there are any clues on how to: >> Have one CA for all server certs >> How to install this CA cert on all servers >> What is needed for replication over SSL to work >> > > It sounds like you're trying to use the setupssl.sh script from the > How to at http://directory.fedora.redhat.com/wiki/Howto:SSL. It > isn't really designed to be a poor-man's CA, as you're seeing. 
> > I can't help with the replication but I can help getting SSL set up. > > It should be possible to use this setupssl.sh script, here is one > way. Just know that setting up a PKI infrastructure is hard (and > harder to do properly). If this CA is going to be only used for the > replication agreements it's probably fine. If you want to use it > for web servers, client certificates, LDAP-based login, you may > want to spend some time planning. > > In any case, let's jump right in. > > Normally when one has a CA you keep the key material locked away > and just pulled it out when you want to issue a new certificate. If > you really are going to use this just for replication agreements > this is less a problem. > > I'm assuming you have 4 servers, A-D, and each server only 1 > instance installed. > > So, start with server A, and blow away /opt/fedora-ds/alias/slapd- > -*.db (or better, make a copy somewhere in case you ever > want it). > > This is going to be our "master" server. Run setupssl.sh. > > You now have a self-signed CA that has issued a server certificate > for server A. The nickname is Server-Cert. > > Now you could just copy this whole certificate database to the > other machines, tweak setupssl.sh a bit, and re-run it and get your > certificates that way, but you'd really be spreading your CA keys > all over the place, so I'm not going to do that. > > Instead we're going to use the server A certificate database to > generate the 3 remaining certificates we need. > > You'll do this 3 times: > > 1. edit setupssl.sh and find step 7 > 2. replace myhost=`hostname --fqdn` with myhost="foo.domain.com" > where foo.domain.com is the output of hostname -fqdn on the target > server (B, C or D). > 3. Find the certutil line 2 lines below this myhost statement > you'll see something like "-m 1001". Increment this starting from > 1003. This is the certificate serial number and it needs to be > unique. 1002 is the server A admin server certificate. > 4. 
in the same line you'll see -n "Server-Cert". This nickname > needs to be unique, pick another one. It could be Server-CertB, a > name, it isn't important as long as it is unique. > 5. run setupssl.sh > > Now that you've done this 3 times, you now have in server A a > certificate database with a CA certificate and 4 server > certificates (5 if you count the admin one) > > IMPORTANT: there is a trailing dash (-) at the end of each -P > argument. If you do not have this dash things will not work. > > Now we need to export the 3 other server certificates, we do this > with: > > # cd /opt/fedora-ds/alias > # ../shared/bin/pk12util -o serverb.p12 -P slapd-- -d . - > n "Server-CertB" > > Do this for each of the 3 nicknames you created. > > Do the following on servers B - D. Note that the prefix for slapd- > will likely be different for each server. > > 1. Copy the appropriate server?.p12 and the file cacert.asc to /opt/ > fedora-ds/alias on the target server (B,C,D) > 2. Remove/archive *.db > 3. Generate a new database with: > # ../shared/bin/certutil -N -P slapd-- -d . > 4. Import the CA certificate with: > # ../shared/bin/certutil -A -d . -P slapd-- -n "CA > certificate" -t "CT,," -a -i cacert.asc > 5. Import your server certificate with: > # ../shared/bin/pk12util -i serverb.p12 -P slapd-- -d . > -n "Server-CertB" > 6. Check ownership/permissions of the database(s). They should be > owned by nobody by default. > > I think it would probably best to do this just on Server A and B > and give it a quick test. You can always go back and add in C and D > later. > > This would be infinitely easier if you had a real CA. > > There are also easier ways to do this using a combination of the > java console and the command-line, but I've stuck with the command- > line here. 
> > rob > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users From rmeggins at redhat.com Wed Jul 12 17:31:20 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Wed, 12 Jul 2006 10:31:20 -0700 Subject: [Fedora-directory-users] Converting a 4-way replication setup to SSL In-Reply-To: <0DC15464-565F-4DED-9E84-D60B239F11D2@grc.nia.nih.gov> References: <9C0091F428E697439E7A773FFD083427025EF0@szexchange.Shopzilla.inc> <44B39F1C.5000605@redhat.com> <0DC15464-565F-4DED-9E84-D60B239F11D2@grc.nia.nih.gov> Message-ID: <44B531E8.30700@redhat.com> Edward Fochler wrote: > I've been using XCA as my program of choice for handling CA stuff. > It's nice, powerful, relatively friendly, etc. I create the root CA, > get all of my servers to trust that, and issue individual certs based > off of that CA for each of my servers. That much has worked very well. What is XCA? > > I didn't use any scripts for this. And I absolutely hate the openssl > command line options. Your mileage may vary. > > ED. > > On Jul 11, 2006, at 8:52 am, Rob Crittenden wrote: > >> Philip Kime wrote: >> >>> What a nightmare. >>> I tried to use the script on the Wiki but this isn't really set up >>> to do >>> this. I would like one CA and then to generate all of the DS and AS >>> certificates from this. I can't work out if I need to copy the CA >>> db or >>> just the .asc file to the other servers to generate the certs - it >>> seems >>> to need the key for the CA cert and also the noise and pwd files? I >>> finally got two servers on SSL but they won't replicate as they don't >>> like each other's certificates even though I had the CA certs on both >>> servers. >>> I have spent eight hours getting nowhere and will have to start again >>> from scratch. 
If there are any clues on how to: >>> Have one CA for all server certs >>> How to install this CA cert on all servers >>> What is needed for replication over SSL to work >>> >> >> It sounds like you're trying to use the setupssl.sh script from the >> How to at http://directory.fedora.redhat.com/wiki/Howto:SSL. It >> isn't really designed to be a poor-man's CA, as you're seeing. >> >> I can't help with the replication but I can help getting SSL set up. >> >> It should be possible to use this setupssl.sh script, here is one >> way. Just know that setting up a PKI infrastructure is hard (and >> harder to do properly). If this CA is going to be only used for the >> replication agreements it's probably fine. If you want to use it for >> web servers, client certificates, LDAP-based login, you may want to >> spend some time planning. >> >> In any case, let's jump right in. >> >> Normally when one has a CA you keep the key material locked away and >> just pulled it out when you want to issue a new certificate. If you >> really are going to use this just for replication agreements this is >> less a problem. >> >> I'm assuming you have 4 servers, A-D, and each server only 1 >> instance installed. >> >> So, start with server A, and blow away /opt/fedora-ds/alias/slapd- >> -*.db (or better, make a copy somewhere in case you ever >> want it). >> >> This is going to be our "master" server. Run setupssl.sh. >> >> You now have a self-signed CA that has issued a server certificate >> for server A. The nickname is Server-Cert. >> >> Now you could just copy this whole certificate database to the other >> machines, tweak setupssl.sh a bit, and re-run it and get your >> certificates that way, but you'd really be spreading your CA keys >> all over the place, so I'm not going to do that. >> >> Instead we're going to use the server A certificate database to >> generate the 3 remaining certificates we need. >> >> You'll do this 3 times: >> >> 1. edit setupssl.sh and find step 7 >> 2. 
replace myhost=`hostname --fqdn` with myhost="foo.domain.com" >> where foo.domain.com is the output of hostname -fqdn on the target >> server (B, C or D). >> 3. Find the certutil line 2 lines below this myhost statement you'll >> see something like "-m 1001". Increment this starting from 1003. >> This is the certificate serial number and it needs to be unique. >> 1002 is the server A admin server certificate. >> 4. in the same line you'll see -n "Server-Cert". This nickname needs >> to be unique, pick another one. It could be Server-CertB, a name, it >> isn't important as long as it is unique. >> 5. run setupssl.sh >> >> Now that you've done this 3 times, you now have in server A a >> certificate database with a CA certificate and 4 server certificates >> (5 if you count the admin one) >> >> IMPORTANT: there is a trailing dash (-) at the end of each -P >> argument. If you do not have this dash things will not work. >> >> Now we need to export the 3 other server certificates, we do this with: >> >> # cd /opt/fedora-ds/alias >> # ../shared/bin/pk12util -o serverb.p12 -P slapd-- -d . - n >> "Server-CertB" >> >> Do this for each of the 3 nicknames you created. >> >> Do the following on servers B - D. Note that the prefix for slapd- >> will likely be different for each server. >> >> 1. Copy the appropriate server?.p12 and the file cacert.asc to /opt/ >> fedora-ds/alias on the target server (B,C,D) >> 2. Remove/archive *.db >> 3. Generate a new database with: >> # ../shared/bin/certutil -N -P slapd-- -d . >> 4. Import the CA certificate with: >> # ../shared/bin/certutil -A -d . -P slapd-- -n "CA >> certificate" -t "CT,," -a -i cacert.asc >> 5. Import your server certificate with: >> # ../shared/bin/pk12util -i serverb.p12 -P slapd-- -d . >> -n "Server-CertB" >> 6. Check ownership/permissions of the database(s). They should be >> owned by nobody by default. >> >> I think it would probably best to do this just on Server A and B and >> give it a quick test. 
You can always go back and add in C and D later. >> >> This would be infinitely easier if you had a real CA. >> >> There are also easier ways to do this using a combination of the >> java console and the command-line, but I've stuck with the command- >> line here. >> >> rob >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From beyonddc.storage at gmail.com Wed Jul 12 18:20:31 2006 From: beyonddc.storage at gmail.com (Chun Tat David Chu) Date: Wed, 12 Jul 2006 14:20:31 -0400 Subject: [Fedora-directory-users] Question on Schema Object Class Inheritance In-Reply-To: <44B50B5D.4010505@sci.fi> References: <20e4c38c0607120706l7b5c5c1tea95604ed2ec4269@mail.gmail.com> <44B50B5D.4010505@sci.fi> Message-ID: <20e4c38c0607121120p2c0f23aek59387dd644bd1cb5@mail.gmail.com> Mike, > If I want multiple inheirtance, then I'll need the following setup > 1. objectclassB inherits from objectclassA > 2. objectclassC inheirts from objectclassB >> No, it doesn't work. Superior classes can only inherit from top. Um... That's strange, because I'm able to do that. Maybe my description is not clear? If I have the following schema setup 1. objectClassA with attribute1 inherits from top 2. objectClassB with attribute2 inherits from objectClassA 3. objectClassC with attribute3 inherits from objectClassB then I can achieve multiple schema object class inheritance. objectClassC will contains attribute1, attribute2 and attribute3. objectClassA is my superior class who inherits from top. Am I correct? 
Thanks, David Chu On 7/12/06, Mike Jackson wrote: > > Chun Tat David Chu wrote: > > Hi, > > > > I think I got the answer, but I would like to confirm that if I'm > correct. > > > > At any given time, a single object class can only inherit from one and > > only one object class (no multiple inheritance). > > > > For example, if I have 3 object classes > > 1. objectclassA with attribute1 > > 2. objectclassB with attribute2 > > 3. objectclassC with attribute3 > > Then objectclassC can only either inherit from objectclassA or > objectclassB. > > Correct. > > > > If I want multiple inheirtance, then I'll need the following setup > > 1. objectclassB inherits from objectclassA > > 2. objectclassC inheirts from objectclassB > > No, it doesn't work. Superior classes can only inherit from top. > > > Mike > -- > http://www.netauth.com - LDAP Directory Consulting > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From jo.de.troy at gmail.com Thu Jul 13 14:24:45 2006 From: jo.de.troy at gmail.com (Jo De Troy) Date: Thu, 13 Jul 2006 16:24:45 +0200 Subject: [Fedora-directory-users] Re: admin-server SSL and replication Message-ID: Hi Rich, I can access the admin-server again with startconsole after having changed admin-serv/config/adm.conf and shared/config/dbswitch.conf. What exactly does "Secure Connection" in the admin-server console ConfigurationDS tab do? And why would this break the startup of startconsole? And what exactly does the "Use SSL in Fedora Console" setting in the Encryption tab of the Directory server console do? Another question I have about multi-master replication. If you create the same replication manager entry with the same password on the replication nodes, why is it necessary to have the same directory manager entry and the same password? 
I thought the same replication mgr entry would be sufficient Thanks again, Jo From rmeggins at redhat.com Thu Jul 13 15:26:07 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Thu, 13 Jul 2006 08:26:07 -0700 Subject: [Fedora-directory-users] Re: admin-server SSL and replication In-Reply-To: References: Message-ID: <44B6660F.7040606@redhat.com> Jo De Troy wrote: > Hi Rich, > > I can access the admin-server again with startconsole after having > changed > admin-serv/config/adm.conf and shared/config/dbswitch.conf. > What exactly does "Secure Connection" in the admin-server console > ConfigurationDS tab > do? That tells Admin Server to use SSL when talking to the config DS e.g. the url that's in shared/config/dbswitch.conf. This is both for the Admin Server itself (the Apache mod_admserv module) and for the admin server CGIs. The url in dbswitch.conf should be ldaps instead of ldap and have the secure port instead of the unsecure port. I don't know if it helps but I recently completed an admin server configuration summary (of the files anyway) - http://directory.fedora.redhat.com/wiki/AdminServer#Admin_Server_Config_Files > And why would this break the startup of startconsole? startconsole must be configured to use SSL. > And what exactly does the "Use SSL in Fedora Console" setting in the > Encryption tab of the Directory server console do? This tells the console to use SSL for communicating with both the admin server and the directory server. Otherwise, it uses the non-secure port for the directory server instead of the secure one and, if the admin server is running with SSL enabled, it will hang attempting to auth to the admin server, since the admin server listens with SSL or not, not both as the DS does. > > Another question I have about multi-master replication. If you create > the same replication manager entry with the same password on the > replication nodes, why is it necessary to have the same directory > manager entry and the same password? ??? 
you mean cn=directory manager? > I thought the same replication > mgr entry would be sufficient It should be . . . what are you seeing that makes you think otherwise? > > Thanks again, > Jo > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From jo.de.troy at gmail.com Thu Jul 13 15:45:36 2006 From: jo.de.troy at gmail.com (Jo De Troy) Date: Thu, 13 Jul 2006 17:45:36 +0200 Subject: [Fedora-directory-users] Re: admin-server SSL and replication Message-ID: Hi Rich, > startconsole must be configured to use SSL. I guess it's sufficient to use https://: on Linux or not? I've tried to get the console on Windows to connect to https://: without any luck yet. I did follow the wiki page (downloading and install nss and nspr) but I get: Exception in thread "main" java.lang.NoClassDefFoundError: org/mozilla/jss/crypt o/AlreadyInitializedException at com.netscape.management.client.console.Console.(Unknown Source) at com.netscape.management.client.console.Console.main(Unknown Source) Another question I have about multi-master replication. If you create the same replication manager entry with the same password on the replication nodes, why is it necessary to have the same directory manager entry and the same password? >??? you mean cn=directory manager? I thought the same replication mgr entry would be sufficient >It should be . . . what are you seeing that makes you think otherwise? That's what's written in the requirements on the wiki page http://directory.fedora.redhat.com/wiki/Howto:MultiMasterReplication So I guess this is a prereq for the mmr.pl script or is this just an error. Any idea when the next release will be available? 
Thanks again, Jo From rmeggins at redhat.com Thu Jul 13 15:48:52 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Thu, 13 Jul 2006 08:48:52 -0700 Subject: [Fedora-directory-users] Re: admin-server SSL and replication In-Reply-To: References: Message-ID: <44B66B64.2010607@redhat.com> Jo De Troy wrote: > Hi Rich, > >> startconsole must be configured to use SSL. > > I guess it's sufficient to use https://: on > Linux or not? In the startconsole dialog box - url field? Yes. > I've tried to get the console on Windows to connect to > https://: without any luck yet. I did follow > the wiki page (downloading and install nss and nspr) but I get: > Exception in thread "main" java.lang.NoClassDefFoundError: > org/mozilla/jss/crypt > o/AlreadyInitializedException > at > com.netscape.management.client.console.Console.(Unknown Source) > > at com.netscape.management.client.console.Console.main(Unknown > Source) It can't find jss3.jar. > Another question I have about multi-master replication. If you create > the same replication manager entry with the same password on the > replication nodes, why is it necessary to have the same directory > manager entry and the same password? > >> ??? you mean cn=directory manager? > > > > I thought the same replication > mgr entry would be sufficient > >> It should be . . . what are you seeing that makes you think otherwise? > > That's what's written in the requirements on the wiki page > http://directory.fedora.redhat.com/wiki/Howto:MultiMasterReplication > So I guess this is a prereq for the mmr.pl script or is this just an > error. It's a prereq for the mmr.pl script - so you don't have to specify a different password for each server. You could probably hack the script to introduce a hash table that maps hosts to passwords. > > Any idea when the next release will be available? We're working on it . . . no date yet. 
The majority of the work we're doing now involves splitting up the monolithic package into discrete chunks, better rpms/srpms, autoconf support, better package layout, and related work. > > Thanks again, > Jo > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From pkime at Shopzilla.com Thu Jul 13 16:12:38 2006 From: pkime at Shopzilla.com (Philip Kime) Date: Thu, 13 Jul 2006 09:12:38 -0700 Subject: [Fedora-directory-users] Re: Converting a 4-way replication setup to SSL Message-ID: <9C0091F428E697439E7A773FFD083427025F19@szexchange.Shopzilla.inc> Many thanks to all replies about this - in the end, I drew up a plan using bits and pieces pulled from the setupssl.sh and the RH manual for DS. It worked nicely. I made a CA cert as per the setupssl.sh script and then generated server cert requests from the GUI, generated the certs on the command-line from the CA and installed the server certs in the GUI. Then I imported the CA cert via the GUI. Everything works. It allowed me to name the certs nicely to instead of all being "server-cert" or whatever. Replication is now working over SSL and client TLS access to any server is working when clients have a copy of the CA cert. From pkime at Shopzilla.com Thu Jul 13 17:24:52 2006 From: pkime at Shopzilla.com (Philip Kime) Date: Thu, 13 Jul 2006 10:24:52 -0700 Subject: [Fedora-directory-users] Host-based access restrictions Message-ID: <9C0091F428E697439E7A773FFD083427025F1A@szexchange.Shopzilla.inc> I'm wondering - can I use something like netgroups in the LDAP host-based ("host" attribute) for access restriction? I have over 1000 servers and there is no way I can list every combination of user/host explicity. 
I have looked at pam_access with LDAP netgroups, which is great but there is one crucial problem - if a user needs temporary access for example to a certain machine and this falls outside of my netgroup definitions then there seems to be no way to allow specific access using pam_access and /etc/security/access.conf, without having to push out over 1000 new copies of this file. I need to be able to grant special access like this on the LDAP server. The only thing I can think of is this in access.conf: + @special@@special : ALL where the "special" netgroup contains nisnetgroup triples like (user,machine,) Normally, you don't use both fields in a netgroup triple but this works fine in access.conf because PAM uses the user part when the netgroup is used in the user position of the user@host field and uses the machine part when the netgroup is in the "host" position. I thought this was really nice until I realised that this means that if the "special" netgroup contains several entries like: (user1,machine1) (user2,machine2) Then user2 also gets access to machine1 and user1 gets access to machine 2 because PAM doesn't understand that these netgroup entries are supposed to be kept together - it just parses the user and machine parts completely separately. I just need to have one entry in access.conf that will cover special-case creation on the LDAP server but it doesn't seem to be possible, hence I am now looking at the LDAP-based host access thing. -- Philip Kime NOPS Systems Architect 310 401 0407
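Added example, not code from Philip's message, from pam_access or from the FDS project: a small Python model of why a single `@special@@special` rule hands out the cross product of users and hosts. It mimics the semantics of glibc's innetgr(3) over a netgroup of (host, user, domain) triples in the NIS field order, with the two sample triples constructed here, and models pam_access as doing one lookup by user and a separate one by host, which is the behaviour Philip describes; that split-check model, the function names and the sample data are assumptions of this example, not pam_access's own code.

```python
# Added example, not code from the thread, pam_access or FDS.
# Shows why "+ @special@@special : ALL" lets user1 on to machine2 when the
# netgroup holds (machine1,user1) and (machine2,user2), and that a single
# innetgr(3)-style lookup with both host and user given does not.

# Constructed sample data. NIS netgroup triples are (host, user, domain);
# an empty field is a wildcard, as in glibc's innetgr(3).
NETGROUPS = {
    "special": [
        ("machine1", "user1", ""),
        ("machine2", "user2", ""),
    ],
}


def innetgr(netgroup, host=None, user=None, domain=None):
    """Mimic innetgr(3): a None argument means "don't care", but every
    argument that is given must match inside the *same* triple."""
    for h, u, d in NETGROUPS.get(netgroup, []):
        if host is not None and h and h != host:
            continue
        if user is not None and u and u != user:
            continue
        if domain is not None and d and d != domain:
            continue
        return True
    return False


def pam_access_allows(user, host, users_field="@special@@special"):
    """Model (an assumption, not pam_access's code) of the access.conf rule
    "+ <users_field> : ALL" as the thread describes it: the first netgroup
    is checked with only the user, the second with only the host, so the
    two lookups are free to hit different triples."""
    user_ng, host_ng = users_field[1:].split("@@")
    return innetgr(user_ng, user=user) and innetgr(host_ng, host=host)


def paired_allows(user, host, netgroup="special"):
    """The check Philip actually wants: host and user must come from the
    same triple. innetgr(3) already behaves this way when given both."""
    return innetgr(netgroup, host=host, user=user)


if __name__ == "__main__":
    for u, h in [("user1", "machine1"), ("user1", "machine2"),
                 ("user2", "machine1"), ("user3", "machine1")]:
        print(f"{u}@{h}: split-check={pam_access_allows(u, h)} "
              f"paired={paired_allows(u, h)}")
```

Against a real NIS or LDAP netgroup the lookup goes through the C library's innetgr(3) rather than this dictionary; the point the model makes is that the data already carries the pairing and the split into two independent lookups is what loses it.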
From mj at sci.fi Thu Jul 13 19:49:16 2006 From: mj at sci.fi (Mike Jackson) Date: Thu, 13 Jul 2006 22:49:16 +0300 Subject: [Fedora-directory-users] Question on Schema Object Class Inheritance In-Reply-To: <20e4c38c0607121120p2c0f23aek59387dd644bd1cb5@mail.gmail.com> References: <20e4c38c0607120706l7b5c5c1tea95604ed2ec4269@mail.gmail.com> <44B50B5D.4010505@sci.fi> <20e4c38c0607121120p2c0f23aek59387dd644bd1cb5@mail.gmail.com> Message-ID: <44B6A3BC.4090607@sci.fi> Chun Tat David Chu wrote: > > Um... That's strange, because I'm able to do that. > Maybe my description is not clear? > > If I have the following schema setup > 1. objectClassA with attribute1 inherits from top > 2. objectClassB with attribute2 inherits from objectClassA > 3. objectClassC with attribute3 inherits from objectClassB > then I can achieve multiple schema object class inheritance. > > objectClassC will contain attribute1, attribute2 and attribute3. > > objectClassA is my superior class which inherits from top. > > Am I correct? You're correct. I was confused when I read your description. My bad. BR, Mike

From SStrong at cr.k12.ia.us Thu Jul 13 20:20:56 2006 From: SStrong at cr.k12.ia.us (Strong Steve) Date: Thu, 13 Jul 2006 15:20:56 -0500 Subject: [Fedora-directory-users] can't become a pdc Message-ID: i'm using fedora directory on rhel 4.0 and i'm trying to set the server up so that it can be a windows (ick) pdc. the documentation "how-to" is very clear and things went well until i tried to get the local SID. after issuing the command: net getlocalsid, i got two sets of error messages, both suggesting that it couldn't find the ldap server. i can authenticate on the server using ldap, but samba doesn't seem to be able to find it. any help resolving this issue would be greatly appreciated, thanks, steve Steve Strong Computer Science Teacher Washington High School 2205 Forest Dr.
SE Cedar Rapids, Iowa 52403 http://crwash.org mailto:sstrong at crwash.org

From mj at sci.fi Thu Jul 13 20:22:03 2006 From: mj at sci.fi (Mike Jackson) Date: Thu, 13 Jul 2006 23:22:03 +0300 Subject: [Fedora-directory-users] can't become a pdc In-Reply-To: References: Message-ID: <44B6AB6B.1070204@sci.fi> Strong Steve wrote: > i'm using fedora directory on rhel 4.0 and i'm trying to set the server up so that it can be a windows (ick) pdc. the documentation "how-to" is very clear and things went well until i tried to get the local SID. after issuing the command: net getlocalsid, i got two sets of error messages, both suggesting that it couldn't find the ldap server. i can authenticate on the server using ldap, but samba doesn't seem to be able to find it. > > any help resolving this issue would be greatly appreciated, thanks, > steve Steve, What value do you have in smb.conf for "passdb backend"? BR, -- Mike

From mj at sci.fi Thu Jul 13 20:35:56 2006 From: mj at sci.fi (Mike Jackson) Date: Thu, 13 Jul 2006 23:35:56 +0300 Subject: [Fedora-directory-users] Host-based access restrictions In-Reply-To: <9C0091F428E697439E7A773FFD083427025F1A@szexchange.Shopzilla.inc> References: <9C0091F428E697439E7A773FFD083427025F1A@szexchange.Shopzilla.inc> Message-ID: <44B6AEAC.9020201@sci.fi> Philip Kime wrote: > I'm wondering - can I use something like netgroups in the LDAP > host-based ("host" attribute) for access restriction? I have over 1000 > servers and there is no way I can list every combination of user/host > explicitly. > Hi Phil, You could easily accomplish what you are after by designing and writing a pre-authentication plugin for FDS, which parses the data structure you define in the "host" or other attribute of your choice.
BR, Mike -- http://www.netauth.com - LDAP Directory Consulting

From SStrong at cr.k12.ia.us Fri Jul 14 02:52:55 2006 From: SStrong at cr.k12.ia.us (Strong Steve) Date: Thu, 13 Jul 2006 21:52:55 -0500 Subject: [Fedora-directory-users] can't become a pdc] Message-ID: actually, i fixed this problem and i've got samba and fedora directory working well with each other. BUT.... how do you add computers to the windoze domain? i saw a reference to some scripts from IDEALX, but it seems like now that the users, groups and authentication are working for people logging in from linux clients, that i'd rather not start all over. by the way, the documentation's "how-to" had some errors. can someone tell me how to get them fixed? can users add to the wiki somehow? thanks again, steve -------- Original Message -------- > Subject: Re: [Fedora-directory-users] can't become a pdc > Date: Thu, 13 Jul 2006 23:22:03 +0300 > From: Mike Jackson > Reply-To: General discussion list for the Fedora Directory server > project. > To: General discussion list for the Fedora Directory server > project. > > References: > > > > Strong Steve wrote: > > i'm using fedora directory on rhel 4.0 and i'm trying to > set the server up so that it can be a windows (ick) pdc. the > documentation "how-to" is very clear and things went well > until i tried to get the local SID. after issuing the > command: net getlocalsid, i got two sets of error messages, > both suggesting that it couldn't find the ldap server. i can > authenticate on the server using ldap, but samba doesn't seem > to be able to find it. > > > > any help resolving this issue would be greatly appreciated, thanks, > > steve > > Steve, > What value do you have in smb.conf for "passdb backend"?
> > BR, > -- > Mike > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > -- > Steve Strong > Math and Computer Science > Washington High School > 2205 Forest Dr. SE > Cedar Rapids, IA 52403 > http://crwash.org > mailto:strong.s at crwash.org > >

From jo.de.troy at gmail.com Fri Jul 14 15:08:52 2006 From: jo.de.troy at gmail.com (Jo De Troy) Date: Fri, 14 Jul 2006 17:08:52 +0200 Subject: [Fedora-directory-users] Replication question Message-ID: Hello, I was wondering if you could do replication between 2 LDAP servers which each have a different root suffix (eg eu.example.com and na.example.com) and replicate both parts to each other. Both servers have a different suffix in their userRoot database. Another question is: when looking in the replication agreement the supplier has port 389 and the consumer has port 636. How can I get the supplier port to be 636 also? Or is this not needed for security? Is there somewhere a list explaining the different status error codes? Thanks again, Jo

From patrick.morris at hp.com Fri Jul 14 15:20:33 2006 From: patrick.morris at hp.com (Morris, Patrick) Date: Fri, 14 Jul 2006 11:20:33 -0400 Subject: [Fedora-directory-users] Replication question In-Reply-To: Message-ID: > -----Original Message----- > From: fedora-directory-users-bounces at redhat.com > [mailto:fedora-directory-users-bounces at redhat.com] On Behalf > Of Jo De Troy > Sent: Friday, July 14, 2006 8:09 AM > To: fedora-directory-users at redhat.com > Subject: [Fedora-directory-users] Replication question > > Hello, > > I was wondering if you could do replication between 2 LDAP > servers which each have a different root suffix (eg eu.example.com and > na.example.com) and replicate both parts to each other.
> Both servers have a different suffix in their userRoot > database. Another question is: when looking in the replication > agreement the supplier has port 389 and the consumer has port > 636. How can I get the supplier port to be > 636 also? Or is this not needed for security? > Is there somewhere a list explaining the different status error codes? Your question is a little confusing, but if you're asking if you can use replication to merge two different trees, no. The DNs of the objects won't match. You can replicate the two with each other, but you'd still have two separate trees on each: eu.example.com and na.example.com. As far as which port you see in the replication agreement for the supplier, I don't think it really matters. All replication is from the supplier to the consumer, so as long as that connection is encrypted, the entire process will be.

From jo.de.troy at gmail.com Fri Jul 14 15:40:56 2006 From: jo.de.troy at gmail.com (Jo De Troy) Date: Fri, 14 Jul 2006 17:40:56 +0200 Subject: [Fedora-directory-users] Replication question Message-ID: Hi Patrick, I was wondering if the underlying database names would clash, eg eu.example.com being on 1 server in userRoot while on the other server na.example.com is in the userRoot database. That's what I'm trying and I get errors: Replication error acquiring replica: no such replica Error code 6 and for the other suffix Replication error acquiring replica: permission denied.
Error code 3 Thanks again, Jo

From patrick.morris at hp.com Fri Jul 14 16:23:36 2006 From: patrick.morris at hp.com (Morris, Patrick) Date: Fri, 14 Jul 2006 12:23:36 -0400 Subject: [Fedora-directory-users] Replication question In-Reply-To: Message-ID: > -----Original Message----- > From: fedora-directory-users-bounces at redhat.com > [mailto:fedora-directory-users-bounces at redhat.com] On Behalf > Of Jo De Troy > Sent: Friday, July 14, 2006 8:41 AM > To: fedora-directory-users at redhat.com > Subject: RE: [Fedora-directory-users] Replication question > > I was wondering if the underlying database names would clash, > eg eu.example.com being on 1 server in userRoot while on the > other server na.example.com is in the userRoot database. > That's what I'm trying and I get errors: Replication error > acquiring replica: no such replica Error code 6 and for the > other suffix Replication error acquiring replica: permission > denied. Error code 3 Have you initialized the new replicas on the consumers?

From Ian.Bishop at netoptions.com.au Sat Jul 15 04:39:19 2006 From: Ian.Bishop at netoptions.com.au (Ian Bishop) Date: Sat, 15 Jul 2006 14:39:19 +1000 Subject: [Fedora-directory-users] Blank Password Policy Screen Message-ID: <08422C17320455488F792FCD66404BB36BF760@bnesbexc01.datacom.com.au> I've just installed Fedora DS 1.0.2 on Redhat Enterprise 4 with Java Runtime RPM jre-1.5.0_07 installed. I go into the GUI console and bring up the Directory. When I select a user in the 'people' OU and right click, then select 'manage password policy' -> 'User' -> 'For User..' I get a popup window, blank except two bars at right angles to each other in the middle of the window and a 'close' button in the lower right corner. This happens regardless of which user I select or if I select the parent OU, right click and choose 'For subtree..'. Is this a glitch in the GUI or have I missed something? Thanks, Ian.
From addi at hugsmidjan.is Sun Jul 16 20:31:12 2006 From: addi at hugsmidjan.is (Sævaldur Arnar Gunnarsson) Date: Sun, 16 Jul 2006 20:31:12 +0000 Subject: [Fedora-directory-users] Disable TLS/SSL security check for password changing Message-ID: <1153081872.11907.5.camel@titanium> I'm trying to configure Fedora Directory Server as a back-end to Samba 3.x and I've succeeded in doing that with just one exception. There seems to be a security mechanism that prevents users from changing their passwords over non-SSL/TLS connections (and gives the following error: "Operation requires a secure connection"). I'm assuming this can be specified somewhere on the administrative console so instead of wasting days looking I thought this would be a good place to ask this question :) Bottom line, how do I disable the security check that demands a TLS/SSL connection in order to change passwords?

From david_list at boreham.org Sun Jul 16 20:58:43 2006 From: david_list at boreham.org (David Boreham) Date: Sun, 16 Jul 2006 14:58:43 -0600 Subject: [Fedora-directory-users] Disable TLS/SSL security check for password changing In-Reply-To: <1153081872.11907.5.camel@titanium> References: <1153081872.11907.5.camel@titanium> Message-ID: <44BAA883.9000701@boreham.org> Sævaldur Arnar Gunnarsson wrote: >Bottom line, how do I disable the security check that demands TLS/SSL >connection in order to change passwords ? > > You can't, without editing the source code that is. RFC3062 says: 4. Security Considerations This operation is used to modify user passwords. The operation itself does not provide any security protection to ensure integrity and/or confidentiality of the information. Use of this operation is strongly discouraged when privacy protections are not in place to guarantee confidentiality and may result in the disclosure of the password to unauthorized parties. This extension MUST be used with confidentiality protection, such as Start TLS [RFC 2830].
The NULL cipher suite MUST NOT be used. There was a hack put in during development that allowed sanity to be preserved while debugging the feature, by disabling the requirement for SSL. You could flip that on and recompile. See here: http://cvs.fedora.redhat.com/lxr/dirsec/source/ldapserver/ldap/servers/slapd/passwd_extop.c#63

From pkime at Shopzilla.com Mon Jul 17 01:37:19 2006 From: pkime at Shopzilla.com (Philip Kime) Date: Sun, 16 Jul 2006 18:37:19 -0700 Subject: [Fedora-directory-users] No check box to enable SNMP? Message-ID: <9C0091F428E697439E7A773FFD083427025F2F@szexchange.Shopzilla.inc> I am running fedora-ds-1.0.2-1 on CentOS 4 which I installed from a binary rpm. I can't see the checkbox to enable SNMP in the SNMP config tab - I can see the fields to fill in but there is no checkbox as per the documentation - does this mean that it wasn't compiled with snmp support? The MIB and agent etc. are all present and I have the ldap-agent subagent running ... PK -- Philip Kime NOPS Systems Architect 310 401 0407

From jrussler at helix.nih.gov Mon Jul 17 17:26:37 2006 From: jrussler at helix.nih.gov (Jason Russler) Date: Mon, 17 Jul 2006 13:26:37 -0400 Subject: [Fedora-directory-users] Disable TLS/SSL security check for password changing In-Reply-To: <1153081872.11907.5.camel@titanium> References: <1153081872.11907.5.camel@titanium> Message-ID: <44BBC84D.1030001@helix.nih.gov> Are you sure it's not the LDAP client that's requiring a secure connection? I'm pretty sure FDS will happily replace password entries without SSL/TLS. Since I've never done this with Samba I can't help any more than that. Sævaldur Arnar Gunnarsson wrote: > I'm trying to configure Fedora Directory Server as a back-end to Samba > 3.x and I've succeeded in doing that with just one exception. > > There seems to be a security mechanism that prevents users from changing > their passwords over non-SSL/TLS connections.
(and gives the following > error: "Operation requires a secure connection") > > I'm assuming this can be specified somewhere on the administrative > console so instead of wasting days looking I thought this would be a > good place to ask this question :) > > Bottom line, how do I disable the security check that demands TLS/SSL > connection in order to change passwords ? > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > >

From rmeggins at redhat.com Mon Jul 17 17:44:02 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Mon, 17 Jul 2006 11:44:02 -0600 Subject: [Fedora-directory-users] FHS packaging - combine old and new with symlinks Message-ID: <44BBCC62.80606@redhat.com> As an attempt to compromise between the users who want the old layout and those who want an FHS style layout, I propose having the package do both. That is, the files would be put on disk under /opt/fedora-ds, then symlinks would be created to those files and directories to correspond to the FHS layout. For example, /var/log/fedora-ds/slapd-instance/access would just be a symlink to /opt/fedora-ds/slapd-instance/logs/access or /etc/fedora-ds/slapd-instance/dse.ldif would just be a symlink to /opt/fedora-ds/slapd-instance/config/dse.ldif

Rationale:
1) allows admins already familiar with fedora ds layout to continue to use current tools/processes (e.g. tar up contents/restore contents, which is much more difficult with FHS layout)
2) allows admins familiar with FHS to find files in familiar places

From mas at wellthot.com Mon Jul 17 19:18:44 2006 From: mas at wellthot.com (Mark A.
Schwenk) Date: Mon, 17 Jul 2006 14:18:44 -0500 Subject: [Fedora-directory-users] FHS packaging - combine old and new with symlinks In-Reply-To: <44BBCC62.80606@redhat.com> References: <44BBCC62.80606@redhat.com> Message-ID: <44BBE294.4010509@wellthot.com> Richard Megginson wrote: > As an attempt to compromise between the users who want the old layout > and those who want an FHS style layout, I propose having the package do > both. That is, the files would be put on disk under /opt/fedora-ds, > then symlinks would be created to those files and directories to > correspond to the FHS layout. I have worked with systems that use symbolic links in similar capacities and usually find that in spite of having an understanding of symbolic links, I tend to get caught up in the illusion that they are trying to create and do things that make sense in the illusory world but not in the real world. For example copying /etc/named.conf to /etc/named.conf.bak before modifying it and then afterward discovering that /etc/named.conf and /etc/named.conf.bak are now both symbolic links to the same changed copy of the real file in /var/named/chroot/etc/named.conf. I vote for either layout in preference to this proposed compromise. But if pressed, my preference between FHS and /opt/fedora-ds would be for FHS. -Mark Schwenk WellThot Inc. Helping businesses realize the value of free software http://wellthot.com/

From mj at sci.fi Mon Jul 17 19:16:35 2006 From: mj at sci.fi (Mike Jackson) Date: Mon, 17 Jul 2006 22:16:35 +0300 Subject: [Fedora-directory-users] FHS packaging - combine old and new with symlinks In-Reply-To: <44BBCC62.80606@redhat.com> References: <44BBCC62.80606@redhat.com> Message-ID: <44BBE213.6020407@sci.fi> Richard Megginson wrote: > As an attempt to compromise between the users who want the old layout > and those who want an FHS style layout, I propose having the package do > both.
That is, the files would be put on disk under /opt/fedora-ds, > then symlinks would be created to those files and directories to > correspond to the FHS layout. > > For example, /var/log/fedora-ds/slapd-instance/access would just be a > symlink to /opt/fedora-ds/slapd-instance/logs/access > or > /etc/fedora-ds/slapd-instance/dse.ldif would just be a symlink to > /opt/fedora-ds/slapd-instance/config/dse.ldif > > Rationale: > 1) allows admins already familiar with fedora ds layout to continue to > use current tools/processes (e.g. tar up contents/restore contents, > which is much more difficult with FHS layout) > 2) allows admins familiar with FHS to find files in familiar places Hi, Sounds fine to me, just as long as nothing depends on those symlinks being present, e.g. start/stop scripts, backup/restore scripts, etc. For example, if one of my tools creates a new instance, but doesn't symlink it to the FHS place, that shouldn't cause any lack of functionality. BR, Mike

From mj at sci.fi Mon Jul 17 19:23:42 2006 From: mj at sci.fi (Mike Jackson) Date: Mon, 17 Jul 2006 22:23:42 +0300 Subject: [Fedora-directory-users] FHS packaging - combine old and new with symlinks In-Reply-To: <44BBE294.4010509@wellthot.com> References: <44BBCC62.80606@redhat.com> <44BBE294.4010509@wellthot.com> Message-ID: <44BBE3BE.4070309@sci.fi> Mark A. Schwenk wrote: > > For example copying /etc/named.conf to /etc/named.conf.bak before > modifying it and then afterward discovering that /etc/named.conf and > /etc/named.conf.bak are now both symbolic links to the same changed copy > of the real file in /var/named/chroot/etc/named.conf. Which filesystem are you using? Ext3:

# echo foobar > 1
# ln -s 1 2
# cp 2 3
# ls -al
-rw-r--r-- 1 jacksonm users 7 Jul 17 22:17 1
lrwxrwxrwx 1 jacksonm users 10 Jul 17 22:18 2 -> 1
-rw-r--r-- 1 jacksonm users 7 Jul 17 22:18 3

BR, -- mike

From mas at wellthot.com Mon Jul 17 20:52:23 2006 From: mas at wellthot.com (Mark A.
Schwenk) Date: Mon, 17 Jul 2006 15:52:23 -0500 Subject: [Fedora-directory-users] FHS packaging - combine old and new with symlinks In-Reply-To: <44BBE3BE.4070309@sci.fi> References: <44BBCC62.80606@redhat.com> <44BBE294.4010509@wellthot.com> <44BBE3BE.4070309@sci.fi> Message-ID: <44BBF887.6010100@wellthot.com> Mike Jackson wrote: > Mark A. Schwenk wrote: > >> >> For example copying /etc/named.conf to /etc/named.conf.bak before >> modifying it and then afterward discovering that /etc/named.conf and >> /etc/named.conf.bak are now both symbolic links to the same changed >> copy of the real file in /var/named/chroot/etc/named.conf. > > > Which filesystem are you using? > > Ext3: > > # echo foobar > 1 > # ln -s 1 2 > # cp 2 3 > # ls -al > -rw-r--r-- 1 jacksonm users 7 Jul 17 22:17 1 > lrwxrwxrwx 1 jacksonm users 10 Jul 17 22:18 2 -> 1 > -rw-r--r-- 1 jacksonm users 7 Jul 17 22:18 3 > > Ext3. Right you are. I was trying to quickly provide an example of how the symbolic links can bite back and didn't think through it clearly. How about this:

# mv /etc/named.conf /etc/named.conf.bak
# cp /etc/named.conf.bak /etc/named.conf

At this point /etc/named.conf.bak is a symbolic link to /var/named/chroot/etc/named.conf and /etc/named.conf is a regular file. Then editing the /etc/named.conf file no longer modifies the real source file at /var/named/chroot/etc/named.conf. -Mark Schwenk

From pkime at Shopzilla.com Mon Jul 17 20:57:20 2006 From: pkime at Shopzilla.com (Philip Kime) Date: Mon, 17 Jul 2006 13:57:20 -0700 Subject: [Fedora-directory-users] SNMP monitoring issues Message-ID: <9C0091F428E697439E7A773FFD083427025F38@szexchange.Shopzilla.inc> The AgentX subagent config file is supposed to take a config line agentx-logdir. I have set this but the agent still logs to the same dir as the config file is in (which is the default location) - any ideas? -- Philip Kime NOPS Systems Architect 310 401 0407
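Added example, not code from Mark Schwenk's message or from the FDS project: a throwaway-tree reproduction of the mv/cp scenario in Mark's message above, extended to show what tar stores for the symlinked view with and without -h, since a tar backup of such a layout has the same split between the link and the real file. It assumes POSIX sh, mktemp -d and a tar that accepts -h (GNU or BSD tar); the /opt/app and /etc/app paths are made-up stand-ins for the proposed /opt/fedora-ds and /etc/fedora-ds locations.

```sh
#!/bin/sh
# Added example, not code from the thread or from Fedora DS. Reproduces the
# symlink pitfall in a scratch tree: an /opt-style real file and an
# /etc-style symlink to it. Assumes POSIX sh, mktemp -d, and tar with -h.

# Build the scratch tree and print its root directory.
setup_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/opt/app/config" "$root/etc/app"
    printf 'setting = original\n' > "$root/opt/app/config/app.conf"
    ln -s "$root/opt/app/config/app.conf" "$root/etc/app/app.conf"
    echo "$root"
}

# The "mv aside, cp back, edit" idiom: mv renames the link itself, cp follows
# the link and writes a regular file, so the edit never reaches /opt.
mv_cp_then_edit() {
    mv "$1/etc/app/app.conf" "$1/etc/app/app.conf.bak"
    cp "$1/etc/app/app.conf.bak" "$1/etc/app/app.conf"
    printf 'setting = edited\n' > "$1/etc/app/app.conf"
}

real_value() { cat "$1/opt/app/config/app.conf"; }   # what the server reads
etc_value()  { cat "$1/etc/app/app.conf"; }          # what the admin edited

# Archive only the /etc-style view; with -h tar dereferences the symlink.
tar_plain() { tar -cf "$1/plain.tar" -C "$1" etc/app; echo "$1/plain.tar"; }
tar_deref() { tar -chf "$1/deref.tar" -C "$1" etc/app; echo "$1/deref.tar"; }

# First character of the member's mode field in tar -tv output: 'l' for a
# stored symlink (useless on restore unless /opt comes back too), '-' for a
# regular file (a copy that has stopped being the same file as /opt's).
member_type() { tar -tvf "$1" | grep -F "$2" | head -n 1 | cut -c1; }

demo() {
    r=$(setup_tree)
    echo "plain tar stores etc/app/app.conf as: $(member_type "$(tar_plain "$r")" etc/app/app.conf)"
    echo "tar -h stores etc/app/app.conf as:    $(member_type "$(tar_deref "$r")" etc/app/app.conf)"
    mv_cp_then_edit "$r"
    echo "/etc view after edit: $(etc_value "$r")"
    echo "/opt real file:       $(real_value "$r")"
    rm -rf "$r"
}

demo
```

Whichever direction the links point, one of the two views is the copy and one is the link, and both the mv/cp idiom and a plain tar of the wrong side silently pick the copy.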
From rmeggins at redhat.com Mon Jul 17 21:52:40 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Mon, 17 Jul 2006 15:52:40 -0600 Subject: [Fedora-directory-users] FHS packaging - combine old and new with symlinks In-Reply-To: <44BBF887.6010100@wellthot.com> References: <44BBCC62.80606@redhat.com> <44BBE294.4010509@wellthot.com> <44BBE3BE.4070309@sci.fi> <44BBF887.6010100@wellthot.com> Message-ID: <44BC06A8.2060406@redhat.com> Mark A. Schwenk wrote: > Mike Jackson wrote: >> Mark A. Schwenk wrote: >> >>> >>> For example copying /etc/named.conf to /etc/named.conf.bak before >>> modifying it and then afterward discovering that /etc/named.conf and >>> /etc/named.conf.bak are now both symbolic links to the same changed >>> copy of the real file in /var/named/chroot/etc/named.conf. >> >> >> Which filesystem are you using? >> >> Ext3: >> >> # echo foobar > 1 >> # ln -s 1 2 >> # cp 2 3 >> # ls -al >> -rw-r--r-- 1 jacksonm users 7 Jul 17 22:17 1 >> lrwxrwxrwx 1 jacksonm users 10 Jul 17 22:18 2 -> 1 >> -rw-r--r-- 1 jacksonm users 7 Jul 17 22:18 3 >> >> > > Ext3. Right you are. I was trying to quickly provide an example of how > the symbolic links can bite back and didn't think through it clearly. > > How about this: > > # mv /etc/named.conf /etc/named.conf.bak > # cp /etc/named.conf.bak /etc/named.conf > > At this point /etc/named.conf.bak is a symbolic link to > /var/named/chroot/etc/named.conf and /etc/named.conf is a regular file. > > Then editing the /etc/named.conf file no longer modifies the real > source file at /var/named/chroot/etc/named.conf. That's bad, and exactly what would/could happen with my proposal. Even if we swap the direction of the symlinks, it would still break in the other way i.e. if you tried to do the same thing under /opt/fedora-ds/slapd-instance/config - and if you tried to backup/restore with tar, you would either be getting only the symlinks, or if following symlinks, they would be broken upon restore.
So, is there a way to have both? If not symlinks, then what? > > -Mark Schwenk > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users

From JFGamsby at lbl.gov Mon Jul 17 22:12:46 2006 From: JFGamsby at lbl.gov (Jeff Gamsby) Date: Mon, 17 Jul 2006 15:12:46 -0700 Subject: [Fedora-directory-users] Win2003 AD SSL certs Message-ID: <44BC0B5E.3050404@lbl.gov> Can someone please tell me if I have this right?

1) Create certs for FDS server.
2) export servercerts on FDS.
3) install Active Directory and certificate services ( Enterprise Root CA )
4) Setup Active Directory for SSL ( tested with ldp.exe )
5) Export AD cert, import into FDS
6) Install PassSync, import servercerts from FDS
7) Test ldapsearch over SSL to AD.

I have just upgraded to Windows server 2003 R2 and I can't get SSL from FDS to AD working again. I get this error.

../shared/bin/ldapsearch -Z -P . -h ad-server -p 636 -D "cn=administrator,cn=users,dc=xxx,dc=xxx,dc=xxx" -w - -s sub -b "cn=users,dc=xxx,dc=xxx,dc=xxx" "cn=*" -v
ldap_simple_bind: Can't contact LDAP server
SSL error -8179 (Peer's Certificate issuer is not recognized.)

Thanks in advance. J.G.

From rmeggins at redhat.com Mon Jul 17 22:26:06 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Mon, 17 Jul 2006 16:26:06 -0600 Subject: [Fedora-directory-users] Win2003 AD SSL certs In-Reply-To: <44BC0B5E.3050404@lbl.gov> References: <44BC0B5E.3050404@lbl.gov> Message-ID: <44BC0E7E.4060900@redhat.com> Jeff Gamsby wrote: > > Can someone please tell me if I have this right? > > 1) Create certs for FDS server. > 2) export servercerts on FDS.
> 3) install Active Directory and certificate services ( Enterprise Root > CA ) > 4) Setup Active Directory for SSL ( tested with ldp.exe ) > 5) Export AD cert, import into FDS > 6) Install PassSync, import servercerts from FDS > 7) Test ldapsearch over SSL to AD. > > I have just upgraded to Windows server 2003 R2 and I can't get SSL > from FDS to AD working again. > > I get this error. > > ../shared/bin/ldapsearch -Z -P . -h ad-server -p 636 -D > "cn=administrator,cn=users,dc=xxx,dc=xxx,dc=xxx" -w - -s sub -b > "cn=users,dc=xxx,dc=xxx,dc=xxx" "cn=*" -v Assuming you're not using cert8.db and key3.db as your key/cert db names, the argument to -P should be the full path and filename of the key/cert database e.g. -P /opt/fedora-ds/alias/slapd-instance-cert8.db. > > ldap_simple_bind: Can't contact LDAP server > SSL error -8179 (Peer's Certificate issuer is not recognized.) > > Thanks in advance. > > J.G. > > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users

From mas at wellthot.com Tue Jul 18 02:05:09 2006 From: mas at wellthot.com (Mark A. Schwenk) Date: Mon, 17 Jul 2006 21:05:09 -0500 Subject: [Fedora-directory-users] FHS packaging - combine old and new with symlinks In-Reply-To: <44BC06A8.2060406@redhat.com> References: <44BBCC62.80606@redhat.com> <44BBE294.4010509@wellthot.com> <44BBE3BE.4070309@sci.fi> <44BBF887.6010100@wellthot.com> <44BC06A8.2060406@redhat.com> Message-ID: <44BC41D5.60904@wellthot.com> Richard Megginson wrote: > That's bad, and exactly what would/could happen with my proposal. Even > if we swap the direction of the symlinks, it would still break in the > other way i.e.
if you tried to do the same thing under > /opt/fedora-ds/slapd-instance/config - and if you tried to > backup/restore with tar, you would either be getting only the symlinks, > or if following symlinks, they would be broken upon restore. > > So, is there a way to have both? If not symlinks, then what? I don't think there is a way to have both that doesn't create more problems than it solves. If moving to FHS right now doesn't have lots of clear advantages, perhaps things should stay as they are and energies more fruitfully applied to other issues. -Mark Schwenk

From JFGamsby at lbl.gov Tue Jul 18 15:02:16 2006 From: JFGamsby at lbl.gov (Jeff Gamsby) Date: Tue, 18 Jul 2006 08:02:16 -0700 Subject: [Fedora-directory-users] Win2003 AD SSL certs In-Reply-To: <44BC0E7E.4060900@redhat.com> References: <44BC0B5E.3050404@lbl.gov> <44BC0E7E.4060900@redhat.com> Message-ID: <44BCF7F8.4050803@lbl.gov> Thanks, I tried that, it doesn't seem to matter. When I had it running on a Win2k server, it worked with the "-P ." I'm wondering if there is anything that has to be done differently when using Win2003 vs. Win2k servers? I guess it could be a DNS problem. I'm looking into that now. Any suggestions are welcome. Richard Megginson wrote: > Jeff Gamsby wrote: >> >> Can someone please tell me if I have this right? >> >> 1) Create certs for FDS server. >> 2) export servercerts on FDS. >> 3) install Active Directory and certificate services ( Enterprise >> Root CA ) >> 4) Setup Active Directory for SSL ( tested with ldp.exe ) >> 5) Export AD cert, import into FDS >> 6) Install PassSync, import servercerts from FDS >> 7) Test ldapsearch over SSL to AD. >> >> I have just upgraded to Windows server 2003 R2 and I can't get SSL >> from FDS to AD working again. >> >> I get this error. >> >> ../shared/bin/ldapsearch -Z -P .
-h ad-server -p 636 -D >> "cn=administrator,cn=users,dc=xxx,dc=xxx,dc=xxx" -w - -s sub -b >> "cn=users,dc=xxx,dc=xxx,dc=xxx" "cn=*" -v > Assuming you're not using cert8.db and key3.db as your key/cert db > names, the argument to -P should be the full path and filename of the > key/cert database e.g. -P /opt/fedora-ds/alias/slapd-instance-cert8.db. > >> >> ldap_simple_bind: Can't contact LDAP server >> SSL error -8179 (Peer's Certificate issuer is not recognized.) >> >> Thanks in advance. >> >> J.G. >> >> >> >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > From rmeggins at redhat.com Tue Jul 18 15:12:13 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Tue, 18 Jul 2006 09:12:13 -0600 Subject: [Fedora-directory-users] Win2003 AD SSL certs In-Reply-To: <44BCF7F8.4050803@lbl.gov> References: <44BC0B5E.3050404@lbl.gov> <44BC0E7E.4060900@redhat.com> <44BCF7F8.4050803@lbl.gov> Message-ID: <44BCFA4D.6090702@redhat.com> Jeff Gamsby wrote: > Thanks, > > I tried that, it doesn't seem to matter. When I had it running on a > Win2k server, it worked with the "-P ." Then you probably have a file called cert8.db in that directory. > I'm wondering if there is anything that has to be done differently > when using Win2003 vs. Win2k servers? Not that I know of. > > I guess it could be a DNS problem. I'm looking into that now. Yes, could be DNS. > > Any suggestions are welcome. > > > Richard Megginson wrote: >> Jeff Gamsby wrote: >>> >>> Can someone please tell me if I have this right? >>> >>> 1) Create certs for FDS server. >>> 2) export servercerts on FDS. 
>>> 3) install Active Directory and certificate services ( Enterprise >>> Root CA ) >>> 4) Setup Active Directory for SSL ( tested with ldp.exe ) >>> 5) Export AD cert, import into FDS >>> 6) Install PassSync, import servercerts from FDS >>> 7) Test ldapsearch over SSL to AD. >>> >>> I have just upgraded to Windows server 2003 R2 and I can't get SSL >>> from FDS to AD working again. >>> >>> I get this error. >>> >>> ../shared/bin/ldapsearch -Z -P . -h ad-server -p 636 -D >>> "cn=administrator,cn=users,dc=xxx,dc=xxx,dc=xxx" -w - -s sub -b >>> "cn=users,dc=xxx,dc=xxx,dc=xxx" "cn=*" -v >> Assuming you're not using cert8.db and key3.db as your key/cert db >> names, the argument to -P should be the full path and filename of the >> key/cert database e.g. -P /opt/fedora-ds/alias/slapd-instance-cert8.db. >> >>> >>> ldap_simple_bind: Can't contact LDAP server >>> SSL error -8179 (Peer's Certificate issuer is not recognized.) >>> >>> Thanks in advance. >>> >>> J.G. >>> >>> >>> >>> >>> -- >>> Fedora-directory-users mailing list >>> Fedora-directory-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> ------------------------------------------------------------------------ >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... 
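A check for the trust problem in the exchange above, added here as an example; it is not part of the thread and not Fedora DS code. NSS error -8179 means the client found no trusted issuer for the certificate the AD server presented, so the two things to confirm are (a) that the cert/key database handed to `-P` really holds the AD CA with a `C` (trusted CA for SSL) in the first trust column, since a CA imported with `P,,` or `,,` does not validate issuers, and (b) which issuer the AD server's certificate actually names. The script drives NSS's own `certutil -L` (`-d` is the database directory, `-P` the file prefix, e.g. `slapd-instance-` for `/opt/fedora-ds/alias/slapd-instance-cert8.db`) and `openssl s_client`; both parsers are pure functions. The sample outputs, host names and the nickname `AD-Enterprise-Root-CA` are constructed for the example.

```python
"""Diagnose `ldapsearch -Z -P <certdb>` failing with NSS error -8179
("Peer's Certificate issuer is not recognized") against an AD server.
Added example, not Fedora DS code; the sample outputs are constructed."""
import re
import subprocess
import sys

# `certutil -L` prints "<nickname>  <SSL>,<S/MIME>,<JAR/XPI>" per cert.
# 'C' in the SSL column = CA trusted to issue server certs; 'u' = own cert
# with a private key; 'P' = trusted peer only (does NOT validate issuers).
CERT_LINE = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")
VERIFY_LINE = re.compile(r"^\s*Verify return code:\s*(?P<code>\d+)\s*\((?P<reason>[^)]*)\)")
ISSUER_LINE = re.compile(r"^issuer\s*=\s*(?P<issuer>.+?)\s*$")


def parse_certutil_list(text):
    """Map nickname -> SSL trust flags for every certificate listed."""
    certs = {}
    for line in text.splitlines():
        m = CERT_LINE.match(line)
        if m:
            certs[m.group("nick").strip()] = m.group("trust").split(",")[0]
    return certs


def trusted_ssl_cas(text):
    """Nicknames NSS will accept as the issuer of a server certificate."""
    return sorted(nick for nick, flags in parse_certutil_list(text).items() if "C" in flags)


def parse_s_client_verify(text):
    """Extract the verify result and the leaf cert's issuer from s_client output."""
    result = {"code": None, "reason": None, "issuer": None}
    for line in text.splitlines():
        m = VERIFY_LINE.match(line)
        if m:
            result["code"] = int(m.group("code"))
            result["reason"] = m.group("reason")
            continue
        m = ISSUER_LINE.match(line)
        if m and result["issuer"] is None:
            result["issuer"] = m.group("issuer")
    return result


def list_certdb(dbdir, prefix):
    """Run `certutil -L` on an NSS database given as directory + file prefix."""
    return subprocess.run(["certutil", "-L", "-d", dbdir, "-P", prefix],
                          check=True, capture_output=True, text=True).stdout


def probe_ldaps(host, port, cafile):
    """Open an LDAPS connection with openssl and verify the chain against cafile."""
    proc = subprocess.run(["openssl", "s_client", "-connect", "%s:%d" % (host, port),
                           "-CAfile", cafile], input="", capture_output=True, text=True)
    return parse_s_client_verify(proc.stdout)


def main(argv):
    if len(argv) != 5:
        sys.exit("usage: check_ad_trust.py <certdb-dir> <prefix> <ad-host> <ad-ca.pem>")
    dbdir, prefix, host, cafile = argv[1:]
    cas = trusted_ssl_cas(list_certdb(dbdir, prefix))
    print("CA certs trusted for SSL in %s/%scert8.db: %s" % (dbdir, prefix, cas or "NONE"))
    res = probe_ldaps(host, 636, cafile)
    print("AD server cert issuer: %s" % res["issuer"])
    print("openssl verify: %s (%s)" % (res["code"], res["reason"]))
    if not cas:
        print("-> the database has no CA trusted for SSL; reimport the AD CA with -t \"C,,\"")


# Constructed sample output in the layout the two tools use (not captured
# from the poster's servers).
SAMPLE_CERTUTIL = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

AD-Enterprise-Root-CA                                        CT,,
Server-Cert                                                  u,u,u
ad-ca-imported-wrong                                         P,,
"""

SAMPLE_S_CLIENT = """\
CONNECTED(00000003)
depth=0 CN = ad-server.example.com
verify error:num=20:unable to get local issuer certificate
---
subject=CN = ad-server.example.com
issuer=DC = com, DC = example, CN = example-Enterprise-Root-CA
---
    Verify return code: 21 (unable to verify the first certificate)
"""

if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 check_ad_trust.py /opt/fedora-ds/alias slapd-instance- ad-server ad-ca.pem` against a live setup. If the AD CA is listed with anything other than a `C` in the first column, reimport it with `certutil -A -d <dir> -P <prefix> -n <nickname> -t "C,," -i ad-ca.pem`; if openssl verifies the chain with the exported CA but ldapsearch still fails, the database handed to `-P` is not the one that was imported into.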
From david.bogen at icecube.wisc.edu Tue Jul 18 16:34:52 2006
From: david.bogen at icecube.wisc.edu (David Bogen)
Date: Tue, 18 Jul 2006 11:34:52 -0500
Subject: [Fedora-directory-users] Blank Password Policy Screen
In-Reply-To: <08422C17320455488F792FCD66404BB36BF760@bnesbexc01.datacom.com.au>
References: <08422C17320455488F792FCD66404BB36BF760@bnesbexc01.datacom.com.au>
Message-ID: <44BD0DAC.9020802@icecube.wisc.edu>

I've seen this problem, but only with 1.5.0_07 on RHEL4. Unfortunately, I have not been able to consistently reproduce the problem, so I can't do any sort of troubleshooting. Regardless, you're not the only one who has seen this problem.

David

--
David Bogen :: (608) 263-0168
Unix SysAdmin :: IceCube Project
david.bogen at icecube.wisc.edu

From pkime at Shopzilla.com Tue Jul 18 18:43:16 2006
From: pkime at Shopzilla.com (Philip Kime)
Date: Tue, 18 Jul 2006 11:43:16 -0700
Subject: [Fedora-directory-users] SNMP monitoring
Message-ID: <9C0091F428E697439E7A773FFD083427025F3C@szexchange.Shopzilla.inc>

My knowledge of SNMP is only fair, bear with me ...

I've set up the subagent for SNMP monitoring and can snmpwalk the rhds stuff, with the output below. I have a few questions though:

1. what is the ".389" suffix on the variables? Looks like the port number of the server?
2. If I query the DS, none of the counters change?
3. The dsIntTable part of the MIB has no entries (I tried with snmptable) - how does this get populated?
4. Do I need to do anything to "enable" SNMP on the servers? The checkbox mentioned in the docs doesn't exist but dse.ldif does have "nsSNMPEnabled: on"

RHDS-MIB::dsAnonymousBinds.389 = Counter32: 0
RHDS-MIB::dsUnAuthBinds.389 = Counter32: 0
RHDS-MIB::dsSimpleAuthBinds.389 = Counter32: 21
RHDS-MIB::dsStrongAuthBinds.389 = Counter32: 0
RHDS-MIB::dsBindSecurityErrors.389 = Counter32: 0
RHDS-MIB::dsInOps.389 = Counter32: 306
RHDS-MIB::dsReadOps.389 = Counter32: 0
RHDS-MIB::dsCompareOps.389 = Counter32: 0
RHDS-MIB::dsAddEntryOps.389 = Counter32: 0
RHDS-MIB::dsRemoveEntryOps.389 = Counter32: 0
RHDS-MIB::dsModifyEntryOps.389 = Counter32: 53
RHDS-MIB::dsModifyRDNOps.389 = Counter32: 0
RHDS-MIB::dsListOps.389 = Counter32: 0
RHDS-MIB::dsSearchOps.389 = Counter32: 81
RHDS-MIB::dsOneLevelSearchOps.389 = Counter32: 6
RHDS-MIB::dsWholeSubtreeSearchOps.389 = Counter32: 7
RHDS-MIB::dsReferrals.389 = Counter32: 0
RHDS-MIB::dsChainings.389 = Counter32: 0
RHDS-MIB::dsSecurityErrors.389 = Counter32: 0
RHDS-MIB::dsErrors.389 = Counter32: 72
RHDS-MIB::dsMasterEntries.389 = Gauge32: 0
RHDS-MIB::dsCopyEntries.389 = Gauge32: 0
RHDS-MIB::dsCacheEntries.389 = Gauge32: 0
RHDS-MIB::dsCacheHits.389 = Counter32: 0
RHDS-MIB::dsSlaveHits.389 = Counter32: 0

--
Philip Kime
NOPS Systems Architect
310 401 0407

From brian.smith at worldpub.net Tue Jul 18 18:45:39 2006
From: brian.smith at worldpub.net (brian)
Date: Tue, 18 Jul 2006 14:45:39 -0400
Subject: [Fedora-directory-users] Administrative Domains
Message-ID: <1153248339.15734.9.camel@localhost.localdomain>

Hello all, quick question I am not sure about. I am trying to set up different administrative domains for my ldap servers. I created ldapconfig.domain.com which contains dc=ldapconfig,dc=domain,dc=com and o=NetscapeRoot for my configuration servers, which are load balanced in master master configuration on server1 and server2. When I click on configdirectory.domain.com the "User directory host and port" are set to server1.domain.com:389. Are there any problems setting it to configdirectory.domain.com, which resolves to my loadbalancer and sends requests to both servers? I've tested authentication with server1 down then with server2 down, and they work fine and re-sync when the other one is back online. I wasn't sure if this setting is just for a reference?

Thanks
Brian Smith

From jo.de.troy at gmail.com Wed Jul 19 13:45:30 2006
From: jo.de.troy at gmail.com (Jo De Troy)
Date: Wed, 19 Jul 2006 15:45:30 +0200
Subject: [Fedora-directory-users] Replication multiple suffixes
Message-ID:

Hello,

I was wondering what the best way to set up multi-master replication was when multiple suffixes exist on each supplier. Should we first set up each supplier with the same root suffix in the userRoot DB, then set up replication, then create the 2nd suffix in a separate database and set up replication for this suffix ...

I'm currently trying to use the mmr script to set up replication without success. I have 2 Fedora DS servers running, each with a different suffix in their userRoot, and would like to set up replication to each other.

Thanks in advance,
Jo

From dhollis at davehollis.com Wed Jul 19 15:52:31 2006
From: dhollis at davehollis.com (David Hollis)
Date: Wed, 19 Jul 2006 11:52:31 -0400
Subject: [Fedora-directory-users] FHS packaging - combine old and new with symlinks
In-Reply-To: <44BC06A8.2060406@redhat.com>
References: <44BBCC62.80606@redhat.com> <44BBE294.4010509@wellthot.com> <44BBE3BE.4070309@sci.fi> <44BBF887.6010100@wellthot.com> <44BC06A8.2060406@redhat.com>
Message-ID: <1153324351.12371.3.camel@dhollis-lnx.sunera.com>

On Mon, 2006-07-17 at 15:52 -0600, Richard Megginson wrote:
> > Then editing the /etc/named.conf file no longer modifies the real
> > source file at /var/named/chroot/etc/named.conf.
> That's bad, and exactly what would/could happen with my proposal. Even
> if we swap the direction of the symlinks, it would still break in the
> other way i.e. if you tried to do the same thing under
> /opt/fedora-ds/slapd-instance/config - and if you tried to
> backup/restore with tar, you would either be getting only the symlinks,
> or if following symlinks, they would be broken upon restore.
>
> So, is there a way to have both? If not symlinks, then what?
>

If the FHS layout is used, but all of the actual directory data winds up under something like /var/lib/fedora-ds//, wouldn't that suffice for making backup/restores easy and the like? Maybe there would also be a corresponding /etc/fedora-ds/ directory for config files and such, but the actual DBs under /var. I normally don't worry too much about backing up executables and libraries that are just stock RPMs as I can always recreate that portion of the environment. The data is certainly the other story.

--
David Hollis

From Diana.Shepard at cusys.edu Thu Jul 20 22:02:18 2006
From: Diana.Shepard at cusys.edu (Diana Shepard)
Date: Thu, 20 Jul 2006 16:02:18 -0600
Subject: [Fedora-directory-users] Can't start console
Message-ID: <7315857F21D51B449CC55ADE3A568318C37FEB@ex2k3.ad.cusys.edu>

I have Fedora DS v1.0.2 installed on Linux AS v. 4, 64-bit.

I get the following when I try /opt/fedora-ds/startconsole. The libjss3.so file does indeed exist. I tried setting and exporting

LD_LIBRARY_PATH=/opt/fedora-ds/shared/lib:/opt/fedora-ds/lib

to no avail. What the heck does it want?

[root at ldap2 fedora-ds]# ./startconsole
Exception in thread "main" java.lang.UnsatisfiedLinkError: /opt/fedora-ds/lib/libjss3.so: /opt/fedora-ds/lib/libjss3.so: cannot open shared object file: No such file or directory
        at java.lang.ClassLoader$NativeLibrary.load(Native Method)
        at java.lang.ClassLoader.loadLibrary0(ClassLoader.java:1560)
        at java.lang.ClassLoader.loadLibrary(ClassLoader.java:1485)
        at java.lang.Runtime.loadLibrary0(Runtime.java:788)
        at java.lang.System.loadLibrary(System.java:834)
        at org.mozilla.jss.CryptoManager.loadNativeLibraries(CryptoManager.java:1330)
        at org.mozilla.jss.CryptoManager.initialize(CryptoManager.java:822)
        at org.mozilla.jss.CryptoManager.initialize(CryptoManager.java:795)
        at com.netscape.management.client.util.UtilConsoleGlobals.initJSS(Unknown Source)
        at com.netscape.management.client.util.UtilConsoleGlobals.getLDAPSSLSocketFactory(Unknown Source)
        at com.netscape.management.client.console.Console.LDAPinitialization(Unknown Source)
        at com.netscape.management.client.console.Console.(Unknown Source)
        at com.netscape.management.client.console.Console.main(Unknown Source)

Diana Shepard
University of Colorado,Boulder
University Management Systems

From rmeggins at redhat.com Fri Jul 21 01:09:19 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 20 Jul 2006 19:09:19 -0600
Subject: [Fedora-directory-users] Can't start console
In-Reply-To: <7315857F21D51B449CC55ADE3A568318C37FEB@ex2k3.ad.cusys.edu>
References: <7315857F21D51B449CC55ADE3A568318C37FEB@ex2k3.ad.cusys.edu>
Message-ID: <44C0293F.6020505@redhat.com>

Which jre are you using?

Diana Shepard wrote:
>
> I have Fedora DS v1.0.2 installed on Linux AS v. 4, 64-bit.
>
> I get the following when I try /opt/fedora-ds/startconsole. The
> libjss3.so
> file does indeed exist. I tried setting and exporting
>
> LD_LIBRARY_PATH=/opt/fedora-ds/shared/lib:/opt/fedora-ds/lib
>
> to no avail. What the heck does it want?
>
> [root at ldap2 fedora-ds]# ./startconsole
> Exception in thread "main" java.lang.UnsatisfiedLinkError:
> /opt/fedora-ds/lib/libjss3.so: /opt/fedora-ds/lib/libjss3.so: cannot
> open shared object file: No such file or directory
>
>         at java.lang.ClassLoader$NativeLibrary.load(Native Method)
>         at java.lang.ClassLoader.loadLibrary0(ClassLoader.java:1560)
>         at java.lang.ClassLoader.loadLibrary(ClassLoader.java:1485)
>         at java.lang.Runtime.loadLibrary0(Runtime.java:788)
>         at java.lang.System.loadLibrary(System.java:834)
>         at org.mozilla.jss.CryptoManager.loadNativeLibraries(CryptoManager.java:1330)
>         at org.mozilla.jss.CryptoManager.initialize(CryptoManager.java:822)
>         at org.mozilla.jss.CryptoManager.initialize(CryptoManager.java:795)
>         at com.netscape.management.client.util.UtilConsoleGlobals.initJSS(Unknown Source)
>         at com.netscape.management.client.util.UtilConsoleGlobals.getLDAPSSLSocketFactory(Unknown Source)
>         at com.netscape.management.client.console.Console.LDAPinitialization(Unknown Source)
>         at com.netscape.management.client.console.Console.(Unknown Source)
>         at com.netscape.management.client.console.Console.main(Unknown Source)
>
> Diana Shepard
> University of Colorado,Boulder
> University Management Systems
>
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
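Following Richard's question about the JRE, a diagnostic added here as an example (it is not from the thread and not Fedora DS code): on a 64-bit host a 32-bit JVM cannot dlopen a 64-bit libjss3.so, and the JVM wraps whatever the dynamic loader reports into an UnsatisfiedLinkError, so checking the architecture of both sides directly is quicker than reading the message. The script parses the ELF identification bytes of the library and of the JVM (the `java` binary or its `libjava.so`) and reports whether class (32/64-bit) and machine type agree. The file paths are arguments; the header bytes used in the tests are constructed, and the `e_machine` table is a subset of the ELF specification's values.

```python
"""Compare the ELF class and machine type of a shared library with those of
the JVM that is supposed to load it. Added example; not Fedora DS code."""
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ELF_CLASS = {1: "ELFCLASS32", 2: "ELFCLASS64"}          # e_ident[EI_CLASS]
ELF_TYPE = {2: "EXEC", 3: "DYN"}                        # e_type
# e_machine values from the ELF specification (subset relevant here)
ELF_MACHINE = {3: "i386", 20: "ppc", 21: "ppc64", 43: "sparcv9", 62: "x86-64"}


def elf_info(header):
    """Parse the first 20 bytes of an ELF file into class/type/machine."""
    if len(header) < 20 or header[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = header[4], header[5]
    endian = "<" if ei_data == 1 else ">"               # EI_DATA: 1 = LSB, 2 = MSB
    e_type, e_machine = struct.unpack(endian + "HH", header[16:20])
    return {
        "class": ELF_CLASS.get(ei_class, "unknown"),
        "bits": 64 if ei_class == 2 else 32,
        "type": ELF_TYPE.get(e_type, "other"),
        "machine": ELF_MACHINE.get(e_machine, "EM_%d" % e_machine),
    }


def elf_info_from_file(path):
    """Read just enough of the file to identify it."""
    with open(path, "rb") as fh:
        return elf_info(fh.read(20))


def loadable_by(lib, jvm):
    """True if a process built like `jvm` can dlopen a library built like `lib`."""
    return lib["class"] == jvm["class"] and lib["machine"] == jvm["machine"]


def elf_header(bits, machine, e_type=3, little_endian=True):
    """Build a constructed 20-byte ELF identification (used for the self-test)."""
    ident = ELF_MAGIC + bytes([2 if bits == 64 else 1, 1 if little_endian else 2, 1, 0])
    ident += b"\x00" * 8                                 # pad e_ident to 16 bytes
    return ident + struct.pack(("<" if little_endian else ">") + "HH", e_type, machine)


def main(argv):
    if len(argv) != 3:
        sys.exit("usage: elfcheck.py <library.so> <java-binary-or-libjava.so>")
    lib, jvm = elf_info_from_file(argv[1]), elf_info_from_file(argv[2])
    for name, info in (("library", lib), ("jvm", jvm)):
        print("%-8s %s %-7s %s" % (name, info["class"], info["machine"], info["type"]))
    if loadable_by(lib, jvm):
        print("architecture matches; look elsewhere (missing dependency, java.library.path)")
    else:
        print("MISMATCH: this JVM cannot load this library")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 elfcheck.py /opt/fedora-ds/lib/libjss3.so $(which java)`. If the architectures match, the next things to look at are the library's own dependencies (`ldd`) and the JVM's `java.library.path`. One further hint, a fact about Sun's JDK rather than something the thread states: Sun's 64-bit 1.4.2 JDK for AMD64 shipped only the Server VM, so a `java -version` banner that reports `Client VM` on a 64-bit host is itself a sign that the JRE in use is 32-bit.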
From brian.smith at worldpub.net Fri Jul 21 15:58:52 2006
From: brian.smith at worldpub.net (brian)
Date: Fri, 21 Jul 2006 11:58:52 -0400
Subject: [Fedora-directory-users] Can't start console
In-Reply-To: <7315857F21D51B449CC55ADE3A568318C37FEB@ex2k3.ad.cusys.edu>
References: <7315857F21D51B449CC55ADE3A568318C37FEB@ex2k3.ad.cusys.edu>
Message-ID: <1153497532.22758.6.camel@localhost.localdomain>

what does "ls -l /opt/fedora-ds/lib/libjss3.so" show?

On Thu, 2006-07-20 at 16:02 -0600, Diana Shepard wrote:
> I have Fedora DS v1.0.2 installed on Linux AS v. 4, 64-bit.
>
> I get the following when I try /opt/fedora-ds/startconsole. The
> libjss3.so
> file does indeed exist. I tried setting and exporting
>
> LD_LIBRARY_PATH=/opt/fedora-ds/shared/lib:/opt/fedora-ds/lib
>
> to no avail. What the heck does it want?
>
> [root at ldap2 fedora-ds]# ./startconsole
> Exception in thread "main"
> java.lang.UnsatisfiedLinkError: /opt/fedora-ds/lib/libjss3.so: /opt/fedora-ds/lib/libjss3.so: cannot open shared object file: No such file or directory
>
>         at java.lang.ClassLoader$NativeLibrary.load(Native Method)
>         at java.lang.ClassLoader.loadLibrary0(ClassLoader.java:1560)
>         at java.lang.ClassLoader.loadLibrary(ClassLoader.java:1485)
>         at java.lang.Runtime.loadLibrary0(Runtime.java:788)
>         at java.lang.System.loadLibrary(System.java:834)
>         at org.mozilla.jss.CryptoManager.loadNativeLibraries(CryptoManager.java:1330)
>         at org.mozilla.jss.CryptoManager.initialize(CryptoManager.java:822)
>         at org.mozilla.jss.CryptoManager.initialize(CryptoManager.java:795)
>         at com.netscape.management.client.util.UtilConsoleGlobals.initJSS(Unknown Source)
>         at com.netscape.management.client.util.UtilConsoleGlobals.getLDAPSSLSocketFactory(Unknown Source)
>         at com.netscape.management.client.console.Console.LDAPinitialization(Unknown Source)
>         at com.netscape.management.client.console.Console.(Unknown Source)
>         at com.netscape.management.client.console.Console.main(Unknown Source)
>
> Diana Shepard
> University of Colorado,Boulder
> University Management Systems
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From perk at funcom.com Fri Jul 21 17:15:36 2006
From: perk at funcom.com (Per Kristiansen)
Date: Fri, 21 Jul 2006 19:15:36 +0200
Subject: [Fedora-directory-users] I'm feeling like I'm drowning!
Message-ID: <44C10BB8.9050409@funcom.com>

I've been reading about LDAP for the last couple of years, and finally got to start planning an implementation.

I've settled for a pretty simple config, where I would put user info (unix), samba and general user info on LDAP for starters (future plans are SSH public keys and host based access rules)

But...I'm feeling like I'm drowning, I've read the o'reilly book, and I've googled my behind off.

And so far I have found that LDAP is like PERL, there is no ONE way of doing it :)...

I've read the white papers at redhat.com, and managed to get SMB authentication to work, but the one thing that keeps bugging me is this:

Do I have to write my own data entry interface ?

I had hoped to let the people at HR do the data entry on the "soft" information, while the operations people do the "hard" information.

I hoped FDS would have something I could use, but I'm unable to figure out if it has a web interface or if it must be entry via the X-Windows program.

I'm sorry to be so whiny :)..and yes I'll have some cheese later, but please, anyone throw me a friggin' bone here :)

From patrick.morris at hp.com Fri Jul 21 17:20:51 2006
From: patrick.morris at hp.com (Morris, Patrick)
Date: Fri, 21 Jul 2006 13:20:51 -0400
Subject: [Fedora-directory-users] I'm feeling like I'm drowning!
In-Reply-To: <44C10BB8.9050409@funcom.com>
Message-ID:

> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com
> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf
> Of Per Kristiansen
> Sent: Friday, July 21, 2006 10:16 AM
> To: fedora-directory-users at redhat.com
> Subject: [Fedora-directory-users] I'm feeling like I'm drowning!
>
> I had hoped to let the people at HR do the data entry on the "soft"
> information, while the operations people do the "hard" information.
>

When you set up your directory server, you specified a port for the admin interface. Browse to it and see if it does what you want.

From ben.steeves at unb.ca Fri Jul 21 18:20:58 2006
From: ben.steeves at unb.ca (Ben Steeves)
Date: Fri, 21 Jul 2006 15:20:58 -0300
Subject: [Fedora-directory-users] I'm feeling like I'm drowning!
In-Reply-To: <44C10BB8.9050409@funcom.com>
References: <44C10BB8.9050409@funcom.com>
Message-ID: <7ebb24d10607211120v43cc0ca6md7bb973d20d99768@mail.gmail.com>

On 7/21/06, Per Kristiansen wrote:
> But...I'm feeling like I'm drowning, I've read the o'reilly book, and
> I've googled my behind off.

The O'Reilly book is OK as far as it goes but it barely scratches the surface. It's also focussed on OpenLDAP which is almost, but not entirely unlike FDS. "Understanding and Deploying LDAP Directory Services" by Howes, Smith & Good is an excellent reference, especially when you get to dealing with the internals...

http://www.amazon.com/gp/product/0672323168/sr=8-1/qid=1153505689/ref=pd_bbs_1/103-6902275-7741413?ie=UTF8

> Do I have to write my own data entry interface ?

It depends entirely on what you need and how much power you're willing to give to people. The built-in web interface is fairly robust, but there's also phpLDAPAdmin (http://phpldapadmin.sf.net/) which I really like. Our account admins use it.

> I had hoped to let the people at HR do the data entry on the "soft"
> information, while the operations people do the "hard" information.

If people are going to need access to just a few attributes, or you need to apply business rules to the process before it hits the directory, you're probably best off building your own interfaces (or a framework on which to build multiple interfaces). In our case I built a PERL module that our devs use to talk to the directory that implements our directory organization principles, neatly abstracting it out so that they don't have to worry about mundane directory matters but can concentrate on the business rules and user interface.

--
  _     Ben Steeves                  bcs at metacon.ca
 ( )    The ASCII ribbon campaign    ben.steeves at unb.ca
  X     against HTML e-mail          GPG ID: 0xB3EBF1D9
 / \    http://www.metacon.ca/ascii  Yahoo Messenger: ben_steeves

From rmeggins at redhat.com Fri Jul 21 18:24:50 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 21 Jul 2006 12:24:50 -0600
Subject: [Fedora-directory-users] I'm feeling like I'm drowning!
In-Reply-To: <44C10BB8.9050409@funcom.com>
References: <44C10BB8.9050409@funcom.com>
Message-ID: <44C11BF2.1000104@redhat.com>

Per Kristiansen wrote:
> I've been reading about LDAP for the last couple of years, and finally
> got to start planning an implementation.
>
> I've settled for a pretty simple config, where I would put user info
> (unix), samba and general user info on LDAP for starters (future plans
> are SSH public keys and host based access rules)
>
> But...I'm feeling like I'm drowning, I've read the o'reilly book, and
> I've googled my behind off.
>
> And so far I have found that LDAP is like PERL, there is no ONE way
> of doing it :)...
>
> I've read the white papers at redhat.com, and managed to get SMB
> authentication to work, but the one thing that keeps bugging me is this:
>
> Do I have to write my own data entry interface ?
>
> I had hoped to let the people at HR do the data entry on the "soft"
> information, while the operations people do the "hard" information.
What usually happens (in medium/large enterprises) is that HR people enter data into their Oracle/Peoplesoft/SAP system, and this data gets sync'd over to the LDAP server. For example, check out this - ftp://ftp.mozilla.org/pub/mozilla.org/directory/tools - written using perldap by our LDAP admin at Netscape many years ago. There are probably newer, better tools for doing this now.
> I hoped FDS would have something I could use, but I'm unable to figure
> out if it has a web interface or if it must be entry via the X-Windows
> program.
There are two web interfaces. The Directory Express web app is used to allow self service user data administration (including password change).
>
> I'm sorry to be so whiny :)..and yes I'll have some cheese later, but
> please, anyone throw me a friggin' bone here :)
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From jclowser at unitedmessaging.com Fri Jul 21 18:38:04 2006
From: jclowser at unitedmessaging.com (Jeff Clowser)
Date: Fri, 21 Jul 2006 14:38:04 -0400
Subject: [Fedora-directory-users] I'm feeling like I'm drowning!
In-Reply-To: <7ebb24d10607211120v43cc0ca6md7bb973d20d99768@mail.gmail.com>
References: <44C10BB8.9050409@funcom.com> <7ebb24d10607211120v43cc0ca6md7bb973d20d99768@mail.gmail.com>
Message-ID: <44C11F0C.6090302@unitedmessaging.com>

Ben Steeves wrote:
> On 7/21/06, Per Kristiansen wrote:
>
>> I had hoped to let the people at HR do the data entry on the "soft"
>> information, while the operations people do the "hard" information.
>
> If people are going to need access to just a few attributes, or you
> need to apply business rules to the process before it hits the
> directory, you're probably best off building your own interfaces (or a
> framework on which to build multiple interfaces). In our case I built
> a PERL module that our devs use to talk to the directory that
> implements our directory organization principles, neatly abstracting
> it out so that they don't have to worry about mundane directory
> matters but can concentrate on the business rules and user interface.

I like to think of LDAP as a building block toward creating an infrastructure. Think of it like an SQL database, if you are familiar with that - you can set it up, but the structure of the data, as well as permissions on who can do what with the data, is more or less external to the directory/db server. Creating a useful LDAP service, esp if you are integrating lots of end user services against it, is sometimes a bit of an art.

You can write a custom interface in perl, java, etc - I prefer php, but that's just me (actually, php's LDAP api is pretty primitive, but php is simple to code in, and has just enough api to do most things you'll want)... Anyway, that lets me create an interface that looks exactly the way I want it to, covers all the components I have working against LDAP, allows me to apply business logic against it, etc.

You can find prebuilt generic ldap browsers, but these tend to either not include business logic (see below), or aren't "aware" enough about apps you have (for example, if you are using samba, there may be certain restrictions on the values you put in ldap that a generic browser that just lets you edit fields doesn't know about). Interfaces that ARE aware of some apps you use tend to not know about others - i.e. you might find one that creates users for samba, but knows nothing about your other apps and how they use LDAP, so you may not get a single "complete" admin tool.

ACIs in ldap can be used to restrict who can do what - i.e. an ops group that can create users, an HR group that can edit address, phone, etc info on existing users, etc. However, if you want to incorporate business logic (i.e. make uids all lower case, restrict the state field to only upper case/valid US state abbreviations, etc), you have to have an admin tool that enforces this - there is nothing inherent in LDAP to do this.

- Jeff

From Diana.Shepard at cusys.edu Fri Jul 21 19:54:27 2006
From: Diana.Shepard at cusys.edu (Diana Shepard)
Date: Fri, 21 Jul 2006 13:54:27 -0600
Subject: [Fedora-directory-users] Can't start console
In-Reply-To: <20060721160006.2A27D735BF@hormel.redhat.com>
Message-ID: <7315857F21D51B449CC55ADE3A568318C380D4@ex2k3.ad.cusys.edu>

Thanks for the responses. Here are answers:

[root at ldap2 ~]# java -version
java version "1.4.2_04"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_04-b05)
Java HotSpot(TM) Client VM (build 1.4.2_04-b05, mixed mode)

[root at ldap2 ~]# ls -l /opt/fedora-ds/lib/libjss3.so
-rwxr-xr-x 1 root root 213324 Nov 15 2005 /opt/fedora-ds/lib/libjss3.so

[root at ldap2 ~]# echo $LD_LIBRARY_PATH
/opt/fedora-ds/lib:/opt/fedora-ds/shared/lib

[root at ldap2 ~]# ldd /opt/fedora-ds/lib/libjss3.so
        libnss3.so => /opt/fedora-ds/shared/lib/libnss3.so (0x0000002a95682000)
        libsmime3.so => /opt/fedora-ds/shared/lib/libsmime3.so (0x0000002a95807000)
        libssl3.so => /opt/fedora-ds/shared/lib/libssl3.so (0x0000002a95932000)
        libplc4.so => /opt/fedora-ds/shared/lib/libplc4.so (0x0000002a95a5f000)
        libplds4.so => /opt/fedora-ds/shared/lib/libplds4.so (0x0000002a95b64000)
        libnspr4.so => /opt/fedora-ds/shared/lib/libnspr4.so (0x0000002a95c67000)
        libc.so.6 => /lib64/tls/libc.so.6 (0x0000002a95dad000)
        libsoftokn3.so => /opt/fedora-ds/shared/lib/libsoftokn3.so (0x0000002a95fe1000)
        libpthread.so.0 => /lib64/tls/libpthread.so.0 (0x0000002a9613b000)
        libdl.so.2 => /lib64/libdl.so.2 (0x0000002a96251000)
        /lib64/ld-linux-x86-64.so.2 (0x000000552aaaa000)

Diana Shepard
University of Colorado, Boulder

From ccesario at isic.com.br Fri Jul 21 20:02:21 2006
From: ccesario at isic.com.br (Carlos Cesario)
Date: Fri, 21 Jul 2006 17:02:21 -0300
Subject: [Fedora-directory-users] Init script to Suse 9x 10x
Message-ID: <1153512142.5660.4.camel@localhost.localdomain>

Hi people,

I made two scripts (slapd application and admin server) for Suse 9x 10x systems.
I based them on the scripts for RH (in the wiki). If somebody finds any error, please make the fix or report it to the list :)

Excuse my English :)

Instructions to set up (for the default install path):

#####fedora-ds script######
chmod 755 fedora-ds
cp fedora-ds /etc/init.d/
ln -s /etc/init.d/fedora-ds /usr/sbin/rcfedora-ds

Edit /etc/init.d/fedora-ds and change the APP_NAME variable value to the name of your application, and enable the service in YaST or on the console:

chkconfig fedora-ds on
###########################

######fedora-ds-admin######
chmod 755 fedora-ds-admin
cp fedora-ds-admin /etc/init.d/
ln -s /etc/init.d/fedora-ds-admin /usr/sbin/rcfedora-ds-admin

and enable the service in YaST or on the console:

chkconfig fedora-ds-admin on
##########################

I think that is it.

thanks

Carlos Cesario

-------------- next part --------------
A non-text attachment was scrubbed...
Name: fedora-ds
Type: application/x-shellscript
Size: 3285 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fedora-ds-admin
Type: application/x-shellscript
Size: 2929 bytes
Desc: not available
URL:

From JFGamsby at lbl.gov Mon Jul 24 17:00:31 2006
From: JFGamsby at lbl.gov (Jeff Gamsby)
Date: Mon, 24 Jul 2006 10:00:31 -0700
Subject: [Fedora-directory-users] PassSync sync password errors
Message-ID: <44C4FCAF.4040309@lbl.gov>

I am testing out the PassSync program, but the FDS logs throw an error when trying to sync the passwords.

Can anyone translate this for me please?
[24/Jul/2006:09:48:15 -0700] NSMMReplicationPlugin - agmt="cn=FDS Sync" (fds:636): windows_replay_update: Looking at modify operation local dn="uid=user,ou=people,dc=ldap,dc=example,dc=com" (ours,user,not group)
[24/Jul/2006:09:48:15 -0700] NSMMReplicationPlugin - agmt="cn=FDS Sync" (fds:636): windows_replay_update: Processing modify operation local dn="uid=user,ou=people,dc=ldap,dc=example,dc=com" remote dn=""
[24/Jul/2006:09:48:15 -0700] NSMMReplicationPlugin - agmt="cn=FDS Sync" (fds:636): Received result code 32 (0000208D: NameErr: DSID-031001A8, problem 2001 (NO_OBJECT), data 0, best match of: '' ) for modify operation
[24/Jul/2006:09:48:15 -0700] NSMMReplicationPlugin - agmt="cn=FDS Sync" (fds:636): windows_replay_update: update password returned 1
[24/Jul/2006:09:48:15 -0700] NSMMReplicationPlugin - agmt="cn=FDS Sync" (fds:636): Consumer failed to replay change (uniqueid bfad6881-1dd111b2-8033cdea-25db0000, CSN 44c4f9e7000000010000): No such object. Skipping.
[24/Jul/2006:09:48:15 -0700] agmt="cn=FDS Sync" (fds:636) - load=1 rec=2 csn=44c4f9e7000100010000
[24/Jul/2006:09:48:15 -0700] NSMMReplicationPlugin - agmt="cn=FDS Sync" (fds:636): windows_replay_update: Looking at modify operation local dn="uid=user,ou=people,dc=ldap,dc=example,dc=com" (ours,user,not group)
[24/Jul/2006:09:48:15 -0700] NSMMReplicationPlugin - agmt="cn=FDS Sync" (fds:636): windows_replay_update: Processing modify operation local dn="uid=user,ou=people,dc=ldap,dc=example,dc=com" remote dn=""
[24/Jul/2006:09:48:15 -0700] agmt="cn=FDS Sync" (fds:636) - clcache_load_buffer: rc=-30990
[24/Jul/2006:09:48:15 -0700] NSMMReplicationPlugin - agmt="cn=FDS Sync" (fds:636): No more updates to send (cl5GetNextOperationToReplay)

Thank you,

Jeff G.
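An added example, not code from this thread or from Fedora DS: it parses the replication records above into replay attempts and explains why the password change was skipped (the modify carries an empty remote dn, so there was no Active Directory entry to update). The sample log is constructed from the lines in the post; the field names are the example's own.

```python
"""Triage Windows Sync (PassSync) replay errors from the FDS error log.
Added example, not code from this thread or from Fedora Directory Server. It
groups the NSMMReplicationPlugin records quoted above into replay attempts and
explains the skipped one: remote dn="" means no Active Directory entry was
resolved for the local user, so the password modify had no target. Field names
such as "agreement" and "local_dn" are this example's own.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
# Constructed sample: the records from the post, one per line.
SAMPLE_LOG = """\
[24/Jul/2006:09:48:15 -0700] NSMMReplicationPlugin - agmt="cn=FDS Sync" (fds:636): windows_replay_update: Looking at modify operation local dn="uid=user,ou=people,dc=ldap,dc=example,dc=com" (ours,user,not group)
[24/Jul/2006:09:48:15 -0700] NSMMReplicationPlugin - agmt="cn=FDS Sync" (fds:636): windows_replay_update: Processing modify operation local dn="uid=user,ou=people,dc=ldap,dc=example,dc=com" remote dn=""
[24/Jul/2006:09:48:15 -0700] NSMMReplicationPlugin - agmt="cn=FDS Sync" (fds:636): Received result code 32 (0000208D: NameErr: DSID-031001A8, problem 2001 (NO_OBJECT), data 0, best match of: '' ) for modify operation
[24/Jul/2006:09:48:15 -0700] NSMMReplicationPlugin - agmt="cn=FDS Sync" (fds:636): windows_replay_update: update password returned 1
[24/Jul/2006:09:48:15 -0700] NSMMReplicationPlugin - agmt="cn=FDS Sync" (fds:636): Consumer failed to replay change (uniqueid bfad6881-1dd111b2-8033cdea-25db0000, CSN 44c4f9e7000000010000): No such object. Skipping.
[24/Jul/2006:09:48:15 -0700] agmt="cn=FDS Sync" (fds:636) - load=1 rec=2 csn=44c4f9e7000100010000
[24/Jul/2006:09:48:15 -0700] NSMMReplicationPlugin - agmt="cn=FDS Sync" (fds:636): windows_replay_update: Looking at modify operation local dn="uid=user,ou=people,dc=ldap,dc=example,dc=com" (ours,user,not group)
[24/Jul/2006:09:48:15 -0700] NSMMReplicationPlugin - agmt="cn=FDS Sync" (fds:636): windows_replay_update: Processing modify operation local dn="uid=user,ou=people,dc=ldap,dc=example,dc=com" remote dn=""
[24/Jul/2006:09:48:15 -0700] agmt="cn=FDS Sync" (fds:636) - clcache_load_buffer: rc=-30990
[24/Jul/2006:09:48:15 -0700] NSMMReplicationPlugin - agmt="cn=FDS Sync" (fds:636): No more updates to send (cl5GetNextOperationToReplay)
"""

# Record shapes: '[ts] NSMMReplicationPlugin - agmt="x" (peer): msg' and '[ts] agmt="x" (peer) - msg'
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] (?:NSMMReplicationPlugin - )?agmt="(?P<agmt>[^"]+)" '
    r'\((?P<peer>[^)]+)\)(?::| -) (?P<msg>.*)$')
PROCESSING_RE = re.compile(
    r'windows_replay_update: Processing (?P<op>\w+) operation '
    r'local dn="(?P<local>[^"]*)" remote dn="(?P<remote>[^"]*)"')
RESULT_RE = re.compile(
    r'Received result code (?P<code>\d+) \((?P<detail>.*)\) for \w+ operation')
FAILED_RE = re.compile(
    r'Consumer failed to replay change \(uniqueid (?P<uid>[0-9a-f-]+), '
    r'CSN (?P<csn>[0-9a-f]+)\): (?P<reason>.*)')
LDAP_NO_SUCH_OBJECT = 32  # the "result code 32 ... NO_OBJECT" seen in the log

@dataclass
class ReplayAttempt:
    """One change the supplier tried to push to the Windows side."""
    timestamp: str
    agreement: str
    op: str
    local_dn: str
    remote_dn: str
    result_code: Optional[int] = None
    detail: str = ""
    uniqueid: str = ""
    csn: str = ""
    reason: str = ""

    @property
    def failed(self) -> bool:
        return bool(self.reason) or self.result_code not in (None, 0)

def parse_log(text: str) -> List[ReplayAttempt]:
    """Group per-record messages into replay attempts, in log order."""
    attempts: List[ReplayAttempt] = []
    current: Optional[ReplayAttempt] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not an agreement record
        msg = m.group("msg")
        p = PROCESSING_RE.search(msg)
        if p:  # a new attempt starts here; "Looking at ..." records are ignored
            current = ReplayAttempt(m.group("ts"), m.group("agmt"), p.group("op"),
                                    p.group("local"), p.group("remote"))
            attempts.append(current)
            continue
        if current is None:
            continue
        r = RESULT_RE.search(msg)
        if r:
            current.result_code = int(r.group("code"))
            current.detail = r.group("detail").strip()
            continue
        f = FAILED_RE.search(msg)
        if f:
            current.uniqueid, current.csn = f.group("uid"), f.group("csn")
            current.reason = f.group("reason").strip()
            current = None  # attempt closed; later records belong to the next one
    return attempts

def diagnose(a: ReplayAttempt) -> str:
    """Plain-language reason an attempt was skipped, or a note that it is still open."""
    if not a.failed:
        return "no result recorded (replay not completed within this log window)"
    if a.result_code == LDAP_NO_SUCH_OBJECT or "No such object" in a.reason:
        if a.remote_dn == "":
            return ("remote dn is empty: no Active Directory entry is mapped to "
                    f"{a.local_dn}, so the {a.op} had no target; check the "
                    "agreement's subtree mapping and whether the user exists in AD")
        return f"Active Directory entry {a.remote_dn} was not found"
    return f"result code {a.result_code}: {a.detail or a.reason}"

if __name__ == "__main__":
    for a in parse_log(SAMPLE_LOG):
        print(f"{a.timestamp} {a.agreement} {a.op} {a.local_dn}: {diagnose(a)}")
```

A skipped replay means the two directories silently diverge, so `failed` attempts are the condition a monitoring check on this log should raise.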
From tomryan at camlaw.rutgers.edu Tue Jul 25 19:19:27 2006
From: tomryan at camlaw.rutgers.edu (Tom Ryan)
Date: Tue, 25 Jul 2006 15:19:27 -0400
Subject: [Fedora-directory-users] Question re: {KERBEROS} syntax

I am in the midst of migrating from openldap to fedora ds.

In openldap, I could specify the userpassword as

{KERBEROS}kerberosprinc at REALM

And openldap would utilize that for bind verification.

Is this possible under fedora ds? Would a plugin be required (is one currently available?)

Thanks!

Tom

From rmeggins at redhat.com Tue Jul 25 19:37:19 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 25 Jul 2006 13:37:19 -0600
Subject: [Fedora-directory-users] Question re: {KERBEROS} syntax
Message-ID: <44C672EF.7020408@redhat.com>

Tom Ryan wrote:
> I am in the midst of migrating from openldap to fedora ds.
>
> In openldap, I could specify the userpassword as
>
> {KERBEROS}kerberosprinc at REALM
>
> And openldap would utilize that for bind verification.
>
> Is this possible under fedora ds? Would a plugin be required (is one
> currently available?)
Did you see this? http://directory.fedora.redhat.com/wiki/Howto:Kerberos
> Thanks!
>
> Tom

From tomryan at camlaw.rutgers.edu Tue Jul 25 19:39:21 2006
From: tomryan at camlaw.rutgers.edu (Tom Ryan)
Date: Tue, 25 Jul 2006 15:39:21 -0400
Subject: [Fedora-directory-users] Question re: {KERBEROS} syntax
In-Reply-To: <44C672EF.7020408@redhat.com>

Yes, but it's not quite what I'm looking for. Using {KERBEROS} under openldap, the ldap server would validate the supplied user/password using kerberos.

Unless I'm missing something, this won't work for me.

Tom

On 7/25/06 3:37 PM, "Richard Megginson" wrote:
> Tom Ryan wrote:
> > Is this possible under fedora ds? Would a plugin be required (is one
> > currently available?)
> Did you see this? http://directory.fedora.redhat.com/wiki/Howto:Kerberos

From rmeggins at redhat.com Tue Jul 25 19:51:45 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 25 Jul 2006 13:51:45 -0600
Subject: [Fedora-directory-users] Question re: {KERBEROS} syntax
Message-ID: <44C67651.1090601@redhat.com>

Tom Ryan wrote:
> Yes, but it's not quite what I'm looking for. Using {KERBEROS} under
> openldap, the ldap server would validate the supplied user/password
> using kerberos.
>
> Unless I'm missing something, this won't work for me.
Are you attempting a SASL/Kerberos bind or a simple username/password bind? If the latter, you will need the PAM passthru auth plugin:
http://cvs.fedora.redhat.com/viewcvs/ldapserver/ldap/servers/plugins/pam_passthru/README?root=dirsec&rev=1.4&view=auto
>
> Tom
>
> On 7/25/06 3:37 PM, "Richard Megginson" wrote:
> > Tom Ryan wrote:
> > > I am in the midst of migrating from openldap to fedora ds.
> > > In openldap, I could specify the userpassword as
> > >
> > > {KERBEROS}kerberosprinc at REALM
> > >
> > > And openldap would utilize that for bind verification.
> > >
> > > Is this possible under fedora ds? Would a plugin be required (is one
> > > currently available?)
> > Did you see this?
> > http://directory.fedora.redhat.com/wiki/Howto:Kerberos
> > > Thanks!
> > >
> > > Tom

From tomryan at camlaw.rutgers.edu Tue Jul 25 19:56:51 2006
From: tomryan at camlaw.rutgers.edu (Tom Ryan)
Date: Tue, 25 Jul 2006 15:56:51 -0400
Subject: [Fedora-directory-users] Question re: {KERBEROS} syntax
In-Reply-To: <44C67651.1090601@redhat.com>

On 7/25/06 3:51 PM, "Richard Megginson" wrote:
> Tom Ryan wrote:
> > Yes, but it's not quite what I'm looking for. Using {KERBEROS} under
> > openldap, the ldap server would validate the supplied user/password
> > using kerberos.
> >
> > Unless I'm missing something, this won't work for me.
> Are you attempting a SASL/Kerberos bind or a simple username/password
> bind? If the latter, you will need the PAM passthru auth plugin:
> http://cvs.fedora.redhat.com/viewcvs/ldapserver/ldap/servers/plugins/pam_passthru/README?root=dirsec&rev=1.4&view=auto

That's the general idea of what I want. The problem is that users might not necessarily have an account on the box.
Essentially a simple username/password bind that the fedora ds would then use kerberos to authenticate.

That being said, it would appear that fedora ds does not have an equivalent capability to the openldap server out of the box, correct?

Thanks for your very quick responses!

Tom

From rmeggins at redhat.com Tue Jul 25 20:00:22 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 25 Jul 2006 14:00:22 -0600
Subject: [Fedora-directory-users] Question re: {KERBEROS} syntax
Message-ID: <44C67856.5090203@redhat.com>

Tom Ryan wrote:
> That's the general idea of what I want. The problem is that users
> might not necessarily have an account on the box.
> Essentially a simple username/password bind that the fedora ds would
> then use kerberos to authenticate.
>
> That being said, it would appear that fedora ds does not have an
> equivalent capability to the openldap server out of the box, correct?
That is correct, but the pam passthru auth plugin will do what you want.
>
> Thanks for your very quick responses!
>
> Tom

From EMLiberman at ra.rockwell.com Tue Jul 25 20:01:45 2006
From: EMLiberman at ra.rockwell.com (Eugene M Liberman)
Date: Tue, 25 Jul 2006 16:01:45 -0400
Subject: [Fedora-directory-users] Fedora Directory server on Windows XP. Can it be done?

I am trying to build FDS on the Windows XP platform. Can it be done?
Has somebody done it?

Thank you in advance,

Gene Liberman

From rmeggins at redhat.com Tue Jul 25 20:04:52 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 25 Jul 2006 14:04:52 -0600
Subject: [Fedora-directory-users] Fedora Directory server on Windows XP. Can it be done?
Message-ID: <44C67964.2020803@redhat.com>

Eugene M Liberman wrote:
> I am trying to build FDS on the Windows XP platform. Can it be done?
> Has somebody done it?
Yes, about 18 months ago, and not since. The Windows port has rotted quite a bit. You can probably do it, but it will take a couple of weeks or more.
>
> Thank you in advance,
>
> Gene Liberman

From tomryan at camlaw.rutgers.edu Tue Jul 25 20:10:58 2006
From: tomryan at camlaw.rutgers.edu (Tom Ryan)
Date: Tue, 25 Jul 2006 16:10:58 -0400
Subject: [Fedora-directory-users] Question re: {KERBEROS} syntax
In-Reply-To: <44C67856.5090203@redhat.com>

On 7/25/06 4:00 PM, "Richard Megginson" wrote:
>> That being said, it would appear that fedora ds does not have an
>> equivalent capability to the openldap server out of the box, correct?
> That is correct, but the pam passthru auth plugin will do what you want.

I'm confused. It would appear that while it would do something (albeit similar), it would not do what I want.

I.e. allow me to authenticate a user (irregardless of whether they have an account on the local system) by using the supplied simple bind credentials and attempting a kerberos validation of them.

Thanks and again, please pardon my ignorance.

Tom

From EMLiberman at ra.rockwell.com Tue Jul 25 20:14:47 2006
From: EMLiberman at ra.rockwell.com (Eugene M Liberman)
Date: Tue, 25 Jul 2006 15:14:47 -0500
Subject: [Fedora-directory-users] Fedora Directory server on Windows XP.Can it be done?

Richard,

Is it possible to get the build files to use as a template for this new build?

Thank you for good news and such a quick response!

Gene Liberman

Richard Megginson
Sent by: fedora-directory-users-bounces at redhat.com
07/25/2006 04:04 PM
Subject: Re: [Fedora-directory-users] Fedora Directory server on Windows XP. Can it be done?

Eugene M Liberman wrote:
> I am trying to build FDS on the Windows XP platform. Can it be done?
> Has somebody done it?
Yes, about 18 months ago, and not since.
The Windows port has rotted quite a bit. You can probably do it, but it will take a couple of weeks or more.
>
> Thank you in advance,
>
> Gene Liberman

From rmeggins at redhat.com Tue Jul 25 20:22:54 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 25 Jul 2006 14:22:54 -0600
Subject: [Fedora-directory-users] Question re: {KERBEROS} syntax
Message-ID: <44C67D9E.8010605@redhat.com>

Tom Ryan wrote:
> On 7/25/06 4:00 PM, "Richard Megginson" wrote:
> > > That being said, it would appear that fedora ds does not have an
> > > equivalent capability to the openldap server out of the box, correct?
> > That is correct, but the pam passthru auth plugin will do what you
> > want.
>
> I'm confused. It would appear that while it would do something
> (albeit similar), it would not do what I want.
>
> I.e. allow me to authenticate a user (irregardless of whether they
> have an account on the local system) by using the supplied simple bind
> credentials and attempting a kerberos validation of them.
Yes, because with the plugin, fedora ds simply passes the credentials through to PAM, which can be configured to do kerberos auth (local or remote). So, instead of using saslauthd (as in openldap) you just use PAM to do the same thing.
>
> Thanks and again, please pardon my ignorance.
>
> Tom

From rmeggins at redhat.com Tue Jul 25 20:23:50 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 25 Jul 2006 14:23:50 -0600
Subject: [Fedora-directory-users] Fedora Directory server on Windows XP.Can it be done?
Message-ID: <44C67DD6.3010109@redhat.com>

Eugene M Liberman wrote:
> Richard,
>
> Is it possible to get the build files to use as a template for this
> new build?
I don't think we have them anymore.
>
> Thank you for good news and such a quick response!
>
> Gene Liberman
>
> Richard Megginson
> Sent by: fedora-directory-users-bounces at redhat.com
> 07/25/2006 04:04 PM
> Subject: Re: [Fedora-directory-users] Fedora Directory server on Windows XP. Can it be done?
>
> Eugene M Liberman wrote:
> > I am trying to build FDS on the Windows XP platform. Can it be done?
> > Has somebody done it?
> Yes, about 18 months ago, and not since. The Windows port has rotted
> quite a bit. You can probably do it, but it will take a couple of weeks
> or more.

From tomryan at camlaw.rutgers.edu Tue Jul 25 20:32:41 2006
From: tomryan at camlaw.rutgers.edu (Tom Ryan)
Date: Tue, 25 Jul 2006 16:32:41 -0400
Subject: [Fedora-directory-users] Question re: {KERBEROS} syntax
In-Reply-To: <44C67D9E.8010605@redhat.com>

On 7/25/06 4:22 PM, "Richard Megginson" wrote:
>> I.e. allow me to authenticate a user (irregardless of whether they
>> have an account on the local system) by using the supplied simple bind
>> credentials and attempting a kerberos validation of them.
> Yes, because with the plugin, fedora ds simply passes the credentials
> through to PAM, which can be configured to do kerberos auth (local or
> remote). So, instead of using saslauthd (as in openldap) you just use
> PAM to do the same thing.

I'm curious how the pam framework allows for a kerberos principal/realm and password to be checked...

I.e. let's say, in openldap, I have {KERBEROS}user at KRB.REALM.COM; under openldap, this works as expected.
You're saying that I can use the pam pass through module and then put

rhuid: user at KRB.REALM.COM

And then in /etc/pam.d/ldapserver (or whatever I compile it as the name to be), configure it in such a way that PAM will return success.

Maybe pam_krb5.so?

Ahh... maybe no_user_check...

Now I see what you might be referring to.

Thanks!

From tomryan at camlaw.rutgers.edu Tue Jul 25 20:59:54 2006
From: tomryan at camlaw.rutgers.edu (Tom Ryan)
Date: Tue, 25 Jul 2006 16:59:54 -0400
Subject: [Fedora-directory-users] Question re: {KERBEROS} syntax

Also, is there a reason this (the pam_passthru) module is not distributed in the rpm?

Tom

On 7/25/06 4:32 PM, "Tom Ryan" wrote:
> On 7/25/06 4:22 PM, "Richard Megginson" wrote:
>> Yes, because with the plugin, fedora ds simply passes the credentials
>> through to PAM, which can be configured to do kerberos auth (local or
>> remote). So, instead of using saslauthd (as in openldap) you just use
>> PAM to do the same thing.
>
> I'm curious how the pam framework allows for a kerberos principal/realm and
> password to be checked...
>
> You're saying that I can use the pam pass through module and then put
>
> rhuid: user at KRB.REALM.COM
>
> And then in /etc/pam.d/ldapserver (or whatever I compile it as the name to
> be), configure it in such a way that PAM will return success.
>
> Maybe pam_krb5.so?
>
> Ahh... maybe no_user_check...
>
> Now I see what you might be referring to.
> Thanks!

From rmeggins at redhat.com Tue Jul 25 21:06:05 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 25 Jul 2006 15:06:05 -0600
Subject: [Fedora-directory-users] Question re: {KERBEROS} syntax
Message-ID: <44C687BD.5000801@redhat.com>

Tom Ryan wrote:
> Also, is there a reason this (the pam_passthru) module is not
> distributed in the rpm?
It hasn't been fully tested yet, although it has been in production in Red Hat for a few months now - it's how we do the same thing - simple username/password auth against Kerberos.
>
> Tom
>
> On 7/25/06 4:32 PM, "Tom Ryan" wrote:
> > Now I see what you might be referring to.
> >
> > Thanks!

From tomryan at camlaw.rutgers.edu Tue Jul 25 21:13:56 2006
From: tomryan at camlaw.rutgers.edu (Tom Ryan)
Date: Tue, 25 Jul 2006 17:13:56 -0400
Subject: [Fedora-directory-users] Question re: {KERBEROS} syntax
In-Reply-To: <44C687BD.5000801@redhat.com>

On 7/25/06 5:06 PM, "Richard Megginson" wrote:
> Tom Ryan wrote:
>> Also, is there a reason this (the pam_passthru) module is not
>> distributed in the rpm?
> It hasn't been fully tested yet, although it has been in production in
> Red Hat for a few months now - it's how we do the same thing - simple
> username/password auth against Kerberos.

Any chance of a binary being made available of it? I am having a heck of a time building it :)

Tom

From tomryan at camlaw.rutgers.edu Tue Jul 25 21:31:59 2006
From: tomryan at camlaw.rutgers.edu (Tom Ryan)
Date: Tue, 25 Jul 2006 17:31:59 -0400
Subject: [Fedora-directory-users] Question re: {KERBEROS} syntax
In-Reply-To: <44C687BD.5000801@redhat.com>

On 7/25/06 5:06 PM, "Richard Megginson" wrote:
> Tom Ryan wrote:
>> Also, is there a reason this (the pam_passthru) module is not
>> distributed in the rpm?
> It hasn't been fully tested yet, although it has been in production in
> Red Hat for a few months now - it's how we do the same thing - simple
> username/password auth against Kerberos.

Last question, I promise...

Where do I get 60pam-config.ldif?

Tom

From pengle at rice.edu Tue Jul 25 21:36:42 2006
From: pengle at rice.edu (Paul Engle)
Date: Tue, 25 Jul 2006 16:36:42 -0500
Subject: [Fedora-directory-users] Question re: {KERBEROS} syntax
Message-ID: <5B5E67433DBC0DB80284A1D2@nueces.is.rice.edu>

--On Tuesday, July 25, 2006 05:13:56 PM -0400 Tom Ryan wrote:
> On 7/25/06 5:06 PM, "Richard Megginson" wrote:
> > Tom Ryan wrote:
> > > Also, is there a reason this (the pam_passthru) module is not
> > > distributed in the rpm?
> > It hasn't been fully tested yet, although it has been in production in
> > Red Hat for a few months now - it's how we do the same thing - simple
> > username/password auth against Kerberos.
>
> Any chance of a binary being made available of it? I am having a heck of
> a time building it :)
>
> Tom

It was a clunky solution, but when I wanted to build the plugin, I ended up downloading the dsbuild-fds102 (all-in-one) source tarball, modifying dsbuild-fds102/ds/ldapserver/work/fedora-ds-1.0.2/ldap/servers/plugins/Makefile so that the pam_plugin was built by default, and doing the full build. Afterwards, I just grabbed the pam-passthrough-plugin.so file and dropped it into place into the existing /opt/fedora-ds/lib directory from my binary rpm install.

Waaaay overkill, I know. But I wasn't going to fight with trying to build just one module on its own. I'm lazy. :) It seems to be working just fine. We're about to bless the system and roll it out into production.

-paul

--
Paul D. Engle             | Rice University
Sr. Systems Administrator | Information Technology - MS119
(713) 348-4702            | P.O. Box 1892
pengle at rice.edu        | Houston, TX 77251-1892

From tomryan at camlaw.rutgers.edu Tue Jul 25 21:42:19 2006
From: tomryan at camlaw.rutgers.edu (Tom Ryan)
Date: Tue, 25 Jul 2006 17:42:19 -0400
Subject: [Fedora-directory-users] Question re: {KERBEROS} syntax
In-Reply-To: <5B5E67433DBC0DB80284A1D2@nueces.is.rice.edu>

On 7/25/06 5:36 PM, "Paul Engle" wrote:
> It was a clunky solution, but when I wanted to build the plugin, I ended up
> downloading the dsbuild-fds102 (all-in-one) source tarball, modifying
> dsbuild-fds102/ds/ldapserver/work/fedora-ds-1.0.2/ldap/servers/plugins/Makefile
> so that the pam_plugin was built by default, and doing the full build.
> Afterwards, I just grabbed the pam-passthrough-plugin.so file and dropped
> it into place into the existing /opt/fedora-ds/lib directory from my binary
> rpm install.
>
> Waaaay overkill, I know. But I wasn't going to fight with trying to build
> just one module on its own. I'm lazy. :) It seems to be working just fine.
> We're about to bless the system and roll it out into production.
>
> -paul

That's what I ended up doing. Now I'm stuck with the dreaded "reset required" message. How did you solve that?

Thanks!

Tom

From pengle at rice.edu Tue Jul 25 21:47:25 2006
From: pengle at rice.edu (Paul Engle)
Date: Tue, 25 Jul 2006 16:47:25 -0500
Subject: [Fedora-directory-users] Question re: {KERBEROS} syntax

--On Tuesday, July 25, 2006 05:42:19 PM -0400 Tom Ryan wrote:
> That's what I ended up doing. Now I'm stuck with the dreaded "reset
> required" message. How did you solve that?
>
> Thanks!
>
> Tom

I'm not familiar with that message.
I don't recall having any issues. I wasn't trying to add it to a live server, though. I was working on a development machine and was able to yank the DS up and down with impunity.

--
Paul D. Engle             | Rice University
Sr. Systems Administrator | Information Technology - MS119
(713) 348-4702            | P.O. Box 1892
pengle at rice.edu        | Houston, TX 77251-1892

From tomryan at camlaw.rutgers.edu Tue Jul 25 21:49:51 2006
From: tomryan at camlaw.rutgers.edu (Tom Ryan)
Date: Tue, 25 Jul 2006 17:49:51 -0400
Subject: [Fedora-directory-users] Question re: {KERBEROS} syntax

On 7/25/06 5:47 PM, "Paul Engle" wrote:
> I'm not familiar with that message. I don't recall having any issues. I
> wasn't trying to add it to a live server, though. I was working on a
> development machine and was able to yank the DS up and down with impunity.

In this message, http://www.redhat.com/archives/fedora-directory-users/2006-May/msg00081.html

you noted you had the same error (reset required) when simple binding at first.

Tom

From rmeggins at redhat.com Tue Jul 25 21:52:30 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 25 Jul 2006 15:52:30 -0600
Subject: [Fedora-directory-users] Question re: {KERBEROS} syntax
Message-ID: <44C6929E.4040108@redhat.com>

Tom Ryan wrote:
> On 7/25/06 5:06 PM, "Richard Megginson" wrote:
> > Tom Ryan wrote:
> > > Also, is there a reason this (the pam_passthru) module is not
> > > distributed in the rpm?
> > It hasn't been fully tested yet, although it has been in production in
> > Red Hat for a few months now - it's how we do the same thing - simple
> > username/password auth against Kerberos.
>
> Last question, I promise...
> Where do I get 60pam-config.ldif?

/opt/fedora-ds/bin/slapd/install/schema

> Tom
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From rmeggins at redhat.com Tue Jul 25 22:07:06 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 25 Jul 2006 16:07:06 -0600
Subject: [Fedora-directory-users] PassSync sync password errors
In-Reply-To: <44C4FCAF.4040309@lbl.gov>
References: <44C4FCAF.4040309@lbl.gov>
Message-ID: <44C6960A.80800@redhat.com>

Jeff Gamsby wrote:
> I am testing out the PassSync program, but the FDS logs throw an error
> when trying to sync the passwords.
>
> Can anyone translate this for me please?
>
> [24/Jul/2006:09:48:15 -0700] NSMMReplicationPlugin - agmt="cn=FDS Sync" (fds:636): windows_replay_update: Looking at modify operation local dn="uid=user,ou=people,dc=ldap,dc=example,dc=com" (ours,user,not group)
> [24/Jul/2006:09:48:15 -0700] NSMMReplicationPlugin - agmt="cn=FDS Sync" (fds:636): windows_replay_update: Processing modify operation local dn="uid=user,ou=people,dc=ldap,dc=example,dc=com" remote dn=""
> [24/Jul/2006:09:48:15 -0700] NSMMReplicationPlugin - agmt="cn=FDS Sync" (fds:636): Received result code 32 (0000208D: NameErr: DSID-031001A8, problem 2001 (NO_OBJECT), data 0, best match of: '' ) for modify operation

Well, I'm not sure why, but it looks as though the entry dn="uid=user,ou=people,dc=ldap,dc=example,dc=com" remote dn="" was not found in AD. I don't know if AD has a log, but you might want to check there.
> [24/Jul/2006:09:48:15 -0700] NSMMReplicationPlugin - agmt="cn=FDS Sync" (fds:636): windows_replay_update: update password returned 1
> [24/Jul/2006:09:48:15 -0700] NSMMReplicationPlugin - agmt="cn=FDS Sync" (fds:636): Consumer failed to replay change (uniqueid bfad6881-1dd111b2-8033cdea-25db0000, CSN 44c4f9e7000000010000): No such object. Skipping.
> [24/Jul/2006:09:48:15 -0700] agmt="cn=FDS Sync" (fds:636) - load=1 rec=2 csn=44c4f9e7000100010000
> [24/Jul/2006:09:48:15 -0700] NSMMReplicationPlugin - agmt="cn=FDS Sync" (fds:636): windows_replay_update: Looking at modify operation local dn="uid=user,ou=people,dc=ldap,dc=example,dc=com" (ours,user,not group)
> [24/Jul/2006:09:48:15 -0700] NSMMReplicationPlugin - agmt="cn=FDS Sync" (fds:636): windows_replay_update: Processing modify operation local dn="uid=user,ou=people,dc=ldap,dc=example,dc=com" remote dn=""
> [24/Jul/2006:09:48:15 -0700] agmt="cn=FDS Sync" (fds:636) - clcache_load_buffer: rc=-30990
> [24/Jul/2006:09:48:15 -0700] NSMMReplicationPlugin - agmt="cn=FDS Sync" (fds:636): No more updates to send (cl5GetNextOperationToReplay)
>
> Thank you,
>
> Jeff G.

From tomryan at camlaw.rutgers.edu Tue Jul 25 22:53:46 2006
From: tomryan at camlaw.rutgers.edu (Tom Ryan)
Date: Tue, 25 Jul 2006 18:53:46 -0400
Subject: [Fedora-directory-users] Question re: {KERBEROS} syntax

On 7/25/06 5:49 PM, "Tom Ryan" wrote:
> On 7/25/06 5:47 PM, "Paul Engle" wrote:
>> I'm not familiar with that message. I don't recall having any issues. I
>> wasn't trying to add it to a live server, though.
>> I was working on a
>> development machine and was able to yank the DS up and down with impunity.
>
> In this message,
>
> http://www.redhat.com/archives/fedora-directory-users/2006-May/msg00081.html
>
> You noted you had the same error (reset required) when simple binding at
> first..

Argh.. Account required pam_krb5.so.. Sorry all, and thanks everyone who helped me this far!!

I am curious if it's possible to pass user at REALM.. Will need to play with that a bit more..

tom

From richip at richip.dhs.org Wed Jul 26 06:03:52 2006
From: richip at richip.dhs.org (Richi Plana)
Date: Wed, 26 Jul 2006 00:03:52 -0600
Subject: [Fedora-directory-users] Fedora Core 5 Blocking on Boot
Message-ID: <1153893833.2975.9.camel@richip.dhs.org>

Hi,

I recently set up fedora-ds and managed to configure several FC5 machines to authenticate and get user information from the LDAP server. Unfortunately, the laptop isn't always connected to the network so when it boots up, the process hangs when it tries to start the "message bus". I figure the process blocks when it tries to change UID to that of the dbus user. When the machine isn't connected to the network (i.e. no cable and wireless isn't available), the process just hangs.

Any suggestions on fixing this?

--
Richi Plana

From rmeggins at redhat.com Wed Jul 26 13:15:16 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 26 Jul 2006 07:15:16 -0600
Subject: [Fedora-directory-users] Fedora Core 5 Blocking on Boot
In-Reply-To: <1153893833.2975.9.camel@richip.dhs.org>
References: <1153893833.2975.9.camel@richip.dhs.org>
Message-ID: <44C76AE4.5030105@redhat.com>

Richi Plana wrote:
> Hi,
>
> I recently set up fedora-ds and managed to configure several FC5
> machines to authenticate and get user information from the LDAP server.
> Unfortunately, the laptop isn't always connected to the network so when
> it boots up, the process hangs when it tries to start the "message bus".
> I figure the process blocks when it tries to change UID to that of the
> dbus user. When the machine isn't connected to the network (i.e. no cable
> and wireless isn't available), the process just hangs.
>
> Any suggestions on fixing this?

Probably some /etc/nsswitch.conf logic will do the trick e.g.

passwd: ldap [NOTFOUND=return] files
shadow: ldap [NOTFOUND=return] files
group: ldap [NOTFOUND=return] files

And use /usr/sbin/useradd to add a local (i.e. non-ldap) dbus user.

From pengle at rice.edu Wed Jul 26 13:18:50 2006
From: pengle at rice.edu (Paul Engle)
Date: Wed, 26 Jul 2006 08:18:50 -0500
Subject: [Fedora-directory-users] Question re: {KERBEROS} syntax

*Blush* Okay, that's just plain embarrassing. That ended up being caused by having the 'auth' part in the pam configuration but no 'account' line for pam_krb5.so.

-paul

--On Tuesday, July 25, 2006 05:49:51 PM -0400 Tom Ryan wrote:
> On 7/25/06 5:47 PM, "Paul Engle" wrote:
>> I'm not familiar with that message. I don't recall having any issues. I
>> wasn't trying to add it to a live server, though. I was working on a
>> development machine and was able to yank the DS up and down with impunity.
>
> In this message,
>
> http://www.redhat.com/archives/fedora-directory-users/2006-May/msg00081.html
>
> You noted you had the same error (reset required) when simple binding at
> first..
>
> Tom

--
Paul D. Engle | Rice University
Sr. Systems Administrator | Information Technology - MS119
(713) 348-4702 | P.O.
Box 1892 pengle at rice.edu | Houston, TX 77251-1892

From tomryan at camlaw.rutgers.edu Wed Jul 26 15:20:58 2006
From: tomryan at camlaw.rutgers.edu (Tom Ryan)
Date: Wed, 26 Jul 2006 11:20:58 -0400
Subject: [Fedora-directory-users] Question re: {KERBEROS} syntax

It happens to all of us...

I am still having a couple of issues though (for everyone else listening :)

I changed pamMapMethod to Entry
I then set pamIDAttr to aliasedObjectName (out of laziness for now)

When I start the slapd with this, I get this..

pam_passthru-plugin - Warning: The following suffixes listed in pamExcludeSuffix or pamIncludeSuffix are not present in this server: o=NetscapeRoot

But, the admin server will still start just fine..

Regardless, the system does not appear to try to use the aliasedobjectname for the user to pass to pam.. (I have KRBPRINC at REALM.COM in aliasedobjectname)..

Any ideas?

Tom

Ps.. If I leave it as RDN, I get no error on startup about suffix and as long as my bind dn matches my krb princ in the default realm, it works.. So I'm halfway there?

On 7/26/06 9:18 AM, "Paul Engle" wrote:
> *Blush* Okay, that's just plain embarrassing. That ended up being caused
> by having the 'auth' part in the pam configuration but no 'account' line
> for pam_krb5.so.
>
> -paul
From tomryan at camlaw.rutgers.edu Wed Jul 26 15:32:11 2006
From: tomryan at camlaw.rutgers.edu (Tom Ryan)
Date: Wed, 26 Jul 2006 11:32:11 -0400
Subject: [Fedora-directory-users] Question re: {KERBEROS} syntax

Just as a followup, if the pam entries appear at the end of the dse.ldif file, the server starts without warning, but that's it.. Once stopped, the dse.ldif is rearranged, the pam entry moves up, and the error persists on subsequent starts..

Regardless, when I manually start it with the entry at the bottom of the ldif, I still can not get the system to use the aliasedobjectname instead of the rdn..

Tom

On 7/26/06 11:20 AM, "Tom Ryan" wrote:
> It happens to all of us...
>
> I am still having a couple of issues though (for everyone else listening :)
>
> I changed pamMapMethod to Entry
> I then set pamIDAttr to aliasedObjectName (out of laziness for now)
>
> When I start the slapd with this, I get this..
> pam_passthru-plugin - Warning: The following suffixes listed in
> pamExcludeSuffix or pamIncludeSuffix are not present in this server:
> o=NetscapeRoot
>
> But, the admin server will still start just fine..
>
> Regardless, the system does not appear to try to use the aliasedobjectname for
> the user to pass to pam.. (I have KRBPRINC at REALM.COM in aliasedobjectname)..
>
> Any ideas?
>
> Tom
>
> Ps.. If I leave it as RDN, I get no error on startup about suffix and as long
> as my bind dn matches my krb princ in the default realm, it works.. So I'm
> halfway there?

From elebsack at mitre.org Wed Jul 26 15:43:48 2006
From: elebsack at mitre.org (Lebsack, Eliot)
Date: Wed, 26 Jul 2006 11:43:48 -0400
Subject: [Fedora-directory-users] Password Policy enforcement mechanism question
Message-ID: <3DD2072FFE53004EA1A74D7E483D43157CBFF4@IMCSRV2.MITRE.ORG>

Good morning.

I have been playing with FDS 1.0.2 for some time, and have been successful in getting the Directory Server to enforce password policy by toggling the "nsslapd-pwpolicy-local" flag to "on", then establishing a local policy for my "ou=People" subtree.

This enforcement appears to work only when I change the password for a user through the Fedora Management Console interface when I'm logged in as the Directory Manager (cn=Directory Manager).

When I attempt to change the "userPassword" attribute for my test user via perl's Net::LDAP library using the smbldap-tools scripts (smbldap-passwd), smbldap-passwd takes the cleartext of the new password, and hashes it using SSHA. This hashed text (ciphertext) is then used to replace the "userPassword" attribute for the user in a subsequent LDAP bind operation. This process effectively bypasses the password policy defined for the user's subtree.
Is there a way (through Perl or Java) to supply the cleartext to the server through SSL/TLS, and have it apply the password policy on the cleartext before the server hashes the cleartext?

Regards,

Eliot

======================================
Eliot Lebsack
Lead Communications Engineer
The MITRE Corporation
Bedford, MA

From rmeggins at redhat.com Wed Jul 26 15:59:28 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 26 Jul 2006 09:59:28 -0600
Subject: [Fedora-directory-users] Question re: {KERBEROS} syntax
Message-ID: <44C79160.9070806@redhat.com>

Tom Ryan wrote:
> It happens to all of us...
>
> I am still having a couple of issues though (for everyone else
> listening :)
>
> I changed pamMapMethod to Entry
> I then set pamIDAttr to aliasedObjectName (out of laziness for now)
>
> When I start the slapd with this, I get this..
>
> pam_passthru-plugin - Warning: The following suffixes listed in
> pamExcludeSuffix or pamIncludeSuffix are not present in this server:
> o=NetscapeRoot
>
> But, the admin server will still start just fine..

The warning is just for your information, for debugging the set up, if you accidentally set an incorrect suffix. If you don't have the o=NetscapeRoot suffix on this server, or if you don't want to do pam passthru on that suffix, you can either omit it from the include/exclude list, or set the attribute pamMissingSuffix in the pam plugin entry to "IGNORE".

> Regardless, the system does not appear to try to use the
> aliasedobjectname for the user to pass to pam.. (I have
> KRBPRINC at REALM.COM in aliasedobjectname)..

Any errors in the errors log? Does it work any better if your krbprinc name is all lower case and the realm is all upper case e.g. krbprinc at REALM.COM?

> Any ideas?
>
> Tom
>
> Ps..
> If I leave it as RDN, I get no error on startup about suffix and
> as long as my bind dn matches my krb princ in the default realm, it
> works.. So I'm halfway there?
>
> On 7/26/06 9:18 AM, "Paul Engle" wrote:
>> *Blush* Okay, that's just plain embarrassing. That ended up being
>> caused by having the 'auth' part in the pam configuration but no
>> 'account' line for pam_krb5.so.
>>
>> -paul
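Coming back to Eliot Lebsack's password-policy question earlier in this digest: the added example below (not code from the thread or from Fedora DS) models why a client that hashes the password itself, as smbldap-passwd does with SSHA, sidesteps a policy that can only be evaluated on cleartext, and shows the server-side decision an administrator would want instead: refuse scheme-tagged userPassword values from ordinary binds, run policy on the cleartext, and hash on the server. The policy rules and the Directory Manager exception are constructed stand-ins, not the server's actual attribute set.

```python
import base64
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple

# Added example, not code from the thread or from Fedora DS. It models the
# situation Eliot describes: the client hashes the new password and replaces
# userPassword with the {SSHA} digest, so the server never sees the cleartext
# that its password policy would have to be applied to.

# RFC 2307 userPassword values carry the storage scheme as a {SCHEME} prefix.
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}")


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA} as smbldap-passwd produces it: base64(sha1(pw + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, password: str) -> bool:
    """Recompute the digest with the salt carried inside the stored value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, salt follows
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def storage_scheme(value: str) -> Optional[str]:
    """Return the {SCHEME} tag of a userPassword value, or None for cleartext.
    A cleartext password that itself starts with '{word}' is indistinguishable
    from a tagged value; that ambiguity is inherent in the RFC 2307 format."""
    m = SCHEME_RE.match(value)
    return m.group(1).upper() if m else None


def check_policy(uid: str, cleartext: str, min_length: int = 8) -> List[str]:
    """Stand-in for the checks a local password policy makes on cleartext.
    Constructed rules for illustration, not the Fedora DS policy attributes."""
    problems = []
    if len(cleartext) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if cleartext.lower() == uid.lower():
        problems.append("equals the uid")
    return problems


def server_modify_userpassword(uid: str, value: str,
                               binder_is_dirmgr: bool) -> Tuple[str, Optional[str]]:
    """Decide what the server should do with a userPassword replace.

    Returns (decision, value_to_store). Policy can only run on cleartext, so a
    pre-hashed value arriving on an ordinary bind is refused rather than stored
    unchecked; Directory Manager may still write hashes (migrations, restores),
    which matches what Eliot sees from the console as Directory Manager.
    """
    if storage_scheme(value) is not None:
        if binder_is_dirmgr:
            return "accepted-prehashed", value
        return "rejected-prehashed", None
    problems = check_policy(uid, value)
    if problems:
        return "rejected-policy: " + "; ".join(problems), None
    return "accepted", ssha_hash(value)  # policy passed; hash server-side


if __name__ == "__main__":
    # Constructed demo: the smbldap-passwd path vs. sending the cleartext.
    for who, val in [("user", ssha_hash("short")), ("user", "short"),
                     ("user", "correct horse battery")]:
        print(who, repr(val[:12]), "->", server_modify_userpassword(who, val, False)[0])
```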
From tomryan at camlaw.rutgers.edu Wed Jul 26 16:15:33 2006
From: tomryan at camlaw.rutgers.edu (Tom Ryan)
Date: Wed, 26 Jul 2006 12:15:33 -0400
Subject: [Fedora-directory-users] Question re: {KERBEROS} syntax
In-Reply-To: <44C79160.9070806@redhat.com>

On 7/26/06 11:59 AM, "Richard Megginson" wrote:
>> Regardless, the system does not appear to try to use the
>> aliasedobjectname for the user to pass to pam.. (I have
>> KRBPRINC at REALM.COM in aliasedobjectname)..
> Any errors in the errors log? Does it work any better if your krbprinc
> name is all lower case and the realm is all upper case e.g.
> krbprinc at REALM.COM?

Our princs are very odd.. But there's no error, even if I have it set to ENTRY, it still does the default RDN..

Tom

From rmeggins at redhat.com Wed Jul 26 16:31:24 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 26 Jul 2006 10:31:24 -0600
Subject: [Fedora-directory-users] Question re: {KERBEROS} syntax
Message-ID: <44C798DC.80600@redhat.com>

Tom Ryan wrote:
> On 7/26/06 11:59 AM, "Richard Megginson" wrote:
>>> Regardless, the system does not appear to try to use the
>>> aliasedobjectname for the user to pass to pam.. (I have
>>> KRBPRINC at REALM.COM in aliasedobjectname)..
>> Any errors in the errors log? Does it work any better if your krbprinc
>> name is all lower case and the realm is all upper case e.g.
>> krbprinc at REALM.COM?
>
> Our princs are very odd.. But there's no error, even if I have it set
> to ENTRY, it still does the default RDN..

Hmm - Try restarting the server. If that doesn't fix it, post your pam passthru config entry and your pam config (e.g. /etc/pam.d/ldapserver).
> Tom

From tomryan at camlaw.rutgers.edu Wed Jul 26 18:21:12 2006
From: tomryan at camlaw.rutgers.edu (Tom Ryan)
Date: Wed, 26 Jul 2006 14:21:12 -0400
Subject: [Fedora-directory-users] Question re: {KERBEROS} syntax
In-Reply-To: <44C798DC.80600@redhat.com>

On 7/26/06 12:31 PM, "Richard Megginson" wrote:
> Hmm - Try restarting the server. If that doesn't fix it, post your pam
> passthru config entry and your pam config (e.g. /etc/pam.d/ldapserver).

I have already restarted the server multiple times..

Here's the info..

cat /etc/pam.d/ldapserver

auth sufficient /lib/security/pam_krb5.so no_user_check
account required /lib/security/pam_krb5.so no_user_check

And in dse.ldif

dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
objectClass: pamConfig
cn: PAM Pass Through Auth
nsslapd-pluginPath: /opt/fedora-ds/lib/pam-passthru-plugin.so
nsslapd-pluginInitfunc: pam_passthruauth_init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-pluginloadglobal: true
nsslapd-plugin-depends-on-type: database
pamMissingSuffix: ALLOW
pamExcludeSuffix: o=NetscapeRoot
pamExcludeSuffix: cn=config
pamMapMethod: ENTRY
pamFallback: 0
pamSecure: 1
pamService: ldapserver
nsslapd-pluginId: pam_passthruauth
nsslapd-pluginVersion: 1.0.2
nsslapd-pluginVendor: Fedora Project
nsslapd-pluginDescription: PAM pass through authentication plugin
pamIDAttr: aliasedObjectName
modifiersName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
modifyTimestamp: 20060726142549Z
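The plugin entry Tom posted can be checked mechanically. This added example (not code from the thread or from the pam_passthru plugin) parses the entry as LDIF, unfolding the wrapped modifiersName value, and flags attribute names the plugin does not read, which is exactly how the pamMapMethod/pamIDMapMethod mix-up that Richard identifies later in the thread would surface; the attribute set is the one used in this thread, the pamSecure and pamService checks are the reviewer's own, and the sample entry is Tom's as posted.

```python
import difflib
from typing import Dict, List

# Added example, not code from the thread or from the pam_passthru plugin.
# Attribute names the plugin reads, as used in this thread; pamIDMapMethod
# is the spelling Richard says the plugin actually looks for.
PAM_ATTRS = sorted({
    "pammissingsuffix", "pamexcludesuffix", "pamincludesuffix",
    "pamidmapmethod", "pamidattr", "pamfallback", "pamsecure", "pamservice",
})

# Tom's entry as posted (sample input). The modifiersName value is folded
# across two lines with a leading space, as LDIF does for long values.
SAMPLE_ENTRY = """\
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
objectClass: pamConfig
cn: PAM Pass Through Auth
nsslapd-pluginPath: /opt/fedora-ds/lib/pam-passthru-plugin.so
nsslapd-pluginInitfunc: pam_passthruauth_init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
pamMissingSuffix: ALLOW
pamExcludeSuffix: o=NetscapeRoot
pamExcludeSuffix: cn=config
pamMapMethod: ENTRY
pamFallback: 0
pamSecure: 1
pamService: ldapserver
pamIDAttr: aliasedObjectName
modifiersName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoo
 t
modifyTimestamp: 20060726142549Z
"""


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into {lowercased attribute: [values]}.
    Handles RFC 2849 folding (a line starting with one space continues the
    previous line); base64 '::' values are not needed for this entry."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        elif raw.strip():
            unfolded.append(raw)
    entry: Dict[str, List[str]] = {}
    for line in unfolded:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an attribute line: {line!r}")
        # LDAP attribute names are case-insensitive, so normalise them.
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def lint_pam_passthru(entry: Dict[str, List[str]]) -> List[str]:
    """Return findings for a pam_passthru plugin entry (empty list if clean)."""
    findings: List[str] = []
    for name in entry:
        if name.startswith("pam") and name not in PAM_ATTRS:
            guess = difflib.get_close_matches(name, PAM_ATTRS, n=1, cutoff=0.6)
            hint = f" (did you mean {guess[0]}?)" if guess else ""
            findings.append(f"unknown attribute {name}{hint}: the plugin ignores it")
    # Without pamIDMapMethod the plugin falls back to RDN, which is the
    # behaviour Tom observed while pamMapMethod was silently ignored.
    method = entry.get("pamidmapmethod", ["RDN"])[0].upper()
    if method == "ENTRY" and "pamidattr" not in entry:
        findings.append("pamIDMapMethod ENTRY requires pamIDAttr")
    if entry.get("pamsecure", [""])[0] != "1":
        findings.append("pamSecure should be 1 so the bind password only "
                        "reaches PAM over a TLS connection")
    if not entry.get("pamservice", [""])[0]:
        findings.append("pamService is empty: no /etc/pam.d stack is selected")
    return findings


def lint_sample() -> List[str]:
    return lint_pam_passthru(parse_ldif_entry(SAMPLE_ENTRY))


if __name__ == "__main__":
    for finding in lint_sample():
        print("-", finding)
```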
From brian.smith at worldpub.net Wed Jul 26 19:39:45 2006
From: brian.smith at worldpub.net (brian)
Date: Wed, 26 Jul 2006 15:39:45 -0400
Subject: [Fedora-directory-users] passync log entries
Message-ID: <1153942786.20013.1.camel@localhost.localdomain>

What do these messages mean in the passync log? The service starts up and I see 1 successful auth on the directory server but all I get is this in the passync log:

07/26/06 14:19:10: PassSync service started
07/26/06 14:19:10: Failed to load entries from file
07/26/06 14:19:12: Password list is empty. Waiting for passhook event

If I change a password or add a user, nothing happens.

Thanks in advance

Brian

From tomryan at camlaw.rutgers.edu Wed Jul 26 20:31:11 2006
From: tomryan at camlaw.rutgers.edu (Tom Ryan)
Date: Wed, 26 Jul 2006 16:31:11 -0400
Subject: [Fedora-directory-users] Dos issue in fedora directory server

I have noticed that I can crash fds remotely pretty easily.. I have pam_passthru setup (obvious to those reading my recent emails)..

Anyway, if I run the following from a remote system

Ldapsearch -x uid=anything -H ldaps://fds-server -x -W -D uid=+

And enter anything for a password, it goes away..
Here's a strace of the pid

poll([{fd=22, events=POLLIN}, {fd=6, events=POLLIN}, {fd=7, events=POLLIN}], 3, 250) = 0
gettimeofday({1153945615, 879597}, NULL) = 0
poll([{fd=22, events=POLLIN}, {fd=6, events=POLLIN}, {fd=7, events=POLLIN, revents=POLLIN}], 3, 250) = 1
accept(7, {sa_family=AF_INET6, sin6_port=htons(51128), inet_pton(AF_INET6, "::ffff:CLIENTIP", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, [28]) = 24
fcntl64(24, F_GETFL) = 0x2 (flags O_RDWR)
fcntl64(24, F_SETFL, O_RDWR|O_NONBLOCK) = 0
brk(0x88cf000) = 0x88cf000
fcntl64(24, F_DUPFD, 64) = 64
close(24) = 0
setsockopt(64, SOL_TCP, TCP_NODELAY, [0], 4) = 0
getsockname(64, {sa_family=AF_INET6, sin6_port=htons(636), inet_pton(AF_INET6, "::ffff:FDSSERVERIP", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, [28]) = 0
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1267, ...}) = 0
getpeername(7, 0xbfecf5c0, [108]) = -1 ENOTCONN (Transport endpoint is not connected)
gettimeofday({1153945615, 974890}, NULL) = 0
poll([{fd=22, events=POLLIN}, {fd=6, events=POLLIN}, {fd=7, events=POLLIN}, {fd=64, events=POLLIN, revents=POLLIN}], 4, 250) = 1
futex(0x8613a78, FUTEX_WAKE, 1) = 1
getpeername(7, 0xbfecf5c0, [108]) = -1 ENOTCONN (Transport endpoint is not connected)
gettimeofday({1153945615, 978689}, NULL) = 0
poll([{fd=22, events=POLLIN, revents=POLLIN}, {fd=6, events=POLLIN}, {fd=7, events=POLLIN}], 3, 250) = 1
read(22, "\0", 200) = 1
getpeername(7, 0xbfecf5c0, [108]) = -1 ENOTCONN (Transport endpoint is not connected)
gettimeofday({1153945615, 992926}, NULL) = 0
poll([{fd=22, events=POLLIN}, {fd=6, events=POLLIN}, {fd=7, events=POLLIN}, {fd=64, events=POLLIN}], 4, 250) = -1 EINTR (Interrupted system call)
+++ killed by SIGSEGV +++
Process 20095 detached

Bummer..
From nkinder at redhat.com Wed Jul 26 21:01:53 2006
From: nkinder at redhat.com (Nathan Kinder)
Date: Wed, 26 Jul 2006 14:01:53 -0700
Subject: [Fedora-directory-users] passync log entries
In-Reply-To: <1153942786.20013.1.camel@localhost.localdomain>
References: <1153942786.20013.1.camel@localhost.localdomain>
Message-ID: <44C7D841.7020000@redhat.com>

brian wrote:
> What do these messages mean in the passync log? The service starts up
> and I see 1 successful auth on the directory server but all I get is
> this in the passync log:
>
> 07/26/06 14:19:10: PassSync service started
> 07/26/06 14:19:10: Failed to load entries from file
> 07/26/06 14:19:12: Password list is empty. Waiting for passhook event
>
> If I change a password or add a user, nothing happens.

Did you restart the windows box after installing PassSync.msi? You need to do this to have the passhook.dll plugin registered.

-NGK

From rmeggins at redhat.com Wed Jul 26 21:29:25 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 26 Jul 2006 15:29:25 -0600
Subject: [Fedora-directory-users] Question re: {KERBEROS} syntax
Message-ID: <44C7DEB5.60506@redhat.com>

Tom Ryan wrote:
> On 7/26/06 12:31 PM, "Richard Megginson" wrote:
>> Hmm - Try restarting the server. If that doesn't fix it, post your pam
>> passthru config entry and your pam config (e.g.
>> /etc/pam.d/ldapserver).
>
> I have already restarted the server multiple times..
>
> Here's the info..
> cat /etc/pam.d/ldapserver
>
> auth sufficient /lib/security/pam_krb5.so no_user_check
> account required /lib/security/pam_krb5.so no_user_check
>
> And in dse.ldif
>
> dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
> objectClass: top
> objectClass: nsSlapdPlugin
> objectClass: extensibleObject
> objectClass: pamConfig
> cn: PAM Pass Through Auth
> nsslapd-pluginPath: /opt/fedora-ds/lib/pam-passthru-plugin.so
> nsslapd-pluginInitfunc: pam_passthruauth_init
> nsslapd-pluginType: preoperation
> nsslapd-pluginEnabled: on
> nsslapd-pluginloadglobal: true
> nsslapd-plugin-depends-on-type: database
> pamMissingSuffix: ALLOW
> pamExcludeSuffix: o=NetscapeRoot
> pamExcludeSuffix: cn=config
> pamMapMethod: ENTRY

This should be pamIDMapMethod. The reason it always uses the RDN value is because that is the default if none is specified.

> pamFallback: 0
> pamSecure: 1
> pamService: ldapserver
> nsslapd-pluginId: pam_passthruauth
> nsslapd-pluginVersion: 1.0.2
> nsslapd-pluginVendor: Fedora Project
> nsslapd-pluginDescription: PAM pass through authentication plugin
> pamIDAttr: aliasedObjectName
> modifiersName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
> modifyTimestamp: 20060726142549Z
From tomryan at camlaw.rutgers.edu Wed Jul 26 21:41:29 2006
From: tomryan at camlaw.rutgers.edu (Tom Ryan)
Date: Wed, 26 Jul 2006 17:41:29 -0400
Subject: [Fedora-directory-users] Question re: {KERBEROS} syntax
In-Reply-To: <44C7DEB5.60506@redhat.com>

On 7/26/06 5:29 PM, "Richard Megginson" wrote:
>> pamMapMethod: ENTRY
> This should be pamIDMapMethod. The reason it always uses the RDN value
> is because that is the default if none is specified.

Sweet! I wasn't looking at the code, just the readme/etc which says pammapmethod

Regardless, if I use that, it doesn't start up now..

I tried adjusting the schema files to state pamidmapmethod instead.. I'm getting nothing.. :)

Tom

From rmeggins at redhat.com Wed Jul 26 22:42:42 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 26 Jul 2006 16:42:42 -0600
Subject: [Fedora-directory-users] Question re: {KERBEROS} syntax
Message-ID: <44C7EFE2.6080902@redhat.com>

Tom Ryan wrote:
> On 7/26/06 5:29 PM, "Richard Megginson" wrote:
>>> pamMapMethod: ENTRY
>> This should be pamIDMapMethod. The reason it always uses the RDN value
>> is because that is the default if none is specified.
>
> Sweet! I wasn't looking at the code, just the readme/etc which says
> pammapmethod
>
> Regardless, if I use that, it doesn't start up now..
>
> I tried adjusting the schema files to state pamidmapmethod instead..
> I'm getting nothing..

Congratulations - you are the first tester of the ENTRY method! :-)

I've made some fixes to pam_ptconfig.c - try the attached file.
> :)
>
> Tom

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pam_ptconfig.c
Type: text/x-csrc
Size: 18129 bytes
Desc: not available

From Justin.Crawford at cusys.edu Wed Jul 26 23:25:48 2006
From: Justin.Crawford at cusys.edu (Justin Crawford)
Date: Wed, 26 Jul 2006 17:25:48 -0600
Subject: [Fedora-directory-users] Plugin configuration
Message-ID: <7315857F21D51B449CC55ADE3A5683182BFC97@ex2k3.ad.cusys.edu>

Howdy-

We use P-synch, a password synchronization tool. It has a plugin that works on Netscape and Sun LDAP servers, so I'm hoping it'll work with Fedora, and I'm testing that now. I have configured the plugin in dse.ldif as specified by the vendor (and as it has worked on SunOne). When I try to start the directory instance, I get an error right away:

$ sudo ./start-slapd
[26/Jul/2006:17:27:19 -0600] - Netscape Portable Runtime error -5977: /opt/fedora-ds/lib/passwdop.nsldap.linux.x86: cannot open shared object file: No such file or directory
[26/Jul/2006:17:27:19 -0600] - Could not open library "/opt/fedora-ds/lib/passwdop.nsldap.linux.x86" for plugin Psynch Check Password
[26/Jul/2006:17:27:19 -0600] - Unable to load plugin "cn=Psynch Check Password,cn=plugins,cn=config"

But the file is there, and it's real accessible:

$ ls -l /opt/fedora-ds/lib/passwdop.nsldap.linux.x86
-rwxrwxrwx 1 ldap ldap 87127 Jul 26 17:25 /opt/fedora-ds/lib/passwdop.nsldap.linux.x86

So I'm trying to figure out what might cause this.

1. It's a 64-bit linux box, but the plugin binary is 32-bit? (I'd expect a different error)
2.
The plugin is not working with the directory software? (I'd expect a different error)
3. There is a secret about installing Fedora plugins that my experience with SunOne hasn't taught me?
4. ??

Anyone have any great ideas?

Thanks.

Justin

From rmeggins at redhat.com Wed Jul 26 23:43:58 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 26 Jul 2006 17:43:58 -0600
Subject: [Fedora-directory-users] Plugin configuration
In-Reply-To: <7315857F21D51B449CC55ADE3A5683182BFC97@ex2k3.ad.cusys.edu>
References: <7315857F21D51B449CC55ADE3A5683182BFC97@ex2k3.ad.cusys.edu>
Message-ID: <44C7FE3E.6070504@redhat.com>

Justin Crawford wrote:
> So I'm trying to figure out what might cause this.
>
> 1. It's a 64-bit linux box, but the plugin binary is 32-bit? (I'd expect a different error)

No, you might get that. "cannot open shared object file: No such file or directory" can also mean one of the library dependencies e.g.
try ldd /opt/fedora-ds/lib/passwdop.nsldap.linux.x86 You can edit the start-slapd script to add whatever other paths. But it may be that the 64-bit slapd won't load the 32-bit plugin. Do they have a 64-bit version? > 2. The plugin is not working with the directory software? (I'd expect a different error) > 3. There is a secret about installing Fedora plugins that my experience with SunOne hasn't taught me? > No. > 4. ?? > > Anyone have any great ideas? > > Thanks. > > Justin > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From tomryan at camlaw.rutgers.edu Thu Jul 27 01:58:47 2006 From: tomryan at camlaw.rutgers.edu (Tom Ryan) Date: Wed, 26 Jul 2006 21:58:47 -0400 Subject: [Fedora-directory-users] Question re: {KERBEROS} syntax References: <44C7EFE2.6080902@redhat.com> Message-ID: <54412B5439B52948B0EFFF85D23F91640102AF54@exchange.camexch-ad.rutgers.edu> > Congratulations - you are the first tester of the ENTRY method! :-) > I've made some fixes to pam_ptconfig.c - try the attached file. well, it starts now :) but then.. allow_operation: component identity is NULL pam_passthru-plugin - Could not find BIND dn uid=VALUE (error 32 - No such object) for testing, i'm using pamIDAttr: uid pamIDMapMethod: ENTRY so closer.. Tom -------------- next part -------------- A non-text attachment was scrubbed... 
Name: winmail.dat Type: application/ms-tnef Size: 2900 bytes Desc: not available URL: From rmeggins at redhat.com Thu Jul 27 13:16:04 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Thu, 27 Jul 2006 07:16:04 -0600 Subject: [Fedora-directory-users] Question re: {KERBEROS} syntax In-Reply-To: <54412B5439B52948B0EFFF85D23F91640102AF54@exchange.camexch-ad.rutgers.edu> References: <44C7EFE2.6080902@redhat.com> <54412B5439B52948B0EFFF85D23F91640102AF54@exchange.camexch-ad.rutgers.edu> Message-ID: <44C8BC94.1050104@redhat.com> Tom Ryan wrote: >> Congratulations - you are the first tester of the ENTRY method! :-) >> I've made some fixes to pam_ptconfig.c - try the attached file. >> > > well, it starts now :) > > but then.. > > allow_operation: component identity is NULL > pam_passthru-plugin - Could not find BIND dn uid=VALUE (error 32 - No such object) > This says your bind DN is uid=VALUE - was that supposed to be uid=VALUE, ou=people, dc=domain, dc=tld? > > for testing, i'm using > > pamIDAttr: uid > pamIDMapMethod: ENTRY > > so closer.. > > Tom > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From tomryan at camlaw.rutgers.edu Thu Jul 27 13:58:49 2006 From: tomryan at camlaw.rutgers.edu (Tom Ryan) Date: Thu, 27 Jul 2006 09:58:49 -0400 Subject: [Fedora-directory-users] Question re: {KERBEROS} syntax In-Reply-To: <44C8BC94.1050104@redhat.com> Message-ID: It makes no difference and regardless, it dies anyway.. Tom On 7/27/06 9:16 AM, "Richard Megginson" wrote: > Tom Ryan wrote: >>> >> Congratulations - you are the first tester of the ENTRY method! 
:-) >>> >> I've made some fixes to pam_ptconfig.c - try the attached file. >>> >> >> > >> > well, it starts now :) >> > >> > but then.. >> > >> > allow_operation: component identity is NULL >> > pam_passthru-plugin - Could not find BIND dn uid=VALUE (error 32 - No such >> object) >> > > This says your bind DN is uid=VALUE - was that supposed to be uid=VALUE, > ou=people, dc=domain, dc=tld? >> > >> > for testing, i'm using >> > >> > pamIDAttr: uid >> > pamIDMapMethod: ENTRY >> > >> > so closer.. >> > >> > Tom >> > >> > ------------------------------------------------------------------------ >> > >> > -- >> > Fedora-directory-users mailing list >> > Fedora-directory-users at redhat.com >> > https://www.redhat.com/mailman/listinfo/fedora-directory-users >> > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- An HTML attachment was scrubbed... URL: From rmeggins at redhat.com Thu Jul 27 14:04:57 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Thu, 27 Jul 2006 08:04:57 -0600 Subject: [Fedora-directory-users] Question re: {KERBEROS} syntax In-Reply-To: References: Message-ID: <44C8C809.3060705@redhat.com> Tom Ryan wrote: > It makes no difference and regardless, it dies anyway.. So if you specify the full DN, you get this error: > pam_passthru-plugin - Could not find BIND dn (error 32 - No such object) And the server still core dumps? > > Tom > > > On 7/27/06 9:16 AM, "Richard Megginson" wrote: > > Tom Ryan wrote: > >> Congratulations - you are the first tester of the ENTRY method! :-) > >> I've made some fixes to pam_ptconfig.c - try the attached file. > >> > > > > well, it starts now :) > > > > but then.. 
> > > > allow_operation: component identity is NULL > > pam_passthru-plugin - Could not find BIND dn uid=VALUE (error 32 > - No such object) > > > This says your bind DN is uid=VALUE - was that supposed to be > uid=VALUE, > ou=people, dc=domain, dc=tld? > > > > for testing, i'm using > > > > pamIDAttr: uid > > pamIDMapMethod: ENTRY > > > > so closer.. > > > > Tom > > > > ------------------------------------------------------------------------ > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > ------------------------------------------------------------------------ > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From tomryan at camlaw.rutgers.edu Thu Jul 27 14:04:43 2006 From: tomryan at camlaw.rutgers.edu (Tom Ryan) Date: Thu, 27 Jul 2006 10:04:43 -0400 Subject: [Fedora-directory-users] Question re: {KERBEROS} syntax In-Reply-To: <44C8C809.3060705@redhat.com> Message-ID: On 7/27/06 10:04 AM, "Richard Megginson" wrote: > Tom Ryan wrote: >> > It makes no difference and regardless, it dies anyway.. > So if you specify the full DN, you get this error: >> > pam_passthru-plugin - Could not find BIND dn (error 32 - No > such object) > > And the server still core dumps? > > yep, and stracing the pid reveals nothing obvious to me.. 
From alex-saf at archit.vrn.ru Thu Jul 27 11:41:40 2006
From: alex-saf at archit.vrn.ru (Safonov Alexey)
Date: Thu, 27 Jul 2006 15:41:40 +0400
Subject: [Fedora-directory-users] Error at work of the utility ldapsearch.
Message-ID:

Hi !

I ask for help to solve a problem with the utility ldapsearch.

There is a problem carrying out synchronization between FDS and AD. I have done the following:

1) Install FDS
2) Configuring SSL Enabled FDS. For this purpose I started the script setupssl.sh (http://directory.fedora.redhat.com/download/setupssl.sh) from the HOWTO "Howto:SSL" (http://directory.fedora.redhat.com/wiki/Howto:SSL)
3) Restart FDS.
   netstat -atupn | grep ns-
   tcp 0 0 :::389 :::* LISTEN 6039/ns-slapd
   tcp 0 0 :::636 :::* LISTEN 6039/ns-slapd
4) Enable SSL on AD.
   Install Certificate Service
   Check util ldp.exe:
   Connected param: Server - srv-vm1.mup-example.vrn.ru
   Port - 636
   Checkbox "SSL"
   ld = ldap_sslinit("srv-vm1.mup-example.vrn.ru", 636, 1);
   Error <0x0> = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, LDAP_VERSION3);
   Error <0x0> = ldap_connect(hLdap, NULL);
   Error <0x0> = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
   Host supports SSL, SSL cipher strength = 128 bits
   Established connection to srv-vm1.mup-example.vrn.ru.
   Retrieving base DSA information...
   .....
5) Import AD CA certificate in DER mode.
6) Copy, convert (PEM) and install AD CA certificate in FDS. Check:
   [root at asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L -d . -P slapd-asterisk1-
   CA certificate CTu,u,u
   server-cert u,u,u
   Server-Cert u,u,u
   ad-cert CT,C,C <- install this
7) [root at asterisk1 alias]# ldapsearch -Z -P /opt/fedora-ds/alias/slapd-asterisk1-cert8.db -h rv-vm1.mup-example.vrn.ru -p 636 -D "cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w secret01 -s base -b "dc=mup-example,dc=vrn,dc=ru" "objectclass=*"
   Error:
   ldapsearch: unabel to parse protocol version "/opt/fedora-ds/alias/slapd-asterisk1-cert8.db"

Help me!
Thanks

------------------------------------------------------
My Setup:

Fedora Core 5 (i386)
Fedora Directory Server 1.0.2
Windows 2003 Server (DC - srv-vm1.mup-example.vrn.ru)
------------------------------------------------------

From rmeggins at redhat.com Thu Jul 27 15:35:57 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 27 Jul 2006 09:35:57 -0600
Subject: [Fedora-directory-users] Error at work of the utility ldapsearch.
In-Reply-To:
References:
Message-ID: <44C8DD5D.7010901@redhat.com>

Safonov Alexey wrote:
> 6) [root at asterisk1 alias]# ldapsearch -Z -P
> /opt/fedora-ds/alias/slapd-asterisk1-cert8.db -h
> rv-vm1.mup-example.vrn.ru -p 636 -D
> "cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w secret01 -s
> base -b "dc=mup-example,dc=vrn,dc=ru" "objectclass=*"
>
That's /usr/bin/ldapsearch, which is openldap ldapsearch, which uses openssl for crypto, which is completely different than NSS. You need to use the ldapsearch in /opt/fedora-ds/shared/bin e.g.

cd /opt/fedora-ds/shared/bin ; ./ldapsearch ....

> Error:
> ldapsearch: unabel to parse protocol version
> "/opt/fedora-ds/alias/slapd-asterisk1-cert8.db"
>
> Help me!
> Thanks

From nkinder at redhat.com Thu Jul 27 15:52:40 2006
From: nkinder at redhat.com (Nathan Kinder)
Date: Thu, 27 Jul 2006 08:52:40 -0700
Subject: [Fedora-directory-users] SNMP monitoring
In-Reply-To: <9C0091F428E697439E7A773FFD083427025F3C@szexchange.Shopzilla.inc>
References: <9C0091F428E697439E7A773FFD083427025F3C@szexchange.Shopzilla.inc>
Message-ID: <44C8E148.6090102@redhat.com>

Philip Kime wrote:
> My knowledge of SNMP is only fair, bear with me ...
>
> I've set up the subagent for SNMP monitoring and can snmpwalk the rhds
> stuff, with the output below. I have a few questions though:
>
> 1. what is the ".389" suffix on the variables? Looks like the port
> number of the server?
Yes, this is the port number. It is used as an index to identify which server instance you are looking at.

> 2. If I query the DS, none of the counters change?
The dsInOps counter should be increasing, as should dsSearchOps. I believe that the refresh interval for the counters is 5 seconds.

> 3. The dsIntTable part of the MIB has no entries (I tried with
> snmptable) - how does this get populated?
This table is not implemented at this time.

> 4. Do I need to do anything to "enable" SNMP on the servers? The
> checkbox mentioned in the docs doesn't exist but dse.ldif does have
> "nsSNMPEnabled: on"
No, nothing is required to enable SNMP on the server. That checkbox was unnecessary, and was removed from the UI. The documentation needs to be updated accordingly.

-NGK

>
> RHDS-MIB::dsAnonymousBinds.389 = Counter32: 0
> RHDS-MIB::dsUnAuthBinds.389 = Counter32: 0
> RHDS-MIB::dsSimpleAuthBinds.389 = Counter32: 21
> RHDS-MIB::dsStrongAuthBinds.389 = Counter32: 0
> RHDS-MIB::dsBindSecurityErrors.389 = Counter32: 0
> RHDS-MIB::dsInOps.389 = Counter32: 306
> RHDS-MIB::dsReadOps.389 = Counter32: 0
> RHDS-MIB::dsCompareOps.389 = Counter32: 0
> RHDS-MIB::dsAddEntryOps.389 = Counter32: 0
> RHDS-MIB::dsRemoveEntryOps.389 = Counter32: 0
> RHDS-MIB::dsModifyEntryOps.389 = Counter32: 53
> RHDS-MIB::dsModifyRDNOps.389 = Counter32: 0
> RHDS-MIB::dsListOps.389 = Counter32: 0
> RHDS-MIB::dsSearchOps.389 = Counter32: 81
> RHDS-MIB::dsOneLevelSearchOps.389 = Counter32: 6
> RHDS-MIB::dsWholeSubtreeSearchOps.389 = Counter32: 7
> RHDS-MIB::dsReferrals.389 = Counter32: 0
> RHDS-MIB::dsChainings.389 = Counter32: 0
> RHDS-MIB::dsSecurityErrors.389 = Counter32: 0
> RHDS-MIB::dsErrors.389 = Counter32: 72
> RHDS-MIB::dsMasterEntries.389 = Gauge32: 0
> RHDS-MIB::dsCopyEntries.389 = Gauge32: 0
> RHDS-MIB::dsCacheEntries.389 = Gauge32: 0
> RHDS-MIB::dsCacheHits.389 = Counter32: 0
> RHDS-MIB::dsSlaveHits.389 = Counter32: 0
>
> --
> Philip Kime
> NOPS Systems Architect
> 310 401 0407

From nkinder at redhat.com Thu Jul 27 15:57:35 2006
From: nkinder at redhat.com (Nathan Kinder)
Date: Thu, 27 Jul 2006 08:57:35 -0700
Subject: [Fedora-directory-users] SNMP monitoring issues
In-Reply-To: <9C0091F428E697439E7A773FFD083427025F38@szexchange.Shopzilla.inc>
References: <9C0091F428E697439E7A773FFD083427025F38@szexchange.Shopzilla.inc>
Message-ID: <44C8E26F.4060600@redhat.com>

Philip Kime wrote:
> The AgentX subagent config file is supposed to take a config line
>
> agentx-logdir
The correct configuration parameter is "agent-logdir". There is a typo in the documentation where it incorrectly refers to it as "agentx-logdir". I will get this updated in the documentation.

-NGK

>
> I have set this but the agent still logs to the same dir as the config
> file is in (which is the default location) - any ideas?
>
> --
> Philip Kime
> NOPS Systems Architect
> 310 401 0407

From alex-saf at archit.vrn.ru Thu Jul 27 16:12:13 2006
From: alex-saf at archit.vrn.ru (Safonov Alexey)
Date: Thu, 27 Jul 2006 20:12:13 +0400
Subject: [Fedora-directory-users] Error at work of the utility ldapsearch.
In-Reply-To: <44C8DD5D.7010901@redhat.com>
Message-ID:

Thanks Richard!

I had absolutely forgotten that the openldap-client is installed.

Safonov Alexey

From richip at richip.dhs.org Thu Jul 27 16:25:30 2006
From: richip at richip.dhs.org (Richi Plana)
Date: Thu, 27 Jul 2006 10:25:30 -0600
Subject: [Fedora-directory-users] Fedora Core 5 Blocking on Boot
In-Reply-To: <1153893833.2975.9.camel@richip.dhs.org>
References: <1153893833.2975.9.camel@richip.dhs.org>
Message-ID: <1154017530.2975.30.camel@richip.dhs.org>

Hi, All.

On Wed, 2006-07-26 at 00:03 -0600, Richi Plana wrote:
> I recently set up fedora-ds and managed to configure several FC5
> machines to authenticate and get user information from the LDAP server.
> Unfortunately, the laptop isn't always connected to the network so when
> it boots up, the process hangs when it tries to start the "message bus".
> I figure the process blocks when it tries to change UID to that of the
> dbus user. When the machine isn't connected to the network (ie. no cable
> and wireless isn't available), the process just hangs.
>
> Any suggestions on fixing this?

So I've implemented one fix. For some reason, even with /etc/nsswitch.conf configured as follows, FC5 systems still go to LDAP even if a user exists locally (dbus user exists in /etc/passwd):

/etc/nsswitch.conf:
...
passwd: files ldap
shadow: files ldap
group: files ldap
...

So the solution I applied was to edit /etc/ldap.conf and add the entry "bind_policy hard". This is supposed to make nss_ldap exit after failing a connection attempt (instead of the default infinite retries).

My problem now is that none of my DS users can log on to the newly-started machine. I thought that's what the "Cache User Information" option in system-config-authentication -> Account Information does, but it apparently doesn't. Is there a way to cache LDAP Authentication and Account information so that offline machines will allow logons from LDAP users? Kind of like how WinXP does?

--
Richi Plana

From Ian.Bishop at netoptions.com.au Fri Jul 28 12:13:04 2006
From: Ian.Bishop at netoptions.com.au (Ian Bishop)
Date: Fri, 28 Jul 2006 22:13:04 +1000
Subject: [Fedora-directory-users] LDAP and GDM
Message-ID: <08422C17320455488F792FCD66404BB370FB0C@bnesbexc01.datacom.com.au>

I've set up my Fedora box to authenticate SSH sessions off Fedora Directory, however I'm having some trouble getting X sessions to authenticate. I searched on google and found someone with exactly the same problem, unfortunately no one seemed to have an answer for them at the time:

http://mail.gnome.org/archives/gdm-list/2003-January/msg00012.html

Is anyone successfully authenticating X sessions with GDM & LDAP?

Thanks,
Ian.

From alex-saf at archit.vrn.ru Fri Jul 28 12:40:50 2006
From: alex-saf at archit.vrn.ru (Safonov Alexey)
Date: Fri, 28 Jul 2006 16:40:50 +0400
Subject: [Fedora-directory-users] Error at work of the utility ldapsearch.
In-Reply-To: <44C8DD5D.7010901@redhat.com> Message-ID: Thanks Richard! Now I start so: [root at asterisk1 bin]# ./ldapsearch -Z -P /opt/fedora-ds/alias/slapd-asterisk1-cert8.db -K /opt/fedora-ds/alias/slapd-asterisk1-key3.db -h rv-vm1.mup-example.vrn.ru -p 636 -D "cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w mupAdmin02 -s base -b "dc=mup-example,dc=vrn,dc=ru" "objectclass=*" -v Also I receive a error: ldapsearch: started Fri Jul 28 16:21:39 2006 ldap_init( srv-vm1.mup-example.vrn.ru, 636 ) ldaptool_getcertpath -- /opt/fedora-ds/alias/slapd-asterisk1-cert8.db ldaptool_getkeypath -- /opt/fedora-ds/alias/slapd-asterisk1-key3.db ldaptool_getmodpath -- (null) ldaptool_getdonglefilename -- (null) ldap_simple_bind: Can't contact LDAP server SSL error -8156 (Issuer certificate is invalid.) Though the certificate ad-cert (from Windows DC) is established. The utility certutil and Fedora Management Console (Manage Certificates) shows it. [root at asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L -d . -P slapd-asterisk1- CA certificate CTu,u,u server-cert u,u,u Server-Cert u,u,u ad-cert CT,C,C Help my! Safonov Alexey -----Original Message----- From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com]On Behalf Of Richard Megginson Sent: Thursday, July 27, 2006 7:36 PM To: General discussion list for the Fedora Directory server project. Subject: Re: [Fedora-directory-users] Error at work of the utility ldapsearch. Safonov Alexey wrote: > Hi ! > > I ask to help to solve a problem with the utility ldapsearch. > > is a problem to carry out synchronization between FDS and AD. Has made the > following: > 1) Install FDS > 2) Configuring SSL Enabled FDS. For this purpose has started script > setupssl.sh (http://directory.fedora.redhat.com/download/setupssl.sh) from > HOWTO "Howto:SSL" (http://directory.fedora.redhat.com/wiki/Howto:SSL) > 3) Restart FDS. 
> netstat -atupn | grep ns- > tcp 0 0 :::389 :::* LISTEN 6039/ns-slapd > tcp 0 0 :::636 :::* LISTEN 6039/ns-slapd > 4) Enable SSL on AD. > Install Certificate Service > Check util ldp.exe: > Connected param: Server- srv-vm1.mup-example.vrn.ru > Port - 636 > Checkbox "SSL" > ld = ldap_sslinit("srv-vm1.mup-example.vrn.ru", 636, 1); > Error <0x0> = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, > LDAP_VERSION3); > Error <0x0> = ldap_connect(hLdap, NULL); > Error <0x0> = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv); > Host supports SSL, SSL cipher strength = 128 bits > Established connection to srv-vm1.mup-example.vrn.ru. > Retrieving base DSA information... > ..... > 5) Import AD CA certificate in DER mode. > 6) Copy, convert (PEM) and install AD CA certificate in FDS. Check: > [root at asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L -d . -P > slapd-asterisk1- > CA certificate CTu,u,u > server-cert u,u,u > Server-Cert u,u,u > ad-cert CT,C,C <- install this > > 6) [root at asterisk1 alias]# ldapsearch -Z -P > /opt/fedora-ds/alias/slapd-asterisk1-cert8.db -h > rv-vm1.mup-example.vrn.ru -p 636 -D > "cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w secret01 -s > base -b "dc=mup-example,dc=vrn,dc=ru" "objectclass=*" > That's /usr/bin/ldapsearch, which is openldap ldapsearch, which uses openssl for crypto, which is completely different than NSS. You need to use the ldapsearch in /opt/fedora-ds/shared/bin e.g. cd /opt/fedora-ds/shared/bin ; ./ldapsearch .... > Error: > ldapsearch: unabel to parse protocol version > "/opt/fedora-ds/alias/slapd-asterisk1-cert8.db" > > Help my! 
> Thanks > > ------------------------------------------------------ > My Setup: > > Fedora Core 5 (i386) > Fedora Directory Server 1.0.2 > Windows 2003 Server (DC - srv-vm1.mup-example.vrn.ru) > ------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > From rmeggins at redhat.com Fri Jul 28 13:44:54 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Fri, 28 Jul 2006 07:44:54 -0600 Subject: [Fedora-directory-users] Error at work of the utility ldapsearch. In-Reply-To: References: Message-ID: <44CA14D6.1010809@redhat.com> Safonov Alexey wrote: > Thanks Richard! > > Now I start so: > [root at asterisk1 bin]# ./ldapsearch -Z -P > /opt/fedora-ds/alias/slapd-asterisk1-cert8.db -K > /opt/fedora-ds/alias/slapd-asterisk1-key3.db -h > rv-vm1.mup-example.vrn.ru -p 636 -D > "cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w mupAdmin02 -s > base -b "dc=mup-example,dc=vrn,dc=ru" "objectclass=*" -v > > Also I receive a error: > > ldapsearch: started Fri Jul 28 16:21:39 2006 > > ldap_init( srv-vm1.mup-example.vrn.ru, 636 ) > ldaptool_getcertpath -- /opt/fedora-ds/alias/slapd-asterisk1-cert8.db > ldaptool_getkeypath -- /opt/fedora-ds/alias/slapd-asterisk1-key3.db > ldaptool_getmodpath -- (null) > ldaptool_getdonglefilename -- (null) > ldap_simple_bind: Can't contact LDAP server > SSL error -8156 (Issuer certificate is invalid.) > > Though the certificate ad-cert (from Windows DC) is established. The utility > certutil and Fedora Management Console (Manage Certificates) shows it. > [root at asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L -d . -P > slapd-asterisk1- > CA certificate CTu,u,u > server-cert u,u,u > Server-Cert u,u,u > ad-cert CT,C,C > > Help my! > Is ad-cert the certificate of the AD server or the certificate of the CA that issued the AD cert? 
An SSL client only needs to trust the CA cert of the issuer of the server certs it wants to use. > Safonov Alexey > > -----Original Message----- > From: fedora-directory-users-bounces at redhat.com > [mailto:fedora-directory-users-bounces at redhat.com]On Behalf Of Richard > Megginson > Sent: Thursday, July 27, 2006 7:36 PM > To: General discussion list for the Fedora Directory server project. > Subject: Re: [Fedora-directory-users] Error at work of the utility > ldapsearch. > > > Safonov Alexey wrote: > >> Hi ! >> >> I ask to help to solve a problem with the utility ldapsearch. >> >> is a problem to carry out synchronization between FDS and AD. Has made the >> following: >> 1) Install FDS >> 2) Configuring SSL Enabled FDS. For this purpose has started script >> setupssl.sh (http://directory.fedora.redhat.com/download/setupssl.sh) from >> HOWTO "Howto:SSL" (http://directory.fedora.redhat.com/wiki/Howto:SSL) >> 3) Restart FDS. >> netstat -atupn | grep ns- >> tcp 0 0 :::389 :::* LISTEN 6039/ns-slapd >> tcp 0 0 :::636 :::* LISTEN 6039/ns-slapd >> 4) Enable SSL on AD. >> Install Certificate Service >> Check util ldp.exe: >> Connected param: Server- srv-vm1.mup-example.vrn.ru >> Port - 636 >> Checkbox "SSL" >> ld = ldap_sslinit("srv-vm1.mup-example.vrn.ru", 636, 1); >> Error <0x0> = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, >> LDAP_VERSION3); >> Error <0x0> = ldap_connect(hLdap, NULL); >> Error <0x0> = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv); >> Host supports SSL, SSL cipher strength = 128 bits >> Established connection to srv-vm1.mup-example.vrn.ru. >> Retrieving base DSA information... >> ..... >> 5) Import AD CA certificate in DER mode. >> 6) Copy, convert (PEM) and install AD CA certificate in FDS. Check: >> [root at asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L -d . 
-P >> slapd-asterisk1- >> CA certificate CTu,u,u >> server-cert u,u,u >> Server-Cert u,u,u >> ad-cert CT,C,C <- install this >> >> 6) [root at asterisk1 alias]# ldapsearch -Z -P >> /opt/fedora-ds/alias/slapd-asterisk1-cert8.db -h >> rv-vm1.mup-example.vrn.ru -p 636 -D >> "cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w secret01 -s >> base -b "dc=mup-example,dc=vrn,dc=ru" "objectclass=*" >> >> > That's /usr/bin/ldapsearch, which is openldap ldapsearch, which uses > openssl for crypto, which is completely different than NSS. You need to > use the ldapsearch in /opt/fedora-ds/shared/bin e.g. > cd /opt/fedora-ds/shared/bin ; ./ldapsearch .... > >> Error: >> ldapsearch: unabel to parse protocol version >> "/opt/fedora-ds/alias/slapd-asterisk1-cert8.db" >> >> Help my! >> Thanks >> >> ------------------------------------------------------ >> My Setup: >> >> Fedora Core 5 (i386) >> Fedora Directory Server 1.0.2 >> Windows 2003 Server (DC - srv-vm1.mup-example.vrn.ru) >> ------------------------------------------------------ >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From alex-saf at archit.vrn.ru Fri Jul 28 15:25:01 2006 From: alex-saf at archit.vrn.ru (Safonov Alexey) Date: Fri, 28 Jul 2006 19:25:01 +0400 Subject: [Fedora-directory-users] Error at work of the utility ldapsearch. In-Reply-To: <44CA14D6.1010809@redhat.com> Message-ID: Thanks Richard! In my opinion it the certificate of the CA. 
You can see the details of how it was obtained on the screenshot (see the attached file)

Safonov Alexey

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com
[mailto:fedora-directory-users-bounces at redhat.com]On Behalf Of Richard
Megginson
Sent: Friday, July 28, 2006 5:45 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Error at work of the utility
ldapsearch.


Safonov Alexey wrote:
> Thanks Richard!
>
> Now I start so:
> [root at asterisk1 bin]# ./ldapsearch -Z -P
> /opt/fedora-ds/alias/slapd-asterisk1-cert8.db -K
> /opt/fedora-ds/alias/slapd-asterisk1-key3.db -h
> rv-vm1.mup-example.vrn.ru -p 636 -D
> "cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w secret01 -s
> base -b "dc=mup-example,dc=vrn,dc=ru" "objectclass=*" -v
>
> Also I receive an error:
>
> ldapsearch: started Fri Jul 28 16:21:39 2006
>
> ldap_init( srv-vm1.mup-example.vrn.ru, 636 )
> ldaptool_getcertpath -- /opt/fedora-ds/alias/slapd-asterisk1-cert8.db
> ldaptool_getkeypath -- /opt/fedora-ds/alias/slapd-asterisk1-key3.db
> ldaptool_getmodpath -- (null)
> ldaptool_getdonglefilename -- (null)
> ldap_simple_bind: Can't contact LDAP server
> SSL error -8156 (Issuer certificate is invalid.)
>
> Though the certificate ad-cert (from Windows DC) is established. The utility
> certutil and Fedora Management Console (Manage Certificates) show it.
> [root at asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L -d . -P
> slapd-asterisk1-
> CA certificate CTu,u,u
> server-cert u,u,u
> Server-Cert u,u,u
> ad-cert CT,C,C
>
> Help me!
>
Is ad-cert the certificate of the AD server or the certificate of the CA
that issued the AD cert? An SSL client only needs to trust the CA cert of
the issuer of the server certs it wants to use.

> Safonov Alexey
>
> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com
> [mailto:fedora-directory-users-bounces at redhat.com]On Behalf Of Richard
> Megginson
> Sent: Thursday, July 27, 2006 7:36 PM
> To: General discussion list for the Fedora Directory server project.
> Subject: Re: [Fedora-directory-users] Error at work of the utility
> ldapsearch.
>
>
> Safonov Alexey wrote:
>
>> Hi !
>>
>> I ask for help to solve a problem with the utility ldapsearch.
>>
>> There is a problem carrying out synchronization between FDS and AD. I did the
>> following:
>> 1) Install FDS
>> 2) Configure SSL-enabled FDS. For this purpose I ran the script
>> setupssl.sh (http://directory.fedora.redhat.com/download/setupssl.sh) from
>> HOWTO "Howto:SSL" (http://directory.fedora.redhat.com/wiki/Howto:SSL)
>> 3) Restart FDS.
>> netstat -atupn | grep ns-
>> tcp 0 0 :::389 :::* LISTEN 6039/ns-slapd
>> tcp 0 0 :::636 :::* LISTEN 6039/ns-slapd
>> 4) Enable SSL on AD.
>> Install Certificate Service
>> Check util ldp.exe:
>> Connected param: Server- srv-vm1.mup-example.vrn.ru
>> Port - 636
>> Checkbox "SSL"
>> ld = ldap_sslinit("srv-vm1.mup-example.vrn.ru", 636, 1);
>> Error <0x0> = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION,
>> LDAP_VERSION3);
>> Error <0x0> = ldap_connect(hLdap, NULL);
>> Error <0x0> = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
>> Host supports SSL, SSL cipher strength = 128 bits
>> Established connection to srv-vm1.mup-example.vrn.ru.
>> Retrieving base DSA information...
>> .....
>> 5) Import AD CA certificate in DER mode.
>> 6) Copy, convert (PEM) and install AD CA certificate in FDS. Check:
>> [root at asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L -d . -P
>> slapd-asterisk1-
>> CA certificate CTu,u,u
>> server-cert u,u,u
>> Server-Cert u,u,u
>> ad-cert CT,C,C <- install this
>>
>> 6) [root at asterisk1 alias]# ldapsearch -Z -P
>> /opt/fedora-ds/alias/slapd-asterisk1-cert8.db -h
>> rv-vm1.mup-example.vrn.ru -p 636 -D
>> "cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w secret01 -s
>> base -b "dc=mup-example,dc=vrn,dc=ru" "objectclass=*"
>>
>>
> That's /usr/bin/ldapsearch, which is openldap ldapsearch, which uses
> openssl for crypto, which is completely different than NSS. You need to
> use the ldapsearch in /opt/fedora-ds/shared/bin e.g.
> cd /opt/fedora-ds/shared/bin ; ./ldapsearch ....
>
>> Error:
>> ldapsearch: unabel to parse protocol version
>> "/opt/fedora-ds/alias/slapd-asterisk1-cert8.db"
>>
>> Help me!
>> Thanks
>>
>> ------------------------------------------------------
>> My Setup:
>>
>> Fedora Core 5 (i386)
>> Fedora Directory Server 1.0.2
>> Windows 2003 Server (DC - srv-vm1.mup-example.vrn.ru)
>> ------------------------------------------------------
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sert2.jpg
Type: image/jpeg
Size: 37399 bytes
Desc: not available
URL:

From alex-saf at archit.vrn.ru Fri Jul 28 15:05:34 2006
From: alex-saf at archit.vrn.ru (Safonov Alexey)
Date: Fri, 28 Jul 2006 19:05:34 +0400
Subject: [Fedora-directory-users] Error at work of the utility ldapsearch.
In-Reply-To: <44CA14D6.1010809@redhat.com>
Message-ID:

Thanks Richard!
In my opinion it is the certificate of the CA. You can see the details of how it was obtained on the screenshot (see the attached file)

Safonov Alexey

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com
[mailto:fedora-directory-users-bounces at redhat.com]On Behalf Of Richard
Megginson
Sent: Friday, July 28, 2006 5:45 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Error at work of the utility
ldapsearch.


Safonov Alexey wrote:
> Thanks Richard!
>
> Now I start so:
> [root at asterisk1 bin]# ./ldapsearch -Z -P
> /opt/fedora-ds/alias/slapd-asterisk1-cert8.db -K
> /opt/fedora-ds/alias/slapd-asterisk1-key3.db -h
> rv-vm1.mup-example.vrn.ru -p 636 -D
> "cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w secret01 -s
> base -b "dc=mup-example,dc=vrn,dc=ru" "objectclass=*" -v
>
> Also I receive an error:
>
> ldapsearch: started Fri Jul 28 16:21:39 2006
>
> ldap_init( srv-vm1.mup-example.vrn.ru, 636 )
> ldaptool_getcertpath -- /opt/fedora-ds/alias/slapd-asterisk1-cert8.db
> ldaptool_getkeypath -- /opt/fedora-ds/alias/slapd-asterisk1-key3.db
> ldaptool_getmodpath -- (null)
> ldaptool_getdonglefilename -- (null)
> ldap_simple_bind: Can't contact LDAP server
> SSL error -8156 (Issuer certificate is invalid.)
>
> Though the certificate ad-cert (from Windows DC) is established. The utility
> certutil and Fedora Management Console (Manage Certificates) show it.
> [root at asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L -d . -P
> slapd-asterisk1-
> CA certificate CTu,u,u
> server-cert u,u,u
> Server-Cert u,u,u
> ad-cert CT,C,C
>
> Help me!
>
Is ad-cert the certificate of the AD server or the certificate of the CA
that issued the AD cert? An SSL client only needs to trust the CA cert of
the issuer of the server certs it wants to use.

> Safonov Alexey
>
> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com
> [mailto:fedora-directory-users-bounces at redhat.com]On Behalf Of Richard
> Megginson
> Sent: Thursday, July 27, 2006 7:36 PM
> To: General discussion list for the Fedora Directory server project.
> Subject: Re: [Fedora-directory-users] Error at work of the utility
> ldapsearch.
>
>
> Safonov Alexey wrote:
>
>> Hi !
>>
>> I ask for help to solve a problem with the utility ldapsearch.
>>
>> There is a problem carrying out synchronization between FDS and AD. I did the
>> following:
>> 1) Install FDS
>> 2) Configure SSL-enabled FDS. For this purpose I ran the script
>> setupssl.sh (http://directory.fedora.redhat.com/download/setupssl.sh) from
>> HOWTO "Howto:SSL" (http://directory.fedora.redhat.com/wiki/Howto:SSL)
>> 3) Restart FDS.
>> netstat -atupn | grep ns-
>> tcp 0 0 :::389 :::* LISTEN 6039/ns-slapd
>> tcp 0 0 :::636 :::* LISTEN 6039/ns-slapd
>> 4) Enable SSL on AD.
>> Install Certificate Service
>> Check util ldp.exe:
>> Connected param: Server- srv-vm1.mup-example.vrn.ru
>> Port - 636
>> Checkbox "SSL"
>> ld = ldap_sslinit("srv-vm1.mup-example.vrn.ru", 636, 1);
>> Error <0x0> = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION,
>> LDAP_VERSION3);
>> Error <0x0> = ldap_connect(hLdap, NULL);
>> Error <0x0> = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
>> Host supports SSL, SSL cipher strength = 128 bits
>> Established connection to srv-vm1.mup-example.vrn.ru.
>> Retrieving base DSA information...
>> .....
>> 5) Import AD CA certificate in DER mode.
>> 6) Copy, convert (PEM) and install AD CA certificate in FDS. Check:
>> [root at asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L -d . -P
>> slapd-asterisk1-
>> CA certificate CTu,u,u
>> server-cert u,u,u
>> Server-Cert u,u,u
>> ad-cert CT,C,C <- install this
>>
>> 6) [root at asterisk1 alias]# ldapsearch -Z -P
>> /opt/fedora-ds/alias/slapd-asterisk1-cert8.db -h
>> rv-vm1.mup-example.vrn.ru -p 636 -D
>> "cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w secret01 -s
>> base -b "dc=mup-example,dc=vrn,dc=ru" "objectclass=*"
>>
>>
> That's /usr/bin/ldapsearch, which is openldap ldapsearch, which uses
> openssl for crypto, which is completely different than NSS. You need to
> use the ldapsearch in /opt/fedora-ds/shared/bin e.g.
> cd /opt/fedora-ds/shared/bin ; ./ldapsearch ....
>
>> Error:
>> ldapsearch: unabel to parse protocol version
>> "/opt/fedora-ds/alias/slapd-asterisk1-cert8.db"
>>
>> Help me!
>> Thanks
>>
>> ------------------------------------------------------
>> My Setup:
>>
>> Fedora Core 5 (i386)
>> Fedora Directory Server 1.0.2
>> Windows 2003 Server (DC - srv-vm1.mup-example.vrn.ru)
>> ------------------------------------------------------
>>
>>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sert1.jpg
Type: image/jpeg
Size: 142485 bytes
Desc: not available
URL:

From wilmer5 at gmail.com Sun Jul 30 19:26:09 2006
From: wilmer5 at gmail.com (Wilmer Jaramillo M.)
Date: Sun, 30 Jul 2006 15:26:09 -0400
Subject: [Fedora-directory-users] Replication question
In-Reply-To:
References:
Message-ID: <2b26c4260607301226s4880c042m3e3aafd20224161b@mail.gmail.com>

On 7/14/06, Jo De Troy wrote:
> When looking in the replication agreement the supplier has port 389
> and the consumer has port 636. How can I get the supplier port to be
> 636 also?
> Or is this not needed for security?
> Is there somewhere a list explaining the different status error codes?

Yes, in the Red Hat Knowledgebase there is an article with the error codes
http://kbase.redhat.com/faq/FAQ_91_5317.shtm

--
Wilmer Jaramillo M.
TALUG - http://www.linuxtachira.org
GPG Key Fingerprint = 0666 D0D3 24CE 8935 9C24 BBF1 87DD BEA2 A4B2 1E8A

From massoo at 30gigs.com Mon Jul 31 13:02:56 2006
From: massoo at 30gigs.com (prashant n)
Date: Mon, 31 Jul 2006 8:02:56 -0500
Subject: [Fedora-directory-users] Few Fedora Directory Server questions
Message-ID: <81070448a399501e6d8027eaaa70397a@imap.30gigs.com>

hi,

Can Fedora Directory Server be used for :

1) to provide enterprise-wide identity for employees ?

2) can this be integrated into Access Cards - Flash / Swipe

3) can this be integrated into EPABX

4) can we replace Windows Active Directory PDC which is authenticating my windows and *NIX workstations by Samba PDC using Fedora Directory Server.

5) Can my Cisco PIX, Squid Proxy, IPSec / SSL-VPN or any other Application (Apache, Zimbra, Subversion, Jive-WildeFire IM , etc which can talk to Active Directory and OpenLDAP for authentication) be configured to get user authentication from Fedora Directory Server

6) SSO ? Can I integrate Fedora Directory Server to my windows and *NIX workstation logons? Will it result in the email client MS Outlook 200x, Mozilla ThunderBird 1.x, Kontact 1.2.x, my browsers (IE 5.x & above, Mozilla Firefox 1.x) getting authenticated automagically and serving what they are intended to, i.e., send / receive emails, browse internet, etc without asking the user to key in his/her email id, email password etc

Please clarify my doubts

Thanks & Regards
Shann

From rmeggins at redhat.com Mon Jul 31 13:32:28 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 31 Jul 2006 07:32:28 -0600
Subject: [Fedora-directory-users] Few Fedora Directory Server questions
In-Reply-To: <81070448a399501e6d8027eaaa70397a@imap.30gigs.com>
References: <81070448a399501e6d8027eaaa70397a@imap.30gigs.com>
Message-ID: <44CE066C.2060104@redhat.com>

prashant n wrote:
> hi,
>
> Can Fedora Directory Server be used for :
>
> 1) to provide enterprise-wide identity for employees ?
Yes.
>
> 2) can this be integrated into Access Cards - Flash / Swipe
I'm not sure. Are these smart cards with X.509 certificates? If so, then
yes - Fedora DS supports client cert based auth.
>
> 3) can this be integrated into EPABX
Yes.
>
> 4) can we replace Windows Active Directory PDC which is authenticating
> my windows and *NIX workstations by Samba PDC using Fedora Directory
> Server.
No. Fedora DS does not provide all of the PDC capabilities of AD expected
by Windows clients.
>
> 5) Can my Cisco PIX, Squid Proxy, IPSec / SSL-VPN or any other
> Application (Apache, Zimbra, Subversion, Jive-WildeFire IM , etc which
> can talk to Active Directory and OpenLDAP for authentication) be
> configured to get user authentication from Fedora Directory Server
If it can use openldap, it can use Fedora DS.
>
> 6) SSO ? Can I integrate Fedora Directory Server to my windows and
> *NIX workstation logons? Will it result in the email client MS
> Outlook 200x, Mozilla ThunderBird 1.x, Kontact 1.2.x, my browsers (IE
> 5.x & above, Mozilla Firefox 1.x) getting authenticated automagically and
> serving what they are intended to, i.e., send / receive emails, browse
> internet, etc without asking the user to key in his/her email id,
> email password etc
MS Active Directory has some additional functionality with respect to
Windows clients such as MS Outlook.
I've heard that it is possible to get cross domain Kerberos working with
sasl/kerberos on the *nix side and AD on the Windows side. But in general,
if the client uses plain old LDAP or sasl/kerberos or client certs for
auth, then Fedora DS should work just fine.
>
> Please clarify my doubts
>
> Thanks & Regards
> Shann
>

From Arjan at FranzenOnline.com Mon Jul 31 16:55:31 2006
From: Arjan at FranzenOnline.com (Arjan Franzen)
Date: Mon, 31 Jul 2006 18:55:31 +0200
Subject: [Fedora-directory-users] Why is the attribute nsaccountlock a multi-value?
Message-ID: <44CE3603.5070207@FranzenOnline.com>

Hi all,

In an application I'm currently developing I'm using the internal attribute nsaccountlock to lock out accounts. While trying to set the attribute I ran into trouble since it is multi-valued: the result was that an account at one point had the nsaccountlock attribute set to "null, true" (multi-value).

I solved the problem by altering 00-core.ldif (sorry) and making nsaccountlock single-valued, because I can't think of a scenario where you would want to have the account status set to multiple values.

Since then I've not run into trouble and I'm testing it now in an MM environment (starting to test it)

Does anyone have any experience with this approach or can someone point out the risks I'm taking with this?

regards,

Arjan

From alan.ferrier at iplay.com Mon Jul 31 17:03:38 2006
From: alan.ferrier at iplay.com (Alan Ferrier)
Date: Mon, 31 Jul 2006 18:03:38 +0100
Subject: [Fedora-directory-users] mod_nss compile fails
Message-ID: <44CE37EA.5010100@iplay.com>

Hi guys,

Trying to do a "one-step" build. It's failing during the compile of
mod_nss-1.0.2 with:

nss_expr_eval.c: In function `nss_expr_eval_comp':
nss_expr_eval.c:116: error: `ap_regex_t' undeclared (first use in this function)
nss_expr_eval.c:116: error: (Each undeclared identifier is reported only once
nss_expr_eval.c:116: error: for each function it appears in.)
nss_expr_eval.c:116: error: `regex' undeclared (first use in this function)
nss_expr_eval.c:121: error: syntax error before ')' token
nss_expr_eval.c:133: error: syntax error before ')' token
make[2]: *** [nss_expr_eval.lo] Error 1
make[2]: Leaving directory `/usr/local/src/dsbuild-fds102/ds/mod_nss/work/mod_nss-1.0.2'
make[1]: *** [build-work/mod_nss-1.0.2/Makefile] Error 2
make[1]: Leaving directory `/usr/local/src/dsbuild-fds102/ds/mod_nss'
make: *** [dep-../../ds/mod_nss] Error 2

Any clues would be appreciated.

Regards

Alan

--
e-Commerce Systems Manager
I-play
From rcritten at redhat.com Mon Jul 31 18:08:01 2006
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 31 Jul 2006 14:08:01 -0400
Subject: [Fedora-directory-users] mod_nss compile fails
In-Reply-To: <44CE37EA.5010100@iplay.com>
References: <44CE37EA.5010100@iplay.com>
Message-ID: <44CE4701.5050606@redhat.com>

Alan Ferrier wrote:
> Hi guys,
>
> Trying to do a "one-step" build. It's failing during the compile of
> mod_nss-1.0.2 with:
>
> nss_expr_eval.c: In function `nss_expr_eval_comp':
> nss_expr_eval.c:116: error: `ap_regex_t' undeclared (first use in this
> function)
> nss_expr_eval.c:116: error: (Each undeclared identifier is reported only
> once
> nss_expr_eval.c:116: error: for each function it appears in.)
> nss_expr_eval.c:116: error: `regex' undeclared (first use in this function)
> nss_expr_eval.c:121: error: syntax error before ')' token
> nss_expr_eval.c:133: error: syntax error before ')' token
> make[2]: *** [nss_expr_eval.lo] Error 1
> make[2]: Leaving directory
> `/usr/local/src/dsbuild-fds102/ds/mod_nss/work/mod_nss-1.0.2'
> make[1]: *** [build-work/mod_nss-1.0.2/Makefile] Error 2
> make[1]: Leaving directory `/usr/local/src/dsbuild-fds102/ds/mod_nss'
> make: *** [dep-../../ds/mod_nss] Error 2
>
> Any clues would be appreciated.
>
The problem is that in Apache 2.0.54 (and below) there was no way for the
compiler to know the numeric version. Starting with 2.2 they added a define
for AP_SERVER_MAJORVERSION_NUMBER. So what I did was assume that if that
wasn't defined then we were dealing with Apache 2.0 otherwise 2.2. In at
least 2.0.58 someone added this define in and caused the code to blow up.

rob