From prowley at redhat.com Wed Mar 1 00:00:19 2006
From: prowley at redhat.com (Pete Rowley)
Date: Tue, 28 Feb 2006 16:00:19 -0800
Subject: [Fedora-directory-users] Re: Cos? or plug-in issue?
In-Reply-To:
References: <000001c63b59$48f93ea0$fd0110ac@officecomputer> <44035C38.7060709@redhat.com> <4404C879.8080803@redhat.com>
Message-ID: <4404E413.3010900@redhat.com>

Scott wrote:

>Well if that is the case and there are no underlying mechanisms that I was
>excluding I am really discouraged with the ability to provide customization. Do
>you see anything wrong with how I attempted to define the attribute that could
>have been causing the issue? It has to be something I am leaving out.
>

No I don't see anything wrong per se. What was your test? Was it a
straight LDAP search?

>Yes I restarted every time. The only time I can get it to enforce the case is with
>the IA5String. Since the IA5String seems to be working, do you see any problem
>with me leaving it defined? Thanks again
>

IA5String is essentially 7 bit ascii, so no international characters.
If you are fine with that, it is ok.

--
Pete

From scott.boggs at gmail.com Wed Mar 1 04:06:41 2006
From: scott.boggs at gmail.com (Scott)
Date: Wed, 1 Mar 2006 04:06:41 +0000 (UTC)
Subject: [Fedora-directory-users] Re: Cos? or plug-in issue?
References: <000001c63b59$48f93ea0$fd0110ac@officecomputer> <44035C38.7060709@redhat.com> <4404C879.8080803@redhat.com> <4404E413.3010900@redhat.com>
Message-ID:

Pete Rowley redhat.com> writes:

> No I don't see anything wrong per se. What was your test? Was it a
> straight LDAP search?

straight LDAP search via CLI and via web express interface

> IA5String is essentially 7 bit ascii, so no international characters.
> If you are fine with that, it is ok.
>

for now I don't have any issues with using appreciate your perspective. I hope
to eventually figure out what the issue is with the alternate method, but for
now it meets my requirements. Thanks again.

From francois.beretti at gmail.com Wed Mar 1 12:05:03 2006
From: francois.beretti at gmail.com (=?ISO-8859-1?Q?Fran=E7ois_Beretti?=)
Date: Wed, 1 Mar 2006 13:05:03 +0100
Subject: [Fedora-directory-users] TLS authentication without a user mapped
In-Reply-To: <43FDD124.9060404@boreham.org>
References: <85d6be850602230617h473de439p@mail.gmail.com> <43FDD124.9060404@boreham.org>
Message-ID: <85d6be850603010405o7db7fb58q@mail.gmail.com>

Sorry for my late answer.

When binding with cn=Directory Manager, the user does not exist. So
the existence of the entry does not seem to be always required, does
it ?

François

2006/2/23, David Boreham :
> This would be a new feature. You'd need to write code to
> implement it (or someone would). Problem is that there are
> a bunch of places in the code where the existence of an
> entry with the bind identity is assumed. So it wouldn't be
> quite as simple as taking the cert DN and copying it into
> the bind DN for the session.
>
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From rmeggins at redhat.com Wed Mar 1 14:16:34 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 01 Mar 2006 07:16:34 -0700
Subject: [Fedora-directory-users] TLS authentication without a user mapped
In-Reply-To: <85d6be850603010405o7db7fb58q@mail.gmail.com>
References: <85d6be850602230617h473de439p@mail.gmail.com> <43FDD124.9060404@boreham.org> <85d6be850603010405o7db7fb58q@mail.gmail.com>
Message-ID: <4405ACC2.1050601@redhat.com>

François Beretti wrote:

>Sorry for my late answer.
>
>When binding with cn=Directory Manager, the user does not exist. So
>the existence of the entry does not seem to be always required, does
>it ?
>
>

That user is special, and there is lots of code in the server to handle
this special case. The other instance is when using pass through auth
or chaining - the user is remote.

>François
>
>2006/2/23, David Boreham :
>
>>This would be a new feature. You'd need to write code to
>>implement it (or someone would). Problem is that there are
>>a bunch of places in the code where the existence of an
>>entry with the bind identity is assumed. So it wouldn't be
>>quite as simple as taking the cert DN and copying it into
>>the bind DN for the session.
>>

From jimh at u.washington.edu Thu Mar 2 00:19:13 2006
From: jimh at u.washington.edu (Jim Hogan)
Date: Wed, 01 Mar 2006 16:19:13 -0800
Subject: [Fedora-directory-users] Samba schema not loading in FDS...
In-Reply-To: <44035C38.7060709@redhat.com>
References: <000001c63b59$48f93ea0$fd0110ac@officecomputer> <44035C38.7060709@redhat.com>
Message-ID: <44063A01.30507@u.washington.edu>

Halloo!

I am attempting to migrate an existing OpenLDAP directory to FDS 1.01.
I had extended the OL setup with samba.schema and had imported a bunch
of existing Samba data with scripts. This is all on Fedora Core 3. I
was motivated to migrate by 1) the console apps and 2) better ACI mgmt;
I figured both of these might better support a better self-service
directory model where people can edit some of their own details.

I have FDS running and just got console running.
I found the script to convert samba.schema to FDS LDIF format and that
seemed to work a treat. However, on startup, FDS seems to completely
ignore my "61samba.ldif". Worse, it seems not to notice any errors.
What this means is that I am not able to import any users (and other
elements) from my OL directory as they have various samba* attributes.

The rest of the XXname.ldif schema files seem to be processing just
fine. I have audited some of the last to load 50ns-web, 50ns-calendar
and 60pam-plugin, and all of their attributes appear in the listing I
can find via the console (or phpLDAPadmin).

I saw nothing in the slapd-servername/logs/* so I increased error
loglevel to 192 and then to some ridiculous combined value from the
debug table in the FAQ. I never see any reference to problems
processing "61samba" -- the only errors I can generate with "samba" in
them are when I attempt to add users "has unknown object class
'sambaSamAccount'", for example. I changed 61samba.ldif to
21samba.ldif to see if this problem was order-dependent. No change.
For grins, I added a junk ldif called 59nonsense.ldif and I couldn't
get *that* to generate any lines in the "errors" log file or anywhere
that I can tell. "service ldap restart" just seems to go on its merry
way. It is like the ancillary LDIF list doesn't exist or something.

So, for fun I *copied* one of the LDIF schema files to
"59nonsense.ldif" and figured I would see log complaints about
duplicate attributes, but *nothing*. and nothing in debug log. slapd
restarts without a hitch.

Anyhow, FDS looks great and I am sure it will be a lot of fun, but at
the moment, I think I am missing some *big*, dope-slap-worthy item --
some big, red switch that says "COMMIT" that I need to flip!

Thoughts? Thanks.

Jim
--
/*********************************************************/
Jim Hogan
jimh *A T* u *DO T* washington *D OT* edu
/*********************************************************/

From rmeggins at redhat.com Thu Mar 2 02:12:30 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 01 Mar 2006 19:12:30 -0700
Subject: [Fedora-directory-users] Samba schema not loading in FDS...
In-Reply-To: <44063A01.30507@u.washington.edu>
References: <000001c63b59$48f93ea0$fd0110ac@officecomputer> <44035C38.7060709@redhat.com> <44063A01.30507@u.washington.edu>
Message-ID: <4406548E.6090403@redhat.com>

Jim Hogan wrote:

> Halloo!
>
> I am attempting to migrate an existing OpenLDAP directory to FDS
> 1.01. I had extended the OL setup with samba.schema and had imported
> a bunch of existing Samba data with scripts. This is all on Fedora
> Core 3. I was motivated to migrate by 1) the console apps and 2)
> better ACI mgmt; I figured both of these might better support a better
> self-service directory model where people can edit some of their own
> details.
>
> I have FDS running and just got console running. I found the script
> to convert samba.schema to FDS LDIF format and that seemed to work a
> treat. However, on startup, FDS seems to completely ignore my
> "61samba.ldif". Worse, it seems not to notice any errors. What this
> means is that I am not able to import any users (and other elements)
> from my OL directory as they have various samba* attributes.

This is what I did:

cd /opt/fedora-ds/slapd-localhost/config/schema
perl ~/ol2rhds.pl < /usr/share/doc/samba-3.0.14a/LDAP/samba.schema > 61samba.ldif
# http://www.directory.fedora.redhat.com/download/ol2rhds.pl
../../restart-slapd
ldapsearch -x -h localhost -p myport -s base -b "cn=schema" "objectclass=*" | grep -i samba

I see lots of output like the following:

....
objectClasses: ( 1.3.6.1.4.1.7165.2.2.12 NAME 'sambaConfigOption' DESC 'Samba Configuration Option' SUP top STRUCTURAL MUST sambaOptionName X-ORIGIN 'user
objectClasses: ( 1.3.6.1.4.1.7165.2.2.15 NAME 'sambaAccountPolicy' DESC 'Samba Account Policy' SUP top STRUCTURAL MUST ( sambaAccountPolicyName $ sambaAcco
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.40 NAME 'sambaAlgorithmicRidBase' DESC 'Base at which the samba RID generation algorithm should operate' EQUALITY in
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.19 NAME 'sambaGroupType' DESC 'NT Group
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.55 NAME 'sambaLogonHours' DESC 'Logon H
....

>
> The rest of the XXname.ldif schema files seem to be processing just
> fine. I have audited some of the last to load 50ns-web, 50ns-calendar
> and 60pam-plugin, and all of their attributes appear in the listing I
> can find via the console (or phpLDAPadmin).
>
> I saw nothing in the slapd-servername/logs/* so I increased error
> loglevel to 192 and then to some ridiculous combined value from the
> debug table in the FAQ. I never see any reference to problems
> processing "61samba" -- the only errors I can generate with "samba" in
> them are when I attempt to add users "has unknown object class
> 'sambaSamAccount'", for example. I changed 61samba.ldif to
> 21samba.ldif to see if this problem was order-dependent. No change.
> For grins, I added a junk ldif called 59nonsense.ldif and I couldn't
> get *that* to generate any lines in the "errors" log file or anywhere
> that I can tell. "service ldap restart" just seems to go on its merry
> way. It is like the ancillary LDIF list doesn't exist or something.
>
> So, for fun I *copied* one of the LDIF schema files to
> "59nonsense.ldif" and figured I would see log complaints about
> duplicate attributes, but *nothing*. and nothing in debug log. slapd
> restarts without a hitch.
>
> Anyhow, FDS looks great and I am sure it will be a lot of fun, but at
> the moment, I think I am missing some *big*, dope-slap-worthy item --
> some big, red switch that says "COMMIT" that I need to flip!
>
> Thoughts? Thanks.
>
> Jim
>

From jimh at u.washington.edu Thu Mar 2 03:00:47 2006
From: jimh at u.washington.edu (Jim Hogan)
Date: Wed, 1 Mar 2006 19:00:47 -0800 (PST)
Subject: [Fedora-directory-users] Samba schema not loading in FDS...
In-Reply-To: <4406548E.6090403@redhat.com>
References: <000001c63b59$48f93ea0$fd0110ac@officecomputer> <44035C38.7060709@redhat.com> <44063A01.30507@u.washington.edu> <4406548E.6090403@redhat.com>
Message-ID:

On Wed, 1 Mar 2006, Richard Megginson wrote:

> This is what I did:
> cd /opt/fedora-ds/slapd-localhost/config/schema
> perl ~/ol2rhds.pl < /usr/share/doc/samba-3.0.14a/LDAP/samba.schema > 61samba.ldif
> # http://www.directory.fedora.redhat.com/download/ol2rhds.pl

This I had covered...

> ../../restart-slapd

BING. D'Oh! The Big Red Clue Switch right there. Something is
obviously whacked with my init.d/ldap, as it causes/logs slapd
start/stop, but isn't doing it right. I need to look to see if that rc
script is a munged artifact of the old OL install or something (which I
was just starting to do when you emailed). Anyhow, I wasn't using the
restart script that was sitting there in slapd-host staring at me.

> ldapsearch -x -h localhost -p myport -s base -b "cn=schema" "objectclass=*" |
> grep -i samba

I get lots of "samba" now. Maybe this thread will help the next
wanderer :)

Thanks!

Jim

From jimh at u.washington.edu Thu Mar 2 03:18:26 2006
From: jimh at u.washington.edu (Jim Hogan)
Date: Wed, 1 Mar 2006 19:18:26 -0800 (PST)
Subject: [Fedora-directory-users] Samba schema not loading in FDS...
In-Reply-To:
References: <000001c63b59$48f93ea0$fd0110ac@officecomputer> <44035C38.7060709@redhat.com> <44063A01.30507@u.washington.edu> <4406548E.6090403@redhat.com>
Message-ID:

On Wed, 1 Mar 2006, Jim Hogan wrote:

> On Wed, 1 Mar 2006, Richard Megginson wrote:
>
>> ../../restart-slapd
>
> BING. D'Oh! ....

To embarrass myself further I can categorically say that it does not
help to restart OpenLDAP slapd if you want FDS to reread your schema :)
And I was wondering why it didn't write to the FDS slapd logs???

I think at one point I took openldap-server off this box, but then...put
it back? And I thought I saw FDS replace the init.d/ldap.

Thanks again.

Jim

From rmeggins at redhat.com Thu Mar 2 14:55:07 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 02 Mar 2006 07:55:07 -0700
Subject: [Fedora-directory-users] [SECURITY] Fedora Directory Server 1.0.1 Update
Message-ID: <4407074B.4090505@redhat.com>

---------------------------------------------------------------------
Fedora Directory Server Update Notification
2006-03-01
---------------------------------------------------------------------

Product     : Fedora Directory Server
Name        : Directory Server
Version     : 1.0.1
Release     : 1
Summary     : The core LDAP server engine
Description :
The core directory server component of Fedora Directory Server is the
LDAP server engine/daemon.

---------------------------------------------------------------------
Update Information:

Evgeny Legerov of GLEG, Ltd. (http://www.gleg.net/) discovered several
flaws affecting Fedora Directory Server using the GLEG ProtoVer LDAP
test suite. A remote attacker who is able to connect to the directory
server could send malicious requests which would cause the server to
crash leading to a denial of service. The Common Vulnerabilities and
Exposures project assigned the names CVE-2006-0451, CVE-2006-0452, and
CVE-2006-0453 to these issues.
---------------------------------------------------------------------
This update is available by upgrading to Fedora Directory Server 1.0.2
available here:

http://directory.fedora.redhat.com/wiki/Download

The above link has instructions for downloading the new version and
upgrading older versions.

From rmeggins at redhat.com Thu Mar 2 14:55:17 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 02 Mar 2006 07:55:17 -0700
Subject: [Fedora-directory-users] Announcing Fedora Directory Server 1.0.2
Message-ID: <44070755.6040201@redhat.com>

Fedora Directory Server 1.0.2 is released! This release contains new
features, new platform support, and many bug fixes.

* Extended Password Syntax checking - passwords can be checked to see if
  they conform to the following:
** minimum password character length (old feature, but now the default
   is 8 characters)
** minimum number of digit characters (0-9)
** minimum number of ASCII alpha characters (a-z, A-Z)
** minimum number of uppercase ASCII alpha characters (A-Z)
** minimum number of lowercase ASCII alpha characters (a-z)
** minimum number of special ASCII characters (!@#$, etc.)
** minimum number of 8-bit characters
** maximum number of times the same char can be immediately repeated
   (aaabbb)
** minimum number of character categories that are represented
   (categories are lower, upper, digit, special, and 8-bit)
** Screenshot - http://directory.fedora.redhat.com/wiki/Image:Pwdsyntax.png
* Support for Linux x86_64 - RPMs for Fedora Core 4 and Fedora
  Core3/RHEL4 x86_64 are on the Download page.
* Preliminary support for Fedora Core 5 - including support for Apache
  2.2 and native java
* Bug fixes - follow this link
  (https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=183369) to see
  the bugzilla report

Release Notes: http://directory.fedora.redhat.com/wiki/Release_Notes
Download: http://directory.fedora.redhat.com/wiki/Download
Home Page: http://directory.fedora.redhat.com/wiki/Main_Page

From dhollis at davehollis.com Thu Mar 2 15:16:38 2006
From: dhollis at davehollis.com (David Hollis)
Date: Thu, 02 Mar 2006 10:16:38 -0500
Subject: [Fedora-directory-users] Announcing Fedora Directory Server 1.0.2
In-Reply-To: <44070755.6040201@redhat.com>
References: <44070755.6040201@redhat.com>
Message-ID: <1141312598.19624.5.camel@dhollis-lnx.sunera.com>

On Thu, 2006-03-02 at 07:55 -0700, Richard Megginson wrote:

> * Support for Linux x86_64 - RPMs for Fedora Core 4 and Fedora
> Core3/RHEL4 x86_64 are
> on the Download page.

Would the x86_64 support be of the "it builds and it might work. Use at
your own risk" variety or "it builds, it works, we've fully tested and
would bet the enterprise on it" variety? I've been waiting to finally
upgrade from OpenLDAP until there was a native 64-bit version, and now
it's here.

--
David Hollis

From rmeggins at redhat.com Thu Mar 2 15:24:31 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 02 Mar 2006 08:24:31 -0700
Subject: [Fedora-directory-users] Announcing Fedora Directory Server 1.0.2
In-Reply-To: <1141312598.19624.5.camel@dhollis-lnx.sunera.com>
References: <44070755.6040201@redhat.com> <1141312598.19624.5.camel@dhollis-lnx.sunera.com>
Message-ID: <44070E2F.9070508@redhat.com>

David Hollis wrote:

>On Thu, 2006-03-02 at 07:55 -0700, Richard Megginson wrote:
>
>>* Support for Linux x86_64 - RPMs for Fedora Core 4 and Fedora
>>Core3/RHEL4 x86_64 are
>>on the Download page.
>>
>
>Would the x86_64 support be of the "it builds and it might work. Use at
>your own risk" variety or "it builds, it works, we've fully tested and
>would bet the enterprise on it" variety?
>

The former. This is the first time we've released on x86_64. However,
we've had native 64 bit support for years on Sun and HP, so it's not as
if this is the first ever native 64 bit version that has a lot of latent
64 bit porting issues.

>I've been waiting to finally
>upgrade from OpenLDAP until there was a native 64-bit version, and now
>it's here.
>

From ABliss at preferredcare.org Thu Mar 2 15:27:13 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Thu, 2 Mar 2006 10:27:13 -0500
Subject: [Fedora-directory-users] Announcing Fedora Directory Server 1.0.2
Message-ID:

In my environment, I have 2 directory servers, a supplier and consumer
both running fds 1.0.1; is it necessary to upgrade them both at the same
time or can I run in a mixed environment for a while? Also, it looks
like this bug fix
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=180515 is
addressing this thread
https://www.redhat.com/archives/fedora-directory-users/2006-February/msg00087.html
If so, are there any special configuration changes that I need to make
on the directory servers to make it work? Thanks very much for a great
product and it's awesome to see all of the improvements that have been
made.

Aaron

www.preferredcare.org
"An Outstanding Member Experience," Preferred Care HMO Plans -- J. D. Power and Associates

Confidentiality Notice:
The information contained in this electronic message is intended for the
exclusive use of the individual or entity named above and may contain
privileged or confidential information. If the reader of this message
is not the intended recipient or the employee or agent responsible to
deliver it to the intended recipient, you are hereby notified that
dissemination, distribution or copying of this information is
prohibited. If you have received this communication in error, please
notify the sender immediately by telephone and destroy the copies you
received.
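
The password syntax checks listed in the 1.0.2 announcement above, written out as a standalone validator. This is an added example, not Fedora Directory Server code and not part of any message in this thread. The field names, treating ASCII punctuation as "special", counting 8-bit characters as UTF-8 bytes with the high bit set, and all thresholds other than the default minimum length of 8 are assumptions.

```python
import string
from dataclasses import dataclass
from itertools import groupby


@dataclass
class PasswordPolicy:
    """Thresholds for the checks named in the announcement.

    Field names are hypothetical. Only min_length=8 is stated in the
    announcement; in this sketch a value of 0 disables a check.
    """
    min_length: int = 8
    min_digits: int = 0
    min_alphas: int = 0
    min_uppers: int = 0
    min_lowers: int = 0
    min_specials: int = 0
    min_8bit: int = 0
    max_repeats: int = 0
    min_categories: int = 0


def count_categories(password):
    """Count bytes per category: lower, upper, digit, special, 8bit."""
    counts = {"lower": 0, "upper": 0, "digit": 0, "special": 0, "8bit": 0}
    for byte in password.encode("utf-8"):
        ch = chr(byte)
        if byte >= 0x80:                      # assumption: high bit set = 8-bit
            counts["8bit"] += 1
        elif ch in string.ascii_lowercase:
            counts["lower"] += 1
        elif ch in string.ascii_uppercase:
            counts["upper"] += 1
        elif ch in string.digits:
            counts["digit"] += 1
        elif ch in string.punctuation:        # assumption: ASCII punctuation
            counts["special"] += 1
        # Spaces and control characters fall into no category.
    return counts


def longest_run(password):
    """Length of the longest run of one immediately repeated character."""
    return max((len(list(group)) for _, group in groupby(password)), default=0)


def failed_checks(password, policy):
    """Return the names of the policy fields the password does not satisfy."""
    counts = count_categories(password)
    observed = {
        "min_length": len(password),
        "min_digits": counts["digit"],
        "min_alphas": counts["lower"] + counts["upper"],
        "min_uppers": counts["upper"],
        "min_lowers": counts["lower"],
        "min_specials": counts["special"],
        "min_8bit": counts["8bit"],
        "min_categories": sum(1 for n in counts.values() if n),
    }
    failures = [name for name, value in observed.items()
                if value < getattr(policy, name)]
    if policy.max_repeats and longest_run(password) > policy.max_repeats:
        failures.append("max_repeats")
    return failures


if __name__ == "__main__":
    # Constructed policy and sample passwords.
    policy = PasswordPolicy(min_digits=1, min_uppers=1, min_specials=1,
                            max_repeats=2, min_categories=3)
    for candidate in ("password", "aaabbb", "Corr3ct-Horse"):
        print(candidate, failed_checks(candidate, policy))
```
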

From rmeggins at redhat.com Thu Mar 2 15:35:21 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 02 Mar 2006 08:35:21 -0700
Subject: [Fedora-directory-users] Announcing Fedora Directory Server 1.0.2
In-Reply-To:
References:
Message-ID: <440710B9.1080601@redhat.com>

Bliss, Aaron wrote:

>In my environment, I have 2 directory servers, a supplier and consumer
>both running fds 1.0.1; is it necessary to upgrade them both at the same
>time or can I run in a mixed environment for a while?
>

You don't have to upgrade them all at once.

>Also, it looks
>like this bug fix
>https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=180515 is
>addressing this thread
>https://www.redhat.com/archives/fedora-directory-users/2006-February/msg00087.html
>If so, are there any special configuration changes that I
>need to make on the directory servers to make it work?
>

Yes. You need to follow the instructions at
http://directory.fedora.redhat.com/wiki/Howto:ChainOnUpdate

>Thanks very much
>for a great product and it's awesome to see all of the improvements that
>have been made.
>
>Aaron
>
>www.preferredcare.org
>"An Outstanding Member Experience," Preferred Care HMO Plans -- J. D. Power and Associates
>

From mj at sci.fi Thu Mar 2 15:46:28 2006
From: mj at sci.fi (Mike Jackson)
Date: Thu, 02 Mar 2006 17:46:28 +0200
Subject: [Fedora-directory-users] Re: [Fedora-directory-announce] Announcing Fedora Directory Server 1.0.2
In-Reply-To: <44070755.6040201@redhat.com>
References: <44070755.6040201@redhat.com>
Message-ID: <44071354.6040201@sci.fi>

Richard Megginson wrote:

> Fedora Directory Server 1.0.2 is released! This release contains new
> features, new platform support, and many bug fixes.
>
> * Extended Password Syntax checking - passwords can be checked to see if
> they conform to the following:

Very nice. Can the failed tests be reported over-the-wire via controls
or extended operations? How do you remotely use this feature in practice?

> * Support for Linux x86_64 - RPMs for Fedora Core 4 and Fedora Core3/RHEL4 x86_64 are
> on the Download page.

And how about Solaris sparc? Will it ever be supported again?

BR,
Mike

From dhollis at davehollis.com Thu Mar 2 15:48:14 2006
From: dhollis at davehollis.com (David Hollis)
Date: Thu, 02 Mar 2006 10:48:14 -0500
Subject: [Fedora-directory-users] Samba schema not loading in FDS...
In-Reply-To: <4406548E.6090403@redhat.com>
References: <000001c63b59$48f93ea0$fd0110ac@officecomputer> <44035C38.7060709@redhat.com> <44063A01.30507@u.washington.edu> <4406548E.6090403@redhat.com>
Message-ID: <1141314494.19624.9.camel@dhollis-lnx.sunera.com>

On Wed, 2006-03-01 at 19:12 -0700, Richard Megginson wrote:

> This is what I did:
> cd /opt/fedora-ds/slapd-localhost/config/schema
> perl ~/ol2rhds.pl < /usr/share/doc/samba-3.0.14a/LDAP/samba.schema > 61samba.ldif
> # http://www.directory.fedora.redhat.com/download/ol2rhds.pl
> ../../restart-slapd
> ldapsearch -x -h localhost -p myport -s base -b "cn=schema"
> "objectclass=*" | grep -i samba
>

I just did those exact same steps myself and there does appear to be a
problem. The "MAY" portions of the schema get dropped. Here is the
sambaSamAccount from my converted schema:

objectClasses: ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' DESC 'Samba 3.0 Auxilary SAM Account' SUP top AUXILIARY MUST ( uid $ sambaSID ) )

and here is the sambaSamAccount from the /usr/share/doc/ samba.schema:

objectclass ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY
        DESC 'Samba 3.0 Auxilary SAM Account'
        MUST ( uid $ sambaSID )
        MAY ( cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $
              sambaLogonTime $ sambaLogoffTime $ sambaKickoffTime $
              sambaPwdCanChange $ sambaPwdMustChange $ sambaAcctFlags $
              displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $
              sambaProfilePath $ description $ sambaUserWorkstations $
              sambaPrimaryGroupSID $ sambaDomainName $ sambaMungedDial $
              sambaBadPasswordCount $ sambaBadPasswordTime $
              sambaPasswordHistory $ sambaLogonHours))

Without the 'MAY' portion, when I import my directory dump from
OpenLDAP, any accounts that have any of those samba attributes set (all
of them unfortunately) don't import because of the invalid attributes.

Looks like it's a bug in the ol2rhds.pl script.

--
David Hollis

From mj at sci.fi Thu Mar 2 15:51:59 2006
From: mj at sci.fi (Mike Jackson)
Date: Thu, 02 Mar 2006 17:51:59 +0200
Subject: [Fedora-directory-users] Samba schema not loading in FDS...
In-Reply-To: <1141314494.19624.9.camel@dhollis-lnx.sunera.com>
References: <000001c63b59$48f93ea0$fd0110ac@officecomputer> <44035C38.7060709@redhat.com> <44063A01.30507@u.washington.edu> <4406548E.6090403@redhat.com> <1141314494.19624.9.camel@dhollis-lnx.sunera.com>
Message-ID: <4407149F.20607@sci.fi>

David Hollis wrote:

> Without the 'MAY' portion, when I import my directory dump from
> OpenLDAP, any accounts that have any of those samba attributes set (all
> of them unfortunately) don't import because of the invalid attributes.
>
> Looks like it's a bug in the ol2rhds.pl script.

Try mine (and Yacine's):

http://www.netauth.com/~jacksonm/ldap/ol-schema-migrate.pl

--
mike

From rmeggins at redhat.com Thu Mar 2 16:05:05 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 02 Mar 2006 09:05:05 -0700
Subject: [Fedora-directory-users] Re: [Fedora-directory-announce] Announcing Fedora Directory Server 1.0.2
In-Reply-To: <44071354.6040201@sci.fi>
References: <44070755.6040201@redhat.com> <44071354.6040201@sci.fi>
Message-ID: <440717B1.1060004@redhat.com>

Mike Jackson wrote:

> Richard Megginson wrote:
>
> > Fedora Directory Server 1.0.2 is released! This release contains new
> > features, new platform support, and many bug fixes.
> >
> > * Extended Password Syntax checking - passwords can be checked to see if
> > they conform to the following:
>
>
> Very nice. Can the failed tests be reported over-the-wire via controls
> or extended operations?

Through the same mechanisms that are used now for passwords that fail
syntax checking during add or modify operations.

> How do you remotely use this feature in practice?
>
> > * Support for Linux x86_64 - RPMs for Fedora Core 4 and Fedora Core3/RHEL4 x86_64 are
> > on the Download page.
>
>
> And how about Solaris sparc? Will it ever be supported again?

Yes, but we have some issues, primarily with Apache and Perl.
Unfortunately, we cannot use the Apache provided with some versions of
Solaris, nor the version from sunfreeware.com, because they do not have
support for multi threaded mode.

In addition, there are no pre-built native 64 bit Apache and Perl
binaries that we can use. We require native 64 bit because all of our
components are native 64 bit, and we'd rather not get into the business
of having to ship the full contingent of 32 bit components with our 64
bit distribution - harder to build, harder to manage, package size
bloat, etc. etc.

The result is that we will have to build and distribute our own versions
of Apache and Perl for Solaris for 32 bit and 64 bit. We are doing this
work for Red Hat Directory Server and Certificate System because we have
to support our existing Solaris customers, so once that's done, we
should be able to leverage that work for Fedora Directory Server.

>
>
> BR,
> Mike
>

From dhollis at davehollis.com Thu Mar 2 16:05:29 2006
From: dhollis at davehollis.com (David Hollis)
Date: Thu, 02 Mar 2006 11:05:29 -0500
Subject: [Fedora-directory-users] Samba schema not loading in FDS...
In-Reply-To: <4407149F.20607@sci.fi>
References: <000001c63b59$48f93ea0$fd0110ac@officecomputer> <44035C38.7060709@redhat.com> <44063A01.30507@u.washington.edu> <4406548E.6090403@redhat.com> <1141314494.19624.9.camel@dhollis-lnx.sunera.com> <4407149F.20607@sci.fi>
Message-ID: <1141315530.19624.12.camel@dhollis-lnx.sunera.com>

On Thu, 2006-03-02 at 17:51 +0200, Mike Jackson wrote:

> David Hollis wrote:
>
> > Without the 'MAY' portion, when I import my directory dump from
> > OpenLDAP, any accounts that have any of those samba attributes set (all
> > of them unfortunately) don't import because of the invalid attributes.
> >
> > Looks like it's a bug in the ol2rhds.pl script.
>
>
> Try mine (and Yacine's):
>
> http://www.netauth.com/~jacksonm/ldap/ol-schema-migrate.pl
>

Looks like that picked up the MAY section nicely.

--
David Hollis

From lesmikesell at gmail.com Thu Mar 2 16:50:15 2006
From: lesmikesell at gmail.com (Les Mikesell)
Date: Thu, 02 Mar 2006 10:50:15 -0600
Subject: [Fedora-directory-users] Re: [Fedora-directory-announce] Announcing Fedora Directory Server 1.0.2
In-Reply-To: <440717B1.1060004@redhat.com>
References: <44070755.6040201@redhat.com> <44071354.6040201@sci.fi> <440717B1.1060004@redhat.com>
Message-ID: <1141318215.22335.22.camel@moola.futuresource.com>

On Thu, 2006-03-02 at 10:05, Richard Megginson wrote:

> In addition, there are no pre-built native 64 bit Apache and Perl
> binaries that we can use. We require native 64 bit because all of our
> components are native 64 bit, and we'd rather not get into the business
> of having to ship the full contingent of 32 bit components with our 64
> bit distribution - harder to build, harder to manage, package size
> bloat, etc. etc.
Aren't libraries almost certain to get out of sync on platforms with 32/64 bit capabilities if you don't bundle both versions in all binary distributions?

--
Les Mikesell
lesmikesell at gmail.com

From rmeggins at redhat.com Thu Mar 2 17:09:20 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 02 Mar 2006 10:09:20 -0700
Subject: [Fedora-directory-users] Re: [Fedora-directory-announce] Announcing Fedora Directory Server 1.0.2
In-Reply-To: <1141318215.22335.22.camel@moola.futuresource.com>
References: <44070755.6040201@redhat.com> <44071354.6040201@sci.fi> <440717B1.1060004@redhat.com> <1141318215.22335.22.camel@moola.futuresource.com>
Message-ID: <440726C0.5000905@redhat.com>

Les Mikesell wrote:

>On Thu, 2006-03-02 at 10:05, Richard Megginson wrote:
>
>>In addition, there are no pre-built native 64 bit Apache and Perl
>>binaries that we can use. We require native 64 bit because all of our
>>components are native 64 bit, and we'd rather not get into the business
>>of having to ship the full contingent of 32 bit components with our 64
>>bit distribution - harder to build, harder to manage, package size
>>bloat, etc. etc.
>>
>
>Aren't libraries almost certain to get out of sync on platforms
>with 32/64 bit capabilities if you don't bundle both versions
>in all binary distributions?
>

I'm not sure I understand. For Solaris, we plan on having a native 32 bit version (only 32 bit components) and a native 64 bit version (only 64 bit components). Same as we have now on linux. The linux i386 packages contain only 32 bit components, and the x86_64 packages contain only 64 bit components.
From lesmikesell at gmail.com Thu Mar 2 17:26:51 2006
From: lesmikesell at gmail.com (Les Mikesell)
Date: Thu, 02 Mar 2006 11:26:51 -0600
Subject: [Fedora-directory-users] Re: [Fedora-directory-announce] Announcing Fedora Directory Server 1.0.2
In-Reply-To: <440726C0.5000905@redhat.com>
References: <44070755.6040201@redhat.com> <44071354.6040201@sci.fi> <440717B1.1060004@redhat.com> <1141318215.22335.22.camel@moola.futuresource.com> <440726C0.5000905@redhat.com>
Message-ID: <1141320411.22335.40.camel@moola.futuresource.com>

On Thu, 2006-03-02 at 11:09, Richard Megginson wrote:
>
> >>In addition, there are no pre-built native 64 bit Apache and Perl
> >>binaries that we can use. We require native 64 bit because all of our
> >>components are native 64 bit, and we'd rather not get into the business
> >>of having to ship the full contingent of 32 bit components with our 64
> >>bit distribution - harder to build, harder to manage, package size
> >>bloat, etc. etc.
> >>
> >
> >Aren't libraries almost certain to get out of sync on platforms
> >with 32/64 bit capabilities if you don't bundle both versions
> >in all binary distributions?
> >
> I'm not sure I understand. For Solaris, we plan on having a native 32
> bit version (only 32 bit components) and a native 64 bit version (only
> 64 bit components). Same as we have now on linux. The linux i386
> packages contain only 32 bit components, and the x86_64 packages contain
> only 64 bit components.

If none of the components can successfully interact, I suppose it doesn't matter. However, if you include both client and server libraries, shouldn't you be able to use a 32-bit app that needs client libraries to access a 64-bit server running on the same box? Or vice-versa?
--
Les Mikesell
lesmikesell at gmail.com

From david_list at boreham.org Thu Mar 2 17:38:44 2006
From: david_list at boreham.org (David Boreham)
Date: Thu, 02 Mar 2006 10:38:44 -0700
Subject: [Fedora-directory-users] Re: [Fedora-directory-announce] Announcing Fedora Directory Server 1.0.2
In-Reply-To: <1141320411.22335.40.camel@moola.futuresource.com>
References: <44070755.6040201@redhat.com> <44071354.6040201@sci.fi> <440717B1.1060004@redhat.com> <1141318215.22335.22.camel@moola.futuresource.com> <440726C0.5000905@redhat.com> <1141320411.22335.40.camel@moola.futuresource.com>
Message-ID: <44072DA4.5070908@boreham.org>

>If none of the components can successfully interact, I suppose
>it doesn't matter. However, if you include both client and
>server libraries, shouldn't you be able to use a 32-bit app
>that needs client libraries to access a 64-bit server running
>on the same box? Or vice-versa?
>

The server package is not intended to be the delivery vehicle for client libraries. Yes there are copies of the client libraries in the package today (because the server and its tools depend on them). But in a perfect world (to be achieved at some point in the future), the client libs would be shipped in their own package. So a 32-bit app that depends on client libraries would simply depend on the 32-bit client library package. That stack would be 100% independent of any 64-bit server (and its dependent libraries) that might be installed on the same box.

From mont.rothstein at gmail.com Thu Mar 2 18:46:41 2006
From: mont.rothstein at gmail.com (Mont Rothstein)
Date: Thu, 2 Mar 2006 10:46:41 -0800
Subject: [Fedora-directory-users] Can't login to console
Message-ID: <467a83630603021046n1d7c978cr7224b9dd0c611b60@mail.gmail.com>

I am trying to setup Fedora Directory Server 1.0.1 on an x86 box running RedHat ES4 in a VMWare session.

I've run setup.
I've created a user and group dsuser which is set as the server user. I set the admin to be dsadmin. I set the admin server to be run as root.

setup completes and appears to start correctly.

I use the following line to launch the console:

./startconsole -x nologo -u dsadmin -a http://rheles4rs1.forayadams.foray.com:45303

In the login window I enter the dsadmin password. I then get a panel with the following message:

Cannot logon because of incorrect User ID,
incorrect password or Directory problem.

HttpException:
Response: HTTP/1.1 401 Authorization Required
Status: 401
URL: http://rheles4rs1.forayadams.foray.com:45303/admin-serv/authenticate

I'm sure I've done something stupid and basic somewhere, but I have no idea what and I can't find anything about this via search.

Does anyone have any ideas as to what I've done wrong?

Thanks,
-Mont

From jimh at u.washington.edu Thu Mar 2 19:01:08 2006
From: jimh at u.washington.edu (Jim Hogan)
Date: Thu, 02 Mar 2006 11:01:08 -0800
Subject: [Fedora-directory-users] Can't login to console
In-Reply-To: <467a83630603021046n1d7c978cr7224b9dd0c611b60@mail.gmail.com>
References: <467a83630603021046n1d7c978cr7224b9dd0c611b60@mail.gmail.com>
Message-ID: <440740F4.4060200@u.washington.edu>

Mont Rothstein wrote:
>
> In the login window I enter the dsadmin password. I then get a panel
> with the following message:
>
> Cannot logon because of incorrect User ID,
> incorrect password or Directory problem.

FWIW, I got this exact same message until I turned iptables off (and then modified). Possibly a coincidence, but this is just to suggest that the above message could result from port/reachability issues.
Jim

From mont.rothstein at gmail.com Thu Mar 2 19:17:25 2006
From: mont.rothstein at gmail.com (Mont Rothstein)
Date: Thu, 2 Mar 2006 11:17:25 -0800
Subject: [Fedora-directory-users] Can't login to console
In-Reply-To: <440740F4.4060200@u.washington.edu>
References: <467a83630603021046n1d7c978cr7224b9dd0c611b60@mail.gmail.com> <440740F4.4060200@u.washington.edu>
Message-ID: <467a83630603021117i3a11897dsc94bd838b985f809@mail.gmail.com>

I have both the firewall and SELinux turned off.

-Mont

On 3/2/06, Jim Hogan wrote:
>
> Mont Rothstein wrote:
>
> >
> > In the login window I enter the dsadmin password. I then get a panel
> > with the following message:
> >
> > Cannot logon because of incorrect User ID,
> > incorrect password or Directory problem.
>
> FWIW, I got this exact same message until I turned iptables off (and
> then modified). Possibly a coincidence, but this is just to suggest
> that the above message could result from port/reachability issues.
>
> Jim

From nkinder at redhat.com Thu Mar 2 19:21:38 2006
From: nkinder at redhat.com (Nathan Kinder)
Date: Thu, 02 Mar 2006 11:21:38 -0800
Subject: [Fedora-directory-users] Can't login to console
In-Reply-To: <467a83630603021046n1d7c978cr7224b9dd0c611b60@mail.gmail.com>
References: <467a83630603021046n1d7c978cr7224b9dd0c611b60@mail.gmail.com>
Message-ID: <440745C2.40608@redhat.com>

Mont Rothstein wrote:

> I am trying to setup Fedora Directory Server 1.0.1 on an x86 box
> running RedHat ES4 in a VMWare session.

What version of Apache are you running on the system?

>
> I've run setup. I've created a user and group dsuser which is set as
> the server user. I set the admin to be dsadmin. I set the admin
> server to be run as root.
>
> setup completes and appears to start correctly.
>
> I use the following line to launch the console:
>
> ./startconsole -x nologo -u dsadmin -a
> http://rheles4rs1.forayadams.foray.com:45303
>
> In the login window I enter the dsadmin password. I then get a panel
> with the following message:
>
> Cannot logon because of incorrect User ID,
> incorrect password or Directory problem.
>
> HttpException:
> Response: HTTP/1.1 401 Authorization Required
> Status: 401
> URL: http://rheles4rs1.forayadams.foray.com:45303/admin-serv/authenticate
>
> I'm sure I've done something stupid and basic somewhere, but I have no
> idea what and I can't find anything about this via search.
>
> Does anyone have any ideas as to what I've done wrong?

Make sure that your directory server is up and running. You should try doing an ldapsearch as the same user you are attempting to log into the Console as. If all else fails, tail your DS access log when you attempt to log in via Console to see if the Directory is even getting hit.

-NGK

>
> Thanks,
> -Mont

From rmeggins at redhat.com Thu Mar 2 20:15:55 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 02 Mar 2006 13:15:55 -0700
Subject: [Fedora-directory-users] Can't login to console
In-Reply-To: <467a83630603021046n1d7c978cr7224b9dd0c611b60@mail.gmail.com>
References: <467a83630603021046n1d7c978cr7224b9dd0c611b60@mail.gmail.com>
Message-ID: <4407527B.1060709@redhat.com>

Mont Rothstein wrote:

> I am trying to setup Fedora Directory Server 1.0.1 on an x86 box
> running RedHat ES4 in a VMWare session.
>
> I've run setup. I've created a user and group dsuser which is set as
> the server user. I set the admin to be dsadmin. I set the admin
> server to be run as root.
>
> setup completes and appears to start correctly.
>
> I use the following line to launch the console:
>
> ./startconsole -x nologo -u dsadmin -a
> http://rheles4rs1.forayadams.foray.com:45303
>
> In the login window I enter the dsadmin password. I then get a panel
> with the following message:
>
> Cannot logon because of incorrect User ID,
> incorrect password or Directory problem.
>
> HttpException:
> Response: HTTP/1.1 401 Authorization Required
> Status: 401
> URL: http://rheles4rs1.forayadams.foray.com:45303/admin-serv/authenticate
>
> I'm sure I've done something stupid and basic somewhere, but I have no
> idea what and I can't find anything about this via search.

tail admin-serv/logs/error
tail admin-serv/logs/access

>
> Does anyone have any ideas as to what I've done wrong?
>
> Thanks,
> -Mont

From strong.s at crwash.org Thu Mar 2 20:23:30 2006
From: strong.s at crwash.org (Steve Strong)
Date: Thu, 02 Mar 2006 14:23:30 -0600
Subject: [Fedora-directory-users] using LdapImport to migrate users and groups
In-Reply-To: <4407527B.1060709@redhat.com>
References: <467a83630603021046n1d7c978cr7224b9dd0c611b60@mail.gmail.com> <4407527B.1060709@redhat.com>
Message-ID: <44075442.6040206@crwash.org>

I'm having trouble using this extremely simple tool...

After running the script and looking at the log file it appears that the users were added correctly, but I can't search for them in the console.

Anyone have any ideas?

thanks in advance!
steve

--
Steve Strong
Math and Computer Science
Washington High School
2205 Forest Dr. SE
Cedar Rapids, IA 52403
http://crwash.org
mailto:strong.s at crwash.org

From mont.rothstein at gmail.com Thu Mar 2 20:25:35 2006
From: mont.rothstein at gmail.com (Mont Rothstein)
Date: Thu, 2 Mar 2006 12:25:35 -0800
Subject: [Fedora-directory-users] Can't login to console
In-Reply-To: <440745C2.40608@redhat.com>
References: <467a83630603021046n1d7c978cr7224b9dd0c611b60@mail.gmail.com> <440745C2.40608@redhat.com>
Message-ID: <467a83630603021225w1baa6e2ah33add40b7b234fc0@mail.gmail.com>

I am running Apache 2.0.52

As far as verifying that my directory server is up and running:

ns-slapd is running under the dsuser account
httpd.worker is running under the dsuser account

I fear I need help with ldapsearch. If I try the following as root:

ldapsearch -LLL "(cn=Directory Manager)"

I get:

ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

If I try the following:

ldapsearch -LLL "(cn=Directory Manager)" -x -W

it prompts me for a password. I enter the administrator (dsadmin) password and get:

ldap_bind: Can't contact LDAP server (-1)

This may indicate something is wrong, or simply that I am trying to use ldapsearch incorrectly.

Your assistance is greatly appreciated.

-Mont

On 3/2/06, Nathan Kinder wrote:
>
> Mont Rothstein wrote:
>
> > I am trying to setup Fedora Directory Server 1.0.1 on an x86 box
> > running RedHat ES4 in a VMWare session.
>
> What version of Apache are you running on the system?
>
> >
> > I've run setup. I've created a user and group dsuser which is set as
> > the server user. I set the admin to be dsadmin. I set the admin
> > server to be run as root.
> >
> > setup completes and appears to start correctly.
> >
> > I use the following line to launch the console:
> >
> > ./startconsole -x nologo -u dsadmin -a
> > http://rheles4rs1.forayadams.foray.com:45303
> >
> > In the login window I enter the dsadmin password.
> > I then get a panel
> > with the following message:
> >
> > Cannot logon because of incorrect User ID,
> > incorrect password or Directory problem.
> >
> > HttpException:
> > Response: HTTP/1.1 401 Authorization Required
> > Status: 401
> > URL:
> http://rheles4rs1.forayadams.foray.com:45303/admin-serv/authenticate
> >
> > I'm sure I've done something stupid and basic somewhere, but I have no
> > idea what and I can't find anything about this via search.
> >
> > Does anyone have any ideas as to what I've done wrong?
>
> Make sure that your directory server is up and running. You should try
> doing an ldapsearch as the same user you are attempting to log into the
> Console as. If all else fails, tail your DS access log when you attempt
> to log in via Console to see if the Directory is even getting hit.
>
> -NGK
>
> >
> > Thanks,
> > -Mont

From rmeggins at redhat.com Thu Mar 2 20:34:59 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 02 Mar 2006 13:34:59 -0700
Subject: [Fedora-directory-users] using LdapImport to migrate users and groups
In-Reply-To: <44075442.6040206@crwash.org>
References: <467a83630603021046n1d7c978cr7224b9dd0c611b60@mail.gmail.com> <4407527B.1060709@redhat.com> <44075442.6040206@crwash.org>
Message-ID: <440756F3.7070209@redhat.com>

Steve Strong wrote:

> I'm having trouble using this extremely simple tool...
>
> After running the script and looking at the log file it appears that
> the users were added correctly, but I can't search for them in the
> console.
>
> Anyone have any ideas?

What user are you logging into the console as? If you login to the console as directory manager, do you see your users?

>
> thanks in advance!
> steve
>

From strong.s at crwash.org Thu Mar 2 20:39:18 2006
From: strong.s at crwash.org (Steve Strong)
Date: Thu, 02 Mar 2006 14:39:18 -0600
Subject: [Fedora-directory-users] using LdapImport to migrate users and groups
In-Reply-To: <440756F3.7070209@redhat.com>
References: <467a83630603021046n1d7c978cr7224b9dd0c611b60@mail.gmail.com> <4407527B.1060709@redhat.com> <44075442.6040206@crwash.org> <440756F3.7070209@redhat.com>
Message-ID: <440757F6.6080207@crwash.org>

I'm logged in as "admin" -- logging in as "Directory Manager" results in an error claiming that that object is not in the directory (even though i added it during setup).
steve

Richard Megginson wrote:

> Steve Strong wrote:
>
>> I'm having trouble using this extremely simple tool...
>>
>> After running the script and looking at the log file it appears that
>> the users were added correctly, but I can't search for them in the
>> console.
>>
>> Anyone have any ideas?
>
> What user are you logging into the console as? If you login to the
> console as directory manager, do you see your users?
>
>>
>> thanks in advance!
>> steve
>>

--
Steve Strong
Math and Computer Science
Washington High School
2205 Forest Dr. SE
Cedar Rapids, IA 52403
http://crwash.org
mailto:strong.s at crwash.org

From nkinder at redhat.com Thu Mar 2 20:42:15 2006
From: nkinder at redhat.com (Nathan Kinder)
Date: Thu, 02 Mar 2006 12:42:15 -0800
Subject: [Fedora-directory-users] using LdapImport to migrate users and groups
In-Reply-To: <440757F6.6080207@crwash.org>
References: <467a83630603021046n1d7c978cr7224b9dd0c611b60@mail.gmail.com> <4407527B.1060709@redhat.com> <44075442.6040206@crwash.org> <440756F3.7070209@redhat.com> <440757F6.6080207@crwash.org>
Message-ID: <440758A7.1080103@redhat.com>

Steve Strong wrote:

> I'm logged in as "admin" -- logging in as "Directory Manager" results
> in an error claiming that that object is not in the directory (even
> though i added it during setup).
> steve

You should be logging in as "cn=Directory Manager".

>
> Richard Megginson wrote:
>
>> Steve Strong wrote:
>>
>>> I'm having trouble using this extremely simple tool...
>>>
>>> After running the script and looking at the log file it appears that
>>> the users were added correctly, but I can't search for them in the
>>> console.
>>>
>>> Anyone have any ideas?
>>
>> What user are you logging into the console as? If you login to the
>> console as directory manager, do you see your users?
>>
>>>
>>> thanks in advance!
>>> steve
>>>

From strong.s at crwash.org Thu Mar 2 20:45:56 2006
From: strong.s at crwash.org (Steve Strong)
Date: Thu, 02 Mar 2006 14:45:56 -0600
Subject: [Fedora-directory-users] using LdapImport to migrate users and groups
In-Reply-To: <440758A7.1080103@redhat.com>
References: <467a83630603021046n1d7c978cr7224b9dd0c611b60@mail.gmail.com> <4407527B.1060709@redhat.com> <44075442.6040206@crwash.org> <440756F3.7070209@redhat.com> <440757F6.6080207@crwash.org> <440758A7.1080103@redhat.com>
Message-ID: <44075984.6040806@crwash.org>

tried that, no change.
steve

Nathan Kinder wrote:

> Steve Strong wrote:
>
>> I'm logged in as "admin" -- logging in as "Directory Manager" results
>> in an error claiming that that object is not in the directory (even
>> though i added it during setup).
>> steve
>
> You should be logging in as "cn=Directory Manager".
>
>>
>> Richard Megginson wrote:
>>
>>> Steve Strong wrote:
>>>
>>>> I'm having trouble using this extremely simple tool...
>>>>
>>>> After running the script and looking at the log file it appears
>>>> that the users were added correctly, but I can't search for them in
>>>> the console.
>>>>
>>>> Anyone have any ideas?
>>>
>>> What user are you logging into the console as? If you login to the
>>> console as directory manager, do you see your users?
>>>
>>>>
>>>> thanks in advance!
>>>> steve
>>>>

--
Steve Strong
Math and Computer Science
Washington High School
2205 Forest Dr. SE
Cedar Rapids, IA 52403
http://crwash.org
mailto:strong.s at crwash.org

From mont.rothstein at gmail.com Thu Mar 2 20:49:03 2006
From: mont.rothstein at gmail.com (Mont Rothstein)
Date: Thu, 2 Mar 2006 12:49:03 -0800
Subject: [Fedora-directory-users] Can't login to console
In-Reply-To: <4407527B.1060709@redhat.com>
References: <467a83630603021046n1d7c978cr7224b9dd0c611b60@mail.gmail.com> <4407527B.1060709@redhat.com>
Message-ID: <467a83630603021249y72386565o3a7734590dd51c32@mail.gmail.com>

admin-serv/logs/access gives me:

192.168.1.115 - - [02/Mar/2006:12:38:03 -0800] "GET /admin-serv/authenticate HTTP/1.0" 401 488

admin-serv/logs/error gives me:

[Thu Mar 02 12:38:03 2006] [notice] [client 192.168.1.115] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.1.115
[Thu Mar 02 12:38:03 2006] [notice] [client 192.168.1.115] admserv_host_ip_check: host [rheles4rs1.foray.com] did not match pattern [*.forayadams.foray.com] -will scan aliases
[Thu Mar 02 12:38:03 2006] [notice] [client 192.168.1.115] admserv_host_ip_check: host alias [rheles4rs1] did not match pattern [*.forayadams.foray.com]
[Thu Mar 02 12:38:03 2006] [notice] [client 192.168.1.115] admserv_host_ip_check: Unauthorized host ip=192.168.1.115, connection rejected

Looking at the above log entries I am not sure what to make of them. I can do a reverse lookup on the IP address via the host command. I have no idea where it is getting "rheles4rs1.foray.com" from.
This is missing the forayadams subdomain. Since that is so odd, I would suspect that is the problem, except that I have no idea where it is getting that incorrect FQDN from.

Do these log entries say more to you than they do to me?

Thanks,
-Mont

On 3/2/06, Richard Megginson wrote:
>
> Mont Rothstein wrote:
>
> > I am trying to setup Fedora Directory Server 1.0.1 on an x86 box
> > running RedHat ES4 in a VMWare session.
> >
> > I've run setup. I've created a user and group dsuser which is set as
> > the server user. I set the admin to be dsadmin. I set the admin
> > server to be run as root.
> >
> > setup completes and appears to start correctly.
> >
> > I use the following line to launch the console:
> >
> > ./startconsole -x nologo -u dsadmin -a
> > http://rheles4rs1.forayadams.foray.com:45303
> >
> > In the login window I enter the dsadmin password. I then get a panel
> > with the following message:
> >
> > Cannot logon because of incorrect User ID,
> > incorrect password or Directory problem.
> >
> > HttpException:
> > Response: HTTP/1.1 401 Authorization Required
> > Status: 401
> > URL:
> http://rheles4rs1.forayadams.foray.com:45303/admin-serv/authenticate
> >
> > I'm sure I've done something stupid and basic somewhere, but I have no
> > idea what and I can't find anything about this via search.
>
> tail admin-serv/logs/error
> tail admin-serv/logs/access
>
> >
> > Does anyone have any ideas as to what I've done wrong?
> >
> > Thanks,
> > -Mont
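
Added example (not part of the original message, and not Fedora Directory Server code): a small parser for the admserv_host_ip_check entries posted above, which groups them by client and shows which names the Admin Server tested against its allowed-host pattern. The log lines are copied from the message; the function names are hypothetical, and shell-style wildcard matching is an assumption about how the pattern is compared.

```python
import re
from fnmatch import fnmatchcase

# Error-log lines copied from the message above, one entry per line.
SAMPLE_LOG = """\
[Thu Mar 02 12:38:03 2006] [notice] [client 192.168.1.115] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.1.115
[Thu Mar 02 12:38:03 2006] [notice] [client 192.168.1.115] admserv_host_ip_check: host [rheles4rs1.foray.com] did not match pattern [*.forayadams.foray.com] -will scan aliases
[Thu Mar 02 12:38:03 2006] [notice] [client 192.168.1.115] admserv_host_ip_check: host alias [rheles4rs1] did not match pattern [*.forayadams.foray.com]
[Thu Mar 02 12:38:03 2006] [notice] [client 192.168.1.115] admserv_host_ip_check: Unauthorized host ip=192.168.1.115, connection rejected
"""

ENTRY_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<client>[^\]]+)\] "
    r"admserv_host_ip_check: (?P<msg>.*)$"
)
UNRESOLVED_RE = re.compile(r"ap_get_remote_host could not resolve (\S+)")
NO_MATCH_RE = re.compile(
    r"host (?:alias )?\[(?P<name>[^\]]+)\] did not match pattern \[(?P<pattern>[^\]]+)\]"
)
REJECTED_RE = re.compile(r"Unauthorized host ip=(?P<ip>[^,\s]+), connection rejected")


def would_match(name, pattern):
    """Case-insensitive shell-style wildcard match (assumed semantics)."""
    return fnmatchcase(name.lower(), pattern.lower())


def summarize(log_text):
    """Group admserv_host_ip_check entries by client IP, in log order."""
    clients = {}
    for line in log_text.splitlines():
        entry = ENTRY_RE.match(line.strip())
        if entry is None:
            continue  # not a host/IP check entry
        rec = clients.setdefault(entry["client"], {
            "reverse_lookup_failed": False,
            "names_tried": [],
            "patterns": [],
            "rejected": False,
        })
        msg = entry["msg"]
        if UNRESOLVED_RE.search(msg):
            rec["reverse_lookup_failed"] = True
        no_match = NO_MATCH_RE.search(msg)
        if no_match:
            rec["names_tried"].append(no_match["name"])
            if no_match["pattern"] not in rec["patterns"]:
                rec["patterns"].append(no_match["pattern"])
        if REJECTED_RE.search(msg):
            rec["rejected"] = True
    return clients


def explain(client, rec, expected_name=None):
    """Return readable findings for one client that the check rejected."""
    findings = []
    if not rec["rejected"]:
        return findings
    findings.append(f"{client}: connection rejected by the host/IP check")
    if rec["reverse_lookup_failed"]:
        findings.append("  server-side lookup of the client address failed")
    for pattern in rec["patterns"]:
        for name in rec["names_tried"]:
            verdict = "matches" if would_match(name, pattern) else "does not match"
            findings.append(f"  name seen by server {name!r} {verdict} {pattern!r}")
        if expected_name is not None:
            ok = would_match(expected_name, pattern)
            verdict = "would match" if ok else "would not match"
            findings.append(f"  expected name {expected_name!r} {verdict} {pattern!r}")
    return findings


if __name__ == "__main__":
    for client, rec in summarize(SAMPLE_LOG).items():
        # The expected name is the FQDN used in the console URL in the thread.
        print("\n".join(explain(client, rec, "rheles4rs1.forayadams.foray.com")))
```

Run against the admin-serv error log, this separates a name-resolution mismatch from a genuinely wrong password, both of which surface in the console as the same 401.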
From minfrin at sharp.fm Thu Mar 2 20:54:07 2006
From: minfrin at sharp.fm (Graham Leggett)
Date: Thu, 02 Mar 2006 22:54:07 +0200
Subject: [Fedora-directory-users] Fedora DS v1.0.2 src RPMs?
Message-ID: <44075B6F.7050703@sharp.fm>

Hi all,

Are there source RPMs available for Fedora DS v1.0.2?

I need to build a version for the Opteron architecture.

Regards,
Graham
--

From dennis at ausil.us Thu Mar 2 21:03:18 2006
From: dennis at ausil.us (Dennis Gilmore)
Date: Thu, 2 Mar 2006 15:03:18 -0600
Subject: [Fedora-directory-users] Fedora DS v1.0.2 src RPMs?
In-Reply-To: <44075B6F.7050703@sharp.fm>
References: <44075B6F.7050703@sharp.fm>
Message-ID: <200603021503.18671.dennis@ausil.us>

On Thursday 02 March 2006 14:54, Graham Leggett wrote:
> Hi all,
>
> Are there source RPMs available for Fedora DS v1.0.2?
>
> I need to build a version for the Opteron architecture.
>
> Regards,
> Graham
> --

the x86_64 is for opteron

--
Regards

Dennis Gilmore, RHCE
Proud Australian

From ABliss at preferredcare.org Thu Mar 2 20:43:03 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Thu, 2 Mar 2006 15:43:03 -0500
Subject: [Fedora-directory-users] Can't login to console
Message-ID:

If you can resolve the machine name via dns or local files, try this section of this wiki
http://directory.fedora.redhat.com/wiki/Howto:AdminServerLDAPMgmt
I had the exact same problems and this took care of it

________________________________

From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Mont Rothstein
Sent: Thursday, March 02, 2006 3:26 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Can't login to console

I am running Apache 2.0.52

As far as verifying that my directory server is up and running:

ns-slapd is running under the dsuser account
httpd.worker is running under the dsuser account

I fear I need help with ldapsearch. If I try the following as root:

ldapsearch -LLL "(cn=Directory Manager)"

I get:

ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

If I try the following:

ldapsearch -LLL "(cn=Directory Manager)" -x -W

it prompts me for a password. I enter the administrator (dsadmin) password and get:

ldap_bind: Can't contact LDAP server (-1)

This may indicate something is wrong, or simply that I am trying to use ldapsearch incorrectly.

Your assistance is greatly appreciated.

-Mont

On 3/2/06, Nathan Kinder wrote:

Mont Rothstein wrote:

> I am trying to setup Fedora Directory Server 1.0.1 on an x86 box
> running RedHat ES4 in a VMWare session.

What version of Apache are you running on the system?

>
> I've run setup. I've created a user and group dsuser which is set as
> the server user. I set the admin to be dsadmin. I set the admin
> server to be run as root.
>
> setup completes and appears to start correctly.
>
> I use the following line to launch the console:
>
> ./startconsole -x nologo -u dsadmin -a
> http://rheles4rs1.forayadams.foray.com:45303
>
> In the login window I enter the dsadmin password. I then get a panel
> with the following message:
>
> Cannot logon because of incorrect User ID,
> incorrect password or Directory problem.
>
> HttpException:
> Response: HTTP/1.1 401 Authorization Required
> Status: 401
> URL: http://rheles4rs1.forayadams.foray.com:45303/admin-serv/authenticate
>
> I'm sure I've done something stupid and basic somewhere, but I have no
> idea what and I can't find anything about this via search.
>
> Does anyone have any ideas as to what I've done wrong?

Make sure that your directory server is up and running.
You should try doing an ldapsearch as the same user you are attempting to log into the Console as. If all else fails, tail your DS access log when you attempt to log in via Console to see if the Directory is even getting hit.

-NGK

>
> Thanks,
> -Mont
URL: From ABliss at preferredcare.org Thu Mar 2 20:30:41 2006 From: ABliss at preferredcare.org (Bliss, Aaron) Date: Thu, 2 Mar 2006 15:30:41 -0500 Subject: [Fedora-directory-users] Can't login to console Message-ID: If you can resolve the machine name via dns or local files, try this section of this wiki http://directory.fedora.redhat.com/wiki/Howto:AdminServerLDAPMgmt I had the exact same problems and this took care of it ________________________________ From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Mont Rothstein Sent: Thursday, March 02, 2006 3:26 PM To: General discussion list for the Fedora Directory server project. Subject: Re: [Fedora-directory-users] Can't login to console I am running Apache 2.0.52 As far as verifying that my directory server is up and running: ns-slapd is running under the dsuser account httpd.worker is running under the dsuser account I fear I need help with ldapsearch. If I try the following as root: ldapsearch -LLL "(cn=Directory Manager)" I get: ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1) If I try the following: ldapsearch -LLL "(cn=Directory Manager)" -x -W it prompts me for a password. I enter the administrator (dsadmin) password and get: ldap_bind: Can't contact LDAP server (-1) This may indicate something is wrong, ot simply that I am trying to use ldapsearch incorrectly. Your assistance is greatly appreciated. -Mont On 3/2/06, Nathan Kinder wrote: Mont Rothstein wrote: > I am trying to setup Fedora Directory Server 1.0.1 on an x86 box > running RedHat ES4 in a VMWare session. What version of Apache are you running on the system? > > I've run setup. I've created a user and group dsuser which is set as > the server user. I set the admin to be dsadmin. I set the admin > server to be run as root. > > setup completes and appears to start correctly. 
>
> I use the following line to launch the console:
>
> ./startconsole -x nologo -u dsadmin -a
> http://rheles4rs1.forayadams.foray.com:45303
>
> In the login window I enter the dsadmin password. I then get a panel
> with the following message:
>
> Cannot logon because of incorrect User ID,
> incorrect password or Directory problem.
>
> HttpException:
> Response: HTTP/1.1 401 Authorization Required
> Status: 401
> URL: http://rheles4rs1.forayadams.foray.com:45303/admin-serv/authenticate
>
> I'm sure I've done something stupid and basic somewhere, but I have no
> idea what and I can't find anything about this via search.
>
> Does anyone have any ideas as to what I've done wrong?

Make sure that your directory server is up and running. You should try doing an ldapsearch as the same user you are attempting to log into the Console as. If all else fails, tail your DS access log when you attempt to log in via Console to see if the Directory is even getting hit.

-NGK

>
> Thanks,
> -Mont
>
>------------------------------------------------------------------------
>
>--
>Fedora-directory-users mailing list
>Fedora-directory-users at redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>

--
Fedora-directory-users mailing list
Fedora-directory-users at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users

www.preferredcare.org
"An Outstanding Member Experience," Preferred Care HMO Plans -- J. D. Power and Associates

Confidentiality Notice: The information contained in this electronic message is intended for the exclusive use of the individual or entity named above and may contain privileged or confidential information. If the reader of this message is not the intended recipient or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that dissemination, distribution or copying of this information is prohibited.
If you have received this communication in error, please notify the sender immediately by telephone and destroy the copies you received.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From minfrin at sharp.fm Thu Mar 2 21:20:49 2006
From: minfrin at sharp.fm (Graham Leggett)
Date: Thu, 02 Mar 2006 23:20:49 +0200
Subject: [Fedora-directory-users] Fedora DS v1.0.2 new setup - admin server fails (153:Unknown error.)
Message-ID: <440761B1.7080707@sharp.fm>

Hi all,

Just tried to set up an FDS v1.0.2 from RHEL4 i386 RPM from scratch. The setup program tries to crank up the new server, but this fails as below.

Anybody know what happened to the admin server?

[slapd-ldap.domain.com]: starting up server ...
[slapd-ldap.domain.com]: Fedora-Directory/1.0.2 B2006.060.1928
[slapd-ldap.domain.com]: ldap.domain.com:389 (/opt/fedora-ds/slapd-ldap.domain.com)
[slapd-ldap.domain.com]:
[slapd-ldap.domain.com]: [02/Mar/2006:15:16:21 -0600] - Fedora-Directory/1.0.2 B2006.060.1928 starting up
[slapd-ldap.domain.com]: [02/Mar/2006:15:16:21 -0600] - slapd started. Listening on All Interfaces port 389 for LDAP requests
Your new directory server has been started.
Created new Directory Server
Start Slapd Starting Slapd server configuration.
Fatal Slapd ERROR: Ldap authentication failed for url ldap://ldap.domain.com:389/o=NetscapeRoot user id admin (153:Unknown error.)
Fatal Slapd Did not add Directory Server information to Configuration Server.
Configuring Administration Server...
Setting up Administration Server Instance...
ERROR: Administration Server configuration failed.

You can now use the console. Here is the command to use to start the console:
cd /opt/fedora-ds
./startconsole -u admin -a http://ldap.domain.com:1390/

INFO Finished with setup, logfile is setup/setup.log

Regards,
Graham
--
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3220 bytes
Desc: S/MIME Cryptographic Signature
URL:

From minfrin at sharp.fm Thu Mar 2 21:26:35 2006
From: minfrin at sharp.fm (Graham Leggett)
Date: Thu, 02 Mar 2006 23:26:35 +0200
Subject: [Fedora-directory-users] Fedora DS v1.0.2 src RPMs?
In-Reply-To: <200603021503.18671.dennis@ausil.us>
References: <44075B6F.7050703@sharp.fm> <200603021503.18671.dennis@ausil.us>
Message-ID: <4407630B.3030504@sharp.fm>

Dennis Gilmore wrote:

> the x86_64 is for opteron

When I installed it, I got this:

[root at s83005 rpms]# rpm -U fedora-ds-1.0.2-1.RHEL4.x86_64.opt.rpm
package fedora-ds-1.0.2-1.RHEL4 is intended for a x86_64 architecture

Regards,
Graham
--
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3220 bytes
Desc: S/MIME Cryptographic Signature
URL:

From dennis at ausil.us Thu Mar 2 21:38:51 2006
From: dennis at ausil.us (Dennis Gilmore)
Date: Thu, 2 Mar 2006 15:38:51 -0600
Subject: [Fedora-directory-users] Fedora DS v1.0.2 src RPMs?
In-Reply-To: <4407630B.3030504@sharp.fm>
References: <44075B6F.7050703@sharp.fm> <200603021503.18671.dennis@ausil.us> <4407630B.3030504@sharp.fm>
Message-ID: <200603021538.51629.dennis@ausil.us>

On Thursday 02 March 2006 15:26, Graham Leggett wrote:
> Dennis Gilmore wrote:
> > the x86_64 is for opteron
>
> When I installed it, I got this:
>
> [root at s83005 rpms]# rpm -U fedora-ds-1.0.2-1.RHEL4.x86_64.opt.rpm
> package fedora-ds-1.0.2-1.RHEL4 is intended for a x86_64
> architecture
>
> Regards,
> Graham
> --

then you have a x86 32bit distro installed and need to use the i386 packages

--
Regards

Dennis Gilmore, RHCE
Proud Australian

From minfrin at sharp.fm Thu Mar 2 21:41:29 2006
From: minfrin at sharp.fm (Graham Leggett)
Date: Thu, 02 Mar 2006 23:41:29 +0200
Subject: [Fedora-directory-users] Fedora DS v1.0.2 src RPMs?
In-Reply-To: <200603021538.51629.dennis@ausil.us>
References: <44075B6F.7050703@sharp.fm> <200603021503.18671.dennis@ausil.us> <4407630B.3030504@sharp.fm> <200603021538.51629.dennis@ausil.us>
Message-ID: <44076689.4040403@sharp.fm>

Dennis Gilmore wrote:

> then you have a x86 32bit distro installed and need to use the i386 packages

Hmmm... will check it out, thanks for confirming this for me.

Regards,
Graham
--
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3220 bytes
Desc: S/MIME Cryptographic Signature
URL:

From rmeggins at redhat.com Thu Mar 2 22:22:36 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 02 Mar 2006 15:22:36 -0700
Subject: [Fedora-directory-users] Fedora DS v1.0.2 new setup - admin server fails (153:Unknown error.)
In-Reply-To: <440761B1.7080707@sharp.fm>
References: <440761B1.7080707@sharp.fm>
Message-ID: <4407702C.9020203@redhat.com>

Graham Leggett wrote:

> Hi all,
>
> Just tried to set up an FDS v1.0.2 from RHEL4 i386 RPM from scratch.
> The setup program tries to crank up the new server, but this fails as
> below.
>
> Anybody know what happened to the admin server?
>
> [slapd-ldap.domain.com]: starting up server ...
> [slapd-ldap.domain.com]: Fedora-Directory/1.0.2 B2006.060.1928
> [slapd-ldap.domain.com]: ldap.domain.com:389
> (/opt/fedora-ds/slapd-ldap.domain.com)
> [slapd-ldap.domain.com]:
> [slapd-ldap.domain.com]: [02/Mar/2006:15:16:21 -0600] -
> Fedora-Directory/1.0.2 B2006.060.1928 starting up
> [slapd-ldap.domain.com]: [02/Mar/2006:15:16:21 -0600] - slapd started.
> Listening on All Interfaces port 389 for LDAP requests
> Your new directory server has been started.
> Created new Directory Server
> Start Slapd Starting Slapd server configuration.
> Fatal Slapd ERROR: Ldap authentication failed for url
> ldap://ldap.domain.com:389/o=NetscapeRoot user id admin (153:Unknown
> error.)

This usually means some sort of networking or DNS problem. Make sure ldap.domain.com resolves to the correct IP address in whatever hosts lookup systems you use in /etc/nsswitch.conf (e.g. files, nis, dns) and that the reverse IP address lookup resolves to the correct FQDN.

> Fatal Slapd Did not add Directory Server information to Configuration
> Server.
> Configuring Administration Server...
> Setting up Administration Server Instance...
> ERROR: Administration Server configuration failed.
>
> You can now use the console. Here is the command to use to start the
> console:
> cd /opt/fedora-ds
> ./startconsole -u admin -a http://ldap.domain.com:1390/
>
> INFO Finished with setup, logfile is setup/setup.log
>
> Regards,
> Graham
> --
>
>------------------------------------------------------------------------
>
>--
>Fedora-directory-users mailing list
>Fedora-directory-users at redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3178 bytes
Desc: S/MIME Cryptographic Signature
URL:

From rmeggins at redhat.com Thu Mar 2 22:24:56 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 02 Mar 2006 15:24:56 -0700
Subject: [Fedora-directory-users] Fedora DS v1.0.2 src RPMs?
In-Reply-To: <200603021503.18671.dennis@ausil.us>
References: <44075B6F.7050703@sharp.fm> <200603021503.18671.dennis@ausil.us>
Message-ID: <440770B8.4020902@redhat.com>

Dennis Gilmore wrote:

>On Thursday 02 March 2006 14:54, Graham Leggett wrote:
>
>
>>Hi all,
>>
>>Are there source RPMs available for Fedora DS v1.0.2?
>>
>>I need to build a version for the Opteron architecture.
>>
>>Regards,
>>Graham
>>--
>>
>>
>the x86_64 is for opteron
>
>

If you want to build it yourself the information is here - http://directory.fedora.redhat.com/wiki/Building#One-Step_Build

In a nutshell:
wget http://directory.fedora.redhat.com/sources/dsbuild-fds102.tar.gz
tar xfz dsbuild-fds102.tar.gz
cd dsbuild-fds102/meta/ds
make 2>&1 | tee build.log

Use make BUILD_RPM=1 to make an RPM (default is an installable setuputil package), use DEBUG=full to produce a debug build (default is optimize).
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3178 bytes
Desc: S/MIME Cryptographic Signature
URL:

From rmeggins at redhat.com Thu Mar 2 22:26:06 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 02 Mar 2006 15:26:06 -0700
Subject: [Fedora-directory-users] Can't login to console
In-Reply-To: <467a83630603021249y72386565o3a7734590dd51c32@mail.gmail.com>
References: <467a83630603021046n1d7c978cr7224b9dd0c611b60@mail.gmail.com> <4407527B.1060709@redhat.com> <467a83630603021249y72386565o3a7734590dd51c32@mail.gmail.com>
Message-ID: <440770FE.5030507@redhat.com>

Mont Rothstein wrote:

> admin-serv/logs/access gives me:
>
> 192.168.1.115 - - [02/Mar/2006:12:38:03 -0800] "GET /admin-serv/authenticate HTTP/1.0" 401 488
>
> admin-serv/logs/error gives me:
>
> [Thu Mar 02 12:38:03 2006] [notice] [client 192.168.1.115] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.1.115
> [Thu Mar 02 12:38:03 2006] [notice] [client 192.168.1.115] admserv_host_ip_check: host [rheles4rs1.foray.com] did not match pattern [*.forayadams.foray.com] -will scan aliases
> [Thu Mar 02 12:38:03 2006] [notice] [client 192.168.1.115] admserv_host_ip_check: host alias [rheles4rs1] did not match pattern [*.forayadams.foray.com]
> [Thu Mar 02 12:38:03 2006] [notice] [client 192.168.1.115] admserv_host_ip_check: Unauthorized host ip=192.168.1.115, connection rejected
>
> Looking at the above log entries I am not sure what to make of them.
> I can do a reverse lookup on the IP address via the host command. I
> have no idea where it is getting "rheles4rs1.foray.com" from.
> This is missing the forayadams subdomain.

It seems like a DNS problem, but if you just want to disable this checking in the meantime, see http://directory.fedora.redhat.com/wiki/Howto:AdminServerLDAPMgmt

>
> Since that is so odd, I would suspect that is the problem, except that
> I have no idea where it is getting that incorrect FQDN from.
>
> Do these logs entries say more to you than they do to me?
>
> Thanks,
> -Mont
>
>
>
> On 3/2/06, *Richard Megginson* wrote:
>
> Mont Rothstein wrote:
>
> > I am trying to setup Fedora Directory Server 1.0.1 on an x86 box
> > running RedHat ES4 in a VMWare session.
> >
> > I've run setup. I've created a user and group dsuser which is set as
> > the server user. I set the admin to be dsadmin. I set the admin
> > server to be run as root.
> >
> > setup completes and appears to start correctly.
> >
> > I use the following line to launch the console:
> >
> > ./startconsole -x nologo -u dsadmin -a
> > http://rheles4rs1.forayadams.foray.com:45303
> >
> > In the login window I enter the dsadmin password. I then get a panel
> > with the following message:
> >
> > Cannot logon because of incorrect User ID,
> > incorrect password or Directory problem.
> >
> > HttpException:
> > Response: HTTP/1.1 401 Authorization Required
> > Status: 401
> > URL: http://rheles4rs1.forayadams.foray.com:45303/admin-serv/authenticate
> >
> > I'm sure I've done something stupid and basic somewhere, but I have no
> > idea what and I can't find anything about this via search.
>
> tail admin-serv/logs/error
> tail admin-serv/logs/access
>
> >
> > Does anyone have any ideas as to what I've done wrong?
> >
> > Thanks,
> > -Mont
> >
> >------------------------------------------------------------------------
> >
> >--
> >Fedora-directory-users mailing list
> >Fedora-directory-users at redhat.com
> >https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >
> >
>
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>
>
>------------------------------------------------------------------------
>
>--
>Fedora-directory-users mailing list
>Fedora-directory-users at redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3178 bytes
Desc: S/MIME Cryptographic Signature
URL:

From dennis at ausil.us Thu Mar 2 22:33:57 2006
From: dennis at ausil.us (Dennis Gilmore)
Date: Thu, 2 Mar 2006 16:33:57 -0600
Subject: [Fedora-directory-users] Fedora DS v1.0.2 src RPMs?
In-Reply-To: <44076689.4040403@sharp.fm>
References: <44075B6F.7050703@sharp.fm> <200603021538.51629.dennis@ausil.us> <44076689.4040403@sharp.fm>
Message-ID: <200603021633.57953.dennis@ausil.us>

On Thursday 02 March 2006 15:41, Graham Leggett wrote:
> Dennis Gilmore wrote:
> > then you have a x86 32bit distro installed and need to use the i386
> > packages
>
> Hmmm... will check it out, thanks for confirming this for me.
>
> Regards,
> Graham
> --

a good indication will be

rpm -q --queryformat "%{name}-%{version}-%{release}.%{arch}\n" glibc

if you have a 64 bit os you should get something like

glibc-2.3.90-38.x86_64
glibc-2.3.90-38.i686

--
Regards

Dennis Gilmore, RHCE
Proud Australian

From dennis at ausil.us Thu Mar 2 22:35:20 2006
From: dennis at ausil.us (Dennis Gilmore)
Date: Thu, 2 Mar 2006 16:35:20 -0600
Subject: [Fedora-directory-users] Fedora DS v1.0.2 src RPMs?
In-Reply-To: <440770B8.4020902@redhat.com>
References: <44075B6F.7050703@sharp.fm> <200603021503.18671.dennis@ausil.us> <440770B8.4020902@redhat.com>
Message-ID: <200603021635.20249.dennis@ausil.us>

On Thursday 02 March 2006 16:24, Richard Megginson wrote:
>
> If you want to build it yourself the information is here -
> http://directory.fedora.redhat.com/wiki/Building#One-Step_Build
>
> In a nutshell:
> wget http://directory.fedora.redhat.com/sources/dsbuild-fds102.tar.gz
> tar xfz dsbuild-fds102.tar.gz
> cd dsbuild-fds102/meta/ds
> make 2>&1 | tee build.log
>
> Use make BUILD_RPM=1 to make an RPM (default is an installable setuputil
> package), use DEBUG=full to produce a debug build (default is optimize).

How well do you think a build would go on sparc linux?

--
Regards

Dennis Gilmore, RHCE
Proud Australian

From rmeggins at redhat.com Thu Mar 2 22:42:11 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 02 Mar 2006 15:42:11 -0700
Subject: [Fedora-directory-users] Fedora DS v1.0.2 src RPMs?
In-Reply-To: <200603021635.20249.dennis@ausil.us>
References: <44075B6F.7050703@sharp.fm> <200603021503.18671.dennis@ausil.us> <440770B8.4020902@redhat.com> <200603021635.20249.dennis@ausil.us>
Message-ID: <440774C3.1030104@redhat.com>

Dennis Gilmore wrote:

>On Thursday 02 March 2006 16:24, Richard Megginson wrote:
>
>
>>If you want to build it yourself the information is here -
>>http://directory.fedora.redhat.com/wiki/Building#One-Step_Build
>>
>>In a nutshell:
>>wget http://directory.fedora.redhat.com/sources/dsbuild-fds102.tar.gz
>>tar xfz dsbuild-fds102.tar.gz
>>cd dsbuild-fds102/meta/ds
>>make 2>&1 | tee build.log
>>
>>Use make BUILD_RPM=1 to make an RPM (default is an installable setuputil
>>package), use DEBUG=full to produce a debug build (default is optimize).
>>
>>
>
>How well do you think a build would go on sparc linux?
>
>

What OS? I've never tried it, but RHEL or Fedora Core should work.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3178 bytes
Desc: S/MIME Cryptographic Signature
URL:

From dennis at ausil.us Thu Mar 2 23:00:47 2006
From: dennis at ausil.us (Dennis Gilmore)
Date: Thu, 2 Mar 2006 17:00:47 -0600
Subject: [Fedora-directory-users] Fedora DS v1.0.2 src RPMs?
In-Reply-To: <440774C3.1030104@redhat.com>
References: <44075B6F.7050703@sharp.fm> <200603021635.20249.dennis@ausil.us> <440774C3.1030104@redhat.com>
Message-ID: <200603021700.47924.dennis@ausil.us>

On Thursday 02 March 2006 16:42, Richard Megginson wrote:
> Dennis Gilmore wrote:
> >On Thursday 02 March 2006 16:24, Richard Megginson wrote:
> >>If you want to build it yourself the information is here -
> >>http://directory.fedora.redhat.com/wiki/Building#One-Step_Build
> >>
> >>In a nutshell:
> >>wget http://directory.fedora.redhat.com/sources/dsbuild-fds102.tar.gz
> >>tar xfz dsbuild-fds102.tar.gz
> >>cd dsbuild-fds102/meta/ds
> >>make 2>&1 | tee build.log
> >>
> >>Use make BUILD_RPM=1 to make an RPM (default is an installable setuputil
> >>package), use DEBUG=full to produce a debug build (default is optimize).
> >
> >How well do you think a build would go on sparc linux?
>
> What OS? I've never tried it, but RHEL or Fedora Core should work.

Aurora SPARC Linux it's a port of Fedora to SPARC.
I guess I'll give it a go and see what happens

--
Regards

Dennis Gilmore, RHCE
Proud Australian

From felipe.alfaro at gmail.com Thu Mar 2 23:03:27 2006
From: felipe.alfaro at gmail.com (Felipe Alfaro Solana)
Date: Fri, 3 Mar 2006 00:03:27 +0100
Subject: [Fedora-directory-users] Re: [Fedora-directory-announce] Announcing Fedora Directory Server 1.0.2
In-Reply-To: <44070755.6040201@redhat.com>
References: <44070755.6040201@redhat.com>
Message-ID: <6f6293f10603021503h5da556c3tc9d906ffc6139e23@mail.gmail.com>

> * Preliminary support for Fedora Core 5 - including support for Apache
> 2.2 and native java

What RPM should I install on FC5T3?

I did install http://directory.fedora.redhat.com/download/fedora-ds-1.0.2-1.FC4.i386.opt.rpm. However, during installation, the Admin Server fails to start:

httpd.worker: Syntax error on line 151 of /opt/fedora-ds/admin-serv/config/httpd.conf: Cannot load /opt/fedora-ds/bin/admin/lib/libmodrestartd.so into server: /opt/fedora-ds/bin/admin/lib/libmodrestartd.so: undefined symbol: apr_filename_of_pathname

What did I do wrong?

From HaneJ at gsicommerce.com Thu Mar 2 23:02:22 2006
From: HaneJ at gsicommerce.com (Jason Hane)
Date: Thu, 2 Mar 2006 18:02:22 -0500
Subject: [Fedora-directory-users] Fedora DS v1.0.2 src RPMs?
Message-ID:

Red Hat doesn't support SPARC. My co-worker just installed Aurora today on his SPARC box. It is similar, but I do see some differences. Hopefully it'll work for you.

Jason Hane

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Dennis Gilmore
Sent: Thursday, March 02, 2006 6:01 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Fedora DS v1.0.2 src RPMs?

On Thursday 02 March 2006 16:42, Richard Megginson wrote:
> Dennis Gilmore wrote:
> >On Thursday 02 March 2006 16:24, Richard Megginson wrote:
> >>If you want to build it yourself the information is here -
> >>http://directory.fedora.redhat.com/wiki/Building#One-Step_Build
> >>
> >>In a nutshell:
> >>wget
> >>http://directory.fedora.redhat.com/sources/dsbuild-fds102.tar.gz
> >>tar xfz dsbuild-fds102.tar.gz
> >>cd dsbuild-fds102/meta/ds
> >>make 2>&1 | tee build.log
> >>
> >>Use make BUILD_RPM=1 to make an RPM (default is an installable
> >>setuputil package), use DEBUG=full to produce a debug build (default is optimize).
> >
> >How well do you think a build would go on sparc linux?
>
> What OS? I've never tried it, but RHEL or Fedora Core should work.

Aurora SPARC Linux it's a port of Fedora to SPARC. I guess I'll give it a go and see what happens

--
Regards

Dennis Gilmore, RHCE
Proud Australian

--
Fedora-directory-users mailing list
Fedora-directory-users at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users

From dennis at ausil.us Thu Mar 2 23:08:46 2006
From: dennis at ausil.us (Dennis Gilmore)
Date: Thu, 2 Mar 2006 17:08:46 -0600
Subject: [Fedora-directory-users] Fedora DS v1.0.2 src RPMs?
In-Reply-To:
References:
Message-ID: <200603021708.46847.dennis@ausil.us>

On Thursday 02 March 2006 17:02, Jason Hane wrote:
> Red Hat doesn't support SPARC. My co-worker just installed Aurora today
> on his SPARC box. It is similar, but I do see some differences.
> Hopefully it'll work for you.
>
> Jason Hane
>

Which version of Aurora did he install.
2.0 is based on fc3 and 1.0 is based on RH 7.3

I use It of my 4 sparcs

--
Regards

Dennis Gilmore, RHCE
Proud Australian

From mont.rothstein at gmail.com Thu Mar 2 23:17:25 2006
From: mont.rothstein at gmail.com (Mont Rothstein)
Date: Thu, 2 Mar 2006 15:17:25 -0800
Subject: [Fedora-directory-users] Can't login to console
In-Reply-To: <440770FE.5030507@redhat.com>
References: <467a83630603021046n1d7c978cr7224b9dd0c611b60@mail.gmail.com> <4407527B.1060709@redhat.com> <467a83630603021249y72386565o3a7734590dd51c32@mail.gmail.com> <440770FE.5030507@redhat.com>
Message-ID: <467a83630603021517i62aae207y2c230119bd32e204@mail.gmail.com>

OK, I obviously have something fundamental screwed up.

If I try either the ldapsearch or ldapmodify commands on the wikipedia page I get the following error:

ldap_simple_bind: Can't connect to the LDAP server - Connection reset by peer

Does anyone have a guess as to what I might have screwed up?

Thanks,
-Mont

On 3/2/06, Richard Megginson wrote:
>
> Mont Rothstein wrote:
>
> > admin-serv/logs/access gives me:
> >
> > 192.168.1.115 - - [02/Mar/2006:12:38:03 -0800] "GET /admin-serv/authenticate HTTP/1.0" 401 488
> >
> > admin-serv/logs/error gives me:
> >
> > [Thu Mar 02 12:38:03 2006] [notice] [client 192.168.1.115] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.1.115
> > [Thu Mar 02 12:38:03 2006] [notice] [client 192.168.1.115] admserv_host_ip_check: host [rheles4rs1.foray.com] did not match pattern [*.forayadams.foray.com] -will scan aliases
> > [Thu Mar 02 12:38:03 2006] [notice] [client 192.168.1.115] admserv_host_ip_check: host alias [rheles4rs1] did not match pattern [*.forayadams.foray.com]
> > [Thu Mar 02 12:38:03 2006] [notice] [client 192.168.1.115] admserv_host_ip_check: Unauthorized host ip=192.168.1.115, connection rejected
> >
> > Looking at the above log entries I am not sure what to make of them.
> > I can do a reverse lookup on the IP address via the host command. I
> > have no idea where it is getting "rheles4rs1.foray.com" from.
> > This is missing the forayadams subdomain.
>
> It seems like a DNS problem, but if you just want to disable this
> checking in the meantime, see
> http://directory.fedora.redhat.com/wiki/Howto:AdminServerLDAPMgmt
>
> >
> > Since that is so odd, I would suspect that is the problem, except that
> > I have no idea where it is getting that incorrect FQDN from.
> >
> > Do these logs entries say more to you than they do to me?
> >
> > Thanks,
> > -Mont
> >
> >
> >
> > On 3/2/06, *Richard Megginson* wrote:
> >
> > Mont Rothstein wrote:
> >
> > > I am trying to setup Fedora Directory Server 1.0.1 on an x86 box
> > > running RedHat ES4 in a VMWare session.
> > >
> > > I've run setup. I've created a user and group dsuser which is set as
> > > the server user. I set the admin to be dsadmin. I set the admin
> > > server to be run as root.
> > >
> > > setup completes and appears to start correctly.
> > >
> > > I use the following line to launch the console:
> > >
> > > ./startconsole -x nologo -u dsadmin -a
> > > http://rheles4rs1.forayadams.foray.com:45303
> > >
> > > In the login window I enter the dsadmin password. I then get a panel
> > > with the following message:
> > >
> > > Cannot logon because of incorrect User ID,
> > > incorrect password or Directory problem.
> > >
> > > HttpException:
> > > Response: HTTP/1.1 401 Authorization Required
> > > Status: 401
> > > URL: http://rheles4rs1.forayadams.foray.com:45303/admin-serv/authenticate
> > >
> > > I'm sure I've done something stupid and basic somewhere, but I have no
> > > idea what and I can't find anything about this via search.
> >
> > tail admin-serv/logs/error
> > tail admin-serv/logs/access
> >
> > >
> > > Does anyone have any ideas as to what I've done wrong?
> > >
> > > Thanks,
> > > -Mont
> > >
> > >------------------------------------------------------------------------
> > >
> > >--
> > >Fedora-directory-users mailing list
> > >Fedora-directory-users at redhat.com
> > >https://www.redhat.com/mailman/listinfo/fedora-directory-users
> > >
> > >
> >
> >
> > --
> > Fedora-directory-users mailing list
> > Fedora-directory-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >
> >
> >
> >------------------------------------------------------------------------
> >
> >--
> >Fedora-directory-users mailing list
> >Fedora-directory-users at redhat.com
> >https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >
> >
>
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rmeggins at redhat.com Thu Mar 2 23:46:53 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 02 Mar 2006 16:46:53 -0700
Subject: [Fedora-directory-users] Re: [Fedora-directory-devel] Re: [Fedora-directory-announce] Announcing Fedora Directory Server 1.0.2
In-Reply-To: <6f6293f10603021503h5da556c3tc9d906ffc6139e23@mail.gmail.com>
References: <44070755.6040201@redhat.com> <6f6293f10603021503h5da556c3tc9d906ffc6139e23@mail.gmail.com>
Message-ID: <440783ED.3040606@redhat.com>

Felipe Alfaro Solana wrote:

>>* Preliminary support for Fedora Core 5 - including support for Apache
>>2.2 and native java
>>
>>
>
>What RPM should I install on FC5T3?
>

There are no RPMs (yet) for FC5. Instead, you'll have to build it from source. See http://directory.fedora.redhat.com/wiki/Building#One-Step_Build

>I did install
>http://directory.fedora.redhat.com/download/fedora-ds-1.0.2-1.FC4.i386.opt.rpm.
>However, during installation, the Admin Server fails to start:
>
>httpd.worker: Syntax error on line 151 of
>/opt/fedora-ds/admin-serv/config/httpd.conf: Cannot load
>/opt/fedora-ds/bin/admin/lib/libmodrestartd.so into server:
>/opt/fedora-ds/bin/admin/lib/libmodrestartd.so: undefined symbol:
>apr_filename_of_pathname
>
>What did I do wrong?
>
>--
>Fedora-directory-devel mailing list
>Fedora-directory-devel at redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-devel
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3178 bytes
Desc: S/MIME Cryptographic Signature
URL:

From felipe.alfaro at gmail.com Fri Mar 3 00:36:22 2006
From: felipe.alfaro at gmail.com (Felipe Alfaro Solana)
Date: Fri, 3 Mar 2006 01:36:22 +0100
Subject: [Fedora-directory-users] using LdapImport to migrate users and groups
In-Reply-To: <440757F6.6080207@crwash.org>
References: <467a83630603021046n1d7c978cr7224b9dd0c611b60@mail.gmail.com> <4407527B.1060709@redhat.com> <44075442.6040206@crwash.org> <440756F3.7070209@redhat.com> <440757F6.6080207@crwash.org>
Message-ID: <6f6293f10603021636o27737160lc734edf836131b90@mail.gmail.com>

> I'm logged in as "admin" -- logging in as "Directory Manager" results in
> an error claiming that that object is not in the directory (even though
> i added it during setup).

User "cn=Directory Manager" is a special user and thus you won't be able to find it if you look for it in the DIT. It is configured statically, along with its password.

Anyways, logging in as "cn=Directory Manager" is discouraged. Log instead as "admin": there ACLs in the DIT will give admin power enough to perform administration while stopping you from shooting at your feet.

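Added example (not from any poster and not Fedora DS code): a Python script for the checks suggested in the "Can't login to console" thread. It parses the admserv_host_ip_check lines from admin-serv/logs/error, then tests that the reverse lookup of the client IP yields a name matching the allowed-host pattern and that the forward lookup of the expected FQDN returns the same IP. The function names, the shell-style glob reading of the pattern and the tidied sample log are assumptions.

```python
"""Diagnose admserv_host_ip_check rejections (added example, not project code)."""
import fnmatch
import re
import socket

# Constructed sample: the admin-serv/logs/error lines quoted in the thread,
# re-joined onto single lines with the mail-archive debris removed.
SAMPLE_ERROR_LOG = """\
[Thu Mar 02 12:38:03 2006] [notice] [client 192.168.1.115] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.1.115
[Thu Mar 02 12:38:03 2006] [notice] [client 192.168.1.115] admserv_host_ip_check: host [rheles4rs1.foray.com] did not match pattern [*.forayadams.foray.com] -will scan aliases
[Thu Mar 02 12:38:03 2006] [notice] [client 192.168.1.115] admserv_host_ip_check: host alias [rheles4rs1] did not match pattern [*.forayadams.foray.com]
[Thu Mar 02 12:38:03 2006] [notice] [client 192.168.1.115] admserv_host_ip_check: Unauthorized host ip=192.168.1.115, connection rejected
"""

LINE_RE = re.compile(
    r"\[client (?P<ip>[0-9.]+)\s*\] admserv_host_ip_check: (?P<msg>.*)$")
NAME_RE = re.compile(
    r"host(?: alias)? \[(?P<name>[^\]\s]+)\s*\] did not match "
    r"pattern \[(?P<pattern>[^\]]+)\]")


def parse_rejections(log_text):
    """Return {client_ip: {"names", "pattern", "unresolved", "rejected"}}."""
    clients = {}
    for line in log_text.splitlines():
        found = LINE_RE.search(line)
        if not found:
            continue
        entry = clients.setdefault(found.group("ip"), {
            "names": [], "pattern": None,
            "unresolved": False, "rejected": False})
        msg = found.group("msg")
        name = NAME_RE.search(msg)
        if name:
            # Every name the server tried, in the order it tried them.
            entry["names"].append(name.group("name"))
            entry["pattern"] = name.group("pattern")
        elif "could not resolve" in msg:
            entry["unresolved"] = True
        elif "connection rejected" in msg:
            entry["rejected"] = True
    return clients


def matches(name, pattern):
    """Case-insensitive glob match (assumed semantics of the host pattern)."""
    return fnmatch.fnmatchcase(name.lower(), pattern.lower())


def diagnose(ip, expected_fqdn, pattern,
             reverse=socket.gethostbyaddr, forward=socket.gethostbyname_ex):
    """List the lookup inconsistencies that would make the host check fail.

    The default resolvers follow the system lookup order (nsswitch.conf),
    which may differ from what a DNS-only tool such as `host` reports.
    """
    findings = []
    try:
        primary, aliases, _ = reverse(ip)
        names = [primary] + list(aliases)
    except OSError as exc:
        names = []
        findings.append(f"reverse lookup of {ip} failed: {exc}")
    if names and not any(matches(n, pattern) for n in names):
        findings.append(
            f"reverse names {names} for {ip} do not match pattern {pattern}")
    if names and expected_fqdn.lower() not in [n.lower() for n in names]:
        findings.append(
            f"reverse lookup of {ip} does not return {expected_fqdn}")
    try:
        _, _, addresses = forward(expected_fqdn)
        if ip not in addresses:
            findings.append(
                f"{expected_fqdn} resolves to {addresses}, not {ip}")
    except OSError as exc:
        findings.append(f"forward lookup of {expected_fqdn} failed: {exc}")
    return findings


if __name__ == "__main__":
    # Constructed resolver answers modelling the thread, so this runs offline.
    def fake_reverse(ip):
        return ("rheles4rs1.foray.com", ["rheles4rs1"], [ip])

    def fake_forward(name):
        return (name, [], ["192.168.1.115"])

    for client_ip, info in parse_rejections(SAMPLE_ERROR_LOG).items():
        print(client_ip, info)
        for finding in diagnose(client_ip, "rheles4rs1.forayadams.foray.com",
                                info["pattern"], fake_reverse, fake_forward):
            print("  -", finding)
```

Run against a live host, call diagnose() without the two resolver arguments so that the system resolver is used.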
From rmeggins at redhat.com Fri Mar 3 03:45:28 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 02 Mar 2006 20:45:28 -0700
Subject: [Fedora-directory-users] Can't login to console
In-Reply-To: <467a83630603021517i62aae207y2c230119bd32e204@mail.gmail.com>
References: <467a83630603021046n1d7c978cr7224b9dd0c611b60@mail.gmail.com> <4407527B.1060709@redhat.com> <467a83630603021249y72386565o3a7734590dd51c32@mail.gmail.com> <440770FE.5030507@redhat.com> <467a83630603021517i62aae207y2c230119bd32e204@mail.gmail.com>
Message-ID: <4407BBD8.4060909@redhat.com>

Mont Rothstein wrote:

> OK, I obviously have something fundamental screwed up.
>
> If I try either the ldapsearch or ldapmodify commands on the wikipedia
> page I get the following error:

Try putting in your host and port explicitly e.g.

ldapsearch -x -h yourhost -p yourport -s base -b "" "objectclass=*"

>
> ldap_simple_bind: Can't connect to the LDAP server - Connection reset
> by peer
>
> Does anyone have a guess as to what I might have screwed up?
>
> Thanks,
> -Mont
>
>
> On 3/2/06, *Richard Megginson* wrote:
>
> Mont Rothstein wrote:
>
> > admin-serv/logs/access gives me:
> >
> > 192.168.1.115 - - [02/Mar/2006:12:38:03 -0800] "GET /admin-serv/authenticate HTTP/1.0" 401 488
> >
> > admin-serv/logs/error gives me:
> >
> > [Thu Mar 02 12:38:03 2006] [notice] [client 192.168.1.115] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.1.115
> > [Thu Mar 02 12:38:03 2006] [notice] [client 192.168.1.115] admserv_host_ip_check: host [rheles4rs1.foray.com] did not match pattern [*.forayadams.foray.com] -will scan aliases
> > [Thu Mar 02 12:38:03 2006] [notice] [client 192.168.1.115] admserv_host_ip_check: host alias [rheles4rs1] did not match pattern [*.forayadams.foray.com]
> > [Thu Mar 02 12:38:03 2006] [notice] [client 192.168.1.115] admserv_host_ip_check: Unauthorized host ip=192.168.1.115, connection rejected
> >
> > Looking at the above log entries I am not sure what to make of them.
> > I can do a reverse lookup on the IP address via the host command. I
> > have no idea where it is getting "rheles4rs1.foray.com" from.
> > This is missing the forayadams subdomain.
>
> It seems like a DNS problem, but if you just want to disable this
> checking in the meantime, see
> http://directory.fedora.redhat.com/wiki/Howto:AdminServerLDAPMgmt
>
> >
> > Since that is so odd, I would suspect that is the problem, except that
> > I have no idea where it is getting that incorrect FQDN from.
> >
> > Do these logs entries say more to you than they do to me?
> >
> > Thanks,
> > -Mont
> >
> >
> >
> > On 3/2/06, *Richard Megginson* wrote:
> >
> > Mont Rothstein wrote:
> >
> > > I am trying to setup Fedora Directory Server 1.0.1 on an x86 box
> > > running RedHat ES4 in a VMWare session.
> > >
> > > I've run setup.
> > > > > I've created a user and group dsuser which is set as
> > > > > the server user. I set the admin to be dsadmin. I set the admin
> > > > > server to be run as root.
> > > > >
> > > > > setup completes and appears to start correctly.
> > > > >
> > > > > I use the following line to launch the console:
> > > > >
> > > > > ./startconsole -x nologo -u dsadmin -a http://rheles4rs1.forayadams.foray.com:45303
> > > > >
> > > > > In the login window I enter the dsadmin password. I then get a panel
> > > > > with the following message:
> > > > >
> > > > > Cannot logon because of incorrect User ID,
> > > > > incorrect password or Directory problem.
> > > > >
> > > > > HttpException:
> > > > > Response: HTTP/1.1 401 Authorization Required
> > > > > Status: 401
> > > > > URL: http://rheles4rs1.forayadams.foray.com:45303/admin-serv/authenticate
> > > > >
> > > > > I'm sure I've done something stupid and basic somewhere, but I have no
> > > > > idea what and I can't find anything about this via search.
> > > >
> > > > tail admin-serv/logs/error
> > > > tail admin-serv/logs/access
> > > >
> > > > > Does anyone have any ideas as to what I've done wrong?
> > > > >
> > > > > Thanks,
> > > > > -Mont

From david.lewis at utc.fr Fri Mar 3 11:53:26 2006
From: david.lewis at utc.fr (David Lewis)
Date: Fri, 03 Mar 2006 12:53:26 +0100
Subject: [Fedora-directory-users] blocking "unauthenticated bind"
Message-ID: <44082E36.3060403@utc.fr>

We have just migrated from openldap to fedora, and have realized with
horror that some authentication clients (for example CAS) are giving the
OK to users who submit an empty password string.

We have been going slowly mad trying to find how to block this in the
configuration.

We previously allowed anonymous binds, but since discovering the problem
we have disallowed them .. but this does NOT solve the problem.
In a nutshell, this is what happens:

% ldapbind -h fedora_ds_server.utc.fr -p 389 -D "uid=someuser,ou=people,dc=utc,dc=fr" -w ""
bind successful

% ldapbind -h openldap_server.utc.fr -p 389 -D "uid=someuser,ou=people,dc=utc,dc=fr" -w ""
ldap_bind: DSA is unwilling to perform
ldap_bind: additional info: unauthenticated bind (DN with no password) disallowed

Could anyone tell us how to get fedora to behave like openldap in this
respect? There's a lot of stuff on the web about blocking
"unauthenticated binds" in openldap, but hardly anything regarding other
directory servers.

Any useful tips would be gratefully received.

David

David Lewis
system administrator
University of Compiegne
France

From mj at sci.fi Fri Mar 3 13:31:10 2006
From: mj at sci.fi (mj at sci.fi)
Date: Fri, 3 Mar 2006 15:31:10 +0200 (EET)
Subject: [Fedora-directory-users] blocking
Message-ID: <8605499.637391141392670431.JavaMail.mj@sci.fi>

> We have just migrated from openldap to fedora, and have realized with
> horror that some authentication clients (for example CAS) are giving the
> OK to users who submit an empty password string.
>
> We have been going slowly mad trying to find how to block this in the
> configuration.

FDS only cares about the bind method when evaluating access control to
data. When only using the external bind interface, AFAIK there is
currently no way to disable anonymous binds from succeeding with FDS.

One could write a pre authentication plugin which, when enabled, would
prevent anonymous binds from succeeding and send the unwilling to
perform back to the client.

BR,
-- mike

From kimmo.koivisto at surfeu.fi Fri Mar 3 14:50:25 2006
From: kimmo.koivisto at surfeu.fi (Kimmo Koivisto)
Date: Fri, 3 Mar 2006 16:50:25 +0200
Subject: [Fedora-directory-users] Admin console and reverse DNS
Message-ID: <200603031650.26280.kimmo.koivisto@surfeu.fi>

Hello

I installed FDS 1.0.2 to the FC4 and tried to connect it with Admin console.

I have set Host filter to * and Address filter to *.
When I try to use admin console from client workstation which has working
reverse DNS address, connection works.

But when I try to connect from workstation without working reverse DNS,
login fails:

[Fri Mar 03 16:41:57 2006] [notice] Access Host filter is: *
[Fri Mar 03 16:41:57 2006] [notice] Access Address filter is: *
[Fri Mar 03 16:41:58 2006] [notice] Access Host filter is: *
[Fri Mar 03 16:41:58 2006] [notice] Access Address filter is: *
[Fri Mar 03 16:41:58 2006] [notice] Apache/2.0 configured -- resuming normal operations
[Fri Mar 03 16:44:06 2006] [notice] [client 192.168.19.12] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.19.12
[Fri Mar 03 16:44:06 2006] [warn] [client 192.168.19.12] admserv_host_ip_check: failed to get host by ip addr [192.168.19.12] - check your host and DNS configuration
[Fri Mar 03 16:44:06 2006] [notice] [client 192.168.19.12] admserv_host_ip_check: Unauthorized host ip=192.168.19.12, connection rejected

How to allow admin console connections to admin server from addresses that
do not have working reverse DNS?

Best Regards
Kimmo Koivisto

From dennis at royalpublishing.com Thu Mar 2 22:27:00 2006
From: dennis at royalpublishing.com (Dennis Gilmore)
Date: Thu, 2 Mar 2006 16:27:00 -0600
Subject: [Fedora-directory-users] Fedora DS v1.0.2 src RPMs?
In-Reply-To: <44076689.4040403@sharp.fm>
References: <44075B6F.7050703@sharp.fm> <200603021538.51629.dennis@ausil.us> <44076689.4040403@sharp.fm>
Message-ID: <200603021627.00438.dennis@royalpublishing.com>

On Thursday 02 March 2006 15:41, Graham Leggett wrote:
> Dennis Gilmore wrote:
> > then you have a x86 32bit distro installed and need to use the i386
> > packages
>
> Hmmm... will check it out, thanks for confirming this for me.
>
> Regards,
> Graham
> --

a good indication will be

rpm -q --queryformat "%{name}-%{version}-%{release}.%{arch}\n" glibc

if you have a 64 bit os you should get something like

glibc-2.3.90-38.x86_64
glibc-2.3.90-38.i686

--
Regards

Dennis Gilmore RHCE
Network Manager
Royal Publishing
(309)693-3171 x299
7620 N. Harker Drive
Peoria IL 61615

Fedora Core release 4 (Rawhide)
15:42:45 up 7:27, 7 users, load average: 0.56, 0.47, 0.56

From dennis at royalpublishing.com Thu Mar 2 22:58:05 2006
From: dennis at royalpublishing.com (Dennis Gilmore)
Date: Thu, 2 Mar 2006 16:58:05 -0600
Subject: [Fedora-directory-users] Fedora DS v1.0.2 src RPMs?
In-Reply-To: <440774C3.1030104@redhat.com>
References: <44075B6F.7050703@sharp.fm> <200603021635.20249.dennis@ausil.us> <440774C3.1030104@redhat.com>
Message-ID: <200603021658.05895.dennis@royalpublishing.com>

On Thursday 02 March 2006 16:42, Richard Megginson wrote:
> Dennis Gilmore wrote:
> >On Thursday 02 March 2006 16:24, Richard Megginson wrote:
> >>If you want to build it yourself the information is here -
> >>http://directory.fedora.redhat.com/wiki/Building#One-Step_Build
> >>
> >>In a nutshell:
> >>wget http://directory.fedora.redhat.com/sources/dsbuild-fds102.tar.gz
> >>tar xfz dsbuild-fds102.tar.gz
> >>cd dsbuild-fds102/meta/ds
> >>make 2>&1 | tee build.log
> >>
> >>Use make BUILD_RPM=1 to make an RPM (default is an installable setuputil
> >>package), use DEBUG=full to produce a debug build (default is optimize).
> >
> >How well do you think a build would go on sparc linux?
>
> What OS? I've never tried it, but RHEL or Fedora Core should work.

Aurora SPARC Linux it's a port of Fedora to SPARC. I guess I'll give it a go
and see what happens

--
Regards

Dennis Gilmore RHCE
Network Manager
Royal Publishing
(309)693-3171 x299
7620 N.
Harker Drive
Peoria IL 61615

Fedora Core release 4 (Rawhide)
16:57:30 up 8:42, 6 users, load average: 0.98, 1.07, 1.21

From rmeggins at redhat.com Fri Mar 3 15:26:33 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 03 Mar 2006 08:26:33 -0700
Subject: [Fedora-directory-users] Admin console and reverse DNS
In-Reply-To: <200603031650.26280.kimmo.koivisto@surfeu.fi>
References: <200603031650.26280.kimmo.koivisto@surfeu.fi>
Message-ID: <44086029.5080909@redhat.com>

Does this help -
http://directory.fedora.redhat.com/wiki/Howto:AdminServerLDAPMgmt

Kimmo Koivisto wrote:

>Hello
>
>I installed FDS 1.0.2 to the FC4 and tried to connect it with Admin console.
>
>I have set Host filter to * and Address filter to *. When I try to use admin
>console from client workstation which has working reverse DNS address,
>connection works.
>
>But when I try to connect from workstation without working reverse DNS, login
>fails:
>
>[Fri Mar 03 16:41:57 2006] [notice] Access Host filter is: *
>[Fri Mar 03 16:41:57 2006] [notice] Access Address filter is: *
>[Fri Mar 03 16:41:58 2006] [notice] Access Host filter is: *
>[Fri Mar 03 16:41:58 2006] [notice] Access Address filter is: *
>[Fri Mar 03 16:41:58 2006] [notice] Apache/2.0 configured -- resuming normal operations
>[Fri Mar 03 16:44:06 2006] [notice] [client 192.168.19.12] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.19.12
>[Fri Mar 03 16:44:06 2006] [warn] [client 192.168.19.12] admserv_host_ip_check: failed to get host by ip addr [192.168.19.12] - check your host and DNS configuration
>[Fri Mar 03 16:44:06 2006] [notice] [client 192.168.19.12] admserv_host_ip_check: Unauthorized host ip=192.168.19.12, connection rejected
>
>
>How to allow admin console connections to admin server from addresses that do
>not have working reverse DNS?
>
>Best Regards
>Kimmo Koivisto

From thierry.lanfranchi at wanadoo.fr Fri Mar 3 15:25:44 2006
From: thierry.lanfranchi at wanadoo.fr (Thierry Lanfranchi)
Date: Fri, 03 Mar 2006 16:25:44 +0100
Subject: [Fedora-directory-users] Admin console and reverse DNS
Message-ID: <200603031509.k23F9Pev018007@relay1.clb.oleane.net>

I think you have to set the filter to NULL or empty if you don't need dns
host checking at all.

----- Original Message -----
From: Kimmo Koivisto
To: "General discussion list for the Fedora Directory server project."
Date: Fri, 3 Mar 2006 16:50:25 +0200
Subject: [Fedora-directory-users] Admin console and reverse DNS

> Hello
>
> I installed FDS 1.0.2 to the FC4 and tried to connect it with Admin console.
>
> I have set Host filter to * and Address filter to *. When I try to use
> admin console from client workstation which has working reverse DNS address,
> connection works.
>
> But when I try to connect from workstation without working reverse DNS,
> login fails:
>
> [Fri Mar 03 16:41:57 2006] [notice] Access Host filter is: *
> [Fri Mar 03 16:41:57 2006] [notice] Access Address filter is: *
> [Fri Mar 03 16:41:58 2006] [notice] Access Host filter is: *
> [Fri Mar 03 16:41:58 2006] [notice] Access Address filter is: *
> [Fri Mar 03 16:41:58 2006] [notice] Apache/2.0 configured -- resuming normal operations
> [Fri Mar 03 16:44:06 2006] [notice] [client 192.168.19.12] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.19.12
> [Fri Mar 03 16:44:06 2006] [warn] [client 192.168.19.12] admserv_host_ip_check: failed to get host by ip addr [192.168.19.12] - check your host and DNS configuration
> [Fri Mar 03 16:44:06 2006] [notice] [client 192.168.19.12] admserv_host_ip_check: Unauthorized host ip=192.168.19.12, connection rejected
>
>
> How to allow admin console connections to admin server from addresses that
> do not have working reverse DNS?
>
> Best Regards
> Kimmo Koivisto

From HaneJ at gsicommerce.com Fri Mar 3 16:56:52 2006
From: HaneJ at gsicommerce.com (Jason Hane)
Date: Fri, 3 Mar 2006 11:56:52 -0500
Subject: [Fedora-directory-users] Fedora DS v1.0.2 src RPMs?
Message-ID:

He's using 2.0 beta or something. It's the newest one.

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Dennis Gilmore
Sent: Thursday, March 02, 2006 6:09 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Fedora DS v1.0.2 src RPMs?

On Thursday 02 March 2006 17:02, Jason Hane wrote:
> Red Hat doesn't support SPARC. My co-worker just installed Aurora
> today on his SPARC box. It is similar, but I do see some differences.
> Hopefully it'll work for you.
>
> Jason Hane
>

Which version of Aurora did he install. 2.0 is based on fc3 and 1.0 is based
on RH 7.3 I use It of my 4 sparcs

--
Regards

Dennis Gilmore, RHCE
Proud Australian

From dennis at ausil.us Fri Mar 3 17:06:54 2006
From: dennis at ausil.us (Dennis Gilmore)
Date: Fri, 3 Mar 2006 11:06:54 -0600
Subject: [Fedora-directory-users] Fedora DS v1.0.2 src RPMs?
In-Reply-To:
References:
Message-ID: <200603031106.54295.dennis@ausil.us>

On Friday 03 March 2006 10:56, Jason Hane wrote:
> He's using 2.0 beta or something. It's the newest one.
>

Yeah it's fc3 you shouldn't notice any differences between it and a fc3 system
It has extras packages available for it

--
Regards

Dennis Gilmore, RHCE
Proud Australian

From kimmo.koivisto at surfeu.fi Fri Mar 3 17:30:44 2006
From: kimmo.koivisto at surfeu.fi (Kimmo Koivisto)
Date: Fri, 3 Mar 2006 19:30:44 +0200
Subject: [Fedora-directory-users] Admin console and reverse DNS
In-Reply-To: <44086029.5080909@redhat.com>
References: <200603031650.26280.kimmo.koivisto@surfeu.fi> <44086029.5080909@redhat.com>
Message-ID: <200603031930.45214.kimmo.koivisto@surfeu.fi>

Richard Megginson wrote (sent Friday 03 March 2006 17:26):
> Does this help -
> http://directory.fedora.redhat.com/wiki/Howto:AdminServerLDAPMgmt
>

No, or I might not understand it correctly.

Wiki says:
"If you're not sure about your DNS and reverse DNS configuration, you should
not use host based access, you should use IP address based access."

And also:
"If you want to just allow access from everywhere, just use "*" for the value
of nsAdminAccessAddresses."

I have done that and that was the situation when I wrote the first mail.

I have client address 192.168.13.72, reverse DNS works. I also have address
192.168.19.12, which has no reverse DNS name.

1. If I have
nsAdminAccessAddresses=*
nsAdminAccessHosts=*

I get error messages that I appended to my message, only reverse DNS address
works.

2. If I have
nsAdminAccessAddresses=
nsAdminAccessHosts=
(or I delete attributes)
Admin server does not start.

3. If I have
nsAdminAccessAddresses=*
nsAdminAccessHosts=

I cannot connect even if the reverse DNS is correct

[Fri Mar 03 19:18:14 2006] [notice] Access Address filter is: *
[Fri Mar 03 19:18:15 2006] [notice] Access Address filter is: *
[Fri Mar 03 19:18:15 2006] [notice] Apache/2.0 configured -- resuming normal operations
[Fri Mar 03 19:18:15 2006] [notice] [client 192.168.13.72] admserv_host_ip_check: Unauthorized host ip=192.168.13.72, connection rejected
[Fri Mar 03 19:18:18 2006] [notice] [client 192.168.13.72] admserv_host_ip_check: Unauthorized host ip=192.168.13.72, connection rejected
[Fri Mar 03 19:18:21 2006] [notice] [client 192.168.13.72] admserv_host_ip_check: Unauthorized host ip=192.168.13.72, connection rejected
[Fri Mar 03 19:18:24 2006] [notice] [client 192.168.13.72] admserv_host_ip_check: Unauthorized host ip=192.168.13.72, connection rejected
[Fri Mar 03 19:18:27 2006] [notice] [client 192.168.13.72] admserv_host_ip_check: Unauthorized host ip=192.168.13.72, connection rejected

4. If I have
nsAdminAccessAddresses=
nsAdminAccessHosts=*

I can connect from address with working reverse DNS, not with
non-working-reverse DNS address.

5. If I have
nsAdminAccessAddresses=192.*.*.*
nsAdminAccessHosts=*

I can connect from address with working reverse DNS, not with
non-working-reverse DNS address.

6. If I have
nsAdminAccessAddresses=192.*.*.*
nsAdminAccessHosts=

I cannot connect from any address.

Any ideas, how this should be done? I need no access control, connections
should be allowed from anywhere.

Regards
Kimmo Koivisto

> >Hello
> >
> >I installed FDS 1.0.2 to the FC4 and tried to connect it with Admin
> >console.
> >
> >I have set Host filter to * and Address filter to *.
> >When I try to use admin console from client workstation which has working
> >reverse DNS address, connection works.
> >
> >But when I try to connect from workstation without working reverse DNS,
> >login fails:
> >
> >[Fri Mar 03 16:41:57 2006] [notice] Access Host filter is: *
> >[Fri Mar 03 16:41:57 2006] [notice] Access Address filter is: *
> >[Fri Mar 03 16:41:58 2006] [notice] Access Host filter is: *
> >[Fri Mar 03 16:41:58 2006] [notice] Access Address filter is: *
> >[Fri Mar 03 16:41:58 2006] [notice] Apache/2.0 configured -- resuming normal operations
> >[Fri Mar 03 16:44:06 2006] [notice] [client 192.168.19.12] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.19.12
> >[Fri Mar 03 16:44:06 2006] [warn] [client 192.168.19.12] admserv_host_ip_check: failed to get host by ip addr [192.168.19.12] - check your host and DNS configuration
> >[Fri Mar 03 16:44:06 2006] [notice] [client 192.168.19.12] admserv_host_ip_check: Unauthorized host ip=192.168.19.12, connection rejected
> >
> >
> >How to allow admin console connections to admin server from addresses that
> >do not have working reverse DNS?
> >
> >Best Regards
> >Kimmo Koivisto

From rmeggins at redhat.com Fri Mar 3 20:02:01 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 03 Mar 2006 13:02:01 -0700
Subject: [Fedora-directory-users] Admin console and reverse DNS
In-Reply-To: <200603031930.45214.kimmo.koivisto@surfeu.fi>
References: <200603031650.26280.kimmo.koivisto@surfeu.fi> <44086029.5080909@redhat.com> <200603031930.45214.kimmo.koivisto@surfeu.fi>
Message-ID: <4408A0B9.7060009@redhat.com>

Kimmo Koivisto wrote:

>Richard Megginson wrote (sent Friday 03 March 2006 17:26):
>
>>Does this help -
>>http://directory.fedora.redhat.com/wiki/Howto:AdminServerLDAPMgmt
>
>No, or I might not understand it correctly.
>
>Wiki says:
>"If you're not sure about your DNS and reverse DNS configuration, you should
>not use host based access, you should use IP address based access."
>
>And also:
>"If you want to just allow access from everywhere, just use "*" for the value
>of nsAdminAccessAddresses."
>
>I have done that and that was the situation when I wrote the first mail.
>
>I have client address 192.168.13.72, reverse DNS works. I also have address
>192.168.19.12, which has no reverse DNS name.
>
>1. If I have
>nsAdminAccessAddresses=*
>nsAdminAccessHosts=*
>
>I get error messages that I appended to my message, only reverse DNS address
>works.
>
>2. If I have
>nsAdminAccessAddresses=
>nsAdminAccessHosts=
>(or I delete attributes)
>Admin server does not start.
>
>3.
>If I have
>nsAdminAccessAddresses=*
>nsAdminAccessHosts=
>
>I cannot connect even if the reverse DNS is correct
>
>[Fri Mar 03 19:18:14 2006] [notice] Access Address filter is: *
>[Fri Mar 03 19:18:15 2006] [notice] Access Address filter is: *
>[Fri Mar 03 19:18:15 2006] [notice] Apache/2.0 configured -- resuming normal operations
>[Fri Mar 03 19:18:15 2006] [notice] [client 192.168.13.72] admserv_host_ip_check: Unauthorized host ip=192.168.13.72, connection rejected
>[Fri Mar 03 19:18:18 2006] [notice] [client 192.168.13.72] admserv_host_ip_check: Unauthorized host ip=192.168.13.72, connection rejected
>[Fri Mar 03 19:18:21 2006] [notice] [client 192.168.13.72] admserv_host_ip_check: Unauthorized host ip=192.168.13.72, connection rejected
>[Fri Mar 03 19:18:24 2006] [notice] [client 192.168.13.72] admserv_host_ip_check: Unauthorized host ip=192.168.13.72, connection rejected
>[Fri Mar 03 19:18:27 2006] [notice] [client 192.168.13.72] admserv_host_ip_check: Unauthorized host ip=192.168.13.72, connection rejected
>
>4. If I have
>nsAdminAccessAddresses=
>nsAdminAccessHosts=*
>
>I can connect from address with working reverse DNS, not with
>non-working-reverse DNS address.
>
>5. If I have
>nsAdminAccessAddresses=192.*.*.*
>nsAdminAccessHosts=*
>
>I can connect from address with working reverse DNS, not with
>non-working-reverse DNS address.
>
>6. If I have
>nsAdminAccessAddresses=192.*.*.*
>nsAdminAccessHosts=
>
>I cannot connect from any address.

This is a bug. For now, to make it work, specify
nsAdminAccessHosts=
and then for nsAdminAccessAddresses specify a pattern which _does not
match_ the client IP address.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=183925

>Any ideas, how this should be done? I need no access control, connections
>should be allowed from anywhere.
>
>Regards
>Kimmo Koivisto
>
>>>Hello
>>>
>>>I installed FDS 1.0.2 to the FC4 and tried to connect it with Admin
>>>console.
>>>
>>>I have set Host filter to * and Address filter to *. When I try to use
>>>admin console from client workstation which has working reverse DNS
>>>address, connection works.
>>>
>>>But when I try to connect from workstation without working reverse DNS,
>>>login fails:
>>>
>>>[Fri Mar 03 16:41:57 2006] [notice] Access Host filter is: *
>>>[Fri Mar 03 16:41:57 2006] [notice] Access Address filter is: *
>>>[Fri Mar 03 16:41:58 2006] [notice] Access Host filter is: *
>>>[Fri Mar 03 16:41:58 2006] [notice] Access Address filter is: *
>>>[Fri Mar 03 16:41:58 2006] [notice] Apache/2.0 configured -- resuming normal operations
>>>[Fri Mar 03 16:44:06 2006] [notice] [client 192.168.19.12] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.19.12
>>>[Fri Mar 03 16:44:06 2006] [warn] [client 192.168.19.12] admserv_host_ip_check: failed to get host by ip addr [192.168.19.12] - check your host and DNS configuration
>>>[Fri Mar 03 16:44:06 2006] [notice] [client 192.168.19.12] admserv_host_ip_check: Unauthorized host ip=192.168.19.12, connection rejected
>>>
>>>
>>>How to allow admin console connections to admin server from addresses that
>>>do not have working reverse DNS?
>>>
>>>Best Regards
>>>Kimmo Koivisto

From mont.rothstein at gmail.com Fri Mar 3 20:29:28 2006
From: mont.rothstein at gmail.com (Mont Rothstein)
Date: Fri, 3 Mar 2006 12:29:28 -0800
Subject: [Fedora-directory-users] Can't login to console
In-Reply-To: <4407BBD8.4060909@redhat.com>
References: <467a83630603021046n1d7c978cr7224b9dd0c611b60@mail.gmail.com> <4407527B.1060709@redhat.com> <467a83630603021249y72386565o3a7734590dd51c32@mail.gmail.com> <440770FE.5030507@redhat.com> <467a83630603021517i62aae207y2c230119bd32e204@mail.gmail.com> <4407BBD8.4060909@redhat.com>
Message-ID: <467a83630603031229s3f612273v192d38ff5db66595@mail.gmail.com>

If I use the FQDN I get the following:

ldap_simple_bind: Can't connect to the LDAP server - No route to host

However, if I use the IP address, localhost or just the server name (not the
FQDN) it sits there for several minutes (5?) and then comes back with:

ldap_simple_bind: Can't connect LDAP server

It is totally possible that I have something hosed in DNS but I've run every
test I can think of and it seems to work.

Any ideas?

-Mont

On 3/2/06, Richard Megginson wrote:
>
>
> Try putting in your host and port explicitly e.g.
> ldapsearch -x -h yourhost -p yourport -s base -b "" "objectclass=*"
>

From jbender at b-ainc.com Fri Mar 3 20:36:35 2006
From: jbender at b-ainc.com (Jeremy Bender)
Date: Fri, 03 Mar 2006 14:36:35 -0600
Subject: [Fedora-directory-users] Slapd error 153 installing FDS 1.0.2 on FC4
Message-ID: <4408A8D3.3070404@b-ainc.com>

Hello,

Pardon me if this has been covered before, I've googled for the answer,
searched bugzilla, RTFM, etc, to no avail.
I am trying to install FDS 1.0.2 on a Dell Precision 330 running a freshly
installed and updated copy of FC4 following the instructions here:
http://directory.fedora.redhat.com/wiki/Setup

After answering the setup questions I get the following message:

[03/Mar/2006:14:13:29 -0600] - Fedora-Directory/1.0.2 B2006.060.1951 starting up
[slapd-fds]: [03/Mar/2006:14:13:30 -0600] - slapd started. Listening on All Interfaces port 389 for LDAP requests
Your new directory server has been started.
Created new Directory Server
Start Slapd Starting Slapd server configuration.
Fatal Slapd ERROR: Ldap authentication failed for url ldap://mail.b-ainc.com:389/o=NetscapeRoot user id admin (153:Unknown error.)
Fatal Slapd Did not add Directory Server information to Configuration Server.
Configuring Administration Server...
Setting up Administration Server Instance...
ERROR: Administration Server configuration failed.
You can now use the console. Here is the command to use to start the console:
cd /opt/fedora-ds
./startconsole -u admin -a http://mail.b-ainc.com:1500/
INFO Finished with setup, logfile is setup/setup.log

Running startconsole as specified does not work.

I'd really appreciate it if someone could point me in the right
direction, as I'm stumped. Firewall and SELinux are completely disabled
on this system, DNS resolution works forward and reverse. I'll paste the
contents of setup.log and install.inf at the end of this email, and will
be happy to provide any other info requested.

Thanks in advance!

Jeremy Bender
jbender at b-ainc.com


setup.log contents:

[root at mail bin]# cat /opt/fedora-ds/setup/setup.log

[06/03/01:11:58:58] - [Setup] Info Start...
[06/03/01:11:58:58] - [Setup] Info Start binary installation...
[06/03/01:11:58:58] - [Setup] Info PreInstall phrase...
[06/03/01:11:58:58] - [Setup] Info Unzip component binaries...
[06/03/01:11:58:58] - [Setup] Info Extracting Fedora core components ...
[06/03/01:11:59:03] - [Setup] Info DONE INFO Begin Setup . . . [slapd-fds]: starting up server ... [slapd-fds]: Fedora-Directory/1.0.2 B2006.060.1951 [slapd-fds]: mail.b-ainc.com:389 (/opt/fedora-ds/slapd-fds) [slapd-fds]: [slapd-fds]: [03/Mar/2006:14:29:52 -0600] - Fedora-Directory/1.0.2 B2006.060.1951 starting up [slapd-fds]: [03/Mar/2006:14:29:53 -0600] - slapd started. Listening on All Interfaces port 389 for LDAP requests Your new directory server has been started. Created new Directory Server Start Slapd Starting Slapd server configuration. Fatal Slapd ERROR: Ldap authentication failed for url ldap://mail.b-ainc.com:389/o=NetscapeRoot user id admin (153:Unknown error.) Fatal Slapd Did not add Directory Server information to Configuration Server. Configuring Administration Server... Your parameters are now entered into the Administration Server database, and the Administration Server will be started. Changing ownership to admin user root... Setting up Administration Server Instance... ERROR: Ldap authentication failed (153:Unknown error.) You can now use the console. 
Here is the command to use to start the console:
cd /opt/fedora-ds
./startconsole -u admin -a http://mail.b-ainc.com:1500/
INFO Finished with setup, logfile is setup/setup.log


install.inf contents:

[root at mail bin]# cat /root/install.inf
[General]
FullMachineName= mail.b-ainc.com
SuiteSpotUserID= nobody
SuiteSpotGroup= nobody
ServerRoot= /opt/fedora-ds
AdminDomain= b-ainc.com
ConfigDirectoryAdminID= admin
ConfigDirectoryAdminPwd= password
ConfigDirectoryLdapURL= ldap://mail.b-ainc.com:389/o=NetscapeRoot
UserDirectoryAdminID= admin
UserDirectoryAdminPwd= password
UserDirectoryLdapURL= ldap://mail.b-ainc.com:389/dc=b-ainc,dc=com

[slapd]
SlapdConfigForMC= Yes
SecurityOn= No
UseExistingMC= No
UseExistingUG= No
ServerPort= 389
ServerIdentifier= fds
Suffix= dc=b-ainc, dc=com
RootDN= cn=Directory Manager
AddSampleEntries= No
InstallLdifFile= suggest
AddOrgEntries= Yes
DisableSchemaChecking= No
RootDNPwd= password

[admin]
SysUser= root
Port= 1500
ServerIpAddress=
ServerAdminID= admin
ServerAdminPwd= password
ApacheDir= /usr/sbin/
ApacheRoot= /etc/httpd
[root at mail bin]#

From rmeggins at redhat.com Fri Mar 3 20:41:10 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 03 Mar 2006 13:41:10 -0700
Subject: [Fedora-directory-users] Slapd error 153 installing FDS 1.0.2 on FC4
In-Reply-To: <4408A8D3.3070404@b-ainc.com>
References: <4408A8D3.3070404@b-ainc.com>
Message-ID: <4408A9E6.8000907@redhat.com>

Jeremy Bender wrote:

>Hello,
>
>Pardon me if this has been covered before, I've googled for the answer,
>searched bugzilla, RTFM, etc, to no avail. I am trying to install FDS
>1.0.2 on a Dell Precision 330 running a freshly installed and updated
>copy of FC4 following the instructions here:
>http://directory.fedora.redhat.com/wiki/Setup
>
>After answering the setup questions I get the following message:
>
>[03/Mar/2006:14:13:29 -0600] - Fedora-Directory/1.0.2 B2006.060.1951 starting up
>[slapd-fds]: [03/Mar/2006:14:13:30 -0600] - slapd started.
>Listening on All Interfaces port 389 for LDAP requests
>Your new directory server has been started.
>Created new Directory Server
>Start Slapd Starting Slapd server configuration.
>Fatal Slapd ERROR: Ldap authentication failed for url ldap://mail.b-ainc.com:389/o=NetscapeRoot user id admin (153:Unknown error.)

This usually indicates a problem with network and/or DNS configuration.
But you've said your DNS and reverse DNS are correct. Check your
/etc/nsswitch.conf if you are not using DNS (e.g. files or nis).

>Fatal Slapd Did not add Directory Server information to Configuration Server.
>Configuring Administration Server...
>Setting up Administration Server Instance...
>ERROR: Administration Server configuration failed.
>You can now use the console. Here is the command to use to start the console:
>cd /opt/fedora-ds
>./startconsole -u admin -a http://mail.b-ainc.com:1500/
>INFO Finished with setup, logfile is setup/setup.log
>
>Running startconsole as specified does not work.
>
>I'd really appreciate it if someone could point me in the right
>direction, as I'm stumped. Firewall and SELinux are completely disabled
>on this system, DNS resolution works forward and reverse. I'll paste the
>contents of setup.log and install.inf at the end of this email, and will
>be happy to provide any other info requested.
>
>Thanks in advance!
>
>Jeremy Bender
>jbender at b-ainc.com
>
>
>setup.log contents:
>
>[root at mail bin]# cat /opt/fedora-ds/setup/setup.log
>
>[06/03/01:11:58:58] - [Setup] Info Start...
>[06/03/01:11:58:58] - [Setup] Info Start binary installation...
>[06/03/01:11:58:58] - [Setup] Info PreInstall phrase...
>[06/03/01:11:58:58] - [Setup] Info Unzip component binaries...
>[06/03/01:11:58:58] - [Setup] Info Extracting Fedora core components ...
>
>[06/03/01:11:59:03] - [Setup] Info PostInstall phrase...
>[06/03/01:11:59:03] - [Setup] Info DONE
>INFO Begin Setup . . .
>[slapd-fds]: starting up server ...
>[slapd-fds]: Fedora-Directory/1.0.2 B2006.060.1951 >[slapd-fds]: mail.b-ainc.com:389 (/opt/fedora-ds/slapd-fds) >[slapd-fds]: >[slapd-fds]: [03/Mar/2006:14:29:52 -0600] - Fedora-Directory/1.0.2 >B2006.060.1951 starting up >[slapd-fds]: [03/Mar/2006:14:29:53 -0600] - slapd started. Listening on >All Interfaces port 389 for LDAP requests >Your new directory server has been started. >Created new Directory Server >Start Slapd Starting Slapd server configuration. >Fatal Slapd ERROR: Ldap authentication failed for url >ldap://mail.b-ainc.com:389/o=NetscapeRoot user id admin (153:Unknown error.) >Fatal Slapd Did not add Directory Server information to Configuration >Server. >Configuring Administration Server... >Your parameters are now entered into the Administration Server >database, and the Administration Server will be started. > >Changing ownership to admin user root... >Setting up Administration Server Instance... >ERROR: Ldap authentication failed (153:Unknown error.) >You can now use the console. 
Here is the command to use to start the >console: >cd /opt/fedora-ds >./startconsole -u admin -a http://mail.b-ainc.com:1500/ >INFO Finished with setup, logfile is setup/setup.log > > >install.inf contents: > >[root at mail bin]# cat /root/install.inf >[General] >FullMachineName= mail.b-ainc.com >SuiteSpotUserID= nobody >SuiteSpotGroup= nobody >ServerRoot= /opt/fedora-ds >AdminDomain= b-ainc.com >ConfigDirectoryAdminID= admin >ConfigDirectoryAdminPwd= password >ConfigDirectoryLdapURL= ldap://mail.b-ainc.com:389/o=NetscapeRoot >UserDirectoryAdminID= admin >UserDirectoryAdminPwd= password >UserDirectoryLdapURL= ldap://mail.b-ainc.com:389/dc=b-ainc,dc=com > >[slapd] >SlapdConfigForMC= Yes >SecurityOn= No >UseExistingMC= No >UseExistingUG= No >ServerPort= 389 >ServerIdentifier= fds >Suffix= dc=b-ainc, dc=com >RootDN= cn=Directory Manager >AddSampleEntries= No >InstallLdifFile= suggest >AddOrgEntries= Yes >DisableSchemaChecking= No >RootDNPwd= password > >[admin] >SysUser= root >Port= 1500 >ServerIpAddress= >ServerAdminID= admin >ServerAdminPwd= password >ApacheDir= /usr/sbin/ >ApacheRoot= /etc/httpd >[root at mail bin]# > > >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -------------- next part -------------- A non-text attachment was scrubbed... 
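The check suggested in the reply above (which sources /etc/nsswitch.conf consults for hosts, and what the "files" source answers) can be scripted. This is an added example, not part of the thread or of Fedora DS: the function names, the sample files and the 192.0.2.x addresses are constructed, and the expected address is assumed to be the one authoritative DNS returns.

```shell
#!/bin/sh
# Added example, not from the thread: compare what the "files" source
# (/etc/hosts) answers for a host name with the address it should have.

# hosts_sources NSSWITCH_FILE
# Print the lookup sources on the "hosts:" line in order, without
# bracketed action items such as [NOTFOUND=return].
hosts_sources() {
    awk '$1 == "hosts:" {
        out = ""; skipping = 0
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^#/) break
            if (skipping || $i ~ /^\[/) { skipping = ($i !~ /\]$/); continue }
            out = out (out == "" ? "" : " ") $i
        }
        print out
        exit
    }' "$1"
}

# hosts_file_lookup NAME HOSTS_FILE
# Print the address of the first entry naming NAME (canonical name or alias).
hosts_file_lookup() {
    awk -v name="$1" '
        { sub(/#.*/, "") }
        {
            for (i = 2; i <= NF; i++)
                if (tolower($i) == tolower(name)) { print $1; exit }
        }' "$2"
}

# check_host_entry NAME EXPECTED_IP NSSWITCH_FILE HOSTS_FILE
# Returns 0 if the hosts file cannot mislead the resolver for NAME,
# 1 if "files" is consulted first and holds a different address,
# 2 if a different address is present but another source is asked first.
check_host_entry() {
    name=$1 expected=$2
    sources=$(hosts_sources "$3")
    in_files=$(hosts_file_lookup "$name" "$4")
    case " $sources " in
        *" files "*) ;;
        *) echo "ok: files is not consulted for hosts ($sources)"; return 0 ;;
    esac
    if [ -z "$in_files" ]; then
        echo "ok: $name is not in the hosts file ($sources)"
        return 0
    fi
    if [ "$in_files" = "$expected" ]; then
        echo "ok: hosts file agrees ($name -> $in_files)"
        return 0
    fi
    first=${sources%% *}
    if [ "$first" = "files" ]; then
        echo "mismatch: files is consulted first and maps $name to $in_files, expected $expected"
        return 1
    fi
    echo "warning: hosts file maps $name to $in_files, used only if $first gives no answer"
    return 2
}

# Constructed sample data: the expected address is 192.0.2.20, but an old
# hosts entry still points the name at 192.0.2.10 and files is listed first.
demo_dir=$(mktemp -d)
cat > "$demo_dir/nsswitch.conf" <<'EOF'
passwd:     files
hosts:      files dns
EOF
cat > "$demo_dir/hosts" <<'EOF'
127.0.0.1   localhost.localdomain localhost
192.0.2.10  mail.example.com mail   # left over from the previous machine
EOF
check_host_entry mail.example.com 192.0.2.20 "$demo_dir/nsswitch.conf" "$demo_dir/hosts"
echo "status: $?"
rm -rf "$demo_dir"
```

On a real host the last two arguments would be /etc/nsswitch.conf and /etc/hosts.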
From kimmo.koivisto at surfeu.fi Fri Mar 3 20:55:57 2006
From: kimmo.koivisto at surfeu.fi (Kimmo Koivisto)
Date: Fri, 3 Mar 2006 22:55:57 +0200
Subject: [Fedora-directory-users] Admin console and reverse DNS
In-Reply-To: <4408A0B9.7060009@redhat.com>
References: <200603031650.26280.kimmo.koivisto@surfeu.fi>
 <200603031930.45214.kimmo.koivisto@surfeu.fi>
 <4408A0B9.7060009@redhat.com>
Message-ID: <200603032255.58082.kimmo.koivisto@surfeu.fi>

Richard Megginson wrote in his message (sent Friday 03 March 2006 22:02):
> >6. If I have
> >nsAdminAccessAddresses=192.*.*.*
> >nsAdminAccessHosts=
> >
> >I cannot connect from any address.
>
> This is a bug. For now, to make it work, specify
> nsAdminAccessHosts=
> and then for nsAdminAccessAddresses specify a pattern which _does not
> match_ the client IP address.
>
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=183925
>

Thank you, it worked.
I defined
nsAdminAccessAddresses=255.255.255.255
and
nsAdminAccessHosts=

Regards
Kimmo

From jbender at b-ainc.com Fri Mar 3 21:06:41 2006
From: jbender at b-ainc.com (Jeremy Bender)
Date: Fri, 03 Mar 2006 15:06:41 -0600
Subject: [Fedora-directory-users] Slapd error 153 installing FDS 1.0.2 on FC4
In-Reply-To: <4408A9E6.8000907@redhat.com>
References: <4408A8D3.3070404@b-ainc.com> <4408A9E6.8000907@redhat.com>
Message-ID: <4408AFE1.8070900@b-ainc.com>

Richard,

Thank you for the response. Your suggestion got me pointed in the right
direction: An old line in the /etc/hosts was pointing this system's
hostname to the ip of the system that used to have that name, so
resolution through dns returned the correct answer, but 'files' was
specified first in nssearch, and thus the system was using the value
from the hosts file.

Thanks again!

Jeremy

Richard Megginson wrote:
> Jeremy Bender wrote:
>
>> Hello,
>>
>> Pardon me if this has been covered before, I've googled for the answer,
>> searched bugzilla, RTFM, etc, to no avail. I am trying to install FDS
>> 1.0.2 on a Dell Precision 330 running a freshly installed and updated
>> copy of FC4 following the instructions here:
>> http://directory.fedora.redhat.com/wiki/Setup
>>
>> After answering the setup questions I get the following message:
>>
>> [03/Mar/2006:14:13:29 -0600] - Fedora-Directory/1.0.2 B2006.060.1951
>> starting up
>> [slapd-fds]: [03/Mar/2006:14:13:30 -0600] - slapd started. Listening on
>> All Interfaces port 389 for LDAP requests
>> Your new directory server has been started.
>> Created new Directory Server
>> Start Slapd Starting Slapd server configuration.
>> Fatal Slapd ERROR: Ldap authentication failed for url
>> ldap://mail.b-ainc.com:389/o=NetscapeRoot user id admin (153:Unknown
>> error.)
>>
>>
> This usually indicates a problem with network and/or DNS configuration.
> But you've said your DNS and reverse DNS are correct. Check your
> /etc/nsswitch.conf if you are not using DNS (e.g. files or nis).
>
>> Fatal Slapd Did not add Directory Server information to Configuration
>> Server.
>> Configuring Administration Server...
>> Setting up Administration Server Instance...
>> ERROR: Administration Server configuration failed.
>> You can now use the console. Here is the command to use to start the
>> console:
>> cd /opt/fedora-ds
>> ./startconsole -u admin -a http://mail.b-ainc.com:1500/
>> INFO Finished with setup, logfile is setup/setup.log
>>
>> Running startconsole as specified does not work.
>>
>> I'd really appreciate it if someone could point me in the right
>> direction, as I'm stumped. Firewall and SELinux are completely disabled
>> on this system, DNS resolution works forward and reverse. I'll paste the
>> contents of setup.log and install.inf at the end of this email, and will
>> be happy to provide any other info requested.
>>
>> Thanks in advance!
>>
>> Jeremy Bender
>> jbender at b-ainc.com
>>
>>
>> setup.log contents:
>>
>> [root at mail bin]# cat /opt/fedora-ds/setup/setup.log
>>
>> [06/03/01:11:58:58] - [Setup] Info Start...
>> [06/03/01:11:58:58] - [Setup] Info Start binary installation...
>> [06/03/01:11:58:58] - [Setup] Info PreInstall phrase...
>> [06/03/01:11:58:58] - [Setup] Info Unzip component binaries...
>> [06/03/01:11:58:58] - [Setup] Info Extracting Fedora core components ...
>>
>> [06/03/01:11:59:03] - [Setup] Info PostInstall phrase...
>> [06/03/01:11:59:03] - [Setup] Info DONE
>> INFO Begin Setup . . .
>> [slapd-fds]: starting up server ...
>> [slapd-fds]: Fedora-Directory/1.0.2 B2006.060.1951
>> [slapd-fds]: mail.b-ainc.com:389 (/opt/fedora-ds/slapd-fds)
>> [slapd-fds]:
>> [slapd-fds]: [03/Mar/2006:14:29:52 -0600] - Fedora-Directory/1.0.2
>> B2006.060.1951 starting up
>> [slapd-fds]: [03/Mar/2006:14:29:53 -0600] - slapd started. Listening on
>> All Interfaces port 389 for LDAP requests
>> Your new directory server has been started.
>> Created new Directory Server
>> Start Slapd Starting Slapd server configuration.
>> Fatal Slapd ERROR: Ldap authentication failed for url
>> ldap://mail.b-ainc.com:389/o=NetscapeRoot user id admin (153:Unknown
>> error.)
>> Fatal Slapd Did not add Directory Server information to Configuration
>> Server.
>> Configuring Administration Server...
>> Your parameters are now entered into the Administration Server
>> database, and the Administration Server will be started.
>>
>> Changing ownership to admin user root...
>> Setting up Administration Server Instance...
>> ERROR: Ldap authentication failed (153:Unknown error.)
>> You can now use the console. Here is the command to use to start the
>> console:
>> cd /opt/fedora-ds
>> ./startconsole -u admin -a http://mail.b-ainc.com:1500/
>> INFO Finished with setup, logfile is setup/setup.log
>>
>>
>> install.inf contents:
>>
>> [root at mail bin]# cat /root/install.inf
>> [General]
>> FullMachineName= mail.b-ainc.com
>> SuiteSpotUserID= nobody
>> SuiteSpotGroup= nobody
>> ServerRoot= /opt/fedora-ds
>> AdminDomain= b-ainc.com
>> ConfigDirectoryAdminID= admin
>> ConfigDirectoryAdminPwd= password
>> ConfigDirectoryLdapURL= ldap://mail.b-ainc.com:389/o=NetscapeRoot
>> UserDirectoryAdminID= admin
>> UserDirectoryAdminPwd= password
>> UserDirectoryLdapURL= ldap://mail.b-ainc.com:389/dc=b-ainc,dc=com
>>
>> [slapd]
>> SlapdConfigForMC= Yes
>> SecurityOn= No
>> UseExistingMC= No
>> UseExistingUG= No
>> ServerPort= 389
>> ServerIdentifier= fds
>> Suffix= dc=b-ainc, dc=com
>> RootDN= cn=Directory Manager
>> AddSampleEntries= No
>> InstallLdifFile= suggest
>> AddOrgEntries= Yes
>> DisableSchemaChecking= No
>> RootDNPwd= password
>>
>> [admin]
>> SysUser= root
>> Port= 1500
>> ServerIpAddress=
>> ServerAdminID= admin
>> ServerAdminPwd= password
>> ApacheDir= /usr/sbin/
>> ApacheRoot= /etc/httpd
>> [root at mail bin]#

From jo.de.troy at gmail.com Fri Mar 3 21:58:19 2006
From: jo.de.troy at gmail.com (Jo De Troy)
Date: Fri, 3 Mar 2006 22:58:19 +0100
Subject: [Fedora-directory-users] rpm upgrade fails
Message-ID:

Hello,

I wanted to upgrade from fedora-ds-1.0.1 on CentOS4 to the latest release
1.0.2 and I got:

root# rpm -Uvh fedora-ds-1.0.2-1.RHEL4.i386.opt.rpm
error: %pre(fedora-ds-1.0.2-1.RHEL4.i386) scriptlet failed, exit status 255
error: install: %pre scriptlet failed (2), skipping fedora-ds-1.0.2-1.RHEL4

Any ideas?

Best Regards,
Jo

From rmeggins at redhat.com Fri Mar 3 22:07:59 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 03 Mar 2006 15:07:59 -0700
Subject: [Fedora-directory-users] rpm upgrade fails
In-Reply-To:
References:
Message-ID: <4408BE3F.6090707@redhat.com>

Jo De Troy wrote:

> Hello,
>
> I wanted to upgrade from fedora-ds-1.0.1 on CentOS4 to the latest
> release 1.0.2 and I got:
>
> root# rpm -Uvh fedora-ds-1.0.2-1.RHEL4.i386.opt.rpm
> error: %pre(fedora-ds-1.0.2-1.RHEL4.i386) scriptlet failed, exit
> status 255
> error: install: %pre scriptlet failed (2), skipping
> fedora-ds-1.0.2-1.RHEL4
>
> Any ideas?

This is the %pre section:

# in case upgrade, need to shutdown the servers before the installation
ls $RPM_INSTALL_PREFIX/slapd-* > /dev/null 2>&1
if [ $? -eq 0 ]; then
    for instance in `ls -d $RPM_INSTALL_PREFIX/slapd-*`
    do
        if [ -f $instance/logs/pid ]; then
            pid=`cat $instance/logs/pid`
            psval=`ps -ef | egrep $pid`
            if [ "$psval" != "" ]; then
                $instance/stop-slapd
            fi
        fi
    done
fi
if [ -f $RPM_INSTALL_PREFIX/admin-serv/logs/pid ]; then
    pid=`cat $RPM_INSTALL_PREFIX/admin-serv/logs/pid`
    psval=`ps -ef | egrep $pid`
    if [ "$psval" != "" ]; then
        $RPM_INSTALL_PREFIX/stop-admin
    fi
fi

So, I'm not sure, perhaps your servers are not running, or they are
reporting some error attempting to stop them. If they are not running,
and you don't want to or can't start them, try just removing the pid
files referenced above.

>
> Best Regards,
> Jo
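Before removing pid files as suggested above, it helps to know which of them are actually stale. The following is an added example, not code from the fedora-ds package or from the thread. The `ps -ef | egrep $pid` test in the %pre section matches any process line that merely contains those digits, so this version tests the exact PID with `kill -0`; the function names and the sample directory tree are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or the fedora-ds package: classify the
# pid files the %pre section reads and remove only the stale ones.

# pid_state PIDFILE -> prints one of: missing, invalid, running, stale
pid_state() {
    if [ ! -f "$1" ]; then echo missing; return 0; fi
    pid=$(tr -d ' \t\r\n' < "$1")
    case $pid in
        ''|0|*[!0-9]*) echo invalid; return 0 ;;
    esac
    # kill -0 sends no signal; it only tests that this exact PID exists.
    # Run it as root (as rpm scriptlets are), otherwise a process owned by
    # another user is reported as stale.
    if kill -0 "$pid" 2>/dev/null; then echo running; else echo stale; fi
}

# list_pidfiles PREFIX -> existing pid files under PREFIX, one per line
list_pidfiles() {
    for f in "$1"/slapd-*/logs/pid "$1"/admin-serv/logs/pid; do
        if [ -f "$f" ]; then echo "$f"; fi
    done
}

# report_pidfiles PREFIX -> one "STATE PATH" line per pid file
report_pidfiles() {
    list_pidfiles "$1" | while IFS= read -r f; do
        echo "$(pid_state "$f") $f"
    done
}

# remove_stale_pidfiles PREFIX -> delete pid files whose process is gone and
# print each removed path; "invalid" files are left for manual review.
remove_stale_pidfiles() {
    list_pidfiles "$1" | while IFS= read -r f; do
        if [ "$(pid_state "$f")" = stale ]; then
            rm -f -- "$f" && echo "$f"
        fi
    done
}

# Constructed tree standing in for the install prefix
# (/opt/fedora-ds in the thread).
demo=$(mktemp -d)
mkdir -p "$demo/slapd-live/logs" "$demo/slapd-dead/logs" "$demo/admin-serv/logs"
echo "$$" > "$demo/slapd-live/logs/pid"          # this shell, so: running
echo 999999999 > "$demo/slapd-dead/logs/pid"     # constructed PID, assumed unused
echo "not-a-pid" > "$demo/admin-serv/logs/pid"   # damaged file: invalid
report_pidfiles "$demo"
echo "removed:"
remove_stale_pidfiles "$demo"
rm -rf "$demo"
```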
From jo.de.troy at gmail.com Fri Mar 3 22:34:33 2006
From: jo.de.troy at gmail.com (Jo De Troy)
Date: Fri, 3 Mar 2006 23:34:33 +0100
Subject: [Fedora-directory-users] rpm upgrade fails
Message-ID:

Hi Rich,
that didn't work either.
I removed the rpm without executing scripts (rpm -e --noscripts ) and tried
to install the latest version.
Now I get an error in the %pre scriptlet
error: %pre(fedora-ds-1.0.2-1.RHEL4.i386 ) scriptlet failed, exit status 255
error: install: %pre scriptlet failed (2), skipping fedora-ds-1.0.2-1.RHEL4

Best Regards,
Jo

From rmeggins at redhat.com Fri Mar 3 23:08:50 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 03 Mar 2006 16:08:50 -0700
Subject: [Fedora-directory-users] rpm upgrade fails
In-Reply-To:
References:
Message-ID: <4408CC82.8070405@redhat.com>

Jo De Troy wrote:

> Hi Rich,
> that didn't work either.
> I removed the rpm without executing scripts (rpm -e --noscripts ) and
> tried to install the latest version.
> Now I get an error in the %pre scriptlet
> error: %pre(fedora-ds-1.0.2-1.RHEL4.i386 ) scriptlet failed, exit
> status 255
> error: install: %pre scriptlet failed (2), skipping
> fedora-ds-1.0.2-1.RHEL4

You completely removed your old fedora-ds installation? If so, do an rm
-rf /opt/fedora-ds, then try to reinstall (using rpm -ivh). Or, if
there is some rpm flag you can use to turn on verbose output of pre and
post sections, try that too. All the %pre section does is shutdown any
existing servers. If you have removed everything, then I'm not sure
what the problem is. Is there some way to do rpm -i --nopre or
something like that? Unfortunately, the %post scripts are required.
You can install the server with no scripts at all, but you will have to
manually apply the patch setup/console-ld-libpath.patch.

>
>
> Best Regards,
> Jo

From mont.rothstein at gmail.com Fri Mar 3 23:20:03 2006
From: mont.rothstein at gmail.com (Mont Rothstein)
Date: Fri, 3 Mar 2006 15:20:03 -0800
Subject: [Fedora-directory-users] Can't login to console
In-Reply-To: <467a83630603031229s3f612273v192d38ff5db66595@mail.gmail.com>
References: <467a83630603021046n1d7c978cr7224b9dd0c611b60@mail.gmail.com>
 <4407527B.1060709@redhat.com>
 <467a83630603021249y72386565o3a7734590dd51c32@mail.gmail.com>
 <440770FE.5030507@redhat.com>
 <467a83630603021517i62aae207y2c230119bd32e204@mail.gmail.com>
 <4407BBD8.4060909@redhat.com>
 <467a83630603031229s3f612273v192d38ff5db66595@mail.gmail.com>
Message-ID: <467a83630603031520t5a525fd9n96bc7045ac7ccf3@mail.gmail.com>

OK, I figured this out. I had two problems.

1) The FQDN in my hosts file was wrong. After I fixed this I stopped seeing
entries in admin-serv/logs/errors but it still wasn't working.

2) I edited my /etc/nsswitch.conf and put dns before files on the hosts
line. Once I did that the console started up.

Thanks to everyone for their suggestions.

-Mont

On 3/3/06, Mont Rothstein wrote:
>
> If I use the FQDN I get the following:
>
> ldap_simple_bind: Can't connect to the LDAP server - No route to host
>
> However, if I use the IP address, localhost or just the server name (not
> the FQDN) it sits there for several minutes (5?) and then comes back with:
>
> ldap_simple_bind: Can't connect LDAP server
>
> It is totally possible that I have something hosed in DNS but I've run
> every test I can think of and it seems to work.
>
> Any ideas?
>
> -Mont
>
>
>
> On 3/2/06, Richard Megginson wrote:
> >
> >
> > Try putting in your host and port explicitly e.g.
> > ldapsearch -x -h yourhost -p yourport -s base -b "" "objectclass=*"
> >
> >
>

From jo.de.troy at gmail.com Fri Mar 3 23:22:09 2006
From: jo.de.troy at gmail.com (Jo De Troy)
Date: Sat, 4 Mar 2006 00:22:09 +0100
Subject: [Fedora-directory-users] rpm upgrade fails
Message-ID:

Hi Rich,

I totally removed the old rpm and the /opt/fedora-ds directory then I
installed the rpm without processing the pre-scripts
root%rpm --nopre -ivh /tmp/fedora-ds-1.0.2-1.RHEL4.i386.opt.rpm
Preparing...                ########################################### [100%]
   1:fedora-ds              ########################################### [100%]
error: %post(fedora-ds-1.0.2-1.RHEL4.i386) scriptlet failed, exit status 255
[root at tux opt]# rpm -q fedora-ds
fedora-ds-1.0.2-1.RHEL4
So it seems installed but I do get an error in the %post section
Can I see what exactly is in the different sections? Is there a spec file I
can download somewhere?
Could it be my rpm db is corrupt? I already tried rebuilding this, but it
didn't help.

Jo

From rmeggins at redhat.com Sat Mar 4 02:26:14 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 03 Mar 2006 19:26:14 -0700
Subject: [Fedora-directory-users] rpm upgrade fails
In-Reply-To:
References:
Message-ID: <4408FAC6.9020305@redhat.com>

Jo De Troy wrote:

> Hi Rich,
>
> I totally removed the old rpm and the /opt/fedora-ds directory then I
> installed the rpm without processing the pre-scripts
> root%rpm --nopre -ivh /tmp/fedora-ds-1.0.2-1.RHEL4.i386.opt.rpm
> Preparing...
> ########################################### [100%]
> 1:fedora-ds
> ########################################### [100%]
> error: %post(fedora-ds-1.0.2-1.RHEL4.i386) scriptlet failed, exit
> status 255
> [root at tux opt]# rpm -q fedora-ds
> fedora-ds-1.0.2-1.RHEL4
> So it seems installed but I do get an error in the %post section
> Can I see what exactly is in the different sections? Is there a spec
> file I can download somewhere?

http://cvs.fedora.redhat.com/lxr/dirsec/source/ldapserver/ldapserver.spec.tmpl

The %post section begins at line 120. Note that you can also do an rpm
install without running the post section, you'll have to apply the
console-ld-libpath.patch manually:
patch -p0 < setup/console-ld-libpath.patch

> Could it be my rpm db is corrupt? I already tried rebuilding this, but
> it didn't help.
>
> Jo

From mj at sci.fi Sat Mar 4 15:04:49 2006
From: mj at sci.fi (Mike Jackson)
Date: Sat, 04 Mar 2006 17:04:49 +0200
Subject: [Fedora-directory-users] Password Policy Request/Response Control does not work
Message-ID: <4409AC91.8060601@sci.fi>

Hi,
Tested with 7.1.2 and 1.0.2, same result. The Password Policy
Request/Response Control does not work. I have written code to test it,
as well as tested it with an OpenLDAP 2.3 client tool which supports
sending the control request and decoding the control response. The
control request is sent to the server, but it is not returned to the
client.

I enabled the password syntax checking and then tried to change the
password to one which would obviously fail.

Example test:

ldappasswd \
    -a foobar \
    -s foo \
    -h directory.netauth.com \
    -D "uid=jacksonm,ou=users,dc=netauth,dc=com" \
    -x \
    -Z \
    -w foobar \
    -e ppolicy

Result: Constraint violation (19)
Additional info: Failed to update password

This is only the error from the modify password operation, but nothing
from the password policy response. I expected a response equivalent to
the corresponding ASN schema: "passwordTooShort".

Is this a bug, or are there some secret switches to toggle to get the
password policy controls working?

BR,
--
Mike

From minfrin at sharp.fm Sat Mar 4 16:06:56 2006
From: minfrin at sharp.fm (Graham Leggett)
Date: Sat, 04 Mar 2006 18:06:56 +0200
Subject: [Fedora-directory-users] Switching off host filter in admin server - how?
Message-ID: <4409BB20.1090501@sharp.fm>

Hi all,

Having got my brand new DS v1.0.2 up and running, and the admin server
started up, I discover that the admin server has arbitrarily placed a
host check of *.domain.com onto the server, effectively locking me out
of the admin server (my client machine is not in *.domain.com).

No worries, grep finds this setting in admin-serv/config/local.conf, so
I change it there - no effect.

Ok, maybe this setting is in the directory itself. I do a subsearch of
cn=config on the directory, and I cannot find this setting anywhere there.

So I start on the docs - and am faced with an encyclopaedia of information.

Any ideas where the setting is to handle host settings?

Regards,
Graham
--

From rmeggins at redhat.com Sat Mar 4 16:21:47 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Sat, 04 Mar 2006 09:21:47 -0700
Subject: [Fedora-directory-users] Switching off host filter in admin server - how?
In-Reply-To: <4409BB20.1090501@sharp.fm>
References: <4409BB20.1090501@sharp.fm>
Message-ID: <4409BE9B.5000802@redhat.com>

Graham Leggett wrote:

> Hi all,
>
> Having got my brand new DS v1.0.2 up and running, and the admin server
> started up, I discover that the admin server has arbitrarily placed a
> host check of *.domain.com onto the server, effectively locking me out
> of the admin server (my client machine is not in *.domain.com).

See http://directory.fedora.redhat.com/wiki/Howto:AdminServerLDAPMgmt
and
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=183925

>
> No worries, grep finds this setting in admin-serv/config/local.conf,
> so I change it there - no effect.

That's a read only cache of the actual config info stored in the ds.

>
> Ok, maybe this setting is in the directory itself. I do a subsearch of
> cn=config on the directory, and I cannot find this setting anywhere
> there.

Admin Server stores its config under o=netscaperoot -
http://directory.fedora.redhat.com/wiki/Howto:AdminServerLDAPMgmt

>
> So I start on the docs - and am faced with an encyclopaedia of
> information.
>
> Any ideas where the setting is to handle host settings?
>
> Regards,
> Graham
> --
From mont.rothstein at gmail.com Sat Mar 4 16:25:58 2006
From: mont.rothstein at gmail.com (Mont Rothstein)
Date: Sat, 4 Mar 2006 08:25:58 -0800
Subject: [Fedora-directory-users] Understand nsswitch.conf
Message-ID: <467a83630603040825p5df35f5dj4cfd24673dc02584@mail.gmail.com>

I recently had a problem logging into the admin console because files
was listed before dns on the hosts line of my nsswitch.conf file.

It was hosts: files dns
It now is hosts: dns files

I understand that this line specifies the lookup order for host
information. What I'd like to know is if this implies that something
else is misconfigured on my system, or if this was the root problem?
i.e. does FDS simply require that dns be listed first or should it
have worked with files first?

As far as I know files does a look up in /etc/hosts. My /etc/hosts
has a single entry:

192.168.1.115 rheles4rs1.forayadams.foray.com rheles4rs1

Those are the correct IP, FQDN, and server name for my server.

Any insight into this would be appreciated.

Thanks,
-Mont

From minfrin at sharp.fm Sat Mar 4 16:44:47 2006
From: minfrin at sharp.fm (Graham Leggett)
Date: Sat, 04 Mar 2006 18:44:47 +0200
Subject: [Fedora-directory-users] Switching off host filter in admin server - how?
In-Reply-To: <4409BE9B.5000802@redhat.com>
References: <4409BB20.1090501@sharp.fm> <4409BE9B.5000802@redhat.com>
Message-ID: <4409C3FF.7030302@sharp.fm>

Richard Megginson wrote:

>> Having got my brand new DS v1.0.2 up and running, and the admin server
>> started up, I discover that the admin server has arbitrarily placed a
>> host check of *.domain.com onto the server, effectively locking me out
>> of the admin server (my client machine is not in *.domain.com).

> See http://directory.fedora.redhat.com/wiki/Howto:AdminServerLDAPMgmt
> and
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=183925

I don't follow - I need to download the source, apply the patch in the
above bug, then rebuild the entire thing before I have any hope of
administering this server?

Is there some kind of manual override that I can use to switch this
behaviour off? Or alternatively if this is not possible, to require
localhost so that I can run the admin server behind a reverse proxy
whose access control does work properly?

Having changed the *.domain.com to * I am now getting this error:

[Sat Mar 04 10:42:50 2006] [notice] [client xx.xx.xx.xx]
admserv_host_ip_check: Unauthorized host ip=xx.xx.xx.xx, connection rejected

Google finds other people with this problem, apparently "*" doesn't mean
"let everybody in", but instead it means "let everyone in whose reverse
DNS works".

In this case reverse DNS does work, but I may be getting bitten by bug
183925.

So in short, does the admin server in v1.0.2 work at all, or am I just
wasting my time? :(

Regards,
Graham
--

From mj at sci.fi Sat Mar 4 17:39:14 2006
From: mj at sci.fi (Mike Jackson)
Date: Sat, 04 Mar 2006 19:39:14 +0200
Subject: [Fedora-directory-users] Switching off host filter in admin server - how?
In-Reply-To: <4409BB20.1090501@sharp.fm>
References: <4409BB20.1090501@sharp.fm>
Message-ID: <4409D0C2.9090408@sci.fi>

Graham Leggett wrote:
> Hi all,
>
> Having got my brand new DS v1.0.2 up and running, and the admin server
> started up, I discover that the admin server has arbitrarily placed a
> host check of *.domain.com onto the server, effectively locking me out
> of the admin server (my client machine is not in *.domain.com).

ssh -X ldapserver
cd /opt/fedora-ds
./startconsole &

What's the problem?

BR,
--
mike

From oscar.valdez at duraflex-politex.com Sat Mar 4 18:01:20 2006
From: oscar.valdez at duraflex-politex.com (Oscar A. Valdez)
Date: Sat, 04 Mar 2006 12:01:20 -0600
Subject: [Fedora-directory-users] Understand nsswitch.conf
In-Reply-To: <467a83630603040825p5df35f5dj4cfd24673dc02584@mail.gmail.com>
References: <467a83630603040825p5df35f5dj4cfd24673dc02584@mail.gmail.com>
Message-ID: <1141495280.4042.10.camel@wzowski.duraflex-politex.com>

On Sat, 04-03-2006 at 08:25 -0800, Mont Rothstein wrote:
> I recently had a problem logging into the admin console because files
> was listed before dns on the hosts line of my nsswitch.conf file.
>
> It was hosts: files dns
> It now is hosts: dns files
>
> I understand that this line specifies the lookup order for host
> information. What I'd like to know is if this implies that something
> else is misconfigured on my system, or if this was the root problem?
> i.e. does FDS simply require that dns be listed first or should it
> have worked with files first?
>
> As far as I know files does a look up in /etc/hosts. My /etc/hosts
> has a single entry:
>
> 192.168.1.115 rheles4rs1.forayadams.foray.com rheles4rs1
>
> Those are the correct IP, FQDN, and server name for my server.
>
> Any insight into this would be appreciated.

My /etc/hosts has three other lines before that one:

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost

You might be missing the 127.0.0.1 line.
--
Oscar A. Valdez

From kimmo.koivisto at surfeu.fi Sat Mar 4 18:03:29 2006
From: kimmo.koivisto at surfeu.fi (Kimmo Koivisto)
Date: Sat, 4 Mar 2006 20:03:29 +0200
Subject: [Fedora-directory-users] Switching off host filter in admin server - how?
In-Reply-To: <4409C3FF.7030302@sharp.fm>
References: <4409BB20.1090501@sharp.fm> <4409BE9B.5000802@redhat.com>
 <4409C3FF.7030302@sharp.fm>
Message-ID: <200603042003.29771.kimmo.koivisto@surfeu.fi>

Graham Leggett wrote in his message (sent Saturday 04 March 2006 18:44):

> I don't follow - I need to download the source, apply the patch in the
> above bug, then rebuild the entire thing before I have any hope of
> administering this server?
>
> Is there some kind of manual override that I can use to switch this
> behaviour off? Or alternatively if this is not possible, to require
> localhost so that I can run the admin server behind a reverse proxy
> whose access control does work properly?

Because of the bug, you have to set nsAdminAccessAddresses to something you
don't have and empty nsAdminAccessHosts.
Well, there might be other ways to do it, this worked for me.

I needed to allow administration from anywhere so made the following
definitions:
nsAdminAccessAddresses=255.255.255.255
nsAdminAccessHosts=

and restarted the admin server.

Regards
Kimmo Koivisto

From minfrin at sharp.fm Sat Mar 4 21:46:46 2006
From: minfrin at sharp.fm (Graham Leggett)
Date: Sat, 04 Mar 2006 23:46:46 +0200
Subject: [Fedora-directory-users] Switching off host filter in admin server - how?
In-Reply-To: <4409D0C2.9090408@sci.fi>
References: <4409BB20.1090501@sharp.fm> <4409D0C2.9090408@sci.fi>
Message-ID: <440A0AC6.90108@sharp.fm>

Mike Jackson wrote:

> ssh -X ldapserver
> cd /opt/fedora-ds
> ./startconsole &
>
> What's the problem?

The problem is that the server is in San Antonio, and the client is in
Johannesburg 8 timezones away. Have you seen X run over a 64kbps line?

Regards,
Graham
--
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3220 bytes Desc: S/MIME Cryptographic Signature URL: From minfrin at sharp.fm Sat Mar 4 21:53:20 2006 From: minfrin at sharp.fm (Graham Leggett) Date: Sat, 04 Mar 2006 23:53:20 +0200 Subject: [Fedora-directory-users] Source build failure on Solaris 10 Message-ID: <440A0C50.3050906@sharp.fm> Hi all, When trying to use the automated dsbuild to try and build DS v1.0.2 on Solaris 10, I get an error with a patch that does not apply cleanly. Does anyone know what this patch is for, or how to get rid of it? bash-3.00# gmake [===== NOW BUILDING: ds-1.0.2 =====] [fetch] complete for ds. [checksum] complete for ds. [extract] complete for ds. [patch] complete for ds. ==> Building ds/mozilla as a dependency gmake[1]: Entering directory `/root/src/ldap/auto/dsbuild-fds102/ds/mozilla' [===== NOW BUILDING: mozilla- =====] [fetch] complete for mozilla. [checksum] complete for mozilla. ==> Extracting download/mozilla-components-1.0.2.tar.gz ==> Copying download/sysfdtable.patch ==> Copying download/sysfdtable2.patch [extract] complete for mozilla. install -d work/mozilla- cat download/sysfdtable.patch download/sysfdtable2.patch | ( cd work ; patch -p0 ) Looks like a unified context diff. Hunk #1 failed at line 159. 1 out of 1 hunks failed: saving rejects to mozilla/nsprpub/pr/include/obsolete/probslet.h.rej The next patch looks like a unified context diff. The next patch looks like a unified context diff. done gmake[1]: *** [post-patch] Error 1 gmake[1]: Leaving directory `/root/src/ldap/auto/dsbuild-fds102/ds/mozilla' gmake: *** [dep-../../ds/mozilla] Error 2 bash-3.00# less mozilla/nsprpub/pr/include/obsolete/probslet.h.rej mozilla/nsprpub/pr/include/obsolete/probslet.h.rej: No such file or directory Regards, Graham -- -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3220 bytes Desc: S/MIME Cryptographic Signature URL:

From mj at sci.fi Sat Mar 4 21:57:42 2006
From: mj at sci.fi (Mike Jackson)
Date: Sat, 04 Mar 2006 23:57:42 +0200
Subject: [Fedora-directory-users] Switching off host filter in admin server - how?
In-Reply-To: <440A0AC6.90108@sharp.fm>
References: <4409BB20.1090501@sharp.fm> <4409D0C2.9090408@sci.fi> <440A0AC6.90108@sharp.fm>
Message-ID: <440A0D56.2090102@sci.fi>

Graham Leggett wrote:
> Mike Jackson wrote:
>
>> ssh -X ldapserver
>> cd /opt/fedora-ds
>> ./startconsole &
>>
>> What's the problem?
>
>
> The problem is that the server is in San Antonio, and the client is in
> Johannesburg 8 timezones away. Have you seen X run over a 64kbps line?

OK. FWIW, I never use the admin gui. Almost everything which can be done
with the admin server can be done over-the-wire with LDAP. Just browse the
cn=config tree and you will see what is behind the admin gui. Write some
scripts, tools, libraries, etc with perl and Net::LDAP, rather quickly.

If you have specific questions e.g. about cn=tasks, ask here and I will try
to explain.

BR,
Mike

From rmeggins at redhat.com Sat Mar 4 23:31:19 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Sat, 04 Mar 2006 16:31:19 -0700
Subject: [Fedora-directory-users] Switching off host filter in admin server - how?
In-Reply-To: <4409C3FF.7030302@sharp.fm>
References: <4409BB20.1090501@sharp.fm> <4409BE9B.5000802@redhat.com> <4409C3FF.7030302@sharp.fm>
Message-ID: <440A2347.7050101@redhat.com>

Graham Leggett wrote:

> Richard Megginson wrote:
>
>>> Having got my brand new DS v1.0.2 up and running, and the admin
>>> server started up, I discover that the admin server has arbitrarily
>>> placed a host check of *.domain.com onto the server, effectively
>>> locking me out of the admin server (my client machine is not in
>>> *.domain.com).
>>
>
>> See http://directory.fedora.redhat.com/wiki/Howto:AdminServerLDAPMgmt
>> and
>> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=183925
>
>
> I don't follow - I need to download the source, apply the patch in the
> above bug, then rebuild the entire thing before I have any hope of
> administering this server?

No, you just need to supply a pattern which _does not match_ the incoming
IP address. Then it will allow it. It's backwards.

>
> Is there some kind of manual override that I can use to switch this
> behaviour off? Or alternatively if this is not possible, to require
> localhost so that I can run the admin server behind a reverse proxy
> whose access control does work properly?
>
> Having changed the *.domain.com to * I am now getting this error:
>
> [Sat Mar 04 10:42:50 2006] [notice] [client xx.xx.xx.xx]
> admserv_host_ip_check: Unauthorized host ip=xx.xx.xx.xx, connection
> rejected
>
> Google finds other people with this problem, apparently "*" doesn't
> mean "let everybody in", but instead it means "let everyone in whose
> reverse DNS works". In this case reverse DNS does work, but I may be
> getting bitten by bug 183925.
>
> So in short, does the admin server in v1.0.2 work at all, or am I just
> wasting my time? :(
>
> Regards,
> Graham
> --
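The workaround discussed in this thread, as an added example that is not part of the original messages or of the Admin Server's code: a small Python model of an address filter evaluated as intended and with the match result inverted, which is how the replies describe bug 183925. The glob-style matching, the function names, the sample client addresses and the "192.168.1.*" pattern are assumptions for illustration; "*" and "255.255.255.255" are the values quoted in the thread.

```python
from fnmatch import fnmatchcase

# Constructed sample clients: one on a local network, one remote, plus loopback.
SAMPLE_CLIENTS = ["192.168.1.20", "203.0.113.7", "127.0.0.1"]


def matches(client_ip, pattern):
    """Glob-style match of an IP against one pattern (assumed syntax)."""
    return bool(pattern) and fnmatchcase(client_ip, pattern)


def admitted(client_ip, address_pattern, inverted):
    """Return True if the client gets in.

    inverted=False: the intended rule, a matching address is admitted.
    inverted=True:  the behaviour described in the thread, where a pattern
                    that does NOT match the client is what lets it in.
    """
    hit = matches(client_ip, address_pattern)
    return (not hit) if inverted else hit


def exposure(address_pattern, inverted, clients=SAMPLE_CLIENTS):
    """Classify a setting as 'open', 'closed' or 'restricted' for the sample clients."""
    results = [admitted(ip, address_pattern, inverted) for ip in clients]
    if all(results):
        return "open"
    if not any(results):
        return "closed"
    return "restricted"


def compare(address_pattern):
    """Exposure of one setting on an affected build and on one with the check corrected."""
    return {
        "affected": exposure(address_pattern, inverted=True),
        "corrected": exposure(address_pattern, inverted=False),
    }


if __name__ == "__main__":
    for pattern in ["*", "255.255.255.255", "192.168.1.*"]:
        print(f"{pattern:18} {compare(pattern)}")
```

In this model the 255.255.255.255 workaround admits every client on an affected build and no client once the check is corrected, so the setting has to be revisited when the fix is installed; a narrower pattern such as the constructed "192.168.1.*" admits exactly the clients it was meant to exclude while the check is inverted.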
From minfrin at sharp.fm Sun Mar 5 00:05:54 2006
From: minfrin at sharp.fm (Graham Leggett)
Date: Sun, 05 Mar 2006 02:05:54 +0200
Subject: [Fedora-directory-users] NumberFormatException from Fedora console
Message-ID: <440A2B62.5030501@sharp.fm>

Hi all,

I am trying to connect to a v1.0.2 admin server via a v1.0.1 FDS console
(still to be upgraded), and I am getting a NumberFormatException as
described at:

https://www.redhat.com/archives/fedora-directory-users/2005-December/msg00442.html

I see no followups to this message, has anybody else encountered this
problem, and if so, were there any fixes to it?

Regards,
Graham
--

From minfrin at sharp.fm Sun Mar 5 00:12:56 2006
From: minfrin at sharp.fm (Graham Leggett)
Date: Sun, 05 Mar 2006 02:12:56 +0200
Subject: [Fedora-directory-users] Mini Howto: FDS v1.0.2 and Apache v2.2.0
Message-ID: <440A2D08.1070206@sharp.fm>

Hi all,

I have had some success getting FDS v1.0.2 built against Apache v2.2.0
from RPM. To get this to work, do the following:

- Download and install the latest (v1.2.2) of apr and apr-util, including
  the development packages.

- Download the SRPM of httpd v2.2.0 and install it, or make your own SRPM
  by running rpmbuild -ts on the httpd-2.2.0.tar.gz file.

- Edit the httpd.spec file to add mod_file_cache like so (this should be
  fixed in the next version of httpd):

  --enable-cache --enable-disk-cache --enable-file-cache --enable-mem-cache \

- Build the httpd RPM with rpmbuild -bb httpd.spec and install it.

- Build FDS from here:
  http://directory.fedora.redhat.com/wiki/Building#One-Step_Build

- Install the resultant FDS RPM, and run setup as normal.
Regards, Graham -- -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3220 bytes Desc: S/MIME Cryptographic Signature URL: From mj at sci.fi Sun Mar 5 07:05:30 2006 From: mj at sci.fi (Mike Jackson) Date: Sun, 05 Mar 2006 09:05:30 +0200 Subject: [Fedora-directory-users] Source build failure on Solaris 10 In-Reply-To: <440A0C50.3050906@sharp.fm> References: <440A0C50.3050906@sharp.fm> Message-ID: <440A8DBA.1030004@sci.fi> Graham Leggett wrote: > Hi all, > > When trying to use the automated dsbuild to try and build DS v1.0.2 on > Solaris 10, I get an error with a patch that does not apply cleanly. > Hi Graham, Are you building on x86 or sparc? Please let me know if you have any success. BR, Mike From minfrin at sharp.fm Sun Mar 5 11:31:52 2006 From: minfrin at sharp.fm (Graham Leggett) Date: Sun, 05 Mar 2006 13:31:52 +0200 Subject: [Fedora-directory-users] Source build failure on Solaris 10 In-Reply-To: <440A8DBA.1030004@sci.fi> References: <440A0C50.3050906@sharp.fm> <440A8DBA.1030004@sci.fi> Message-ID: <440ACC28.90801@sharp.fm> Mike Jackson wrote: >> When trying to use the automated dsbuild to try and build DS v1.0.2 on >> Solaris 10, I get an error with a patch that does not apply cleanly. > Are you building on x86 or sparc? Please let me know if you have any > success. I am building x86. I was slowly going through the manual build process for v1.0.1, then got stuck when it didn't support Apache v2.2.x. It was on my list of things to do to fix this, but in v1.0.2 this has already been done. I tried to do an automated build of v1.0.2 on Solaris 10 x86, but it bombed out in the beginning. I plan to start again on the build process for Solaris once I get the new Linux installation sorted. Regards, Graham -- -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3220 bytes Desc: S/MIME Cryptographic Signature URL: From magobin at gmail.com Sun Mar 5 14:47:05 2006 From: magobin at gmail.com (Alex) Date: Sun, 5 Mar 2006 15:47:05 +0100 Subject: [Fedora-directory-users] HELP: Error while start startconsole Message-ID: <440afa01.4b283e10.1e90.ffffb51e@mx.gmail.com> Hi, I've an error when I try to start console before an Express Installation, the error is not the same of FAQ and I 've correctly installed xorgx11-deprecated.so; It seems that don't find a method..... the error is: ./startconsole -u magobin -a http://ldap.example.com:55087 Warning: -ms8m not understood. Ignoring. Warning: -mx64m not understood. Ignoring. Exception in thread "main" java.lang.NoSuchMethodError: method com.netscape.management.client.util.RemoteImage.setImage was not found. at _Jv_ResolvePoolEntry(java.lang.Class, int) (/usr/lib/libgcj.so.5.0.0) at com.netscape.management.client.util.RemoteImage.RemoteImage(java.lang.String ) (Unknown Source) at com.netscape.management.nmclf.SuiLookAndFeel.initComponentDefaults(javax.swi ng.UIDefaults) (Unknown Source) at com.netscape.management.nmclf.SuiLookAndFeel.getDefaults() (Unknown Source) at javax.swing.UIManager.put(java.lang.Object, java.lang.Object) (/usr/lib/libgcj.so.5.0.0) at com.netscape.management.client.components.FontFactory.initializeLFFonts() (Unknown Source) at com.netscape.management.client.console.Console.common_init(java.lang.String) (Unknown Source) at com.netscape.management.client.console.Console.Console(java.lang.String, java.lang.String, java.lang.String, java.lang.String, java.lang.String, java.lang.String) (Unknown Source) at com.netscape.management.client.console.Console.main(java.lang.String[]) (Unknown Source) Any help is appreciated Thanks in advance Alex From minfrin at sharp.fm Sun Mar 5 18:54:55 2006 From: minfrin at sharp.fm (Graham Leggett) Date: Sun, 05 Mar 2006 20:54:55 +0200 Subject: [Fedora-directory-users] PIN file 
for unattended SSL restarts
Message-ID: <440B33FF.6070702@sharp.fm>

Hi all,

Does anybody know where the file should live containing the SSL key pin to
enable an unattended restart of a server, and what that file should be
called?

There is a lot of conflicting info on this as found by Google, none of
which works :(

Regards,
Graham
--

From mj at sci.fi Sun Mar 5 19:08:50 2006
From: mj at sci.fi (Mike Jackson)
Date: Sun, 05 Mar 2006 21:08:50 +0200
Subject: [Fedora-directory-users] PIN file for unattended SSL restarts
In-Reply-To: <440B33FF.6070702@sharp.fm>
References: <440B33FF.6070702@sharp.fm>
Message-ID: <440B3742.7090103@sci.fi>

Graham Leggett wrote:
> Hi all,
>
> Does anybody know where the file should live containing the SSL key pin
> to enable an unattended restart of a server, and what that file should
> be called?
>
> There is a lot of conflicting info on this as found by Google, none of
> which works :(

[root at vectra-3 alias]# pwd
/opt/fedora-ds/alias

[root at vectra-3 alias]# cat slapd-netauth-pin.txt
Internal (Software) Token:secret

Substitute "netauth" for your instance name. Substitute "secret" for your
security database's password.
This is covered in the administration guide:
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#996824

BR,
--
mike

From minfrin at sharp.fm Sun Mar 5 19:18:54 2006
From: minfrin at sharp.fm (Graham Leggett)
Date: Sun, 05 Mar 2006 21:18:54 +0200
Subject: [Fedora-directory-users] PIN file for unattended SSL restarts
In-Reply-To: <440B3742.7090103@sci.fi>
References: <440B33FF.6070702@sharp.fm> <440B3742.7090103@sci.fi>
Message-ID: <440B399E.4040800@sharp.fm>

Mike Jackson wrote:
> [root at vectra-3 alias]# pwd
> /opt/fedora-ds/alias
>
> [root at vectra-3 alias]# cat slapd-netauth-pin.txt
> Internal (Software) Token:secret
>
> Substitute "netauth" for your instance name. Substitute "secret" for
> your security database's password.

Thanks for the info - it seemed to work for the LDAP server but not for the
admin server for some reason.

Is it possible to update the wiki entry at
http://directory.fedora.redhat.com/wiki/Howto:SSL#Starting_the_Server_with_SSL_enabled
with this info? It contains the line "If you do not have PIN file, it will
prompt you for the password you used to create the server cert.", but
doesn't explain what a PIN file is as you've explained above.

Regards,
Graham
--

From is95kiko at surfeu.fi Sat Mar 4 17:37:58 2006
From: is95kiko at surfeu.fi (Kimmo Koivisto)
Date: Sat, 4 Mar 2006 19:37:58 +0200
Subject: [Fedora-directory-users] Switching off host filter in admin server - how?
In-Reply-To: <4409C3FF.7030302@sharp.fm>
References: <4409BB20.1090501@sharp.fm> <4409BE9B.5000802@redhat.com> <4409C3FF.7030302@sharp.fm>
Message-ID: <200603041937.58931.is95kiko@surfeu.fi>

Graham Leggett wrote in his message (sent Saturday 04 March 2006 18:44):
> Is there some kind of manual override that I can use to switch this
> behaviour off? Or alternatively if this is not possible, to require
> localhost so that I can run the admin server behind a reverse proxy
> whose access control does work properly?

Because of the bug, you have to set nsAdminAccessAddresses to something you
don't have and empty nsAdminAccessHosts. Well, there might be other ways to
do it, this worked for me.

I needed to allow administration from anywhere so made the following
definitions:

nsAdminAccessAddresses=255.255.255.255
nsAdminAccessHosts=

and restarted the admin server.

Regards
Kimmo Koivisto

>
> Having changed the *.domain.com to * I am now getting this error:
>
> [Sat Mar 04 10:42:50 2006] [notice] [client xx.xx.xx.xx]
> admserv_host_ip_check: Unauthorized host ip=xx.xx.xx.xx, connection
> rejected
>
> Google finds other people with this problem, apparently "*" doesn't mean
> "let everybody in", but instead it means "let everyone in whose reverse
> DNS works". In this case reverse DNS does work, but I may be getting
> bitten by bug 183925.
>
> So in short, does the admin server in v1.0.2 work at all, or am I just
> wasting my time? :(
>
> Regards,
> Graham
> --

From rcritten at redhat.com Mon Mar 6 14:22:23 2006
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 06 Mar 2006 09:22:23 -0500
Subject: [Fedora-directory-users] PIN file for unattended SSL restarts
In-Reply-To: <440B399E.4040800@sharp.fm>
References: <440B33FF.6070702@sharp.fm> <440B3742.7090103@sci.fi> <440B399E.4040800@sharp.fm>
Message-ID: <440C459F.1000508@redhat.com>

Graham Leggett wrote:
> Mike Jackson wrote:
>
>> [root at vectra-3 alias]# pwd
>> /opt/fedora-ds/alias
>>
>> [root at vectra-3 alias]# cat slapd-netauth-pin.txt
>> Internal (Software) Token:secret
>>
>> Substitute "netauth" for your instance name. Substitute "secret" for
>> your security database's password.
>
>
> Thanks for the info - it seemed to work for the LDAP server but not for
> the admin server for some reason.
>
> Is it possible to update the wiki entry at
> http://directory.fedora.redhat.com/wiki/Howto:SSL#Starting_the_Server_with_SSL_enabled
> with this info? It contains the line "If you do not have PIN file, it
> will prompt you for the password you used to create the server cert.",
> but doesn't explain what a PIN file is as you've explained above.

Edit /opt/fedora-ds/admin-serv/config/nss.conf. Look for the line:

NSSPassPhraseDialog builtin

Change it to the form:

NSSPassPhraseDialog file:/path/to/password/file

e.g.

NSSPassPhraseDialog file:/opt/fedora-ds/admin-serv/config/admin.txt

The format is slightly different from the DS, it is:

internal:secret

Substitute "secret" for the admin server security database password.

rob

From rmeggins at redhat.com Mon Mar 6 15:13:58 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 06 Mar 2006 08:13:58 -0700
Subject: [Fedora-directory-users] PIN file for unattended SSL restarts
In-Reply-To: <440C459F.1000508@redhat.com>
References: <440B33FF.6070702@sharp.fm> <440B3742.7090103@sci.fi> <440B399E.4040800@sharp.fm> <440C459F.1000508@redhat.com>
Message-ID: <440C51B6.1020107@redhat.com>

Rob Crittenden wrote:

> Graham Leggett wrote:
>
>> Mike Jackson wrote:
>>
>>> [root at vectra-3 alias]# pwd
>>> /opt/fedora-ds/alias
>>>
>>> [root at vectra-3 alias]# cat slapd-netauth-pin.txt
>>> Internal (Software) Token:secret
>>>
>>> Substitute "netauth" for your instance name. Substitute "secret" for
>>> your security database's password.
>>
>>
>>
>> Thanks for the info - it seemed to work for the LDAP server but not
>> for the admin server for some reason.
>>
>> Is it possible to update the wiki entry at
>> http://directory.fedora.redhat.com/wiki/Howto:SSL#Starting_the_Server_with_SSL_enabled
>> with this info? It contains the line "If you do not have PIN file, it
>> will prompt you for the password you used to create the server
>> cert.", but doesn't explain what a PIN file is as you've explained
>> above.
>
>
> Edit /opt/fedora-ds/admin-serv/config/nss.conf. Look for the line:
>
> NSSPassPhraseDialog builtin
>
> Change it to the form:
>
> NSSPassPhraseDialog file:/path/to/password/file
>
> e.g.
>
> NSSPassPhraseDialog file:/opt/fedora-ds/admin-serv/config/admin.txt
>
> The format is slightly different from the DS, it is:
>
> internal:secret
>
> Substitute "secret" for the admin server security database password.

The SSL Howto now has a shell script which automates much of the SSL setup
process including the Admin Server pin file. See
http://directory.fedora.redhat.com/wiki/Howto:SSL#Script for more
information.

>
> rob
>

From daniel.goolsby at verizonbusiness.com Mon Mar 6 15:14:25 2006
From: daniel.goolsby at verizonbusiness.com (Goolsby, Daniel S (Daniel))
Date: Mon, 06 Mar 2006 09:14:25 -0600
Subject: [Fedora-directory-users] FDS 1.0.2 and expiring passwords
Message-ID:

I have been able to use FDS with normal passwords, but have yet to figure
out how to implement expiring passwords. I know that is part of just about
any standard security policy. I currently have an ldap/Kerberos
implementation in place, but would rather have it in one centralized gui'd
location, for when I leave it would be easier to hand off - plus it looks
cleaner and should work better.
Daniel

______________________________________________________________________
This e-mail has been scanned by Verizon Managed Email Content Service,
using Skeptic(tm) technology powered by MessageLabs. For more information
on Verizon Managed Email Content Service, visit
http://www.verizonbusiness.com.
______________________________________________________________________

From rmeggins at redhat.com Mon Mar 6 15:28:33 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 06 Mar 2006 08:28:33 -0700
Subject: [Fedora-directory-users] Source build failure on Solaris 10
In-Reply-To: <440A0C50.3050906@sharp.fm>
References: <440A0C50.3050906@sharp.fm>
Message-ID: <440C5521.9010909@redhat.com>

Graham Leggett wrote:

> Hi all,
>
> When trying to use the automated dsbuild to try and build DS v1.0.2 on
> Solaris 10, I get an error with a patch that does not apply cleanly.

You must have a complete GNU tool chain in order to build DS on Solaris,
and you must use the latest versions. You can usually get these from
www.sunfreeware.com. This includes:

make
md5sum
patch
install
grep
pcre
libiconv

If you want to do a native 64 bit build, you must also have a native 64 bit
perl (the one included with Solaris - sparc anyway - is 32 bit and will not
work) so you will probably have to build that for yourself.

You must also have Apache, and you cannot use the Apache from
www.sunfreeware.com because it does not include support for multi threaded
mode, so you have to build it yourself. Note that you can probably use the
one from www.sunfreeware.com to _build_ FDS but it will not work at
_runtime_.

>
> Does anyone know what this patch is for, or how to get rid of it?

Are you using the latest GNU patch?

>
> bash-3.00# gmake
> [===== NOW BUILDING: ds-1.0.2 =====]
> [fetch] complete for ds.
> [checksum] complete for ds.
> [extract] complete for ds.
> [patch] complete for ds.
> ==> Building ds/mozilla as a dependency
> gmake[1]: Entering directory
> `/root/src/ldap/auto/dsbuild-fds102/ds/mozilla'
> [===== NOW BUILDING: mozilla- =====]
> [fetch] complete for mozilla.
> [checksum] complete for mozilla.
> ==> Extracting download/mozilla-components-1.0.2.tar.gz
> ==> Copying download/sysfdtable.patch
> ==> Copying download/sysfdtable2.patch
> [extract] complete for mozilla.
> install -d work/mozilla-
> cat download/sysfdtable.patch download/sysfdtable2.patch | ( cd work ;
> patch -p0 )
> Looks like a unified context diff.
> Hunk #1 failed at line 159.
> 1 out of 1 hunks failed: saving rejects to
> mozilla/nsprpub/pr/include/obsolete/probslet.h.rej
> The next patch looks like a unified context diff.
> The next patch looks like a unified context diff.
> done
> gmake[1]: *** [post-patch] Error 1
> gmake[1]: Leaving directory
> `/root/src/ldap/auto/dsbuild-fds102/ds/mozilla'
> gmake: *** [dep-../../ds/mozilla] Error 2
> bash-3.00# less mozilla/nsprpub/pr/include/obsolete/probslet.h.rej
> mozilla/nsprpub/pr/include/obsolete/probslet.h.rej: No such file or
> directory
>
> Regards,
> Graham
> --
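For the two PIN files described in the "PIN file for unattended SSL restarts" thread above, an added example (not from the original messages or from the project): a Python check that each file holds a single "token:password" line with the token name the thread gives for it, that the file is not accessible to group or other since it stores the security database password in cleartext, and that nss.conf names a file rather than "builtin". The instance name "example", the sample password and the file contents are constructed.

```python
import os
import re
import stat
import tempfile

# Token names as given in the thread (the part before the colon).
DS_TOKEN = "Internal (Software) Token"   # slapd-<instance>-pin.txt
ADMIN_TOKEN = "internal"                 # file named by NSSPassPhraseDialog


def check_pin_file(path, expected_token):
    """Return a list of findings for one PIN file; an empty list means it passed."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"mode {mode:04o} lets group/other access the cleartext password")
    with open(path, encoding="utf-8") as fh:
        entries = [line.rstrip("\r\n") for line in fh if line.strip()]
    if len(entries) != 1:
        findings.append(f"expected exactly one 'token:password' line, found {len(entries)}")
        return findings
    token, colon, password = entries[0].partition(":")
    if not colon:
        findings.append("no ':' separator between token name and password")
    elif token != expected_token:
        findings.append(f"token name {token!r} should be {expected_token!r}")
    elif not password:
        findings.append("password part is empty")
    return findings


def passphrase_file(nss_conf_text):
    """Return the path from 'NSSPassPhraseDialog file:/path', or None for builtin/absent."""
    for raw in nss_conf_text.splitlines():
        match = re.match(r"\s*NSSPassPhraseDialog\s+(\S+)", raw)
        if match:
            value = match.group(1)
            return value[len("file:"):] if value.startswith("file:") else None
    return None


def demo():
    """Build constructed sample files in a temp directory and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        ds_pin = os.path.join(tmp, "slapd-example-pin.txt")  # hypothetical instance "example"
        admin_pin = os.path.join(tmp, "admin.txt")
        samples = {
            ds_pin: ("Internal (Software) Token:not-a-real-secret\n", 0o600),
            # Constructed mistake: DS-style token name in the admin file, world-readable.
            admin_pin: ("Internal (Software) Token:not-a-real-secret\n", 0o644),
        }
        for path, (text, mode) in samples.items():
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(text)
            os.chmod(path, mode)
        nss_conf = f"# constructed nss.conf fragment\nNSSPassPhraseDialog file:{admin_pin}\n"
        referenced = passphrase_file(nss_conf)
        return {
            "ds": check_pin_file(ds_pin, DS_TOKEN),
            "admin": check_pin_file(referenced, ADMIN_TOKEN),
            "builtin": passphrase_file("NSSPassPhraseDialog builtin\n"),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The constructed admin file fails twice: it reuses the Directory Server token name, which matches the symptom reported in the thread of the PIN file working for the LDAP server but not for the admin server, and its mode exposes the password to other local users.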
From rmeggins at redhat.com Mon Mar 6 15:30:17 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 06 Mar 2006 08:30:17 -0700
Subject: [Fedora-directory-users] HELP: Error while start startconsole
In-Reply-To: <440afa01.4b283e10.1e90.ffffb51e@mx.gmail.com>
References: <440afa01.4b283e10.1e90.ffffb51e@mx.gmail.com>
Message-ID: <440C5589.4090606@redhat.com>

Alex wrote:

>Hi,
>
>I've an error when I try to start console before an Express Installation,
>the error is not the same of FAQ and I 've correctly installed
>xorgx11-deprecated.so; It seems that don't find a method..... the error is:
>
>

Which java are you using? What is your operating system and version?

>./startconsole -u magobin -a http://ldap.example.com:55087
>Warning: -ms8m not understood. Ignoring.
>Warning: -mx64m not understood. Ignoring.
>Exception in thread "main" java.lang.NoSuchMethodError: method
>com.netscape.management.client.util.RemoteImage.setImage was not found.
> at _Jv_ResolvePoolEntry(java.lang.Class, int) (/usr/lib/libgcj.so.5.0.0)
> at
>com.netscape.management.client.util.RemoteImage.RemoteImage(java.lang.String
>) (Unknown Source)
> at
>com.netscape.management.nmclf.SuiLookAndFeel.initComponentDefaults(javax.swi
>ng.UIDefaults) (Unknown Source)
> at com.netscape.management.nmclf.SuiLookAndFeel.getDefaults() (Unknown
>Source)
> at javax.swing.UIManager.put(java.lang.Object, java.lang.Object)
>(/usr/lib/libgcj.so.5.0.0)
> at
>com.netscape.management.client.components.FontFactory.initializeLFFonts()
>(Unknown Source)
> at
>com.netscape.management.client.console.Console.common_init(java.lang.String)
>(Unknown Source)
> at
>com.netscape.management.client.console.Console.Console(java.lang.String,
>java.lang.String, java.lang.String, java.lang.String, java.lang.String,
>java.lang.String) (Unknown Source)
> at
>com.netscape.management.client.console.Console.main(java.lang.String[])
>(Unknown Source)
>
>
>
>Any help is appreciated
>
>Thanks in advance
>
>Alex
>

From magobin at gmail.com Mon Mar 6 17:35:48 2006
From: magobin at gmail.com (Alex)
Date: Mon, 6 Mar 2006 18:35:48 +0100
Subject: R: [Fedora-directory-users] HELP: Error while start startconsole
In-Reply-To: <440C5589.4090606@redhat.com>
Message-ID: <440c7306.18cbac8d.2caa.ffffe3ee@mx.gmail.com>

>
>
> Which java are you using? What is your operating system and version?
>

Hi, thanks for your interest in my problem....

Ok, this is the scenario: I'm testing on lab with 2 server configured with
CentOs 4.2 operating System (derived from redhat enterprise Source)...in
their website there is a faq that says to download Fedora directory
server...1.0.2 is compatible......everything works well and install
finished correctly. But when I try to start console I received error
below...I have the exact copy on vmware for testing at home...so if you
have some good news...I can try on fly...

Java is Sun version 1.4.2 but I have downloaded 1.5.0 too

Thanks in advance

> >./startconsole -u magobin -a http://ldap.example.com:55087
> >Warning: -ms8m not understood. Ignoring.
> >Warning: -mx64m not understood. Ignoring.
> >Exception in thread "main" java.lang.NoSuchMethodError: method
> >com.netscape.management.client.util.RemoteImage.setImage was
> not found.
> > at _Jv_ResolvePoolEntry(java.lang.Class, int)

...CUT

From mont.rothstein at gmail.com Mon Mar 6 18:46:03 2006
From: mont.rothstein at gmail.com (Mont Rothstein)
Date: Mon, 6 Mar 2006 10:46:03 -0800
Subject: [Fedora-directory-users] getlocalsid error
Message-ID: <467a83630603061046u1bef23fbu6c3e163edb0800b4@mail.gmail.com>

I've just installed Fedora Directory Server (1.0.1) on RHEL 4. Samba
version is 3.0.10

I am attempting to follow:
http://directory.fedora.redhat.com/wiki/Howto:Samba but I am getting an
error with net getlocalsid.

The output is:

[2006/03/06 10:00:21, 0] lib/smbldap.c:smbldap_connect_system(850)
  failed to bind to server with dn= cn=Directory Manager Error: Can't contact LDAP server
  (unknown)
[2006/03/06 10:00:21, 0] lib/smbldap.c:smbldap_search_suffix(1155)
  smbldap_search_suffix: Problem during the LDAP search: (unknown) (Timed out)
SID for domain RHELES4RS1 is: S-1-5-21-807157010-1821471989-4121009367

While I get a SID I assume I should not proceed with these errors.

I've gone over my config I can't find my error. I've searched online and
can't find anything.

The full output of testparm is below.
Any ideas as to what I've done wrong? Thanks, -Mont Load smb config files from /etc/samba/smb.conf Processing section "[netlogon]" Processing section "[profiles]" Processing section "[homes]" Processing section "[printers]" Processing section "[repository]" Processing section "[root directory]" Loaded services file OK. WARNING: You have some share names that are longer than 12 characters. These may not be accessible to some older clients. (Eg. Windows9x, WindowsMe, and smbclient prior to Samba 3.0.) Server role: ROLE_DOMAIN_PDC Press enter to see a dump of your service definitions # Global parameters [global] server string = rheles4rs1 password server = None passdb backend = ldapsam:ldap://rheles4rs1.forayadams.foray.com username map = /etc/samba/smbusers log file = /var/log/%m.log max log size = 50 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 printcap name = /etc/printcap logon path = \\%L\profiles\%u logon drive = H: logon home = \\%L\%u\profiles domain logons = Yes os level = 33 preferred master = Yes domain master = Yes dns proxy = No wins support = Yes ldap admin dn = cn=Directory Manager ldap group suffix = ou=Groups ldap machine suffix = ou=Computers ldap suffix = dc=forayadams,dc=foray,dc=com ldap user suffix = ou=People idmap uid = 16777216-33554431 idmap gid = 16777216-33554431 cups options = raw [netlogon] path = /var/lib/samba/netlogon browseable = No [profiles] path = /var/lib/samba/profiles read only = No create mask = 0600 directory mask = 0700 [homes] comment = Home Directories read only = No browseable = No [printers] comment = All Printers path = /var/spool/samba printable = Yes browseable = No [repository] path = /repository valid users = testadmin, testuser read only = No [root directory] path = / valid users = mont read only = No -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From daniel.goolsby at verizonbusiness.com Mon Mar 6 19:08:59 2006 From: daniel.goolsby at verizonbusiness.com (Goolsby, Daniel S (Daniel)) Date: Mon, 06 Mar 2006 13:08:59 -0600 Subject: [Fedora-directory-users] HELP: Error while start startconsole Message-ID: I had a similar problem and corrected it by creating the following file: -bash-3.00$ vi /etc/profile.d/java.sh # set java home enviroment variable JAVA_HOME=/usr/java/jre1.5.0_06/bin export JAVA_HOME You might have to have java in your path, that can be done with export PATH=$PATH:$JAVA_HOME (in the same profile) Where "/usr/java/jre1.5.0_06/bin" is the path where java is installed on your box. Daniel -----Original Message----- From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Alex Sent: Monday, March 06, 2006 11:36 AM To: 'General discussion list for the Fedora Directory server project.' Subject: R: [Fedora-directory-users] HELP: Error while start startconsole > > > Which java are you using? What is your operating system and version? > Hi, thanks for interesting on my problem.... Ok, this is the scenario: I'm testing on lab with 2 server configured with CentOs 4.2 operating System (derived from redhat enterprise Source)...in their website there is a faq that says to download Fedora directory server...1.0.2 is compatible......everything works well and install finished correcty. But when I try to start console I received error below...I have the exact copy on vmware for testing at home...so if you have some good news...I can try on fly... Java is Sun Version version 1.4.2 but I have downloaded 1.5.0 too Thanks in advance > >./startconsole -u magobin -a http://ldap.example.com:55087 > >Warning: -ms8m not understood. Ignoring. > >Warning: -mx64m not understood. Ignoring. > >Exception in thread "main" java.lang.NoSuchMethodError: method > >com.netscape.management.client.util.RemoteImage.setImage was > not found. 
> > at _Jv_ResolvePoolEntry(java.lang.Class, int)

...CUT

______________________________________________________________________
This e-mail has been scanned by Verizon Managed Email Content Service, using Skeptic(tm) technology powered by MessageLabs. For more information on Verizon Managed Email Content Service, visit http://www.verizonbusiness.com.
______________________________________________________________________

From rmeggins at redhat.com Mon Mar 6 20:10:03 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 06 Mar 2006 13:10:03 -0700
Subject: [Fedora-directory-users] Password Policy Request/Response Control does not work
In-Reply-To: <4409AC91.8060601@sci.fi>
References: <4409AC91.8060601@sci.fi>
Message-ID: <440C971B.1020404@redhat.com>

Mike Jackson wrote:

> Hi,
> Tested with 7.1.2 and 1.0.2, same result.
>
> The Password Policy Request/Response Control does not work. I have
> written code to test it, as well as tested it with an OpenLDAP 2.3
> client tool which supports sending the control request and decoding
> the control response.

Thanks. This is definitely a bug - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=184141

>
> The control request is sent to the server, but it is not returned to
> the client.
>
> I enabled the password syntax checking and then tried to change the
> password to one which would obviously fail.
>
> Example test:
>
> ldappasswd \
> -a foobar \
> -s foo \
> -h directory.netauth.com \
> -D "uid=jacksonm,ou=users,dc=netauth,dc=com" \
> -x \
> -Z \
> -w foobar \
> -e ppolicy
>
> Result: Constraint violation (19)
> Additional info: Failed to update password
>
>
> This is only the error from the modify password operation, but
> nothing from the password policy response. I expected a response
> equivalent to the corresponding ASN schema: "passwordTooShort".
>
> Is this a bug, or are there some secret switches to toggle to get the
> password policy controls working?
>
> BR,

From bcsummers at gmail.com Mon Mar 6 23:01:38 2006
From: bcsummers at gmail.com (Bracey Summers)
Date: Mon, 6 Mar 2006 17:01:38 -0600
Subject: [Fedora-directory-users] Password Syntax Checking
Message-ID:

I just installed Fedora Directory Server 1.02 on my FC4 box and all looks fine. I was able to successfully login using LDAP authentication and change my password. I tested password expiration and notification and that worked fine. However, I am not able to get the password syntax checking to work. I have the "Enable fine-grained password policy" checked under the Configuration tab and I have created a password policy for the subtree of "People" and on an individual user.

As user bsmith:

-bash-3.00$ passwd
Changing password for user bsmith.
Enter login(LDAP) password:      # previous password blha123
New UNIX password:               # new password foo123bar
Retype new UNIX password:
LDAP password information changed for bsmith
passwd: all authentication tokens updated successfully.

-bash-3.00$ passwd
Changing password for user bsmith.
Enter login(LDAP) password:      # previous password foo123bar
New UNIX password:               # new password blha123 which was the password b4 foo123bar
Retype new UNIX password:        # which suggest password history does not work for command line
LDAP password information changed for bsmith
passwd: all authentication tokens updated successfully.

In both cases above the "Password Syntax" section of the Subtree Password Policy was used. The "Password minimum length" was set to 10 which should have caused a failure above. Minimum required digit, alpha, uppercase and lowercase were all set to 1 which should have caused a failure on upper case in the examples above if I am understanding the usage correctly.

I tried to change the password from the web interface and it does error out, but does not provide a descriptive error message.

It is probably something simple that I am leaving out, but I could not find the answers in the archives or in the documentation. Any help would be greatly appreciated.

Setup:
FC4 with fedora-ds-1.0.2-1.RHEL4.i386.opt.rpm installed.

************************************************************
/etc/ldap.conf

pam_lookup_policy yes
pam_password exop
ssl no
pam_password md5
host ds.example.com
base dc=example,dc=com
tls_cacertdir /etc/openldap/cacerts
************************************************************

--
Bracey Summers
From magobin at gmail.com Tue Mar 7 08:07:33 2006
From: magobin at gmail.com (Alessandro Binarelli)
Date: Tue, 7 Mar 2006 09:07:33 +0100
Subject: [Fedora-directory-users] HELP: Error while start startconsole
In-Reply-To:
References:
Message-ID: <108b923c0603070007q4c5d3574j@mail.gmail.com>

>
> -bash-3.00$ vi /etc/profile.d/java.sh
> # set java home environment variable
> JAVA_HOME=/usr/java/jre1.5.0_06/bin
> export JAVA_HOME
>
> You might have to have java in your path, that can be done with
> export PATH=$PATH:$JAVA_HOME (in the same profile)
>
> Where "/usr/java/jre1.5.0_06/bin" is the path where java is installed on
> your box.
>
> Daniel
>

uhm...JAVA_HOME is not set on my distro....but in more cases is not required.....
But when I found the error I tried to set it....in effect I exported the following path:

export JAVA_HOME="/usr/java/jre1.4.2"

....I thought that was right....I don't exported bin...
Ok....now in the (my) Afternoon I try to set as you say me....

regards
Alex

From magobin at gmail.com Tue Mar 7 17:06:51 2006
From: magobin at gmail.com (Alex)
Date: Tue, 7 Mar 2006 18:06:51 +0100
Subject: R: [Fedora-directory-users] HELP: Error while start startconsole
In-Reply-To: <108b923c0603070007q4c5d3574j@mail.gmail.com>
Message-ID: <440dbdbd.350e988f.6cd3.ffff9830@mx.gmail.com>

> -bash-3.00$ vi /etc/profile.d/java.sh
> # set java home environment variable
> JAVA_HOME=/usr/java/jre1.5.0_06/bin
> export JAVA_HOME
>
> You might have to have java in your path, that can be done with
> export PATH=$PATH:$JAVA_HOME (in the same profile)
>
> Where "/usr/java/jre1.5.0_06/bin" is the path where java is installed on
> your box.
>
> Daniel

Ok, I tried to add in my path java path....then if I check with echo $PATH if it was right.....it was, but when I try to run startconsole it responds with the same error....

What can I do now???is there something to try???
thanks

Alex

From rmeggins at redhat.com Tue Mar 7 17:10:55 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 07 Mar 2006 10:10:55 -0700
Subject: R: [Fedora-directory-users] HELP: Error while start startconsole
In-Reply-To: <440dbdbd.350e988f.6cd3.ffff9830@mx.gmail.com>
References: <440dbdbd.350e988f.6cd3.ffff9830@mx.gmail.com>
Message-ID: <440DBE9F.7030403@redhat.com>

Alex wrote:

> > -bash-3.00$ vi /etc/profile.d/java.sh
> > # set java home environment variable
> > JAVA_HOME=/usr/java/jre1.5.0_06/bin

This should be
JAVA_HOME=/usr/java/jre1.5.0_06
JAVA_HOME is the _parent_ of the bin directory.

> > export JAVA_HOME
> >
> > You might have to have java in your path, that can be done with
> > export PATH=$PATH:$JAVA_HOME (in the same profile)

....:$JAVA_HOME/bin

> >
> > Where "/usr/java/jre1.5.0_06/bin" is the path where java is
> installed on
> > your box.
> >
> > Daniel
>
>
> Ok, I tried to add in my path java path....then if I check with echo
> $PATH if it was right.....it was, but when I try to run
> startconsole it responds with the same error....
>
> What can I do now???is there something to try???
>
>
> thanks
>
> Alex
>
From magobin at gmail.com Tue Mar 7 17:19:28 2006
From: magobin at gmail.com (Alex)
Date: Tue, 7 Mar 2006 18:19:28 +0100
Subject: R: R: [Fedora-directory-users] HELP: Error while start startconsole
In-Reply-To: <440DBE9F.7030403@redhat.com>
Message-ID: <440dc0b1.03e6c946.021d.4b02@mx.gmail.com>

>
> ....:$JAVA_HOME/bin
>
> > >
> > > Where "/usr/java/jre1.5.0_06/bin" is the path where java is
> > installed on > your box.
> > >
> > > Daniel
> >
>

My Path now is:

[root at nodo1 fedora-ds]# echo $PATH
/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/root/bin:/usr/java/j2re1.4.2_11/bin

I think that this is right!

Alex

From rmeggins at redhat.com Tue Mar 7 17:29:50 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 07 Mar 2006 10:29:50 -0700
Subject: R: R: [Fedora-directory-users] HELP: Error while start startconsole
In-Reply-To: <440dc0b1.03e6c946.021d.4b02@mx.gmail.com>
References: <440dc0b1.03e6c946.021d.4b02@mx.gmail.com>
Message-ID: <440DC30E.20402@redhat.com>

Alex wrote:

>
>>....:$JAVA_HOME/bin
>>
>>> >
>>> > Where "/usr/java/jre1.5.0_06/bin" is the path where java is
>>>installed on > your box.
>>> >
>>> > Daniel
>>>
>
>My Path now is:
>
>[root at nodo1 fedora-ds]# echo $PATH
>
>/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/root/bin:/usr/java/j2re1.4.2_11/bin
>
>I think that this is right!
>

Yes. How about JAVA_HOME?

>Alex
>
From magobin at gmail.com Tue Mar 7 17:35:13 2006
From: magobin at gmail.com (Alex)
Date: Tue, 7 Mar 2006 18:35:13 +0100
Subject: R: R: [Fedora-directory-users] HELP: Error while start startconsole
In-Reply-To: <440DBE9F.7030403@redhat.com>
Message-ID: <440dc463.6eb9aefe.1343.ffffa4c0@mx.gmail.com>

Sorry Richard, but I don't understand.....what have I to do with your attachment??

Can you explain me please??

Thanks in advance
Alex

From rmeggins at redhat.com Tue Mar 7 17:40:59 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 07 Mar 2006 10:40:59 -0700
Subject: R: R: [Fedora-directory-users] HELP: Error while start startconsole
In-Reply-To: <440dc463.6eb9aefe.1343.ffffa4c0@mx.gmail.com>
References: <440dc463.6eb9aefe.1343.ffffa4c0@mx.gmail.com>
Message-ID: <440DC5AB.7010607@redhat.com>

Alex wrote:

> Sorry Richard, but I don't understand.....what have I to do with your
>attachment??
>

In order to run the console (startconsole) you need to define the environment variable JAVA_HOME to the parent directory of your java bin directory e.g. on my Fedora Core 4 system, I have:

# ls /usr/lib/jvm/java-1.4.2-ibm-1.4.2.2
bin include jre lib

So I set JAVA_HOME:
JAVA_HOME=/usr/lib/jvm/java-1.4.2-ibm-1.4.2.2 ; export JAVA_HOME

Then I can run startconsole

>Can you explain me please??
>
>
>Thanks in advance
>Alex
>
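The two things the replies above ask about (JAVA_HOME must be the parent of the bin directory, and the java found first in PATH must be the intended JVM rather than a stale or GCJ one) can be checked with a short script. This is an added example, not part of any list message: the function names, verdict strings and the file tree built under a temporary directory are constructed for illustration, and recognising GCJ by "gcj" or "gij" in the -version banner is an assumption.

```shell
#!/bin/sh
# Added example: report why the wrong JVM may be picked up by a launcher
# script. Function names and verdict strings are made up for this example.

# Print the first executable called "java" in a PATH-style string ($1).
first_java_in_path() (
    set -f                       # do not glob while splitting on ':'
    IFS=:
    for dir in $1; do
        [ -n "$dir" ] || dir=.   # an empty PATH element means the current dir
        if [ -f "$dir/java" ] && [ -x "$dir/java" ]; then
            printf '%s\n' "$dir/java"
            exit 0
        fi
    done
    exit 1
)

# Succeed when the JVM at $1 looks like GCJ. Assumption: the -version banner
# of a GCJ/gij runtime contains "gcj" or "gij".
is_gcj() {
    "$1" -version 2>&1 | grep -Eqi 'gcj|gij'
}

# Print one finding per line for a JAVA_HOME value ($1) and a PATH value ($2),
# or a single "OK <resolved java>" line when nothing is wrong.
diagnose_java() {
    java_home=$1 findings=0 home_real=
    if [ -z "$java_home" ]; then
        echo "JAVA_HOME_UNSET"; findings=1
    elif [ -x "$java_home/bin/java" ]; then
        home_real=$(readlink -f "$java_home/bin/java")
    elif [ "$(basename "$java_home")" = bin ] && [ -x "$java_home/java" ]; then
        # JAVA_HOME was set to the bin directory instead of its parent.
        echo "JAVA_HOME_IS_BIN_DIR use=$(dirname "$java_home")"; findings=1
    else
        echo "JAVA_HOME_HAS_NO_JAVA"; findings=1
    fi
    if path_java=$(first_java_in_path "$2"); then
        path_real=$(readlink -f "$path_java")   # follow alternatives symlinks
        if is_gcj "$path_java"; then
            echo "PATH_JAVA_IS_GCJ $path_java"; findings=1
        fi
        if [ -n "$home_real" ] && [ "$path_real" != "$home_real" ]; then
            echo "PATH_SHADOWS_JAVA_HOME $path_java -> $path_real"; findings=1
        fi
    else
        echo "PATH_HAS_NO_JAVA"; findings=1
    fi
    [ "$findings" -eq 0 ] && echo "OK $home_real"
    return 0
}

# Build a constructed tree under $1: usr/bin/java is a symlink through
# etc/alternatives to an old GCJ-style runtime, next to a separate 1.5.0 JRE.
build_demo_tree() {
    root=$1
    mkdir -p "$root/usr/bin" "$root/etc/alternatives" \
             "$root/usr/lib/jvm/old-default/bin" "$root/usr/java/jre1.5.0_06/bin"
    printf '%s\n' '#!/bin/sh' \
        'echo "gij (GNU libgcj) version 4.0.2 (constructed banner)" >&2' \
        > "$root/usr/lib/jvm/old-default/bin/java"
    printf '%s\n' '#!/bin/sh' \
        'echo "java version 1.5.0_06 (constructed banner)" >&2' \
        > "$root/usr/java/jre1.5.0_06/bin/java"
    chmod +x "$root/usr/lib/jvm/old-default/bin/java" \
             "$root/usr/java/jre1.5.0_06/bin/java"
    ln -s "$root/usr/lib/jvm/old-default/bin/java" "$root/etc/alternatives/java"
    ln -s "$root/etc/alternatives/java" "$root/usr/bin/java"
}

demo_root=$(cd "$(mktemp -d)" && pwd -P)
trap 'rm -rf "$demo_root"' EXIT
build_demo_tree "$demo_root"
demo_jre="$demo_root/usr/java/jre1.5.0_06"

echo "JAVA_HOME set to .../bin, old java first in PATH:"
diagnose_java "$demo_jre/bin" "$demo_root/usr/bin:$demo_jre/bin"
echo "JAVA_HOME set to the parent, its bin first in PATH:"
diagnose_java "$demo_jre" "$demo_jre/bin:$demo_root/usr/bin"
```

On a real host, call `diagnose_java "$JAVA_HOME" "$PATH"` in the same shell that will launch the tool.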
From magobin at gmail.com Tue Mar 7 18:03:53 2006
From: magobin at gmail.com (Alex)
Date: Tue, 7 Mar 2006 19:03:53 +0100
Subject: R: R: R: [Fedora-directory-users] HELP: Error while startstartconsole
In-Reply-To: <440DC5AB.7010607@redhat.com>
Message-ID: <440dcb19.5b5529f6.7cc0.ffffc753@mx.gmail.com>

> # ls /usr/lib/jvm/java-1.4.2-ibm-1.4.2.2
> bin include jre lib
>
> So I set JAVA_HOME:
> JAVA_HOME=/usr/lib/jvm/java-1.4.2-ibm-1.4.2.2 ; export JAVA_HOME
>
> Then I can run startconsole
>

Ok, for test...
- I've uninstalled jre-1.4.2 and downloaded and installed jre1_5_0_06-linux-i586.rpm from Sun
- after installation I check where system put the files, so

Rpm -ql jre ....return that jre is installed on /usr/java/java1.5.0_06/

If I do
ls /usr/java/java1.5.0_06/

The output is:

Bin COPYRIGHT lib man README Welcome.html
CHANGES javaws LICENSE plugin THIRDPARTYLICENSEREADME.txt

..but exporting JAVA_HOME with that path doesn't work for me :-(

You have IBM and Include....I've downloaded only jre....
Any suggestion?

Alex

From nkinder at redhat.com Tue Mar 7 18:16:45 2006
From: nkinder at redhat.com (Nathan Kinder)
Date: Tue, 07 Mar 2006 10:16:45 -0800
Subject: R: R: R: [Fedora-directory-users] HELP: Error while startstartconsole
In-Reply-To: <440dcb19.5b5529f6.7cc0.ffffc753@mx.gmail.com>
References: <440dcb19.5b5529f6.7cc0.ffffc753@mx.gmail.com>
Message-ID: <440DCE0D.3060006@redhat.com>

Alex wrote:

>
>># ls /usr/lib/jvm/java-1.4.2-ibm-1.4.2.2
>>bin include jre lib
>>
>>So I set JAVA_HOME:
>>JAVA_HOME=/usr/lib/jvm/java-1.4.2-ibm-1.4.2.2 ; export JAVA_HOME
>>
>>Then I can run startconsole
>>
>
>
>Ok, for test...
>- I've uninstalled jre-1.4.2 and downloaded and installed
>jre1_5_0_06-linux-i586.rpm from Sun
>- after installation I check where system put the files, so
>
>Rpm -ql jre ....return that jre is installed on /usr/java/java1.5.0_06/
>
>If I do
>ls /usr/java/java1.5.0_06/
>
>The output is:
>
>Bin COPYRIGHT lib man README Welcome.html
>CHANGES javaws LICENSE plugin THIRDPARTYLICENSEREADME.txt
>
>..but exporting JAVA_HOME with that path doesn't work for me :-(
>
>You have IBM and Include....I've downloaded only jre....
>Any suggestion?
>

Try running "java --showversion" and let us know what the output is.

>Alex
>

From magobin at gmail.com Tue Mar 7 18:56:05 2006
From: magobin at gmail.com (Alex)
Date: Tue, 7 Mar 2006 19:56:05 +0100
Subject: R: R: R: R: [Fedora-directory-users] HELP: Error while start startconsole
In-Reply-To: <440DCE0D.3060006@redhat.com>
Message-ID: <440dd755.1ca07938.318a.228d@mx.gmail.com>

> Try running "java --showversion" and let us know what the output is.
>

The output is:

Java version "1.5.0_06"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_06-b05)
Java HotSpot(TM) Client VM (build 1.5.0_06-b05, mixed mode, sharing)

I have to inform you that this is the output from /usr/java/jre1.5.0_06/bin/java ; I specific because in path I still have java..from 1.4.2....It's impossible because i have uninstalled it (rpm -e j2re)....so...now I want to rename java(1.4.2), because this is in the path and this is before the new java path!

Thanks
Alex

From jimh at u.washington.edu Tue Mar 7 18:58:53 2006
From: jimh at u.washington.edu (Jim Hogan)
Date: Tue, 07 Mar 2006 10:58:53 -0800
Subject: [Fedora-directory-users] Samba schema not loading in FDS...
In-Reply-To: <4407149F.20607@sci.fi>
References: <000001c63b59$48f93ea0$fd0110ac@officecomputer> <44035C38.7060709@redhat.com> <44063A01.30507@u.washington.edu> <4406548E.6090403@redhat.com> <1141314494.19624.9.camel@dhollis-lnx.sunera.com> <4407149F.20607@sci.fi>
Message-ID: <440DD7ED.7080106@u.washington.edu>

Mike Jackson wrote:

> Try mine (and Yacine's):
>
> http://www.netauth.com/~jacksonm/ldap/ol-schema-migrate.pl

I should close this loop by pointing out that it was your fine script that I used to migrate my schema and not the original ol2rhds.pl that I credited.

Thanks,

Jim

--
/*********************************************************/
Jim Hogan
/*********************************************************/

From magobin at gmail.com Tue Mar 7 19:11:30 2006
From: magobin at gmail.com (Alex)
Date: Tue, 7 Mar 2006 20:11:30 +0100
Subject: R: R: R: R: [Fedora-directory-users] HELP: Error whilestartstartconsole [SOLVED]
In-Reply-To: <440DCE0D.3060006@redhat.com>
Message-ID: <440ddaf2.0957a249.5964.1ad7@mx.gmail.com>

Ok, now I can open console....the problem was that I still have java in /usr/bin from old installation (default installation)....following the link it came from /etc/alternatives and then point to /usr/java/1.4.2.....renaming it and putting /JAVA_HOME/bin in my path now it works and open splash image.....thanks to all for support....
Now I have to find issue why cannot connect to the Admin Server....but this is another story...:-))

Thank to all
Alex

From jimh at u.washington.edu Tue Mar 7 19:24:00 2006
From: jimh at u.washington.edu (Jim Hogan)
Date: Tue, 07 Mar 2006 11:24:00 -0800
Subject: [Fedora-directory-users] Directory Express...customize? separate/relocate?
Message-ID: <440DDDD0.1090602@u.washington.edu>

I have been looking at Directory Express pages on our new setup. Very nice! I have a few questions:

I'll need to make a few schema extensions for some attributes that will be set on a do-it-yourself basis (using Directory Express, I hope).
Is there any sort of guide to customizing Directory Express in such a way that changes will be preserved during future upgrades? I've rummaged around in /var/opt/fedora-ds/clients/dsgw to get a sense of the layout, but didn't know if there was a systematic guide of sorts.

(I could probably figure this next one out with more rummaging, but one of you might provide a quick "Don't even bother!" answer)...

Is it feasible to move/separate the Directory Express components so that they could run on a server separate from the admin server? What I have in place is an intranet server running under PubCookie. My thought is to put "DE" under this existing PubCookie regime and take advantage of stuff like REMOTE_USER vars. Just not sure if that is doable. I also started to look at moving the Fedora-DS httpd.worker under PubCookie, but that would seem more dubious.

Thanks!

Jim

--
/*********************************************************/
Jim Hogan
/*********************************************************/

From rmeggins at redhat.com Tue Mar 7 19:54:30 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 07 Mar 2006 12:54:30 -0700
Subject: [Fedora-directory-users] Directory Express...customize? separate/relocate?
In-Reply-To: <440DDDD0.1090602@u.washington.edu>
References: <440DDDD0.1090602@u.washington.edu>
Message-ID: <440DE4F6.7090908@redhat.com>

Jim Hogan wrote:

> I have been looking at Directory Express pages on our new setup. Very
> nice! I have a few questions:
>
> I'll need to make a few schema extensions for some attributes that
> will be set on a do-it-yourself basis (using Directory Express, I
> hope). Is there any sort of guide to customizing Directory Express in
> such a way that changes will be preserved during future upgrades?
> I've rummaged around in /var/opt/fedora-ds/clients/dsgw to get a sense
> of the layout, but didn't know if there was a systematic guide of sorts.
http://www.redhat.com/docs/manuals/dir-server/pdf/ds71gwcust.pdf

>
> (I could probably figure this next one out with more rummaging, but
> one of you might provide a quick "Don't even bother!" answer)...
>
> Is it feasible to move/separate the Directory Express components so
> that they could run on a server separate from the admin server? What
> I have in place is an intranet server running under PubCookie. My
> thought is to put "DE" under this existing PubCookie regime and take
> advantage of stuff like REMOTE_USER vars. Just not sure if that is
> doable. I also started to look at moving the Fedora-DS httpd.worker
> under PubCookie, but that would seem more dubious.

I assume PubCookie is some sort of SSO thing?
The DE stuff uses its own cookie scheme - you'd probably have to hack the source code.

>
> Thanks!
>
> Jim
>

From jimh at u.washington.edu Tue Mar 7 20:38:45 2006
From: jimh at u.washington.edu (Jim Hogan)
Date: Tue, 07 Mar 2006 12:38:45 -0800
Subject: [Fedora-directory-users] Directory Express...customize? separate/relocate?
In-Reply-To: <440DE4F6.7090908@redhat.com>
References: <440DDDD0.1090602@u.washington.edu> <440DE4F6.7090908@redhat.com>
Message-ID: <440DEF55.1040003@u.washington.edu>

Richard Megginson wrote:

> Jim Hogan wrote:
>
>> [...] Is there any sort of guide to customizing Directory Express in
>> such a way that changes will be preserved during future upgrades?
>> I've rummaged around in /var/opt/fedora-ds/clients/dsgw to get a sense
>> of the layout, but didn't know if there was a systematic guide of sorts.
>
> http://www.redhat.com/docs/manuals/dir-server/pdf/ds71gwcust.pdf

Ah, thanks. I just bookmarked that "dir-server" doc page.

>>
>> [...]
I also started to look at moving the Fedora-DS httpd.worker
>> under PubCookie, but that would seem more dubious.
>
> I assume PubCookie is some sort of SSO thing?

Yes, www.pubcookie.org. Produced by the folks here. Very nice, pretty simple to implement (at least when the parent organization already has the server service in place!)

> The DE stuff uses its own cookie scheme - you'd probably have to hack
> the source code.

This tells me that option #2 -- moving the DS httpd.worker under PubCookie would be just as onerous. I think I'll save this goal for later :)

Thanks,

Jim

>
>>
>> Thanks!
>>
>> Jim
>>

--
/*********************************************************/
Jim Hogan
/*********************************************************/

From mont.rothstein at gmail.com Wed Mar 8 01:10:56 2006
From: mont.rothstein at gmail.com (Mont Rothstein)
Date: Tue, 7 Mar 2006 17:10:56 -0800
Subject: [Fedora-directory-users] Re: getlocalsid error
In-Reply-To: <467a83630603061046u1bef23fbu6c3e163edb0800b4@mail.gmail.com>
References: <467a83630603061046u1bef23fbu6c3e163edb0800b4@mail.gmail.com>
Message-ID: <467a83630603071710y754c219l2523184fcec0fcbb@mail.gmail.com>

In case anyone else comes across this my problem was the same for both ldapsearch and my smb.conf. I am not using the default port for Fedora Directory Server therefore I needed to specify the port.

For ldapsearch it meant adding the -p option.

For smb.conf my passdb line became:

passdb backend = ldapsam:ldap://example.com:port

-Mont

On 3/6/06, Mont Rothstein wrote:
>
> I've just installed Fedora Directory Server (1.0.1) on RHEL 4.
>
> Samba version is 3.0.10
>
> I am attempting to follow:
> http://directory.fedora.redhat.com/wiki/Howto:Samba
>
> but I am getting an error with net getlocalsid. The output is:
>
> [2006/03/06 10:00:21, 0] lib/smbldap.c:smbldap_connect_system(850)
> failed to bind to server with dn= cn=Directory Manager Error: Can't
> contact LDAP server
> (unknown)
> [2006/03/06 10:00:21, 0] lib/smbldap.c:smbldap_search_suffix(1155)
> smbldap_search_suffix: Problem during the LDAP search: (unknown) (Timed
> out)
> SID for domain RHELES4RS1 is: S-1-5-21-807157010-1821471989-4121009367
>
> While I get a SID I assume I should not proceed with these errors.
>
> I've gone over my config I can't find my error. I've searched online and
> can't find anything.
>
> The full output of testparm is below.
>
> Any ideas as to what I've done wrong?
>
> Thanks,
> -Mont
>
> Load smb config files from /etc/samba/smb.conf
> Processing section "[netlogon]"
> Processing section "[profiles]"
> Processing section "[homes]"
> Processing section "[printers]"
> Processing section "[repository]"
> Processing section "[root directory]"
> Loaded services file OK.
> WARNING: You have some share names that are longer than 12 characters.
> These may not be accessible to some older clients.
> (Eg. Windows9x, WindowsMe, and smbclient prior to Samba 3.0.)
> Server role: ROLE_DOMAIN_PDC
> Press enter to see a dump of your service definitions
> # Global parameters
> [global]
> server string = rheles4rs1
> password server = None
> passdb backend = ldapsam:ldap://rheles4rs1.forayadams.foray.com
> username map = /etc/samba/smbusers
> log file = /var/log/%m.log
> max log size = 50
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> printcap name = /etc/printcap
> logon path = \\%L\profiles\%u
> logon drive = H:
> logon home = \\%L\%u\profiles
> domain logons = Yes
> os level = 33
> preferred master = Yes
> domain master = Yes
> dns proxy = No
> wins support = Yes
> ldap admin dn = cn=Directory Manager
> ldap group suffix = ou=Groups
> ldap machine suffix = ou=Computers
> ldap suffix = dc=forayadams,dc=foray,dc=com
> ldap user suffix = ou=People
> idmap uid = 16777216-33554431
> idmap gid = 16777216-33554431
> cups options = raw
>
> [netlogon]
> path = /var/lib/samba/netlogon
> browseable = No
>
> [profiles]
> path = /var/lib/samba/profiles
> read only = No
> create mask = 0600
> directory mask = 0700
>
> [homes]
> comment = Home Directories
> read only = No
> browseable = No
>
> [printers]
> comment = All Printers
> path = /var/spool/samba
> printable = Yes
> browseable = No
>
> [repository]
> path = /repository
> valid users = testadmin, testuser
> read only = No
>
> [root directory]
> path = /
> valid users = mont
> read only = No
>
>

From fzanni at cspnet.it Wed Mar 8 15:44:41 2006
From: fzanni at cspnet.it (Francesco Zanni)
Date: Wed, 8 Mar 2006 16:44:41 +0100
Subject: [Fedora-directory-users] After upgrading for 1.0.1 to 1.0.2 Console don't start
Message-ID: <001f01c642c7$36eb8e50$1818a8c0@06744000F5AEF00>

Hi,

I'm currently evaluating FDS to use it in our environment.
I was using FDS 1.0.1 with full success, but after upgrading it to 1.0.2 the Admin Console don't start...
I'm using Fedora core 4 on an Intel machine with JRE 1.4.2_10

When I start the console this is the result:

GC Warning: Out of Memory! Returning NIL!
Exception in thread "main" java.lang.OutOfMemoryError
<>

I tried to increase the java memory pool in the startconsole script (-mx128m instead of 64) but the result is the following:

Exception in thread "main" java.lang.NullPointerException
   at java.util.Hashtable.put(java.lang.Object, java.lang.Object) (/usr/lib/libgcj.so.6.0.0)
   at javax.swing.UIDefaults.putDefaults(java.lang.Object[]) (/usr/lib/libgcj.so.6.0.0)
   at com.netscape.management.nmclf.SuiLookAndFeel.initComponentDefaults(javax.swing.UIDefaults) (Unknown Source)
   at com.netscape.management.nmclf.SuiLookAndFeel.getDefaults() (Unknown Source)
   at javax.swing.UIManager.getDefaults() (/usr/lib/libgcj.so.6.0.0)
   at javax.swing.UIManager.getUI(javax.swing.JComponent) (/usr/lib/libgcj.so.6.0.0)
   at javax.swing.JPanel.updateUI() (/usr/lib/libgcj.so.6.0.0)
   at javax.swing.JPanel.JPanel(java.awt.LayoutManager, boolean) (/usr/lib/libgcj.so.6.0.0)
   at javax.swing.JPanel.JPanel() (/usr/lib/libgcj.so.6.0.0)
   at javax.swing.JRootPane.createGlassPane() (/usr/lib/libgcj.so.6.0.0)
   at javax.swing.JRootPane.getGlassPane() (/usr/lib/libgcj.so.6.0.0)
   at javax.swing.JRootPane.JRootPane() (/usr/lib/libgcj.so.6.0.0)
   at javax.swing.JFrame.createRootPane() (/usr/lib/libgcj.so.6.0.0)
   at javax.swing.JFrame.getRootPane() (/usr/lib/libgcj.so.6.0.0)
   at javax.swing.JFrame.frameInit() (/usr/lib/libgcj.so.6.0.0)
   at javax.swing.JFrame.JFrame() (/usr/lib/libgcj.so.6.0.0)
   at com.netscape.management.client.console.Console.Console(java.lang.String, java.lang.String, java.lang.String, java.lang.String, java.lang.String, java.lang.String) (Unknown Source)
   at com.netscape.management.client.console.Console.main(java.lang.String[]) (Unknown Source)
   at gnu.java.lang.MainThread.call_main() (/usr/lib/libgcj.so.6.0.0)
   at gnu.java.lang.MainThread.run() (/usr/lib/libgcj.so.6.0.0)

Why this happens ?
Thanks a lot in advance.

Cheers

Francesco Zanni
CSP SpA
Tel. +39 02 36575509
Fax. +39 02 36575599
E-mail fzanni at cspnet.it
Web www.cspnet.it

From nkinder at redhat.com Wed Mar 8 16:03:17 2006
From: nkinder at redhat.com (Nathan Kinder)
Date: Wed, 08 Mar 2006 08:03:17 -0800
Subject: [Fedora-directory-users] After upgrading for 1.0.1 to 1.0.2 Console don't start
In-Reply-To: <001f01c642c7$36eb8e50$1818a8c0@06744000F5AEF00>
References: <001f01c642c7$36eb8e50$1818a8c0@06744000F5AEF00>
Message-ID: <440F0045.30103@redhat.com>

Francesco Zanni wrote:

> Hi,
>
> I'm currently evaluating FDS to use it in our environment.
> I was using FDS 1.0.1 with full success, but after upgrading it to
> 1.0.2 the Admin Console don't start...
> I'm using Fedora core 4 on an Intel machine with JRE 1.4.2_10
>

FC4 comes with GCJ in /usr/bin/java. The Console does not work with GCJ out of the box. You need to ensure that the "java" executable that you want to use comes first in your PATH.

-NGK

> When I start the console this is the result:
>
> GC Warning: Out of Memory! Returning NIL!
> Exception in thread "main" java.lang.OutOfMemoryError
> <>
>
> I tried to increase the java memory pool in the startconsole script
> (-mx128m instead of 64) but the result is the following:
>
> Exception in thread "main" java.lang.NullPointerException
> at java.util.Hashtable.put(java.lang.Object, java.lang.Object)
> (/usr/lib/libgcj.so.6.0.0)
> at javax.swing.UIDefaults.putDefaults(java.lang.Object[])
> (/usr/lib/libgcj.so.6.0.0)
> at
> com.netscape.management.nmclf.SuiLookAndFeel.initComponentDefaults(javax.swing.UIDefaults)
> (Unknown Source)
> at com.netscape.management.nmclf.SuiLookAndFeel.getDefaults()
> (Unknown Source)
> at javax.swing.UIManager.getDefaults() (/usr/lib/libgcj.so.6.0.0)
> at javax.swing.UIManager.getUI(javax.swing.JComponent)
> (/usr/lib/libgcj.so.6.0.0)
> at javax.swing.JPanel.updateUI() (/usr/lib/libgcj.so.6.0.0)
> at javax.swing.JPanel.JPanel(java.awt.LayoutManager, boolean)
> (/usr/lib/libgcj.so.6.0.0)
> at javax.swing.JPanel.JPanel() (/usr/lib/libgcj.so.6.0.0)
> at javax.swing.JRootPane.createGlassPane() (/usr/lib/libgcj.so.6.0.0)
> at javax.swing.JRootPane.getGlassPane() (/usr/lib/libgcj.so.6.0.0)
> at javax.swing.JRootPane.JRootPane() (/usr/lib/libgcj.so.6.0.0)
> at javax.swing.JFrame.createRootPane() (/usr/lib/libgcj.so.6.0.0)
> at javax.swing.JFrame.getRootPane() (/usr/lib/libgcj.so.6.0.0)
> at javax.swing.JFrame.frameInit() (/usr/lib/libgcj.so.6.0.0)
> at javax.swing.JFrame.JFrame() (/usr/lib/libgcj.so.6.0.0)
> at
> com.netscape.management.client.console.Console.Console(java.lang.String,
> java.lang.String, java.lang.String, java.lang.String,
> java.lang.String, java.lang.String) (Unknown Source)
>
> at
> com.netscape.management.client.console.Console.main(java.lang.String[])
> (Unknown Source)
> at gnu.java.lang.MainThread.call_main() (/usr/lib/libgcj.so.6.0.0)
> at gnu.java.lang.MainThread.run() (/usr/lib/libgcj.so.6.0.0)
>
> Why this happens ?
> Thanks a lot in advance.
>
> Cheers
>
> Francesco Zanni
> CSP SpA
> Tel.
+39 02 36575509
> Fax. +39 02 36575599
> E-mail fzanni at cspnet.it
> Web _www.cspnet.it_
>
>

From bmathieu at sorbonne.fr Wed Mar 8 15:45:58 2006
From: bmathieu at sorbonne.fr (basile au siris)
Date: Wed, 08 Mar 2006 16:45:58 +0100
Subject: [Fedora-directory-users] fds and sendamil on solaris9
Message-ID: <440EFC36.2060903@siris.sorbonne.fr>

hi
i use fds on solaris 9 as users database
i can send , receive email , alias works
but i have a few mail that seems to be sent but i never receive
and here are logs i can see just after sendmail receive the mail :

Mar 8 16:32:39 mailer sm-mta[874]: [ID 801593 mail.info] k28FWdpb000874: from=, size=375, class=0, nrcpts=1, msgid=<440EF916.30503 at siris.sorbonne.fr>, proto=ESMTP, daemon=Daemon0, relay=pc.sorbonne.fr [xxx.xxx.xxx.xxx]
Mar 8 16:32:39 mailer sm-mta[878]: [ID 293258 mail.error] libsldap: Status: 91 Mesg: Error 0
Mar 8 16:32:39 mailer last message repeated 1 time
Mar 8 16:32:39 mailer sm-mta[878]: [ID 293258 mail.error] libsldap: Status: 7 Mesg: Session error no available conn.

thanks
basile

From dhollis at davehollis.com Wed Mar 8 18:50:22 2006
From: dhollis at davehollis.com (David Hollis)
Date: Wed, 08 Mar 2006 13:50:22 -0500
Subject: [Fedora-directory-users] After upgrading for 1.0.1 to 1.0.2 Console don't start
In-Reply-To: <440F0045.30103@redhat.com>
References: <001f01c642c7$36eb8e50$1818a8c0@06744000F5AEF00> <440F0045.30103@redhat.com>
Message-ID: <1141843822.5798.7.camel@dhollis-lnx.sunera.com>

On Wed, 2006-03-08 at 08:03 -0800, Nathan Kinder wrote:
> Francesco Zanni wrote:
>
> > Hi,
> >
> > I'm currently evaluating FDS to use it in our environment.
> > I was using FDS 1.0.1 with full success, but after upgrading it to
> > 1.0.2 the Admin Console don't start...
> > I'm using Fedora core 4 on an Intel machine with JRE 1.4.2_10 > > > FC4 comes with GCJ in /usr/bin/java. The Console does not work with GCJ > out of the box. You need to ensure that the "java" executable that you > want to use comes first in your PATH. I seem to have had pretty good success using the jpackage.org Java RPMS (well, nosrc.rpms) to package up Suns 1.5.0 Java and it works fine with FDS. It puts all of the Java bits in the right places, and uses alternatives to allow you select between GCJ, Sun, IBM, etc. And it plays nice with the system and dependencies. -- David Hollis -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 191 bytes Desc: This is a digitally signed message part URL: From lesmikesell at gmail.com Wed Mar 8 19:57:17 2006 From: lesmikesell at gmail.com (Les Mikesell) Date: Wed, 08 Mar 2006 13:57:17 -0600 Subject: [Fedora-directory-users] After upgrading for 1.0.1 to 1.0.2 Console don't start In-Reply-To: <1141843822.5798.7.camel@dhollis-lnx.sunera.com> References: <001f01c642c7$36eb8e50$1818a8c0@06744000F5AEF00> <440F0045.30103@redhat.com> <1141843822.5798.7.camel@dhollis-lnx.sunera.com> Message-ID: <1141847836.31977.3.camel@moola.futuresource.com> On Wed, 2006-03-08 at 12:50, David Hollis wrote: > > > > > FC4 comes with GCJ in /usr/bin/java. The Console does not work with GCJ > > out of the box. You need to ensure that the "java" executable that you > > want to use comes first in your PATH. > > I seem to have had pretty good success using the jpackage.org Java RPMS > (well, nosrc.rpms) to package up Suns 1.5.0 Java and it works fine with > FDS. It puts all of the Java bits in the right places, and uses > alternatives to allow you select between GCJ, Sun, IBM, etc. And it > plays nice with the system and dependencies. Do you have a good starting point for documentation on setting this up? 
There is so much stuff on jpackage.org I've had trouble finding it. -- Les Mikesell lesmikesell at gmail.com From magobin at gmail.com Wed Mar 8 22:16:24 2006 From: magobin at gmail.com (Alex) Date: Wed, 8 Mar 2006 23:16:24 +0100 Subject: R: [Fedora-directory-users] After upgrading for 1.0.1 to 1.0.2Console don't start In-Reply-To: <1141847836.31977.3.camel@moola.futuresource.com> Message-ID: <440f57c6.608446e7.174c.447a@mx.gmail.com> > -----Messaggio originale----- > D > > > FC4 comes with GCJ in /usr/bin/java. The Console does > not work with > > > GCJ out of the box. You need to ensure that the "java" > executable > > > that you want to use comes first in your PATH. > > > > I seem to have had pretty good success using the jpackage.org Java > > RPMS (well, nosrc.rpms) to package up Suns 1.5.0 Java and it works > > fine with FDS. It puts all of the Java bits in the right > places, and > > uses alternatives to allow you select between GCJ, Sun, > IBM, etc. And > > it plays nice with the system and dependencies. > > Do you have a good starting point for documentation on > setting this up? There is so much stuff on jpackage.org I've > had trouble finding it. > After my trouble with java (solved....thanks to all)...I founded this link.... http://fedoranews.org/mediawiki/index.php/JPackage_Java_for_FC4 ...following this tutorial every trouble with java shoul be resolved Regards Alex From mont.rothstein at gmail.com Thu Mar 9 16:28:25 2006 From: mont.rothstein at gmail.com (Mont Rothstein) Date: Thu, 9 Mar 2006 08:28:25 -0800 Subject: [Fedora-directory-users] getlocalsid: adding domain info...failed Message-ID: <467a83630603090828g58c9c82by608b8f9b1d90433c@mail.gmail.com> I am trying to integrate Fedora Directory Server (1.0.1) and Samba (3.0.10) on RHEL ES4. 
When I execute "net getlocalsid" I get the following:

[2006/03/07 17:55:29, 0] lib/smbldap.c:smbldap_search_domain_info(1392)
Adding domain info for WORKGROUP failed with NT_STATUS_UNSUCCESSFUL
SID for domain RHELES4RS1 is: S-1-5-21-807157010-1821471989-4121009367

My workgroup is currently set to workgroup and I can perform an ldapsearch.

I saw one reference on the web to ignore this, but I was skeptical.

What could be causing this error? Is there something in FDS that I failed to do (I haven't done anything beyond the basic install)?

I'm stuck on this, any help/advice is greatly appreciated.

Thanks,
-Mont

From jsummers at bachman.cs.ou.edu Thu Mar 9 17:54:52 2006
From: jsummers at bachman.cs.ou.edu (Jim Summers)
Date: Thu, 09 Mar 2006 11:54:52 -0600
Subject: [Fedora-directory-users] LdapSearch Field Length
Message-ID: <44106BEC.5060901@cs.ou.edu>

Hello All,

I was modifying the value of an attribute, automountInformation in this instance. The modify works as expected, but when I use ldapsearch to dump the entry containing the new value it seems to truncate it at 78 characters, that is (attribute name + attribute value). The remainder of the value is on the next line, which has caused some scripts to not work as expected.

The manpage for ldapsearch did not reveal any clues or switches to get around this length limit. Could it be a server limit?

Interesting also is that db2ldif produces the same behavior.

Ideas on what I could do to get the value returned back on one line?

STRANGE EXAMPLE OUTPUT:
===============
automountInformation: -rw,actimeo=30,rsize=32768,wsize=32768 fs001:/raid/facst
 aff/faharris
===============

EXPECTED OUTPUT:
===============
automountInformation: -rw,actimeo=30,rsize=32768,wsize=32768 fs001:/raid/facstaff/faharris
===============

The above examples may not be clear due to email wrapping, but in the first one ldapsearch truncates at the "t" and in the second there is no truncating.

TIA
--
Jim Summers
School of Computer Science-University of Oklahoma
-------------------------------------------------

From mj at sci.fi Thu Mar 9 17:58:17 2006
From: mj at sci.fi (Mike Jackson)
Date: Thu, 09 Mar 2006 19:58:17 +0200
Subject: [Fedora-directory-users] LdapSearch Field Length
In-Reply-To: <44106BEC.5060901@cs.ou.edu>
References: <44106BEC.5060901@cs.ou.edu>
Message-ID: <44106CB9.6000704@sci.fi>

Jim Summers wrote:
> Hello All,
>
> I was modifying the value of an attribute, automountInformation in this
> instance. The modify works as expected, but when I use ldapsearch to
> dump the entry containing the new value it seems to truncate it at 78
> characters, that is (attribute name + attribute value). The remainder
> of the value is on the next line, which has caused some scripts to not
> work as expected.

Line wrapping is defined in the LDIF RFC (2849); this is not a bug, it's a feature. You can get around it when writing a script with e.g. perl-ldap (Net::LDAP).

BR,
Mike

--
http://www.netauth.com - LDAP Directory Consulting

From nkinder at redhat.com Thu Mar 9 18:03:23 2006
From: nkinder at redhat.com (Nathan Kinder)
Date: Thu, 09 Mar 2006 10:03:23 -0800
Subject: [Fedora-directory-users] LdapSearch Field Length
In-Reply-To: <44106BEC.5060901@cs.ou.edu>
References: <44106BEC.5060901@cs.ou.edu>
Message-ID: <44106DEB.3040803@redhat.com>

Jim Summers wrote:
> Hello All,
>
> I was modifying the value of an attribute, automountInformation in
> this instance. The modify works as expected, but when I use
> ldapsearch to dump the entry containing the new value it seems to
> truncate it at 78 characters, that is (attribute name + attribute
> value). The remainder of the value is on the next line, which has
> caused some scripts to not work as expected.
>
> The manpage for ldapsearch did not reveal any clues or switches to get
> around this length limit. Could it be a server limit?
>
> Interesting also is that db2ldif produces the same behavior.

This is part of the LDIF standard. You can refer to RFC 2849 for details on the LDIF syntax.

>
> Ideas on what I could do to get the value returned back on one line?

The "-U" option to db2ldif will tell it to not fold lines. The "-T" option to ldapsearch will do the same.

-NGK

>
> STRANGE EXAMPLE OUTPUT:
> ===============
> automountInformation: -rw,actimeo=30,rsize=32768,wsize=32768
> fs001:/raid/facst
> aff/faharris
> ===============
>
> EXPECTED OUTPUT:
> ===============
> automountInformation: -rw,actimeo=30,rsize=32768,wsize=32768
> fs001:/raid/facstaff/faharris
> ===============
>
> The above examples may not be clear due to email wrapping, but in the
> first one ldapsearch truncates at the "t" and in the second there is
> not truncating.
>
> TIA

From rmeggins at redhat.com Thu Mar 9 18:03:31 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 09 Mar 2006 11:03:31 -0700
Subject: [Fedora-directory-users] LdapSearch Field Length
In-Reply-To: <44106BEC.5060901@cs.ou.edu>
References: <44106BEC.5060901@cs.ou.edu>
Message-ID: <44106DF3.2070305@redhat.com>

Jim Summers wrote:
> Hello All,
>
> I was modifying the value of an attribute, automountInformation in
> this instance. The modify works as expected, but when I use
> ldapsearch to dump the entry containing the new value it seems to
> truncate it at 78 characters, that is (attribute name + attribute
> value). The remainder of the value is on the next line, which has
> caused some scripts to not work as expected.
>
> The manpage for ldapsearch did not reveal any clues or switches to get
> around this length limit. Could it be a server limit?

No. This is standard LDAP LDIF behavior.

If you're using perl, I suggest using either perldap or Net::LDAP - they both have LDIF parsers that handle this nicely. If you're using python, I think python-ldap also handles this. If you're using sh, see below.

>
> Interesting also is that db2ldif produces the same behavior.
>
> Ideas on what I could do to get the value returned back on one line?

I'm not sure if /usr/bin/ldapsearch supports this, but /opt/fedora-ds/shared/bin/ldapsearch has the -T option:
-T don't fold (wrap) long lines (default is to fold)

>
> STRANGE EXAMPLE OUTPUT:
> ===============
> automountInformation: -rw,actimeo=30,rsize=32768,wsize=32768
> fs001:/raid/facst
> aff/faharris
> ===============
>
> EXPECTED OUTPUT:
> ===============
> automountInformation: -rw,actimeo=30,rsize=32768,wsize=32768
> fs001:/raid/facstaff/faharris
> ===============
>
> The above examples may not be clear due to email wrapping, but in the
> first one ldapsearch truncates at the "t" and in the second there is
> not truncating.
>
> TIA

From jsummers at bachman.cs.ou.edu Thu Mar 9 21:00:27 2006
From: jsummers at bachman.cs.ou.edu (Jim Summers)
Date: Thu, 09 Mar 2006 15:00:27 -0600
Subject: [Fedora-directory-users] LdapSearch Field Length
In-Reply-To: <44106DF3.2070305@redhat.com>
References: <44106BEC.5060901@cs.ou.edu> <44106DF3.2070305@redhat.com>
Message-ID: <4410976B.8050603@cs.ou.edu>

Richard Megginson wrote:
>
> If you're using perl, I suggest using either perldap or Net::LDAP - they
> both have LDIF parsers that handle this nicely. If you're using python,
> I think python-ldap also handles this. If you're using sh, see below.

Many thanks to all who replied on this. A quick modification using the Net::LDAP fixed all. I will also get ahold of the 2849 rfc for future reference.

>
>>
>> Interesting also is that db2ldif produces the same behavior.
>>
>> Ideas on what I could do to get the value returned back on one line?
>
> I'm not sure if /usr/bin/ldapsearch supports this, but

I checked the /usr/bin/ldapsearch and it does not support the -T. Interestingly it doesn't fail on bad switch / parameter but it yields kinda unpredictable behavior. Kinda like getopts in perl with an unexpected parameter.

Thanks again.

> /opt/fedora-ds/shared/bin/ldapsearch has the -T option:
> -T don't fold (wrap) long lines (default is to fold)
>
>>

--
Jim Summers
School of Computer Science-University of Oklahoma
-------------------------------------------------

From ABliss at preferredcare.org Thu Mar 9 21:05:23 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Thu, 9 Mar 2006 16:05:23 -0500
Subject: [Fedora-directory-users] Not sure what version of java is needed for fds 1.0.2
Message-ID:

Couple of small questions after upgrading from fds 1.0.1 to 1.0.2. I apologize in advance if this question has been answered, however I didn't see anywhere that mentions what version of jre is required; on a test box, I had issues starting the console with IBMJava2-142-ia32-SDK-1.4.2-3.0 installed; I had to install jre-1_5_0_06-linux-i586.rpm from Sun in order to get rid of the java errors; was this upgrade necessary? Also, I noticed that after starting the console, the version that is displayed (when highlighting the Directory Server icon) is still 1.0.1, however rpm -qa | grep fedora-ds shows fedora-ds-1.0.2-1.RHEL4; slapd error logs show that fedora-directory 1.0.2 B2006.060.1928 starting up; Is this just a small bug? Thanks again.
Aaron

www.preferredcare.org
"An Outstanding Member Experience," Preferred Care HMO Plans -- J. D. Power and Associates

Confidentiality Notice:
The information contained in this electronic message is intended for the exclusive use of the individual or entity named above and may contain privileged or confidential information. If the reader of this message is not the intended recipient or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that dissemination, distribution or copying of this information is prohibited. If you have received this communication in error, please notify the sender immediately by telephone and destroy the copies you received.

From rmeggins at redhat.com Thu Mar 9 21:08:55 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 09 Mar 2006 14:08:55 -0700
Subject: [Fedora-directory-users] Not sure what version of java is needed for fds 1.0.2
In-Reply-To:
References:
Message-ID: <44109967.4040304@redhat.com>

Bliss, Aaron wrote:

>Couple of small questions after upgrading from fds 1.0.1 to 1.0.2. I
>apologize in advance if this question has been answered, however I
>didn't see anywhere that mentions what version of jre is required; on a
>test box, I had issues starting the console with
>IBMJava2-142-ia32-SDK-1.4.2-3.0 installed; I had to install
>jre-1_5_0_06-linux-i586.rpm from Sun in order to get rid of the java
>errors; was this upgrade necessary?
>
I don't think so - what errors did you get?

>Also, I noticed that after starting
>the console, the version that is displayed (when highlighting the
>Directory Server icon) is still 1.0.1, however rpm -qa | grep fedora-ds
>shows fedora-ds-1.0.2-1.RHEL4; slapd error logs show that
>fedora-directory 1.0.2 B2006.060.1928 starting up; Is this just a small
>bug? Thanks again.
>
Yes, the console still shows version 1.0.1, but it's really 1.0.2.

>Aaron

From ABliss at preferredcare.org Thu Mar 9 21:19:39 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Thu, 9 Mar 2006 16:19:39 -0500
Subject: [Fedora-directory-users] Not sure what version of java is needed for fds 1.0.2
Message-ID:

I did some more testing; I removed jre-1_5_0_06-linux-i586.rpm, re-installed IBMJava2-142-ia32-SDK-1.4.2-3.0 and all seems okay; thanks again for your help.

Aaron
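The line folding that the "LdapSearch Field Length" thread above traces to RFC 2849, as an added example (not code from any poster or from the Fedora Directory Server project): it contrasts a line-oriented lookup, which returns the truncated value, with an unfolding parser that also handles base64 (`::`) values. Only the automountInformation value comes from the thread; the DN, objectClass and description values and all function names are constructed for the illustration.

```python
import base64

# Constructed sample: only the automountInformation value comes from the
# thread; the DN, objectClass and description values are made up.
SAMPLE_LDIF = (
    "version: 1\n"
    "\n"
    "# constructed entry for the example\n"
    "dn: cn=faharris,ou=auto.home,dc=example,dc=com\n"
    "objectClass: automount\n"
    "cn: faharris\n"
    "automountInformation: -rw,actimeo=30,rsize=32768,wsize=32768 fs001:/raid/facst\n"
    " aff/faharris\n"
    "description:: Rm9sZGVkIGJhc2U2NCB2YWx1\n"
    " ZQ==\n"
)


def unfold(text):
    """Join RFC 2849 folded lines: a physical line that starts with a space
    continues the previous line, with that one space removed."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical and logical[-1] != "":
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    return logical


def decode_value(rest):
    """Decode the part of an attribute line that follows the first colon."""
    if rest.startswith(":"):                  # "attr:: <base64>"
        data = base64.b64decode(rest[1:].strip())
        try:
            return data.decode("utf-8")
        except UnicodeDecodeError:
            return data                       # binary value, keep as bytes
    if rest.startswith("<"):                  # "attr:< <url>", not fetched here
        return rest[1:].strip()
    return rest.lstrip(" ")


def parse_ldif(text):
    """Return a list of records; each record is a list of (attr, value)."""
    records, current = [], []
    for line in unfold(text) + [""]:          # trailing "" flushes the last record
        if line == "":
            if current:
                records.append(current)
                current = []
            continue
        if line.startswith("#"):              # comment line
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError("not an LDIF attribute line: %r" % line)
        if name == "version" and not current and not records:
            continue                          # leading "version: 1" header
        current.append((name, decode_value(rest)))
    return records


def naive_value(text, attr):
    """What a line-oriented script sees: the first physical line only, so a
    folded value comes back truncated at the fold."""
    prefix = attr + ": "
    for raw in text.splitlines():
        if raw.startswith(prefix):
            return raw[len(prefix):]
    return None


def first_value(record, attr):
    """Case-insensitive lookup of the first value of attr in one record."""
    for name, value in record:
        if name.lower() == attr.lower():
            return value
    return None


if __name__ == "__main__":
    entry = parse_ldif(SAMPLE_LDIF)[0]
    print("naive :", naive_value(SAMPLE_LDIF, "automountInformation"))
    print("parsed:", first_value(entry, "automountInformation"))
    print("base64:", first_value(entry, "description"))
```

A script that greps LDIF line by line has the same blind spot as `naive_value` for any long or base64-encoded value, which matters when such scripts feed audits or access reviews.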
From jimh at u.washington.edu Fri Mar 10 16:38:02 2006 From: jimh at u.washington.edu (Jim Hogan) Date: Fri, 10 Mar 2006 08:38:02 -0800 Subject: [Fedora-directory-users] Directory Express...customize? separate/relocate? In-Reply-To: <440DE4F6.7090908@redhat.com> References: <440DDDD0.1090602@u.washington.edu> <440DE4F6.7090908@redhat.com> Message-ID: <4411AB6A.9020606@u.washington.edu> I had another thought on this thread.... Our FDS directory will be essentially for internal use, and we only want to expose it enough for some of our people to update their records through a Web page that pre-authenticates/authorizes them (our PubCookie scheme). Rather than try to separate the DE code onto this server, one thought I had last night was to set up a reverse proxy on our PubCookie's portal server that proxies the DE pages. Not sure how this will work out with the 2 different cookie regimes. This notion isn't particularly germane to the Fedora Directory Server lists, but I figured I'd throw it up here on the list in case someone has already been/done and can offer an opinion. Otherwise, if I try it and it works, I'll let you know! Jim Richard Megginson wrote: > Jim Hogan wrote: > >> My thought is to put "DE" under this existing PubCookie regime and >> take advantage of stuff like REMOTE_USER vars. Just not sure if that >> is doable. I also started to look at moving the Fedora-DS >> httpd.worker under PubCookie, but that would seem more dubious. > > > I assume PubCookie is some sort of SSO thing? The DE stuff uses it's > own cookie scheme - you'd probably have to hack the source code. > >> >> Thanks! 
>> >> Jim >> >> >> >> >------------------------------------------------------------------------ > >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -- /*********************************************************/ Jim Hogan /*********************************************************/ From ABliss at preferredcare.org Mon Mar 13 18:55:56 2006 From: ABliss at preferredcare.org (Bliss, Aaron) Date: Mon, 13 Mar 2006 13:55:56 -0500 Subject: [Fedora-directory-users] Getting ready to upgrade from fds 1.0.1 to 1.0.2 Message-ID: I'm planning on upgrading both my supplier and consumer fds servers tonight; do I need to worry about their server certificates? I'll just be running rpm -Uvh fedora....Thanks very much. Aaron www.preferredcare.org "An Outstanding Member Experience," Preferred Care HMO Plans -- J. D. Power and Associates Confidentiality Notice: The information contained in this electronic message is intended for the exclusive use of the individual or entity named above and may contain privileged or confidential information. If the reader of this message is not the intended recipient or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that dissemination, distribution or copying of this information is prohibited. If you have received this communication in error, please notify the sender immediately by telephone and destroy the copies you received. From rmeggins at redhat.com Mon Mar 13 18:58:45 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Mon, 13 Mar 2006 11:58:45 -0700 Subject: [Fedora-directory-users] Getting ready to upgrade from fds 1.0.1 to 1.0.2 In-Reply-To: References: Message-ID: <4415C0E5.3010808@redhat.com> Bliss, Aaron wrote: >I'm planning on upgrading both my supplier and consumer fds servers >tonight; do I need to worry about their server certificates? 
I'll just >be running rpm -Uvh fedora....Thanks very much. > > Upgrade shouldn't touch any ssl information. After doing the rpm -U, do cd /opt/fedora-ds ; ./setup/setup and follow the prompts. >Aaron > >www.preferredcare.org >"An Outstanding Member Experience," Preferred Care HMO Plans -- J. D. Power and Associates > >Confidentiality Notice: >The information contained in this electronic message is intended for the exclusive use of the individual or entity named above and may contain privileged or confidential information. If the reader of this message is not the intended recipient or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that dissemination, distribution or copying of this information is prohibited. If you have received this communication in error, please notify the sender immediately by telephone and destroy the copies you received. > > >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From ABliss at preferredcare.org Mon Mar 13 19:01:07 2006 From: ABliss at preferredcare.org (Bliss, Aaron) Date: Mon, 13 Mar 2006 14:01:07 -0500 Subject: [Fedora-directory-users] Getting ready to upgrade from fds 1.0.1 to 1.0.2 Message-ID: Thanks; just so I understand, I have to run the setup script even though my databases have already been configured? I did not have to do this on my test box in order to upgrade. Thanks. Aaron -----Original Message----- From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard Megginson Sent: Monday, March 13, 2006 1:59 PM To: General discussion list for the Fedora Directory server project. 
Subject: Re: [Fedora-directory-users] Getting ready to upgrade from fds 1.0.1 to 1.0.2 Bliss, Aaron wrote: >I'm planning on upgrading both my supplier and consumer fds servers >tonight; do I need to worry about their server certificates? I'll just >be running rpm -Uvh fedora....Thanks very much. > > Upgrade shouldn't touch any ssl information. After doing the rpm -U, do cd /opt/fedora-ds ; ./setup/setup and follow the prompts. >Aaron > >www.preferredcare.org >"An Outstanding Member Experience," Preferred Care HMO Plans -- J. D. >Power and Associates > >Confidentiality Notice: >The information contained in this electronic message is intended for the exclusive use of the individual or entity named above and may contain privileged or confidential information. If the reader of this message is not the intended recipient or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that dissemination, distribution or copying of this information is prohibited. If you have received this communication in error, please notify the sender immediately by telephone and destroy the copies you received. > > >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users > > www.preferredcare.org "An Outstanding Member Experience," Preferred Care HMO Plans -- J. D. Power and Associates Confidentiality Notice: The information contained in this electronic message is intended for the exclusive use of the individual or entity named above and may contain privileged or confidential information. If the reader of this message is not the intended recipient or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that dissemination, distribution or copying of this information is prohibited. If you have received this communication in error, please notify the sender immediately by telephone and destroy the copies you received. 
From rmeggins at redhat.com Mon Mar 13 19:07:33 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Mon, 13 Mar 2006 12:07:33 -0700 Subject: [Fedora-directory-users] Getting ready to upgrade from fds 1.0.1 to 1.0.2 In-Reply-To: References: Message-ID: <4415C2F5.7000206@redhat.com> Bliss, Aaron wrote: >Thanks; just so I understand, I have to run the setup script even >though my databases have already been configured? I did not have to do >this on my test box in order to upgrade. Thanks. > > Setup will copy in the new schema files required to use the new password syntax checking, so if you skip that, you'll have to copy them in manually. Setup will also make sure the console reports the correct version of directory server. >Aaron > >-----Original Message----- >From: fedora-directory-users-bounces at redhat.com >[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard >Megginson >Sent: Monday, March 13, 2006 1:59 PM >To: General discussion list for the Fedora Directory server project. >Subject: Re: [Fedora-directory-users] Getting ready to upgrade from fds >1.0.1 to 1.0.2 > >Bliss, Aaron wrote: > > > >>I'm planning on upgrading both my supplier and consumer fds servers >>tonight; do I need to worry about their server certificates? I'll just >> >> > > > >>be running rpm -Uvh fedora....Thanks very much. >> >> >> >> >Upgrade shouldn't touch any ssl information. > >After doing the rpm -U, do cd /opt/fedora-ds ; ./setup/setup and follow >the prompts. > > > >>Aaron >> >>www.preferredcare.org >>"An Outstanding Member Experience," Preferred Care HMO Plans -- J. D. >>Power and Associates >> >>Confidentiality Notice: >>The information contained in this electronic message is intended for >> >> >the exclusive use of the individual or entity named above and may >contain privileged or confidential information. 

From ABliss at preferredcare.org Mon Mar 13 19:08:25 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Mon, 13 Mar 2006 14:08:25 -0500
Subject: [Fedora-directory-users] Getting ready to upgrade from fds 1.0.1 to 1.0.2
Message-ID:

Ah, thanks again.

Aaron

From ABliss at preferredcare.org Mon Mar 13 19:32:23 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Mon, 13 Mar 2006 14:32:23 -0500
Subject: [Fedora-directory-users] Getting ready to upgrade from fds 1.0.1 to 1.0.2
Message-ID:

I have 1 more question; looking at the new password policy options, what is the difference between required special characters and required alpha characters? Are alpha characters integers and special characters keys such as #$% Thanks again.

Aaron

From ABliss at preferredcare.org Mon Mar 13 19:35:37 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Mon, 13 Mar 2006 14:35:37 -0500
Subject: [Fedora-directory-users] Getting ready to upgrade from fds 1.0.1 to 1.0.2
Message-ID:

Sorry about the previous post, I just checked the release notes, looks like special characters are $@# etc, digit characters are integers, alpha characters are just letters. Thanks.

Aaron

From nkinder at redhat.com Mon Mar 13 19:38:35 2006
From: nkinder at redhat.com (Nathan Kinder)
Date: Mon, 13 Mar 2006 11:38:35 -0800
Subject: [Fedora-directory-users] Getting ready to upgrade from fds 1.0.1 to 1.0.2
In-Reply-To:
References:
Message-ID: <4415CA3B.4090908@redhat.com>

Bliss, Aaron wrote:

>I have 1 more question; looking at the new password policy options, what
>is the difference between required special characters and required alpha
>characters? Are alpha characters integers and special characters keys
>such as #$% Thanks again.

Alphas are letters only. Digits are your numeric characters. Special characters are any other 7-bit characters such as !@#$.

-NGK

From mont.rothstein at gmail.com Mon Mar 13 20:10:28 2006
From: mont.rothstein at gmail.com (Mont Rothstein)
Date: Mon, 13 Mar 2006 12:10:28 -0800
Subject: [Fedora-directory-users] Re: getlocalsid: adding domain info...failed
In-Reply-To: <467a83630603090828g58c9c82by608b8f9b1d90433c@mail.gmail.com>
References: <467a83630603090828g58c9c82by608b8f9b1d90433c@mail.gmail.com>
Message-ID: <467a83630603131210s5aa97260wf70fc92dc5c7ea1c@mail.gmail.com>

I figured this out, in case anyone else comes across it.

The problem was with the conversion of the samba schema. Fedora has a bug:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=170791

The conversion script pointed to by:

http://directory.fedora.redhat.com/wiki/Howto:Samba

is out-of-date. A newer version, that works around this bug can be found at:

http://www.netauth.com/~jacksonm/ldap/ol-schema-migrate.pl

-Mont

On 3/9/06, Mont Rothstein wrote:
>
> I am trying to integrate Fedora Directory Server (1.0.1) and Samba (3.0.10)
> on RHEL ES4.
>
> When I execute "net getlocalsid" I get the following:
>
> [2006/03/07 17:55:29, 0] lib/smbldap.c:smbldap_search_domain_info(1392)
> Adding domain info for WORKGROUP failed with NT_STATUS_UNSUCCESSFUL
> SID for domain RHELES4RS1 is: S-1-5-21-807157010-1821471989-4121009367
>
> My workgroup is currently set to workgroup and I can perform an
> ldapsearch.
>
> I saw one reference on the web to ignore this, but I was skeptical.
>
> What could be causing this error? Is there something in FDS that I failed
> to do (I haven't done anything beyond the basic install).
>
> I'm stuck on this, any help/advice is greatly appreciated.
>
> Thanks,
> -Mont

From ABliss at preferredcare.org Tue Mar 14 02:34:49 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Mon, 13 Mar 2006 21:34:49 -0500
Subject: [Fedora-directory-users] Getting ready to upgrade from fds 1.0.1 to 1.0.2
Message-ID:

Well, I upgraded the fds rpm; after a reboot all looks okay, however I noticed this information in the setup logfile; is this indicative that something failed to update properly? Perhaps the new schema files? How can I verify that the new schema files are in use? Thanks very much.

Start Slapd Starting Slapd server reconfiguration.
Fatal Slapd ERROR: Could not update Directory Server Instance URL ldap://fds1.preferredcare.org:389/o=NetscapeRoot user id admin DN cn=slapd-al-lnx-s11,cn=Fedora Directory Server,cn=Server Group,cn=fds1.preferredcare.org,ou=preferredcare.org,o=NetscapeRoot (19:Constraint violation)
Configuring Administration Server...
InstallInfo: Apache Directory "ApacheDir" is missing.

The proper fds version is displayed in the display console, and the new password enforcement options seem to be available.

Aaron

From rmeggins at redhat.com Tue Mar 14 02:53:50 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 13 Mar 2006 19:53:50 -0700
Subject: [Fedora-directory-users] Getting ready to upgrade from fds 1.0.1 to 1.0.2
In-Reply-To:
References:
Message-ID: <4416303E.6090107@redhat.com>

Bliss, Aaron wrote:

>Well, I upgraded the fds rpm; after a reboot all looks okay, however I
>noticed this information in the setup logfile; is this indicative that
>something failed to update properly? Perhaps the new schema files?
>How can I verify that the new schema files are in use? Thanks very
>much.
>
>Start Slapd Starting Slapd server reconfiguration.
>Fatal Slapd ERROR: Could not update Directory Server Instance
>URL ldap://fds1.preferredcare.org:389/o=NetscapeRoot user id admin DN
>cn=slapd-al-lnx-s11,cn=Fedora Directory Server,cn=Server
>Group,cn=fds1.preferredcare.org,ou=preferredcare.org,o=NetscapeRoot
>(19:Constraint violation)
>Configuring Administration Server...
>InstallInfo: Apache Directory "ApacheDir" is missing.
>
>The proper fds version is displayed in the display console, and the new
>password enforcement options seem to be available.

Check your directory server access log - look for err=19 - constraint violation - to see which operation it's complaining about.
>>Power and Associates >> >>Confidentiality Notice: >>The information contained in this electronic message is intended for >> >> >the exclusive use of the individual or entity named above and may >contain privileged or confidential information. If the reader of this >message is not the intended recipient or the employee or agent >responsible to deliver it to the intended recipient, you are hereby >notified that dissemination, distribution or copying of this information >is prohibited. If you have received this communication in error, please >notify the sender immediately by telephone and destroy the copies you >received. > > >>-- >>Fedora-directory-users mailing list >>Fedora-directory-users at redhat.com >>https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> >> >> > > >www.preferredcare.org >"An Outstanding Member Experience," Preferred Care HMO Plans -- J. D. Power and Associates > >Confidentiality Notice: >The information contained in this electronic message is intended for the exclusive use of the individual or entity named above and may contain privileged or confidential information. If the reader of this message is not the intended recipient or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that dissemination, distribution or copying of this information is prohibited. If you have received this communication in error, please notify the sender immediately by telephone and destroy the copies you received. > > >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3178 bytes
Desc: S/MIME Cryptographic Signature
URL:

From ABliss at preferredcare.org Tue Mar 14 03:03:43 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Mon, 13 Mar 2006 22:03:43 -0500
Subject: [Fedora-directory-users] Getting ready to upgrade from fds 1.0.1 to 1.0.2
Message-ID:

It only seems to be in the access log 1 time; looks like it only happened during the upgrade

[13/Mar/2006:21:15:56 -0500] conn=0 op=11 RESULT err=19 tag=103 nentries=0 etime=0

Is there an easy way to verify that the new password schema is being used?

Thanks.
Aaron

www.preferredcare.org
"An Outstanding Member Experience," Preferred Care HMO Plans -- J. D. Power and Associates

Confidentiality Notice:
The information contained in this electronic message is intended for the exclusive use of the individual or entity named above and may contain privileged or confidential information. If the reader of this message is not the intended recipient or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that dissemination, distribution or copying of this information is prohibited. If you have received this communication in error, please notify the sender immediately by telephone and destroy the copies you received.

From ABliss at preferredcare.org Tue Mar 14 03:24:21 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Mon, 13 Mar 2006 22:24:21 -0500
Subject: [Fedora-directory-users] Getting ready to upgrade from fds 1.0.1 to 1.0.2
Message-ID:

I've been able to reproduce; after setting the new password policy (require 1 digit, 1 special, etc) and then I attempt to use a password that isn't compliant, this error is logged and the user's new password is not accepted.
[13/Mar/2006:22:19:42 -0500] conn=1073 op=10 RESULT err=19 tag=103 nentries=0 etime=0

So, it looks like everything is working like it is supposed to....it's still interesting that I received that error during the upgrade....

Aaron
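
The check suggested in this thread (look for err=19 in the access log, then find which operation and DN that result belongs to), written out as an added example; it is not part of the original messages or the project's code. The two RESULT lines with err=19 and tag=103 are copied from the thread; every request line, DN and address in the sample is constructed, and the request-line layout (MOD dn="...", SRCH base="...") is assumed to follow the usual Fedora DS access log format.

```python
"""Join failed RESULT lines in a Fedora DS access log to the request they answer."""
import re
from typing import Iterable, List, NamedTuple, Optional

# Line shape as quoted in the thread:
#   [13/Mar/2006:22:19:42 -0500] conn=1073 op=10 RESULT err=19 tag=103 nentries=0 etime=0
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+conn=(?P<conn>\d+)\s+op=(?P<op>\d+)\s+'
    r'(?P<verb>[A-Z]+)\b\s*(?P<rest>.*)$'
)
ERR_RE = re.compile(r'\berr=(\d+)\b')
TARGET_RE = re.compile(r'\b(?:dn|base)="([^"]*)"')  # dn= on ADD/MOD/BIND, base= on SRCH
CONSTRAINT_VIOLATION = 19  # the LDAP result code discussed in the thread


class Failure(NamedTuple):
    timestamp: str
    conn: int
    op: int
    err: int
    verb: Optional[str]    # ADD, MOD, ... or None when no request line was found
    target: Optional[str]  # DN (or search base) named on the request line


def failed_operations(lines: Iterable[str],
                      err: int = CONSTRAINT_VIOLATION) -> List[Failure]:
    """Return every RESULT with the given err code, paired by (conn, op)."""
    pending = {}  # (conn, op) -> (verb, target) of requests awaiting a RESULT
    orphans = {}  # (conn, op) -> index in `found` of a RESULT seen before its request
    found: List[Failure] = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if m is None:
            continue  # connection open/close lines carry no upper-case verb
        key = (int(m['conn']), int(m['op']))
        if m['verb'] == 'RESULT':
            code = ERR_RE.search(m['rest'])
            verb, target = pending.pop(key, (None, None))
            if code and int(code.group(1)) == err:
                if verb is None:
                    orphans[key] = len(found)
                found.append(Failure(m['ts'], key[0], key[1], err, verb, target))
            continue
        t = TARGET_RE.search(m['rest'])
        request = (m['verb'], t.group(1) if t else None)
        # A partial excerpt can show the RESULT before the line naming the DN;
        # attach it only if it carries the same timestamp as that RESULT.
        if key in orphans and found[orphans[key]].timestamp == m['ts']:
            i = orphans.pop(key)
            found[i] = found[i]._replace(verb=request[0], target=request[1])
        else:
            pending[key] = request
    return found


# Constructed sample (only the two err=19 tag=103 RESULT lines come from the thread).
SAMPLE_LOG = """\
[13/Mar/2006:21:15:56 -0500] conn=0 op=10 SRCH base="o=NetscapeRoot" scope=2 filter="(objectClass=*)" attrs=ALL
[13/Mar/2006:21:15:56 -0500] conn=0 op=10 RESULT err=0 tag=101 nentries=1 etime=0
[13/Mar/2006:21:15:56 -0500] conn=0 op=11 MOD dn="cn=placeholder-entry,o=NetscapeRoot"
[13/Mar/2006:21:15:56 -0500] conn=0 op=11 RESULT err=19 tag=103 nentries=0 etime=0
[13/Mar/2006:22:19:40 -0500] conn=1073 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.1
[13/Mar/2006:22:19:42 -0500] conn=1073 op=10 RESULT err=19 tag=103 nentries=0 etime=0
[13/Mar/2006:22:19:42 -0500] conn=1073 op=10 MOD dn="uid=jdoe,ou=users,dc=example,dc=com"
[13/Mar/2006:22:25:01 -0500] conn=1080 op=2 RESULT err=19 tag=105 nentries=0 etime=0
"""

if __name__ == "__main__":
    for f in failed_operations(SAMPLE_LOG.splitlines()):
        what = f"{f.verb} {f.target}" if f.verb else "request line not in this log"
        print(f"[{f.timestamp}] conn={f.conn} op={f.op} err={f.err}: {what}")
```

A result reported with no request line usually means the request was logged in an older, rotated access log file.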
From cino11 at gmail.com Tue Mar 14 07:41:38 2006
From: cino11 at gmail.com (A G)
Date: Tue, 14 Mar 2006 09:41:38 +0200
Subject: [Fedora-directory-users] failed to install a local copy of ds10.jar (after upgrade to 1.0.2)
Message-ID: <408162380603132341l590e657cpd7f0c8e9b745585a@mail.gmail.com>

Hello.
I have upgraded my directory to 1.0.2.
I can startconsole but when I click on Directory Server node, I get the following error message:

"Installing server components downloading ds10.jar (0k)"

After a while it says:

"Failed to install a local copy of ds10.jar or one of its supporting files: can not connect to http://localhost:3060"

What is the problem?

Operating system information is: fedora core 4, 2.6.15-1.1831_FC4smp
java -version is: 1.5.0_06
I used the below link to install java 1.5 to get a solution for the problem:
http://fedoranews.org/mediawiki/index.php/JPackage_Java_for_FC4

But it did not work.

Thanks for your help.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From ismailgunes81 at yahoo.com Tue Mar 14 09:17:22 2006
From: ismailgunes81 at yahoo.com (ismail gunes)
Date: Tue, 14 Mar 2006 11:17:22 +0200 (EET)
Subject: [Fedora-directory-users] Running Fedora on windows
Message-ID: <20060314091722.6641.qmail@web80904.mail.scd.yahoo.com>

Hi all,
I'm new at this group and Fedora. I was looking for some directory servers on the web and I've seen the Fedora directory server. I wonder whether the Fedora directory server is available on windows or not. That is, can I install and run Fedora on a Windows machine? Thanks in advance.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gokhan.afacan at gmail.com Tue Mar 14 07:35:34 2006
From: gokhan.afacan at gmail.com (Gökhan Afacan)
Date: Tue, 14 Mar 2006 09:35:34 +0200
Subject: [Fedora-directory-users] failed to install a local copy of ds10.jar (after upgrade to 1.0.2)
Message-ID: <2393d5a10603132335r13e95819u4e6ccaedf576fb0e@mail.gmail.com>

Hello.
I have upgraded my directory to 1.0.2.
I can startconsole but when I click on Directory Server node, I get the following error message:

"Installing server components downloading ds10.jar (0k)"

After a while it says:

"Failed to install a local copy of ds10.jar or one of its supporting files: can not connect to http://localhost:3060"

What is the problem?

Operating system information is: fedora core 4, 2.6.15-1.1831_FC4smp
java -version is: 1.5.0_06
I used the below link to install java 1.5 to get a solution for the problem:
http://fedoranews.org/mediawiki/index.php/JPackage_Java_for_FC4

But it did not work.

Thanks for your help.

From rmeggins at redhat.com Tue Mar 14 15:06:24 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 14 Mar 2006 08:06:24 -0700
Subject: [Fedora-directory-users] Getting ready to upgrade from fds 1.0.1 to 1.0.2
In-Reply-To:
References:
Message-ID: <4416DBF0.8070003@redhat.com>

Bliss, Aaron wrote:

>I've been able to reproduce; after setting the new password policy
>(require 1 digit, 1 special, etc) and then I attempt to use a password
>that isn't compliant, this error is logged and the user's new password is
>not accepted.
>[13/Mar/2006:22:19:42 -0500] conn=1073 op=10 RESULT err=19 tag=103 nentries=0 etime=0

Can you find out what this operation is? It's either an ADD or MOD - just search before that line for "conn=1073 op=10". I'd like to know what the DN is.

>So, it looks like everything is working like it is supposed to....it's
>still interesting that I received that error during the upgrade....
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3178 bytes
Desc: S/MIME Cryptographic Signature
URL:

From rmeggins at redhat.com Tue Mar 14 15:13:37 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 14 Mar 2006 08:13:37 -0700
Subject: [Fedora-directory-users] Running Fedora on windows
In-Reply-To: <20060314091722.6641.qmail@web80904.mail.scd.yahoo.com>
References: <20060314091722.6641.qmail@web80904.mail.scd.yahoo.com>
Message-ID: <4416DDA1.9030206@redhat.com>

ismail gunes wrote:

> Hi all,
> I'm new at this group and Fedora. I was looking for some directory
> servers on the web and I've seen the Fedora directory server. I wonder
> whether the Fedora directory server is available on windows or not.
> That is, can I install and run Fedora on a Windows machine? Thanks in
> advance.

We do not have Windows binaries. You could probably build it on Windows, but it will involve quite a bit of Makefile hacking.
If you just want to run it on a PC, it's probably much easier to configure your PC for dual boot, and install Fedora Core on it, and then install Fedora DS. I've done this a few times - there are even tools which will allow you to do a non-destructive resize of your existing Windows partition if you need to.

http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/install-guide/ch-x86-dualboot.html

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3178 bytes
Desc: S/MIME Cryptographic Signature
URL:

From rmeggins at redhat.com Tue Mar 14 15:17:08 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 14 Mar 2006 08:17:08 -0700
Subject: [Fedora-directory-users] failed to install a local copy of ds10.jar (after upgrade to 1.0.2)
In-Reply-To: <2393d5a10603132335r13e95819u4e6ccaedf576fb0e@mail.gmail.com>
References: <2393d5a10603132335r13e95819u4e6ccaedf576fb0e@mail.gmail.com>
Message-ID: <4416DE74.3070508@redhat.com>

Gökhan Afacan wrote:

>Hello.
>I have upgraded my directory to 1.0.2.
>I can startconsole but when I click on Directory Server node, I get
>the following error message:
>
>"Installing server components downloading ds10.jar (0k)"
>
>After a while it says:
>
>"Failed to install a local copy of ds10.jar or one of its supporting files:
>can not connect to http://localhost:3060"

Are you running the console as root or as a regular user? Do ls -al $HOME/.fedora-console and $HOME/.fedora-console/jars

>What is the problem?
>
>Operating system information is: fedora core 4, 2.6.15-1.1831_FC4smp
>java -version is: 1.5.0_06
>I used the below link to install java 1.5 to get a solution for the problem :
>http://fedoranews.org/mediawiki/index.php/JPackage_Java_for_FC4
>
>But it did not work.
>
>Thanks for your help.

From logastellus at yahoo.com Tue Mar 14 18:30:31 2006
From: logastellus at yahoo.com (Susan)
Date: Tue, 14 Mar 2006 10:30:31 -0800 (PST)
Subject: [Fedora-directory-users] adding a user to multiple groups
Message-ID: <20060314183031.16561.qmail@web52904.mail.yahoo.com>

Hi, everybody.

I've a group with multiple memberUid attributes:

# sysadmin, Groups, example.com
dn: cn=sysadmin,ou=Groups,dc=example,dc=com
memberUid: 1125
memberUid: 1234
gidNumber: 14
objectClass: top
objectClass: posixgroup
cn: sysadmin
____

and a user test like this:

# test, UNIX, example.com
dn: uid=test,ou=UNIX,dc=example,dc=com
gidNumber: 1234
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
objectClass: account
host: *
givenName: test
sn: asdf
uidNumber: 1234
uid: test
cn: test asdf
homeDirectory: /home/test

___

there is also a group "test" which uid test belongs to. Now, test should be a member of both test
and sysadmins, correct?

However, that doesn't seem to be the case:

-bash-3.00$ grep test /etc/passwd
-bash-3.00$ id -a test
uid=1234(test) gid=1234 groups=1234
-bash-3.00$ id -G test
1234
-bash-3.00$

gid 14 doesn't show up. What am I doing wrong here? Is this not how you add a user to multiple
groups??

Thanks..

From ABliss at preferredcare.org Tue Mar 14 18:34:17 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Tue, 14 Mar 2006 13:34:17 -0500
Subject: [Fedora-directory-users] Getting ready to upgrade from fds 1.0.1 to 1.0.2
Message-ID:

I believe this is what you're looking for, here is an example when I
intentionally attempt to break the password rules:

[13/Mar/2006:22:19:42 -0500] conn=1073 op=10 RESULT err=19 tag=103 nentries=0 etime=0
[13/Mar/2006:22:19:42 -0500] conn=1073 op=10 MOD dn="uid=awbtest,ou=users,dc=preferredcare,dc=org", invalid password syntax

Here is the error that occurred during the upgrade (I wouldn't worry too
much about the entries below that reference fds1 instead of al-lnx-s11,
I manually typed that after pasting the error log, as I wasn't
comfortable displaying the real server name, but it doesn't really
matter now, the real server name is al-lnx-s11)

[13/Mar/2006:21:15:56 -0500] conn=0 op=3 RESULT err=0 tag=101 nentries=1 etime=0
[13/Mar/2006:21:15:56 -0500] conn=0 op=4 BIND dn="uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot" method=128 version=3
[13/Mar/2006:21:15:56 -0500] conn=0 op=5 SRCH base="cn=al-lnx-s11.preferredcare.org, ou=preferredcare.org, o=NetscapeRoot" scope=2 filter="(&(objectClass=nsApplication)(nsNickName=slapd)(nsInstalledLocation=/opt/fedora-ds))" attrs="* aci passwordExpirationTime passwordExpWarned passwordRetryCount retryCountResetTime accountUnlockTime passwordHistory passwordAllowChangeTime nsUniqueId nsLookThroughLimit nsSizeLimit nsTimeLimit nsIdleTimeout nsRole nsRoleDN nsAccountLock"
[13/Mar/2006:21:15:56 -0500] conn=0 op=4 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
[13/Mar/2006:21:15:56 -0500] conn=0 op=5 RESULT err=0 tag=101 nentries=1 etime=0
[13/Mar/2006:21:15:56 -0500] conn=0 op=6 SRCH base="cn=Fedora Directory Server, cn=Server Group, cn=al-lnx-s11.preferredcare.org, ou=preferredcare.org, o=NetscapeRoot" scope=0 filter="(objectClass=*)" attrs="* aci passwordExpirationTime passwordExpWarned passwordRetryCount retryCountResetTime accountUnlockTime passwordHistory passwordAllowChangeTime nsUniqueId nsLookThroughLimit nsSizeLimit nsTimeLimit nsIdleTimeout nsRole nsRoleDN nsAccountLock"
[13/Mar/2006:21:15:56 -0500] conn=0 op=6 RESULT err=0 tag=101 nentries=1 etime=0
[13/Mar/2006:21:15:56 -0500] conn=0 op=7 MOD dn="cn=Fedora Directory Server, cn=Server Group, cn=al-lnx-s11.preferredcare.org, ou=preferredcare.org, o=NetscapeRoot"
[13/Mar/2006:21:15:56 -0500] conn=0 op=7 RESULT err=0 tag=103 nentries=0 etime=0
[13/Mar/2006:21:15:56 -0500] conn=0 op=8 SRCH base="cn=Fedora Directory Server, cn=Server Group, cn=al-lnx-s11.preferredcare.org, ou=preferredcare.org, o=NetscapeRoot" scope=1 filter="(objectClass=nsDirectoryServer)" attrs="* aci passwordExpirationTime passwordExpWarned passwordRetryCount retryCountResetTime accountUnlockTime passwordHistory passwordAllowChangeTime nsUniqueId nsLookThroughLimit nsSizeLimit nsTimeLimit nsIdleTimeout nsRole nsRoleDN nsAccountLock"
[13/Mar/2006:21:15:56 -0500] conn=0 op=8 RESULT err=0 tag=101 nentries=1 etime=0
[13/Mar/2006:21:15:56 -0500] conn=0 op=9 SRCH base="cn=slapd-al-lnx-s11, cn=Fedora Directory Server, cn=Server Group, cn=al-lnx-s11.preferredcare.org, ou=preferredcare.org, o=NetscapeRoot" scope=0 filter="(objectClass=*)" attrs="* aci passwordExpirationTime passwordExpWarned passwordRetryCount retryCountResetTime accountUnlockTime passwordHistory passwordAllowChangeTime nsUniqueId nsLookThroughLimit nsSizeLimit nsTimeLimit nsIdleTimeout nsRole nsRoleDN nsAccountLock"
[13/Mar/2006:21:15:56 -0500] conn=0 op=9 RESULT err=0 tag=101 nentries=1 etime=0
[13/Mar/2006:21:15:56 -0500] conn=0 op=10 SRCH base="cn=slapd-al-lnx-s11,cn=Fedora Directory Server,cn=Server Group,cn=al-lnx-s11.preferredcare.org,ou=preferredcare.org,o=NetscapeRoot" scope=0 filter="(objectClass=*)" attrs="* aci passwordExpirationTime passwordExpWarned passwordRetryCount retryCountResetTime accountUnlockTime passwordHistory passwordAllowChangeTime nsUniqueId nsLookThroughLimit nsSizeLimit nsTimeLimit nsIdleTimeout nsRole nsRoleDN nsAccountLock"
[13/Mar/2006:21:15:56 -0500] conn=0 op=10 RESULT err=0 tag=101 nentries=1 etime=0
[13/Mar/2006:21:15:56 -0500] conn=0 op=11 RESULT err=19 tag=103 nentries=0 etime=0
[13/Mar/2006:21:15:56 -0500] conn=0 op=11 MOD dn="cn=slapd-al-lnx-s11,cn=Fedora Directory Server,cn=Server Group,cn=al-lnx-s11.preferredcare.org,ou=preferredcare.org,o=NetscapeRoot", invalid password syntax

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com
[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard Megginson
Sent: Tuesday, March 14, 2006 10:06 AM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Getting ready to upgrade from fds 1.0.1 to 1.0.2

Bliss, Aaron wrote:

>I've been able to reproduce; after setting the new password policy
>(require 1 digit, 1 special, etc) and then I attempt to use a password
>that isn't compliant, this error is logged and the user's new password
>is not accepted.
>[13/Mar/2006:22:19:42 -0500] conn=1073 op=10 RESULT err=19 tag=103 nentries=0 etime=0

Can you find out what this operation is? It's either an ADD or MOD -
just search before that line for "conn=1073 op=10". I'd like to know
what the DN is.

>So, it looks like everything is working like it is supposed to....it's
>still interesting that I received that error during the upgrade....
>
>Aaron
>
>-----Original Message-----
>From: fedora-directory-users-bounces at redhat.com
>[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Bliss, Aaron
>Sent: Monday, March 13, 2006 10:04 PM
>To: General discussion list for the Fedora Directory server project.
>Subject: RE: [Fedora-directory-users] Getting ready to upgrade from fds 1.0.1 to 1.0.2
>
>It only seems to be in the access log 1 time; looks like it only
>happened during the upgrade
>[13/Mar/2006:21:15:56 -0500] conn=0 op=11 RESULT err=19 tag=103 nentries=0 etime=0
>Is there an easy way to verify that the new password
>schema is being used?
>
>Thanks.
>Aaron
>
>-----Original Message-----
>From: fedora-directory-users-bounces at redhat.com
>[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard Megginson
>Sent: Monday, March 13, 2006 9:54 PM
>To: General discussion list for the Fedora Directory server project.
>Cc: Bliss, Aaron
>Subject: Re: [Fedora-directory-users] Getting ready to upgrade from fds 1.0.1 to 1.0.2
>
>Bliss, Aaron wrote:
>
>>Well, I upgraded the fds rpm; after a reboot all looks okay, however I
>>noticed this information in the setup logfile; is this indicative that
>>something failed to update properly? Perhaps the new schema files?
>>How can I verify that the new schema files are in use? Thanks very
>>much.
>>
>>Start Slapd Starting Slapd server reconfiguration.
>>Fatal Slapd ERROR: Could not update Directory Server Instance URL
>>ldap://fds1.preferredcare.org:389/o=NetscapeRoot user id admin DN
>>cn=slapd-al-lnx-s11,cn=Fedora Directory Server,cn=Server
>>Group,cn=fds1.preferredcare.org,ou=preferredcare.org,o=NetscapeRoot
>>(19:Constraint violation)
>>Configuring Administration Server...
>>InstallInfo: Apache Directory "ApacheDir" is missing.
>>
>>The proper fds version is displayed in the display console, and the new
>>password enforcement options seem to be available.
>
>Check your directory server access log - look for err=19 - constraint
>violation - to see which operation it's complaining about.
>
>>Aaron
>>-----Original Message-----
>>From: Bliss, Aaron
>>Sent: Monday, March 13, 2006 2:08 PM
>>To: 'General discussion list for the Fedora Directory server project.'
>>Subject: RE: [Fedora-directory-users] Getting ready to upgrade from fds 1.0.1 to 1.0.2
>>
>>Ah, thanks again.
>>
>>Aaron
>>
>>-----Original Message-----
>>From: fedora-directory-users-bounces at redhat.com
>>[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard Megginson
>>Sent: Monday, March 13, 2006 2:08 PM
>>To: General discussion list for the Fedora Directory server project.
>>Subject: Re: [Fedora-directory-users] Getting ready to upgrade from fds 1.0.1 to 1.0.2
>>
>>Bliss, Aaron wrote:
>>
>>>Thanks; just so I understand, I have to run the setup script even
>>>though my databases have already been configured? I did not have to do
>>>this on my test box in order to upgrade. Thanks.
>>
>>Setup will copy in the new schema files required to use the new
>>password syntax checking, so if you skip that, you'll have to copy them
>>in manually. Setup will also make sure the console reports the correct
>>version of directory server.
>>
>>>Aaron
>>>
>>>-----Original Message-----
>>>From: fedora-directory-users-bounces at redhat.com
>>>[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard Megginson
>>>Sent: Monday, March 13, 2006 1:59 PM
>>>To: General discussion list for the Fedora Directory server project.
>>>Subject: Re: [Fedora-directory-users] Getting ready to upgrade from fds 1.0.1 to 1.0.2
>>>
>>>Bliss, Aaron wrote:
>>>
>>>>I'm planning on upgrading both my supplier and consumer fds servers
>>>>tonight; do I need to worry about their server certificates? I'll just
>>>>be running rpm -Uvh fedora....Thanks very much.
>>>
>>>Upgrade shouldn't touch any ssl information.
>>>
>>>After doing the rpm -U, do cd /opt/fedora-ds ; ./setup/setup and follow
>>>the prompts.
>>>
>>>>Aaron
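Added example, not part of the original thread: the advice above (look for err=19 in the access log, then find the operation with the same conn and op numbers) as a small Python script. The function name `constraint_violations` is hypothetical, the sample log lines are constructed in the layout quoted in this thread, and the tag-to-operation table uses the standard LDAP response tags as a fallback when the operation line is missing.

```python
import re

# Constructed sample in the access-log layout quoted in this thread; the DNs
# are placeholders. A RESULT line may precede its operation line, as it does
# for op=11 in the log posted above, so pairing must not depend on order.
SAMPLE_LOG = """\
[13/Mar/2006:21:15:56 -0500] conn=0 op=10 SRCH base="cn=config" scope=0 filter="(objectClass=*)" attrs="*"
[13/Mar/2006:21:15:56 -0500] conn=0 op=10 RESULT err=0 tag=101 nentries=1 etime=0
[13/Mar/2006:21:15:56 -0500] conn=0 op=11 RESULT err=19 tag=103 nentries=0 etime=0
[13/Mar/2006:21:15:56 -0500] conn=0 op=11 MOD dn="cn=slapd-example,o=NetscapeRoot", invalid password syntax
[13/Mar/2006:22:19:42 -0500] conn=1073 op=9 BIND dn="uid=tester,ou=users,dc=example,dc=org" method=128 version=3
[13/Mar/2006:22:19:42 -0500] conn=1073 op=9 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=tester,ou=users,dc=example,dc=org"
[13/Mar/2006:22:19:42 -0500] conn=1073 op=10 RESULT err=19 tag=103 nentries=0 etime=0
[13/Mar/2006:22:19:42 -0500] conn=1073 op=10 MOD dn="uid=tester,ou=users,dc=example,dc=org", invalid password syntax
[13/Mar/2006:22:20:05 -0500] conn=1074 op=3 RESULT err=19 tag=105 nentries=0 etime=0
"""

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+conn=(?P<conn>\d+)\s+op=(?P<op>-?\d+)\s+'
    r'(?P<verb>[A-Z]+)\b\s*(?P<rest>.*)$')
RESULT_RE = re.compile(r'\berr=(?P<err>\d+)\s+tag=(?P<tag>\d+)')
DN_RE = re.compile(r'\bdn="(?P<dn>[^"]*)"(?:,\s*(?P<note>.+))?')

# LDAP response tags, used only when the operation line is not in the excerpt.
TAG_TO_VERB = {97: "BIND", 101: "SRCH", 103: "MOD", 105: "ADD",
               107: "DEL", 109: "MODRDN", 111: "CMP", 120: "EXT"}


def constraint_violations(log_text, err_code=19):
    """Return one record per RESULT carrying err_code, joined to its operation."""
    pending_ops, pending_results, findings = {}, {}, []

    def record(key, result, op, inferred=False):
        verb, dn, note = op
        findings.append({"time": result[0], "conn": key[0], "op": key[1],
                         "verb": verb, "dn": dn, "note": note,
                         "inferred": inferred})

    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # connection open/close lines carry no operation verb
        key = (int(m["conn"]), int(m["op"]))
        if m["verb"] == "RESULT":
            r = RESULT_RE.search(m["rest"])
            if not r:
                continue
            if int(r["err"]) != err_code:
                # Finished without the error: free the key, since connection
                # numbers start again at 0 after a server restart.
                pending_ops.pop(key, None)
                continue
            result = (m["ts"], int(r["tag"]))
            if key in pending_ops:
                record(key, result, pending_ops.pop(key))
            else:
                pending_results[key] = result  # operation line comes later
        else:
            d = DN_RE.search(m["rest"])
            op = (m["verb"], d["dn"] if d else None,
                  (d["note"] or "") if d else "")
            if key in pending_results:
                record(key, pending_results.pop(key), op)
            else:
                pending_ops[key] = op

    # Failures whose operation line never appeared: infer the type from the tag.
    for key, result in pending_results.items():
        verb = TAG_TO_VERB.get(result[1], "UNKNOWN")
        record(key, result, (verb, None, ""), inferred=True)
    return findings


if __name__ == "__main__":
    for f in constraint_violations(SAMPLE_LOG):
        print(f["time"], f["conn"], f["op"], f["verb"], f["dn"], f["note"])
```
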
From prowley at redhat.com Tue Mar 14 18:42:21 2006
From: prowley at redhat.com (Pete Rowley)
Date: Tue, 14 Mar 2006 10:42:21 -0800
Subject: [Fedora-directory-users] adding a user to multiple groups
In-Reply-To: <20060314183031.16561.qmail@web52904.mail.yahoo.com>
References: <20060314183031.16561.qmail@web52904.mail.yahoo.com>
Message-ID: <44170E8D.3050608@redhat.com>

Susan wrote:

>gid 14 doesn't show up. What am I doing wrong here? Is this not how you add a user to multiple
>groups??

Perhaps you have nscd running and you are getting a cached answer?

--
Pete

From logastellus at yahoo.com Tue Mar 14 19:00:10 2006
From: logastellus at yahoo.com (Susan)
Date: Tue, 14 Mar 2006 11:00:10 -0800 (PST)
Subject: [Fedora-directory-users] adding a user to multiple groups
In-Reply-To: <44170E8D.3050608@redhat.com>
Message-ID: <20060314190010.89400.qmail@web52903.mail.yahoo.com>

Nop, I checked that:
[root at acmegrid1 ~]# /etc/init.d/nscd stop
Stopping nscd: [ OK ]
[root at acmegrid1 ~]# id -G test
1234
[root at acmegrid1 ~]# /etc/init.d/nscd start
Starting nscd: [ OK ]
[root at acmegrid1 ~]# id -G test
1234

still no gID 14....?

--- Pete Rowley wrote:

> Susan wrote:
>
> >gid 14 doesn't show up. What am I doing wrong here? Is this not how you add a user to multiple
> >groups??
>
> Perhaps you have nscd running and you are getting a cached answer?
>
> --
> Pete

From prowley at redhat.com Tue Mar 14 19:17:20 2006
From: prowley at redhat.com (Pete Rowley)
Date: Tue, 14 Mar 2006 11:17:20 -0800
Subject: [Fedora-directory-users] adding a user to multiple groups
In-Reply-To: <20060314190010.89400.qmail@web52903.mail.yahoo.com>
References: <20060314190010.89400.qmail@web52903.mail.yahoo.com>
Message-ID: <441716C0.600@redhat.com>

Susan wrote:

>Nop, I checked that:
>[root at acmegrid1 ~]# /etc/init.d/nscd stop
>Stopping nscd: [ OK ]
>[root at acmegrid1 ~]# id -G test
>1234
>[root at acmegrid1 ~]# /etc/init.d/nscd start
>Starting nscd: [ OK ]
>[root at acmegrid1 ~]# id -G test
>1234
>
>still no gID 14....?

Can you create a user with gid 14 as the primary group?

--
Pete

From felipe.alfaro at gmail.com Tue Mar 14 19:51:38 2006
From: felipe.alfaro at gmail.com (Felipe Alfaro Solana)
Date: Tue, 14 Mar 2006 20:51:38 +0100
Subject: [Fedora-directory-users] Running Fedora on windows
In-Reply-To: <4416DDA1.9030206@redhat.com>
References: <20060314091722.6641.qmail@web80904.mail.scd.yahoo.com> <4416DDA1.9030206@redhat.com>
Message-ID: <6f6293f10603141151w193aae1bl49d952f8c4f2ee30@mail.gmail.com>

> We do not have Windows binaries. You could probably build it on
> Windows, but it will involve quite a bit of Makefile hacking. If you
> just want to run it on a PC, it's probably much easier to configure your
> PC for dual boot, and install Fedora Core on it, and then install Fedora
> DS. I've done this a few times - there are even tools which will allow
> you to do a non-destructive resize of your existing Windows partition if
> you need to.
> http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/install-guide/ch-x86-dualboot.html

Have you tried using CoLinux?
It allows running Linux inside Windows, so it
is an alternative to using dual boot.

From logastellus at yahoo.com Tue Mar 14 20:03:11 2006
From: logastellus at yahoo.com (Susan)
Date: Tue, 14 Mar 2006 12:03:11 -0800 (PST)
Subject: [Fedora-directory-users] adding a user to multiple groups
In-Reply-To: <20060314183031.16561.qmail@web52904.mail.yahoo.com>
Message-ID: <20060314200311.84302.qmail@web52901.mail.yahoo.com>

well, gid 14 was in conflict with uucp group, so I changed it a bit:

# testGroup, Groups, example.com
dn: cn=testGroup,ou=Groups,dc=example,dc=com
memberUid: 1234
cn: testGroup
gidNumber: 1234
objectClass: top
objectClass: posixgroup

# sysadmin, Groups, example.com
dn: cn=sysadmin,ou=Groups,dc=example,dc=com
gidNumber: 666
memberUid: 1125
memberUid: 1234
objectClass: top
objectClass: posixgroup
cn: sysadmin

# test, UNIX, example.com
dn: uid=test,ou=UNIX,dc=example,dc=com
gidNumber: 1234
givenName: test
uidNumber: 1234
uid: test

now, test should belong to testGroup & sysadmin, correct? but that's not happening:

# id test -a
uid=1234(test) gid=1234(testGroup) groups=1234(testGroup)

I don't understand this. It seemed so straight forward!

(after switching test's gidNumber from 1234 to 666):

# id test -a
uid=1234(test) gid=666(sysadmin) groups=666(sysadmin)

so, it's not recognizing the memberUid attribute, I think.

There's this in /etc/ldap.conf:

# Group member attribute
#pam_member_attribute uniquemember

I changed uniquemember to memberuid but that didn't do anything....

--- Susan wrote:

> Hi, everybody.
>
> I've a group with multiple memberUid attributes:
>
> # sysadmin, Groups, example.com
> dn: cn=sysadmin,ou=Groups,dc=example,dc=com
> memberUid: 1125
> memberUid: 1234
> gidNumber: 14
> objectClass: top
> objectClass: posixgroup
> cn: sysadmin
> ____
>
> and a user test like this:
>
> # test, UNIX, example.com
> dn: uid=test,ou=UNIX,dc=example,dc=com
> gidNumber: 1234
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetorgperson
> objectClass: posixAccount
> objectClass: account
> host: *
> givenName: test
> sn: asdf
> uidNumber: 1234
> uid: test
> cn: test asdf
> homeDirectory: /home/test
>
> ___
>
> there is also a group "test" which uid test belongs to. Now, test should be a member of both
> test
> and sysadmins, correct?
>
> However, that doesn't seem to be the case:
>
> -bash-3.00$ grep test /etc/passwd
> -bash-3.00$ id -a test
> uid=1234(test) gid=1234 groups=1234
> -bash-3.00$ id -G test
> 1234
> -bash-3.00$
>
> gid 14 doesn't show up. What am I doing wrong here? Is this not how you add a user to multiple
> groups??
>
> Thanks..

From logastellus at yahoo.com Tue Mar 14 20:07:57 2006
From: logastellus at yahoo.com (Susan)
Date: Tue, 14 Mar 2006 12:07:57 -0800 (PST)
Subject: [Fedora-directory-users] adding a user to multiple groups
In-Reply-To: <441716C0.600@redhat.com>
Message-ID: <20060314200757.5868.qmail@web52911.mail.yahoo.com>

Nevermind, got it!

Turns out, in the memberuid attribute, you must specify the NAME of the user, NOT the UID.
(I know, makes perfect sense, doesn't it??? I mean, who in his infinite wisdom named the attribute
memberUID, when it doesn't work with a UID???)

Anyway, after changing 1234 to test, it works:

# id test -a
uid=1234(test) gid=666(sysadmin) groups=666(sysadmin),1234(testGroup)

Thank you, Pete.

--- Pete Rowley wrote:

> Susan wrote:
>
> >Nop, I checked that:
> >[root at acmegrid1 ~]# /etc/init.d/nscd stop
> >Stopping nscd: [ OK ]
> >[root at acmegrid1 ~]# id -G test
> >1234
> >[root at acmegrid1 ~]# /etc/init.d/nscd start
> >Starting nscd: [ OK ]
> >[root at acmegrid1 ~]# id -G test
> >1234
> >
> >still no gID 14....?
>
> Can you create a user with gid 14 as the primary group?
>
> --
> Pete

From prowley at redhat.com Tue Mar 14 20:14:18 2006
From: prowley at redhat.com (Pete Rowley)
Date: Tue, 14 Mar 2006 12:14:18 -0800
Subject: [Fedora-directory-users] adding a user to multiple groups
In-Reply-To: <20060314200757.5868.qmail@web52911.mail.yahoo.com>
References: <20060314200757.5868.qmail@web52911.mail.yahoo.com>
Message-ID: <4417241A.7040801@redhat.com>

Susan wrote:

>Nevermind, got it!
>
>Turns out, in the memberuid attribute, you must specify the NAME of the user, NOT the UID. (I
>know, makes perfect sense, doesn't it??? I mean, who in his infinite wisdom named the attribute
>memberUID, when it doesn't work with a UID???)

Ah yes, that is all a little confusing. In RFC2307 parlance, a unix uid
is referred to as uidNumber because in LDAP uid generally refers to
textual representation of the user.

>Anyway, after changing 1234 to test, it works:
>
># id test -a
>uid=1234(test) gid=666(sysadmin) groups=666(sysadmin),1234(testGroup)

Good stuff

--
Pete

From warthog at warthogsolutions.com Tue Mar 14 20:14:36 2006
From: warthog at warthogsolutions.com (Jamie McKnight)
Date: Tue, 14 Mar 2006 15:14:36 -0500 (EST)
Subject: [Fedora-directory-users] adding a user to multiple groups
In-Reply-To: <20060314200311.84302.qmail@web52901.mail.yahoo.com>
References: <20060314183031.16561.qmail@web52904.mail.yahoo.com> <20060314200311.84302.qmail@web52901.mail.yahoo.com>
Message-ID: <21878.198.185.18.210.1142367276.squirrel@www.warthogsolutions.com>

Shouldn't memberuid be the user name, not the numeric uid?

That is how we have it set up and we don't have any issues.

So under sysadmin memberUid should be

memberUid: test

not

memberUid: 1234

Jamie

> well, gid 14 was in conflict with uucp group, so I changed it a bit:
>
> # testGroup, Groups, example.com
> dn: cn=testGroup,ou=Groups,dc=example,dc=com
> memberUid: 1234
> cn: testGroup
> gidNumber: 1234
> objectClass: top
> objectClass: posixgroup
>
>
> # sysadmin, Groups, example.com
> dn: cn=sysadmin,ou=Groups,dc=example,dc=com
> gidNumber: 666
> memberUid: 1125
> memberUid: 1234
> objectClass: top
> objectClass: posixgroup
> cn: sysadmin
>
> # test, UNIX, example.com
> dn: uid=test,ou=UNIX,dc=example,dc=com
> gidNumber: 1234
> givenName: test
> uidNumber: 1234
> uid: test
>
> now, test should belong to testGroup & sysadmin, correct? but that's not
> happening:
>
> # id test -a
> uid=1234(test) gid=1234(testGroup) groups=1234(testGroup)
>
> I don't understand this. It seemed so straight forward!
>
> (after switching test's gidNumber from 1234 to 666):
>
> # id test -a
> uid=1234(test) gid=666(sysadmin) groups=666(sysadmin)
>
> so, it's not recognizing the memberUid attribute, I think.
>
> There's this in /etc/ldap.conf:
>
> # Group member attribute
> #pam_member_attribute uniquemember
>
>
> I changed uniquemember to memberuid but that didn't do anything....
>

From logastellus at yahoo.com Tue Mar 14 21:46:10 2006
From: logastellus at yahoo.com (Susan)
Date: Tue, 14 Mar 2006 13:46:10 -0800 (PST)
Subject: [Fedora-directory-users] adding a user to multiple groups
In-Reply-To: <21878.198.185.18.210.1142367276.squirrel@www.warthogsolutions.com>
Message-ID: <20060314214610.22068.qmail@web52913.mail.yahoo.com>

You are absolutely right, Jamie. I just now discovered this by accident.. :)

--- Jamie McKnight wrote:

>
> Shouldn't memberuid be the user name, not the numeric uid?
>
> That is how we have it set up and we don't have any issues.
>
> So under sysadmin memberUid should be
>
> memberUid: test
>
> not
>
> memberUid: 1234
>
>
> Jamie
>
>
> > well, gid 14 was in conflict with uucp group, so I changed it a bit:
> >
> > # testGroup, Groups, example.com
> > dn: cn=testGroup,ou=Groups,dc=example,dc=com
> > memberUid: 1234
> > cn: testGroup
> > gidNumber: 1234
> > objectClass: top
> > objectClass: posixgroup
> >
> >
> > # sysadmin, Groups, example.com
> > dn: cn=sysadmin,ou=Groups,dc=example,dc=com
> > gidNumber: 666
> > memberUid: 1125
> > memberUid: 1234
> > objectClass: top
> > objectClass: posixgroup
> > cn: sysadmin
> >
> > # test, UNIX, example.com
> > dn: uid=test,ou=UNIX,dc=example,dc=com
> > gidNumber: 1234
> > givenName: test
> > uidNumber: 1234
> > uid: test
> >
> > now, test should belong to testGroup & sysadmin, correct? but that's not
> > happening:
> >
> > # id test -a
> > uid=1234(test) gid=1234(testGroup) groups=1234(testGroup)
> >
> > I don't understand this. It seemed so straight forward!
> >
> > (after switching test's gidNumber from 1234 to 666):
> >
> > # id test -a
> > uid=1234(test) gid=666(sysadmin) groups=666(sysadmin)
> >
> > so, it's not recognizing the memberUid attribute, I think.
> >
> > There's this in /etc/ldap.conf:
> >
> > # Group member attribute
> > #pam_member_attribute uniquemember
> >
> >
> > I changed uniquemember to memberuid but that didn't do anything....
> >

From mont.rothstein at gmail.com Wed Mar 15 00:49:16 2006
From: mont.rothstein at gmail.com (Mont Rothstein)
Date: Tue, 14 Mar 2006 16:49:16 -0800
Subject: [Fedora-directory-users] Trouble Populating FDS with PDC Entry
Message-ID: <467a83630603141649w1a207c6fn6998d656027d2c89@mail.gmail.com>

I am trying to follow http://directory.fedora.redhat.com/wiki/Howto:Samba and
running into trouble.

I'm at the "Populating FDS with PDC Entry" section.

I get my SID, and create my domainName.ldif file as specified (contents
below).

I then run the command:

/opt/fedora-ds/slapd-rheles4rs1/ldif2ldap "cn=Directory manager" myDMPassword /tmp/forayadams.ldif

What this gives me is:

adding new entry sambaDomainName=forayadams,dc=forayadams,dc=foray,dc=com
ldap_add: Already exists

I can't find anything on this. None of the log files
(admin-serv/logs/access, admin-serv/logs/error,
slapd-rheles4rs1/logs/access, slapd-rheles4rs1/logs/errors) show anything
when I issue this command.

Any ideas as to what I've done wrong?
Thanks,
-Mont

Contents of my /tmp/forayadams.ldif:

dn: sambaDomainName=forayadams,dc=forayadams,dc=foray,dc=com
objectclass: sambaDomain
objectclass: sambaUnixIDPool
objectclass: top
sambaDomainName: forayadams
sambaSID: S-1-5-21-807157010-1821471989-4121009367
uidNumber: 550
gidNumber: 550

From ABliss at preferredcare.org Wed Mar 15 01:10:02 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Tue, 14 Mar 2006 20:10:02 -0500
Subject: [Fedora-directory-users] Getting ready to upgrade from fds 1.0.1 to 1.0.2
Message-ID:

Is there any easy way that I can verify that the schemas have been
updated properly? Thanks.

Aaron

-----Original Message-----
From: Bliss, Aaron
Sent: Tuesday, March 14, 2006 1:34 PM
To: 'General discussion list for the Fedora Directory server project.'
Subject: RE: [Fedora-directory-users] Getting ready to upgrade from fds 1.0.1 to 1.0.2

I believe this is what you're looking for, here is an example when I
intentionally attempt to break the password rules:

[13/Mar/2006:22:19:42 -0500] conn=1073 op=10 RESULT err=19 tag=103 nentries=0 et ime=0
[13/Mar/2006:22:19:42 -0500] conn=1073 op=10 MOD dn="uid=awbtest,ou=users,dc=pre ferredcare,dc=org", invalid password syntax

Here is the error that occurred during the upgrade (I wouldn't worry too
much about the entries below that reference fds1 instead of al-lnx-s11, I
manually typed that after pasting the error log, as I wasn't comfortable
displaying the real server name, but it doesn't really matter now, the real
server name is al-lnx-s11)

[13/Mar/2006:21:15:56 -0500] conn=0 op=3 RESULT err=0 tag=101 nentries=1 etime=0
[13/Mar/2006:21:15:56 -0500] conn=0 op=4 BIND dn="uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot" method=128 version=3
[13/Mar/2006:21:15:56 -0500] conn=0 op=5 SRCH base="cn=al-lnx-s11.preferredcare. org, ou=preferredcare.org, o=NetscapeRoot" scope=2 filter="(&(objectClass=nsAppl ication)(nsNickName=slapd)(nsInstalledLocation=/opt/fedora-ds))" attrs="* aci pa sswordExpirationTime passwordExpWarned passwordRetryCount retryCountResetTime ac countUnlockTime passwordHistory passwordAllowChangeTime nsUniqueId nsLookThrough Limit nsSizeLimit nsTimeLimit nsIdleTimeout nsRole nsRoleDN nsAccountLock"
[13/Mar/2006:21:15:56 -0500] conn=0 op=4 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
[13/Mar/2006:21:15:56 -0500] conn=0 op=5 RESULT err=0 tag=101 nentries=1 etime=0
[13/Mar/2006:21:15:56 -0500] conn=0 op=6 SRCH base="cn=Fedora Directory Server, cn=Server Group, cn=al-lnx-s11.preferredcare.org, ou=preferredcare.org, o=Netsca peRoot" scope=0 filter="(objectClass=*)" attrs="* aci passwordExpirationTime pas swordExpWarned passwordRetryCount retryCountResetTime accountUnlockTime password History passwordAllowChangeTime nsUniqueId nsLookThroughLimit nsSizeLimit nsTime Limit nsIdleTimeout nsRole nsRoleDN nsAccountLock"
[13/Mar/2006:21:15:56 -0500] conn=0 op=6 RESULT err=0 tag=101 nentries=1 etime=0
[13/Mar/2006:21:15:56 -0500] conn=0 op=7 MOD dn="cn=Fedora Directory Server, cn= Server Group, cn=al-lnx-s11.preferredcare.org, ou=preferredcare.org, o=NetscapeR oot"
[13/Mar/2006:21:15:56 -0500] conn=0 op=7 RESULT err=0 tag=103 nentries=0 etime=0
[13/Mar/2006:21:15:56 -0500] conn=0 op=8 SRCH base="cn=Fedora Directory Server, cn=Server Group, cn=al-lnx-s11.preferredcare.org, ou=preferredcare.org, o=Netsca peRoot" scope=1 filter="(objectClass=nsDirectoryServer)" attrs="* aci passwordEx pirationTime passwordExpWarned passwordRetryCount retryCountResetTime accountUnl ockTime passwordHistory passwordAllowChangeTime nsUniqueId nsLookThroughLimit ns SizeLimit nsTimeLimit nsIdleTimeout nsRole nsRoleDN nsAccountLock"
[13/Mar/2006:21:15:56 -0500] conn=0 op=8 RESULT err=0 tag=101 nentries=1 etime=0
[13/Mar/2006:21:15:56 -0500] conn=0 op=9 SRCH base="cn=slapd-al-lnx-s11, cn=Fedo ra Directory Server, cn=Server Group, cn=al-lnx-s11.preferredcare.org, ou=prefer redcare.org, o=NetscapeRoot" scope=0 filter="(objectClass=*)" attrs="* aci passw ordExpirationTime passwordExpWarned passwordRetryCount retryCountResetTime accou ntUnlockTime passwordHistory passwordAllowChangeTime nsUniqueId nsLookThroughLim it nsSizeLimit nsTimeLimit nsIdleTimeout nsRole nsRoleDN nsAccountLock"
[13/Mar/2006:21:15:56 -0500] conn=0 op=9 RESULT err=0 tag=101 nentries=1 etime=0
[13/Mar/2006:21:15:56 -0500] conn=0 op=10 SRCH base="cn=slapd-al-lnx-s11,cn=Fedo ra Directory Server,cn=Server Group,cn=al-lnx-s11.preferredcare.org,ou=preferred care.org,o=NetscapeRoot" scope=0 filter="(objectClass=*)" attrs="* aci passwordE xpirationTime passwordExpWarned passwordRetryCount retryCountResetTime accountUn lockTime passwordHistory passwordAllowChangeTime nsUniqueId nsLookThroughLimit n sSizeLimit nsTimeLimit nsIdleTimeout nsRole nsRoleDN nsAccountLock"
[13/Mar/2006:21:15:56 -0500] conn=0 op=10 RESULT err=0 tag=101 nentries=1 etime= 0
[13/Mar/2006:21:15:56 -0500] conn=0 op=11 RESULT err=19 tag=103 nentries=0 etime =0
[13/Mar/2006:21:15:56 -0500] conn=0 op=11 MOD dn="cn=slapd-al-lnx-s11,cn=Fedora Directory Server,cn=Server Group,cn=al-lnx-s11.preferredcare.org,ou=preferredcar e.org,o=NetscapeRoot", invalid password syntax

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard Megginson
Sent: Tuesday, March 14, 2006 10:06 AM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Getting ready to upgrade from fds 1.0.1 to 1.0.2

Bliss, Aaron wrote:

>I've been able to reproduce; after setting the new password policy
>(require 1 digit, 1 special, etc) and then I attempt to use a password
>that isn't compliant, this error is logged and the user's new password
>is not accepted.
>[13/Mar/2006:22:19:42 -0500] conn=1073 op=10 RESULT err=19 tag=103
>nentries=0 etime=0
>
Can you find out what this operation is? It's either an ADD or MOD -
just search before that line for "conn=1073 op=10". I'd like to know
what the DN is.

>So, it looks like everything is working like it is supposed to....it's
>still interesting that I received that error during the upgrade....
>
>Aaron
>
>-----Original Message-----
>From: fedora-directory-users-bounces at redhat.com
>[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Bliss,
>Aaron
>Sent: Monday, March 13, 2006 10:04 PM
>To: General discussion list for the Fedora Directory server project.
>Subject: RE: [Fedora-directory-users] Getting ready to upgrade from fds
>1.0.1 to 1.0.2
>
>It only seems to be in the access log 1 time; looks like it only
>happened during the upgrade
>[13/Mar/2006:21:15:56 -0500] conn=0 op=11 RESULT err=19 tag=103
>nentries=0 etime=0
>Is there an easy way to verify that the new password
>schema is being used?
>
>Thanks.
>Aaron
>
>-----Original Message-----
>From: fedora-directory-users-bounces at redhat.com
>[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard
>Megginson
>Sent: Monday, March 13, 2006 9:54 PM
>To: General discussion list for the Fedora Directory server project.
>Cc: Bliss, Aaron
>Subject: Re: [Fedora-directory-users] Getting ready to upgrade from fds
>1.0.1 to 1.0.2
>
>Bliss, Aaron wrote:
>
>>Well, I upgraded the fds rpm; after a reboot all looks okay, however I
>>noticed this information in the setup logfile; is this indicative that
>>something failed to update properly? Perhaps the new schema files?
>>How can I verify that the new schema files are in use? Thanks very
>>much.
>>
>>Start Slapd Starting Slapd server reconfiguration.
>>Fatal Slapd ERROR: Could not update Directory Server Instance URL
>>ldap://fds1.preferredcare.org:389/o=NetscapeRoot user id admin DN
>>cn=slapd-al-lnx-s11,cn=Fedora Directory Server,cn=Server
>>Group,cn=fds1.preferredcare.org,ou=preferredcare.org,o=NetscapeRoot
>>(19:Constraint violation)
>>Configuring Administration Server...
>>InstallInfo: Apache Directory "ApacheDir" is missing.
>>
>>The proper fds version is displayed in the display console, and the new
>>password enforcement options seem to be available.
>>
>Check your directory server access log - look for err=19 - constraint
>violation - to see which operation it's complaining about.
>
>>Aaron
>>-----Original Message-----
>>From: Bliss, Aaron
>>Sent: Monday, March 13, 2006 2:08 PM
>>To: 'General discussion list for the Fedora Directory server project.'
>>Subject: RE: [Fedora-directory-users] Getting ready to upgrade from fds
>>1.0.1 to 1.0.2
>>
>>Ah, thanks again.
>>
>>Aaron
>>
>>-----Original Message-----
>>From: fedora-directory-users-bounces at redhat.com
>>[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard
>>Megginson
>>Sent: Monday, March 13, 2006 2:08 PM
>>To: General discussion list for the Fedora Directory server project.
>>Subject: Re: [Fedora-directory-users] Getting ready to upgrade from fds
>>1.0.1 to 1.0.2
>>
>>Bliss, Aaron wrote:
>>
>>>Thanks; just so I understand, I have to run the setup script even
>>>though my databases have already been configured? I did not have to do
>>>this on my test box in order to upgrade. Thanks.
>>>
>>Setup will copy in the new schema files required to use the new
>>password syntax checking, so if you skip that, you'll have to copy them
>>in manually. Setup will also make sure the console reports the correct
>>version of directory server.
>>
>>>Aaron
>>>
>>>-----Original Message-----
>>>From: fedora-directory-users-bounces at redhat.com
>>>[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard
>>>Megginson
>>>Sent: Monday, March 13, 2006 1:59 PM
>>>To: General discussion list for the Fedora Directory server project.
>>>Subject: Re: [Fedora-directory-users] Getting ready to upgrade from fds
>>>1.0.1 to 1.0.2
>>>
>>>Bliss, Aaron wrote:
>>>
>>>>I'm planning on upgrading both my supplier and consumer fds servers
>>>>tonight; do I need to worry about their server certificates? I'll just
>>>>be running rpm -Uvh fedora....Thanks very much.
>>>>
>>>Upgrade shouldn't touch any ssl information.
>>>
>>>After doing the rpm -U, do cd /opt/fedora-ds ; ./setup/setup and follow
>>>the prompts.
>>>
>>>>Aaron

www.preferredcare.org
"An Outstanding Member Experience," Preferred Care HMO Plans -- J. D. Power and Associates

Confidentiality Notice:
The information contained in this electronic message is intended for the exclusive use of the individual or entity named above and may contain privileged or confidential information. If the reader of this message is not the intended recipient or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that dissemination, distribution or copying of this information is prohibited. If you have received this communication in error, please notify the sender immediately by telephone and destroy the copies you received.
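Added example, not part of any message in this thread: the lookup discussed above (find the RESULT line with err=19, then the operation logged under the same conn and op numbers) done as a script. The log lines are constructed in the layout of the ones pasted above, and the function name is hypothetical; it assumes the log text covers a single server run.

```python
import re

# Constructed sample in the access-log layout pasted in this thread; the DNs
# and connection numbers are made up. The RESULT line for an operation can be
# logged before or after the operation line itself, so both orders appear here.
SAMPLE_LOG = """\
[13/Mar/2006:21:15:56 -0500] conn=0 op=10 SRCH base="cn=config" scope=0 filter="(objectClass=*)" attrs="*"
[13/Mar/2006:21:15:56 -0500] conn=0 op=10 RESULT err=0 tag=101 nentries=1 etime=0
[13/Mar/2006:21:15:56 -0500] conn=0 op=11 RESULT err=19 tag=103 nentries=0 etime=0
[13/Mar/2006:21:15:56 -0500] conn=0 op=11 MOD dn="cn=slapd-example,o=NetscapeRoot", invalid password syntax
[13/Mar/2006:22:19:42 -0500] conn=1073 op=9 MOD dn="uid=other,ou=users,dc=example,dc=com"
[13/Mar/2006:22:19:42 -0500] conn=1073 op=9 RESULT err=0 tag=103 nentries=0 etime=0
[13/Mar/2006:22:19:42 -0500] conn=1073 op=10 MOD dn="uid=test,ou=users,dc=example,dc=com", invalid password syntax
[13/Mar/2006:22:19:42 -0500] conn=1073 op=10 RESULT err=19 tag=103 nentries=0 etime=0
[14/Mar/2006:09:00:01 -0500] conn=2001 op=3 RESULT err=19 tag=105 nentries=0 etime=0
"""

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+conn=(?P<conn>\d+)\s+op=(?P<op>-?\d+)\s+'
    r'(?P<kind>[A-Z]+)\b\s*(?P<rest>.*)$'
)
ERR_RE = re.compile(r'\berr=(\d+)\b')
TARGET_RE = re.compile(r'\b(?:dn|base)="([^"]*)"')


def find_failed_operations(log_text, err=19):
    """Return one record per RESULT line carrying `err`, joined to the
    operation logged under the same (conn, op) pair.

    err=19 is the LDAP constraint violation code. Assumes the text covers a
    single server run, since connection numbers restart with the server.
    """
    operations = {}  # (conn, op) -> details of the ADD/MOD/SRCH/... line
    failures = []    # ((conn, op), timestamp) of matching RESULT lines, in log order
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an operation or RESULT entry (blank line, wrapped fragment)
        key = (int(m['conn']), int(m['op']))
        if m['kind'] == 'RESULT':
            code = ERR_RE.search(m['rest'])
            if code and int(code.group(1)) == err:
                failures.append((key, m['ts']))
            continue
        target = TARGET_RE.search(m['rest'])
        tail = m['rest'][target.end():] if target else ''
        operations[key] = {
            'operation': m['kind'],
            'dn': target.group(1) if target else None,
            # the reason follows the DN, e.g. ', invalid password syntax'
            'note': tail[1:].strip() if tail.startswith(',') else '',
        }
    # Join only after the whole log is read, so a RESULT that precedes its
    # operation line is still matched.
    report = []
    missing = {'operation': None, 'dn': None, 'note': ''}
    for (conn, op), ts in failures:
        details = operations.get((conn, op), missing)
        report.append({'time': ts, 'conn': conn, 'op': op, **details})
    return report


if __name__ == '__main__':
    for record in find_failed_operations(SAMPLE_LOG):
        print(record)
```

A record whose operation is None means the RESULT line had no matching operation line in the text given, for example because the log was rotated between the two.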
From avaalak at yahoo.com Wed Mar 15 06:54:17 2006
From: avaalak at yahoo.com (Douglas Hussey)
Date: Wed, 15 Mar 2006 09:54:17 +0300
Subject: [Fedora-directory-users] adding a user to multiple groups
In-Reply-To: <20060314190010.89400.qmail@web52903.mail.yahoo.com>
References: <20060314190010.89400.qmail@web52903.mail.yahoo.com>
Message-ID: <678B4CB2-01B8-4CDE-B100-8273A98A1410@yahoo.com>

If you are running nscd you need to try
as root service nscd reload

Just stop and starting will not do the trick.

cheers
Doug

On Mar 14, 2006, at 10:00 PM, Susan wrote:

> Nop, I checked that:
> [root at acmegrid1 ~]# /etc/init.d/nscd stop
> Stopping nscd: [ OK ]
> [root at acmegrid1 ~]# id -G test
> 1234
> [root at acmegrid1 ~]# /etc/init.d/nscd start
> Starting nscd: [ OK ]
> [root at acmegrid1 ~]# id -G test
> 1234
>
> still no gID 14....?
>
> --- Pete Rowley wrote:
>
>> Susan wrote:
>>
>>> gid 14 doesn't show up. What am I doing wrong here? Is this not
>>> how you add a user to multiple groups??
>>
>> Perhaps you have nscd running and you are getting a cached answer?
>>
>> --
>> Pete

=================================
Douglas Hussey
Systems Engineer
SAIC
Cell: 571-201-1294
DSN: 318-835-1442
FAX: 703-253-1061
=================================
Walking the road to enlightenment... I found a penguin and a camel on the way.
From sam.sharpe at imperial.ac.uk Wed Mar 15 08:48:21 2006 From: sam.sharpe at imperial.ac.uk (Sharpe, Sam J) Date: Wed, 15 Mar 2006 08:48:21 +0000 Subject: [Fedora-directory-users] adding a user to multiple groups In-Reply-To: <678B4CB2-01B8-4CDE-B100-8273A98A1410@yahoo.com> References: <20060314190010.89400.qmail@web52903.mail.yahoo.com> <678B4CB2-01B8-4CDE-B100-8273A98A1410@yahoo.com> Message-ID: <8695F3D3-39C2-40A7-BDB2-0E992CDD97D8@imperial.ac.uk> >> [root at acmegrid1 ~]# /etc/init.d/nscd stop >> Stopping nscd: [ OK ] >> [root at acmegrid1 ~]# id -G test >> 1234 > If you are running nscd you need to try > as root service nscd reload What Sarah did is stop nscd, then did an id lookup while nscd is stopped. It is certainly a valid test. The problem is that a stop/start does not invalidate the nscd cache - a simple "nscd -i passwd ; nscd -i group" will do that without a service reload. On 15 Mar 2006, at 06:54, Douglas Hussey wrote: > If you are running nscd you need to try > as root service nscd reload > > Just stop and starting will not do the trick. > > cheers > Doug > On Mar 14, 2006, at 10:00 PM, Susan wrote: > >> Nop, I checked that: >> [root at acmegrid1 ~]# /etc/init.d/nscd stop >> Stopping nscd: [ OK ] >> [root at acmegrid1 ~]# id -G test >> 1234 >> [root at acmegrid1 ~]# /etc/init.d/nscd start >> Starting nscd: [ OK ] >> [root at acmegrid1 ~]# id -G test >> 1234 >> >> still no gID 14....? >> >> >> --- Pete Rowley wrote: >> >>> Susan wrote: >>> >>>> gid 14 doesn't show up. What am I doing wrong here? Is this >>>> not how you add a user to >>> multiple >>>> groups?? >>>> >>>> >>>> >>> Perhaps you have nscd running and you are getting a cached answer? >>> >>> -- >>> Pete >>> >>>> -- >>> Fedora-directory-users mailing list >>> Fedora-directory-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> >> >> >> __________________________________________________ >> Do You Yahoo!? >> Tired of spam? Yahoo! 
Mail has the best spam protection around >> http://mail.yahoo.com >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users > > ================================= > Douglas Hussey > Systems Engineer > SAIC > Cell: 571-201-1294 > DSN: 318-835-1442 > FAX: 703-253-1061 > ================================= > Walking the road to enlightenment... I found a penguin and a camel > on the way. > > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users From mohdzainal.abidin at gmail.com Wed Mar 15 08:49:42 2006 From: mohdzainal.abidin at gmail.com (M Zainal Abidin) Date: Wed, 15 Mar 2006 16:49:42 +0800 Subject: [Fedora-directory-users] Problem with glib Message-ID: <41f2714b0603150049l5dc754cay1b47069f99a079d0@mail.gmail.com> Hello all, I have a bit problem here. I'm using fedora core 4. The problem is i cannot install xmms player foe movie. The system said cannot found glib-1.2.2.Icannot install glib. Why? Can anyone teach me how to install it.. Regard, newbie -------------- next part -------------- An HTML attachment was scrubbed... URL: From pengunix at yahoo.com Wed Mar 15 14:40:38 2006 From: pengunix at yahoo.com (*nixplorer) Date: Wed, 15 Mar 2006 06:40:38 -0800 (PST) Subject: [Fedora-directory-users] startconsole doesn't work In-Reply-To: <678B4CB2-01B8-4CDE-B100-8273A98A1410@yahoo.com> Message-ID: <20060315144038.24992.qmail@web60618.mail.yahoo.com> Hi everyone, I have a problem with starting ds. When I execute the ./startconsole, I got following errors. [root at xyz fedora-ds]# ./startconsole -u admin -a http://xyz.domain.com:20000 GC Warning: Out of Memory! Returning NIL! Exception in thread "main" java.lang.OutOfMemoryError <> [root at xyz fedora-ds]# I installed j2re-1_4_2_11-linux-i586.rpm. What is the solution? Any suggestion. thnx --------------------------------- Yahoo! 
Mail Use Photomail to share photos without annoying attachments. -------------- next part -------------- An HTML attachment was scrubbed... URL: From rmeggins at redhat.com Wed Mar 15 14:42:13 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Wed, 15 Mar 2006 07:42:13 -0700 Subject: [Fedora-directory-users] Getting ready to upgrade from fds 1.0.1 to 1.0.2 In-Reply-To: References: Message-ID: <441827C5.5040501@redhat.com> Bliss, Aaron wrote: >Is there any easy way that I can verify that the schemas have been >updated properly? Thanks. > > Yes. See if your slapd-instance/config/schema/00core.ldif file has definitions for these attributes: passwordMinDigits $ passwordMinAlphas $ passwordMinUppers $ passwordMinLowers $ passwordMinSpecials $ passwordMin8bit $ passwordMaxRepeats $ passwordMinCategories $ passwordMinTokenLength >Aaron > >-----Original Message----- >From: Bliss, Aaron >Sent: Tuesday, March 14, 2006 1:34 PM >To: 'General discussion list for the Fedora Directory server project.' 
>Subject: RE: [Fedora-directory-users] Getting ready to upgrade from fds >1.0.1 to 1.0.2 > >I believe this is what your looking for, here is an example when I >intentionally attempt to break the password rules: >[13/Mar/2006:22:19:42 -0500] conn=1073 op=10 RESULT err=19 tag=103 >nentries=0 et ime=0 >[13/Mar/2006:22:19:42 -0500] conn=1073 op=10 MOD >dn="uid=awbtest,ou=users,dc=pre ferredcare,dc=org", invalid password >syntax > >Here is the error that occurred during the upgrade (I wouldn't worry too >much about the entries below that reference fds1 instead of al-lnx-s11, >I manually typed that after pasting the error log, as I wasn't >comfortable displaying the real server name, but it doesn't really >matter now, the real server name is al-lnx-s11) > >[13/Mar/2006:21:15:56 -0500] conn=0 op=3 RESULT err=0 tag=101 nentries=1 >etime=0 >[13/Mar/2006:21:15:56 -0500] conn=0 op=4 BIND dn="uid=admin, >ou=Administrators, ou=TopologyManagement, o=NetscapeRoot" method=128 >version=3 >[13/Mar/2006:21:15:56 -0500] conn=0 op=5 SRCH >base="cn=al-lnx-s11.preferredcare. 
>org, ou=preferredcare.org, o=NetscapeRoot" scope=2 >filter="(&(objectClass=nsAppl >ication)(nsNickName=slapd)(nsInstalledLocation=/opt/fedora-ds))" >attrs="* aci pa sswordExpirationTime passwordExpWarned >passwordRetryCount retryCountResetTime ac countUnlockTime >passwordHistory passwordAllowChangeTime nsUniqueId nsLookThrough Limit >nsSizeLimit nsTimeLimit nsIdleTimeout nsRole nsRoleDN nsAccountLock" >[13/Mar/2006:21:15:56 -0500] conn=0 op=4 RESULT err=0 tag=97 nentries=0 >etime=0 >dn="uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot" >[13/Mar/2006:21:15:56 -0500] conn=0 op=5 RESULT err=0 tag=101 nentries=1 >etime=0 >[13/Mar/2006:21:15:56 -0500] conn=0 op=6 SRCH base="cn=Fedora Directory >Server, cn=Server Group, cn=al-lnx-s11.preferredcare.org, >ou=preferredcare.org, o=Netsca peRoot" scope=0 filter="(objectClass=*)" >attrs="* aci passwordExpirationTime pas swordExpWarned >passwordRetryCount retryCountResetTime accountUnlockTime password >History passwordAllowChangeTime nsUniqueId nsLookThroughLimit >nsSizeLimit nsTime Limit nsIdleTimeout nsRole nsRoleDN nsAccountLock" >[13/Mar/2006:21:15:56 -0500] conn=0 op=6 RESULT err=0 tag=101 nentries=1 >etime=0 >[13/Mar/2006:21:15:56 -0500] conn=0 op=7 MOD dn="cn=Fedora Directory >Server, cn= Server Group, cn=al-lnx-s11.preferredcare.org, >ou=preferredcare.org, o=NetscapeR oot" >[13/Mar/2006:21:15:56 -0500] conn=0 op=7 RESULT err=0 tag=103 nentries=0 >etime=0 >[13/Mar/2006:21:15:56 -0500] conn=0 op=8 SRCH base="cn=Fedora Directory >Server, cn=Server Group, cn=al-lnx-s11.preferredcare.org, >ou=preferredcare.org, o=Netsca peRoot" scope=1 >filter="(objectClass=nsDirectoryServer)" attrs="* aci passwordEx >pirationTime passwordExpWarned passwordRetryCount retryCountResetTime >accountUnl ockTime passwordHistory passwordAllowChangeTime nsUniqueId >nsLookThroughLimit ns SizeLimit nsTimeLimit nsIdleTimeout nsRole >nsRoleDN nsAccountLock" >[13/Mar/2006:21:15:56 -0500] conn=0 op=8 RESULT err=0 tag=101 nentries=1 
>etime=0 >[13/Mar/2006:21:15:56 -0500] conn=0 op=9 SRCH base="cn=slapd-al-lnx-s11, >cn=Fedo ra Directory Server, cn=Server Group, >cn=al-lnx-s11.preferredcare.org, ou=prefer redcare.org, o=NetscapeRoot" >scope=0 filter="(objectClass=*)" attrs="* aci passw ordExpirationTime >passwordExpWarned passwordRetryCount retryCountResetTime accou >ntUnlockTime passwordHistory passwordAllowChangeTime nsUniqueId >nsLookThroughLim it nsSizeLimit nsTimeLimit nsIdleTimeout nsRole >nsRoleDN nsAccountLock" >[13/Mar/2006:21:15:56 -0500] conn=0 op=9 RESULT err=0 tag=101 nentries=1 >etime=0 >[13/Mar/2006:21:15:56 -0500] conn=0 op=10 SRCH >base="cn=slapd-al-lnx-s11,cn=Fedo ra Directory Server,cn=Server >Group,cn=al-lnx-s11.preferredcare.org,ou=preferred >care.org,o=NetscapeRoot" scope=0 filter="(objectClass=*)" attrs="* aci >passwordE xpirationTime passwordExpWarned passwordRetryCount >retryCountResetTime accountUn lockTime passwordHistory >passwordAllowChangeTime nsUniqueId nsLookThroughLimit n sSizeLimit >nsTimeLimit nsIdleTimeout nsRole nsRoleDN nsAccountLock" >[13/Mar/2006:21:15:56 -0500] conn=0 op=10 RESULT err=0 tag=101 >nentries=1 etime= 0 >[13/Mar/2006:21:15:56 -0500] conn=0 op=11 RESULT err=19 tag=103 >nentries=0 etime =0 >[13/Mar/2006:21:15:56 -0500] conn=0 op=11 MOD >dn="cn=slapd-al-lnx-s11,cn=Fedora Directory Server,cn=Server >Group,cn=al-lnx-s11.preferredcare.org,ou=preferredcar >e.org,o=NetscapeRoot", invalid password syntax > > >-----Original Message----- >From: fedora-directory-users-bounces at redhat.com >[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard >Megginson >Sent: Tuesday, March 14, 2006 10:06 AM >To: General discussion list for the Fedora Directory server project. 
>Subject: Re: [Fedora-directory-users] Getting ready to upgrade from fds >1.0.1 to 1.0.2 > >Bliss, Aaron wrote: > > > >>I've been able to reproduce; after setting the new password policy >>(require 1 digit, 1 special, etc) and then I attempt to use a password >>that isn't compliant, this error is logged and the users new password >>is not accepted. >>[13/Mar/2006:22:19:42 -0500] conn=1073 op=10 RESULT err=19 tag=103 >>nentries=0 etime=0 >> >> >> >> >Can you find out what this operation is? It's either an ADD or MOD - >just search before that line for "conn=1073 op=10". I'd like to know >what the DN is. > > > >>So, it looks like everything is working like it is suppose to....it's >>still interesting that I received that error during the upgrade.... >> >>Aaron >> >>-----Original Message----- >>From: fedora-directory-users-bounces at redhat.com >>[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Bliss, >>Aaron >>Sent: Monday, March 13, 2006 10:04 PM >>To: General discussion list for the Fedora Directory server project. >>Subject: RE: [Fedora-directory-users] Getting ready to upgrade from fds >>1.0.1 to 1.0.2 >> >>It only seems to be in the access log 1 time; looks like it only >>happened during the upgrade >>[13/Mar/2006:21:15:56 -0500] conn=0 op=11 RESULT err=19 tag=103 >>nentries=0 etime=0 Is there an easy way to verify that the new password >> >> > > > >>schema is being used? >> >>Thanks. >>Aaron >> >>-----Original Message----- >>From: fedora-directory-users-bounces at redhat.com >>[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard >> >> > > > >>Megginson >>Sent: Monday, March 13, 2006 9:54 PM >>To: General discussion list for the Fedora Directory server project. 
>>Cc: Bliss, Aaron >>Subject: Re: [Fedora-directory-users] Getting ready to upgrade from fds >>1.0.1 to 1.0.2 >> >>Bliss, Aaron wrote: >> >> >> >> >> >>>Well, I upgraded the fds rpm; after a reboot all looks okay, however I >>> >>> > > > >>>noticed this information in the setup logfile; is this indicative that >>>something failed to update properly? Perhaps the new schema files? >>>How can I verify that the new schema files are in use? Thanks very >>>much. >>> >>>Start Slapd Starting Slapd server reconfiguration. >>>Fatal Slapd ERROR: Could not update Directory Server Instance URL >>>ldap://fds1.preferredcare.org:389/o=NetscapeRoot user id admin DN >>>cn=slapd-al-lnx-s11,cn=Fedora Directory Server,cn=Server >>>Group,cn=fds1.preferredcare.org,ou=preferredcare.org,o=NetscapeRoot >>>(19:Constraint violation) >>>Configuring Administration Server... >>>InstallInfo: Apache Directory "ApacheDir" is missing. >>> >>>The proper fds version is disaplyed in the display console, and the >>>new >>> >>> >>> >>> >> >> >> >> >>>password enforcement options seem to be available. >>> >>> >>> >>> >>> >>> >>Check your directory server access log - look for err=19 - constraint >>violation - to see which operation it's complaining about. >> >> >> >> >> >>>Aaron >>>-----Original Message----- >>>From: Bliss, Aaron >>>Sent: Monday, March 13, 2006 2:08 PM >>>To: 'General discussion list for the Fedora Directory server project.' >>>Subject: RE: [Fedora-directory-users] Getting ready to upgrade from >>>fds >>>1.0.1 to 1.0.2 >>> >>>Ah, thanks again. >>> >>>Aaron >>> >>>-----Original Message----- >>>From: fedora-directory-users-bounces at redhat.com >>>[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of >>>Richard >>> >>> >>> >>> >> >> >> >> >>>Megginson >>>Sent: Monday, March 13, 2006 2:08 PM >>>To: General discussion list for the Fedora Directory server project. 
From rcritten at redhat.com Wed Mar 15 15:40:00 2006
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 15 Mar 2006 10:40:00 -0500
Subject: [Fedora-directory-users] Problem with glib
In-Reply-To: <41f2714b0603150049l5dc754cay1b47069f99a079d0@mail.gmail.com>
References: <41f2714b0603150049l5dc754cay1b47069f99a079d0@mail.gmail.com>
Message-ID: <44183550.5050903@redhat.com>

M Zainal Abidin wrote:
> Hello all,
>
> I have a bit problem here. I'm using fedora core 4. The problem is I
> cannot install xmms player for movie. The system said cannot found
> glib-1.2.2. I cannot install glib. Why? Can anyone teach me how to
> install it..
>
> Regard,
> newbie

This list is for the Fedora Directory Server, an LDAP server. You want
the general Fedora users mailing list. You can sign up at
http://www.redhat.com/mailman/listinfo/fedora-list

rob

From ABliss at preferredcare.org Wed Mar 15 15:40:24 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Wed, 15 Mar 2006 10:40:24 -0500
Subject: [Fedora-directory-users] Getting ready to upgrade from fds 1.0.1 to 1.0.2
Message-ID:

Here is what 00core.ldif looks like (I'm sorry, but this is very foreign
to me; does this look okay)? Thanks again.

Aaron

cat 00core.ldif | more | grep -i passwordMaxrepeats
attributeTypes: ( 2.16.840.1.113730.3.1.2081 NAME ( 'passwordMaxRepeats' 'pwdMaxRepeats' ) DESC 'Netscape defined password policy attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
objectClasses: ( 2.16.840.1.113730.3.2.13 NAME 'passwordPolicy' DESC 'Netscape defined password policy objectclass' SUP top MAY ( passwordMaxAge $ passwordExp $ passwordMinLength $ passwordKeepHistory $ passwordInHistory $ passwordChange $ passwordWarning $ passwordLockout $ passwordMaxFailure $ passwordResetDuration $ passwordUnlock $ passwordLockoutDuration $ passwordCheckSyntax $ passwordMustChange $ passwordStorageScheme $ passwordMinAge $ passwordResetFailureCount $ passwordGraceLimit $ passwordMinDigits $ passwordMinAlphas $ passwordMinUppers $ passwordMinLowers $ passwordMinSpecials $ passwordMin8bit $ passwordMaxRepeats $ passwordMinCategories $ passwordMinTokenLength ) X-ORIGIN 'Netscape Directory Server' )

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com
[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard Megginson
Sent: Wednesday, March 15, 2006 9:42 AM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Getting ready to upgrade from fds 1.0.1 to 1.0.2

Bliss, Aaron wrote:

>Is there any easy way that I can verify that the schemas have been
>updated properly? Thanks.

Yes. See if your slapd-instance/config/schema/00core.ldif file has
definitions for these attributes:
passwordMinDigits $ passwordMinAlphas $ passwordMinUppers $
passwordMinLowers $ passwordMinSpecials $ passwordMin8bit $
passwordMaxRepeats $ passwordMinCategories $ passwordMinTokenLength

>Aaron
>
>-----Original Message-----
>From: Bliss, Aaron
>Sent: Tuesday, March 14, 2006 1:34 PM
>To: 'General discussion list for the Fedora Directory server project.'
>Subject: RE: [Fedora-directory-users] Getting ready to upgrade from fds
>1.0.1 to 1.0.2
>
>I believe this is what you're looking for, here is an example when I
>intentionally attempt to break the password rules:
>[13/Mar/2006:22:19:42 -0500] conn=1073 op=10 RESULT err=19 tag=103
>nentries=0 et ime=0
>[13/Mar/2006:22:19:42 -0500] conn=1073 op=10 MOD
>dn="uid=awbtest,ou=users,dc=pre ferredcare,dc=org", invalid password
>syntax
>
>Here is the error that occurred during the upgrade (I wouldn't worry
>too much about the entries below that reference fds1 instead of
>al-lnx-s11, I manually typed that after pasting the error log, as I
>wasn't comfortable displaying the real server name, but it doesn't
>really matter now, the real server name is al-lnx-s11)
>
>[13/Mar/2006:21:15:56 -0500] conn=0 op=3 RESULT err=0 tag=101
>nentries=1 etime=0
>[13/Mar/2006:21:15:56 -0500] conn=0 op=4 BIND dn="uid=admin,
>ou=Administrators, ou=TopologyManagement, o=NetscapeRoot" method=128
>version=3
>[13/Mar/2006:21:15:56 -0500] conn=0 op=5 SRCH
>base="cn=al-lnx-s11.preferredcare.
>org, ou=preferredcare.org, o=NetscapeRoot" scope=2
>filter="(&(objectClass=nsAppl
>ication)(nsNickName=slapd)(nsInstalledLocation=/opt/fedora-ds))"
>attrs="* aci pa sswordExpirationTime passwordExpWarned
>passwordRetryCount retryCountResetTime ac countUnlockTime
>passwordHistory passwordAllowChangeTime nsUniqueId nsLookThrough Limit
>nsSizeLimit nsTimeLimit nsIdleTimeout nsRole nsRoleDN nsAccountLock"
>[13/Mar/2006:21:15:56 -0500] conn=0 op=4 RESULT err=0 tag=97 nentries=0
>etime=0
>dn="uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
>[13/Mar/2006:21:15:56 -0500] conn=0 op=5 RESULT err=0 tag=101
>nentries=1 etime=0
>[13/Mar/2006:21:15:56 -0500] conn=0 op=6 SRCH base="cn=Fedora Directory
>Server, cn=Server Group, cn=al-lnx-s11.preferredcare.org,
>ou=preferredcare.org, o=Netsca peRoot" scope=0 filter="(objectClass=*)"
>attrs="* aci passwordExpirationTime pas swordExpWarned
>passwordRetryCount retryCountResetTime accountUnlockTime password
>History passwordAllowChangeTime nsUniqueId nsLookThroughLimit
>nsSizeLimit nsTime Limit nsIdleTimeout nsRole nsRoleDN nsAccountLock"
>[13/Mar/2006:21:15:56 -0500] conn=0 op=6 RESULT err=0 tag=101
>nentries=1 etime=0
>[13/Mar/2006:21:15:56 -0500] conn=0 op=7 MOD dn="cn=Fedora Directory
>Server, cn= Server Group, cn=al-lnx-s11.preferredcare.org,
>ou=preferredcare.org, o=NetscapeR oot"
>[13/Mar/2006:21:15:56 -0500] conn=0 op=7 RESULT err=0 tag=103
>nentries=0 etime=0
>[13/Mar/2006:21:15:56 -0500] conn=0 op=8 SRCH base="cn=Fedora Directory
>Server, cn=Server Group, cn=al-lnx-s11.preferredcare.org,
>ou=preferredcare.org, o=Netsca peRoot" scope=1
>filter="(objectClass=nsDirectoryServer)" attrs="* aci passwordEx
>pirationTime passwordExpWarned passwordRetryCount retryCountResetTime
>accountUnl ockTime passwordHistory passwordAllowChangeTime nsUniqueId
>nsLookThroughLimit ns SizeLimit nsTimeLimit nsIdleTimeout nsRole
>nsRoleDN nsAccountLock"
>[13/Mar/2006:21:15:56 -0500] conn=0 op=8 RESULT err=0 tag=101
>nentries=1 etime=0
>[13/Mar/2006:21:15:56 -0500] conn=0 op=9 SRCH
>base="cn=slapd-al-lnx-s11, cn=Fedo ra Directory Server, cn=Server
>Group, cn=al-lnx-s11.preferredcare.org, ou=prefer redcare.org, o=NetscapeRoot"
>scope=0 filter="(objectClass=*)" attrs="* aci passw ordExpirationTime
>passwordExpWarned passwordRetryCount retryCountResetTime accou
>ntUnlockTime passwordHistory passwordAllowChangeTime nsUniqueId
>nsLookThroughLim it nsSizeLimit nsTimeLimit nsIdleTimeout nsRole
>nsRoleDN nsAccountLock"
>[13/Mar/2006:21:15:56 -0500] conn=0 op=9 RESULT err=0 tag=101
>nentries=1 etime=0
>[13/Mar/2006:21:15:56 -0500] conn=0 op=10 SRCH
>base="cn=slapd-al-lnx-s11,cn=Fedo ra Directory Server,cn=Server
>Group,cn=al-lnx-s11.preferredcare.org,ou=preferred
>care.org,o=NetscapeRoot" scope=0 filter="(objectClass=*)" attrs="* aci
>passwordE xpirationTime passwordExpWarned passwordRetryCount
>retryCountResetTime accountUn lockTime passwordHistory
>passwordAllowChangeTime nsUniqueId nsLookThroughLimit n sSizeLimit
>nsTimeLimit nsIdleTimeout nsRole nsRoleDN nsAccountLock"
>[13/Mar/2006:21:15:56 -0500] conn=0 op=10 RESULT err=0 tag=101
>nentries=1 etime= 0
>[13/Mar/2006:21:15:56 -0500] conn=0 op=11 RESULT err=19 tag=103
>nentries=0 etime =0
>[13/Mar/2006:21:15:56 -0500] conn=0 op=11 MOD
>dn="cn=slapd-al-lnx-s11,cn=Fedora Directory Server,cn=Server
>Group,cn=al-lnx-s11.preferredcare.org,ou=preferredcar
>e.org,o=NetscapeRoot", invalid password syntax
>
>-----Original Message-----
>From: fedora-directory-users-bounces at redhat.com
>[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard Megginson
>Sent: Tuesday, March 14, 2006 10:06 AM
>To: General discussion list for the Fedora Directory server project.
>Subject: Re: [Fedora-directory-users] Getting ready to upgrade from fds
>1.0.1 to 1.0.2
>
>Bliss, Aaron wrote:
>
>>I've been able to reproduce; after setting the new password policy
>>(require 1 digit, 1 special, etc) and then I attempt to use a password
>>that isn't compliant, this error is logged and the user's new password
>>is not accepted.
>>[13/Mar/2006:22:19:42 -0500] conn=1073 op=10 RESULT err=19 tag=103
>>nentries=0 etime=0
>>
>Can you find out what this operation is? It's either an ADD or MOD -
>just search before that line for "conn=1073 op=10". I'd like to know
>what the DN is.
>
>>So, it looks like everything is working like it is supposed to....it's
>>still interesting that I received that error during the upgrade....
>>
>>Aaron
>>
>>-----Original Message-----
>>From: fedora-directory-users-bounces at redhat.com
>>[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Bliss, Aaron
>>Sent: Monday, March 13, 2006 10:04 PM
>>To: General discussion list for the Fedora Directory server project.
>>Subject: RE: [Fedora-directory-users] Getting ready to upgrade from fds 1.0.1 to 1.0.2
>>
>>It only seems to be in the access log 1 time; looks like it only
>>happened during the upgrade
>>[13/Mar/2006:21:15:56 -0500] conn=0 op=11 RESULT err=19 tag=103
>>nentries=0 etime=0
>>Is there an easy way to verify that the new password schema is being used?
>>
>>Thanks.
>>Aaron
>>
>>-----Original Message-----
>>From: fedora-directory-users-bounces at redhat.com
>>[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard Megginson
>>Sent: Monday, March 13, 2006 9:54 PM
>>To: General discussion list for the Fedora Directory server project.
>>Cc: Bliss, Aaron
>>Subject: Re: [Fedora-directory-users] Getting ready to upgrade from fds 1.0.1 to 1.0.2
>>
>>Bliss, Aaron wrote:
>>
>>>Well, I upgraded the fds rpm; after a reboot all looks okay, however I
>>>noticed this information in the setup logfile; is this indicative that
>>>something failed to update properly? Perhaps the new schema files?
>>>How can I verify that the new schema files are in use? Thanks very
>>>much.
>>>
>>>Start Slapd Starting Slapd server reconfiguration.
>>>Fatal Slapd ERROR: Could not update Directory Server Instance URL
>>>ldap://fds1.preferredcare.org:389/o=NetscapeRoot user id admin DN
>>>cn=slapd-al-lnx-s11,cn=Fedora Directory Server,cn=Server
>>>Group,cn=fds1.preferredcare.org,ou=preferredcare.org,o=NetscapeRoot
>>>(19:Constraint violation)
>>>Configuring Administration Server...
>>>InstallInfo: Apache Directory "ApacheDir" is missing.
>>>
>>>The proper fds version is displayed in the display console, and the new
>>>password enforcement options seem to be available.
>>>
>>Check your directory server access log - look for err=19 - constraint
>>violation - to see which operation it's complaining about.
>>
>>>Aaron
>>>-----Original Message-----
>>>From: Bliss, Aaron
>>>Sent: Monday, March 13, 2006 2:08 PM
>>>To: 'General discussion list for the Fedora Directory server project.'
>>>Subject: RE: [Fedora-directory-users] Getting ready to upgrade from fds 1.0.1 to 1.0.2
>>>
>>>Ah, thanks again.
>>>
>>>Aaron
>>>
>>>-----Original Message-----
>>>From: fedora-directory-users-bounces at redhat.com
>>>[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard Megginson
>>>Sent: Monday, March 13, 2006 2:08 PM
>>>To: General discussion list for the Fedora Directory server project.
>>>Subject: Re: [Fedora-directory-users] Getting ready to upgrade from fds 1.0.1 to 1.0.2
>>>
>>>Bliss, Aaron wrote:
>>>
>>>>Thanks; just so I understand, I have to run the setup script even
>>>>though my databases have already been configured? I did not have to do
>>>>this on my test box in order to upgrade. Thanks.
>>>>
>>>Setup will copy in the new schema files required to use the new
>>>password syntax checking, so if you skip that, you'll have to copy them
>>>in manually. Setup will also make sure the console reports the correct
>>>version of directory server.
>>>
>>>>Aaron
>>>>
>>>>-----Original Message-----
>>>>From: fedora-directory-users-bounces at redhat.com
>>>>[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard Megginson
>>>>Sent: Monday, March 13, 2006 1:59 PM
>>>>To: General discussion list for the Fedora Directory server project.
>>>>Subject: Re: [Fedora-directory-users] Getting ready to upgrade from fds 1.0.1 to 1.0.2
>>>>
>>>>Bliss, Aaron wrote:
>>>>
>>>>>I'm planning on upgrading both my supplier and consumer fds servers
>>>>>tonight; do I need to worry about their server certificates? I'll just
>>>>>be running rpm -Uvh fedora....Thanks very much.
>>>>>
>>>>Upgrade shouldn't touch any ssl information.
>>>>
>>>>After doing the rpm -U, do cd /opt/fedora-ds ; ./setup/setup and follow
>>>>the prompts.
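The two checks suggested in this thread (definitions for the new password attributes in 00core.ldif, and tracing an err=19 RESULT line back to its operation by conn/op) are shown here as an added Python example; it is not part of the original messages or of the Fedora Directory Server project. The function names, the sample LDIF and the sample log lines are constructed for illustration.

```python
import re

# The nine attributes the thread lists as new for password syntax checking.
NEW_PW_ATTRS = [
    "passwordMinDigits", "passwordMinAlphas", "passwordMinUppers",
    "passwordMinLowers", "passwordMinSpecials", "passwordMin8bit",
    "passwordMaxRepeats", "passwordMinCategories", "passwordMinTokenLength",
]

def unfold_ldif(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines

def missing_attribute_types(ldif_text, wanted=NEW_PW_ATTRS):
    """Return the wanted attributes that have no attributeTypes definition.

    A name that only appears in an objectClasses MAY list does not count,
    although a plain grep for the name matches that line as well.
    """
    defined = set()
    for line in unfold_ldif(ldif_text):
        if not line.lower().startswith("attributetypes:"):
            continue
        name = re.search(r"\bNAME\s+(\([^)]*\)|'[^']*')", line)
        if name:
            defined.update(n.lower() for n in re.findall(r"'([^']+)'", name.group(1)))
    return [a for a in wanted if a.lower() not in defined]

# Access log lines that belong to an operation: [time] conn=N op=N VERB rest
OP_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+conn=(?P<conn>\d+)\s+op=(?P<op>\d+)"
    r"\s+(?P<verb>[A-Z]+)\b\s*(?P<rest>.*)$")

def failed_operations(log_lines, err=19):
    """Pair every 'RESULT err=<err>' line with the request sharing its conn/op.

    The whole input is read before pairing, so a request logged after its
    RESULT line (as in the upgrade log quoted in the thread) is still found.
    Connection numbers start again after a server restart, so pass the
    lines of one server run at a time.
    """
    requests, failures = {}, []
    for line in log_lines:
        m = OP_LINE.match(line.strip())
        if not m:
            continue  # lines without an operation verb are skipped
        key = (int(m.group("conn")), int(m.group("op")))
        rest = m.group("rest")
        if m.group("verb") == "RESULT":
            if re.search(r"\berr=%d\b" % err, rest):
                failures.append((key, m.group("ts")))
            continue
        dn = re.search(r'dn="([^"]*)"', rest)
        requests[key] = {
            "operation": m.group("verb"),
            "dn": dn.group(1) if dn else None,
            "note": rest[dn.end():].strip(" ,") if dn else "",
        }
    report = []
    for (conn, op), ts in failures:
        entry = {"conn": conn, "op": op, "time": ts,
                 "operation": None, "dn": None, "note": ""}
        entry.update(requests.get((conn, op), {}))
        report.append(entry)
    return report

# Constructed sample: one folded attributeTypes definition, and an
# objectClasses line that merely names passwordMinDigits.
SAMPLE_LDIF = """\
attributeTypes: ( 2.16.840.1.113730.3.1.2081 NAME ( 'passwordMaxRepeats' 'pwdMa
 xRepeats' ) DESC 'Netscape defined password policy attribute type' SINGLE-VALU
 E X-ORIGIN 'Netscape Directory Server' )
objectClasses: ( 2.16.840.1.113730.3.2.13 NAME 'passwordPolicy' SUP top MAY ( p
 asswordMinDigits $ passwordMaxRepeats ) X-ORIGIN 'Netscape Directory Server' )
"""

# Constructed log lines in the format quoted in the thread.
SAMPLE_LOG = """\
[13/Mar/2006:21:15:56 -0500] conn=0 op=10 RESULT err=0 tag=101 nentries=1 etime=0
[13/Mar/2006:21:15:56 -0500] conn=0 op=11 RESULT err=19 tag=103 nentries=0 etime=0
[13/Mar/2006:21:15:56 -0500] conn=0 op=11 MOD dn="cn=slapd-example,o=NetscapeRoot", invalid password syntax
[13/Mar/2006:22:19:42 -0500] conn=1073 op=10 MOD dn="uid=test,ou=users,dc=example,dc=com"
[13/Mar/2006:22:19:42 -0500] conn=1073 op=10 RESULT err=19 tag=103 nentries=0 etime=0
""".splitlines()

if __name__ == "__main__":
    print("attributes without a definition:", missing_attribute_types(SAMPLE_LDIF))
    for f in failed_operations(SAMPLE_LOG):
        print("conn=%(conn)d op=%(op)d %(operation)s dn=%(dn)s %(note)s" % f)
```
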
From rmeggins at redhat.com Wed Mar 15 16:19:39 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 15 Mar 2006 09:19:39 -0700
Subject: [Fedora-directory-users] Getting ready to upgrade from fds 1.0.1 to 1.0.2
In-Reply-To:
References:
Message-ID: <44183E9B.4080906@redhat.com>

Bliss, Aaron wrote:

>Here is what 00core.ldif looks like (I'm sorry, but this is very foreign
>to me; does this look okay)? Thanks again.

Looks good.

>Aaron
>
>cat 00core.ldif | more | grep -i passwordMaxrepeats
>attributeTypes: ( 2.16.840.1.113730.3.1.2081 NAME ( 'passwordMaxRepeats'
>'pwdMaxRepeats' ) DESC 'Netscape defined password policy attribute type'
>SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape
>Directory Server' )
>objectClasses: ( 2.16.840.1.113730.3.2.13 NAME 'passwordPolicy' DESC
>'Netscape defined password policy objectclass' SUP top MAY (
>passwordMaxAge $ passwordExp $ passwordMinLength $ passwordKeepHistory $
>passwordInHistory $ passwordChange $ passwordWarning $ passwordLockout $
>passwordMaxFailure $ passwordResetDuration $ passwordUnlock $
>passwordLockoutDuration $ passwordCheckSyntax $ passwordMustChange $
>passwordStorageScheme $ passwordMinAge $ passwordResetFailureCount $
>passwordGraceLimit $ passwordMinDigits $ passwordMinAlphas $
>passwordMinUppers $ passwordMinLowers $ passwordMinSpecials $
>passwordMin8bit $ passwordMaxRepeats $ passwordMinCategories $
>passwordMinTokenLength ) X-ORIGIN 'Netscape Directory Server' )
>
>-----Original Message-----
>From: fedora-directory-users-bounces at redhat.com
>[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard Megginson
>Sent: Wednesday, March 15, 2006 9:42 AM
>To: General discussion list for the Fedora Directory server project.
>Subject: Re: [Fedora-directory-users] Getting ready to upgrade from fds >1.0.1 to 1.0.2 > >Bliss, Aaron wrote: > > > >>Is there any easy way that I can verify that the schemas have been >>updated properly? Thanks. >> >> >> >> >Yes. See if your slapd-instance/config/schema/00core.ldif file has >definitions for these attributes: >passwordMinDigits $ passwordMinAlphas $ passwordMinUppers $ >passwordMinLowers $ passwordMinSpecials $ passwordMin8bit $ >passwordMaxRepeats $ passwordMinCategories $ passwordMinTokenLength > > > >>Aaron >> >>-----Original Message----- >>From: Bliss, Aaron >>Sent: Tuesday, March 14, 2006 1:34 PM >>To: 'General discussion list for the Fedora Directory server project.' >>Subject: RE: [Fedora-directory-users] Getting ready to upgrade from fds >>1.0.1 to 1.0.2 >> >>I believe this is what your looking for, here is an example when I >>intentionally attempt to break the password rules: >>[13/Mar/2006:22:19:42 -0500] conn=1073 op=10 RESULT err=19 tag=103 >>nentries=0 et ime=0 >>[13/Mar/2006:22:19:42 -0500] conn=1073 op=10 MOD >>dn="uid=awbtest,ou=users,dc=pre ferredcare,dc=org", invalid password >>syntax >> >>Here is the error that occurred during the upgrade (I wouldn't worry >>too much about the entries below that reference fds1 instead of >>al-lnx-s11, I manually typed that after pasting the error log, as I >>wasn't comfortable displaying the real server name, but it doesn't >>really matter now, the real server name is al-lnx-s11) >> >>[13/Mar/2006:21:15:56 -0500] conn=0 op=3 RESULT err=0 tag=101 >>nentries=1 etime=0 >>[13/Mar/2006:21:15:56 -0500] conn=0 op=4 BIND dn="uid=admin, >>ou=Administrators, ou=TopologyManagement, o=NetscapeRoot" method=128 >>version=3 >>[13/Mar/2006:21:15:56 -0500] conn=0 op=5 SRCH >>base="cn=al-lnx-s11.preferredcare. 
>>org, ou=preferredcare.org, o=NetscapeRoot" scope=2 >>filter="(&(objectClass=nsAppl >>ication)(nsNickName=slapd)(nsInstalledLocation=/opt/fedora-ds))" >>attrs="* aci pa sswordExpirationTime passwordExpWarned >>passwordRetryCount retryCountResetTime ac countUnlockTime >>passwordHistory passwordAllowChangeTime nsUniqueId nsLookThrough Limit >>nsSizeLimit nsTimeLimit nsIdleTimeout nsRole nsRoleDN nsAccountLock" >>[13/Mar/2006:21:15:56 -0500] conn=0 op=4 RESULT err=0 tag=97 nentries=0 >> >> > > > >>etime=0 >>dn="uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot" >>[13/Mar/2006:21:15:56 -0500] conn=0 op=5 RESULT err=0 tag=101 >>nentries=1 etime=0 >>[13/Mar/2006:21:15:56 -0500] conn=0 op=6 SRCH base="cn=Fedora Directory >> >> > > > >>Server, cn=Server Group, cn=al-lnx-s11.preferredcare.org, >>ou=preferredcare.org, o=Netsca peRoot" scope=0 filter="(objectClass=*)" >>attrs="* aci passwordExpirationTime pas swordExpWarned >>passwordRetryCount retryCountResetTime accountUnlockTime password >>History passwordAllowChangeTime nsUniqueId nsLookThroughLimit >>nsSizeLimit nsTime Limit nsIdleTimeout nsRole nsRoleDN nsAccountLock" >>[13/Mar/2006:21:15:56 -0500] conn=0 op=6 RESULT err=0 tag=101 >>nentries=1 etime=0 >>[13/Mar/2006:21:15:56 -0500] conn=0 op=7 MOD dn="cn=Fedora Directory >>Server, cn= Server Group, cn=al-lnx-s11.preferredcare.org, >>ou=preferredcare.org, o=NetscapeR oot" >>[13/Mar/2006:21:15:56 -0500] conn=0 op=7 RESULT err=0 tag=103 >>nentries=0 etime=0 >>[13/Mar/2006:21:15:56 -0500] conn=0 op=8 SRCH base="cn=Fedora Directory >> >> > > > >>Server, cn=Server Group, cn=al-lnx-s11.preferredcare.org, >>ou=preferredcare.org, o=Netsca peRoot" scope=1 >>filter="(objectClass=nsDirectoryServer)" attrs="* aci passwordEx >>pirationTime passwordExpWarned passwordRetryCount retryCountResetTime >>accountUnl ockTime passwordHistory passwordAllowChangeTime nsUniqueId >>nsLookThroughLimit ns SizeLimit nsTimeLimit nsIdleTimeout nsRole >>nsRoleDN nsAccountLock" 
>>[13/Mar/2006:21:15:56 -0500] conn=0 op=8 RESULT err=0 tag=101 >>nentries=1 etime=0 >>[13/Mar/2006:21:15:56 -0500] conn=0 op=9 SRCH >>base="cn=slapd-al-lnx-s11, cn=Fedo ra Directory Server, cn=Server >>Group, cn=al-lnx-s11.preferredcare.org, ou=prefer redcare.org, >> >> >o=NetscapeRoot" > > >>scope=0 filter="(objectClass=*)" attrs="* aci passw ordExpirationTime >>passwordExpWarned passwordRetryCount retryCountResetTime accou >>ntUnlockTime passwordHistory passwordAllowChangeTime nsUniqueId >>nsLookThroughLim it nsSizeLimit nsTimeLimit nsIdleTimeout nsRole >>nsRoleDN nsAccountLock" >>[13/Mar/2006:21:15:56 -0500] conn=0 op=9 RESULT err=0 tag=101 >>nentries=1 etime=0 >>[13/Mar/2006:21:15:56 -0500] conn=0 op=10 SRCH >>base="cn=slapd-al-lnx-s11,cn=Fedo ra Directory Server,cn=Server >>Group,cn=al-lnx-s11.preferredcare.org,ou=preferred >>care.org,o=NetscapeRoot" scope=0 filter="(objectClass=*)" attrs="* aci >>passwordE xpirationTime passwordExpWarned passwordRetryCount >>retryCountResetTime accountUn lockTime passwordHistory >>passwordAllowChangeTime nsUniqueId nsLookThroughLimit n sSizeLimit >>nsTimeLimit nsIdleTimeout nsRole nsRoleDN nsAccountLock" >>[13/Mar/2006:21:15:56 -0500] conn=0 op=10 RESULT err=0 tag=101 >>nentries=1 etime= 0 >>[13/Mar/2006:21:15:56 -0500] conn=0 op=11 RESULT err=19 tag=103 >>nentries=0 etime =0 >>[13/Mar/2006:21:15:56 -0500] conn=0 op=11 MOD >>dn="cn=slapd-al-lnx-s11,cn=Fedora Directory Server,cn=Server >>Group,cn=al-lnx-s11.preferredcare.org,ou=preferredcar >>e.org,o=NetscapeRoot", invalid password syntax >> >> >>-----Original Message----- >>From: fedora-directory-users-bounces at redhat.com >>[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard >> >> > > > >>Megginson >>Sent: Tuesday, March 14, 2006 10:06 AM >>To: General discussion list for the Fedora Directory server project. 
>>Subject: Re: [Fedora-directory-users] Getting ready to upgrade from fds >>1.0.1 to 1.0.2 >> >>Bliss, Aaron wrote: >> >> >> >> >> >>>I've been able to reproduce; after setting the new password policy >>>(require 1 digit, 1 special, etc) and then I attempt to use a password >>> >>> > > > >>>that isn't compliant, this error is logged and the users new password >>>is not accepted. >>>[13/Mar/2006:22:19:42 -0500] conn=1073 op=10 RESULT err=19 tag=103 >>>nentries=0 etime=0 >>> >>> >>> >>> >>> >>> >>Can you find out what this operation is? It's either an ADD or MOD - >>just search before that line for "conn=1073 op=10". I'd like to know >>what the DN is. >> >> >> >> >> >>>So, it looks like everything is working like it is suppose to....it's >>>still interesting that I received that error during the upgrade.... >>> >>>Aaron >>> >>>-----Original Message----- >>>From: fedora-directory-users-bounces at redhat.com >>>[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Bliss, >>> >>> > > > >>>Aaron >>>Sent: Monday, March 13, 2006 10:04 PM >>>To: General discussion list for the Fedora Directory server project. >>>Subject: RE: [Fedora-directory-users] Getting ready to upgrade from >>>fds >>>1.0.1 to 1.0.2 >>> >>>It only seems to be in the access log 1 time; looks like it only >>>happened during the upgrade >>>[13/Mar/2006:21:15:56 -0500] conn=0 op=11 RESULT err=19 tag=103 >>>nentries=0 etime=0 Is there an easy way to verify that the new >>>password >>> >>> >>> >>> >> >> >> >> >>>schema is being used? >>> >>>Thanks. >>>Aaron >>> >>>-----Original Message----- >>>From: fedora-directory-users-bounces at redhat.com >>>[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of >>>Richard >>> >>> >>> >>> >> >> >> >> >>>Megginson >>>Sent: Monday, March 13, 2006 9:54 PM >>>To: General discussion list for the Fedora Directory server project. 
>>>Cc: Bliss, Aaron
>>>Subject: Re: [Fedora-directory-users] Getting ready to upgrade from
>>>fds
>>>1.0.1 to 1.0.2
>>>
>>>Bliss, Aaron wrote:
>>>
>>>>Well, I upgraded the fds rpm; after a reboot all looks okay, however
>>>>I
>>>>noticed this information in the setup logfile; is this indicative that
>>>>something failed to update properly? Perhaps the new schema files?
>>>>How can I verify that the new schema files are in use? Thanks very
>>>>much.
>>>>
>>>>Start Slapd Starting Slapd server reconfiguration.
>>>>Fatal Slapd ERROR: Could not update Directory Server Instance URL
>>>>ldap://fds1.preferredcare.org:389/o=NetscapeRoot user id admin DN
>>>>cn=slapd-al-lnx-s11,cn=Fedora Directory Server,cn=Server
>>>>Group,cn=fds1.preferredcare.org,ou=preferredcare.org,o=NetscapeRoot
>>>>(19:Constraint violation)
>>>>Configuring Administration Server...
>>>>InstallInfo: Apache Directory "ApacheDir" is missing.
>>>>
>>>>The proper fds version is displayed in the display console, and the
>>>>new
>>>>password enforcement options seem to be available.
>>>>
>>>Check your directory server access log - look for err=19 - constraint
>>>violation - to see which operation it's complaining about.
>>>
>>>>Aaron
>>>>-----Original Message-----
>>>>From: Bliss, Aaron
>>>>Sent: Monday, March 13, 2006 2:08 PM
>>>>To: 'General discussion list for the Fedora Directory server project.'
>>>>Subject: RE: [Fedora-directory-users] Getting ready to upgrade from
>>>>fds
>>>>1.0.1 to 1.0.2
>>>>
>>>>Ah, thanks again.
>>>>
>>>>Aaron
>>>>
>>>>-----Original Message-----
>>>>From: fedora-directory-users-bounces at redhat.com
>>>>[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of
>>>>Richard
>>>>Megginson
>>>>Sent: Monday, March 13, 2006 2:08 PM
>>>>To: General discussion list for the Fedora Directory server project.
>>>>Subject: Re: [Fedora-directory-users] Getting ready to upgrade from
>>>>fds
>>>>1.0.1 to 1.0.2
>>>>
>>>>Bliss, Aaron wrote:
>>>>
>>>>>Thanks; just so I understand, I have to run the setup script even
>>>>>though my databases have already been configured? I did not have to
>>>>>do
>>>>>this on my test box in order to upgrade. Thanks.
>>>>>
>>>>Setup will copy in the new schema files required to use the new
>>>>password syntax checking, so if you skip that, you'll have to copy
>>>>them
>>>>in manually. Setup will also make sure the console reports the
>>>>correct
>>>>version of directory server.
>>>>
>>>>>Aaron
>>>>>
>>>>>-----Original Message-----
>>>>>From: fedora-directory-users-bounces at redhat.com
>>>>>[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of
>>>>>Richard
>>>>>Megginson
>>>>>Sent: Monday, March 13, 2006 1:59 PM
>>>>>To: General discussion list for the Fedora Directory server project.
>>>>>Subject: Re: [Fedora-directory-users] Getting ready to upgrade from
>>>>>fds
>>>>>1.0.1 to 1.0.2
>>>>>
>>>>>Bliss, Aaron wrote:
>>>>>
>>>>>>I'm planning on upgrading both my supplier and consumer fds servers
>>>>>>tonight; do I need to worry about their server certificates? I'll
>>>>>>just
>>>>>>be running rpm -Uvh fedora....Thanks very much.
>>>>>>
>>>>>Upgrade shouldn't touch any ssl information.
>>>>>
>>>>>After doing the rpm -U, do cd /opt/fedora-ds ; ./setup/setup and
>>>>>follow
>>>>>the prompts.
>>>>>
>>>>>>Aaron
>>>>>>
>>>>>>www.preferredcare.org
>>>>>>"An Outstanding Member Experience," Preferred Care HMO Plans -- J. D.
>>>>>>Power and Associates
>>>>>>
>>>>>>Confidentiality Notice:
>>>>>>The information contained in this electronic message is intended
>>>>>>for
>>>>>the exclusive use of the individual or entity named above and may
>>>>>contain privileged or confidential information. If the reader of
>>>>>this
>>>>>message is not the intended recipient or the employee or agent
>>>>>responsible to deliver it to the intended recipient, you are hereby
>>>>>notified that dissemination, distribution or copying of this
>>>>>information is prohibited.
>>>>>If you have received this communication in error, please notify the sender immediately by telephone and destroy
>>>>>the copies you received.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3178 bytes
Desc: S/MIME Cryptographic Signature
URL:

From mont.rothstein at gmail.com Wed Mar 15 18:11:03 2006
From: mont.rothstein at gmail.com (Mont Rothstein)
Date: Wed, 15 Mar 2006 10:11:03 -0800
Subject: [Fedora-directory-users] Re: Trouble Populating FDS with PDC Entry
In-Reply-To: <467a83630603141649w1a207c6fn6998d656027d2c89@mail.gmail.com>
References: <467a83630603141649w1a207c6fn6998d656027d2c89@mail.gmail.com>
Message-ID: <467a83630603151011m19531c9ft893636f8b5695544@mail.gmail.com>

Just to clarify, if I do a ldapsearch for "objectclass=sambaDomain" I
get nothing back.

I believe the "Already exists" is erroneous, but I don't know why.

-Mont

On 3/14/06, Mont Rothstein wrote:
>
> I am trying to follow http://directory.fedora.redhat.com/wiki/Howto:Samba and running into trouble.
>
> I'm at the "Populating FDS with PDC Entry" section. I get my SID, and
> create my domainName.ldif file as specified (contents below).
>
> I then run the command:
>
> /opt/fedora-ds/slapd-rheles4rs1/ldif2ldap "cn=Directory manager" myDMPassword /tmp/forayadams.ldif
>
> What this gives me is:
>
> adding new entry sambaDomainName=forayadams,dc=forayadams,dc=foray,dc=com
> ldap_add: Already exists
>
> I can't find anything on this.
>
> None of the log files (admin-serv/logs/access, admin-serv/logs/error,
> slapd-rheles4rs1/logs/access, slapd-rheles4rs1/logs/errors) show anything
> when I issue this command.
>
> Any ideas as to what I've done wrong?
>
> Thanks,
> -Mont
>
> Contents of my /tmp/forayadams.ldif:
>
> dn: sambaDomainName=forayadams,dc=forayadams,dc=foray,dc=com
> objectclass: sambaDomain
> objectclass: sambaUnixIDPool
> objectclass: top
> sambaDomainName: forayadams
> sambaSID: S-1-5-21-807157010-1821471989-4121009367
> uidNumber: 550
> gidNumber: 550
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From craigwhite at azapple.com Wed Mar 15 18:19:48 2006
From: craigwhite at azapple.com (Craig White)
Date: Wed, 15 Mar 2006 11:19:48 -0700
Subject: [Fedora-directory-users] Re: Trouble Populating FDS with PDC Entry
In-Reply-To: <467a83630603151011m19531c9ft893636f8b5695544@mail.gmail.com>
References: <467a83630603141649w1a207c6fn6998d656027d2c89@mail.gmail.com> <467a83630603151011m19531c9ft893636f8b5695544@mail.gmail.com>
Message-ID: <1142446788.2835.86.camel@lin-workstation.azapple.com>

That's clearly a problem...

ldapsearch -x -D 'cn=Directory Manager' -W '(objectclass=sambadomain)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (objectclass=sambadomain)
# requesting: ALL
#

# example, example.com
dn: sambaDomainName=example,dc=example,dc=com
sambaSID: S-1-5-21-9999999999-9999999999-9999999999
objectClass: top
objectClass: sambaDomain
objectClass: sambaunixidpool
sambaAlgorithmicRidBase: 1000
sambaDomainName: example
gidNumber: 1000
uidNumber: 1001

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Craig

On Wed, 2006-03-15 at 10:11 -0800, Mont Rothstein wrote:
> Just to clarify, if I do a ldapsearch for "objectclass=sambaDomain" I
> get nothing back.
>
> I believe the "Already exists" is erroneous, but I don't know why.
>
> -Mont
>
>
> On 3/14/06, Mont Rothstein wrote:
> I am trying to follow
> http://directory.fedora.redhat.com/wiki/Howto:Samba and
> running into trouble.
>
> I'm at the "Populating FDS with PDC Entry" section.
I get my
> SID, and create my domainName.ldif file as specified (contents
> below).
>
> I then run the command:
>
> /opt/fedora-ds/slapd-rheles4rs1/ldif2ldap "cn=Directory manager" myDMPassword /tmp/forayadams.ldif
> What this gives me is:
>
> adding new entry
> sambaDomainName=forayadams,dc=forayadams,dc=foray,dc=com
> ldap_add: Already exists
>
> I can't find anything on this.
>
> None of the log files (admin-serv/logs/access,
> admin-serv/logs/error, slapd-rheles4rs1/logs/access,
> slapd-rheles4rs1/logs/errors) show anything when I issue this
> command.
>
> Any ideas as to what I've done wrong?
>
> Thanks,
> -Mont
>
> Contents of my /tmp/forayadams.ldif:
>
> dn: sambaDomainName=forayadams,dc=forayadams,dc=foray,dc=com
> objectclass: sambaDomain
> objectclass: sambaUnixIDPool
> objectclass: top
> sambaDomainName: forayadams
> sambaSID: S-1-5-21-807157010-1821471989-4121009367
> uidNumber: 550
> gidNumber: 550
>

From prowley at redhat.com Wed Mar 15 19:40:10 2006
From: prowley at redhat.com (Pete Rowley)
Date: Wed, 15 Mar 2006 11:40:10 -0800
Subject: [Fedora-directory-users] Re: Trouble Populating FDS with PDC Entry
In-Reply-To: <467a83630603151011m19531c9ft893636f8b5695544@mail.gmail.com>
References: <467a83630603141649w1a207c6fn6998d656027d2c89@mail.gmail.com> <467a83630603151011m19531c9ft893636f8b5695544@mail.gmail.com>
Message-ID: <44186D9A.4000308@redhat.com>

Mont Rothstein wrote:

> Just to clarify, if I do a ldapsearch for "objectclass=sambaDomain" I
> get nothing back.
>
> I believe the "Already exists" is erroneous, but I don't know why.
>
If the server says it is there it is there. So, either the entry does
not have the sambaDomain objectclass or the user you are using to search
for the entry does not have permission to see it.
Try a base scope
search with basedn
sambaDomainName=forayadams,dc=forayadams,dc=foray,dc=com using
cn=Directory Manager as your bind id and objectclass=* for the filter.

--
Pete
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3241 bytes
Desc: S/MIME Cryptographic Signature
URL:

From mont.rothstein at gmail.com Wed Mar 15 20:03:14 2006
From: mont.rothstein at gmail.com (Mont Rothstein)
Date: Wed, 15 Mar 2006 12:03:14 -0800
Subject: [Fedora-directory-users] Re: Trouble Populating FDS with PDC Entry
In-Reply-To: <44186D9A.4000308@redhat.com>
References: <467a83630603141649w1a207c6fn6998d656027d2c89@mail.gmail.com> <467a83630603151011m19531c9ft893636f8b5695544@mail.gmail.com> <44186D9A.4000308@redhat.com>
Message-ID: <467a83630603151203k59c7dbc8ve866924acc4f805e@mail.gmail.com>

Thanks Pete.

I am now finding it, I'm not sure if I was typing something wrong before or
it is the reboot I just did, but I now find the entry.

I'm not sure how it got there but it is there.

I tried to add the ldif file a single time before I got the already exists
error, but on that try I had mistyped the password and it complained about
it.

Could the fact that I was running as root have forced it to add even though
my directory manager password was wrong?

Thanks again,
-Mont

On 3/15/06, Pete Rowley wrote:
>
> Mont Rothstein wrote:
>
> > Just to clarify, if I do a ldapsearch for "objectclass=sambaDomain" I
> > get nothing back.
> >
> > I believe the "Already exists" is erroneous, but I don't know why.
> >
> If the server says it is there it is there. So, either the entry does
> not have the sambaDomain objectclass or the user you are using to search
> for the entry does not have permission to see it. Try a base scope
> search with basedn
> sambaDomainName=forayadams,dc=forayadams,dc=foray,dc=com using
> cn=Directory Manager as your bind id and objectclass=* for the filter.
>
> --
> Pete
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From prowley at redhat.com Wed Mar 15 21:17:18 2006
From: prowley at redhat.com (Pete Rowley)
Date: Wed, 15 Mar 2006 13:17:18 -0800
Subject: [Fedora-directory-users] Re: Trouble Populating FDS with PDC Entry
In-Reply-To: <467a83630603151203k59c7dbc8ve866924acc4f805e@mail.gmail.com>
References: <467a83630603141649w1a207c6fn6998d656027d2c89@mail.gmail.com> <467a83630603151011m19531c9ft893636f8b5695544@mail.gmail.com> <44186D9A.4000308@redhat.com> <467a83630603151203k59c7dbc8ve866924acc4f805e@mail.gmail.com>
Message-ID: <4418845E.5020202@redhat.com>

Mont Rothstein wrote:

> Could the fact that I was running as root have forced it to add even
> though my directory manager password was wrong?
>
No. The credentials are entirely different.

--
Pete
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3241 bytes
Desc: S/MIME Cryptographic Signature
URL:

From mont.rothstein at gmail.com Wed Mar 15 22:18:42 2006
From: mont.rothstein at gmail.com (Mont Rothstein)
Date: Wed, 15 Mar 2006 14:18:42 -0800
Subject: [Fedora-directory-users] Re: Trouble Populating FDS with PDC Entry
In-Reply-To: <4418845E.5020202@redhat.com>
References: <467a83630603141649w1a207c6fn6998d656027d2c89@mail.gmail.com> <467a83630603151011m19531c9ft893636f8b5695544@mail.gmail.com> <44186D9A.4000308@redhat.com> <467a83630603151203k59c7dbc8ve866924acc4f805e@mail.gmail.com> <4418845E.5020202@redhat.com>
Message-ID: <467a83630603151418g5bff4203lf1513637ca8e3bf1@mail.gmail.com>

Hmm, I didn't think so but I thought I'd ask because I then have no idea how
it got added.
I'm going to re-build the whole thing from scratch once I get all the way
through, so perhaps I will determine where this got added then.

Thanks,
-Mont

On 3/15/06, Pete Rowley wrote:
>
> Mont Rothstein wrote:
>
> > Could the fact that I was running as root have forced it to add even
> > though my directory manager password was wrong?
> >
> No. The credentials are entirely different.
>
> --
> Pete
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From mont.rothstein at gmail.com Wed Mar 15 22:57:02 2006
From: mont.rothstein at gmail.com (Mont Rothstein)
Date: Wed, 15 Mar 2006 14:57:02 -0800
Subject: [Fedora-directory-users] migrate_common.ph on RHEL ES4
Message-ID: <467a83630603151457h4e7b5959uad9226e8118eeaf7@mail.gmail.com>

I am running RHEL ES4 and the FDS/Samba integration HowTo:

http://directory.fedora.redhat.com/wiki/Howto:Samba

calls for the use of:

/usr/share/openldap/migration/migrate_common.ph

which does not exist. In fact, /usr/share/openldap exists but is empty.

Do I have to install openldap just to get this, or is there somewhere I can
download it from?

Thanks,
-Mont
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From craigwhite at azapple.com Wed Mar 15 23:06:49 2006
From: craigwhite at azapple.com (Craig White)
Date: Wed, 15 Mar 2006 16:06:49 -0700
Subject: [Fedora-directory-users] migrate_common.ph on RHEL ES4
In-Reply-To: <467a83630603151457h4e7b5959uad9226e8118eeaf7@mail.gmail.com>
References: <467a83630603151457h4e7b5959uad9226e8118eeaf7@mail.gmail.com>
Message-ID: <1142464009.2835.129.camel@lin-workstation.azapple.com>

On Wed, 2006-03-15 at 14:57 -0800, Mont Rothstein wrote:
> I am running RHEL ES4 and the FDS/Samba integration HowTo:
>
> http://directory.fedora.redhat.com/wiki/Howto:Samba
>
> calls for the use of:
>
> /usr/share/openldap/migration/migrate_common.ph
>
> which does not exist. In fact, /usr/share/openldap exists but is
> empty.
>
> Do I have to install openldap just to get this, or is there somewhere
> I can download it from?
----
rpm -q --whatprovides /usr/share/openldap/migration/migrate_common.ph
openldap-servers-2.2.13-4

up2date openldap-servers

Craig

From gholbert at broadcom.com Wed Mar 15 23:09:05 2006
From: gholbert at broadcom.com (George Holbert)
Date: Wed, 15 Mar 2006 15:09:05 -0800
Subject: [Fedora-directory-users] migrate_common.ph on RHEL ES4
In-Reply-To: <1142464009.2835.129.camel@lin-workstation.azapple.com>
References: <467a83630603151457h4e7b5959uad9226e8118eeaf7@mail.gmail.com> <1142464009.2835.129.camel@lin-workstation.azapple.com>
Message-ID: <44189E91.9020102@broadcom.com>

If you prefer, you can also get this directly from PADL:
http://www.padl.com/download/MigrationTools.tar.gz

Craig White wrote:
> On Wed, 2006-03-15 at 14:57 -0800, Mont Rothstein wrote:
>
>> I am running RHEL ES4 and the FDS/Samba integration HowTo:
>>
>> http://directory.fedora.redhat.com/wiki/Howto:Samba
>>
>> calls for the use of:
>>
>> /usr/share/openldap/migration/migrate_common.ph
>>
>> which does not exist. In fact, /usr/share/openldap exists but is
>> empty.
>>
>> Do I have to install openldap just to get this, or is there somewhere
>> I can download it from?
>>
> ----
> rpm -q --whatprovides /usr/share/openldap/migration/migrate_common.ph
> openldap-servers-2.2.13-4
>
> up2date openldap-servers
>
> Craig
>

From mont.rothstein at gmail.com Wed Mar 15 23:15:49 2006
From: mont.rothstein at gmail.com (Mont Rothstein)
Date: Wed, 15 Mar 2006 15:15:49 -0800
Subject: [Fedora-directory-users] migrate_common.ph on RHEL ES4
In-Reply-To: <44189E91.9020102@broadcom.com>
References: <467a83630603151457h4e7b5959uad9226e8118eeaf7@mail.gmail.com> <1142464009.2835.129.camel@lin-workstation.azapple.com> <44189E91.9020102@broadcom.com>
Message-ID: <467a83630603151515y5a951f84if273a25679e1640d@mail.gmail.com>

Thanks for the download link.

Do you know if these tools are fairly stable? I am creating instructions
that we will use to build servers for some time and I'm wondering if I can
just include a copy with our instructions, or if we will need to download
the most recent every time.

Thanks,
-Mont

On 3/15/06, George Holbert wrote:
>
> If you prefer, you can also get this directly from PADL:
> http://www.padl.com/download/MigrationTools.tar.gz
>
> Craig White wrote:
> > On Wed, 2006-03-15 at 14:57 -0800, Mont Rothstein wrote:
> >
> >> I am running RHEL ES4 and the FDS/Samba integration HowTo:
> >>
> >> http://directory.fedora.redhat.com/wiki/Howto:Samba
> >>
> >> calls for the use of:
> >>
> >> /usr/share/openldap/migration/migrate_common.ph
> >>
> >> which does not exist. In fact, /usr/share/openldap exists but is
> >> empty.
> >>
> >> Do I have to install openldap just to get this, or is there somewhere
> >> I can download it from?
> >>
> > ----
> > rpm -q --whatprovides /usr/share/openldap/migration/migrate_common.ph
> > openldap-servers-2.2.13-4
> >
> > up2date openldap-servers
> >
> > Craig
> >
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gholbert at broadcom.com Wed Mar 15 23:23:21 2006
From: gholbert at broadcom.com (George Holbert)
Date: Wed, 15 Mar 2006 15:23:21 -0800
Subject: [Fedora-directory-users] migrate_common.ph on RHEL ES4
In-Reply-To: <467a83630603151515y5a951f84if273a25679e1640d@mail.gmail.com>
References: <467a83630603151457h4e7b5959uad9226e8118eeaf7@mail.gmail.com> <1142464009.2835.129.camel@lin-workstation.azapple.com> <44189E91.9020102@broadcom.com> <467a83630603151515y5a951f84if273a25679e1640d@mail.gmail.com>
Message-ID: <4418A1E9.3010603@broadcom.com>

Take a look at the directory index (http://www.padl.com/download) and
you'll see how often they're updated.

Mont Rothstein wrote:
> Thanks for the download link.
>
> Do you know if these tools are fairly stable? I am creating
> instructions that we will use to build servers for some time and I'm
> wondering if I can just include a copy with our instructions, or if we
> will need to download the most recent every time.
>
> Thanks,
> -Mont
>
>
> On 3/15/06, *George Holbert* wrote:
>
> If you prefer, you can also get this directly from PADL:
> http://www.padl.com/download/MigrationTools.tar.gz
>
> Craig White wrote:
> > On Wed, 2006-03-15 at 14:57 -0800, Mont Rothstein wrote:
> >
> >> I am running RHEL ES4 and the FDS/Samba integration HowTo:
> >>
> >> http://directory.fedora.redhat.com/wiki/Howto:Samba
> >>
> >> calls for the use of:
> >>
> >> /usr/share/openldap/migration/migrate_common.ph
> >>
> >> which does not exist. In fact, /usr/share/openldap exists but is
> >> empty.
> >>
> >> Do I have to install openldap just to get this, or is there somewhere
> >> I can download it from?
> >>
> > ----
> > rpm -q --whatprovides /usr/share/openldap/migration/migrate_common.ph
> > openldap-servers-2.2.13-4
> >
> > up2date openldap-servers
> >
> > Craig
>

From logastellus at yahoo.com Thu Mar 16 15:11:28 2006
From: logastellus at yahoo.com (Susan)
Date: Thu, 16 Mar 2006 07:11:28 -0800 (PST)
Subject: [Fedora-directory-users] adding a user to multiple groups
In-Reply-To: <8695F3D3-39C2-40A7-BDB2-0E992CDD97D8@imperial.ac.uk>
Message-ID: <20060316151128.99693.qmail@web52903.mail.yahoo.com>

--- "Sharpe, Sam J" wrote:

> >> [root at acmegrid1 ~]# /etc/init.d/nscd stop
> >> Stopping nscd: [ OK ]
> >> [root at acmegrid1 ~]# id -G test
> >> 1234
>
> > If you are running nscd you need to try
> > as root service nscd reload
>
> What Sarah did is stop
nscd, then did an id lookup while nscd is
> stopped. It is certainly a valid test.
>
> The problem is that a stop/start does not invalidate the nscd cache -
> a simple "nscd -i passwd ; nscd -i group" will do that without a
> service reload.
>

Ah -- didn't know this one! Thank you, Sam..

From dshackel at arbor.edu Thu Mar 16 19:31:47 2006
From: dshackel at arbor.edu (Daniel Shackelford)
Date: Thu, 16 Mar 2006 14:31:47 -0500
Subject: [Fedora-directory-users] PasSync
Message-ID: <4419BD23.8040908@arbor.edu>

Hello all,

I moved the Password Sync Service to another server and now I am having
some trouble with this:

"Failed to load entries from file"

in the passync.log file

I see connections on our FDS, but I am not seeing passwords change. Any
ideas?

--
Daniel Shackelford
Systems Administrator
Technology Services
Spring Arbor University
517 750-6648

"For even the Son of Man did not come to be served, but to serve, and to give His life a ransom for many" Mark 10:45

From mont.rothstein at gmail.com Fri Mar 17 00:23:27 2006
From: mont.rothstein at gmail.com (Mont Rothstein)
Date: Thu, 16 Mar 2006 16:23:27 -0800
Subject: [Fedora-directory-users] Adding Samba Groups to FDS
Message-ID: <467a83630603161623g53c57a23webb5811cd7939a69@mail.gmail.com>

I am (still) following the How To for integrating Samba with FDS and I am
working on adding Samba groups to FDS.

Everything went well until I got to the "net groupmap" section.

For each net groupmap command I got a "Can't lookup UNIX group Domain
Admins" message.

Were the group names specified in the previous steps merely examples? I
have a bare install and haven't created any groups in unix (other than those
created with new users) nor have I created any in Samba.

If they were not simply examples are these messages expected or is something
else wrong?

Thanks,
-Mont
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From mont.rothstein at gmail.com Fri Mar 17 00:27:43 2006
From: mont.rothstein at gmail.com (Mont Rothstein)
Date: Thu, 16 Mar 2006 16:27:43 -0800
Subject: [Fedora-directory-users] Reporting errors in a How To
Message-ID: <467a83630603161627p29fc4387i963c07f9d5f317f4@mail.gmail.com>

I've been using http://directory.fedora.redhat.com/wiki/Howto:Samba and I
have found a few errors.

I can't seem to request an account in the wiki (the new user form is never
displayed for me).

Does anyone know how else I might report these issues?

Thanks,
-Mont
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From prowley at redhat.com Fri Mar 17 00:33:28 2006
From: prowley at redhat.com (Pete Rowley)
Date: Thu, 16 Mar 2006 16:33:28 -0800
Subject: [Fedora-directory-users] Reporting errors in a How To
In-Reply-To: <467a83630603161627p29fc4387i963c07f9d5f317f4@mail.gmail.com>
References: <467a83630603161627p29fc4387i963c07f9d5f317f4@mail.gmail.com>
Message-ID: <441A03D8.1070208@redhat.com>

Mont Rothstein wrote:

> Does anyone know how else I might report these issues?
>
Feel free to file bugs: http://directory.fedora.redhat.com/wiki/Bugs

--
Pete
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3241 bytes
Desc: S/MIME Cryptographic Signature
URL:

From prowley at redhat.com Fri Mar 17 00:38:50 2006
From: prowley at redhat.com (Pete Rowley)
Date: Thu, 16 Mar 2006 16:38:50 -0800
Subject: [Fedora-directory-users] Adding Samba Groups to FDS
In-Reply-To: <467a83630603161623g53c57a23webb5811cd7939a69@mail.gmail.com>
References: <467a83630603161623g53c57a23webb5811cd7939a69@mail.gmail.com>
Message-ID: <441A051A.7000305@redhat.com>

Mont Rothstein wrote:

> Were the group names specified in the previous steps merely examples?
> I have a bare install and haven't created any groups in unix (other
> than those created with new users) nor have I created any in Samba.
>
They are not examples, but you will have to change DN's etc.

--
Pete

From mont.rothstein at gmail.com Fri Mar 17 00:45:31 2006
From: mont.rothstein at gmail.com (Mont Rothstein)
Date: Thu, 16 Mar 2006 16:45:31 -0800
Subject: [Fedora-directory-users] Reporting errors in a How To
In-Reply-To: <441A03D8.1070208@redhat.com>
References: <467a83630603161627p29fc4387i963c07f9d5f317f4@mail.gmail.com> <441A03D8.1070208@redhat.com>
Message-ID: <467a83630603161645v5f7db4dfy20c1f48df8e43629@mail.gmail.com>

Thanks, I will.

-Mont

On 3/16/06, Pete Rowley wrote:
>
> Mont Rothstein wrote:
>
> > Does anyone know how else I might report these issues?
> >
> Feel free to file bugs: http://directory.fedora.redhat.com/wiki/Bugs
>
> --
> Pete
>

From mont.rothstein at gmail.com Fri Mar 17 00:53:41 2006
From: mont.rothstein at gmail.com (Mont Rothstein)
Date: Thu, 16 Mar 2006 16:53:41 -0800
Subject: [Fedora-directory-users] Adding Samba Groups to FDS
In-Reply-To: <441A051A.7000305@redhat.com>
References: <467a83630603161623g53c57a23webb5811cd7939a69@mail.gmail.com> <441A051A.7000305@redhat.com>
Message-ID: <467a83630603161653g4604b36ah777cc454f1cef34b@mail.gmail.com>

I apologize for being so ignorant but I don't know what you mean by "change DNs etc".

In my sambaGroups.ldif my dn's look like:

dn: cn=Domain Admins,ou=Groups,dc=forayadams,dc=foray,dc=com

which as far as I know is correct for my setup.

What am I missing?

Thanks,
-Mont

On 3/16/06, Pete Rowley wrote:
>
> Mont Rothstein wrote:
>
> > Were the group names specified in the previous steps merely examples?
> > I have a bare install and haven't created any groups in unix (other
> > than those created with new users) nor have I created any in Samba.
> >
> They are not examples, but you will have to change DN's etc.
>
>
> --
> Pete
>

From prowley at redhat.com Fri Mar 17 01:09:02 2006
From: prowley at redhat.com (Pete Rowley)
Date: Thu, 16 Mar 2006 17:09:02 -0800
Subject: [Fedora-directory-users] Adding Samba Groups to FDS
In-Reply-To: <467a83630603161653g4604b36ah777cc454f1cef34b@mail.gmail.com>
References: <467a83630603161623g53c57a23webb5811cd7939a69@mail.gmail.com> <441A051A.7000305@redhat.com> <467a83630603161653g4604b36ah777cc454f1cef34b@mail.gmail.com>
Message-ID: <441A0C2E.1010704@redhat.com>

Mont Rothstein wrote:

> I apologize for being so ignorant but I don't know what you mean by
> "change DNs etc".
>
> In my sambaGroups.ldif my dn's look like:
>
> dn: cn=Domain Admins,ou=Groups,dc=forayadams,dc=foray,dc=com
>
> which as far as I know is correct for my setup.
>
> What am I missing?

That's fine, I was simply referring to the suffix.

--
Pete

From mont.rothstein at gmail.com Fri Mar 17 01:16:45 2006
From: mont.rothstein at gmail.com (Mont Rothstein)
Date: Thu, 16 Mar 2006 17:16:45 -0800
Subject: [Fedora-directory-users] Adding Samba Groups to FDS
In-Reply-To: <441A0C2E.1010704@redhat.com>
References: <467a83630603161623g53c57a23webb5811cd7939a69@mail.gmail.com> <441A051A.7000305@redhat.com> <467a83630603161653g4604b36ah777cc454f1cef34b@mail.gmail.com> <441A0C2E.1010704@redhat.com>
Message-ID: <467a83630603161716y3617738bj95b3613642918f8a@mail.gmail.com>

If my dn is fine then do you know why I am getting the "Can't lookup UNIX group Domain Admins" message?

Can I safely ignore it?

-Mont

On 3/16/06, Pete Rowley wrote:
>
> Mont Rothstein wrote:
>
> > I apologize for being so ignorant but I don't know what you mean by
> > "change DNs etc".
> >
> > In my sambaGroups.ldif my dn's look like:
> >
> > dn: cn=Domain Admins,ou=Groups,dc=forayadams,dc=foray,dc=com
> >
> > which as far as I know is correct for my setup.
> >
> > What am I missing?
>
> That's fine, I was simply referring to the suffix.
>
> --
> Pete
>

From prowley at redhat.com Fri Mar 17 01:30:59 2006
From: prowley at redhat.com (Pete Rowley)
Date: Thu, 16 Mar 2006 17:30:59 -0800
Subject: [Fedora-directory-users] Adding Samba Groups to FDS
In-Reply-To: <467a83630603161716y3617738bj95b3613642918f8a@mail.gmail.com>
References: <467a83630603161623g53c57a23webb5811cd7939a69@mail.gmail.com> <441A051A.7000305@redhat.com> <467a83630603161653g4604b36ah777cc454f1cef34b@mail.gmail.com> <441A0C2E.1010704@redhat.com> <467a83630603161716y3617738bj95b3613642918f8a@mail.gmail.com>
Message-ID: <441A1153.6010302@redhat.com>

Mont Rothstein wrote:

> If my dn is fine then do you know why I am getting the "Can't lookup
> UNIX group Domain Admins" message?
>
> Can I safely ignore it?
>
When you do an ldap search using the credentials that Samba uses, can you see those entries?

--
Pete

From craigwhite at azapple.com Fri Mar 17 05:33:54 2006
From: craigwhite at azapple.com (Craig White)
Date: Thu, 16 Mar 2006 22:33:54 -0700
Subject: [Fedora-directory-users] Adding Samba Groups to FDS
In-Reply-To: <467a83630603161653g4604b36ah777cc454f1cef34b@mail.gmail.com>
References: <467a83630603161623g53c57a23webb5811cd7939a69@mail.gmail.com> <441A051A.7000305@redhat.com> <467a83630603161653g4604b36ah777cc454f1cef34b@mail.gmail.com>
Message-ID: <1142573634.11115.154.camel@lin-workstation.azapple.com>

grep Groups /etc/ldap.conf

I bet you get nothing...

then

grep Group /etc/ldap.conf

I think your answer lies within

Craig

On Thu, 2006-03-16 at 16:53 -0800, Mont Rothstein wrote:
> I apologize for being so ignorant but I don't know what you mean by
> "change DNs etc".
>
> In my sambaGroups.ldif my dn's look like:
>
> dn: cn=Domain Admins,ou=Groups,dc=forayadams,dc=foray,dc=com
>
> which as far as I know is correct for my setup.
>
> What am I missing?
>
> Thanks,
> -Mont
>
>
> On 3/16/06, Pete Rowley wrote:
> Mont Rothstein wrote:
>
> > Were the group names specified in the previous steps merely
> examples?
> > I have a bare install and haven't created any groups in unix
> (other
> > than those created with new users) nor have I created any in
> Samba.
> >
> They are not examples, but you will have to change DN's etc.
>
>
> --
> Pete

From mont.rothstein at gmail.com Fri Mar 17 16:58:19 2006
From: mont.rothstein at gmail.com (Mont Rothstein)
Date: Fri, 17 Mar 2006 08:58:19 -0800
Subject: [Fedora-directory-users] Adding Samba Groups to FDS
In-Reply-To: <441A1153.6010302@redhat.com>
References: <467a83630603161623g53c57a23webb5811cd7939a69@mail.gmail.com> <441A051A.7000305@redhat.com> <467a83630603161653g4604b36ah777cc454f1cef34b@mail.gmail.com> <441A0C2E.1010704@redhat.com> <467a83630603161716y3617738bj95b3613642918f8a@mail.gmail.com> <441A1153.6010302@redhat.com>
Message-ID: <467a83630603170858h1e9f542cob567c4a851c2a4e0@mail.gmail.com>

Here is the output I get:

./ldapsearch -p 3911 -b "dc=forayadams,dc=foray,dc=com" -D "cn=directory manager" -w - "objectclass=*" | grep Domain
Enter bind password:
dn: sambaDomainName=FORAYADAMS,dc=forayadams,dc=foray,dc=com
sambaDomainName: FORAYADAMS
objectClass: sambaDomain
dn: cn=Domain Admins,ou=Groups,dc=forayadams,dc=foray,dc=com
cn: Domain Admins
dn: cn=Domain Users,ou=Groups,dc=forayadams,dc=foray,dc=com
cn: Domain Users
dn: cn=Domain Guests,ou=Groups,dc=forayadams,dc=foray,dc=com
cn: Domain Guests
dn: cn=Domain Computers,ou=Groups,dc=forayadams,dc=foray,dc=com
cn: Domain Computers

So, the groups appear to be in FDS but it sounded like it couldn't see them in Unix.

Thoughts?

-Mont

On 3/16/06, Pete Rowley wrote:
>
> Mont Rothstein wrote:
>
> > If my dn is fine then do you know why I am getting the "Can't lookup
> > UNIX group Domain Admins" message?
> >
> > Can I safely ignore it?
> >
> When you do an ldap search using the credentials that Samba uses, can
> you see those entries?
>
> --
> Pete
>

From mont.rothstein at gmail.com Fri Mar 17 17:41:53 2006
From: mont.rothstein at gmail.com (Mont Rothstein)
Date: Fri, 17 Mar 2006 09:41:53 -0800
Subject: [Fedora-directory-users] Adding Samba Groups to FDS
In-Reply-To: <1142573634.11115.154.camel@lin-workstation.azapple.com>
References: <467a83630603161623g53c57a23webb5811cd7939a69@mail.gmail.com> <441A051A.7000305@redhat.com> <467a83630603161653g4604b36ah777cc454f1cef34b@mail.gmail.com> <1142573634.11115.154.camel@lin-workstation.azapple.com>
Message-ID: <467a83630603170941j4768c4b0sf77dbd87a4dac3e7@mail.gmail.com>

I get output for both, but it is all commented out. I don't know what this means.

Here is my output:

[root@rheles4rs1 bin]# grep Groups /etc/ldap.conf
#pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com
[root@rheles4rs1 bin]# grep Group /etc/ldap.conf
# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com
# Group member attribute
#nss_base_group ou=Group,dc=example,dc=com?one
#nss_map_objectclass posixGroup Group
#nss_map_objectclass posixGroup Group
#nss_map_objectclass posixGroup group
#nss_map_objectclass posixGroup aixAccessGroup

Does this mean something to you?

-Mont

On 3/16/06, Craig White wrote:
>
> grep Groups /etc/ldap.conf
>
> I bet you get nothing...
>
> then
>
> grep Group /etc/ldap.conf
>
> I think your answer lies within
>
> Craig
>
> On Thu, 2006-03-16 at 16:53 -0800, Mont Rothstein wrote:
> > I apologize for being so ignorant but I don't know what you mean by
> > "change DNs etc".
> >
> > In my sambaGroups.ldif my dn's look like:
> >
> > dn: cn=Domain Admins,ou=Groups,dc=forayadams,dc=foray,dc=com
> >
> > which as far as I know is correct for my setup.
> >
> > What am I missing?
> >
> > Thanks,
> > -Mont
> >
> >
> > On 3/16/06, Pete Rowley wrote:
> > Mont Rothstein wrote:
> >
> > > Were the group names specified in the previous steps merely
> > examples?
> > > I have a bare install and haven't created any groups in unix
> > (other
> > > than those created with new users) nor have I created any in
> > Samba.
> > >
> > They are not examples, but you will have to change DN's etc.
> >
> >
> > --
> > Pete

From craigwhite at azapple.com Fri Mar 17 17:56:48 2006
From: craigwhite at azapple.com (Craig White)
Date: Fri, 17 Mar 2006 10:56:48 -0700
Subject: [Fedora-directory-users] Adding Samba Groups to FDS
In-Reply-To: <467a83630603170941j4768c4b0sf77dbd87a4dac3e7@mail.gmail.com>
References: <467a83630603161623g53c57a23webb5811cd7939a69@mail.gmail.com> <441A051A.7000305@redhat.com> <467a83630603161653g4604b36ah777cc454f1cef34b@mail.gmail.com> <1142573634.11115.154.camel@lin-workstation.azapple.com> <467a83630603170941j4768c4b0sf77dbd87a4dac3e7@mail.gmail.com>
Message-ID: <1142618208.19371.55.camel@lin-workstation.azapple.com>

of course...it is why

nss_base_passwd works and why
nss_base_group doesn't work

and why getent passwd works and why
getent group doesn't work

Craig

On Fri, 2006-03-17 at 09:41 -0800, Mont Rothstein wrote:
> I get output for both, but it is all commented out. I don't know what
> this means.
>
> Here is my output:
>
> [root@rheles4rs1 bin]# grep Groups /etc/ldap.conf #pam_groupdn
> cn=PAM,ou=Groups,dc=example,dc=com
> [root@rheles4rs1 bin]# grep Group /etc/ldap.conf # Group to enforce
> membership of
> #pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com
> # Group member attribute
> #nss_base_group ou=Group,dc=example,dc=com?one
> #nss_map_objectclass posixGroup Group
> #nss_map_objectclass posixGroup Group
> #nss_map_objectclass posixGroup group
> #nss_map_objectclass posixGroup aixAccessGroup
>
>
> Does this mean something to you?
>
> -Mont
>
>
> On 3/16/06, Craig White wrote:
> grep Groups /etc/ldap.conf
>
> I bet you get nothing...
>
> then
>
> grep Group /etc/ldap.conf
>
> I think your answer lies within
>
> Craig
>
> On Thu, 2006-03-16 at 16:53 -0800, Mont Rothstein wrote:
> > I apologize for being so ignorant but I don't know what you
> mean by
> > "change DNs etc".
> >
> > In my sambaGroups.ldif my dn's look like:
> >
> > dn: cn=Domain
> Admins,ou=Groups,dc=forayadams,dc=foray,dc=com
> >
> > which as far as I know is correct for my setup.
> >
> > What am I missing?
> >
> > Thanks,
> > -Mont
> >
> >
> > On 3/16/06, Pete Rowley wrote:
> > Mont Rothstein wrote:
> >
> > > Were the group names specified in the previous
> steps merely
> > examples?
> > > I have a bare install and haven't created any
> groups in unix
> > (other
> > > than those created with new users) nor have I
> created any in
> > Samba.
> > >
> > They are not examples, but you will have to change
> DN's etc.
> >
> >
> > --
> > Pete

From magobin at gmail.com Fri Mar 17 18:06:49 2006
From: magobin at gmail.com (Alex)
Date: Fri, 17 Mar 2006 19:06:49 +0100
Subject: [Fedora-directory-users] Installing Fedora DS on HA cluster !
Message-ID: <441afac1.076bf9c0.2f0b.1521@mx.gmail.com>

Hi,
I'm preparing to install Fedora DS on a HA cluster (only two node for now)
Have someone any tips or recommendations ?

Thanks in advance!

Alex

From felipe.alfaro at gmail.com Fri Mar 17 18:11:14 2006
From: felipe.alfaro at gmail.com (Felipe Alfaro Solana)
Date: Fri, 17 Mar 2006 19:11:14 +0100
Subject: [Fedora-directory-users] Installing Fedora DS on HA cluster !
In-Reply-To: <441afac1.076bf9c0.2f0b.1521@mx.gmail.com>
References: <441afac1.076bf9c0.2f0b.1521@mx.gmail.com>
Message-ID: <6f6293f10603171011x54496b76x48e99a9e6b7ee787@mail.gmail.com>

> I'm preparing to install Fedora DS on a HA cluster (only two node for now)
> Have someone any tips or recommendations ?

Typically speaking, rarely should you configure a Directory Server in HA Clustering. Instead, install two instances, one on each machine, and configure master-master replication.

From magobin at gmail.com Fri Mar 17 19:08:12 2006
From: magobin at gmail.com (Alex)
Date: Fri, 17 Mar 2006 20:08:12 +0100
Subject: R: [Fedora-directory-users] Installing Fedora DS on HA cluster !
In-Reply-To: <6f6293f10603171011x54496b76x48e99a9e6b7ee787@mail.gmail.com>
Message-ID: <441b0925.7774bbf6.30de.fffffdbf@mx.gmail.com>

> Typically speaking, rarely should you configure a Directory
> Server in HA Clustering. Instead, install two instances, one
> on each machine, and configure master-master replication.
>

Uhm...yes you are in right, but in that case...I have to use the real address of each node...and in this case I fall in security issue...

Regards
Alex

From logastellus at yahoo.com Fri Mar 17 19:28:05 2006
From: logastellus at yahoo.com (Susan)
Date: Fri, 17 Mar 2006 11:28:05 -0800 (PST)
Subject: [Fedora-directory-users] Installing Fedora DS on HA cluster !
In-Reply-To: <6f6293f10603171011x54496b76x48e99a9e6b7ee787@mail.gmail.com>
Message-ID: <20060317192805.58358.qmail@web52909.mail.yahoo.com>

--- Felipe Alfaro Solana wrote:

> > I'm preparing to install Fedora DS on a HA cluster (only two node for now)
> > Have someone any tips or recommendations ?
>
> Typically speaking, rarely should you configure a Directory Server in
> HA Clustering. Instead, install two instances, one on each machine,
> and configure master-master replication.

the limitation of MM replication is that it doesn't replicate FDS settings. So, if I change say the password storage scheme on 1 server, I must go and change it on the other.

If you can get a gfs-managed shared storage, with 2 machines & an ip address takeover, it could be a pretty good solution.

From logastellus at yahoo.com Fri Mar 17 19:31:04 2006
From: logastellus at yahoo.com (Susan)
Date: Fri, 17 Mar 2006 11:31:04 -0800 (PST)
Subject: R: [Fedora-directory-users] Installing Fedora DS on HA cluster !
In-Reply-To: <441b0925.7774bbf6.30de.fffffdbf@mx.gmail.com>
Message-ID: <20060317193105.73100.qmail@web52913.mail.yahoo.com>

--- Alex wrote:

>
> > Typically speaking, rarely should you configure a Directory
> > Server in HA Clustering. Instead, install two instances, one
> > on each machine, and configure master-master replication.
> >
>
>
>
> Uhm...yes you are in right, but in that case...I have to use the real
> address of each node...and in this case I fall in security issue...

are your FD servers on a DMZ or something? You could setup ip takeover but manage the database with fedora's MMR. It works quite nicely and is really easy to setup, using mmr.pl script provided on the FDS wiki.

From felipe.alfaro at gmail.com Fri Mar 17 22:43:30 2006
From: felipe.alfaro at gmail.com (Felipe Alfaro Solana)
Date: Fri, 17 Mar 2006 23:43:30 +0100
Subject: [Fedora-directory-users] Installing Fedora DS on HA cluster !
In-Reply-To: <20060317192805.58358.qmail@web52909.mail.yahoo.com>
References: <6f6293f10603171011x54496b76x48e99a9e6b7ee787@mail.gmail.com> <20060317192805.58358.qmail@web52909.mail.yahoo.com>
Message-ID: <6f6293f10603171443t10374ed6j1d38e29a9889ff48@mail.gmail.com>

> the limitation of MM replication is that it doesn't replicate FDS settings.

You can also replicate the o=netscape config DIT subtree, can't you?

From magobin at gmail.com Sat Mar 18 07:29:19 2006
From: magobin at gmail.com (Alex)
Date: Sat, 18 Mar 2006 08:29:19 +0100
Subject: R: R: [Fedora-directory-users] Installing Fedora DS on HA cluster !
In-Reply-To: <20060317193105.73100.qmail@web52913.mail.yahoo.com>
Message-ID: <441bb6d9.738acc05.03d5.fffff980@mx.gmail.com>

> are your FD servers on a DMZ or something? You could setup
> ip takeover but manage the database with fedora's MMR.
It
> works quite nicely and is really easy to setup, using mmr.pl
> script provided on the FDS wiki.
>

In this moment i have only a cluster (redhat Cluster suite)....there isn't a DMZ...so you say to use a floating Ip (that is a rule in a cluster) and then manage database with multi master replication? In this way I have to setup two instances of fedora DS as Alvaro says. Can you make an example or some link where to see an implementation??

Regards
Alex

From magobin at gmail.com Sat Mar 18 08:18:21 2006
From: magobin at gmail.com (Alex)
Date: Sat, 18 Mar 2006 09:18:21 +0100
Subject: R: R: [Fedora-directory-users] Installing Fedora DS on HA cluster !
In-Reply-To: <20060317193105.73100.qmail@web52913.mail.yahoo.com>
Message-ID: <441bc25a.0cd34171.6619.ffffcb10@mx.gmail.com>

Link to mmr.pl doesn't work any more....

Susan, can you send me that script???

My email is: Magobin gmail com

Thanks in advance!

Alex

From rajkumars at asianetindia.com Mon Mar 20 12:34:06 2006
From: rajkumars at asianetindia.com (Rajkumar S)
Date: Mon, 20 Mar 2006 18:04:06 +0530
Subject: [Fedora-directory-users] Running admin console from a remote machine
Message-ID: <441EA13E.6070005@asianetindia.com>

Hi,

I have installed fedora-ds on a remote machine for which I do not have access to X Window. I have installed admin console in a local box and can connect to server.

From the install doc it seems I need to access from local box at least once, to change the IP Addresses to Allow from: http://www.redhat.com/docs/manuals/dir-server/install/7.1/ch.post.installation.html

But I do not have a means to connect and do this once, is there any other way ?

raj

From rajkumars at asianetindia.com Mon Mar 20 12:47:14 2006
From: rajkumars at asianetindia.com (Rajkumar S)
Date: Mon, 20 Mar 2006 18:17:14 +0530
Subject: [Fedora-directory-users] Running admin console from a remote machine
In-Reply-To: <441EA13E.6070005@asianetindia.com>
References: <441EA13E.6070005@asianetindia.com>
Message-ID: <441EA452.7040107@asianetindia.com>

Rajkumar S wrote:

> But I do not have a means to connect and do this once, is there any
> other way ?

Sorry, Just saw: AdminServerLDAPMgmt HowTO

raj

From logastellus at yahoo.com Mon Mar 20 14:57:52 2006
From: logastellus at yahoo.com (Susan)
Date: Mon, 20 Mar 2006 06:57:52 -0800 (PST)
Subject: [Fedora-directory-users] Installing Fedora DS on HA cluster !
In-Reply-To: <6f6293f10603171443t10374ed6j1d38e29a9889ff48@mail.gmail.com>
Message-ID: <20060320145752.98741.qmail@web52915.mail.yahoo.com>

--- Felipe Alfaro Solana wrote:

> > the limitation of MM replication is that it doesn't replicate FDS settings.
>
> You can also replicate the o=netscape config DIT subtree, can't you?

that's an interesting idea.. Have you tried that, does that work OK?

From felipe.alfaro at gmail.com Mon Mar 20 15:01:14 2006
From: felipe.alfaro at gmail.com (Felipe Alfaro Solana)
Date: Mon, 20 Mar 2006 16:01:14 +0100
Subject: [Fedora-directory-users] Installing Fedora DS on HA cluster !
In-Reply-To: <20060320145752.98741.qmail@web52915.mail.yahoo.com>
References: <6f6293f10603171443t10374ed6j1d38e29a9889ff48@mail.gmail.com> <20060320145752.98741.qmail@web52915.mail.yahoo.com>
Message-ID: <6f6293f10603200701r7b6e48a8tfd886649b1a8d1fc@mail.gmail.com>

> > You can also replicate the o=netscape config DIT subtree, can't you?
>
> that's an interesting idea.. Have you tried that, does that work OK?

No, I haven't tried, but I guess it should work pretty well. Has anyone? Richard?

From mont.rothstein at gmail.com Mon Mar 20 18:10:25 2006
From: mont.rothstein at gmail.com (Mont Rothstein)
Date: Mon, 20 Mar 2006 10:10:25 -0800
Subject: [Fedora-directory-users] Adding Samba Groups to FDS
In-Reply-To: <1142618208.19371.55.camel@lin-workstation.azapple.com>
References: <467a83630603161623g53c57a23webb5811cd7939a69@mail.gmail.com> <441A051A.7000305@redhat.com> <467a83630603161653g4604b36ah777cc454f1cef34b@mail.gmail.com> <1142573634.11115.154.camel@lin-workstation.azapple.com> <467a83630603170941j4768c4b0sf77dbd87a4dac3e7@mail.gmail.com> <1142618208.19371.55.camel@lin-workstation.azapple.com>
Message-ID: <467a83630603201010k37352541k573ee8ebfea554e8@mail.gmail.com>

Figured this out.

Once again (I think I am being punished) it was the fact that I followed the install guide's advice and didn't use the default port.

Once I added the port to ldap.conf (via a URI) the net groupmap add started working.

-Mont

On 3/17/06, Craig White wrote:
>
> of course...it is why
>
> nss_base_passwd works and why
> nss_base_group doesn't work
>
> and why getent passwd works and why
> getent group doesn't work
>
> Craig
>
> On Fri, 2006-03-17 at 09:41 -0800, Mont Rothstein wrote:
> > I get output for both, but it is all commented out. I don't know what
> > this means.
> >
> > Here is my output:
> >
> > [root@rheles4rs1 bin]# grep Groups /etc/ldap.conf #pam_groupdn
> > cn=PAM,ou=Groups,dc=example,dc=com
> > [root@rheles4rs1 bin]# grep Group /etc/ldap.conf # Group to enforce
> > membership of
> > #pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com
> > # Group member attribute
> > #nss_base_group ou=Group,dc=example,dc=com?one
> > #nss_map_objectclass posixGroup Group
> > #nss_map_objectclass posixGroup Group
> > #nss_map_objectclass posixGroup group
> > #nss_map_objectclass posixGroup aixAccessGroup
> >
> >
> > Does this mean something to you?
> >
> > -Mont
> >
> >
> > On 3/16/06, Craig White wrote:
> > grep Groups /etc/ldap.conf
> >
> > I bet you get nothing...
> >
> > then
> >
> > grep Group /etc/ldap.conf
> >
> > I think your answer lies within
> >
> > Craig
> >
> > On Thu, 2006-03-16 at 16:53 -0800, Mont Rothstein wrote:
> > > I apologize for being so ignorant but I don't know what you
> > mean by
> > > "change DNs etc".
> > >
> > > In my sambaGroups.ldif my dn's look like:
> > >
> > > dn: cn=Domain
> > Admins,ou=Groups,dc=forayadams,dc=foray,dc=com
> > >
> > > which as far as I know is correct for my setup.
> > >
> > > What am I missing?
> > >
> > > Thanks,
> > > -Mont
> > >
> > >
> > > On 3/16/06, Pete Rowley wrote:
> > > Mont Rothstein wrote:
> > >
> > > > Were the group names specified in the previous
> > steps merely
> > > examples?
> > > > I have a bare install and haven't created any
> > groups in unix
> > > (other
> > > > than those created with new users) nor have I
> > created any in
> > > Samba.
> > > >
> > > They are not examples, but you will have to change
> > DN's etc.
> > >
> > >
> > > --
> > > Pete
> >

From rmeggins at redhat.com Mon Mar 20 23:01:08 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 20 Mar 2006 16:01:08 -0700
Subject: [Fedora-directory-users] Installing Fedora DS on HA cluster !
In-Reply-To: <6f6293f10603200701r7b6e48a8tfd886649b1a8d1fc@mail.gmail.com>
References: <6f6293f10603171443t10374ed6j1d38e29a9889ff48@mail.gmail.com> <20060320145752.98741.qmail@web52915.mail.yahoo.com> <6f6293f10603200701r7b6e48a8tfd886649b1a8d1fc@mail.gmail.com>
Message-ID: <441F3434.5080408@redhat.com>

Felipe Alfaro Solana wrote:

>>>You can also replicate the o=netscape config DIT subtree, can't you?
>>>
>>>
>>that's an interesting idea.. Have you tried that, does that work OK?
>>
>>
>
>No, I haven't tried, but I guess it should work pretty well. Has
>anyone? Richard?
>
>
Yes, but the problem is that there is not a lot of failover built-in to the console. You'll have to manually reconfigure things if your o=NetscapeRoot master fails and you need to use the other master.

From mj at sci.fi Tue Mar 21 12:43:07 2006
From: mj at sci.fi (mj at sci.fi)
Date: Tue, 21 Mar 2006 14:43:07 +0200 (EET)
Subject: R: R: [Fedora-directory-users] Installing Fedora DS on HA cluster !
Message-ID: <7904618.511101142944987893.JavaMail.mj@sci.fi>

> Link to mmr.pl doesn't work any more....

Sorry, my server experienced some problems while I was out of town (happens every time). I will have it fixed within the next several hours.

BR,
Mike

From mont.rothstein at gmail.com Tue Mar 21 16:55:05 2006
From: mont.rothstein at gmail.com (Mont Rothstein)
Date: Tue, 21 Mar 2006 08:55:05 -0800
Subject: [Fedora-directory-users] Problem adding user
Message-ID: <467a83630603210855p5dbfddb3oa7688265401b9de1@mail.gmail.com>

I am trying to create a Samba Admin account in FDS as per the final steps of http://directory.fedora.redhat.com/wiki/Howto:Samba

I've created a sambaAdmin file with contents:

Administrator:x:0:0:Samba Admin:/root:/bin/bash

I then ran:

/usr/share/openldap/migration/migrate_passwd.pl /tmp/sambaAdmin > /tmp/sambaAdmin.ldif

but when I get to converting the ldif to ldap via:

/opt/fedora-ds/slapd-/ldif2ldap "cn=Directory manager" password /tmp/sambaAdmin.ldif

I get the following error:

adding new entry uid=Administrator,ou=People,dc=forayadams,dc=foray,dc=com
ldap_add: Object class violation
ldap_add: additional info: unknown object class "kerberosSecurityObject"

As far as I know I haven't enabled kerberos anywhere.

Does anyone know what I need to do to resolve this?

Thanks,
-Mont

From mont.rothstein at gmail.com Tue Mar 21 18:37:04 2006
From: mont.rothstein at gmail.com (Mont Rothstein)
Date: Tue, 21 Mar 2006 10:37:04 -0800
Subject: [Fedora-directory-users] How to add a computer (feeling foolish)
Message-ID: <467a83630603211037t13e5f306sceaa4cc87d704bab@mail.gmail.com>

I can't figure out how to add a computer to the domain. I've searched but can't find anything on this, which I assume means it is so easy that no one has even bothered to write about it.

I created a user in the Domain Admins group. I made that user an NT User, set the NT User ID to be the same as the FDS User ID, and checked Create New NT Account.

On a Windows XP box I went to System Properties->Computer Name->Computer Name Changes and entered the domain name.

I am prompted to enter the name and password of an account with permission to join the domain. I have tried entering the user name both as domainname\username and just username. No matter what I entered I get: "unknown user name or bad password"

I also tried adding a similar user (different User ID) to the Directory Administrators group. Using that user produced the same result.

If someone could please explain what needs to be done, or point me to a doc on this very basic process, I would appreciate it.

Thanks,
-Mont

From magobin at gmail.com Wed Mar 22 10:32:28 2006
From: magobin at gmail.com (Alex aka Magobin)
Date: Wed, 22 Mar 2006 11:32:28 +0100
Subject: [Fedora-directory-users] SSL problem on replication!
Message-ID: <1143023548.7656.28.camel@localhost.localdomain>

hi,
I used Replication HOWTO to make a replica with 2 server; after that I
saw that replication was without encryption, so I made my own CA
Authority and I made two certificate for both server...I made request
from Fedora Console and then I installed it from same console.

Testing on second server, I tried to restart slapd, but when I tried the
server ask correctly PIN for Internal Software Token, but then it says:

22/Mar/2006:11:20:39 +0100] - SSL alert: CERT_VerifyCertificateNow:
verify certificate failed for cert nodo2-cert of family
cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8179 -
Peer's Certificate issuer is not recognized.)
[22/Mar/2006:11:20:39 +0100] - SSL failure: None of the cipher are valid

...what does it mean?...maybe that I have made some mistakes about ssl?
...how can I resolve this problem?
...is it possible to come back??

thanks in advance

Alex

From rmeggins at redhat.com Wed Mar 22 16:01:21 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 22 Mar 2006 09:01:21 -0700
Subject: [Fedora-directory-users] SSL problem on replication!
In-Reply-To: <1143023548.7656.28.camel@localhost.localdomain>
References: <1143023548.7656.28.camel@localhost.localdomain>
Message-ID: <442174D1.2060209@redhat.com>

Alex aka Magobin wrote:
> hi,
> I used Replication HOWTO to make a replica with 2 server; after that I
> saw that replication was without encryption, so I made my own CA
> Authority and I made two certificate for both server...I made request
> from Fedora Console and then I installed it from same console.
>
> Testing on the second server, I tried to restart slapd, but when I tried, the
> server correctly asks for the PIN for Internal Software Token, but then it says:
>
> 22/Mar/2006:11:20:39 +0100] - SSL alert: CERT_VerifyCertificateNow:
> verify certificate failed for cert nodo2-cert of family
> cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8179 -
> Peer's Certificate issuer is not recognized.)
> [22/Mar/2006:11:20:39 +0100] - SSL failure: None of the cipher are valid
>
> ...what does it mean?...maybe that I have made some mistakes about ssl?
> ...how can I resolve this problem?
> ...is it possible to come back??
>
I think you may need to add the CA cert to the cert db for nodo2
>
> thanks in advance
>
> Alex

From logastellus at yahoo.com Thu Mar 23 16:43:31 2006
From: logastellus at yahoo.com (Susan)
Date: Thu, 23 Mar 2006 08:43:31 -0800 (PST)
Subject: [Fedora-directory-users] SSL problem on replication!
In-Reply-To: <442174D1.2060209@redhat.com>
Message-ID: <20060323164331.97322.qmail@web52911.mail.yahoo.com>

This is what I did to get ssl repl working:

1. generate a single CA certificate and use that to sign both the supplier and consumer certificates. Each server doesn't need its own CA.

on the consumer:

[root@cnjldap01 alias]# ../shared/bin/certutil -L -d . -n "NJ CA certificate" -a > cnjldap01.cert.asc

#send to supplier:
scp cnjldap01.cert.asc root@cnyldap01:/opt/fedora-ds/alias/

#import it into the supplier's cert db:
[root@cnyldap01 /]# ../shared/bin/certutil -A -d . -P slapd-cnyldap01- -n "NJ CA certificate" -t "CT,," -a -i cnjldap01.cert.asc

That's it.
--- Richard Megginson wrote: > Alex aka Magobin wrote: > > hi, > > I used Replication HOWTO to make a replica with 2 server; after that I > > saw that replication was without encryption, so I maked my own CA > > Authority and I maked two certificate for both server...I maked request > > from Fedora Console and then I installed it from same console. > > > > Testing on second server, I tried to restart slapd, but when I tried the > > server ask correctly PIN for Internal Software Token, but then it says: > > > > 22/Mar/2006:11:20:39 +0100] - SSL alert: CERT_VerifyCertificateNow: > > verify certificate failed for cert nodo2-cert of family > > cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8179 - > > Peer's Certificate issuer is not recognized.) > > [22/Mar/2006:11:20:39 +0100] - SSL failure: None of the cipher are valid > > > > > > > > ...what does it mean?...maybe that I have maked some mistakes about ssl? > > ...how can I resolv this problem? > > ...is it possible to come back?? > > > I think you may need to add the CA cert to the cert db for nodo2 > > > > thanks in advance > > > > Alex > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! 
Mail has the best spam protection around http://mail.yahoo.com From mont.rothstein at gmail.com Thu Mar 23 17:58:07 2006 From: mont.rothstein at gmail.com (Mont Rothstein) Date: Thu, 23 Mar 2006 09:58:07 -0800 Subject: [Fedora-directory-users] Re: How to add a computer (feeling foolish) In-Reply-To: <467a83630603211037t13e5f306sceaa4cc87d704bab@mail.gmail.com> References: <467a83630603211037t13e5f306sceaa4cc87d704bab@mail.gmail.com> Message-ID: <467a83630603230958pc3dd00cx8637d9662525f754@mail.gmail.com> It seems that this is a Samba issue and not a FDS issue. I hadn't locked on to the fact that Samba is the Domain controller and FDS is only the Directory server. -Mont On 3/21/06, Mont Rothstein wrote: > > I can't figure out how to add a computer to the domain. > > I've searched but can't find anything on this, which I assume means it is > so easy that no one has even bothered to write about it. > > I created a user in the Domain Admins group. I made that user an NT User, > set the NT User ID to be the same as the FDS User ID, and checked Create New > NT Account. > > On a Windows XP box I went to System Properties->Computer Name->Computer > Name Changes and entered the domain name. > > I am prompted to enter the name and password of an account with permission > to join the domain. I have tried entering the user name both as > domainname\username and just username. No matter what I entered I get: > > "unknown user name or bad password" > > I also tried adding a similar user (different User ID) to the Directory > Administrators group. Using that user produced the same result. > > If someone could please explain what needs to be done, or point me to a > doc no this very basic process, I would appreciate it. > > Thanks, > -Mont > > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From craigwhite at azapple.com Fri Mar 24 03:37:38 2006 From: craigwhite at azapple.com (Craig White) Date: Thu, 23 Mar 2006 20:37:38 -0700 Subject: [Fedora-directory-users] Re: How to add a computer (feeling foolish) In-Reply-To: <467a83630603230958pc3dd00cx8637d9662525f754@mail.gmail.com> References: <467a83630603211037t13e5f306sceaa4cc87d704bab@mail.gmail.com> <467a83630603230958pc3dd00cx8637d9662525f754@mail.gmail.com> Message-ID: <1143171458.28895.61.camel@lin-workstation.azapple.com> NT User has nothing to do with samba. Samba uses SambaSamAccount objectclass - you can look through the schema and check which attributes apply to samba. You could make things easier on yourself and go through Samba documentation... http://www.samba.org/samba/docs check out the 'By Example' which pretty much covers everything you would need to know. Craig On Thu, 2006-03-23 at 09:58 -0800, Mont Rothstein wrote: > It seems that this is a Samba issue and not a FDS issue. I hadn't > locked on to the fact that Samba is the Domain controller and FDS is > only the Directory server. > > -Mont > > > On 3/21/06, Mont Rothstein wrote: > I can't figure out how to add a computer to the domain. > > I've searched but can't find anything on this, which I assume > means it is so easy that no one has even bothered to write > about it. > > I created a user in the Domain Admins group. I made that user > an NT User, set the NT User ID to be the same as the FDS User > ID, and checked Create New NT Account. > > On a Windows XP box I went to System Properties->Computer > Name->Computer Name Changes and entered the domain name. > > I am prompted to enter the name and password of an account > with permission to join the domain. I have tried entering the > user name both as domainname\username and just username. No > matter what I entered I get: > > "unknown user name or bad password" > > I also tried adding a similar user (different User ID) to the > Directory Administrators group. 
Using that user produced the > same result. > > If someone could please explain what needs to be done, or > point me to a doc no this very basic process, I would > appreciate it. > > Thanks, > > -Mont > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users From magobin at gmail.com Fri Mar 24 08:43:56 2006 From: magobin at gmail.com (Alex aka Magobin) Date: Fri, 24 Mar 2006 09:43:56 +0100 Subject: [Fedora-directory-users] SSL problem on replication! In-Reply-To: <20060323164331.97322.qmail@web52911.mail.yahoo.com> References: <20060323164331.97322.qmail@web52911.mail.yahoo.com> Message-ID: <1143189836.7750.20.camel@localhost.localdomain> On gio, 2006-03-23 at 08:43 -0800, Susan wrote: > This is what I did to get ssl repl working: > > 1. generate a single CA certificate and use that to sign both the supplier and consumer > certificates. Each server doesn't need its own CA. > > on the consumer: > Thank you Susan for your reply...two question 4 you if possible: 1) This procedure..similar to (Chapter 8 in Administration Guide)...but you have to create cert db before 2) To make secure replication...I have to enable ssl on DS...in this case...is still possible to query LDAP on port 389 ?? Thanks in advance!! Alex From mont.rothstein at gmail.com Fri Mar 24 17:24:00 2006 From: mont.rothstein at gmail.com (Mont Rothstein) Date: Fri, 24 Mar 2006 09:24:00 -0800 Subject: [Fedora-directory-users] Re: How to add a computer (feeling foolish) In-Reply-To: <1143171458.28895.61.camel@lin-workstation.azapple.com> References: <467a83630603211037t13e5f306sceaa4cc87d704bab@mail.gmail.com> <467a83630603230958pc3dd00cx8637d9662525f754@mail.gmail.com> <1143171458.28895.61.camel@lin-workstation.azapple.com> Message-ID: <467a83630603240924x48ace933gcc93cb18eacb78f4@mail.gmail.com> Thank you for the heads up and the doc pointer. 
-Mont On 3/23/06, Craig White wrote: > > NT User has nothing to do with samba. > > Samba uses SambaSamAccount objectclass - you can look through the schema > and check which attributes apply to samba. > > You could make things easier on yourself and go through Samba > documentation... > > http://www.samba.org/samba/docs > > check out the 'By Example' which pretty much covers everything you would > need to know. > > Craig > > On Thu, 2006-03-23 at 09:58 -0800, Mont Rothstein wrote: > > It seems that this is a Samba issue and not a FDS issue. I hadn't > > locked on to the fact that Samba is the Domain controller and FDS is > > only the Directory server. > > > > -Mont > > > > > > On 3/21/06, Mont Rothstein wrote: > > I can't figure out how to add a computer to the domain. > > > > I've searched but can't find anything on this, which I assume > > means it is so easy that no one has even bothered to write > > about it. > > > > I created a user in the Domain Admins group. I made that user > > an NT User, set the NT User ID to be the same as the FDS User > > ID, and checked Create New NT Account. > > > > On a Windows XP box I went to System Properties->Computer > > Name->Computer Name Changes and entered the domain name. > > > > I am prompted to enter the name and password of an account > > with permission to join the domain. I have tried entering the > > user name both as domainname\username and just username. No > > matter what I entered I get: > > > > "unknown user name or bad password" > > > > I also tried adding a similar user (different User ID) to the > > Directory Administrators group. Using that user produced the > > same result. > > > > If someone could please explain what needs to be done, or > > point me to a doc no this very basic process, I would > > appreciate it. 
> >
> > Thanks,
> >
> > -Mont

From mont.rothstein at gmail.com Fri Mar 24 18:26:57 2006
From: mont.rothstein at gmail.com (Mont Rothstein)
Date: Fri, 24 Mar 2006 10:26:57 -0800
Subject: [Fedora-directory-users] Re: Problem adding user
In-Reply-To: <467a83630603210855p5dbfddb3oa7688265401b9de1@mail.gmail.com>
References: <467a83630603210855p5dbfddb3oa7688265401b9de1@mail.gmail.com>
Message-ID: <467a83630603241026r1f22b3c1p1a0e0206d89322f6@mail.gmail.com>

A suggestion was made that I should add the contents of my sambaAdmin.ldif file to this post. They are below.

The kerberosSecurityObject isn't in my schema, so thus the error. But why did migrate_password.pl put that in my ldif? Is there a config option somewhere that should be switched to disable Kerberos or do I just need to manually edit the ldif and delete the offending line?

Thanks,
-Mont

dn: uid=Administrator,ou=People,dc=forayadams,dc=foray,dc=com
uid: Administrator
cn: Samba Admin
givenName: Samba
sn: Admin
mail: Administrator@forayadams.foray.com
mailRoutingAddress: Administrator@mail.forayadams.foray.com
mailHost: mail.forayadams.foray.com
objectClass: inetLocalMailRecipient
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: kerberosSecurityObject
userPassword: {crypt}x
krbName: Administrator@FORAYADAMS.FORAY.COM
loginShell: /bin/bash
uidNumber: 0
gidNumber: 0
homeDirectory: /root
gecos: Samba Admin
From gholbert at broadcom.com Fri Mar 24 19:04:28 2006
From: gholbert at broadcom.com (George Holbert)
Date: Fri, 24 Mar 2006 11:04:28 -0800
Subject: [Fedora-directory-users] SSL problem on replication!
In-Reply-To: <1143189836.7750.20.camel@localhost.localdomain>
References: <20060323164331.97322.qmail@web52911.mail.yahoo.com> <1143189836.7750.20.camel@localhost.localdomain>
Message-ID: <442442BC.5000107@broadcom.com>

>
> 2) To make secure replication...I have to enable ssl on DS...in this
> case...is still possible to query LDAP on port 389 ??

Absolutely, enabling SSL does not affect unencrypted connections on port 389.

Alex aka Magobin wrote:
> On gio, 2006-03-23 at 08:43 -0800, Susan wrote:
>
>> This is what I did to get ssl repl working:
>>
>> 1. generate a single CA certificate and use that to sign both the supplier and consumer
>> certificates. Each server doesn't need its own CA.
>>
>> on the consumer:
>>
>
> Thank you Susan for your reply...two question 4 you if possible:
>
> 1) This procedure..similar to (Chapter 8 in Administration Guide)...but
> you have to create cert db before
>
> 2) To make secure replication...I have to enable ssl on DS...in this
> case...is still possible to query LDAP on port 389 ??
>
> Thanks in advance!!
>
> Alex

From logastellus at yahoo.com Fri Mar 24 20:21:36 2006
From: logastellus at yahoo.com (Susan)
Date: Fri, 24 Mar 2006 12:21:36 -0800 (PST)
Subject: [Fedora-directory-users] SSL problem on replication!
In-Reply-To: <1143189836.7750.20.camel@localhost.localdomain>
Message-ID: <20060324202136.60383.qmail@web52910.mail.yahoo.com>

--- Alex aka Magobin wrote:

> On gio, 2006-03-23 at 08:43 -0800, Susan wrote:
> > This is what I did to get ssl repl working:
> >
> > 1.
generate a single CA certificate and use that to sign both the supplier and consumer > > certificates. Each server doesn't need its own CA. > > > > on the consumer: > > > > > > Thank you Susan for your reply...two question 4 you if possible: > > 1) This procedure..similar to (Chapter 8 in Administration Guide)...but > you have to create cert db before yes, cert db must exist, for a cert to be exported out of it :) > > 2) To make secure replication...I have to enable ssl on DS...in this > case...is still possible to query LDAP on port 389 ?? yes. One way to disable it is to set the ldap port to 0, FDS will then say on startup that non secure access has been disabled, proceeding. That will break the console access, however. I haven't been able to turn off non-ssl access AND still be able to use the console. __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com From nkinder at redhat.com Fri Mar 24 22:23:28 2006 From: nkinder at redhat.com (Nathan Kinder) Date: Fri, 24 Mar 2006 14:23:28 -0800 Subject: [Fedora-directory-users] SSL problem on replication! In-Reply-To: <20060324202136.60383.qmail@web52910.mail.yahoo.com> References: <20060324202136.60383.qmail@web52910.mail.yahoo.com> Message-ID: <44247160.9070501@redhat.com> Susan wrote: >--- Alex aka Magobin wrote: > > > >>On gio, 2006-03-23 at 08:43 -0800, Susan wrote: >> >> >>>This is what I did to get ssl repl working: >>> >>>1. generate a single CA certificate and use that to sign both the supplier and consumer >>>certificates. Each server doesn't need its own CA. 
>>> >>>on the consumer: >>> >>> >>> >> >>Thank you Susan for your reply...two question 4 you if possible: >> >>1) This procedure..similar to (Chapter 8 in Administration Guide)...but >>you have to create cert db before >> >> > >yes, cert db must exist, for a cert to be exported out of it :) > > > > >>2) To make secure replication...I have to enable ssl on DS...in this >>case...is still possible to query LDAP on port 389 ?? >> >> > >yes. One way to disable it is to set the ldap port to 0, FDS will then say on startup that non >secure access has been disabled, proceeding. That will break the console access, however. I >haven't been able to turn off non-ssl access AND still be able to use the console. > > You can configure Console to talk LDAPS. I was just able to disable the standard LDAP port on my FDS 1.0.2 install and still use Console. You need to check the "Use SSL in Fedora Console" checkbox in the "Configuration" tab of the Directory Server Console. -NGK >__________________________________________________ >Do You Yahoo!? >Tired of spam? Yahoo! Mail has the best spam protection around >http://mail.yahoo.com > >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3241 bytes Desc: S/MIME Cryptographic Signature URL: From schibeci at arginine.murdoch.edu.au Sat Mar 25 01:53:08 2006 From: schibeci at arginine.murdoch.edu.au (David Schibeci) Date: Sat, 25 Mar 2006 09:53:08 +0800 Subject: [Fedora-directory-users] Mac OS X Client authenticating against Fedora Directory Server Message-ID: <4A999A67-3E88-4F01-BCC1-A30AAAB49B74@cbbc.murdoch.edu.au> I am in the process of migrating our directory from OpenLDAP to Fedora Directory Server. The only client I can't get to authenticate against FDS is Mac OS X. I've searched to net to no avail. 
Has anyone been able to do this successfully? Cheers, David ------------------------------------------------------------------------ ------ David Schibeci Systems Administrator/Software Developer Centre for Bioinformatics and Biological Computing Murdoch University South Street Murdoch WA 6150 Phone: 61 8 9360 2961 Fax: 61 8 9360 7238 E-Mail: schibeci at cbbc.murdoch.edu.au From craigwhite at azapple.com Sat Mar 25 04:21:56 2006 From: craigwhite at azapple.com (Craig White) Date: Fri, 24 Mar 2006 21:21:56 -0700 Subject: [Fedora-directory-users] Re: Problem adding user In-Reply-To: <467a83630603241026r1f22b3c1p1a0e0206d89322f6@mail.gmail.com> References: <467a83630603210855p5dbfddb3oa7688265401b9de1@mail.gmail.com> <467a83630603241026r1f22b3c1p1a0e0206d89322f6@mail.gmail.com> Message-ID: <1143260516.31170.107.camel@lin-workstation.azapple.com> On Fri, 2006-03-24 at 10:26 -0800, Mont Rothstein wrote: > A suggestion was made that I should add the contents of my > sambaAdmin.ldif file to this post. They are below. > > The kerberosSecurityObject isn't in my schema, so thus the error. But > why did migrate_password.pl put that in my ldif? Is there a config > option somewhere that should be switched to disable Kerberos or do I > just need to manually edit the ldif and delete the offending line? 
> > Thanks, > -Mont > > > dn: uid=Administrator,ou=People,dc=forayadams,dc=foray,dc=com > uid: Administrator > cn: Samba Admin > givenName: Samba > sn: Admin > mail: Administrator at forayadams.foray.com > mailRoutingAddress: Administrator at mail.forayadams.foray.com > mailHost: mail.forayadams.foray.com > objectClass: inetLocalMailRecipient > objectClass: person > objectClass: organizationalPerson > objectClass: inetOrgPerson > objectClass: posixAccount > objectClass: top > objectClass: kerberosSecurityObject > userPassword: {crypt}x > krbName: Administrator at FORAYADAMS.FORAY.COM > loginShell: /bin/bash > uidNumber: 0 > gidNumber: 0 > homeDirectory: /root > gecos: Samba Admin ---- the option of course is yours. If you read through the source within the padl migration scripts (I'm assuming that you used the ones installed by openldap-server package from the distribution, you will probably notice how and why it is put there...presumably because you have chosen to use an extended schema. I think the object is to test, tune, test, tune until you get what you want from the migration scripts. I suspect the reasons no one else answered this question was that the source isn't part of FDS, the DSA setup will be as you design it to be and the source is lightweight and should be simple enough to comprehend and adjust as needed. Craig From alex at darkhonor.com Sun Mar 26 00:04:32 2006 From: alex at darkhonor.com (Alex Ackerman) Date: Sat, 25 Mar 2006 19:04:32 -0500 Subject: [Fedora-directory-users] Question on FDS Usage Message-ID: <1143331472.18950.12.camel@seth.darkhonor.net> Ok, this may seem like old hat to some of you, but I'm feeling like I'm playing stump the dummy with my computer. I am trying to modify my directory's schema to add support for Open-XChange. I have a schema file that I have converted to FDS format from the shipped OpenLDAP format (thanks to tools on the Fedora Directory Server site), but I can't seem to add this to the server. 
I first tried:

Code:
[root@bastet ~]# ldapmodify -h localhost -x -f openxchange.ldif2
modifying entry "cn=schema"
ldap_modify: Insufficient access (50)
        additional info: Insufficient 'write' privilege to the 'attributeTypes' attribute of entry 'cn=schema'.

I then tried:
Code:
[root@bastet ~]# ldapadd -x -D "cn=Directory Manager,dc=domain,dc=net" -h localhost -W -f openxchange.ldif2
Enter LDAP Password:
ldap_bind: No such object (32)
        matched DN: dc=domain,dc=net

As you can see, I'm getting really stumped. What is the right command that I'm missing? I'm new to the directory server realm and this has been my attempt at trying to learn. Thanks for any assistance you can provide.

Alex

An excerpt of the schema follows:
#
################################################################################
#
dn: cn=schema
#
################################################################################
#
attributeTypes: (
  1.1.2.1.1.1
  NAME ( 'mailEnabled' )
  DESC 'Is the user enabled or not, for pam_ldap,postfix etc. filtering...'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768}
  SINGLE-VALUE
  )
#
################################################################################
#
attributeTypes: (
  1.1.2.1.1.2
  NAME ( 'alias' )
  DESC 'email alias'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768}
  )
#
################################################################################
#
attributeTypes: (
  1.1.2.1.1.3
  NAME ( 'imapServer' )
  DESC 'Users Imap Server'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768}
  SINGLE-VALUE
  )
...

------------------------------------
This email has been ClamScanned!
www.clamav.net From gholbert at broadcom.com Sun Mar 26 00:42:10 2006 From: gholbert at broadcom.com (George Holbert) Date: Sat, 25 Mar 2006 16:42:10 -0800 Subject: [Fedora-directory-users] Question on FDS Usage References: <1143331472.18950.12.camel@seth.darkhonor.net> Message-ID: <002b01c6506e$1dde4b50$4bfdf00a@chunky> > I then tried: > Code: > [root at bastet ~]# ldapadd -x -D "cn=Directory Manager,dc=domain,dc=net" -h > localhost -W -f openxchange.ldif2 > Enter LDAP Password: > ldap_bind: No such object (32) > matched DN: dc=domain,dc=net This is close, you just need to use the right DN for the Directory Manager. Try: ldapadd -x -D "cn=Directory Manager" ... Directory Manager is a special DN that doesn't exist inside your suffix. ----- Original Message ----- From: "Alex Ackerman" To: Sent: Saturday, March 25, 2006 4:04 PM Subject: [Fedora-directory-users] Question on FDS Usage > Ok, this may seem like old hat to some of you, but I'm feeling like I'm > playing stump the dummy with my computer. I am trying to modify my > directory's schema to add support for Open-XChange. I have a schema file > that I have converted to FDS format from the shipped OpenLDAP format > (thanks to tools on the Fedora Directory Server site), but I can't seem > to add this to the server. I first tried: > > Code: > [root at bastet ~]# ldapmodify -h localhost -x -f openxchange.ldif2 > modifying entry "cn=schema" > ldap_modify: Insufficient access (50) > additional info: Insufficient 'write' privilege to the > 'attributeTypes' attribute of entry 'cn=schema'. > > I then tried: > Code: > [root at bastet ~]# ldapadd -x -D "cn=Directory Manager,dc=domain,dc=net" -h > localhost -W -f openxchange.ldif2 > Enter LDAP Password: > ldap_bind: No such object (32) > matched DN: dc=domain,dc=net > > As you can see, I'm getting really stumped. What is the right command > that I'm missing? I'm new to the directory server realm and this has > been my attempt at trying to learn. 
Thanks for any assistance you can > provide. > > Alex > > An excert of the schema follows: > # > ################################################################################ > # > dn: cn=schema > # > ################################################################################ > # > attributeTypes: ( > 1.1.2.1.1.1 > NAME ( 'mailEnabled' ) > DESC 'Is the user enabled or not, for pam_ldap,postfix etc. > filtering...' > EQUALITY caseIgnoreMatch > SUBSTR caseIgnoreSubstringsMatch > SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} > SINGLE-VALUE > ) > # > ################################################################################ > # > attributeTypes: ( > 1.1.2.1.1.2 > NAME ( 'alias' ) > DESC 'email alias' > EQUALITY caseIgnoreMatch > SUBSTR caseIgnoreSubstringsMatch > SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} > ) > # > ################################################################################ > # > attributeTypes: ( > 1.1.2.1.1.3 > NAME ( 'imapServer' ) > DESC 'Users Imap Server' > EQUALITY caseIgnoreMatch > SUBSTR caseIgnoreSubstringsMatch > SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} > SINGLE-VALUE > ) > ... > > > > ------------------------------------ > This email has been ClamScanned! > www.clamav.net > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > From magobin at gmail.com Mon Mar 27 10:23:44 2006 From: magobin at gmail.com (Alex aka Magobin) Date: Mon, 27 Mar 2006 12:23:44 +0200 Subject: [Fedora-directory-users] SSL problem on replication! 
In-Reply-To: <20060323164331.97322.qmail@web52911.mail.yahoo.com>
References: <20060323164331.97322.qmail@web52911.mail.yahoo.com>
Message-ID: <1143455025.8153.21.camel@localhost.localdomain>

I still have a problem with ssl replication...in order to resolve this problem I post my steps to configure it..thanks in advance if someone could help me..:

1) in alias directory I make pwdfile.txt and noise.txt

2) Make a .db file:
../shared/bin/certutil -N -d . -f pwdfile.txt

3) Make an encrypted key:
../shared/bin/certutil -G -d . -z noise.txt -f pwdfile.txt

4) Make an mysel certificate:
../shared/bin/certutil -S -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d . -z noise.txt -f pwdfile.txt

5) make a CA server
../shared/bin/certutil -S -n "Server-Cert" -s "cn=domain.example.com" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d . -z noise.txt -f pwdfile.txt

6) Rename db and relink:
mv cert8.db slapd-server-cert8.db
mv key3.db slapd-server-key3.db
ln -s slapd-server-cert8.db cert8.db
ln -s slapd-server-key3.db key3.db
chown nobody *.db

7) Exporting certificate:
../shared/bin/certutil -L -d . -n "CA Certificate" -a > nodo1.cert.asc

8) Send to nodo2
scp nodo1.cert.asc root@nodo2:/opt/fedora-ds/alias/

9) Importing in db:
../shared/bin/certutil -A -d . -P slapd-nodo2- -n "CA Certificate" -t "CT,," -a -i nodo1.cert.asc

10) make a replication with mmr.pl script
./mmr.pl --host1 nodo1.domain.example.com --host2 nodo2.domain.example.com --host_id 1 --host_id 2 --bindpw secretpwd --repmanpw secret --create --with-ssl

11) After that....should be a replication...but if in slapd log I find:

NSMMReplicationPlugin - agmt=cn"Replication to nodo2.domain.example.com"" (nodo2:636): SSL Not Initialized, Replication over SSL FAILED
NSMMReplicationPlugin - agmt=cn"Replication to nodo2.domain.example.com"" (nodo2:636):incremental update failed and requires administrator action

Any help is greatly appreciated!
Alex

From osi at terra.com.cn Mon Mar 27 01:20:48 2006
From: osi at terra.com.cn (Olivier SILBER)
Date: Mon, 27 Mar 2006 09:20:48 +0800
Subject: [Fedora-directory-users] Replication, migration from slaver to master, error with agreement
Message-ID: <44273DF0.4000007@terra.com.cn>

Dear all,

I have set up 4 servers: 2 masters (server1 & server2) and 2 slaves (server3 & server4). Server1 and Server2 have the agreement to replicate to each other but also the agreement for replication to server3 and server4. Everything works perfectly now with this solution.

After a while, I think that I do not need such a big setting and would like to remove DS from server1 and server2 and use only server3 and server4 as masters with replication between them. Why? Because server1 and server2 are also my end-user servers and DS uses too much resources, so they have started to be very slow.... and my end-users complain!!!!

So my first try was to define server3 and server4 as multi-master as well as server1 and server2, and after that add an agreement into these 2 servers. But I can not add any agreement into server3 and server4, I always have this error from my logs:

NSMMReplicationPlugin - agmtlist_add_callback: Can't start agreement "cn=replication to server4,cn=replica,cn=o=xxxx\,c=xx,cn=mapping tree,cn=config"

I have used both the admin console and the script to generate a multimaster replication (perl), both are providing me this error. I have put the debug level to the maxi (8156) with the same error (no more detail !!!!).

What I did into server3:
1) uncheck consumer -> restart
2) check replica with multi-master -> restart (of course with a unique ID)
3) create the agreement -> error

I think that an old slave could be a master as easy as this and probably I will need to refresh the database from scratch into server3 and server4 (backup, init and restore). But because these 2 servers are in operation, I do not want to do this if there is another solution more accurate.
Thanks

Olivier

--
----------------------------------------------------------------
Olivier SILBER - Terra Proxyma China Ltd.
Email: osi at terra.com.cn
Website: http://www.terra.com.cn/
Address: 10th Floor, GuangHua Building, Tower B, No.8 Guang Hua Road, Chaoyang district, Beijing, 100026, P.R. CHINA
Telephone: (8610) 6581 1030 - Fax: (8610) 6581 2814

From logastellus at yahoo.com Mon Mar 27 14:43:03 2006
From: logastellus at yahoo.com (Susan)
Date: Mon, 27 Mar 2006 06:43:03 -0800 (PST)
Subject: [Fedora-directory-users] SSL problem on replication!
In-Reply-To: <44247160.9070501@redhat.com>
Message-ID: <20060327144303.66419.qmail@web52912.mail.yahoo.com>

--- Nathan Kinder wrote:

> You can configure Console to talk LDAPS. I was just able to disable the
> standard LDAP port on my FDS 1.0.2 install and still use Console. You
> need to check the "Use SSL in Fedora Console" checkbox in the
> "Configuration" tab of the Directory Server Console.

yea, I did that.
I set the port to 0 & click on "use SSL for console connections."

[root at cnyitlin02 /]# /opt/fedora-ds/slapd-cnyitlin02/restart-slapd
[27/Mar/2006:09:40:20 -0500] - Information: Non-Secure Port Disabled, server only contactable via secure port

So far so good. But when I restart the console, I get this:

"Cannot connect to directory server ldap://cnyitlin02:389. Would you like to restart?"

Now, obviously that port is no longer there. Have you not had this problem? How do I tell the console to go to 636 instead (I'm assuming that's what the problem is..)

From magobin at gmail.com Mon Mar 27 15:32:52 2006
From: magobin at gmail.com (Alex)
Date: Mon, 27 Mar 2006 17:32:52 +0200
Subject: [Fedora-directory-users] SSL problem on replication!
In-Reply-To: <20060327144303.66419.qmail@web52912.mail.yahoo.com>
Message-ID: <442805ab.5f015638.50f9.ffff8806@mx.gmail.com>

Some news on my situation...finally I solved the problem about initialized ssl failed as explained in my previous post....I did exactly the same thing but in a fresh install and now the certificates are present.

Now the problem is:

[27/Mar/2006:14:13:48 +0000] - Fedora-Directory/1.0.2 B2006.060.1928 starting up
[27/Mar/2006:14:13:50 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[27/Mar/2006:14:13:50 +0000] - Listening on All Interfaces port 636 for LDAPS requests
[27/Mar/2006:14:14:06 +0000] NSMMReplicationPlugin - agmt="cn="Replication to nodo2.domain.example.com"" (nodo2:636): Simple bind failed, LDAP sdk error 91 (Can't connect to the LDAP server), Netscape Portable Runtime error -5961 (TCP connection reset by peer.)
[27/Mar/2006:14:14:07 +0000] NSMMReplicationPlugin - agmt="cn="Replication to nodo2.domain.example.com"" (nodo2:636): Simple bind failed, LDAP sdk error 91 (Can't connect to the LDAP server), Netscape Portable Runtime error -5961 (TCP connection reset by peer.)

According to what Susan suggested...I configured Fedora DS in a cluster on both nodes in the same manner; both are named ldap.domain.example.com; this is for working with IP takeover; in fact I configured an IP that points to ldap.domain.example.com.

Without ssl everything works, but with ssl enabled the mmr.pl script reports the error above when trying to make a replication

How can I solve it?...Is there some other doc to study??

Thanks in advance!

Alex

From rmeggins at redhat.com Mon Mar 27 16:02:07 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 27 Mar 2006 09:02:07 -0700
Subject: [Fedora-directory-users] Question on FDS Usage
In-Reply-To: <002b01c6506e$1dde4b50$4bfdf00a@chunky>
References: <1143331472.18950.12.camel@seth.darkhonor.net> <002b01c6506e$1dde4b50$4bfdf00a@chunky>
Message-ID: <44280C7F.7040301@redhat.com>

George Holbert wrote:

>> I then tried:
>> Code:
>> [root at bastet ~]# ldapadd -x -D "cn=Directory
>> Manager,dc=domain,dc=net" -h localhost -W -f openxchange.ldif2
>> Enter LDAP Password:
>> ldap_bind: No such object (32)
>> matched DN: dc=domain,dc=net
>
>
> This is close, you just need to use the right DN for the Directory
> Manager. Try:
> ldapadd -x -D "cn=Directory Manager" ...
>
> Directory Manager is a special DN that doesn't exist inside your suffix.

You can also just copy your schema file into the config/schema directory and restart the server e.g.
cp openxchange.ldif2 slapd-instance/config/schema/60openxchange.ldif > > ----- Original Message ----- From: "Alex Ackerman" > To: > Sent: Saturday, March 25, 2006 4:04 PM > Subject: [Fedora-directory-users] Question on FDS Usage > > >> Ok, this may seem like old hat to some of you, but I'm feeling like I'm >> playing stump the dummy with my computer. I am trying to modify my >> directory's schema to add support for Open-XChange. I have a schema file >> that I have converted to FDS format from the shipped OpenLDAP format >> (thanks to tools on the Fedora Directory Server site), but I can't seem >> to add this to the server. I first tried: >> >> Code: >> [root at bastet ~]# ldapmodify -h localhost -x -f openxchange.ldif2 >> modifying entry "cn=schema" >> ldap_modify: Insufficient access (50) >> additional info: Insufficient 'write' privilege to the >> 'attributeTypes' attribute of entry 'cn=schema'. >> >> I then tried: >> Code: >> [root at bastet ~]# ldapadd -x -D "cn=Directory >> Manager,dc=domain,dc=net" -h localhost -W -f openxchange.ldif2 >> Enter LDAP Password: >> ldap_bind: No such object (32) >> matched DN: dc=domain,dc=net >> >> As you can see, I'm getting really stumped. What is the right command >> that I'm missing? I'm new to the directory server realm and this has >> been my attempt at trying to learn. Thanks for any assistance you can >> provide. >> >> Alex >> >> An excert of the schema follows: >> # >> ################################################################################ >> >> # >> dn: cn=schema >> # >> ################################################################################ >> >> # >> attributeTypes: ( >> 1.1.2.1.1.1 >> NAME ( 'mailEnabled' ) >> DESC 'Is the user enabled or not, for pam_ldap,postfix etc. >> filtering...' 
>> EQUALITY caseIgnoreMatch >> SUBSTR caseIgnoreSubstringsMatch >> SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} >> SINGLE-VALUE >> ) >> # >> ################################################################################ >> >> # >> attributeTypes: ( >> 1.1.2.1.1.2 >> NAME ( 'alias' ) >> DESC 'email alias' >> EQUALITY caseIgnoreMatch >> SUBSTR caseIgnoreSubstringsMatch >> SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} >> ) >> # >> ################################################################################ >> >> # >> attributeTypes: ( >> 1.1.2.1.1.3 >> NAME ( 'imapServer' ) >> DESC 'Users Imap Server' >> EQUALITY caseIgnoreMatch >> SUBSTR caseIgnoreSubstringsMatch >> SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} >> SINGLE-VALUE >> ) >> ... >> >> >> >> ------------------------------------ >> This email has been ClamScanned! >> www.clamav.net >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Mon Mar 27 16:12:58 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Mon, 27 Mar 2006 09:12:58 -0700 Subject: [Fedora-directory-users] Replication, migration from slaver to master, error with agreement In-Reply-To: <44273DF0.4000007@terra.com.cn> References: <44273DF0.4000007@terra.com.cn> Message-ID: <44280F0A.50907@redhat.com> Olivier SILBER wrote: > Dear all, > > I have setup 4 servers: 2 master (server1 & server2) and 2 slaves > (server3 & server4). Server1 and Server2 have the agreement to replica > each other but also the agreement for replication to server3 and > server4. 
Everything works perfectly now with this solution.
>
> After a while, I think that I do not need a so big setting and would
> like to remove DS from server1 and server2 and use only server3 and
> server4 as masters with replication between them. Why? because server1
> and server2 are also my end-user servers and DS use too much
> resources, so they have started to be very slow.... and my end-user
> complain!!!!

Why is it so slow? How many operations are the servers serving? What types of operations? BINDs? Searches? Add/modify/delete? If searches, are all of the searches appropriately indexed?

>
> So my first try was to define server3 and server4 as multi-master as
> well as server1 and server2, and after add an agreement into this 2
> servers. But I can not add any agreement into server3 and server4, I
> have always this error from my logs:
>
> NSMMReplicationPlugin - agmtlist_add_callback: Can't start agreement
> "cn=replication to server4,cn=replica,cn=o=xxxx\,c=xx,cn=mapping
> tree,cn=config"
>
> I have used both the admin console and the script to generate a
> multimaster replication (perl), both are providing me this error. I
> have put the debug level to the maxi (8156) with the same error (no
> more detail !!!!).

Actually, the debug level should be 8192 for replication issues.

>
> What I did into server3:
> 1) uncheck consumer -> restart
> 2) check replica with multi-master -> restart (of course with an
> unique ID)
> 3) create the agreement -> error
>
> I think that an old slave could be a master as easy as this and
> probably I will need to refresh the database from scrash into server3
> and server4 (backup, init and restore). But because this 2 servers are
> in operation, I do not want to do this if there is another solution
> more accurate.
>
> Thanks
>
> Olivier
> --
> ----------------------------------------------------------------
> Olivier SILBER - Terra Proxyma China Ltd.

From logastellus at yahoo.com Mon Mar 27 16:44:23 2006
From: logastellus at yahoo.com (Susan)
Date: Mon, 27 Mar 2006 08:44:23 -0800 (PST)
Subject: [Fedora-directory-users] SSL problem on replication!
In-Reply-To: <442805ab.5f015638.50f9.ffff8806@mx.gmail.com>
Message-ID: <20060327164423.50331.qmail@web52901.mail.yahoo.com>

--- Alex wrote:

> [27/Mar/2006:14:14:07 +0000] NSMMReplicationPlugin - agmt="cn="Replication
> to nodo2.domain.example.com"" (nodo2:636): Simple bind failed, LDAP sdk
> error 91 (Can't connect to the LDAP server), Netscape Portable Runtime error
> -5961 (TCP connection reset by peer.)

it doesn't look like nodo2 is listening on 636.. can you run

telnet nodo2 636

does that return anything?

> According with that suggested from Susan...I configured in a cluster in both
> nodes Fedora DS in the same manner; both are named ldap.domain.example.com;
> this is for working with ip take over; in fact I configured an Ip that point
> to ldap.domain.example.com.

wait, so both servers have the same name? meaning, if you run hostname on either server, hostname returns the same thing?

also, if you think mmr.pl is the problem, comment out these two lines:

# add replication agreements
#add_rep_agreement($host1, $host2, $repmanpw);
#add_rep_agreement($host2, $host1, $repmanpw);

that'll make mmr.pl do all the heavy work of setting up the configs and then you can add the rep agreements from the UI, step by step, according to the manual. run the modified mmr.pl, just regular run and then load the console and start step by step. tail -f the logs while you're doing it, you'll see the replication kick in in real time.

From mont.rothstein at gmail.com Mon Mar 27 17:08:24 2006
From: mont.rothstein at gmail.com (Mont Rothstein)
Date: Mon, 27 Mar 2006 09:08:24 -0800
Subject: [Fedora-directory-users] Re: Problem adding user
In-Reply-To: <1143260516.31170.107.camel@lin-workstation.azapple.com>
References: <467a83630603210855p5dbfddb3oa7688265401b9de1@mail.gmail.com> <467a83630603241026r1f22b3c1p1a0e0206d89322f6@mail.gmail.com> <1143260516.31170.107.camel@lin-workstation.azapple.com>
Message-ID: <467a83630603270908w2a19d007v37a4ea0b6c333e7@mail.gmail.com>

Thank you for your reply.

I grabbed the migration scripts from http://www.padl.com/download/ because I wanted to avoid installing openldap when all I needed was the scripts.

Looking at the source the kerberosSecurityObject is inserted as long as there is a default realm, though the extended schema does cause a problem with mail related values (see below).

It sounds like what I was missing is the fact that editing the migration scripts is expected. I was under the impression that if my migration didn't work it was a mistake I had made.

After commenting out the following items in the password_migration script my admin user finally added:

- mailRoutingAddress
- mailHost
- inetLocalMailRecipient
- kerberosSecurityObject
- krbName

Is not having these in my schema common/normal?

Thanks,
-Mont

On 3/24/06, Craig White wrote:
>
> On Fri, 2006-03-24 at 10:26 -0800, Mont Rothstein wrote:
> > A suggestion was made that I should add the contents of my
> > sambaAdmin.ldif file to this post. They are below.
> >
> > The kerberosSecurityObject isn't in my schema, so thus the error. But
> > why did migrate_password.pl put that in my ldif? Is there a config
> > option somewhere that should be switched to disable Kerberos or do I
> > just need to manually edit the ldif and delete the offending line?
> >
> > Thanks,
> > -Mont
> >
> >
> > dn: uid=Administrator,ou=People,dc=forayadams,dc=foray,dc=com
> > uid: Administrator
> > cn: Samba Admin
> > givenName: Samba
> > sn: Admin
> > mail: Administrator at forayadams.foray.com
> > mailRoutingAddress: Administrator at mail.forayadams.foray.com
> > mailHost: mail.forayadams.foray.com
> > objectClass: inetLocalMailRecipient
> > objectClass: person
> > objectClass: organizationalPerson
> > objectClass: inetOrgPerson
> > objectClass: posixAccount
> > objectClass: top
> > objectClass: kerberosSecurityObject
> > userPassword: {crypt}x
> > krbName: Administrator at FORAYADAMS.FORAY.COM
> > loginShell: /bin/bash
> > uidNumber: 0
> > gidNumber: 0
> > homeDirectory: /root
> > gecos: Samba Admin
> ----
> the option of course is yours.
>
> If you read through the source within the padl migration scripts (I'm
> assuming that you used the ones installed by openldap-server package
> from the distribution, you will probably notice how and why it is put
> there...presumably because you have chosen to use an extended schema.
>
> I think the object is to test, tune, test, tune until you get what you
> want from the migration scripts.
>
> I suspect the reasons no one else answered this question was that the
> source isn't part of FDS, the DSA setup will be as you design it to be
> and the source is lightweight and should be simple enough to comprehend
> and adjust as needed.
>
> Craig

From mj at sci.fi Mon Mar 27 16:07:24 2006
From: mj at sci.fi (Mike Jackson)
Date: Mon, 27 Mar 2006 19:07:24 +0300
Subject: [Fedora-directory-users] SSL problem on replication!
In-Reply-To: <442805ab.5f015638.50f9.ffff8806@mx.gmail.com>
References: <442805ab.5f015638.50f9.ffff8806@mx.gmail.com>
Message-ID: <44280DBC.9090701@sci.fi>

Alex wrote:
>
> Some news on my situation...finally I solved the problem about initialized
> ssl failed as explained in my previous post....I maked exactly the same
> thing but in a fresh install and now the certificate are present.
>

The mmr.pl script does not configure an SSL enabled LDAP service, it configures replication.

You must first have an SSL LDAP service working before you attempt to configure SSL replication, with mmr.pl or the admin console.

BR,
--
mike

From magobin at gmail.com Mon Mar 27 17:16:42 2006
From: magobin at gmail.com (Alex)
Date: Mon, 27 Mar 2006 19:16:42 +0200
Subject: [Fedora-directory-users] SSL problem on replication!
In-Reply-To: <20060327164423.50331.qmail@web52901.mail.yahoo.com>
Message-ID: <44281dfe.5a81ebf1.50f9.ffffa017@mx.gmail.com>

> wait, so both servers have the same name? meaning, if you
> run hostname on either server, hostname returns the same thing?
>

No, nodo1 is 10.23.5.252 and nodo2 is 10.23.5.253, but in cluster suite I configured an Ip-service (10.23.5.250); with this ip I configured DS...in DNS I configured 10.23.5.250 that points to ldap.domain.example.com; then I configured during DS setup that both DS point to ldap.domain.example.com..so the configurations are exactly the same!...in clear works but with ssl....

> also, if you think mmr.pl is the problem, comment out these two lines:
>
> # add replication agreements
> #add_rep_agreement($host1, $host2, $repmanpw);
> #add_rep_agreement($host2, $host1, $repmanpw);
>

I don't know if this is the problem...I can try...otherwise...the only solution that I thought of is to configure DS on their real hostname (nodo1 and nodo2) and then in DNS via round robin configure an ldap entry that points to both nodo1 and nodo2...but in this way I don't solve ip issue!

Thanks in advance!
Alex

From magobin at gmail.com Mon Mar 27 17:23:41 2006
From: magobin at gmail.com (Alex)
Date: Mon, 27 Mar 2006 19:23:41 +0200
Subject: [Fedora-directory-users] SSL problem on replication!
In-Reply-To: <44280DBC.9090701@sci.fi>
Message-ID: <44281fa0.373ad0ec.0e8f.0916@mx.gmail.com>

> The mmr.pl script does not configure an SSL enabled LDAP
> service, it configures replication.
>
> You must first have an SSL LDAP service working before you
> attempt to configure SSL replication, with mmr.pl or the
> admin console.
>
>

The problem is that DS doesn't report any error now after configuring SSL...I have correctly installed the certificate according to the documentation...plus today I spent 3 hours trying to understand why I wasn't able to configure ssl following step by step the documentation and howto...the problem was maybe a DS corruption after a lot of tests...because after I uninstalled it and reinstalled..when I configured SSL on a fresh install everything worked.

So...at this time for me the problem is not ssl but something about resolution in my particular configuration about DS on cluster system

Regards
Alex

From craigwhite at azapple.com Mon Mar 27 17:34:13 2006
From: craigwhite at azapple.com (Craig White)
Date: Mon, 27 Mar 2006 10:34:13 -0700
Subject: [Fedora-directory-users] Re: Problem adding user
In-Reply-To: <467a83630603270908w2a19d007v37a4ea0b6c333e7@mail.gmail.com>
References: <467a83630603210855p5dbfddb3oa7688265401b9de1@mail.gmail.com> <467a83630603241026r1f22b3c1p1a0e0206d89322f6@mail.gmail.com> <1143260516.31170.107.camel@lin-workstation.azapple.com> <467a83630603270908w2a19d007v37a4ea0b6c333e7@mail.gmail.com>
Message-ID: <1143480853.10498.234.camel@lin-workstation.azapple.com>

On Mon, 2006-03-27 at 09:08 -0800, Mont Rothstein wrote:
> Thank you for your reply.
>
> I grabbed the migration scripts from http://www.padl.com/download/
> because I wanted to avoid installing openldap when all I needed was
> the scripts.
>
> Looking at the source the kerberosSecurityObject is inserted as long
> as there is a default realm, though the extended schema does cause a
> problem with mail related values (see below).
>
> It sounds like what I was missing is the fact that editing the
> migration scripts is expected. I was under the impression that if my
> migration didn't work it was a mistake I had made.
>
> After commenting out the following items in the password_migration
> script my admin user finally added:
>
> * mailRoutingAddress
> * mailHost
> * inetLocalMailRecipient
> * kerberosSecurityObject
> * krbName
>
> Is not having these in my schema common/normal?
----
I don't know what is common - I think the issue is that it is your DSA and you should be able to configure the desired attributes and eliminate the attributes that aren't desired - I think that is the point of the migration scripts in general.

Thus you should be able to take a flat file such as /etc/passwd, using the padl migration scripts output it into whatever form you desire for your directory.

Craig
----
>
> Thanks,
> -Mont
>
> On 3/24/06, Craig White wrote:
> On Fri, 2006-03-24 at 10:26 -0800, Mont Rothstein wrote:
> > A suggestion was made that I should add the contents of my
> > sambaAdmin.ldif file to this post. They are below.
> >
> > The kerberosSecurityObject isn't in my schema, so thus the
> error. But
> > why did migrate_password.pl put that in my ldif? Is there a
> config
> > option somewhere that should be switched to disable Kerberos
> or do I
> > just need to manually edit the ldif and delete the offending
> line?
> > > > Thanks, > > -Mont > > > > > > dn: > uid=Administrator,ou=People,dc=forayadams,dc=foray,dc=com > > uid: Administrator > > cn: Samba Admin > > givenName: Samba > > sn: Admin > > mail: Administrator at forayadams.foray.com > > mailRoutingAddress: Administrator at mail.forayadams.foray.com > > mailHost: mail.forayadams.foray.com > > objectClass: inetLocalMailRecipient > > objectClass: person > > objectClass: organizationalPerson > > objectClass: inetOrgPerson > > objectClass: posixAccount > > objectClass: top > > objectClass: kerberosSecurityObject > > userPassword: {crypt}x > > krbName: Administrator at FORAYADAMS.FORAY.COM > > loginShell: /bin/bash > > uidNumber: 0 > > gidNumber: 0 > > homeDirectory: /root > > gecos: Samba Admin > ---- > the option of course is yours. > > If you read through the source within the padl migration > scripts (I'm > assuming that you used the ones installed by openldap-server > package > from the distribution, you will probably notice how and why it > is put > there...presumably because you have chosen to use an extended > schema. > > I think the object is to test, tune, test, tune until you get > what you > want from the migration scripts. > > I suspect the reasons no one else answered this question was > that the > source isn't part of FDS, the DSA setup will be as you design > it to be > and the source is lightweight and should be simple enough to > comprehend > and adjust as needed. > > Craig > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users From mj at sci.fi Mon Mar 27 16:33:11 2006 From: mj at sci.fi (Mike Jackson) Date: Mon, 27 Mar 2006 19:33:11 +0300 Subject: [Fedora-directory-users] SSL problem on replication! 
In-Reply-To: <44281fa0.373ad0ec.0e8f.0916@mx.gmail.com>
References: <44281fa0.373ad0ec.0e8f.0916@mx.gmail.com>
Message-ID: <442813C7.3060706@sci.fi>

Alex wrote:
>
> The problem is that DS doesn't report any error now after configuring
> SSL...I have correctly installed certificate according with
> documentation...plus today I spent 3 hours on understand why I didn't able
> to configure ssl following step by step the documentation and howto...the
> problem was maybe a DS corruption after a lot of tests...because after
> unistalled it and reinstall..when i configured SSl on fresh install
> everything worked.

If you are not able to connect to every one of your servers with SSL, then you are not able to configure SSL replication between them. Get the SSL LDAP service working before trying to do anything else with it.

--
mike

From gholbert at broadcom.com Mon Mar 27 17:41:42 2006
From: gholbert at broadcom.com (George Holbert)
Date: Mon, 27 Mar 2006 09:41:42 -0800
Subject: [Fedora-directory-users] Re: Problem adding user
In-Reply-To: <467a83630603270908w2a19d007v37a4ea0b6c333e7@mail.gmail.com>
References: <467a83630603210855p5dbfddb3oa7688265401b9de1@mail.gmail.com> <467a83630603241026r1f22b3c1p1a0e0206d89322f6@mail.gmail.com> <1143260516.31170.107.camel@lin-workstation.azapple.com> <467a83630603270908w2a19d007v37a4ea0b6c333e7@mail.gmail.com>
Message-ID: <442823D6.90902@broadcom.com>

>
>
> * mailRoutingAddress
> * mailHost
> * inetLocalMailRecipient
> * kerberosSecurityObject
> * krbName
>
> Is not having these in my schema common/normal?

I'm sure there's plenty of directories out there that don't maintain these attributes on account objects. If all you want to do is import the UNIX /etc/passwd attributes, you definitely don't need these.

Mont Rothstein wrote:
> Thank you for your reply.
>
> I grabbed the migration scripts from http://www.padl.com/download/
> because I wanted to avoid installing openldap when all I needed was
> the scripts.
> > Looking at the source the kerberosSecurityObject is inserted as long > as there is a default realm, though the extended schema does cause a > problem with mail related values (see below). > > It sounds like what I was missing is the fact that editing the > migration scripts is expected. I was under the impression that if my > migration didn't work it was a mistake I had made. > > After commenting out the following items in the password_migration > script my admin user finally added: > > * mailRoutingAddress > * mailHost > * inetLocalMailRecipient > * kerberosSecurityObject > * krbName > > > Is not having these in my schema common/normal? > > Thanks, > -Mont/ > / > On 3/24/06, *Craig White* < craigwhite at azapple.com > > wrote: > > On Fri, 2006-03-24 at 10:26 -0800, Mont Rothstein wrote: > > A suggestion was made that I should add the contents of my > > sambaAdmin.ldif file to this post. They are below. > > > > The kerberosSecurityObject isn't in my schema, so thus the > error. But > > why did migrate_password.pl put that in my ldif? Is there a config > > option somewhere that should be switched to disable Kerberos or do I > > just need to manually edit the ldif and delete the offending line? 
> > > > Thanks, > > -Mont > > > > > > dn: uid=Administrator,ou=People,dc=forayadams,dc=foray,dc=com > > uid: Administrator > > cn: Samba Admin > > givenName: Samba > > sn: Admin > > mail: Administrator at forayadams.foray.com > > > mailRoutingAddress: Administrator at mail.forayadams.foray.com > > > mailHost: mail.forayadams.foray.com > > > objectClass: inetLocalMailRecipient > > objectClass: person > > objectClass: organizationalPerson > > objectClass: inetOrgPerson > > objectClass: posixAccount > > objectClass: top > > objectClass: kerberosSecurityObject > > userPassword: {crypt}x > > krbName: Administrator at FORAYADAMS.FORAY.COM > > > loginShell: /bin/bash > > uidNumber: 0 > > gidNumber: 0 > > homeDirectory: /root > > gecos: Samba Admin > ---- > the option of course is yours. > > If you read through the source within the padl migration scripts (I'm > assuming that you used the ones installed by openldap-server package > from the distribution, you will probably notice how and why it is put > there...presumably because you have chosen to use an extended schema. > > I think the object is to test, tune, test, tune until you get what you > want from the migration scripts. > > I suspect the reasons no one else answered this question was that the > source isn't part of FDS, the DSA setup will be as you design it to be > and the source is lightweight and should be simple enough to > comprehend > and adjust as needed. 
>
> Craig

From mont.rothstein at gmail.com Mon Mar 27 17:57:59 2006
From: mont.rothstein at gmail.com (Mont Rothstein)
Date: Mon, 27 Mar 2006 09:57:59 -0800
Subject: [Fedora-directory-users] Re: Problem adding user
In-Reply-To: <442823D6.90902@broadcom.com>
References: <467a83630603210855p5dbfddb3oa7688265401b9de1@mail.gmail.com> <467a83630603241026r1f22b3c1p1a0e0206d89322f6@mail.gmail.com> <1143260516.31170.107.camel@lin-workstation.azapple.com> <467a83630603270908w2a19d007v37a4ea0b6c333e7@mail.gmail.com> <442823D6.90902@broadcom.com>
Message-ID: <467a83630603270957g6a9bc371i10c7449c80c4d2b8@mail.gmail.com>

Thanks to both of you. It is hard to know when changing something is acceptable and when there is a deeper problem.

On to the next issue.

-Mont

From logastellus at yahoo.com Mon Mar 27 18:51:08 2006
From: logastellus at yahoo.com (Susan)
Date: Mon, 27 Mar 2006 10:51:08 -0800 (PST)
Subject: [Fedora-directory-users] SSL problem on replication!
In-Reply-To: <44281dfe.5a81ebf1.50f9.ffffa017@mx.gmail.com>
Message-ID: <20060327185108.9603.qmail@web52903.mail.yahoo.com>

--- Alex wrote:

>
> > wait, so both servers have the same name? meaning, if you
> > run hostname on either server, hostname returns the same thing?
> >
>
> No, nodo1 is 10.23.5.252 and nodo2 is 10.23.5.253, but in cluster suite I
> configured a Ip-service (10.23.5.250); with this ip I configured DS...in DNS
> I cofigured 10.23.5.250 that point to ldap.domain.example.com; then I
> configured during DS setup that both DS point to ldap.domain.example.com..so
> the configurations are exactly the same!...in clear works but with ssl....

well, can you successfully query BOTH DSs with ldapsearch -ZZ, with their real IPs? If you cannot do that, then like Mike J said, no replication will ever happen.

In fact, because the floating IP will only reside on 1 server at a time but you configured both FDSs to listen on that IP, which will not exist on one of the servers, it's a problem. Plus, you don't have to do that. Make FDS listen on its OWN REAL IP and keep your floating cluster setup the same way. That way, any clients will talk to the floating IP but the FDS is really listening on any interface:

tcp 0 0 *:ldaps *:* LISTEN

which means that even if a packet arrives to a floating IP and FDS is listening on a real IP, it'll pick it up anyway. This way, replication will always happen to real IPs and there is no dependency on the cluster IP for replication (it's not needed, obviously)

> I don't know if this is the problem...I can try...otherwise...the only
> solution that I thought is to configure DS on their real hostname (nodo1 and
> nodo2) and then in DNS via round robin configure a ldap entry that point
> both nodo1 and nodo2...but in this way I don't solve ip issue!

not needed! No DNS round robin, that's lame. although if you're using dns RR, then there is no IP issue -- you're not talking to an IP.

From clonay at free.fr Mon Mar 27 23:01:45 2006
From: clonay at free.fr (Yann)
Date: Mon, 27 Mar 2006 18:01:45 -0500
Subject: [Fedora-directory-users] Rename or Hide o=NetscapeRoot
Message-ID: <1143500505.44286ed9544be@imp1-g19.free.fr>

Hi all,

I have, again, a curious question :-) ;

Is it possible to rename o=NetscapeRoot to something else like o=MyRoot ?

And/or, is it possible to hide the entry o=NetscapeRoot from unprivileged users ? I have an ACL on it to deny read inside, but the "o=NetscapeRoot" stays visible when an anonymous user browses with an LDAP browser, for example.

Thanks !

Yann

From rmeggins at redhat.com Mon Mar 27 23:13:41 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 27 Mar 2006 16:13:41 -0700
Subject: [Fedora-directory-users] Rename or Hide o=NetscapeRoot
In-Reply-To: <1143500505.44286ed9544be@imp1-g19.free.fr>
References: <1143500505.44286ed9544be@imp1-g19.free.fr>
Message-ID: <442871A5.908@redhat.com>

Yann wrote:
> Hi all,
>
> I've, again, a curious question :-) ;
>
> It's possible to rename o=NetscapeRoot ? to something else like o=MyRoot ?
>

It's possible only with some serious code-fu, and it's not something we're likely going to do in the near future.

> And/or, it's possible to hide the entry o=NetscapeRoot from unpriviligied users
> ? I've ACL on it to deny read inside, but, the "o=NetscapeRoot" stay visible
> when anonymous user browse with an LDAP browser for example.
>

The console requires anonymous search/read access on o=netscaperoot in order to log in. This is so you can just type in "admin" for your user name instead of "uid=admin,cn=Administrators,ou=TopologyManagement,o=NetscapeRoot". However, if you don't mind typing in the latter every time you authenticate to the console or to admin express, you should be able to remove that anonymous access aci.

> Thanks !
>
> Yann

From gholbert at broadcom.com Mon Mar 27 23:12:15 2006
From: gholbert at broadcom.com (George Holbert)
Date: Mon, 27 Mar 2006 15:12:15 -0800
Subject: [Fedora-directory-users] Rename or Hide o=NetscapeRoot
In-Reply-To: <1143500505.44286ed9544be@imp1-g19.free.fr>
References: <1143500505.44286ed9544be@imp1-g19.free.fr>
Message-ID: <4428714F.6060402@broadcom.com>

I don't think renaming o=NetscapeRoot is a good idea. What is it you want to do?

If you just want to prevent people from browsing it, you're on the right track with setting up some ACIs. If it can be browsed anonymously, there's some ACI that's allowing this. Look for "allow (anyone)" ACIs on o=NetscapeRoot.

Yann wrote:
> Hi all,
>
> I've, again, a curious question :-) ;
>
> It's possible to rename o=NetscapeRoot ? to something else like o=MyRoot ?
>
> And/or, it's possible to hide the entry o=NetscapeRoot from unprivileged users
> ? I've ACL on it to deny read inside, but, the "o=NetscapeRoot" stay visible
> when anonymous user browse with an LDAP browser for example.
>
> Thanks !
>
> Yann

From magobin at gmail.com Tue Mar 28 08:58:18 2006
From: magobin at gmail.com (Alex aka Magobin)
Date: Tue, 28 Mar 2006 10:58:18 +0200
Subject: [Fedora-directory-users] SSL problem on replication!
In-Reply-To: <20060323164331.97322.qmail@web52911.mail.yahoo.com>
References: <20060323164331.97322.qmail@web52911.mail.yahoo.com>
Message-ID: <1143536298.7813.21.camel@localhost.localdomain>

As suggested, I checked if ssl worked....to test it I did a fresh install and I corrected the problem about node, now each node use its real address and name (I moved in future cluster configuration)...About SSL I exactly follow documentation and your tips...according with SSL howto in fedora wiki directory, I follow it until "Importing the CA cert into another Fedora DS"...after that:

- in console I activated ssl for my directory.
- I restarted directory server
- In log I can see that now slapd listening on all interfaces on port 389 and port 636 for LDAPS requests.

Unfortunately, when I try :

ldapsearch -ZZ -h nodo1.domain.example.com -b "dc=domain,dc=example,dc=com" -s sub "objectclass=*"

the answer is:

SSL initialization failed: error -8174 (security library:bad database)

..but in log...nothing

I tried also to erase db and following the link below to make it

http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1087158

From alex at darkhonor.com Tue Mar 28 10:21:57 2006
From: alex at darkhonor.com (Alex Ackerman)
Date: Tue, 28 Mar 2006 05:21:57 -0500
Subject: [Fedora-directory-users] Question on FDS Usage
In-Reply-To: <44280C7F.7040301@redhat.com>
References: <1143331472.18950.12.camel@seth.darkhonor.net> <002b01c6506e$1dde4b50$4bfdf00a@chunky> <44280C7F.7040301@redhat.com>
Message-ID: <1143541317.30978.5.camel@seth.darkhonor.net>

Thank you both for your assistance. I tried the new ldapadd statement and received the following error:

adding new entry "cn=schema"
ldap_add: Object class violation (65)
        additional info: missing required attribute "objectclass"

Not having any more info than this, I tried placing the schema in the schema directory.
Upon restart I received the following error:

[root at bastet slapd-bastet]# ./restart-slapd
[28/Mar/2006:05:07:49 -0500] dse - The entry cn=schema in file /opt/fedora-ds/slapd-bastet/config/schema/60openxchange.ldif is invalid, error code 20 (Type or value exists) - attribute type url: Does not match the OID "1.1.2.1.1.45". Another attribute type is already using the name or OID.
[28/Mar/2006:05:07:50 -0500] dse - Please edit the file to correct the reported problems and then restart the server.

The line that caused this in 60openxchange.ldif is:

attributeTypes: (
  1.1.2.1.1.45
  NAME ( 'url' )
  DESC 'Users business Homepage'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  )

It is conflicting with the following line in 50ns-legacy.ldif:

attributeTypes: ( url-oid NAME 'url' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Legacy' )

For kicks, I commented out the following lines and the server started up.

#attributeTypes: ( url-oid NAME 'url' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Legacy' )
#objectClasses: ( nsLegacyServer-oid NAME 'nsLegacyServer' DESC 'Netscape defined objectclass' SUP netscapeServer MAY ( nsServerID $ url ) X-ORIGIN 'Netscape Legacy' )

Now, the real question: what are these definitions for and have I done something I'm going to regret later? Is there a better solution assuming that I can't modify the schema for OpenXChange?

Thank you,
Alex

On Mon, 2006-03-27 at 09:02 -0700, Richard Megginson wrote:
> George Holbert wrote:
> >> I then tried:
> >> Code:
> >> [root at bastet ~]# ldapadd -x -D "cn=Directory
> >> Manager,dc=domain,dc=net" -h localhost -W -f openxchange.ldif2
> >> Enter LDAP Password:
> >> ldap_bind: No such object (32)
> >> matched DN: dc=domain,dc=net
> >
> > This is close, you just need to use the right DN for the Directory
> > Manager. Try:
> > ldapadd -x -D "cn=Directory Manager" ...
> >
> > Directory Manager is a special DN that doesn't exist inside your suffix.
> You can also just copy your schema file into the config/schema directory
> and restart the server e.g. cp openxchange.ldif2
> slapd-instance/config/schema/60openxchange.ldif
> >
> > ----- Original Message ----- From: "Alex Ackerman"
> > To:
> > Sent: Saturday, March 25, 2006 4:04 PM
> > Subject: [Fedora-directory-users] Question on FDS Usage
> >
> >> Ok, this may seem like old hat to some of you, but I'm feeling like I'm
> >> playing stump the dummy with my computer. I am trying to modify my
> >> directory's schema to add support for Open-XChange. I have a schema file
> >> that I have converted to FDS format from the shipped OpenLDAP format
> >> (thanks to tools on the Fedora Directory Server site), but I can't seem
> >> to add this to the server. I first tried:
> >>
> >> Code:
> >> [root at bastet ~]# ldapmodify -h localhost -x -f openxchange.ldif2
> >> modifying entry "cn=schema"
> >> ldap_modify: Insufficient access (50)
> >> additional info: Insufficient 'write' privilege to the
> >> 'attributeTypes' attribute of entry 'cn=schema'.
> >>
> >> I then tried:
> >> Code:
> >> [root at bastet ~]# ldapadd -x -D "cn=Directory
> >> Manager,dc=domain,dc=net" -h localhost -W -f openxchange.ldif2
> >> Enter LDAP Password:
> >> ldap_bind: No such object (32)
> >> matched DN: dc=domain,dc=net
> >>
> >> As you can see, I'm getting really stumped. What is the right command
> >> that I'm missing? I'm new to the directory server realm and this has
> >> been my attempt at trying to learn. Thanks for any assistance you can
> >> provide.
> >>
> >> Alex
> >>
> >> An excerpt of the schema follows:
> >> #
> >> ################################################################################
> >> #
> >> dn: cn=schema
> >> #
> >> ################################################################################
> >> #
> >> attributeTypes: (
> >> 1.1.2.1.1.1
> >> NAME ( 'mailEnabled' )
> >> DESC 'Is the user enabled or not, for pam_ldap,postfix etc.
> >> filtering...'
> >> EQUALITY caseIgnoreMatch
> >> SUBSTR caseIgnoreSubstringsMatch
> >> SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768}
> >> SINGLE-VALUE
> >> )
> >> #
> >> ################################################################################
> >> #
> >> attributeTypes: (
> >> 1.1.2.1.1.2
> >> NAME ( 'alias' )
> >> DESC 'email alias'
> >> EQUALITY caseIgnoreMatch
> >> SUBSTR caseIgnoreSubstringsMatch
> >> SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768}
> >> )
> >> #
> >> ################################################################################
> >> #
> >> attributeTypes: (
> >> 1.1.2.1.1.3
> >> NAME ( 'imapServer' )
> >> DESC 'Users Imap Server'
> >> EQUALITY caseIgnoreMatch
> >> SUBSTR caseIgnoreSubstringsMatch
> >> SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768}
> >> SINGLE-VALUE
> >> )
> >> ...
From msmedeus at csc.com Tue Mar 28 14:43:23 2006
From: msmedeus at csc.com (Michael Smedeus)
Date: Tue, 28 Mar 2006 15:43:23 +0100
Subject: [Fedora-directory-users] Bind FDS to one specific ip-address
In-Reply-To: <4407074B.4090505@redhat.com>
Message-ID:

Hi,

I'm trying to bind FDS 1.0.2 on Fedora Core 4 to only listen to one specific ip-address on the regular 389 port. The machine has one physical interface, eth0, with two virtual interfaces eth0 and eth0:1 with different IP and subnets. IP on interface eth0 is already used for an OpenLDAP proxy that must not be interfered.
I can't find any solution in the documentation or FAQs. And tests on a testserver with a similar setup hasn't helped out much.

Is it possible to configure FDS to only listen to eth0:1 port 389 without interfering with eth0 port 389?

My best
M.Smed?us

From rmeggins at redhat.com Tue Mar 28 15:05:29 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 28 Mar 2006 08:05:29 -0700
Subject: [Fedora-directory-users] Bind FDS to one specific ip-address
In-Reply-To:
References:
Message-ID: <442950B9.5060004@redhat.com>

If the two interfaces have different IP addresses, you can use the attribute nsslapd-listenhost in cn=config e.g. in dse.ldif:

dn: cn=config
....
nsslapd-listenhost: 192.168.1.1

There is also an nsslapd-securelistenhost if you want to do the same for your SSL port.

Michael Smedeus wrote:
>
> Hi,
>
> I'm trying to bind FDS 1.0.2 on Fedora Core 4 to only listen to one
> specific ip-address on the regular 389 port. The machine has one physical
> interface, eth0, with two virtual interfaces eth0 and eth0:1 with different
> IP and subnets. IP on interface eth0 is already used for an OpenLDAP proxy
> that must not be interfered.
> I can't find any solution in the documentation or FAQs. And tests on a
> testserver with a similar setup hasn't helped out much.
>
> Is it possible to configure FDS to only listen to eth0:1 port 389 without
> interfering with eth0 port 389?
>
> My best
> M.Smed?us

From rmeggins at redhat.com Tue Mar 28 15:06:55 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 28 Mar 2006 08:06:55 -0700
Subject: [Fedora-directory-users] Question on FDS Usage
In-Reply-To: <1143541317.30978.5.camel@seth.darkhonor.net>
References: <1143331472.18950.12.camel@seth.darkhonor.net> <002b01c6506e$1dde4b50$4bfdf00a@chunky> <44280C7F.7040301@redhat.com> <1143541317.30978.5.camel@seth.darkhonor.net>
Message-ID: <4429510F.5060409@redhat.com>

Alex Ackerman wrote:
> Thank you both for your assistance. I tried the new ldapadd statement
> and received the following error:
>
> adding new entry "cn=schema"
> ldap_add: Object class violation (65)
> additional info: missing required attribute "objectclass"
>
> Not having any more info than this, I tried placing the schema in the
> schema directory. Upon restart I received the following error:
>
> [root at bastet slapd-bastet]# ./restart-slapd
> [28/Mar/2006:05:07:49 -0500] dse - The entry cn=schema in
> file /opt/fedora-ds/slapd-bastet/config/schema/60openxchange.ldif is
> invalid, error code 20 (Type or value exists) - attribute type url: Does
> not match the OID "1.1.2.1.1.45". Another attribute type is already
> using the name or OID.
> [28/Mar/2006:05:07:50 -0500] dse - Please edit the file to correct the
> reported problems and then restart the server.
>
> The line that caused this in 60openxchange.ldif is:
>
> attributeTypes: (
> 1.1.2.1.1.45
> NAME ( 'url' )
> DESC 'Users business Homepage'
> EQUALITY caseIgnoreMatch
> SUBSTR caseIgnoreSubstringsMatch
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
> )
>
> It is conflicting with the following line in 50ns-legacy.ldif:
> attributeTypes: ( url-oid NAME 'url' DESC 'Netscape defined attribute
> type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Legacy' )
>
> For kicks, I commented out the following lines and the server started
> up.
>
> #attributeTypes: ( url-oid NAME 'url' DESC 'Netscape defined attribute
> type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Legacy' )
> #objectClasses: ( nsLegacyServer-oid NAME 'nsLegacyServer' DESC
> 'Netscape defined objectclass' SUP netscapeServer MAY ( nsServerID $
> url ) X-ORIGIN 'Netscape Legacy' )
>
> Now, the real question: what are these definitions for and have I done
> something I'm going to regret later? Is there a better solution
> assuming that I can't modify the schema for OpenXChange?
>

No, that's fine. Most of the 50ns-*.ldif schema is old, legacy schema that can be safely removed or commented out.

> Thank you,
> Alex
From logastellus at yahoo.com Tue Mar 28 15:08:41 2006
From: logastellus at yahoo.com (Susan)
Date: Tue, 28 Mar 2006 07:08:41 -0800 (PST)
Subject: [Fedora-directory-users] SSL problem on replication!
In-Reply-To: <1143536298.7813.21.camel@localhost.localdomain>
Message-ID: <20060328150841.26759.qmail@web52906.mail.yahoo.com>

--- Alex aka Magobin wrote:

> As suggested, I checked if ssl worked....to test it I did a fresh
> install and I corrected the problem about node, now each node use its
> real address and name (I moved in future cluster configuration)...

Do a fresh install. Shut the server down and tarball the /opt/fedora-ds directory, stash somewhere safe. It helped me a lot because whenever I would screw something up, I would just rm -fr /opt/fedora-ds; tar xvf fedora.bkup.tar and I'd have a fresh good install ready to test again. That way you don't have to go thru the whole rpm -e, rpm -Uvh, setup business.

Then run this (make sure you have noise.txt and pwdfile.txt):

run it from /opt/fedora-ds/alias :

#!/bin/sh
# Create a new cert/key database in the current directory (password read from pwdfile.txt).
../shared/bin/certutil -N -d . -f pwdfile.txt
# Generate a key pair, seeding the generator from noise.txt.
../shared/bin/certutil -G -d . -z noise.txt -f pwdfile.txt
# Self-signed (-x) CA certificate, serial 1000, valid for 120 months.
../shared/bin/certutil -S -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d . -z noise.txt -f pwdfile.txt
# Server certificate signed by the CA above (-c), serial 1001.
../shared/bin/certutil -S -n "Server-Cert" -s "cn=server-cert" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d . -z noise.txt -f pwdfile.txt
echo moving key..
# Rename the databases to the slapd-<instance>- prefix and leave symlinks under the old names.
mv key3.db slapd-node1-key3.db
mv cert8.db slapd-node1-cert8.db
ln -s slapd-node1-key3.db key3.db
ln -s slapd-node1-cert8.db cert8.db
echo pk..
# Export the server certificate and its key to a PKCS#12 file.
../shared/bin/pk12util -d . -P slapd-node1- -o servercert.pfx -n Server-Cert

(replace node1 with your hostname)

Then when you enable SSL, the certificate should appear in the window. Choose your server cert and then it'll all work.
I had to script the above because like you, it took me about 5 tries to get it going correctly.

btw, I had to use different noise/password files for each server's cert. Not sure why, perhaps something else I was doing wrong...

From rmeggins at redhat.com Tue Mar 28 15:10:36 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 28 Mar 2006 08:10:36 -0700
Subject: [Fedora-directory-users] SSL problem on replication!
In-Reply-To: <1143536298.7813.21.camel@localhost.localdomain>
References: <20060323164331.97322.qmail@web52911.mail.yahoo.com> <1143536298.7813.21.camel@localhost.localdomain>
Message-ID: <442951EC.9040507@redhat.com>

Alex aka Magobin wrote:
> As suggested, I checked if ssl worked....to test it I did a fresh
> install and I corrected the problem about node, now each node use its
> real address and name (I moved in future cluster configuration)...About
> SSL I exactly follow documentation and your tips...according with SSL
> howto in fedora wiki directory, I follow it until "Importing the CA cert
> into another Fedora DS"...after that:
>
> - in console I activated ssl for my directory.
> - I restarted directory server
> - In log I can see that now slapd listening on all interfaces on port
> 389 and port 636 for LDAPS requests.
>
> Unfortunately, when I try :
>
> ldapsearch -ZZ -h nodo1.domain.example.com -b
> "dc=domain,dc=example,dc=com" -s sub "objectclass=*"
>
> the answer is:
>
> SSL initialization failed: error -8174 (security library:bad database)
>

The instructions at http://directory.fedora.redhat.com/wiki/Howto:SSL#Configure_LDAP_clients refer to /usr/bin/ldapsearch and other openldap clients (e.g. pam_ldap, nss_ldap, other system LDAP usage). We do not have instructions for using /opt/fedora-ds/shared/bin/ldapsearch with SSL (but we should).
I suggest following the instructions at the link specified above and use /usr/bin/ldapsearch to test SSL.

> ..but in log...nothing
>
> I tried also to erase db and following the link below to make it
>
> http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1087158
>

If you want to just start over from scratch, I suggest using the setup_ssl.sh script found here - http://directory.fedora.redhat.com/wiki/Howto:SSL#Script

From matteo at sif.it Tue Mar 28 15:24:21 2006
From: matteo at sif.it (Matteo Centonza)
Date: Tue, 28 Mar 2006 17:24:21 +0200 (CEST)
Subject: [Fedora-directory-users] nsAdminAccessHosts
Message-ID:

Hi,

after adding a single ip address to the list of allowed hosts/domains for admin-server i can't log in anymore.

The change was made through the console:

from e.g.:
configuration.nsAdminAccessHosts: *.example.com

to:
configuration.nsAdminAccessHosts: (*.example.com|185.118.64.237)

Trying to connect from both addresses, i receive an error, corresponding in the admin-serv access log file to a pattern mismatch.

My question is: how can i reset this value?

Thanks in advance,

-m

From msmedeus at csc.com Tue Mar 28 15:22:13 2006
From: msmedeus at csc.com (Michael Smedeus)
Date: Tue, 28 Mar 2006 16:22:13 +0100
Subject: [Fedora-directory-users] Re: Bind FDS to one specific ip-address
Message-ID:

Hi Richard,

That solved it, thank you very much for quick response.

My best
M.Smed?us

From rmeggins at redhat.com Tue Mar 28 15:45:02 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 28 Mar 2006 08:45:02 -0700
Subject: [Fedora-directory-users] nsAdminAccessHosts
In-Reply-To:
References:
Message-ID: <442959FE.6070001@redhat.com>

Matteo Centonza wrote:
> Hi,
>
> after adding a single ip address to the list of allowed hosts/domains
> for admin-server i can't log in anymore.
>
> The change was made through the console:
>
> from e.g.:
> configuration.nsAdminAccessHosts: *.example.com
>
> to:
> configuration.nsAdminAccessHosts: (*.example.com|185.118.64.237)
>
> Trying to connect from both addresses, i receive an error, corresponding
> in the admin-serv access log file to a pattern mismatch.
>
> My question is: how can i reset this value?
>

See http://directory.fedora.redhat.com/wiki/Howto:AdminServerLDAPMgmt#How_to_set_the_hosts.2FIP_addresses_allowed_to_access_the_Admin_Server

However, there is a bug when using Addresses instead of hosts - see https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=183925

> Thanks in advance,
>
> -m

From magobin at gmail.com Tue Mar 28 15:53:41 2006
From: magobin at gmail.com (Alex)
Date: Tue, 28 Mar 2006 17:53:41 +0200
Subject: [Fedora-directory-users] SSL problem on replication!
In-Reply-To: <442951EC.9040507@redhat.com>
Message-ID: <44295c08.529a1a9d.644a.fffffefe@mx.gmail.com>

> If you want to just start over from scratch, I suggest using
> the setup_ssl.sh script found here -
> http://directory.fedora.redhat.com/wiki/Howto:SSL#Script
>

Today I did it too...no one error...I did it in nodo1 and according with it, it generates a cacert.asc that I can export to node2...in node2 I run(under alias)

../shared/bin/certutil -L -d . -P slapd-nodo1- -n "CA certificate" -a > cacert.asc

...after that it imports certificate...but if I go in console and manage certificates...I see this certificate in CA cert and not in Server Certs...so I can't enable ssl on nodo2...

Is it the correct way?

Alex

From magobin at gmail.com Tue Mar 28 16:03:56 2006
From: magobin at gmail.com (Alex)
Date: Tue, 28 Mar 2006 18:03:56 +0200
Subject: [Fedora-directory-users] SSL problem on replication!
In-Reply-To: <20060328150841.26759.qmail@web52906.mail.yahoo.com>
Message-ID: <44295e6e.592f5f68.2158.527d@mx.gmail.com>

> run it from /opt/fedora-ds/alias :
>
> #!/bin/sh
> ../shared/bin/certutil -N -d . -f pwdfile.txt
> ../shared/bin/certutil -G -d . -z noise.txt -f pwdfile.txt
> ../shared/bin/certutil -S -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d . -z noise.txt -f pwdfile.txt
> ../shared/bin/certutil -S -n "Server-Cert" -s "cn=server-cert" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d . -z noise.txt -f pwdfile.txt
> echo moving key..
>
> mv key3.db slapd-node1-key3.db
> mv cert8.db slapd-node1-cert8.db
> ln -s slapd-node1-key3.db key3.db
> ln -s slapd-node1-cert8.db cert8.db
> echo pk..
> ../shared/bin/pk12util -d . -P slapd-node1- -o servercert.pfx -n Server-Cert
>
> (replace node1 with your hostname)

Ciao Susan....I did 3(!!!) fresh installation and the script above is exactly what I did today...only I replace "cn=Server-Cert" with my fqdn, according with documentation...after that I export .asc to second server (nodo2) as doc says...so, in this way in nodo1, where I run the script above I can see certificate in Server CA under console/manage Certificate; in nodo2, after :

../shared/bin/certutil -A -d . -P slapd-nodo2- -n "CA certificate" -t "CT,," -a -i cacert.asc

I can see in console/manage certificate...only in CA certs and not in Server certs..so in nodo2 I'm not able to use certificate for use ssl encryption.

> btw, I had to use different noise/password files for each server's cert. Not sure why, perhaps something else I was doing wrong...

Uhm...what does it mean?....you run script in each server?

Regards
Alex

From rmeggins at redhat.com Tue Mar 28 16:06:41 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 28 Mar 2006 09:06:41 -0700
Subject: [Fedora-directory-users] SSL problem on replication!
In-Reply-To: <44295c08.529a1a9d.644a.fffffefe@mx.gmail.com>
References: <44295c08.529a1a9d.644a.fffffefe@mx.gmail.com>
Message-ID: <44295F11.8010808@redhat.com>

Alex wrote:
>> If you want to just start over from scratch, I suggest using
>> the setup_ssl.sh script found here -
>> http://directory.fedora.redhat.com/wiki/Howto:SSL#Script
>>
>
> Today I did it too...no one error...I did it in nodo1 and according with it,
> it generates a cacert.asc that I can export to node2...in node2 I run(under
> alias)
>
> ../shared/bin/certutil -L -d . -P slapd-nodo1- -n "CA certificate" -a > cacert.asc
>
> ...after that it imports certificate...but if I go in console and manage
> certificates...I see this certificate in CA cert and not in Server
> Certs...so I can't enable ssl on nodo2...
>

Because cacert.asc is a CA certificate, not a Server Certificate.

> Is it the correct way?
>
> Alex

From magobin at gmail.com Tue Mar 28 16:23:11 2006
From: magobin at gmail.com (Alex)
Date: Tue, 28 Mar 2006 18:23:11 +0200
Subject: [Fedora-directory-users] SSL problem on replication!
In-Reply-To: <44295F11.8010808@redhat.com>
Message-ID: <442962f5.41a3e97d.4e99.ffffcfa5@mx.gmail.com>

> Because cacert.asc is a CA certificate, not a Server Certificate.

MA porc(/(&$"?%/$"(?&%?)....you are in right...now I'm at home, but I have a VMWARE version of my test here and I want to try.....

Only one thing: SSL HOWTO in the fedora wiki says:

"Exporting the CA cert for use with other apps
Now that you have your server cert, client applications will need to be able to verify that cert when connecting to the server.
In order to do that, the SSL client must have the CA cert to verify that the cert presented by the SSL server is valid. This includes server to server communication such as replication. In this case, the replication supplier is the SSL client, and the consumer is the SSL server. "

Thanks...

Alex

From logastellus at yahoo.com Tue Mar 28 16:24:32 2006
From: logastellus at yahoo.com (Susan)
Date: Tue, 28 Mar 2006 08:24:32 -0800 (PST)
Subject: [Fedora-directory-users] SSL problem on replication!
In-Reply-To: <44295c08.529a1a9d.644a.fffffefe@mx.gmail.com>
Message-ID: <20060328162432.50058.qmail@web52905.mail.yahoo.com>

--- Alex wrote:

> ...after that it imports certificate...but if I go in console and manage
> certificates...I see this certificate in CA cert and not in Server
> Certs...so I can't enable ssl on nodo2...
>
> Is it the correct way?

Well, no. The reason why you don't see ssl server cert on nodo2 is because you never created it!

From rmeggins at redhat.com Tue Mar 28 16:34:10 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 28 Mar 2006 09:34:10 -0700
Subject: [Fedora-directory-users] SSL problem on replication!
In-Reply-To: <442962f5.41a3e97d.4e99.ffffcfa5@mx.gmail.com>
References: <442962f5.41a3e97d.4e99.ffffcfa5@mx.gmail.com>
Message-ID: <44296582.8090206@redhat.com>

Alex wrote:
>> Because cacert.asc is a CA certificate, not a Server Certificate.
>>
>
> MA porc(/(&$"?%/$"(?&%?)....you are in right...now I'm at home, but I have
> a VMWARE version of my test here and I want to try.....
>
> Only one thing: SSL HOWTO in the fedora wiki says:
>
> "Exporting the CA cert for use with other apps
> Now that you have your server cert, client applications will need to be able
> to verify that cert when connecting to the server.
In order to do that, the > SSL client must have the CA cert to verify that the cert presented by the > SSL server is valid. This includes server to server communication such as > replication. In this case, the replication supplier is the SSL client, and > the consumer is the SSL server. " > Yes. The SSL client apps need the CA cert - during the SSL handshake process, the client receives the SSL server cert and needs to verify it using the CA cert that signed the SSL server cert. > > Thanks... > > Alex > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From magobin at gmail.com Tue Mar 28 16:52:43 2006 From: magobin at gmail.com (Alex) Date: Tue, 28 Mar 2006 18:52:43 +0200 Subject: [Fedora-directory-users] SSL problem on replication! In-Reply-To: <20060328162432.50058.qmail@web52905.mail.yahoo.com> Message-ID: <442969df.3890da6a.68c0.ffffc1d4@mx.gmail.com> > well, no. The reason why you don't see ssl server cert on > nodo2 is because you never created it! > At this point i want to be sure that I understand correctly...I did 5 minutes ago exactly what you say in your previous post...now i have in window of nodo1 Server-Cert and Ca certificate...so in "Encryption tab" I checked "enable ssl for this server" and in certificate I used Server-Cert....at this point, to enable ssl on nodo2 what exactly have I to do? -Export Server-Cert on nodo2 -Run the script in nodo2 ...I 'm apologize but this is the first time that I use both Fedora DS and configuring SSL..and IMHO documentation is not very clear about this point! 
Thank's in advance Alex From rmeggins at redhat.com Tue Mar 28 17:07:46 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Tue, 28 Mar 2006 10:07:46 -0700 Subject: [Fedora-directory-users] SSL problem on replication! In-Reply-To: <442969df.3890da6a.68c0.ffffc1d4@mx.gmail.com> References: <442969df.3890da6a.68c0.ffffc1d4@mx.gmail.com> Message-ID: <44296D62.10508@redhat.com> Alex wrote: > > >> well, no. The reason why you don't see ssl server cert on >> nodo2 is because you never created it! >> >> > > At this point i want to be sure that I understand correctly...I did 5 > minutes ago exactly what you say in your previous post...now i have in > window of nodo1 Server-Cert and Ca certificate...so in "Encryption tab" I > checked "enable ssl for this server" and in certificate I used > Server-Cert....at this point, to enable ssl on nodo2 what exactly have I to > do? > > -Export Server-Cert on nodo2 > -Run the script in nodo2 > > ...I 'm apologize but this is the first time that I use both Fedora DS and > configuring SSL..and IMHO documentation is not very clear about this point! > I'm not sure, but I think what you need to do is to create another key/cert pair to have another Server Cert for your nodo2 directory server. And you are correct, this is not explicit in the documentation. Note: You should perform these steps using your original key/cert database because you are going to use your original CA key/cert to create a new server key/cert for nodo2. Step 1: This is the same as step 7 in the SSL HowTo - http://directory.fedora.redhat.com/wiki/Howto:SSL#Basic_Steps (with the caveat to use the FQDN in the cn of the server cert subject DN - in this case, use the FQDN of nodo2) You must use a different name (e.g. Server-Cert-nodo2 or something like that) when creating the cert Step 2: The DS on nodo2 needs both the key and cert that you have created, so you will need to export that information as a p12 file e.g. ./shared/bin/pk12util -d . 
-P slapd-serverID- -o servercertnodo2.pfx -n Server-Cert-nodo2 Step 3: You need to import this servercertnodo2.pfx file into the key/cert db on nodo2. After copying the file to the /opt/fedora-ds/alias directory on that machine: ../shared/bin/pk12util -d . -P slapd-nodo2- -i servercertnodo2.pfx -n Server-Cert You must specify the name as Server-Cert here in order to use the default SSL configuration. Step 4: Import your CA cert into slapd-nodo2 - you may need to copy cacert.asc to nodo2. Then ../shared/bin/certutil -A -d . -P slapd-nodo2- -n "CA certificate" -t "CT,," -a -i cacert.asc > Thank's in advance > > Alex > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From logastellus at yahoo.com Tue Mar 28 17:08:31 2006 From: logastellus at yahoo.com (Susan) Date: Tue, 28 Mar 2006 09:08:31 -0800 (PST) Subject: [Fedora-directory-users] SSL problem on replication! In-Reply-To: <442969df.3890da6a.68c0.ffffc1d4@mx.gmail.com> Message-ID: <20060328170831.32108.qmail@web52909.mail.yahoo.com> --- Alex wrote: > > > well, no. The reason why you don't see ssl server cert on > > nodo2 is because you never created it! > > > > At this point i want to be sure that I understand correctly...I did 5 > minutes ago exactly what you say in your previous post...now i have in > window of nodo1 Server-Cert and Ca certificate...so in "Encryption tab" I > checked "enable ssl for this server" and in certificate I used > Server-Cert....at this point, to enable ssl on nodo2 what exactly have I to > do? > > -Export Server-Cert on nodo2 no, export is only for MM replication. > -Run the script in nodo2 yes, do this only to enable SSL. THEN export. you must run the script on BOTH servers. 
SSL must work correctly on BOTH servers, before any replication is possible. __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com From logastellus at yahoo.com Tue Mar 28 16:22:16 2006 From: logastellus at yahoo.com (Susan) Date: Tue, 28 Mar 2006 08:22:16 -0800 (PST) Subject: [Fedora-directory-users] SSL problem on replication! In-Reply-To: <44295e6e.592f5f68.2158.527d@mx.gmail.com> Message-ID: <20060328162216.43982.qmail@web52908.mail.yahoo.com> --- Alex wrote: > Uhm...what does it mean?....you run script in each server? of course! each server will have its own certificate. OK, you have servers A & B. 1. Fresh install, run the scripts on both servers. 1a. verify that ssl works against BOTH servers with ldapsearch -ZZ -h A & -h B 2. export B's cert to a file 3. send it to A 4. import B's cert into A's database 5. enable replication voila. __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com From magobin at gmail.com Tue Mar 28 17:48:07 2006 From: magobin at gmail.com (Alex) Date: Tue, 28 Mar 2006 19:48:07 +0200 Subject: [Fedora-directory-users] SSL problem on replication! In-Reply-To: <20060328162216.43982.qmail@web52908.mail.yahoo.com> Message-ID: <442976da.759d1dbb.0f7d.5f3f@mx.gmail.com> > of course! > > each server will have its own certificate. OK, you have > servers A & B. > Answer to richard too... Ok, i tried..on my virtual....I run all command as you know..both in nodo1 and nodo2... Now..both have ssl enabled....but if I try to import CA certificate from nodo1 to nodo2 : ../shared/bin/certutil -A -d . 
-P slapd-nodo2- -n "CA certificate" -t "CT,," -a -i cacert.asc It says: Certutil-bin: could not obtain certificate from file: You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert Plus...as suggested from Susan I ran /usr/bin/ldapsearch -ZZ -h nodo1.... Ant it reports: Ldap_start_tls: Connect error (-11) additional info: Start TLS request accepted.Server willing to negotiate SSL. Alex From rmeggins at redhat.com Tue Mar 28 18:01:41 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Tue, 28 Mar 2006 11:01:41 -0700 Subject: [Fedora-directory-users] SSL problem on replication! In-Reply-To: <442976da.759d1dbb.0f7d.5f3f@mx.gmail.com> References: <442976da.759d1dbb.0f7d.5f3f@mx.gmail.com> Message-ID: <44297A05.70206@redhat.com> Alex wrote: > > >> of course! >> >> each server will have its own certificate. OK, you have >> servers A & B. >> >> > > Answer to richard too... > > Ok, i tried..on my virtual....I run all command as you know..both in nodo1 > and nodo2... > Now..both have ssl enabled....but if I try to import CA certificate from > nodo1 to nodo2 : > > ../shared/bin/certutil -A -d . -P slapd-nodo2- -n "CA certificate" -t "CT,," > -a -i cacert.asc > > It says: > > Certutil-bin: could not obtain certificate from file: You are attempting to > import a cert with the same issuer/serial as an existing cert, but that is > not the same cert > The problem with using the script is that, if you run it from a completely clean install, it will create a brand new CA cert. I think the script may be able to detect if you already have a CA cert. > Plus...as suggested from Susan I ran /usr/bin/ldapsearch -ZZ -h nodo1.... > Ant it reports: > > Ldap_start_tls: Connect error (-11) > additional info: Start TLS request accepted.Server willing > to negotiate SSL. 
> > Alex > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From logastellus at yahoo.com Tue Mar 28 18:08:25 2006 From: logastellus at yahoo.com (Susan) Date: Tue, 28 Mar 2006 10:08:25 -0800 (PST) Subject: [Fedora-directory-users] SSL problem on replication! In-Reply-To: <442976da.759d1dbb.0f7d.5f3f@mx.gmail.com> Message-ID: <20060328180825.6269.qmail@web52906.mail.yahoo.com> --- Alex wrote: > > > of course! > > > > each server will have its own certificate. OK, you have > > servers A & B. > > > > Answer to richard too... > > Ok, i tried..on my virtual....I run all command as you know..both in nodo1 > and nodo2... > Now..both have ssl enabled....but if I try to import CA certificate from > nodo1 to nodo2 : > > ../shared/bin/certutil -A -d . -P slapd-nodo2- -n "CA certificate" -t "CT,," > -a -i cacert.asc > > It says: > > Certutil-bin: could not obtain certificate from file: You are attempting to > import a cert with the same issuer/serial as an existing cert, but that is > not the same cert yea, that's what I was saying earlier. I think the problem is that identical scripts/noise/password files produce identical certs, I think. I had to change both noise & password on the 2nd server to produce a 2nd server cert which I could then import into the server A DB. __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com From magobin at gmail.com Tue Mar 28 19:18:57 2006 From: magobin at gmail.com (Alex) Date: Tue, 28 Mar 2006 21:18:57 +0200 Subject: [Fedora-directory-users] SSL problem on replication! 
In-Reply-To: <20060328180825.6269.qmail@web52906.mail.yahoo.com> Message-ID: <44298c24.1ae2cac0.644a.544d@mx.gmail.com> > yea, that's what I was saying earlier. I think the problem > is that identical scripts/noise/password files produce > identical certs, I think. I had to change both noise & > password on the 2nd server to produce a 2nd server cert which > I could then import into the server A DB. > Uff...it's a soap-opera :-)...so: For SUSAN: I tried to make a certificate from nodo2 changing both pwdfile.txt and noise.txt...importing CA certificate in nodo1 it return the same error...(same issuer/serial)...have you change only that? For RICHARD: I tried also to make a certificate for nodo2 from nodo1, but when I try to run Step 7 command, it return an error (same issuer/serial ) Plus..I want specify that when I said script before I intend the Susan script....that is all commands in sequence....I tried to run howto script today but with same outcome Thanks Alex From rmeggins at redhat.com Tue Mar 28 19:26:04 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Tue, 28 Mar 2006 12:26:04 -0700 Subject: [Fedora-directory-users] SSL problem on replication! In-Reply-To: <44298c24.1ae2cac0.644a.544d@mx.gmail.com> References: <44298c24.1ae2cac0.644a.544d@mx.gmail.com> Message-ID: <44298DCC.4070504@redhat.com> Alex wrote: > > >> yea, that's what I was saying earlier. I think the problem >> is that identical scripts/noise/password files produce >> identical certs, I think. I had to change both noise & >> password on the 2nd server to produce a 2nd server cert which >> I could then import into the server A DB. >> >> > > > Uff...it's a soap-opera :-)...so: > > For SUSAN: > > I tried to make a certificate from nodo2 changing both pwdfile.txt and > noise.txt...importing CA certificate in nodo1 it return the same > error...(same issuer/serial)...have you change only that? 
> > For RICHARD: > > I tried also to make a certificate for nodo2 from nodo1, but when I try to > run Step 7 command, it return an error (same issuer/serial ) > Ah yes - you must use a unique number for the -m argument. > Plus..I want specify that when I said script before I intend the Susan > script....that is all commands in sequence....I tried to run howto script > today but with same outcome > > > Thanks > Alex > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From logastellus at yahoo.com Tue Mar 28 19:33:08 2006 From: logastellus at yahoo.com (Susan) Date: Tue, 28 Mar 2006 11:33:08 -0800 (PST) Subject: [Fedora-directory-users] SSL problem on replication! In-Reply-To: <44298c24.1ae2cac0.644a.544d@mx.gmail.com> Message-ID: <20060328193308.96506.qmail@web52909.mail.yahoo.com> --- Alex wrote: > > > yea, that's what I was saying earlier. I think the problem > > is that identical scripts/noise/password files produce > > identical certs, I think. I had to change both noise & > > password on the 2nd server to produce a 2nd server cert which > > I could then import into the server A DB. > > > > > Uff...it's a soap-opera :-)...so: > > For SUSAN: > > I tried to make a certificate from nodo2 changing both pwdfile.txt and > noise.txt...importing CA certificate in nodo1 it return the same > error...(same issuer/serial)...have you change only that? hmm.. well, I actually have two different CA certs but my understanding is that I goofed there, you don't need to have 2 different CAs, only 1 will do. 2 server certs, 1 CA cert. at least, you've to change the cn= when you generate the server cert. THen sign both certs with the same CA cert. 
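
The layout described above (one CA, two server certs with different cn= values) and the issuer/serial collision the thread ran into, as an added example that is not part of the original messages. It uses openssl rather than NSS certutil so it runs without a Directory Server install, with -set_serial standing in for certutil's -m; the host names, file names and function names are assumptions, and every key and certificate is a throwaway sample generated in a temporary directory.

```shell
#!/bin/sh
# Added illustration (not from the thread): one CA signs two server certs.
# openssl stands in for NSS certutil; -set_serial plays the role of certutil -m.
# Host names and file names are constructed samples.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA with serial 1 (CA extensions come from the default openssl.cnf).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=CAcert" -set_serial 1 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# issue_cert NAME FQDN SERIAL: new key and cert for FQDN, signed by the CA.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/OU=Fedora Directory Server/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null &&
    openssl x509 -req -in "$WORK/$1.csr" -days 30 \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -set_serial "$3" \
        -out "$WORK/$1.pem" 2>/dev/null
}

# issuer_serial FILE: the (issuer, serial) pair that identifies a certificate.
issuer_serial() {
    openssl x509 -in "$1" -noout -issuer -serial | tr '\n' ' '
}

# fingerprint FILE: SHA-256 over the whole certificate.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# collides A B: true when A and B share issuer and serial but are different
# certificates, the condition behind the certutil import error in the thread.
collides() {
    [ "$(issuer_serial "$1")" = "$(issuer_serial "$2")" ] &&
    [ "$(fingerprint "$1")" != "$(fingerprint "$2")" ]
}

# chains_to_ca FILE: true when the cert verifies against the shared CA.
chains_to_ca() {
    openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1
}

make_ca
issue_cert nodo1     nodo1.example.com 3   # first server cert
issue_cert nodo2     nodo2.example.com 4   # unique serial under the same CA
issue_cert nodo2_bad nodo2.example.com 3   # serial reused from nodo1

for c in nodo2 nodo2_bad; do
    if collides "$WORK/nodo1.pem" "$WORK/$c.pem"; then
        echo "$c: same issuer/serial as nodo1 but not the same cert"
    elif chains_to_ca "$WORK/$c.pem"; then
        echo "$c: distinct serial, verifies against the shared CA"
    else
        echo "$c: does not verify against the shared CA"
    fi
done
```

Running the same comparison over every certificate exported from the key/cert databases of two servers shows whether a serial was reused before an import is attempted.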
__________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com From magobin at gmail.com Tue Mar 28 19:45:40 2006 From: magobin at gmail.com (Alex) Date: Tue, 28 Mar 2006 21:45:40 +0200 Subject: [Fedora-directory-users] SSL problem on replication! In-Reply-To: <20060328193308.96506.qmail@web52909.mail.yahoo.com> Message-ID: <44299268.294912b1.50f9.ffffb526@mx.gmail.com> > hmm.. well, I actually have two different CA certs but my > understanding is that I goofed there, you don't need to have > 2 different CAs, only 1 will do. 2 server certs, 1 CA cert. > > at least, you've to change the cn= when you generate the > server cert. THen sign both certs with the same CA cert. > Yes...I use m fqdn for that...and I tried to sign both with the same CA and different CA Alex From magobin at gmail.com Tue Mar 28 19:47:32 2006 From: magobin at gmail.com (Alex) Date: Tue, 28 Mar 2006 21:47:32 +0200 Subject: [Fedora-directory-users] SSL problem on replication! In-Reply-To: <44298DCC.4070504@redhat.com> Message-ID: <442992d7.6f351d30.2158.ffff8e91@mx.gmail.com> > Ah yes - you must use a unique number for the -m argument. Ok...changing that I can make a Server CA, but when I try to import in nodo2 db....it return: Pk12util-bin: PKCS12 decode import bags failed: error 0 Alex From rcritten at redhat.com Tue Mar 28 20:33:16 2006 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 28 Mar 2006 15:33:16 -0500 Subject: [Fedora-directory-users] SSL problem on replication! In-Reply-To: <44298DCC.4070504@redhat.com> References: <44298c24.1ae2cac0.644a.544d@mx.gmail.com> <44298DCC.4070504@redhat.com> Message-ID: <44299D8C.6050908@redhat.com> Richard Megginson wrote: > Alex wrote: > >> >> >> >>> yea, that's what I was saying earlier. I think the problem is that >>> identical scripts/noise/password files produce identical certs, I >>> think. 
I had to change both noise & password on the 2nd server to >>> produce a 2nd server cert which I could then import into the server A >>> DB. >>> >>> >> >> >> >> Uff...it's a soap-opera :-)...so: >> >> For SUSAN: >> >> I tried to make a certificate from nodo2 changing both pwdfile.txt and >> noise.txt...importing CA certificate in nodo1 it return the same >> error...(same issuer/serial)...have you change only that? >> >> For RICHARD: >> >> I tried also to make a certificate for nodo2 from nodo1, but when I >> try to >> run Step 7 command, it return an error (same issuer/serial ) >> > > Ah yes - you must use a unique number for the -m argument. > Ok, a few things. I don't know a lot about the script(s) being used to generate the certificates, but the noise file affects only the quality of the key generated, not the certificate itself. The idea of using noise is to seed the random number generator within NSS so you get a good key. The password file also is just a nice thing to have. You can have the same password anywhere you want, as long as your policy allows it. It also ultimately allows for unattended startup. If I understand it, you want to issue 2 server certs using the same CA. Here is what you need to do. You can do this all one one machine if you want, then move the database. I'm going to skip the -P argument for brevity, you can rename the database later. I'm also skipping the password and noise files. The difference is that you'll be prompted a few times for your PIN and to enter a bunch of keystrokes to seed the random number generator, no big deal. Note that I tend to use a lot of certificate extensions, so this may differ from the setupssl script. The serial number I'm using starts at 1. It doesn't really matter, as long as they are all unique. 1. Create a certificate database. # cd /opt/fedora-ds/alias # ../shared/bin/certutil -N -d . 2. Generate your self-signed CA # ../shared/bin/certutil -S -d . 
-n 'CA Certificate' -s 'cn=CAcert' -x -t CTu,CTu,CTu -g 1024 -m 1 -v 120 -2 -1 -5 (type in a bunch of characters) You will answer: 5 - Cert signing key 9 - finish n - not a critical extension y - yes CA cert 10 - path length y - critical extension 5 - SSL CA 6 - SSL S/MIME CA 7 - Object Signing CA 9 - finish n - not a critical extension 3. Generate server key and certificate for server #1 # ../shared/bin/certutil -R -d . -s 'CN=hostname.example.com,ou=Fedora Directory Server' -o tmpcertreq -g 1024 # ../shared/bin/certutil -C -d . -c "CA Certificate" -i tmpcertreq -o tmpcert.der -m 3 -v 120 -1 -5 You will answer: 2 - Key encipherment 9 - finish n - not a critical extension 1 - SSL server 9 - finish n - not a critical extension 4. Import the server certificate # ../shared/bin/certutil -A -d . -n "host.example.com" -t u,u,u -i tmpcert.der # rm tmpcert.der # rm tmpcertreq 5. Generate server key and certificate for server #2 # ../shared/bin/certutil -R -d . -s 'CN=hostname2.example.com,ou=Fedora Directory Server' -o tmpcertreq -g 1024 # ../shared/bin/certutil -C -d . -c "CA Certificate" -i tmpcertreq -o tmpcert.der -m 4 -v 120 -1 -5 You will answer: 2 - Key encipherment 9 - finish n - not a critical extension 1 - SSL server 9 - finish n - not a critical extension 6. Import the server certificate # ../shared/bin/certutil -A -d . -n "host2.example.com" -t u,u,u -i tmpcert.der # rm tmpcert.der # rm tmpcertreq 7. List your certs: # ../shared/bin/certutil -L -d . CA certificate CTu,Cu,Cu host.example.com u,u,u host2.example.com u,u,u 8. Verify your certificates just to be sure: # ../shared/bin/certutil -V -u V -d . -n host.example.com certutil-bin: certificate is valid # ../shared/bin/certutil -V -u V -d . -n host2.example.com certutil-bin: certificate is valid Now you have one certificate database with a self-signed CA and 2 server certificates. Now just copy this database to server #2. 
If you want you can remove the extra server cert from each of the database, so on server #1 you would do: # ../shared/bin/certutil -D -d . -n "host2.example.com" And on server #2 you would do: # ../shared/bin/certutil -D -d . -n "host.example.com" Now you can rename the database with your prefix and away you go. Create a pin file if you want. And finally, double check the file permissions! The database(s) need to be owned by the user that the server runs as and permissions should be 600. Hope this helps. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From magobin at gmail.com Wed Mar 29 08:28:54 2006 From: magobin at gmail.com (Alex aka Magobin) Date: Wed, 29 Mar 2006 10:28:54 +0200 Subject: [Fedora-directory-users] SSL problem on replication!...SOLVED ! In-Reply-To: <20060323164331.97322.qmail@web52911.mail.yahoo.com> References: <20060323164331.97322.qmail@web52911.mail.yahoo.com> Message-ID: <1143620934.7683.20.camel@localhost.localdomain> >Now you can rename the database with your prefix and away you go. > >Create a pin file if you want. > >And finally, double check the file permissions! The database(s) need to >be owned by the user that the server runs as and permissions should be >600. >Hope this helps. > >rob Thanks Rob...following your instruction now is possible to use ssl... IMHO...your post must begin a Faq or an Howto to configure basically ssl Thanks to Richard and Susan for patience and tips too :-)...I don't know why it doesn't work with your method...(exactly the same way as in doc) LAST CURIOSITY: Now works and I can make a replication with mmr.pl script...everything works...but in "Replication Status"..in console.. I can see consumer and supplier. 
This is from nodo1: Consumer: nodo1.domain.example.com:636 Supplier: nodo2.domain.example.com:389 This is from nodo2: Consumer: nodo2.domain.example.com:636 Supplier: nodo1.domain.example.com:389 ..is it correct port 389 in Supplier?....repeat...everything works...but I want to be sure that this replication is in encrypt mode!..in log no one error Thanks to all 4 patience and helps Alex From ahamino at gmail.com Wed Mar 29 12:36:03 2006 From: ahamino at gmail.com (Abdelrahman) Date: Wed, 29 Mar 2006 14:36:03 +0200 Subject: [Fedora-directory-users] FDS AD Sync Message-ID: Hi all, i have been playing with FDS for a couple of months now. My company has about many windows machines and the users are on stored ldap. and they want to control the access from the windows machines to the internet through 802.1x authentication and without having to purchase a third party client for them. up to my knowledge, windows doesn't support pap authentication and there isn't a way that ldap support mschapv2 authentication. While reading the documentation, i found out about the Pass sync. After struggling for a while, i was able to start SSL on the FDS and my AD, i installed pass sync on the windows machine and started a sync agreement policy on the FDS. Everything is working perfectly but i have the following problem: When i start the sync between the FDS and AD, the accounts synced become disabled by default of the AD, also, even when i enable them, their passwords aren't copied at the first time. I tried to enable a synced account and login on a machine in the domain, a message said that i am required to change the password for the first time, so i concluded that passwords weren't copied with the account! I thought that it was a policy on the windows domain controller, so i disabled all the policies on it, especially the passwords ones. I tried checking the logs but i don't know where to search or what for?! I don't know what to do? 
Regards Abdelrahman -------------- next part -------------- An HTML attachment was scrubbed... URL: From matteo at sif.it Wed Mar 29 14:25:08 2006 From: matteo at sif.it (Matteo Centonza) Date: Wed, 29 Mar 2006 16:25:08 +0200 (CEST) Subject: [Fedora-directory-users] fedora-ds FC5 rpm Message-ID: Hi, is there any chance of having FC5 rpm for fedora-ds 1.0.2? I know that i can build it my own but unfortunately in this particular test environment (FC5 under vmware server) there's a problem with dsbuild (gcc/vmware related). Thanks in advance, -m From logastellus at yahoo.com Wed Mar 29 15:11:40 2006 From: logastellus at yahoo.com (Susan) Date: Wed, 29 Mar 2006 07:11:40 -0800 (PST) Subject: [Fedora-directory-users] SSL problem on replication!...SOLVED ! In-Reply-To: <1143620934.7683.20.camel@localhost.localdomain> Message-ID: <20060329151140.30415.qmail@web52911.mail.yahoo.com> > This is from nodo1: > > Consumer: nodo1.domain.example.com:636 > Supplier: nodo2.domain.example.com:389 > > This is from nodo2: > > Consumer: nodo2.domain.example.com:636 > Supplier: nodo1.domain.example.com:389 I don't think this is a problem. As long as it arrives to a consumer on an encrypted port, you're fine. Still, I once had a case where everything looked right but once i sniffed the traffic, I could see people's info in cleartext. Turned out I made a mistake during early config. You must sniff the traffic to make sure you can't read anything. __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com From magobin at gmail.com Wed Mar 29 16:03:03 2006 From: magobin at gmail.com (Alex) Date: Wed, 29 Mar 2006 18:03:03 +0200 Subject: [Fedora-directory-users] SSL problem on replication!...SOLVED ! 
In-Reply-To: <20060329151140.30415.qmail@web52911.mail.yahoo.com> Message-ID: <442aafba.2f378c0f.50f5.1ead@mx.gmail.com> > Still, I once had a case where everything looked right but > once i sniffed the traffic, I could see people's info in > cleartext. Turned out I made a mistake during early config. > You must sniff the traffic to make sure you can't read anything. > This is my care....ok...I'll try to sniff traffic between server and client (of course...as soon as I'll configure at least one :-) Thanks Susan for your support ...now I have to study how to configure postfix to have authentication client from Fedora DS, but this is another story :-) Alex From ahamino at gmail.com Wed Mar 29 17:18:20 2006 From: ahamino at gmail.com (Abdelrahman) Date: Wed, 29 Mar 2006 19:18:20 +0200 Subject: [Fedora-directory-users] FDS AD Sync In-Reply-To: References: Message-ID: Hi all, i have been playing with FDS for a couple of months now. My company has about many windows machines and the users are on stored ldap. and they want to control the access from the windows machines to the internet through 802.1x authentication and without having to purchase a third party client for them. up to my knowledge, windows doesn't support pap authentication and there isn't a way that ldap support mschapv2 authentication. While reading the documentation, i found out about the Pass sync. After struggling for a while, i was able to start SSL on the FDS and my AD, i installed pass sync on the windows machine and started a sync agreement policy on the FDS. Everything is working perfectly but i have the following problem: When i start the sync between the FDS and AD, the accounts synced become disabled by default of the AD, also, even when i enable them, their passwords aren't copied at the first time. 
I tried to enable a synced account and login on a machine in the domain, a message said that i am required to change the password for the first time, so i concluded that passwords weren't copied with the account! I thought that it was a policy on the windows domain controller, so i disabled all the policies on it, especially the passwords ones. I tried checking the logs but i don't know where to search or what for?! I don't know what to do? Regards Abdelrahman -------------- next part -------------- An HTML attachment was scrubbed... URL: From logastellus at yahoo.com Wed Mar 29 18:31:17 2006 From: logastellus at yahoo.com (Susan) Date: Wed, 29 Mar 2006 10:31:17 -0800 (PST) Subject: [Fedora-directory-users] comment about setupssl.sh Message-ID: <20060329183117.93065.qmail@web52905.mail.yahoo.com> I was looking through the script from the wiki and I saw this line: ../shared/bin/certutil -S -n "Server-Cert" -s "cn=$myhost,ou=Fedora Directory Server" ..... Wouldn't it be better to change that to -n "`hostname`" or something like that because when you create certs for multiple servers, they all end up being called Server-Cert which causes confusion. What do you guys think? __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com From rmeggins at redhat.com Wed Mar 29 18:39:32 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Wed, 29 Mar 2006 11:39:32 -0700 Subject: [Fedora-directory-users] comment about setupssl.sh In-Reply-To: <20060329183117.93065.qmail@web52905.mail.yahoo.com> References: <20060329183117.93065.qmail@web52905.mail.yahoo.com> Message-ID: <442AD464.1070700@redhat.com> Susan wrote: > I was looking through the script from the wiki and I saw this line: > > ../shared/bin/certutil -S -n "Server-Cert" -s "cn=$myhost,ou=Fedora Directory Server" ..... 
> > Wouldn't it be better to change that to -n "`hostname`" or something like that because when you > create certs for multiple servers, they all end up being called Server-Cert which causes > confusion. > > What do you guys think? > setupssl.sh was created in order to create only 3 certs - the initial CA cert, the initial DS cert, and the initial AS cert. It uses Server-Cert for DS and server-cert for AS because that is what the defaults are for those servers. If you do not use those names (and the server cannot automatically discover an appropriate cert to use), you will have to change the server SSL configuration. There needs to be a script that you can use to generate multiple key/cert pairs for multiple hosts, using your CA key/cert. One solution would be to change setupssl.sh to accept a list of FQDNs for which to create DS and AS certs. Then you could just create all of the key/cert databases at once, and just copy them to the /opt/fedora-ds/alias directory on each machine. Another solution would be to change setupssl.sh to be run on each machine. The first time you run it on your first machine, it would create a key/cert db for the CA only in addition to key/cert dbs for the DS and the AS. Then you would just copy the CA key/cert db and the setupssl.sh script to each machine and run it there. > __________________________________________________ > Do You Yahoo!? > Tired of spam? Yahoo! Mail has the best spam protection around > http://mail.yahoo.com > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Wed Mar 29 18:40:24 2006 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 29 Mar 2006 13:40:24 -0500 Subject: [Fedora-directory-users] comment about setupssl.sh In-Reply-To: <20060329183117.93065.qmail@web52905.mail.yahoo.com> References: <20060329183117.93065.qmail@web52905.mail.yahoo.com> Message-ID: <442AD498.2010601@redhat.com> Susan wrote: > I was looking through the script from the wiki and I saw this line: > > ../shared/bin/certutil -S -n "Server-Cert" -s "cn=$myhost,ou=Fedora Directory Server" ..... > > Wouldn't it be better to change that to -n "`hostname`" or something like that because when you > create certs for multiple servers, they all end up being called Server-Cert which causes > confusion. > > What do you guys think? > > Server-Cert is a hold over from our Netscape days. It's been the default certificate nickname for all the products for as long as I can remember (so at least 8 years). This script seems designed to get one host setup for SSL, not to setup multiple servers (e.g. for MMR) each with their own server cert. It does provide a good basis for issuing multiple certs and demonstrates how to do it in a safe way (by not writing over databases, re-issuing certs with conflicting nicknames, etc). Ideally you will use a real CA to issue the server certificates. Self-signed CA's are bad, bad, bad. You don't want your users to get in the habit of accepting unknown server certificates (though I guess this applies more to web servers than LDAP servers). rob -------------- next part -------------- A non-text attachment was scrubbed... 

From magobin at gmail.com Wed Mar 29 18:55:01 2006
From: magobin at gmail.com (Alex)
Date: Wed, 29 Mar 2006 20:55:01 +0200
Subject: [Fedora-directory-users] comment about setupssl.sh
In-Reply-To: <20060329183117.93065.qmail@web52905.mail.yahoo.com>
Message-ID: <442ad805.1887578d.280b.03ef@mx.gmail.com>

> I was looking through the script from the wiki and I saw this line:
>
> ../shared/bin/certutil -S -n "Server-Cert" -s
> "cn=$myhost,ou=Fedora Directory Server" .....
>
> Wouldn't it be better to change that to -n "`hostname`" or
> something like that because when you create certs for
> multiple servers, they all end up being called Server-Cert
> which causes confusion.
>

Ciao Susan,
after so many troubles that you know..I think that your idea is useful....during my test I confuse it a lot of time...and I represent a classic newbie about it.
I pinpoint that running setupssl.sh on both server after a fresh install didn't resolve my problem...so I become doubtful about this way to generate ssl certificate

My opinion is that Rob post could become a faq or a miniHowto

Regards
Alex

From dshackel at arbor.edu Wed Mar 29 19:46:12 2006
From: dshackel at arbor.edu (Daniel Shackelford)
Date: Wed, 29 Mar 2006 14:46:12 -0500
Subject: [Fedora-directory-users] FDS AD Sync
Message-ID: <442AE404.1000200@arbor.edu>

I had some trouble myself with passwords from AD making it into FDS. Unfortunately no passwords are synced until they are changed on AD, which means that if you have a 7000 user base like we do, there are very few options for getting the passwords populated in FDS. PassSync uses a DLL to capture passwords in plain text during the set password process, and send them to FDS. This means that all those users that are synced magically when you set up replication, will not have passwords until they change their password on AD somehow.
We started collecting credentials from our proxy auth, and storing them for a massive import after a few months. The import went well (I can tell you the process if you like), but we still have 5000 accounts without passwords in FDS for off-site users, and those who should be pruned. Now we are looking at a web interface for handling these special cases (is it special when it affects the majority of your users?).

The PassSync that was distributed with FDS 7.1 did not give much info on what it was doing, and this led to an incorrect setup without knowing it was incorrect. If you use the most recent version, you can enable verbose logging, and see what is going on (it is a registry key under HKEY_Local_Machine->Software->PasswordSync->Log Level). It turned out that PassSync and FDS were not speaking to one another yet. I went through the key import process (pk12util + certutil), restarted the service, and away we went.

If you think you might be able to get the unix crypted passwords via msSFU (Microsoft Services for Unix), and populate FDS, you would be right, unless you are also wanting to synchronize those passwords. I tried it and blew out the password for every user on our domain, and had to recover from tape. The crypt is one-way, so once it is in FDS, you can successfully authenticate, but it looks like junk to the password sync code, and it ends up syncing junk to AD, which in turn, syncs junk back to FDS. Bad bad bad.

So it sounds like you may not have the PassSync service set up quite right, or you are expecting the passwords to be synced with the accounts, but they won't because that is not really what PassSync does. Either way you will have to address the issues of missing passwords in FDS. Do you have any secure way of collecting the credentials of users? A proxy/sniffer in front of your POP3 server? Just a suggestion.

--
Daniel Shackelford
Systems Administrator
Technology Services
Spring Arbor University
517 750-6648

"For even the Son of Man did not come to be served, but to serve, and to give His life a ransom for many" Mark 10:45

From logastellus at yahoo.com Wed Mar 29 20:48:56 2006
From: logastellus at yahoo.com (Susan)
Date: Wed, 29 Mar 2006 12:48:56 -0800 (PST)
Subject: [Fedora-directory-users] comment about setupssl.sh
In-Reply-To: <442AD464.1070700@redhat.com>
Message-ID: <20060329204856.52229.qmail@web52905.mail.yahoo.com>

--- Richard Megginson wrote:

> One solution would be to change setupssl.sh to accept a list of FQDNs
> for which to create DS and AS certs. Then you could just create all of
> the key/cert databases at once, and just copy them to the
> /opt/fedora-ds/alias directory on each machine.

yeah, this is a good idea. Because I don't know about other users but for me, creating certs is just 1 of the steps towards SSL encrypted client<->FDS comms & MMR.

Another thing is this. If you create your certs with FQDNs, doesn't that mean that all clients must refer to ldap server by FQDN? Because that's how it works in the web world. If I create/sign a cert for webserver and somebody goes to https://webserver.company.com it'll prompt the user, asking about this "new" cert, even though you're already trusting the CA that signed it. If that's the case, that would be pretty annoying because within a company, everybody always refers to hostnames, not fqdns (provided DNS works properly, obv.)

From logastellus at yahoo.com Wed Mar 29 21:07:01 2006
From: logastellus at yahoo.com (Susan)
Date: Wed, 29 Mar 2006 13:07:01 -0800 (PST)
Subject: [Fedora-directory-users] FDS & Red Hat Certificate System
Message-ID: <20060329210701.87091.qmail@web52912.mail.yahoo.com>

Hi, everyone.
I think this subject has been briefly raised before but I've more questions.

Can RHCS be used to hand out CA certs to Unix clients (linux/solaris)?
Has anybody done this?
RHCS doesn't seem to be opensourced. Is there a reliable free alternative?

The problem I'm trying to solve is that my CA cert is self-signed. I guess even if it weren't, the management is a little concerned about MITM attacks against the FDS, so we need a way to verify that the server saying that it's our FDS really is the FDS. Right now no certs are deployed on the clients, we're using them only for SSL traffic encryption.

What's the best way to go about doing this? I don't want to manually create/deploy dozens of certs for various clients. I also need a way to implement CRL somehow, in case a box is compromised.

Thank you.

From gholbert at broadcom.com Wed Mar 29 21:13:15 2006
From: gholbert at broadcom.com (George Holbert)
Date: Wed, 29 Mar 2006 13:13:15 -0800
Subject: [Fedora-directory-users] comment about setupssl.sh
In-Reply-To: <20060329204856.52229.qmail@web52905.mail.yahoo.com>
References: <20060329204856.52229.qmail@web52905.mail.yahoo.com>
Message-ID: <442AF86B.6060704@broadcom.com>

> If you create your certs with FQDNs, doesn't that mean that all clients
> must refer to ldap server by FQDN?

In general, the answer is "yes."
For example, Solaris' LDAP name service will not work unless the server name in the Solaris client config exactly matches the CN on the LDAP server certificate.

Some clients (like PADL's nss_ldap used in most Linuxes) can be configured to disable server cert verification. Or others just have it always turned off (Outlook Express). In these cases, you could get away with using a shortname or alias instead of the exact name listed in the CN. So it depends on the LDAP client apps you need to support.
Depending on your environment and requirements, you could technically use shortnames or aliases. But you're really better off using FQDNs in both the server cert and your client configs, if possible.

Of course, for non-SSL/TLS connections, no cert verification is involved, so you can use whatever name or alias you want for those.

Susan wrote:
> --- Richard Megginson wrote:
>
>> One solution would be to change setupssl.sh to accept a list of FQDNs
>> for which to create DS and AS certs. Then you could just create all of
>> the key/cert databases at once, and just copy them to the
>> /opt/fedora-ds/alias directory on each machine.
>>
>
> yeah, this is a good idea. Because I don't know about other users but for me, creating certs is
> just 1 of the steps towards SSL encrypted client<->FDS comms & MMR.
>
> Another thing is this. If you create your certs with FQDNs, doesn't that mean that all clients
> must refer to ldap server by FQDN? Because that's how it works in the web world. If I
> create/sign a cert for webserver and somebody goes to https://webserver.company.com it'll prompt
> the user, asking about this "new" cert, even though you're already trusting the CA that signed it.
> If that's the case, that would be pretty annoying because within a company, everybody always
> refers to hostnames, not fqdns (provided DNS works properly, obv.)

From gholbert at broadcom.com Wed Mar 29 21:27:53 2006
From: gholbert at broadcom.com (George Holbert)
Date: Wed, 29 Mar 2006 13:27:53 -0800
Subject: [Fedora-directory-users] FDS & Red Hat Certificate System
In-Reply-To: <20060329210701.87091.qmail@web52912.mail.yahoo.com>
References: <20060329210701.87091.qmail@web52912.mail.yahoo.com>
Message-ID: <442AFBD9.5030901@broadcom.com>

> ...the management is a little concerned about MITM attacks against the FDS, so we need a way to
> verify that the server saying that it's our FDS really is the FDS. Right now no certs are
> deployed on the clients, we're using them only for SSL traffic encryption.

If I'm interpreting your question right, I think you're already covered for this as long as:
- Your client apps do server cert verification.
- Your internal CA isn't compromised.
- Your cert/key DB files on your FDS servers haven't been compromised.

You shouldn't need to sign a new certificate for every client, you just need a copy of the CA certificate on each client.

Susan wrote:
> Hi, everyone. I think this subject has been briefly raised before but I've more questions.
>
> Can RHCS be used to hand out CA certs to Unix clients (linux/solaris)?
> Has anybody done this?
> RHCS doesn't seem to be opensourced. Is there a reliable free alternative?
>
> The problem I'm trying to solve is that my CA cert is self-signed. I guess even if it weren't,
> the management is a little concerned about MITM attacks against the FDS, so we need a way to
> verify that the server saying that it's our FDS really is the FDS. Right now no certs are
> deployed on the clients, we're using them only for SSL traffic encryption.
>
> What's the best way to go about doing this?
> I don't want to manually create/deploy dozens of
> certs for various clients. I also need a way to implement CRL somehow, in case a box is
> compromised.
>
> Thank you.

From rmeggins at redhat.com Wed Mar 29 21:40:03 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 29 Mar 2006 14:40:03 -0700
Subject: [Fedora-directory-users] FDS & Red Hat Certificate System
In-Reply-To: <20060329210701.87091.qmail@web52912.mail.yahoo.com>
References: <20060329210701.87091.qmail@web52912.mail.yahoo.com>
Message-ID: <442AFEB3.2090606@redhat.com>

Susan wrote:
> Hi, everyone. I think this subject has been briefly raised before but I've more questions.
>
> Can RHCS be used to hand out CA certs to Unix clients (linux/solaris)?
>
Yes. You go to the RHCS web interface, click "Get CA Cert Chain", and you can download or copy/paste the CA cert for use with client apps (or importing into your web browser or email program or etc.). This assumes you are using RHCS as your CA.
> Has anybody done this?
>
We used this extensively at Netscape.
> RHCS doesn't seem to be opensourced. Is there a reliable free alternative?
>
I don't know.
> The problem I'm trying to solve is that my CA cert is self-signed. I guess even if it weren't,
> the management is a little concerned about MITM attacks against the FDS, so we need a way to
> verify that the server saying that it's our FDS really is the FDS.
The only way to do this is to have a real FQDN as the cn of your server cert subject DN.
When the server presents its cert during the SSL handshake, the client can verify that the CA (whose cert you have in the client cert db) signed the server's cert, and that the hostname in subject DN in the server cert corresponds to the hostname that the server is on (reverse DNS lookup of the IP address of the server).
> Right now no certs are
> deployed on the clients, we're using them only for SSL traffic encryption.
>
Do you mean client cert auth?
> What's the best way to go about doing this? I don't want to manually create/deploy dozens of
> certs for various clients.
CA certs or client certs? For the CA cert problem, AFAIK, there is no way around it - you have to configure your clients to trust your CA one way or another. You can mitigate this somewhat by going through the process of getting a real CA cert from one of the trusted root CAs listed in your web browser or email client.
> I also need a way to implement CRL somehow, in case a box is
> compromised.
>
RHCS also implements CRL generation and publishing, and also supports OCSP. One of our engineers is developing a mod_revocator Apache module which will automatically get CRLs for Apache certificate status checking (for servers and clients).
> Thank you.

From logastellus at yahoo.com Wed Mar 29 21:43:40 2006
From: logastellus at yahoo.com (Susan)
Date: Wed, 29 Mar 2006 13:43:40 -0800 (PST)
Subject: [Fedora-directory-users] FDS & Red Hat Certificate System
In-Reply-To: <442AFBD9.5030901@broadcom.com>
Message-ID: <20060329214340.62005.qmail@web52910.mail.yahoo.com>

--- George Holbert wrote:
> You shouldn't need to sign a new certificate for every client, you just
> need a copy of the CA certificate on each client.

right. That's what I was wondering, is there a way to have all ldap clients to go to some url & download the CA cert or something like that.

From mj at sci.fi Wed Mar 29 21:43:58 2006
From: mj at sci.fi (Mike Jackson)
Date: Thu, 30 Mar 2006 00:43:58 +0300
Subject: [Fedora-directory-users] FDS & Red Hat Certificate System
In-Reply-To: <20060329210701.87091.qmail@web52912.mail.yahoo.com>
References: <20060329210701.87091.qmail@web52912.mail.yahoo.com>
Message-ID: <442AFF9E.3030702@sci.fi>

Susan wrote:

> Can RHCS be used to hand out CA certs to Unix clients (linux/solaris)?

Handing out CA certs to clients is simply a matter of copying the file to the client, and maybe entering it into the certificate database e.g. like the Netscape Communicator or FDS certdb.

> Is there a reliable free alternative?

OpenSSL is a free tool with all of the capabilities which are required to run a CA. I use it for all of my CA operations.

> The problem I'm trying to solve is that my CA cert is self-signed.

That is not a problem, it's a fact. Contrary to popular belief, self-signed CA certs are not bad when used company internal. In fact, there are many benefits compared to having all of your certs issued from a commercial CA.
Commercial server certs are for when you run public internet services and don't want your customers to see certificate questions. Why would they see certificate questions? Because their applications don't come bundled with your root CA cert...

When you control the network, you can deploy applications with your root CA cert already inserted, or you can simply deploy it to workstations with Tivoli or cfengine, etc. Your internal customers still don't see certificate questions.

> I guess even if it weren't, the management is a little concerned about
> MITM attacks against the FDS, so we need a way to verify that the server
> saying that it's our FDS really is the FDS.

No problem. Just issue the FDS server certs from your own CA, e.g. OpenSSL. Import your own root CA cert into FDS as well. Import your own root CA cert to your clients, e.g. linux, solaris. The clients will verify the FDS cert against their copy of the root CA cert.

> Right now no certs are deployed on the clients, we're using them only
> for SSL traffic encryption.
>
> What's the best way to go about doing this? I don't want to manually create/deploy dozens of
> certs for various clients. I also need a way to implement CRL somehow, in case a box is
> compromised.

Your clients don't need certificates, they only need a copy of your root CA cert - the same file for every client. You do not generally need to use "client authentication"; you really have to know what you are doing with PKI to know why you would want to use it. Clients generally do not need their own certs unless they are people and are doing S/MIME email.

It appears that you have fundamental misunderstandings of what a PKI is and does, and I suggest that you study the subject instead of using the learn-as-you-go ad-hoc network architecture method.

http://ospkibook.sourceforge.net/docs/OSPKI-2.4.7/OSPKI-html/ospki-book.htm
http://www.opengroup.org/messaging/G260/pki_tutorial.htm

Finally, as soon as I get time, I will update the SSL Howto.
I already have all of the scripts and methods for fully automated setup up FDS with a third-party CA, namely OpenSSL. Lack of time is the only reason why I haven't yet written it up on the wiki.

BR,
--
mike

From logastellus at yahoo.com Wed Mar 29 21:55:37 2006
From: logastellus at yahoo.com (Susan)
Date: Wed, 29 Mar 2006 13:55:37 -0800 (PST)
Subject: [Fedora-directory-users] FDS & Red Hat Certificate System
In-Reply-To: <442AFEB3.2090606@redhat.com>
Message-ID: <20060329215537.81311.qmail@web52905.mail.yahoo.com>

--- Richard Megginson wrote:

> Susan wrote:
> > Hi, everyone. I think this subject has been briefly raised before but I've more questions.
> >
> > Can RHCS be used to hand out CA certs to Unix clients (linux/solaris)?
> >
> Yes. You go to the RHCS web interface, click "Get CA Cert Chain", and
> you can download or copy/paste the CA cert for use with client apps (or
> importing into your web browser or email program or etc.). This assumes
> you are using RHCS as your CA.

well, I'm speaking strictly of ldap clients. Browsers I don't care about.

> > Has anybody done this?
> >
> We used this extensively at Netscape.

to automatically hand out CA certs to ldap clients upon request?

> > Right now no certs are
> > deployed on the clients, we're using them only for SSL traffic encryption.
> >
> Do you mean client cert auth?

well, no. We don't care whether the clients misrepresent themselves. We care if the FDS misrepresents itself.

> CA certs or client certs? For the CA cert problem, AFAIK, there is no
> way around it - you have to configure your clients to trust your CA one
> way or another. You can mitigate this somewhat by going through the
> process of getting a real CA cert from one of the trusted root CAs
> listed in your web browser or email client.

yea but what about ldap clients? AFAIK no ldap client implicitly trusts verisign or anything like that. So, even if I do get a real CA cert, will a plain vanilla FC4 install trust it? I'm guessing no....?

From rcritten at redhat.com Wed Mar 29 22:02:33 2006
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 29 Mar 2006 17:02:33 -0500
Subject: [Fedora-directory-users] FDS & Red Hat Certificate System
In-Reply-To: <442AFF9E.3030702@sci.fi>
References: <20060329210701.87091.qmail@web52912.mail.yahoo.com> <442AFF9E.3030702@sci.fi>
Message-ID: <442B03F9.90509@redhat.com>

Mike Jackson wrote:
> Susan wrote:
>
>> Can RHCS be used to hand out CA certs to Unix clients (linux/solaris)?
>
> Handing out CA certs to clients is simply a matter of copying the file
> to the client, and maybe entering it into the certificate database e.g.
> like the Netscape Communicator or FDS certdb.
>
>> Is there a reliable free alternative?
>
> OpenSSL is a free tool with all of the capabilities which are required
> to run a CA. I use it for all of my CA operations.
>
>> The problem I'm trying to solve is that my CA cert is self-signed.
>
> That is not a problem, it's a fact. Contrary to popular belief,
> self-signed CA certs are not bad when used company internal. In fact,
> there are many benefits compared to having all of your certs issued from
> a commercial CA. Commercial server certs are for when you run public
> internet services and don't want your customers to see certificate
> questions. Why would they see certificate questions? Because their
> applications don't come bundled with your root CA cert...

It really depends on where you are deploying SSL. If you are deploying certificates for web servers it is a real problem. The trouble is that unless there is a central authority, dozens of internal sites will each have their own CA, training users to blindly accept every unknown web server as ok. So when these same users encounter the situation outside of the intranet, well, you get the picture.
It opens up users to man-in-the-middle attacks.

> When you control the network, you can deploy applications with your root
> CA cert already inserted, or you can simply deploy it to workstations
> with Tivoli or cfengine, etc. Your internal customers still don't see
> certificate questions.
>
>> I guess even if it weren't, the management is a little concerned about
>> MITM attacks against the FDS, so we need a way to verify that the server
>> saying that it's our FDS really is the FDS.
>
> No problem. Just issue the FDS server certs from your own CA, e.g.
> OpenSSL. Import your own root CA cert into FDS as well. Import your own
> root CA cert to your clients, e.g. linux, solaris. The clients will
> verify the FDS cert against their copy of the root CA cert.
>
> Finally, as soon as I get time, I will update the SSL Howto. I already
> have all of the scripts and methods for fully automated setup up FDS
> with a third-party CA, namely OpenSSL. Lack of time is the only reason
> why I haven't yet written it up on the wiki.
>

Note that OpenSSL could introduce exactly the same problems that users have encountered trying to use NSS as a poor-man's CA, namely issuing multiple CA certificates for each server in the MMR. The solution here isn't the SSL library, it is the method in which it is used. NSS can easily handle these too and you can operate more directly on the certificate databases with it.

PKI is definitely not for the weak of heart but the illusion of security is worse than no security at all.

rob
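An added example, not from any poster in this thread: a shell audit of a PADL nss_ldap/pam_ldap style ldap.conf for the client-side conditions discussed here (server named by FQDN, a CA certificate configured, peer verification not switched off). The two sample configs are constructed, and `tls_checkpeer`, `tls_cacertdir` and `ssl` are nss_ldap/pam_ldap options that are not quoted on this page.

```shell
#!/bin/sh
# Added example: report ldap.conf settings that would let a client accept an
# impostor directory server. One finding per line; exit status 1 if any.

finding() { printf '%s\n' "$1"; findings=$((findings + 1)); }

audit_ldap_conf() {   # audit_ldap_conf FILE
    conf=$1 findings=0 cacert='' checkpeer='' servers='' tls=0
    while read -r key val; do
        case "$key" in ''|'#'*) continue ;; esac
        case "$(printf '%s' "$key" | tr 'A-Z' 'a-z')" in
            uri)  servers="$servers $val"
                  case "$val" in *ldaps://*) tls=1 ;; esac ;;
            host) servers="$servers $val" ;;
            ssl)  case "$val" in start_tls|on|yes) tls=1 ;; esac ;;
            tls_cacertfile|tls_cacertdir) cacert=$val ;;
            tls_checkpeer) checkpeer=$val ;;
        esac
    done < "$conf"

    # The name the client uses must be the name in the certificate CN.
    for s in $servers; do
        h=${s#*://}; h=${h%%[:/]*}          # strip scheme, port and path
        case "$h" in
            *.*) case "$h" in
                     *[!0-9.]*) ;;          # dotted host name, taken as FQDN
                     *) finding "server '$h' is an IP address, not the FQDN in the certificate CN" ;;
                 esac ;;
            *)   finding "server '$h' is a short name, not the FQDN in the certificate CN" ;;
        esac
    done

    [ "$tls" = 1 ] || finding "no ldaps:// URI and no 'ssl start_tls': no certificate is presented or checked"

    if [ -z "$cacert" ]; then
        finding "tls_cacertfile/tls_cacertdir not set: no CA certificate to verify the server against"
    elif [ ! -e "$cacert" ]; then
        finding "CA path '$cacert' does not exist on this client"
    fi

    case "$(printf '%s' "$checkpeer" | tr 'A-Z' 'a-z')" in
        no|off|false) finding "tls_checkpeer $checkpeer: server certificate verification is disabled" ;;
    esac

    [ "$findings" -eq 0 ]
}

# Constructed sample configs (not from the thread): weak beside corrected.
write_samples() {     # write_samples DIR
    dir=$1
    : > "$dir/cacert.pem"                   # stand-in for the deployed CA cert
    cat > "$dir/weak.conf" <<EOF
# constructed: short name, no CA file, verification off
uri ldaps://ldap1/
base dc=example,dc=com
tls_checkpeer no
EOF
    cat > "$dir/fixed.conf" <<EOF
# constructed: FQDN, CA file present, verification on
uri ldaps://ldap1.example.com/
base dc=example,dc=com
tls_checkpeer yes
tls_cacertfile $dir/cacert.pem
EOF
}

[ $# -eq 0 ] || audit_ldap_conf "$1"
```

Run as `sh audit.sh /etc/ldap.conf` on each client (the script name is arbitrary); an empty result means the three conditions hold for that file.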

From logastellus at yahoo.com Wed Mar 29 22:08:26 2006
From: logastellus at yahoo.com (Susan)
Date: Wed, 29 Mar 2006 14:08:26 -0800 (PST)
Subject: [Fedora-directory-users] FDS & Red Hat Certificate System
In-Reply-To: <442AFF9E.3030702@sci.fi>
Message-ID: <20060329220826.17566.qmail@web52902.mail.yahoo.com>

--- Mike Jackson wrote:
> > What's the best way to go about doing this? I don't want to manually create/deploy dozens of
> > certs for various clients. I also need a way to implement CRL somehow, in case a box is
> > compromised.
>
> Your clients don't need certificates, they only need a copy of your root
> CA cert - the same file for every client.

right, I think I was confused on that point. I meant to say that I don't want to deploy the CA cert to dozens of clients. So, forget the CRL, then...

Because we have about 60 servers total. Now, /etc/openldap/cacerts/ is writable by root only and I'd have to do some serious expect/perl scripting to ssh into every machine, accept the key, su - root, scp the CA cert, log out. I really don't want to do this if I don't have to.

So, are you saying I can use openSSL + linux openldap client to do this automagically?

From gholbert at broadcom.com Wed Mar 29 22:15:16 2006
From: gholbert at broadcom.com (George Holbert)
Date: Wed, 29 Mar 2006 14:15:16 -0800
Subject: [Fedora-directory-users] FDS & Red Hat Certificate System
In-Reply-To: <20060329215537.81311.qmail@web52905.mail.yahoo.com>
References: <20060329215537.81311.qmail@web52905.mail.yahoo.com>
Message-ID: <442B06F4.8090204@broadcom.com>

> ...to automatically hand out CA certs to ldap clients upon request?

There is no standard mechanism for this.
You have to manually copy CA certs to the location and in the format that each of your secure LDAP client apps expects.

> yea but what about ldap clients? AFAIK no ldap client implicitly trusts verisign or anything like
> that. So, even if I do get a real CA cert, will a plain vanilla FC4 install trust it? I'm
> guessing no....?

RedHat Linux in the past has come with a bundle of well-known CA certs in /usr/share/ssl/cert.pem. I haven't used FC4, but I'm guessing it has this too?

You would still need to configure LDAP client apps to know about this file.
Using PADL's pam_ldap/nss_ldap as an example, you would need to add:
tls_cacertfile /usr/share/ssl/cert.pem
...to /etc/ldap.conf.

Susan wrote:
> --- Richard Megginson wrote:
>
>> Susan wrote:
>>
>>> Hi, everyone. I think this subject has been briefly raised before but I've more questions.
>>>
>>> Can RHCS be used to hand out CA certs to Unix clients (linux/solaris)?
>>>
>> Yes. You go to the RHCS web interface, click "Get CA Cert Chain", and
>> you can download or copy/paste the CA cert for use with client apps (or
>> importing into your web browser or email program or etc.). This assumes
>> you are using RHCS as your CA.
>>
>
> well, I'm speaking strictly of ldap clients. Browsers I don't care about.
>
>>> Has anybody done this?
>>>
>> We used this extensively at Netscape.
>>
>
> to automatically hand out CA certs to ldap clients upon request?
>
>>> Right now no certs are
>>> deployed on the clients, we're using them only for SSL traffic encryption.
>>>
>> Do you mean client cert auth?
>>
>
> well, no. We don't care whether the clients misrepresent themselves. We care if the FDS
> misrepresents itself.
>
>> CA certs or client certs? For the CA cert problem, AFAIK, there is no
>> way around it - you have to configure your clients to trust your CA one
>> way or another.
>> You can mitigate this somewhat by going through the
>> process of getting a real CA cert from one of the trusted root CAs
>> listed in your web browser or email client.
>>
>
> yea but what about ldap clients? AFAIK no ldap client implicitly trusts verisign or anything like
> that. So, even if I do get a real CA cert, will a plain vanilla FC4 install trust it? I'm
> guessing no....?

From rmeggins at redhat.com Wed Mar 29 22:23:26 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 29 Mar 2006 15:23:26 -0700
Subject: [Fedora-directory-users] FDS & Red Hat Certificate System
In-Reply-To: <442B06F4.8090204@broadcom.com>
References: <20060329215537.81311.qmail@web52905.mail.yahoo.com> <442B06F4.8090204@broadcom.com>
Message-ID: <442B08DE.9060402@redhat.com>

George Holbert wrote:
>> ...to automatically hand out CA certs to ldap clients upon request?
>
> There is no standard mechanism for this. You have to manually copy CA
> certs to the location and in the format that each of your secure LDAP
> client apps expects.
>
>> yea but what about ldap clients? AFAIK no ldap client implicitly
>> trusts verisign or anything like
>> that. So, even if I do get a real CA cert, will a plain vanilla FC4
>> install trust it? I'm
>> guessing no....?
>
> RedHat Linux in the past has come with a bundle of well-known CA certs
> in /usr/share/ssl/cert.pem. I haven't used FC4, but I'm guessing it
> has this too?
>
> You would still need to configure LDAP client apps to know about this
> file.
> Using PADL's pam_ldap/nss_ldap as an example, you would need to add:
> tls_cacertfile /usr/share/ssl/cert.pem
> ...to /etc/ldap.conf.
In Fedora Core 5 this is in /etc/pki/tls/cert.pem:

# This is a bundle of X.509 certificates of public Certificate
# Authorities. It was generated from the Mozilla root CA list.
#
# Source: mozilla/security/nss/lib/ckfw/builtins/certdata.txt
#
# Generated from certdata.txt RCS revision 1.37
#
.....

> Susan wrote:
>> --- Richard Megginson wrote:
>>
>>> Susan wrote:
>>>
>>>> Hi, everyone. I think this subject has been briefly raised before
>>>> but I've more questions.
>>>>
>>>> Can RHCS be used to hand out CA certs to Unix clients (linux/solaris)?
>>>>
>>> Yes. You go to the RHCS web interface, click "Get CA Cert Chain",
>>> and you can download or copy/paste the CA cert for use with client
>>> apps (or importing into your web browser or email program or etc.).
>>> This assumes you are using RHCS as your CA.
>>>
>>
>> well, I'm speaking strictly of ldap clients. Browsers I don't care
>> about.
>>
>>>> Has anybody done this?
>>>>
>>> We used this extensively at Netscape.
>>>
>>
>> to automatically hand out CA certs to ldap clients upon request?
>>
>>>> Right now no certs are
>>>> deployed on the clients, we're using them only for SSL traffic
>>>> encryption.
>>> Do you mean client cert auth?
>>>
>>
>> well, no. We don't care whether the clients misrepresent
>> themselves. We care if the FDS
>> misrepresents itself.
>>
>>> CA certs or client certs? For the CA cert problem, AFAIK, there is
>>> no way around it - you have to configure your clients to trust your
>>> CA one way or another. You can mitigate this somewhat by going
>>> through the process of getting a real CA cert from one of the
>>> trusted root CAs listed in your web browser or email client.
>>>
>>
>> yea but what about ldap clients? AFAIK no ldap client implicitly
>> trusts verisign or anything like
>> that. So, even if I do get a real CA cert, will a plain vanilla FC4
>> install trust it? I'm
>> guessing no....?

From mchristianjr at gmail.com Wed Mar 29 23:49:25 2006
From: mchristianjr at gmail.com (Michael Christian)
Date: Wed, 29 Mar 2006 18:49:25 -0500
Subject: [Fedora-directory-users] Getting Started, POSIX accounts
Message-ID:

Hi guys. I've installed FDS and the setup is killing me. Essentially all I want to use it for is Posix accounts and groups and I'm having trouble with groups.

Getting user accounts is no problem, the attributes are already there, but posix groups are from scratch?

If someone could point me in the right direction, or send me a link I would appreciate it. I've combed through the RHDS documentation and not been able to find what I was looking for.

--
Michael

From logastellus at yahoo.com Thu Mar 30 01:12:32 2006
From: logastellus at yahoo.com (Susan)
Date: Wed, 29 Mar 2006 17:12:32 -0800 (PST)
Subject: [Fedora-directory-users] Getting Started, POSIX accounts
In-Reply-To:
Message-ID: <20060330011232.61431.qmail@web52905.mail.yahoo.com>

--- Michael Christian wrote:

> Hi guys. I've installed FDS and the setup is killing me. Essentially all I
> want to use it for is Posix accounts and groups and I'm having trouble with
> groups.
> > Getting user accounts is no problem, the attributes are aleady there, but > posix groups are from scratch? > > If someone could point me in the right direction, or send me a link I would > appreciate it. I've combed through the RHDS documentation and not been able > to find what I was looking for. Groups are easy, what are you having problems with? Just run migrate_group.pl script on /etc/group on a representative machine, that'll produce an LDIF you can import into your FDS. Verify that the dn is correct and load it in. It puts all posix groups into an ou=Groups, which I found convenient. From the UI, you can see all your posix groups grouped together under Groups. If you are adding groups from the console, remember to highlight the Groups OU, right click, add new, "other" posix group. I also change the index to the cn, instead of gid, that makes it easier to read. You just have to decide whether you want to continue with the Linux standard where every user is a member of his own group. As the number of users grows, that becomes a PITA. __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com From craigwhite at azapple.com Thu Mar 30 01:31:06 2006 From: craigwhite at azapple.com (Craig White) Date: Wed, 29 Mar 2006 18:31:06 -0700 Subject: [Fedora-directory-users] Getting Started, POSIX accounts In-Reply-To: <20060330011232.61431.qmail@web52905.mail.yahoo.com> References: <20060330011232.61431.qmail@web52905.mail.yahoo.com> Message-ID: <1143682266.26793.103.camel@lin-workstation.azapple.com> On Wed, 2006-03-29 at 17:12 -0800, Susan wrote: > > --- Michael Christian wrote: > > > Hi guys. I've installed FDS and the setup is killing me. Essentially all I > > want to use it for is Posix accounts and groups and I'm having trouble with > > groups. > > > > Getting user accounts is no problem, the attributes are aleady there, but > > posix groups are from scratch? 
> > > > If someone could point me in the right direction, or send me a link I would > > appreciate it. I've combed through the RHDS documentation and not been able > > to find what I was looking for. > > Groups are easy, what are you having problems with? > > Just run migrate_group.pl script on /etc/group on a representative machine, that'll produce an > LDIF you can import into your FDS. Verify that the dn is correct and load it in. > > It puts all posix groups into an ou=Groups, which I found convenient. From the UI, you can see > all your posix groups grouped together under Groups. ---- on a Red Hat system, it will default to Group and not Groups - I found this incredibly confusing at first. ---- > > If you are adding groups from the console, remember to highlight the Groups OU, right click, add > new, "other" posix group. I also change the index to the cn, instead of gid, that makes it easier > to read. > > You just have to decide whether you want to continue with the Linux standard where every user is a > member of his own group. As the number of users grows, that becomes a PITA. ---- and pretty pointless for workgroups, domains, etc. Craig From ABliss at preferredcare.org Thu Mar 30 01:51:10 2006 From: ABliss at preferredcare.org (Bliss, Aaron) Date: Wed, 29 Mar 2006 20:51:10 -0500 Subject: [Fedora-directory-users] fds and oracle authentication Message-ID: Were running fds in our environment; it's running great, however I was wondering if it's possible to use the directory servers to authenticate Oracle database users against? I know that Oracle has an application called Oracle Internet Directory server, however I would rather not put up yet another directory server. Any thoughts? Thanks very much. Aaron www.preferredcare.org "An Outstanding Member Experience," Preferred Care HMO Plans -- J. D. 
Power and Associates Confidentiality Notice: The information contained in this electronic message is intended for the exclusive use of the individual or entity named above and may contain privileged or confidential information. If the reader of this message is not the intended recipient or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that dissemination, distribution or copying of this information is prohibited. If you have received this communication in error, please notify the sender immediately by telephone and destroy the copies you received. From rmeggins at redhat.com Thu Mar 30 04:43:55 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Wed, 29 Mar 2006 21:43:55 -0700 Subject: [Fedora-directory-users] fds and oracle authentication In-Reply-To: References: Message-ID: <442B620B.50208@redhat.com> Bliss, Aaron wrote: > Were running fds in our environment; it's running great, however I was > wondering if it's possible to use the directory servers to authenticate > Oracle database users against? I know that Oracle has an application > called Oracle Internet Directory server, however I would rather not put > up yet another directory server. Any thoughts? Thanks very much. > Do you want to authenticate users to LDAP using their Oracle credentials? Maybe there is an odbc SASL data source? Then it might be possible to configure the DS SASL to use it. Can PAM be configured to auth against a database? If so, then you could use the PAM passthrough plugin. Otherwise, this sounds like a job for a BIND pre-op plugin. Or do you want to authenticate users to Oracle apps using their LDAP credentials? I don't know how LDAP aware Oracle apps are, but in most cases I've seen this involves some sort of sync process by which passwords and other data are synchronized between Oracle and LDAP. > Aaron > > www.preferredcare.org > "An Outstanding Member Experience," Preferred Care HMO Plans -- J. D. 
Power and Associates > > Confidentiality Notice: > The information contained in this electronic message is intended for the exclusive use of the individual or entity named above and may contain privileged or confidential information. If the reader of this message is not the intended recipient or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that dissemination, distribution or copying of this information is prohibited. If you have received this communication in error, please notify the sender immediately by telephone and destroy the copies you received. > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From Gary_Tay at platts.com Thu Mar 30 04:42:15 2006 From: Gary_Tay at platts.com (Tay, Gary) Date: Thu, 30 Mar 2006 12:42:15 +0800 Subject: [Fedora-directory-users] Getting Started, POSIX accounts Message-ID: It depends on if you intend to use one of these options in /etc/ldap.conf 1) pam_member_attribute uniquemember or 2) pam_member_attribute memberuid Pls note that the default FDS install would create ou=Groups and some sample group entries if you choose to create samples, whereas the sample PADL or RH client's /etc/ldap.conf would usually use ou=group (or ou=Group) instead of ou=Groups. 
nss_base_group ou=Group,dc=padl,dc=com?one If your choice is 1), you could point to group lookup to ou=Groups and use objectclass groupofuniquenames If your choice is 2), you could point to group lookup to ou=Group and use objectclass posixgroup I usually won't use ou=Groups and will manually create an additional OU (New OU in Admin GUI) called ou=group after the default install, and when populating the DIT with group entries I will add objectclass: posixgroup in ldif file, and with user entries I will add objectclass: posixaccount and objectclass: shadowaccount. If I use Admin GUI to create an user entry, I will have to manually "Enable Posix User Attributes", so that I could enter uidNumber and gidNumber and so on, I also add additional objectclass: shadowaccount by clicking the Advanced Properties and insert new objectclass, if not LDAP Auth won't work. You may find a HOW-TO I wrote for Solaris Native LDAP Client useful. http://web.singnet.com.sg/~garyttt/Configuring%20Solaris%20Native%20LDAP %20Client%20for%20Fedora%20Directory%20Server.htm Gary -----Original Message----- From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Michael Christian Sent: Thursday, March 30, 2006 7:49 AM To: Fedora-directory-users at redhat.com Subject: [Fedora-directory-users] Getting Started, POSIX accounts Hi guys. I've installed FDS and the setup is killing me. Essentially all I want to use it for is Posix accounts and groups and I'm having trouble with groups. Getting user accounts is no problem, the attributes are aleady there, but posix groups are from scratch? If someone could point me in the right direction, or send me a link I would appreciate it. I've combed through the RHDS documentation and not been able to find what I was looking for. -- Michael -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From craigwhite at azapple.com Thu Mar 30 03:59:24 2006 From: craigwhite at azapple.com (Craig White) Date: Wed, 29 Mar 2006 20:59:24 -0700 Subject: [Fedora-directory-users] fds and oracle authentication In-Reply-To: References: Message-ID: <1143691165.26793.144.camel@lin-workstation.azapple.com> On Wed, 2006-03-29 at 20:51 -0500, Bliss, Aaron wrote: > Were running fds in our environment; it's running great, however I was > wondering if it's possible to use the directory servers to authenticate > Oracle database users against? I know that Oracle has an application > called Oracle Internet Directory server, however I would rather not put > up yet another directory server. Any thoughts? Thanks very much. ---- FDS is indifferent to which client applications authenticate - it's only the manner - i.e. LDAPv2 or LDAPv3, using plain/TLS/SASL/SSL etc. Thus your question is really for Oracle users and not FDS users. Craig From mj at sci.fi Thu Mar 30 05:15:14 2006 From: mj at sci.fi (Mike Jackson) Date: Thu, 30 Mar 2006 08:15:14 +0300 Subject: [Fedora-directory-users] fds and oracle authentication In-Reply-To: References: Message-ID: <442B6962.2050005@sci.fi> Bliss, Aaron wrote: > Were running fds in our environment; it's running great, however I was > wondering if it's possible to use the directory servers to authenticate > Oracle database users against? One of my colleagues told me just last week that he is using FDS for Oracle authentication without any problems. BR, -- mike From Gary_Tay at platts.com Thu Mar 30 08:28:51 2006 From: Gary_Tay at platts.com (Tay, Gary) Date: Thu, 30 Mar 2006 16:28:51 +0800 Subject: [Fedora-directory-users] Install_Guide is still pointing to old FDS7.X guide Message-ID: No sure if you have already noticed, the Documentation main page is still having old pointers to FDS 7.X guides. 
Use and Deployment The best documentation for use and deployment can be found in the Red Hat Directory Server 7.1 documentation (http://www.redhat.com/docs/manuals/dir-server/). If you are new to the Directory Server you may want to check these out: * Installation Guide (http://www.redhat.com/docs/manuals/dir-server/install/7.1/) Administrator's Guide (http://www.redhat.com/docs/manuals/dir-server/ag/7.1/adminTOC.html) Deployment Guide (http://www.redhat.com/docs/manuals/dir-server/deploy/7.1/deployTOC.html) Screenshots If the FDS1.X Guides are still under-construction, at least we should add another section to guide people to those already constructed guide(s): eg: Use and Deployment for FDS 1.X . Installation Guide (http://directory.fedora.redhat.com/wiki/Install_Guide) .... Gary -------------- next part -------------- An HTML attachment was scrubbed... URL: From magobin at gmail.com Thu Mar 30 12:28:03 2006 From: magobin at gmail.com (Alex aka Magobin) Date: Thu, 30 Mar 2006 14:28:03 +0200 Subject: [Fedora-directory-users] Replication Problem! Message-ID: <1143721683.7831.11.camel@localhost.localdomain> hi, testing replication, I've configured a user in consumer and it correctly replicate to nodo2 supplier....after that, I've set up a second user in supplier...but nothing is replicated in consumer...so I tried to re-run mmr.pl...and in supplier logs: NSMMReplicationPlugin: - replica_reload_ruv: Warning: new data for replica dc=domain,dc=example,dc=com does not match the data in the changelog, Recreating the changelog file. This could affect replication with replica's consumers in which case the consumers should be reinitialized. How do I procede in this case?... How and where do I recreate changelog? Thanks Alex P.S: Where is documentation about configuring Fedora DS to authenticate users for both user login and mail accounts with postfix? From oscar.valdez at duraflex-politex.com Thu Mar 30 15:01:36 2006 From: oscar.valdez at duraflex-politex.com (Oscar A. 
Valdez)
Date: Thu, 30 Mar 2006 09:01:36 -0600
Subject: [Fedora-directory-users] Getting Started, POSIX accounts
In-Reply-To: <20060330011232.61431.qmail@web52905.mail.yahoo.com>
References: <20060330011232.61431.qmail@web52905.mail.yahoo.com>
Message-ID: <1143730898.2110.12.camel@wzowski.duraflex-politex.com>

On Wed, 29-03-2006 at 17:12 -0800, Susan wrote:
> You just have to decide whether you want to continue with the Linux standard where every user is a
> member of his own group. As the number of users grows, that becomes a PITA.

I've struggled with this issue, researching the rationale behind it, but
I'm not any wiser.

Would anyone care to comment on the "every user has a group" issue?

--
Oscar A. Valdez

From rmeggins at redhat.com Thu Mar 30 15:17:53 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 30 Mar 2006 08:17:53 -0700
Subject: [Fedora-directory-users] Install_Guide is still pointing to old FDS7.X guide
In-Reply-To:
References:
Message-ID: <442BF6A1.7050206@redhat.com>

Tay, Gary wrote:
>
> Not sure if you have already noticed, the Documentation main page is
> still having old pointers to FDS 7.X guides.
>
> Use and Deployment
>
> The best documentation for use and deployment can be found in the _Red
> Hat Directory Server 7.1 documentation_
>
> (/http://www.redhat.com/docs/manuals/dir-server//).
>
> If you are new to the Directory Server you may want to check these out:
>
> * _Installation Guide_
>
> (/http://www.redhat.com/docs/manuals/dir-server/install/7.1//)
> * _Administrator's Guide_
> (/http://www.redhat.com/docs/manuals/dir-server/ag/7.1/adminTOC.html/)
>
> * _Deployment Guide_
> (/http://www.redhat.com/docs/manuals/dir-server/deploy/7.1/deployTOC.html/)
>
> * _Screenshots_
>
> If the FDS1.X Guides are still under-construction, at least we should
> add another section to guide people to those already constructed
> guide(s): eg:
>
Thanks.
I've updated the wording to better describe the relationship between the Red Hat docs and Fedora DS. There probably won't be any officially produced and branded Fedora DS docs like there are for Red Hat DS, but since Red Hat DS maintains such a close relationship with Fedora DS, the RH docs will always be applicable, with a couple of caveats that I have noted on the wiki pages.
>
> Use and Deployment for FDS 1.X
>
> . Installation Guide
> (_http://directory.fedora.redhat.com/wiki/Install_Guide_)
> ....
>
> Gary

From logastellus at yahoo.com Thu Mar 30 15:55:02 2006
From: logastellus at yahoo.com (Susan)
Date: Thu, 30 Mar 2006 07:55:02 -0800 (PST)
Subject: [Fedora-directory-users] fds and oracle authentication
In-Reply-To:
Message-ID: <20060330155502.39800.qmail@web52909.mail.yahoo.com>

--- "Bliss, Aaron" wrote:

> We're running fds in our environment; it's running great, however I was
> wondering if it's possible to use the directory servers to authenticate
> Oracle database users against? I know that Oracle has an application
> called Oracle Internet Directory server, however I would rather not put
> up yet another directory server. Any thoughts? Thanks very much.

if you've access to metalink, check out this Note:152872.1

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo!
Mail has the best spam protection around
http://mail.yahoo.com

From craigwhite at azapple.com Thu Mar 30 17:06:07 2006
From: craigwhite at azapple.com (Craig White)
Date: Thu, 30 Mar 2006 10:06:07 -0700
Subject: [Fedora-directory-users] Getting Started, POSIX accounts
In-Reply-To: <1143730898.2110.12.camel@wzowski.duraflex-politex.com>
References: <20060330011232.61431.qmail@web52905.mail.yahoo.com> <1143730898.2110.12.camel@wzowski.duraflex-politex.com>
Message-ID: <1143738367.26793.240.camel@lin-workstation.azapple.com>

On Thu, 2006-03-30 at 09:01 -0600, Oscar A. Valdez wrote:
> On Wed, 29-03-2006 at 17:12 -0800, Susan wrote:
> > You just have to decide whether you want to continue with the Linux standard where every user is a
> > member of his own group. As the number of users grows, that becomes a PITA.
>
> I've struggled with this issue, researching the rationale behind it, but
> I'm not any wiser.
>
> Would anyone care to comment on the "every user has a group" issue?
----
I can't speak to Linux standard - I only am familiar with the Red Hat
packaging, which would by default...

useradd craig

add both a user and a group named craig

the man page for useradd on a Red Hat system has this caveat..." The
version provided with Red Hat Linux will create a group for each user
added to the system by default."

I suspect this is what Susan is referring to.

Of course, you can always pass a parameter to useradd...
useradd -g dom_users craig

which would not create a group named craig

Craig

From lesmikesell at gmail.com Thu Mar 30 17:48:16 2006
From: lesmikesell at gmail.com (Les Mikesell)
Date: Thu, 30 Mar 2006 11:48:16 -0600
Subject: [Fedora-directory-users] Getting Started, POSIX accounts
In-Reply-To: <1143738367.26793.240.camel@lin-workstation.azapple.com>
References: <20060330011232.61431.qmail@web52905.mail.yahoo.com> <1143730898.2110.12.camel@wzowski.duraflex-politex.com> <1143738367.26793.240.camel@lin-workstation.azapple.com>
Message-ID: <1143740895.12541.13.camel@moola.futuresource.com>

On Thu, 2006-03-30 at 11:06, Craig White wrote:
> > > You just have to decide whether you want to continue with the Linux standard where every user is a
> > > member of his own group. As the number of users grows, that becomes a PITA.
> >
> > I've struggled with this issue, researching the rationale behind it, but
> > I'm not any wiser.
> >
> > Would anyone care to comment on the "every user has a group" issue?
> ----
> I can't speak to Linux standard - I only am familiar with the Red Hat
> packaging, which would by default...
>
> useradd craig
>
> add both a user and a group named craig
>
> the man page for useradd on a Red Hat system has this caveat..." The
> version provided with Red Hat Linux will create a group for each user
> added to the system by default."

Yes, I think this is redhat-specific. The reasoning is that the home directories can be made group rw and a default umask of 0002 used without initially introducing any new permission problems since no one else but the user is in the group. This simplifies the changes needed when you do want group access since the permissions are already there and the groups are unique. All you have to do is add the other user(s) to your group.
-- Les Mikesell lesmikesell at gmail.com From ahamino at gmail.com Thu Mar 30 22:01:27 2006 From: ahamino at gmail.com (Abdelrahman) Date: Fri, 31 Mar 2006 00:01:27 +0200 Subject: [Fedora-directory-users] FDS AD Sync In-Reply-To: <442AE404.1000200@arbor.edu> References: <442AE404.1000200@arbor.edu> Message-ID: >From your mail, i understood that you are trying to sync passwords from AD to FDS. I am trying to sync accounts the other way round from FDS to AD. If pass sync doesn't full sync accounts between FDS and AD which i regard as a replica of FDS, when i create new user i have to create him on the AD and ask the user who's password is already saved on FDS to login and change his password which he just created! This is wasn't i hoped for :( regards, Abdelrahman On 3/29/06, Daniel Shackelford wrote: > > I had some trouble myself with passwords from AD making it into FDS. > Unfortunately no passwords are synced until they are changed on AD, > which means that if you have a 7000 user base like we do, there are very > few options for getting the passwords populated in FDS. PassSync uses a > DLL to capture passwords in plain text during the set password process, > and send them to FDS. This means that all those users that are synced > magically when you set up replication, will not have passwords until > they change their password on AD somehow. We started collecting > credentials from our proxy auth, and storing them for a massive import > after a few months. The import went well (I can tell you the process if > you like), but we still have 5000 accounts without passwords in FDS for > off-site users, and those who should be pruned. Now we are looking at a > web interface for handling these special cases (is it special when it > effects the majority of your users?). > > The PassSync that was distributed with FDS 7.1 did not give much info on > what it was doing, and this led to an incorrect setup without knowing it > was incorrect. 
If you use the most recent version, you can enable > verbose logging, and see what is going on (it is a registry key under > HKEY_Local_Machine->Software->PasswordSync->Log Level). It turned out > that PassSync and FDS were not speaking to one another yet. I went > through the key import process (pk12util + certutil), restarted the > service, and away we went. > > If you think you might be able to get the unix crypted passwords via > msSFU (Microsoft Services for Unix), and populate FDS, you would be > right, unless you are also wanting to synchronize those passwords. I > tried it and blew out the password for every user on our domain, and had > to recover from tape. The crypt is one-way, so once it is in FDS, you > can successfully authenticate, but it looks like junk to the password > sync code, and it ends up syncing junk to AD, which in turn, syncs junk > back to FDS. Bad bad bad. > > So it sounds like you may not have the PassSync service set up quite > right, or you are expecting the passwords to be synced with the > accounts, but they won't because that is not really what PassSync does. > Either way you will have to address the issues of missing passwords in > FDS. Do you have any secure way of collecting the credentials of > users? A proxy/sniffer in front of your POP3 server? Just a suggestion. > > -- > Daniel Shackelford > Systems Administrator > Technology Services > Spring Arbor University > 517 750-6648 > > "For even the Son of Man did not come to be served, but to serve, and to > give His life a ransom for many" > Mark 10:45 > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- An HTML attachment was scrubbed... 

From magobin at gmail.com Fri Mar 31 08:54:59 2006
From: magobin at gmail.com (Alex aka Magobin)
Date: Fri, 31 Mar 2006 10:54:59 +0200
Subject: [Fedora-directory-users] mmr.pl, replication and changelog
Message-ID: <1143795299.7855.16.camel@localhost.localdomain>

Hi,
I reinitialize consumer (from supplier...initialize consumer)...replication didn't work 5 times...at the 6th it worked and now server1 replicates to server2 (but I don't know why). Plus I had to remove replication with mmr.pl and re-run the script...

But consulting log I still see errors below:

NSMMReplicationPlugin: - replica_reload_ruv: Warning: new data for replica dc=domain,dc=example,dc=com does not match the data in the changelog, Recreating the changelog file. This could affect replication with replica's consumers in which case the consumers should be reinitialized.

How can I clear this problem??

Thanks
Alex

From francois.beretti at gmail.com Fri Mar 31 09:04:38 2006
From: francois.beretti at gmail.com (François Beretti)
Date: Fri, 31 Mar 2006 11:04:38 +0200
Subject: [Fedora-directory-users] API to detect password expiration
Message-ID: <85d6be850603310104x65fbd47dh60b2df3e43c17d40@mail.gmail.com>

Hi,

I am trying to implement password expiration in my LDAP software. I am not using the fedora/mozilla/sun API, but the Novell API. So I can't use specific functions if they exist.

There are three concepts I would like to integrate :

- Password must be changed after a reset
- Password expiration warning
- Password expired

How can I detect these three events ?

Moreover, what can I do within the maximum login attempts ? Only bind then change the password ?
Thank you very much, and congratulations for this beautiful software

Regards,

François Beretti

From hariharan at lantana.cs.iitm.ernet.in Fri Mar 31 04:03:25 2006
From: hariharan at lantana.cs.iitm.ernet.in (HARIHARAN R)
Date: Fri, 31 Mar 2006 09:33:25 +0530 (IST)
Subject: [Fedora-directory-users] Consumer initiated replication
Message-ID:

Hi,

Does the Fedora Directory Server support consumer initiated replication. If not, is there any work around for this ?

Please advise.

---
Hariharan.R

From ABliss at preferredcare.org Fri Mar 31 13:50:29 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Fri, 31 Mar 2006 08:50:29 -0500
Subject: [Fedora-directory-users] Consumer initiated replication
Message-ID:

I would set up your servers so that both are masters (multi-master) instead of supplier-consumer in which either server can commit changes and initiate replication to the other.

Aaron

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of HARIHARAN R
Sent: Thursday, March 30, 2006 11:03 PM
To: fedora-directory-users at redhat.com
Subject: [Fedora-directory-users] Consumer initiated replication

Hi,

Does the Fedora Directory Server support consumer initiated replication. If not, is there any work around for this ?

Please advise.

---
Hariharan.R

www.preferredcare.org
"An Outstanding Member Experience," Preferred Care HMO Plans -- J. D. Power and Associates

Confidentiality Notice:
The information contained in this electronic message is intended for the exclusive use of the individual or entity named above and may contain privileged or confidential information.
If the reader of this message is not the intended recipient or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that dissemination, distribution or copying of this information is prohibited. If you have received this communication in error, please notify the sender immediately by telephone and destroy the copies you received.

From rmeggins at redhat.com Fri Mar 31 14:51:20 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 31 Mar 2006 07:51:20 -0700
Subject: [Fedora-directory-users] Consumer initiated replication
In-Reply-To:
References:
Message-ID: <442D41E8.2070702@redhat.com>

HARIHARAN R wrote:
>
> Hi,
>
> Does the Fedora Directory Server support consumer initiated
> replication. If not, is there any work around for this ?
No, Fedora DS does not support consumer initiated replication. For what reasons do you require CIR?
>
> Please advise.
>
> ---
> Hariharan.R

From rmeggins at redhat.com Fri Mar 31 14:53:53 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 31 Mar 2006 07:53:53 -0700
Subject: [Fedora-directory-users] API to detect password expiration
In-Reply-To: <85d6be850603310104x65fbd47dh60b2df3e43c17d40@mail.gmail.com>
References: <85d6be850603310104x65fbd47dh60b2df3e43c17d40@mail.gmail.com>
Message-ID: <442D4281.30400@redhat.com>

François Beretti wrote:
> Hi,
>
> I am trying to implement password expiration in my LDAP software. I am
> not using the fedora/mozilla/sun API, but the Novell API. So I can't
> use specific functions if they exist.
>
> There are three concepts I would like to integrate :
>
> - Password must be changed after a reset
> - Password expiration warning
> - Password expired
>
> How can I detect these three events ?
>
I'm not sure. You may want to ask on a Novell list to find out what is supported by their API. But in general, these events are returned to all LDAPv3 clients in the form of controls, so as long as the Novell API allows you to receive and parse the response controls, you should be able to get all of that information.
> Moreover, what can I do within the maximum login attempts ? Only bind
> then change the password ?
>
Yes. Fedora DS allows a configurable number of "grace logins" - the user is only allowed to BIND, then change their password.
> Thank you very much, and congratulations for this beautiful software
>
> Regards,
>
> François Beretti

From dshackel at arbor.edu Fri Mar 31 15:16:05 2006
From: dshackel at arbor.edu (Daniel Shackelford)
Date: Fri, 31 Mar 2006 10:16:05 -0500
Subject: [Fedora-directory-users] FDS AD Sync
Message-ID: <442D47B5.5000000@arbor.edu>

When you are replicating to AD, user accounts are fully synced upon creation. If you create a new user in FDS, the account and password will be immediately synced to AD. The issue is with accounts that already exist in AD (I am not sure about those that are in FDS) before a replication agreement is set up. If you are just now setting up FDS and want accounts created in FDS to also be created in AD at the same time, then you should not have any trouble if you have set up replication correctly.

We use FDS for provisioning new accounts via a portal.
The account is created in FDS and it is replicated to AD. The user can immediately log onto our network. The PassSync part on AD makes sure that if their password is changed via the windows tools (Ctrl-Alt-Del -> change password, Computers and Users MMC -> reset password), it will also set the new password in FDS. Our system goes both ways. Accounts can be created in either directory, and they will be replicated (with passwords) to the other one.

Again, the issue is not with account creation, but with handling accounts that already exist before replication is set up. AD will not allow passwords to be read, only to be compared, and that is the main problem. I am not sure about FDS, and it may be possible to get the passwords out in order to reset them. Importing an ldif file to change the passwords will work, providing the passwords are in plain text. So if you can find a way to export the passwords in plain text (with the uid or dn), you may be able to reset them all in both directories in one fell swoop.

Good luck (and be careful)

>From your mail, I understood that you are trying to sync passwords from AD
>to FDS. I am trying to sync accounts the other way round from FDS to AD.
>
>If pass sync doesn't full sync accounts between FDS and AD which I regard as
>a replica of FDS, when I create new user I have to create him on the AD and
>ask the user whose password is already saved on FDS to login and change his
>password which he just created!
>
> This wasn't what I hoped for :(
>
> regards,
> Abdelrahman

--
Daniel Shackelford
Systems Administrator
Technology Services
Spring Arbor University
517 750-6648

"For even the Son of Man did not come to be served, but to serve, and to give His life a ransom for many" Mark 10:45

From francois.beretti at gmail.com Fri Mar 31 16:38:14 2006
From: francois.beretti at gmail.com (François Beretti)
Date: Fri, 31 Mar 2006 18:38:14 +0200
Subject: [Fedora-directory-users] API to detect password expiration
In-Reply-To: <442D4281.30400@redhat.com>
References: <85d6be850603310104x65fbd47dh60b2df3e43c17d40@mail.gmail.com> <442D4281.30400@redhat.com>
Message-ID: <85d6be850603310838i225b941flaf1574c4fca23e22@mail.gmail.com>

On 3/31/06, Richard Megginson wrote:
> François Beretti wrote:
> > - Password must be changed after a reset
> > - Password expiration warning
> > - Password expired
> >
> > How can I detect these three events?
> >
> I'm not sure. You may want to ask on a Novell list to find out what is
> supported by their API. But in general, these events are returned to
> all LDAPv3 clients in the form of controls, so as long as the Novell API
> allows you to receive and parse the response controls, you should be
> able to get all of that information.

Thank you for your answer. Is there a description somewhere of which controls are used by the Directory Server?

> Yes. Fedora DS allows a configurable number of "grace logins" - the
> user is only allowed to BIND, then change their password.
Thank you again

François

From rmeggins at redhat.com Fri Mar 31 17:13:01 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 31 Mar 2006 10:13:01 -0700
Subject: [Fedora-directory-users] API to detect password expiration
In-Reply-To: <85d6be850603310838i225b941flaf1574c4fca23e22@mail.gmail.com>
References: <85d6be850603310104x65fbd47dh60b2df3e43c17d40@mail.gmail.com> <442D4281.30400@redhat.com> <85d6be850603310838i225b941flaf1574c4fca23e22@mail.gmail.com>
Message-ID: <442D631D.5080700@redhat.com>

François Beretti wrote:
> On 3/31/06, Richard Megginson wrote:
>
>> François Beretti wrote:
>>
>>> - Password must be changed after a reset
>>> - Password expiration warning
>>> - Password expired
>>>
>>> How can I detect these three events?
>>>
>> I'm not sure. You may want to ask on a Novell list to find out what is
>> supported by their API. But in general, these events are returned to
>> all LDAPv3 clients in the form of controls, so as long as the Novell API
>> allows you to receive and parse the response controls, you should be
>> able to get all of that information.
>>
>
> Thank you for your answer. Is there a description somewhere of which
> controls are used by the Directory Server?
>
>> Yes. Fedora DS allows a configurable number of "grace logins" - the
>> user is only allowed to BIND, then change their password.
>>
>
> Thank you again
>
The internet draft has unfortunately expired (again), but there is a recent copy of it here - http://www.dfn-pca.de/bibliothek/standards/ietf/none/internet-drafts/draft-behera-ldap-password-policy-07.txt

You have to specify the control with the request so that the server will know the client is aware of the response control. See section 5 and later for details about the control OID to send, what is available in the response, and the behavior for different operations.
From mont.rothstein at gmail.com Fri Mar 31 19:22:51 2006
From: mont.rothstein at gmail.com (Mont Rothstein)
Date: Fri, 31 Mar 2006 11:22:51 -0800
Subject: [Fedora-directory-users] People vs. Domain Users
Message-ID: <467a83630603311122j78c575aas6a4169d711256fbd@mail.gmail.com>

I've been working with the Samba Howto (http://directory.fedora.redhat.com/wiki/Howto:Samba).

In it the ldap user suffix is set to "ou=People".

Later, it walks through the creation of Samba Domain Groups, including Domain Users.

I am confused by these two. When do user accounts go in ou=People and when do they go in cn=Domain Users?

If someone could explain the difference between these two I would greatly appreciate it.

Thanks,
-Mont

From dhollis at davehollis.com Fri Mar 31 19:56:45 2006
From: dhollis at davehollis.com (David Hollis)
Date: Fri, 31 Mar 2006 14:56:45 -0500
Subject: [Fedora-directory-users] People vs. Domain Users
In-Reply-To: <467a83630603311122j78c575aas6a4169d711256fbd@mail.gmail.com>
References: <467a83630603311122j78c575aas6a4169d711256fbd@mail.gmail.com>
Message-ID: <1143835005.8276.20.camel@dhollis-lnx.sunera.com>

On Fri, 2006-03-31 at 11:22 -0800, Mont Rothstein wrote:
> I've been working with the Samba Howto
> (http://directory.fedora.redhat.com/wiki/Howto:Samba).
>
> In it the ldap user suffix is set to "ou=People".
>
> Later, it walks through the creation of Samba Domain Groups, including
> Domain Users.
>
> I am confused by these two. When do user accounts go in ou=People and
> when do they go in cn=Domain Users?

cn=Domain Users is a Group.
Users are added as members of the Group. ou=People is an Organizational Unit. It is just that - for organization. Just because a user is under an OU, doesn't necessarily mean that they have any additional rights (though you might tie some type of security to the user account being under a specific OU). Think about it like this, if your org has an office in NYC and another office in LA, you might have a separate phone list for each office. The people in NYC generally don't care about the people in the LA office.

--
David Hollis

From ahamino at gmail.com Fri Mar 31 20:55:13 2006
From: ahamino at gmail.com (Abdelrahman)
Date: Fri, 31 Mar 2006 22:55:13 +0200
Subject: [Fedora-directory-users] FDS AD Sync
In-Reply-To: <442D47B5.5000000@arbor.edu>
References: <442D47B5.5000000@arbor.edu>
Message-ID:

Mr. Daniel,
Luckily, I have the accounts previously on FDS; therefore, I think I won't face the same problem you have. Yet, when I create a new user on FDS via Console it's not fully synced to AD. Only the username is synced, but the account becomes automatically disabled on the AD and the user has to reset his password!

It might be a problem with my configuration but I don't know where.

regards,
Abdelrahman

On 3/31/06, Daniel Shackelford wrote:
>
> When you are replicating to AD, user accounts are fully synced upon
> creation. If you create a new user in FDS, the account and password will be
> immediately synced to AD. The issue is with accounts that already exist in
> AD (I am not sure about those that are in FDS) before a replication
> agreement is set up. If you are just now setting up FDS and want accounts
> created in FDS to also be created in AD at the same time, then you should
> not have any trouble if you have set up replication correctly.
>
> We use FDS for provisioning new accounts via a portal. The account is
> created in FDS and it is replicated to AD. The user can immediately log
> onto our network. The PassSync part on AD makes sure that if their password
> is changed via the Windows tools (Ctrl-Alt-Del -> change password, Computers
> and Users MMC -> reset password), it will also set the new password in
> FDS. Our system goes both ways. Accounts can be created in either
> directory, and they will be replicated (with passwords) to the other one.
>
> Again, the issue is not with account creation, but with handling accounts
> that already exist before replication is set up. AD will not allow
> passwords to be read, only to be compared, and that is the main problem. I
> am not sure about FDS, and it may be possible to get the passwords out in
> order to reset them. Importing an ldif file to change the passwords will
> work, providing the passwords are in plain text. So if you can find a way
> to export the passwords in plain text (with the uid or dn), you may be able
> to reset them all in both directories in one fell swoop.
>
> Good luck (and be careful)
>
> > From your mail, I understood that you are trying to sync passwords from AD
> > to FDS. I am trying to sync accounts the other way round from FDS to AD.
> >
> > If pass sync doesn't fully sync accounts between FDS and AD which I regard as
> > a replica of FDS, when I create new user I have to create him on the AD and
> > ask the user whose password is already saved on FDS to login and change his
> > password which he just created!
> >
> > This wasn't what I hoped for :(
> >
> > regards,
> > Abdelrahman
>
> --
> Daniel Shackelford
> Systems Administrator
> Technology Services
> Spring Arbor University
> 517 750-6648
>
> "For even the Son of Man did not come to be served, but to serve, and to
> give His life a ransom for many"
> Mark 10:45

From jsummers at bachman.cs.ou.edu Fri Mar 31 21:48:00 2006
From: jsummers at bachman.cs.ou.edu (Jim Summers)
Date: Fri, 31 Mar 2006 15:48:00 -0600
Subject: [Fedora-directory-users] Mac OS X Client authenticating against Fedora Directory Server
Message-ID: <442DA390.4070607@cs.ou.edu>

Hello List,

I am following up on a thread that was initiated by David Schibeci a few weeks back. He was trying to configure os/x machines to authenticate against fds. I too will have to authenticate some os/x machines when I migrate over to fds. So I thought I should test it out. Unfortunately I was not able to get it to work. All I am seeing in the system.log file are entries such as:

DSOpenNode(): dsOpenDirNode("/LDAPv3/ipaddress") == -14002
DSGetCurrentConfigInfo(): dsGetRecordEntry() == -14061

Not too informative. Any ideas or suggestions will be greatly appreciated.

Thanks
--
Jim Summers
School of Computer Science-University of Oklahoma
-------------------------------------------------

From rmeggins at redhat.com Fri Mar 31 21:51:10 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 31 Mar 2006 14:51:10 -0700
Subject: [Fedora-directory-users] FDS AD Sync
In-Reply-To:
References: <442D47B5.5000000@arbor.edu>
Message-ID: <442DA44E.80105@redhat.com>

Abdelrahman wrote:
> Mr. Daniel,
> Luckily, I have the accounts previously on FDS; therefore, I think I
> won't face the same problem you have.
> Yet, when I create a new user on
> FDS via Console it's not fully synced to AD.
> Only the username is synced, but the account becomes automatically
> disabled on the AD and the user has to reset his password!
>
> It might be a problem with my configuration but I don't know where.

There is some setting in the AD configuration which says to disable new users. It is on by default. You have to find it and tell it not to disable new users.

>
> regards,
> Abdelrahman
>
>
> On 3/31/06, *Daniel Shackelford* <dshackel at arbor.edu> wrote:
>
> When you are replicating to AD, user accounts are fully synced
> upon creation. If you create a new user in FDS, the account and
> password will be immediately synced to AD. The issue is with
> accounts that already exist in AD (I am not sure about those that
> are in FDS) before a replication agreement is set up. If you are
> just now setting up FDS and want accounts created in FDS to also
> be created in AD at the same time, then you should not have any
> trouble if you have set up replication correctly.
>
> We use FDS for provisioning new accounts via a portal. The
> account is created in FDS and it is replicated to AD. The user
> can immediately log onto our network. The PassSync part on AD
> makes sure that if their password is changed via the Windows tools
> (Ctrl-Alt-Del -> change password, Computers and Users MMC -> reset
> password), it will also set the new password in FDS. Our system
> goes both ways. Accounts can be created in either directory, and
> they will be replicated (with passwords) to the other one.
>
> Again, the issue is not with account creation, but with handling
> accounts that already exist before replication is set up. AD will
> not allow passwords to be read, only to be compared, and that is
> the main problem. I am not sure about FDS, and it may be possible
> to get the passwords out in order to reset them.
> Importing an
> ldif file to change the passwords will work, providing the
> passwords are in plain text. So if you can find a way to export
> the passwords in plain text (with the uid or dn), you may be able
> to reset them all in both directories in one fell swoop.
>
> Good luck (and be careful)
>
> > From your mail, I understood that you are trying to sync passwords from AD
> > to FDS. I am trying to sync accounts the other way round from FDS to AD.
> >
> > If pass sync doesn't fully sync accounts between FDS and AD which I regard as
> > a replica of FDS, when I create new user I have to create him on the AD and
> > ask the user whose password is already saved on FDS to login and change his
> > password which he just created!
> >
> > This wasn't what I hoped for :(
> >
> > regards,
> > Abdelrahman
>
> --
> Daniel Shackelford
> Systems Administrator
> Technology Services
> Spring Arbor University
> 517 750-6648
>
> "For even the Son of Man did not come to be served, but to serve,
> and to give His life a ransom for many"
> Mark 10:45

From mont.rothstein at gmail.com Fri Mar 31 22:53:10 2006
From: mont.rothstein at gmail.com (Mont Rothstein)
Date: Fri, 31 Mar 2006 14:53:10 -0800
Subject: [Fedora-directory-users] People vs.
 Domain Users
In-Reply-To: <1143835005.8276.20.camel@dhollis-lnx.sunera.com>
References: <467a83630603311122j78c575aas6a4169d711256fbd@mail.gmail.com> <1143835005.8276.20.camel@dhollis-lnx.sunera.com>
Message-ID: <467a83630603311453m7d7486f4vad9bdd54b40ae651@mail.gmail.com>

OK, thanks.

I guess what I then don't understand is the role of the ldap user/machine/group suffixes in smb.conf.

I'll have to go do some more digging.

Thanks,
-Mont

On 3/31/06, David Hollis wrote:
>
> On Fri, 2006-03-31 at 11:22 -0800, Mont Rothstein wrote:
> > I've been working with the Samba Howto
> > (http://directory.fedora.redhat.com/wiki/Howto:Samba).
> >
> > In it the ldap user suffix is set to "ou=People".
> >
> > Later, it walks through the creation of Samba Domain Groups, including
> > Domain Users.
> >
> > I am confused by these two. When do user accounts go in ou=People and
> > when do they go in cn=Domain Users?
>
> cn=Domain Users is a Group. Users are added as members of the Group.
> ou=People is an Organizational Unit. It is just that - for
> organization. Just because a user is under an OU, doesn't necessarily
> mean that they have any additional rights (though you might tie some
> type of security to the user account being under a specific OU). Think
> about it like this, if your org has an office in NYC and another office
> in LA, you might have a separate phone list for each office. The people
> in NYC generally don't care about the people in the LA office.
>
> --
> David Hollis