From rmeggins at redhat.com Mon May 1 15:21:43 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 01 May 2006 09:21:43 -0600
Subject: [Fedora-directory-users] referential integrity checks for deactivated users
In-Reply-To: <9711147e0604300723g2d7f5be1u4de23dc2685c56b6@mail.gmail.com>
References: <9711147e0604300723g2d7f5be1u4de23dc2685c56b6@mail.gmail.com>
Message-ID: <44562787.5000206@redhat.com>

Mikael Kermorgant wrote:
> Hello,
>
> I'm interested in the Referential Integrity plugin for updating groups
> when a user is deactivated.
>
> My problem is that deactivated users are not deleted but moved from
> "ou=People" to "ou=disabled".
What is the process by which a user is "moved" from ou=people to
ou=disabled? If you do an LDAP delete (from ou=people) followed by an
LDAP add (into ou=disabled), then the group cleanup will be performed
during the LDAP delete process by the referential integrity checking.
Note that Fedora DS does not support "moving" a "leaf" entry from one
container to another, so there is no other way to accomplish this move
process over LDAP using Fedora DS.
>
> Would you have an idea of how to use Referential Integrity with this
> way of handling users?
>
> Thanks,
>
> --
> Mikael Kermorgant
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
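The delete-then-add "move" described in the reply above, and the group cleanup the Referential Integrity plugin performs on the delete, as an added example that is not part of the thread or of Fedora DS. It runs the two steps against an in-memory copy of a few constructed entries (suffix dc=example,dc=com, one group listing two people) and also emits the LDIF an admin would feed to ldapmodify for the same two operations against a live server. The attribute list (member, uniqueMember, owner, seeAlso) is an assumption about the plugin's default configuration; nothing in the thread states it.

```python
"""Deactivate a user by 'move' = LDAP delete + LDAP add, and show what the
Referential Integrity plugin does to group membership on the delete.

Added example for this thread, not Fedora DS code. REF_ATTRS mirrors what is
assumed to be the plugin's default attribute list; the entries are constructed.
"""
from copy import deepcopy

# Constructed sample directory: two people and one group that lists both.
SAMPLE = {
    "uid=alice,ou=People,dc=example,dc=com": {
        "objectClass": ["top", "person", "inetOrgPerson"],
        "uid": ["alice"], "cn": ["Alice"], "sn": ["Example"],
    },
    "uid=bob,ou=People,dc=example,dc=com": {
        "objectClass": ["top", "person", "inetOrgPerson"],
        "uid": ["bob"], "cn": ["Bob"], "sn": ["Example"],
    },
    "cn=admins,ou=Groups,dc=example,dc=com": {
        "objectClass": ["top", "groupOfUniqueNames"],
        "cn": ["admins"],
        "uniqueMember": ["uid=alice,ou=People,dc=example,dc=com",
                         "uid=bob,ou=People,dc=example,dc=com"],
    },
}

# Assumed default set of membership attributes the plugin keeps consistent.
REF_ATTRS = ("member", "uniqueMember", "owner", "seeAlso")


def norm_dn(dn: str) -> str:
    """Case- and whitespace-insensitive comparison key; enough for these
    simple DNs (a full DN normaliser handles escaping and multi-valued RDNs)."""
    return ",".join(p.strip().lower() for p in dn.split(","))


def referential_cleanup(directory: dict, deleted_dn: str) -> list:
    """What the plugin does after a DELETE: strip every reference to the
    deleted DN from the membership attributes. Returns (entry DN, attribute)
    pairs it changed."""
    key = norm_dn(deleted_dn)
    touched = []
    for dn, attrs in directory.items():
        for attr in REF_ATTRS:
            vals = attrs.get(attr)
            if not vals:
                continue
            kept = [v for v in vals if norm_dn(v) != key]
            if len(kept) != len(vals):
                attrs[attr] = kept
                touched.append((dn, attr))
    return touched


def move_entry(directory: dict, old_dn: str, new_parent: str) -> tuple:
    """'Move' a leaf entry the only way the reply says FDS allows: DELETE the
    old entry (which triggers referential cleanup), then ADD it under the new
    parent with the same RDN. Returns (new_dn, touched)."""
    entry = directory.pop(old_dn)
    touched = referential_cleanup(directory, old_dn)
    rdn = old_dn.split(",", 1)[0]
    new_dn = f"{rdn},{new_parent}"
    directory[new_dn] = deepcopy(entry)   # the re-added entry is in no group
    return new_dn, touched


def move_ldif(entry: dict, old_dn: str, new_parent: str) -> str:
    """The two LDIF change records to pipe into ldapmodify for a live server."""
    rdn = old_dn.split(",", 1)[0]
    lines = [f"dn: {old_dn}", "changetype: delete", "",
             f"dn: {rdn},{new_parent}", "changetype: add"]
    for attr, vals in entry.items():
        lines.extend(f"{attr}: {v}" for v in vals)
    return "\n".join(lines) + "\n"


def group_members(directory: dict, group_dn: str) -> list:
    return list(directory[group_dn].get("uniqueMember", []))


def demo() -> dict:
    """Move alice to ou=disabled and report what changed."""
    d = deepcopy(SAMPLE)
    old = "uid=alice,ou=People,dc=example,dc=com"
    disabled = "ou=disabled,dc=example,dc=com"
    new_dn, touched = move_entry(d, old, disabled)
    return {"directory": d, "new_dn": new_dn, "touched": touched,
            "ldif": move_ldif(SAMPLE[old], old, disabled)}


if __name__ == "__main__":
    result = demo()
    print(result["ldif"])
    print("admins after move:",
          group_members(result["directory"], "cn=admins,ou=Groups,dc=example,dc=com"))
```

The thing to notice is the order: the plugin only acts on the delete (and on modrdn) of the old DN, so adding the entry under ou=disabled first and deleting afterwards changes nothing about the outcome, and the re-added entry belongs to no group at all. For a deactivated account that is the result you want; any membership that should survive (a "disabled users" group, say) has to be added explicitly after the add. Also check the plugin's update delay in your configuration before relying on groups being clean the instant the delete returns: with a non-zero delay the cleanup runs in the background.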
From sysadmin.linux at gmail.com Mon May 1 21:13:28 2006
From: sysadmin.linux at gmail.com (Linux Admin)
Date: Mon, 1 May 2006 16:13:28 -0500
Subject: [Fedora-directory-users] replicating configuration directory (NetscapeRoot)
In-Reply-To: <696934990604280833w48492228q4c634fb02cbacee0@mail.gmail.com>
References: <696934990604271935r53646904xd64d928c847fcc93@mail.gmail.com> <445226B9.1020201@redhat.com> <696934990604280801v3d924cecvb0505c7f24757717@mail.gmail.com> <4452340D.20205@redhat.com> <696934990604280833w48492228q4c634fb02cbacee0@mail.gmail.com>
Message-ID: <696934990605011413k355cc4cbl133e0dc0fea4ddbe@mail.gmail.com>

Richard,
I have tried disabling the pass-through on server 2 and unfortunately I
still cannot replicate from 2 to 1. Replication from 1 to 2 works fine.
I had to manually create NetscapeRoot on 2 initially; could it be that
it is created with a different set of attributes than on 1? The error
is 3, Permission denied. What else could it be?
Thanks for all your help.

On 4/28/06, Linux Admin wrote:
> Richard,
> Thanks, let me try. I am surprised there is no documentation at all on
> NetscapeRoot replication.
> Your help is very much appreciated.
>
> On 4/28/06, Richard Megginson wrote:
> > Linux Admin wrote:
> > > Richard,
> > > Thanks, this is very good.
> > > I do not want to really disable it right now,
> > I think you may need to disable it on the replica in order to make
> > replication work.
> > > I just want to have 2-way replication between Server 1 and Server 2,
> > > and use authentication against server1. I would then set up in the
> > > plugin authentication against both 1 and 2. Is this the right way?
> > > Thank you very much for your time and advice.
> > >
> > > On 4/28/06, Richard Megginson <rmeggins at redhat.com> wrote:
> > > > Linux Admin wrote:
> > > > > Folks,
> > > > > Is it possible to set up multi-master replication of the NetscapeRoot
> > > > > configuration directory?
> > > > > I have tried and I can successfully initialize subscribers from the
> > > > > current configuration directory server.
> > > > > However, initialization of replication in the opposite direction fails.
> > > > >
> > > > > Server 1 current conf dir -> Server 2: replication successful,
> > > > > o=NetscapeRoot is populated
> > > > > Server 1 current conf dir <- Server 2: replication fails with error:
> > > > > Permission denied. Error code 3
> > > > Part of the problem is that, when you set up a second instance, the
> > > > installer automatically enables pass through authentication for the
> > > > console admin user, which allows that user to login as
> > > > uid=admin,.....,o=NetscapeRoot on machines which do not have
> > > > o=NetscapeRoot. So the first thing you need to do is to disable the
> > > > pass through auth plugin (console -> directory console -> Configuration
> > > > -> Plug-ins -> Pass Through -> uncheck the Enable box), then restart the
> > > > server.
> > > > >
> > > > > On Server 2 I had to manually create the NetscapeRoot database.
> > > > > What am I missing? Is it an "idiot proof" feature?
> > > > >
> > > > > Thanks in advance for any help
> > > > > SysLin

From rmeggins at redhat.com Mon May 1 21:39:42 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 01 May 2006 15:39:42 -0600
Subject: [Fedora-directory-users] replicating configuration directory (NetscapeRoot)
In-Reply-To: <696934990605011413k355cc4cbl133e0dc0fea4ddbe@mail.gmail.com>
References: <696934990604271935r53646904xd64d928c847fcc93@mail.gmail.com> <445226B9.1020201@redhat.com> <696934990604280801v3d924cecvb0505c7f24757717@mail.gmail.com> <4452340D.20205@redhat.com> <696934990604280833w48492228q4c634fb02cbacee0@mail.gmail.com> <696934990605011413k355cc4cbl133e0dc0fea4ddbe@mail.gmail.com>
Message-ID: <4456801E.3060600@redhat.com>

Linux Admin wrote:
> Richard,
> I have tried disabling the pass-through on server 2 and unfortunately
> I still cannot replicate from 2 to 1.
> Replication from 1 to 2 works fine.
> I had to manually create
> NetscapeRoot on 2 initially; could it be that it is created with a
> different set of attributes than on 1?
> The error is 3, Permission denied.
Make sure the user you are using as your supplier DN on server 1 exists
on server 1 (and likewise for server 2). Try using ldapsearch from the
command line - bind with your supplier DN and password - to see if you
can use those credentials to search the suffix on both servers.
> What else could it be?
> Thanks for all your help.
> [...]
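The two checks in the reply above (does the supplier DN exist and bind on each server, and is that DN the supplier DN configured on the replica), together with the diagnosis given later in the thread (no supplier DN in the replica config, or a spelling error in it), as an added example that is not part of the thread or of Fedora DS. It cross-checks a replication agreement as it would sit in server 1's dse.ldif against the replica entry and the bind account as they would sit in server 2's dse.ldif. Both LDIF snippets are constructed; the agreement name and host:port are borrowed from the log line quoted later in the thread, and the consumer copy deliberately carries a one-letter typo in the supplier DN. The attribute names nsDS5ReplicaRoot and nsDS5ReplicaBindDN are the Fedora/389 replication attributes; that the replica entry's nsDS5ReplicaBindDN is what the consumer consults when deciding whether a bind DN may supply updates is the assumption this check rests on.

```python
"""Cross-check the supplier DN between a replication agreement (supplier side)
and the replica entry (consumer side), and confirm the bind entry exists on
the consumer. Added example for this thread, not Fedora DS code; the LDIF
below is constructed and the attribute semantics are an assumption."""

# Constructed: the agreement on server 1, pointing at server 2 (serve01:1389).
SUPPLIER_DSE = """\
dn: cn=F04T02NET,cn=replica,cn="o=NetscapeRoot",cn=mapping tree,cn=config
objectClass: top
objectClass: nsDS5ReplicationAgreement
cn: F04T02NET
nsDS5ReplicaRoot: o=NetscapeRoot
nsDS5ReplicaHost: serve01
nsDS5ReplicaPort: 1389
nsDS5ReplicaBindDN: cn=replication manager,cn=config
"""

# Constructed: server 2's replica entry (supplier DN misspelled on purpose)
# and its bind account, which does exist and would bind fine with ldapsearch.
CONSUMER_DSE = """\
dn: cn=replica,cn="o=NetscapeRoot",cn=mapping tree,cn=config
objectClass: top
objectClass: nsDS5Replica
cn: replica
nsDS5ReplicaRoot: o=NetscapeRoot
nsDS5ReplicaBindDN: cn=replication manger,cn=config

dn: cn=replication manager,cn=config
objectClass: top
objectClass: person
cn: replication manager
sn: RM
"""


def parse_ldif(text: str) -> dict:
    """Minimal LDIF reader: entries keyed by DN, attribute values as lists.
    Single-line attributes and blank-line separation only."""
    entries, current, dn = {}, {}, None
    for line in text.splitlines() + [""]:
        if not line.strip():
            if dn is not None:
                entries[dn] = current
            current, dn = {}, None
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if attr.lower() == "dn":
            dn = value
        else:
            current.setdefault(attr, []).append(value)
    return entries


def norm_dn(dn: str) -> str:
    """Comparison key that ignores case and spaces after commas, the two
    differences a server would also ignore; a one-letter typo is not one."""
    return ",".join(p.strip().lower() for p in dn.split(","))


def find_entries(entries: dict, objectclass: str) -> list:
    oc = objectclass.lower()
    return [(dn, e) for dn, e in entries.items()
            if any(v.lower() == oc for v in e.get("objectClass", []))]


def check_supplier_dn(supplier_dse: str, consumer_dse: str) -> list:
    """Return a list of problems; an empty list means the supplier DN lines up."""
    problems = []
    s, c = parse_ldif(supplier_dse), parse_ldif(consumer_dse)
    agreements = find_entries(s, "nsDS5ReplicationAgreement")
    replicas = find_entries(c, "nsDS5Replica")
    if not agreements:
        return ["no replication agreement found on supplier"]
    if not replicas:
        return ["no replica entry found on consumer"]
    consumer_dns = {norm_dn(d) for d in c}
    for agmt_dn, agmt in agreements:
        root = agmt.get("nsDS5ReplicaRoot", [""])[0]
        # The consumer's replica for the same suffix must list this bind DN.
        matching = [r for _, r in replicas
                    if norm_dn(r.get("nsDS5ReplicaRoot", [""])[0]) == norm_dn(root)]
        if not matching:
            problems.append(f"{agmt_dn}: consumer has no replica for {root}")
            continue
        allowed = {norm_dn(v) for r in matching for v in r.get("nsDS5ReplicaBindDN", [])}
        for bdn in agmt.get("nsDS5ReplicaBindDN", []):
            if norm_dn(bdn) not in allowed:
                problems.append(f"{agmt_dn}: bind DN {bdn!r} is not a supplier DN "
                                f"on the consumer replica (it lists {sorted(allowed)})")
            if norm_dn(bdn) not in consumer_dns:
                problems.append(f"{agmt_dn}: bind DN {bdn!r} has no entry on the consumer")
    return problems


if __name__ == "__main__":
    for p in check_supplier_dn(SUPPLIER_DSE, CONSUMER_DSE) or ["OK: supplier DN matches"]:
        print(p)
```

For the live check the reply asks for, bind as the supplier DN against each server, with the OpenLDAP client for instance `ldapsearch -x -h serve01 -p 1389 -D "cn=replication manager,cn=config" -W -b o=NetscapeRoot -s base`. A bind failure (err=49) means the account or its password differs between the two servers; a successful bind followed by the "does not have permission to supply replication updates" line in the consumer's error log means the bind is fine and it is the replica's supplier DN that is missing or misspelled, which is exactly the case the constructed consumer snippet reproduces.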
From sysadmin.linux at gmail.com Mon May 1 23:24:29 2006
From: sysadmin.linux at gmail.com (Linux Admin)
Date: Mon, 1 May 2006 18:24:29 -0500
Subject: [Fedora-directory-users] replicating configuration directory (NetscapeRoot)
In-Reply-To: <4456801E.3060600@redhat.com>
References: <696934990604271935r53646904xd64d928c847fcc93@mail.gmail.com> <445226B9.1020201@redhat.com> <696934990604280801v3d924cecvb0505c7f24757717@mail.gmail.com> <4452340D.20205@redhat.com> <696934990604280833w48492228q4c634fb02cbacee0@mail.gmail.com> <696934990605011413k355cc4cbl133e0dc0fea4ddbe@mail.gmail.com> <4456801E.3060600@redhat.com>
Message-ID: <696934990605011624wac3c121ue66480876965378f@mail.gmail.com>

Both servers have this entry in dse.ldif under /opt/fedora-ds//config

dn: cn=replication manager,cn=config
objectClass: inetorgperson
objectClass: person
objectClass: top
objectClass: organizationalPerson
cn: replication manager
sn: RM
userPassword:
passwordExpirationTime: 20380119031407Z

Is this sufficient?

On 5/1/06, Richard Megginson wrote:
> Linux Admin wrote:
> > Richard,
> > I have tried disabling the pass-through on server 2 and unfortunately
> > I still cannot replicate from 2 to 1.
> > Replication from 1 to 2 works fine. I had to manually create
> > NetscapeRoot on 2 initially; could it be that it is created with a
> > different set of attributes than on 1?
> > The error is 3, Permission denied.
> Make sure the user you are using as your supplier DN on server 1 exists
> on server 1 (and likewise for server 2). Try using ldapsearch from the
> command line - bind with your supplier DN and password - to see if you
> can use those credentials to search the suffix on both servers.
> > What else could it be?
> > Thanks for all your help.
> >
> > On 4/28/06, Linux Admin wrote:
> > > Richard,
> > > Thanks, let me try.
> > > [...]
From sysadmin.linux at gmail.com Mon May 1 23:27:01 2006
From: sysadmin.linux at gmail.com (Linux Admin)
Date: Mon, 1 May 2006 18:27:01 -0500
Subject: [Fedora-directory-users] replicating configuration directory (NetscapeRoot)
In-Reply-To: <4456801E.3060600@redhat.com>
References: <696934990604271935r53646904xd64d928c847fcc93@mail.gmail.com> <445226B9.1020201@redhat.com> <696934990604280801v3d924cecvb0505c7f24757717@mail.gmail.com> <4452340D.20205@redhat.com> <696934990604280833w48492228q4c634fb02cbacee0@mail.gmail.com> <696934990605011413k355cc4cbl133e0dc0fea4ddbe@mail.gmail.com> <4456801E.3060600@redhat.com>
Message-ID: <696934990605011627v3b0f8cb0jac5ab4c255e02da@mail.gmail.com>

Richard,
Here is a more detailed error message:

[01/May/2006:18:21:38 -0500] NSMMReplicationPlugin - agmt="cn=F04T02NET" (serve01:1389): Unable to acquire replica: permission denied. The bind dn "cn=replication manager,cn=config" does not have permission to supply replication updates to the replica. Will retry later

On 5/1/06, Richard Megginson wrote:
> Linux Admin wrote:
> > Richard,
> > I have tried disabling the pass-through on server 2 and unfortunately
> > I still cannot replicate from 2 to 1.
> > Replication from 1 to 2 works fine. I had to manually create
> > NetscapeRoot on 2 initially; could it be that it is created with a
> > different set of attributes than on 1?
> > The error is 3, Permission denied.
> Make sure the user you are using as your supplier DN on server 1 exists
> on server 1 (and likewise for server 2). Try using ldapsearch from the
> command line - bind with your supplier DN and password - to see if you
> can use those credentials to search the suffix on both servers.
> > What else could it be?
> > Thanks for all your help.
> >
> > On 4/28/06, Linux Admin wrote:
> > > Richard,
> > > Thanks, let me try. I am surprised there is no documentation at
> > > all on NetscapeRoot replication.
> > > [...]
From rmeggins at redhat.com Tue May 2 01:35:27 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 01 May 2006 19:35:27 -0600
Subject: [Fedora-directory-users] replicating configuration directory (NetscapeRoot)
In-Reply-To: <696934990605011624wac3c121ue66480876965378f@mail.gmail.com>
References: <696934990604271935r53646904xd64d928c847fcc93@mail.gmail.com> <445226B9.1020201@redhat.com> <696934990604280801v3d924cecvb0505c7f24757717@mail.gmail.com> <4452340D.20205@redhat.com> <696934990604280833w48492228q4c634fb02cbacee0@mail.gmail.com> <696934990605011413k355cc4cbl133e0dc0fea4ddbe@mail.gmail.com> <4456801E.3060600@redhat.com> <696934990605011624wac3c121ue66480876965378f@mail.gmail.com>
Message-ID: <4456B75F.4060003@redhat.com>

Linux Admin wrote:
> Both servers have this entry in dse.ldif under
> /opt/fedora-ds//config
>
> dn: cn=replication manager,cn=config
> objectClass: inetorgperson
> objectClass: person
> objectClass: top
> objectClass: organizationalPerson
> cn: replication manager
> sn: RM
> userPassword:
> passwordExpirationTime: 20380119031407Z
>
> Is this sufficient?
That's necessary, but perhaps not sufficient. Now, try ldapsearch to bind
and search each directory server using the cn=replication manager,cn=config
user. Then, verify that in your Replica configuration you have specified
cn=replication manager,cn=config as the supplier DN.
>
> On 5/1/06, Richard Megginson wrote:
> > Linux Admin wrote:
> > > Richard,
> > > I have tried disabling the pass-through on server 2 and unfortunately
> > > I still cannot replicate from 2 to 1.
> > > Replication from 1 to 2 works fine. I had to manually create
> > > NetscapeRoot on 2 initially; could it be that it is created with a
> > > different set of attributes than on 1?
> > > The error is 3, Permission denied.
> > Make sure the user you are using as your supplier DN on server 1 exists
> > on server 1 (and likewise for server 2).
> > [...]
From rmeggins at redhat.com Tue May 2 01:36:06 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 01 May 2006 19:36:06 -0600
Subject: [Fedora-directory-users] replicating configuration directory (NetscapeRoot)
In-Reply-To: <696934990605011627v3b0f8cb0jac5ab4c255e02da@mail.gmail.com>
References: <696934990604271935r53646904xd64d928c847fcc93@mail.gmail.com> <445226B9.1020201@redhat.com> <696934990604280801v3d924cecvb0505c7f24757717@mail.gmail.com> <4452340D.20205@redhat.com> <696934990604280833w48492228q4c634fb02cbacee0@mail.gmail.com> <696934990605011413k355cc4cbl133e0dc0fea4ddbe@mail.gmail.com> <4456801E.3060600@redhat.com> <696934990605011627v3b0f8cb0jac5ab4c255e02da@mail.gmail.com>
Message-ID: <4456B786.7090804@redhat.com>

Linux Admin wrote:
> Richard,
> Here is a more detailed error message:
>
> [01/May/2006:18:21:38 -0500] NSMMReplicationPlugin -
> agmt="cn=F04T02NET" (serve01:1389): Unable to acquire replica:
> permission denied. The bind dn "cn=replication manager,cn=config" does
> not have permission to supply replication updates to the replica. Will
> retry later
This usually means there is no supplier DN given in the replica config,
or there is a spelling error in the supplier DN name.
>
> On 5/1/06, Richard Megginson wrote:
> > Linux Admin wrote:
> > > Richard,
> > > I have tried disabling the pass-through on server 2 and unfortunately
> > > I still cannot replicate from 2 to 1.
> > > Replication from 1 to 2 works fine.
> > > [...]
redhat.com > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From hariharan at lantana.tenet.res.in Tue May 2 04:07:47 2006 From: hariharan at lantana.tenet.res.in (Hariharan R) Date: Tue, 2 May 2006 09:37:47 +0530 (IST) Subject: [Fedora-directory-users] Fedora directory Server 7.1 with BDB/MySQL Backend In-Reply-To: References: Message-ID: Hai, Fedora DS 7.1 by default supports LDBM database as a backend data store. I want to change the backend database to BDB or MySQL. How i can make the Fedora DS 7.1 to interface with BDB or MySQL database? Is there is any documentation for doing it? Please anyone advice me on this.I am in an urgent need ... Thanks in advance. --- Regards, Hariharan.R From david_list at boreham.org Tue May 2 04:18:59 2006 From: david_list at boreham.org (David Boreham) Date: Mon, 01 May 2006 22:18:59 -0600 Subject: [Fedora-directory-users] Fedora directory Server 7.1 with BDB/MySQL Backend In-Reply-To: References: Message-ID: <4456DDB3.2020901@boreham.org> Hariharan R wrote: > Fedora DS 7.1 by default supports LDBM database as a backend data > store. > > I want to change the backend database to BDB or MySQL. > > How i can make the Fedora DS 7.1 to interface with BDB or MySQL > database? Well let's see... 1. The LDBM/BDB thing is an OpenLDAP-ism. OpenLDAP created the 'BDB' backend as the new transacted store, leaving the older LDBM code as it was. FDS is not OpenLDAP. It forked from the UMich code in 1995. 
In FDS the name of the files is still 'ldbm' but the functionality is
roughly similar to that of the 'BDB' backend in OpenLDAP (at least as far
as having ACID properties and using transactions in BerkeleyDB goes).
So you need do absolutely nothing to get 'BDB'.

2. There is no SQL back end for FDS at present. So to change to a MySQL
backend database you'd need to write code.

From hariharan at lantana.tenet.res.in Tue May 2 11:09:13 2006
From: hariharan at lantana.tenet.res.in (Hariharan R)
Date: Tue, 2 May 2006 16:39:13 +0530 (IST)
Subject: [Fedora-directory-users] Fedora directory Server 7.1 with BDB/MySQL Backend

Hai,
Fedora DS 7.1 by default supports LDBM database as a backend data store.
I want to change the backend database to BDB or MySQL.
How can I make the Fedora DS 7.1 interface with BDB or MySQL database?
Is there any documentation for doing it?
Please anyone advise me on this. I am in an urgent need ...
Thanks in advance.
---
Regards,
Hariharan.R

From magobin at gmail.com Tue May 2 11:20:49 2006
From: magobin at gmail.com (Alex aka Magobin)
Date: Tue, 02 May 2006 13:20:49 +0200
Subject: [Fedora-directory-users] gid number in posix account!
Message-ID: <1146568849.11590.13.camel@localhost.localdomain>

hi all, for migration of groups and users from files to Fedora DS I used
LdapImport...it exports groups, passwd and shadow files; I have all users
and groups in my DS...now I have a question:

When I create a new account, in the posix tab I have to enter uid and gid
numbers for the new user...is it possible to use a name such as "mail" for
gid and is it possible to have a uid number assigned automatically?...more
or less in the same way as when you create a new account with adduser; It
would be very useful...in this way I don't have to remember the last uid
used and the number for that group.

thanks in advance!
Alex

From rmeggins at redhat.com Tue May 2 14:05:48 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 02 May 2006 08:05:48 -0600
Subject: [Fedora-directory-users] gid number in posix account!
In-Reply-To: <1146568849.11590.13.camel@localhost.localdomain>
References: <1146568849.11590.13.camel@localhost.localdomain>
Message-ID: <4457673C.10300@redhat.com>

Alex aka Magobin wrote:
> hi all, for migration of groups and users from files to Fedora DS I
> used LdapImport...it exports groups, passwd and shadow files; I have all
> users and groups in my DS...now I have a question:
>
> When I create a new account, in the posix tab I have to enter uid and gid
> numbers for the new user...is it possible to use a name such as "mail" for gid
>
No, I think it has to be a number.
> and is it possible to have a uid number assigned automatically?...more or less
> in the same way as when you create a new account with adduser; It would be
> very useful...in this way I don't have to remember the last uid used and the
> number for that group.
>
Right. It's on our wishlist - I don't know when we'll get around to it.
http://directory.fedora.redhat.com/wiki/Wishlist
> thanks in advance!
>
> Alex

From magobin at gmail.com Tue May 2 14:16:35 2006
From: magobin at gmail.com (Alex aka Magobin)
Date: Tue, 02 May 2006 16:16:35 +0200
Subject: [Fedora-directory-users] gid number in posix account!
In-Reply-To: <4457673C.10300@redhat.com>
References: <1146568849.11590.13.camel@localhost.localdomain> <4457673C.10300@redhat.com>
Message-ID: <1146579395.12591.3.camel@localhost.localdomain>

> No, I think it has to be a number.

> Right. It's on our wishlist - I don't know when we'll get around to it.
> http://directory.fedora.redhat.com/wiki/Wishlist

uhm, so can you confirm that to create a new account I have to specify uid
and gid numerically? And in this way, if mail is for example 501, is any
user with gid 501 a member of the mail group?

thanks
Alex

From rmeggins at redhat.com Tue May 2 14:21:22 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 02 May 2006 08:21:22 -0600
Subject: [Fedora-directory-users] gid number in posix account!
In-Reply-To: <1146579395.12591.3.camel@localhost.localdomain>
References: <1146568849.11590.13.camel@localhost.localdomain> <4457673C.10300@redhat.com> <1146579395.12591.3.camel@localhost.localdomain>
Message-ID: <44576AE2.9010102@redhat.com>

Alex aka Magobin wrote:
>> No, I think it has to be a number.
>
>> Right. It's on our wishlist - I don't know when we'll get around to it.
>> http://directory.fedora.redhat.com/wiki/Wishlist
>
> uhm, so can you confirm that to create a new account I have to
> specify uid and gid numerically?
>
In the Posix fields, yes. The fields uidNumber and gidNumber have to be
an integer.
> And in this way, if mail is for example 501, is any user with gid 501 a
> member of the mail group?
>
Yes.
> thanks
> Alex

From hariharan at lantana.tenet.res.in Wed May 3 04:41:03 2006
From: hariharan at lantana.tenet.res.in (Hariharan R)
Date: Wed, 3 May 2006 10:11:03 +0530 (IST)
Subject: [Fedora-directory-users] Fedora directory Server 7.1 with BDB/MySQL Backend

Hai,
Has anyone configured Fedora Directory server 7.1 (or any version) with
MySQL as backend?
Is there any documentation for doing it?

Can anyone pls advise me in this regard. I am in an urgent need of it.

Regards,
Hariharan R

From francois.beretti at gmail.com Wed May 3 10:14:19 2006
From: francois.beretti at gmail.com (François Beretti)
Date: Wed, 3 May 2006 12:14:19 +0200
Subject: [Fedora-directory-users] plugin programming
Message-ID: <85d6be850605030314k14072c9bp346dddbf04926303@mail.gmail.com>

Hi,

I have read the plugin API documentation, but I am not sure I can write
the plugin I want:

I want two things:
1) to be able to get the groups of a user by reading an attribute of the user
2) to be able to get the groups of the groups of a user by reading an
attribute of the user

I am not sure I can totally replace an ldap search (matching some
criteria) result with a custom value.

Thank you very much

Regards,
François

From francois.beretti at gmail.com Wed May 3 10:18:10 2006
From: francois.beretti at gmail.com (François Beretti)
Date: Wed, 3 May 2006 12:18:10 +0200
Subject: [Fedora-directory-users] Host name resolution when connecting to administration server
Message-ID: <85d6be850605030318s5ce66b92o68191fbba10dc6ee@mail.gmail.com>

Hi,

when you connect with the console to a remote administration server, the
server does host name based access control. If you want to give access to
any host, you can set the host name mask to "*". But if the host name DNS
resolution fails, even if the mask is "*", the authorization fails (HTTP
401: authorization required).

In my environment it is a problem to put every client host in the DNS
system used by the server.

How can I bypass the hostname verification of the administration server?

Thank you

François

From david_list at boreham.org Wed May 3 13:09:18 2006
From: david_list at boreham.org (David Boreham)
Date: Wed, 03 May 2006 07:09:18 -0600
Subject: [Fedora-directory-users] plugin programming
In-Reply-To: <85d6be850605030314k14072c9bp346dddbf04926303@mail.gmail.com>
References: <85d6be850605030314k14072c9bp346dddbf04926303@mail.gmail.com>
Message-ID: <4458AB7E.9000400@boreham.org>

François Beretti wrote:
>
> I want two things:
> 1) to be able to get the groups of a user by reading an attribute of
> the user
> 2) to be able to get the groups of the groups of a user by reading an
> attribute of the user
>
> I am not sure I can totally replace an ldap search (matching some
> criteria) result with a custom value.

This sounds quite like 'roles'. You might take a look at that code and
see if it'll work for you, or work with some minor modifications.
From rmeggins at redhat.com Wed May 3 14:48:16 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 03 May 2006 08:48:16 -0600
Subject: [Fedora-directory-users] Fedora directory Server 7.1 with BDB/MySQL Backend
Message-ID: <4458C2B0.10303@redhat.com>

Hariharan R wrote:
>
> Hai,
> Has anyone configured Fedora Directory server 7.1 (or any version) with
> MySQL as backend?
There's no "pre-canned" back-sql. You will have to write a considerable
amount of plug-in code in order to support this.
> Is there any documentation for doing it?
http://directory.fedora.redhat.com/wiki/FAQ#Can_I_replace_Sleepycat_with_Oracle.2C_or_Postgres.2C_etc..3F
>
> Can anyone pls advise me in this regard. I am in an urgent need of it.
>
> Regards,
> Hariharan R

From elias at hi.is Wed May 3 15:02:19 2006
From: elias at hi.is (Elías Halldór Ágústsson)
Date: Wed, 03 May 2006 15:02:19 +0000
Subject: [Fedora-directory-users] FDS to AD sync weirdness ... CN changes, unique constraints.
In-Reply-To: <44525FD2.60704@broadcom.com>
References: <4452308A.6070200@hi.is> <44525FD2.60704@broadcom.com>
Message-ID: <4458C5FB.30904@hi.is>

> I believe that CN is a multivalued attribute (at least in FDS). So, if
> it's any help, you could have unique CNs that are used in the entries'
> DNs, and optionally have additional CNs that may not be unique.

That works well in FDS, but not in AD, and entryDNs with multivalued CNs
won't sync over.

--
Elías Halldór Ágústsson        | Elias Halldor Agustsson
Unix Kerfisstjóri              | Unix Systems Administrator
Reiknistofnun Háskóla Íslands  | University of Iceland Computing Services
http://elias.rhi.hi.is/        | +354 525 4903

From kimmo.koivisto at surfeu.fi Wed May 3 15:31:33 2006
From: kimmo.koivisto at surfeu.fi (Kimmo Koivisto)
Date: Wed, 3 May 2006 18:31:33 +0300
Subject: [Fedora-directory-users] Host name resolution when connecting to administration server
In-Reply-To: <85d6be850605030318s5ce66b92o68191fbba10dc6ee@mail.gmail.com>
References: <85d6be850605030318s5ce66b92o68191fbba10dc6ee@mail.gmail.com>
Message-ID: <200605031831.33340.kimmo.koivisto@surfeu.fi>

François Beretti wrote in the message (sent Wednesday 03 May 2006 13:18):
> Hi,
>
> How can I bypass the hostname verification of the administration server?
>

Hi

There is a bug in 1.0.2 related to this (address matching is reversed). If
you need to allow administration from anywhere, you need to set

nsAdminAccessAddresses=something you don't have
nsAdminAccessHosts=empty

I have used the limited broadcast address (255.255.255.255) as
nsAdminAccessAddresses and it seems to work. I do my access control with
IPsec.
When the next version comes and this is fixed, you might not be able to
connect before you change that nsAdminAccessAddresses back to what it
really should be (can be done from the command line with ldapmodify).

Best Regards
Kimmo Koivisto

From logastellus at yahoo.com Wed May 3 19:14:38 2006
From: logastellus at yahoo.com (Susan)
Date: Wed, 3 May 2006 12:14:38 -0700 (PDT)
Subject: [Fedora-directory-users] gid number in posix account!
In-Reply-To: <44576AE2.9010102@redhat.com>
Message-ID: <20060503191438.91529.qmail@web52905.mail.yahoo.com>

--- Richard Megginson wrote:
> In the Posix fields, yes. The fields uidNumber and gidNumber have to be
> an integer.

what's really strange is that if you're adding a person to multiple groups
(really, listing multiple memberuid attributes in a posixgroup) you MUST
use the text name of the person. Even though the attr is called
member*uid*, if you put the uid in there, it won't work. Text string must
be specified. I know it's not FDS's fault but as my kids would say,
"that's just whack."

From mj at sci.fi Wed May 3 19:18:02 2006
From: mj at sci.fi (mj at sci.fi)
Date: Wed, 3 May 2006 22:18:02 +0300 (EEST)
Subject: [Fedora-directory-users] gid number in posix account!
Message-ID: <32006593.685901146683882775.JavaMail.mj@sci.fi>

> what's really strange is that if you're adding a person to multiple groups (really, listing
> multiple memberuid attributes in a posixgroup) you MUST use the text name of the person. Even
> though the attr is called member*uid*, if you put the uid in there, it won't work. Text string
> must be specified. I know it's not FDS's fault but as my kids would say, "that's just whack."

uid is a text string username.
uidNumber is an integer user id number.

--
mike

From sam.sharpe at imperial.ac.uk Wed May 3 19:24:24 2006
From: sam.sharpe at imperial.ac.uk (Sharpe, Sam J)
Date: Wed, 3 May 2006 20:24:24 +0100
Subject: [Fedora-directory-users] gid number in posix account!
In-Reply-To: <32006593.685901146683882775.JavaMail.mj@sci.fi>
References: <32006593.685901146683882775.JavaMail.mj@sci.fi>

On 3 May 2006, at 20:18, mj at sci.fi wrote:
>
>> what's really strange is that if you're adding a person to
>> multiple groups (really, listing
>> multiple memberuid attributes in a posixgroup) you MUST use the
>> text name of the person. Even
>> though the attr is called member*uid*, if you put the uid in
>> there, it won't work. Text string
>> must be specified. I know it's not FDS's fault but as my kids
>> would say, "that's just whack."
>
> uid is a text string username.
> uidNumber is an integer user id number.

Yes, but Susan's point was that the generally accepted use of the term
"uid" (in systems and operating systems terms) is a *number* that
uniquely describes the user. LDAP is different from the norm, and
"that's just whack".

From logastellus at yahoo.com Wed May 3 19:24:48 2006
From: logastellus at yahoo.com (Susan)
Date: Wed, 3 May 2006 12:24:48 -0700 (PDT)
Subject: [Fedora-directory-users] gid number in posix account!
In-Reply-To: <32006593.685901146683882775.JavaMail.mj@sci.fi>
Message-ID: <20060503192448.96109.qmail@web52905.mail.yahoo.com>

--- mj at sci.fi wrote:
> > what's really strange is that if you're adding a person to multiple groups (really, listing
> > multiple memberuid attributes in a posixgroup) you MUST use the text name of the person. Even
> > though the attr is called member*uid*, if you put the uid in there, it won't work. Text string
> > must be specified. I know it's not FDS's fault but as my kids would say, "that's just whack."
>
> uid is a text string username.
> uidNumber is an integer user id number.

only in this context. 99.9999% of the time, when people say UID, they mean
the number, not the text username. In fact, the man page is clear on this:

    The name field is the login name of a user, it is up to 8 letters
    or numbers long starting with a letter. The login name must be
    unique.

    The password field is either empty (no password), a 13 character
    encrypted password as returned by crypt(3), or a login name preceded
    by two number signs (#) to index the shadow password file. Anything
    else (usually *) is invalid.

    The uid and gid fields are two numbers indicating the users
    user-id and group-id.
    ^^^^^^^^^^^^^^^^

From mj at sci.fi Wed May 3 20:07:43 2006
From: mj at sci.fi (mj at sci.fi)
Date: Wed, 3 May 2006 23:07:43 +0300 (EEST)
Subject: [Fedora-directory-users] gid number in posix account!
Message-ID: <30435156.701411146686863868.JavaMail.mj@sci.fi>

> Yes, but Susan's point was that the generally accepted use of the
> term "uid" (in systems and operating systems terms) is a *number*
> that uniquely describes the user. LDAP is different from the norm,
> and "that's just whack".

Maybe. But we are discussing LDAP here :-) It has its own jargon and
methods, a lot of them inherited from X.500...

--
mike

From francois.beretti at gmail.com Thu May 4 07:42:32 2006
From: francois.beretti at gmail.com (François Beretti)
Date: Thu, 4 May 2006 09:42:32 +0200
Subject: [Fedora-directory-users] Host name resolution when connecting to administration server
In-Reply-To: <200605031831.33340.kimmo.koivisto@surfeu.fi>
References: <85d6be850605030318s5ce66b92o68191fbba10dc6ee@mail.gmail.com> <200605031831.33340.kimmo.koivisto@surfeu.fi>
Message-ID: <85d6be850605040042y3dc6bcpedc5fd4b3494bc75@mail.gmail.com>

2006/5/3, Kimmo Koivisto :
> There is a bug in 1.0.2 related to this (address matching is reversed).
> If you need to allow administration from anywhere, you need to set
> nsAdminAccessAddresses=something you don't have
> nsAdminAccessHosts=empty

Hi,

by "empty" do you mean "no value" or "an empty string"?

François

From hariharan at lantana.tenet.res.in Thu May 4 12:01:08 2006
From: hariharan at lantana.tenet.res.in (Hariharan R)
Date: Thu, 4 May 2006 17:31:08 +0530 (IST)
Subject: [Fedora-directory-users] FDS- Adding New attribute and object class?

Hai,
I want to add a new (user defined) attribute and object class to the
Fedora directory server without using the console.

How can I do it?

I tried to add a new attribute/object class through the schema/00core.ldif file.
After that I restarted my directory server; fine, my FDS recognizes the
new attribute and object class.

Is it the correct way of doing it?
Is there any formal method of adding it (without using the FDS console)?

Pls advise me.

----
Regards,
Hariharan.R

From womble at zaniyah.org Thu May 4 13:28:39 2006
From: womble at zaniyah.org (Jess)
Date: Thu, 4 May 2006 14:28:39 +0100 (BST)
Subject: [Fedora-directory-users] How do you reset the Directory Manager's password?

How does one reset the Directory Manager's password (without using
startconsole)? Is there a file somewhere similar to slapd.conf for
openldap?

Also, if anyone knows how or if you can set up ACLs (I want the same
behaviour as the slapd.access of openldap) I would appreciate it.

Thanks

Jess

From mj at sci.fi Thu May 4 13:36:38 2006
From: mj at sci.fi (mj at sci.fi)
Date: Thu, 4 May 2006 16:36:38 +0300 (EEST)
Subject: [Fedora-directory-users] FDS- Adding New attribute and object class?
Message-ID: <15800208.162281146749798415.JavaMail.mj@sci.fi>

> Hai,
> I want to add a new (user defined) attribute and object class to the
> Fedora directory server without using the console.
>
> How can I do it?
>
> I tried to add a new attribute/object class through the schema/00core.ldif file.
> After that I restarted my directory server; fine, my FDS recognizes the
> new attribute and object class.
>
> Is it the correct way of doing it?

You should make your own files, instead of adding to existing files.
Also, you should use your own OID namespace, instead of using the ones
in existing files. You can apply for an OID namespace for your
organization, at iana.org.

BR,
Mike

From rmeggins at redhat.com Thu May 4 14:07:36 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 04 May 2006 08:07:36 -0600
Subject: [Fedora-directory-users] How do you reset the Directory Manager's password?
Message-ID: <445A0AA8.4020208@redhat.com>

Jess wrote:
>
> How does one reset the Directory Manager's password (without using
> startconsole)? Is there a file somewhere similar to slapd.conf for
> openldap?
http://directory.fedora.redhat.com/wiki/Howto:ResetDirMgrPassword
>
> Also, if anyone knows how or if you can set up ACLs (I want the same
> behaviour as the slapd.access of openldap) I would appreciate it.
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/acl.html#997355
>
> Thanks
>
> Jess
From kimmo.koivisto at surfeu.fi Thu May 4 15:42:33 2006
From: kimmo.koivisto at surfeu.fi (Kimmo Koivisto)
Date: Thu, 4 May 2006 18:42:33 +0300
Subject: [Fedora-directory-users] Host name resolution when connecting to administration server
In-Reply-To: <85d6be850605040042y3dc6bcpedc5fd4b3494bc75@mail.gmail.com>
References: <85d6be850605030318s5ce66b92o68191fbba10dc6ee@mail.gmail.com> <200605031831.33340.kimmo.koivisto@surfeu.fi> <85d6be850605040042y3dc6bcpedc5fd4b3494bc75@mail.gmail.com>
Message-ID: <200605041842.33594.kimmo.koivisto@surfeu.fi>

François Beretti wrote in the message (sent Thursday 04 May 2006 10:42):
> 2006/5/3, Kimmo Koivisto :
> > There is a bug in 1.0.2 related to this (address matching is reversed).
> > If you need to allow administration from anywhere, you need to set
> > nsAdminAccessAddresses=something you don't have
> > nsAdminAccessHosts=empty
>
> Hi,
>
> by "empty" do you mean "no value" or "an empty string"?
>

I guess it's "an empty string" if you do it with the FDS console, I have
just used it to remove default values.

BR
Kimmo

From mikael.kermorgant at gmail.com Fri May 5 08:55:01 2006
From: mikael.kermorgant at gmail.com (Mikael Kermorgant)
Date: Fri, 5 May 2006 10:55:01 +0200
Subject: [Fedora-directory-users] cleartext password
Message-ID: <9711147e0605050155l52d01144i158c1a519c4e993b@mail.gmail.com>

Hello,

Is there a way to store a "clear version" of the passwords in an external
storage (sql db, text file...) while turning on encryption on the
directory server?

Thanks in advance,

--
Mikael Kermorgant

From hariharan at lantana.tenet.res.in Fri May 5 12:13:30 2006
From: hariharan at lantana.tenet.res.in (Hariharan R)
Date: Fri, 5 May 2006 17:43:30 +0530 (IST)
Subject: [Fedora-directory-users] UserPassword value in backend?

Hai,
How is the value of 'userpassword' stored in the database (BDB)?
I added an entry by specifying the following attributes,

dn: uid=exuser,ou=People, dc=example,dc=com
uid: exuser
uid: 100
givenName: exuser
userPassword: exuser123
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
cn: exuser
sn: exuser

The user is added to the database successfully. I am able to see the
encrypted password while retrieving it (but I am adding it using the
clear text format).

I want to know how the password is actually stored in the database?
Pls advise me.

---
Regards,
Hariharan.R

From david_list at boreham.org Fri May 5 13:04:44 2006
From: david_list at boreham.org (David Boreham)
Date: Fri, 05 May 2006 07:04:44 -0600
Subject: [Fedora-directory-users] UserPassword value in backend?
Message-ID: <445B4D6C.1040802@boreham.org>

>
> The user is added to the database successfully. I am able to see the
> encrypted password while retrieving it (but I am adding it using the
> clear text format).
>
> I want to know how the password is actually stored in the database?

The hashed value is stored (much the same as /etc/passwd). You can
dump the database using db_dump -p (get the right version for the
version of BDB used in your FDS). The primary index is the file
id2entry.db4. That'll show you exactly what's stored.

From david_list at boreham.org Fri May 5 13:07:24 2006
From: david_list at boreham.org (David Boreham)
Date: Fri, 05 May 2006 07:07:24 -0600
Subject: [Fedora-directory-users] cleartext password
In-Reply-To: <9711147e0605050155l52d01144i158c1a519c4e993b@mail.gmail.com>
References: <9711147e0605050155l52d01144i158c1a519c4e993b@mail.gmail.com>
Message-ID: <445B4E0C.3080902@boreham.org>

Mikael Kermorgant wrote:
> Is there a way to store a "clear version" of the passwords in an
> external storage (sql db, text file...) while turning on encryption
> on the directory server?

Yes there is. It might be useful to know more about what you are
trying to achieve, because there are a few ways to skin this cat.

But to start, there is a magic attribute added to the entry during
processing inside the server that holds the un-hashed password value
(for operations that modify or add the password attribute). This is
used for example to propagate cleartext password values in replication
and for Windows sync. You can pick up that attribute in a plugin and
salt it away somewhere.

From mikael.kermorgant at gmail.com Fri May 5 14:40:58 2006
From: mikael.kermorgant at gmail.com (Mikael Kermorgant)
Date: Fri, 5 May 2006 16:40:58 +0200
Subject: [Fedora-directory-users] cleartext password
In-Reply-To: <445B4E0C.3080902@boreham.org>
References: <9711147e0605050155l52d01144i158c1a519c4e993b@mail.gmail.com> <445B4E0C.3080902@boreham.org>
Message-ID: <9711147e0605050740q5b96ed59h792bd3b49f3a9a8b@mail.gmail.com>

> Yes there is. It might be useful to know more about what you are
> trying to achieve, because there are a few ways to skin this cat.

My goal is to create a "welcome" letter for each new student with account
information. Being able to create a mailing from a source like a
spreadsheet or a database is what I'm looking for.

> But to start, there is a magic attribute added to the entry during
> processing inside the server that holds the un-hashed password value
> (for operations that modify or add the password attribute). This is
> used for example to propagate cleartext password values in replication
> and for Windows sync. You can pick up that attribute in a plugin and
> salt it away somewhere.

That's good and bad news for me!
Good news is it's possible, bad news is that writing a plugin is
something too complicated for my computing skills :(
Still any hope for my situation?
Thanks, -- Mikael Kermorgant From david_list at boreham.org Fri May 5 14:53:21 2006 From: david_list at boreham.org (David Boreham) Date: Fri, 05 May 2006 08:53:21 -0600 Subject: [Fedora-directory-users] cleartext password In-Reply-To: <9711147e0605050740q5b96ed59h792bd3b49f3a9a8b@mail.gmail.com> References: <9711147e0605050155l52d01144i158c1a519c4e993b@mail.gmail.com> <445B4E0C.3080902@boreham.org> <9711147e0605050740q5b96ed59h792bd3b49f3a9a8b@mail.gmail.com> Message-ID: <445B66E1.1060800@boreham.org> > > That's good and bad news for me ! > Good news is it's possible, bad news is that writing a plugin is > something too complicated for my computing skills :( > Still any hope for my situation ? I'm thinking that the password in question will be auto-generated from some script that creates new users , no ? If so then I'd simply have that script dump the plaintext password into the external database and generate letters from that. Mailing the plaintext password that a user selects themselves seems not useful, hence my assumption that this is a computer generated password. From mikael.kermorgant at gmail.com Fri May 5 15:11:59 2006 From: mikael.kermorgant at gmail.com (Mikael Kermorgant) Date: Fri, 5 May 2006 17:11:59 +0200 Subject: [Fedora-directory-users] cleartext password In-Reply-To: <445B66E1.1060800@boreham.org> References: <9711147e0605050155l52d01144i158c1a519c4e993b@mail.gmail.com> <445B4E0C.3080902@boreham.org> <9711147e0605050740q5b96ed59h792bd3b49f3a9a8b@mail.gmail.com> <445B66E1.1060800@boreham.org> Message-ID: <9711147e0605050811h1c27573eqc399bb63b5e9390f@mail.gmail.com> 2006/5/5, David Boreham : > > > > > That's good and bad news for me ! > > Good news is it's possible, bad news is that writing a plugin is > > something too complicated for my computing skills :( > > Still any hope for my situation ? > > I'm thinking that the password in question will be auto-generated > from some script that creates new users , no ? 
If so then I'd simply > have that script dump the plaintext password into the external > database and generate letters from that. Yes, I think I'll use that solution. Just a last question : if I create a user wia DSGW, will I be able to catch the password to put it in my database with something different of a plugin ? Thanks ! -- Mikael Kermorgant From rmeggins at redhat.com Fri May 5 15:17:47 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Fri, 05 May 2006 09:17:47 -0600 Subject: [Fedora-directory-users] cleartext password In-Reply-To: <9711147e0605050811h1c27573eqc399bb63b5e9390f@mail.gmail.com> References: <9711147e0605050155l52d01144i158c1a519c4e993b@mail.gmail.com> <445B4E0C.3080902@boreham.org> <9711147e0605050740q5b96ed59h792bd3b49f3a9a8b@mail.gmail.com> <445B66E1.1060800@boreham.org> <9711147e0605050811h1c27573eqc399bb63b5e9390f@mail.gmail.com> Message-ID: <445B6C9B.8060004@redhat.com> Mikael Kermorgant wrote: > 2006/5/5, David Boreham : >> >> > >> > That's good and bad news for me ! >> > Good news is it's possible, bad news is that writing a plugin is >> > something too complicated for my computing skills :( >> > Still any hope for my situation ? >> >> I'm thinking that the password in question will be auto-generated >> from some script that creates new users , no ? If so then I'd simply >> have that script dump the plaintext password into the external >> database and generate letters from that. > > Yes, I think I'll use that solution. > Just a last question : if I create a user wia DSGW, will I be able to > catch the password to put it in my database with something different > of a plugin ? Well, it's a bit of a hack, but what you could do is rename the binary clients/dsgw/bin/newentry to be newentry.bin, and create a shell script newentry, and have it dump out stdin to a file before passing it to newentry.bin > > Thanks ! 
> -- > Mikael Kermorgant > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From womble at zaniyah.org Sat May 6 13:41:30 2006 From: womble at zaniyah.org (Womble) Date: Sat, 06 May 2006 14:41:30 +0100 Subject: [Fedora-directory-users] How do you reset the Directory Manager's password? In-Reply-To: <445A0AA8.4020208@redhat.com> References: <445A0AA8.4020208@redhat.com> Message-ID: <445CA78A.40205@zaniyah.org> Thank you, I don't know why I couldn't find them using the search! Richard Megginson wrote: > Jess wrote: > >> >> How does one reset the Directory Manager's password (without using >> startconsole)? Is there a file somewhere similar to slapd.conf for >> openldap? > > http://directory.fedora.redhat.com/wiki/Howto:ResetDirMgrPassword > >> >> Also, if anyone knows how or if you can set up ACL's (I want the same >> behaviour as the slapd.access of openldap) I would appreciate it. 
> > http://www.redhat.com/docs/manuals/dir-server/ag/7.1/acl.html#997355 > >> >> Thanks >> >> Jess >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users > >------------------------------------------------------------------------ > >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users > > From francois.beretti at gmail.com Mon May 8 21:58:18 2006 From: francois.beretti at gmail.com (François Beretti) Date: Mon, 8 May 2006 23:58:18 +0200 Subject: [Fedora-directory-users] plugin programming In-Reply-To: <4458AB7E.9000400@boreham.org> References: <85d6be850605030314k14072c9bp346dddbf04926303@mail.gmail.com> <4458AB7E.9000400@boreham.org> Message-ID: <85d6be850605081458o16a8827eg17ad7e81860d4ef9@mail.gmail.com> Thank you very much David, with roles and nested roles I can do everything I describe in my mail. Now I want one more thing. I have a hardware appliance which authorizes users by testing if they belong to one given group, by retrieving the list of the members of the group. But in our data model, authorizations are given through an intermediary group belonging to several authorization groups. I want that, when getting the list of the members, the operation gets the users who are members of the groups that are members of this group. Is it possible to write or use some plugin to do this? Thank you, François 2006/5/3, David Boreham : > François Beretti wrote: > > > > > I want two things : > > 1) to be able to get the groups of a user by reading an attribute of > > the user > > 2) to be able to get the groups of the groups of a user by reading an > > attribute of the user > > > > I am not sure I can replace totally an ldap search (matching some > > criteria) result with a custom value. > > This sounds quite like 'roles'. 
You might take a look at that code > and see if it'll work for you, or work with some minor modifications. > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > From prowley at redhat.com Mon May 8 22:49:52 2006 From: prowley at redhat.com (Pete Rowley) Date: Mon, 08 May 2006 15:49:52 -0700 Subject: [Fedora-directory-users] plugin programming In-Reply-To: <85d6be850605081458o16a8827eg17ad7e81860d4ef9@mail.gmail.com> References: <85d6be850605030314k14072c9bp346dddbf04926303@mail.gmail.com> <4458AB7E.9000400@boreham.org> <85d6be850605081458o16a8827eg17ad7e81860d4ef9@mail.gmail.com> Message-ID: <445FCB10.8090907@redhat.com> François Beretti wrote: > Thank you very much David, with roles and nested roles I can do > everything I describe in my mail. > > Now I want one more thing. > > I have a hardware appliance which authorizes users by testing if they > belong to one given group, by retrieving the list of the members of > the group. But in our data model, authorizations are given through an > intermediary group belonging to several authorization groups. > > I want that, when getting the list of the members, the operation gets > the users who are members of the groups that are members of this group. > > Is it possible to write or use some plugin to do this? Can this application use a dynamic group? If so you can create a dynamic group that uses a role query in its filter. -- Pete -------------- next part -------------- A non-text attachment was scrubbed... 
From dean.plant at roke.co.uk Tue May 9 13:58:55 2006 From: dean.plant at roke.co.uk (Plant, Dean) Date: Tue, 9 May 2006 14:58:55 +0100 Subject: [Fedora-directory-users] Samba/Posix password sync problem Message-ID: <2181C5F19DD0254692452BFF3EAF1D6801527BA1@rsys005a.comm.ad.roke.co.uk> Hello list, I am fairly new to FDS and my head is starting to hurt trying to get things working correctly. I am having a problem syncing passwords using FDS from Samba to the Posix password on CentOS 3. When I change the password on my XP SP2 test machine I get "The username or old password is incorrect. Letters in passwords must be typed using the correct case". The password change is successful in Samba, as I can log off and then use the new password. The password change does not propagate into the Posix account details. SSL is configured and seems to be working: "ldapsearch -x -ZZ uid=test" returns the test user information. I have used authconfig to configure LDAP with TLS on the test server to test the Posix account details. I am using the IdealX scripts; /opt/IDEALX/sbin/smbldap-passwd works without TLS, but I think I have a problem when enabling TLS within these scripts, as smbldap-passwd fails to run. Below are my TLS settings from /etc/opt/IDEALX/smbldap-tools/smbldap.conf. Do these look correct? If anyone can give me a kick in the right direction I would appreciate the help. 
# Use TLS for LDAP # If set to 1, this option will use start_tls for connection # (you should also used the port 389) # If not defined, parameter is set to "1" #ldapTLS="0" ldapTLS="1" # How to verify the server's certificate (none, optional or require) # see "man Net::LDAP" in start_tls section for more details verify="" # CA certificate # see "man Net::LDAP" in start_tls section for more details cafile="/opt/fedora-ds/alias/cacert.asc" # certificate to use to connect to the ldap server # see "man Net::LDAP" in start_tls section for more details clientcert="/opt/fedora-ds/alias/slapd-myhost-cert8.db" # key certificate to use to connect to the ldap server # see "man Net::LDAP" in start_tls section for more details clientkey="/opt/fedora-ds/alias/slapd-myhost-key3.db" The samba log for the XP connection shows 2006/05/09 09:53:08, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1587) ldapsam_modify_entry: LDAP Password could not be changed for user test: Confidentiality required Operation requires a secure connection. [2006/05/09 09:53:08, 0] passdb/pdb_ldap.c:ldapsam_update_sam_account(1731) ldapsam_update_sam_account: failed to modify user with uid = test, error: Operation requires a secure connection. (Success) [2006/05/09 09:53:08, 0] libsmb/smbencrypt.c:decode_pw_buffer(539) decode_pw_buffer: incorrect password length (1600733334). 
[2006/05/09 09:53:08, 0] libsmb/smbencrypt.c:decode_pw_buffer(540) decode_pw_buffer: check that 'encrypt passwords = yes' The directory server logs show [09/May/2006:09:53:07 +0100] conn=247 fd=67 slot=67 connection from 127.0.0.1 to 127.0.0.1 [09/May/2006:09:53:07 +0100] conn=247 op=0 BIND dn="cn=Directory Manager" method=128 version=3 [09/May/2006:09:53:07 +0100] conn=247 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager" [09/May/2006:09:53:07 +0100] conn=247 op=1 SRCH base="dc=roke,dc=co,dc=uk" scope=2 filter="(&(uid=test)(objectClass=sambaSamAccount))" attrs="uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp" [09/May/2006:09:53:07 +0100] conn=247 op=1 RESULT err=0 tag=101 nentries=1 etime=0 [09/May/2006:09:53:07 +0100] conn=248 fd=71 slot=71 connection from 127.0.0.1 to 127.0.0.1 [09/May/2006:09:53:07 +0100] conn=246 op=4 UNBIND [09/May/2006:09:53:07 +0100] conn=246 op=4 fd=68 closed - U1 [09/May/2006:09:53:07 +0100] conn=248 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS" [09/May/2006:09:53:07 +0100] conn=248 op=0 RESULT err=0 tag=120 nentries=0 etime=0 [09/May/2006:09:53:07 +0100] conn=248 SSL 256-bit AES [09/May/2006:09:53:07 +0100] conn=248 op=1 BIND dn="" method=128 version=3 [09/May/2006:09:53:07 +0100] conn=248 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="" [09/May/2006:09:53:07 +0100] conn=248 op=2 SRCH base="dc=roke,dc=co,dc=uk" scope=2 filter="(&(objectClass=posixAccount)(uid=test))" attrs="uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass" 
[09/May/2006:09:53:07 +0100] conn=248 op=2 RESULT err=0 tag=101 nentries=1 etime=0 [09/May/2006:09:53:07 +0100] conn=249 fd=68 slot=68 connection from 127.0.0.1 to 127.0.0.1 [09/May/2006:09:53:07 +0100] conn=248 op=3 UNBIND [09/May/2006:09:53:07 +0100] conn=248 op=3 fd=71 closed - U1 [09/May/2006:09:53:07 +0100] conn=249 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS" [09/May/2006:09:53:07 +0100] conn=249 op=0 RESULT err=0 tag=120 nentries=0 etime=0 [09/May/2006:09:53:07 +0100] conn=249 SSL 256-bit AES [09/May/2006:09:53:07 +0100] conn=249 op=1 BIND dn="" method=128 version=3 [09/May/2006:09:53:07 +0100] conn=249 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="" [09/May/2006:09:53:07 +0100] conn=249 op=2 SRCH base="dc=roke,dc=co,dc=uk" scope=2 filter="(uid=test)" attrs=ALL [09/May/2006:09:53:07 +0100] conn=249 op=2 RESULT err=0 tag=101 nentries=1 etime=0 [09/May/2006:09:53:07 +0100] conn=249 op=3 SRCH base="dc=roke,dc=co,dc=uk" scope=2 filter="(&(objectClass=posixGroup)(|(memberUid=test)(uniqueMember=uid=te st,ou=People,dc=roke,dc=co,dc=uk)))" attrs="cn userPassword memberUid uniqueMember gidNumber" [09/May/2006:09:53:07 +0100] conn=249 op=3 RESULT err=0 tag=101 nentries=1 etime=0 [09/May/2006:09:53:07 +0100] conn=247 op=2 SRCH base="dc=roke,dc=co,dc=uk" scope=2 filter="(&(uid=test)(objectClass=sambaSamAccount))" attrs="uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp" [09/May/2006:09:53:07 +0100] conn=247 op=2 RESULT err=0 tag=101 nentries=1 etime=0 [09/May/2006:09:53:07 +0100] conn=249 op=4 SRCH base="dc=roke,dc=co,dc=uk" scope=2 
filter="(&(objectClass=posixAccount)(uid=test))" attrs="uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass" [09/May/2006:09:53:07 +0100] conn=249 op=4 RESULT err=0 tag=101 nentries=1 etime=0 [09/May/2006:09:53:07 +0100] conn=247 op=3 MOD dn="uid=test,ou=People,dc=roke,dc=co,dc=uk" [09/May/2006:09:53:07 +0100] conn=247 op=3 RESULT err=0 tag=103 nentries=0 etime=0 [09/May/2006:09:53:07 +0100] conn=247 op=4 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedExtension" [09/May/2006:09:53:08 +0100] conn=247 op=4 RESULT err=0 tag=101 nentries=1 etime=1 [09/May/2006:09:53:08 +0100] conn=247 op=5 EXT oid="1.3.6.1.4.1.4203.1.11.1" name="passwd_modify_extop" [09/May/2006:09:53:08 +0100] conn=247 op=5 RESULT err=13 tag=120 nentries=0 etime=0 [09/May/2006:09:53:08 +0100] conn=247 op=6 SRCH base="dc=roke,dc=co,dc=uk" scope=2 filter="(&(uid=test)(objectClass=sambaSamAccount))" attrs="uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp" [09/May/2006:09:53:08 +0100] conn=247 op=6 RESULT err=0 tag=101 nentries=1 etime=0 My smb.conf [global] workgroup = TEST security = user passdb backend = ldapsam:ldap://localhost ldap admin dn = cn=Directory Manager ldap suffix = dc=roke,dc=co,dc=uk ldap user suffix = ou=People ldap machine suffix = ou=Computers ldap group suffix = ou=Groups encrypt passwords = yes log file = /var/log/samba/%m.log socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 os level = 33 domain logons = yes domain master = yes local master = yes preferred master = yes wins support = yes 
logon home = \\%L\%U\profiles logon path = \\%L\profiles\%U logon drive = H: template shell = /bin/false winbind use default domain = no #ldap ssl = yes ldap passwd sync = Yes add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u" ldap delete dn = Yes delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u" add machine script = /opt/IDEALX/sbin/smbldap-useradd -t 5 -w "%u" add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g" delete group script = /opt/IDEALX/sbin/smbldap-groupdel "%g" add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g" delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g" set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u" [netlogon] path = /var/lib/samba/netlogon read only = yes browsable = no [profiles] path = /var/lib/samba/profiles read only = no create mask = 0600 directory mask = 0700 [homes] browsable = no writable = yes Thanks Dean Plant From jo.de.troy at gmail.com Wed May 10 09:58:02 2006 From: jo.de.troy at gmail.com (Jo De Troy) Date: Wed, 10 May 2006 11:58:02 +0200 Subject: [Fedora-directory-users] Directory Server Gateway Message-ID: Hello all, how feasable is it to have the Gateway display a separate window/tab to allow the users to change their password? Without showing them all the other details (manager/room number, etc). Any idea when the next release will be avaiable? Kind Regards, Jo -------------- next part -------------- An HTML attachment was scrubbed... URL: From rmeggins at redhat.com Wed May 10 13:42:11 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Wed, 10 May 2006 07:42:11 -0600 Subject: [Fedora-directory-users] Directory Server Gateway In-Reply-To: References: Message-ID: <4461EDB3.5020501@redhat.com> Jo De Troy wrote: > Hello all, > > how feasable is it to have the Gateway display a separate window/tab > to allow the users to change their password? > Without showing them all the other details (manager/room number, etc). 
Probably not without some hacking of the C code and the HTML templates. So if you're looking for just a simple config file change, it's not feasible. However, you should submit an enhancement request to bugzilla.redhat.com > Any idea when the next release will be avaiable? Probably not for a couple of months. > > Kind Regards, > Jo > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From rajkumars at asianetindia.com Wed May 10 14:16:11 2006 From: rajkumars at asianetindia.com (Rajkumar S) Date: Wed, 10 May 2006 19:46:11 +0530 Subject: [Fedora-directory-users] ACI, userattr question Message-ID: <4461F5AB.1000403@asianetindia.com> Hi, My server has a structure like: o=isp o=domain1,o=isp uid=user1,o=domain1,o=isp uid=user2,o=domain1,o=isp uid=user3,o=domain1,o=isp uid=user4,o=domain1,o=isp o=domain2,o=isp uid=user1,o=domain2,o=isp uid=user2,o=domain2,o=isp uid=user3,o=domain2,o=isp uid=user4,o=domain2,o=isp each domain has an attribute administrator (taken from phpQLAdmin, I am using ldap for qmail-ldap) which has full dn of a uid. For example say the administrator of o=domain1,o=isp is uid=user1,o=domain1,o=isp, and that of o=domain2,o=isp is uid=user1,o=domain2,o=isp Now when I bind as uid=user1,o=domain1,o=isp I must have full write permission for domain1 and all users under it, and if I bind as uid=user1,o=domain2,o=isp I must have write access to domain2 and so on. I am looking for a minimum aci that can do this, Preferably one that is applied at o=isp. I have played with aci and userattr, but seems it's not working. 
The one I tried is aci: (target="ldap:///o=*,o=isp")(targetattr=*) (version 3.0;acl "manager-write"; allow (all) userattr = "administrator#USERDN";) I have taken this from the examples in docs, but this is not working as expected. Thanks for your help, regards, raj From ndbecker2 at gmail.com Wed May 10 17:51:22 2006 From: ndbecker2 at gmail.com (Neal Becker) Date: Wed, 10 May 2006 13:51:22 -0400 Subject: [Fedora-directory-users] ./startconsole fails (FC5 x86_64) Message-ID: <200605101351.22667.ndbecker2@gmail.com> Newbie here. Just installed FC5 x86_64 rpm. Completed setup. Then: ./startconsole -a http://nbecker3.md.hnsnet:10000 GC Warning: Out of Memory! Returning NIL! GC Warning: Out of Memory! Returning NIL! GC Warning: Out of Memory! Returning NIL! Exception in thread "main" java.lang.OutOfMemoryError <> From logastellus at yahoo.com Wed May 10 18:42:50 2006 From: logastellus at yahoo.com (Susan) Date: Wed, 10 May 2006 11:42:50 -0700 (PDT) Subject: [Fedora-directory-users] forcing users to change passwords on next login Message-ID: <20060510184250.7136.qmail@web52913.mail.yahoo.com> Hi, all. Any idea how to force a user to go through a password change on the next login? I checked the box in the main config "user must change password after reset", then changed the user's password from the UI but that doesn't seem to be doing anything. The user just logs in with the new password as usual. I want a prompt saying (after the newly reset password has been entered) "Your password has now expired, please enter a new password." Anyway to do that? I've UseLogin set to yes in sshd_config, if that helps any... __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! 
Mail has the best spam protection around http://mail.yahoo.com From mj at sci.fi Wed May 10 19:09:16 2006 From: mj at sci.fi (mj at sci.fi) Date: Wed, 10 May 2006 22:09:16 +0300 (EEST) Subject: [Fedora-directory-users] forcing users to change passwords on next login Message-ID: <18649711.927701147288156492.JavaMail.mj@sci.fi> > Hi, all. > > Any idea how to force a user to go through a password change on the next login? I checked the box > in the main config "user must change password after reset", then changed the user's password from > the UI but that doesn't seem to be doing anything. The user just logs in with the new password as > usual. I want a prompt saying (after the newly reset password has been entered) > > "Your password has now expired, please enter a new password." > > Anyway to do that? I've UseLogin set to yes in sshd_config, if that helps any... 1. The pam_ldap module doesn't support Netscape password policies anymore IIRC, so you will never see that notice on a pam_ldap enabled machine. 2. The bind should just fail, nonetheless. If it really doesn't, then this is a bug somewhere... -- mike From mj at sci.fi Wed May 10 19:16:49 2006 From: mj at sci.fi (mj at sci.fi) Date: Wed, 10 May 2006 22:16:49 +0300 (EEST) Subject: [Fedora-directory-users] forcing users to change passwords on next login Message-ID: <19198305.930441147288609808.JavaMail.mj@sci.fi> > > 1. The pam_ldap module doesn't support Netscape password policies anymore IIRC, so you will never see that notice on a pam_ldap enabled machine. Or maybe it does. Still, I remembered reading something like that before, somewhere... 
-- mike From rcritten at redhat.com Wed May 10 19:25:24 2006 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 10 May 2006 15:25:24 -0400 Subject: [Fedora-directory-users] ./startconsole fails (FC5 x86_64) In-Reply-To: <200605101351.22667.ndbecker2@gmail.com> References: <200605101351.22667.ndbecker2@gmail.com> Message-ID: <44623E24.4050402@redhat.com> Neal Becker wrote: > Newbie here. Just installed FC5 x86_64 rpm. Completed setup. Then: > ./startconsole -a http://nbecker3.md.hnsnet:10000 > GC Warning: Out of Memory! Returning NIL! > GC Warning: Out of Memory! Returning NIL! > GC Warning: Out of Memory! Returning NIL! > Exception in thread "main" java.lang.OutOfMemoryError > <> > gcj can't currently run the console. You'll need to install a JRE (or JDK) from either Sun or IBM. Be sure that startconsole is running the proper 'java' too. It uses the one in your path via `which java`. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From logastellus at yahoo.com Wed May 10 19:12:48 2006 From: logastellus at yahoo.com (Susan) Date: Wed, 10 May 2006 12:12:48 -0700 (PDT) Subject: [Fedora-directory-users] forcing users to change passwords on next login In-Reply-To: <18649711.927701147288156492.JavaMail.mj@sci.fi> Message-ID: <20060510191248.99606.qmail@web52908.mail.yahoo.com> --- mj at sci.fi wrote: > 2. The bind should just fail, nonetheless. If it really doesn't, then this is a bug somewhere... why would the bind fail? the user is supplying the correct password...? __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! 
Mail has the best spam protection around http://mail.yahoo.com From mj at sci.fi Wed May 10 20:21:02 2006 From: mj at sci.fi (mj at sci.fi) Date: Wed, 10 May 2006 23:21:02 +0300 (EEST) Subject: [Fedora-directory-users] forcing users to change passwords on next login Message-ID: <22804001.949221147292462876.JavaMail.mj@sci.fi> > > > --- mj at sci.fi wrote: > > 2. The bind should just fail, nonetheless. If it really doesn't, then this is a bug somewhere... > > why would the bind fail? the user is supplying the correct password...? > Because the policy is supposed to enforce that the user doesn't get a successful bind until he changes his password. -- mike From logastellus at yahoo.com Wed May 10 20:27:28 2006 From: logastellus at yahoo.com (Susan) Date: Wed, 10 May 2006 13:27:28 -0700 (PDT) Subject: [Fedora-directory-users] forcing users to change passwords on next login In-Reply-To: <22804001.949221147292462876.JavaMail.mj@sci.fi> Message-ID: <20060510202728.48794.qmail@web52913.mail.yahoo.com> --- mj at sci.fi wrote: > > > > > > --- mj at sci.fi wrote: > > > 2. The bind should just fail, nonetheless. If it really doesn't, then this is a bug > somewhere... > > > > why would the bind fail? the user is supplying the correct password...? > > > > Because the policy is supposed to enforce that the user doesn't get a successful bind until he > changes his password. ah, well, that's not working then. The user logins no problem, with the newly reset password. __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com From wiskbroom at hotmail.com Thu May 11 15:44:35 2006 From: wiskbroom at hotmail.com (Vadim Pushkin) Date: Thu, 11 May 2006 15:44:35 +0000 Subject: [Fedora-directory-users] Are DOcs Available For Download? Message-ID: Hello; I would like to know if the FDS docs are available for downlaod? I have only seen the online doc. 
Thank you, .vp From mj at sci.fi Thu May 11 16:35:51 2006 From: mj at sci.fi (mj at sci.fi) Date: Thu, 11 May 2006 19:35:51 +0300 (EEST) Subject: [Fedora-directory-users] Are DOcs Available For Download? Message-ID: <32944315.1077861147365351371.JavaMail.mj@sci.fi> > Hello; > > I would like to know if the FDS docs are available for downlaod? I have > only seen the online doc. They are here, and apply mostly to FDS, except for the features in FDS which are newer than those in the last RHDS release: http://www.redhat.com/docs/manuals/dir-server/ -- mike From Michael.Sangrey at highmark.com Thu May 11 16:44:07 2006 From: Michael.Sangrey at highmark.com (Michael.Sangrey at highmark.com) Date: Thu, 11 May 2006 12:44:07 -0400 Subject: [Fedora-directory-users] Add/Change/Delete values in another attribute Message-ID: <200605111645.k4BGj5aE007946@igate.highmark.com> I apologize if this is a frequently asked question (I checked and scanned LOTs of documents), but... Is there a way to add/change/delete one attribute when another attribute is added/changed/deleted? The real question is a little more complicated. The idea is to add/change/delete a 'memberOf' (a group) attribute for a uid when the uid is added/changed/deleted to a 'group'. Can anyone help? Thanks! -------------- next part -------------- An HTML attachment was scrubbed... URL: From rmeggins at redhat.com Thu May 11 16:55:56 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Thu, 11 May 2006 10:55:56 -0600 Subject: [Fedora-directory-users] Add/Change/Delete values in another attribute In-Reply-To: <200605111645.k4BGj5aE007946@igate.highmark.com> References: <200605111645.k4BGj5aE007946@igate.highmark.com> Message-ID: <44636C9C.7000504@redhat.com> Michael.Sangrey at highmark.com wrote: > > I apologize if this is a frequently asked question (I checked and > scanned LOTs of documents), but... > > Is there a way to add/change/delete one attribute when another > attribute is added/changed/deleted? 
You mean, like a trigger in the RDBMS world? You could write a post-op plug-in, but I don't think that's the answer you're looking for. > > The real question is a little more complicated. The idea is to > add/change/delete a 'memberOf' (a group) attribute for a uid when the > uid is added/changed/deleted to a 'group'. You might want to investigate the Roles http://www.redhat.com/docs/manuals/dir-server/ag/7.1/roles.html#1115402 and Class of Service http://www.redhat.com/docs/manuals/dir-server/ag/7.1/roles.html#1115605 features. > > Can anyone help? > > Thanks! > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From Michael.Sangrey at highmark.com Thu May 11 17:52:05 2006 From: Michael.Sangrey at highmark.com (Michael.Sangrey at highmark.com) Date: Thu, 11 May 2006 13:52:05 -0400 Subject: [Fedora-directory-users] Add/Change/Delete values in another attribute In-Reply-To: <44636C9C.7000504@redhat.com> Message-ID: <200605111753.k4BHr7aE029494@igate.highmark.com> fedora-directory-users-bounces at redhat.com wrote on 05/11/2006 12:55:56 PM: > Michael.Sangrey at highmark.com wrote: > > > > I apologize if this is a frequently asked question (I checked and > > scanned LOTs of documents), but... > > > > Is there a way to add/change/delete one attribute when another > > attribute is added/changed/deleted? > You mean, like a trigger in the RDBMS world? You could write a post-op > plug-in, but I don't think that's the answer you're looking for. I think you're right; I'd like something simpler. But, it might be what it is. 
Has anyone on list written a post-op that deals with add/change/modify to a multi-valued attribute value when another attribute value changes? Would you be willing to share the code? > > > > The real question is a little more complicated. The idea is to > > add/change/delete a 'memberOf' (a group) attribute for a uid when the > > uid is added/changed/deleted to a 'group'. > You might want to investigate the Roles > http://www.redhat.com/docs/manuals/dir-server/ag/7.1/roles.html#1115402 The apps are already in place. If I understand roles correctly, it appears the apps would have to be changed to make use of 'roles'. > and Class of Service > http://www.redhat.com/docs/manuals/dir-server/ag/7.1/roles.html#1115605 > features. This looked very interesting. However, Class of Service precludes multi-valued attributes. If a person is in multiple groups, then 'memberOf' would be multi-valued, right? > > > > Can anyone help? > > > > Thanks! -------------- next part -------------- An HTML attachment was scrubbed... URL: From rmeggins at redhat.com Thu May 11 17:57:52 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Thu, 11 May 2006 11:57:52 -0600 Subject: [Fedora-directory-users] Add/Change/Delete values in another attribute In-Reply-To: <200605111753.k4BHr7aE029494@igate.highmark.com> References: <200605111753.k4BHr7aE029494@igate.highmark.com> Message-ID: <44637B20.2090601@redhat.com> Michael.Sangrey at highmark.com wrote: > > > fedora-directory-users-bounces at redhat.com wrote on 05/11/2006 12:55:56 PM: > > > Michael.Sangrey at highmark.com wrote: > > > > > > I apologize if this is a frequently asked question (I checked and > > > scanned LOTs of documents), but... > > > > > > Is there a way to add/change/delete one attribute when another > > > attribute is added/changed/deleted? > > You mean, like a trigger in the RDBMS world? You could write a post-op > > plug-in, but I don't think that's the answer you're looking for. 
> > I think you're right; I'd like something simpler. But, it might be > what it is. Has anyone on list written a post-op that deals with > add/change/modify to a multi-valued attribute value when another > attribute value changes? Would you be willing to share the code? We already have some in the source code. For example, the referential integrity plug-in - when a user is removed, we search for groups to which that user may be a member of, and remove that user from those groups. > > > > > > > The real question is a little more complicated. The idea is to > > > add/change/delete a 'memberOf' (a group) attribute for a uid when the > > > uid is added/changed/deleted to a 'group'. > > > You might want to investigate the Roles > > http://www.redhat.com/docs/manuals/dir-server/ag/7.1/roles.html#1115402 > > The apps are already in place. If I understand roles correctly, it > appears the apps would have to be changed to make use of 'roles'. > > > and Class of Service > > http://www.redhat.com/docs/manuals/dir-server/ag/7.1/roles.html#1115605 > > features. > > This looked very interesting. However, Class of Service precludes > multi-valued attributes. If a person is in multiple groups, then > 'memberOf' would be multi-valued, right? Right. So, perhaps this wouldn't work for you. > > > > > > > Can anyone help? > > > > > > Thanks! > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Thu May 11 17:59:31 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Thu, 11 May 2006 11:59:31 -0600 Subject: [Fedora-directory-users] ACI, userattr question In-Reply-To: <4461F5AB.1000403@asianetindia.com> References: <4461F5AB.1000403@asianetindia.com> Message-ID: <44637B83.8060008@redhat.com> Rajkumar S wrote: > Hi, > > My server has a structure like: > > o=isp > o=domain1,o=isp > uid=user1,o=domain1,o=isp > uid=user2,o=domain1,o=isp > uid=user3,o=domain1,o=isp > uid=user4,o=domain1,o=isp > o=domain2,o=isp > uid=user1,o=domain2,o=isp > uid=user2,o=domain2,o=isp > uid=user3,o=domain2,o=isp > uid=user4,o=domain2,o=isp > > each domain has an attribute administrator (taken from phpQLAdmin, I > am using ldap for qmail-ldap) which has full dn of a uid. For example > say the administrator of o=domain1,o=isp is uid=user1,o=domain1,o=isp, > and that of o=domain2,o=isp is uid=user1,o=domain2,o=isp > > Now when I bind as uid=user1,o=domain1,o=isp I must have full write > permission for domain1 and all users under it, and if I bind as > uid=user1,o=domain2,o=isp I must have write access to domain2 and so on. > > I am looking for a minimum aci that can do this, Preferably one that > is applied at o=isp. Try the Macro ACI feature - http://www.redhat.com/docs/manuals/dir-server/ag/7.1/acl.html#1195760 > > I have played with aci and userattr, but seems it's not working. The > one I tried is > > aci: (target="ldap:///o=*,o=isp")(targetattr=*) (version 3.0;acl > "manager-write"; allow (all) userattr = "administrator#USERDN";) > > I have taken this from the examples in docs, but this is not working > as expected. 
> > Thanks for your help, > > regards, > > raj

From wiskbroom at hotmail.com Thu May 11 18:55:34 2006 From: wiskbroom at hotmail.com (Vadim Pushkin) Date: Thu, 11 May 2006 18:55:34 +0000 Subject: [Fedora-directory-users] Are Docs Available For Download? In-Reply-To: <32944315.1077861147365351371.JavaMail.mj@sci.fi> Message-ID: Thank you Mike, that was what I needed! Vadim Anatoly Pushkin -- The Ukranian Stallion -- > >>Hello; >> >>I would like to know if the FDS docs are available for download? I have >>only seen the online doc. > > >They are here, and apply mostly to FDS, except for the features in FDS >which are newer than those in the last RHDS release: > >http://www.redhat.com/docs/manuals/dir-server/ > > >-- >mike

From ABliss at preferredcare.org Thu May 11 19:20:21 2006 From: ABliss at preferredcare.org (Bliss, Aaron) Date: Thu, 11 May 2006 15:20:21 -0400 Subject: [Fedora-directory-users] Question on server log monitoring Message-ID: I'm attempting to monitor fds logs for things such as password changes, and so forth; I'm assuming that the log file that I should be looking for is the access logfile under my slapd directory; does anyone know the operation number (op=?) that I should be looking for to check for successful password changes (assuming of course that fds is recording this information and that I'm looking in the proper logfile? Thanks very much. Aaron Confidentiality Notice: The information contained in this electronic message is intended for the exclusive use of the individual or entity named above and may contain privileged or confidential information.
If the reader of this message is not the intended recipient or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that dissemination, distribution or copying of this information is prohibited. If you have received this communication in error, please notify the sender immediately by telephone and destroy the copies you received. From mj at sci.fi Thu May 11 19:36:43 2006 From: mj at sci.fi (mj at sci.fi) Date: Thu, 11 May 2006 22:36:43 +0300 (EEST) Subject: [Fedora-directory-users] Question on server log monitoring Message-ID: <23692865.1092611147376203565.JavaMail.mj@sci.fi> > I'm attempting to monitor fds logs for things such as password changes, > and so forth; I'm assuming that the log file that I should be looking > for is the access logfile under my slapd directory; does anyone know the > operation number (op=?) that I should be looking for to check for > successful password changes (assuming of course that fds is recording > this information and that I'm looking in the proper logfile? FDS logs don't report attribute level modifications, at least not at reasonable log levels. What you want to do is a persistent search. -- mike From rmeggins at redhat.com Thu May 11 20:01:25 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Thu, 11 May 2006 14:01:25 -0600 Subject: [Fedora-directory-users] Question on server log monitoring In-Reply-To: References: Message-ID: <44639815.4030105@redhat.com> Bliss, Aaron wrote: > I'm attempting to monitor fds logs for things such as password changes, > and so forth; I'm assuming that the log file that I should be looking > for is the access logfile under my slapd directory; does anyone know the > operation number (op=?) that I should be looking for to check for > successful password changes (assuming of course that fds is recording > this information and that I'm looking in the proper logfile? Thanks > very much. > Regular logging doesn't record this level of detail. 
The access log records that a MOD operation occurred to a certain DN, but it doesn't tell you what attrs were modified. You can enable audit logging - this will log all writes to the file audit in the logs directory. If you want this information to be available via ldap, you could try enabling the Retro Changelog program, which will give you a suffix cn=changelog which will hold the changes. > Aaron

From rinconsystems at yahoo.com Fri May 12 00:18:01 2006 From: rinconsystems at yahoo.com (Scott Gilbert) Date: Thu, 11 May 2006 17:18:01 -0700 (PDT) Subject: [Fedora-directory-users] best practice for uid provisioning? Message-ID: <20060512001801.4150.qmail@web34104.mail.mud.yahoo.com> I inherited an ldap with odd design. It has a custom attribute as the rdn in the dn for all entries. The rdn is not the uid. People entries are provisioned automatically and users choose a uid after their entry has been created for login purposes. The custom attribute for the rdn serves as a unique identifier. The uid is also unique.
I found that getting products to work with this ldap is difficult because they expect the uid to be in the dn. Comments? Should I put the uid back in the dn? Seems like it would make my life a lot simpler. And what methods are best to create entries for users without a uid? Maybe assign a temp and have them change it? Or just assign them which is always the easiest. Thanks.

From rmeggins at redhat.com Fri May 12 00:29:47 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Thu, 11 May 2006 18:29:47 -0600 Subject: [Fedora-directory-users] best practice for uid provisioning? In-Reply-To: <20060512001801.4150.qmail@web34104.mail.mud.yahoo.com> References: <20060512001801.4150.qmail@web34104.mail.mud.yahoo.com> Message-ID: <4463D6FB.7020503@redhat.com> Scott Gilbert wrote: > I inherited an ldap with odd design. It has a custom > attribute as the rdn in the dn for all entries. The > rdn is not the uid. People entries are provisioned > automatically and users choose a uid after their entry > has been created for login purposes. The custom > attribute for the rdn serves as a unique identifier. > The uid is also unique. > > I found that getting products to work with this ldap > is difficult because they expect the uid to be in the > dn. Which products have problems? > Comments? Should I put the uid back in the dn? > Seems like it would make my life a lot simpler. > Sure. A simple modrdn when the uid is assigned. > And what methods are best to create entries for users > without a uid? Maybe assign a temp and have them > change it? Or just assign them which is always the > easiest. Thanks. > Either way, but the former sounds like more work.
From magobin at gmail.com Fri May 12 08:43:50 2006 From: magobin at gmail.com (Alex aka Magobin) Date: Fri, 12 May 2006 10:43:50 +0200 Subject: [Fedora-directory-users] How to extend schema for missing object! Message-ID: <1147423431.8251.7.camel@localhost.localdomain> Hi at all, I'm configuring Postfix with Fedora DS, but reading documentation, I need two objects in every ldap entry: MailMessageStore MailAlternateAddress I know some workaround but, for my skill and to avoid problems in future I would like to know how I can extend the schema or import these objects for all my entries!... thanks in advance Alex

From hagen at rz.uni-karlsruhe.de Fri May 12 12:34:59 2006 From: hagen at rz.uni-karlsruhe.de (Patrick von der Hagen) Date: Fri, 12 May 2006 14:34:59 +0200 Subject: [Fedora-directory-users] best practice for uid provisioning? In-Reply-To: <20060512001801.4150.qmail@web34104.mail.mud.yahoo.com> References: <20060512001801.4150.qmail@web34104.mail.mud.yahoo.com> Message-ID: <446480F3.5000602@rz.uni-karlsruhe.de> Scott Gilbert schrieb: [...] > I found that getting products to work with this ldap > is difficult because they expect the uid to be in the > dn. Comments? Should I put the uid back in the dn? I don't know of any decent LDAP-aware software that has such requirements. Can you give examples? -- CU, Patrick.
From rinconsystems at yahoo.com Fri May 12 18:53:51 2006 From: rinconsystems at yahoo.com (Scott) Date: Fri, 12 May 2006 11:53:51 -0700 (PDT) Subject: [Fedora-directory-users] best practice for uid provisioning? In-Reply-To: <446480F3.5000602@rz.uni-karlsruhe.de> Message-ID: <20060512185351.54617.qmail@web34112.mail.mud.yahoo.com> Keyword is "decent" :) It is an issue of authentication. The user submits uid, the entry is searched and the dn is retrieved for authn but the rdn doesn't match the uid. Some apps don't expect this. And it is an issue of a unique identifier for entries. Apps expect uid to be unique, expect it to be in the dn which is available anonymously. I have had programmers write code in various languages like .NET to authenticate to ldap and have issues. And code examples or scripts they use assume uid is in the dn. Sometimes it works but usually it breaks and I have to explain to them that the uid is not in the dn. Out of the box, products expect uid to be in the dn for authentication and unique identifier purposes. They will work but you have to modify them to use a different attribute as the rdn. Some network appliances that supposedly go against an ldap, fail, and are difficult to customize. And depending on the scope of the product, like the Sun Java Enterprise System, this issue can cause a rippling effect of customization. Their whole suite expects uid to be in the dn. IMHO using a custom attribute may be an issue compared to a standard attribute in that the app needs to know the custom schema. --- Patrick von der Hagen wrote: > Scott Gilbert schrieb: > [...] > > I found that getting products to work with this > ldap > > is difficult because they expect the uid to be in > the > > dn. Comments? Should I put the uid back in the dn? > I don't know of any decent LDAP-aware software that > has such > requirements. Can you give examples?
> -- > CU, > Patrick.

From ando at sys-net.it Fri May 12 19:22:05 2006 From: ando at sys-net.it (Pierangelo Masarati) Date: Fri, 12 May 2006 21:22:05 +0200 Subject: [Fedora-directory-users] best practice for uid provisioning? In-Reply-To: <20060512185351.54617.qmail@web34112.mail.mud.yahoo.com> References: <20060512185351.54617.qmail@web34112.mail.mud.yahoo.com> Message-ID: <1147461725.3373.21.camel@ando> On Fri, 2006-05-12 at 11:53 -0700, Scott wrote: > Keyword is "decent" :) It is an issue of > authentication. The user submits uid, the entry is > searched and the dn is retrieved for authn but the rdn > doesnt match the uid. Some apps dont expect this. And > it is an issue of a unique identifier for entries. > Apps expect uid to be unique, expect it to be in the > dn which is available anonymously. > > I have had programmers write code in various languages > like .NET to authenticate to ldap and have issues. And > code examples or scripts they use assume uid is in the > dn. Sometimes it works but usually it breaks and I > have to explain to them that the uid is not in the dn. > > Out of the box, products expect uid to be in the dn > for authentication and unique identifier purposes. > They will work but you have to modify them to use a > different attribute as the rdn. Some network > appliances that supposedly go against an ldap, fail, > and are difficult to customize. And depending on the > scope of the product, like the Sun Java Enterprise > System, this issue can cause a rippling effect of > customization. Their whole suite expects uid to be in > the dn.
> > IMHO using a custom attribute may be an issue compared > to a standard attribute in that the app needs to know > the custom schema. Custom attributes in the DN are actually discouraged by ; this is not a good reason to assume that knowledge from an entry can be safely inferred from the DN. I think those applications are just broken, and designing a DIT to take care of those broken clients does not put enough pressure on implementors and maintainers to fix them. The typical silly requirement for uid in the DN is to "speedup" authentication, so that the DN is built as "uid=" + uid + ",ou=People,dc=example,dc=com" or, even worse, the uid is extracted from the DN by a regex like "^uid=([^,]+),ou=People,dc=example,dc=com$" Note that in Section 5.1 highlights that a DN could inadvertently disclose sensitive information. For example, putting the uid in the DN of a publicly accessible DSA would allow anonymous to know the uid of all users if the uid is protected by ACLs but the DN is not. The uid is half of one's credentials. p. Ing. Pierangelo Masarati Responsabile Open Solution OpenLDAP Core Team SysNet s.n.c. Via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ------------------------------------------ Office: +39.02.23998309 Mobile: +39.333.4963172 Email: pierangelo.masarati at sys-net.it ------------------------------------------

From kmk_pk at yahoo.com Sat May 13 08:48:55 2006 From: kmk_pk at yahoo.com (Khalid Mehmood Khan) Date: Sat, 13 May 2006 01:48:55 -0700 (PDT) Subject: [Fedora-directory-users] MS Outlook sorting problems? Message-ID: <20060513084855.83603.qmail@web37001.mail.mud.yahoo.com> I've tried everything but failed to make MS outlook sort properly with FDS. I have added displayname attribute with each group and user entry but it still wouldn't work. Any help would be greatly appreciated. Thanks KMK
From blaqb0x at silenceisdefeat.org Sun May 14 01:37:01 2006 From: blaqb0x at silenceisdefeat.org (Jose Guevarra) Date: Sat, 13 May 2006 20:37:01 -0500 (CDT) Subject: [Fedora-directory-users] mounting openafs/nfs home dirs Message-ID: Hi, I just started using FDS. I've got my linux box authenticating to FDS but, when I login the user's home directory isn't there. I know that the home directories can be nfs(openafs?). How do you set this up? Can you mount openafs home directories? Any useful tuts/links would be appreciated. Thanks.

From prowley at redhat.com Sun May 14 04:46:30 2006 From: prowley at redhat.com (Pete Rowley) Date: Sat, 13 May 2006 21:46:30 -0700 Subject: [Fedora-directory-users] mounting openafs/nfs home dirs In-Reply-To: References: Message-ID: <4466B626.7@redhat.com> Jose Guevarra wrote: > Hi, > > I just started using FDS. I've got my linux box authenticating to FDS > but, when I login the user's home directory isn't there. I know that the > home directories can be nfs(openafs?). How do you set this up? Can you > mount openafs home directories? > > Any useful tuts/links would be appreciated. > > The directory server is not responsible for that stuff, though it might contain the needed information. Investigate pam_mount. -- Pete

From phil.lembo at gmail.com Sun May 14 14:59:15 2006 From: phil.lembo at gmail.com (Phil Lembo) Date: Sun, 14 May 2006 10:59:15 -0400 Subject: [Fedora-directory-users] best practice for uid Message-ID: Pierangelo has it exactly right. The place to fix this is at the application that's attempting to authenticate.
A few years ago, I had to push back on a certain vendor of portfolio/project management software and got their development team to admit they'd hardcoded their LDAP config to work with a certain fixed DIT scheme. My response to them was that they should be ashamed of themselves for such shoddy programming. Subsequent versions of the same software now do The Right Thing (TM) and allow you to define the user ID attribute to be used and then do a search on LDAP to pull back the dn of the corresponding entry before attempting to authenticate. As others have said on this thread, while you could use a custom attribute for the user ID, down the road you'll regret it because you're inevitably going to have integration problems with COTS applications you may need to integrate with. The scheme I've found most useful is to assign a unique identifier to each user. Something completely meaningless, like a lowercase letter followed by a bunch of digits (that pattern will work as an ID in most NOS or non directory systems like AD, NDS, Unix, NT SAM, etc). Just increment the numeric suffix as you assign each new ID. Using e-mail like aliases is generally a pain because it requires you to change the ID every time you have a name change. Same is true for IDs that are tied to a user's role (like using different letter prefixes for employees and temps). It's usually pretty easy to build a routine into your user provisioning software that will increment the ID value automatically. Any provisioning software that won't let you do this should get rejected out of hand (with a pointed memo to the vendor giving the reason for the rejection). Getting any enterprise, especially one where system administration is decentralized, to adopt a common ID scheme is almost always difficult and usually requires considerable effort on the 8th layer of the OSI model -- Politics. Phil Lembo
From ABliss at preferredcare.org Sun May 14 16:01:23 2006 From: ABliss at preferredcare.org (Bliss, Aaron) Date: Sun, 14 May 2006 12:01:23 -0400 Subject: [Fedora-directory-users] mounting openafs/nfs home dirs Message-ID: If your goal is just to have the box create home dirs for your users (default action of useradd), then put this in your /etc/pam.d/sshd and Login files: session required pam_mkhomedir.so skel=/etc/skel/ umask=0007 If you're using redhat es 4, you will also need that entry in system-auth as well. Don't forget to define where your users' home directory is for each user you have in fds (POSIX info tab). Aaron -----Original Message----- From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Pete Rowley Sent: Sunday, May 14, 2006 12:47 AM To: General discussion list for the Fedora Directory server project. Subject: Re: [Fedora-directory-users] mounting openafs/nfs home dirs Jose Guevarra wrote: > Hi, > > I just started using FDS. I've got my linux box authenticating to > FDS but, when I login the user's home directory isn't there. I know > that the home directories can be nfs(openafs?). How do you set this > up? Can you mount openafs home directories? > > Any useful tuts/links would be appreciated. > > The directory server is not responsible for that stuff, though it might contain the needed information. Investigate pam_mount. -- Pete
From yirgach at gmail.com Mon May 15 04:32:36 2006 From: yirgach at gmail.com (foo foo) Date: Sun, 14 May 2006 21:32:36 -0700 Subject: [Fedora-directory-users] fedora-ds-1.0.2-1 Server Group Administration Server Unable to Configure Message-ID: <188715d20605142132h3733fc4fn70dc0b924e491758@mail.gmail.com> Hi There, This is a new install on FC5 - nothing imported. The problem is that in the console, the Administration Server Icon is blank. There is no "Configuration Tab". Also, until I created a new instance of the Directory Server, that icon was blank also. It now appears in the console, but I am unable to open it. This is hard to describe, but basically I can't configure any of the server attributes from the console. A direct connection to the web page (ie firefox http://localhost:19939) allows browsing and editing. The java admin console appears to be somehow unusable. Any thoughts would be appreciated. BTW, when I startconsole and login: [Sun May 14 16:17:09 2006] [notice] Apache/2.2 configured -- resuming normal operations [Sun May 14 16:17:48 2006] [notice] [client 127.0.0.1] admserv_check_authz(): passing [/admin-serv/authenticate] to the userauth handler So that looks OK. Thanx, Chris

From rmeggins at redhat.com Mon May 15 13:40:50 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Mon, 15 May 2006 07:40:50 -0600 Subject: [Fedora-directory-users] fedora-ds-1.0.2-1 Server Group Administration Server Unable to Configure In-Reply-To: <188715d20605142132h3733fc4fn70dc0b924e491758@mail.gmail.com> References: <188715d20605142132h3733fc4fn70dc0b924e491758@mail.gmail.com> Message-ID: <446884E2.7090203@redhat.com> foo foo wrote: > Hi There, > > This is a new install on FC5 - nothing imported.
The problem is that > in the console, the Administration Server Icon is blank. There is no > "Configuration Tab". > Also, until I created a new instance of the Directory Server, that > icon was blank also. It now appears in the console, but I am unable to > open it. This is hard to describe, but basically I can't configure any > of the server attributes from the console. A direct connection to the > web page (ie firefox http://localhost:19939) allows browsing and > editing. The java admin console appears to be somehow unusable. Any > thoughts would be appreciated. > BTW, when I startconsole and login: > [Sun May 14 16:17:09 2006] [notice] Apache/2.2 configured -- resuming > normal operations > [Sun May 14 16:17:48 2006] [notice] [client 127.0.0.1 > ] admserv_check_authz(): passing > [/admin-serv/authenticate] to the userauth handler > > So that looks OK. The console is not really usable with the java that's included with FC5. You will need to download and install either the Sun or IBM JRE. See http://directory.fedora.redhat.com/wiki/Howto:JavaOnFedoraCore and http://directory.fedora.redhat.com/wiki/Install_Guide#Java_is_required_for_the_console for more information. > > Thanx, > > Chris
From yirgach at gmail.com Mon May 15 14:44:43 2006 From: yirgach at gmail.com (foo foo) Date: Mon, 15 May 2006 07:44:43 -0700 Subject: [Fedora-directory-users] fedora-ds-1.0.2-1 Server Group Administration Server Unable to Configure In-Reply-To: <446884E2.7090203@redhat.com> References: <188715d20605142132h3733fc4fn70dc0b924e491758@mail.gmail.com> <446884E2.7090203@redhat.com> Message-ID: <188715d20605150744i1ca5651ei5758aec3eec5770@mail.gmail.com> Thank you, the new java from Sun did the trick... I just edited startconsole and changed java to point at /usr/java/jdk1.5.0_06/bin/java Console works fine now.

From rinconsystems at yahoo.com Mon May 15 17:17:57 2006 From: rinconsystems at yahoo.com (Scott) Date: Mon, 15 May 2006 10:17:57 -0700 (PDT) Subject: [Fedora-directory-users] best practice for uid In-Reply-To: Message-ID: <20060515171757.14575.qmail@web34107.mail.mud.yahoo.com> Thanks Phil. From my experience it's a good idea to have a userid "and" a unique identifier for all entries in the ldap. We use a uuid, and that's our rdn. At some point in the netscape/iplanet/sun/aol directory server road to red hat, it began assigning a uuid as an operational attribute for internal purposes. Same thing really but since it's operational it's not easy to work with. Like you, I have had mixed results with COTS. Some work and some don't have any flexibility. Hopefully we can instill in vendors and their developers that we are going to have a unique identifier other than the uid and hey, what a surprise, it might be in the DN. --- Phil Lembo wrote: > Pierangelo has it exactly right. The place to fix > this is at the application > that's attempting to authenticate.
A few years ago, > I had to push back on a > certain vendor of portfolio/project management > software and got their > development team to admit they'd hardcoded their > LDAP config to work with a > certain fixed DIT scheme. My response to them was > that they should be > ashamed of themselves for such shoddy programming. > Subsequent versions of > the same software now do The Right Thing (TM) and > allow you to define the > user ID attribute to be used and then do a search on > LDAP to pull back the > dn of the corresponding entry before attempting to > authenticate. As others > have said on this thread, which you could use a > custom attribute for the > user ID, down the road you'll regret it because > you're inevitably going to > have integration problems with COTS applications you > may need to integrate > with. > > The scheme I've found most useful is to assign a > unique identifier to each > user. Something completely meaningless, like a > lowercase letter followed by > a bunch of digits (that pattern will work as an ID > in most NOS or non > directory systems like AD, NDS, Unix, NT SAM, etc). > Just increment the > numeric suffix as you assign each new ID. Using > e-mail like aliases is > generally a pain because it requires you to change > the ID every time you > have a name change. Same is true for IDs that are > tied to a user's role > (like using different letter prefixes for employees > and temps). It's usually > pretty easy to build a routine into your user > provisioning software that > will increment the ID value automatically. Any > provisioning software that > won't let you do this should get rejected out of > hand (with a pointed memo > to the vendor giving the reason for the rejection). > Getting any enterprise, > especially one where system administration is > decentralized, to adopt a > common ID scheme is almost always difficult and > usually requires > considerable effort on the 8th layer of the OSI > model -- Politics. 
> > Phil Lembo

From pengle at rice.edu Mon May 15 20:27:16 2006 From: pengle at rice.edu (Paul Engle) Date: Mon, 15 May 2006 15:27:16 -0500 Subject: [Fedora-directory-users] Trouble setting up pam passthru plugin Message-ID: <4CDAC9ABAE827E84782670F8@nueces.is.rice.edu> Hi all, I'm trying to set up our FDS 1.0.2 server to do the PAM passthrough authentication for simple binds so that we don't have to store passwords in the DS. I'm new to FDS, but not to LDAP or kerberos. Something is wonky, though, and I'm at a loss. I've compiled the pam-passthru-plugin.so library, and configured it according to the README doc for that plugin. The plugin is showing as loaded, and the response I'm getting back indicates that it is trying to do the check, so I don't think it's a config issue with the plugin. However, I'm getting conflicting log entries as to the success of the authentication. The slapd error logs are showing: [15/May/2006:14:22:49 -0500] pam_passthru-plugin - Expired PAM password for user id [pengle], bind DN [uid=pengle,ou=people,dc=rice,dc=edu]: reset required But, /var/log/messages is reporting: May 15 14:22:49 ldap1 ns-slapd: pam_krb5[1832]: authentication succeeds for 'pengle' (pengle at RICE.EDU) So, it looks like the kerberos auth is working, but whatever response the ldap server is getting isn't being interpreted as a success. I'm not a pam guru, so my /etc/pam.d/ldapserver is very basic: #%PAM-1.0 auth required /lib/security/$ISA/pam_krb5.so debug no_user_check In case it's an issue, this is a RHEL4 box.
And the command I'm testing with is /usr/bin/ldapsearch -x -W -H 'ldaps://ldap1.rice.edu:636' -D "uid=pengle,ou=People,dc=rice,dc=edu" -b "ou=People,dc=rice,dc=edu" '(uid=pengle)' Have I done something obviously wrong? If anyone has gotten this to work and can give me some pointers, I'd be very grateful. As far as I know, our kerberos repository doesn't do password aging, so I don't understand the error. Thanks for your time, -paul -- Paul D. Engle | Rice University Sr. Systems Administrator | Information Technology - MS119 (713) 348-4702 | P.O. Box 1892 pengle at rice.edu | Houston, TX 77251-1892

From kmk_pk at yahoo.com Tue May 16 05:49:33 2006 From: kmk_pk at yahoo.com (Khalid Mehmood Khan) Date: Mon, 15 May 2006 22:49:33 -0700 (PDT) Subject: [Fedora-directory-users] Still struggling with MS Outlook sorting issue Message-ID: <20060516054933.62313.qmail@web37011.mail.mud.yahoo.com> Anyone out there running this thing successfully with FDS? Is there any pre-requisite, some OID to make this shit work properly with FDS? I'm running nuts in here :(

From jo.de.troy at gmail.com Tue May 16 15:19:11 2006 From: jo.de.troy at gmail.com (Jo De Troy) Date: Tue, 16 May 2006 17:19:11 +0200 Subject: [Fedora-directory-users] Solaris9 client problems / questions Message-ID: Hello, I have setup a Solaris9 server as LDAP client to FedoraDS 1.0.2 on CentOS4.
(I have followed the Solaris client howto and the documentation on http://web.singnet.com.sg/~garyttt/ ) Every few minutes the proxyagent, that is used to connect from Solaris to the LDAP server, gets locked out. I have a global pwdpolicy that enables lockouts after 3 login failures. After this account gets locked out I cannot connect any more [ldaplist returns Object not found (Session error no available conn.) ] If I delete the accountunlocktime attribute of the proxyagent I'm back in business. Is there a way to stop the locking of this account? I've tried to set up a special pwdpolicy for the proxyagent, without success. Secondly, I don't see how I can get TLS working. In the Solaris client howto document it's written to start up netscape and connect to http://ldapserver:636 to somehow get the certificates for the Solaris client. I must be doing something wrong, since this just doesn't work. Is there another way of getting the required certificates on the Solaris client? I guess I only need the CA certificates on the Solaris client or not? Best Regards, Jo -------------- next part -------------- An HTML attachment was scrubbed...
URL:

From Gary_Tay at platts.com Tue May 16 16:52:13 2006 From: Gary_Tay at platts.com (Tay, Gary) Date: Wed, 17 May 2006 00:52:13 +0800 Subject: [Fedora-directory-users] Solaris9 client problems / questions Message-ID:
# cd config/schema
# grep -i passwordexpirationtime *
00core.ldif:attributeTypes: ( 2.16.840.1.113730.3.1.91 NAME 'passwordExpirationTime' DESC 'Sun ONE defined password policy attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE USAGE directoryOperation X-DS-USE 'internal' X-ORIGIN 'Sun ONE Directory Server' )
00core.ldif:objectClasses: ( 2.16.840.1.113730.3.2.12 NAME 'passwordObject' DESC 'Sun ONE defined password policy objectclass' SUP top AUXILIARY MAY ( passwordExpirationTime $ passwordExpWarned $ passwordRetryCount $ retryCountResetTime $ accountUnlockTime $ passwordHistory $ passwordAllowChangeTime ) X-DS-USE 'internal' X-ORIGIN 'Sun ONE Directory Server' )
#
I am not sure if FDS 1.0.2 provides the "passwordexpirationtime" attribute, just like SUN DS5.2, if so, please read: http://docs.sun.com/app/docs/doc/817-0962/6mgnp4m9s?a=view ... Configuring the Directory Server to Enable Password Management See the "User Account Management" chapter in the Sun ONE Directory Server 5.1 Administrator's Guide for how to use the Directory Server Console or ldapmodify to configure the password management policy for the LDAP directory. In order for pam_ldap to work properly, the password and account lockout policy must be properly configured on the server. Passwords for proxy users should never be allowed to expire. If proxy passwords expire, clients using the proxy credential level cannot retrieve naming service information from the server. To ensure that proxy users have passwords that do not expire, modify the proxy accounts with the following script.
# ldapmodify -h ldapserver -D administrator DN \
  -w administrator password <

From minfrin at sharp.fm Tue May 16 19:54:30 2006 From: minfrin at sharp.fm (Graham Leggett) Date: Tue, 16 May 2006 21:54:30 +0200 Subject: [Fedora-directory-users] Solaris 10 build - has anybody done it? Message-ID: <446A2DF6.5050804@sharp.fm> Hi all, I have just given a FDS v1.0.2 build another try under Solaris 10, and again I get build failures all over the show. The machine I have has both SUNWspro installed, and gcc installed. In this case, the build seems to arbitrarily build with cc, then gcc. Eventually the build breaks as below. I tried removing /usr/ccs/bin, the SUN compiler and /usr/ucb from the path, but the build then broke complaining that it could not find cc. Has anybody got FDS to build on Solaris 10?
gcc -shared -Wl,-soname -Wl,libldap50.so -o libldap50.so ./abandon.o ./add.o ./bind.o ./cache.o ./charray.o ./charset.o ./compare.o ./compat.o ./control.o ./countvalues.o ./delete.o ./disptmpl.o ./dsparse.o ./error.o ./extendop.o ./free.o ./freevalues.o ./friendly.o ./getattr.o ./getdn.o ./getdxbyname.o ./getentry.o ./getfilter.o ./getoption.o ./getvalues.o ./memcache.o ./message.o ./modify.o ./open.o ./os-ip.o ./proxyauthctrl.o ./psearch.o ./referral.o ./regex.o ./rename.o ./request.o ./reslist.o ./result.o ./saslbind.o ./sbind.o ./search.o ./setoption.o ./sort.o ./sortctrl.o ./srchpref.o ./tmplout.o ./ufn.o ./unbind.o ./unescape.o ./url.o ./utf8.o ./vlistctrl.o -L../../../../../dist/lib -llber50
ld: warning: option -o appears more than once, first setting taken
ld: fatal: file libldap50.so: unknown file type
ld: fatal: File processing errors. No output written to libldap50.so
collect2: ld returned 1 exit status
Regards, Graham -- -------------- next part -------------- A non-text attachment was scrubbed...
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3220 bytes Desc: S/MIME Cryptographic Signature URL: From mj at sci.fi Tue May 16 20:02:52 2006 From: mj at sci.fi (mj at sci.fi) Date: Tue, 16 May 2006 23:02:52 +0300 (EEST) Subject: [Fedora-directory-users] Solaris 10 build - has anybody done it? Message-ID: <28877951.78591147809772167.JavaMail.mj@sci.fi> As far as Solaris goes, FDS 7.1 runs just fine; I have deployed it recently. Solaris builds probably aren't working until autoconf support is added. -- mike From rcritten at redhat.com Tue May 16 20:08:42 2006 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 16 May 2006 16:08:42 -0400 Subject: [Fedora-directory-users] Solaris 10 build - has anybody done it? In-Reply-To: <446A2DF6.5050804@sharp.fm> References: <446A2DF6.5050804@sharp.fm> Message-ID: <446A314A.4090703@redhat.com> Graham Leggett wrote: > Hi all, > > I have just given a FDS v1.0.2 build another try under Solaris 10, and > again I get build failures all over the show. > > The machine I have has both SUNWspro installed, and gcc installed. > > In this case, the build seems to arbitrarily build with cc, then gcc. > Eventually the build breaks as below. > > I tried removing /usr/ccs/bin, the SUN compiler and /usr/ucb from the > path, but the build then broke complaining that it could not find cc. > > Has anybody got FDS to build on Solaris 10? 
> > gcc -shared -Wl,-soname -Wl,libldap50.so -o libldap50.so ./abandon.o > ./add.o ./bind.o ./cache.o ./charray.o ./charset.o ./compare.o > ./compat.o ./control.o ./countvalues.o ./delete.o ./disptmpl.o > ./dsparse.o ./error.o ./extendop.o ./free.o ./freevalues.o ./friendly.o > ./getattr.o ./getdn.o ./getdxbyname.o ./getentry.o ./getfilter.o > ./getoption.o ./getvalues.o ./memcache.o ./message.o ./modify.o ./open.o > ./os-ip.o ./proxyauthctrl.o ./psearch.o ./referral.o ./regex.o > ./rename.o ./request.o ./reslist.o ./result.o ./saslbind.o ./sbind.o > ./search.o ./setoption.o ./sort.o ./sortctrl.o ./srchpref.o ./tmplout.o > ./ufn.o ./unbind.o ./unescape.o ./url.o ./utf8.o ./vlistctrl.o > -L../../../../../dist/lib -llber50ld: warning: option -o appears more > than once, first setting taken > ld: fatal: file libldap50.so: unknown file type > ld: fatal: File processing errors. No output written to libldap50.so > collect2: ld returned 1 exit status Is this x86 or sparc? Are you using dsbuild or building by hand? dsbuild currently assumes one is building on Linux. To set the compiler you have to pass in some extra variables (NS_USE_GCC=1) to gmake for some of the components. There may be other gotchas as well. It builds fine on Solaris 9 sparc so it is probably just a matter of getting the build arguments correct. I tried to build it on Solaris 10 x86 last summer but ran into trouble and out of time and never got back to it. IIRC there are a bunch of x86 Solaris make targets in FDS that haven't been updated in eons and are currently broken. They are leftovers from when we supported a gazillion platforms. There are references to AIX, OSF and others as well. rob -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL:

From logastellus at yahoo.com Tue May 16 20:31:52 2006 From: logastellus at yahoo.com (Susan) Date: Tue, 16 May 2006 13:31:52 -0700 (PDT) Subject: [Fedora-directory-users] Still struggling with MS Outlook sorting issue In-Reply-To: <20060516054933.62313.qmail@web37011.mail.mud.yahoo.com> Message-ID: <20060516203152.55584.qmail@web52902.mail.yahoo.com> --- Khalid Mehmood Khan wrote: > Anyone out there running this thing successfully with FDS? Is there any pre-requisite, some > OID to make this shit work properly with FDS? I'm running nuts in here :( > hehe.. that's a pretty funny post. Sorry. Anyway, what are you trying to do exactly? Retrieve the address book from FDS or what? __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com

From logastellus at yahoo.com Tue May 16 20:37:22 2006 From: logastellus at yahoo.com (Susan) Date: Tue, 16 May 2006 13:37:22 -0700 (PDT) Subject: [Fedora-directory-users] Solaris9 client problems / questions In-Reply-To: Message-ID: <20060516203722.63863.qmail@web52915.mail.yahoo.com> --- Jo De Troy wrote: > Secondly I don't see how I can get TLS working, in the Solaris client howto > document it's written to start up netscape and connect to > http://ldapserver:636 to somehow get the certificates for the Solaris client. > I must be doing something wrong, since this just doesn't work. Is there > another way of getting the required certificates on the Solaris client? I > guess I only need the CA certificates on the Solaris client or not? > Yep. Somebody posted this procedure (I'm sorry, I forgot the gentleman's name) but the following worked for me. Solaris 10 client config
* Download the nspr, and nss packages for Solaris 9 here (http://sourceforge.net/project/showfiles.php?group_id=19386) and install them.
* Get Sun ONE Resource Kit here: http://www.sun.com/download/products.xml?id=3f74a0db and install it.
* Next run this command to set up your certificate database:
# LD_LIBRARY_PATH=/usr/lib:/usr/local/lib ; export LD_LIBRARY_PATH
# /opt/sunone/lib/nss/bin/certutil -N -d /var/ldap
* Add hosts entry to /etc/hosts for Ldap server, matching the certificate name
* Get CA cert from directory using these commands:
[root at corporate-ds alias]# pwd
/opt/fedora-ds/alias
[root at corporate-ds alias]# ../shared/bin/certutil -L -d . -n "CA certificate" -r > /root/cert.der
* Copy it to the Solaris server, and import it with this:
/opt/sunone/lib/nss/bin/certutil -A -n "CA certificate" -i /export/home/mmont/cert.der -t "CTu,u,u" -d /var/ldap/
* Run this command to set ldap client settings on the machine:
ldapclient -v manual -a authenticationMethod=tls:simple -a credentialLevel=proxy -a defaultSearchBase="dc=cors,dc=cy,dc=com" \
 -a domainName=cors.cy.com -a followReferrals=false \
 -a serviceSearchDescriptor="netgroup: ou=netgroup,dc=cors,dc=cy,dc=com" \
 -a preferredServerList=119.15.70.17 -a serviceAuthenticationMethod=pam_ldap:tls:simple \
 -a proxyPassword=password -a proxyDn=cn=proxyagent,ou=profile,dc=cors,dc=cy,dc=com
* Restart ldap.client:
# /etc/init.d/ldap.client stop ; sleep 2 ; /etc/init.d/ldap.client start
That should do it. Test settings with id, getent, or ldaplist: (You must be root, or sudo to use ldaplist) __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com

From strong.s at crwash.org Tue May 16 19:49:52 2006 From: strong.s at crwash.org (Steve Strong) Date: Tue, 16 May 2006 14:49:52 -0500 Subject: [Fedora-directory-users] migration linux users, groups, hosts to fedora directory Message-ID: <446A2CE0.9000702@crwash.org> I'm having trouble migrating users to fedora directory. I've used LdapImport and the users don't show up in the directory.
I've tried the migration scripts for RedHat directory 7.1 and they abort with a file not found error. I've tried adding a user to the directory from the console and entering their home directory, UID and GID and they can't authenticate from a client. Is there a clear description of how to do this somewhere? steve -- Steve Strong Math and Computer Science Washington High School 2205 Forest Dr. SE Cedar Rapids, IA 52403 http://crwash.org mailto:strong.s at crwash.org

From magobin at gmail.com Wed May 17 08:43:09 2006 From: magobin at gmail.com (Alex aka Magobin) Date: Wed, 17 May 2006 10:43:09 +0200 Subject: [Fedora-directory-users] Unknown attribute syntax OID... Message-ID: <1147855389.8208.23.camel@localhost.localdomain> Hi all, I'm trying to import qmail.schema in Fedora DS, but during importation it says:
[17/May/2006:10:09:53 +0000] dse - The entry cn=schema in file /opt/fedora-ds/slapd-nodo1/config/schema/55ns-qmail.ldif is invalid, errorcode 21 (Invalid syntax) - attribute type qmailUID: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.36"
[17/May/2006:10:09:53 +0000] dse - Please edit the file to correct the reported problems and then restart the server.
I used ol-schema-migrate.pl to convert qmail.schema for fedoraDS according to the www.qmail-ldap.org wiki page. Thanks in advance!
Alex Below my 55ns-qmail.ldif: [root at nodo1 ~] #./ol-schema-migrate.pl -b /opt/fedora-ds/slapd-nodo1/config/schema/55ns-qmail.ldif # ################################################################################ # dn: cn=schema # ################################################################################ # attributeTypes: ( 1.3.6.1.4.1.7914.1.2.1.1 NAME 'qmailUID' DESC 'UID of the user on the mailsystem' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 SINGLE-VALUE ) # ################################################################################ # attributeTypes: ( 1.3.6.1.4.1.7914.1.2.1.2 NAME 'qmailGID' DESC 'GID of the user on the mailsystem' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 SINGLE-VALUE ) # ################################################################################ # attributeTypes: ( 1.3.6.1.4.1.7914.1.2.1.3 NAME 'mailMessageStore' DESC 'Path to the maildir/mbox on the mail system' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) # ################################################################################ # attributeTypes: ( 1.3.6.1.4.1.7914.1.2.1.4 NAME 'mailAlternateAddress' DESC 'Secondary (alias) mailaddresses for the same user' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) # ################################################################################ # attributeTypes: ( 1.3.6.1.4.1.7914.1.2.1.5 NAME 'mailQuota' DESC 'The amount of space the user can use until all further messages get bounced.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 SINGLE-VALUE ) # ################################################################################ # attributeTypes: ( 1.3.6.1.4.1.7914.1.2.1.6 NAME 'mailHost' DESC 'On which qmail server the messagestore of this user is located.' 
EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 SINGLE-VALUE ) # ################################################################################ # attributeTypes: ( 1.3.6.1.4.1.7914.1.2.1.7 NAME 'mailForwardingAddress' DESC 'Address(es) to forward all incoming messages to.' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) # ################################################################################ # attributeTypes: ( 1.3.6.1.4.1.7914.1.2.1.8 NAME 'deliveryProgramPath' DESC 'Program to execute for all incoming mails.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) # ################################################################################ # attributeTypes: ( 1.3.6.1.4.1.7914.1.2.1.9 NAME 'qmailDotMode' DESC 'Interpretation of .qmail files: both, dotonly, ldaponly, ldapwithprog, none' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 SINGLE-VALUE ) # ################################################################################ # attributeTypes: ( 1.3.6.1.4.1.7914.1.2.1.10 NAME 'deliveryMode' DESC 'multi field entries of: normal, forwardonly, nombox, localdelivery, reply, echo' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 ) # ################################################################################ # attributeTypes: ( 1.3.6.1.4.1.7914.1.2.1.11 NAME 'mailReplyText' DESC 'A reply text for every incoming message' SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{4096} SINGLE-VALUE ) # ################################################################################ # attributeTypes: ( 1.3.6.1.4.1.7914.1.2.1.12 NAME 'accountStatus' DESC 'The status of a user account: active, nopop, disabled' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 SINGLE-VALUE ) # ################################################################################ # objectClasses: ( 1.3.6.1.4.1.7914.1.2.2.1 NAME 'qmailUser' DESC 'QMail-LDAP User' SUP top AUXILIARY MUST 
( mail $ uid ) MAY ( mailMessageStore $ homeDirectory $ userPassword $ mailAlternateAddress $ qmailUID $ qmailGID $ mailQuota $ mailHost $ mailForwardingAddress $ deliveryProgramPath $ qmailDotMode $ deliveryMode $ mailReplyText $ accountStatus ) ) # ################################################################################ # From del at babel.com.au Wed May 17 10:30:33 2006 From: del at babel.com.au (Del) Date: Wed, 17 May 2006 20:30:33 +1000 Subject: [Fedora-directory-users] migration linux users, groups, hosts to fedora directory In-Reply-To: <446A2CE0.9000702@crwash.org> References: <446A2CE0.9000702@crwash.org> Message-ID: <446AFB49.30008@babel.com.au> Steve Strong wrote: > I'm having trouble migrating users to fedora directory. > > I've used LdapImport and the users don't show up in the directory. Have a look in the LdapImport.log file and you'll find the reason. The log file is fairly extensive. -- Del From jo.de.troy at gmail.com Wed May 17 11:46:23 2006 From: jo.de.troy at gmail.com (Jo De Troy) Date: Wed, 17 May 2006 13:46:23 +0200 Subject: [Fedora-directory-users] Solaris9 client problems / questions Message-ID: Hello, in the wiki it's written to use http://ldapserver:636 to get the certificates, it should be https://ldapserver:636 I managed to get the certificate on an old Solaris box using netscape. Wrt the locking of the proxy DN used by the Solaris client, I already had added an entry for the passwordexpirationtime. I have the impression that it's not expiration that's the problem but it's locking, due to failed logins. So I'm not sure that setting the passwordexpiration attribute of the proxyDN to 20380119031407Z will solve the problem. But of course I will try. Do I actually need a proxyDN or can I setup a solaris LDAP client without it? Best Regards, Jo -------------- next part -------------- An HTML attachment was scrubbed... 
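Alex's import failure above (the server refusing to start because qmailUID uses syntax OID 1.3.6.1.4.1.1466.115.121.1.36, which FDS 1.0.2 does not know) is the kind of thing worth catching before a restart rather than after. What follows is an added example, not code from Fedora DS or from the qmail-ldap project: a Python pre-import check that unfolds an LDIF schema file, lists the SYNTAX OID of every attributeTypes definition, and flags any OID that is not in an allow-list. The allow-list is an assumption built from what this thread shows being accepted and rejected, and the sample schema fragment is constructed from three of the definitions in Alex's 55ns-qmail.ldif; the authoritative list of syntaxes a server accepts has to come from its own 00core.ldif and documentation.

```python
import re

# Well-known LDAP syntax OIDs from RFC 4517, used only to label the output.
SYNTAX_NAMES = {
    "1.3.6.1.4.1.1466.115.121.1.15": "Directory String",
    "1.3.6.1.4.1.1466.115.121.1.24": "Generalized Time",
    "1.3.6.1.4.1.1466.115.121.1.26": "IA5 String",
    "1.3.6.1.4.1.1466.115.121.1.27": "INTEGER",
    "1.3.6.1.4.1.1466.115.121.1.36": "Numeric String",
    "1.3.6.1.4.1.1466.115.121.1.44": "Printable String",
}

# ASSUMED allow-list for this example: in the thread FDS 1.0.2 accepted .15,
# .26 and .44 from the same file and rejected .36, and its own 00core.ldif
# uses .24 (passwordExpirationTime). Replace with the set your server documents.
ASSUMED_SUPPORTED = {
    "1.3.6.1.4.1.1466.115.121.1.15",
    "1.3.6.1.4.1.1466.115.121.1.24",
    "1.3.6.1.4.1.1466.115.121.1.26",
    "1.3.6.1.4.1.1466.115.121.1.44",
}

# One unfolded attributeTypes definition: OID, NAME, and the SYNTAX OID with
# an optional {length} suffix as in 1.44{4096}.
ATTR_RE = re.compile(
    r"^attributeTypes:\s*\(\s*(?P<oid>[\d.]+)\s+NAME\s+'(?P<name>[^']+)'"
    r".*?\bSYNTAX\s+(?P<syntax>[\d.]+)(?:\{(?P<maxlen>\d+)\})?",
    re.IGNORECASE,
)


def unfold_ldif(text):
    """Return logical LDIF lines: a continuation line (leading space) is
    appended to the previous line with that one space removed; comment and
    blank lines are dropped."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def check_schema(ldif_text, supported=ASSUMED_SUPPORTED):
    """Parse every attributeTypes definition. Returns (report, problems):
    report describes each definition and its syntax; problems is the subset
    whose syntax OID is not in `supported`."""
    report, problems = [], []
    for line in unfold_ldif(ldif_text):
        m = ATTR_RE.match(line)
        if not m:
            continue
        syntax = m.group("syntax")
        entry = {
            "name": m.group("name"),
            "oid": m.group("oid"),
            "syntax": syntax,
            "syntax_name": SYNTAX_NAMES.get(syntax, "unknown"),
            "maxlen": int(m.group("maxlen")) if m.group("maxlen") else None,
            "supported": syntax in supported,
        }
        report.append(entry)
        if not entry["supported"]:
            problems.append(entry)
    return report, problems


# Constructed sample: three definitions in the shape of Alex's 55ns-qmail.ldif,
# folded across lines the way LDIF permits.
SAMPLE_SCHEMA = """\
dn: cn=schema
attributeTypes: ( 1.3.6.1.4.1.7914.1.2.1.1 NAME 'qmailUID'
  DESC 'UID of the user on the mailsystem' EQUALITY integerMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7914.1.2.1.3 NAME 'mailMessageStore'
  DESC 'Path to the maildir/mbox on the mail system'
  EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7914.1.2.1.11 NAME 'mailReplyText'
  DESC 'A reply text for every incoming message'
  SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{4096} SINGLE-VALUE )
"""

if __name__ == "__main__":
    report, problems = check_schema(SAMPLE_SCHEMA)
    for e in report:
        flag = "ok " if e["supported"] else "BAD"
        print(f"{flag} {e['name']:<18} {e['syntax']} ({e['syntax_name']})")
    raise SystemExit(1 if problems else 0)
```

Run it against the real file before copying it into config/schema; a non-zero exit means at least one definition would make dse refuse the schema at startup, and the report says which syntax each attribute asks for so the migration script's choice can be revisited for that attribute.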
URL:

From jo.de.troy at gmail.com Wed May 17 12:45:44 2006 From: jo.de.troy at gmail.com (Jo De Troy) Date: Wed, 17 May 2006 14:45:44 +0200 Subject: [Fedora-directory-users] Solaris9 client problems / questions Message-ID: Hello all, I disabled the account lockout mechanism on a global level (basedn level) and now I don't seem to get the ldaplist: Object not found (Session error no available conn.) after a while. Is this a bug in the password policy implementation or is this a problem of the native Solaris client? I didn't even try to have the Solaris client use an SSL profile yet. I didn't even try to modify pam.conf yet. Best Regards, Jo -------------- next part -------------- An HTML attachment was scrubbed... URL:

From mikael.kermorgant at gmail.com Wed May 17 16:12:25 2006 From: mikael.kermorgant at gmail.com (Mikael Kermorgant) Date: Wed, 17 May 2006 18:12:25 +0200 Subject: [Fedora-directory-users] force password change from web apps Message-ID: <9711147e0605170912x75f162dcpd4138f217c573206@mail.gmail.com> Hello, I'm testing FDS as authentication backend for some apps like squirrelmail, plone, ... I'd like to use "Password Change after Reset" for newly created users but they should be able to modify this password via squirrelmail or plone. Is it possible to use the "passwordgracelimit" in order to let them connect for the first time? What parameter could I use from these apps to know I have to force the logged user to change his password? Is it passwordexpirationtime? Thanks in advance, -- Mikael Kermorgant

From rob at rsee.net Wed May 17 20:13:50 2006 From: rob at rsee.net (Rob See) Date: Wed, 17 May 2006 16:13:50 -0400 Subject: [Fedora-directory-users] SASL Mappings Message-ID: <446B83FE.9070808@rsee.net> Hi, I'm working on getting SASL up and running with FDS 1.0.2 and have run into some problems. It seems that the SASL Mappings are being completely ignored.
Here is my setup: Kerberos domain of SUB.BLAH.EDU Ldap entry for uid=rob,ou=People,dc=sub,dc=blah,dc=edu This is the map entry (the only map entry that I have): # map1, mapping, sasl, config dn: cn=map1,cn=mapping,cn=sasl,cn=config objectClass: top objectClass: nsSaslMapping cn: map1 nsSaslMapRegexString: (.*)/admin at .* nsSaslMapBaseDNTemplate: uid=\1,ou=People,dc=sub,dc=blah,dc=edu nsSaslMapFilterTemplate: (objectclass=*) I've restarted the service which doesn't seem to fix it. When I kinit with rob/admin, running ldapsearch -Y GSSAPI gets the following error: SASL/GSSAPI authentication started ldap_sasl_interactive_bind_s: Invalid credentials (49) additional info: SASL(-14): authorization failure: when I kinit with rob, it works without a problem Does anyone have any suggestions, or have I run into a bug of some sort ? Also is there any way to turn up the log level to get more info ? Thanks, -Rob From strong.s at crwash.org Wed May 17 20:38:00 2006 From: strong.s at crwash.org (Steve Strong) Date: Wed, 17 May 2006 15:38:00 -0500 Subject: [Fedora-directory-users] migration linux users, groups, hosts to fedora directory In-Reply-To: <446AFB49.30008@babel.com.au> References: <446A2CE0.9000702@crwash.org> <446AFB49.30008@babel.com.au> Message-ID: <446B89A8.2080003@crwash.org> good suggestions, but i'm still having trouble: the logs reported errors adding users because of "no such object" so, i removed fedora directory and re-installed it, ran the setup script and then tried using LdapImport.pl to migrate the users. All of the users, including all of their information was added (linux uid, gid and md5 hashed password, etc.), but they are in the UserPreferences ou in NetscapeRoot (that's the default) and all of the groups got added to the TopologyManagement ou in NetscapeRoot. The Groups and People ou's in my ou are empty and I can't search Users and Groups to find any of them and I can't use LDAP to authenticate at a client. 
steve Del wrote: > Steve Strong wrote: >> I'm having trouble migrating users to fedora directory. >> >> I've used LdapImport and the users don't show up in the directory. > > Have a look in the LdapImport.log file and you'll find the reason. > The log file is fairly extensive. > -- Steve Strong Math and Computer Science Washington High School 2205 Forest Dr. SE Cedar Rapids, IA 52403 http://crwash.org mailto:strong.s at crwash.org From mj at sci.fi Wed May 17 20:43:41 2006 From: mj at sci.fi (mj at sci.fi) Date: Wed, 17 May 2006 23:43:41 +0300 (EEST) Subject: [Fedora-directory-users] migration linux users, groups, hosts to fedora directory Message-ID: <8959406.162101147898621481.JavaMail.mj@sci.fi> > good suggestions, but i'm still having trouble: > > the logs reported errors adding users because of "no such object" > > so, i removed fedora directory and re-installed it, ran the setup script > and then tried using LdapImport.pl to migrate the users. All of the > users, including all of their information was added (linux uid, gid and > md5 hashed password, etc.), but they are in the UserPreferences ou in > NetscapeRoot The netscapeRoot database is for server internal data, not for end-user data. You want to have all end-user data in the userRoot database. -- mike From rmeggins at redhat.com Wed May 17 20:51:52 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Wed, 17 May 2006 14:51:52 -0600 Subject: [Fedora-directory-users] SASL Mappings In-Reply-To: <446B83FE.9070808@rsee.net> References: <446B83FE.9070808@rsee.net> Message-ID: <446B8CE8.4030801@redhat.com> Rob See wrote: > Hi, > > I'm working on getting SASL up and running with FDS 1.0.2 and have > run into some problems. It seems that the SASL Mappings are being > completely ignored. 
> > Here is my setup: > > Kerberos domain of SUB.BLAH.EDU > Ldap entry for uid=rob,ou=People,dc=sub,dc=blah,dc=edu > > This is the map entry (the only map entry that I have): > > # map1, mapping, sasl, config > dn: cn=map1,cn=mapping,cn=sasl,cn=config > objectClass: top > objectClass: nsSaslMapping > cn: map1 > nsSaslMapRegexString: (.*)/admin at .* > nsSaslMapBaseDNTemplate: uid=\1,ou=People,dc=sub,dc=blah,dc=edu > nsSaslMapFilterTemplate: (objectclass=*) > > I've restarted the service which doesn't seem to fix it. > > When I kinit with rob/admin, running ldapsearch -Y GSSAPI gets the > following error: > SASL/GSSAPI authentication started > ldap_sasl_interactive_bind_s: Invalid credentials (49) > additional info: SASL(-14): authorization failure: > > when I kinit with rob, it works without a problem > > Does anyone have any suggestions, or have I run into a bug of some sort ? Does this help? - http://directory.fedora.redhat.com/wiki/Howto:Kerberos > > Also is there any way to turn up the log level to get more info ? Sure. You can use the TRACE level in the error log. > > Thanks, > -Rob > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From strong.s at crwash.org Wed May 17 23:11:00 2006 From: strong.s at crwash.org (Steve Strong) Date: Wed, 17 May 2006 18:11:00 -0500 Subject: [Fedora-directory-users] migration linux users, groups, hosts to fedora directory In-Reply-To: <8959406.162101147898621481.JavaMail.mj@sci.fi> References: <8959406.162101147898621481.JavaMail.mj@sci.fi> Message-ID: <446BAD84.1090102@crwash.org> that makes sense, but I've tried to do that and haven't been successful. 
When the script asks me for the DN to store the users it suggests: ou=UserPreferences,ou=myserver,o=NetscapeRoot what should I enter instead? steve mj at sci.fi wrote: >> good suggestions, but i'm still having trouble: >> >> the logs reported errors adding users because of "no such object" >> >> so, i removed fedora directory and re-installed it, ran the setup >> script and then tried using LdapImport.pl to migrate the users. All >> of the users, including all of their information was added (linux uid, >> gid and md5 hashed password, etc.), but they are in the >> UserPreferences ou in NetscapeRoot > > The netscapeRoot database is for server internal data, not for end-user > data. You want to have all end-user data in the userRoot database. > > -- > mike > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > -- Steve Strong Math and Computer Science Teacher Washington High School 2205 Forest Dr. SE Cedar Rapids, IA 52403 http://crwash.org From rmeggins at redhat.com Wed May 17 23:14:59 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Wed, 17 May 2006 17:14:59 -0600 Subject: [Fedora-directory-users] migration linux users, groups, hosts to fedora directory In-Reply-To: <446BAD84.1090102@crwash.org> References: <8959406.162101147898621481.JavaMail.mj@sci.fi> <446BAD84.1090102@crwash.org> Message-ID: <446BAE73.5010401@redhat.com> Steve Strong wrote: > that makes sense, but I've tried to do that and haven't been > successful. When the script asks me for the DN to store the users it > suggests: > ou=UserPreferences,ou=myserver,o=NetscapeRoot > > what should I enter instead? Whatever your base suffix is e.g. 
ou=People,dc=crwash, dc=org > steve > > mj at sci.fi wrote: >>> good suggestions, but i'm still having trouble: >>> >>> the logs reported errors adding users because of "no such object" >>> >>> so, i removed fedora directory and re-installed it, ran the setup >>> script and then tried using LdapImport.pl to migrate the users. All >>> of the users, including all of their information was added (linux >>> uid, gid and md5 hashed password, etc.), but they are in the >>> UserPreferences ou in NetscapeRoot >> >> The netscapeRoot database is for server internal data, not for >> end-user data. You want to have all end-user data in the userRoot >> database. >> >> -- >> mike >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> >> > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From rob at rsee.net Thu May 18 00:37:04 2006 From: rob at rsee.net (Rob See) Date: Wed, 17 May 2006 20:37:04 -0400 Subject: [Fedora-directory-users] SASL Mappings In-Reply-To: <446B8CE8.4030801@redhat.com> References: <446B83FE.9070808@rsee.net> <446B8CE8.4030801@redhat.com> Message-ID: <446BC1B0.10409@rsee.net> In case someone ends up with the same problem in the future, it appears that in the regex string you must escape the ( and ) with \, and the realm should be excluded from the regex if both the server and client are using the same realm... example: make the regex \(.*\)/admin not \(.*\)/admin at .* -Rob Richard Megginson wrote: > Rob See wrote: >> Hi, >> >> I'm working on getting SASL up and running with FDS 1.0.2 and have >> run into some problems. It seems that the SASL Mappings are being >> completely ignored. 
>> >> Here is my setup: >> >> Kerberos domain of SUB.BLAH.EDU >> Ldap entry for uid=rob,ou=People,dc=sub,dc=blah,dc=edu >> >> This is the map entry (the only map entry that I have): >> >> # map1, mapping, sasl, config >> dn: cn=map1,cn=mapping,cn=sasl,cn=config >> objectClass: top >> objectClass: nsSaslMapping >> cn: map1 >> nsSaslMapRegexString: (.*)/admin at .* >> nsSaslMapBaseDNTemplate: uid=\1,ou=People,dc=sub,dc=blah,dc=edu >> nsSaslMapFilterTemplate: (objectclass=*) >> >> I've restarted the service which doesn't seem to fix it. >> >> When I kinit with rob/admin, running ldapsearch -Y GSSAPI gets the >> following error: >> SASL/GSSAPI authentication started >> ldap_sasl_interactive_bind_s: Invalid credentials (49) >> additional info: SASL(-14): authorization failure: >> >> when I kinit with rob, it works without a problem >> >> Does anyone have any suggestions, or have I run into a bug of some >> sort ? > Does this help? - http://directory.fedora.redhat.com/wiki/Howto:Kerberos >> >> Also is there any way to turn up the log level to get more info ? > Sure. You can use the TRACE level in the error log. >> >> Thanks, >> -Rob >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > !DSPAM:446b8cb0247181471131949! > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > !DSPAM:446b8cb0247181471131949! > From jo.de.troy at gmail.com Thu May 18 10:15:05 2006 From: jo.de.troy at gmail.com (Jo De Troy) Date: Thu, 18 May 2006 12:15:05 +0200 Subject: [Fedora-directory-users] account lockout and proxy DN Solaris Message-ID: Hello all, apparently when I enable the account lockout feature of password policy in FedoraDS the proxyagent gets locked out. 
When I disable the account lockout feature everything works fine (ldaplist keeps working fine).
Is this a bug in FedoraDS or is it one in the native LDAP client of Solaris9?
When account lockouts are enabled, after a while the proxy DN entry is updated by cn=servers,cn=plugins,cn=config and the accountunlocktime, passwordretrycount and retrycountresetime are added. Once passwordretrycount gets to the value specified in the config of the passwordpolicy the ldaplist command fails to connect.

Best Regards,
Jo

From rmeggins at redhat.com Thu May 18 13:11:28 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 18 May 2006 07:11:28 -0600
Subject: [Fedora-directory-users] account lockout and proxy DN Solaris
In-Reply-To:
References:
Message-ID: <446C7280.5050007@redhat.com>

Jo De Troy wrote:
> Hello all,
>
> apparently when I enable the account lockout feature of password policy in FedoraDS the proxyagent gets locked out.
> When I disable the account lockout feature everything works fine (ldaplist keeps working fine).
> Is this a bug in FedoraDS or is it one in the native LDAP client of Solaris9?
> When account lockouts are enabled, after a while the proxy DN entry is updated by cn=servers,cn=plugins,cn=config and the accountunlocktime, passwordretrycount and retrycountresetime are added. Once passwordretrycount gets to the value specified in the config of the passwordpolicy the ldaplist command fails to connect.
Why is the proxy user using the wrong password over and over again?
>
> Best Regards,
> Jo
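The SASL mapping entries in Rob See's "SASL Mappings" post above can be simulated offline, which makes it easy to see why his original regex never matched and what a mapping regex should and should not allow through. The following is an added example, not code from the thread or from Fedora DS. Assumptions: the mapping semantics (first mapping whose regex matches the whole SASL identity wins; \1 in the templates is replaced by the first capture group) follow the attribute names in Rob's entry; the regexes are written in Python `re` syntax (bare parentheses group), while Rob reports the server itself wanted \( and \); the identity the server compares is "rob/admin" with the realm already stripped, which is what Rob's finding implies; and the STRICT mapping is an added hardening suggestion, not anything from the thread.

```python
"""Simulate Fedora DS SASL identity mapping (cn=mapping,cn=sasl,cn=config).

Added example for the SASL Mappings thread; not code from the list or from
Fedora DS.  Each mapping has a regex, a base-DN template and a filter
template; \\1 in a template is replaced by the regex's first capture group.
Regexes use Python `re` syntax (bare parentheses group), whereas Rob See
reports the server wanted \\( \\); the strings below are an assumed Python
rendering of his entries.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SaslMapping:
    cn: str
    regex: str               # nsSaslMapRegexString
    base_dn_template: str    # nsSaslMapBaseDNTemplate
    filter_template: str     # nsSaslMapFilterTemplate


def map_identity(authid, mappings):
    """Return (search base, filter) from the first mapping whose regex matches
    the whole SASL identity, or None when nothing matches (the server then
    fails the bind with err=49, the 'authorization failure' in Rob's post)."""
    for m in mappings:
        match = re.fullmatch(m.regex, authid)
        if match is None:
            continue

        def expand(template):
            # a literal "\N" in the template -> capture group N; using a
            # function keeps any backslashes in the captured text literal
            return re.sub(r"\\(\d)", lambda g: match.group(int(g.group(1))), template)

        return expand(m.base_dn_template), expand(m.filter_template)
    return None


SUFFIX = "ou=People,dc=sub,dc=blah,dc=edu"   # from Rob's post

# Rob's original entry: expects a realm after "/admin"
ORIGINAL = [SaslMapping("map1", r"(.*)/admin@.*", "uid=\\1," + SUFFIX, "(objectclass=*)")]
# Rob's fix: no realm in the regex, since the server strips its own realm
FIXED = [SaslMapping("map1", r"(.*)/admin", "uid=\\1," + SUFFIX, "(objectclass=*)")]
# Added hardening (an assumption, not from the thread): only a plain
# principal name may be substituted into the DN template
STRICT = [SaslMapping("map1", r"([A-Za-z0-9._-]+)/admin", "uid=\\1," + SUFFIX, "(objectclass=*)")]


def demo():
    """Reproduce the thread: with client and server in the same realm the
    identity the mapping sees is "rob/admin" (assumed, per Rob's finding),
    so the realm-expecting regex never matches and the bind fails."""
    stripped = "rob/admin"
    return {
        "original": map_identity(stripped, ORIGINAL),      # None -> err=49
        "fixed": map_identity(stripped, FIXED),            # uid=rob,...
        # why "(.*)" is too generous: a crafted principal rewrites the DN
        "fixed_crafted": map_identity("rob,ou=Admins/admin", FIXED),
        "strict_crafted": map_identity("rob,ou=Admins/admin", STRICT),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The last two entries of `demo()` are the caveat a reviewer would raise about any `(.*)` in a mapping: whatever the capture group swallows is pasted into a DN (or a filter) template verbatim, so a principal containing a comma lands the bind in a different subtree. Constraining the group to the characters a user name can actually contain closes that off.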
From rmeggins at redhat.com Thu May 18 14:24:48 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 18 May 2006 08:24:48 -0600
Subject: [Fedora-directory-users] Trouble setting up pam passthru plugin
In-Reply-To: <4CDAC9ABAE827E84782670F8@nueces.is.rice.edu>
References: <4CDAC9ABAE827E84782670F8@nueces.is.rice.edu>
Message-ID: <446C83B0.4060304@redhat.com>

Paul Engle wrote:
> Hi all,
> I'm trying to set up our FDS 1.0.2 server to do the PAM passthrough authentication for simple binds so that we don't have to store passwords in the DS. I'm new to FDS, but not to LDAP or kerberos. Something is wonky, though, and I'm at a loss.
>
> I've compiled the pam-passthru-plugin.so library, and configured it according to the README doc for that plugin. The plugin is showing as loaded, and the response I'm getting back indicates that it is trying to do the check, so I don't think it's a config issue with the plugin.
>
> However, I'm getting conflicting log entries as to the success of the authentication. The slapd error logs are showing:
>
> [15/May/2006:14:22:49 -0500] pam_passthru-plugin - Expired PAM password for user id [pengle], bind DN [uid=pengle,ou=people,dc=rice,dc=edu]: reset required
>
> But, /var/log/messages is reporting:
>
> May 15 14:22:49 ldap1 ns-slapd: pam_krb5[1832]: authentication succeeds for 'pengle' (pengle at RICE.EDU)
>
> So, it looks like the kerberos auth is working, but whatever response the ldap server is getting isn't being interpreted as a success.
>
> I'm not a pam guru, so my /etc/pam.d/ldapserver is very basic:
>
> #%PAM-1.0
> auth required /lib/security/$ISA/pam_krb5.so debug no_user_check
>
> In case it's an issue, this is a RHEL4 box.
> And the command I'm testing with is
>
> /usr/bin/ldapsearch -x -W -H 'ldaps://ldap1.rice.edu:636' -D "uid=pengle,ou=People,dc=rice,dc=edu" -b "ou=People,dc=rice,dc=edu" '(uid=pengle)'
>
> Have I done something obviously wrong? If anyone has gotten this to work and can give me some pointers, I'd be very grateful. As far as I know, our kerberos repository doesn't do password aging, so I don't understand the error.
>
I'm not really sure.

# You can enable plug-in debug logging which may give some more indication of the problem, but this will slow down the server. So if you need to run with logging on in production, do so only for a short period of time. http://directory.fedora.redhat.com/wiki/FAQ#Troubleshooting

# pam_passthru-plugin also allows for something called "exclude suffix". So you can create a suffix dc=local and have a user called uid=test and see if that succeeds.

# Are there any 8 bit characters in your password?

> Thanks for your time,
> -paul
>
> --
> Paul D. Engle | Rice University
> Sr. Systems Administrator | Information Technology - MS119
> (713) 348-4702 | P.O. Box 1892
> pengle at rice.edu | Houston, TX 77251-1892
From logastellus at yahoo.com Thu May 18 15:43:40 2006
From: logastellus at yahoo.com (Susan)
Date: Thu, 18 May 2006 08:43:40 -0700 (PDT)
Subject: [Fedora-directory-users] missing info in the Solaris Client wiki
Message-ID: <20060518154340.83304.qmail@web52909.mail.yahoo.com>

The DUAConfigProfile Schema referenced here: http://directory.fedora.redhat.com/wiki/Howto:SolarisClient says to copy & paste it, saying it's a working config but there are entries in there that read "1.3.6.1.4." which obviously render the schema useless. Can somebody with write access to the wiki please fix it? For that matter, why not make the wiki world writable, like Wikipedia? That way we could all fix problems.

From rspencer at auspicecorp.com Thu May 18 20:12:48 2006
From: rspencer at auspicecorp.com (Roger Spencer)
Date: Thu, 18 May 2006 16:12:48 -0400
Subject: [Fedora-directory-users] Samba/Posix password sync problem
In-Reply-To: <2181C5F19DD0254692452BFF3EAF1D6801527BA1@rsys005a.comm.ad.roke.co.uk>
References: <2181C5F19DD0254692452BFF3EAF1D6801527BA1@rsys005a.comm.ad.roke.co.uk>
Message-ID: <446CD540.9010003@auspicecorp.com>

The only way I could get a password change from Windows to also sync the posix password was to add the following to smb.conf:

unix password sync = Yes
passwd program = /opt/IDEALX/sbin/smbldap-passwd -u %u
passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n

It can be debugged by adding:

passwd chat debug = Yes

This only handles the password change coming from Windows. If someone changes their password from a shell prompt using passwd, then only the posix password is updated and the samba one is out of sync.
Plant, Dean wrote: > Hello list, > > I am fairly new to FDS and my head is starting to hurt trying to get > things working correctly. I am having a problem syncing passwords using > FDS from Samba to the posix password on Centos 3. When I change the > password on my XP sp2 test machine I get "The username or old password > is incorrect. Letters in passwords must be typed using the correct > case". The password change is successful in samba, as I can logoff and > the use the new password. The password change does not propagate into > the Posix account details. > > SSL is configured and seems to be working. "ldapsearch -x -ZZ uid=test" > returns the test user information. > > I have used Authconfig to configure LDAP with TLS on the test server to > test the Posix account details. > > I am using the IdealX scripts, the /opt/IDEALX/sbin/smbldap-passwd works > without TLS but I think I have a problem when enabling TLS within these > scripts as smbldap-passwd fails to run. Below is my TLS settings from > the /etc/opt/IDEALX/smbldap-tools/smbldap.conf Do this look correct? > > If anyone can give me a kick in the right direction I would appreciate > the help. 
> > # Use TLS for LDAP > # If set to 1, this option will use start_tls for connection > # (you should also used the port 389) > # If not defined, parameter is set to "1" > #ldapTLS="0" > ldapTLS="1" > > # How to verify the server's certificate (none, optional or require) > # see "man Net::LDAP" in start_tls section for more details > verify="" > > # CA certificate > # see "man Net::LDAP" in start_tls section for more details > cafile="/opt/fedora-ds/alias/cacert.asc" > > # certificate to use to connect to the ldap server > # see "man Net::LDAP" in start_tls section for more details > clientcert="/opt/fedora-ds/alias/slapd-myhost-cert8.db" > > # key certificate to use to connect to the ldap server > # see "man Net::LDAP" in start_tls section for more details > clientkey="/opt/fedora-ds/alias/slapd-myhost-key3.db" > > > The samba log for the XP connection shows > > 2006/05/09 09:53:08, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1587) > ldapsam_modify_entry: LDAP Password could not be changed for user > test: Confidentiality required > Operation requires a secure connection. > > [2006/05/09 09:53:08, 0] > passdb/pdb_ldap.c:ldapsam_update_sam_account(1731) > ldapsam_update_sam_account: failed to modify user with uid = test, > error: Operation requires a secure connection. > (Success) > [2006/05/09 09:53:08, 0] libsmb/smbencrypt.c:decode_pw_buffer(539) > decode_pw_buffer: incorrect password length (1600733334). 
> [2006/05/09 09:53:08, 0] libsmb/smbencrypt.c:decode_pw_buffer(540) > decode_pw_buffer: check that 'encrypt passwords = yes' > > The directory server logs show > > [09/May/2006:09:53:07 +0100] conn=247 fd=67 slot=67 connection from > 127.0.0.1 to 127.0.0.1 > [09/May/2006:09:53:07 +0100] conn=247 op=0 BIND dn="cn=Directory > Manager" method=128 version=3 > [09/May/2006:09:53:07 +0100] conn=247 op=0 RESULT err=0 tag=97 > nentries=0 etime=0 dn="cn=directory manager" > [09/May/2006:09:53:07 +0100] conn=247 op=1 SRCH > base="dc=roke,dc=co,dc=uk" scope=2 > filter="(&(uid=test)(objectClass=sambaSamAccount))" attrs="uid uidNumber > gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange > sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn > displayName sambaHomeDrive sambaHomePath sambaLogonScript > sambaProfilePath description sambaUserWorkstations sambaSID > sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName > objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount > sambaBadPasswordTime sambaPasswordHistory modifyTimestamp > sambaLogonHours modifyTimestamp" > [09/May/2006:09:53:07 +0100] conn=247 op=1 RESULT err=0 tag=101 > nentries=1 etime=0 > [09/May/2006:09:53:07 +0100] conn=248 fd=71 slot=71 connection from > 127.0.0.1 to 127.0.0.1 > [09/May/2006:09:53:07 +0100] conn=246 op=4 UNBIND > [09/May/2006:09:53:07 +0100] conn=246 op=4 fd=68 closed - U1 > [09/May/2006:09:53:07 +0100] conn=248 op=0 EXT > oid="1.3.6.1.4.1.1466.20037" name="startTLS" > [09/May/2006:09:53:07 +0100] conn=248 op=0 RESULT err=0 tag=120 > nentries=0 etime=0 > [09/May/2006:09:53:07 +0100] conn=248 SSL 256-bit AES > [09/May/2006:09:53:07 +0100] conn=248 op=1 BIND dn="" method=128 > version=3 > [09/May/2006:09:53:07 +0100] conn=248 op=1 RESULT err=0 tag=97 > nentries=0 etime=0 dn="" > [09/May/2006:09:53:07 +0100] conn=248 op=2 SRCH > base="dc=roke,dc=co,dc=uk" scope=2 > filter="(&(objectClass=posixAccount)(uid=test))" attrs="uid userPassword > uidNumber 
gidNumber cn homeDirectory loginShell gecos description > objectClass" > [09/May/2006:09:53:07 +0100] conn=248 op=2 RESULT err=0 tag=101 > nentries=1 etime=0 > [09/May/2006:09:53:07 +0100] conn=249 fd=68 slot=68 connection from > 127.0.0.1 to 127.0.0.1 > [09/May/2006:09:53:07 +0100] conn=248 op=3 UNBIND > [09/May/2006:09:53:07 +0100] conn=248 op=3 fd=71 closed - U1 > [09/May/2006:09:53:07 +0100] conn=249 op=0 EXT > oid="1.3.6.1.4.1.1466.20037" name="startTLS" > [09/May/2006:09:53:07 +0100] conn=249 op=0 RESULT err=0 tag=120 > nentries=0 etime=0 > [09/May/2006:09:53:07 +0100] conn=249 SSL 256-bit AES > [09/May/2006:09:53:07 +0100] conn=249 op=1 BIND dn="" method=128 > version=3 > [09/May/2006:09:53:07 +0100] conn=249 op=1 RESULT err=0 tag=97 > nentries=0 etime=0 dn="" > [09/May/2006:09:53:07 +0100] conn=249 op=2 SRCH > base="dc=roke,dc=co,dc=uk" scope=2 filter="(uid=test)" attrs=ALL > [09/May/2006:09:53:07 +0100] conn=249 op=2 RESULT err=0 tag=101 > nentries=1 etime=0 > [09/May/2006:09:53:07 +0100] conn=249 op=3 SRCH > base="dc=roke,dc=co,dc=uk" scope=2 > filter="(&(objectClass=posixGroup)(|(memberUid=test)(uniqueMember=uid=te > st,ou=People,dc=roke,dc=co,dc=uk)))" attrs="cn userPassword memberUid > uniqueMember gidNumber" > [09/May/2006:09:53:07 +0100] conn=249 op=3 RESULT err=0 tag=101 > nentries=1 etime=0 > [09/May/2006:09:53:07 +0100] conn=247 op=2 SRCH > base="dc=roke,dc=co,dc=uk" scope=2 > filter="(&(uid=test)(objectClass=sambaSamAccount))" attrs="uid uidNumber > gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange > sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn > displayName sambaHomeDrive sambaHomePath sambaLogonScript > sambaProfilePath description sambaUserWorkstations sambaSID > sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName > objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount > sambaBadPasswordTime sambaPasswordHistory modifyTimestamp > sambaLogonHours modifyTimestamp" > 
[09/May/2006:09:53:07 +0100] conn=247 op=2 RESULT err=0 tag=101 > nentries=1 etime=0 > [09/May/2006:09:53:07 +0100] conn=249 op=4 SRCH > base="dc=roke,dc=co,dc=uk" scope=2 > filter="(&(objectClass=posixAccount)(uid=test))" attrs="uid userPassword > uidNumber gidNumber cn homeDirectory loginShell gecos description > objectClass" > [09/May/2006:09:53:07 +0100] conn=249 op=4 RESULT err=0 tag=101 > nentries=1 etime=0 > [09/May/2006:09:53:07 +0100] conn=247 op=3 MOD > dn="uid=test,ou=People,dc=roke,dc=co,dc=uk" > [09/May/2006:09:53:07 +0100] conn=247 op=3 RESULT err=0 tag=103 > nentries=0 etime=0 > [09/May/2006:09:53:07 +0100] conn=247 op=4 SRCH base="" scope=0 > filter="(objectClass=*)" attrs="supportedExtension" > [09/May/2006:09:53:08 +0100] conn=247 op=4 RESULT err=0 tag=101 > nentries=1 etime=1 > [09/May/2006:09:53:08 +0100] conn=247 op=5 EXT > oid="1.3.6.1.4.1.4203.1.11.1" name="passwd_modify_extop" > [09/May/2006:09:53:08 +0100] conn=247 op=5 RESULT err=13 tag=120 > nentries=0 etime=0 > [09/May/2006:09:53:08 +0100] conn=247 op=6 SRCH > base="dc=roke,dc=co,dc=uk" scope=2 > filter="(&(uid=test)(objectClass=sambaSamAccount))" attrs="uid uidNumber > gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange > sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn > displayName sambaHomeDrive sambaHomePath sambaLogonScript > sambaProfilePath description sambaUserWorkstations sambaSID > sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName > objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount > sambaBadPasswordTime sambaPasswordHistory modifyTimestamp > sambaLogonHours modifyTimestamp" > [09/May/2006:09:53:08 +0100] conn=247 op=6 RESULT err=0 tag=101 > nentries=1 etime=0 > > My smb.conf > > [global] > workgroup = TEST > security = user > passdb backend = ldapsam:ldap://localhost > ldap admin dn = cn=Directory Manager > ldap suffix = dc=roke,dc=co,dc=uk > ldap user suffix = ou=People > ldap machine suffix = ou=Computers > ldap 
group suffix = ou=Groups > encrypt passwords = yes > > log file = /var/log/samba/%m.log > socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 > > os level = 33 > domain logons = yes > domain master = yes > local master = yes > preferred master = yes > > wins support = yes > > logon home = \\%L\%U\profiles > logon path = \\%L\profiles\%U > logon drive = H: > > template shell = /bin/false > winbind use default domain = no > > #ldap ssl = yes > ldap passwd sync = Yes > > add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u" > ldap delete dn = Yes > delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u" > add machine script = /opt/IDEALX/sbin/smbldap-useradd -t 5 -w "%u" > add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g" > delete group script = /opt/IDEALX/sbin/smbldap-groupdel "%g" > add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" > "%g" > delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x > "%u" "%g" > set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u" > > [netlogon] > path = /var/lib/samba/netlogon > read only = yes > browsable = no > > [profiles] > path = /var/lib/samba/profiles > read only = no > create mask = 0600 > directory mask = 0700 > > [homes] > browsable = no > writable = yes > > Thanks > > Dean Plant > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > From magobin at gmail.com Fri May 19 09:34:55 2006 From: magobin at gmail.com (Alex aka Magobin) Date: Fri, 19 May 2006 11:34:55 +0200 Subject: [Fedora-directory-users] New User....fields! Message-ID: <1148031295.7906.17.camel@localhost.localdomain> Hello, when I setup a new user with console..I have in left panel default object class (User,Languages,NT User, Posix User). Now that I have imported qmail.schema how can I setup for all new entry my default windows?.. 
Is it possible that when I have to setup a new entry I have a window with on the left qmailgroup too...so that I have not to click on 'Advanced mode' and, for every user add qmailgroup value and AlternateMailAddress attribute.

Alex

From jo.de.troy at gmail.com Fri May 19 09:00:16 2006
From: jo.de.troy at gmail.com (Jo De Troy)
Date: Fri, 19 May 2006 11:00:16 +0200
Subject: [Fedora-directory-users] account lockout and proxy DN Solaris
Message-ID:

Hi Rich,

I'm pretty sure the proxyDN is using the correct password. Could the password encryption scheme be the problem?
I've selected MD5 in the directory.
When doing an ldap bind as proxyDN I use the same password as I specified when setting up the Solaris client using ldapinit.
If the password would be wrong, would I not always get the "Object not found (Session error no available conn)" error instead of only after a few minutes?

Best Regards,
Jo

From jrussler at helix.nih.gov Fri May 19 13:35:37 2006
From: jrussler at helix.nih.gov (Jason Russler)
Date: Fri, 19 May 2006 09:35:37 -0400
Subject: [Fedora-directory-users] Shadow account vs. password policy
Message-ID: <446DC9A9.7000603@helix.nih.gov>

Hi all,
I imported our Unix/Linux password and shadow files into FDS recently (using LdapImport.pl) and I'm trying to figure out the difference or conflicts between the shadowaccount object class attributes (shadowmax, shadowwarning etc.) and the passwordexpirationtime and passwordexpiredwarned etc. attributes that I assume come from the Password policy settings features of the directory.

I'm having trouble getting inconsistent results when expiring accounts to test whether or not the PAM ldap client (on RedHat Enterprise 4 systems) weighs one set of attributes more over the other or even cares about them at all. Does anyone have experience with the PAM clients and the directory's password policy settings vs. the shadowaccount attributes?
Should I quit using the password and password expiration features and just use the shadowaccount attributes or ditch the shadowaccount object class altogether?

If PAM will honor the password expiration policy then I may just write a little something to set the policy attributes from the shadow attributes of the imported files and then remove shadowaccount OC altogether. Any thoughts?

From rmeggins at redhat.com Fri May 19 14:16:15 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 19 May 2006 08:16:15 -0600
Subject: [Fedora-directory-users] account lockout and proxy DN Solaris
In-Reply-To:
References:
Message-ID: <446DD32F.4000304@redhat.com>

Jo De Troy wrote:
> Hi Rich,
>
> I'm pretty sure the proxyDN is using the correct password. Could the password encryption scheme be the problem?
I don't know. /etc/ldap.conf has to have the cleartext password in order to bind to the directory.
> I've selected MD5 in the directory.
> When doing an ldap bind as proxyDN I use the same password as I specified when setting up the Solaris client using ldapinit.
> If the password would be wrong, would I not always get the "Object not found (Session error no available conn)" error instead of only after a few minutes?
I don't know, but you only get account lockout if you provide the incorrect password. One way to find out for sure - go to the access log on the directory server and look for the BIND requests for the proxyDN from the clients in question.
>
> Best Regards,
> Jo
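Richard's advice above (look at the access log for the proxy DN's BIND requests) is quick to automate: BIND and RESULT are separate lines, so they have to be joined on conn/op before the error code says anything about a particular DN. The following is an added example, not code from the thread or from Fedora DS. The line layout follows the access-log excerpts Dean Plant posted in the Samba thread on this page; the sample lines, the proxy DN and the failure threshold are constructed for the example, and err=49 is the LDAP invalidCredentials result that counts toward lockout.

```python
"""Correlate BIND requests with their RESULT lines in a Fedora DS access log
and count failed binds per bind DN.

Added example for the account-lockout thread; not code from the list or
from Fedora DS.  The line layout follows the access-log excerpts posted in
the Samba thread on this page.  The sample lines, the proxy DN and the
failure threshold are constructed for the example.
"""
import re
from collections import defaultdict

BIND_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) '
    r'BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')
RESULT_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+)')

LDAP_INVALID_CREDENTIALS = 49


def bind_outcomes(lines):
    """Yield (timestamp, bind DN, err) for every BIND whose RESULT appears.
    BIND and RESULT are joined on (conn, op); DNs are lower-cased because the
    server logs them in different case on the two lines."""
    pending = {}
    for line in lines:
        m = BIND_RE.match(line)
        if m:
            pending[(m["conn"], m["op"])] = (m["ts"], m["dn"].lower())
            continue
        m = RESULT_RE.match(line)
        if m and (m["conn"], m["op"]) in pending:
            ts, dn = pending.pop((m["conn"], m["op"]))
            yield ts, dn, int(m["err"])


def failed_binds_by_dn(lines):
    """Count err=49 results per DN (an empty DN is an anonymous bind)."""
    counts = defaultdict(int)
    for _, dn, err in bind_outcomes(lines):
        if err == LDAP_INVALID_CREDENTIALS:
            counts[dn] += 1
    return dict(counts)


def at_lockout_risk(lines, max_failures):
    """DNs whose failure count has reached the policy's passwordMaxFailure."""
    return sorted(dn for dn, n in failed_binds_by_dn(lines).items() if n >= max_failures)


# Constructed sample: a Solaris proxy agent binding three times with a bad
# password, then once correctly, plus an unrelated Directory Manager bind.
PROXY_DN = "cn=proxyagent,ou=profile,dc=example,dc=com"
SAMPLE_LOG = [
    '[19/May/2006:10:00:01 +0200] conn=301 op=0 BIND dn="cn=proxyagent,ou=profile,dc=example,dc=com" method=128 version=3',
    '[19/May/2006:10:00:01 +0200] conn=301 op=0 RESULT err=49 tag=97 nentries=0 etime=0',
    '[19/May/2006:10:00:01 +0200] conn=302 op=0 BIND dn="cn=Directory Manager" method=128 version=3',
    '[19/May/2006:10:00:01 +0200] conn=302 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"',
    '[19/May/2006:10:00:02 +0200] conn=303 op=0 BIND dn="cn=proxyagent,ou=profile,dc=example,dc=com" method=128 version=3',
    '[19/May/2006:10:00:02 +0200] conn=303 op=0 RESULT err=49 tag=97 nentries=0 etime=0',
    '[19/May/2006:10:00:03 +0200] conn=304 op=0 BIND dn="cn=proxyagent,ou=profile,dc=example,dc=com" method=128 version=3',
    '[19/May/2006:10:00:03 +0200] conn=304 op=0 RESULT err=49 tag=97 nentries=0 etime=0',
    '[19/May/2006:10:00:04 +0200] conn=305 op=0 BIND dn="cn=proxyagent,ou=profile,dc=example,dc=com" method=128 version=3',
    '[19/May/2006:10:00:04 +0200] conn=305 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=proxyagent,ou=profile,dc=example,dc=com"',
]

if __name__ == "__main__":
    import sys
    # run against a real log with: python3 this.py /opt/fedora-ds/slapd-*/logs/access
    lines = SAMPLE_LOG
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.readlines()
    print(failed_binds_by_dn(lines))
    print("at lockout threshold:", at_lockout_risk(lines, max_failures=3))
```

If the proxy DN shows up with err=49 results at all, the client is sending a wrong password at some point (a stale cached one after a change, a second client configured with an old value), which is what Richard's question to Jo is getting at; if every result for that DN is err=0, the lockout has another cause and the failures are being attributed to the wrong entry.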
From rmeggins at redhat.com Fri May 19 14:17:22 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 19 May 2006 08:17:22 -0600
Subject: [Fedora-directory-users] New User....fields!
In-Reply-To: <1148031295.7906.17.camel@localhost.localdomain>
References: <1148031295.7906.17.camel@localhost.localdomain>
Message-ID: <446DD372.9000600@redhat.com>

Alex aka Magobin wrote:
> Hello,
> when I setup a new user with console..I have in left panel default object class (User,Languages,NT User, Posix User).
> Now that I have imported qmail.schema how can I setup for all new entry my default windows?..
>
You can't. You have to use the advanced editor.
> Is it possible that when I have to setup a new entry I have a window with on the left qmailgroup too...so that I have not to click on 'Advanced mode' and, for every user add qmailgroup value and AlternateMailAddress attribute.
>
There is currently no easy way to provide UI for new schema, unless you want to hack some java code.
> Alex

From rmeggins at redhat.com Fri May 19 14:18:29 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 19 May 2006 08:18:29 -0600
Subject: [Fedora-directory-users] Shadow account vs. password policy
In-Reply-To: <446DC9A9.7000603@helix.nih.gov>
References: <446DC9A9.7000603@helix.nih.gov>
Message-ID: <446DD3B5.1030902@redhat.com>

Jason Russler wrote:
> Hi all,
> I imported our Unix/Linux password and shadow files into FDS recently (using LdapImport.pl) and I'm trying to figure out the difference or conflicts between the shadowaccount object class attributes (shadowmax, shadowwarning etc.) and the passwordexpirationtime and passwordexpiredwarned etc. attributes that I assume come from the Password policy settings features of the directory.
>
> I'm having trouble getting inconsistent results when expiring accounts to test whether or not the PAM ldap client (on RedHat Enterprise 4 systems) weighs one set of attributes more over the other or even cares about them at all. Does anyone have experience with the PAM clients and the directory's password policy settings vs. the shadowaccount attributes? Should I quit using the password and password expiration features and just use the shadowaccount attributes or ditch the shadowaccount object class altogether?
>
> If PAM will honor the password expiration policy then I may just write a little something to set the policy attributes from the shadow attributes of the imported files and then remove shadowaccount OC altogether. Any thoughts?
PAM should honor the Fedora DS password policy, so I don't think you need the shadow stuff anymore.
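Jason's "little something to set the policy attributes from the shadow attributes" is small enough to show in full. The following is an added example, not code from the thread or from Fedora DS. Assumptions: shadowLastChange is days since 1970-01-01 and shadowMax the validity in days, as in shadow(5); the per-entry expiry lives in the operational attribute passwordExpirationTime in GeneralizedTime (Jason's "passwordexpirationtime"), and writing it directly takes Directory Manager rights; an imported shadowMax of 99999, the value Oscar's entry further down the page shows LdapImport.pl emitting, is treated as "never expires"; and the sample entry is constructed.

```python
"""Convert shadowAccount ageing into Fedora DS password-policy attributes.

Added example for the "Shadow account vs. password policy" thread; not code
from the list or from Fedora DS.  Assumptions: shadowLastChange is days
since 1970-01-01 and shadowMax the validity in days (shadow(5));
passwordExpirationTime is the per-entry operational attribute in
GeneralizedTime and is written as Directory Manager; shadowMax of 99999
(the import's default) means "never expires".
"""
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
NEVER = 99999


def parse_ldif_entry(text):
    """Minimal LDIF reader for one entry: 'attr: value' lines into a dict of
    lists keyed by lower-cased attribute name (no base64 or folded lines,
    which is enough for an LdapImport.pl entry)."""
    entry = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(": ")
        entry.setdefault(attr.lower(), []).append(value)
    return entry


def shadow_expiry(last_change_days, max_days):
    """GeneralizedTime at which the password expires, or None for never."""
    if max_days >= NEVER:
        return None
    when = EPOCH + timedelta(days=last_change_days + max_days)
    return when.strftime("%Y%m%d%H%M%SZ")


def shadow_to_policy_ldif(entry):
    """Emit an LDIF modify record: set passwordExpirationTime from the shadow
    ageing, then drop the shadow attributes and the shadowAccount class."""
    dn = entry["dn"][0]
    last_change = int(entry["shadowlastchange"][0])
    max_days = int(entry.get("shadowmax", [str(NEVER)])[0])
    lines = [f"dn: {dn}", "changetype: modify"]
    expiry = shadow_expiry(last_change, max_days)
    if expiry is not None:
        lines += ["replace: passwordExpirationTime",
                  f"passwordExpirationTime: {expiry}", "-"]
    # delete every shadow attribute the entry carries, so the object class
    # can be removed without leaving attributes no class permits
    for attr in ("shadowLastChange", "shadowMax", "shadowMin", "shadowWarning",
                 "shadowInactive", "shadowExpire", "shadowFlag"):
        if attr.lower() in entry:
            lines += [f"delete: {attr}", "-"]
    lines += ["delete: objectClass", "objectClass: shadowAccount", "-"]
    return "\n".join(lines) + "\n"


# Constructed sample entry in the shape LdapImport.pl produces
SAMPLE_ENTRY = """dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: shadowAccount
uid: jdoe
shadowLastChange: 13246
shadowMax: 90
shadowWarning: 7
"""

if __name__ == "__main__":
    # feed the output to: ldapmodify -x -D "cn=Directory Manager" -W -H ldaps://host
    print(shadow_to_policy_ldif(parse_ldif_entry(SAMPLE_ENTRY)))
```

Run the conversion once per entry from an export, check the emitted passwordExpirationTime values against what the shadow file said, and only then load the records; nothing here touches the password hash itself, only its ageing.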
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From strong.s at crwash.org Fri May 19 16:41:18 2006 From: strong.s at crwash.org (Steve Strong) Date: Fri, 19 May 2006 11:41:18 -0500 Subject: [Fedora-directory-users] adding users Message-ID: <446DF52E.9020109@crwash.org> OK, I'm a newbie, but it seems that now that I've migrated all of my users that I need to learn how to add users (ya think?) There must be an underlying unix account, right? how do you add one unix account to the fedora ldap directory? steve -- Steve Strong Math and Computer Science Washington High School 2205 Forest Dr. SE Cedar Rapids, IA 52403 http://crwash.org mailto:strong.s at crwash.org From gholbert at broadcom.com Fri May 19 16:46:13 2006 From: gholbert at broadcom.com (George Holbert) Date: Fri, 19 May 2006 09:46:13 -0700 Subject: [Fedora-directory-users] Shadow account vs. password policy In-Reply-To: <446DD3B5.1030902@redhat.com> References: <446DC9A9.7000603@helix.nih.gov> <446DD3B5.1030902@redhat.com> Message-ID: <446DF655.3080006@broadcom.com> > PAM should honor the Fedora DS password policy, so I don't think you > need the shadow stuff anymore. I agree with Rich. Also, in my testing I found that Solaris 8 native LDAP clients ignore the shadow attributes, which meant the shadow method is useless for my particular situation. Richard Megginson wrote: > Jason Russler wrote: >> Hi all, >> I imported our Unix/Linux password and shadow files into FDS recently >> (using LdapImport.pl) and I'm trying to figure out the difference or >> conflicts between the shadowaccount object class attributes >> (shdowmax, shadowwarning etc.) and the passwordexpiriationtime and >> passwordexpiredwarned etc. attributes that I assume come from the >> Password policy settings features of the directory. 
>> >> I'm having trouble getting inconsistent results when expiring >> accounts to test whether or not the PAM ldap client (on RedHat >> Enterprise 4 systems) weighs one set of attributes more more over the >> other or even cares about them at all. Does anyone have experience >> with the PAM clients and the directory's password policy settings vs. >> the shadowaccount attributes? Should I quit using the password and >> password expiration features and just use the shadowaccount >> attributes or ditch the shadowaccount object class altogether? >> >> If PAM will honor the password expiration policy then I may just >> write a little something to set the policy attributes from the shadow >> attributes of the imported files and then remove shadowaccount OC >> altogether. Any thoughts? > PAM should honor the Fedora DS password policy, so I don't think you > need the shadow stuff anymore. >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > From prowley at redhat.com Fri May 19 18:22:56 2006 From: prowley at redhat.com (Pete Rowley) Date: Fri, 19 May 2006 11:22:56 -0700 Subject: [Fedora-directory-users] adding users In-Reply-To: <446DF52E.9020109@crwash.org> References: <446DF52E.9020109@crwash.org> Message-ID: <446E0D00.70708@redhat.com> Steve Strong wrote: > OK, I'm a newbie, but it seems that now that I've migrated all of my > users that I need to learn how to add users (ya think?) There must be > an underlying unix account, right? how do you add one unix account to > the fedora ldap directory? > In the console create a new user, once you have filled out the default tab, click on the posix tab. 
-- Pete -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3241 bytes Desc: S/MIME Cryptographic Signature URL: From strong.s at crwash.org Fri May 19 18:33:58 2006 From: strong.s at crwash.org (Steve Strong) Date: Fri, 19 May 2006 13:33:58 -0500 Subject: [Fedora-directory-users] adding users In-Reply-To: <446E0D00.70708@redhat.com> References: <446DF52E.9020109@crwash.org> <446E0D00.70708@redhat.com> Message-ID: <446E0F96.6080005@crwash.org> hmmm, this sounds a lot like copy all of the information over by hand ... how about writing a shell script to add the user to the unix side and then copy the associated information (including the new group) into fedora directory? is there some way to create an ldif file programatically and then use ldapadd? has anyone done this already? steve Pete Rowley wrote: > Steve Strong wrote: >> OK, I'm a newbie, but it seems that now that I've migrated all of my >> users that I need to learn how to add users (ya think?) There must >> be an underlying unix account, right? how do you add one unix >> account to the fedora ldap directory? >> > In the console create a new user, once you have filled out the default > tab, click on the posix tab. > > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -- Steve Strong Math and Computer Science Washington High School 2205 Forest Dr. 
SE Cedar Rapids, IA 52403 http://crwash.org mailto:strong.s at crwash.org From gholbert at broadcom.com Fri May 19 19:09:36 2006 From: gholbert at broadcom.com (George Holbert) Date: Fri, 19 May 2006 12:09:36 -0700 Subject: [Fedora-directory-users] adding users In-Reply-To: <446E0F96.6080005@crwash.org> References: <446DF52E.9020109@crwash.org> <446E0D00.70708@redhat.com> <446E0F96.6080005@crwash.org> Message-ID: <446E17F0.4050000@broadcom.com> > is there some way to create an ldif file programatically and then use > ldapadd? Absolutely. The simplest case might be just a shell script that prompts for each value that constitutes a new user, then prints that to stdout in LDIF format, which could be piped to ldapmodify. Steve Strong wrote: > hmmm, this sounds a lot like copy all of the information over by hand ... > > how about writing a shell script to add the user to the unix side and > then copy the associated information (including the new group) into > fedora directory? is there some way to create an ldif file > programatically and then use ldapadd? has anyone done this already? > steve > > Pete Rowley wrote: >> Steve Strong wrote: >>> OK, I'm a newbie, but it seems that now that I've migrated all of my >>> users that I need to learn how to add users (ya think?) There must >>> be an underlying unix account, right? how do you add one unix >>> account to the fedora ldap directory? >>> >> In the console create a new user, once you have filled out the >> default tab, click on the posix tab. >> >> >> ------------------------------------------------------------------------ >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> > From oscar.valdez at duraflex-politex.com Fri May 19 22:09:02 2006 From: oscar.valdez at duraflex-politex.com (Oscar A. 
Valdez) Date: Fri, 19 May 2006 16:09:02 -0600 Subject: [Fedora-directory-users] adding users In-Reply-To: <446E0F96.6080005@crwash.org> References: <446DF52E.9020109@crwash.org> <446E0D00.70708@redhat.com> <446E0F96.6080005@crwash.org> Message-ID: <1148076542.2129.15.camel@wzowski.duraflex-politex.com>

On Fri, 19-05-2006 at 13:33 -0500, Steve Strong wrote:
> how about writing a shell script to add the user to the unix side and
> then copy the associated information (including the new group) into
> fedora directory? is there some way to create an ldif file
> programmatically and then use ldapadd? has anyone done this already?

I don't add the user to the unix side. I have a script that creates an ldif file for new users, then just upload it into the DS with the ldapmodify command:

dn: uid=jdoe,ou=People,dc=duraflex,dc=com,dc=sv
changetype: add
uid: jdoe
cn: John Doe
givenName: John
sn: Doe
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: account
objectClass: shadowAccount
userPassword: {crypt}$1$PTSfaHrm$lo4r6RXB9rBB15SPX1e.O1
shadowLastChange: 13246
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 589
gidNumber: 589
homeDirectory: /home/jdoe
gecos: John Doe

-- Oscar A. Valdez Industrias Duraflex, S.A. de C.V.

From strong.s at crwash.org Sat May 20 00:17:07 2006 From: strong.s at crwash.org (Steve Strong) Date: Fri, 19 May 2006 19:17:07 -0500 Subject: [Fedora-directory-users] adding users In-Reply-To: <1148076542.2129.15.camel@wzowski.duraflex-politex.com> References: <446DF52E.9020109@crwash.org> <446E0D00.70708@redhat.com> <446E0F96.6080005@crwash.org> <1148076542.2129.15.camel@wzowski.duraflex-politex.com> Message-ID: <446E6003.9040002@crwash.org>

interesting, what about group membership that gives them access to data on the server? how do you handle that? and, even with this script, their home directories would have to be made, yes?
why not add the user to the unix side and then use the ldif you show here? am I missing something?

steve

Oscar A. Valdez wrote:
> On Fri, 19-05-2006 at 13:33 -0500, Steve Strong wrote:
>
>> how about writing a shell script to add the user to the unix side and
>> then copy the associated information (including the new group) into
>> fedora directory? is there some way to create an ldif file
>> programmatically and then use ldapadd? has anyone done this already?
>>
>
> I don't add the user to the unix side. I have a script that creates an
> ldif file for new users, then just upload it into the DS with the
> ldapmodify command:
>
> dn: uid=jdoe,ou=People,dc=duraflex,dc=com,dc=sv
> changetype: add
> uid: jdoe
> cn: John Doe
> givenName: John
> sn: Doe
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: top
> objectClass: account
> objectClass: shadowAccount
> userPassword: {crypt}$1$PTSfaHrm$lo4r6RXB9rBB15SPX1e.O1
> shadowLastChange: 13246
> shadowMax: 99999
> shadowWarning: 7
> loginShell: /bin/bash
> uidNumber: 589
> gidNumber: 589
> homeDirectory: /home/jdoe
> gecos: John Doe
>

From mikael.kermorgant at gmail.com Sat May 20 14:21:27 2006 From: mikael.kermorgant at gmail.com (Mikael Kermorgant) Date: Sat, 20 May 2006 16:21:27 +0200 Subject: [Fedora-directory-users] New User....fields! In-Reply-To: <446DD372.9000600@redhat.com> References: <1148031295.7906.17.camel@localhost.localdomain> <446DD372.9000600@redhat.com> Message-ID: <9711147e0605200721s41a9dbd4t23ad2ac21abda583@mail.gmail.com>

2006/5/19, Richard Megginson :
> Alex aka Magobin wrote:
> > Hello,
> > when I setup a new user with console..I have in left panel default
> > object class (User,Languages,NT User, Posix User).
> > Now that I have imported qmail.schema how can I setup for all new entry
> > my default windows?..
> >
> You can't. You have to use the advanced editor.
It might be worth mentioning the directory server gateway, which you can customize relatively easily by modifying html files.

Regards,

Mikael

From mikael.kermorgant at gmail.com Sun May 21 16:03:00 2006 From: mikael.kermorgant at gmail.com (Mikael Kermorgant) Date: Sun, 21 May 2006 18:03:00 +0200 Subject: [Fedora-directory-users] Re: force password change from web apps In-Reply-To: <9711147e0605170912x75f162dcpd4138f217c573206@mail.gmail.com> References: <9711147e0605170912x75f162dcpd4138f217c573206@mail.gmail.com> Message-ID: <9711147e0605210903r56518c2foa6ea0de8c5875ba5@mail.gmail.com>

I could formulate my question this way:

Which attribute would be best suited to indicate to a third-party application that the user who logs in must change his password? Does such an attribute exist?

Best regards,

-- Mikael Kermorgant

From triswimjoe at hotmail.com Sun May 21 23:10:29 2006 From: triswimjoe at hotmail.com (Joe Sheehan) Date: Sun, 21 May 2006 19:10:29 -0400 Subject: [Fedora-directory-users] Command Line Question - Regarding Admin Passwords Message-ID:

Is there any way to change the admin and directory manager password via a command line script or utility instead of going through the Console?
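For the "adding users" thread above (Steve Strong's question, George Holbert's suggestion of a script that prints LDIF to stdout, Oscar Valdez's posixAccount record, and Steve's follow-up about group membership): the following is an added example written for this page by the editor, not a script from any list member and not part of Fedora Directory Server. It generalises Oscar's record into a generator. The login name is validated, the RDN and the uid attribute are derived from the same value so they cannot disagree, the next free uidNumber is picked from a constructed set of numbers already in use, values that RFC 2849 does not allow in clear (non-ASCII, a leading space or colon) are base64-encoded on a `::` line, the password is stored as {SSHA} (salted SHA-1, a scheme the server understands) instead of Oscar's {crypt} MD5, and a second record adds the new login to an existing posixGroup. The suffix dc=example,dc=com, the ou=People and ou=Groups containers, the host name, the password file /root/.dm.pw and the OpenLDAP-style ldapmodify flags (-x, -H, -y) are all assumptions; the ldapmodify call itself is not run by the self-check.

```python
"""Generate LDIF for a new POSIX user and pipe it to ldapmodify.

Editor's added example; not from the list or from Fedora Directory Server.
Assumed (hypothetical): the suffix, containers, host name and password
file below, and the OpenLDAP client tool flags used in add_records().
"""
import base64
import hashlib
import hmac
import os
import re
import subprocess
import time

PEOPLE_BASE = "ou=People,dc=example,dc=com"   # assumed suffix and container
GROUP_BASE = "ou=Groups,dc=example,dc=com"    # assumed group container
UID_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")   # POSIX-style login name

# Constructed sample of uidNumbers already allocated in the directory
# (not real data; a real script would search for posixAccount entries).
EXISTING_UIDNUMBERS = {500, 501, 589}


def ssha_hash(password, salt=None):
    """{SSHA} value: base64(sha1(password + salt) + salt), 8 random salt bytes."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a cleartext password against an {SSHA} value in constant time."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    calc = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(calc, digest)


def next_uidnumber(existing, start=1000):
    """Lowest free uidNumber at or above start; callers must serialise allocation."""
    n = start
    while n in existing:
        n += 1
    return n


def ldif_attr(name, value):
    """One attribute line.  RFC 2849 requires base64 ('::') for values that are
    non-ASCII, start with space, ':' or '<', end with space, or contain CR/LF."""
    unsafe = (not value.isascii() or value[:1] in (" ", ":", "<")
              or value.endswith(" ") or "\r" in value or "\n" in value)
    if unsafe:
        return "%s:: %s" % (name, base64.b64encode(value.encode("utf-8")).decode("ascii"))
    return "%s: %s" % (name, value)


def user_ldif(uid, given, sn, password, uidnumber, gidnumber,
              shell="/bin/bash", today_days=None):
    """LDIF 'add' record for the user; RDN and uid come from the same value."""
    if not UID_RE.match(uid):
        raise ValueError("invalid login name: %r" % (uid,))
    if today_days is None:
        today_days = int(time.time() // 86400)   # shadowLastChange: days since epoch
    attrs = [
        ("objectClass", "top"), ("objectClass", "person"),
        ("objectClass", "organizationalPerson"), ("objectClass", "inetOrgPerson"),
        ("objectClass", "posixAccount"), ("objectClass", "shadowAccount"),
        ("uid", uid), ("cn", "%s %s" % (given, sn)), ("givenName", given), ("sn", sn),
        ("gecos", "%s %s" % (given, sn)), ("uidNumber", str(uidnumber)),
        ("gidNumber", str(gidnumber)), ("homeDirectory", "/home/" + uid),
        ("loginShell", shell), ("userPassword", ssha_hash(password)),
        ("shadowLastChange", str(today_days)), ("shadowMax", "99999"),
        ("shadowWarning", "7"),
    ]
    lines = ["dn: uid=%s,%s" % (uid, PEOPLE_BASE), "changetype: add"]
    lines += [ldif_attr(n, v) for n, v in attrs]
    return "\n".join(lines) + "\n"


def group_member_ldif(group_cn, uid):
    """Second record: add the login to an existing posixGroup's memberUid."""
    lines = ["dn: cn=%s,%s" % (group_cn, GROUP_BASE), "changetype: modify",
             "add: memberUid", ldif_attr("memberUid", uid)]
    return "\n".join(lines) + "\n"


def add_records(ldif, host="ldap.example.com", passwd_file="/root/.dm.pw"):
    """Pipe the records to ldapmodify.  -y reads the bind password from a file,
    so it never shows up in `ps` output the way -w <password> does."""
    cmd = ["ldapmodify", "-x", "-H", "ldaps://" + host, "-D", "cn=Directory Manager",
           "-y", passwd_file]
    return subprocess.run(cmd, input=ldif.encode("utf-8"), check=True)


if __name__ == "__main__":
    n = next_uidnumber(EXISTING_UIDNUMBERS, start=589)
    records = user_ldif("jdoe", "John", "Doe", "correct horse", n, n) + "\n" \
        + group_member_ldif("staff", "jdoe")
    print(records)           # pass to add_records(records) on a real server
```

The two records are separated by a blank line, which is how ldapmodify delimits entries on stdin. The example does not create the home directory; that still has to happen on the host (for example pam_mkhomedir at first login), which is the point Steve raises in his reply.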
Thanks

Joe

From gholbert at broadcom.com Mon May 22 00:05:34 2006 From: gholbert at broadcom.com (George Holbert) Date: Sun, 21 May 2006 17:05:34 -0700 Subject: [Fedora-directory-users] Command Line Question - Regarding Admin Passwords In-Reply-To: References: Message-ID: <4471004E.2050904@broadcom.com>

For directory manager:

# ldapmodify -h -D "cn=Directory Manager" -w
dn: cn=config
changetype: modify
replace: nsslapd-rootpw
nsslapd-rootpw:

For console admin:

# ldapmodify -h -D "cn=Directory Manager" -w
dn: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
changetype: modify
replace: userPassword
userPassword:

Joe Sheehan wrote:
> Is there any way to change the admin and directory manager password
> via a command line script or utility instead of going through the
> Console?
>
> Thanks
>
> Joe
>

From triswimjoe at hotmail.com Mon May 22 14:29:33 2006 From: triswimjoe at hotmail.com (Joe Sheehan) Date: Mon, 22 May 2006 10:29:33 -0400 Subject: [Fedora-directory-users] Command Line Question - RegardingAdmin Passwords In-Reply-To: <4471004E.2050904@broadcom.com> Message-ID:

Thanks - Unfortunately ldapmodify just hangs on me.

I've used the following line

./ldapsearch -b o=netscaperoot -D "cn=directory manager" -w password "objectclass=nsAdminConfig" -p 1389 -v

Just to make sure I could connect at all.

Any reason ldapmodify would just sit there on the "init"

Thanks

Joe

>From: "George Holbert"
>Reply-To: "General discussion list for the Fedora Directory server
>project."
>To: "General discussion list for the Fedora Directory server project."
>
>Subject: Re: [Fedora-directory-users] Command Line Question -
>RegardingAdmin Passwords
>Date: Sun, 21 May 2006 17:05:34 -0700
>
>For directory manager:
>
># ldapmodify -h -D "cn=Directory Manager" -w
>dn: cn=config
>changetype: modify
>replace: nsslapd-rootpw
>nsslapd-rootpw:
>
>
>For console admin:
>
># ldapmodify -h -D "cn=Directory Manager" -w
>dn: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
>changetype: modify
>replace: userPassword
>userPassword:
>
>
>Joe Sheehan wrote:
>>Is there any way to change the admin and directory manager password
>>via a command line script or utility instead of going through the Console?
>>
>>Thanks
>>
>>Joe
>>

From rmeggins at redhat.com Mon May 22 14:34:50 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Mon, 22 May 2006 08:34:50 -0600 Subject: [Fedora-directory-users] Re: force password change from web apps In-Reply-To: <9711147e0605210903r56518c2foa6ea0de8c5875ba5@mail.gmail.com> References: <9711147e0605170912x75f162dcpd4138f217c573206@mail.gmail.com> <9711147e0605210903r56518c2foa6ea0de8c5875ba5@mail.gmail.com> Message-ID: <4471CC0A.1060908@redhat.com>

Mikael Kermorgant wrote:
> I could formulate my question this way:
>
> Which attribute would be best suited to indicate to a third-party application
> that the user who logs in must change his password? Does such an
> attribute exist?

If the password has expired, you could check for the operational attribute passwordExpirationTime. If your clocks are closely sync'ed, you can determine if passwordExpirationTime > now.
If you have enabled "grace" logins (allow the user to bind and change the password after the expiration time), you can check for the presence of the operational attribute passwordGraceUserTime.

If you are using a minimum password age, you can check the operational attribute passwordAllowChangeTime to find out when the user is allowed to change the password.

>
> Best regards,

From rmeggins at redhat.com Mon May 22 14:36:27 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Mon, 22 May 2006 08:36:27 -0600 Subject: [Fedora-directory-users] Command Line Question - RegardingAdmin Passwords In-Reply-To: References: Message-ID: <4471CC6B.3000404@redhat.com>

Joe Sheehan wrote:
> Thanks - Unfortunately ldapmodify just hangs on me.
>
> I've used the following line
> ./ldapsearch -b o=netscaperoot -D "cn=directory manager" -w password
> "objectclass=nsAdminConfig" -p 1389 -v
>
> Just to make sure I could connect at all.
>
> Any reason ldapmodify would just sit there on the "init"

ldapmodify is an interactive application. It is waiting for you to type in the command

dn: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
changetype: modify
replace: userPassword
userPassword:

followed by Ctrl-D

>
> Thanks
>
> Joe
>
>> From: "George Holbert"
>> Reply-To: "General discussion list for the Fedora Directory server
>> project."
>> To: "General discussion list for the Fedora Directory server
>> project."
>> Subject: Re: [Fedora-directory-users] Command Line Question -
>> RegardingAdmin Passwords
>> Date: Sun, 21 May 2006 17:05:34 -0700
>>
>> For directory manager:
>>
>> # ldapmodify -h -D "cn=Directory Manager" -w
>> dn: cn=config
>> changetype: modify
>> replace: nsslapd-rootpw
>> nsslapd-rootpw:
>>
>>
>> For console admin:
>>
>> # ldapmodify -h -D "cn=Directory Manager" -w
>> dn: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
>> changetype: modify
>> replace: userPassword
>> userPassword:
>>
>>
>> Joe Sheehan wrote:
>>> Is there any way to change the admin and directory manager password
>>> via a command line script or utility instead of going through the
>>> Console?
>>>
>>> Thanks
>>>
>>> Joe
>>>

From triswimjoe at hotmail.com Mon May 22 15:08:17 2006 From: triswimjoe at hotmail.com (Joe Sheehan) Date: Mon, 22 May 2006 11:08:17 -0400 Subject: [Fedora-directory-users] Command Line Question - RegardingAdminPasswords In-Reply-To: <4471CC6B.3000404@redhat.com> Message-ID:

Thanks - that's what I thought but I went to the -f option - Now the problem is my directory manager password isn't changing using ldapmodify but my admin password using ldapmodify works great.
Using the command below ldapmodify comes back with complete but the password still hasn't changed - double checking the command I'm using

ldapmodify -h -D "cn=Directory Manager" -w -f /tmp/joe

/tmp/joe

dn: cn=config
changetype: modify
replace: nsslapd-rootpw
nsslapd-rootpw:

Thanks Again for the Help - Much appreciated.

Joe

>From: Richard Megginson
>Reply-To: "General discussion list for the Fedora Directory server
>project."
>To: "General discussion list for the Fedora Directory server project."
>
>Subject: Re: [Fedora-directory-users] Command Line Question -
>RegardingAdminPasswords
>Date: Mon, 22 May 2006 08:36:27 -0600
>
>Joe Sheehan wrote:
>>Thanks - Unfortunately ldapmodify just hangs on me.
>>
>>I've used the following line
>>./ldapsearch -b o=netscaperoot -D "cn=directory manager" -w password
>>"objectclass=nsAdminConfig" -p 1389 -v
>>
>>Just to make sure I could connect at all.
>>
>>Any reason ldapmodify would just sit there on the "init"
>ldapmodify is an interactive application. It is waiting for you to type in
>the command
>dn: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
>changetype: modify
>replace: userPassword
>userPassword:
>
>followed by Ctrl-D
>>
>>Thanks
>>
>>Joe
>>
>>>From: "George Holbert"
>>>Reply-To: "General discussion list for the Fedora Directory server
>>>project."
>>>To: "General discussion list for the Fedora Directory server project."
>>>
>>>Subject: Re: [Fedora-directory-users] Command Line Question -
>>>RegardingAdmin Passwords
>>>Date: Sun, 21 May 2006 17:05:34 -0700
>>>
>>>For directory manager:
>>>
>>># ldapmodify -h -D "cn=Directory Manager" -w
>>>dn: cn=config
>>>changetype: modify
>>>replace: nsslapd-rootpw
>>>nsslapd-rootpw:
>>>
>>>
>>>For console admin:
>>>
>>># ldapmodify -h -D "cn=Directory Manager" -w
>>>dn: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
>>>changetype: modify
>>>replace: userPassword
>>>userPassword:
>>>
>>>
>>>Joe Sheehan wrote:
>>>>Is there any way to change the admin and directory manager password
>>>>via a command line script or utility instead of going through the
>>>>Console?
>>>>
>>>>Thanks
>>>>
>>>>Joe
>>>>

From DDeMarco at seisint.com Mon May 22 18:10:56 2006 From: DDeMarco at seisint.com (DeMarco, Dennis) Date: Mon, 22 May 2006 14:10:56 -0400 Subject: [Fedora-directory-users] pam-ldap / multiple ldap servers Bug? or Feature with pam_ldap? Message-ID: <6787F2E069C33C4982195219A7DF54D76EA632@seisintmx02.seisint.inc>

I've run into an interesting pam_ldap issue.
In my /etc/ldap.conf for pam I have two servers:

uri ldaps://ldap04.example.com ldaps://ldap03.example.com

ldap04.example.com ran out of file descriptors, we had cron restart services at night, and cron ulimit was 1024, even though /etc/security/limits.conf had been raised.

The problem: pam_ldap did not fail over to ldap03.example.com. LDAP04 still answered, even though it replied with

Not listening for new connections - too many fds open

then closed connection. pam_ldap was still trying to pin against this server.

Does anyone have any suggestions of a 'fix' for this feature?

Thanks,

Dennis

This message (including any attachments) contains confidential information intended for a specific individual and purpose, and is protected by law. If you are not the intended recipient, you should delete this message. Any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited.

From gholbert at broadcom.com Mon May 22 22:06:15 2006 From: gholbert at broadcom.com (George Holbert) Date: Mon, 22 May 2006 15:06:15 -0700 Subject: [Fedora-directory-users] consumer replica without update referrals? Message-ID: <447235D7.3080003@broadcom.com>

I'd like to set up a read-only consumer that never returns referrals to a writable master server. Basically, any write requests that aren't replication updates would just be dropped.

It doesn't look like there is an analogous setting for this in the suffix-level "nsslapd-state" variable. The closest thing is "referral on update" (default consumer behavior). Then there is the "nsslapd-readonly" attribute, but I think this would also disable updates from the master replica.

One way would be to set a bogus suffix referral, so that client updates are referred to a non-existent server. Does anyone have a more elegant solution?

Thank you!
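For the "force password change from web apps" thread above (Mikael Kermorgant's question and Richard Megginson's reply naming passwordExpirationTime, passwordGraceUserTime and passwordAllowChangeTime): the following is an added example written for this page by the editor, not code from the list or from Fedora Directory Server. It takes those three operational attributes, which the application has to request explicitly in its search because operational attributes are not returned by default, and turns them into a decision the application can act on: the password is expired once the current time has reached passwordExpirationTime; if the bind nevertheless succeeded and passwordGraceUserTime is present, the user came in on a grace login and must change the password now; passwordAllowChangeTime says whether the minimum password age still blocks a change. Clock skew between the application host and the directory, the point Richard raises about synchronised clocks, is handled by treating an expiry inside a small window as already reached, so drift fails closed rather than open. The timestamp format (GeneralizedTime in UTC, YYYYMMDDHHMMSSZ) and the sample entries are assumptions and constructed data, not output from a real server.

```python
"""Decide whether a user who just logged in must change their password, from
the operational attributes passwordExpirationTime, passwordGraceUserTime and
passwordAllowChangeTime.

Editor's added example; not from the list or from Fedora Directory Server.
Assumed: values are LDAP GeneralizedTime in UTC (YYYYMMDDHHMMSSZ) and the
entries below are constructed, not read from a real directory.
"""
import datetime as dt


def utc(*ymd_hms):
    """Aware UTC datetime from (year, month, day, hour, minute, second)."""
    return dt.datetime(*ymd_hms, tzinfo=dt.timezone.utc)


def parse_generalized_time(value):
    """Parse the exact form the server writes.  Anything else is rejected, not
    guessed at: a silent misparse here would switch expiry enforcement off."""
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError("unsupported GeneralizedTime: %r" % (value,))
    return dt.datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)


def password_state(entry, now, skew=dt.timedelta(minutes=5),
                   warn=dt.timedelta(days=7)):
    """Classify an entry as 'ok', 'expiring', 'expired' or 'grace'.

    `entry` maps attribute name -> value; names are compared case-insensitively
    as LDAP does.  `skew` is the clock error tolerated between this host and
    the directory: an expiry within that window counts as reached."""
    attrs = {k.lower(): v for k, v in entry.items()}
    result = {"state": "ok", "seconds_left": None, "can_change": True}

    # Minimum password age: the user may be told to change but be unable to yet.
    if "passwordallowchangetime" in attrs:
        allow = parse_generalized_time(attrs["passwordallowchangetime"])
        result["can_change"] = now >= allow

    if "passwordexpirationtime" not in attrs:
        return result            # no expiration data: nothing to enforce here

    remaining = parse_generalized_time(attrs["passwordexpirationtime"]) - now
    result["seconds_left"] = int(remaining.total_seconds())
    if remaining <= skew:
        # At or past expiry.  If the server still let the bind through, grace
        # logins are enabled and it recorded one in passwordGraceUserTime;
        # either way a change is due now.
        result["state"] = "grace" if "passwordgraceusertime" in attrs else "expired"
    elif remaining <= warn:
        result["state"] = "expiring"
    return result


def must_change_password(entry, now):
    """The yes/no answer the web application needs after a successful bind."""
    return password_state(entry, now)["state"] in ("expired", "grace")


if __name__ == "__main__":
    now = utc(2006, 5, 22, 14, 34, 50)
    # Constructed sample entries (not from a real server).
    samples = {
        "fresh":  {"passwordExpirationTime": "20060622143450Z"},
        "soon":   {"passwordExpirationTime": "20060524143450Z"},
        "graced": {"passwordExpirationTime": "20060522140000Z",
                   "passwordGraceUserTime": "20060522143000Z"},
        "minage": {"passwordExpirationTime": "20060622143450Z",
                   "passwordAllowChangeTime": "20060523143450Z"},
    }
    for name, entry in samples.items():
        print(name, password_state(entry, now), must_change_password(entry, now))
```

An application that only sees passwordExpirationTime cannot tell why a bind failed; this check is for the case Richard describes, where the bind succeeded and the application now has to decide whether to send the user to a change-password page before anything else.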
-- George

From Paul.Clayton at intecbilling.com Tue May 23 11:50:54 2006 From: Paul.Clayton at intecbilling.com (Paul Clayton) Date: Tue, 23 May 2006 13:50:54 +0200 Subject: [Fedora-directory-users] Replication problems Message-ID:

I have one server running FD core 5 and the other FD core 4

Each server has the recommended product installed, and at this point there is no issue.

What I am having is a replication problem. Initially I set server A as the master and server B as a dedicated consumer. The initialization worked fine from A to B and replication worked fine. I then set both servers as multi masters, and created the necessary agreements. Server A to B replication worked but not from B to A. It failed with a permissions issue. I later tracked this down to the password expiration being missing, but then I hit another issue, in that neither server would accept the replication, issuing an error code 1 saying incremental failed, and no such replica.

Extract from the log on Server A

[23/May/2006:13:39:31 +0200] NSMMReplicationPlugin - agmt="cn=Keeper" (keeper:389): Unable to acquire replica: there is no replicated area "dc=domain,dc=com" on the consumer server. Replication is aborting.
[23/May/2006:13:39:31 +0200] NSMMReplicationPlugin - agmt="cn=Keeper" (keeper:389): Incremental update failed and requires administrator action

Extract from log on Server B

[23/May/2006:13:36:18 +0200] NSMMReplicationPlugin - conn=8 op=3 replica="unknown": Unable to acquire replica: error: no such replica

I remember seeing this same problem on iPlanet some years back, and the only fix was to clear all replication agreements, and re-install the secondary. Seems the same issue is still around.

I have read the manual from top to bottom on replication, and cannot find anything wrong.

Anyone come across this.
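For Dennis DeMarco's pam_ldap message above (ldap04 answering TCP connections with "Not listening for new connections - too many fds open" and then closing them, while pam_ldap kept using it instead of failing over to ldap03): the following is an added example written for this page by the editor, not pam_ldap code and not from the list. It is the health check a practitioner would want in that situation: each server on the `uri` line is probed with a real LDAP operation (an anonymous bind, which every server answers whether or not it permits it) rather than a bare TCP connect, so a server that accepts the connection but cannot serve LDAP is reported as down and can be taken out of rotation before clients hit it. The BindRequest and the response decoder are hand-written BER (RFC 4511), so nothing here needs python-ldap; a server that sends an unsolicited Notice of Disconnection (ExtendedResponse with messageID 0) is classified as down. Only the two host names come from Dennis's message; the configuration text, ports, timeout and the responses in the self-check are constructed, and the network probe itself is not run by the self-check.

```python
"""Probe every server on a pam_ldap 'uri' line with an LDAP bind, not just a
TCP connect, so a server that still accepts connections but cannot serve
LDAP is reported as down.

Editor's added example; not pam_ldap code and not from the list.  The host
names come from the message above; everything else is assumed or constructed.
Stdlib only: the BindRequest is hand-encoded BER (RFC 4511).
"""
import socket
import ssl

# Constructed sample of the pam_ldap configuration quoted in the message.
SAMPLE_LDAP_CONF = ("base dc=example,dc=com\n"
                    "uri ldaps://ldap04.example.com ldaps://ldap03.example.com\n")


def parse_uri_line(conf_text):
    """Servers listed on the 'uri' line, in pam_ldap's failover order."""
    for line in conf_text.splitlines():
        parts = line.split()
        if parts and parts[0].lower() == "uri":
            return parts[1:]
    return []


def ber_len(n):
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def bind_request(msg_id=1):
    """LDAPMessage { messageID, BindRequest { version 3, name "", simple "" } }:
    an anonymous bind.  [APPLICATION 0] constructed is tag 0x60."""
    bind = ber(0x02, b"\x03") + ber(0x04, b"") + ber(0x80, b"")
    return ber(0x30, ber(0x02, bytes([msg_id])) + ber(0x60, bind))


def _read_tlv(buf, pos):
    """Decode one tag/length/value at pos; returns (tag, value, next_pos).
    Runs off the end of a truncated buffer with IndexError, caught by the caller."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def classify_response(data):
    """('up', resultCode) for a BindResponse; ('down', reason) for a Notice of
    Disconnection, a non-LDAP reply or a truncated one."""
    try:
        tag, msg, _ = _read_tlv(data, 0)
        if tag != 0x30:
            return ("down", "not an LDAPMessage")
        _, _, pos = _read_tlv(msg, 0)           # skip messageID
        op_tag, op, _ = _read_tlv(msg, pos)
        if op_tag == 0x78:                       # ExtendedResponse: unsolicited notice
            return ("down", "notice of disconnection")
        if op_tag != 0x61:                       # BindResponse is [APPLICATION 1]
            return ("down", "unexpected operation tag 0x%02x" % op_tag)
        _, code, _ = _read_tlv(op, 0)            # resultCode ENUMERATED
        return ("up", int.from_bytes(code, "big"))
    except IndexError:
        return ("down", "truncated response")


def probe(uri, timeout=3.0):
    """Connect, send the bind, classify the reply: (uri, state, detail)."""
    scheme, _, hostport = uri.partition("://")
    host, _, port = hostport.partition(":")
    port = int(port or (636 if scheme == "ldaps" else 389))
    sock = None
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
        if scheme == "ldaps":
            sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
        sock.sendall(bind_request())
        data = sock.recv(4096)
        if not data:
            return (uri, "down", "connection closed without a response")
        return (uri,) + classify_response(data)
    except OSError as exc:
        return (uri, "down", str(exc))
    finally:
        if sock is not None:
            sock.close()


if __name__ == "__main__":
    for server in parse_uri_line(SAMPLE_LDAP_CONF):
        print(probe(server))
```

A resultCode other than 0 still counts as "up": a server that refuses anonymous binds has answered an LDAP operation correctly, which is the property being tested. Run from cron, the probe also shows the trap Dennis describes: a restart from a cron job inherits cron's own file-descriptor limit, not the one in /etc/security/limits.conf, so the check is worth running after every scheduled restart.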
Regards

Paul Clayton

--------------------------------------------------------
This e-mail and any attachments are confidential and may also be legally privileged and/or copyright material of Intec Telecom Systems PLC (or its affiliated companies). If you are not an intended or authorised recipient of this e-mail or have received it in error, please delete it immediately and notify the sender by e-mail. In such a case, reading, reproducing, printing or further dissemination of this e-mail or its contents is strictly prohibited and may be unlawful. Intec Telecom Systems PLC does not represent or warrant that an attachment hereto is free from computer viruses or other defects. The opinions expressed in this e-mail and any attachments may be those of the author and are not necessarily those of Intec Telecom Systems PLC.

-------------- next part --------------
An HTML attachment was scrubbed... URL:

From blaze at elewise.com Tue May 23 13:20:59 2006 From: blaze at elewise.com (Pavel 'Blaze' Vinogradov) Date: Tue, 23 May 2006 18:20:59 +0500 Subject: [Fedora-directory-users] Custom forms Message-ID: <772495365.20060523182059@elewise.com>

Hello fedora-directory-users,

I am trying to find more information about creating and using custom forms for the Fedora Directory Console. An example of such forms is seen in the "Edit user" forms. Their templates are stored in /clients/dsgw/html... But no useful documentation about their customization can be found.

Can anyone give me more information about this?
-- Best regards, Pavel mailto:blaze at elewise.com

From rmeggins at redhat.com Tue May 23 14:10:49 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Tue, 23 May 2006 08:10:49 -0600 Subject: [Fedora-directory-users] Custom forms In-Reply-To: <772495365.20060523182059@elewise.com> References: <772495365.20060523182059@elewise.com> Message-ID: <447317E9.3010603@redhat.com>

Pavel 'Blaze' Vinogradov wrote:
> Hello fedora-directory-users,
>
> I am trying to find more information about creating and using custom forms
> for the Fedora Directory Console.

In the console or in the phonebook/gateway web app? With the former, it is difficult without writing some Java code. With the latter, it is easier to edit the html templates under clients/dsgw/html. But realize the console and the phonebook/gateway are two completely different apps.

> An example of such forms is seen in the "Edit
> user" forms. Their templates are stored in /clients/dsgw/html...
> But no useful documentation about their customization can be
> found.
>
> Can anyone give me more information about this?
>

From david_list at boreham.org Tue May 23 14:16:00 2006 From: david_list at boreham.org (David Boreham) Date: Tue, 23 May 2006 08:16:00 -0600 Subject: [Fedora-directory-users] Replication problems In-Reply-To: References: Message-ID: <44731920.4020008@boreham.org>

Paul Clayton wrote:
> I have one server running FD core 5 and the other FD core 4
>
> Each server has the recommended product installed, and at this point
> there is no issue.
>
> What I am having is a replication problem. Initially I set server A as
> the master and server B as a dedicated consumer.
>

A 'dedicated consumer' can't replicate to another server (hence the 'dedicated' part). Both servers need to be masters if you want two-way replication.
From Paul.Clayton at intecbilling.com Tue May 23 14:41:56 2006 From: Paul.Clayton at intecbilling.com (Paul Clayton) Date: Tue, 23 May 2006 16:41:56 +0200 Subject: [Fedora-directory-users] Replication problems Message-ID:

David Boreham wrote:

A 'dedicated consumer' can't replicate to another server (hence the 'dedicated' part). Both servers need to be masters if you want two-way replication.

I am aware of that and if you had read the email I sent, it was specified as such. I did finally get it working. I believe the problem may have been the passwordexpirationtime attribute not being present.

cheers

________________________________
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of David Boreham
Sent: 23 May 2006 04:16 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Replication problems

Paul Clayton wrote:

I have one server running FD core 5 and the other FD core 4

Each server has the recommended product installed, and at this point there is no issue.

What I am having is a replication problem. Initially I set server A as the master and server B as a dedicated consumer.

A 'dedicated consumer' can't replicate to another server (hence the 'dedicated' part). Both servers need to be masters if you want two-way replication.

From blaze at elewise.com Tue May 23 14:44:30 2006 From: blaze at elewise.com (Pavel 'Blaze' Vinogradov) Date: Tue, 23 May 2006 19:44:30 +0500 Subject: [Fedora-directory-users] Custom forms In-Reply-To: <447317E9.3010603@redhat.com> References: <772495365.20060523182059@elewise.com> <447317E9.3010603@redhat.com> Message-ID: <765653721.20060523194430@elewise.com>

Hello Richard,

Tuesday, May 23, 2006, 7:10:49 PM, you wrote:

>> I am trying to find more information about creating and using custom forms
>> for the Fedora Directory Console.

> In the console or in the phonebook/gateway web app? With the former, it
> is difficult without writing some Java code. With the latter, it is
> easier to edit the html templates under clients/dsgw/html. But realize
> the console and the phonebook/gateway are two completely different apps.

We want to migrate our user DB to FDS and are trying to find a way to use the Fedora Directory Console to manage all user data. We are now integrating our proxy, domain, mail and devel subsystems to store their data in FDS (more info taken from the FDS wiki; I have some contributions and corrections and am looking for a way to put them back). And now we need a visual tool to manage this data. If we can customize and add forms to what FDS gives us in the Admin Console, we can build a good tool. Now we need to create analogues of the "Posix login; NT user" and similar forms... to manage mail info, squid info etc.

How can we do this?
-- Best regards, Pavel mailto:blaze at elewise.com

From felipe.alfaro at gmail.com Tue May 23 14:49:08 2006 From: felipe.alfaro at gmail.com (Felipe Alfaro Solana) Date: Tue, 23 May 2006 16:49:08 +0200 Subject: [Fedora-directory-users] Fedora Directory Server Console on Mac OS X Message-ID: <6f6293f10605230749s388606fbxad438d936daa5eb1@mail.gmail.com>

Hi!

Has anyone been able to make Fedora Directory Server console run on Mac OS X 10.4? I copied the entire /opt/fedora-ds tree to my Mac, then ran ./startconsole. The login window comes up but, after entering the admin credentials, it just hangs while trying to authenticate against the admin service.

Curiously, while sniffing traffic, I can see a DNS query for the admin service machine, but no more traffic comes in or out of the machine. I've tried using JRE 1.4.2 and JRE 1.5.0 with no success.

Any ideas?

From david_list at boreham.org Tue May 23 14:51:40 2006 From: david_list at boreham.org (David Boreham) Date: Tue, 23 May 2006 08:51:40 -0600 Subject: [Fedora-directory-users] Replication problems In-Reply-To: References: Message-ID: <4473217C.2030209@boreham.org>

Paul Clayton wrote:
>
> I am aware of that and if you had read the email I sent, it was
> specified as such.

Yes, but it seemed that you attempted to 'upgrade' the consumer to a master after installation and configuration. It may be that this doesn't work. Hence my comment.

From strong.s at crwash.org Tue May 23 23:51:35 2006 From: strong.s at crwash.org (Steve Strong) Date: Tue, 23 May 2006 18:51:35 -0500 Subject: [Fedora-directory-users] Re: [WebCore] great meeting!!! In-Reply-To: <1216.12.217.202.27.1148423780.squirrel@crwash.org> References: <1216.12.217.202.27.1148423780.squirrel@crwash.org> Message-ID: <4473A007.4030301@crwash.org>

Troy:

Do you want to change your email address on the list serve? I didn't think you were using that address any more.
steve

ps: Let's edit the page before Strong goes bald -- right?

pps: stop laughing

From Paul.Clayton at intecbilling.com Wed May 24 06:43:03 2006 From: Paul.Clayton at intecbilling.com (Paul Clayton) Date: Wed, 24 May 2006 08:43:03 +0200 Subject: [Fedora-directory-users] Fedora Directory Server Console on Mac OS X Message-ID:

Felipe,

We had the same issue here where our DNS kept on dropping the entry (microsoft sucks) for some obscure reason. Check that your DNS is working properly otherwise odd things happen, or in your case don't happen.

regards

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Felipe Alfaro Solana
Sent: 23 May 2006 04:49 PM
To: fedora-directory-users at redhat.com
Subject: [Fedora-directory-users] Fedora Directory Server Console on Mac OS X

Hi!

Has anyone been able to make Fedora Directory Server console run on Mac OS X 10.4? I copied the entire /opt/fedora-ds tree to my Mac, then ran ./startconsole. The login window comes up but, after entering the admin credentials, it just hangs while trying to authenticate against the admin service.

Curiously, while sniffing traffic, I can see a DNS query for the admin service machine, but no more traffic comes in or out of the machine. I've tried using JRE 1.4.2 and JRE 1.5.0 with no success.

Any ideas?

From felipe.alfaro at gmail.com Wed May 24 14:39:43 2006 From: felipe.alfaro at gmail.com (Felipe Alfaro Solana) Date: Wed, 24 May 2006 16:39:43 +0200 Subject: [Fedora-directory-users] Fedora Directory Server Console on Mac OS X In-Reply-To: References: Message-ID: <6f6293f10605240739s3249c40bwb97417d5a8113267@mail.gmail.com>

> We had the same issue here where our DNS kept on dropping the entry
> (microsoft sucks) for some obscure reason. Check that your DNS is
> working properly otherwise odd things happen, or in your case don't
> happen.

I guess it is not a problem with the DNS, since tcpdump clearly shows my Mac sending DNS queries and the responses coming back. Also, we are not using a Microsoft DNS, but a standard ISC BIND 9.

From justin at dubble-vee.com Wed May 24 20:36:11 2006 From: justin at dubble-vee.com (Justin Jones) Date: Wed, 24 May 2006 14:36:11 -0600 Subject: [Fedora-directory-users] dsbuild install error on Engarde Linux Message-ID: <53B6E00D-A76D-41F0-B2A4-A297C0B0DEAF@dubble-vee.com>

I'm trying to build Fedora Directory Server on Engarde Linux (rapier) using dsbuild.
I've worked my way through most of the dependency issues, but i'm stuck with this error:

gmake[6]: Leaving directory `/root/dsbuild-fds102/ds/ldapserver/work/fedora-ds-1.0.2/ldap/servers/slapd'
/usr/bin/gcc -c -Wall -DNO_DBM -DLINUX -DLINUX2_2 -DLINUX2_4 -fPIC -D_REENTRANT -DNO_NODELOCK -DDEBUG -DNO_LIBLCACHE -DXP_UNIX -DLinux -DMCC_DEBUG -g -DMCC_HTTPD -DNS_DOMESTIC -DNET_SSL -DCLIENT_AUTH -DSERVER_BUILD -DNSPR20 -DNS_DS -DSPAPI20 -DBUILD_NUM=\"2006.144.2028\" -DUPGRADEDB -DLINUX -DLINUX2_0 -DLINUX2_2 -DLinux -DLDAP_DEBUG -DLDAP_REFERRALS -DLDAP_LDBM -DLDAP_LDIF -DLDBM_USE_DBBTREE -DSLAPD_PASSWD_SHA1 -DLDAP_SSLIO_HOOKS -D__DBINTERFACE_PRIVATE -DNO_LIBLCACHE -DNS_DIRECTORY -g -I../../../ldap/include -I../../../built/Linux2.6_x86_glibc_PTH_DBG.OBJ/include -I/root/dsbuild-fds102/ds/db/work/db-4.2.52.NC/built -I. -I../../../include/libaccess -I../../../lib -DLDAP_DONT_USE_SMARTHEAP -I../../../include -I../../../include -I/root/dsbuild-fds102/ds/mozilla/work/mozilla/dist/DBG.OBJ/include -I/root/dsbuild-fds102/ds/mozilla/work/mozilla/dist/public/dbm -I/root/dsbuild-fds102/ds/mozilla/work/mozilla/dist/public/nss -I/root/dsbuild-fds102/ds/mozilla/work/mozilla/dist/public/svrcore -I/root/dsbuild-fds102/ds/mozilla/work/mozilla/dist/public/ldap -I/usr/include/sasl bind.c -o ../../../built/Linux2.6_x86_glibc_PTH_DBG.OBJ/servers/obj/bind.o
bind.c:62:18: sasl.h: No such file or directory
bind.c: In function `do_bind':
bind.c:322: error: `SASL_MECHNAMEMAX' undeclared (first use in this function)
bind.c:322: error: (Each undeclared identifier is reported only once
bind.c:322: error: for each function it appears in.)

I'm simply running "make DEBUG=full NOJAVA=1". Does anyone have any idea what it may be looking for or what's hanging it up?

Thanks!
Justin

From prowley at redhat.com Wed May 24 20:48:53 2006
From: prowley at redhat.com (Pete Rowley)
Date: Wed, 24 May 2006 13:48:53 -0700
Subject: [Fedora-directory-users] dsbuild install error on Engarde Linux
In-Reply-To: <53B6E00D-A76D-41F0-B2A4-A297C0B0DEAF@dubble-vee.com>
References: <53B6E00D-A76D-41F0-B2A4-A297C0B0DEAF@dubble-vee.com>
Message-ID: <4474C6B5.1040109@redhat.com>

Justin Jones wrote:
> bind.c:62:18: sasl.h: No such file or directory
> bind.c: In function `do_bind':
> bind.c:322: error: `SASL_MECHNAMEMAX' undeclared (first use in this
> function)
> bind.c:322: error: (Each undeclared identifier is reported only once
> bind.c:322: error: for each function it appears in.)
>
> I'm simply running "make DEBUG=full NOJAVA=1". Does anyone have any
> idea what it may be looking for or what's hanging it up?

You need the cyrus sasl development package.

--
Pete

From rmeggins at redhat.com Wed May 24 21:51:28 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 24 May 2006 15:51:28 -0600
Subject: [Fedora-directory-users] Custom forms
In-Reply-To: <765653721.20060523194430@elewise.com>
References: <772495365.20060523182059@elewise.com> <447317E9.3010603@redhat.com> <765653721.20060523194430@elewise.com>
Message-ID: <4474D560.60501@redhat.com>

Pavel 'Blaze' Vinogradov wrote:
> Hello Richard,
>
> Tuesday, May 23, 2006, 7:10:49 PM, you wrote:
>
>>> I try to find more information about creating and using custom forms
>>> for Fedora Directory Console.
>>>
>> In the console or in the phonebook/gateway web app? With the former, it
>> is difficult without writing some Java code. With the latter, it is
>> easier to edit the html templates under clients/dsgw/html. But realize
>> the console and the phonebook/gateway are two completely different apps.
>>
> We want to migrate our user DB to FDS, and try to find a way to use
> the Fedora Directory Console to manage all user data. Now we integrate
> our proxy, domain, mail and devel subsystems to store their data
> in FDS (more info from the FDS wiki, and I have some contributions and
> corrections, and am searching for a way to put them back).
>
If you have any corrections to the wiki, please file a bug at http://bugzilla.redhat.com/ for Fedora Directory Server, category wiki.

> And now we need a visual tool to manage this data. If we can
> customize and add forms like the ones FDS gives us in the Admin Console, we
> can build a good tool. Now we need to create an analogue of the "Posix login; NT
> user" and similar forms... to manage mail info, squid info etc.
>
Right. There is no simple template system to create new forms. You have to write some new Java code for the console to implement support for new forms.

> How can we do this?
>
You can use the Advanced... editor. It's not very pretty but it works.

From felipe.alfaro at gmail.com Thu May 25 09:56:04 2006
From: felipe.alfaro at gmail.com (Felipe Alfaro Solana)
Date: Thu, 25 May 2006 11:56:04 +0200
Subject: [Fedora-directory-users] Custom forms
In-Reply-To: <4474D560.60501@redhat.com>
References: <772495365.20060523182059@elewise.com> <447317E9.3010603@redhat.com> <765653721.20060523194430@elewise.com> <4474D560.60501@redhat.com>
Message-ID: <6f6293f10605250256r73cfebf0x2dee751b08458cb@mail.gmail.com>

> You can use the Advanced... editor. It's not very pretty but it works.

I'm having problems using the Advanced...
editor: I add mailRecipient as a new value to the objectClass attribute, then select a view of all attributes, but cannot manage to add a value to the mailRoutingAddress attribute: right clicking on it and then clicking the Add Value button tries to add a value to the objectClass attribute instead.

I had to revert to using ldapmodify, which simply works.

From jrussler at helix.nih.gov Thu May 25 12:48:40 2006
From: jrussler at helix.nih.gov (Jason Russler)
Date: Thu, 25 May 2006 08:48:40 -0400
Subject: [Fedora-directory-users] Custom forms
In-Reply-To: <4474D560.60501@redhat.com>
References: <772495365.20060523182059@elewise.com> <447317E9.3010603@redhat.com> <765653721.20060523194430@elewise.com> <4474D560.60501@redhat.com>
Message-ID: <4475A7A8.40005@helix.nih.gov>

You can write simple scripts or web apps to do this; any language you want will likely suffice, that's the beauty of LDAP. I manage our directory with a web app written in PHP and some command line scripts written in Perl. It's pretty simple in both languages. Or you can write a small Java app, no real need to make it part of the console.

> Right. There is no simple template system to create new forms. You
> have to write some new Java code for the console to implement support
> for new forms.
>

From rmeggins at redhat.com Thu May 25 14:07:53 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 25 May 2006 08:07:53 -0600
Subject: [Fedora-directory-users] Custom forms
In-Reply-To: <6f6293f10605250256r73cfebf0x2dee751b08458cb@mail.gmail.com>
References: <772495365.20060523182059@elewise.com> <447317E9.3010603@redhat.com> <765653721.20060523194430@elewise.com> <4474D560.60501@redhat.com> <6f6293f10605250256r73cfebf0x2dee751b08458cb@mail.gmail.com>
Message-ID: <4475BA39.5020507@redhat.com>

Felipe Alfaro Solana wrote:
>> You can use the Advanced... editor. It's not very pretty but it works.
>
> I'm having problems using the Advanced...
> editor: I add mailRecipient
> as a new value to the objectClass attribute, then select a view of all
> attributes, but cannot manage to add a value to the mailRoutingAddress
> attribute: right clicking on it then clicking in the Add Value button
> tries to add a value to the objectClass attribute instead.

Try doing a left click on the field you want to add the value to, then right click on it to add the value (or use the Add Value button in the right hand pane).

>
> I had to revert to using ldapmodify, which simply works.
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From pengle at rice.edu Thu May 25 14:17:08 2006
From: pengle at rice.edu (Paul Engle)
Date: Thu, 25 May 2006 09:17:08 -0500
Subject: [Fedora-directory-users] Securing the Pam Passthru plugin

Hello all,

I've installed and configured the pam passthru plugin so that we can do simple binds without having to store passwords in the directory. It's working, but I can't seem to get the pamSecure attribute to take effect.
My entry in dse.ldif for the plugin is:

dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
objectClass: pamConfig
cn: PAM Pass Through Auth
nsslapd-pluginPath: /opt/fedora-ds/lib/pam-passthru-plugin.so
nsslapd-pluginInitfunc: pam_passthruauth_init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-pluginloadglobal: true
nsslapd-plugin-depends-on-type: database
pamMissingSuffix: ALLOW
pamExcludeSuffix: o=NetscapeRoot
pamExcludeSuffix: cn=config
pamMapMethod: RDN
pamFallback: FALSE
pamSecure: TRUE
pamService: ldapserver
nsslapd-pluginId: pam_passthruauth
nsslapd-pluginVersion: 1.0.2
nsslapd-pluginVendor: Fedora Project
nsslapd-pluginDescription: PAM pass through authentication plugin

That's pretty much a cut & paste from the README that comes with the plugin source. Docs are sketchy, but I thought that pamSecure was supposed to prevent a non-SSL connection from being able to do the passthru bind? Even though I have it set to true, I can bind to port 389 of my server with no error. Obviously, that's not acceptable. Am I misunderstanding the purpose of this attribute? If so, is there any other way to enforce TLS for simple binds?

Also, is there any plan to include this plugin in the default build of FDS? It's included with the source, but it's commented out of the Makefile, at least for version 1.0.2.

Thanks,
-paul

--
Paul D. Engle | Rice University
Sr. Systems Administrator | Information Technology - MS119
(713) 348-4702 | P.O.
Box 1892
pengle at rice.edu | Houston, TX 77251-1892

From rmeggins at redhat.com Thu May 25 14:34:08 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 25 May 2006 08:34:08 -0600
Subject: [Fedora-directory-users] Securing the Pam Passthru plugin
Message-ID: <4475C060.6030805@redhat.com>

Paul Engle wrote:
> Hello all,
>
> I've installed and configured the pam passthru plugin so that we can do
> simple binds without having to store passwords in the directory. It's
> working, but I can't seem to get the pamSecure attribute to take effect. My
> entry in dse.ldif for the plugin is:
>
> dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
> objectClass: top
> objectClass: nsSlapdPlugin
> objectClass: extensibleObject
> objectClass: pamConfig
> cn: PAM Pass Through Auth
> nsslapd-pluginPath: /opt/fedora-ds/lib/pam-passthru-plugin.so
> nsslapd-pluginInitfunc: pam_passthruauth_init
> nsslapd-pluginType: preoperation
> nsslapd-pluginEnabled: on
> nsslapd-pluginloadglobal: true
> nsslapd-plugin-depends-on-type: database
> pamMissingSuffix: ALLOW
> pamExcludeSuffix: o=NetscapeRoot
> pamExcludeSuffix: cn=config
> pamMapMethod: RDN
> pamFallback: FALSE
> pamSecure: TRUE
>
Looks like these two fields are not expecting a boolean value, rather an integer value. So, use 1 instead of TRUE and 0 instead of FALSE.

> pamService: ldapserver
> nsslapd-pluginId: pam_passthruauth
> nsslapd-pluginVersion: 1.0.2
> nsslapd-pluginVendor: Fedora Project
> nsslapd-pluginDescription: PAM pass through authentication plugin
>
> That's pretty much a cut & paste from the README that comes with the plugin
> source.
> Docs are sketchy, but I thought that pamSecure was supposed to
> prevent a non-SSL connection from being able to do the passthru bind? Even
> though I have it set to true, I can bind to port 389 of my server with no
> error. Obviously, that's not acceptable. Am I misunderstanding the purpose
> of this attribute? If so, is there any other way to enforce TLS for simple
> binds?
>
> Also, is there any plan to include this plugin in the default build of FDS?
> It's included with the source, but it's commented out of the Makefile, at
> least for version 1.0.2.
>
No plans yet. We're still trying to evaluate the general usefulness of it as well as its testability.

> Thanks,
> -paul
>
> --
> Paul D. Engle | Rice University
> Sr. Systems Administrator | Information Technology - MS119
> (713) 348-4702 | P.O. Box 1892
> pengle at rice.edu | Houston, TX 77251-1892

From pengle at rice.edu Thu May 25 14:39:03 2006
From: pengle at rice.edu (Paul Engle)
Date: Thu, 25 May 2006 09:39:03 -0500
Subject: [Fedora-directory-users] Securing the Pam Passthru plugin
In-Reply-To: <4475C060.6030805@redhat.com>
References: <4475C060.6030805@redhat.com>
Message-ID: <6F1EDD0304D2EDFD6635DB3F@nueces.is.rice.edu>

--On Thursday, May 25, 2006 08:34:08 AM -0600 Richard Megginson wrote:

>> pamFallback: FALSE
>> pamSecure: TRUE
>>
> Looks like these two fields are not expecting a boolean value, rather an
> integer value.
> So, use 1 instead of TRUE and 0 instead of FALSE.

Excellent! That works like a charm. I think we're about ready to go production with this baby.

Thanks!
-paul

--
Paul D. Engle | Rice University
Sr. Systems Administrator | Information Technology - MS119
(713) 348-4702 | P.O. Box 1892
pengle at rice.edu | Houston, TX 77251-1892

From rmeggins at redhat.com Thu May 25 14:43:54 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 25 May 2006 08:43:54 -0600
Subject: [Fedora-directory-users] Securing the Pam Passthru plugin
In-Reply-To: <6F1EDD0304D2EDFD6635DB3F@nueces.is.rice.edu>
References: <4475C060.6030805@redhat.com> <6F1EDD0304D2EDFD6635DB3F@nueces.is.rice.edu>
Message-ID: <4475C2AA.8040103@redhat.com>

Paul Engle wrote:
> --On Thursday, May 25, 2006 08:34:08 AM -0600 Richard Megginson
> wrote:
>
>>> pamFallback: FALSE
>>> pamSecure: TRUE
>>>
>> Looks like these two fields are not expecting a boolean value, rather an
>> integer value. So, use 1 instead of TRUE and 0 instead of FALSE.
>>
>
> Excellent! That works like a charm. I think we're about ready to go
> production with this baby.
>
Please let us know how it works, what problems there are, enhancement requests. This will help us to determine if it should be enabled by default (or at least built/packaged).

BTW, I fixed the problem you reported - if you grab the latest version of ldapserver/ldap/servers/plugins/pam_passthru/pam_ptconfig.c from CVS you will be able to use boolean values (e.g. true, yes, on) instead of just 0 and 1.

> Thanks!
> -paul
>
> --
> Paul D. Engle | Rice University
> Sr. Systems Administrator | Information Technology - MS119
> (713) 348-4702 | P.O.
> Box 1892
> pengle at rice.edu | Houston, TX 77251-1892

From strong.s at crwash.org Thu May 25 14:56:56 2006
From: strong.s at crwash.org (Steve Strong)
Date: Thu, 25 May 2006 09:56:56 -0500
Subject: [Fedora-directory-users] password aging
Message-ID: <4475C5B8.1000305@crwash.org>

I'm having some trouble with students who use my lab being forced to change their password every time they log in. I should say that to create the user accounts in fedora directory, I used LdapImport and used /etc/passwd and /etc/shadow to create the new accounts. In addition, we've been using NIS to authenticate prior to the import of user accounts, so there probably was some difference in passwords. I thought that they could change their password and that the aging of the password would be updated correctly, but this doesn't seem to be happening.

Any help would be greatly appreciated.

steve

--
Steve Strong
Math and Computer Science
Washington High School
2205 Forest Dr.
SE Cedar Rapids, IA 52403
http://crwash.org
mailto:strong.s at crwash.org

From felipe.alfaro at gmail.com Thu May 25 16:19:59 2006
From: felipe.alfaro at gmail.com (Felipe Alfaro Solana)
Date: Thu, 25 May 2006 18:19:59 +0200
Subject: [Fedora-directory-users] Custom forms
In-Reply-To: <4475BA39.5020507@redhat.com>
References: <772495365.20060523182059@elewise.com> <447317E9.3010603@redhat.com> <765653721.20060523194430@elewise.com> <4474D560.60501@redhat.com> <6f6293f10605250256r73cfebf0x2dee751b08458cb@mail.gmail.com> <4475BA39.5020507@redhat.com>
Message-ID: <6f6293f10605250919l6d90dc4i8b7dc26e55148618@mail.gmail.com>

> Try doing a left click on the field you want to add the value to, then
> right click on it to add the value (or use the Add Value button in the
> right hand pane).

I haven't been able to get it to work: left clicking the attribute name does nothing. However, I chose not to show all attributes, then clicked on Add Attribute and selected mailRoutingAddress from the listbox. It seems to work fine.

From robert.sanders at ipov.net Thu May 25 17:18:01 2006
From: robert.sanders at ipov.net (Robert r. Sanders)
Date: Thu, 25 May 2006 12:18:01 -0500
Subject: [Fedora-directory-users] SSHA Seed?
Message-ID: <4475E6C9.6000806@ipov.net>

We are attempting to sync (via ldap copy) the usernames and passwords of our FDS LDAP users with an OpenLDAP server. The issue we are running into is we are fairly new to FDS and can't figure out how to determine the SSHA Seed value (which we could then set as the seed on the OpenLDAP server).

I've been searching this morning and have failed to discover anything; any info would be very useful.

Thanks,

--
Robert r. Sanders
Chief Technologist
iPOV
(334) 821-5412
www.ipov.net

From mj at sci.fi Thu May 25 17:49:43 2006
From: mj at sci.fi (Mike Jackson)
Date: Thu, 25 May 2006 20:49:43 +0300
Subject: [Fedora-directory-users] SSHA Seed?
In-Reply-To: <4475E6C9.6000806@ipov.net>
References: <4475E6C9.6000806@ipov.net>
Message-ID: <4475EE37.2060007@sci.fi>

Robert r. Sanders wrote:
> We are attempting to sync (via ldap copy) the usernames and passwords of
> our FDS LDAP users with an OpenLDAP server. The issue we are running
> into is we are fairly new to FDS and can't figure out how to determine
> the SSHA Seed value (which we could then set as the seed on the OpenLDAP
> server).
>
> I've been searching this morning and have failed to discover anything;
> any info would be very useful.

Hi,
I don't think it matters what you set for a SSHA salt (seed) value on the OL side.

SHA salts only serve the purpose of ensuring that two hashes of identical data yield different output. Validating two hashes of identical data will succeed, even if they were generated with different salts, and thus look different.

BR,
--
mike

From robert.sanders at ipov.net Thu May 25 18:24:30 2006
From: robert.sanders at ipov.net (Robert r. Sanders)
Date: Thu, 25 May 2006 13:24:30 -0500
Subject: [Fedora-directory-users] SSHA Seed?
In-Reply-To: <4475EE37.2060007@sci.fi>
References: <4475E6C9.6000806@ipov.net> <4475EE37.2060007@sci.fi>
Message-ID: <4475F65E.8040900@ipov.net>

Yeah, but what I want to do is copy the HASH from one server to the other.

Mike Jackson wrote:
> Robert r. Sanders wrote:
>> We are attempting to sync (via ldap copy) the usernames and passwords
>> of our FDS LDAP users with an OpenLDAP server. The issue we are
>> running into is we are fairly new to FDS and can't figure out how to
>> determine the SSHA Seed value (which we could then set as the seed on
>> the OpenLDAP server).
>>
>> I've been searching this morning and have failed to discover
>> anything; any info would be very useful.
>
> Hi,
> I don't think it matters what you set for a SSHA salt (seed) value on
> the OL side.
>
> SHA salts only serve the purpose of ensuring that two hashes of
> identical data yield different output.
> Validating two hashes of
> identical data will succeed, even if they were generated with
> different salts, and thus look different.
>
> BR,
> --
> mike

--
Robert r. Sanders
Chief Technologist
iPOV
(334) 821-5412
www.ipov.net

From mj at sci.fi Thu May 25 18:21:25 2006
From: mj at sci.fi (Mike Jackson)
Date: Thu, 25 May 2006 21:21:25 +0300
Subject: [Fedora-directory-users] SSHA Seed?
In-Reply-To: <4475F65E.8040900@ipov.net>
References: <4475E6C9.6000806@ipov.net> <4475EE37.2060007@sci.fi> <4475F65E.8040900@ipov.net>
Message-ID: <4475F5A5.5020407@sci.fi>

Robert r. Sanders wrote:
> Yeah, but what I want to do is copy the HASH from one server to the other.
>
>
In that case, you don't need to do anything.

If you have FDS set to do hashing in SSHA, and you send a cleartext string as a userPassword modify, then FDS SSHA hashes it for you.

If you send a string prefixed with {SSHA} as a userPassword modify, FDS does not hash it for you.

--
mike

From robert.sanders at ipov.net Thu May 25 18:53:34 2006
From: robert.sanders at ipov.net (Robert r. Sanders)
Date: Thu, 25 May 2006 13:53:34 -0500
Subject: [Fedora-directory-users] SSHA Seed?
In-Reply-To: <4475F5A5.5020407@sci.fi>
References: <4475E6C9.6000806@ipov.net> <4475EE37.2060007@sci.fi> <4475F65E.8040900@ipov.net> <4475F5A5.5020407@sci.fi>
Message-ID: <4475FD2E.5030208@ipov.net>

That sounds reasonable; but it doesn't appear to work. Let me go into the details a little more:

1. FDS + Samba3 on one server with users' passwords stored as SSHA hashed values.
2. New OpenLDAP install on a different server (used by other services on that machine, and no, they won't play nice w/ an external ldap server); this server is also set up (already) to store passwords using SSHA.
3.
We want to copy the hashed password value from FDS and put it into the OpenLDAP server as the userPassword attribute for the users; however the other server is using a different sha seed, therefore when it tries to compare the value entered by the user to the stored value it fails (as it is using its own seed to re-hash the password and do the comparison).

So that's where we stand. Currently we have been told to simply set all users in the OpenLDAP to a default value and make them reset their passwords on that server if they want to.

Mike Jackson wrote:
> Robert r. Sanders wrote:
>> Yeah, but what I want to do is copy the HASH from one server to the
>> other.
>>
>>
>
> In that case, you don't need to do anything.
>
> If you have FDS set to do hashing in SSHA, and you send a cleartext
> string as a userPassword modify, then FDS SSHA hashes it for you.
>
> If you send a string prefixed with {SSHA} as a userPassword modify,
> FDS does not hash it for you.
>
> --
> mike

--
Robert r. Sanders
Chief Technologist
iPOV
(334) 821-5412
www.ipov.net

From blaze at elewise.com Fri May 26 07:30:55 2006
From: blaze at elewise.com (Pavel 'Blaze' Vinogradov)
Date: Fri, 26 May 2006 12:30:55 +0500
Subject: [Fedora-directory-users] View all groups of chosen user
Message-ID: <1265838551.20060526123055@elewise.com>

Hello General,

How in the Admin console can I view all groups which contain the current user? In the case of a static group I can do it with a simple query with a filter on the uniquemember field, but how do I do it with a dynamic group? And how can I show the result to an Admin Console user?
--
Best regards,
Pavel
mailto:blaze at elewise.com

From triswimjoe at hotmail.com Fri May 26 11:28:08 2006
From: triswimjoe at hotmail.com (Joe Sheehan)
Date: Fri, 26 May 2006 07:28:08 -0400
Subject: [Fedora-directory-users] /etc/init.d startup script issues on reboot

We are using the startup script for Fedora as shown below with the corresponding /etc/sysconfig/ns-slapd. The problem is during a reboot ns-slapd doesn't start (the run levels are set to 3,4,5). From the command line though, using this script, it starts.

In the /var/log/messages for a reboot we see
sql_select option missing
auxpropfunc error no mechanism available
ns-slapd failed

For a command line start we see
sql_select option missing
auxpropfunc error no mechanism available
ns-slapd started successfully.

Those two errors seem to be consistent with a permission problem similar to openldap but we haven't had any luck with that yet BUT is there a way to figure out why during a reboot it doesn't start besides getting a "ns-slapd failed".

Thanks (scripts below)

Joe

#!/bin/bash
# Source function library.
. /etc/init.d/functions

SLAPD_HOST=`hostname -a`
SLAPD_DIR=/opt/fedora-ds/bin/slapd/server
PIDFILE=$SLAPD_DIR/logs/pid
STARTPIDFILE=$SLAPD_DIR/logs/startpid

# Optional overrides, e.g. OPTIONS passed to ns-slapd.
if [ -f /etc/sysconfig/ns-slapd ]; then
    . /etc/sysconfig/ns-slapd
fi

start() {
    echo -n "Starting Fedora Directory Server: "
    # Refuse to start while a pid file (startup or running) exists.
    if [ -f "$STARTPIDFILE" ]; then
        PID=`cat "$STARTPIDFILE"`
        echo ns-slapd already running: $PID
        exit 2
    elif [ -f "$PIDFILE" ]; then
        PID=`cat "$PIDFILE"`
        echo ns-slapd already running: $PID
        exit 2
    else
        echo Here we go...
        cd "$SLAPD_DIR"
        daemon ./ns-slapd $OPTIONS
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/ns-slapd
        return $RETVAL
    fi
}

stop() {
    echo -n "Shutting down Fedora Directory Server: "
    echo
    killproc ns-slapd
    echo
    rm -f /var/lock/subsys/ns-slapd
    return 0
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    status)
        status ns-slapd
        ;;
    restart)
        stop
        start
        ;;
    *)
        echo "Usage: {start|stop|status|restart}"
        exit 1
        ;;
esac
exit $?
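Two helpers a hardened version of the script above could source, added here as an example (not Joe's script and not part of Fedora DS): the first replaces the bare `-f $PIDFILE` test, which treats a pid file left over from an unclean shutdown as "already running", with a liveness check, and the second records why `ns-slapd` exited when it fails at boot, where only "ns-slapd failed" reaches /var/log/messages. The pid file layout is taken from the script; that ns-slapd reports its reason on stderr is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post or the Fedora DS project.
# Assumed: pid files live at $SLAPD_DIR/logs/pid and logs/startpid as in the
# init script above, and a failing ns-slapd explains itself on stderr.

# pidfile_state FILE
#   Prints "none" (no file), "stale" (no live PID inside) or "running".
#   The init script above only tests "-f $PIDFILE", so a stale file makes
#   it report "already running" and never start the server.
pidfile_state() {
    _file=$1
    [ -f "$_file" ] || { echo none; return 0; }
    _pid=$(head -n 1 "$_file" 2>/dev/null | tr -d '[:space:]')
    case $_pid in
        ''|*[!0-9]*) echo stale; return 0 ;;   # empty or non-numeric content
    esac
    if kill -0 "$_pid" 2>/dev/null; then
        echo running
    else
        echo stale
    fi
}

# clear_stale_pidfile FILE
#   Removes FILE only when it is stale; returns 1 when a live process owns
#   it so the caller can still refuse to double-start.
clear_stale_pidfile() {
    case $(pidfile_state "$1") in
        running) return 1 ;;
        stale)   rm -f "$1" ;;
    esac
    return 0
}

# run_logged LOG CMD [ARG...]
#   Runs CMD with stdout and stderr appended to LOG, preceded by the facts
#   that usually differ between a boot-time start and a shell start (uid,
#   cwd, umask, PATH).  Returns CMD's exit status, so the init script keeps
#   the same RETVAL but the reason for a failure is on disk afterwards.
run_logged() {
    _log=$1; shift
    {
        echo "=== $(date) start: $*"
        echo "uid=$(id -u) cwd=$(pwd) umask=$(umask)"
        echo "PATH=$PATH"
    } >>"$_log"
    "$@" >>"$_log" 2>&1
    _rc=$?
    echo "=== exit status $_rc" >>"$_log"
    return $_rc
}
```

In the script's start() the two "-f" branches would become a single `clear_stale_pidfile "$PIDFILE" || { echo "already running"; exit 2; }` and the daemon line `run_logged "$SLAPD_DIR/logs/start.log" ./ns-slapd $OPTIONS`, so a boot-time failure leaves its stderr in logs/start.log.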
From Paul.Clayton at intecbilling.com Fri May 26 11:58:51 2006
From: Paul.Clayton at intecbilling.com (Paul Clayton)
Date: Fri, 26 May 2006 13:58:51 +0200
Subject: [Fedora-directory-users] /etc/init.d startup script issues on reboot

Have tried running the command as ./slapd-`hostname` in your /opt/fedora_ds directory.

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Joe Sheehan
Sent: 26 May 2006 01:28 PM
To: fedora-directory-users at redhat.com
Subject: [Fedora-directory-users] /etc/init.d startup script issues on reboot

We are using the startup script for Fedora as shown below with the corresponding /etc/sysconfig/ns-slapd. The problem is during a reboot ns-slapd doesn't start (the run levels are set to 3,4,5). From the command line though, using this script, it starts.

In the /var/log/messages for a reboot we see
sql_select option missing
auxpropfunc error no mechanism available
ns-slapd failed

For a command line start we see
sql_select option missing
auxpropfunc error no mechanism available
ns-slapd started successfully.

Those two errors seem to be consistent with a permission problem similar to openldap but we haven't had any luck with that yet BUT is there a way to figure out why during a reboot it doesn't start besides getting a "ns-slapd failed".

Thanks (scripts below)

Joe

# Source function library.
. /etc/init.d/functions

SLAPD_HOST=`hostname -a`
SLAPD_DIR=/opt/fedora-ds/bin/slapd/server
PIDFILE=$SLAPD_DIR/logs/pid
STARTPIDFILE=$SLAPD_DIR/logs/startpid

if [ -f /etc/sysconfig/ns-slapd ]; then
    . /etc/sysconfig/ns-slapd
fi

start() {
    echo -n "Starting Fedora Directory Server: "
    if [ -f $STARTPIDFILE ]; then
        PID=`cat $STARTPIDFILE`
        echo ns-slapd already running: $PID
        exit 2;
    elif [ -f $PIDFILE ]; then
        PID=`cat $PIDFILE`
        echo ns-slapd already running: $PID
        exit 2;
    else
        echo Here we go...
        cd $SLAPD_DIR
        daemon ./ns-slapd $OPTIONS
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/ns-slapd
        return $RETVAL
    fi
}

stop() {
    echo -n "Shutting down Fedora Directory Server: "
    echo
    killproc ns-slapd
    echo
    rm -f /var/lock/subsys/ns-slapd
    return 0
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    status)
        status ns-slapd
        ;;
    restart)
        stop
        start
        ;;
    *)
        echo "Usage: {start|stop|status|restart}"
        exit 1
        ;;
esac
exit $?

From triswimjoe at hotmail.com Fri May 26 13:23:41 2006
From: triswimjoe at hotmail.com (Joe Sheehan)
Date: Fri, 26 May 2006 09:23:41 -0400
Subject: [Fedora-directory-users] /etc/init.d startup script issues onreboot

Little confused - do you mean in the directory /opt/fedora-ds/slapd-'hostname' - run ./start-slapd

If so I've done that and it works on the command line - I still receive a failure during reboot using that command within my startup script. Trying to get more info out of the ldap during reboot but all I receive is a failure statement.

>From: "Paul Clayton"
>Reply-To: "General discussion list for the Fedora Directory server
>project."
>To: "General discussion list for the Fedora Directory server project."
>
>Subject: RE: [Fedora-directory-users] /etc/init.d startup script issues
>onreboot
>Date: Fri, 26 May 2006 13:58:51 +0200
>
>Have tried running the command as ./slapd-`hostname` in your
>/opt/fedora_ds directory.
>
>-----Original Message-----
>From: fedora-directory-users-bounces at redhat.com
>[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Joe
>Sheehan
>Sent: 26 May 2006 01:28 PM
>To: fedora-directory-users at redhat.com
>Subject: [Fedora-directory-users] /etc/init.d startup script issues on
>reboot
>
>We are using the startup script for Fedora as shown below with the
>corresponding /etc/sysconfig/ns-slapd The problem is during a reboot
>ns-slapd doesn't start. (the run levels are set to 3,4,5).
>From the command line though using this script it starts.
>
>In the /var/log/messages for a reboot we see
>sql_select option missing
>auxpropfunc error no mechanism available
>ns-slapd failed
>
>For a command line start we see
>sql_select option missing
>auxpropfunc error no mechanism available
>ns-slapd started successfully.
>
>Those two errors seem to be consistent with a permission problem similar to
>
>openldap
>but we haven't had any luck with that yet BUT is there a way to figure
>out
>why during a reboot it doesn't start besides getting a "ns-slapd
>failed".
>
>Thanks (scripts below)
>
>Joe
># Source function library.
>. /etc/init.d/functions
>
>SLAPD_HOST=`hostname -a`
>SLAPD_DIR=/opt/fedora-ds/bin/slapd/server
>PIDFILE=$SLAPD_DIR/logs/pid
>STARTPIDFILE=$SLAPD_DIR/logs/startpid
>
>if [ -f /etc/sysconfig/ns-slapd ]; then
>    . /etc/sysconfig/ns-slapd
>fi
>
>
>start() {
>    echo -n "Starting Fedora Directory Server: "
>    if [ -f $STARTPIDFILE ]; then
>        PID=`cat $STARTPIDFILE`
>        echo ns-slapd already running: $PID
>        exit 2;
>    elif [ -f $PIDFILE ]; then
>        PID=`cat $PIDFILE`
>        echo ns-slapd already running: $PID
>        exit 2;
>    else
>        echo Here we go...
>        cd $SLAPD_DIR
>        daemon ./ns-slapd $OPTIONS
>        RETVAL=$?
>        echo
>        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/ns-slapd
>        return $RETVAL
>    fi
>
>}
>
>stop() {
>    echo -n "Shutting down Fedora Directory Server: "
>    echo
>    killproc ns-slapd
>    echo
>    rm -f /var/lock/subsys/ns-slapd
>    return 0
>}
>
>case "$1" in
>    start)
>        start
>        ;;
>    stop)
>        stop
>        ;;
>    status)
>        status ns-slapd
>        ;;
>    restart)
>        stop
>        start
>        ;;
>    *)
>        echo "Usage: {start|stop|status|restart}"
>        exit 1
>        ;;
>esac
>exit $?
>

From Paul.Clayton at intecbilling.com Fri May 26 13:28:24 2006
From: Paul.Clayton at intecbilling.com (Paul Clayton)
Date: Fri, 26 May 2006 15:28:24 +0200
Subject: [Fedora-directory-users] /etc/init.d startup script issuesonreboot

Apologies, blonde moment here. That was what I meant.

Have you thought of simplifying your script?
Do you see any messages that your script is being acted upon? By this I mean taking out variables and putting in full paths to where you want to go. cheers -----Original Message----- From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Joe Sheehan Sent: 26 May 2006 03:24 PM To: fedora-directory-users at redhat.com Subject: RE: [Fedora-directory-users] /etc/init.d startup script issuesonreboot Little confused - do you mean in the directory /opt/fedora-ds/slapd-'hostname' - run ./start-slapd? If so I've done that and it works on the command line - I still receive a failure during reboot using that command within my startup script. Trying to get more info out of the ldap during reboot but all I receive is a failure statement. >From: "Paul Clayton" >Reply-To: "General discussion list for the Fedora Directory server >project." >To: "General discussion list for the Fedora Directory server project." > >Subject: RE: [Fedora-directory-users] /etc/init.d startup script issues >onreboot >Date: Fri, 26 May 2006 13:58:51 +0200 > >Have tried running the command as ./slapd-`hostname` in your >/opt/fedora_ds directory. > >-----Original Message----- >From: fedora-directory-users-bounces at redhat.com >[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Joe >Sheehan >Sent: 26 May 2006 01:28 PM >To: fedora-directory-users at redhat.com >Subject: [Fedora-directory-users] /etc/init.d startup script issues on >reboot > >We are using the startup script for Fedora as shown below with the >corresponding /etc/sysconfig/ns-slapd The problem is during a reboot >ns-slapd doesn't start. (the run levels are set to 3,4,5). > >From the command line though using this script it starts.
> >In the /var/log/messages for a reboot we see sql_select option missing >auxpropfunc error no mechanism available ns-slapd failed > >For a command line start we see >sql_select option missing >auxpropfunc error no mechanism available ns-slapd started successfully. > >Those two errors seem to be consist with a permission problem similar >to > >openldap >but we haven't had any luck with that yet BUT is there a way to figure >out why during a reboot it doesn't start besides getting a "ns-slapd >failed". > >Thanks (scripts below) > >Joe ># Source function library. >. /etc/init.d/functions > >SLAPD_HOST=`hostname -a` >SLAPD_DIR=/opt/fedora-ds/bin/slapd/server >PIDFILE=$SLAPD_DIR/logs/pid >STARTPIDFILE=$SLAPD_DIR/logs/startpid > >if [ -f /etc/sysconfig/ns-slapd ]; then > . /etc/sysconfig/ns-slapd >fi > > >start() { > echo -n "Starting Fedora Directory Server: " > if [ -f $STARTPIDFILE ]; then > PID=`cat $STARTPIDFILE` > echo ns-slapd already running: $PID > exit 2; > elif [ -f $PIDFILE ]; then > PID=`cat $PIDFILE` > echo ns-slapd already running: $PID > exit 2; > else > echo Here we go... > cd $SLAPD_DIR > daemon ./ns-slapd $OPTIONS > RETVAL=$? > echo > [ $RETVAL -eq 0 ] && touch /var/lock/subsys/ns-slapd > return $RETVAL > fi > >} > >stop() { > echo -n "Shutting down Fedora Directory Server: " > echo > killproc ns-slapd > echo > rm -f /var/lock/subsys/ns-slapd > return 0 >} > >case "$1" in > start) > start > ;; > stop) > stop > ;; > status) > status ns-slapd > ;; > restart) > stop > start > ;; > *) > echo "Usage: {start|stop|status|restart}" > exit 1 > ;; >esac >exit $? > > >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users >-------------------------------------------------------- > >This e-mail and any attachments are confidential and may also be >legally privileged and/or copyright material of Intec Telecom Systems >PLC (or its affiliated companies). 
If you are not an intended or >authorised recipient of this e-mail or have received it in error, >please delete it immediately and notify the sender by e-mail. In such a >case, reading, reproducing, printing or further dissemination of this >e-mail or its contents is strictly prohibited and may be unlawful. >Intec Telecom Systems PLC does not represent or warrant that an >attachment hereto is free from computer viruses or other defects. The >opinions expressed in this e-mail and any attachments may be those of >the author and are not necessarily those of Intec Telecom Systems PLC. > >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users -- Fedora-directory-users mailing list Fedora-directory-users at redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users From logastellus at yahoo.com Fri May 26 14:07:56 2006 From: logastellus at yahoo.com (Susan) Date: Fri, 26 May 2006 07:07:56 -0700 (PDT) Subject: [Fedora-directory-users] View all groups of chosen user In-Reply-To: <1265838551.20060526123055@elewise.com> Message-ID: <20060526140757.36969.qmail@web52901.mail.yahoo.com> what if you do this: ldapsearch -b ou=groups,dc=company,dc=com memberuid=joeshmoe dn ? --- Pavel 'Blaze' Vinogradov wrote: > Hello General, > > How can I view in the Admin Console all groups which contain the current user? In > the case of a static group I can do it with a simple query with a filter on the > uniquemember field, but how do I do it with a dynamic group? > And how can I show the result to the Admin Console user? > > -- > Best regards, > Pavel mailto:blaze at elewise.com > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users >
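An added example, not from Susan's or Pavel's mails: Susan's one-liner covers the static case, but a dynamic group (objectClass groupOfURLs) carries no member list at all, only a memberURL, so the only way to know whether a user is in it is to run that URL's filter against the user. The script below reads an LDIF dump of the groups subtree on stdin (the sample is constructed, not real data; the base dc=company,dc=com is Susan's), prints the static groups that contain the user, and for each dynamic group emits the ldapsearch that returns the user's entry only if the user is under the URL's base, within its scope and matches its filter, i.e. only if the user is a member. It assumes an unfolded LDIF (no continuation lines, no base64 values) and ldap:/// URLs without percent-encoding; bind options (-D/-w) are left to the caller.

```sh
#!/bin/sh
# Added example (not from the thread): find the groups a user belongs to from an
# LDIF dump of ou=groups, including dynamic groups defined by memberURL.
# Usage: ldapsearch -b ou=groups,dc=company,dc=com objectclass=* | groups_of_user USER USERDN
# Assumes unfolded LDIF without base64 ("attr::") values.

# memberurl_check_cmd URL USER: turn an RFC 4516 URL  ldap:///BASE?ATTRS?SCOPE?FILTER
# into the ldapsearch that finds the user's entry only if the user is under BASE,
# within SCOPE and matches FILTER, i.e. only if the user is a member of the group.
memberurl_check_cmd() {
    url=$1 user=$2
    rest=${url#ldap://}                 # drop scheme
    rest=${rest#*/}                     # drop (normally empty) host part
    base=${rest%%\?*};   rest=${rest#"$base"};  rest=${rest#\?}
    attrs=${rest%%\?*};  rest=${rest#"$attrs"}; rest=${rest#\?}
    scope=${rest%%\?*};  rest=${rest#"$scope"}; rest=${rest#\?}
    filter=${rest%%\?*}
    [ -n "$scope" ]  || scope=base                # RFC 4516 defaults
    [ -n "$filter" ] || filter='(objectClass=*)'
    printf "ldapsearch -b '%s' -s %s '(&%s(uid=%s))' dn\n" "$base" "$scope" "$filter" "$user"
}

# groups_of_user USER USERDN < groups.ldif
# Prints "static<TAB>groupdn" for memberUid/uniqueMember/member matches and
# "dynamic<TAB>groupdn<TAB>ldapsearch ..." for every memberURL.
groups_of_user() {
    tab=$(printf '\t')
    awk -v user="$1" -v userdn="$2" '
        # DN comparison: case-insensitive, spaces after commas ignored
        function norm(s) { s = tolower(s); gsub(/,[ \t]+/, ",", s); return s }
        function flush(  i) {
            if (dn != "") {
                if (hit) print "static\t" dn
                for (i = 1; i <= nurl; i++) print "dynamic\t" dn "\t" url[i]
            }
            dn = ""; hit = 0; nurl = 0
        }
        /^$/ { flush(); next }
        /^#/ { next }
        {
            i = index($0, ": "); if (i == 0) next     # skips "attr::" (base64) lines
            attr = tolower(substr($0, 1, i - 1)); val = substr($0, i + 2)
            if (attr == "dn")                                    { flush(); dn = val }
            else if (attr == "memberuid")                        { if (val == user) hit = 1 }
            else if (attr == "uniquemember" || attr == "member") { if (norm(val) == norm(userdn)) hit = 1 }
            else if (attr == "memberurl")                        { url[++nurl] = val }
        }
        END { flush() }
    ' |
    while IFS="$tab" read -r kind dn url; do
        case $kind in
            static)  printf 'static\t%s\n' "$dn" ;;
            dynamic) printf 'dynamic\t%s\t%s\n' "$dn" "$(memberurl_check_cmd "$url" "$1")" ;;
        esac
    done
}

# Constructed sample: two static groups with the user, one dynamic group, one group without the user.
sample_groups_ldif() {
    cat <<'EOF'
dn: cn=admins,ou=groups,dc=company,dc=com
objectClass: groupOfUniqueNames
cn: admins
uniqueMember: uid=joeshmoe, ou=People, dc=company, dc=com
uniqueMember: uid=alice,ou=People,dc=company,dc=com

dn: cn=unixusers,ou=groups,dc=company,dc=com
objectClass: posixGroup
cn: unixusers
memberUid: alice
memberUid: joeshmoe

dn: cn=billing,ou=groups,dc=company,dc=com
objectClass: groupOfURLs
cn: billing
memberURL: ldap:///ou=People,dc=company,dc=com??sub?(departmentNumber=42)

dn: cn=auditors,ou=groups,dc=company,dc=com
objectClass: groupOfUniqueNames
cn: auditors
uniqueMember: uid=alice,ou=People,dc=company,dc=com
EOF
}

sample_groups_ldif | groups_of_user joeshmoe 'uid=joeshmoe,ou=People,dc=company,dc=com'
```

Run against the sample it lists admins and unixusers as static hits and, for billing, prints ldapsearch -b 'ou=People,dc=company,dc=com' -s sub '(&(departmentNumber=42)(uid=joeshmoe))' dn; an entry coming back from that search means the user is a member. The (&...(uid=USER)) conjunction is the whole trick: it keeps the group's own filter, base and scope intact and only narrows the result to the one user.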
From triswimjoe at hotmail.com Fri May 26 14:31:05 2006 From: triswimjoe at hotmail.com (Joe Sheehan) Date: Fri, 26 May 2006 10:31:05 -0400 Subject: [Fedora-directory-users] /etc/init.d startup script issuesonreboot In-Reply-To: Message-ID: Yeah, I'm now going through the methodical approach of taking everything out of the script except the echos and then putting it back together piece by piece - just strange that using the same script via the command line would give me the same failure. Joe >From: "Paul Clayton" >Reply-To: "General discussion list for the Fedora Directory server >project." >To: "General discussion list for the Fedora Directory server project." > >Subject: RE: [Fedora-directory-users] /etc/init.d startup script >issuesonreboot >Date: Fri, 26 May 2006 15:28:24 +0200 > >Apologies, blonde moment here. That was what I meant. Have you thought >of simplifying your script? Do you see any messages that your script is >being acted upon? By this I mean taking out variables and putting in >full paths to where you want to go. > >cheers > >-----Original Message----- >From: fedora-directory-users-bounces at redhat.com >[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Joe >Sheehan >Sent: 26 May 2006 03:24 PM >To: fedora-directory-users at redhat.com >Subject: RE: [Fedora-directory-users] /etc/init.d startup script >issuesonreboot > >Little confused - do you mean in the directory >/opt/fedora-ds/slapd-'hostname' - run ./start-slapd? If so I've done that >and it works on the command line - I still receive a failure during reboot >using that command within my startup script. Trying to get more info out >of the ldap during reboot but all I receive is a failure statement. > > > >From: "Paul Clayton" > >Reply-To: "General discussion list for the Fedora Directory server > >project." > >To: "General discussion list for the Fedora Directory server project."
> > > >Subject: RE: [Fedora-directory-users] /etc/init.d startup script issues > > >onreboot > >Date: Fri, 26 May 2006 13:58:51 +0200 > > > >Have tried running the command as ./slapd-`hostname` in your > >/opt/fedora_ds directory. > > > >-----Original Message----- > >From: fedora-directory-users-bounces at redhat.com > >[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Joe > >Sheehan > >Sent: 26 May 2006 01:28 PM > >To: fedora-directory-users at redhat.com > >Subject: [Fedora-directory-users] /etc/init.d startup script issues on > >reboot > > > >We are using the startup script for Fedora as shown below with the > >corresponding /etc/sysconfig/ns-slapd The problem is during a reboot > >ns-slapd doesn't start. (the run levels are set to 3,4,5). > > >From the command line though using this script it starts. > > > >In the /var/log/messages for a reboot we see sql_select option missing > >auxpropfunc error no mechanism available ns-slapd failed > > > >For a command line start we see > >sql_select option missing > >auxpropfunc error no mechanism available ns-slapd started successfully. > > > >Those two errors seem to be consist with a permission problem similar > >to > > > >openldap > >but we haven't had any luck with that yet BUT is there a way to figure > >out why during a reboot it doesn't start besides getting a "ns-slapd > >failed". > > > >Thanks (scripts below) > > > >Joe > ># Source function library. > >. /etc/init.d/functions > > > >SLAPD_HOST=`hostname -a` > >SLAPD_DIR=/opt/fedora-ds/bin/slapd/server > >PIDFILE=$SLAPD_DIR/logs/pid > >STARTPIDFILE=$SLAPD_DIR/logs/startpid > > > >if [ -f /etc/sysconfig/ns-slapd ]; then > > . 
/etc/sysconfig/ns-slapd > >fi > > > > > >start() { > > echo -n "Starting Fedora Directory Server: " > > if [ -f $STARTPIDFILE ]; then > > PID=`cat $STARTPIDFILE` > > echo ns-slapd already running: $PID > > exit 2; > > elif [ -f $PIDFILE ]; then > > PID=`cat $PIDFILE` > > echo ns-slapd already running: $PID > > exit 2; > > else > > echo Here we go... > > cd $SLAPD_DIR > > daemon ./ns-slapd $OPTIONS > > RETVAL=$? > > echo > > [ $RETVAL -eq 0 ] && touch /var/lock/subsys/ns-slapd > > return $RETVAL > > fi > > > >} > > > >stop() { > > echo -n "Shutting down Fedora Directory Server: " > > echo > > killproc ns-slapd > > echo > > rm -f /var/lock/subsys/ns-slapd > > return 0 > >} > > > >case "$1" in > > start) > > start > > ;; > > stop) > > stop > > ;; > > status) > > status ns-slapd > > ;; > > restart) > > stop > > start > > ;; > > *) > > echo "Usage: {start|stop|status|restart}" > > exit 1 > > ;; > >esac > >exit $? > > > > > >-- > >Fedora-directory-users mailing list > >Fedora-directory-users at redhat.com > >https://www.redhat.com/mailman/listinfo/fedora-directory-users > >-------------------------------------------------------- > > > >This e-mail and any attachments are confidential and may also be > >legally privileged and/or copyright material of Intec Telecom Systems > >PLC (or its affiliated companies). If you are not an intended or > >authorised recipient of this e-mail or have received it in error, > >please delete it immediately and notify the sender by e-mail. In such a > > >case, reading, reproducing, printing or further dissemination of this > >e-mail or its contents is strictly prohibited and may be unlawful. > >Intec Telecom Systems PLC does not represent or warrant that an > >attachment hereto is free from computer viruses or other defects. The > >opinions expressed in this e-mail and any attachments may be those of > >the author and are not necessarily those of Intec Telecom Systems PLC. 
> > > >-- > >Fedora-directory-users mailing list > >Fedora-directory-users at redhat.com > >https://www.redhat.com/mailman/listinfo/fedora-directory-users > > >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users > >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users From Paul.Clayton at intecbilling.com Fri May 26 14:32:58 2006 From: Paul.Clayton at intecbilling.com (Paul Clayton) Date: Fri, 26 May 2006 16:32:58 +0200 Subject: [Fedora-directory-users] /etc/init.d startup script issuesonreboot Message-ID: Something rings a bell here that the DAEMON command might be your problem. I recall having a similar issue, but don't know what I did to fix it. Does the startup script not have to be registered as an active available script?
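An added example, not Joe's script and not Fedora DS's own start-slapd: two pieces a startup script for this setup could use. pidfile_alive checks that the pid in logs/pid belongs to a live process instead of treating the file's mere existence as "already running" (Joe's script exits 2 whenever logs/pid or logs/startpid exists, which a stale file left by an unclean shutdown would trigger). start_slapd addresses Joe's "how do I find out why it fails at boot" question: it records the environment the start script ran under and the script's exit status in a log file, so that a start which works from an interactive shell but not at boot can be compared on the usual suspects (PATH, LD_LIBRARY_PATH, umask, working directory, uid). It assumes the instance directory /opt/fedora-ds/slapd-<hostname> with the vendor start-slapd inside it, as Joe describes, and a log path of my choosing under /var/log.

```sh
#!/bin/sh
# Added example (not Joe's script, not Fedora DS code): a liveness-aware pid check
# and a start wrapper that leaves a diagnostic trail when ns-slapd fails at boot.
# Assumed paths: /opt/fedora-ds/slapd-<hostname>/start-slapd (the vendor start
# script Joe mentions) and a log file of my choosing under /var/log.
PATH=/sbin:/usr/sbin:/bin:/usr/bin; export PATH
INSTANCE_DIR=${INSTANCE_DIR:-/opt/fedora-ds/slapd-$(hostname 2>/dev/null || echo localhost)}
BOOT_LOG=${BOOT_LOG:-/var/log/ns-slapd-boot.log}

# pidfile_alive FILE: 0 if FILE names a process that exists, 1 otherwise.
# A missing, empty, garbage or stale pidfile all count as "not running", so a
# leftover logs/pid cannot block the next start. (kill -0 needs to run as root
# or as the owner of the process; at boot the script is root.)
pidfile_alive() {
    [ -r "$1" ] || return 1
    pid=$(tr -dc '0-9' < "$1")
    [ -n "$pid" ] || return 1
    kill -0 "$pid" 2>/dev/null
}

# start_slapd: run the vendor start script, appending the environment it saw
# and its exit status to BOOT_LOG. After a failed boot the log shows what
# differed from the interactive shell in which the same command works.
start_slapd() {
    if pidfile_alive "$INSTANCE_DIR/logs/pid"; then
        echo "ns-slapd already running, pid $(tr -dc '0-9' < "$INSTANCE_DIR/logs/pid")"
        return 0
    fi
    {
        echo "=== $(date) start attempt: uid=$(id -u) umask=$(umask) cwd=$(pwd)"
        echo "LD_LIBRARY_PATH=${LD_LIBRARY_PATH:-<unset>}"
        env | sort
    } >>"$BOOT_LOG" 2>&1
    "$INSTANCE_DIR/start-slapd" >>"$BOOT_LOG" 2>&1
    rc=$?
    echo "=== start-slapd exit status $rc" >>"$BOOT_LOG"
    return $rc
}

case ${1:-} in
    start)  start_slapd ;;
    status) if pidfile_alive "$INSTANCE_DIR/logs/pid"; then echo running; else echo stopped; fi ;;
esac
```

Called as "start" from an init script, the first thing to read after a failed reboot is the "exit status" line and the environment dump above it; a library or SASL plugin that loads fine from a login shell and not from the boot environment shows up there as a missing LD_LIBRARY_PATH or PATH entry rather than as a bare "failed".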
From sam.smith at ece.gatech.edu Fri May 26 14:52:53 2006 From: sam.smith at ece.gatech.edu (Sam Smith) Date: Fri, 26 May 2006 10:52:53 -0400 Subject: [Fedora-directory-users] solaris, dtlogin, and FDS In-Reply-To: References: Message-ID: <44771645.4090401@ece.gatech.edu> I have a bunch of fully patched and up-to-date Solaris 2.9 machines, using an FDS ldap server.
I just converted them over from NIS, thanks to the help from the documentation on the web site. I can log in at the command line, I can ssh to them, I thought everything was working great. But when I sit down in front of the console, and try to log in with dtlogin to CDE (the gui), it kicks me out. It's using the "other" lines from my pam.conf, which look like this: # # Default definitions for Authentication management # Used when service name is not explicitly mentioned for authentication # other auth requisite pam_authtok_get.so.1 other auth required pam_dhkeys.so.1 other auth binding pam_unix_auth.so.1 server_policy other auth required pam_ldap.so.1 If I look at the log file in the FDS server ("access"), everything looks fine. Has anyone else had a problem with dtlogin? Thanks for any help, Sam From Paul.Clayton at intecbilling.com Fri May 26 14:56:23 2006 From: Paul.Clayton at intecbilling.com (Paul Clayton) Date: Fri, 26 May 2006 16:56:23 +0200 Subject: [Fedora-directory-users] solaris, dtlogin, and FDS Message-ID: Yep. Busy with it right now. Got the same issue. Seems telnet, ftp, rlogin work ok, but not dtlogin. I am thinking maybe dtlogin needs a special authentication section in the pam.conf file. -----Original Message----- From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Sam Smith Sent: 26 May 2006 04:53 PM To: General discussion list for the Fedora Directory server project. Subject: [Fedora-directory-users] solaris, dtlogin, and FDS I have a bunch of fully patched and up-to-date Solaris 2.9 machines, using an FDS ldap server. I just converted them over from NIS, thanks to the help from the documentation on the web site. I can log in at the command line, I can ssh to them, I thought everything was working great. But when I sit down in front of the console, and try to log in with dtlogin to CDE (the gui), it kicks me out.
It's using the "other" lines from my pam.conf, which look like this: # # Default definitions for Authentication management # Used when service name is not explicitly mentioned for authentication # other auth requisite pam_authtok_get.so.1 other auth required pam_dhkeys.so.1 other auth binding pam_unix_auth.so.1 server_policy other auth required pam_ldap.so.1 If I look at the log file in the FDS server ("access"), everything looks fine. Has anyone else had a problem with dtlogin? Thanks for any help, Sam -- Fedora-directory-users mailing list Fedora-directory-users at redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------------------------------------------------- This e-mail and any attachments are confidential and may also be legally privileged and/or copyright material of Intec Telecom Systems PLC (or its affiliated companies). If you are not an intended or authorised recipient of this e-mail or have received it in error, please delete it immediately and notify the sender by e-mail. In such a case, reading, reproducing, printing or further dissemination of this e-mail or its contents is strictly prohibited and may be unlawful. Intec Telecom Systems PLC does not represent or warrant that an attachment hereto is free from computer viruses or other defects. The opinions expressed in this e-mail and any attachments may be those of the author and are not necessarily those of Intec Telecom Systems PLC. 
From logastellus at yahoo.com Fri May 26 15:06:41 2006 From: logastellus at yahoo.com (Susan) Date: Fri, 26 May 2006 08:06:41 -0700 (PDT) Subject: [Fedora-directory-users] solaris, dtlogin, and FDS In-Reply-To: <44771645.4090401@ece.gatech.edu> Message-ID: <20060526150641.66048.qmail@web52904.mail.yahoo.com> I have this and my dtlogin works fine: # Default definitions for Authentication management # Used when service name is not explicitly mentioned for authentication # other auth requisite pam_authtok_get.so.1 other auth required pam_dhkeys.so.1 other auth required pam_unix_cred.so.1 other auth sufficient pam_unix_auth.so.1 other auth required pam_ldap.so.1 # --- Sam Smith wrote: > I have a bunch of fully patched and up-to-date Solaris 2.9 machines, > using an FDS ldap server. I just converted them over from NIS, thanks to > the help from the documentation on the web site. > > I can login at the command line, I can ssh to them, I thought everything > was working great. > > But when I sit down in front of the console, and try to login with > dtlogin to CDE (the gui), it kicks me out. > > It's using the "other" lines from my pam.conf, which look like this: > > # > # Default definitions for Authentication management > # Used when service name is not explicitly mentioned for authentication > # > other auth requisite pam_authtok_get.so.1 > other auth required pam_dhkeys.so.1 > other auth binding pam_unix_auth.so.1 server_policy > other auth required pam_ldap.so.1 > > If I look at the log file in the FDS server ("access"), everything looks > fine. > > Has anyone else had a problem with dtlogin? > > Thanks for any help, > Sam > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! 
Mail has the best spam protection around http://mail.yahoo.com From Paul.Clayton at intecbilling.com Fri May 26 15:17:02 2006 From: Paul.Clayton at intecbilling.com (Paul Clayton) Date: Fri, 26 May 2006 17:17:02 +0200 Subject: [Fedora-directory-users] solaris, dtlogin, and FDS Message-ID: But can you use files based users with this method 'cause I can't. -----Original Message----- From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Susan Sent: 26 May 2006 05:07 PM To: General discussion list for the Fedora Directory server project. Subject: Re: [Fedora-directory-users] solaris, dtlogin, and FDS I have this and my dtlogin works fine: # Default definitions for Authentication management # Used when service name is not explicitly mentioned for authentication # other auth requisite pam_authtok_get.so.1 other auth required pam_dhkeys.so.1 other auth required pam_unix_cred.so.1 other auth sufficient pam_unix_auth.so.1 other auth required pam_ldap.so.1 # --- Sam Smith wrote: > I have a bunch of fully patched and up-to-date Solaris 2.9 machines, > using an FDS ldap server. I just converted them over from NIS, thanks > to the help from the documentation on the web site. > > I can login at the command line, I can ssh to them, I thought > everything was working great. > > But when I sit down in front of the console, and try to login with > dtlogin to CDE (the gui), it kicks me out. > > It's using the "other" lines from my pam.conf, which look like this: > > # > # Default definitions for Authentication management # Used when > service name is not explicitly mentioned for authentication # > other auth requisite pam_authtok_get.so.1 > other auth required pam_dhkeys.so.1 > other auth binding pam_unix_auth.so.1 server_policy > other auth required pam_ldap.so.1 > > If I look at the log file in the FDS server ("access"), everything > looks fine. > > Has anyone else had a problem with dtlogin? 
> > Thanks for any help, > Sam > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com -- Fedora-directory-users mailing list Fedora-directory-users at redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------------------------------------------------- This e-mail and any attachments are confidential and may also be legally privileged and/or copyright material of Intec Telecom Systems PLC (or its affiliated companies). If you are not an intended or authorised recipient of this e-mail or have received it in error, please delete it immediately and notify the sender by e-mail. In such a case, reading, reproducing, printing or further dissemination of this e-mail or its contents is strictly prohibited and may be unlawful. Intec Telecom Systems PLC does not represent or warrant that an attachment hereto is free from computer viruses or other defects. The opinions expressed in this e-mail and any attachments may be those of the author and are not necessarily those of Intec Telecom Systems PLC. From Paul.Clayton at intecbilling.com Fri May 26 15:33:40 2006 From: Paul.Clayton at intecbilling.com (Paul Clayton) Date: Fri, 26 May 2006 17:33:40 +0200 Subject: [Fedora-directory-users] solaris, dtlogin, and FDS Message-ID: Try this option on the pam.conf file. 
dtlogin auth sufficient pam_unix.so.1 try_first_pass dtlogin auth sufficient pam_ldap.so.1 dtlogin account requisite pam_roles.so.1 dtlogin account sufficient pam_projects.so.1 dtlogin account sufficient pam_unix.so.1 try_first_pass dtlogin account sufficient pam_ldap.so.1 -----Original Message----- From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Paul Clayton Sent: 26 May 2006 05:17 PM To: General discussion list for the Fedora Directory server project. Subject: RE: [Fedora-directory-users] solaris, dtlogin, and FDS But can you use files based users with this method 'cause I can't. -----Original Message----- From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Susan Sent: 26 May 2006 05:07 PM To: General discussion list for the Fedora Directory server project. Subject: Re: [Fedora-directory-users] solaris, dtlogin, and FDS I have this and my dtlogin works fine: # Default definitions for Authentication management # Used when service name is not explicitly mentioned for authentication # other auth requisite pam_authtok_get.so.1 other auth required pam_dhkeys.so.1 other auth required pam_unix_cred.so.1 other auth sufficient pam_unix_auth.so.1 other auth required pam_ldap.so.1 # --- Sam Smith wrote: > I have a bunch of fully patched and up-to-date Solaris 2.9 machines, > using an FDS ldap server. I just converted them over from NIS, thanks > to the help from the documentation on the web site. > > I can login at the command line, I can ssh to them, I thought > everything was working great. > > But when I sit down in front of the console, and try to login with > dtlogin to CDE (the gui), it kicks me out. 
> > It's using the "other" lines from my pam.conf, which look like this: > > # > # Default definitions for Authentication management # Used when > service name is not explicitly mentioned for authentication # > other auth requisite pam_authtok_get.so.1 > other auth required pam_dhkeys.so.1 > other auth binding pam_unix_auth.so.1 server_policy > other auth required pam_ldap.so.1 > > If I look at the log file in the FDS server ("access"), everything > looks fine. > > Has anyone else had a problem with dtlogin? > > Thanks for any help, > Sam > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com -- Fedora-directory-users mailing list Fedora-directory-users at redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------------------------------------------------- This e-mail and any attachments are confidential and may also be legally privileged and/or copyright material of Intec Telecom Systems PLC (or its affiliated companies). If you are not an intended or authorised recipient of this e-mail or have received it in error, please delete it immediately and notify the sender by e-mail. In such a case, reading, reproducing, printing or further dissemination of this e-mail or its contents is strictly prohibited and may be unlawful. Intec Telecom Systems PLC does not represent or warrant that an attachment hereto is free from computer viruses or other defects. The opinions expressed in this e-mail and any attachments may be those of the author and are not necessarily those of Intec Telecom Systems PLC. 
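An added example, not from Sam's, Susan's or Paul's mails, that models only the control flags, which is where the three auth stacks in this thread differ. It implements the pam.conf(4) rules for requisite, required, binding and sufficient in a small POSIX sh function, feeds it the three "auth" stacks as posted, and shows what each returns for a user who can only be authenticated by pam_ldap, for a files-based user such as root, and for a wrong password. Which outcome pam_unix_auth.so.1 actually produces for an LDAP user depends on the name-service setup (the server_policy option hands that decision to the naming service), so the per-module outcomes here are inputs to the model, not a diagnosis of Sam's machines; pam_authtok_get, pam_dhkeys and pam_unix_cred are assumed to succeed.

```sh
#!/bin/sh
# Added example (not from the thread): evaluate a pam.conf auth stack under the
# control-flag rules, to compare the stacks posted by Sam, Susan and Paul.
#
# pam_eval MODULE=ok|fail ...  < stack
#   stdin: one "<control> <module> [options]" line per stack entry, in pam.conf order
#   args:  outcome of individual modules; any module not listed is taken to succeed
# Prints OK or FAIL and returns 0 or 1.
pam_eval() {
    req_failed=0   # a required or binding module has failed earlier in the stack
    any_ok=0       # at least one module succeeded
    while read -r control module _; do
        case $control in ''|'#'*) continue ;; esac
        res=ok
        for o in "$@"; do
            if [ "${o%%=*}" = "$module" ]; then res=${o#*=}; fi
        done
        case "$control:$res" in
            requisite:fail)             echo FAIL; return 1 ;;   # stop at once
            required:fail|binding:fail) req_failed=1 ;;          # remembered, stack continues
            sufficient:ok|binding:ok)                            # immediate success unless
                if [ $req_failed -eq 0 ]; then echo OK; return 0; fi   # something required failed
                any_ok=1 ;;
            *:ok)                       any_ok=1 ;;
            *)                          ;;                       # sufficient/optional failure: ignored
        esac
    done
    if [ $req_failed -eq 0 ] && [ $any_ok -eq 1 ]; then echo OK; return 0; fi
    echo FAIL; return 1
}

# The three "auth" stacks from the thread, control flag and module only.
stack_sam()   { printf '%s\n' 'requisite pam_authtok_get.so.1' 'required pam_dhkeys.so.1' \
                               'binding pam_unix_auth.so.1 server_policy' 'required pam_ldap.so.1'; }
stack_susan() { printf '%s\n' 'requisite pam_authtok_get.so.1' 'required pam_dhkeys.so.1' \
                               'required pam_unix_cred.so.1' 'sufficient pam_unix_auth.so.1' \
                               'required pam_ldap.so.1'; }
stack_paul()  { printf '%s\n' 'sufficient pam_unix.so.1 try_first_pass' 'sufficient pam_ldap.so.1'; }

# pam_demo: print a result table for three users. The module outcomes are
# hypothetical inputs; pam_unix.so.1 (Paul's stack) plays the role of pam_unix_auth.so.1.
pam_demo() {
    printf '%-22s %-6s %-6s %-6s\n' 'case' 'sam' 'susan' 'paul'
    for c in 'ldap-only user:fail:ok' 'files user (root):ok:fail' 'wrong password:fail:fail'; do
        name=${c%%:*}; rest=${c#*:}; unix=${rest%%:*}; ldap=${rest#*:}
        printf '%-22s %-6s %-6s %-6s\n' "$name" \
            "$(stack_sam   | pam_eval pam_unix_auth.so.1=$unix pam_ldap.so.1=$ldap)" \
            "$(stack_susan | pam_eval pam_unix_auth.so.1=$unix pam_ldap.so.1=$ldap)" \
            "$(stack_paul  | pam_eval pam_unix.so.1=$unix      pam_ldap.so.1=$ldap)"
    done
}
pam_demo
```

Two points the table makes visible. With pam_unix_auth marked binding, as in Sam's stack, a failure of that module counts like a required failure, so a later pam_ldap success cannot rescue the login; with it marked sufficient, as in Susan's, the failure is ignored and pam_ldap decides, while a files-only user such as root still passes on the unix line alone, which is Paul's "files-based users" question. The second point is the fail-open shape of a stack made of sufficient lines only: if one required helper that always succeeds is placed in front of two sufficient lines that both fail, nothing in the stack records a failure and the result is OK (the last assertion in the test below). Keep at least one required line after the sufficient ones, as Susan's stack does with pam_ldap, so the stack cannot end on nothing but ignored failures. The same short-circuit applies to the account stack Paul posted: once a sufficient line succeeds (pam_projects, listed before pam_unix and pam_ldap), the remaining account checks never run.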
From logastellus at yahoo.com Fri May 26 15:42:10 2006 From: logastellus at yahoo.com (Susan) Date: Fri, 26 May 2006 08:42:10 -0700 (PDT) Subject: [Fedora-directory-users] solaris, dtlogin, and FDS In-Reply-To: Message-ID: <20060526154210.9865.qmail@web52902.mail.yahoo.com> yes -- root. --- Paul Clayton wrote: > But can you use files based users with this method 'cause I can't. > > -----Original Message----- > From: fedora-directory-users-bounces at redhat.com > [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Susan > Sent: 26 May 2006 05:07 PM > To: General discussion list for the Fedora Directory server project. > Subject: Re: [Fedora-directory-users] solaris, dtlogin, and FDS > > I have this and my dtlogin works fine: > > > # Default definitions for Authentication management # Used when service > name is not explicitly mentioned for authentication # > other auth requisite pam_authtok_get.so.1 > other auth required pam_dhkeys.so.1 > other auth required pam_unix_cred.so.1 > other auth sufficient pam_unix_auth.so.1 > other auth required pam_ldap.so.1 > # > > > --- Sam Smith wrote: > > > I have a bunch of fully patched and up-to-date Solaris 2.9 machines, > > using an FDS ldap server. I just converted them over from NIS, thanks > > to the help from the documentation on the web site. > > > > I can login at the command line, I can ssh to them, I thought > > everything was working great. > > > > But when I sit down in front of the console, and try to login with > > dtlogin to CDE (the gui), it kicks me out.
From triswimjoe at hotmail.com Fri May 26 15:45:34 2006
From: triswimjoe at hotmail.com (Joe Sheehan)
Date: Fri, 26 May 2006 11:45:34 -0400
Subject: [Fedora-directory-users] /etc/init.d startup script issuesonreboot
In-Reply-To:
Message-ID:

It seems to be narrowing down to the daemon command - if you can think of
anything please let me know - curious why it doesn't affect syslog etc.

Joe

>From: "Paul Clayton"
>Reply-To: "General discussion list for the Fedora Directory server project."
>To: "General discussion list for the Fedora Directory server project."
>Subject: RE: [Fedora-directory-users] /etc/init.d startup script issuesonreboot
>Date: Fri, 26 May 2006 16:32:58 +0200
>
>Something rings a bell here that the DAEMON command might be your
>problem. I recall having some similar issue, but don't know what I did to
>fix it. Does the startup script not have to be registered as an active
>available script?
>
>-----Original Message-----
>From: fedora-directory-users-bounces at redhat.com
>[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Joe Sheehan
>Sent: 26 May 2006 04:31 PM
>To: fedora-directory-users at redhat.com
>Subject: RE: [Fedora-directory-users] /etc/init.d startup script issuesonreboot
>
>Yeah, I'm now going through the methodical approach of taking everything
>out of the script except the echos and then putting it back together
>piece by piece - just strange that using the same script via the command
>line would give me the same failure.
>
>Joe
>
> >From: "Paul Clayton"
> >Reply-To: "General discussion list for the Fedora Directory server project."
> >To: "General discussion list for the Fedora Directory server project."
> >Subject: RE: [Fedora-directory-users] /etc/init.d startup script issuesonreboot
> >Date: Fri, 26 May 2006 15:28:24 +0200
> >
> >Apologies, blonde moment here. That was what I meant. Have you thought
> >of simplifying your script? Do you see any messages that your script is
> >being acted upon? By this I mean taking out variables and putting in
> >full paths to where you want to go.
> >
> >cheers
> >
> >-----Original Message-----
> >From: fedora-directory-users-bounces at redhat.com
> >[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Joe Sheehan
> >Sent: 26 May 2006 03:24 PM
> >To: fedora-directory-users at redhat.com
> >Subject: RE: [Fedora-directory-users] /etc/init.d startup script issuesonreboot
> >
> >Little confused - do you mean in the directory
> >/opt/fedora-ds/slapd-'hostname' - run ./start-slapd? If so I've done
> >that and it works on command line - I still receive a failure during
> >reboot using that command within my startup script. Trying to get more
> >info out of the ldap during reboot but all I receive is a failure
> >statement.
> >
> > >From: "Paul Clayton"
> > >Reply-To: "General discussion list for the Fedora Directory server project."
> > >To: "General discussion list for the Fedora Directory server project."
> > >Subject: RE: [Fedora-directory-users] /etc/init.d startup script issues on reboot
> > >Date: Fri, 26 May 2006 13:58:51 +0200
> > >
> > >Have you tried running the command as ./slapd-`hostname` in your
> > >/opt/fedora_ds directory?
> > >-----Original Message-----
> > >From: fedora-directory-users-bounces at redhat.com
> > >[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Joe Sheehan
> > >Sent: 26 May 2006 01:28 PM
> > >To: fedora-directory-users at redhat.com
> > >Subject: [Fedora-directory-users] /etc/init.d startup script issues on reboot
> > >
> > >We are using the startup script for Fedora as shown below with the
> > >corresponding /etc/sysconfig/ns-slapd. The problem is during a reboot
> > >ns-slapd doesn't start (the run levels are set to 3,4,5).
> > >From the command line though, using this script, it starts.
> > >
> > >In the /var/log/messages for a reboot we see
> > >sql_select option missing
> > >auxpropfunc error no mechanism available
> > >ns-slapd failed
> > >
> > >For a command line start we see
> > >sql_select option missing
> > >auxpropfunc error no mechanism available
> > >ns-slapd started successfully.
> > >
> > >Those two errors seem to be consistent with a permission problem similar
> > >to openldap, but we haven't had any luck with that yet. BUT is there a
> > >way to figure out why during a reboot it doesn't start besides getting
> > >a "ns-slapd failed"?
> > >
> > >Thanks (scripts below)
> > >
> > >Joe
> > >
> > ># Source function library.
> > >. /etc/init.d/functions
> > >
> > >SLAPD_HOST=`hostname -a`
> > >SLAPD_DIR=/opt/fedora-ds/bin/slapd/server
> > >PIDFILE=$SLAPD_DIR/logs/pid
> > >STARTPIDFILE=$SLAPD_DIR/logs/startpid
> > >
> > >if [ -f /etc/sysconfig/ns-slapd ]; then
> > >    . /etc/sysconfig/ns-slapd
> > >fi
> > >
> > >start() {
> > >    echo -n "Starting Fedora Directory Server: "
> > >    if [ -f $STARTPIDFILE ]; then
> > >        PID=`cat $STARTPIDFILE`
> > >        echo ns-slapd already running: $PID
> > >        exit 2;
> > >    elif [ -f $PIDFILE ]; then
> > >        PID=`cat $PIDFILE`
> > >        echo ns-slapd already running: $PID
> > >        exit 2;
> > >    else
> > >        echo Here we go...
> > >        cd $SLAPD_DIR
> > >        daemon ./ns-slapd $OPTIONS
> > >        RETVAL=$?
> > >        echo
> > >        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/ns-slapd
> > >        return $RETVAL
> > >    fi
> > >}
> > >
> > >stop() {
> > >    echo -n "Shutting down Fedora Directory Server: "
> > >    echo
> > >    killproc ns-slapd
> > >    echo
> > >    rm -f /var/lock/subsys/ns-slapd
> > >    return 0
> > >}
> > >
> > >case "$1" in
> > >    start)
> > >        start
> > >        ;;
> > >    stop)
> > >        stop
> > >        ;;
> > >    status)
> > >        status ns-slapd
> > >        ;;
> > >    restart)
> > >        stop
> > >        start
> > >        ;;
> > >    *)
> > >        echo "Usage: {start|stop|status|restart}"
> > >        exit 1
> > >        ;;
> > >esac
> > >exit $?
From triswimjoe at hotmail.com Fri May 26 17:20:02 2006
From: triswimjoe at hotmail.com (Joe Sheehan)
Date: Fri, 26 May 2006 13:20:02 -0400
Subject: [Fedora-directory-users] /etc/init.d startup script issuesonreboot
In-Reply-To:
Message-ID:

If within the startup script I just have
/opt/fedora-ds/slapd-mysystem/start-slapd & - everything works great - once
I put the daemon command back in - nothing.

There's another system with the same problem BUT there is one system it
works great on - this system is "supposedly" installed, in regards to the
OS, directory server etc, the same way.

If anyone has any ideas it would be greatly appreciated.

Thanks

Joe
From sam.smith at ece.gatech.edu Fri May 26 17:37:24 2006
From: sam.smith at ece.gatech.edu (Sam Smith)
Date: Fri, 26 May 2006 13:37:24 -0400
Subject: [Fedora-directory-users] solaris, dtlogin, and FDS
In-Reply-To: <20060526150641.66048.qmail@web52904.mail.yahoo.com>
References: <20060526150641.66048.qmail@web52904.mail.yahoo.com>
Message-ID: <44773CD4.4060701@ece.gatech.edu>

Susan wrote:
>I have this and my dtlogin works fine:
>
># Default definitions for Authentication management
># Used when service name is not explicitly mentioned for authentication
>#
>other auth requisite pam_authtok_get.so.1
>other auth required pam_dhkeys.so.1
>other auth required pam_unix_cred.so.1
>other auth sufficient pam_unix_auth.so.1
>other auth required pam_ldap.so.1
>#

Doesn't work for me. I don't have pam_unix_cred, since we never used
kerberos here. Anyway all the docs say not to use it with LDAP. I tried
what you had, without the pam_unix_cred, and no joy..
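The three auth stacks posted in this thread (Sam's "other" lines with `binding pam_unix_auth.so.1 server_policy`, Susan's with `sufficient pam_unix_auth.so.1`, and the dtlogin-specific entries Paul Clayton posts later) differ only in control flags, and the flags decide which module has the final say and whether pam_ldap is consulted at all. As an added example, not part of Sam's message or of any other message in this thread, the Python below models Solaris pam.conf evaluation (requisite, required, binding, sufficient, optional, and PAM_IGNORE) and replays those stacks against constructed per-module outcomes. The pam.conf text is copied from the messages; the outcome tables are assumptions for illustration, in particular the assumption, following Sun's documented intent for the server_policy option, that pam_unix_auth returns PAM_IGNORE for a user whose account is not in the local files so that pam_ldap decides.

```python
"""Simulate Solaris pam.conf control-flag evaluation.

Added example for this thread, not from any of its messages. The pam.conf
text below is copied from the stacks posted above; the per-module outcomes
used to replay them are constructed assumptions for illustration.
"""

CONTROL_FLAGS = {"requisite", "required", "binding", "sufficient", "optional"}

# Sam's "other auth" stack plus Paul Clayton's dtlogin-specific auth entries.
PAM_CONF = """
other   auth requisite  pam_authtok_get.so.1
other   auth required   pam_dhkeys.so.1
other   auth binding    pam_unix_auth.so.1 server_policy
other   auth required   pam_ldap.so.1
dtlogin auth sufficient pam_unix.so.1
dtlogin auth required   pam_ldap.so.1 try_first_pass
"""

# Susan's "other auth" stack.
SUSAN_CONF = """
other auth requisite  pam_authtok_get.so.1
other auth required   pam_dhkeys.so.1
other auth required   pam_unix_cred.so.1
other auth sufficient pam_unix_auth.so.1
other auth required   pam_ldap.so.1
"""


def parse_pam_conf(text):
    """Return {(service, module_type): [(flag, module, options), ...]}."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("malformed pam.conf line: %r" % raw)
        service, mtype, flag, module = fields[:4]
        if flag not in CONTROL_FLAGS:
            raise ValueError("unknown control flag %r in %r" % (flag, raw))
        conf.setdefault((service, mtype), []).append((flag, module, fields[4:]))
    return conf


def stack_for(conf, service, mtype):
    """Solaris consults "other" only when the service has no entry of that type."""
    return conf.get((service, mtype)) or conf.get(("other", mtype), [])


def evaluate(stack, outcomes):
    """Walk a stack with Solaris control-flag semantics.

    outcomes maps module -> 'success' | 'failure' | 'ignore' (PAM_IGNORE);
    a module missing from the table is treated as failing.
    Returns (result, modules_consulted_in_order).
    """
    consulted = []
    required_failed = False
    for flag, module, _options in stack:
        consulted.append(module)
        outcome = outcomes.get(module, "failure")
        if outcome == "ignore":           # PAM_IGNORE: as if the line were absent
            continue
        ok = outcome == "success"
        if flag == "requisite" and not ok:
            return "failure", consulted   # fail immediately, later modules unseen
        if flag in ("required", "binding") and not ok:
            required_failed = True        # remembered; the stack keeps running
        if flag in ("binding", "sufficient") and ok and not required_failed:
            return "success", consulted   # short-circuit success
        # 'optional', and successful 'required'/'requisite', just continue
    return ("failure" if required_failed else "success"), consulted


def demo():
    conf = parse_pam_conf(PAM_CONF)
    other = stack_for(conf, "login", "auth")
    # Constructed outcome tables (assumptions for illustration).
    ldap_only = {"pam_authtok_get.so.1": "success", "pam_dhkeys.so.1": "success",
                 "pam_unix_auth.so.1": "ignore",   # server_policy: not a local account
                 "pam_ldap.so.1": "success"}
    no_policy = dict(ldap_only, **{"pam_unix_auth.so.1": "failure"})
    print("LDAP-only user, server_policy:    ", evaluate(other, ldap_only))
    print("LDAP-only user, no server_policy: ", evaluate(other, no_policy))
    print("dtlogin uses its own stack:       ",
          [m for _, m, _ in stack_for(conf, "dtlogin", "auth")])


if __name__ == "__main__":
    demo()
```

Two things the replay makes visible that the raw stacks do not: with `binding` and no PAM_IGNORE, a pam_unix_auth failure is recorded as a required failure, so an LDAP-only user is refused even though pam_ldap accepts the password; and with `sufficient`, a pam_unix_auth failure is simply ignored, so a wrong local password falls through to pam_ldap, which then has the final say.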
Sam

From prowley at redhat.com Fri May 26 18:45:41 2006
From: prowley at redhat.com (Pete Rowley)
Date: Fri, 26 May 2006 11:45:41 -0700
Subject: [Fedora-directory-users] /etc/init.d startup script issues on reboot
In-Reply-To:
References:
Message-ID: <44774CD5.5020200@redhat.com>

log?

Joe Sheehan wrote:
> We are using the startup script for Fedora as
> shown below with the corresponding /etc/sysconfig/ns-slapd
> The problem is during a reboot ns-slapd doesn't start. (the run levels
> are set to 3,4,5).
>> From the command line though using this script it starts.
>
> In the /var/log/messages for a reboot we see
> sql_select option missing
> auxpropfunc error no mechanism available
> ns-slapd failed
>
> For a command line start we see
> sql_select option missing
> auxpropfunc error no mechanism available
> ns-slapd started successfully.
>
> Those two errors seem to be consistent with a permission problem similar
> to openldap
> but we haven't had any luck with that yet BUT is there a way to figure
> out
> why during a reboot it doesn't start besides getting a "ns-slapd failed".
>
> Thanks (scripts below)
>
> Joe

--
Pete

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3241 bytes
Desc: S/MIME Cryptographic Signature
URL:

From vsingh at gmu.edu Fri May 26 20:06:03 2006
From: vsingh at gmu.edu (Paul Singh)
Date: Fri, 26 May 2006 16:06:03 -0400
Subject: [Fedora-directory-users] CPanel + FedoraDS
Message-ID: <8307AC74-EE08-4303-93FF-A832DB32A247@gmu.edu>

Hi all,

I've got 10 CPanel servers that I administrate now and I'm bringing on
some additional support staff to begin helping with that. The problem
here is that I don't want to go into every machine and create an
individual account on each box for the admins.

I started working with FedoraDS and was able to successfully get the
machines to pull data from the LDAP server. The problem is, it seems to
check every hosting account username too and this slows the machines
down quite a bit since it's looking for accounts that are not in LDAP at
all.

When looking in /etc/nsswitch.conf, I thought that the system would read
left to right so I have:

passwd: files ldap
shadow: files ldap
group:  files ldap

Shouldn't that read left to right? If an account is found in the local
files, the system should not be going to ldap to confirm.

Does anyone know how to make this work the way I would like it to?

Thanks in advance.
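Paul's question is about lookup order. As an added example, not part of his message or of any reply in this thread, the Python below models the nsswitch.conf rules the GNU C library applies on a Linux box: sources are tried left to right, the default action after a successful lookup is return and after notfound or unavail it is continue, a bracketed `[STATUS=action]` overrides that for the source it follows, and supplementary-group resolution (initgroups, run at every login) consults every group source and merges the answers rather than stopping at the first hit. The nsswitch.conf lines are the ones in the message; the account and group tables are constructed.

```python
"""Model nsswitch.conf source ordering.

Added example for this thread, not from any of its messages. The nsswitch
lines are the ones posted above; DATA is a constructed account/group table.
"""
import re

# Default action per lookup status when no [STATUS=action] is given.
DEFAULT_ACTIONS = {"success": "return", "notfound": "continue",
                   "unavail": "continue", "tryagain": "continue"}

# The lines from the message above.
NSSWITCH = """
passwd: files ldap
shadow: files ldap
group:  files ldap
"""

# Constructed data: {source: {database: {name: ...}}}. A source absent
# from the table is treated as unreachable (status "unavail").
DATA = {
    "files": {"passwd": {"root": 0, "cpanel1": 1001},
              "group": {"wheel": {"root"}, "cpanel1": {"cpanel1"}}},
    "ldap": {"passwd": {"alice": 5001},
             "group": {"admins": {"alice", "root"}}},
}


def parse_nsswitch(text):
    """Return {database: [(source, {status: action}), ...]}."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        db, _, rest = line.partition(":")
        entries = []
        for bracket, source in re.findall(r"\[([^\]]*)\]|(\S+)", rest):
            if source:
                entries.append((source, {}))
                continue
            if not entries:
                raise ValueError("action before any source: %r" % raw)
            for pair in bracket.split():          # e.g. NOTFOUND=return
                status, _, action = pair.partition("=")
                if status.startswith("!"):
                    raise ValueError("negated status not modelled: %r" % raw)
                entries[-1][1][status.lower()] = action.lower()
        conf[db.strip()] = entries
    return conf


def lookup(conf, db, name, data):
    """A by-name lookup (getpwnam and friends): walk the sources in order
    and stop at the first whose action for the status obtained is 'return'."""
    queried, status = [], "notfound"
    for source, actions in conf[db]:
        queried.append(source)
        table = data.get(source)
        if table is None:
            status = "unavail"
        elif name in table.get(db, {}):
            status = "success"
        else:
            status = "notfound"
        if actions.get(status, DEFAULT_ACTIONS[status]) == "return":
            break
    return status, queried


def initgroups(conf, name, data):
    """Supplementary-group resolution: every 'group' source is consulted and
    the results merged, which is what glibc's initgroups does by default."""
    queried, groups = [], set()
    for source, _actions in conf["group"]:
        queried.append(source)
        for gname, members in data.get(source, {}).get("group", {}).items():
            if name in members:
                groups.add(gname)
    return sorted(groups), queried


if __name__ == "__main__":
    conf = parse_nsswitch(NSSWITCH)
    for user in ("cpanel1", "alice", "nosuch"):
        print("getpwnam(%s):" % user, lookup(conf, "passwd", user, DATA))
    print("initgroups(cpanel1):", initgroups(conf, "cpanel1", DATA))
    stop = parse_nsswitch("passwd: files [NOTFOUND=return] ldap")
    print("with [NOTFOUND=return], alice:", lookup(stop, "passwd", "alice", DATA))
```

So with `files ldap` a name that exists locally never reaches LDAP, but every lookup of a name that is not local, every enumeration, and every login's initgroups call does. Putting `[NOTFOUND=return]` after `files` would stop the misses but also hide every LDAP user, as the last line of the demo shows; the usual knob for keeping local service accounts' initgroups traffic off the LDAP server is nss_ldap's nss_initgroups_ignoreusers setting, where the installed nss_ldap supports it.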
--Paul

From sam.smith at ece.gatech.edu Fri May 26 20:49:08 2006
From: sam.smith at ece.gatech.edu (Sam Smith)
Date: Fri, 26 May 2006 16:49:08 -0400
Subject: [Fedora-directory-users] solaris, dtlogin, and FDS
In-Reply-To: <20060526150641.66048.qmail@web52904.mail.yahoo.com>
References: <20060526150641.66048.qmail@web52904.mail.yahoo.com>
Message-ID: <447769C4.5090402@ece.gatech.edu>

Susan wrote:
>I have this and my dtlogin works fine:
>
># Default definitions for Authentication management
># Used when service name is not explicitly mentioned for authentication
>#
>other auth requisite pam_authtok_get.so.1
>other auth required pam_dhkeys.so.1
>other auth required pam_unix_cred.so.1
>other auth sufficient pam_unix_auth.so.1
>other auth required pam_ldap.so.1
>#

Susan,

I'm pretty sure now that authentication is not the problem - it seems to
authenticate fine and then die. What other lines for "other" do you have
in your pam.conf?

Sam

From blaze at elewise.com Sat May 27 09:06:44 2006
From: blaze at elewise.com (Pavel 'Blaze' Vinogradov)
Date: Sat, 27 May 2006 14:06:44 +0500
Subject: [Fedora-directory-users] View all groups of chosen user
In-Reply-To: <20060526140757.36969.qmail@web52901.mail.yahoo.com>
References: <1265838551.20060526123055@elewise.com> <20060526140757.36969.qmail@web52901.mail.yahoo.com>
Message-ID: <17710489275.20060527140644@elewise.com>

Hello Susan,

Friday, May 26, 2006, 7:07:56 PM, you wrote:

I get nothing, because when I create a static group with the Admin
Console, group members are added as full DNs in the uniquemember
attribute. With a dynamic group, the members are added as an LDAP query
in the memberurl attribute (example:
ldap:///ou=People,dc=local,dc=elewise,dc=com??sub?(&(|(objectclass=person)(objectclass=groupofuniquenames))(cn=*))).
And while I can write an ldapsearch for a static group, I don't know how
to write a filter that works with a dynamic group.

> what if you do this:
> ldapsearch -b ou=groups,dc=company,dc=com memberuid=joeshmoe dn
> ?
>> How, in the Admin Console, can I view all groups which contain the
>> current user? In the case of a static group I can do it with a simple
>> query with a filter on the uniquemember field, but how do I do it with
>> a dynamic group?
>> And how can I show the result to an Admin Console user?

--
Best regards,
Pavel                            mailto:blaze at elewise.com

From Paul.Clayton at intecbilling.com Mon May 29 09:46:24 2006
From: Paul.Clayton at intecbilling.com (Paul Clayton)
Date: Mon, 29 May 2006 11:46:24 +0200
Subject: [Fedora-directory-users] solaris, dtlogin, and FDS
Message-ID:

Hi,

After some experimentation, I came up with another pam configuration for
desktop login. This would override the settings for "other", as the
application has been marked specifically as "dtlogin". Seems what you
have to do is experiment with the configuration to get something
workable. My system is basic ldap and no kerberos at this stage.

-------------------------------------------------------------------------------------------------
dtlogin auth sufficient pam_unix.so.1
dtlogin auth required pam_ldap.so.1 try_first_pass
dtlogin account sufficient pam_unix.so.1
dtlogin account requisite pam_roles.so.1
dtlogin account required pam_projects.so.1
dtlogin account sufficient pam_unix_account.so.1
dtlogin account required pam_ldap.so.1 try_first_pass
dtlogin session sufficient pam_unix_session.so.1
dtlogin session required pam_ldap.so.1 try_first_pass
-------------------------------------------------------------------------------------------------

cheers

From ben.steeves at gmail.com Mon May 29 17:38:40 2006
From: ben.steeves at gmail.com (Ben Steeves)
Date: Mon, 29 May 2006 14:38:40 -0300
Subject: [Fedora-directory-users] Multiple database links (chaining)
Message-ID: <7ebb24d10605291038w11c66ee4gf9f982f05a3ce28b@mail.gmail.com>

Hi Folks,

I'm having a problem that I'm going to go bald trying to solve, it
seems...
I've been tasked with creating a single searchable suffix for two
different trees (dc=one,dc=com and dc=two,dc=com for arguments sake).
The application that needs this suffix doesn't deal with referrals, so
my first (and the obvious, I thought) solution won't work.

I delved into the Administrator's Guide and discovered the section on
chained suffixes (ie., Directory Links), and it seems good. The problem?
I can't make it work right.

On a test server, I've set up a "master" suffix, "dc=com", and created
directory links to "dc=one,dc=com" and "dc=two,dc=com". I've added the
proxy ACI on the One and Two LDAP directories. When I search the test
server, I can successfully find objects in the One tree, so it's half
working -- but the Two tree doesn't work. I've checked and re-checked
and everything appears kosher.

Am I barking up the wrong tree? Is there an easier way to do this?
Should I give up and take up basket weaving as a nice, harmless job, and
forget systems administration altogether?

Any help or suggestions would be appreciated.

--
 _  Ben Steeves                       bcs at metacon.ca
( ) The ASCII ribbon campaign         ben.steeves at unb.ca
 X  against HTML e-mail               GPG ID: 0xB3EBF1D9
/ \ http://www.metacon.ca/ascii       Yahoo Messenger: ben_steeves

From rmeggins at redhat.com Mon May 29 20:53:00 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 29 May 2006 14:53:00 -0600
Subject: [Fedora-directory-users] Multiple database links (chaining)
In-Reply-To: <7ebb24d10605291038w11c66ee4gf9f982f05a3ce28b@mail.gmail.com>
References: <7ebb24d10605291038w11c66ee4gf9f982f05a3ce28b@mail.gmail.com>
Message-ID: <447B5F2C.9080405@redhat.com>

Ben Steeves wrote:
> On a test server, I've set up a "master" suffix, "dc=com", and created
> directory links to "dc=one,dc=com" and "dc=two,dc=com". I've added
> the proxy ACI on the One and Two LDAP directories. When I search the
> test server, I can successfully find objects in the One tree, so it's
> half working -- but the Two tree doesn't work. I've checked and
> re-checked and everything appears kosher.

Does the other LDAP server have dc=com and two sub suffixes
dc=one,dc=com and dc=two,dc=com? Each with their own "real" database?

> Am I barking up the wrong tree? Is there an easier way to do this?
> Should I give up and take up basket weaving as a nice, harmless job,
> and forget systems administration altogether?

It's difficult to say for sure without reviewing all of your
configuration.

> Any help or suggestions would be appreciated.

From triswimjoe at hotmail.com Tue May 30 13:18:19 2006
From: triswimjoe at hotmail.com (Joe Sheehan)
Date: Tue, 30 May 2006 09:18:19 -0400
Subject: [Fedora-directory-users] /etc/init.d startup script issues onreboot
In-Reply-To: <44774CD5.5020200@redhat.com>
Message-ID:

Log - the only thing I see within the message log is
sql_select option missing
auxpropfunc error no mechanism available
ns-slapd failed

Is there a way I could get more info when I reboot the system?

If I take out "daemon" within the script below and just have
/opt/fedora-ds/slapd-'hostname'/start-slapd & for start - no problem
during a reboot.
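Joe asks how to get more than the one-line "ns-slapd failed" out of a start that fails only during a reboot. As an added example, not from Joe's message or any other message in this thread, the wrapper below records what the daemon actually saw at that moment (working directory, uid, PATH, LD_LIBRARY_PATH, the open-file limit) together with its stdout, stderr and exit status, all of which the `daemon` function's success/failure marker hides. The log path and the way it is dropped into start() are assumptions for illustration.

```sh
#!/bin/sh
# run_logged LOGFILE CMD [ARGS...]
# Added diagnostic wrapper (not from the thread). Records the environment
# the command really runs in, then runs it with stdout and stderr captured
# in LOGFILE, appends its exit status and returns that status unchanged.
run_logged() {
    _log=$1
    shift
    {
        echo "=== $(date) pid=$$ uid=$(id -u) cwd=$(pwd)"
        echo "cmd: $*"
        echo "PATH=$PATH"
        echo "LD_LIBRARY_PATH=${LD_LIBRARY_PATH:-<unset>}"
        echo "ulimit -n: $(ulimit -n)"
    } >> "$_log"
    "$@" >> "$_log" 2>&1
    _rc=$?
    echo "exit=$_rc" >> "$_log"
    return $_rc
}

# last_exit_status LOGFILE
# Print the exit status recorded by the most recent run_logged call, so a
# failed boot can be inspected after the machine is up.
last_exit_status() {
    sed -n 's/^exit=//p' "$1" | tail -n 1
}

# Assumed use inside start() of the init script quoted in this thread,
# temporarily replacing "daemon ./ns-slapd $OPTIONS" while diagnosing
# (log path and $OPTIONS are assumptions):
#
#   run_logged /var/log/ns-slapd-boot.log ./ns-slapd $OPTIONS
#   RETVAL=$?
```

Compare the header block written at boot with one written from an interactive start: a different cwd, a missing LD_LIBRARY_PATH, a lower file-descriptor limit or a different uid narrows the search to what `daemon` changes and `start-slapd` does not.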
Thanks

From Paul.Clayton at intecbilling.com Tue May 30 13:37:04 2006
From: Paul.Clayton at intecbilling.com (Paul Clayton)
Date: Tue, 30 May 2006 15:37:04 +0200
Subject: [Fedora-directory-users] /etc/init.d startup script issuesonreboot
Message-ID:

Joe,

Question is, do you really need the daemon function if it works without
it? If startup and shutdown are all you need, why make it too complex.

cheers

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com
[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Joe Sheehan
Sent: 30 May 2006 03:18 PM
To: fedora-directory-users at redhat.com
Subject: Re: [Fedora-directory-users] /etc/init.d startup script issuesonreboot

Log - the only thing I see within the message log is
sql_select option missing
auxpropfunc error no mechanism available
ns-slapd failed

Is there a way I could get more info when I reboot the system?

If I take out "daemon" within the script below and just have
/opt/fedora-ds/slapd-'hostname'/start-slapd & for start - no problem
during a reboot.

Thanks

>From: Pete Rowley
>Reply-To: "General discussion list for the Fedora Directory server project."
>To: "General discussion list for the Fedora Directory server project."
>
>Subject: Re: [Fedora-directory-users] /etc/init.d startup script issues
>onreboot
>Date: Fri, 26 May 2006 11:45:41 -0700
>
>log?
>
>Joe Sheehan wrote:
>>We are using the startup script for Fedora as shown below with the
>>corresponding /etc/sysconfig/ns-slapd The problem is during a reboot
>>ns-slapd doesn't start. (the run levels are set to 3,4,5).
>>From the command line though using this script it starts.
>>
>>In the /var/log/messages for a reboot we see sql_select option missing
>>auxpropfunc error no mechanism available ns-slapd failed
>>
>>For a command line start we see
>>sql_select option missing
>>auxpropfunc error no mechanism available ns-slapd started
>>successfully.
>>
>>Those two errors seem to be consistent with a permission problem similar
>>to openldap but we haven't had any luck with that yet BUT is there a
>>way to figure out why during a reboot it doesn't start besides getting
>>a "ns-slapd failed".
>>
>>Thanks (scripts below)
>>
>>Joe
>>
>>[...]
>>
>>--
>>Fedora-directory-users mailing list
>>Fedora-directory-users at redhat.com
>>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>
>--
>Pete
>
><< smime.p7s >>
>
>--
>Fedora-directory-users mailing list
>Fedora-directory-users at redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users

--
Fedora-directory-users mailing list
Fedora-directory-users at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users

--------------------------------------------------------
This e-mail and any attachments are confidential and may also be legally
privileged and/or copyright material of Intec Telecom Systems PLC (or its
affiliated companies). If you are not an intended or authorised recipient
of this e-mail or have received it in error, please delete it immediately
and notify the sender by e-mail. In such a case, reading, reproducing,
printing or further dissemination of this e-mail or its contents is strictly
prohibited and may be unlawful.
Intec Telecom Systems PLC does not represent or warrant that an attachment
hereto is free from computer viruses or other defects. The opinions
expressed in this e-mail and any attachments may be those of the author and
are not necessarily those of Intec Telecom Systems PLC.
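An added example, not code from the thread or from the Fedora script quoted in it, for Joe's question about getting more information when the start fails at boot. Plain `daemon ./ns-slapd` reports only "failed"; the helpers below keep what the daemon wrote, its exit status, and the parts of the environment that most often differ between an interactive root shell and a boot-time init script (PATH, LD_LIBRARY_PATH, open-file limit, working directory), and they treat a stale pidfile left by an unclean shutdown as stale rather than as a running server. LOGFILE and the paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): start helpers for an
# init script that record what the daemon saw and why it exited.
# Assumptions: the script may append to LOGFILE; PIDFILE is written by the
# daemon itself (as ns-slapd does with logs/pid); paths below are placeholders.

LOGFILE="${LOGFILE:-/tmp/ns-slapd-start.log}"

# Facts that most often differ between an interactive shell and a boot-time
# init script. Compare a failed boot entry with a successful manual one.
log_environment() {
    {
        echo "=== $(date) start attempt ==="
        echo "uid=$(id -u) cwd=$(pwd)"
        echo "PATH=$PATH"
        echo "LD_LIBRARY_PATH=${LD_LIBRARY_PATH:-<unset>}"
        echo "ulimit -n=$(ulimit -n)"
    } >>"$LOGFILE"
}

# run_logged CMD [ARG...]: run CMD with stdout and stderr appended to
# LOGFILE, record its exit status there, and return that status unchanged.
run_logged() {
    log_environment
    "$@" >>"$LOGFILE" 2>&1
    rc=$?
    echo "exit status: $rc" >>"$LOGFILE"
    return $rc
}

# pidfile_alive PIDFILE: true only if PIDFILE names a process that exists.
# kill -0 sends no signal; it only checks that the pid can be signalled.
pidfile_alive() {
    [ -r "$1" ] || return 1
    pid=$(cat "$1")
    [ -n "$pid" ] || return 1
    kill -0 "$pid" 2>/dev/null
}

# start_daemon PIDFILE CMD [ARG...]: refuse to start only when PIDFILE points
# at a live process (status 2); otherwise remove the stale file and start
# CMD under run_logged, returning the daemon's own exit status.
start_daemon() {
    pidfile=$1; shift
    if pidfile_alive "$pidfile"; then
        echo "already running: $(cat "$pidfile")" >>"$LOGFILE"
        return 2
    fi
    rm -f "$pidfile"
    run_logged "$@"
}

# Usage from start() in an init script (placeholder paths):
#   start_daemon /opt/fedora-ds/bin/slapd/server/logs/pid \
#       /opt/fedora-ds/slapd-myhost/start-slapd
# or run this file directly:  sh start-logged.sh PIDFILE CMD [ARG...]
if [ "$#" -ge 2 ]; then
    start_daemon "$@"
fi
```

After a reboot that fails, the log entry shows whether the boot-time start ran with a different PATH, library path, descriptor limit or working directory than the manual one, and whatever ns-slapd itself printed before exiting, which is what the bare "ns-slapd failed" line hides.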
From logastellus at yahoo.com Tue May 30 14:28:24 2006
From: logastellus at yahoo.com (Susan)
Date: Tue, 30 May 2006 07:28:24 -0700 (PDT)
Subject: [Fedora-directory-users] solaris, dtlogin, and FDS
In-Reply-To: <447769C4.5090402@ece.gatech.edu>
Message-ID: <20060530142824.34362.qmail@web52903.mail.yahoo.com>

-bash-3.00# uname -a
SunOS unknown 5.10 Generic_118822-27 sun4u sparc SUNW,Ultra-5_10
-bash-3.00# grep other /etc/pam.conf
other auth requisite pam_authtok_get.so.1 debug
other auth required pam_dhkeys.so.1 debug
other auth required pam_unix_cred.so.1 debug
other auth sufficient pam_unix_auth.so.1 debug
other auth required pam_ldap.so.1 debug
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
other session required pam_unix_session.so.1
other password required pam_dhkeys.so.1 debug
other password requisite pam_authtok_get.so.1 debug
other password requisite pam_authtok_check.so.1 debug
other password required pam_authtok_store.so.1 server_policy debug
-bash-3.00#

If it goes through and THEN dies then something is wrong with your X setup.
Did you look in messages for any X problems? Dead font servers, read/write
permissions for .Xauth files, etc.?

--- Sam Smith wrote:

> Susan wrote:
>
> >I have this and my dtlogin works fine:
> >
> ># Default definitions for Authentication management
> ># Used when service name is not explicitly mentioned for authentication
> >#
> >other auth requisite pam_authtok_get.so.1
> >other auth required pam_dhkeys.so.1
> >other auth required pam_unix_cred.so.1
> >other auth sufficient pam_unix_auth.so.1
> >other auth required pam_ldap.so.1
> >#
> >
>
> Susan, I'm pretty sure now that authentication is not the problem - it
> seems to authenticate fine and then die. What other lines for "other" do
> you have in your pam.conf?
>
> Sam
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

From triswimjoe at hotmail.com Tue May 30 15:48:57 2006
From: triswimjoe at hotmail.com (Joe Sheehan)
Date: Tue, 30 May 2006 11:48:57 -0400
Subject: [Fedora-directory-users] /etc/init.d startup script issuesonreboot
In-Reply-To:
Message-ID:

Probably don't need it but was curious why the recommended script works
on some systems but not others - wanted to make sure there wasn't an
issue I could be masking.

Joe

>From: "Paul Clayton"
>Reply-To: "General discussion list for the Fedora Directory server
>project."
>To: "General discussion list for the Fedora Directory server project."
>
>Subject: RE: [Fedora-directory-users] /etc/init.d startup script
>issuesonreboot
>Date: Tue, 30 May 2006 15:37:04 +0200
>
>Joe,
>
>Question is do you really need the daemon function if it works without
>it. If startup and shutdown are all you need, why make it too complex.
>
>cheers
>
>-----Original Message-----
>From: fedora-directory-users-bounces at redhat.com
>[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Joe
>Sheehan
>Sent: 30 May 2006 03:18 PM
>To: fedora-directory-users at redhat.com
>Subject: Re: [Fedora-directory-users] /etc/init.d startup script
>issuesonreboot
>
>Log - the only thing I see within the message log is
>sql_select option missing
>auxpropfunc error no mechanism available ns-slapd failed
>
>Is there a way I could get more info when I reboot the system?
>If I take out "daemon" within the script below and just have
>/opt/fedora-ds/slapd-'hostname'/start-slapd & for start - no problem
>during a reboot.
>Thanks
>
> >From: Pete Rowley
> >Reply-To: "General discussion list for the Fedora Directory server
> >project."
> >To: "General discussion list for the Fedora Directory server project."
> >
> >Subject: Re: [Fedora-directory-users] /etc/init.d startup script issues
> >onreboot
> >Date: Fri, 26 May 2006 11:45:41 -0700
> >
> >log?
> >
> >Joe Sheehan wrote:
> >>We are using the startup script for Fedora as shown below with the
> >>corresponding /etc/sysconfig/ns-slapd The problem is during a reboot
> >>ns-slapd doesn't start. (the run levels are set to 3,4,5).
> >>From the command line though using this script it starts.
> >>
> >>In the /var/log/messages for a reboot we see sql_select option missing
> >>auxpropfunc error no mechanism available ns-slapd failed
> >>
> >>For a command line start we see
> >>sql_select option missing
> >>auxpropfunc error no mechanism available ns-slapd started
> >>successfully.
> >>
> >>Those two errors seem to be consistent with a permission problem similar
> >>to openldap but we haven't had any luck with that yet BUT is there a
> >>way to figure out why during a reboot it doesn't start besides getting
> >>a "ns-slapd failed".
> >>
> >>Thanks (scripts below)
> >>
> >>Joe
> >>
> >>[...]
> >>
> >>--
> >>Fedora-directory-users mailing list
> >>Fedora-directory-users at redhat.com
> >>https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >
> >
> >--
> >Pete
> >
> ><< smime.p7s >>
> >
> >--
> >Fedora-directory-users mailing list
> >Fedora-directory-users at redhat.com
> >https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>--
>Fedora-directory-users mailing list
>Fedora-directory-users at redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>--------------------------------------------------------
>[...]
>
>--
>Fedora-directory-users mailing list
>Fedora-directory-users at redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users

From danhawker at wessexmc.org.uk Wed May 31 15:41:49 2006
From: danhawker at wessexmc.org.uk (Dan Hawker)
Date: Wed, 31 May 2006 16:41:49 +0100 (BST)
Subject: [Fedora-directory-users] Mult-Master Replication
Message-ID: <59558.194.203.13.71.1149090109.squirrel@www.gradwell.com>

Hi All,

Just about to start experimenting with multi-master replication for our
organisation and was looking at the page on the wiki.

The script that is recommended doesn't seem to be available anymore (get a
403 forbidden error). Wondered if anyone had a link to said script that
actually works.

Thanks

Dan

From mj at sci.fi Wed May 31 15:40:19 2006
From: mj at sci.fi (Mike Jackson)
Date: Wed, 31 May 2006 18:40:19 +0300
Subject: [Fedora-directory-users] Mult-Master Replication
In-Reply-To: <59558.194.203.13.71.1149090109.squirrel@www.gradwell.com>
References: <59558.194.203.13.71.1149090109.squirrel@www.gradwell.com>
Message-ID: <447DB8E3.8070009@sci.fi>

Dan Hawker wrote:
> Hi All,
>
> Just about to start experimenting with multi-master replication for our
> organisation and was looking at the page on the wiki.
>
> The script that is recommended doesn't seem to be available anymore (get a
> 403 forbidden error). Wondered if anyone had a link to said script that
> actually works.

Hi Dan,
I am redoing my fileserver at the moment. I will put it back online soon.
Just wait for a day or two.

Sorry.

BR,
Mike

From jsummers at bachman.cs.ou.edu Wed May 31 15:46:15 2006
From: jsummers at bachman.cs.ou.edu (Jim Summers)
Date: Wed, 31 May 2006 10:46:15 -0500
Subject: [Fedora-directory-users] Solaris Client
Message-ID: <447DBA47.2080304@cs.ou.edu>

Hello List,

I am currently in the process of switching from a Sun iPlanet ldap to FDS.
All has gone well except for my one remaining solaris client. I was using
the Solaris Client Howto as a reference.
It mentions using netscape and browsing to the 636 port of my server to get
the necessary certs. I did that and then cp'd and chmod'd the files.

After running ldapclient successfully, I can not issue a successful id
command and see the following in the FDS server log files:

[31/May/2006:10:33:12 -0500] conn=129250 fd=238 slot=238 SSL connection from 129.15.55.135 to 129.15.55.33
[31/May/2006:10:33:12 -0500] conn=129250 op=-1 fd=238 closed - SSL peer cannot verify your certificate.

Not sure what I have overlooked, or a Solaris parameter that would not
require the verification?

I built the certs using the SSL howto. Which all is working great on my
linuxes and OS/X machines.

Ideas / Suggestions?

Many Thanks

--
Jim Summers
School of Computer Science-University of Oklahoma
-------------------------------------------------

From danhawker at wessexmc.org.uk Wed May 31 16:06:32 2006
From: danhawker at wessexmc.org.uk (Dan Hawker)
Date: Wed, 31 May 2006 17:06:32 +0100 (BST)
Subject: [Fedora-directory-users] Mult-Master Replication
In-Reply-To: <447DB8E3.8070009@sci.fi>
References: <59558.194.203.13.71.1149090109.squirrel@www.gradwell.com> <447DB8E3.8070009@sci.fi>
Message-ID: <8084.194.203.13.71.1149091592.squirrel@www.gradwell.com>

On Wed, May 31, 2006 4:40 pm, Mike Jackson wrote:
> Dan Hawker wrote:
>
>> Hi All,
>>
>> Just about to start experimenting with multi-master replication for our
>> organisation and was looking at the page on the wiki.
>>
>> The script that is recommended doesn't seem to be available anymore
>> (get a 403 forbidden error). Wondered if anyone had a link to said
>> script that actually works.
>
> Hi Dan,
> I am redoing my fileserver at the moment. I will put it back online
> soon. Just wait for a day or two.
>
> Sorry.
>
> BR,
> Mike

Hi Mike,

Ah well, we all have to do it sometime :)

Nevermind, as said am still at the experimentation stage, so will hang on
a few days.
Thanks

Dan

From ben.steeves at gmail.com Wed May 31 16:51:08 2006
From: ben.steeves at gmail.com (Ben Steeves)
Date: Wed, 31 May 2006 13:51:08 -0300
Subject: [Fedora-directory-users] Multiple database links (chaining)
In-Reply-To: <447B5F2C.9080405@redhat.com>
References: <7ebb24d10605291038w11c66ee4gf9f982f05a3ce28b@mail.gmail.com> <447B5F2C.9080405@redhat.com>
Message-ID: <7ebb24d10605310951r7f64796el942e6f6634129bc8@mail.gmail.com>

On 5/29/06, Richard Megginson wrote:
> > On a test server, I've set up a "master" suffix, "dc=com", and created
> > directory links to "dc=one,dc=com" and "dc=two,dc=com". I've added
> > the proxy ACI on the One and Two LDAP directories. When I search the
> > test server, I can successfully find objects in the One tree, so it's
> > half working -- but the Two tree doesn't work. I've checked and
> > re-checked and everything appears kosher.
> Does the other LDAP server have dc=com and two sub suffixes
> dc=one,dc=com and dc=two,dc=com? Each with their own "real" database?

Thanks for taking the time to reply, Richard...

The server with the real databases has two suffixes: "dc=one,dc=com"
and "dc=two,dc=com". "dc=com" doesn't exist. Both suffixes have real
databases and work if I query them individually.

I wouldn't be so frustrated if nothing was working, but the fact that
searching with a base of "dc=com" for a UID that appears in
"dc=one,dc=com" works but searching for a UID that appears in
"dc=two,dc=com" doesn't is what's really bugging me. I went so far as
deleting the "dc=one,dc=com" link, but the Two link still doesn't
work, even if it's the only one. The root ACIs on One and Two are
exactly the same (with the obvious changes for the different suffixes
of course).

> >
> > Am I barking up the wrong tree? Is there an easier way to do this?
> > Should I give up and take up basket weaving as a nice, harmless job,
> > and forget systems administration altogether?
> It's difficult to say for sure without reviewing all of your configuration.

Anything semi-specific you'd be curious about?

--
  _     Ben Steeves                  bcs at metacon.ca
 ( )    The ASCII ribbon campaign    ben.steeves at unb.ca
  X     against HTML e-mail          GPG ID: 0xB3EBF1D9
 / \    http://www.metacon.ca/ascii  Yahoo Messenger: ben_steeves

From rmeggins at redhat.com Wed May 31 17:11:55 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 31 May 2006 11:11:55 -0600
Subject: [Fedora-directory-users] Multiple database links (chaining)
In-Reply-To: <7ebb24d10605310951r7f64796el942e6f6634129bc8@mail.gmail.com>
References: <7ebb24d10605291038w11c66ee4gf9f982f05a3ce28b@mail.gmail.com> <447B5F2C.9080405@redhat.com> <7ebb24d10605310951r7f64796el942e6f6634129bc8@mail.gmail.com>
Message-ID: <447DCE5B.900@redhat.com>

Ben Steeves wrote:
> On 5/29/06, Richard Megginson wrote:
>
>> > On a test server, I've set up a "master" suffix, "dc=com", and created
>> > directory links to "dc=one,dc=com" and "dc=two,dc=com". I've added
>> > the proxy ACI on the One and Two LDAP directories. When I search the
>> > test server, I can successfully find objects in the One tree, so it's
>> > half working -- but the Two tree doesn't work. I've checked and
>> > re-checked and everything appears kosher.
>> Does the other LDAP server have dc=com and two sub suffixes
>> dc=one,dc=com and dc=two,dc=com? Each with their own "real" database?
>
> Thanks for taking the time to reply, Richard...
>
> The server with the real databases has two suffixes: "dc=one,dc=com"
> and "dc=two,dc=com". "dc=com" doesn't exist. Both suffixes have real
> databases and work if I query them individually.
>
> I wouldn't be so frustrated if nothing was working, but the fact that
> searching with a base of "dc=com" for a UID that appears in
> "dc=one,dc=com" works but searching for a UID that appears in
> "dc=two,dc=com" doesn't is what's really bugging me.
> I went so far as
> deleting the "dc=one,dc=com" link, but the Two link still doesn't
> work, even if it's the only one. The root ACIs on One and Two are
> exactly the same (with the obvious changes for the different suffixes
> of course).
You could try enabling the trace level logging and the plugin level logging for the error log - perhaps there is a clue in the error log.
>
>> >
>> > Am I barking up the wrong tree? Is there an easier way to do this?
>> > Should I give up and take up basket weaving as a nice, harmless job,
>> > and forget systems administration altogether?
>> It's difficult to say for sure without reviewing all of your
>> configuration.
>
> Anything semi-specific you'd be curious about?
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3178 bytes
Desc: S/MIME Cryptographic Signature
URL:
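An added configuration example for the set-up discussed in this thread; it is not from the list, from Ben's servers or from the product documentation. It shows the pieces that have to agree for two database links under a local dc=com to behave the same way: the error-log level Richard suggests, one chaining backend and one mapping-tree entry per remote suffix on the server that holds dc=com, and the proxy user plus proxy ACI on the farm server that holds the real databases. The farm hostname, the backend names, the proxy DN and its password are assumptions.

```ldif
# Added example, not from the thread or the product documentation.
# Assumed values: farm host farm.example.com, backend names chainbe-one and
# chainbe-two, proxy user cn=proxy admin,cn=config with a placeholder password.
# Parts 1-3 go to the server holding the local dc=com suffix, part 4 to the
# farm server, e.g.  ldapmodify -x -D "cn=Directory Manager" -W -f file.ldif

# 1. Error log level while debugging: 1 (function trace) + 65536 (plug-ins).
#    Set it back to the default 16384 afterwards; this level is very noisy.
dn: cn=config
changetype: modify
replace: nsslapd-errorlog-level
nsslapd-errorlog-level: 65537

# 2. One chaining backend per remote suffix. nsmultiplexorcredentials is kept
#    in clear text in dse.ldif, so that file must stay readable only by the
#    server's user; the proxy user needs no rights beyond "proxy".
dn: cn=chainbe-one,cn=chaining database,cn=plugins,cn=config
changetype: add
objectclass: top
objectclass: extensibleObject
objectclass: nsBackendInstance
cn: chainbe-one
nsslapd-suffix: dc=one,dc=com
nsfarmserverurl: ldap://farm.example.com:389/
nsmultiplexorbinddn: cn=proxy admin,cn=config
nsmultiplexorcredentials: proxy-password-placeholder

dn: cn=chainbe-two,cn=chaining database,cn=plugins,cn=config
changetype: add
objectclass: top
objectclass: extensibleObject
objectclass: nsBackendInstance
cn: chainbe-two
nsslapd-suffix: dc=two,dc=com
nsfarmserverurl: ldap://farm.example.com:389/
nsmultiplexorbinddn: cn=proxy admin,cn=config
nsmultiplexorcredentials: proxy-password-placeholder

# 3. Mapping-tree entries hanging both links under the local dc=com suffix.
#    With one link working and the other not, compare these two entries and
#    the two backend entries attribute by attribute before anything else.
dn: cn="dc=one,dc=com",cn=mapping tree,cn=config
changetype: add
objectclass: top
objectclass: extensibleObject
objectclass: nsMappingTree
cn: dc=one,dc=com
nsslapd-state: backend
nsslapd-backend: chainbe-one
nsslapd-parent-suffix: dc=com

dn: cn="dc=two,dc=com",cn=mapping tree,cn=config
changetype: add
objectclass: top
objectclass: extensibleObject
objectclass: nsMappingTree
cn: dc=two,dc=com
nsslapd-state: backend
nsslapd-backend: chainbe-two
nsslapd-parent-suffix: dc=com

# 4. Farm server: the user the links bind as, and the proxy ACI on each real
#    suffix. Use a dedicated low-privilege user here, never cn=Directory
#    Manager: the link would otherwise carry Directory Manager rights onto
#    the farm for every client that can reach the chaining server.
dn: cn=proxy admin,cn=config
changetype: add
objectclass: top
objectclass: person
cn: proxy admin
sn: proxy admin
userPassword: proxy-password-placeholder

dn: dc=one,dc=com
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "Proxied authorization for database links"; allow (proxy) userdn="ldap:///cn=proxy admin,cn=config";)

dn: dc=two,dc=com
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "Proxied authorization for database links"; allow (proxy) userdn="ldap:///cn=proxy admin,cn=config";)
```

To separate a link problem from an ACI problem, bind to the farm server directly as the proxy user and search dc=two,dc=com with the client's DN as the proxied authorization identity; if that returns entries but the same search through the chaining server does not, the error log at the level above shows the chaining plug-in's bind to the farm and the result code the farm returned for the forwarded operation.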