From ABliss at preferredcare.org Wed Nov 1 02:52:03 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Tue, 31 Oct 2006 21:52:03 -0500
Subject: [Fedora-directory-users] Trouble getting windows to talk to fds
In-Reply-To:
Message-ID:

This is a little scary; in testing getting fds to talk to ad (we're running ad 2003, fds 1.0.2 on 2 redhat 4 boxes), sometimes (2 of 5 times so far) when changing a user's password from the fds console, it actually deletes the user from the active directory box !!! Has anyone else seen this behavior? What can I do to troubleshoot this? Thanks again.

Aaron

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Bliss, Aaron
Sent: Tuesday, October 31, 2006 5:51 PM
To: General discussion list for the Fedora Directory server project.
Subject: RE: [Fedora-directory-users] Trouble getting windows to talk to fds

Thanks very much for your explanations; they have cleared up a lot of grey area for me.

Aaron

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Nathan Kinder
Sent: Tuesday, October 31, 2006 5:49 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Trouble getting windows to talk to fds

Bliss, Aaron wrote:
> That makes perfect sense, as I noticed that the replication agreement I
> created was a supplier/consumer agreement between fds and ad; now I have
> another question, if a new user is created in ad, since the fds box is
> the supplier, how will that uid be replicated to fds?
>
When FDS connects to AD, it will send the dirsync control. This control contains a cookie of sorts. This basically tells AD to give us all modifications since the last time we sent the dirsync control (which it knows from the cookie we are sending). AD then gives us the modifications along with a new cookie to use next time. You can think of this as pull-style replication in the AD->FDS direction. FDS pushes its changes to AD while pulling changes from AD to itself.

-NGK

> Aaron
>
> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com
> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Nathan
> Kinder
> Sent: Tuesday, October 31, 2006 4:44 PM
> To: General discussion list for the Fedora Directory server project.
> Subject: Re: [Fedora-directory-users] Trouble getting windows to talk to
> fds
>
> Bliss, Aaron wrote:
>
>> I'm a little confused here; what is the purpose of the passsync
>> service (I've successfully created a replication agreement over ssl via fds
>> and ad). Thanks again.
>>
> The PassSync service is only responsible for sending password changes
> initiated on the AD side to FDS. Any password that is changed on the
> FDS side will be sent to AD over the synchronization agreement along
> with other user & group changes. The synchronization agreement will
> also pull changes that happened on the AD side over to FDS.
>
> The problem is that AD hashes the password differently than FDS does, so
> FDS needs access to the clear-text password. The only way for this to
> happen when a password change is initiated on the AD side is to have a
> password plug-in installed on the domain controller to get a copy of the
> clear-text password. This is exactly what the PassSync service does.
> It installs a plugin (passhook.dll) that receives the clear-text
> password which passsync.exe sends across to FDS over LDAPS.
>
> Hopefully that clears things up.
>
> -NGK
>
>> Aaron
>>
>
> Confidentiality Notice:
> The information contained in this electronic message is intended for the exclusive use of the individual or entity named above and may contain privileged or confidential information. If the reader of this message is not the intended recipient or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that dissemination, distribution or copying of this information is prohibited. If you have received this communication in error, please notify the sender immediately by telephone and destroy the copies you received.

--
Fedora-directory-users mailing list
Fedora-directory-users at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users

From bachelor_junaid at yahoo.com Wed Nov 1 04:14:28 2006
From: bachelor_junaid at yahoo.com (Junaid)
Date: Tue, 31 Oct 2006 20:14:28 -0800 (PST)
Subject: [Fedora-directory-users] I need some help
Message-ID: <20061101041428.93423.qmail@web51406.mail.yahoo.com>

Hi,
I'm a student doing my graduation in CS; I am working on my project, Fedora Directory Server. Can you help me with how to authenticate a Windows XP client from Fedora Directory Server? Is there any extra configuration or software we require?
Thanks, I'm waiting for your reply.
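An added example for the AD->FDS pull that Nathan Kinder describes earlier in this thread (not FDS or PassSync code). It hand-encodes and decodes the value of the LDAP DirSync control, OID 1.2.840.113556.1.4.841, whose request value is the DER SEQUENCE of flags, maxBytes and the cookie, and whose response carries the new cookie in the same slot. The `simulated_pull` function and its change-number cookie are constructed stand-ins so the round trip can be run offline; real AD cookies are opaque and must only be stored and handed back.

```python
"""Codec for the LDAP DirSync control value (OID 1.2.840.113556.1.4.841).

Added example, not FDS/PassSync code.  The request value is the DER
SEQUENCE { flags INTEGER, maxBytes INTEGER, cookie OCTET STRING }; the
response value has the same shape with moreResults in the first slot and
the new cookie, which the client must persist, in the last.
"""

DIRSYNC_OID = "1.2.840.113556.1.4.841"


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(value: int) -> bytes:
    """Non-negative INTEGER, with a 0x00 pad byte when the top bit is set."""
    if value < 0:
        raise ValueError("negative values not supported here")
    body = value.to_bytes((value.bit_length() + 8) // 8, "big") if value else b"\x00"
    return b"\x02" + _der_len(len(body)) + body


def _der_octets(data: bytes) -> bytes:
    return b"\x04" + _der_len(len(data)) + data


def _der_seq(*parts: bytes) -> bytes:
    body = b"".join(parts)
    return b"\x30" + _der_len(len(body)) + body


def encode_dirsync_value(flags: int, max_bytes: int, cookie: bytes) -> bytes:
    """Value to send in the control; an empty cookie asks for a full dump."""
    return _der_seq(_der_int(flags), _der_int(max_bytes), _der_octets(cookie))


def _read_tlv(buf: bytes, pos: int, tag: int):
    """Return (contents, position after element) for one DER element."""
    if pos >= len(buf) or buf[pos] != tag:
        raise ValueError(f"expected tag {tag:#x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:
        nlen = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nlen], "big")
        pos += nlen
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated element")
    return buf[pos:end], end


def decode_dirsync_value(value: bytes):
    """Parse a control value into (moreResults, maxBytes, cookie).

    A non-zero moreResults means AD had more changes than fit in maxBytes:
    search again with the returned cookie until it reads zero.
    """
    seq, end = _read_tlv(value, 0, 0x30)
    if end != len(value):
        raise ValueError("trailing bytes after SEQUENCE")
    more, pos = _read_tlv(seq, 0, 0x02)
    max_bytes, pos = _read_tlv(seq, pos, 0x02)
    cookie, pos = _read_tlv(seq, pos, 0x04)
    if pos != len(seq):
        raise ValueError("trailing bytes inside SEQUENCE")
    to_int = lambda b: int.from_bytes(b, "big", signed=True)
    return to_int(more), to_int(max_bytes), cookie


def simulated_pull(changelog, cookie: bytes):
    """Constructed stand-in for AD's side of the exchange.

    Here the cookie is simply the highest change number already handed
    out, so a second pull only returns what was added since.  Real AD
    cookies are opaque: store them, hand them back, never interpret them.
    """
    seen = int.from_bytes(cookie, "big") if cookie else 0
    new = [change for change in changelog if change[0] > seen]
    last = new[-1][0] if new else seen
    return new, encode_dirsync_value(0, 0, last.to_bytes(4, "big"))


if __name__ == "__main__":
    log = [(1, "add cn=alice"), (2, "mod cn=bob"), (3, "del cn=carol")]
    changes, resp = simulated_pull(log, b"")      # first sync: no cookie yet
    _, _, cookie = decode_dirsync_value(resp)
    log.append((4, "add cn=dave"))
    changes2, _ = simulated_pull(log, cookie)     # next sync: delta only
    print(len(changes), "changes, then", len(changes2), "with cookie", cookie.hex())
```

The practical point for an operator is the cookie: the consumer side has to store the value returned with every search and present it on the next one, because an empty cookie means "send me everything", and a lost cookie therefore turns the next sync into a full re-pull rather than a delta.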
From mikael.kermorgant at gmail.com Wed Nov 1 12:37:44 2006
From: mikael.kermorgant at gmail.com (Mikael Kermorgant)
Date: Wed, 1 Nov 2006 13:37:44 +0100
Subject: [Fedora-directory-users] I need some help
In-Reply-To: <20061101041428.93423.qmail@web51406.mail.yahoo.com>
References: <20061101041428.93423.qmail@web51406.mail.yahoo.com>
Message-ID: <9711147e0611010437q313ca0d5p2bbda36067972758@mail.gmail.com>

2006/11/1, Junaid :
> Hi,
> I'm a student doing my graduation in CS; I am working on my project,
> Fedora Directory Server. Can you help me with how to authenticate a Windows XP client
> from Fedora Directory Server? Is there any extra configuration or software we
> require?

You could have a look at this :
http://sourceforge.net/projects/pgina/

--
Mikael Kermorgant

From kylet at panix.com Wed Nov 1 13:25:33 2006
From: kylet at panix.com (Kyle Tucker)
Date: Wed, 1 Nov 2006 08:25:33 -0500 (EST)
Subject: [Fedora-directory-users] Linux password change/expiration issue
Message-ID: <200611011325.kA1DPXU17778@panix1.panix.com>

Hi,

I am trying to get password expiration to work on FC5/FDS 1.0.2 and having mixed results. I have set a user's shadowAccount attributes as expired using the following values (with today being 13452):

shadowFlag: 0
shadowExpire: -1
shadowInactive: -1
shadowWarning: 0
shadowMax: 1
shadowMin: 1
shadowLastChange: 13452

All seems well when I log in.

You are required to change your LDAP password immediately.
Last login: Wed Nov 1 07:51:14 2006 from lin1000
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user fjones.
Enter login(LDAP) password:
New UNIX password:
Retype new UNIX password:
LDAP password information changed for fjones
passwd: all authentication tokens updated successfully.
Connection to lin2600 closed.

Except I get booted off and this is the /var/log/secure

Nov 1 07:55:18 lin2600 passwd: pam_unix(passwd:chauthtok): user "fjones" does not exist in /etc/passwd
Nov 1 07:55:29 lin2600 passwd: pam_unix(passwd:chauthtok): user "fjones" does not exist in /etc/passwd
Nov 1 07:55:29 lin2600 sshd[17557]: pam_unix(sshd:session): session closed for user fjones

Attempts to log in again accept the new password, which has changed in LDAP, but I am asked to go through the same loop of changing the password again. The shadow* attributes are NOT changed however. So that's either my culprit or maybe the PAM password entries are not right. That looks like this:

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so

Finally, at the end of this document (http://directory.fedora.redhat.com/wiki/Howto:PAM) it says to add the following to enable password expirations.

dn: cn=config
changetype: modify
add: passwordExp
passwordExp: on
-
add: passwordMaxAge
passwordMaxAge: 8640000

But my other tests seem to indicate some parts of expiration in fact work. Is the above entry necessary? Thanks so much.

--
- Kyle
---------------------------------------------
kylet at panix.com http://www.panix.com/~kylet
---------------------------------------------

From jo.de.troy at gmail.com Wed Nov 1 13:50:14 2006
From: jo.de.troy at gmail.com (Jo De Troy)
Date: Wed, 1 Nov 2006 14:50:14 +0100
Subject: [Fedora-directory-users] Linux password change/expiration issue
Message-ID:

Hi Kyle,

as far as I understand you should not be using the shadowAccount objectClass attributes to get this behaviour but you should be configuring the password policies instead.
Best Regards,
Jo

From aaron.cline at gmail.com Wed Nov 1 14:49:21 2006
From: aaron.cline at gmail.com (Aaron Cline)
Date: Wed, 1 Nov 2006 09:49:21 -0500
Subject: [Fedora-directory-users] Console can't connect or get status of Directory Server
Message-ID: <2f8a29cb0611010649r54ff7c1djfef826ae37072c1c@mail.gmail.com>

Hi folks:

I've been playing with FDS and somehow I think I broke my setup. My console can no longer get the correct "status" of my directory server. It says that the DS is stopped though I can still query it so I don't think it is. Also, when I try to open a DS window, the console tells me it can't connect.

I think the error is related to this:

[01/Nov/2006:10:42:40 +0000] conn=84 fd=66 slot=66 SSL connection from 192.168.225.240 to 192.168.225.240
[01/Nov/2006:10:42:40 +0000] conn=84 op=-1 fd=66 closed - No certificate authority is trusted for SSL client authentication.

I'm using a Cert signed by Verisign so I'm not sure why this wouldn't work. Can anyone shed some light? Maybe this is just a PKI problem that I don't understand.

Also, I don't think I want SSL client authentication... I think I just want SSL Server authentication. Did I turn something on that I shouldn't?

Thanks for any help.

Aaron

From johngw at msi.umn.edu Wed Nov 1 15:13:52 2006
From: johngw at msi.umn.edu (John Griffin-Wiesner)
Date: Wed, 1 Nov 2006 09:13:52 -0600
Subject: [Fedora-directory-users] Need a replica on sles10
Message-ID: <20061101151351.GB32675@fog.msi.umn.edu>

Hello.

I need to set up a replica server for a SLES10 environment which will connect to a FDS master. I would prefer to do this one of two ways:

1) Build/install FDS on SLES10; or
2) Have openldap's slurpd talk to the master FDS, and then use openldap slapd on the SLES10 box to serve ldap.

I've seen in the archives that someone had dsbuild working on SLES9 last December, but then he was unable to get it to setup/run properly. Has anyone succeeded with this on either SLES9 or SLES10?

I haven't given slurpd a try yet. Does anyone know if it is compatible with FDS?

Thanks in advance.

--
John Griffin-Wiesner
Linux Cluster/Unix Systems Administrator
Univ. MN Supercomputing Institute
http://www.msi.umn.edu

From rmeggins at redhat.com Wed Nov 1 15:39:59 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 01 Nov 2006 08:39:59 -0700
Subject: [Fedora-directory-users] Need a replica on sles10
In-Reply-To: <20061101151351.GB32675@fog.msi.umn.edu>
References: <20061101151351.GB32675@fog.msi.umn.edu>
Message-ID: <4548BFCF.2060309@redhat.com>

John Griffin-Wiesner wrote:
> I've seen in the archives that someone had dsbuild working on
> SLES9 last December, but then he was unable to get it to
> setup/run properly. Has anyone succeeded with this on either
> SLES9 or SLES10?
>
Have you tried it with fds103 - http://directory.fedora.redhat.com/sources/dsbuild-fds103.tar.gz

First, read the Building page, and make sure you have all of the pre-requisites installed. There are a lot of them . . .

> I haven't given slurpd a try yet. Does anyone know if it is
> compatible with FDS?
>
It just might work. slurpd is a push model (not the pull model of syncrepl in newer openldap's), and if it just uses plain old ldap add/mod/del operations to push the changes, then it just might work.

> Thanks in advance.

From rmeggins at redhat.com Wed Nov 1 15:41:21 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 01 Nov 2006 08:41:21 -0700
Subject: [Fedora-directory-users] Console can't connect or get status of Directory Server
In-Reply-To: <2f8a29cb0611010649r54ff7c1djfef826ae37072c1c@mail.gmail.com>
References: <2f8a29cb0611010649r54ff7c1djfef826ae37072c1c@mail.gmail.com>
Message-ID: <4548C021.5010800@redhat.com>

Aaron Cline wrote:
> I think the error is related to this:
>
> [01/Nov/2006:10:42:40 +0000] conn=84 fd=66 slot=66 SSL connection from
> 192.168.225.240 to 192.168.225.240
>
> [01/Nov/2006:10:42:40 +0000] conn=84 op=-1 fd=66 closed - No
> certificate authority is trusted for SSL client authentication.
>
> I'm using a Cert signed by Verisign so I'm not sure why this wouldn't
> work. Can anyone shed some light? Maybe this is just a PKI problem
> that I don't understand.
Looks like it's missing the CA cert from Verisign.
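An added example (not FDS code, and not Aaron's actual certificate database) showing how to read that access-log message off the server's NSS cert DB. The text "No certificate authority is trusted for SSL client authentication" is the NSS error the server raises when it is configured to ask for client certificates (nsSSLClientAuth in cn=encryption,cn=config set to allowed or required) but no CA in the database carries the "T" flag in the SSL column of its trust attributes; "C" only trusts a CA to issue server certificates. The script parses the output of `certutil -L -d <certdir>` (the listing below is constructed for the example) and reports whether a T-flagged CA exists, and if not, whether to trust one or to turn client auth off.

```python
"""Read `certutil -L -d <certdir>` output and decide whether NSS can satisfy
SSL client-certificate authentication.  Added example; not part of FDS.

certutil prints one line per certificate: the nickname, then three
comma-separated trust fields for SSL, S/MIME and JAR/XPI.  In the SSL field
"C" is a CA trusted to issue server certs, "T" a CA trusted to issue client
certs, "c" a valid but untrusted CA and "u" a cert whose private key is in
the DB.  A server that requests client certs needs at least one T-flagged
CA; otherwise the handshake is closed with the error seen in the log.
"""
import re
from dataclasses import dataclass
from typing import List


@dataclass
class CertEntry:
    nickname: str
    ssl: str
    smime: str
    jar: str


# nickname, at least two spaces, then three letter groups separated by commas
_LINE = re.compile(r"^(.*?)\s{2,}([A-Za-z]*),([A-Za-z]*),([A-Za-z]*)\s*$")


def parse_certutil_listing(text: str) -> List[CertEntry]:
    """Return one CertEntry per certificate line; headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            entries.append(CertEntry(m.group(1).strip(), m.group(2), m.group(3), m.group(4)))
    return entries


def server_cas(entries: List[CertEntry]) -> List[str]:
    return [e.nickname for e in entries if "C" in e.ssl]


def client_auth_cas(entries: List[CertEntry]) -> List[str]:
    return [e.nickname for e in entries if "T" in e.ssl]


def diagnose(entries: List[CertEntry], ns_ssl_client_auth: str = "allowed") -> str:
    """Combine the listing with the nsSSLClientAuth value from
    cn=encryption,cn=config ("allowed" is the default) into an action."""
    if ns_ssl_client_auth.lower() == "off":
        return "ok: client authentication is off, only the server cert matters"
    trusted = client_auth_cas(entries)
    if trusted:
        return "ok: client auth CA(s): " + ", ".join(trusted)
    # No T-flagged CA: either trust one for client auth or stop asking for certs.
    candidates = server_cas(entries) or [e.nickname for e in entries if "c" in e.ssl]
    if candidates:
        return (f'fail: no CA trusted for client auth; either certutil -M -d <certdir> '
                f'-n "{candidates[0]}" -t "CT,," or set nsSSLClientAuth: off')
    return "fail: no CA certificate in the DB; import the issuing chain first"


# Constructed listing: the issuing CA is present but only valid ("c"), not trusted.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

VeriSign Class 3 Secure Server CA                            c,,
Server-Cert                                                  u,u,u
"""

if __name__ == "__main__":
    found = parse_certutil_listing(SAMPLE_LISTING)
    print(diagnose(found))
    print(diagnose(found, "off"))
```

Run it against real output with `certutil -L -d /path/to/slapd-instance | python3 nss_trust.py` wired in place of the constructed listing; the nickname passed to `certutil -M` must be copied exactly as the listing prints it.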
From aaron.cline at gmail.com Wed Nov 1 16:06:54 2006
From: aaron.cline at gmail.com (Aaron Cline)
Date: Wed, 1 Nov 2006 11:06:54 -0500
Subject: [Fedora-directory-users] Console can't connect or get status of Directory Server
In-Reply-To: <4548C021.5010800@redhat.com>
References: <2f8a29cb0611010649r54ff7c1djfef826ae37072c1c@mail.gmail.com> <4548C021.5010800@redhat.com>
Message-ID: <2f8a29cb0611010806yb7171a8rc2ec71a1f8df9491@mail.gmail.com>

I see several "verisign" certs under the CA area in Certificate Management. Do I have to enable certain trusts on one of them? I thought they were trusted by default.

Thanks,

Aaron C.

On 11/1/06, Richard Megginson wrote:
>
> Aaron Cline wrote:
> > [01/Nov/2006:10:42:40 +0000] conn=84 op=-1 fd=66 closed - No
> > certificate authority is trusted for SSL client authentication.
> >
> > I'm using a Cert signed by Verisign so I'm not sure why this wouldn't
> > work. Can anyone shed some light? Maybe this is just a PKI problem
> > that I don't understand.
> Looks like it's missing the CA cert from Verisign.
> >
> > Also, I don't think I want SSL client authentication... I think I just
> > want SSL Server authentication. Did I turn something on that I
> > shouldn't?

From rmeggins at redhat.com Wed Nov 1 16:13:31 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 01 Nov 2006 09:13:31 -0700
Subject: [Fedora-directory-users] Console can't connect or get status of Directory Server
In-Reply-To: <2f8a29cb0611010806yb7171a8rc2ec71a1f8df9491@mail.gmail.com>
References: <2f8a29cb0611010649r54ff7c1djfef826ae37072c1c@mail.gmail.com> <4548C021.5010800@redhat.com> <2f8a29cb0611010806yb7171a8rc2ec71a1f8df9491@mail.gmail.com>
Message-ID: <4548C7AB.20801@redhat.com>

Aaron Cline wrote:
> I see several "verisign" certs under the CA area in Certificate
> Management. Do I have to enable certain trusts on one of them? I
> thought they were trusted by default.
They should be. It looks like you need to turn off ssl client authentication.

From kylet at panix.com Wed Nov 1 16:29:56 2006
From: kylet at panix.com (Kyle Tucker)
Date: Wed, 1 Nov 2006 11:29:56 -0500 (EST)
Subject: [Fedora-directory-users] Linux password change/expiration issue
In-Reply-To:
Message-ID: <200611011629.kA1GTut00414@panix1.panix.com>

> as far as I understand you should not be using the shadowAccount
> objectClass attributes to get this behaviour

Thanks.
This goes against a lot of the documentation out there.

> but you should be
> configuring the password policies instead.

Are the PADL PAM modules written to be aware of these policies as well as the shadowAccount attributes?

--
- Kyle
---------------------------------------------
kylet at panix.com http://www.panix.com/~kylet
---------------------------------------------

From johngw at msi.umn.edu Wed Nov 1 16:36:40 2006
From: johngw at msi.umn.edu (John Griffin-Wiesner)
Date: Wed, 1 Nov 2006 10:36:40 -0600
Subject: [Fedora-directory-users] Need a replica on sles10
In-Reply-To: <4548BFCF.2060309@redhat.com>
References: <20061101151351.GB32675@fog.msi.umn.edu> <4548BFCF.2060309@redhat.com>
Message-ID: <20061101163640.GE32675@fog.msi.umn.edu>

On Wed, Nov 01, 2006 at 08:39:59AM -0700, Richard Megginson wrote:
> John Griffin-Wiesner wrote:
> > I've seen in the archives that someone had dsbuild working on
> > SLES9 last December, but then he was unable to get it to
> > setup/run properly. Has anyone succeeded with this on either
> > SLES9 or SLES10?
> >
> Have you tried it with fds103 -
> http://directory.fedora.redhat.com/sources/dsbuild-fds103.tar.gz

Yes. Just yesterday.

> First, read the Building page, and make sure you have all of the
> pre-requisites installed. There are a lot of them . . .
> > I haven't given slurpd a try yet. Does anyone know if it is
> > compatible with FDS?
> >
> It just might work. slurpd is a push model (not the pull model of
> syncrepl in newer openldap's), and if it just uses plain old ldap
> add/mod/del operations to push the changes, then it just might work.

If I happen to get lucky with this I'll let you know.

> > Thanks in advance.

--
John Griffin-Wiesner
Linux Cluster/Unix Systems Administrator
Univ. MN Supercomputing Institute
http://www.msi.umn.edu
johngw at msi.umn.edu

From johngw at msi.umn.edu Wed Nov 1 17:24:23 2006
From: johngw at msi.umn.edu (John Griffin-Wiesner)
Date: Wed, 1 Nov 2006 11:24:23 -0600
Subject: [Fedora-directory-users] Need a replica on sles10
In-Reply-To: <4548BFCF.2060309@redhat.com>
References: <20061101151351.GB32675@fog.msi.umn.edu> <4548BFCF.2060309@redhat.com>
Message-ID: <20061101172423.GF32675@fog.msi.umn.edu>

On Wed, Nov 01, 2006 at 08:39:59AM -0700, Richard Megginson wrote:
> John Griffin-Wiesner wrote:
> > I haven't given slurpd a try yet. Does anyone know if it is
> > compatible with FDS?
> >
> It just might work. slurpd is a push model (not the pull model of
> syncrepl in newer openldap's), and if it just uses plain old ldap
> add/mod/del operations to push the changes, then it just might work.
> > Thanks in advance.

Any thoughts on what logs from FDS would be slurp-able, or if FDS supports writing that kind of replication log?

--
John Griffin-Wiesner
Linux Cluster/Unix Systems Administrator
Univ. MN Supercomputing Institute
http://www.msi.umn.edu
johngw at msi.umn.edu

From rmeggins at redhat.com Wed Nov 1 17:34:30 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 01 Nov 2006 10:34:30 -0700
Subject: [Fedora-directory-users] Need a replica on sles10
In-Reply-To: <20061101172423.GF32675@fog.msi.umn.edu>
References: <20061101151351.GB32675@fog.msi.umn.edu> <4548BFCF.2060309@redhat.com> <20061101172423.GF32675@fog.msi.umn.edu>
Message-ID: <4548DAA6.6080301@redhat.com>

John Griffin-Wiesner wrote:
> On Wed, Nov 01, 2006 at 08:39:59AM -0700, Richard Megginson wrote:
>> It just might work. slurpd is a push model (not the pull model of
>> syncrepl in newer openldap's), and if it just uses plain old ldap
>> add/mod/del operations to push the changes, then it just might work.
>
> Any thoughts on what logs from FDS would be slurp-able, or if FDS
> supports writing that kind of replication log?
>
I don't know. FDS has an audit log (off by default) that might be usable by slurpd.

From seriv at omniti.com Wed Nov 1 20:39:55 2006
From: seriv at omniti.com (Sergey Ivanov)
Date: Wed, 01 Nov 2006 15:39:55 -0500
Subject: [Fedora-directory-users] one problem with upgrade from 1.0.2 to 1.0.3
Message-ID: <4549061B.5020601@omniti.com>

I'm trying to upgrade from fedora-ds-1.0.2 to fedora-ds-1.0.3 at fc-3 x86_64.
The machine has different network interfaces pointing one to local network and another to global, with real IP.
The slapd-/config/dse.ldif file contains lines binding ns-slapd to local IP in dn: cn=config section, like:
---
nsslapd-listenhost:
nsslapd-securelistenhost:
---
It was working with fedora-ds-1.0.2
But at upgrade to 1.0.3 server can not be started, I'm getting message:
---
[01/Nov/2006:23:09:53 +0300] createprlistensocket - PR_Bind() on 10.0.0. port 389 failed: Netscape Portable Runtime error -5967 (TCP file descriptor is already bound.)
---
It happens even if there is no binding to 389 port at any interface of this host.
In strace I see the lines:
---
26036 socket(PF_INET6, SOCK_STREAM, IPPROTO_IP) = 6
26036 fcntl(6, F_GETFL) = 0x2 (flags O_RDWR)
26036 fcntl(6, F_SETFL, O_RDWR|O_NONBLOCK) = 0
26036 setsockopt(6, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
26036 bind(6, {sa_family=AF_INET, sin_port=htons(389), sin_addr=inet_addr("10.0.0.")}, 16) = -1 EINVAL (Invalid argument)
---
Please, help me, how to fix this problem.

--
Sergey.

From seriv at omniti.com Wed Nov 1 20:54:21 2006
From: seriv at omniti.com (Sergey Ivanov)
Date: Wed, 01 Nov 2006 15:54:21 -0500
Subject: [Fedora-directory-users] one problem with upgrade from 1.0.2 to 1.0.3
In-Reply-To: <4549061B.5020601@omniti.com>
References: <4549061B.5020601@omniti.com>
Message-ID: <4549097D.7020503@omniti.com>

Sergey Ivanov wrote:

Here is a workaround:
%s/listenhost: /listenhost: ::ffff:10.0.0./
in dse.ldif, and now can start directory server.

--
Sergey.

> I'm trying to upgrade from fedora-ds-1.0.2 to fedora-ds-1.0.3 at fc-3
> x86_64.
> The machine has different network interfaces pointing one to local
> network and another to global, with real IP.
> The slapd-/config/dse.ldif file contains lines binding ns-slapd to
> local IP in dn: cn=config section, like:
> ---
> nsslapd-listenhost:
> nsslapd-securelistenhost:
> ---
> It was working with fedora-ds-1.0.2
> But at upgrade to 1.0.3 server can not be started, I'm getting message:
> ---
> [01/Nov/2006:23:09:53 +0300] createprlistensocket - PR_Bind() on
> 10.0.0. port 389 failed: Netscape Portable Runtime error -5967 (TCP
> file descriptor is already bound.)
> ---
> It happens even if there is no binding to 389 port at any interface of
> this host.
> In strace I see the lines:
> ---
> 26036 socket(PF_INET6, SOCK_STREAM, IPPROTO_IP) = 6
> 26036 fcntl(6, F_GETFL) = 0x2 (flags O_RDWR)
> 26036 fcntl(6, F_SETFL, O_RDWR|O_NONBLOCK) = 0
> 26036 setsockopt(6, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
> 26036 bind(6, {sa_family=AF_INET, sin_port=htons(389),
> sin_addr=inet_addr("10.0.0.")}, 16) = -1 EINVAL (Invalid argument)
> ---

From ABliss at preferredcare.org Wed Nov 1 21:06:45 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Wed, 1 Nov 2006 16:06:45 -0500
Subject: [Fedora-directory-users] Checking password syntax issue with fds 1.0.2
Message-ID:

Hi everyone,
I have a global password policy setup defined as follows:

Minimum length 8
Min required digits 1
Min required upper case 1
Min required lower case 1
Min required special 1
Min required char categories 3

What I've found though is that fds seems to be ignoring the minimum required character categories, as it will only accept passwords that meet all of the above criteria; has anyone else seen this issue? Is there anything else I can do to troubleshoot this? Thanks very much.

Aaron
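An added example (not the server's own code) that models the FDS password-syntax checks behind the policy Aaron posted. Each passwordMin* attribute in cn=config is evaluated on its own and every one of them has to pass, so with the four per-category minimums at 1 a password must already contain all four categories and the passwordMinCategories value of 3 can never relax anything. The two policy dictionaries below are the posted policy and the policy that expresses "any 3 of the categories"; the passwords used are constructed test inputs, and ASCII punctuation stands in for the server's special-character test.

```python
"""Model of the FDS password-syntax checks.  Added example; not the server's
own code.  Every passwordMin* attribute is an independent test and all of
them must pass, so with each per-category minimum at 1 the
passwordMinCategories value never gets a chance to relax anything.
passwordMinAlphas and passwordMaxRepeats, which the posted policy leaves at
their defaults, are omitted here."""
import string
from typing import Dict, List

SPECIALS = set(string.punctuation)  # stands in for the server's special test

# Map of cn=config attribute -> character category it constrains.
PER_CATEGORY = {
    "passwordMinDigits": "digit",
    "passwordMinUppers": "upper",
    "passwordMinLowers": "lower",
    "passwordMinSpecials": "special",
    "passwordMin8Bit": "eightbit",
}


def classify(pw: str) -> Dict[str, int]:
    """Count characters in each category the server distinguishes."""
    return {
        "digit": sum(c.isdigit() for c in pw),
        "upper": sum(c.isupper() for c in pw),
        "lower": sum(c.islower() for c in pw),
        "special": sum(c in SPECIALS for c in pw),
        "eightbit": sum(ord(c) > 127 for c in pw),
    }


def check_syntax(pw: str, policy: Dict[str, int]) -> List[str]:
    """Return the names of the checks that fail; [] means accepted.

    Order matches the way the checks are described: length first, then
    each per-category minimum, then the category count.  Any failure
    rejects the password, which is the AND Pete Rowley describes.
    """
    counts = classify(pw)
    failures = []
    if len(pw) < policy.get("passwordMinLength", 0):
        failures.append("passwordMinLength")
    for attr, cat in PER_CATEGORY.items():
        if counts[cat] < policy.get(attr, 0):
            failures.append(attr)
    present = sum(1 for n in counts.values() if n > 0)
    if present < policy.get("passwordMinCategories", 0):
        failures.append("passwordMinCategories")
    return failures


# The policy exactly as posted: four per-category minimums AND 3 categories.
POLICY_AS_POSTED = {
    "passwordMinLength": 8, "passwordMinDigits": 1, "passwordMinUppers": 1,
    "passwordMinLowers": 1, "passwordMinSpecials": 1, "passwordMinCategories": 3,
}
# "Any 3 of the categories": per-category minimums left at 0, only the count kept.
POLICY_INTENDED = {"passwordMinLength": 8, "passwordMinCategories": 3}


if __name__ == "__main__":
    # Constructed test passwords: three categories, four categories, one category.
    for pw in ("Tr0ub4dor", "Tr0ub4d!", "troubador"):
        print(f"{pw:10} posted: {check_syntax(pw, POLICY_AS_POSTED) or 'ok'}"
              f"  intended: {check_syntax(pw, POLICY_INTENDED) or 'ok'}")
```

The useful check before changing a production policy is the first password: it has digits, upper and lower case but no special character, so it satisfies "3 of 4 categories" yet is rejected by the posted policy solely on passwordMinSpecials, which is the behaviour Aaron observed.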
From prowley at redhat.com Wed Nov 1 21:25:48 2006
From: prowley at redhat.com (Pete Rowley)
Date: Wed, 01 Nov 2006 13:25:48 -0800
Subject: [Fedora-directory-users] Checking password syntax issue with fds 1.0.2
In-Reply-To:
References:
Message-ID: <454910DC.70205@redhat.com>

Bliss, Aaron wrote:
>
> Hi everyone,
> I have a global password policy setup defined as follows:
> Minimum length 8
> Min required digits 1
> Min required upper case 1
> Min required lower case 1
> Min required special 1
>
> Min required char categories 3
>
> What I've found though is that fds seems to be ignoring the minimum
> required character categories, as it will only accept passwords that
> meet all of the above criteria; has anyone else seen this issue? Is
> there anything else I can do to troubleshoot this? Thanks very much.
>
If the behavior you want is just minimum categories those 1's should be zeros. Think of the individual categories as an AND, so you could say min cats = 3 AND at least 2 digits.

--
Pete

From GCopeland at efjohnson.com Wed Nov 1 21:49:44 2006
From: GCopeland at efjohnson.com (Greg Copeland)
Date: Wed, 1 Nov 2006 15:49:44 -0600
Subject: [Fedora-directory-users] Upgrade confirmation?
Message-ID: <273A72C669F45B4996896A031B88CCEF3266FF@EFJDFWMX01.EFJDFW.local>

Can anyone confirm an "rpm -Uvh" with the 1.0.3 release, from a 1.0.2 release, works as designed?

Best Regards,

Greg Copeland

From rmeggins at redhat.com Wed Nov 1 21:58:18 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 01 Nov 2006 14:58:18 -0700
Subject: [Fedora-directory-users] Upgrade confirmation?
In-Reply-To: <273A72C669F45B4996896A031B88CCEF3266FF@EFJDFWMX01.EFJDFW.local>
References: <273A72C669F45B4996896A031B88CCEF3266FF@EFJDFWMX01.EFJDFW.local>
Message-ID: <4549187A.20502@redhat.com>

Greg Copeland wrote:
>
> Can anyone confirm an "rpm -Uvh" with the 1.0.3 release, from a 1.0.2
> release, works as designed?
>
So far we've had 3 people who had problems with files/directories (slapd-instance/config) changing ownership from "nobody" to "root" after rpm -U and setup. And one of those 3 only had the problem on 1 of their machines. Several other people have had no problems.

From kylet at panix.com Thu Nov 2 01:39:02 2006
From: kylet at panix.com (Kyle Tucker)
Date: Wed, 1 Nov 2006 20:39:02 -0500 (EST)
Subject: [Fedora-directory-users] Linux password change/expiration issue
In-Reply-To:
Message-ID: <200611020139.kA21d2V23394@panix1.panix.com>

> as far as I understand you should not be using the shadowAccount
> objectClass attributes to get this behaviour but you should be
> configuring the password policies instead.

Okay, I have spent a couple hours with DS's password policy and do not like it. Why are shadowAccount attributes in the schema and allowed if not to be used? It seems OpenLDAP supports them.
--
- Kyle
---------------------------------------------
kylet at panix.com
http://www.panix.com/~kylet
---------------------------------------------

From ABliss at preferredcare.org Thu Nov 2 02:41:20 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Wed, 1 Nov 2006 21:41:20 -0500
Subject: [Fedora-directory-users] Trouble getting windows to talk to fds
In-Reply-To:
Message-ID:

I've found that by not mixing the old fds directory users with current ad users (i.e. doing a full sync for the users ou in ad to the People ou in fds and then manually fixing missing host attributes of the ad objects), this issue has been resolved; I have however found something else: some ad users didn't come over with the initial sync. It turns out these accounts in ad don't have first or last names; after fixing these attributes, is there an easy way to make the users appear as new users to the fds synchronization mechanism so that those objects that were not originally synchronized will be brought over? Thanks again.

Aaron

-----Original Message-----
From: Bliss, Aaron
Sent: Tuesday, October 31, 2006 9:52 PM
To: Bliss, Aaron; General discussion list for the Fedora Directory server project.
Subject: RE: [Fedora-directory-users] Trouble getting windows to talk to fds

This is a little scary; in testing in getting fds to talk to ad (we're running ad 2003, fds 1.0.2 on 2 redhat 4 boxes), sometimes (2 of 5 times so far) when changing a user's password from the fds console, it actually deletes the user from the active directory box!!! Has anyone else seen this behavior? What can I do to troubleshoot this? Thanks again.

Aaron

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Bliss, Aaron
Sent: Tuesday, October 31, 2006 5:51 PM
To: General discussion list for the Fedora Directory server project.
Subject: RE: [Fedora-directory-users] Trouble getting windows to talk to fds

Thanks very much for your explanations; they have cleared up a lot of grey area for me.

Aaron

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Nathan Kinder
Sent: Tuesday, October 31, 2006 5:49 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Trouble getting windows to talk to fds

Bliss, Aaron wrote:
> That makes perfect sense, as I noticed that the replication agreement I created was a supplier/consumer agreement between fds and ad; now I have another question: if a new user is created in ad, since the fds box is the supplier, how will that uid be replicated to fds?

When FDS connects to AD, it will send the dirsync control. This control contains a cookie of sorts. This basically tells AD to give us all modifications since the last time we sent the dirsync control (which it knows from the cookie we are sending). AD then gives us the modifications along with a new cookie to use next time. You can think of this as pull-style replication in the AD->FDS direction. FDS pushes its changes to AD while pulling changes from AD to itself.

-NGK

> Aaron
>
> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Nathan Kinder
> Sent: Tuesday, October 31, 2006 4:44 PM
> To: General discussion list for the Fedora Directory server project.
> Subject: Re: [Fedora-directory-users] Trouble getting windows to talk to fds
>
> Bliss, Aaron wrote:
>> I'm a little confused here; what is the purpose of the passsync service (I've successfully created a replication agreement over ssl via fds and ad). Thanks again.
>
> The PassSync service is only responsible for sending password changes initiated on the AD side to FDS.
> Any password that is changed on the FDS side will be sent to AD over the synchronization agreement along with other user & group changes. The synchronization agreement will also pull changes that happened on the AD side over to FDS.
>
> The problem is that AD hashes the password differently than FDS does, so FDS needs access to the clear-text password. The only way for this to happen when a password change is initiated on the AD side is to have a password plug-in installed on the domain controller to get a copy of the clear-text password. This is exactly what the PassSync service does. It installs a plugin (passhook.dll) that receives the clear-text password which passsync.exe sends across to FDS over LDAPS.
>
> Hopefully that clears things up.
>
> -NGK
>
>> Aaron

From deighton at gmail.com Thu Nov 2 14:21:27 2006
From: deighton at gmail.com (Dan Deighton)
Date: Thu, 2 Nov 2006 09:21:27 -0500
Subject: [Fedora-directory-users] Problem accessing Configuration Directory after upgrade to 1.0.3
Message-ID: <2717b73b0611020621l444ba03bvd29ed5c9d02b822d@mail.gmail.com>

With FDS 1.0.2, I had setup a Secure Connection under the Configuration DS in the Admin Console. Everything was going fine until I updated to 1.0.3. After that, the Directory Server would start, but the Admin Server would not.

I thought it may have been a problem with the upgrade, so I did a fresh install of FDS 1.0.3. As soon as I enabled a Secure Connection for the Configuration DS, the problem was back.

I had no problem setting up encryption for the Admin Server and the User DS. It only happens with the Configuration DS.

Has anyone else seen this problem? Am I missing something obvious that changed with 1.0.3?

Any help would be appreciated.

Thanks

From rmeggins at redhat.com Thu Nov 2 15:09:35 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 02 Nov 2006 08:09:35 -0700
Subject: [Fedora-directory-users] Problem accessing Configuration Directory after upgrade to 1.0.3
In-Reply-To: <2717b73b0611020621l444ba03bvd29ed5c9d02b822d@mail.gmail.com>
References: <2717b73b0611020621l444ba03bvd29ed5c9d02b822d@mail.gmail.com>
Message-ID: <454A0A2F.9010502@redhat.com>

Dan Deighton wrote:
> With FDS 1.0.2, I had setup a Secure Connection under the Configuration DS in the Admin Console. Everything was going fine until I updated to 1.0.3.
> After that, the Directory Server would start, but the Admin Server would not.
>
> I thought it may have been a problem with the upgrade, so I did a fresh install of FDS 1.0.3. As soon as I enabled a Secure Connection for the Configuration DS, the problem was back.

Can you post the error log from your admin server? admin-serv/logs/error
If that doesn't have much information in it, try doing
start-admin -e debug

> I had no problem setting up encryption for the Admin Server and the User DS. It only happens with the Configuration DS.
>
> Has anyone else seen this problem? Am I missing something obvious that changed with 1.0.3?
>
> Any help would be appreciated.
>
> Thanks

From rmeggins at redhat.com Thu Nov 2 15:32:35 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 02 Nov 2006 08:32:35 -0700
Subject: [Fedora-directory-users] one problem with upgrade from 1.0.2 to 1.0.3
In-Reply-To: <4549097D.7020503@omniti.com>
References: <4549061B.5020601@omniti.com> <4549097D.7020503@omniti.com>
Message-ID: <454A0F93.7000707@redhat.com>

Sergey Ivanov wrote:
> Sergey Ivanov wrote:
> Here is a workaround:
> %s/listenhost: /listenhost: ::ffff:10.0.0./
> in dse.ldif, and now can start directory server.

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=213626

From deighton at gmail.com Thu Nov 2 15:39:25 2006
From: deighton at gmail.com (Dan Deighton)
Date: Thu, 2 Nov 2006 10:39:25 -0500
Subject: [Fedora-directory-users] Problem accessing Configuration Directory after upgrade to 1.0.3
Message-ID: <2717b73b0611020739p6d13c834qfcfb6aa18f9226c8@mail.gmail.com>

On Thu, 2006-11-02 at 08:09 -0700, Richard Megginson wrote:
> Dan Deighton wrote:
>> With FDS 1.0.2, I had setup a Secure Connection under the Configuration DS in the Admin Console. Everything was going fine until I updated to 1.0.3. After that, the Directory Server would start, but the Admin Server would not.
>>
>> I thought it may have been a problem with the upgrade, so I did a fresh install of FDS 1.0.3. As soon as I enabled a Secure Connection for the Configuration DS, the problem was back.
>
> Can you post the error log from your admin server? admin-serv/logs/error
> If that doesn't have much information in it, try doing
> start-admin -e debug
>
>> I had no problem setting up encryption for the Admin Server and the User DS. It only happens with the Configuration DS.
>>
>> Has anyone else seen this problem? Am I missing something obvious that changed with 1.0.3?
>>
>> Any help would be appreciated.
>> Thanks

Without debug:
--------------

admin-serv/logs/error:
---
[Thu Nov 02 10:27:11 2006] [warn] NSSProtocols not set; using: SSLv3 and TLSv1
[Thu Nov 02 10:27:12 2006] [crit] mod_admserv_post_config(): unable to build user/group LDAP server info: unable to set User/Group baseDN
Configuration Failed
---
--------------

With debug:
--------------

admin-serv/logs/error
---
[Thu Nov 02 10:31:34 2006] [info] done Init: Initializing NSS library
[Thu Nov 02 10:31:34 2006] [warn] NSSProtocols not set; using: SSLv3 and TLSv1
[Thu Nov 02 10:31:35 2006] [debug] mod_admserv.c(760): sslinit: mod_nss has been started and initialized
[Thu Nov 02 10:31:35 2006] [crit] mod_admserv_post_config(): unable to build user/group LDAP server info: unable to set User/Group baseDN
Configuration Failed
---

STDOUT:
---
./start-admin -e debug
[Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module access_module
[Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module auth_module
[Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module log_config_module
[Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module env_module
[Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module mime_magic_module
[Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module expires_module
[Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module deflate_module
[Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module headers_module
[Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module unique_id_module
[Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module setenvif_module
[Thu Nov 02
10:31:29 2006] [debug] mod_so.c(247): loaded module mime_module
[Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module vhost_alias_module
[Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module negotiation_module
[Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module dir_module
[Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module actions_module
[Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module alias_module
[Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module rewrite_module
[Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module cache_module
[Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module disk_cache_module
[Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module file_cache_module
[Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module mem_cache_module
[Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module cgi_module
[Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module restartd_module
[Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module nss_module
[Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module admserv_module
[Thu Nov 02 10:31:29 2006] [debug] mod_admserv.c(2382): [22117] create_server_config [0x9f09370] for (null)
[Thu Nov 02 10:31:29 2006] [debug] mod_admserv.c(2370): [22117] create_config [0x9f09380] for (null)
[Thu Nov 02 10:31:29 2006] [debug] mod_admserv.c(2431): [22117] Set [0x9f09370] [ADMCacheLifeTime] to 600
[Thu Nov 02 10:31:29 2006] [debug] mod_admserv.c(2449): [22117] Set [0x9f09370] [ADMServerVersionString] to Fedora-Administrator/1.0.3
[Thu Nov 02 10:31:29 2006] [debug] mod_admserv.c(2370): [22117] create_config [0x9f38f88] for /opt/fedora-ds/clients/dsgw/bin/
[Thu Nov 02 10:31:29 2006] [debug] mod_admserv.c(2370): [22117] create_config [0x9f3a2b0] for /*/[tT]asks/[Oo]peration/*
[Thu Nov 02 10:31:29 2006] [debug] mod_admserv.c(2370): [22117] create_config [0x9f38878] for /*/[tT]asks/[Cc]onfiguration/*
[Thu
Nov 02 10:31:29 2006] [debug] mod_admserv.c(2370): [22117] create_config [0x9f3b8e0] for /*/[tT]asks/[Oo]peration/(?i:stop|start|restart|startconfigds|create)$
Please enter password for "internal" token:
---
--------------

From rmeggins at redhat.com Thu Nov 2 16:31:44 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 02 Nov 2006 09:31:44 -0700
Subject: [Fedora-directory-users] Problem accessing Configuration Directory after upgrade to 1.0.3
In-Reply-To: <2717b73b0611020739p6d13c834qfcfb6aa18f9226c8@mail.gmail.com>
References: <2717b73b0611020739p6d13c834qfcfb6aa18f9226c8@mail.gmail.com>
Message-ID: <454A1D70.3010704@redhat.com>

Dan Deighton wrote:
> On Thu, 2006-11-02 at 08:09 -0700, Richard Megginson wrote:
> Dan Deighton wrote:
>> With FDS 1.0.2, I had setup a Secure Connection under the Configuration DS in the Admin Console. Everything was going fine until I updated to 1.0.3. After that, the Directory Server would start, but the Admin Server would not.
>>
>> I thought it may have been a problem with the upgrade, so I did a fresh install of FDS 1.0.3. As soon as I enabled a Secure Connection for the Configuration DS, the problem was back.
> Can you post the error log from your admin server? admin-serv/logs/error
> If that doesn't have much information in it, try doing
> start-admin -e debug

Thanks. The last line of error output is odd:
> Please enter password for "internal" token:
Are you using a pin file for the admin server ssl password? If not, did you type in the password on the command line?

>> I had no problem setting up encryption for the Admin Server and the User DS. It only happens with the Configuration DS.
>>
>> Has anyone else seen this problem? Am I missing something obvious that changed with 1.0.3?
>>
>> Any help would be appreciated.
>> Thanks
>
> Without debug:
> --------------
>
> admin-serv/logs/error:
> ---
> [Thu Nov 02 10:27:11 2006] [warn] NSSProtocols not set; using: SSLv3 and TLSv1
> [Thu Nov 02 10:27:12 2006] [crit] mod_admserv_post_config(): unable to build user/group LDAP server info: unable to set User/Group baseDN
> Configuration Failed
> ---
> --------------
>
> With debug:
> --------------
>
> admin-serv/logs/error
> ---
> [Thu Nov 02 10:31:34 2006] [info] done Init: Initializing NSS library
> [Thu Nov 02 10:31:34 2006] [warn] NSSProtocols not set; using: SSLv3 and TLSv1
> [Thu Nov 02 10:31:35 2006] [debug] mod_admserv.c(760): sslinit: mod_nss has been started and initialized
> [Thu Nov 02 10:31:35 2006] [crit] mod_admserv_post_config(): unable to build user/group LDAP server info: unable to set User/Group baseDN
> Configuration Failed
> ---
>
> STDOUT:
> ---
> ./start-admin -e debug
> [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module access_module
> [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module auth_module
> [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module log_config_module
> [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module env_module
> [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module mime_magic_module
> [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module expires_module
> [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module deflate_module
> [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module headers_module
> [Thu Nov 02 10:31:29 2006] [debug]
> mod_so.c(247): loaded module unique_id_module
> [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module setenvif_module
> [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module mime_module
> [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module vhost_alias_module
> [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module negotiation_module
> [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module dir_module
> [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module actions_module
> [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module alias_module
> [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module rewrite_module
> [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module cache_module
> [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module disk_cache_module
> [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module file_cache_module
> [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module mem_cache_module
> [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module cgi_module
> [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module restartd_module
> [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module nss_module
> [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module admserv_module
> [Thu Nov 02 10:31:29 2006] [debug] mod_admserv.c(2382): [22117] create_server_config [0x9f09370] for (null)
> [Thu Nov 02 10:31:29 2006] [debug] mod_admserv.c(2370): [22117] create_config [0x9f09380] for (null)
> [Thu Nov 02 10:31:29 2006] [debug] mod_admserv.c(2431): [22117] Set [0x9f09370] [ADMCacheLifeTime] to 600
> [Thu Nov 02 10:31:29 2006] [debug] mod_admserv.c(2449): [22117] Set [0x9f09370] [ADMServerVersionString] to Fedora-Administrator/1.0.3
> [Thu Nov 02 10:31:29 2006] [debug] mod_admserv.c(2370): [22117] create_config [0x9f38f88] for /opt/fedora-ds/clients/dsgw/bin/
> [Thu Nov 02 10:31:29
> 2006] [debug] mod_admserv.c(2370): [22117] create_config [0x9f3a2b0] for /*/[tT]asks/[Oo]peration/*
> [Thu Nov 02 10:31:29 2006] [debug] mod_admserv.c(2370): [22117] create_config [0x9f38878] for /*/[tT]asks/[Cc]onfiguration/*
> [Thu Nov 02 10:31:29 2006] [debug] mod_admserv.c(2370): [22117] create_config [0x9f3b8e0] for /*/[tT]asks/[Oo]peration/(?i:stop|start|restart|startconfigds|create)$
> Please enter password for "internal" token:
>
> ---
>
> --------------

From seriv at omniti.com Thu Nov 2 17:20:37 2006
From: seriv at omniti.com (Sergey Ivanov)
Date: Thu, 02 Nov 2006 12:20:37 -0500
Subject: [Fedora-directory-users] Problems Setting up 1.0.3
In-Reply-To: <4547BE4F.80407@redhat.com>
References: <1162320912.9441.21.camel@houuc8> <45479BF4.7050707@sci.fi> <4547B4A5.5060700@omniti.com> <4547BE4F.80407@redhat.com>
Message-ID: <454A28E5.5010405@omniti.com>

Richard Megginson wrote:
> Sergey Ivanov wrote:
>> For me it was a problem with ownership of directories in /opt/fedora-ds/slapd-/ tree. logs, locks and config ownership was changed by upgrade process to root. So the ns-slapd process was unable to start. Also the file /opt/fedora-ds/slapd-/config/dse.ldif.startOK was there in the way, being unable to be deleted - lack of permissions.
>
> Very odd.
> It doesn't appear that setup does this, the chown is done in the server itself:
> main.c:
> fix_ownership()
> {
>     struct passwd* pw=NULL;
>     char dirname[MAXPATHLEN + 1];
>
>     slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
>
>     if ( slapdFrontendConfig->localuser != NULL ) {
>         if ( (pw = getpwnam( slapdFrontendConfig->localuser )) == NULL )
>             return;
> localuser should be "nobody" or the uid of the server user. So one possible problem is that if this is set to "root" for some reason.
>     }
>     else {
>         return;
>     }
>
>     /* The instance directory needs to be owned by the local user */
>     slapd_chown_if_not_owner( slapdFrontendConfig->instancedir, pw->pw_uid, -1 );
> instancedir is "/opt/fedora-ds/slapd-instance"
>
>     PR_snprintf(dirname,sizeof(dirname),"%s/config",slapdFrontendConfig->instancedir);
>
>     chown_dir_files(dirname, pw, PR_FALSE); /* config directory */
>     chown_dir_files(slapdFrontendConfig->accesslog, pw, PR_TRUE); /* do access log directory */
>     chown_dir_files(slapdFrontendConfig->auditlog, pw, PR_TRUE); /* do audit log directory */
>     chown_dir_files(slapdFrontendConfig->errorlog, pw, PR_TRUE); /* do error log directory */
>
> chown_dir_files chowns the directory and all of the files in it (does not recurse). If given a file name, it will strip off the file name (PR_TRUE).
>
> It would appear that the only way this can happen is if either slapdFrontendConfig->localuser is "root" or getpwnam( slapdFrontendConfig->localuser ) returns uid 0. If someone can come up with a reproducible test case, please let me know. So far, I've just done simple fds102 install followed by upgrade to fds103 on RHEL4 using the default values. I cannot reproduce this problem.
>
> }
>

Hi Richard,
I have upgraded yesterday the last of my ldap servers. The most difficult problem there is described in https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=213626
And this problem with ownership and permission denied was reproduced once more.
I have screenlog of the session, and logs of admin and ldap servers. Also I see a file /opt/fedora-ds/setup/myinstall.inf with the following contents:
---
[General]
FullMachineName=
SuiteSpotUserID= root
SuitespotGroup= root
ServerRoot= /opt/fedora-ds
ConfigDirectoryLdapURL= \ ldap://.:389/o=NetscapeRoot
ConfigDirectoryAdminID= admin
AdminDomain=
ConfigDirectoryAdminPwd=

[admin]
ServerAdminID= admin
ServerAdminPwd=
SysUser= root
Port= 18080
ServerIpAddress=
---
Is this 'root' in [admin] part of this file connected to the problem?

I also attach a snippet from screen session log, with ip addresses, passwords and host/domain names replaced.

--
With best regards, Sergey Ivanov.

An embedded and charset-unspecified text was scrubbed...
Name: log.txt

From deighton at gmail.com Thu Nov 2 17:25:23 2006
From: deighton at gmail.com (Dan Deighton)
Date: Thu, 2 Nov 2006 12:25:23 -0500
Subject: [Fedora-directory-users] Problem accessing Configuration Directory after upgrade to 1.0.3
Message-ID: <2717b73b0611020925u5c17fe13q2845078f2a38ef6d@mail.gmail.com>

On Thu, 2006-11-02 at 09:31 -0700, Richard Megginson wrote:
> Dan Deighton wrote:
>> On Thu, 2006-11-02 at 08:09 -0700, Richard Megginson wrote:
>> Dan Deighton wrote:
>>> With FDS 1.0.2, I had setup a Secure Connection under the Configuration DS in the Admin Console. Everything was going fine until I updated to 1.0.3. After that, the Directory Server would start, but the Admin Server would not.
>>>
>>> I thought it may have been a problem with the upgrade, so I did a fresh install of FDS 1.0.3. As soon as I enabled a Secure Connection for the Configuration DS, the problem was back.
>> Can you post the error log from your admin server? admin-serv/logs/error
>> If that doesn't have much information in it, try doing
>> start-admin -e debug
> Thanks.
> The last line of error output is odd:
>> Please enter password for "internal" token:
> Are you using a pin file for the admin server ssl password?

No

> If not, did you type in the password on the command line?

Yes, I typed in the password. This password was created when I first managed the certificate for the Admin Server. I am prompted for this password as soon as SSL is enabled for the Admin Server. This works fine if the configuration DS is not using SSL. As soon as a secure connection is used for the Configuration DS it fails.

>>> I had no problem setting up encryption for the Admin Server and the User DS. It only happens with the Configuration DS.
>>>
>>> Has anyone else seen this problem? Am I missing something obvious that changed with 1.0.3?
>>>
>>> Any help would be appreciated.
>>>
>>> Thanks
>>
>> Without debug:
>> --------------
>>
>> admin-serv/logs/error:
>> ---
>> [Thu Nov 02 10:27:11 2006] [warn] NSSProtocols not set; using: SSLv3 and TLSv1
>> [Thu Nov 02 10:27:12 2006] [crit] mod_admserv_post_config(): unable to build user/group LDAP server info: unable to set User/Group baseDN
>> Configuration Failed
>> ---
>> --------------
>>
>> With debug:
>> --------------
>>
>> admin-serv/logs/error
>> ---
>> [Thu Nov 02 10:31:34 2006] [info] done Init: Initializing NSS library
>> [Thu Nov 02 10:31:34 2006] [warn] NSSProtocols not set; using: SSLv3 and TLSv1
>> [Thu Nov 02 10:31:35 2006] [debug] mod_admserv.c(760): sslinit: mod_nss has been started and initialized
>> [Thu Nov
>> 02 10:31:35 2006] [crit] mod_admserv_post_config(): unable to build user/group LDAP server info: unable to set User/Group baseDN
>> Configuration Failed
>> ---
>>
>> STDOUT:
>> ---
>> ./start-admin -e debug
>> [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module access_module
>> [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module auth_module
>> [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module log_config_module
>> [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module env_module
>> [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module mime_magic_module
>> [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module expires_module
>> [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module deflate_module
>> [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module headers_module
>> [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module unique_id_module
>> [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module setenvif_module
>> [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module mime_module
>> [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module vhost_alias_module
>> [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module negotiation_module
>> [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module dir_module
>> [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module actions_module
>> [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module alias_module
>> [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module rewrite_module
>> [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module cache_module
>> [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module disk_cache_module
>> [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module file_cache_module
>> [Thu Nov 02 10:31:29 2006]
>> [debug] mod_so.c(247): loaded module mem_cache_module
>> [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module cgi_module
>> [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module restartd_module
>> [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module nss_module
>> [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module admserv_module
>> [Thu Nov 02 10:31:29 2006] [debug] mod_admserv.c(2382): [22117] create_server_config [0x9f09370] for (null)
>> [Thu Nov 02 10:31:29 2006] [debug] mod_admserv.c(2370): [22117] create_config [0x9f09380] for (null)
>> [Thu Nov 02 10:31:29 2006] [debug] mod_admserv.c(2431): [22117] Set [0x9f09370] [ADMCacheLifeTime] to 600
>> [Thu Nov 02 10:31:29 2006] [debug] mod_admserv.c(2449): [22117] Set [0x9f09370] [ADMServerVersionString] to Fedora-Administrator/1.0.3
>> [Thu Nov 02 10:31:29 2006] [debug] mod_admserv.c(2370): [22117] create_config [0x9f38f88] for /opt/fedora-ds/clients/dsgw/bin/
>> [Thu Nov 02 10:31:29 2006] [debug] mod_admserv.c(2370): [22117] create_config [0x9f3a2b0] for /*/[tT]asks/[Oo]peration/*
>> [Thu Nov 02 10:31:29 2006] [debug] mod_admserv.c(2370): [22117] create_config [0x9f38878] for /*/[tT]asks/[Cc]onfiguration/*
>> [Thu Nov 02 10:31:29 2006] [debug] mod_admserv.c(2370): [22117] create_config [0x9f3b8e0] for /*/[tT]asks/[Oo]peration/(?i:stop|start|restart|startconfigds|create)$
>> Please enter password for "internal" token:
>>
>> ---
>>
>> --------------

From rmeggins at redhat.com Thu Nov 2 17:45:50 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 02 Nov 2006 10:45:50 -0700
Subject:
[Fedora-directory-users] Problems Setting up 1.0.3
In-Reply-To: <454A28E5.5010405@omniti.com>
References: <1162320912.9441.21.camel@houuc8> <45479BF4.7050707@sci.fi> <4547B4A5.5060700@omniti.com> <4547BE4F.80407@redhat.com> <454A28E5.5010405@omniti.com>
Message-ID: <454A2ECE.9030104@redhat.com>

Sergey Ivanov wrote:
> Richard Megginson wrote:
>> Sergey Ivanov wrote:
>>> For me it was a problem with ownership of directories in /opt/fedora-ds/slapd-/ tree. logs, locks and config ownership was changed by upgrade process to root. So the ns-slapd process was unable to start. Also the file /opt/fedora-ds/slapd-/config/dse.ldif.startOK was there in the way, being unable to be deleted - lack of permissions.
>>
>> Very odd. It doesn't appear that setup does this, the chown is done in the server itself:
>> main.c:
>> fix_ownership()
>> {
>>     struct passwd* pw=NULL;
>>     char dirname[MAXPATHLEN + 1];
>>
>>     slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
>>
>>     if ( slapdFrontendConfig->localuser != NULL ) {
>>         if ( (pw = getpwnam( slapdFrontendConfig->localuser )) == NULL )
>>             return;
>> localuser should be "nobody" or the uid of the server user. So one possible problem is that if this is set to "root" for some reason.
>> } >> else { >> return; >> } >> >> /* The instance directory needs to be owned by the local user */ >> slapd_chown_if_not_owner( slapdFrontendConfig->instancedir, >> pw->pw_uid, -1 ); >> instancedir is "/opt/fedora-ds/slapd-instance" >> >> PR_snprintf(dirname,sizeof(dirname),"%s/config",slapdFrontendConfig->instancedir); >> >> chown_dir_files(dirname, pw, PR_FALSE); /* config directory */ >> chown_dir_files(slapdFrontendConfig->accesslog, pw, PR_TRUE); /* do >> access log directory */ >> chown_dir_files(slapdFrontendConfig->auditlog, pw, PR_TRUE); /* do >> audit log directory */ >> chown_dir_files(slapdFrontendConfig->errorlog, pw, PR_TRUE); /* do >> error log directory */ >> >> chown_dir_files chowns the directory and all of the files in it (does >> not recurse). If given a file name, it will strip off the file name >> (PR_TRUE). >> >> It would appear that the only way this can happen is if either >> slapdFrontendConfig->localuser is "root" or getpwnam( >> slapdFrontendConfig->localuser ) returns uid 0. If someone can come up >> with a reproducible test case, please let me know. So far, I've just >> done simple fds102 install followed by upgrade to fds103 on RHEL4 using >> the default values. I cannot reproduce this problem. >> >> } >> >> >> > Hi Richard, > I have upgraded yesterday the last of my ldap servers. The most > difficult problem there is described in > https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=213626 > And this problem with ownership and permission denied was reproduced > once more. I have screenlog of the session, and logs of admin and ldap > servers. Also I see a file /opt/fedora-ds/setup/myinstall.inf with the > following contents: > --- > [General] > FullMachineName= > SuiteSpotUserID= root > SuitespotGroup= root > This is a great clue. 
The setup script uses the following command to determine these values:
    suitespotuser=`ls -l /opt/fedora-ds/slapd-instance/config/dse.ldif | awk '{print $3}'`
    suitespotgroup=`ls -l /opt/fedora-ds/slapd-instance/config/dse.ldif | awk '{print $4}'`
So somehow the ownership of dse.ldif was changed from nobody:nobody to
root:root. Either that, or the above command is not working. Is it
possible that it is not using /bin/ls?
> ServerRoot= /opt/fedora-ds
> ConfigDirectoryLdapURL= \ ldap://.:389/o=NetscapeRoot
> ConfigDirectoryAdminID= admin
> AdminDomain=
> ConfigDirectoryAdminPwd=
>
> [admin]
> ServerAdminID= admin
> ServerAdminPwd=
> SysUser= root
> Port= 18080
> ServerIpAddress=
> ---
> Is this 'root' in the [admin] part of this file connected to the problem?
>
> I also attach a snippet from the screen session log, with ip addresses,
> passwords and host/domain names replaced.
>
> ------------------------------------------------------------------------
>
> [root@ fedora-ds]# netstat -tlpn |grep 636
> tcp        0      0 ::ffff:10.0.0.:636   :::*   LISTEN   15481/ns-slapd
> [root@ fedora-ds]# netstat -tlpn |grep 389
> tcp        0      0 ::ffff:10.0.0.:389   :::*   LISTEN   15481/ns-slapd
> [root@ opt]# rpm -Uvh /data/users/seriv/fedora-ds/downloads/fedora-ds-1.0.3-1.RHEL4.x86_64.opt.rpm
> Preparing...                ########################################### [100%]
>         package fedora-ds-1.0.3-1.RHEL4 is already installed
> [root@ opt]# rpm -Uvh /data/users/seriv/fedora-ds/downloads/fedora-ds-1.0.3-1.RHEL4.x86_64.opt.rpm --force
> Preparing...                ########################################### [100%]
>    1:fedora-ds              ########################################### [100%]
>
> Upgrade finished. Please run /opt/fedora-ds/setup/setup to complete the upgrade.
> [root@ opt]# netstat -tlpn |grep 636
> [root@ opt]# netstat -tlpn |grep 389
> [root@ opt]# pwd
> /opt
> [root@ opt]# cd fedora-ds
> [root@ fedora-ds]# setup/setup
> INFO Begin Setup . . .
>
>
> LICENSE AGREEMENT AND LIMITED PRODUCT WARRANTY
> FEDORA(TM) DIRECTORY SERVER
> [contents skipped]
>
> Do you accept the license terms? (yes/no) yes
> =======================================================================
> Fedora Directory Server 1.0.3
> =======================================================================
>
> The Fedora Directory Server is subject to the terms detailed in the
> license agreement file called LICENSE.txt.
>
> Late-breaking news and information on the Fedora Directory Server is
> available at the following location:
>
> http://directory.fedora.redhat.com
>
> Continue? (yes/no) yes
> No ns-slapd PID file found. Server is probably not running
> /opt/fedora-ds/slapd-/config/dse.ldif: SSL off ...
> In order to reconfigure your installation, the Configuration Directory
> Administrator password is required. Here is your current information:
>
> Configuration Directory: ldap://.:389/o=NetscapeRoot
> Configuration Administrator ID: admin
>
> At the prompt, please enter the password for the Configuration Administrator.
>
> administrator ID: admin
> Password:
> Converting slapd- to new format password file . . .
> Copying new schema ldiffiles . . .
> Starting slapd- . . .
>
> [slapd-]: starting up server ...
> [slapd-]: [01/Nov/2006:22:36:26 -0500] - Fedora-Directory/1.0.3 B2006.303.1845 starting up
> [slapd-]: [01/Nov/2006:22:36:26 -0500] NSMMReplicationPlugin - agmt="cn=ballexta" (:389): Simple bind failed, LDAP sdk error 91 (Can't connect to the LDAP server), Netscape Portable Runtime error -5961 (TCP connection reset by peer.)
> [slapd-]: [01/Nov/2006:22:36:26 -0500] - slapd started. Listening on 10.0.0. port 389 for LDAP requests
>
> NMC_Status: 0
> NMC_Description: Success! The server has been started.
>
> Start Slapd Starting Slapd server reconfiguration.
> Fatal Slapd ERROR: Could not find Directory Server Configuration
> URL ldap://.:389/o=NetscapeRoot user id admin DN cn=., ou=, o=NetscapeRoot (153:Unknown error)
> Configuring Administration Server...
> InstallInfo: Apache Directory "ApacheDir" is missing.
> /opt/fedora-ds/slapd-/config/dse.ldif: SSL on ...
> Restarting Directory Server: /opt/fedora-ds/slapd-/start-slapd
> Server failed to start !!! Please check errors log for problems
>
> You can now use the console. Here is the command to use to start the console:
> cd /opt/fedora-ds
> ./startconsole -u admin -a http://.:18080/
>
> INFO Finished with setup, logfile is setup/setup.log
> [root@ fedora-ds]# netstat -tlpn |grep 636
> [root@ fedora-ds]# netstat -tlpn |grep 389
> [root@ fedora-ds]# slapd-/restart-slapd
> No ns-slapd PID file found. Server is probably not running
> Server failed to start !!! Please check errors log for problems
> [root@ fedora-ds]# tail -n 22 slapd-/logs/errors
> [01/Nov/2006:22:34:31 -0500] - slapd shutting down - closing down internal subsystems and plugins
> [01/Nov/2006:22:34:35 -0500] - Waiting for 4 database threads to stop
> [01/Nov/2006:22:34:36 -0500] - All database threads now stopped
> [01/Nov/2006:22:34:38 -0500] - slapd stopped.
> [01/Nov/2006:22:36:26 -0500] - Fedora-Directory/1.0.3 B2006.303.1845 starting up
> [01/Nov/2006:22:36:26 -0500] NSMMReplicationPlugin - agmt="cn=ballexta" (:389): Simple bind failed, LDAP sdk error 91 (Can't connect to the LDAP server), Netscape Portable Runtime error -5961 (TCP connection reset by peer.)
> [01/Nov/2006:22:36:26 -0500] - slapd started. Listening on 10.0.0. port 389 for LDAP requests
> [01/Nov/2006:22:36:27 -0500] - slapd shutting down - signaling operation threads
> [01/Nov/2006:22:36:27 -0500] - slapd shutting down - waiting for 29 threads to terminate
> [01/Nov/2006:22:36:27 -0500] - slapd shutting down - closing down internal subsystems and plugins
> [01/Nov/2006:22:36:27 -0500] dse - Cannot open temporary DSE file "/opt/fedora-ds/slapd-/config/dse.ldif.tmp" for update: OS error 13 (Permission denied)
> [01/Nov/2006:22:36:28 -0500] dse - Cannot open temporary DSE file "/opt/fedora-ds/slapd-/config/dse.ldif.tmp" for update: OS error 13 (Permission denied)
> [01/Nov/2006:22:36:29 -0500] dse - Cannot open temporary DSE file "/opt/fedora-ds/slapd-/config/dse.ldif.tmp" for update: OS error 13 (Permission denied)
> [01/Nov/2006:22:36:30 -0500] dse - Cannot open temporary DSE file "/opt/fedora-ds/slapd-/config/dse.ldif.tmp" for update: OS error 13 (Permission denied)
> [01/Nov/2006:22:36:31 -0500] dse - Cannot open temporary DSE file "/opt/fedora-ds/slapd-/config/dse.ldif.tmp" for update: OS error 13 (Permission denied)
> [01/Nov/2006:22:36:32 -0500] dse - Cannot open temporary DSE file "/opt/fedora-ds/slapd-/config/dse.ldif.tmp" for update: OS error 13 (Permission denied)
> [01/Nov/2006:22:36:32 -0500] - Waiting for 4 database threads to stop
> [01/Nov/2006:22:36:33 -0500] - All database threads now stopped
> [01/Nov/2006:22:36:33 -0500] - slapd stopped.
> [01/Nov/2006:22:36:34 -0500] - Fedora-Directory/1.0.3 B2006.303.1845 starting up
> [01/Nov/2006:22:36:34 -0500] dse - Cannot copy DSE file "/opt/fedora-ds/slapd-/config/dse.ldif" to "/opt/fedora-ds/slapd-/config/dse.ldif.startOK" OS error 17 (File exists)
> [01/Nov/2006:22:37:08 -0500] - Fedora-Directory/1.0.3 B2006.303.1845 starting up
> [01/Nov/2006:22:37:08 -0500] dse - Cannot copy DSE file "/opt/fedora-ds/slapd-/config/dse.ldif" to "/opt/fedora-ds/slapd-/config/dse.ldif.startOK" OS error 17 (File exists)
> [root@ fedora-ds]# ls -al slapd-/config/
> total 424
> drwxr-xr-x  4 root   root   4096 Nov  1 22:37 .
> drwxr-xr-x 12 nobody root   4096 Nov  1 22:37 ..
> -rw-r--r--  1 nobody root  57967 Nov  1 22:36 dse.ldif
> -rw-r--r--  2 nobody root  57969 Nov  1 22:36 dse.ldif.bak
> -rw-r--r--  2 nobody root  57969 Nov  1 22:36 dse.ldif.startOK
> -rw-------  1 nobody root  33781 Aug 29 11:17 dse_original.ldif
> drwxr-xr-x  2 nobody root   4096 Nov  1 22:37 schema
> drwxr-xr-x  2 nobody root   4096 Nov  1 01:43 schema-bak
> -rw-r--r--  1 nobody root   5400 Aug 29 11:17 slapd-collations.conf
> [root@ fedora-ds]# chown nobody slapd-/config
> [root@ fedora-ds]# mv slapd-/config/dse.ldif.startOK .
> [root@ fedora-ds]# slapd-/restart-slapd
> No ns-slapd PID file found. Server is probably not running
> Server failed to start !!! Please check errors log for problems
> [root@ fedora-ds]# tail -n 22 slapd-/logs/errors
> [01/Nov/2006:22:36:26 -0500] - Fedora-Directory/1.0.3 B2006.303.1845 starting up
> [01/Nov/2006:22:36:26 -0500] NSMMReplicationPlugin - agmt="cn=ballexta" (:389): Simple bind failed, LDAP sdk error 91 (Can't connect to the LDAP server), Netscape Portable Runtime error -5961 (TCP connection reset by peer.)
> [01/Nov/2006:22:36:26 -0500] - slapd started. Listening on 10.0.0. port 389 for LDAP requests
> [01/Nov/2006:22:36:27 -0500] - slapd shutting down - signaling operation threads
> [01/Nov/2006:22:36:27 -0500] - slapd shutting down - waiting for 29 threads to terminate
> [01/Nov/2006:22:36:27 -0500] - slapd shutting down - closing down internal subsystems and plugins
> [01/Nov/2006:22:36:27 -0500] dse - Cannot open temporary DSE file "/opt/fedora-ds/slapd-/config/dse.ldif.tmp" for update: OS error 13 (Permission denied)
> [01/Nov/2006:22:36:28 -0500] dse - Cannot open temporary DSE file "/opt/fedora-ds/slapd-/config/dse.ldif.tmp" for update: OS error 13 (Permission denied)
> [01/Nov/2006:22:36:29 -0500] dse - Cannot open temporary DSE file "/opt/fedora-ds/slapd-/config/dse.ldif.tmp" for update: OS error 13 (Permission denied)
> [01/Nov/2006:22:36:30 -0500] dse - Cannot open temporary DSE file "/opt/fedora-ds/slapd-/config/dse.ldif.tmp" for update: OS error 13 (Permission denied)
> [01/Nov/2006:22:36:31 -0500] dse - Cannot open temporary DSE file "/opt/fedora-ds/slapd-/config/dse.ldif.tmp" for update: OS error 13 (Permission denied)
> [01/Nov/2006:22:36:32 -0500] dse - Cannot open temporary DSE file "/opt/fedora-ds/slapd-/config/dse.ldif.tmp" for update: OS error 13 (Permission denied)
> [01/Nov/2006:22:36:32 -0500] - Waiting for 4 database threads to stop
> [01/Nov/2006:22:36:33 -0500] - All database threads now stopped
> [01/Nov/2006:22:36:33 -0500] - slapd stopped.
> [01/Nov/2006:22:36:34 -0500] - Fedora-Directory/1.0.3 B2006.303.1845 starting up
> [01/Nov/2006:22:36:34 -0500] dse - Cannot copy DSE file "/opt/fedora-ds/slapd-/config/dse.ldif" to "/opt/fedora-ds/slapd-/config/dse.ldif.startOK" OS error 17 (File exists)
> [01/Nov/2006:22:37:08 -0500] - Fedora-Directory/1.0.3 B2006.303.1845 starting up
> [01/Nov/2006:22:37:08 -0500] dse - Cannot copy DSE file "/opt/fedora-ds/slapd-/config/dse.ldif" to "/opt/fedora-ds/slapd-/config/dse.ldif.startOK" OS error 17 (File exists)
> [01/Nov/2006:22:38:49 -0500] - Fedora-Directory/1.0.3 B2006.303.1845 starting up
> [root@ fedora-ds]# netstat -tlpn |grep 389
> [root@ fedora-ds]# netstat -tlpn |grep 636
> [root@ fedora-ds]# ls -al slapd-/logs/
> total 32468
> drwx------  2 root   root       4096 Nov  1 22:36 .
> drwxr-xr-x 12 nobody root       4096 Nov  1 22:38 ..
> -rw-------  1 nobody root   33124743 Nov  1 22:36 access
> -rw-------  1 nobody root         63 Oct 31 23:40 access.rotationinfo
> -rw-------  1 nobody root          0 Oct 31 23:40 audit
> -rw-------  1 nobody root         63 Oct 31 23:40 audit.rotationinfo
> -rw-------  1 nobody root      18211 Nov  1 22:38 errors
> -rw-------  1 nobody root         63 Oct 31 23:40 errors.rotationinfo
> -rw-r--r--  1 nobody nobody     1952 Nov  1 22:36 slapd.stats
> [root@ fedora-ds]# chown nobody:nobody slapd-/logs
> [root@ fedora-ds]# chown nobody:nobody slapd-/logs/*
> [root@ fedora-ds]# slapd-/restart-slapd
> No ns-slapd PID file found. Server is probably not running
> [root@ fedora-ds]# netstat -tlpn |grep 636
> tcp        0      0 ::ffff:10.0.0.:636   :::*   LISTEN   15481/ns-slapd
> [root@ fedora-ds]# netstat -tlpn |grep 389
> tcp        0      0 ::ffff:10.0.0.:389   :::*   LISTEN   15481/ns-slapd
>
> ------------------------------------------------------------------------
From rmeggins at redhat.com Thu Nov 2 17:49:50 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 02 Nov 2006 10:49:50 -0700
Subject: [Fedora-directory-users] Problem accessing Configuration Directory after upgrade to 1.0.3
In-Reply-To: <2717b73b0611020925u5c17fe13q2845078f2a38ef6d@mail.gmail.com>
References: <2717b73b0611020925u5c17fe13q2845078f2a38ef6d@mail.gmail.com>
Message-ID: <454A2FBE.6020003@redhat.com>

Dan Deighton wrote:
> On Thu, 2006-11-02 at 09:31 -0700, Richard Megginson wrote:
> Dan Deighton wrote:
>> > On Thu, 2006-11-02 at 08:09 -0700, Richard Megginson wrote:
>> > Dan Deighton wrote:
>> >> With FDS 1.0.2, I had set up a Secure Connection under the
>> >> Configuration DS in the Admin Console. Everything was going fine
>> >> until I updated to 1.0.3. After that, the Directory Server would
>> >> start, but the Admin Server would not.
>> >>
>> >> I thought it may have been a problem with the upgrade, so I did a
>> >> fresh install of FDS 1.0.3. As soon as I enabled a Secure Connection
>> >> for the Configuration DS, the problem was back.
>> > Can you post the error log from your admin server?
>> admin-serv/logs/error
>> > If that doesn't have much information in it, try doing start-admin -e
>> > debug
>
>> Thanks. The last line of error output is odd:
>> > Please enter password for "internal" token:
>> Are you using a pin file for the admin server ssl password?
> No
> > If not, did
>> you type in the password on the command line?
>
> Yes, I typed in the password. This password was created when I first
> managed the certificate for the Admin Server. I am prompted for this
> password as soon as SSL is enabled for the Admin Server. This works
> fine if the configuration DS is not using SSL. As soon as a secure
> connection is used for the Configuration DS it fails.
Can you post your admin-serv/config/adm.conf, admin-serv/config/local.conf,
admin-serv/config/console.conf, and shared/config/dbswitch.conf, being
careful to remove or obscure any sensitive information first?

>> >> I had no problem setting up encryption for the Admin Server and the
>> >> User DS. It only happens with the Configuration DS.
>> >>
>> >> Has anyone else seen this problem? Am I missing something obvious
>> >> that changed with 1.0.3?
>> >>
>> >> Any help would be appreciated.
>> >>
>> >> Thanks
>> >
>> > Without debug:
>> > --------------
>> >
>> > admin-serv/logs/error:
>> > ---
>> > [Thu Nov 02 10:27:11 2006] [warn] NSSProtocols not set; using: SSLv3 and TLSv1
>> > [Thu Nov 02 10:27:12 2006] [crit] mod_admserv_post_config(): unable to build user/group LDAP server info: unable to set User/Group baseDN
>> > Configuration Failed
>> > ---
>> >
>> > --------------
>> >
>> > With debug:
>> > --------------
>> >
>> > admin-serv/logs/error
>> > ---
>> > [Thu Nov 02 10:31:34 2006] [info] done Init: Initializing NSS library
>> > [Thu Nov 02 10:31:34 2006] [warn] NSSProtocols not set; using: SSLv3 and TLSv1
>> > [Thu Nov 02 10:31:35 2006] [debug] mod_admserv.c(760): sslinit: mod_nss has been started and initialized
>> > [Thu Nov 02 10:31:35 2006] [crit] mod_admserv_post_config(): unable to build user/group LDAP server info: unable to set User/Group baseDN
>> > Configuration Failed
>> > ---
>> >
>> > STDOUT:
>> > ---
>> > ./start-admin -e debug
>> > [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module access_module
>> > [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module auth_module
>> > [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module log_config_module
>> > [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module env_module
>> > [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module mime_magic_module
>> > [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module expires_module
>> > [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module deflate_module
>> > [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module headers_module
>> > [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module unique_id_module
>> > [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module setenvif_module
>> > [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module mime_module
>> > [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module vhost_alias_module
>> > [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module negotiation_module
>> > [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module dir_module
>> > [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module actions_module
>> > [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module alias_module
>> > [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module rewrite_module
>> > [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module cache_module
>> > [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module disk_cache_module
>> > [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module file_cache_module
>> > [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module mem_cache_module
>> > [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module cgi_module
>> > [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module restartd_module
>> > [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module nss_module
>> > [Thu Nov 02 10:31:29 2006] [debug] mod_so.c(247): loaded module admserv_module
>> > [Thu Nov 02 10:31:29 2006] [debug] mod_admserv.c(2382): [22117] create_server_config [0x9f09370] for (null)
>> > [Thu Nov 02 10:31:29 2006] [debug] mod_admserv.c(2370): [22117] create_config [0x9f09380] for (null)
>> > [Thu Nov 02 10:31:29 2006] [debug] mod_admserv.c(2431): [22117] Set [0x9f09370] [ADMCacheLifeTime] to 600
>> > [Thu Nov 02 10:31:29 2006] [debug] mod_admserv.c(2449): [22117] Set [0x9f09370] [ADMServerVersionString] to Fedora-Administrator/1.0.3
>> > [Thu Nov 02 10:31:29 2006] [debug] mod_admserv.c(2370): [22117] create_config [0x9f38f88] for /opt/fedora-ds/clients/dsgw/bin/
>> > [Thu Nov 02 10:31:29 2006] [debug] mod_admserv.c(2370): [22117] create_config [0x9f3a2b0] for /*/[tT]asks/[Oo]peration/*
>> > [Thu Nov 02 10:31:29 2006] [debug] mod_admserv.c(2370): [22117] create_config [0x9f38878] for /*/[tT]asks/[Cc]onfiguration/*
>> > [Thu Nov 02 10:31:29 2006] [debug] mod_admserv.c(2370): [22117] create_config [0x9f3b8e0] for /*/[tT]asks/[Oo]peration/(?i:stop|start|restart|startconfigds|create)$
>> > Please enter password for "internal" token:
>> >
>> > ---
>> >
>> > --------------
From rcritten at redhat.com Thu Nov 2 17:56:18 2006
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 02 Nov 2006 12:56:18 -0500
Subject: [Fedora-directory-users] Problem accessing Configuration Directory after upgrade to 1.0.3
In-Reply-To: <454A1D70.3010704@redhat.com>
References: <2717b73b0611020739p6d13c834qfcfb6aa18f9226c8@mail.gmail.com> <454A1D70.3010704@redhat.com>
Message-ID: <454A3142.70007@redhat.com>

I don't think that the password thing is necessarily a problem, depending
on how mod_nss is configured. I'm more curious what is logged on the LDAP
side. Is the admin server attempting to open a connection? If so, how is
it failing?

rob

Richard Megginson wrote:
> Dan Deighton wrote:
>> On Thu, 2006-11-02 at 08:09 -0700, Richard Megginson wrote:
>> Dan Deighton wrote:
>>> With FDS 1.0.2, I had set up a Secure Connection under the
>>> Configuration DS in the Admin Console. Everything was going fine
>>> until I updated to 1.0.3. After that, the Directory Server would
>>> start, but the Admin Server would not.
>>>
>>> I thought it may have been a problem with the upgrade, so I did a
>>> fresh install of FDS 1.0.3. As soon as I enabled a Secure Connection
>>> for the Configuration DS, the problem was back.
>> Can you post the error log from your admin server? admin-serv/logs/error
>> If that doesn't have much information in it, try doing start-admin -e
>> debug
> Thanks. The last line of error output is odd:
>
> Please enter password for "internal" token:
> Are you using a pin file for the admin server ssl password? If not, did
> you type in the password on the command line?
>>>
>>> I had no problem setting up encryption for the Admin Server and the
>>> User DS. It only happens with the Configuration DS.
>>>
>>> Has anyone else seen this problem? Am I missing something obvious
>>> that changed with 1.0.3?
>>>
>>> Any help would be appreciated.
>>>
>>> Thanks
>>
>> Without debug:
>> --------------
>>
>> admin-serv/logs/error:
>> ---
>> [Thu Nov 02 10:27:11 2006] [warn] NSSProtocols not set; using: SSLv3 and TLSv1
>> [Thu Nov 02 10:27:12 2006] [crit] mod_admserv_post_config(): unable to build user/group LDAP server info: unable to set User/Group baseDN
>> Configuration Failed
>> ---
>>
>> --------------
>>
>> With debug:
>> --------------
>>
>> admin-serv/logs/error
>> ---
>> [Thu Nov 02 10:31:34 2006] [info] done Init: Initializing NSS library
>> [Thu Nov 02 10:31:34 2006] [warn] NSSProtocols not set; using: SSLv3 and TLSv1
>> [Thu Nov 02 10:31:35 2006] [debug] mod_admserv.c(760): sslinit: mod_nss has been started and initialized
>> [Thu Nov 02 10:31:35 2006] [crit] mod_admserv_post_config(): unable to build user/group LDAP server info: unable to set User/Group baseDN
>> Configuration Failed
>>
>> ---
>>
>> STDOUT:
>> ---
>> ./start-admin -e debug
>> [loaded module / create_config debug lines skipped; identical to the start-admin -e debug output quoted above]
>> Please enter password for "internal" token:
>>
>> ---
>>
>> --------------

From deighton at gmail.com Thu Nov 2 18:08:17 2006
From: deighton at gmail.com (Dan Deighton)
Date: Thu, 2 Nov 2006 13:08:17 -0500
Subject: [Fedora-directory-users] Problem accessing Configuration Directory after upgrade to 1.0.3
Message-ID: <2717b73b0611021008t2e4991eeh26f870f4934f1763@mail.gmail.com>

> Can you post your admin-serv/config/adm.conf,
> admin-serv/config/local.conf, admin-serv/config/console.conf, and
> shared/config/dbswitch.conf, being careful to remove or obscure any
> sensitive information first?

I have attached the requested files.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: adm.conf
Type: application/octet-stream
Size: 536 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: console.conf
Type: application/octet-stream
Size: 3718 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dbswitch.conf
Type: application/octet-stream
Size: 63 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: local.conf
Type: application/octet-stream
Size: 19142 bytes
Desc: not available
URL:

From seriv at omniti.com Thu Nov 2 18:34:41 2006
From: seriv at omniti.com (Sergey Ivanov)
Date: Thu, 02 Nov 2006 13:34:41 -0500
Subject: [Fedora-directory-users] Problems Setting up 1.0.3
In-Reply-To: <454A2ECE.9030104@redhat.com>
References: <1162320912.9441.21.camel@houuc8> <45479BF4.7050707@sci.fi> <4547B4A5.5060700@omniti.com> <4547BE4F.80407@redhat.com> <454A28E5.5010405@omniti.com> <454A2ECE.9030104@redhat.com>
Message-ID: <454A3A41.20406@omniti.com>

Richard Megginson wrote:
> Sergey Ivanov wrote:
[skip]
>> Hi Richard,
>> I have upgraded yesterday the last of my ldap servers. The most
>> difficult problem there is described in
>> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=213626
>> And this problem with ownership and permission denied was reproduced
>> once more. I have a screenlog of the session, and logs of admin and ldap
>> servers. Also I see a file /opt/fedora-ds/setup/myinstall.inf with the
>> following contents:
>> ---
>> [General]
>> FullMachineName=
>> SuiteSpotUserID= root
>> SuitespotGroup= root
>>
> This is a great clue. The setup script uses the following command to
> determine these values:
>     suitespotuser=`ls -l /opt/fedora-ds/slapd-instance/config/dse.ldif | awk '{print $3}'`
>     suitespotgroup=`ls -l /opt/fedora-ds/slapd-instance/config/dse.ldif | awk '{print $4}'`
> So somehow the ownership of dse.ldif was changed from nobody:nobody to
> root:root. Either that, or the above command is not working. Is it
> possible that it is not using /bin/ls?

Not looking like this. This is what I did at the host:
---
# which ls
alias ls='ls --color=tty'
        /bin/ls
# ls -l /opt/fedora-ds/slapd-instance/config/dse.ldif | awk '{print $3}'
nobody
# ls -l /opt/fedora-ds/slapd-instance/config/dse.ldif | awk '{print $4}'
nobody

Maybe ownership was changed to root's in rpm -Uvh or in the very first
steps of setup/setup.
--
Sergey.
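The check discussed in the two messages above (setup reading SuiteSpotUserID out of "ls -l dse.ldif | awk", and Sergey verifying it by hand) can be widened into a pre-flight audit of the whole instance tree, run before setup/setup rather than after a failed restart. The script below is an added example and is not part of the FDS setup script or anything posted in this thread. It assumes POSIX find and ls (exercised with GNU coreutils), an instance directory such as /opt/fedora-ds/slapd-ldap1, and a server user named "nobody"; all three are assumptions, and the demo tree is constructed by the caller.

```shell
#!/bin/sh
# Added example, not FDS project code: audit a Directory Server instance
# tree for paths not owned by the server user before re-running setup.
# Assumed: POSIX find/ls; instance under /opt/fedora-ds/slapd-<name>;
# server user "nobody".

# Owner of one path, read the same way setup reads it (ls | awk), but with
# "command" to bypass any ls alias and LC_ALL=C to pin the column layout.
path_owner() {
    LC_ALL=C command ls -ld -- "$1" | awk '{print $3}'
}

# Print every path under $1 whose owner is not $2. -user is POSIX and
# accepts a numeric uid, which still works when the uid has no passwd entry.
find_foreign_owned() {
    find "$1" ! -user "$2" -print 2>/dev/null
}

# Number of mismatched paths; 0 means the tree is consistent.
count_foreign_owned() {
    find_foreign_owned "$1" "$2" | wc -l | tr -d ' '
}

# Pre-flight gate: returns 0 only if dse.ldif (the file setup derives the
# user from) and every path in the instance tree belong to user $2 (a name,
# since ls prints names). Returns 1 on the first mismatch.
instance_owner_ok() {
    inst=$1
    want=$2
    [ "$(path_owner "$inst/config/dse.ldif")" = "$want" ] || return 1
    [ "$(count_foreign_owned "$inst" "$want")" = "0" ] || return 1
    return 0
}

# Typical use on a real host (assumed instance name and user):
#   inst=/opt/fedora-ds/slapd-ldap1
#   instance_owner_ok "$inst" nobody || { find_foreign_owned "$inst" nobody; exit 1; }
```

Run it as root before setup/setup. If it prints anything, the value setup will read from dse.ldif is already wrong, and the chown on config and logs that the screenlog above shows being done after the failed start belongs before the upgrade instead. The numeric-uid form of find_foreign_owned is useful on hosts where the server user has no passwd entry.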
From deighton at gmail.com Thu Nov 2 19:40:36 2006
From: deighton at gmail.com (Dan Deighton)
Date: Thu, 2 Nov 2006 14:40:36 -0500
Subject: [Fedora-directory-users] Problem accessing Configuration Directory after upgrade to 1.0.3
Message-ID: <2717b73b0611021140j7e8fb2d5jd9bf4578f1b9e913@mail.gmail.com>

On Thu, 2006-11-02 at 12:56 -0500, Rob Crittenden wrote:
> I don't think that the password thing is necessarily a problem depending
> on how mod_nss is configured. I'm more curious what is logged on the
> LDAP side. Is the admin server attempting to open a connection? If so,
> how is it failing?
>
> rob
>

The admin server is attempting to open a connection. From the access log:
---
[02/Nov/2006:14:20:02 -0500] conn=5 fd=64 slot=64 SSL connection from 192.168.55.1 to 192.168.55.1
[02/Nov/2006:14:20:02 -0500] conn=5 SSL 128-bit RC4
[02/Nov/2006:14:20:02 -0500] conn=5 op=0 BIND dn="cn=admin-serv-ldap, cn=Fedora Administration Server, cn=Server Group, cn=ldap.example.net, ou=example.net, o=NetscapeRoot" method=128 version=2
[02/Nov/2006:14:20:02 -0500] conn=5 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[02/Nov/2006:14:20:02 -0500] conn=5 op=1 SRCH base="cn=configuration, cn=admin-serv-ldap, cn=Fedora Administration Server, cn=Server Group, cn=ldap.example.net, ou=example.net, o=NetscapeRoot" scope=0 filter="(objectClass=nsDirectoryInfo)" attrs=ALL
[02/Nov/2006:14:20:02 -0500] conn=5 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[02/Nov/2006:14:20:02 -0500] conn=5 op=2 UNBIND
[02/Nov/2006:14:20:02 -0500] conn=5 op=2 fd=64 closed - U1
---

I ran the same query manually and this is successful:
---
[02/Nov/2006:14:22:55 -0500] conn=7 fd=64 slot=64 SSL connection from 192.168.55.1 to 192.168.55.1
[02/Nov/2006:14:22:55 -0500] conn=7 SSL 128-bit RC4
[02/Nov/2006:14:22:55 -0500] conn=7 op=0 BIND dn="cn=admin-serv-ldap, cn=Fedora Administration Server, cn=Server Group, cn=ldap.example.net, ou=example.net, o=NetscapeRoot" method=128 version=3
[02/Nov/2006:14:22:55 -0500] conn=7 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=admin-serv-ldap,cn=fedora administration server,cn=server group,cn=ldap.example.net,ou=example.net,o=netscaperoot"
[02/Nov/2006:14:22:55 -0500] conn=7 op=1 SRCH base="cn=configuration, cn=admin-serv-ldap, cn=Fedora Administration Server, cn=Server Group, cn=ldap.example.net, ou=example.net, o=NetscapeRoot" scope=0 filter="(objectClass=nsDirectoryInfo)" attrs=ALL
[02/Nov/2006:14:22:55 -0500] conn=7 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[02/Nov/2006:14:22:55 -0500] conn=7 op=2 UNBIND
[02/Nov/2006:14:22:55 -0500] conn=7 op=2 fd=64 closed - U1
---

I notice 2 differences. The BIND is using version 2 when trying to start
the admin server. That shouldn't matter. The problem seems to be with the
BIND'ing. When trying to start the admin server, the RESULT to the BIND
contains an empty dn. When run manually, the dn is correct. It seems like
it is not authenticating properly with FDS 1.0.3.

From rmeggins at redhat.com Thu Nov 2 22:14:52 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 02 Nov 2006 15:14:52 -0700
Subject: [Fedora-directory-users] Problems Setting up 1.0.3
In-Reply-To: <454A28E5.5010405@omniti.com>
References: <1162320912.9441.21.camel@houuc8> <45479BF4.7050707@sci.fi> <4547B4A5.5060700@omniti.com> <4547BE4F.80407@redhat.com> <454A28E5.5010405@omniti.com>
Message-ID: <454A6DDC.10105@redhat.com>

It appears that the permission problem only happens with servers that were
configured to use SSL in fds102 and upgraded to fds103. Can anyone confirm
the problem occurred in a system not using SSL?

From Diana.Shepard at cusys.edu Thu Nov 2 22:10:33 2006
From: Diana.Shepard at cusys.edu (Diana Shepard)
Date: Thu, 2 Nov 2006 15:10:33 -0700
Subject: [Fedora-directory-users] temp.
disable replica Message-ID: <7315857F21D51B449CC55ADE3A56831802332A22@ex2k3.ad.cusys.edu> Is there a way to temporarily disable replication without deleting an entire replication agreement? I see the "Enable Replica" on the "Replica Settings" screen via the GUI. Don't see any documentation about what this actually does if I uncheck it with a multi-master replication agreement in effect. If I uncheck it on both the multi-master Supplier/Supplier, will it temporarily disable replication without deleting the replication agreements? Diana Shepard University of Colorado -------------- next part -------------- An HTML attachment was scrubbed... URL: From rmeggins at redhat.com Thu Nov 2 22:27:31 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Thu, 02 Nov 2006 15:27:31 -0700 Subject: [Fedora-directory-users] temp. disable replica In-Reply-To: <7315857F21D51B449CC55ADE3A56831802332A22@ex2k3.ad.cusys.edu> References: <7315857F21D51B449CC55ADE3A56831802332A22@ex2k3.ad.cusys.edu> Message-ID: <454A70D3.1090600@redhat.com> Diana Shepard wrote: > > Is there a way to temporarily disable replication > without deleting an entire replication agreement? > Yes. An easy way to do this is to change the replication schedule. Step 1: Find the DN of your replication agreement ldapsearch -x -D "cn=directory manager" -w password -b cn=config "(objectclass=nsds5ReplicationAgreement)" dn cn Step 2: Change the replication schedule window to some bogus time ldapmodify -x -D "cn=directory manager" -w password dn: dn from Step 1 changetype: modify replace: nsds5replicaupdateschedule nsds5replicaupdateschedule: 2358-2359 0 This tells the server to only replicate between 11:58pm and 11:59pm on Sunday. Schedule changes take effect quickly, so it should stop replicating soon after getting this request. 
Step 3: Restart replication ldapmodify -x -D "cn=directory manager" -w password dn: dn from Step 1 changetype: modify replace: nsds5replicaupdateschedule nsds5replicaupdateschedule: 0000-2359 0123456 That turns the schedule back to all day, every day, and it should take effect immediately, sending over all of the changes it had stored while replication was stopped. > > I see the "Enable Replica" on the "Replica Settings" > screen via the GUI. Don't see any documentation about > what this actually does if I uncheck it with a multi-master > replication agreement in effect. If I uncheck it on both > the multi-master Supplier/Supplier, will it temporarily disable > replication without deleting the replication agreements? > > Diana Shepard > University of Colorado > > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From pkime at Shopzilla.com Fri Nov 3 01:25:32 2006 From: pkime at Shopzilla.com (Philip Kime) Date: Thu, 2 Nov 2006 17:25:32 -0800 Subject: [Fedora-directory-users] Alternatives to Windows sync? Message-ID: <9C0091F428E697439E7A773FFD083427435B18@szexchange.Shopzilla.inc> I've been trying to get Windows sync installed but it's going to be impossibel as it means enabling password complexity policies in a large domain and that isn't going to happen. Does anyone know of any alternatives to this? I know this is desperate since you have to have the plain-text password in order to do this right? PK -- Philip Kime NOPS Systems Architect 310 401 0407 -------------- next part -------------- An HTML attachment was scrubbed... 
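Rich's pause/resume procedure above relies on what an nsds5replicaupdateschedule value actually permits. As an added example (not code from the list or from the Directory Server project), this models the schedule syntax shown in that thread so the two values can be checked before they are sent with ldapmodify; the agreement DN is a constructed placeholder, and treating both ends of the window as inclusive at minute granularity is an assumption.

```python
"""Check and generate Fedora DS replication update schedules.

Added example: models the nsds5replicaupdateschedule values used in the
list thread to pause ("2358-2359 0") and resume ("0000-2359 0123456")
replication, so an admin can verify what a window permits before
applying it.
"""
from datetime import datetime
from dataclasses import dataclass
import re

# Value syntax as shown in the thread: "HHMM-HHMM D[D...]", where the
# day digits are 0=Sunday .. 6=Saturday (the thread reads "0" as Sunday).
_SCHEDULE_RE = re.compile(r"^(\d{4})-(\d{4}) ([0-6]{1,7})$")

# The two values from the pause/resume procedure.
PAUSE_SCHEDULE = "2358-2359 0"          # Sunday 23:58-23:59 only
RESUME_SCHEDULE = "0000-2359 0123456"   # all day, every day


@dataclass(frozen=True)
class UpdateSchedule:
    start: int        # minutes since midnight
    end: int
    days: frozenset   # FDS day numbers, 0=Sunday


def _hhmm_to_minutes(hhmm: str) -> int:
    hours, minutes = int(hhmm[:2]), int(hhmm[2:])
    if hours > 23 or minutes > 59:
        raise ValueError(f"invalid time {hhmm!r}")
    return hours * 60 + minutes


def parse_schedule(value: str) -> UpdateSchedule:
    """Parse an nsds5replicaupdateschedule value, rejecting malformed ones."""
    m = _SCHEDULE_RE.match(value.strip())
    if not m:
        raise ValueError(f"malformed schedule {value!r}")
    start = _hhmm_to_minutes(m.group(1))
    end = _hhmm_to_minutes(m.group(2))
    if end < start:
        raise ValueError("schedule window must not wrap past midnight")
    return UpdateSchedule(start, end, frozenset(int(d) for d in m.group(3)))


def schedule_allows(value: str, when) -> bool:
    """True if the supplier would send updates at `when` under `value`.

    `when` is a datetime or an ISO string such as "2006-11-05 23:58".
    Assumption for this example: both ends of the window are inclusive at
    minute granularity, so 0000-2359 covers the whole day.
    """
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    sched = parse_schedule(value)
    fds_day = (when.weekday() + 1) % 7      # Python Monday=0 -> FDS Sunday=0
    minute = when.hour * 60 + when.minute
    return fds_day in sched.days and sched.start <= minute <= sched.end


def minutes_per_week(value: str) -> int:
    """Minutes per week during which replication is permitted: a quick
    sanity check that a "pause" schedule really is almost closed."""
    sched = parse_schedule(value)
    return len(sched.days) * (sched.end - sched.start + 1)


def ldif_set_schedule(agreement_dn: str, value: str) -> str:
    """Build the ldapmodify record from Step 2 / Step 3 of the procedure."""
    parse_schedule(value)   # fail here rather than send garbage to the server
    return (
        f"dn: {agreement_dn}\n"
        "changetype: modify\n"
        "replace: nsds5replicaupdateschedule\n"
        f"nsds5replicaupdateschedule: {value}\n"
    )


if __name__ == "__main__":
    # Constructed placeholder for the agreement DN found in Step 1.
    dn = "cn=example-agreement,cn=replica,cn=example-suffix,cn=mapping tree,cn=config"
    print(ldif_set_schedule(dn, PAUSE_SCHEDULE))
    print("pause window, minutes per week:", minutes_per_week(PAUSE_SCHEDULE))
    print("allowed Sunday 23:58?", schedule_allows(PAUSE_SCHEDULE, "2006-11-05 23:58"))
```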
From david_list at boreham.org Fri Nov 3 01:51:16 2006
From: david_list at boreham.org (David Boreham)
Date: Thu, 02 Nov 2006 18:51:16 -0700
Subject: [Fedora-directory-users] Alternatives to Windows sync?
In-Reply-To: <9C0091F428E697439E7A773FFD083427435B18@szexchange.Shopzilla.inc>
References: <9C0091F428E697439E7A773FFD083427435B18@szexchange.Shopzilla.inc>
Message-ID: <454AA094.8060003@boreham.org>

Philip Kime wrote:
> I've been trying to get Windows sync installed but it's going to be
> impossible as it means enabling password complexity policies in a
> large domain and that isn't going to happen. Does anyone know of any
> alternatives to this? I know this is desperate since you have to have
> the plain-text password in order to do this right?

Right. There are products that get around this issue by not sync'ing passwords. Instead they proxy failed bind requests to AD and if the bind succeeds they come to the conclusion that the password has changed and store the new value. It's possible however that someone has a patent on this technique.

From ABliss at preferredcare.org Fri Nov 3 02:49:10 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Thu, 2 Nov 2006 21:49:10 -0500
Subject: [Fedora-directory-users] Windows sync on more than 1 domain controller
Message-ID:

Hi everyone,

I'm sure, like most shops out there, we have multiple domain controllers in our 2003 AD environment; is it necessary to install the PassSync service on each domain controller? (As I understand AD's multi-master environment to work, there is no guarantee which domain controller a user will hit when they change their password.) Please advise, and thanks.

Aaron

From ABliss at preferredcare.org Fri Nov 3 04:18:17 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Thu, 2 Nov 2006 23:18:17 -0500
Subject: [Fedora-directory-users] So close to having windows psync working
Message-ID:

Hi everyone,

I think that I'm very, very close to having this wrapped up; when initiating a password change from Windows, I'm receiving an "Insufficient access" error in the psync logfile. I created a new user in FDS outside of the database -> uid=psync,cn=config; how do I give this user the necessary access to modify user passwords? Thanks very much.

Aaron

From stpierre at NebrWesleyan.edu Fri Nov 3 13:39:06 2006
From: stpierre at NebrWesleyan.edu (Chris St. Pierre)
Date: Fri, 3 Nov 2006 07:39:06 -0600 (CST)
Subject: [Fedora-directory-users] Problems Setting up 1.0.3
In-Reply-To: <454A6DDC.10105@redhat.com>
References: <1162320912.9441.21.camel@houuc8> <45479BF4.7050707@sci.fi> <4547B4A5.5060700@omniti.com> <4547BE4F.80407@redhat.com> <454A28E5.5010405@omniti.com> <454A6DDC.10105@redhat.com>
Message-ID:

Rich--

As I mentioned on IRC, I got about 90% of the way through the SSL setup before my deadline hit and I had to go live without SSL fully working. My machines are all listening on port 636, but don't do SSL properly. As far as I can tell/remember, I provisioned the boxes identically, so they all should be equally far along in the SSL-enabling process, but only one of them demonstrated the permissions problem.

I guess you did say, though, that the problem _only_ happens to SSL-enabled machines, not that it _always_ happens to SSL-enabled machines. Still, hope this helps you root out the problem. Good luck!

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University

On Thu, 2 Nov 2006, Richard Megginson wrote:
> It appears that the permission problem only happens with servers that were
> configured to use SSL in fds102 and upgraded to fds103. Can anyone confirm the
> problem occurred in a system not using SSL?

From mj at sci.fi Fri Nov 3 13:44:47 2006
From: mj at sci.fi (mj at sci.fi)
Date: Fri, 3 Nov 2006 15:44:47 +0200 (EET)
Subject: [Fedora-directory-users] Problems Setting up 1.0.3
Message-ID: <24203724.763511162561488614.JavaMail.mj@sci.fi>

"Chris St. Pierre" wrote:
> I guess you did say, though, that the problem _only_ happens to
> SSL-enabled machines, not that it _always_ happens to SSL-enabled
> machines. Still, hope this helps you root out the problem.
>
> On Thu, 2 Nov 2006, Richard Megginson wrote:
> > It appears that the permission problem only happens with servers that were
> > configured to use SSL in fds102 and upgraded to fds103. Can anyone confirm the
> > problem occurred in a system not using SSL?

My server (laptop) had not ever been configured to use SSL.

--
mike

From stpierre at NebrWesleyan.edu Fri Nov 3 14:59:10 2006
From: stpierre at NebrWesleyan.edu (Chris St. Pierre)
Date: Fri, 3 Nov 2006 08:59:10 -0600 (CST)
Subject: [Fedora-directory-users] Problems Setting up 1.0.3
In-Reply-To: <24203724.763511162561488614.JavaMail.mj@sci.fi>
References: <24203724.763511162561488614.JavaMail.mj@sci.fi>
Message-ID:

After the update from 1.0.2 to 1.0.3, I had some replication problems, and it appears that one of my four servers was no longer properly replicating to the others. I recreated the replication agreements and reinitialized the replications, but now I'm getting some strange errors in the error logs of the borked server:

[03/Nov/2006:08:54:23 -0600] NSMMReplicationPlugin - Total update aborted: Replication agreement for "agmt="cn="Replication to zeppo.nebrwesleyan.edu"" (zeppo:389)" can not be updated while the replica is disabled
[03/Nov/2006:08:54:23 -0600] NSMMReplicationPlugin - (If the suffix is disabledyou must enable it then restart the server for replication to take place).

This happens right after I try to re-init the replication agreements.

I'm hoping that the fix is as simple as enabling the replication agreements; how do I do that (w/o console)?

Also, it says I have to restart "the server"; which server? Consumer or producer?

Thanks!

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University

From rmeggins at redhat.com Fri Nov 3 15:46:53 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 03 Nov 2006 08:46:53 -0700
Subject: [Fedora-directory-users] Problems Setting up 1.0.3
In-Reply-To:
References: <24203724.763511162561488614.JavaMail.mj@sci.fi>
Message-ID: <454B646D.8070101@redhat.com>

Chris St. Pierre wrote:
> After the update from 1.0.2 to 1.0.3, I had some replication problems,
> and it appears that one of my four servers was no longer properly
> replicating to the others. I recreated the replication agreements and
> reinitialized the replications, but now I'm getting some strange
> errors in the error logs of the borked server:
>
> [03/Nov/2006:08:54:23 -0600] NSMMReplicationPlugin - Total update
> aborted: Replication agreement for "agmt="cn="Replication to
> zeppo.nebrwesleyan.edu"" (zeppo:389)" can not be updated while the
> replica is disabled
> [03/Nov/2006:08:54:23 -0600] NSMMReplicationPlugin - (If the suffix is
> disabledyou must enable it then restart the server for replication to
> take place).
>
> This happens right after I try to re-init the replication agreements.
>
> I'm hoping that the fix is as simple as enabling the replication
> agreements; how do I do that (w/o console)?
>
> Also, it says I have to restart "the server"; which server? Consumer
> or producer?

The consumer. The supplier thinks the consumer suffix is disabled. It might be as simple a fix as restarting the consumer.

> Thanks!
>
> Chris St. Pierre
> Unix Systems Administrator
> Nebraska Wesleyan University

From david_list at boreham.org Fri Nov 3 15:44:10 2006
From: david_list at boreham.org (David Boreham)
Date: Fri, 03 Nov 2006 08:44:10 -0700
Subject: [Fedora-directory-users] Need a replica on sles10
In-Reply-To: <20061101172423.GF32675@fog.msi.umn.edu>
References: <20061101151351.GB32675@fog.msi.umn.edu> <4548BFCF.2060309@redhat.com> <20061101172423.GF32675@fog.msi.umn.edu>
Message-ID: <454B63CA.2040606@boreham.org>

> Any thoughts on what logs from FDS would be slurp-able, or if FDS
> supports writing that kind of replication log?

Originally the two came from the same code. Netscape Directory Server 1.x used a replication mechanism that was derived from slurpd (but the slurp functionality was included in the main server). That code used the older slurp-compatible logging. The present day FDS has multi-master replication that is entirely different and uses quite different logging. However, for backwards compatibility reasons (with older Netscape 4.x servers and before), the old log format was preserved as a configurable option. Hence the thought that possibly slurpd is still compatible with that legacy changelog format.

However, my personal recommendation would be that you get FDS to build and run on SLES. My belief is that will be easier/quicker/cheaper to do than to figure out if slurpd/FDS will work together. There are just so many things that can go wrong, and proving that it works properly is a non-trivial project.
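Dan's diagnosis in the "Problem accessing Configuration Directory" thread (the admin server's BIND gets err=0 but the RESULT carries dn="", so the following search runs as anonymous and finds nothing) is worth checking across a whole access log rather than two excerpts. As an added example, not code from the list or the project, this pairs each BIND with its RESULT by conn/op and flags named binds that the server reported as successful-but-anonymous; the sample log is constructed from the lines Dan posted.

```python
"""Find binds that silently came back anonymous in a Fedora DS access log.

Added example: parses access-log lines of the form shown in the list
thread and pairs each BIND request with its RESULT (same conn and op).
A bind RESULT with err=0 but dn="" means the connection was accepted as
anonymous, which explains a later SRCH returning nentries=0.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Common prefix of every access-log line: timestamp, conn, optional op.
_LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>\d+))? (?P<rest>.*)$"
)
_BIND_RE = re.compile(
    r'^BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+) version=(?P<version>\d)'
)
# A bind RESULT (tag=97) ends with the DN the server actually bound as.
_RESULT_RE = re.compile(
    r'^RESULT err=(?P<err>-?\d+) tag=(?P<tag>\d+) nentries=\d+'
    r'(?: .*?\bdn="(?P<dn>[^"]*)")?'
)
BIND_RESPONSE_TAG = 97


@dataclass
class BindRecord:
    conn: str
    op: str
    timestamp: str
    requested_dn: str
    version: int
    err: int | None = None       # filled in from the matching RESULT line
    bound_dn: str | None = None  # "" means the server bound us as anonymous

    @property
    def anonymous_fallback(self) -> bool:
        """A named bind reported as successful, yet bound as nobody."""
        return self.requested_dn != "" and self.err == 0 and self.bound_dn == ""


def parse_binds(lines) -> list[BindRecord]:
    """Collect every BIND and attach err/dn from its RESULT (same conn/op)."""
    binds: dict[tuple[str, str], BindRecord] = {}
    for line in lines:
        m = _LINE_RE.match(line.strip())
        if not m or m.group("op") is None:
            continue  # connection open/close and SSL cipher lines carry no op
        key = (m.group("conn"), m.group("op"))
        rest = m.group("rest")
        b = _BIND_RE.match(rest)
        if b:
            binds[key] = BindRecord(key[0], key[1], m.group("ts"),
                                    b.group("dn"), int(b.group("version")))
            continue
        r = _RESULT_RE.match(rest)
        if r and key in binds and int(r.group("tag")) == BIND_RESPONSE_TAG:
            binds[key].err = int(r.group("err"))
            binds[key].bound_dn = r.group("dn")   # None if no dn= field logged
    return list(binds.values())


def anonymous_fallbacks(log_text: str) -> list[BindRecord]:
    return [b for b in parse_binds(log_text.splitlines()) if b.anonymous_fallback]


def report(log_text: str) -> list[str]:
    """One human-readable line per suspicious bind."""
    return [
        f"{b.timestamp} conn={b.conn} op={b.op}: LDAPv{b.version} bind as "
        f"{b.requested_dn!r} returned err=0 but bound as anonymous"
        for b in anonymous_fallbacks(log_text)
    ]


# Constructed sample: the two excerpts from the thread, trimmed to the
# lines that matter (conn=5 is the admin server, conn=7 the manual query).
SAMPLE_LOG = """\
[02/Nov/2006:14:20:02 -0500] conn=5 fd=64 slot=64 SSL connection from 192.168.55.1 to 192.168.55.1
[02/Nov/2006:14:20:02 -0500] conn=5 SSL 128-bit RC4
[02/Nov/2006:14:20:02 -0500] conn=5 op=0 BIND dn="cn=admin-serv-ldap, cn=Fedora Administration Server, cn=Server Group, cn=ldap.example.net, ou=example.net, o=NetscapeRoot" method=128 version=2
[02/Nov/2006:14:20:02 -0500] conn=5 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[02/Nov/2006:14:20:02 -0500] conn=5 op=1 SRCH base="cn=configuration, cn=admin-serv-ldap, cn=Fedora Administration Server, cn=Server Group, cn=ldap.example.net, ou=example.net, o=NetscapeRoot" scope=0 filter="(objectClass=nsDirectoryInfo)" attrs=ALL
[02/Nov/2006:14:20:02 -0500] conn=5 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[02/Nov/2006:14:20:02 -0500] conn=5 op=2 UNBIND
[02/Nov/2006:14:20:02 -0500] conn=5 op=2 fd=64 closed - U1
[02/Nov/2006:14:22:55 -0500] conn=7 op=0 BIND dn="cn=admin-serv-ldap, cn=Fedora Administration Server, cn=Server Group, cn=ldap.example.net, ou=example.net, o=NetscapeRoot" method=128 version=3
[02/Nov/2006:14:22:55 -0500] conn=7 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=admin-serv-ldap,cn=fedora administration server,cn=server group,cn=ldap.example.net,ou=example.net,o=netscaperoot"
[02/Nov/2006:14:22:55 -0500] conn=7 op=1 RESULT err=0 tag=101 nentries=1 etime=0
"""

if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```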
From deighton at gmail.com Fri Nov 3 16:30:40 2006 From: deighton at gmail.com (Dan) Date: Fri, 03 Nov 2006 11:30:40 -0500 Subject: [Fedora-directory-users] Problem accessing Configuration Directory after upgrade to 1.0.3 In-Reply-To: <2717b73b0611021140j7e8fb2d5jd9bf4578f1b9e913@mail.gmail.com> References: <2717b73b0611021140j7e8fb2d5jd9bf4578f1b9e913@mail.gmail.com> Message-ID: <1162571440.7120.10.camel@whatever> > > I notice 2 differences. The BIND is using version 2 when trying to > start the admin server. That shouldn't matter. > > The problem seems to be with the BIND'ing. When trying to start the > admin server, the RESULT to the BIND contains an empty dn. When run > manually, the dn is correct. > > It seems like it is not authenticating properly with FDS 1.0.3. > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > Any ideas on why the admin user is not binding properly when starting the admin server? The password has not changed. It is still stored in the admpw file as a SHA hash. The only difference is that SSL was enabled for the Configuration DS. Also, has anyone else had this problem after upgrading to 1.0.3? From rmeggins at redhat.com Fri Nov 3 16:44:33 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Fri, 03 Nov 2006 09:44:33 -0700 Subject: [Fedora-directory-users] Problem accessing Configuration Directory after upgrade to 1.0.3 In-Reply-To: <1162571440.7120.10.camel@whatever> References: <2717b73b0611021140j7e8fb2d5jd9bf4578f1b9e913@mail.gmail.com> <1162571440.7120.10.camel@whatever> Message-ID: <454B71F1.60409@redhat.com> Dan wrote: >> I notice 2 differences. The BIND is using version 2 when trying to >> start the admin server. That shouldn't matter. >> >> The problem seems to be with the BIND'ing. When trying to start the >> admin server, the RESULT to the BIND contains an empty dn. When run >> manually, the dn is correct. 
>> >> It seems like it is not authenticating properly with FDS 1.0.3. >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> > > > Any ideas on why the admin user is not binding properly when starting > the admin server? The password has not changed. It is still stored in > the admpw file as a SHA hash. The only difference is that SSL was > enabled for the Configuration DS. > > Also, has anyone else had this problem after upgrading to 1.0.3? > Yep. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=213788 It works if the admin server uses ldap: to talk to the config ds, but fails if the admin server uses ldaps: to talk to the config ds. Try this: edit shared/config/dbswitch.conf - change the ldaps: url to ldap: and change the port from the secure port to the non-secure port. You should be able to restart admin server. > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From stpierre at NebrWesleyan.edu Fri Nov 3 17:25:42 2006 From: stpierre at NebrWesleyan.edu (Chris St. Pierre) Date: Fri, 3 Nov 2006 11:25:42 -0600 (CST) Subject: [Fedora-directory-users] Problems Setting up 1.0.3 In-Reply-To: <454B646D.8070101@redhat.com> References: <24203724.763511162561488614.JavaMail.mj@sci.fi> <454B646D.8070101@redhat.com> Message-ID: On Fri, 3 Nov 2006, Richard Megginson wrote: > The consumer. The supplier thinks the consumer suffix is disabled. It might > be as simple a fix as restarting the consumer. That changed the error message. 
[03/Nov/2006:11:21:24 -0600] NSMMReplicationPlugin - agmt="cn="Replication to chico.nebrwesleyan.edu"" (chico:389): Replica has a different generation ID than the local data. I get that every 3-5 seconds WRT replication to the same host. When I restarted the problematic host, it reinitialized all of its replication agreements; do I need to reinitialize the agreement the other way, too? Chris St. Pierre Unix Systems Administrator Nebraska Wesleyan University From nkinder at redhat.com Fri Nov 3 17:40:37 2006 From: nkinder at redhat.com (Nathan Kinder) Date: Fri, 03 Nov 2006 09:40:37 -0800 Subject: [Fedora-directory-users] Windows sync on more than 1 domain controller In-Reply-To: References: Message-ID: <454B7F15.6000801@redhat.com> Bliss, Aaron wrote: > > Hi everyone, > I'm sure like most shops out there, we have multiple domain > controllers in our 2003 ad environment; is it necessary to install the > pass sync service on each domain controller (as I understand ad's > multimaster environment to work, there is no guarantee which domain > controller a user will hit when they change their password); please > advise and thanks. > PassSync only needs to be installed on a single domain controller. -NGK > > Aaron > > Confidentiality Notice: > The information contained in this electronic message is intended for > the exclusive use of the individual or entity named above and may > contain privileged or confidential information. If the reader of this > message is not the intended recipient or the employee or agent > responsible to deliver it to the intended recipient, you are hereby > notified that dissemination, distribution or copying of this > information is prohibited. If you have received this communication in > error, please notify the sender immediately by telephone and destroy > the copies you received. 
> > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3241 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Fri Nov 3 19:12:12 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Fri, 03 Nov 2006 12:12:12 -0700 Subject: [Fedora-directory-users] Problems Setting up 1.0.3 In-Reply-To: References: <24203724.763511162561488614.JavaMail.mj@sci.fi> <454B646D.8070101@redhat.com> Message-ID: <454B948C.6010002@redhat.com> Chris St. Pierre wrote: > On Fri, 3 Nov 2006, Richard Megginson wrote: > > >> The consumer. The supplier thinks the consumer suffix is disabled. It might >> be as simple a fix as restarting the consumer. >> > > That changed the error message. > > [03/Nov/2006:11:21:24 -0600] NSMMReplicationPlugin - > agmt="cn="Replication to chico.nebrwesleyan.edu"" (chico:389): Replica > has a different generation ID than the local data. > > I get that every 3-5 seconds WRT replication to the same host. When I > restarted the problematic host, it reinitialized all of its > replication agreements; do I need to reinitialize the agreement the > other way, too? > You should not need to, but that is what the error message is telling you. Different generation ID means that the replica needs to be reinitialized. > Chris St. Pierre > Unix Systems Administrator > Nebraska Wesleyan University > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From stpierre at NebrWesleyan.edu Fri Nov 3 19:11:03 2006 From: stpierre at NebrWesleyan.edu (Chris St. Pierre) Date: Fri, 3 Nov 2006 13:11:03 -0600 (CST) Subject: [Fedora-directory-users] Problems Setting up 1.0.3 In-Reply-To: References: <24203724.763511162561488614.JavaMail.mj@sci.fi> <454B646D.8070101@redhat.com> Message-ID: I went ahead and re-inited pretty much all of my replication agreements, and now I'm getting the error below on the other three servers, but not on the one that originally had the problem. Do I just need to keep re-initing agreements until I hit the magic combination? Is there a better solution? (Please say yes!) Chris St. Pierre Unix Systems Administrator Nebraska Wesleyan University On Fri, 3 Nov 2006, Chris St. Pierre wrote: >On Fri, 3 Nov 2006, Richard Megginson wrote: > >> The consumer. The supplier thinks the consumer suffix is disabled. It might >> be as simple a fix as restarting the consumer. > >That changed the error message. > >[03/Nov/2006:11:21:24 -0600] NSMMReplicationPlugin - >agmt="cn="Replication to chico.nebrwesleyan.edu"" (chico:389): Replica >has a different generation ID than the local data. > >I get that every 3-5 seconds WRT replication to the same host. When I >restarted the problematic host, it reinitialized all of its >replication agreements; do I need to reinitialize the agreement the >other way, too? > >Chris St. 
Pierre >Unix Systems Administrator >Nebraska Wesleyan University > > >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users > From rmeggins at redhat.com Fri Nov 3 19:16:46 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Fri, 03 Nov 2006 12:16:46 -0700 Subject: [Fedora-directory-users] Problems Setting up 1.0.3 In-Reply-To: References: <24203724.763511162561488614.JavaMail.mj@sci.fi> <454B646D.8070101@redhat.com> Message-ID: <454B959E.4000907@redhat.com> Chris St. Pierre wrote: > I went ahead and re-inited pretty much all of my replication > agreements, and now I'm getting the error below on the other three > servers, but not on the one that originally had the problem. Do I > just need to keep re-initing agreements until I hit the magic > combination? Is there a better solution? (Please say yes!) > Once you reinitialize one, you have to reinitialize the others. I'm afraid I can't offer a better solution because I don't understand why this happened in the first place. > Chris St. Pierre > Unix Systems Administrator > Nebraska Wesleyan University > > On Fri, 3 Nov 2006, Chris St. Pierre wrote: > > >> On Fri, 3 Nov 2006, Richard Megginson wrote: >> >> >>> The consumer. The supplier thinks the consumer suffix is disabled. It might >>> be as simple a fix as restarting the consumer. >>> >> That changed the error message. >> >> [03/Nov/2006:11:21:24 -0600] NSMMReplicationPlugin - >> agmt="cn="Replication to chico.nebrwesleyan.edu"" (chico:389): Replica >> has a different generation ID than the local data. >> >> I get that every 3-5 seconds WRT replication to the same host. When I >> restarted the problematic host, it reinitialized all of its >> replication agreements; do I need to reinitialize the agreement the >> other way, too? >> >> Chris St. 
Pierre >> Unix Systems Administrator >> Nebraska Wesleyan University >> >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From minfrin at sharp.fm Sat Nov 4 13:29:04 2006 From: minfrin at sharp.fm (Graham Leggett) Date: Sat, 04 Nov 2006 15:29:04 +0200 Subject: [Fedora-directory-users] Infinite loop during installation process Message-ID: <454C95A0.2080407@sharp.fm> Hi all, I am trying to set up a new FDS v1.0.3 install under RHEL4, adding this server to an existing configuration domain. About half way through the install, I am asked if I would like to add sample entries to my server. I say "No". The screen clears. After a while I press "enter" to see if there is any progress on the install. The screen clears again and the same "Do you want to install the sample entries?" appears. I say "No". Rinse repeat. Has anyone encountered this before? Is there a workaround for this? So far it seems the installer is terminally broken. Regards, Graham -- From minfrin at sharp.fm Sat Nov 4 13:54:01 2006 From: minfrin at sharp.fm (Graham Leggett) Date: Sat, 04 Nov 2006 15:54:01 +0200 Subject: [Fedora-directory-users] v1.0.3 not available in Bugzilla Message-ID: <454C9B79.2000000@sharp.fm> Hi all, v1.0.3 is not available as a version in Bugzilla. 
Regards,
Graham
--

From bachelor_junaid at yahoo.com Sat Nov 4 15:35:31 2006
From: bachelor_junaid at yahoo.com (Junaid)
Date: Sat, 4 Nov 2006 07:35:31 -0800 (PST)
Subject: [Fedora-directory-users] I need Help in FDS warnings & Connection with Samba
Message-ID: <20061104153531.32786.qmail@web51411.mail.yahoo.com>

Hi all,

I have installed Fedora Directory Server. When I do
./startconsole -u admin -a http://localhost.localdomain:786/
it gives the warning:

GC warning: Out of memory Returning NIL!
GC warning: Out of memory Returning NIL!
GC warning: Out of memory Returning NIL!
***catastropic failure while handling uncaught exceptions.

I want to ask: does this command work even though the warnings are coming? And how can I configure Samba with FDS so that the Samba Primary Domain Server can authenticate from FDS? Please guide me. Thanks.

From kylet at panix.com Sat Nov 4 19:11:28 2006
From: kylet at panix.com (Kyle Tucker)
Date: Sat, 4 Nov 2006 14:11:28 -0500
Subject: [Fedora-directory-users] Linux password change/expiration issue
Message-ID: <20061104191128.GB24964@panix.com>

On Wed, Nov 01, 2006 at 02:50:14PM +0100, Jo De Troy wrote:
>
> as far as I understand you should not be using the shadowAccount
> objectClass attributes to get this behaviour but you should be
> configuring the password policies instead.

Hi all,

Sorry to be a pest with this, but I am so close. I went back to using shadowAccount and have it all behaving just as I need with one exception. When a client successfully changes their password, the userPassword attribute is changed in LDAP, but the shadowLastChange is not updated to the current day, and the password is still being interpreted as expired. This occurs with FDS 1.0.2 and 1.0.3. So I am not chasing an unattainable goal, should shadowLastChange be getting updated at the same time and by the same procedure as userPassword? Thanks.

--
- Kyle
---------------------------------------------
kylet at panix.com http://www.panix.com/~kylet
---------------------------------------------

From gholbert at broadcom.com Sat Nov 4 21:28:08 2006
From: gholbert at broadcom.com (George Holbert)
Date: Sat, 4 Nov 2006 13:28:08 -0800
Subject: [Fedora-directory-users] Linux password change/expiration issue
References: <20061104191128.GB24964@panix.com>
Message-ID: <009a01c70058$61cc4ed0$a5fdf00a@chunky>

One possible issue:
Does your ACI set allow shadowLastChange to be written?
To test, you could add a very permissive ACI that allows anyone to write shadowLastChange. If that helps, then hone down the ACI. I think all you should need is self-write for shadowLastChange, but I'm not 100% sure.

----- Original Message -----
From: "Kyle Tucker"
To: "General discussion list for the Fedora Directory server project."
Sent: Saturday, November 04, 2006 11:11 AM
Subject: Re: [Fedora-directory-users] Linux password change/expiration issue

> Hi all,
> Sorry to be a pest with this, but I am so close. I went back
> to using shadowAccount and have it all behaving just as I need with
> one exception. When a client successfully changes their password,
> the userPassword attribute is changed in LDAP, but the shadowLastChange
> is not updated to the current day, and the password is still being
> interpreted as expired. This occurs with FDS 1.0.2 and 1.0.3. So I am
> not chasing an unattainable goal, should shadowLastChange be getting
> updated at the same time and by the same procedure as userPassword? Thanks.
>
> --
> - Kyle

From kylet at panix.com Sun Nov 5 04:04:55 2006
From: kylet at panix.com (Kyle Tucker)
Date: Sat, 4 Nov 2006 23:04:55 -0500 (EST)
Subject: [Fedora-directory-users] Linux password change/expiration issue
In-Reply-To: <009a01c70058$61cc4ed0$a5fdf00a@chunky>
Message-ID: <200611050404.kA544tw09718@panix3.panix.com>

Bingo. In the admin console, I manually edited the top domain in the Directory tab using Set Access Permissions and Enable self write for common attributes, and added shadowLastChange and it updates fine along with userPassword now. Thanks so much.

aci: (targetattr = "carLicense ||description ||displayName ||facsimileTelephoneNumber
 ||homePhone ||homePostalAddress ||initials ||jpegPhoto ||labeledURL ||mail
 ||mobile ||pager ||photo ||postOfficeBox ||postalAddress ||postalCode
 ||preferredDeliveryMethod ||preferredLanguage ||registeredAddress ||roomNumber
 ||secretary ||seeAlso ||st ||street ||telephoneNumber ||telexNumber ||title
 ||userCertificate ||userPassword ||shadowLastChange ||userSMIMECertificate
 ||x500UniqueIdentifier") (version 3.0;acl "Enable self write for common
 attributes";allow (write)(userdn = "ldap:///self");)

> One possible issue:
> Does your ACI set allow shadowLastChange to be written?
> To test, you could add a very permissive ACI that allows anyone to write
> shadowLastChange. If that helps, then hone down the ACI. I think all you
> should need is self-write for shadowLastChange, but I'm not 100% sure.
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

--
- Kyle
---------------------------------------------
kylet at panix.com http://www.panix.com/~kylet
---------------------------------------------

From rmeggins at redhat.com Mon Nov 6 02:21:06 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Sun, 05 Nov 2006 19:21:06 -0700
Subject: [Fedora-directory-users] v1.0.3 not available in Bugzilla
In-Reply-To: <454C9B79.2000000@sharp.fm>
References: <454C9B79.2000000@sharp.fm>
Message-ID: <454E9C12.5050802@redhat.com>

Graham Leggett wrote:
> Hi all,
>
> v1.0.3 is not available as a version in Bugzilla.

Just put the version in the body of the bug report for now. We're working on it.

> Regards,
> Graham
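A small review script for the ACI Kyle posted in the "Linux password change/expiration issue" thread above, added here as an example (it is not code from the thread or from Fedora Directory Server). It parses version 3.0 ACI values, reports which attributes an entry may write to itself (ldap:///self), and flags any ACI that lets every caller (ldap:///anyone or ldap:///all) write password-related attributes, which is exactly the kind of "very permissive" test rule George suggested and which must not be left in place afterwards. The second ACI below is constructed for the example, and the list of attributes treated as sensitive is an assumption; extend it for your schema.

```python
import re
from typing import Dict, List

# Constructed sample input for this example: the self-write ACI from the thread,
# joined back into one value (the mail client had wrapped it), plus a hypothetical
# "temporary test" ACI that lets anyone write shadowLastChange.
SELF_WRITE_ACI = (
    '(targetattr = "carLicense ||description ||displayName ||facsimileTelephoneNumber '
    '||homePhone ||homePostalAddress ||initials ||jpegPhoto ||labeledURL ||mail '
    '||mobile ||pager ||photo ||postOfficeBox ||postalAddress ||postalCode '
    '||preferredDeliveryMethod ||preferredLanguage ||registeredAddress ||roomNumber '
    '||secretary ||seeAlso ||st ||street ||telephoneNumber ||telexNumber ||title '
    '||userCertificate ||userPassword ||shadowLastChange ||userSMIMECertificate '
    '||x500UniqueIdentifier") (version 3.0;acl "Enable self write for common '
    'attributes";allow (write)(userdn = "ldap:///self");)'
)
PERMISSIVE_TEST_ACI = (
    '(targetattr = "shadowLastChange")(version 3.0;acl "TEMP test: anyone may '
    'write shadowLastChange";allow (write)(userdn = "ldap:///anyone");)'
)

# Attributes that should only be writable by the entry itself or by an admin.
# Assumed list for this example (lower-cased; LDAP attribute names are case-insensitive).
SENSITIVE_ATTRS = {"userpassword", "shadowlastchange", "shadowmax",
                   "shadowmin", "shadowexpire", "shadowinactive"}

# Bind-rule subjects that match every caller, including anonymous ones.
WORLD_SUBJECTS = {"ldap:///anyone", "ldap:///all"}


def parse_aci(aci: str) -> Dict:
    """Extract the parts of a v3.0 ACI that matter for a write-access review."""
    m = re.search(r'targetattr\s*(!?=)\s*"([^"]*)"', aci)
    # With no targetattr clause we conservatively treat the ACI as covering
    # every attribute for review purposes.
    negated = bool(m) and m.group(1) == "!="
    attrs = [a.strip().lower() for a in m.group(2).split("||")] if m else ["*"]
    name_m = re.search(r'acl\s+"([^"]*)"', aci)
    rules = []
    # Each permission clause looks like: allow (write)(userdn = "ldap:///self");
    for kind, rights, bind in re.findall(r'(allow|deny)\s*\(([^)]*)\)\s*(.*?);', aci):
        rules.append({
            "kind": kind,
            "rights": [r.strip().lower() for r in rights.split(",")],
            "userdn": re.findall(r'userdn\s*=\s*"([^"]*)"', bind),
        })
    return {"name": name_m.group(1) if name_m else "", "negated": negated,
            "attrs": attrs, "rules": rules}


def aci_covers(parsed: Dict, attr: str) -> bool:
    """True if this ACI's targetattr clause applies to attr."""
    attr = attr.lower()
    if parsed["attrs"] == ["*"]:
        return True
    listed = attr in parsed["attrs"]
    return (not listed) if parsed["negated"] else listed


def self_writable_attrs(acis: List[str], wanted: List[str]) -> List[str]:
    """Which of `wanted` does some ACI allow the entry itself to write?"""
    out = []
    for attr in wanted:
        for p in map(parse_aci, acis):
            if aci_covers(p, attr) and any(
                r["kind"] == "allow" and "write" in r["rights"]
                and "ldap:///self" in r["userdn"] for r in p["rules"]):
                out.append(attr)
                break
    return out


def lint_acis(acis: List[str]) -> List[str]:
    """Flag ACIs that grant write on sensitive attributes to every caller."""
    findings = []
    for p in map(parse_aci, acis):
        for r in p["rules"]:
            if r["kind"] != "allow" or "write" not in r["rights"]:
                continue
            world = [u for u in r["userdn"] if u.lower() in WORLD_SUBJECTS]
            exposed = sorted(a for a in SENSITIVE_ATTRS if aci_covers(p, a))
            if world and exposed:
                findings.append('acl "%s" grants write to %s on %s'
                                % (p["name"], ", ".join(world), ", ".join(exposed)))
    return findings


if __name__ == "__main__":
    acis = [SELF_WRITE_ACI, PERMISSIVE_TEST_ACI]
    print("self-writable:", self_writable_attrs(acis, ["userPassword", "shadowLastChange", "uid"]))
    for finding in lint_acis(acis):
        print("FINDING:", finding)
```

To run it against a live server, export the aci values with an ldapsearch for "(aci=*)" over the suffix and join LDIF continuation lines (those starting with a space) before passing each value to parse_aci. The parser handles only the simple userdn bind rules seen in this thread; compound bind rules (and/or, groupdn, ip) are not evaluated and should be reviewed by hand.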
From rmeggins at redhat.com Mon Nov 6 02:21:49 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Sun, 05 Nov 2006 19:21:49 -0700
Subject: [Fedora-directory-users] Infinite loop during installation process
In-Reply-To: <454C95A0.2080407@sharp.fm>
References: <454C95A0.2080407@sharp.fm>
Message-ID: <454E9C3D.8080605@redhat.com>

Graham Leggett wrote:
> Hi all,
>
> I am trying to set up a new FDS v1.0.3 install under RHEL4, adding
> this server to an existing configuration domain.
>
> About half way through the install, I am asked if I would like to add
> sample entries to my server.

Choose Typical installation mode instead of Advanced or Express. Then you should not get this question.

> I say "No". The screen clears. After a while I press "enter" to see if
> there is any progress on the install. The screen clears again and the
> same "Do you want to install the sample entries?" appears.
>
> I say "No". Rinse repeat.
>
> Has anyone encountered this before? Is there a workaround for this? So
> far it seems the installer is terminally broken.
>
> Regards,
> Graham

From minfrin at sharp.fm Mon Nov 6 08:02:19 2006
From: minfrin at sharp.fm (Graham Leggett)
Date: Mon, 6 Nov 2006 10:02:19 +0200 (SAST)
Subject: [Fedora-directory-users] Infinite loop during installation process
In-Reply-To: <454E9C3D.8080605@redhat.com>
References: <454C95A0.2080407@sharp.fm> <454E9C3D.8080605@redhat.com>
Message-ID: <33056.196.8.104.27.1162800139.squirrel@www.sharp.fm>

On Mon, November 6, 2006 4:21 am, Richard Megginson wrote:
>> About half way through the install, I am asked if I would like to add
>> sample entries to my server.
> Choose Typical installation mode instead of Advanced or Express. Then
> you should not get this question.

I would if I could.

"Typical" installation mode assumes the name of the admin domain is the domain part of the machine name. If it's not (in this case, it is not), then setup goes through an infinite loop, asking for the configuration directory details over and over again, rather than doing the most obvious thing - ask for the name of the admin domain.

The only workaround at this point is to choose "advanced", but then you cannot get past the sample entries part.

As I said, seems the installer is terminally broken.

Regards,
Graham
--

From minfrin at sharp.fm Sat Nov 4 13:36:46 2006
From: minfrin at sharp.fm (Graham Leggett)
Date: Sat, 04 Nov 2006 15:36:46 +0200
Subject: [Fedora-directory-users] Second infinite loop during installation process
Message-ID: <454C976E.4040804@sharp.fm>

Hi all,

Another infinite loop - if typical install is chosen, and the config is being added to an existing server, the machine name, port, username and password are requested. The error message "Could not find the Admin Domain domain.com in the server" is shown. This message is correct - the admin domain is not "domain.com" in this case.

At this point, the most logical course of action is to ask the user for the name of the admin domain. Instead, the setup loops round asking for the name of the machine, port, username and password as if the domain is going to be any different this time. Rinse repeat.

If the information is entered again, random characters start to appear behind the printed machine name.

This can be worked around by choosing "custom installation", but custom installation is broken due to the previously mentioned infinite loop while (not) adding sample entries.

Regards,
Graham
--

From jrussler at helix.nih.gov Mon Nov 6 16:36:06 2006
From: jrussler at helix.nih.gov (Jason Russler)
Date: Mon, 06 Nov 2006 11:36:06 -0500
Subject: [Fedora-directory-users] Version numbers
Message-ID: <454F6476.7050207@helix.nih.gov>

This is, in a way, entirely inconsequential from a functional stand-point but: I performed an upgrade from 1.0.2 to 1.0.3. The upgrade went fine (except the permissions on ~/slapd-blah/config and ~/slapd-blah/logs had to be changed back to what they were supposed to be) but when I start the console it shows a directory server version number of 1.0.2. Where is it getting that? /opt/fedora-ds/bin/slapd/server/ns-slapd shows Fedora-Directory/1.0.3 B2006.303.1845.

From aackumey at yahoo.com Mon Nov 6 16:23:34 2006
From: aackumey at yahoo.com (aku ackumey)
Date: Mon, 6 Nov 2006 08:23:34 -0800 (PST)
Subject: [Fedora-directory-users] help
Message-ID: <20061106162335.87747.qmail@web51006.mail.yahoo.com>

Hi, I'm new in fedora-ds and have followed the instructions, but when I want to start the admin server I get this error:

httpd.worker: Syntax error on line 128 of /opt/fedora-ds/admin-serv/config/httpd.conf: Cannot load /etc/httpd/modules/mod_access.so into server: /etc/httpd/modules/mod_access.so: cannot open shared object file: No such file or directory

Please help me. Thanks in advance.

From rmeggins at redhat.com Mon Nov 6 16:54:30 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 06 Nov 2006 09:54:30 -0700
Subject: [Fedora-directory-users] Version numbers
In-Reply-To: <454F6476.7050207@helix.nih.gov>
References: <454F6476.7050207@helix.nih.gov>
Message-ID: <454F68C6.4060303@redhat.com>

Jason Russler wrote:
> This is, in a way, entirely inconsequential from a functional
> stand-point but:
> I performed an upgrade from 1.0.2 to 1.0.3. The upgrade went fine
> (except the permissions on ~/slapd-blah/config and ~/slapd-blah/logs
> had to be changed back to what they were supposed to be) but when I
> start the console it shows a directory server version number of
> 1.0.2. Where is it getting that?
> /opt/fedora-ds/bin/slapd/server/ns-slapd shows
> Fedora-Directory/1.0.3 B2006.303.1845.

I think it's because when you get the permission problem during setup (are you using SSL at all?), the upgrade process doesn't upgrade the ds version that the console uses. The authoritative version is the one reported by ns-slapd.

From rmeggins at redhat.com Mon Nov 6 16:55:55 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 06 Nov 2006 09:55:55 -0700
Subject: [Fedora-directory-users] help
In-Reply-To: <20061106162335.87747.qmail@web51006.mail.yahoo.com>
References: <20061106162335.87747.qmail@web51006.mail.yahoo.com>
Message-ID: <454F691B.3010006@redhat.com>

aku ackumey wrote:
> hi i'm new in fedora-ds and have followed instructions
> but when i want to start the admin server i get this
> error httpd.worker: Syntax error on line 128 of
> /opt/fedora-ds/admin-serv/config/httpd.conf: Cannot
> load /etc/httpd/modules/mod_access.so into server:
> /etc/httpd/modules/mod_access.so: cannot open shared
> object file: No such file or directory please help me

What is your OS and version? Have you installed the latest updates? What version of Apache are you using? What version of Fedora DS? 1.0.3?

> thanks in advance.

From prowley at redhat.com Mon Nov 6 19:05:21 2006
From: prowley at redhat.com (Pete Rowley)
Date: Mon, 06 Nov 2006 11:05:21 -0800
Subject: [Fedora-directory-users] Linux password change/expiration issue
In-Reply-To: <200611050404.kA544tw09718@panix3.panix.com>
References: <200611050404.kA544tw09718@panix3.panix.com>
Message-ID: <454F8771.70403@redhat.com>

Kyle Tucker wrote:
> Bingo. In the admin console, I manually edited the top domain in the
> Directory tab using Set Access Permissions and Enable self write for
> common attributes, and added shadowLastChange and it updates fine
> along with userPassword now. Thanks so much.
>
> aci: (targetattr = "carLicense ||description ||displayName ||facsimileTelephoneNumber
>  ||homePhone ||homePostalAddress ||initials ||jpegPhoto ||labeledURL ||mail
>  ||mobile ||pager ||photo ||postOfficeBox ||postalAddress ||postalCode
>  ||preferredDeliveryMethod ||preferredLanguage ||registeredAddress ||roomNumber
>  ||secretary ||seeAlso ||st ||street ||telephoneNumber ||telexNumber ||title
>  ||userCertificate ||userPassword ||shadowLastChange ||userSMIMECertificate
>  ||x500UniqueIdentifier") (version 3.0;acl "Enable self write for common
>  attributes";allow (write)(userdn = "ldap:///self");)

Good to see you got this working, could I perchance persuade you to write this up for the wiki? :)

--
Pete

From minfrin at sharp.fm Mon Nov 6 19:33:25 2006
From: minfrin at sharp.fm (Graham Leggett)
Date: Mon, 06 Nov 2006 21:33:25 +0200
Subject: [Fedora-directory-users] Cannot uninstall fedora-ds v1.0.2
Message-ID: <454F8E05.40603@sharp.fm>

Hi all,

In an attempt to bring my new server back to some semblance of operation, I try to uninstall fedora-ds v1.0.2. This is because no option exists to reconfigure the server once configured.

This attempt hangs. When ctl-c is used to break, fedora-ds fails like so:

[root at rachel ~]# rpm -e fedora-ds

Interrupt [2]. Uninstallation aborts.
/var/tmp/rpm-tmp.10197: line 8: 6168 Segmentation fault ./uninstall -s -force
error: %preun(fedora-ds-1.0.2-1.RHEL4.i386) scriptlet failed, exit status 139

Regards,
Graham
--

From rmeggins at redhat.com Mon Nov 6 19:45:37 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 06 Nov 2006 12:45:37 -0700
Subject: [Fedora-directory-users] Cannot uninstall fedora-ds v1.0.2
In-Reply-To: <454F8E05.40603@sharp.fm>
References: <454F8E05.40603@sharp.fm>
Message-ID: <454F90E1.70900@redhat.com>

Graham Leggett wrote:
> Hi all,
>
> In an attempt to bring my new server back to some semblance of
> operation, I try to uninstall fedora-ds v1.0.2.
>
> This is because no option exists to reconfigure the server once
> configured.

I'm not sure what you mean. The configuration options provided during setup are just for convenience. All of that configuration and more can be done after setup using the console, command line, or editing config files. What sort of configuration do you need to do?

> This attempt hangs. When ctl-c is used to break, fedora-ds fails like so:
>
> [root at rachel ~]# rpm -e fedora-ds
>
> Interrupt [2]. Uninstallation aborts.
> /var/tmp/rpm-tmp.10197: line 8: 6168 Segmentation fault ./uninstall
> -s -force
> error: %preun(fedora-ds-1.0.2-1.RHEL4.i386) scriptlet failed, exit
> status 139

I'm not sure what the problem is, unless it's just horked from successive setup+remove attempts. Just make sure your servers are shut down, then do

rpm -e --noscripts fedora-ds

> Regards,
> Graham
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Mon Nov 6 20:02:09 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Mon, 06 Nov 2006 13:02:09 -0700 Subject: [Fedora-directory-users] Infinite loop during installation process In-Reply-To: <33056.196.8.104.27.1162800139.squirrel@www.sharp.fm> References: <454C95A0.2080407@sharp.fm> <454E9C3D.8080605@redhat.com> <33056.196.8.104.27.1162800139.squirrel@www.sharp.fm> Message-ID: <454F94C1.5040601@redhat.com> Graham Leggett wrote: > On Mon, November 6, 2006 4:21 am, Richard Megginson wrote: > > >>> About half way through the install, I am asked if I would like to add >>> sample entries to my server. >>> >> Choose Typical installation mode instead of Advanced or Express. Then >> you should not get this question. >> > > I would if I could. > > "Typical" installation mode assumes the name of the admin domain is the > domain part of the machine name. If it's not (in this case, it is not), > then setup goes through an infinite loop, asking for the configuration > directory details over and over again, rather than doing the most obvious > thing - ask for the name of the admin domain. > > The only workaround at this point is to choose "advanced", but then you > cannot get past the sample entries part. > https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214243 This will be fixed in FDS 1.0.4 The installer is written such that in Typical mode, the admin domain is hard coded. So you have to use Custom/Advanced mode to enter it. > As I said, seems the installer is terminally broken. 
> The last resort is to just create a silent install file and just use setup -s -f silent.inf - see http://directory.fedora.redhat.com/wiki/Install_Guide#inf_File_Format_for_core_directory_server_installation > Regards, > Graham > -- > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From EMLiberman at ra.rockwell.com Mon Nov 6 19:09:39 2006 From: EMLiberman at ra.rockwell.com (Eugene M Liberman) Date: Mon, 6 Nov 2006 14:09:39 -0500 Subject: [Fedora-directory-users] Multi Master replication In-Reply-To: <454F68C6.4060303@redhat.com> Message-ID: I am testing a multi master replication. The replication agreements between host a and b are setup. When I add an entry to a replicated subtree from host a the new entry is also visible on host b when I browse host b. This works as I expect, however, when I delete this entry from host b login, the entry is not visible on host b, but it is still visible in host a. I am running FDS 1.0.2 and Fedora 5. Should the entry be removed from both servers? Thank you in advance, Gene Liberman -------------- next part -------------- An HTML attachment was scrubbed... URL: From rmeggins at redhat.com Mon Nov 6 20:56:20 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Mon, 06 Nov 2006 13:56:20 -0700 Subject: [Fedora-directory-users] Multi Master replication In-Reply-To: References: Message-ID: <454FA174.90103@redhat.com> Eugene M Liberman wrote: > > I am testing a multi master replication. The replication agreements > between host a and b are setup. When I add an entry to a replicated > subtree from host a the new entry is also visible on host b when I > browse host b. 
This works as I expect, however, when I delete this > entry from host b login, the entry is not visible on host b, but it is > still visible in host a. I am running FDS 1.0.2 and Fedora 5. What are you using to verify visibility? Note that the console may not refresh immediately. > > Should the entry be removed from both servers? > > Thank you in advance, > > Gene Liberman > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From minfrin at sharp.fm Mon Nov 6 20:54:16 2006 From: minfrin at sharp.fm (Graham Leggett) Date: Mon, 06 Nov 2006 22:54:16 +0200 Subject: [Fedora-directory-users] Infinite loop during installation process In-Reply-To: <454F94C1.5040601@redhat.com> References: <454C95A0.2080407@sharp.fm> <454E9C3D.8080605@redhat.com> <33056.196.8.104.27.1162800139.squirrel@www.sharp.fm> <454F94C1.5040601@redhat.com> Message-ID: <454FA0F8.5080703@sharp.fm> Richard Megginson wrote: > The last resort is to just create a silent install file and just use > setup -s -f silent.inf - see > http://directory.fedora.redhat.com/wiki/Install_Guide#inf_File_Format_for_core_directory_server_installation A workaround I found was to roll back to v1.0.2, this at the very least gets the server installed. The admin server on the new DS is toast though - it's up and running (confirmed with telnet) but according to the console, the admin server is down. No explanation is given for how the admin console reaches this conclusion, so troubleshooting options are limited. The trouble started when an attempt was made to install the security certificates on the machine, something that cannot be done during setup. 
Keep getting this message: org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-5938) Encountered end of file. No idea what it means :( Regards, Graham -- From rmeggins at redhat.com Mon Nov 6 21:10:29 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Mon, 06 Nov 2006 14:10:29 -0700 Subject: [Fedora-directory-users] Infinite loop during installation process In-Reply-To: <454FA0F8.5080703@sharp.fm> References: <454C95A0.2080407@sharp.fm> <454E9C3D.8080605@redhat.com> <33056.196.8.104.27.1162800139.squirrel@www.sharp.fm> <454F94C1.5040601@redhat.com> <454FA0F8.5080703@sharp.fm> Message-ID: <454FA4C5.5040606@redhat.com> Graham Leggett wrote: > Richard Megginson wrote: > >> The last resort is to just create a silent install file and just use >> setup -s -f silent.inf - see >> http://directory.fedora.redhat.com/wiki/Install_Guide#inf_File_Format_for_core_directory_server_installation > > > A workaround I found was to roll back to v1.0.2, this at the very > least gets the server installed. > > The admin server on the new DS is toast though - it's up and running > (confirmed with telnet) but according to the console, the admin server > is down. No explanation is given for how the admin console reaches > this conclusion, so troubleshooting options are limited. Can you confirm with your web browser? Try both http:// and https:// The admin server, unlike the DS, will only speak one protocol at a time, either http or https. > > The trouble started when an attempt was made to install the security > certificates on the machine, something that cannot be done during setup. > > Keep getting this message: > > org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: > (-5938) Encountered end of file. When you attempt to start the console? 
> > No idea what it means :( > > Regards, > Graham > -- > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From minfrin at sharp.fm Mon Nov 6 21:32:43 2006 From: minfrin at sharp.fm (Graham Leggett) Date: Mon, 06 Nov 2006 23:32:43 +0200 Subject: [Fedora-directory-users] Infinite loop during installation process In-Reply-To: <454FA4C5.5040606@redhat.com> References: <454C95A0.2080407@sharp.fm> <454E9C3D.8080605@redhat.com> <33056.196.8.104.27.1162800139.squirrel@www.sharp.fm> <454F94C1.5040601@redhat.com> <454FA0F8.5080703@sharp.fm> <454FA4C5.5040606@redhat.com> Message-ID: <454FA9FB.9070106@sharp.fm> Richard Megginson wrote: > Can you confirm with your web browser? Try both http:// and https:// > The admin server, unlike the DS, will only speak one protocol at a time, > either http or https. The admin server was configured http. >> org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: >> (-5938) Encountered end of file. > When you attempt to start the console? It appears when an attempt is made to select "manage certificates", and a number of other places. The cert8.db and key3.db files have been created successfully using certutil and pk12util (manage certificates refuses to run until these files are created manually, with the correct names, and certificates added manually to them). It also happens when you click on the "encryption" tab inside the directory server configuration (after the server was reinstalled from scratch, and the cn=server.domain.com,o=NetscapeRoot had been manually deleted). 
Regards, Graham -- From rmeggins at redhat.com Mon Nov 6 22:04:19 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Mon, 06 Nov 2006 15:04:19 -0700 Subject: [Fedora-directory-users] Infinite loop during installation process In-Reply-To: <454FA9FB.9070106@sharp.fm> References: <454C95A0.2080407@sharp.fm> <454E9C3D.8080605@redhat.com> <33056.196.8.104.27.1162800139.squirrel@www.sharp.fm> <454F94C1.5040601@redhat.com> <454FA0F8.5080703@sharp.fm> <454FA4C5.5040606@redhat.com> <454FA9FB.9070106@sharp.fm> Message-ID: <454FB163.3040902@redhat.com> Graham Leggett wrote: > Richard Megginson wrote: > >> Can you confirm with your web browser? Try both http:// and >> https:// The admin server, unlike the DS, will only speak one >> protocol at a time, either http or https. > > The admin server was configured http. > >>> org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: >>> (-5938) Encountered end of file. >> When you attempt to start the console? > > It appears when an attempt is made to select "manage certificates", > and a number of other places. I think this means it's trying to talk SSL. It could be attempting to open an https connection to the admin server which is only listening to http. You could try starting the console using startconsole -D 9 > file 2>&1 to capture the detailed debug log to file. This should give us more information about what it's doing when it gets that exception. > > The cert8.db and key3.db files have been created successfully using > certutil and pk12util (manage certificates refuses to run until these > files are created manually, with the correct names, and certificates > added manually to them). > > It also happens when you click on the "encryption" tab inside the > directory server configuration (after the server was reinstalled from > scratch, and the cn=server.domain.com,o=NetscapeRoot had been manually > deleted). 
> > Regards, > Graham > -- > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From minfrin at sharp.fm Mon Nov 6 22:09:55 2006 From: minfrin at sharp.fm (Graham Leggett) Date: Tue, 07 Nov 2006 00:09:55 +0200 Subject: [Fedora-directory-users] Infinite loop during installation process In-Reply-To: <454FB163.3040902@redhat.com> References: <454C95A0.2080407@sharp.fm> <454E9C3D.8080605@redhat.com> <33056.196.8.104.27.1162800139.squirrel@www.sharp.fm> <454F94C1.5040601@redhat.com> <454FA0F8.5080703@sharp.fm> <454FA4C5.5040606@redhat.com> <454FA9FB.9070106@sharp.fm> <454FB163.3040902@redhat.com> Message-ID: <454FB2B3.5030509@sharp.fm> Richard Megginson wrote: >> It appears when an attempt is made to select "manage certificates", >> and a number of other places. > I think this means it's trying to talk SSL. It could be attempting to > open an https connection to the admin server which is only listening to > http. You could try starting the console using > startconsole -D 9 > file 2>&1 > to capture the detailed debug log to file. This should give us more > information about what it's doing when it gets that exception. Using tcplow to sniff the admin console port, the admin server is definitely trying to talk ssl. Is there a method of telling the admin server _not_ to use SSL? I have searched high and low inside the directory, and all the config I can find has the admin server defined with SSL disabled. Alternatively, is there a way to switch SSL on on the admin server without using the console? 
Regards, Graham -- From Justin.Crawford at cusys.edu Mon Nov 6 22:16:38 2006 From: Justin.Crawford at cusys.edu (Justin Crawford) Date: Mon, 6 Nov 2006 15:16:38 -0700 Subject: [Fedora-directory-users] Password Attributes in MM replication In-Reply-To: <454FB163.3040902@redhat.com> Message-ID: <7315857F21D51B449CC55ADE3A5683182BFF1B@ex2k3.ad.cusys.edu> Is "passwordRetryCount" replicated in a multimaster setup? Or, when replication copies a "userPassword" change, is "passwordRetryCount" reset to 0 in the consumer, by the consumer? I just helped a user whose retry count was 0 on one of our replicated LDAPs, but stuck at maximum on the other, *after* multiple password changes. I didn't think that would be possible! Thanks, Justin From rmeggins at redhat.com Mon Nov 6 22:24:12 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Mon, 06 Nov 2006 15:24:12 -0700 Subject: [Fedora-directory-users] Password Attributes in MM replication In-Reply-To: <7315857F21D51B449CC55ADE3A5683182BFF1B@ex2k3.ad.cusys.edu> References: <7315857F21D51B449CC55ADE3A5683182BFF1B@ex2k3.ad.cusys.edu> Message-ID: <454FB60C.2090409@redhat.com> Justin Crawford wrote: > Is "passwordRetryCount" replicated in a multimaster setup? Or, when > replication copies a "userPassword" change, is "passwordRetryCount" > reset to 0 in the consumer, by the consumer? > > I just helped a user whose retry count was 0 on one of our replicated > LDAPs, but stuck at maximum on the other, *after* multiple password > changes. I didn't think that would be possible! > Are these read-only replicas or masters? If you want password attempts to a read-only replica to be forwarded to other servers, you must use something like chaining of bind requests. 
See http://directory.fedora.redhat.com/wiki/Howto:ChainOnUpdate > Thanks, > Justin > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Mon Nov 6 22:29:08 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Mon, 06 Nov 2006 15:29:08 -0700 Subject: [Fedora-directory-users] Infinite loop during installation process In-Reply-To: <454FB2B3.5030509@sharp.fm> References: <454C95A0.2080407@sharp.fm> <454E9C3D.8080605@redhat.com> <33056.196.8.104.27.1162800139.squirrel@www.sharp.fm> <454F94C1.5040601@redhat.com> <454FA0F8.5080703@sharp.fm> <454FA4C5.5040606@redhat.com> <454FA9FB.9070106@sharp.fm> <454FB163.3040902@redhat.com> <454FB2B3.5030509@sharp.fm> Message-ID: <454FB734.6080307@redhat.com> Graham Leggett wrote: > Richard Megginson wrote: > >>> It appears when an attempt is made to select "manage certificates", >>> and a number of other places. >> I think this means it's trying to talk SSL. It could be attempting >> to open an https connection to the admin server which is only >> listening to http. You could try starting the console using >> startconsole -D 9 > file 2>&1 >> to capture the detailed debug log to file. This should give us more >> information about what it's doing when it gets that exception. > > Using tcplow to sniff the admin console port, the admin server is > definitely trying to talk ssl. > > Is there a method of telling the admin server _not_ to use SSL? I have > searched high and low inside the directory, and all the config I can > find has the admin server defined with SSL disabled. > > Alternatively, is there a way to switch SSL on on the admin server > without using the console? 
1) edit admin-serv/config/console.conf and change NSSEngine from "on" to "off"
2) find the cn=configuration entry for the admin server:
   ldapsearch -x -D "cn=directory manager" -w password -s sub -b o=netscaperoot "nsserversecurity=on"
3) If this returns the config entry for the admin server, use ldapmodify to turn security off:
   ldapmodify -x -D "cn=directory manager" -w password
   dn: dn returned above
   changetype: modify
   replace: nsServerSecurity
   nsServerSecurity: off

4) restart admin server - restart-admin

This should cause admin server to use http instead of https.

> Regards,
> Graham
> --

From Justin.Crawford at cusys.edu Mon Nov 6 22:48:41 2006
From: Justin.Crawford at cusys.edu (Justin Crawford)
Date: Mon, 6 Nov 2006 15:48:41 -0700
Subject: [Fedora-directory-users] Password Attributes in MM replication
In-Reply-To: <454FB60C.2090409@redhat.com>
Message-ID: <7315857F21D51B449CC55ADE3A5683182BFF1E@ex2k3.ad.cusys.edu>

> Justin Crawford wrote:
>> Is "passwordRetryCount" replicated in a multimaster setup? Or, when
>> replication copies a "userPassword" change, is "passwordRetryCount"
>> reset to 0 in the consumer, by the consumer?
>>
>> I just helped a user whose retry count was 0 on one of our replicated
>> LDAPs, but stuck at maximum on the other, *after* multiple password
>> changes. I didn't think that would be possible!
>>
> Are these read-only replicas or masters?

These are both masters in a multimaster setup. Changing the password on ldap1 changes the password and passwordExpirationTime on ldap2. But passwordRetryCount on ldap2 remains unchanged.
I've usually seen passwordRetryCount reset to 0 when userPassword changes, no matter how the password change occurs. Is it different with multimaster replication?

From minfrin at sharp.fm Mon Nov 6 22:52:30 2006
From: minfrin at sharp.fm (Graham Leggett)
Date: Tue, 07 Nov 2006 00:52:30 +0200
Subject: [Fedora-directory-users] Infinite loop during installation process
In-Reply-To: <454FB734.6080307@redhat.com>
References: <454C95A0.2080407@sharp.fm> <454E9C3D.8080605@redhat.com> <33056.196.8.104.27.1162800139.squirrel@www.sharp.fm> <454F94C1.5040601@redhat.com> <454FA0F8.5080703@sharp.fm> <454FA4C5.5040606@redhat.com> <454FA9FB.9070106@sharp.fm> <454FB163.3040902@redhat.com> <454FB2B3.5030509@sharp.fm> <454FB734.6080307@redhat.com>
Message-ID: <454FBCAE.9070702@sharp.fm>

Richard Megginson wrote:
> 1) edit admin-serv/config/console.conf and change NSSEngine from "on" to
> "off"
> 2) find the cn=configuration entry for the admin server:
> ldapsearch -x -D "cn=directory manager" -w password -s sub -b
> o=netscaperoot "nsserversecurity=on"
> 3) If this returns the config entry for the admin server, use ldapmodify
> to turn security off:
> ldapmodify -x -D "cn=directory manager" -w password
> dn: dn returned above
> changetype: modify
> replace: nsServerSecurity
> nsServerSecurity: off
>
> 4) restart admin server - restart-admin
>
> This should cause admin server to use http instead of https.

In this case the admin server was already http.

I tried to switch the admin server SSL on, by manually editing the directory.

Now the admin server won't start at all, and no error message is logged to the console or error log.

A couple of questions at this point:

- How does the console know whether to contact the admin server using SSL or clear?

- How do you reset the state of the console entirely?

In the case of the admin server:

- Which files in the config directory can be edited by a human and have an actual effect?
- How do you refresh the files in the config directory, so that they reflect changes you've made in the directory itself?

- How do you completely and entirely flush a server out of the directory and the console so that you can start the process from scratch yet again?

Regards,
Graham
--

From rmeggins at redhat.com Mon Nov 6 23:02:16 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 06 Nov 2006 16:02:16 -0700
Subject: [Fedora-directory-users] Password Attributes in MM replication
In-Reply-To: <7315857F21D51B449CC55ADE3A5683182BFF1E@ex2k3.ad.cusys.edu>
References: <7315857F21D51B449CC55ADE3A5683182BFF1E@ex2k3.ad.cusys.edu>
Message-ID: <454FBEF8.50603@redhat.com>

Justin Crawford wrote:
>> Justin Crawford wrote:
>>> Is "passwordRetryCount" replicated in a multimaster setup? Or, when
>>> replication copies a "userPassword" change, is "passwordRetryCount"
>>> reset to 0 in the consumer, by the consumer?
>>>
>>> I just helped a user whose retry count was 0 on one of our replicated
>>> LDAPs, but stuck at maximum on the other, *after* multiple password
>>> changes. I didn't think that would be possible!
>>>
>> Are these read-only replicas or masters?
>
> These are both masters in a multimaster setup. Changing the password on
> ldap1 changes the password and passwordExpirationTime on ldap2. But
> passwordRetryCount on ldap2 remains unchanged. I've usually seen
> passwordRetryCount reset to 0 when userPassword changes, no matter how
> the password change occurs. Is it different with multimaster
> replication?
>
Yes. You have to enable global password policy. By default, password policy is local to each host. You have to enable global password policy to replicate the password policy op attrs. In the entry cn=config, set the attribute passwordisglobalpolicy to the value "on".
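The lockout state Justin describes (retry count 0 on one master, at maximum on the other) can be checked for directly. The following is an added example, not code from the thread or from Fedora Directory Server: it compares LDIF exports from two masters for the password-policy operational attributes (the list beyond the two attributes named in the thread is my assumption), reports where they disagree, and emits the cn=config modification described above; both exports are constructed sample data.

```python
"""Compare password-policy operational attributes across two multi-master
replicas and emit the LDIF that enables global password policy.

Added example for this thread, not Fedora Directory Server code. The two
exports below are constructed sample data modelled on the symptom in the
thread: ldap1 reset passwordRetryCount after a password change, ldap2
did not, so the account is locked on one master and open on the other."""

from collections import defaultdict

# Password-policy operational attributes that only replicate once
# passwordIsGlobalPolicy is "on" (per the reply above). Names beyond
# passwordRetryCount / passwordExpirationTime are my assumption.
POLICY_ATTRS = ("passwordretrycount", "retrycountresettime",
                "accountunlocktime", "passwordexpirationtime")

LDAP1_EXPORT = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
uid: jdoe
passwordRetryCount: 0
passwordExpirationTime: 20070205000000Z

dn: uid=asmith,ou=People,dc=example,dc=com
uid: asmith
passwordRetryCount: 1
passwordExpirationTime: 20070101000000Z
"""

LDAP2_EXPORT = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
uid: jdoe
passwordRetryCount: 3
passwordExpirationTime: 20070205000000Z

dn: uid=asmith,ou=People,dc=example,dc=com
uid: asmith
passwordRetryCount: 1
passwordExpirationTime: 20070101000000Z
"""


def parse_ldif(text):
    """Parse a minimal LDIF export into {dn: {attr_lower: [values]}}.

    Folded continuation lines (leading space) are joined and blank lines
    separate entries; base64 (::) values are kept verbatim, which is
    enough for the operational attributes compared here."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries = {}
    current = defaultdict(list)
    for line in lines + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries[current["dn"][0]] = dict(current)
                current = defaultdict(list)
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current[attr.strip().lower()].append(value.strip())
    return entries


def policy_drift(export_a, export_b):
    """Return {dn: {attr: (values_a, values_b)}} for entries present on
    both masters whose password-policy attributes disagree."""
    a, b = parse_ldif(export_a), parse_ldif(export_b)
    drift = {}
    for dn in a.keys() & b.keys():
        diffs = {}
        for attr in POLICY_ATTRS:
            va, vb = a[dn].get(attr, []), b[dn].get(attr, [])
            if va != vb:
                diffs[attr] = (va, vb)
        if diffs:
            drift[dn] = diffs
    return drift


def global_policy_ldif(enable=True):
    """ldapmodify input that sets passwordIsGlobalPolicy on cn=config,
    as in the reply above; it must be applied on every master."""
    return ("dn: cn=config\n"
            "changetype: modify\n"
            "replace: passwordIsGlobalPolicy\n"
            f"passwordIsGlobalPolicy: {'on' if enable else 'off'}\n")


if __name__ == "__main__":
    for dn, diffs in policy_drift(LDAP1_EXPORT, LDAP2_EXPORT).items():
        for attr, (va, vb) in diffs.items():
            print(f"{dn}: {attr} ldap1={va} ldap2={vb}")
    print(global_policy_ldif())
```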
From rmeggins at redhat.com Mon Nov 6 23:10:33 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 06 Nov 2006 16:10:33 -0700
Subject: [Fedora-directory-users] Infinite loop during installation process
In-Reply-To: <454FBCAE.9070702@sharp.fm>
References: <454C95A0.2080407@sharp.fm> <454E9C3D.8080605@redhat.com> <33056.196.8.104.27.1162800139.squirrel@www.sharp.fm> <454F94C1.5040601@redhat.com> <454FA0F8.5080703@sharp.fm> <454FA4C5.5040606@redhat.com> <454FA9FB.9070106@sharp.fm> <454FB163.3040902@redhat.com> <454FB2B3.5030509@sharp.fm> <454FB734.6080307@redhat.com> <454FBCAE.9070702@sharp.fm>
Message-ID: <454FC0E9.3020709@redhat.com>

Graham Leggett wrote:
> Richard Megginson wrote:
>
>> 1) edit admin-serv/config/console.conf and change NSSEngine from "on"
>> to "off"
>> 2) find the cn=configuration entry for the admin server:
>> ldapsearch -x -D "cn=directory manager" -w password -s sub -b
>> o=netscaperoot "nsserversecurity=on"
>> 3) If this returns the config entry for the admin server, use
>> ldapmodify to turn security off:
>> ldapmodify -x -D "cn=directory manager" -w password
>> dn: dn returned above
>> changetype: modify
>> replace: nsServerSecurity
>> nsServerSecurity: off
>>
>> 4) restart admin server - restart-admin
>>
>> This should cause admin server to use http instead of https.
>
> In this case the admin server was already http.
>
> I tried to switch the admin server SSL on, by manually editing the
> directory.
>
> Now the admin server won't start at all, and no error message is
> logged to the console or error log.
There's more to making it use ssl than disabling ssl.
The easiest way is to use the script at http://directory.fedora.redhat.com/wiki/Howto:SSL to generate the keys/certs, then use the console. You first have to go to Directory->Configuration->Data->Security and check the button that tells the console to use SSL. Then, go to Admin Server->Configuration->Security and tell Admin Server to use SSL.
>
> A couple of questions at this point:
>
> - How does the console know whether to contact the admin server using
> SSL or clear?
It should go off the url you specify when using startconsole, either http or https.
>
> - How do you reset the state of the console entirely?
>
> In the case of the admin server:
>
> - Which files in the config directory can be edited by a human and
> have an actual effect?
Only local.conf is read-only. It is basically a cache of the information under the admin server instance entry under o=NetscapeRoot.
http://directory.fedora.redhat.com/wiki/AdminServer#Admin_Server_Config_Files
>
> - How do you refresh the files in the config directory, so that they
> reflect changes you've made in the directory itself?
The surest way to make the Admin Server refresh its config based on changes made in the DS is to restart the admin server.
>
> - How do you completely and entirely flush a server out of the
> directory and the console so that you can start the process from
> scratch yet again?
>
> Regards,
> Graham
> --
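Before restarting, it is worth checking that the NSSEngine directive in console.conf and the nsServerSecurity attribute under o=NetscapeRoot actually agree, since the two are kept in step only by the console. The following is an added example (mine, not Fedora Directory Server or Admin Server code): it reads a console.conf fragment and the LDIF that step 2's ldapsearch returns, reports whether they agree, and writes the step 3 ldapmodify input for the DN found; both inputs are constructed and the DN is a placeholder.

```python
"""Check that an Admin Server's console.conf (NSSEngine) agrees with the
nsServerSecurity attribute stored under o=NetscapeRoot, and build the
ldapmodify input from step 3 of the procedure in this thread.

Added example, not Fedora Directory Server or Admin Server code. The
console.conf fragment and the ldapsearch output are constructed; the DN
is a placeholder shaped like the instance DNs seen elsewhere on this
page and will differ on a real install."""

import re

CONSOLE_CONF = """\
# constructed admin-serv/config/console.conf fragment
NSSEngine off
"""

# Constructed output of:
#   ldapsearch -x -D "cn=directory manager" -w password -s sub \
#       -b o=netscaperoot "nsserversecurity=on"
LDAPSEARCH_OUT = """\
dn: cn=configuration,cn=admin-serv-PLACEHOLDER,cn=Fedora Administration Server,cn=Server Group,cn=ldap.example.com,ou=example.com,o=NetscapeRoot
nsServerSecurity: on
"""


def nss_engine_enabled(conf_text):
    """Return True/False for the NSSEngine directive, or None if absent.
    Directive names are matched case-insensitively; the last one wins."""
    state = None
    for line in conf_text.splitlines():
        m = re.match(r"\s*NSSEngine\s+(\S+)", line, re.IGNORECASE)
        if m:
            state = m.group(1).lower() == "on"
    return state


def server_security_entry(ldif_text):
    """Return (dn, enabled) from the step 2 ldapsearch output, or
    (None, None) when no entry came back."""
    dn, enabled = None, None
    for line in ldif_text.splitlines():
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            dn = value
        elif attr == "nsserversecurity":
            enabled = value.lower() == "on"
    return dn, enabled


def security_modify_ldif(dn, enable):
    """ldapmodify input equivalent to step 3, for the DN found in step 2."""
    return (f"dn: {dn}\n"
            "changetype: modify\n"
            "replace: nsServerSecurity\n"
            f"nsServerSecurity: {'on' if enable else 'off'}\n")


def check_consistency(conf_text, ldif_text):
    """Report whether the two settings agree. When they do not, also
    return the LDIF that makes the directory entry match console.conf
    (the caller decides which side is right before applying it)."""
    conf_state = nss_engine_enabled(conf_text)
    dn, ldap_state = server_security_entry(ldif_text)
    if conf_state is None or dn is None or ldap_state is None:
        return {"consistent": None, "fix_ldif": None,
                "reason": "NSSEngine or nsServerSecurity not found"}
    if conf_state == ldap_state:
        return {"consistent": True, "fix_ldif": None,
                "reason": "console.conf and o=NetscapeRoot agree"}
    onoff = lambda s: "on" if s else "off"
    return {"consistent": False,
            "fix_ldif": security_modify_ldif(dn, conf_state),
            "reason": (f"console.conf NSSEngine={onoff(conf_state)} but "
                       f"nsServerSecurity={onoff(ldap_state)}")}


if __name__ == "__main__":
    report = check_consistency(CONSOLE_CONF, LDAPSEARCH_OUT)
    print(report["reason"])
    if report["fix_ldif"]:
        print(report["fix_ldif"])
```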
From minfrin at sharp.fm Mon Nov 6 23:40:16 2006
From: minfrin at sharp.fm (Graham Leggett)
Date: Tue, 07 Nov 2006 01:40:16 +0200
Subject: [Fedora-directory-users] Infinite loop during installation process
In-Reply-To: <454FC0E9.3020709@redhat.com>
References: <454C95A0.2080407@sharp.fm> <454E9C3D.8080605@redhat.com> <33056.196.8.104.27.1162800139.squirrel@www.sharp.fm> <454F94C1.5040601@redhat.com> <454FA0F8.5080703@sharp.fm> <454FA4C5.5040606@redhat.com> <454FA9FB.9070106@sharp.fm> <454FB163.3040902@redhat.com> <454FB2B3.5030509@sharp.fm> <454FB734.6080307@redhat.com> <454FBCAE.9070702@sharp.fm> <454FC0E9.3020709@redhat.com>
Message-ID: <454FC7E0.8040209@sharp.fm>

Richard Megginson wrote:
>> Now the admin server won't start at all, and no error message is
>> logged to the console or error log.
> There's more to making it use ssl than disabling ssl. The easiest way
> is to use the script at
> http://directory.fedora.redhat.com/wiki/Howto:SSL to generate the
> keys/certs, then use the console. You first have to go to
> Directory->Configuration->Data->Security and check the button that tells
> the console to use SSL. Then, go to Admin
> Server->Configuration->Security and tell Admin Server to use SSL.

Trouble is, if you've made the smallest config error, the console is left in a corrupt state. There seems to be no way to correct an error once it's been made.

I managed to get this right once, then made a config error somewhere, and the directory config for this member of the cluster has been corrupt ever since.

>> A couple of questions at this point:
>>
>> - How does the console know whether to contact the admin server using
>> SSL or clear?
> It should go off the url you specify when using startconsole, either
> http or https.

Ok...
the URL I used in startconsole pointed at the configuration directory's admin server, not the new admin server I am trying to set up.

Is the startconsole somehow assuming that because the admin server belonging to the configuration directory is secure, then all other admin servers are secure too?

Should I point startconsole at the new admin server, rather than the configuration admin server, when I want to edit the new admin server?

>> - Which files in the config directory can be edited by a human and
>> have an actual effect?
> Only local.conf is read-only. It is basically a cache of the
> information under the admin server instance entry under o=NetscapeRoot.
>
> http://directory.fedora.redhat.com/wiki/AdminServer#Admin_Server_Config_Files

If I delete all the files in the admin server config directory, will the restart-admin script rebuild these files from the directory?

>> - How do you refresh the files in the config directory, so that they
>> reflect changes you've made in the directory itself?
> The surest way to make the Admin Server refresh its config based on
> changes made in the DS is to restart the admin server.

The behaviour I was seeing was that after modifying the directory and restarting the admin server, the only file that changed was local.conf. All other files remained untouched, meaning that despite the directory having been modified, the admin server did not pick up the changes.
Regards,
Graham
--

From rmeggins at redhat.com Tue Nov 7 01:46:10 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 06 Nov 2006 18:46:10 -0700
Subject: [Fedora-directory-users] Infinite loop during installation process
In-Reply-To: <454FC7E0.8040209@sharp.fm>
References: <454C95A0.2080407@sharp.fm> <454E9C3D.8080605@redhat.com> <33056.196.8.104.27.1162800139.squirrel@www.sharp.fm> <454F94C1.5040601@redhat.com> <454FA0F8.5080703@sharp.fm> <454FA4C5.5040606@redhat.com> <454FA9FB.9070106@sharp.fm> <454FB163.3040902@redhat.com> <454FB2B3.5030509@sharp.fm> <454FB734.6080307@redhat.com> <454FBCAE.9070702@sharp.fm> <454FC0E9.3020709@redhat.com> <454FC7E0.8040209@sharp.fm>
Message-ID: <454FE562.8030000@redhat.com>

Graham Leggett wrote:
> Richard Megginson wrote:
>
>>> Now the admin server won't start at all, and no error message is
>>> logged to the console or error log.
>> There's more to making it use ssl than disabling ssl. The easiest
>> way is to use the script at
>> http://directory.fedora.redhat.com/wiki/Howto:SSL to generate the
>> keys/certs, then use the console. You first have to go to
>> Directory->Configuration->Data->Security and check the button that
>> tells the console to use SSL. Then, go to Admin
>> Server->Configuration->Security and tell Admin Server to use SSL.
>
> Trouble is, if you've made the smallest config error, the console is
> left in a corrupt state. There seems to be no way to correct an error
> once it's been made.
Yes, this is poorly documented, and scattered about in a half dozen config files, as well as several entries under o=netscaperoot
>
> I managed to get this right once, then made a config error somewhere,
> and the directory config for this member of the cluster has been
> corrupt ever since.
>
>>> A couple of questions at this point:
>>>
>>> - How does the console know whether to contact the admin server
>>> using SSL or clear?
>> It should go off the url you specify when using startconsole, either
>> http or https.
>
> Ok... the URL I used in startconsole pointed at the configuration
> directory's admin server, not the new admin server I am trying to set up.
>
> Is the startconsole somehow assuming that because the admin server
> belonging to the configuration directory is secure, then all other
> admin servers are secure too?
No, once it uses the url you type in to bootstrap, it reads the security settings for the other servers from the config ds o=netscaperoot.
>
> Should I point startconsole at the new admin server, rather than the
> configuration admin server, when I want to edit the new admin server?
You could try that.
>
>>> - Which files in the config directory can be edited by a human and
>>> have an actual effect?
>> Only local.conf is read-only. It is basically a cache of the
>> information under the admin server instance entry under o=NetscapeRoot.
>>
>> http://directory.fedora.redhat.com/wiki/AdminServer#Admin_Server_Config_Files
>
> If I delete all the files in the admin server config directory, will
> the restart-admin script rebuild these files from the directory?
No. Only local.conf will be rebuilt.
>
>>> - How do you refresh the files in the config directory, so that they
>>> reflect changes you've made in the directory itself?
>> The surest way to make the Admin Server refresh its config based on
>> changes made in the DS is to restart the admin server.
>
> The behaviour I was seeing was that after modifying the directory and
> restarting the admin server, the only file that changed was local.conf.
Right. console.conf, adm.conf, and shared/config/dbswitch.conf are modified via console operations, via CGI programs. They are not modified via LDAP operations, and the admin server + console code has to jump through some hoops to keep the data stored in LDAP in sync with the corresponding data in those config files.
>
> All other files remained untouched, meaning that despite the directory
> having been modified, the admin server did not pick up the changes.
>
> Regards,
> Graham
> --

From bmathieu at siris.sorbonne.fr Tue Nov 7 12:20:22 2006
From: bmathieu at siris.sorbonne.fr (basile)
Date: Tue, 07 Nov 2006 13:20:22 +0100
Subject: [Fedora-directory-users] {CRYPT} or {crypt}
Message-ID: <45507A06.4080401@siris.sorbonne.fr>

hi

we have a fedora directory server in which there are stored passwords {CRYPT}hdfflkdf and others {crypt}bqbqsbqsd

no problem for ldap but there is a radius server which authenticates users through ldap and which is case sensitive

is there a recommendation to use CRYPT or crypt

thanks
basile

From EMLiberman at ra.rockwell.com Tue Nov 7 14:50:16 2006
From: EMLiberman at ra.rockwell.com (Eugene M Liberman)
Date: Tue, 7 Nov 2006 09:50:16 -0500
Subject: [Fedora-directory-users] Multi Master replication
In-Reply-To: <454FA174.90103@redhat.com>
Message-ID:

fedora-directory-users-bounces at redhat.com wrote on 11/06/2006 03:56:20 PM:

> Eugene M Liberman wrote:
>>
>> I am testing a multi master replication. The replication agreements
>> between host a and b are setup. When I add an entry to a replicated
>> subtree from host a the new entry is also visible on host b when I
>> browse host b. This works as I expect, however, when I delete this
>> entry from host b login, the entry is not visible on host b, but it is
>> still visible in host a. I am running FDS 1.0.2 and Fedora 5.
> What are you using to verify visibility? Note that the console may not
> refresh immediately.

I use JXplorer. I logged out and logged back on again. It never updated.
The error log contains this:

[06/Nov/2006:13:46:27 -0500] - Fedora-Directory/1.0.2 B2006.101.2016 starting up
[06/Nov/2006:13:46:27 -0500] - I'm resizing my cache now...cache was 20000000 and is now 8388608
[06/Nov/2006:13:46:29 -0500] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: data for replica dc=Multi Master For 389 and 10389 was reloaded and it no longer matches the data in the changelog (replica data > changelog). Recreating the changelog file. This could affect replication with replica's consumers in which case the consumers should be reinitialized.
[06/Nov/2006:13:46:29 -0500] NSMMReplicationPlugin - agmt="cn="Replication to 10.88.52.110"" (10:389): Replica has a different generation ID than the local data.
[06/Nov/2006:13:46:29 -0500] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[06/Nov/2006:13:46:32 -0500] NSMMReplicationPlugin - agmt="cn="Replication to 10.88.52.110"" (10:389): Replica has a different generation ID than the local data.
[06/Nov/2006:13:46:36 -0500] NSMMReplicationPlugin - agmt="cn="Replication to 10.88.52.110"" (10:389): Replica has a different generation ID than the local data.
. . . .
[06/Nov/2006:14:01:57 -0500] NSMMReplicationPlugin - agmt="cn="Replication to 10.88.52.110"" (10:389): Replica has a different generation ID than the local data.
[06/Nov/2006:14:01:58 -0500] agmt="cn=Multi Master From 389 to 10389" (10:10389) - Can't locate CSN 454f77240000000a0000 in the changelog (DB rc=-30990). The consumer may need to be reinitialized.
[06/Nov/2006:14:02:00 -0500] NSMMReplicationPlugin - agmt="cn="Replication to 10.88.52.110"" (10:389): Replica has a different generation ID than the local data.

>>
>> Should the entry be removed from both servers?
>>
>> Thank you in advance,
>>
>> Gene Liberman

From gordon.may at gmail.com Tue Nov 7 14:39:08 2006
From: gordon.may at gmail.com (Gordon May)
Date: Tue, 7 Nov 2006 09:39:08 -0500
Subject: [Fedora-directory-users] Trouble upgrading to Fedora Directory Server 1.0.3
Message-ID:

Hi,

Has anyone successfully upgraded their version of FDS to ver. 1.0.3? I tried upgrading to the newest version yesterday afternoon and halfway through the upgrade process got the following errors:

Fatal Slapd ERROR: Could not update Directory Server Instance
URL ldap://ldap.example.com:389/o=NetscapeRoot user id admin DN cn=slapd-example,cn=Fedora Directory Server,cn=Server Group,cn=ldap.example.com,ou=example.com,o=NetscapeRoot (19:Constraint violation)

Configuring Administration Server...

InstallInfo: Apache Directory "ApacheDir" is missing.

Restarting Directory Server: /opt/fedora-ds/slapd-example/start-slapd
Server failed to start !!! Please check errors log for problems

After the upgrade failed I was able to get the slapd server running again by changing the owner of the config and logs directories to the ldap user. However, I'm unable to get the admin console working and believe the cause of the problem is related to the above errors.

The steps I used to upgrade the server are as follows:

1. rpm -Uvh fedora-ds-1.0.3-1.FC5.i386.opt.rpm
2. Then I ran /opt/fedora-ds/setup/setup

Any help would be appreciated.

Gord

From rmeggins at redhat.com Tue Nov 7 15:19:49 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 07 Nov 2006 08:19:49 -0700
Subject: [Fedora-directory-users] Multi Master replication
Message-ID: <4550A415.6000800@redhat.com>

Eugene M Liberman wrote:
>
> fedora-directory-users-bounces at redhat.com wrote on 11/06/2006 03:56:20 PM:
>
>> Eugene M Liberman wrote:
>>>
>>> I am testing a multi master replication. The replication agreements
>>> between host a and b are setup. When I add an entry to a replicated
>>> subtree from host a the new entry is also visible on host b when I
>>> browse host b. This works as I expect, however, when I delete this
>>> entry from host b login, the entry is not visible on host b, but it is
>>> still visible in host a. I am running FDS 1.0.2 and Fedora 5.
>> What are you using to verify visibility? Note that the console may not
>> refresh immediately.
Did you perform a replica initialization from host a to host b?
The error log messages indicate that the initial sync hasn't been done.
> I use JXplorer. I logged out and logged back on again. It never
> updated. The error log contains this:
It's possible that JXplorer is automatically following a referral from b to a or vice versa if the replica hasn't been initialized.
>
> [06/Nov/2006:13:46:27 -0500] - Fedora-Directory/1.0.2 B2006.101.2016 starting up
> [06/Nov/2006:13:46:27 -0500] - I'm resizing my cache now...cache was 20000000 and is now 8388608
> [06/Nov/2006:13:46:29 -0500] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: data for replica dc=Multi Master For 389 and 10389 was reloaded and it no longer matches the data in the changelog (replica data > changelog). Recreating the changelog file. This could affect replication with replica's consumers in which case the consumers should be reinitialized.
> [06/Nov/2006:13:46:29 -0500] NSMMReplicationPlugin - agmt="cn="Replication to 10.88.52.110"" (10:389): Replica has a different generation ID than the local data.
> [06/Nov/2006:13:46:29 -0500] - slapd started. Listening on All Interfaces port 389 for LDAP requests
> [06/Nov/2006:13:46:32 -0500] NSMMReplicationPlugin - agmt="cn="Replication to 10.88.52.110"" (10:389): Replica has a different generation ID than the local data.
> [06/Nov/2006:13:46:36 -0500] NSMMReplicationPlugin - agmt="cn="Replication to 10.88.52.110"" (10:389): Replica has a different generation ID than the local data.
> . . . .
> [06/Nov/2006:14:01:57 -0500] NSMMReplicationPlugin - agmt="cn="Replication to 10.88.52.110"" (10:389): Replica has a different generation ID than the local data.
> [06/Nov/2006:14:01:58 -0500] agmt="cn=Multi Master From 389 to 10389" (10:10389) - Can't locate CSN 454f77240000000a0000 in the changelog (DB rc=-30990). The consumer may need to be reinitialized.
> [06/Nov/2006:14:02:00 -0500] NSMMReplicationPlugin - agmt="cn="Replication to 10.88.52.110"" (10:389): Replica has a different generation ID than the local data.
>
>>> Should the entry be removed from both servers?
>>>
>>> Thank you in advance,
>>>
>>> Gene Liberman

From rmeggins at redhat.com Tue Nov 7 15:34:55 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 07 Nov 2006 08:34:55 -0700
Subject: [Fedora-directory-users] Trouble upgrading to Fedora Directory Server 1.0.3
Message-ID: <4550A79F.9020606@redhat.com>

Gordon May wrote:
> Hi,
>
> Has anyone successfully upgraded their version of FDS to ver. 1.0.3? I
> tried upgrading to the newest version yesterday afternoon and halfway
> through the upgrade process got the following errors:
>
> Fatal Slapd ERROR: Could not update Directory Server Instance
> URL ldap://ldap.example.com:389/o=NetscapeRoot user id admin DN
> cn=slapd-example,cn=Fedora Directory Server,cn=Server Group,cn=ldap.example.com,ou=example.com,o=NetscapeRoot (19:Constraint violation)
I'm not sure what is the cause of this. Do you have password syntax checking enabled?
>
> Configuring Administration Server...
>
> InstallInfo: Apache Directory "ApacheDir" is missing.
>
> Restarting Directory Server: /opt/fedora-ds/slapd-example/start-slapd
> Server failed to start !!! Please check errors log for problems
>
> After the upgrade failed I was able to get the slapd server running
> again by changing the owner of the config and logs directories to the
> ldap user. However, I'm unable to get the admin console working and
> believe the cause of the problem is related to the above errors.
Are you or have you attempted to use SSL/TLS with FDS 1.0.2? If so (and perhaps even if not) this looks like https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=213786
This problem will be fixed in fds 1.0.4 which should be available shortly.
>
> The steps I used to upgrade the server are as follows:
>
> 1. rpm -Uvh fedora-ds-1.0.3-1.FC5.i386.opt.rpm
> 2. Then I ran /opt/fedora-ds/setup/setup
>
> Any help would be appreciated.
>
> Gord

From aaron.cline at gmail.com Tue Nov 7 18:18:04 2006
From: aaron.cline at gmail.com (Aaron Cline)
Date: Tue, 7 Nov 2006 13:18:04 -0500
Subject: [Fedora-directory-users] Windows Sync Account Disabling?
Message-ID: <2f8a29cb0611071018i4b4a876em5cded1f46d878b80@mail.gmail.com>

Hello:

Has anyone found a way to sync when an account gets disabled in Windows so that it gets disabled in Fedora DS? This would be a nice feature and I'm curious to know if someone has done this.

Thanks,
Aaron

From gholbert at broadcom.com Tue Nov 7 19:45:48 2006
From: gholbert at broadcom.com (George Holbert)
Date: Tue, 07 Nov 2006 11:45:48 -0800
Subject: [Fedora-directory-users] {CRYPT} or {crypt}
In-Reply-To: <45507A06.4080401@siris.sorbonne.fr>
References: <45507A06.4080401@siris.sorbonne.fr>
Message-ID: <4550E26C.3070709@broadcom.com>

As you say, this doesn't matter as far as LDAP is concerned. It looks to me like FDS uses {crypt} (lowercase) when hashing passwords on your behalf, so it probably makes sense to go with lowercase. It really shouldn't be the radius server's business to care about this, but I understand that may be out of your control.

basile wrote:
> hi
> we have a fedora directory server in which there are stored passwords
> {CRYPT}hdfflkdf and others {crypt}bqbqsbqsd
> no problem for ldap but there is a radius server which authenticates
> users through ldap and which is case
> sensitive
> is there a recommendation to use CRYPT or crypt
> thanks
> basile

From oscar.valdez at duraflex-politex.com Tue Nov 7 23:55:09 2006
From: oscar.valdez at duraflex-politex.com (Oscar A. Valdez)
Date: Tue, 07 Nov 2006 17:55:09 -0600
Subject: [Fedora-directory-users] Discretely packaged version
Message-ID: <1162943719.2339.23.camel@wzowski.duraflex.com.sv>

According to http://directory.fedora.redhat.com/wiki/Discrete_Packaging, "the next version of the Directory Server ... will be split into discrete packages": DS Core, DS Devel, DS Admin, etc.
Is there an estimated release date for this version? Having used DS 1.0.1 and 1.0.2 for some time, I would prefer upgrading to this discretely packaged version, rather than to 1.0.3

--
Oscar A. Valdez

From rmeggins at redhat.com Wed Nov 8 01:19:05 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 07 Nov 2006 18:19:05 -0700
Subject: [Fedora-directory-users] Discretely packaged version
In-Reply-To: <1162943719.2339.23.camel@wzowski.duraflex.com.sv>
References: <1162943719.2339.23.camel@wzowski.duraflex.com.sv>
Message-ID: <45513089.2010800@redhat.com>

Oscar A. Valdez wrote:
> According to http://directory.fedora.redhat.com/wiki/Discrete_Packaging,
> "the next version of the Directory Server ... will be split into
> discrete packages": DS Core, DS Devel, DS Admin, etc.
>
> Is there an estimated release date for this version? Having used DS
> 1.0.1 and 1.0.2 for some time, I would prefer upgrading to this
> discretely packaged version, rather than to 1.0.3
>
No estimated release date yet, I'm still hoping to have a beta by the end of the year.

From gordon.may at gmail.com Wed Nov 8 02:55:48 2006
From: gordon.may at gmail.com (Gordon May)
Date: Tue, 7 Nov 2006 21:55:48 -0500
Subject: [Fedora-directory-users] Trouble upgrading to Fedora Directory Server 1.0.3
Message-ID:

I apologize if you've already received this message but I wasn't sure if it actually got sent out.

Hi,

Has anyone successfully upgraded their version of FDS to ver. 1.0.3? I tried upgrading to the newest version yesterday afternoon and halfway through the upgrade process got the following errors:

Fatal Slapd ERROR: Could not update Directory Server Instance
URL ldap://ldap.example.com:389/o=NetscapeRoot user id admin DN cn=slapd-example,cn=Fedora Directory Server,cn=Server Group,cn=ldap.example.com,ou=example.com,o=NetscapeRoot (19:Constraint violation)

Configuring Administration Server...
InstallInfo: Apache Directory "ApacheDir" is missing.

Restarting Directory Server: /opt/fedora-ds/slapd-example/start-slapd
Server failed to start !!! Please check errors log for problems

After the upgrade failed I was able to get the slapd server running again by changing the owner of the config and logs directories to the ldap user. However, I'm unable to get the admin console working and believe the cause of the problem is related to the above errors.

The steps I used to upgrade the server are as follows:

1. rpm -Uvh fedora-ds-1.0.3-1.FC5.i386.opt.rpm
2. Then I ran /opt/fedora-ds/setup/setup

Any help would be appreciated.

Gord

From rmeggins at redhat.com Wed Nov 8 03:17:43 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 07 Nov 2006 20:17:43 -0700
Subject: [Fedora-directory-users] Trouble upgrading to Fedora Directory Server 1.0.3
In-Reply-To:
References:
Message-ID: <45514C57.6070607@redhat.com>

Gordon May wrote:
> Fatal Slapd ERROR: Could not update Directory Server Instance
> URL ldap://ldap.example.com:389/o=NetscapeRoot user id admin DN
> cn=slapd-example,cn=Fedora Directory Server,cn=Server Group,cn=
> ldap.example.com,ou=example.com,o=NetscapeRoot (19:Constraint
> violation)
Are you using password syntax checking?
>
> After the upgrade failed I was able to get the slapd server running
> again by changing the owner of the config and logs directories to the
> ldap user.
Are you using SSL?

I believe this is https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=213786 which will be fixed when fds 1.0.4 is released, very soon now.

From gordon.may at gmail.com Wed Nov 8 03:29:25 2006
From: gordon.may at gmail.com (Gordon May)
Date: Tue, 7 Nov 2006 22:29:25 -0500
Subject: [Fedora-directory-users] Trouble upgrading to Fedora Directory Server 1.0.3
In-Reply-To: <45514C57.6070607@redhat.com>
References: <45514C57.6070607@redhat.com>
Message-ID:

Richard,

I am using password syntax checking and SSL. Should password syntax checking be turned off? Is it related to the bug where the minimum password length needs to be greater than 9 characters?
Also the bugzilla link you provided is the problem I'm seeing with file permissions. When you say 1.0.4 will be released soon... How soon is soon?

Thanks for the help!

Gordon

From rmeggins at redhat.com Wed Nov 8 03:34:51 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 07 Nov 2006 20:34:51 -0700
Subject: [Fedora-directory-users] Trouble upgrading to Fedora Directory Server 1.0.3
In-Reply-To:
References: <45514C57.6070607@redhat.com>
Message-ID: <4551505B.3030207@redhat.com>

Gordon May wrote:
> Richard,
>
> I am using password syntax checking and SSL. Should password syntax
> checking be turned off? Is it related to the bug where the minimum
> password length needs to be greater than 9 characters?
It could be. setup does something funny with the password. You could turn off password syntax checking before running setup, then turn it on again afterwards.
> Also the bugzilla
> link you provided is the problem I'm seeing with file permissions.
> When you say 1.0.4 will be released soon... How soon is soon?
Next day or two.
From gordon.may at gmail.com Wed Nov 8 03:49:54 2006
From: gordon.may at gmail.com (Gordon May)
Date: Tue, 7 Nov 2006 22:49:54 -0500
Subject: [Fedora-directory-users] Trouble upgrading to Fedora Directory Server 1.0.3
In-Reply-To: <4551505B.3030207@redhat.com>
References: <45514C57.6070607@redhat.com> <4551505B.3030207@redhat.com>
Message-ID:

Okay, how do I disable password syntax checking without using the admin console?

From rmeggins at redhat.com Wed Nov 8 04:01:12 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 07 Nov 2006 21:01:12 -0700
Subject: [Fedora-directory-users] Trouble upgrading to Fedora Directory Server 1.0.3
In-Reply-To:
References: <45514C57.6070607@redhat.com> <4551505B.3030207@redhat.com>
Message-ID: <45515688.7040401@redhat.com>

Gordon May wrote:
> Okay, how do I disable password syntax checking without using the
> admin console?
ldapmodify -x -D "cn=directory manager" -W
dn: cn=config
changetype: modify
replace: passwordCheckSyntax
passwordCheckSyntax: off
From ankur_agwal at yahoo.com Wed Nov 8 12:10:08 2006
From: ankur_agwal at yahoo.com (Ankur Agarwal)
Date: Wed, 8 Nov 2006 04:10:08 -0800 (PST)
Subject: [Fedora-directory-users] Questions on Referral/Chaining features
Message-ID: <20061108121008.73262.qmail@web54102.mail.yahoo.com>

Hi,

We have 2 existing directory services set up with different schemas:
1) Active Directory
2) iPlanet LDAP

Now we want to introduce a third one (Fedora LDAP) where we want to use referral/chaining features to send requests to these already existing servers. Would really appreciate your answers on:

1) Can we modify/update Active Directory data and iPlanet data with the application interfacing only with the new Fedora LDAP, which will dispatch requests to these servers? Or can referral/chaining be used only for querying other LDAP servers?

2) Can referral/chaining be set up across Active Directory and Fedora with them having different schemas? Similarly between iPlanet and Fedora?

3) If we want to migrate data from iPlanet to Fedora (having a different schema on Fedora), then are there any issues we must be aware of, and any best practices?

Thanks,
Ankur

From gordon.may at gmail.com Wed Nov 8 13:50:57 2006
From: gordon.may at gmail.com (Gordon May)
Date: Wed, 8 Nov 2006 08:50:57 -0500
Subject: [Fedora-directory-users] Trouble upgrading to Fedora Directory Server 1.0.3
In-Reply-To: <45515688.7040401@redhat.com>
References: <45514C57.6070607@redhat.com> <4551505B.3030207@redhat.com> <45515688.7040401@redhat.com>
Message-ID:

Richard,

Thanks for all your help. I've gotten the Admin server somewhat working but I still can't browse my LDAP directory. I'm pretty sure that the problem is related to SSL settings. The admin server is trying to connect to the LDAP server on port 636 but after the upgrade something happened and SSL was disabled. I backed up my database so I think I might just restart from scratch. It'll probably take less time that way.

Gordon
From rmeggins at redhat.com Wed Nov 8 14:31:31 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 08 Nov 2006 07:31:31 -0700
Subject: [Fedora-directory-users] Questions on Referral/Chaining features
In-Reply-To: <20061108121008.73262.qmail@web54102.mail.yahoo.com>
References: <20061108121008.73262.qmail@web54102.mail.yahoo.com>
Message-ID: <4551EA43.80706@redhat.com>

Ankur Agarwal wrote:
> Hi,
>
> We have 2 existing directory services set up with different schemas:
> 1) Active Directory
> 2) iPlanet LDAP
>
> Now we want to introduce a third one (Fedora LDAP) where we want to
> use referral/chaining features to send requests to these already
> existing servers. Would really appreciate your answers on:
>
> 1) Can we modify/update Active Directory data and iPlanet data with the
> application interfacing only with the new Fedora LDAP, which will dispatch
> requests to these servers? Or can referral/chaining be used only for
> querying other LDAP servers?
A chaining database is read-write - it looks just like a local db to clients.
>
> 2) Can referral/chaining be set up across Active Directory and Fedora
> with them having different schemas? Similarly between iPlanet and Fedora?
Not sure about AD. Some other people on the list have been trying to get chaining and pass through auth to work with AD, but I haven't seen any reports of success yet. iPlanet to Fedora should work just fine.
>
> 3) If we want to migrate data from iPlanet to Fedora (having a different
> schema on Fedora), then are there any issues we must be aware of, and any
> best practices?
Just make sure your customized schema is copied to Fedora. iPlanet and Fedora DS are very compatible.
>
> Thanks,
> Ankur

From seriv at omniti.com Wed Nov 8 15:46:03 2006
From: seriv at omniti.com (Sergey Ivanov)
Date: Wed, 08 Nov 2006 10:46:03 -0500
Subject: [Fedora-directory-users] fedora-ds-1.0.3 problem: too many fds open
Message-ID: <4551FBBB.9010809@omniti.com>

Hi,

I have a new issue with fedora-ds today. The server is running 64-bit Redhat with kernel 2.6.9-1.681_FC3smp. It is used for network authentication and for other purposes, and this morning authentication was broken. I have restarted the slapd instance locally on the server, and everything has worked fine since then. In the logs: there were no records in the access log from 08:04 until after the restart.
In the error log these lines repeated again and again; the entry before them relates to an event 6 days before this:
---
[08/Nov/2006:08:18:01 -0500] - Not listening for new connections - too many fds open
[08/Nov/2006:08:18:01 -0500] - Listening for new connections again
[08/Nov/2006:08:18:01 -0500] - Not listening for new connections - too many fds open
[08/Nov/2006:08:18:01 -0500] - Listening for new connections again
[08/Nov/2006:08:18:01 -0500] - Not listening for new connections - too many fds open
[08/Nov/2006:08:18:01 -0500] - Listening for new connections again
[08/Nov/2006:08:18:01 -0500] - Not listening for new connections - too many fds open
[08/Nov/2006:08:18:01 -0500] - Listening for new connections again
[08/Nov/2006:08:18:22 -0500] - Not listening for new connections - too many fds open
[08/Nov/2006:08:18:23 -0500] - Listening for new connections again
[08/Nov/2006:08:19:01 -0500] - Not listening for new connections - too many fds open
[08/Nov/2006:08:19:01 -0500] - Listening for new connections again
[08/Nov/2006:08:19:03 -0500] - Not listening for new connections - too many fds open
[08/Nov/2006:08:19:03 -0500] - Listening for new connections again
[08/Nov/2006:08:19:03 -0500] - Not listening for new connections - too many fds open
[08/Nov/2006:08:19:03 -0500] - Listening for new connections again
[08/Nov/2006:08:19:03 -0500] - Not listening for new connections - too many fds open
[08/Nov/2006:08:19:03 -0500] - Listening for new connections again
[08/Nov/2006:08:19:22 -0500] - Not listening for new connections - too many fds open
...
...
---
# sysctl -a |grep fs\.file
fs.file-max = 101314
fs.file-nr = 4695 0 101314
and no manually inserted adjustment for ulimit for fedora-ds.
Nothing interesting I can find in /var/log/messages.
Can anybody help me to understand what happened and prevent this in future?
--
With best regards,
Sergey

From oscar.valdez at duraflex-politex.com Wed Nov 8 16:14:33 2006
From: oscar.valdez at duraflex-politex.com (Oscar A. Valdez)
Date: Wed, 08 Nov 2006 10:14:33 -0600
Subject: [Fedora-directory-users] Trouble upgrading to Fedora Directory Server 1.0.3
In-Reply-To: <4551505B.3030207@redhat.com>
References: <45514C57.6070607@redhat.com> <4551505B.3030207@redhat.com>
Message-ID: <1163002473.2409.7.camel@woody.valdez-bicard.com.sv>

On Tue, 07-11-2006 at 20:34 -0700, Richard Megginson wrote:
> Gordon May wrote:
> > When you say 1.0.4 will be released soon... How soon is soon?
> Next day or two.

Aside from dealing with the problems reported with upgrading, will there be additional bugfixes or features in 1.0.4? Is there a roadmap for future FDS releases?

---
Oscar A. Valdez

From playactor at gmail.com Wed Nov 8 17:07:46 2006
From: playactor at gmail.com (Eric Brown)
Date: Wed, 8 Nov 2006 11:07:46 -0600
Subject: [Fedora-directory-users] Missing Objectclasses in a Default install of 1.0.3
Message-ID:

When I install 1.0.3, use the default values for setting it up, and start it, the following messages are displayed.

[08/Nov/2006:10:51:44 -0600] - Entry "cn=encryption,cn=config" required attribute "objectclass" missing
[08/Nov/2006:10:51:45 -0600] - Entry "cn=config" required attribute "objectclass" missing
[08/Nov/2006:10:51:45 -0600] - Entry "cn=config" required attribute "objectclass" missing
[08/Nov/2006:10:51:45 -0600] - Entry "cn=encryption,cn=config" required attribute "objectclass" missing

I have not added or removed anything from the default schema files and I can't find a message that tells me what object classes are missing. Any ideas on where to look for more detailed information on these errors or why they are appearing in the first place?

Thanks.
From seriv at omniti.com Wed Nov 8 17:10:57 2006
From: seriv at omniti.com (Sergey Ivanov)
Date: Wed, 08 Nov 2006 12:10:57 -0500
Subject: [Fedora-directory-users] fedora-ds-1.0.3 problem: too many fds open
In-Reply-To: <4551FBBB.9010809@omniti.com>
References: <4551FBBB.9010809@omniti.com>
Message-ID: <45520FA1.10702@omniti.com>

I saw in ds71cli.pdf two parameters which could help in this case; one is nsslapd-maxdescriptors, and the other is nsslapd-conntablesize, but in the example it is called something else:
"Example: nsslapd-ntconntablesize: 4093"
on page 55 of this book. What is the correct name for this second parameter?

--
Sergey.
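Added example (shell), not from the list thread or the FDS project: a check that reads the two cn=config attributes Sergey names (nsslapd-conntablesize, nsslapd-maxdescriptors) from a dse.ldif, compares them with the descriptor limit the slapd process runs under, and summarises the "too many fds open" events in an errors log so the outage window can be matched against the gap in the access log. The ordering it enforces is the one Richard gives in his reply (conntablesize below maxdescriptors); file paths and sample values are constructed for the demo.

```shell
#!/bin/sh
# Added example: sanity-check FDS connection/descriptor limits and
# summarise descriptor-exhaustion events. Sample files are constructed.

# Print the value of one attribute from a dse.ldif (first match,
# attribute name compared case-insensitively).
dse_attr() {  # $1 = dse.ldif path, $2 = attribute name
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z'):" \
        'tolower($1) == want { print $2; exit }' "$1"
}

# Exit status: 0 = consistent, 1 = misconfigured, 2 = attribute(s) not set.
# Rule from the thread: conntablesize must stay below maxdescriptors;
# and maxdescriptors cannot usefully exceed the fd limit of the process.
check_fd_limits() {  # $1 = dse.ldif path, $2 = process fd limit (ulimit -Hn of slapd)
    conn=$(dse_attr "$1" nsslapd-conntablesize)
    maxd=$(dse_attr "$1" nsslapd-maxdescriptors)
    if [ -z "$conn" ] || [ -z "$maxd" ]; then
        echo "limits not set explicitly in $1 (server defaults apply)"
        return 2
    fi
    rc=0
    if [ "$conn" -ge "$maxd" ]; then
        echo "nsslapd-conntablesize=$conn must be below nsslapd-maxdescriptors=$maxd"
        rc=1
    fi
    if [ "$maxd" -gt "$2" ]; then
        echo "nsslapd-maxdescriptors=$maxd exceeds the process fd limit ($2); the OS ceiling wins"
        rc=1
    fi
    return $rc
}

# Print "<count> <first-timestamp> <last-timestamp>" for fd-exhaustion
# events, to line the outage up with the silent period in the access log.
fd_exhaustion_window() {  # $1 = errors log path
    awk '/too many fds open/ { n++; if (n == 1) first = $1; last = $1 }
         END { print n + 0, first, last }' "$1"
}

# Write constructed sample files into a temp dir and print its path.
write_samples() {
    d=$(mktemp -d)
    # Mirrors the thread's numbers: 4093-entry connection table, 1024 descriptors.
    printf 'dn: cn=config\nnsslapd-maxdescriptors: 1024\nnsslapd-conntablesize: 4093\n' \
        > "$d/dse-bad.ldif"
    printf 'dn: cn=config\nnsslapd-maxdescriptors: 8192\nnsslapd-conntablesize: 4093\n' \
        > "$d/dse-good.ldif"
    cat > "$d/errors" <<'EOF'
[08/Nov/2006:08:18:01 -0500] - Not listening for new connections - too many fds open
[08/Nov/2006:08:18:01 -0500] - Listening for new connections again
[08/Nov/2006:08:19:22 -0500] - Not listening for new connections - too many fds open
EOF
    echo "$d"
}

# Run with "demo" as the first argument to see the checks on the samples.
if [ "${1:-}" = "demo" ]; then
    dir=$(write_samples)
    check_fd_limits "$dir/dse-bad.ldif" 8192; echo "bad config: rc=$?"
    check_fd_limits "$dir/dse-good.ldif" 8192; echo "good config: rc=$?"
    fd_exhaustion_window "$dir/errors"
    rm -rf "$dir"
fi
```

Against a live instance, point check_fd_limits at the instance's dse.ldif and pass the hard limit from `ulimit -Hn` in the environment slapd was started from.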
From rmeggins at redhat.com Wed Nov 8 18:24:16 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 08 Nov 2006 11:24:16 -0700
Subject: [Fedora-directory-users] fedora-ds-1.0.3 problem: too many fds open
In-Reply-To: <45520FA1.10702@omniti.com>
References: <4551FBBB.9010809@omniti.com> <45520FA1.10702@omniti.com>
Message-ID: <455220D0.90108@redhat.com>

Sergey Ivanov wrote:
> I saw in ds71cli.pdf two parameters which might help in this case,
> one is nsslapd-maxdescriptors, and the other is nsslapd-conntablesize, but
> in the example it is called something else:
> "Example: nsslapd-ntconntablesize: 4093"
> on page 55 of this book. What is the correct name for this second parameter?
nsslapd-conntablesize - this is only for connections
nsslapd-maxdescriptors is for all file descriptors used by the slapd process.
nsslapd-conntablesize < nsslapd-maxdescriptors

From rmeggins at redhat.com Wed Nov 8 18:34:43 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 08 Nov 2006 11:34:43 -0700
Subject: [Fedora-directory-users] Trouble upgrading to Fedora Directory Server 1.0.3
In-Reply-To: <1163002473.2409.7.camel@woody.valdez-bicard.com.sv>
References: <45514C57.6070607@redhat.com> <4551505B.3030207@redhat.com> <1163002473.2409.7.camel@woody.valdez-bicard.com.sv>
Message-ID: <45522343.1090007@redhat.com>

Oscar A. Valdez wrote:
> On Tue, 07-11-2006 at 20:34 -0700, Richard Megginson wrote:
>> Gordon May wrote:
>>> When you say 1.0.4 will be released soon... How soon is soon?
>> Next day or two.
>
> Aside from dealing with the problems reported with upgrading, will
> there be additional bugfixes or features in 1.0.4?
Just a couple of bug fixes. The most glaring problem is the setup changing the file permissions.
https://bugzilla.redhat.com/bugzilla/showdependencytree.cgi?id=213957
> Is there a roadmap for future FDS releases?
http://directory.fedora.redhat.com/wiki/Documentation#Proposed_New_Features
We're primarily working on Discrete Packaging, FHS, init scripts, autotool-ization - things related to being more open source friendly. After that, we'll probably have some features related to Account Policy, better samba/nis integration.
> ---
> Oscar A. Valdez
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From rmeggins at redhat.com Wed Nov 8 18:41:11 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 08 Nov 2006 11:41:11 -0700
Subject: [Fedora-directory-users] Missing Objectclasses in a Default install of 1.0.3
In-Reply-To:
References:
Message-ID: <455224C7.8090706@redhat.com>

Eric Brown wrote:
> When I install 1.0.3, use the default values for setting it up, and
> start it, the following messages are displayed.
>
> [08/Nov/2006:10:51:44 -0600] - Entry "cn=encryption,cn=config" required attribute "objectclass" missing
> [08/Nov/2006:10:51:45 -0600] - Entry "cn=config" required attribute "objectclass" missing
> [08/Nov/2006:10:51:45 -0600] - Entry "cn=config" required attribute "objectclass" missing
> [08/Nov/2006:10:51:45 -0600] - Entry "cn=encryption,cn=config" required attribute "objectclass" missing
Type the following command:
ls -al /opt/fedora-ds/slapd-yourinstance/config
also
ls -al /opt/fedora-ds/slapd-yourinstance/config/schema
>
> I have not added or removed anything from the default schema files and
> I can't find a message that tells me what object classes are missing.
> Any ideas on where to look for more detailed information on these
> errors or why they are appearing in the first place.
>
> Thanks.

From seriv at omniti.com Wed Nov 8 20:12:06 2006
From: seriv at omniti.com (Sergey Ivanov)
Date: Wed, 08 Nov 2006 15:12:06 -0500
Subject: [Fedora-directory-users] fedora-ds-1.0.3 problem: too many fds open
In-Reply-To: <455220D0.90108@redhat.com>
References: <4551FBBB.9010809@omniti.com> <45520FA1.10702@omniti.com> <455220D0.90108@redhat.com>
Message-ID: <45523A16.4070207@omniti.com>

Richard Megginson wrote:
> Sergey Ivanov wrote:
>> I saw in ds71cli.pdf two parameters which might help in this case,
>> one is nsslapd-maxdescriptors, and the other is nsslapd-conntablesize, but
>> in the example it is called something else:
>> "Example: nsslapd-ntconntablesize: 4093"
>> on page 55 of this book. What is the correct name for this second
>> parameter?
> nsslapd-conntablesize - this is only for connections
> nsslapd-maxdescriptors is for all file descriptors used by the slapd
> process. nsslapd-conntablesize < nsslapd-maxdescriptors
Thank you.
--
Sergey.

From ckm at olliancegroup.com Wed Nov 8 20:24:35 2006
From: ckm at olliancegroup.com (Chris Maresca)
Date: Wed, 08 Nov 2006 12:24:35 -0800
Subject: [Fedora-directory-users] PAM passthru questions and SecureID
Message-ID: <45523D03.7040900@olliancegroup.com>

All,

I've been looking longingly at the PAM pass-through module as it would give us access to capabilities we've wanted for a while. I've looked at the README, but I still have a few questions.

1. Is it possible to specify PAM as the authentication on a per-account basis?
2. Is it possible to specify authentication escalation on failure on a per-account basis?
3. Has anyone deployed it in a production environment? If so, what type(s) of PAM auth did you use?

Also, if anyone has any successful examples of using two-factor authentication tokens (specifically either SecureID or CryptoCard, but also others), I would love to hear about them. It seems that none of the vendors providing token-based support LDAP as a primary user info repository directly, which is odd, to say the least.

I'd like to add that compared to OpenLDAP, Fedora DS is a breath of fresh air. Thanks for making it available.

Chris.
--
Chris Maresca
Olliance Group, LLC
www.olliancegroup.com

From rmeggins at redhat.com Wed Nov 8 19:38:19 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 08 Nov 2006 12:38:19 -0700
Subject: [Fedora-directory-users] PAM passthru questions and SecureID
In-Reply-To: <45523D03.7040900@olliancegroup.com>
References: <45523D03.7040900@olliancegroup.com>
Message-ID: <4552322B.9040501@redhat.com>

Chris Maresca wrote:
> All,
>
> I've been looking longingly at the PAM pass-through module as it would
> give us access to capabilities we've wanted for a while. I've looked
> at the README, but I still have a few questions.
>
> 1. Is it possible to specify PAM as the authentication on a
> per-account basis?
No.
> 2. Is it possible to specify authentication escalation on failure on a
> per account basis?
No. But these do seem like very interesting features - how would this work? Via a special attribute in the user's entry?
>
> 3. Has anyone deployed it in a production environment?
> If so, what type(s) of PAM auth did you use?
Yes. We developed this and use this internally at Red Hat (dogfood, yum). We use it because we use Kerberos for internal authentication, but some older LDAP clients can't do SASL, so they do simple auth, and pass the credentials through to Kerberos via PAM.
>
> Also, if anyone has any successful examples of using two-factor
> authentication tokens (specifically either SecureID or CryptoCard, but
> also others), I would love to hear about them. It seems that none of
> the vendors providing token-based support LDAP as a primary user info
> repository directly, which is odd, to say the least.
We used to do this at AOL. We had a proprietary plugin for this purpose. The password was passed as "password/securidtoken". The plug-in parsed out the password and the token and passed them off to our proprietary auth thingy.
> I'd like to add that compared to OpenLDAP, Fedora DS is a breath of
> fresh air. Thanks for making it available.
>
> Chris.

From ckm at olliancegroup.com Wed Nov 8 21:12:40 2006
From: ckm at olliancegroup.com (Chris Maresca)
Date: Wed, 08 Nov 2006 13:12:40 -0800
Subject: [Fedora-directory-users] PAM passthru questions and SecureID
In-Reply-To: <4552322B.9040501@redhat.com>
References: <45523D03.7040900@olliancegroup.com> <4552322B.9040501@redhat.com>
Message-ID: <45524848.4080709@olliancegroup.com>

Richard Megginson wrote:
>> 1. Is it possible to specify PAM as the authentication on a
>> per-account basis?
> No.
>> 2. Is it possible to specify authentication escalation on failure on a
>> per account basis?
> No.
Bummer.
> But these do seem like very interesting features - how would this work?
> via a special attribute in the user's entry?
Yes, that's the idea. At least for authentication, you could just have another method in userPassword, like there is now (e.g. {crypt} {SSHA}), perhaps {PAM}uid:ldapauthentication, where uid is the userid attribute to be passed (could also be 'binddn' or something else like 'mail') and where ldapauthentication is your entry in pam.d.

As we are planning on having different account profiles basically controlling access to different services/systems, it would be more useful to define this at the group level, but I don't know how that would work and it seems like it would be a lot more work than just adding another method to userPassword.

The driving motivator for this is trying to deploy token-based two-factor authentication, where some profiles would require authentication through a token, while uid/password would be enough for others. That avoids deploying tokens to everyone, without splintering management into a lot of different LDAP trees.

The other thing is that some accounts would need access no matter what (hence question 2), although that would seem to defeat the purpose of tokens... I don't have an answer as to how to deal with that, but in the worst case, you could handle it at the PAM level.

> We used to do this at AOL. We had a proprietary plugin for this
> purpose. The password was passed as "password/securidtoken". The
> plug-in parsed out the password and the token and passed them off to our
> proprietary auth thingy.
Ugh, I was afraid of that. I'm trying to avoid 'custom', 'proprietary', e.g. unsupported, unupdated stuff. I'm also very much hating all of the two-factor vendors out there as they seem very narrow-minded. They have a single use-case and basically you're on your own (see 'custom' & 'proprietary') if you don't fit into it.

Thanks for the info.

Chris.
--
Chris Maresca
Olliance Group, LLC
www.olliancegroup.com

From rmeggins at redhat.com Wed Nov 8 21:21:43 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 08 Nov 2006 14:21:43 -0700
Subject: [Fedora-directory-users] PAM passthru questions and SecureID
In-Reply-To: <45524848.4080709@olliancegroup.com>
References: <45523D03.7040900@olliancegroup.com> <4552322B.9040501@redhat.com> <45524848.4080709@olliancegroup.com>
Message-ID: <45524A67.5030503@redhat.com>

Chris Maresca wrote:
> Richard Megginson wrote:
>>> 1. Is it possible to specify PAM as the authentication on a
>>> per-account basis?
>> No.
>>> 2. Is it possible to specify authentication escalation on failure on
>>> a per account basis?
>> No.
>
> Bummer.
>
>> But these do seem like very interesting features - how would this
>> work? via a special attribute in the user's entry?
>
> Yes, that's the idea. At least for authentication, you could just
> have another method in userPassword, like there is now (e.g. {crypt}
> {SSHA}), perhaps {PAM}uid:ldapauthentication, where uid is the userid
> attribute to be passed (could also be 'binddn' or something else like
> 'mail') and where ldapauthentication is your entry in pam.d.
>
> As we are planning on having different account profiles basically
> controlling access to different services/systems, it would be more
> useful to define this on the group level, but I don't know how that
> would work and it seems like it would be a lot more work than just
> adding another method to userPassword.
You mean like "every person who is a member of group A has to use {PAM}uid:groupAAuth"? I suppose we could use Class of Service to implement that. I just don't like overloading the userPassword {foo} syntax, but openldap has a history of doing something similar with {kerberos} and {sasl}, so there is precedent.
>
> The driving motivator for this is trying to deploy token-based
> two-factor authentication, where some profiles would require
> authentication through a token, while uid/password would be enough for
> others. That avoids deploying tokens to everyone, without splintering
> management into a lot of different LDAP trees.
>
> The other thing is that some accounts would need access no matter what
> (hence ques. 2), although that would seem to defeat the purpose of
> tokens... I don't have an answer as to how to deal with that, but in
> the worst case, you could handle it at the PAM level.
Yeah, I'm not sure what that would look like.
>
>> We used to do this at AOL. We had a proprietary plugin for this
>> purpose. The password was passed as "password/securidtoken". The
>> plug-in parsed out the password and the token and passed them off to
>> our proprietary auth thingy.
>
> Ugh, I was afraid of that. I'm trying to avoid 'custom', 'proprietary'
> e.g. unsupported, unupdated stuff. I'm also very much hating all of the
> two-factor vendors out there as they seem very narrow-minded. They
> have a single use-case and basically you're on your own (see 'custom'
> & 'proprietary') if you don't fit into it.
This sounds like a worthwhile project to work on. Have the token vendors provided SASL mechanisms for their products? That seems like the best way to enable authentication via their devices to a wide range of applications.
>
> Thanks for the info.
>
> Chris.

From ckm at olliancegroup.com Wed Nov 8 23:08:02 2006
From: ckm at olliancegroup.com (Chris Maresca)
Date: Wed, 08 Nov 2006 15:08:02 -0800
Subject: [Fedora-directory-users] PAM passthru questions and SecureID
In-Reply-To: <45524A67.5030503@redhat.com>
References: <45523D03.7040900@olliancegroup.com> <4552322B.9040501@redhat.com> <45524848.4080709@olliancegroup.com> <45524A67.5030503@redhat.com>
Message-ID: <45526352.9090109@olliancegroup.com>

Richard Megginson wrote:
> You mean like "every person who is a member of group A has to use
> {PAM}uid:groupAAuth"?
Yes, exactly.
> I suppose we could use Class of Service to
> implement that.
That would be the best, architecturally and from a maintenance standpoint. It would be a lot easier to change authentication sub-systems for a whole class of people rather than 1 by 1... I'm not sure how Class of Service works, but I'll look into it. Still learning a lot of the LDAP internals; it's been a pretty steep learning curve so far.
> I just don't like overloading the userPassword {foo} syntax, but
> openldap has a history of doing something similar with {kerberos} and
> {sasl}, so there is precedent.
I agree, it's somewhat of a hack, but it would seem to be the quick way to get to more flexibility in handling authentication externally. Given the myriad of potential external auths, more flexibility would be better. Perhaps instead you could have {LOOKUP}(some filter that points elsewhere)? I don't know if that's possible at all.
>> The other thing is that some accounts would need access no matter what
>> (hence ques. 2), although that would seem to defeat the purpose of
>> tokens... I don't have an answer as to how to deal with that, but in
>> the worst case, you could handle it at the PAM level.
> Yeah, I'm not sure what that would look like.
PAM has built-in fallback when an auth method fails.
However, if the alternative auth method was a password in LDAP, how would LDAP know that the first auth had failed? You could easily do it with an alternative password store (like unix passwords), but it might be difficult to do if you wanted to contain everything in LDAP.
>> Ugh, I was afraid of that. I'm trying to avoid 'custom', 'proprietary'
>> e.g. unsupported, unupdated stuff. I'm also very much hating all of the
>> two-factor vendors out there as they seem very narrow-minded. They
>> have a single use-case and basically you're on your own (see 'custom'
>> & 'proprietary') if you don't fit into it.
> This sounds like a worthwhile project to work on. Have the token
> vendors provided SASL mechanisms for their products? That seems like
> the best way to enable authentication via their devices to a wide range
> of applications.
No. Most of them have their own proprietary auth protocols. Most provide RADIUS auth and some have PAM modules. When I was looking at using OpenLDAP, I worked out this crazy chained auth scheme involving LDAP -> SASL -> saslauthd -> pam_radius -> auth server. It gave me the willies, as each piece of the chain represents yet another thing that can fail and another security hole. FedoraDS's PAM passthrough does away with a lot of that (well, SASL mostly), which, IMHO, is a good thing.

The other main issue is that most token vendors only support account lookup in a limited set of LDAP servers (usually AD and one other). I'm running into this now with CryptoCard, as their auth server can look up accounts in AD, OpenLDAP and Mac OpenDirectory, but not Fedora (they have schemas in their configs for Sun and Novell as well, but they are 'not supported'). The alternative is to clone each account to the auth server and not have it do LDAP lookups, which is kinda stupid, but a usable workaround.

All that said, I think that Fedora DS having pam passthrough makes it the open source LDAP server of choice (and potentially the only one on Linux that could do external auth against a token system) since OpenLDAP doesn't support this except through a complex/fragile SASL chain.

The only other LDAP server that I know of that directly supports tokens is Novell's eDirectory + RSA tokens, but the auth module for RSA only runs on WinX and Netware.... Even on WinX, there are issues with AD integration, particularly at the desktop login level.

Right now, I've got a copy of CryptoCard's (CC) server running on the same box as LDAP. It sees all the LDAP accounts fine, but CC's mappings don't recognize that the accounts are user accounts and I'm trying to fix that. CC is being less than cooperative in explaining what is what (sigh). Supposedly RSA's server is a bit more flexible in account configuration and I might install that next.

All I know is that I'd love to get this working. Right now, pam passthrough seems the fastest way to get there, if I can figure out the right incantations to get a token auth server to look up LDAP accounts.

(Sorry for the rant)

Chris.
--
Chris Maresca
Olliance Group, LLC
www.olliancegroup.com

From radek at eadresa.cz Thu Nov 9 01:44:41 2006
From: radek at eadresa.cz (Radek Hladik)
Date: Thu, 09 Nov 2006 02:44:41 +0100
Subject: [Fedora-directory-users] Question about account inactivation
Message-ID: <45528809.5030601@eadresa.cz>

I would like to ask one stupid question about account inactivation. When I use the FDS console to deactivate a user, it produces some "magic" with CoS to add the operational attribute nsAccountLock to the specified user entry. Is there any reason why this is done in such a complicated way? Why can the nsAccountLock attribute not be specified as an optional attribute in, for example, the posixAccount class? And is this approach possible in case I need only user account inactivation (I mean no groups or roles)?
I need to provide our account administrators with some easy possibility to inactivate an account via phpldapadmin, and I would like to do it in as standard a way as possible. Of course we could change the password hash specifier, i.e. from {SSHA} to {SSHA-disabled}, but I consider this a last-resort option.

Radek

From prowley at redhat.com Thu Nov 9 01:55:22 2006
From: prowley at redhat.com (Pete Rowley)
Date: Wed, 08 Nov 2006 17:55:22 -0800
Subject: [Fedora-directory-users] Question about account inactivation
In-Reply-To: <45528809.5030601@eadresa.cz>
References: <45528809.5030601@eadresa.cz>
Message-ID: <45528A8A.2050708@redhat.com>

Radek Hladik wrote:
> I would like to ask one stupid question about account inactivation.
> When I use FDS console to deactivate user, it produces some "magic"
> with CoS to add operational attribute nsAccountLock to the specified
> user entry. Is there any reason why this is done so complicated?
It is done this way so that large numbers of accounts can be activated or deactivated with one single modification.
> Why the nsAccountLock attribute can not be specified as optional
> attribute in for example posixAccount class? And is this approach
> possible in case I need only user account inactivation (I mean no
> groups or roles)?
You should not do that because it modifies standard schema, and no good will come of that.
> I need to provide our account administrators with some easy
> possibility to inactivate account via phpldapadmin and I would like to
> do it in as standard way as possible. Of course we could change the
> password hash specifier i.e. from {SSHA} to {SSHA-disabled} but I
> consider this as last resort option.
You can do that right now. Add nsAccountLock: true to an entry and it will be locked. Operational attributes don't require that the entry have a particular objectclass to pass schema check.

--
Pete

From rmeggins at redhat.com Thu Nov 9 02:20:47 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 08 Nov 2006 19:20:47 -0700
Subject: [Fedora-directory-users] PAM passthru questions and SecureID
In-Reply-To: <45526352.9090109@olliancegroup.com>
References: <45523D03.7040900@olliancegroup.com> <4552322B.9040501@redhat.com> <45524848.4080709@olliancegroup.com> <45524A67.5030503@redhat.com> <45526352.9090109@olliancegroup.com>
Message-ID: <4552907F.30301@redhat.com>

Chris Maresca wrote:
> Richard Megginson wrote:
>> You mean like "every person who is a member of group A has to use
>> {PAM}uid:groupAAuth"?
>
> Yes, exactly.
>
>> I suppose we could use Class of Service to
>> implement that.
>
> That would be the best, architecturally and from a maintenance
> standpoint. It would be a lot easier to change authentication
> sub-systems for a whole class of people rather than 1 by 1... I'm not
> sure how Class of Service works, but I'll look into it. Still learning
> a lot of the LDAP internals, it's been a pretty steep learning curve
> so far.
>
>> I just don't like overloading the userPassword {foo} syntax, but
>> openldap has a history of doing something similar with {kerberos} and
>> {sasl}, so there is precedent.
>
> I agree, it's somewhat of a hack, but it would seem to be the quick way
> to get to more flexibility in handling authentication externally.
> Given the myriad of potential external auths, more flexibility would
> be better. Perhaps instead you could have {LOOKUP}(some filter that
> points elsewhere)? I don't know if that's possible at all.
>
>>> The other thing is that some accounts would need access no matter
>>> what (hence ques. 2), although that would seem to defeat the
>>> purpose of tokens... I don't have an answer as to how to deal with
>>> that, but in the worst case, you could handle it at the PAM level.
>> Yeah, I'm not sure what that would look like.
>
> PAM has built-in fallback when an auth method fails. However, if the
> alternative auth method was a password in LDAP, how would LDAP know
> that the first auth had failed? You could easily do it with an
> alternative password store (like unix passwords), but it might be
> difficult to do if you wanted to contain everything in LDAP.
>
>>> Ugh, I was afraid of that. I'm trying to avoid 'custom',
>>> 'proprietary' e.g. unsupported, unupdated stuff. I'm also very much
>>> hating all of the two-factor vendors out there as they seem very
>>> narrow-minded. They have a single use-case and basically you're on
>>> your own (see 'custom' & 'proprietary') if you don't fit into it.
>> This sounds like a worthwhile project to work on. Have the token
>> vendors provided SASL mechanisms for their products? That seems like
>> the best way to enable authentication via their devices to a wide
>> range of applications.
>
> No. Most of them have their own proprietary auth protocols. Most
> provide RADIUS auth and some have PAM modules. When I was looking at
> using OpenLDAP, I worked out this crazy chained auth scheme involving
> LDAP -> SASL -> saslauthd -> pam_radius -> auth server. It gave me
> the willies as each piece of the chain represents yet another thing
> that can fail and another security hole. FedoraDS's PAM passthrough
> does away with a lot of that (well SASL mostly), which, IMHO, is a
> good thing.
But this is what SASL was designed to do - isolate applications from the authentication implementation details. Ideally, it would go like this:
LDAP -> SASL -> sasl auth server plugin -> auth server
Then you could just do an LDAP SASL BIND with a mechanism like "SASL-SECURID" or something like that, and pass in whatever credentials are required by the auth server in the sasl credentials field. You could even do multi-stage and interactive steps with SASL, e.g. if you wanted to first ask for the user name and password, then ask for the securid token in a separate step. Additionally, this authentication would be available to every other service that can use SASL for authentication.

However, if it is more difficult to take the SASL plugin approach, or the vendors are just not going to make this happen, then we should figure out how to extend the PAM passthru plugin to handle cases like this. Would you be able to write up something for the Fedora DS wiki, like an informal software requirements doc? Or your own publicly accessible website or blog if you would prefer. This is a good idea and you should capture your ideas while they are still fresh.
>
> The other main issue is that most token vendors only support account
> lookup in a limited set of LDAP servers (usually AD and one other).
> I'm running into this now with CryptoCard, as their auth server can
> look up accounts in AD, OpenLDAP and Mac OpenDirectory, but not Fedora
> (they have schemas in their configs for Sun and Novell as well, but
> they are 'not supported'). The alternative is to clone each account
> to the auth server and not have it do LDAP lookups, which is kinda
> stupid, but a usable workaround.
>
> All that said, I think that Fedora DS having pam passthrough makes it
> the open source LDAP server of choice (and potentially the only one on
> Linux that could do external auth against a token system) since
> OpenLDAP doesn't support this except through a complex/fragile SASL
> chain.
>
> The only other LDAP server that I know of that directly supports
> tokens is Novell's eDirectory + RSA tokens, but the auth module for
> RSA only runs on WinX and Netware.... Even on WinX, there are issues
> with AD integration, particularly at the desktop login level.
>
> Right now, I've got a copy of CryptoCard's (CC) server running on the
> same box as LDAP. It sees all the LDAP accounts fine, but CC's
> mappings don't recognize that the accounts are user accounts and I'm
> trying to fix that. CC is being less than cooperative in explaining what
> is what (sigh). Supposedly RSA's server is a bit more flexible in
> account configuration and I might install that next.
>
> All I know is that I'd love to get this working. Right now, pam
> passthrough seems the fastest way to get there, if I can figure out
> the right incantations to get a token auth server to look up LDAP
> accounts.
>
> (Sorry for the rant)
>
> Chris.

From ankur_agwal at yahoo.com Thu Nov 9 04:22:16 2006
From: ankur_agwal at yahoo.com (Ankur Agarwal)
Date: Wed, 8 Nov 2006 20:22:16 -0800 (PST)
Subject: [Fedora-directory-users] Questions on Referal/Chaning features
In-Reply-To: <4551EA43.80706@redhat.com>
Message-ID: <20061109042216.43383.qmail@web54103.mail.yahoo.com>

Thanks Richard! I have a couple of follow-up questions:

1) iPlanet to Fedora chaining should work fine, as you have mentioned. Does chaining require both of them to have exactly the same schemas, or does chaining not require that?

2) The client sends a request to Fedora (with some authentication info) and then the request gets dispatched to iPlanet/ActiveDirectory. How will this request be authenticated at iPlanet/ActiveDirectory? I believe authentication credentials will be different for all these LDAPs.

regards,
Ankur

Richard Megginson wrote:
Ankur Agarwal wrote:
> Hi,
>
> We have 2 existing directory services set up with different schemas:
> 1) Active Directory
> 2) iPlanet LDAP
>
> Now we want to introduce a third one (Fedora LDAP) where we want to
> use referral/chaining features to send requests to these already
> existing servers.
Would really appreciate your answers on: > > 1) Can we modify/update active directory data and iPlanet data with > application interfacing only with new Fedora LDAP which will dispatch > requests to these servers? Or can referal/chaining be used only for > querying other LDAP servers? A chaining database is read-write - it looks just like a local db to clients. > > 2) Can Referal/Chaning be set-up across ActiveDirectory and Fedora > with them having different schemas? Similarly between iPlanet and Fedora? Not sure about AD. Some other people on the list have been trying to get chaining and pass through auth to work with AD, but I haven't seen any reports of success yet. iPlanet to Fedora should work just fine. > > 3) If we want to migrate data from iPlanet to Fedora (having diff > schema on Fedora) then any issues we must be aware of and any best > practices? Just make sure your customized schema is copied to Fedora. iPlanet and Fedora DS are very compatible. > > Thanks, > Ankur > > ------------------------------------------------------------------------ > Sponsored Link > > Talk more and pay less. Vonage can save you up to $300 a year on your > phone bill. Sign up now. > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -- Fedora-directory-users mailing list Fedora-directory-users at redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users --------------------------------- Want to start your own business? Learn how on Yahoo! Small Business. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From ckm at olliancegroup.com Thu Nov 9 09:14:49 2006 From: ckm at olliancegroup.com (Chris Maresca) Date: Thu, 09 Nov 2006 01:14:49 -0800 Subject: [Fedora-directory-users] PAM passthru questions and SecureID In-Reply-To: <4552907F.30301@redhat.com> References: <45523D03.7040900@olliancegroup.com> <4552322B.9040501@redhat.com> <45524848.4080709@olliancegroup.com> <45524A67.5030503@redhat.com> <45526352.9090109@olliancegroup.com> <4552907F.30301@redhat.com> Message-ID: <4552F189.9060001@olliancegroup.com> Richard Megginson wrote: > But this is what SASL was designed to do - isolate applications from the > authentication implementation details. Ideally, it would go like this: > LDAP -> SASL -> sasl auth server plugin -> auth server Yes, but there are a very limited number of SASL plugins, basically NTLM, Kerberos, GSS and SecurID. Non-plugin auths are done through the 'external' method, which uses saslauthd, a hack as it actually requires accounts to be created to work properly. Saslauthd also only handles passwords in plain text, communicates over an unsecure socket, runs as root and is single-threaded.... so the chain winds up being: LDAP -> SASL -> plaintext sockect connection -> saslauthd -> sasl-auth method -> auth server SASL is quite good, but saslauthd is not so great. It was never actually intended for this, but as a proxy to deal with apps that did not have SASL natively. > Then you could just to an LDAP SASL BIND with a mechanism like > "SASL-SECURID" or something like that, and pass in whatever credentials > are required by the auth server in the sasl credentials field. I don't disagree, but none of the vendors are providing this capability. The real world and the ideal situation are not really lining up.... > However, if it is more difficult to take the SASL plugin approach, or > the vendors are just not going to make this happen, then we should > figure out how to extend the PAM passthru plugin to handle cases like this. 
That's the way it is right now, so yeah, extending PAM passthru would be good. SASL may be the long term future, but right now, it's not deployable except for one vendor's mechanism.

> Would you be able to write up something for the Fedora DS wiki, like an
> informal software requirements doc?

Sure, I can do that. I'd even offer to look at some code, but it's been years since I authored anything in C and I know nothing of the Fedora DS code....

Chris.

--
Chris Maresca
Founding Partner
Olliance Group, LLC
www.olliancegroup.com
+1.650.331.1770 x201

From radek at eadresa.cz Thu Nov 9 17:02:03 2006
From: radek at eadresa.cz (Radek Hladik)
Date: Thu, 09 Nov 2006 18:02:03 +0100
Subject: [Fedora-directory-users] Question about account inactivation
In-Reply-To: <45528A8A.2050708@redhat.com>
References: <45528809.5030601@eadresa.cz> <45528A8A.2050708@redhat.com>
Message-ID: <45535F0B.4000608@eadresa.cz>

Pete Rowley wrote:
> Radek Hladik wrote:
>> I would like to ask one stupid question about account inactivation.
>> When I use FDS console to deactivate user, it produces some "magic"
>> with CoS to add operational attribute nsAccountLock to the specified
>> user entry. Is there any reason why this is done so complicated?
> It is done this way so that large numbers of accounts can be activated
> or deactivated with one single modification.
>> Why the nsAccountLock attribute can not be specified as optional
>> attribute in for example posixAccount class? And is this approach
>> possible in case I need only user account inactivation (I mean no
>> groups or roles)?
> You should not do that because it modifies standard schema, and no good
> will come of that.
>> I need to provide our account administrators with some easy
>> possibility to inactivate account via phpldapadmin and I would like to
>> do it in as standard way as possible. Of course we could change the
>> password hash specifier i.e. from {SSHA} to {SSHA-disabled} but I
>> consider this as last resort option.
> You can do that right now. Add nsAccountLock: true to an entry it will
> be locked. Operational attributes don't require that the entry have a
> particular objectclass to pass schema check.

Thanks, this works, but I have a problem with displaying the operational attribute in phpldapadmin - in fact in other ldap browsers too, only Softerra can be configured which operational attributes it should include in entry. Phpldapadmin can show internal attributes and I could change source code to include nsAccountLock but it assumes that user does not need to change these attributes and thus does not allow user to modify them :( . I can (and probably will) code a piece of code into phpldapadmin to provide checkbox for this, but first I want to find more clean possibilities. Is it not possible to tell FDS somehow to include this attribute in all search results despite it is operational attribute?

Radek

From playactor at gmail.com Thu Nov 9 17:05:13 2006
From: playactor at gmail.com (Eric Brown)
Date: Thu, 9 Nov 2006 11:05:13 -0600
Subject: [Fedora-directory-users] Re: Missing Objectclasses in a Default install of 1.0.3
Message-ID:

Ok, here are the results of those commands.

[root at host ~]# ls -al /opt/fedora-ds/slapd-instance/config
total 224
drwxr-xr-x 3 ldap ldap 4096 Nov 9 00:27 .
drwxr-xr-x 11 ldap root 4096 Nov 9 00:27 ..
-rw------- 1 ldap ldap 50292 Nov 9 00:27 dse.ldif
-rw------- 2 ldap ldap 50293 Nov 9 00:23 dse.ldif.bak
-rw------- 2 ldap ldap 50293 Nov 9 00:23 dse.ldif.startOK
-rw------- 1 ldap root 34182 Nov 8 15:51 dse_original.ldif
drwxr-xr-x 2 ldap root 4096 Nov 9 00:27 schema
-rw-r--r-- 1 ldap root 5400 Nov 8 15:51 slapd-collations.conf

[root at host ~]# ls -al /opt/fedora-ds/slapd-instance/config/schema
total 964
drwxr-xr-x 2 ldap root 4096 Nov 9 00:27 .
drwxr-xr-x 3 ldap ldap 4096 Nov 9 00:27 ..
-rw-r--r-- 1 root root 69313 Oct 2 12:31 00core.ldif
-rw-r--r-- 1 root root 3832 Oct 2 12:31 05rfc2247.ldif
-rw-r--r-- 1 root root 2620 Oct 2 12:31 05rfc2927.ldif
-rw-r--r-- 1 root root 5204 Oct 2 12:31 10presence.ldif
-rw-r--r-- 1 root root 9211 Oct 2 12:31 10rfc2307.ldif
-rw-r--r-- 1 root root 6385 Oct 2 12:31 20subscriber.ldif
-rw-r--r-- 1 root root 4624 Oct 2 12:31 25java-object.ldif
-rw-r--r-- 1 root root 11532 Oct 2 12:31 28pilot.ldif
-rw-r--r-- 1 root root 13376 Oct 2 12:31 30ns-common.ldif
-rw-r--r-- 1 root root 8374 Oct 2 12:31 50ns-admin.ldif
-rw-r--r-- 1 root root 8891 Oct 2 12:31 50ns-calendar.ldif
-rw-r--r-- 1 root root 2866 Oct 2 12:31 50ns-certificate.ldif
-rw-r--r-- 1 root root 13514 Oct 2 12:31 50ns-compass.ldif
-rw-r--r-- 1 root root 8498 Oct 2 12:31 50ns-delegated-admin.ldif
-rw-r--r-- 1 root root 18098 Oct 2 12:31 50ns-directory.ldif
-rw-r--r-- 1 root root 2989 Oct 2 12:31 50ns-legacy.ldif
-rw-r--r-- 1 root root 10576 Oct 2 12:31 50ns-mail.ldif
-rw-r--r-- 1 root root 18969 Oct 2 12:31 50ns-mcd-browser.ldif
-rw-r--r-- 1 root root 6452 Oct 2 12:31 50ns-mcd-config.ldif
-rw-r--r-- 1 root root 4732 Oct 2 12:31 50ns-mcd-li.ldif
-rw-r--r-- 1 root root 22790 Oct 2 12:31 50ns-mcd-mail.ldif
-rw-r--r-- 1 root root 2392 Oct 2 12:31 50ns-media.ldif
-rw-r--r-- 1 root root 9989 Oct 2 12:31 50ns-mlm.ldif
-rw-r--r-- 1 root root 66775 Oct 2 12:31 50ns-msg.ldif
-rw-r--r-- 1 root root 4648 Oct 2 12:31 50ns-netshare.ldif
-rw-r--r-- 1 root root 3717 Oct 2 12:31 50ns-news.ldif
-rw-r--r-- 1 root root 2392 Oct 2 12:31 50ns-proxy.ldif
-rw-r--r-- 1 root root 4776 Oct 2 12:31 50ns-value.ldif
-rw-r--r-- 1 root root 5207 Oct 2 12:31 50ns-wcal.ldif
-rw-r--r-- 1 root root 2865 Oct 2 12:31 50ns-web.ldif
-rw-r--r-- 1 root root 13355 Oct 2 12:31 51ns-calendar.ldif
-rw-r--r-- 1 root root 4032 Oct 2 12:31 60pam-plugin.ldif
-rw-r--r-- 1 root root 986 Oct 2 12:33 61ldapns.ldif
-rw-r--r-- 1 root root 683 Oct 23 13:50 70ssl_enable.ldif
-rw------- 1 nobody nobody 2568 Oct 25 10:51
99user.ldif

Eric Brown wrote:
> When I install 1.0.3, use the default values for setting it up, and
> start it, the following messages are displayed.
>
> [08/Nov/2006:10:51:44 -0600] - Entry "cn=encryption,cn=config" required attribute "objectclass" missing
> [08/Nov/2006:10:51:45 -0600] - Entry "cn=config" required attribute "objectclass" missing
> [08/Nov/2006:10:51:45 -0600] - Entry "cn=config" required attribute "objectclass" missing
> [08/Nov/2006:10:51:45 -0600] - Entry "cn=encryption,cn=config" required attribute "objectclass" missing

Type the following command:
ls -al /opt/fedora-ds/slapd-yourinstance/config
also
ls -al /opt/fedora-ds/slapd-yourinstance/config/schema

> I have not added or removed anything from the default schema files and
> I can't find a message that tells me what object classes are missing.
> Any ideas on where to look for more detailed information on these
> errors or why they are appearing in the first place.
>
> Thanks.

From rmeggins at redhat.com Thu Nov 9 17:24:09 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 09 Nov 2006 10:24:09 -0700
Subject: [Fedora-directory-users] Re: Missing Objectclasses in a Default install of 1.0.3
In-Reply-To:
References:
Message-ID: <45536439.7040401@redhat.com>

Eric Brown wrote:
> Ok, here are the results of those commands.
> ...
> -rw------- 1 nobody nobody 2568 Oct 25 10:51 99user.ldif

Is your directory server running as ldap:ldap? If so, the 99user.ldif file needs to be owned by ldap:ldap, not nobody:nobody.
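Richard's diagnosis above is the general case of a problem worth checking mechanically: the server ran as ldap, but 99user.ldif was nobody:nobody with mode 0600, so slapd could neither read the user schema it loads at startup nor rewrite it on schema changes. The script below is an added example written for this thread, not code from Fedora DS or from anyone posting here. It applies the POSIX owner/group/other rule on behalf of the server account, once to the ls -al listing Eric posted (embedded as LISTING, trimmed to the interesting rows) and once to a live instance directory. The set of files slapd rewrites (dse.ldif and 99user.ldif) and the default assumption that the server account's primary group shares its name (ldap:ldap) are the editor's, not something the thread states.

```python
"""Check that every file under a Fedora DS instance's config directory is
usable by the account slapd runs as. Added example for this thread, not
Fedora DS code. Editor's assumptions: slapd rewrites dse.ldif and
99user.ldif (so those need write access, everything else only read), and
the server account's primary group has the same name as the account."""
import grp
import os
import pwd
import stat
from pathlib import Path

SERVER_WRITES = {"dse.ldif", "99user.ldif"}

# Constructed from the `ls -al` output posted in the thread: the schema
# directory rows that matter, plus dse.ldif from the config directory.
LISTING = """\
total 964
drwxr-xr-x  2 ldap   root    4096 Nov  9 00:27 .
drwxr-xr-x  3 ldap   ldap    4096 Nov  9 00:27 ..
-rw-------  1 ldap   ldap   50292 Nov  9 00:27 dse.ldif
-rw-r--r--  1 root   root   69313 Oct  2 12:31 00core.ldif
-rw-r--r--  1 root   root    9211 Oct  2 12:31 10rfc2307.ldif
-rw-r--r--  1 root   root     683 Oct 23 13:50 70ssl_enable.ldif
-rw-------  1 nobody nobody  2568 Oct 25 10:51 99user.ldif
"""

PERM_BITS = (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
             stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
             stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH)


def parse_ls_al(listing):
    """Turn `ls -al` lines into (name, owner, group, mode) tuples; skips 'total'."""
    rows = []
    for line in listing.splitlines():
        parts = line.split(None, 8)
        if len(parts) < 9 or parts[0] == "total":
            continue
        perm, owner, group, name = parts[0], parts[2], parts[3], parts[8]
        mode = stat.S_IFDIR if perm[0] == "d" else stat.S_IFREG
        for i, bit in enumerate(PERM_BITS):
            if perm[1 + i] != "-":      # r/w/x, and s/t for setuid/setgid/sticky
                mode |= bit
        rows.append((name, owner, group, mode))
    return rows


def _problem(name, mode, is_owner, in_group, user, owner_label):
    """POSIX rule: owner bits if owner, else group bits if a member, else
    other bits. Returns a description of the first failure, or None."""
    need_write = not stat.S_ISDIR(mode) and name in SERVER_WRITES
    if is_owner:
        can_read, can_write = mode & stat.S_IRUSR, mode & stat.S_IWUSR
    elif in_group:
        can_read, can_write = mode & stat.S_IRGRP, mode & stat.S_IWGRP
    else:
        can_read, can_write = mode & stat.S_IROTH, mode & stat.S_IWOTH
    if not can_read:
        return f"{name}: not readable by {user} (owner {owner_label})"
    if need_write and not can_write:
        return f"{name}: not writable by {user} (owner {owner_label})"
    return None


def check_listing(listing, user, groups=None):
    """Check a pasted listing for account `user`; its groups default to {user}."""
    groups = set(groups) if groups else {user}
    problems = []
    for name, owner, group, mode in parse_ls_al(listing):
        if name in (".", ".."):
            continue
        found = _problem(name, mode, owner == user, group in groups,
                         user, f"{owner}:{group}")
        if found:
            problems.append(found)
    return problems


def check_instance_dir(config_dir, user):
    """Same check against a real instance directory, resolving uid and gids."""
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    problems = []
    for path in sorted(Path(config_dir).rglob("*")):
        st = path.lstat()
        found = _problem(path.name, st.st_mode, st.st_uid == pw.pw_uid,
                         st.st_gid in gids, user, f"{st.st_uid}:{st.st_gid}")
        if found:
            problems.append(found)
    return problems


if __name__ == "__main__":
    for line in check_listing(LISTING, "ldap"):
        print(line)
```

Run against the embedded listing it reports only 99user.ldif; run `check_instance_dir("/opt/fedora-ds/slapd-instance/config", "ldap")` on the server to get the same report from the real filesystem. Note that world-readable root-owned schema files pass, which is correct: slapd only has to read them, and a writable 99user.ldif is what the server needs for the schema it manages itself.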
From rmeggins at redhat.com Thu Nov 9 17:45:06 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 09 Nov 2006 10:45:06 -0700
Subject: [Fedora-directory-users] Questions on Referral/Chaining features
In-Reply-To: <20061109042216.43383.qmail@web54103.mail.yahoo.com>
References: <20061109042216.43383.qmail@web54103.mail.yahoo.com>
Message-ID: <45536922.5010109@redhat.com>

Ankur Agarwal wrote:
> Thanks Richard!
>
> Have a couple of follow-up questions :
>
> 1) iPlanet to Fedora chaining should work fine as you have mentioned.
> Does chaining require both of them to have exactly same schemas or
> chaining doesn't require that?

I don't think it matters.

> 2) Client sends request to Fedora (with some authentication info) and
> then request gets dispatched to iPlanet/ActiveDirectory. How will this
> request be authenticated at iPlanet/ActiveDirectory. I believe
> authentication credentials will be different for all these LDAPs.

I don't understand. If you send a simple BIND request with a dn and a password to Fedora acting as the chaining front end, it will simply pass this operation and the credentials to the LDAP server on the backend. The Fedora DS chaining backend can't figure out what sort of authentication to use and change it on the fly.
> regards,
> Ankur
From hyc at symas.com Thu Nov 9 17:47:42 2006
From: hyc at symas.com (Howard Chu)
Date: Thu, 09 Nov 2006 09:47:42 -0800
Subject: [Fedora-directory-users] PAM passthru questions and SecureID
In-Reply-To: <20061109170008.D178473A58@hormel.redhat.com>
References: <20061109170008.D178473A58@hormel.redhat.com>
Message-ID: <455369BE.4040407@symas.com>

> From: Chris Maresca
> Subject: Re: [Fedora-directory-users] PAM passthru questions and SecureID
> Message-ID: <4552F189.9060001 at olliancegroup.com>
> Richard Megginson wrote:
>> But this is what SASL was designed to do - isolate applications from the
>> authentication implementation details. Ideally, it would go like this:
>> LDAP -> SASL -> sasl auth server plugin -> auth server
> Yes, but there are a very limited number of SASL plugins, basically
> NTLM, Kerberos, GSS and SecurID. Non-plugin auths are done through the
> 'external' method, which uses saslauthd, a hack as it actually requires
> accounts to be created to work properly.
> Saslauthd also only handles
> passwords in plain text, communicates over an insecure socket, runs as
> root and is single-threaded....

Rich isn't recommending the use of saslauthd, and developing a SASL plugin for whatever purpose is pretty easy.

> so the chain winds up being:
>
> LDAP -> SASL -> plaintext socket connection -> saslauthd -> sasl-auth
> method -> auth server
>
> SASL is quite good, but saslauthd is not so great. It was never
> actually intended for this, but as a proxy to deal with apps that did
> not have SASL natively.

Agreed, saslauthd is junk.

>> Then you could just do an LDAP SASL BIND with a mechanism like
>> "SASL-SECURID" or something like that, and pass in whatever credentials
>> are required by the auth server in the sasl credentials field.
>
> I don't disagree, but none of the vendors are providing this capability.
> The real world and the ideal situation are not really lining up....
>
>> However, if it is more difficult to take the SASL plugin approach, or
>> the vendors are just not going to make this happen, then we should
>> figure out how to extend the PAM passthru plugin to handle cases like this.
>
> That's the way it is right now, so yeah, extending PAM passthru would be
> good. SASL may be the long term future, but right now, it's not
> deployable except for one vendor's mechanism.

You've identified a shortcoming but you're going about fixing it the wrong way. Rich is trying to point you down the proper track; the right way is to get the desired SASL plugin written.

>> Would you be able to write up something for the Fedora DS wiki, like an
>> informal software requirements doc?
>
> Sure, I can do that. I'd even offer to look at some code, but it's been
> years since I authored anything in C and I know nothing of the Fedora DS
> code....

I work with both the OpenLDAP and Cyrus SASL Projects; my company Symas Corp. can easily develop what's needed here and submit it to Cyrus for you.
Once you've got the requirements spelled out, come talk to us.

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/

From deighton at gmail.com Thu Nov 9 17:51:28 2006
From: deighton at gmail.com (Dan)
Date: Thu, 09 Nov 2006 12:51:28 -0500
Subject: [Fedora-directory-users] Macro ACI not working as expected
Message-ID: <1163094688.7186.38.camel@whatever>

I have set up a directory structure as follows:

ou=Domains,dc=example,dc=net
  o=hostedDomain1.com
    mail=user1@hostedDomain1.com
    mail=user2@hostedDomain1.com
    mail=user3@hostedDomain1.com
  o=hostedDomain2.net
    mail=user1@hostedDomain2.net
    mail=user2@hostedDomain2.net
    mail=user3@hostedDomain2.net
  o=hostedDomain3.com
  ...

I would like to allow any mail user to only read the attributes of the users within their domain. For example, user1@hostedDomain1.com can see user2@hostedDomain1.com, but not user2@hostedDomain2.net. I am not allowing anonymous access.

I have allowed access to the Domains OU with this aci entry (placed on the Domains OU):

aci: (targetattr=*)(targetfilter=(ou=Domains))
 (version 3.0;acl "Allow read access to Domains OU";allow (read,search)
 (userdn="ldap:///mail=*,o=*,ou=Domains,dc=example,dc=net");)

I have placed the following macro aci on the Domains OU without success:

aci: (targetattr!="userPassword")
 (target="ldap:///($dn),ou=Domains,dc=example,dc=net")
 (version 3.0;acl "Allow read access to Domain members";allow (read,search)
 (userdn="ldap:///mail=*,($dn),ou=Domains,dc=example,dc=net");)

As I understand it, the second aci should allow read and search access to domain ($dn) and all entries below it. However, the behavior that I'm seeing is that the user can only see down to the domain with no access to the sub-entries. In other words, user1@hostedDomain1.com can see o=hostedDomain1.com,ou=Domains,dc=example,dc=net, but can not see anything below.
Am I missing something? How can I get this to work properly?

Thanks in advance.

From dellacod at newschool.edu Thu Nov 9 17:54:04 2006
From: dellacod at newschool.edu (Dave Della Costa)
Date: Thu, 09 Nov 2006 12:54:04 -0500
Subject: [Fedora-directory-users] Problems with SSL, Pam/SSHD Authentication & FDS
Message-ID: <45536B3C.4060500@newschool.edu>

Hi folks,

This isn't strictly a FDS question (I think!) but I'm hoping there are some people on the list who have significant experience and can offer advice.

I've gotten FDS set up, I've generated the cert and imported it into my client machine's /etc/openldap/cacerts directory. When I run

ldapsearch -ZZ

..on the client machine it works fine; this wasn't working correctly until I did a few tweaks in my /etc/openldap/ldap.conf directory (specifically, I had an IP address instead of hostname, so I was getting a 'host doesn't match cert' or something like that error).

So, it seems like SSL is set up and working fine, BUT, I cannot do sshd authentication via SSL. As soon as I uncomment 'ssl on' I start getting this in my /var/log/messages:

Nov 9 12:46:47 a sh: nss_ldap: failed to bind to LDAP server ldap://x.x.com: Can't contact LDAP server
Nov 9 12:46:47 a last message repeated 3 times
Nov 9 12:46:47 a sh: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
Nov 9 12:46:51 a sh: nss_ldap: failed to bind to LDAP server ldap://x.x.com: Can't contact LDAP server
Nov 9 12:46:51 a sh: nss_ldap: failed to bind to LDAP server ldap://x.x.com: Can't contact LDAP server
Nov 9 12:46:51 a sh: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)...

When I turn it back off, it binds to the regular (non-SSL) LDAP port on the FDS server and authentication happens just fine.
Nov 9 12:47:01 a sshd[8390]: nss_ldap: reconnected to LDAP server ldap://x.x.com after 1 attempt
Nov 9 12:47:03 a sshd(pam_unix)[8395]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=blap
Nov 9 12:47:03 a sshd[8390]: Accepted keyboard-interactive/pam for blap from x.x.x.x port 48049 ssh2
Nov 9 12:47:03 a sshd(pam_unix)[8451]: session opened for user blap by (uid=0)
Nov 9 12:47:03 a sshd[8390]: nss_ldap: reconnected to LDAP server ldap://x.x.com after 1 attempt

(if you hadn't noticed, I changed all the IPs and hostnames in the above log examples...).

What the heck could this be? I'm not sure what the proper options in the /etc/ldap.conf are that perhaps I'm screwing up or forgetting, but so far I've tried (in addition to 'ssl on') setting sslpath, "ssl start_tls," tls_cacertfile, and tls_cacertdir. Or is this something screwed up in my /etc/openldap/ldap.conf? I'm using the howto here: http://directory.fedora.redhat.com/wiki/Howto:SSL

Any help would be greatly appreciated. Thanks!

Dave D.

From rmeggins at redhat.com Thu Nov 9 18:02:49 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 09 Nov 2006 11:02:49 -0700
Subject: [Fedora-directory-users] Problems with SSL, Pam/SSHD Authentication & FDS
In-Reply-To: <45536B3C.4060500@newschool.edu>
References: <45536B3C.4060500@newschool.edu>
Message-ID: <45536D49.7090408@redhat.com>

Dave Della Costa wrote:
> Hi folks,
> ...
Did you edit /etc/ssh/sshd_config and set
UsePAM yes
?

From david_list at boreham.org Thu Nov 9 18:06:52 2006
From: david_list at boreham.org (David Boreham)
Date: Thu, 09 Nov 2006 11:06:52 -0700
Subject: [Fedora-directory-users] PAM passthru questions and SecureID
In-Reply-To: <455369BE.4040407@symas.com>
References: <20061109170008.D178473A58@hormel.redhat.com> <455369BE.4040407@symas.com>
Message-ID: <45536E3C.9030507@boreham.org>

I have also been researching two-factor token support in LDAP recently. What I found depressed me: other than RSA with Novell, there is no, repeat NO support for using centralized LDAP authentication with these things. The vendors will often mention LDAP, but when they do it's as a management database for their own proprietary authentication service, not as a way to use LDAP for the actual authentication itself. I did see a general obsession with PAM, I suspect because it's a handy way to insert these mechanisms underneath Unix for terminal login. Same deal with RADIUS, presumably because that allows the vendors to check the 'VPN' checkbox.
But there seems to be no general purpose 'put my two factor thing underneath my corporate LDAP authentication service' solution (other than the aforementioned Novell/RSA product). Not even for Active Directory.

Because there is some PAM support from the vendors, providing a PAM proxy/passthrough path under the LDAP server does turn out to be the most expedient option. SASL would certainly be better, but I get the impression that the token vendors haven't heard of SASL yet. They don't seem to think in terms of general purpose mechanism, but rather along the lines of 'ok how do we make our token work for application X?' (and they've provided solutions for the top N popular applications where N is a small positive integer, and called it good).

From ckm at olliancegroup.com Thu Nov 9 18:17:38 2006
From: ckm at olliancegroup.com (Chris Maresca)
Date: Thu, 09 Nov 2006 10:17:38 -0800
Subject: [Fedora-directory-users] PAM passthru questions and SecureID
In-Reply-To: <45536E3C.9030507@boreham.org>
References: <20061109170008.D178473A58@hormel.redhat.com> <455369BE.4040407@symas.com> <45536E3C.9030507@boreham.org>
Message-ID: <455370C2.5000509@olliancegroup.com>

David Boreham wrote:
> I have also been researching two-factor token support in LDAP recently.
> What I found depressed me : other than RSA with Novell, there is
> no, repeat NO support for using centralized LDAP authentication
> with these things.

And the RSA plugin only works on Win2k and Netware, neither of which would be my choice for a backend secure server.

http://www.rsasecurity.com/node.asp?id=2569

Never mind that it has not been updated or supported in about 5 years.

BTW, I have gotten CryptoCard to work with Fedora, and I'm just now working on PAM passthru. Hopefully I'll be able to write a howto in the next few weeks.

Chris.
--
Chris Maresca
Founding Partner
Olliance Group, LLC
www.olliancegroup.com
+1.650.331.1770 x201

From david_list at boreham.org Thu Nov 9 18:25:40 2006
From: david_list at boreham.org (David Boreham)
Date: Thu, 09 Nov 2006 11:25:40 -0700
Subject: [Fedora-directory-users] PAM passthru questions and SecureID
In-Reply-To: <455370C2.5000509@olliancegroup.com>
References: <20061109170008.D178473A58@hormel.redhat.com> <455369BE.4040407@symas.com> <45536E3C.9030507@boreham.org> <455370C2.5000509@olliancegroup.com>
Message-ID: <455372A4.5000301@boreham.org>

Chris Maresca wrote:
> BTW, I have gotten CryptoCard to work with Fedora, and I'm just now
> working on PAM passthru. Hopefully I'll be able to write a howto in
> the next few weeks.

That'd be great. However in my experience it's SecurID that everyone wants support for :(

From ckm at olliancegroup.com Thu Nov 9 18:27:44 2006
From: ckm at olliancegroup.com (Chris Maresca)
Date: Thu, 09 Nov 2006 10:27:44 -0800
Subject: [Fedora-directory-users] PAM passthru questions and SecureID
In-Reply-To: <455372A4.5000301@boreham.org>
References: <20061109170008.D178473A58@hormel.redhat.com> <455369BE.4040407@symas.com> <45536E3C.9030507@boreham.org> <455370C2.5000509@olliancegroup.com> <455372A4.5000301@boreham.org>
Message-ID: <45537320.1000104@olliancegroup.com>

I'm trying to get an eval copy. It should be roughly the same and perhaps a little easier as they have more flexible LDAP support. The tricky bit is PAM passthrough that I'm just now getting to (after around 2 weeks of fighting with all this...).

BTW, SASL has native SecurID support in it. Don't know if it works, 'tho.

Chris.

David Boreham wrote:
> Chris Maresca wrote:
>
>> BTW, I have gotten CryptoCard to work with Fedora, and I'm just now
>> working on PAM passthru. Hopefully I'll be able to write a howto in
>> the next few weeks.
>
> That'd be great.
> However in my experience it's SecurID that everyone
> wants support for :(

--
Chris Maresca
Founding Partner
Olliance Group, LLC
www.olliancegroup.com
+1.650.331.1770 x201

From hyc at symas.com Thu Nov 9 18:49:03 2006
From: hyc at symas.com (Howard Chu)
Date: Thu, 09 Nov 2006 10:49:03 -0800
Subject: [Fedora-directory-users] PAM passthru questions and SecureID
In-Reply-To: <20061109170008.D178473A58@hormel.redhat.com>
References: <20061109170008.D178473A58@hormel.redhat.com>
Message-ID: <4553781F.5020202@symas.com>

> Date: Wed, 08 Nov 2006 15:08:02 -0800
> From: Chris Maresca
> Richard Megginson wrote:
>> I just don't like overloading the userPassword {foo} syntax, but
>> openldap has a history of doing something similar with {kerberos} and
>> {sasl}, so there is precedent.

They're also strongly deprecated; {kerberos} is no longer supported. The only real need for them is old clients that only know how to do Simple Bind. Since that in itself is a security liability, it's better to get the clients updated.

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/

From dellacod at newschool.edu Thu Nov 9 18:50:40 2006
From: dellacod at newschool.edu (Dave Della Costa)
Date: Thu, 09 Nov 2006 13:50:40 -0500
Subject: [Fedora-directory-users] Problems with SSL, Pam/SSHD Authentication & FDS
In-Reply-To: <45536D49.7090408@redhat.com>
References: <45536B3C.4060500@newschool.edu> <45536D49.7090408@redhat.com>
Message-ID: <45537880.1080308@newschool.edu>

> Did you edit /etc/ssh/sshd_config and set
> UsePAM yes
> ?

Yes, perhaps I wasn't clear when I said

>> When I turn it back off, it binds to the regular (non-SSL) LDAP port
>> on the FDS server and authentication happens just fine.

--I meant by this that logging in via SSH Authentication by LDAP credentials is fine if I don't have SSL-enabled LDAP on.
Thanks,
Dave

Richard Megginson wrote:
> Dave Della Costa wrote:
>
>> Hi folks,
>>
>> This isn't strictly a FDS question (I think!) but I'm hoping there are
>> some people on the list who have significant experience and can offer
>> advice.
>>
>> I've gotten FDS set up, I've generated the cert and imported it into
>> my client machine's /etc/openldap/cacerts directory. When I run
>>
>> ldapsearch -ZZ
>>
>> ..on the client machine it works fine; this wasn't working correctly
>> until I did a few tweaks in my /etc/openldap/ldap.conf directory
>> (specifically, I had an IP address instead of hostname, so I was
>> getting a 'host doesn't match cert' or something like that error).
>>
>> So, it seems like SSL is set up and working fine, BUT, I cannot do
>> sshd authentication via SSL. As soon as I uncomment 'ssl on' I start
>> getting this in my /var/log/messages:
>>
>> Nov 9 12:46:47 a sh: nss_ldap: failed to bind to LDAP server
>> ldap://x.x.com: Can't contact LDAP server
>> Nov 9 12:46:47 a last message repeated 3 times
>> Nov 9 12:46:47 a sh: nss_ldap: reconnecting to LDAP server (sleeping
>> 4 seconds)...
>> Nov 9 12:46:51 a sh: nss_ldap: failed to bind to LDAP server
>> ldap://x.x.com: Can't contact LDAP server
>> Nov 9 12:46:51 a sh: nss_ldap: failed to bind to LDAP server
>> ldap://x.x.com: Can't contact LDAP server
>> Nov 9 12:46:51 a sh: nss_ldap: reconnecting to LDAP server (sleeping
>> 8 seconds)...
>>
>> When I turn it back off, it binds to the regular (non-SSL) LDAP port
>> on the FDS server and authentication happens just fine.
>>
>> Nov 9 12:47:01 a sshd[8390]: nss_ldap: reconnected to LDAP server
>> ldap://x.x.com after 1 attempt
>> Nov 9 12:47:03 a sshd(pam_unix)[8395]: authentication failure;
>> logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=blap
>> Nov 9 12:47:03 a sshd[8390]: Accepted keyboard-interactive/pam for
>> blap from x.x.x.x port 48049 ssh2
>> Nov 9 12:47:03 a sshd(pam_unix)[8451]: session opened for user blap
>> by (uid=0)
>> Nov 9 12:47:03 a sshd[8390]: nss_ldap: reconnected to LDAP server
>> ldap://x.x.com after 1 attempt
>>
>> (if you hadn't noticed, I changed all the IPs and hostnames in the
>> above log examples...).
>>
>> What the heck could this be? I'm not sure what the proper options in
>> the /etc/ldap.conf are that perhaps I'm screwing up or forgetting, but
>> so far I've tried (in addition to 'ssl on') setting sslpath, "ssl
>> start_tls," tls_cacertfile, and tls_cacertdir. Or is this something
>> screwed up in my /etc/openldap/ldap.conf? I'm using the howto here:
>> http://directory.fedora.redhat.com/wiki/Howto:SSL
>
> Did you edit /etc/ssh/sshd_config and set
> UsePAM yes
> ?
>
>> Any help would be greatly appreciated. Thanks!
>>
>> Dave D.
>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From prowley at redhat.com Thu Nov 9 18:51:17 2006
From: prowley at redhat.com (Pete Rowley)
Date: Thu, 09 Nov 2006 10:51:17 -0800
Subject: [Fedora-directory-users] Question about account inactivation
In-Reply-To: <45535F0B.4000608@eadresa.cz>
References: <45528809.5030601@eadresa.cz> <45528A8A.2050708@redhat.com> <45535F0B.4000608@eadresa.cz>
Message-ID: <455378A5.80707@redhat.com>

Radek Hladik wrote:
> Is it not possible to tell FDS somehow to include this attribute in
> all search results despite it is operational attribute?

I guess if you modify schema to remove its operational directive.
--
Pete

From radek at eadresa.cz Thu Nov 9 19:06:53 2006
From: radek at eadresa.cz (Radek Hladik)
Date: Thu, 09 Nov 2006 20:06:53 +0100
Subject: [Fedora-directory-users] Question about account inactivation
In-Reply-To: <455378A5.80707@redhat.com>
References: <45528809.5030601@eadresa.cz> <45528A8A.2050708@redhat.com> <45535F0B.4000608@eadresa.cz> <455378A5.80707@redhat.com>
Message-ID: <45537C4D.9030103@eadresa.cz>

Pete Rowley wrote:
> Radek Hladik wrote:
>> Is it not possible to tell FDS somehow to include this attribute in
>> all search results despite it is operational attribute?
> I guess if you modify schema to remove its operational directive.
>

But would I not need to include the attribute in some objectClass then?

Radek

From prowley at redhat.com Thu Nov 9 19:16:07 2006
From: prowley at redhat.com (Pete Rowley)
Date: Thu, 09 Nov 2006 11:16:07 -0800
Subject: [Fedora-directory-users] Question about account inactivation
In-Reply-To: <45537C4D.9030103@eadresa.cz>
References: <45528809.5030601@eadresa.cz> <45528A8A.2050708@redhat.com> <45535F0B.4000608@eadresa.cz> <455378A5.80707@redhat.com> <45537C4D.9030103@eadresa.cz>
Message-ID: <45537E77.8050705@redhat.com>

Radek Hladik wrote:
> Pete Rowley wrote:
>> Radek Hladik wrote:
>>> Is it not possible to tell FDS somehow to include this attribute in
>>> all search results despite it is operational attribute?
>> I guess if you modify schema to remove its operational directive.
>>
> But would I not need to include the attribute in some objectClass then?
>

Yep. It is either operational or it is not. You could make the schema
modification and either turn off schema checking or add the extensibleObject
objectclass to the entries. Neither of those options is really recommended.
Client modification is your best option.

--
Pete

From playactor at gmail.com Thu Nov 9 19:20:17 2006
From: playactor at gmail.com (Eric Brown)
Date: Thu, 9 Nov 2006 13:20:17 -0600
Subject: [Fedora-directory-users] Re: Re: Missing Objectclasses in a Default install of 1.0.3
Message-ID:

Ok, I changed that, but I am still getting the errors.

From: Richard Megginson
Subject: Re: [Fedora-directory-users] Re: Missing Objectclasses in a Default install of 1.0.3
To: "General discussion list for the Fedora Directory server project."
Message-ID: <45536439.7040401 at redhat.com>
Content-Type: text/plain; charset="iso-8859-1"

Eric Brown wrote:
> Ok, here are the results of those commands.
>
> [root at host ~]# ls -al /opt/fedora-ds/slapd-instance/config
> total 224
> drwxr-xr-x  3 ldap ldap  4096 Nov  9 00:27 .
> drwxr-xr-x 11 ldap root  4096 Nov  9 00:27 ..
> -rw-------  1 ldap ldap 50292 Nov  9 00:27 dse.ldif
> -rw-------  2 ldap ldap 50293 Nov  9 00:23 dse.ldif.bak
> -rw-------  2 ldap ldap 50293 Nov  9 00:23 dse.ldif.startOK
> -rw-------  1 ldap root 34182 Nov  8 15:51 dse_original.ldif
> drwxr-xr-x  2 ldap root  4096 Nov  9 00:27 schema
> -rw-r--r--  1 ldap root  5400 Nov  8 15:51 slapd-collations.conf
>
> [root at host ~]# ls -al /opt/fedora-ds/slapd-instance/config/schema
> total 964
> drwxr-xr-x  2 ldap root  4096 Nov  9 00:27 .
> drwxr-xr-x  3 ldap ldap  4096 Nov  9 00:27 ..
> -rw-r--r--  1 root root 69313 Oct  2 12:31 00core.ldif
> -rw-r--r--  1 root root  3832 Oct  2 12:31 05rfc2247.ldif
> -rw-r--r--  1 root root  2620 Oct  2 12:31 05rfc2927.ldif
> -rw-r--r--  1 root root  5204 Oct  2 12:31 10presence.ldif
> -rw-r--r--  1 root root  9211 Oct  2 12:31 10rfc2307.ldif
> -rw-r--r--  1 root root  6385 Oct  2 12:31 20subscriber.ldif
> -rw-r--r--  1 root root  4624 Oct  2 12:31 25java-object.ldif
> -rw-r--r--  1 root root 11532 Oct  2 12:31 28pilot.ldif
> -rw-r--r--  1 root root 13376 Oct  2 12:31 30ns-common.ldif
> -rw-r--r--  1 root root  8374 Oct  2 12:31 50ns-admin.ldif
> -rw-r--r--  1 root root  8891 Oct  2 12:31 50ns-calendar.ldif
> -rw-r--r--  1 root root  2866 Oct  2 12:31 50ns-certificate.ldif
> -rw-r--r--  1 root root 13514 Oct  2 12:31 50ns-compass.ldif
> -rw-r--r--  1 root root  8498 Oct  2 12:31 50ns-delegated-admin.ldif
> -rw-r--r--  1 root root 18098 Oct  2 12:31 50ns-directory.ldif
> -rw-r--r--  1 root root  2989 Oct  2 12:31 50ns-legacy.ldif
> -rw-r--r--  1 root root 10576 Oct  2 12:31 50ns-mail.ldif
> -rw-r--r--  1 root root 18969 Oct  2 12:31 50ns-mcd-browser.ldif
> -rw-r--r--  1 root root  6452 Oct  2 12:31 50ns-mcd-config.ldif
> -rw-r--r--  1 root root  4732 Oct  2 12:31 50ns-mcd-li.ldif
> -rw-r--r--  1 root root 22790 Oct  2 12:31 50ns-mcd-mail.ldif
> -rw-r--r--  1 root root  2392 Oct  2 12:31 50ns-media.ldif
> -rw-r--r--  1 root root  9989 Oct  2 12:31 50ns-mlm.ldif
> -rw-r--r--  1 root root 66775 Oct  2 12:31 50ns-msg.ldif
> -rw-r--r--  1 root root  4648 Oct  2 12:31 50ns-netshare.ldif
> -rw-r--r--  1 root root  3717 Oct  2 12:31 50ns-news.ldif
> -rw-r--r--  1 root root  2392 Oct  2 12:31 50ns-proxy.ldif
> -rw-r--r--  1 root root  4776 Oct  2 12:31 50ns-value.ldif
> -rw-r--r--  1 root root  5207 Oct  2 12:31 50ns-wcal.ldif
> -rw-r--r--  1 root root  2865 Oct  2 12:31 50ns-web.ldif
> -rw-r--r--  1 root root 13355 Oct  2 12:31 51ns-calendar.ldif
> -rw-r--r--  1 root root  4032 Oct  2 12:31 60pam-plugin.ldif
> -rw-r--r--  1 root root   986 Oct  2 12:33 61ldapns.ldif
> -rw-r--r--  1 root root   683 Oct 23 13:50 70ssl_enable.ldif
> -rw-------  1 nobody nobody 2568 Oct 25 10:51 99user.ldif

Is your directory server running as ldap:ldap? If so, the 99user.ldif file
needs to be owned by ldap:ldap, not nobody:nobody.

>
> Eric Brown wrote:
>> When I install 1.0.3, use the default values for setting it up, and
>> start it, the following messages are displayed.
>>
>> [08/Nov/2006:10:51:44 -0600] - Entry "cn=encryption,cn=config"
>> required attribute "objectclass" missing
>> [08/Nov/2006:10:51:45 -0600] - Entry "cn=config" required attribute
>> "objectclass" missing
>> [08/Nov/2006:10:51:45 -0600] - Entry "cn=config" required attribute
>> "objectclass" missing
>> [08/Nov/2006:10:51:45 -0600] - Entry "cn=encryption,cn=config"
>> required attribute "objectclass" missing
> Type the following command:
> ls -al /opt/fedora-ds/slapd-yourinstance/config
> also
> ls -al /opt/fedora-ds/slapd-yourinstance/config/schema
>>
>> I have not added or removed anything from the default schema files and
>> I can't find a message that tells me what object classes are missing.
>> Any ideas on where to look for more detailed information on these
>> errors or why they are appearing in the first place.
>>
>> Thanks.
From gordon.may at gmail.com Thu Nov 9 19:19:18 2006
From: gordon.may at gmail.com (Gordon May)
Date: Thu, 9 Nov 2006 14:19:18 -0500
Subject: [Fedora-directory-users] Macro ACI not working as expected
In-Reply-To: <1163094688.7186.38.camel@whatever>
References: <1163094688.7186.38.camel@whatever>
Message-ID:

Hey Dan,

Try enclosing your target in brackets like this:

aci:(targetattr!="userPassword")(target=(($dn),ou=Domains,dc=example,dc=net))(version 3.0;acl "Allow read access to Domain members";allow(read,search)(userdn="ldap:///mail=*,($dn),ou=Domains,dc=example,dc=net");)

Let me know if that makes a difference.

Gordon

On 11/9/06, Dan wrote:
> I have set up a directory structure as follows:
>
> ou=Domains,dc=example,dc=net
>     o=hostedDomain1.com
>         mail=user1 at hostedDomain1.com
>         mail=user2 at hostedDomain1.com
>         mail=user3 at hostedDomain1.com
>     o=hostedDomain2.net
>         mail=user1 at hostedDomain2.net
>         mail=user2 at hostedDomain2.net
>         mail=user3 at hostedDomain2.net
>     o=hostedDomain3.com
>     ...
>
> I would like to allow any mail user to only read the attributes of the
> users within their domain. For example, user1 at hostedDomain1.com can see
> user2 at hostedDomain1.com, but not user2 at hostedDomain2.net.
>
> I am not allowing anonymous access.
> I have allowed access to the Domains OU with this aci entry (placed on
> the Domains OU):
>
> aci: (targetattr=*)(targetfilter=(ou=Domains)) (version 3.0;acl "Allow
> read access to Domains OU";allow (read,search)
> (userdn="ldap:///mail=*,o=*,ou=Domains,dc=example,dc=net");)
>
> I have placed the following macro aci on the Domains OU without success:
>
> aci:
> (targetattr!="userPassword")
> (target="ldap:///($dn),ou=Domains,dc=example,dc=net")
> (version 3.0;acl "Allow read access to Domain members";allow
> (read,search)(userdn="ldap:///mail=*,($dn),ou=Domains,dc=example,dc=net");)
>
> As I understand it, the second aci should allow read and search access
> to domain ($dn) and all entries below it. However, the behavior that
> I'm seeing is that the user can only see down to the domain with no
> access to the sub-entries. In other words, user1 at hostedDomain1.com can
> see o=hostedDomain1.com,ou=Domains,dc=example,dc=net, but can not see
> anything below.
>
> Am I missing something? How can I get this to work properly?
>
> Thanks in advance.
>

From ckm at olliancegroup.com Thu Nov 9 19:20:41 2006
From: ckm at olliancegroup.com (Chris Maresca)
Date: Thu, 09 Nov 2006 11:20:41 -0800
Subject: [Fedora-directory-users] PAM passthru questions and SecureID
In-Reply-To: <4553781F.5020202@symas.com>
References: <20061109170008.D178473A58@hormel.redhat.com> <4553781F.5020202@symas.com>
Message-ID: <45537F89.7010907@olliancegroup.com>

Howard Chu wrote:
> it's better to get the clients updated.

Sure, that's a realistic option.....

Chris.
--
Chris Maresca
Founding Partner
Olliance Group, LLC
www.olliancegroup.com
+1.650.331.1770 x201

From rmeggins at redhat.com Thu Nov 9 19:51:36 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 09 Nov 2006 12:51:36 -0700
Subject: [Fedora-directory-users] Re: Re: Missing Objectclasses in a Default install of 1.0.3
In-Reply-To:
References:
Message-ID: <455386C8.7030704@redhat.com>

Eric Brown wrote:
> Ok, I changed that, but I am still getting the errors.

try

start-slapd -d 1 > output 2>&1

Post the file output to pastebin.com and post the link here. Be sure to
scrub any sensitive data from the output file first.

From rmeggins at redhat.com Thu Nov 9 20:05:29 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 09 Nov 2006 13:05:29 -0700
Subject: [Fedora-directory-users] Fedora Directory Server 1.0.4 is released!
Message-ID: <45538A09.4040206@redhat.com>

This version is to address some problems with setup after an upgrade
install, plus a couple of other bug fixes.

http://directory.fedora.redhat.com/wiki/Release_Notes

From hyc at symas.com Thu Nov 9 20:08:37 2006
From: hyc at symas.com (Howard Chu)
Date: Thu, 09 Nov 2006 12:08:37 -0800
Subject: [Fedora-directory-users] PAM passthru questions and SecurID
In-Reply-To: <20061109194824.15EB872F37@hormel.redhat.com>
References: <20061109194824.15EB872F37@hormel.redhat.com>
Message-ID: <45538AC5.40109@symas.com>

> From: Chris Maresca
> Howard Chu wrote:
>
>> it's better to get the clients updated.
>
> Sure, that's a realistic option.....

It's simple - either you care about security, or you don't. If you care
about security, then you fix what needs to be fixed. If you don't, then
don't.

--
  -- Howard Chu
  Chief Architect, Symas Corp.
  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/

From deighton at gmail.com Thu Nov 9 20:21:02 2006
From: deighton at gmail.com (Dan)
Date: Thu, 09 Nov 2006 15:21:02 -0500
Subject: [Fedora-directory-users] Macro ACI not working as expected
In-Reply-To:
References: <1163094688.7186.38.camel@whatever>
Message-ID: <1163103662.7186.48.camel@whatever>

On Thu, 2006-11-09 at 14:19 -0500, Gordon May wrote:
> Hey Dan,
>
> Try enclosing your target in brackets like this:
>
> aci:(targetattr!="userPassword")(target=(($dn),ou=Domains,dc=example,dc=net))(version
> 3.0;acl "Allow read access to Domain
> members";allow(read,search)(userdn="ldap:///mail=*,($dn),ou=Domains,dc=example,dc=net");)
>
> Let me know if that makes a difference.

No luck. I received a syntax error. As I understand it, the subject of a
target keyword must be of the form "ldap:///distinguished_name".

>
> Gordon
>

From playactor at gmail.com Thu Nov 9 21:20:33 2006
From: playactor at gmail.com (Eric Brown)
Date: Thu, 9 Nov 2006 15:20:33 -0600
Subject: [Fedora-directory-users] Re: Re: Re: Missing Objectclasses in a Default install of 1.0.3
Message-ID:

While I was cleaning up the output from that start I noticed that the
errors were occurring around some schema files that were added by someone
else that I was working with. Those files had entries in them that
modified the values for turning on and requiring SSLv3.
When I asked about these files, we figured out that the entries were
created by a script that was downloaded from the web documentation. When
those entries were removed from the schema files, the directory server
started just fine.

Sorry for the trouble and thanks for your help.

Date: Thu, 09 Nov 2006 12:51:36 -0700
From: Richard Megginson
Subject: Re: [Fedora-directory-users] Re: Re: Missing Objectclasses in a Default install of 1.0.3
To: "General discussion list for the Fedora Directory server project."
Message-ID: <455386C8.7030704 at redhat.com>
Content-Type: text/plain; charset="iso-8859-1"

Eric Brown wrote:
> Ok, I changed that, but I am still getting the errors.

try

start-slapd -d 1 > output 2>&1

Post the file output to pastebin.com and post the link here. Be sure to
scrub any sensitive data from the output file first.

From ghetrick at minderaser.org Fri Nov 10 00:52:58 2006
From: ghetrick at minderaser.org (Greg Hetrick)
Date: Thu, 9 Nov 2006 18:52:58 -0600
Subject: [Fedora-directory-users] FDS with TLS/SSL Port issue
Message-ID: <20061109185258.te0ea51gm8ko40kk@www.minderaser.org>

New to FDS/LDAP, doing a proof of concept. I have FDS 1.0.4 installed with
SSL enabled on the DS side and TLS enabled on an FC 6 client. In ldap
config I have TLS_REQCERT required.

Question is, should ldap traffic generated from the client to the server
pass on port 636 or port 389? I am seeing traffic that is supposed to be
encrypted passing on the regular ldap port (389). I am seeing what appears
to be correct in the access logs during the communication, indicating that
the traffic is in fact encrypted.
[09/Nov/2006:18:50:10 -0600] conn=3 fd=65 slot=65 connection from 151.148.60.67 to 151.148.218.175 [09/Nov/2006:18:50:10 -0600] conn=3 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS" [09/Nov/2006:18:50:10 -0600] conn=3 op=0 RESULT err=0 tag=120 nentries=0 etime=0 [09/Nov/2006:18:50:10 -0600] conn=3 SSL 256-bit AES [09/Nov/2006:18:50:10 -0600] conn=3 op=1 BIND dn="" method=128 version=3 [09/Nov/2006:18:50:10 -0600] conn=3 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="" [09/Nov/2006:18:50:10 -0600] conn=3 op=2 SRCH base="ou=People,dc=example,dc=com" scope=2 filter="(uid=testuser)" attrs=ALL [09/Nov/2006:18:50:10 -0600] conn=3 op=2 RESULT err=0 tag=101 nentries=1 etime=0 [09/Nov/2006:18:50:10 -0600] conn=3 op=3 UNBIND [09/Nov/2006:18:50:10 -0600] conn=3 op=3 fd=65 closed - U1 Thanks, Greg From nattaponv at hotmail.com Fri Nov 10 10:27:29 2006 From: nattaponv at hotmail.com (nattapon viroonsri) Date: Fri, 10 Nov 2006 10:27:29 +0000 Subject: [Fedora-directory-users] disable bind with blank password Message-ID: Hi, Look like default fedora-ds policy is accept bind with blank password? i have tested with ldapsearch -x -D "uid=someone,ou=people,dc=example,dc=com" -w "" get same result as use correct password if i use wrong password i wil get ldap_bind: Invalid credentials (49) How can i disable bind with blank password ? Thanks Nattapon _________________________________________________________________ Express yourself instantly with MSN Messenger! Download today it's FREE! http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/ From nattaponv at hotmail.com Fri Nov 10 10:20:06 2006 From: nattaponv at hotmail.com (nattapon viroonsri) Date: Fri, 10 Nov 2006 10:20:06 +0000 Subject: [Fedora-directory-users] Bind with Blank password Message-ID: Hi, Look like default fedora-ds accept bind without password. 
I have tested with
ldapsearch -x -D "uid=someuser,ou=people,dc=example,dc=com" -w ""
and it has the same result as using the correct password.

If I use a wrong password, the output returned will be
ldap_bind: Invalid credentials (49)

How can I disable bind with blank password?

Thanks
Nattapon

From radek at eadresa.cz Fri Nov 10 12:31:56 2006
From: radek at eadresa.cz (Radek Hladik)
Date: Fri, 10 Nov 2006 13:31:56 +0100
Subject: [Fedora-directory-users] disable bind with blank password
In-Reply-To:
References:
Message-ID: <4554713C.8000004@eadresa.cz>

nattapon viroonsri wrote:
> Hi,
> 
> Looks like the default fedora-ds policy is to accept bind with blank password?
> I have tested with
> ldapsearch -x -D "uid=someone,ou=people,dc=example,dc=com" -w ""
> and get the same result as using the correct password.
> 
> If I use a wrong password I will get
> ldap_bind: Invalid credentials (49)
> 
> How can I disable bind with blank password?
> 
> Thanks
> Nattapon

I'm not an FDS expert, but as I have noticed, FDS will log you in anonymously if you enter no password... Try to do some changes in FDS without a password (i.e. change the office number of the user you have specified to bind). If you don't want this, you need to disable access for anonymous users.

A feature to disable anonymous binding at all is planned for future versions. In the actual version, all you need/can do is disable ACI for anonymous access. But be sure that no other utility uses anonymous access to LDAP, as i.e. pam and nss do by default.

Radek

From rmeggins at redhat.com Fri Nov 10 14:24:57 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 10 Nov 2006 07:24:57 -0700
Subject: [Fedora-directory-users] disable bind with blank password
In-Reply-To: <4554713C.8000004@eadresa.cz>
References: <4554713C.8000004@eadresa.cz>
Message-ID: <45548BB9.1000803@redhat.com>

Radek Hladik wrote:
> nattapon viroonsri wrote:
>> Hi,
>>
>> Looks like the default fedora-ds policy is to accept bind with blank password?
>> I have tested with
>> ldapsearch -x -D "uid=someone,ou=people,dc=example,dc=com" -w ""
>> and get the same result as using the correct password.
>>
>> If I use a wrong password I will get
>> ldap_bind: Invalid credentials (49)
>>
>> How can I disable bind with blank password?
>>
>> Thanks
>> Nattapon
>
> I'm not an FDS expert, but as I have noticed, FDS will log you in anonymously
> if you enter no password... Try to do some changes in FDS without a
> password (i.e. change the office number of the user you have specified to bind).

Note that this is LDAP standard behavior - BIND with empty password does an anonymous bind, even if a BIND DN was given.

> If you don't want this, you need to disable access for anonymous users.

Access control uses the special BIND subject ldap:///anyone to mean anonymous users.

> A feature to disable anonymous binding at all is planned for future
> versions. In the actual version, all you need/can do is disable ACI for
> anonymous access. But be sure that no other utility uses anonymous
> access to LDAP, as i.e. pam and nss do by default.
Yes, we will be adding some features to disallow anonymous binds to an upcoming version.

> Radek

From hyc at symas.com Fri Nov 10 18:14:45 2006
From: hyc at symas.com (Howard Chu)
Date: Fri, 10 Nov 2006 10:14:45 -0800
Subject: [Fedora-directory-users] FDS with TLS/SSL Port issue
In-Reply-To: <20061110170005.7212373CE1@hormel.redhat.com>
References: <20061110170005.7212373CE1@hormel.redhat.com>
Message-ID: <4554C195.8090301@symas.com>

> Date: Thu, 9 Nov 2006 18:52:58 -0600
> From: Greg Hetrick
> New to FDS/LDAP, doing a proof of concept. I have FDS 1.0.4
> installed with SSL enabled on the DS side and TLS enabled on a FC 6
> client. In ldap config I have TLS_REQCERT required.
>
> Question is, should ldap traffic generated from the client to the
> server pass on port 636 or port 389? I am seeing traffic that is
> supposed to be encrypted passing on the regular ldap port (389).

ldaps:// uses port 636 by default. That's the non-standard method of using LDAP over SSL that was common with LDAPv2. The connection has SSL/TLS enabled on it from the moment the connection opens.

LDAPv3 uses port 389 by default. Connections are always opened in the clear. Then the StartTLS Extended Operation is issued by the client, and an SSL/TLS layer is added to the connection.

> I am seeing what appears to be correct in the access logs during the
> communication, indicating that the traffic is in fact encrypted.

Your log clearly shows StartTLS being used, successfully. Looks normal.

-- 
  -- Howard Chu
  Chief Architect, Symas Corp.
  http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc
  OpenLDAP Core Team         http://www.openldap.org/project/

From deighton at gmail.com Fri Nov 10 18:53:53 2006
From: deighton at gmail.com (Dan)
Date: Fri, 10 Nov 2006 13:53:53 -0500
Subject: [Fedora-directory-users] Macro ACI not working as expected
In-Reply-To: <1163103662.7186.48.camel@whatever>
References: <1163094688.7186.38.camel@whatever> <1163103662.7186.48.camel@whatever>
Message-ID: <1163184833.5367.6.camel@whatever>

On Thu, 2006-11-09 at 15:21 -0500, Dan wrote:
> On Thu, 2006-11-09 at 14:19 -0500, Gordon May wrote:
> > Hey Dan,
> > 
> > Try enclosing your target in brackets like this:
> > 
> > aci:(targetattr!="userPassword")(target=(($dn),ou=Domains,dc=example,dc=net))(version
> > 3.0;acl "Allow read access to Domain
> > members";allow(read,search)(userdn="ldap:///mail=*,($dn),ou=Domains,dc=example,dc=net");)
> > 
> > Let me know if that makes a difference.
> 
> No luck. I received a syntax error. As I understand it, the subject of
> a target keyword must be of the form "ldap:///distinguished_name".
> 

I was able to get this working by using the following aci:

(targetattr!="userPassword")
(target="ldap:///($dn),ou=Domains,dc=example,dc=net")
(version 3.0;acl "Allow read access to Domain members";allow
(read,search)(userdn="ldap:///mail=*,[$dn],ou=Domains,dc=example,dc=net");)

I'm not sure why changing from ($dn) to [$dn] in the userdn bind rule fixed the problem, but it did the trick. I think it should have worked either way, but I'm just happy it is ok now.
> > 
> > Gordon
> > 
> > On 11/9/06, Dan wrote:
> > > I have set up a directory structure as follows:
> > > 
> > > ou=Domains,dc=example,dc=net
> > >     o=hostedDomain1.com
> > >         mail=user1 at hostedDomain1.com
> > >         mail=user2 at hostedDomain1.com
> > >         mail=user3 at hostedDomain1.com
> > >     o=hostedDomain2.net
> > >         mail=user1 at hostedDomain2.net
> > >         mail=user2 at hostedDomain2.net
> > >         mail=user3 at hostedDomain2.net
> > >     o=hostedDomain3.com
> > >     ...
> > > 
> > > I would like to allow any mail user to only read the attributes of the
> > > users within their domain. For example, user1 at hostedDomain1.com can see
> > > user2 at hostedDomain1.com, but not user2 at hostedDomain2.net.
> > > 
> > > I am not allowing anonymous access.
> > > I have allowed access to the Domains OU with this aci entry (placed on
> > > the Domains OU):
> > > 
> > > aci: (targetattr=*)(targetfilter=(ou=Domains)) (version 3.0;acl "Allow
> > > read access to Domains OU";allow (read,search)
> > > (userdn="ldap:///mail=*,o=*,ou=Domains,dc=example,dc=net");)
> > > 
> > > I have placed the following macro aci on the Domains OU without success:
> > > 
> > > aci:
> > > (targetattr!="userPassword")
> > > (target="ldap:///($dn),ou=Domains,dc=example,dc=net")
> > > (version 3.0;acl "Allow read access to Domain members";allow
> > > (read,search)(userdn="ldap:///mail=*,($dn),ou=Domains,dc=example,dc=net");)
> > > 
> > > As I understand it, the second aci should allow read and search access
> > > to domain ($dn) and all entries below it. However, the behavior that
> > > I'm seeing is that the user can only see down to the domain with no
> > > access to the sub-entries. In other words, user1 at hostedDomain1.com can
> > > see o=hostedDomain1.com,ou=Domains,dc=example,dc=net, but can not see
> > > anything below.
> > > 
> > > Am I missing something? How can I get this to work properly?
> > > 
> > > Thanks in advance.
From glenn at mail.txwes.edu Fri Nov 10 19:05:09 2006
From: glenn at mail.txwes.edu (Glenn)
Date: Fri, 10 Nov 2006 13:05:09 -0600
Subject: [Fedora-directory-users] Unattended Admin Server Startup
Message-ID: <20061110190405.M38582@mail.txwes.edu>

I'm testing a new installation of Directory Server. I have both the directory server and the admin server using SSL. There are instructions for auto-starting the SSL-enabled directory server at boot time by putting the SSL password in a text file, and this works fine. But I can't seem to find any instructions for doing the same with the admin server, so the boot process stops at the password prompt for the admin server. Anyone have a clue how to get this done?

The message prompt when the admin server tries to start is:

"Please enter password for "NSS Certificate DB" token:"

Thanks. -G.

From rcritten at redhat.com Fri Nov 10 19:10:23 2006
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 10 Nov 2006 14:10:23 -0500
Subject: [Fedora-directory-users] Unattended Admin Server Startup
In-Reply-To: <20061110190405.M38582@mail.txwes.edu>
References: <20061110190405.M38582@mail.txwes.edu>
Message-ID: <4554CE9F.10506@redhat.com>

Glenn wrote:
> I'm testing a new installation of Directory Server. I have both
> the directory server and the admin server using SSL. There are instructions
> for auto-starting the SSL-enabled directory server at boot time by putting
> the SSL password in a text file, and this works fine.
> But I can't seem to
> find any instructions for doing the same with the admin server, so the boot
> process stops at the password prompt for the admin server. Anyone have a
> clue how to get this done?
> 
> The message prompt when the admin server tries to start is:
> 
> "Please enter password for "NSS Certificate DB" token:"

What version of FDS are you using? There is a similar way to set up admin server with a password file but the name of the token here looks wrong.

To do it for the admin server look in /opt/fedora-ds/admin-serv/config/nss.conf

There will be an entry for NSSPassPhraseDialog. It should have the form:

NSSPassPhraseDialog file:/opt/fedora-ds/alias/password.conf

So /opt/fedora-ds/alias/password.conf holds the token password. The format of the file is:

token_name:password

The default token name is "internal".

rob

From rmeggins at redhat.com Fri Nov 10 19:21:46 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 10 Nov 2006 12:21:46 -0700
Subject: [Fedora-directory-users] Unattended Admin Server Startup
In-Reply-To: <20061110190405.M38582@mail.txwes.edu>
References: <20061110190405.M38582@mail.txwes.edu>
Message-ID: <4554D14A.1070709@redhat.com>

Glenn wrote:
> I'm testing a new installation of Directory Server. I have both
> the directory server and the admin server using SSL. There are instructions
> for auto-starting the SSL-enabled directory server at boot time by putting
> the SSL password in a text file, and this works fine. But I can't seem to
> find any instructions for doing the same with the admin server, so the boot
> process stops at the password prompt for the admin server. Anyone have a
> clue how to get this done?
> 
http://directory.fedora.redhat.com/wiki/Howto:SSL#admin-serv.2Fconfig.2Fnss.conf

> The message prompt when the admin server tries to start is:
> 
> "Please enter password for "NSS Certificate DB" token:"
> 
> Thanks. -G.

From deighton at gmail.com Fri Nov 10 21:53:15 2006
From: deighton at gmail.com (Dan)
Date: Fri, 10 Nov 2006 16:53:15 -0500
Subject: [Fedora-directory-users] roleOccupant in ACI
Message-ID: <1163195595.6566.11.camel@whatever>

I am in the process of migrating ACLs from OpenLDAP to ACIs in FDS. I'm having trouble figuring out how to best convert from "group/organizationalRole/roleOccupant" bind rules to a comparable method in the Fedora Directory Server. Do I need to move the roleOccupant entries to uniquemember entries (which would require objectClass changes as well) then use a groupDN bind rule? I would rather not change the data. Is it possible to have the groupDN bind rule use an attribute other than uniquemember?

Any help/thoughts would be appreciated.

From pkime at Shopzilla.com Fri Nov 10 23:46:21 2006
From: pkime at Shopzilla.com (Philip Kime)
Date: Fri, 10 Nov 2006 15:46:21 -0800
Subject: [Fedora-directory-users] password policy on FDS 1.0.2 - doesn't seem to work?
Message-ID: <9C0091F428E697439E7A773FFD083427435B4F@szexchange.Shopzilla.inc>

I have

pam_lookup_policy yes

and a user-local password policy for one user as a test.

If I try to change the user's password, it updates fine in LDAP but doesn't warn me about the policy restrictions (set to min 8 chars but I can use 7 no problem, for example).

I read that PAM needs anonymous bind access to the objectclass=passwordpolicy attrs?
I tried that but it made no difference.

The really odd thing is that the policy object lives in:

cn=nspwpolicycontainer,ou=people,dc=blah,dc=com

but if I ldapsearch on '(objectclass=passwordpolicy)' in the above container (or in the whole root DSE for that matter), I find nothing, even if I bind as Directory Manager. It's there - I can see the object in the GUI.

PK

-- 
Philip Kime
NOPS Systems Architect
310 401 0407

From rmeggins at redhat.com Fri Nov 10 23:57:21 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 10 Nov 2006 16:57:21 -0700
Subject: [Fedora-directory-users] password policy on FDS 1.0.2 - doesn't seem to work?
In-Reply-To: <9C0091F428E697439E7A773FFD083427435B4F@szexchange.Shopzilla.inc>
References: <9C0091F428E697439E7A773FFD083427435B4F@szexchange.Shopzilla.inc>
Message-ID: <455511E1.6070107@redhat.com>

Philip Kime wrote:
> I have
> 
> pam_lookup_policy yes
> 
> and a user-local password policy for one user as a test.
> 
> If I try to change the user's password, it updates fine in LDAP but
> doesn't warn me about the policy restrictions (set to min 8 chars but I
> can use 7 no problem, for example).

I'm not sure what PAM is doing here. You can always verify that you are being properly restricted on password syntax by using ldapmodify or ldappasswd from the command line.

> I read that PAM needs anonymous bind access to the
> objectclass=passwordpolicy attrs? I tried that but it made no difference.
> The really odd thing is that the policy object lives in:
> 
> cn=nspwpolicycontainer,ou=people,dc=blah,dc=com
> 
> but if I ldapsearch on '(objectclass=passwordpolicy)' in the above
> container (or in the whole root DSE for that matter), I find
> nothing, even if I bind as Directory Manager. It's there - I can see
> the object in the GUI.

This entry has objectclass ldapSubEntry, which means it is hidden from normal searches.
Try a search filter like (|(objectclass=*)(objectclass=ldapSubEntry)) to see these types of entries + normal entries. This is what the console does automatically, and you can verify this by looking at your access log.

> PK

From bart at schelstraete.org Sat Nov 11 12:21:55 2006
From: bart at schelstraete.org (Bart Schelstraete)
Date: Sat, 11 Nov 2006 13:21:55 +0100
Subject: [Fedora-directory-users] deleting user -> deleting from group
Message-ID: <9905faa50611110421n54fc0fa6h74e8278180f87004@mail.gmail.com>

Hello,

In the past I always used the 'older' Netscape 4.1 directory servers on our servers containing more than hundreds of thousands of users and groups. And the Netscape/i-planet mailservers, collabra servers, webservers, proxy servers, etc. integrated perfectly with that. That's why I'm happy that Redhat now has the LDAP server from Netscape. I hope they (Redhat) will maybe also buy the mailserver etc., because then it will really be used in the enterprises.

And now I tried the fedora-ds on my linux box, and it works fine. Now, I have a small question.

In the past, when I deleted a user from LDAP, that user was automatically deleted from all groups. I did the same test with the fedora-ds, but it doesn't remove that user from the groups, so leaving the group in an unhealthy state.

Did I forget to configure something, or is this a known issue?
rgrds,
Bart

-- 
Schelstraete Bart
http://www.schelstraete.org
bart at schelstraete.org

From pkime at Shopzilla.com Sun Nov 12 00:17:04 2006
From: pkime at Shopzilla.com (Philip Kime)
Date: Sat, 11 Nov 2006 16:17:04 -0800
Subject: [Fedora-directory-users] Re: password policy on FDS 1.0.2 - doesn't seem to work?
Message-ID: <9C0091F428E697439E7A773FFD083427435B51@szexchange.Shopzilla.inc>

Many thanks for the reply, helpful as always!

> I'm not sure what PAM is doing here. You can always verify that you are being properly
> restricted on password syntax by using ldapmodify or ldappasswd from the command line.

It seems not - ldappasswd doesn't enforce the policy whether I bind with the user in question or Directory Manager. I've tried with subtree policies and also user-only policies. If I try to change the password in the GUI, the password policy works ok.

> This entry has objectclass ldapSubEntry, which means it is hidden from normal searches.

Hmm, I wonder if PAM and ldappasswd are not finding the policies as a result of this? There is nothing interesting in the access log - I can see the extop password operation line but it doesn't say anything about the filter used to look for password policy objects? Is there perhaps a way to include ldapSubEntry objects in normal searches?

PK

From david_list at boreham.org Sun Nov 12 01:29:45 2006
From: david_list at boreham.org (David Boreham)
Date: Sat, 11 Nov 2006 18:29:45 -0700
Subject: [Fedora-directory-users] Re: password policy on FDS 1.0.2 - doesn't seem to work?
In-Reply-To: <9C0091F428E697439E7A773FFD083427435B51@szexchange.Shopzilla.inc>
References: <9C0091F428E697439E7A773FFD083427435B51@szexchange.Shopzilla.inc>
Message-ID: <45567909.1010807@boreham.org>

>Hmm, I wonder if PAM and ldappasswd are not finding the policies as a
>result of this?
>There is nothing interesting in the access log - I can
>see the extop password operation line but it doesn't say anything about
>the filter used to look for password policy objects? Is there perhaps a
>way to include ldapSubEntry objects in normal searches?
>

The server enforces the policy internally, and (at least in theory) all the code paths that modify passwords should be calling the same policy checking function. So ldappasswd, ldapmodify and the GUI should see exactly the same policy.

If you turn up the logging level you might see more interesting output (in the errors log, not the access log, which is always quite terse).

From minfrin at sharp.fm Sun Nov 12 16:20:18 2006
From: minfrin at sharp.fm (Graham Leggett)
Date: Sun, 12 Nov 2006 18:20:18 +0200
Subject: [Fedora-directory-users] v1.0.4 SSL: Could not open file slapd--cert8.db
Message-ID: <455749C2.9050107@sharp.fm>

Hi all,

While trying to enable SSL on a v1.0.4 FDS directory instance, an attempt to click on "Manage Certificates" results in the above error message.

In v1.0.2, the certificate database was in /opt/fedora-ds/alias, and in this case the database was created in this directory and is owned by ldap:ldap (the user running the ldap server).

No indication is given as to why the file could not be opened, nor is an indication given of which path is being used to find the database.

Does anyone have any ideas?

Regards,
Graham
--

From gordon.may at gmail.com Sun Nov 12 16:29:46 2006
From: gordon.may at gmail.com (Gordon May)
Date: Sun, 12 Nov 2006 11:29:46 -0500
Subject: [Fedora-directory-users] v1.0.4 SSL: Could not open file slapd--cert8.db
In-Reply-To: <455749C2.9050107@sharp.fm>
References: <455749C2.9050107@sharp.fm>
Message-ID:

Check the permissions on the folder. I've had problems where the file is owned by ldap but the folder isn't.
Gordon

On 11/12/06, Graham Leggett wrote:
> Hi all,
> 
> While trying to enable SSL on a v1.0.4 FDS directory instance, an
> attempt to click on "Manage Certificates" results in the above error
> message.
> 
> In v1.0.2, the certificate database was in /opt/fedora-ds/alias, and in
> this case the database was created in this directory and is owned by
> ldap:ldap (the user running the ldap server).
> 
> No indication is given as to why the file could not be opened, nor is an
> indication given of which path is being used to find the database.
> 
> Does anyone have any ideas?
> 
> Regards,
> Graham

From minfrin at sharp.fm Sun Nov 12 17:09:21 2006
From: minfrin at sharp.fm (Graham Leggett)
Date: Sun, 12 Nov 2006 19:09:21 +0200
Subject: [Fedora-directory-users] v1.0.4 SSL: Could not open file slapd--cert8.db
In-Reply-To:
References: <455749C2.9050107@sharp.fm>
Message-ID: <45575541.8070608@sharp.fm>

Gordon May wrote:
> Check the permissions on the folder. I've had problems where the file
> is owned by ldap but the folder isn't.

The alias folder in this case is owned by the ldap:ldap user/group, which in turn matches the user running the slapd server. The admin server is running as root, so should not have hassles (the admin server can see the admin server certificate database, it cannot however find the directory server certificate database).

Regards,
Graham
--

From pkime at Shopzilla.com Sun Nov 12 19:51:29 2006
From: pkime at Shopzilla.com (Philip Kime)
Date: Sun, 12 Nov 2006 11:51:29 -0800
Subject: [Fedora-directory-users] Re: Re: password policy on FDS 1.0.2 - doesn't seem to work?
Message-ID: <9C0091F428E697439E7A773FFD083427435B55@szexchange.Shopzilla.inc>

> The server enforces the policy internally, and (at least in theory) all the code paths
> that modify passwords should be calling the same policy checking function. So
> ldappasswd, ldapmodify and the GUI should see exactly the same policy. If you turn up
> the logging level you might see more interesting output (in the errors log, not the
> access log, which is always quite terse).

I put "heavy logging on" but I can't see anything to do with password policies (below is the trace from one ldappasswd update operation which should have failed due to password policy). I also looked at the function traces and there are calls to get the DNs of the policy object but no errors or anything to say they were applied.

[errors log trace of the ldappasswd operation omitted]

From pkime at Shopzilla.com Sun Nov 12 20:12:51 2006
From: pkime at Shopzilla.com (Philip Kime)
Date: Sun, 12 Nov 2006 12:12:51 -0800
Subject: [Fedora-directory-users] Re: Re: password policy on FDS 1.0.2 - doesn't seem to work?
Message-ID: <9C0091F428E697439E7A773FFD083427435B56@szexchange.Shopzilla.inc>

Hmm - If I enable password syntax checking globally, it works - ldappasswd applies the policy and so does PAM via pam_ldap. If it's a local policy on a subtree or user, it doesn't? I have checked and the cn=config "nsslapd-pwpolicy-local" is set to "on" so it should be applying local password policies. Do I have to enable the password syntax checking at a global level (possibly with no actual restrictions) and then override it at the local level?

PK

From nkinder at redhat.com Mon Nov 13 02:23:38 2006
From: nkinder at redhat.com (Nathan Kinder)
Date: Sun, 12 Nov 2006 18:23:38 -0800
Subject: [Fedora-directory-users] Re: Re: password policy on FDS 1.0.2 - doesn't seem to work?
In-Reply-To: <9C0091F428E697439E7A773FFD083427435B56@szexchange.Shopzilla.inc>
References: <9C0091F428E697439E7A773FFD083427435B56@szexchange.Shopzilla.inc>
Message-ID: <4557D72A.600@redhat.com>

Philip Kime wrote:
> Hmm - if I enable password syntax checking globally, it works -
> ldappasswd applies the policy and so does PAM via pam_ldap. If it's a
> local policy on a subtree or user, it doesn't? I have checked and the
> cn=config "nsslapd-pwpolicy-local" is set to "on", so it should be
> applying local password policies. Do I have to enable the password
> syntax checking at a global level (possibly with no actual restrictions)
> and then override it at the local level?
>
Yes. The global setting must be enabled to use any sort of password syntax checking. You can then override it at the subtree or user level.

-NGK

> PK
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
From ebeda at udsm.ac.tz Mon Nov 13 12:56:29 2006
From: ebeda at udsm.ac.tz (Eric Beda)
Date: Mon, 13 Nov 2006 15:56:29 +0300 (EAT)
Subject: [Fedora-directory-users] Help with integrating POSTFIX, SAMBA and FEDORA DS
Message-ID: <4998.196.44.161.199.1163422589.squirrel@www.uccmail.co.tz>

Hi, I'm very new to Fedora DS and LDAP in general. I just downloaded LDAP a couple of weeks ago and I have been playing around with it for some time. I'm trying to create a directory server and have Postfix and Samba users authenticate against it. I've been through tutorials on the net, especially the Fedora DS wiki, but every howto looks at it from a migration scenario, whereas I'm trying to build this from scratch. Anyway, I tried going through the tutorials, but I get stuck when I try to add a user with ldapmodify -a: I get an error "unknown object class courierMailAlias". I tried searching for the objectclass on the net, but to no avail... Can anybody please shed some light?

Thanks

From rmeggins at redhat.com Mon Nov 13 16:42:32 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 13 Nov 2006 09:42:32 -0700
Subject: [Fedora-directory-users] Re: password policy on FDS 1.0.2 - doesn't seem to work?
In-Reply-To: <9C0091F428E697439E7A773FFD083427435B51@szexchange.Shopzilla.inc>
References: <9C0091F428E697439E7A773FFD083427435B51@szexchange.Shopzilla.inc>
Message-ID: <4558A078.4030506@redhat.com>

Philip Kime wrote:
> Many thanks for the reply, helpful as always!
>
>> I'm not sure what PAM is doing here. You can always verify that you
>> are being properly restricted on password syntax by using ldapmodify
>> or ldappasswd from the command line.
>
> It seems not - ldappasswd doesn't enforce the policy whether I bind with
> the user in question or Directory Manager. I've tried with subtree
> policies and also user-only policies.
> If I try to change the password in
> the GUI, the password policy works ok.
>
Check the access log for the server, and you may also need to turn on the trace level error logging.

>> This entry has objectclass ldapSubEntry, which means it is hidden from
>> normal searches.
>
> Hmm, I wonder if PAM and ldappasswd are not finding the policies as a
> result of this? There is nothing interesting in the access log - I can
> see the extop password operation line but it doesn't say anything about
> the filter used to look for password policy objects? Is there perhaps a
> way to include ldapSubEntry objects in normal searches?
>
No. The policy is supposed to be enforced on the server side. The client should not be attempting to use the policy settings on the server.

> PK
>

From rmeggins at redhat.com Mon Nov 13 17:06:08 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 13 Nov 2006 10:06:08 -0700
Subject: [Fedora-directory-users] deleting user -> deleting from group
In-Reply-To: <9905faa50611110421n54fc0fa6h74e8278180f87004@mail.gmail.com>
References: <9905faa50611110421n54fc0fa6h74e8278180f87004@mail.gmail.com>
Message-ID: <4558A600.8070800@redhat.com>

Bart Schelstraete wrote:
> Hello,
>
> In the past I always used the 'older' Netscape 4.1 directory servers
> on our servers containing more than hundreds of thousands of users and
> groups. And the Netscape/i-planet mailservers, collabra servers,
> webservers, proxy servers, etc. integrated perfectly with that.
>
> That's why I'm happy that Redhat now has the LDAP server from
> Netscape.
> I hope they (Redhat) will maybe also buy the mailserver etc.,
> because then it will really be used in the enterprises.
>
> And now I tried the fedora-ds on my linux box, and it works fine.
> Now, I have a small question. In the past, when I deleted a user from
> LDAP, that user was automatically deleted from all groups. I did the
> same test with the fedora-ds, but it doesn't remove that user from
> the groups, so leaving the group in an unhealthy state.
> Did I forget to configure something, or is this a known issue?
Yes. Older versions of the server had the referential integrity plug-in enabled by default. We found that this was a performance hit in most cases where it was not needed. Since you do need it, you need to enable it. Just make sure that the attributes that it requires to find the references are indexed.
>
> rgrds,
> Bart

From rmeggins at redhat.com Mon Nov 13 18:11:29 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 13 Nov 2006 11:11:29 -0700
Subject: [Fedora-directory-users] v1.0.4 SSL: Could not open file slapd--cert8.db
In-Reply-To: <455749C2.9050107@sharp.fm>
References: <455749C2.9050107@sharp.fm>
Message-ID: <4558B551.8040104@redhat.com>

Graham Leggett wrote:
> Hi all,
>
> While trying to enable SSL on a v1.0.4 FDS directory instance, an
> attempt to click on "Manage Certificates" results in the above error
> message.
Was this an upgrade install or a fresh install? I've tried to reproduce this with a fresh install of fds1.0.4. I did the setup with all of the defaults, including the default nobody:nobody (I didn't create an ldap user). After running the console, I went into the directory server console, ran Manage Certificates, entered the new password for the cert/key db, and pressed ok. I got no errors.
This is what I had:

ls -al /opt/fedora-ds/alias
drwxrwxr-x   2 nobody nobody   4096 Nov 13 11:09 .
drwxr-xr-x  15 root   root     4096 Nov 13 11:09 ..
-rwxr-xr-x   1 nobody nobody 239744 Nov  7 21:38 libnssckbi.so
-rw-------   1 nobody nobody  16384 Nov 13 11:09 secmod.db
-rw-------   1 nobody nobody  65536 Nov 13 11:09 slapd-localhost-cert8.db
-rw-------   1 nobody nobody  16384 Nov 13 11:09 slapd-localhost-key3.db

>
> In v1.0.2, the certificate database was in /opt/fedora-ds/alias, and
> in this case the database was created in this directory and is owned
> by ldap:ldap (the user running the ldap server).
>
> No indication is given as to why the file could not be opened, nor is
> an indication given of which path is being used to find the database.
You can use startconsole -D to get more information. If the problem is with the admin server, you can use start-admin -e debug or edit admin-serv/config/httpd.conf and change LogLevel to debug.
>
> Does anyone have any ideas?
>
> Regards,
> Graham
> --
>

From radek at eadresa.cz Mon Nov 13 19:22:29 2006
From: radek at eadresa.cz (Radek Hladik)
Date: Mon, 13 Nov 2006 20:22:29 +0100
Subject: [Fedora-directory-users] Auditing attribute changes
Message-ID: <4558C5F5.6080707@eadresa.cz>

Hi,
is there any way to log changes to a selected attribute only? I would need to monitor changes of user passwords (users claim that their password sometimes stops working and I have to reset them). It would be enough to audit LDAP modifications on all attributes. I think that the retro changelog plugin would help, but I do not know how to configure it... Is there any documentation for this plugin?
Radek

From rmeggins at redhat.com Mon Nov 13 19:42:02 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 13 Nov 2006 12:42:02 -0700
Subject: [Fedora-directory-users] Auditing attribute changes
In-Reply-To: <4558C5F5.6080707@eadresa.cz>
References: <4558C5F5.6080707@eadresa.cz>
Message-ID: <4558CA8A.2070809@redhat.com>

Radek Hladik wrote:
> Hi,
> is there any way to log changes to a selected attribute only?
No. Both the retro changelog and the audit log contain every change to every attribute.
> I would need to monitor changes of user passwords (users claim that
> their password sometimes stops working and I have to reset them). It
> would be enough to audit LDAP modifications on all attributes. I think
> that the retro changelog plugin would help, but I do not know how to
> configure it... Is there any documentation for this plugin?
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/replicat.html#1107718

You might also want to investigate the audit log:
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/dsstats.html#1092377
>
> Radek
>

From koippa at gmail.com Mon Nov 13 19:59:14 2006
From: koippa at gmail.com (Kimmo Koivisto)
Date: Mon, 13 Nov 2006 21:59:14 +0200
Subject: [Fedora-directory-users] Questions about the referential integrity plug-in
Message-ID: <200611132159.14468.koippa@gmail.com>

Hello

I tried the referential integrity plug-in and it worked as expected with a single master environment and groupofnames and groupofuniquenames groups. I read the admin guide but there were some things that I did not fully understand:

1. How about a multimaster environment: if I have servers A and B and I enable the plug-in on server A, when a change is done to server B, server A should make deletions or modifications to the directory. But what if server A is down for maintenance and a user is deleted from server B, what happens? Does server A do anything when it is started after maintenance?

2. How to enable referential integrity for the memberUid attribute? I have user cn=user,c=fi that has uid=user and that user is added to group example so that there is attribute memberUid=user. When the user is deleted, the uid should be removed from the example group. How to achieve this? I tried to add nsslapd-pluginarg7=memberUid to the plugin but it did not work.

I'm testing this with FC4 and FDS 1.0.4.

Best Regards
Kimmo Koivisto

From gordon.may at gmail.com Mon Nov 13 20:18:19 2006
From: gordon.may at gmail.com (Gordon May)
Date: Mon, 13 Nov 2006 15:18:19 -0500
Subject: [Fedora-directory-users] Single Sign On
Message-ID:

Hello,

I was wondering if anyone can help me with setting up a single sign on system. I want my users to be able to sign on once and have access to all areas of our site, i.e. Forum, wiki, Trac, SVN, etc. From what I've read it looks like Kerberos will be needed for this.

Is there a way to do this without Kerberos?

Is there a single tool that I can use to manage user passwords and FDS? I.e. user account creation, deletion, updating, password resets, etc.

How do I force FDS to ask Kerberos if a user's password is correct?

Thanks,
Gordon
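Returning to Radek's auditing question and Richard's answer above: the audit log records every change but not the client that made it, so finding who reset a password and from where means joining it with the access log. The script below is an added example, not code from the thread or from Fedora DS; the audit and access log lines in it are constructed samples in the 1.0-era formats (example.com names, RFC 5737 addresses), and the file locations are assumptions to be replaced with the real log paths.

```shell
#!/bin/sh
# Added example: list userPassword modifications from the audit log and look up
# the client address of each in the access log. Sample logs are constructed.

WORK=${TMPDIR:-/tmp}/fds-audit-demo.$$
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Constructed audit-log records: one password reset by Directory Manager and
# one unrelated mail change; records are separated by a blank line.
cat >"$WORK/audit" <<'EOF'
time: 20061113194202
dn: uid=jdoe,ou=People,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {SSHA}c29tZWhhc2hlZHZhbHVlCg==
-
replace: modifiersname
modifiersname: cn=directory manager
-
replace: modifytimestamp
modifytimestamp: 20061113194202Z
-

time: 20061113194330
dn: uid=asmith,ou=People,dc=example,dc=com
changetype: modify
replace: mail
mail: asmith@example.com
-
replace: modifiersname
modifiersname: uid=asmith,ou=People,dc=example,dc=com
-

EOF

# Constructed access-log lines: the "connection from" line ties a conn number
# to a client address; the MOD line ties the conn number to the changed DN.
cat >"$WORK/access" <<'EOF'
[13/Nov/2006:19:42:01 -0700] conn=12 fd=64 slot=64 connection from 192.0.2.10 to 198.51.100.5
[13/Nov/2006:19:42:01 -0700] conn=12 op=0 BIND dn="cn=directory manager" method=128 version=3
[13/Nov/2006:19:42:01 -0700] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[13/Nov/2006:19:42:02 -0700] conn=12 op=1 MOD dn="uid=jdoe,ou=People,dc=example,dc=com"
[13/Nov/2006:19:42:02 -0700] conn=12 op=1 RESULT err=0 tag=103 nentries=0 etime=0
[13/Nov/2006:19:42:03 -0700] conn=12 op=2 UNBIND
[13/Nov/2006:19:42:03 -0700] conn=12 op=2 fd=64 closed - U1
[13/Nov/2006:19:43:29 -0700] conn=13 fd=65 slot=65 connection from 192.0.2.77 to 198.51.100.5
[13/Nov/2006:19:43:29 -0700] conn=13 op=0 BIND dn="uid=asmith,ou=People,dc=example,dc=com" method=128 version=3
[13/Nov/2006:19:43:30 -0700] conn=13 op=1 MOD dn="uid=asmith,ou=People,dc=example,dc=com"
[13/Nov/2006:19:43:30 -0700] conn=13 op=1 RESULT err=0 tag=103 nentries=0 etime=0
EOF

# Print one tab-separated line (time, DN, modifier) per audit record that
# touches userPassword. awk paragraph mode (RS=) reads one record at a time.
password_changes() {
    awk -v RS= -v FS='\n' '
        {
            hit = 0; t = ""; d = ""; m = ""
            for (i = 1; i <= NF; i++) {
                if (tolower($i) ~ /^(replace|add|delete): userpassword$/) hit = 1
                else if ($i ~ /^time: /) t = substr($i, 7)
                else if ($i ~ /^dn: /) d = substr($i, 5)
                else if (tolower($i) ~ /^modifiersname: /) m = substr($i, 16)
            }
            if (hit) printf "%s\t%s\t%s\n", t, d, m
        }' "$1"
}

# For every MOD of the given DN in the access log, print the client address of
# the connection that sent it. Narrow by timestamp if the DN is modified often.
client_of_mod() {
    grep -F "MOD dn=\"$2\"" "$1" | sed 's/.*conn=\([0-9]*\) .*/\1/' | sort -u |
    while read -r conn; do
        grep -E "conn=$conn fd=[0-9]+ slot=[0-9]+ (SSL )?connection from " "$1" |
        sed 's/.*connection from \([^ ]*\) to .*/\1/'
    done
}

# Join the two: time, DN, modifier, client address(es).
report_password_changes() {
    password_changes "$1" | while IFS="$(printf '\t')" read -r t d m; do
        ip=$(client_of_mod "$2" "$d" | paste -sd, -)
        printf '%s\t%s\t%s\t%s\n' "$t" "$d" "$m" "${ip:-unknown}"
    done
}

report_password_changes "$WORK/audit" "$WORK/access"
```

On a real server point the two functions at the instance's audit and access logs (the audit log must be enabled first, as Richard's second link describes); the DN is matched as the client wrote it, which is the same form in both logs because both come from the same operation.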
From radek at eadresa.cz Mon Nov 13 20:49:01 2006
From: radek at eadresa.cz (Radek Hladik)
Date: Mon, 13 Nov 2006 21:49:01 +0100
Subject: [Fedora-directory-users] Auditing attribute changes
In-Reply-To: <4558CA8A.2070809@redhat.com>
References: <4558C5F5.6080707@eadresa.cz> <4558CA8A.2070809@redhat.com>
Message-ID: <4558DA3D.5020204@eadresa.cz>

Richard Megginson wrote:
> Radek Hladik wrote:
>> Hi,
>> is there any way to log changes to a selected attribute only?
> No. Both the retro changelog and the audit log contain every change to
> every attribute.
>> I would need to monitor changes of user passwords (users claim that
>> their password sometimes stops working and I have to reset them). It
>> would be enough to audit LDAP modifications on all attributes. I think
>> that the retro changelog plugin would help, but I do not know how to
>> configure it... Is there any documentation for this plugin?
> http://www.redhat.com/docs/manuals/dir-server/ag/7.1/replicat.html#1107718
>
> You might also want to investigate the audit log:
> http://www.redhat.com/docs/manuals/dir-server/ag/7.1/dsstats.html#1092377
>>
I've already enabled both of them and it seems to me that the audit log contains more detailed information. I would need the IP of the user performing the modification, but I think that I will be able to look it up in the access log.

Radek

From rmeggins at redhat.com Mon Nov 13 21:20:34 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 13 Nov 2006 14:20:34 -0700
Subject: [Fedora-directory-users] Questions about the referential integrity plug-in
In-Reply-To: <200611132159.14468.koippa@gmail.com>
References: <200611132159.14468.koippa@gmail.com>
Message-ID: <4558E1A2.5090804@redhat.com>

Kimmo Koivisto wrote:
> Hello
>
> I tried the referential integrity plug-in and it worked as expected with a
> single master environment and groupofnames and groupofuniquenames groups.
> I read the admin guide but there were some things that I did not fully
> understand:
>
> 1. How about a multimaster environment: if I have servers A and B and I enable
> the plug-in on server A, when a change is done to server B, server A should make
> deletions or modifications to the directory.
>
No. The referint plug-in will not replicate changes. From referint.c:

    /* this plugin should only execute if the operation was successful
       and this is not a replicated op */
    if(oprc != 0 || isrepop){
        return( 0 );
    }

So you should enable the referint plug-in on all servers.

> But what if server A is down for maintenance and a user is deleted from
> server B, what happens? Does server A do anything when it is started
> after maintenance?
>
Once the server is restarted it will attempt to resync with the other server. Both the external deletion and the internal modification operation will be replicated to the other server.

> 2. How to enable referential integrity for the memberUid attribute?
> I have user cn=user,c=fi that has uid=user and that user is added to group
> example so that there is attribute memberUid=user.
>
Is the value of memberUid the full DN of the user or just the userid? I don't think it will work in either case. If it is the full DN, then the syntax definition is not correct - memberUid has SYNTAX for case sensitive string, but it would need to have 1.3.6.1.4.1.1466.115.121.1.12 distinguished name in order for equality searches to work correctly. If memberUid is just the user id, then referential integrity won't work because it was only designed to deal with DN valued attributes, such as member, uniquemember, owner, and seeAlso. I think you would have to change the referential integrity code to use attributes other than the DN to look up the entries to change the references to.

> When the user is deleted, the uid should be removed from the example group. How to achieve
> this?
> I tried to add nsslapd-pluginarg7=memberUid to the plugin but it did not work.
>
> I'm testing this with FC4 and FDS 1.0.4.
>
> Best Regards
> Kimmo Koivisto
>

From nhosoi at redhat.com Mon Nov 13 21:17:58 2006
From: nhosoi at redhat.com (Noriko Hosoi)
Date: Mon, 13 Nov 2006 13:17:58 -0800
Subject: [Fedora-directory-users] Questions about the referential integrity plug-in
In-Reply-To: <200611132159.14468.koippa@gmail.com>
References: <200611132159.14468.koippa@gmail.com>
Message-ID: <4558E106.6000309@redhat.com>

This is what we recommend ...
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/modify.html

How Referential Integrity Works

When the Referential Integrity Plug-in (see "Referential Integrity Postoperation Plug-in," on page 510) is enabled, it performs integrity updates on specified attributes immediately after a delete or rename operation. By default, the Referential Integrity Plug-in is disabled.

Note: The Referential Integrity Plug-in should only be enabled on one supplier replica in a multi-master replication environment to avoid conflict resolution loops. When enabling the plug-in on servers issuing chaining requests, be sure to analyze your performance resource and time needs, as well as your integrity needs. Integrity checks can be time-consuming and draining on memory/CPU.

Kimmo Koivisto wrote:
> Hello
>
> I tried the referential integrity plug-in and it worked as expected with a
> single master environment and groupofnames and groupofuniquenames groups.
> I read the admin guide but there were some things that I did not fully
> understand:
>
> 1. How about a multimaster environment: if I have servers A and B and I enable
> the plug-in on server A, when a change is done to server B, server A should make
> deletions or modifications to the directory.
>
> But what if server A is down for maintenance and a user is deleted from
> server B, what happens? Does server A do anything when it is started
> after maintenance?
>
> 2. How to enable referential integrity for the memberUid attribute?
> I have user cn=user,c=fi that has uid=user and that user is added to group
> example so that there is attribute memberUid=user.
> When the user is deleted, the uid should be removed from the example group. How to achieve
> this?
> I tried to add nsslapd-pluginarg7=memberUid to the plugin but it did not work.
>
> I'm testing this with FC4 and FDS 1.0.4.
>
> Best Regards
> Kimmo Koivisto
>

From pkime at Shopzilla.com Mon Nov 13 23:42:24 2006
From: pkime at Shopzilla.com (Philip Kime)
Date: Mon, 13 Nov 2006 15:42:24 -0800
Subject: [Fedora-directory-users] Re: password policy on FDS 1.0.2 - doesn't seem to work?
Message-ID: <9C0091F428E697439E7A773FFD083427435B65@szexchange.Shopzilla.inc>

> Yes. The global setting must be enabled to use any sort of password syntax checking.
> You can then override it at the subtree or user level.

Hmm, doesn't seem to make any difference - I enabled password syntax checking at the global level and it works; if I try to override it with different checking at the subtree/user level, it's ignored, although the global settings are enforced.

PK

From nkinder at redhat.com Mon Nov 13 23:47:58 2006
From: nkinder at redhat.com (Nathan Kinder)
Date: Mon, 13 Nov 2006 15:47:58 -0800
Subject: [Fedora-directory-users] Re: password policy on FDS 1.0.2 - doesn't seem to work?
In-Reply-To: <9C0091F428E697439E7A773FFD083427435B65@szexchange.Shopzilla.inc>
References: <9C0091F428E697439E7A773FFD083427435B65@szexchange.Shopzilla.inc>
Message-ID: <4559042E.8020107@redhat.com>

Philip Kime wrote:
>> Yes. The global setting must be enabled to use any sort of password
>> syntax checking. You can then override it at the subtree or user
>> level.
>
> Hmm, doesn't seem to make any difference - I enabled password syntax
> checking at the global level and it works; if I try to override it with
> different checking at the subtree/user level, it's ignored, although the
> global settings are enforced.
>
On the same panel where the global option is, there is a checkbox for enabling fine-grained policies. The server will not enforce fine-grained policies unless this box is checked.

-NGK

> PK
>

From pkime at Shopzilla.com Mon Nov 13 23:57:23 2006
From: pkime at Shopzilla.com (Philip Kime)
Date: Mon, 13 Nov 2006 15:57:23 -0800
Subject: [Fedora-directory-users] Re: password policy on FDS 1.0.2 - doesn't seem to work?
Message-ID: <9C0091F428E697439E7A773FFD083427435B66@szexchange.Shopzilla.inc>

> Check the access log for the server, and you may also need to turn on the trace level
> error logging.

Here's what I can find in the logs - it seems to find the OU policy but doesn't do anything with it?
PK

[13/Nov/2006:18:54:10 -0500] - => find_entry_internal (dn=cn="cn=nspwpolicyentry,ou=people,dc=blah,dc=com",cn=nspwpolicycontainer,ou=people,dc=blah,dc=com) lock 0
[13/Nov/2006:18:54:10 -0500] - => dn2entry "cn="cn=nspwpolicyentry,ou=people,dc=blah,dc=com",cn=nspwpolicycontainer,ou=people,dc=blah,dc=com"
[13/Nov/2006:18:54:10 -0500] - <= dn2entry d59d30
[13/Nov/2006:18:54:10 -0500] - <= find_entry_internal_dn found (cn="cn=nspwpolicyentry,ou=people,dc=blah,dc=com",cn=nspwpolicycontainer,ou=people,dc=shopzilla,dc=com)
[13/Nov/2006:18:54:10 -0500] - candidate list has 1 ids
[13/Nov/2006:18:54:10 -0500] - => id2entry( 500 )
[13/Nov/2006:18:54:10 -0500] - <= id2entry d59d30 (cache)
[13/Nov/2006:18:54:10 -0500] - => send_ldap_search_entry (cn="cn=nsPwPolicyEntry,ou=People,dc=blah,dc=com",cn=nsPwPolicyContainer,ou=People,dc=blah,dc=com)
[13/Nov/2006:18:54:10 -0500] - <= send_ldap_search_entry
[13/Nov/2006:18:54:10 -0500] - => send_ldap_result 0::
[13/Nov/2006:18:54:10 -0500] - <= send_ldap_result
[13/Nov/2006:18:54:10 -0500] - => send_ldap_result 0::
[13/Nov/2006:18:54:10 -0500] - add_pb

From david_list at boreham.org Tue Nov 14 14:18:14 2006
From: david_list at boreham.org (David Boreham)
Date: Tue, 14 Nov 2006 07:18:14 -0700
Subject: [Fedora-directory-users] Single Sign On
In-Reply-To:
References:
Message-ID: <4559D026.7010905@boreham.org>

Gordon May wrote:
> I was wondering if anyone can help me with setting up a single sign on
> system. I want my users to be able to sign on once and have access to
> all areas of our site, i.e. Forum, wiki, Trac, SVN, etc. From what I've
> read it looks like Kerberos will be needed for this.

Hmm. What exactly do you mean by 'single sign on'?

Do you mean this: user approaches workstation, enters username and password. User then uses all the above apps for the remainder of the day without entering their username or password again.

Or this: user uses various applications, supplying each with _the_same_ username and password?
When they want to change their password, they only need change it in one place.

If you are looking for the former then this is SSO, and it does require Kerberos. (In theory you can use other technologies such as smart cards, thumb readers, retinal scanners etc., but for most folk today SSO means Kerberos.)

The reason I'm not sure if you are looking for 'real' SSO is that in your list of applications above you include quite a few where the client is a web browser. This would mean that you'd need Kerberos support in the browser and also in the web server. This is hard to find today. Microsoft products are the only widely deployed solution that I am aware of.

If all you're after is to have one password and a central authentication service for multiple applications then that doesn't need Kerberos, just LDAP. In that case you just need to LDAP-enable all your apps (web servers etc.).

> Is there a way to do this without Kerberos?

If you want SSO then no.

> Is there a single tool that I can use to manage user passwords and
> FDS? I.e. user account creation, deletion, updating, password resets, etc.

Yes. There are many choices. Here are a few:
The FDS console (Java app), also
http://phpldapadmin.sourceforge.net/
and
http://www.jxplorer.org/
There is a simple web app designed to support user self service administration shipped with FDS too.

> How do I force FDS to ask Kerberos if a user's password is correct?

Hmm... this does not sound like SSO, because in that case the LDAP server would never see a Kerberos password.

First, FDS supports kerberized LDAP. But that's probably not what you want (it allows SSO to the _LDAP_ service, but not to any other kerberized service - that would be done directly using Kerberos without any LDAP involvement).

With the FDS PAM plugin I believe it is possible to support what I call 'proxied Kerberos', where the user supplies their Kerberos password to a regular basic auth client (e.g. web browser). This may be what you are looking for. The password is passed through as plain text (with SSL protection) to the LDAP server, which then gives it to PAM and finally to GSSAPI for validation. This can be done with FDS, although it might require some work to get all the necessary parts put together.

Note that if you only ever deploy 'proxied Kerberos' (and no real kerberized services) then there's really little point, because basic auth to the LDAP service would be much easier to configure and use, and would be just as secure.

From gordon.may at gmail.com Tue Nov 14 15:25:27 2006
From: gordon.may at gmail.com (Gordon May)
Date: Tue, 14 Nov 2006 10:25:27 -0500
Subject: [Fedora-directory-users] Single Sign On
In-Reply-To: <4559D026.7010905@boreham.org>
References: <4559D026.7010905@boreham.org>
Message-ID:

David,

Thanks for all the info. When I say SSO I mean true SSO. User enters name and password once and has access to everything for the rest of the day.

What I was thinking of was to use Kerberos as the password database and FDS as the user info database (i.e. name, address, company, etc.), and that's why FDS will need to ask Kerberos if a user supplied the proper credentials. I don't want any passwords stored in FDS; that way when a user changes their password it only needs to be done in one place.

Last night I set up Kerberos and FDS SASL and everything seems to be working fine. I also tried setting up the PAM Passthrough Plugin but that failed. I might give it another try tonight. It's starting to look like it might be more trouble than it's worth though.

I've played with phpLDAPadmin in the past but it's not exactly the tool I'm looking for. I'm looking for something which can manage Kerberos and LDAP at the same time. I haven't been able to find any such tool, so I guess I'll either have to customize phpLDAPadmin or start from scratch.

Gordon

On 11/14/06, David Boreham wrote:
> Gordon May wrote:
>
> > I was wondering if anyone can help me with setting up a single sign on
> > system.
> > I want my users to be able to sign on once and have access to
> > all areas of our site, i.e. Forum, wiki, Trac, SVN, etc. From what I've
> > read it looks like Kerberos will be needed for this.
>
> Hmm. What exactly do you mean by 'single sign on'?
> Do you mean this: user approaches workstation, enters username and
> password. User then uses all the above apps for the remainder of
> the day without entering their username or password again.
>
> Or this: user uses various applications, supplying each with _the_same_
> username and password? When they want to change their password, they only need
> change it in one place.
>
> If you are looking for the former then this is SSO, and it does
> require Kerberos. (In theory you can use other technologies
> such as smart cards, thumb readers, retinal scanners etc.,
> but for most folk today SSO means Kerberos.)
>
> The reason I'm not sure if you are looking for 'real' SSO
> is that in your list of applications above you include quite a
> few where the client is a web browser. This would mean
> that you'd need Kerberos support in the browser and also
> in the web server. This is hard to find today. Microsoft
> products are the only widely deployed solution that I
> am aware of.
>
> If all you're after is to have one password and a central
> authentication service for multiple applications then that
> doesn't need Kerberos, just LDAP. In that case you just
> need to LDAP-enable all your apps (web servers etc.).
>
> > Is there a way to do this without Kerberos?
>
> If you want SSO then no.
>
> > Is there a single tool that I can use to manage user passwords and
> > FDS? I.e. user account creation, deletion, updating, password resets, etc.
>
> Yes. There are many choices. Here are a few:
> The FDS console (Java app), also
> http://phpldapadmin.sourceforge.net/
> and
> http://www.jxplorer.org/
> There is a simple web app designed to support
> user self service administration shipped with FDS too.
>
> > How do I force FDS to ask Kerberos if a user's password is correct?
>
> Hmm... this does not sound like SSO, because in that case
> the LDAP server would never see a Kerberos password.
> First, FDS supports kerberized LDAP. But that's probably
> not what you want (it allows SSO to the _LDAP_ service,
> but not to any other kerberized service - that would be
> done directly using Kerberos without any LDAP involvement).
>
> With the FDS PAM plugin I believe it is possible to support what
> I call 'proxied Kerberos', where the user supplies their Kerberos
> password to a regular basic auth client (e.g. web browser). This may be what
> you are looking for. The password is passed through as plain text
> (with SSL protection) to the LDAP server, which then gives it to PAM
> and finally to GSSAPI for validation. This can be done with FDS,
> although it might require some work to get all the necessary parts
> put together.
>
> Note that if you only ever deploy 'proxied Kerberos' (and no
> real kerberized services) then there's really little point, because
> basic auth to the LDAP service would be much easier to configure and use,
> and would be just as secure.
>

From ghetrick at minderaser.org Tue Nov 14 16:36:31 2006
From: ghetrick at minderaser.org (Greg Hetrick)
Date: Tue, 14 Nov 2006 10:36:31 -0600
Subject: [Fedora-directory-users] Host based ACI
Message-ID: <20061114103631.5ksxmsekg488cgc8@www.minderaser.org>

I am trying to implement host based ACI for either users or groups. Basic question: can you achieve the same results using host ACIs as you would with host attributes per user?

I am trying to find a way not to specifically include each host in each user that needs access to every host or multiple hosts.
Is it possible to add Host based ACI to a group and have the members of that group be granted access to only those specific hosts? Say for example having a group for admins with every host and adding users to that group thus giving them access to all hosts, same with a development group with only access to development hosts.

Any direction that you can give would be much appreciated. I have attempted to setup ACIs for a particular user to a single host, but it doesn't appear that it is working, seems like I am missing either a client side LDAP setting or an Attribute on the user to handle the ACI. I was able to setup host based access using the host attribute per user, that just seems tedious.

Thanks,
Greg

From rmeggins at redhat.com Tue Nov 14 16:49:15 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 14 Nov 2006 09:49:15 -0700
Subject: [Fedora-directory-users] Host based ACI
In-Reply-To: <20061114103631.5ksxmsekg488cgc8@www.minderaser.org>
References: <20061114103631.5ksxmsekg488cgc8@www.minderaser.org>
Message-ID: <4559F38B.5050207@redhat.com>
I don't think you want to use ACIs for this. You need something that works on the client side - PAM/NSS/Posix - that the client side understands and enforces. ACIs are really only useful to enforce server side rules, unless the client has explicit knowledge that relationships modeled in LDAP apply to the client side as well (PAM/NSS do not).

You could implement Role Based Attributes using the "host" attribute if the following criteria are met:

1) You can define your groups using the Roles feature, not e.g. posix groups. Fedora DS Role Based Attributes must use roles to define group membership.

2) PAM/NSS do not perform searches like (host=foo.bar.com) to determine user access. Instead, PAM must perform searches like uid=loginname and retrieve the host attribute of the user, and use that to determine access.

See http://directory.fedora.redhat.com/wiki/Howto:ClassOfService for a description of how Class of Service works and how it can be used to implement Role Based Attributes.

If all else fails, you will probably have to use Netgroups - http://directory.fedora.redhat.com/wiki/Howto:Netgroups
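As an added illustration of the Role Based Attributes approach described in the reply above (this LDIF is not from the thread or the FDS project; the suffix dc=example,dc=com, the role names and the host names are constructed), two managed roles plus a classic Class of Service definition that gives role members a computed host attribute. It assumes the client reads the user's own entry and checks that attribute (for example pam_ldap with pam_check_host_attr yes), which is the second criterion in the reply.

```ldif
# Added example, not from the thread. Suffix dc=example,dc=com is constructed.

# 1) Managed roles. A user is placed in a role by adding nsRoleDN to the
#    user entry; the server then computes the nsRole attribute for the user.
dn: cn=AdminRole,ou=People,dc=example,dc=com
objectClass: top
objectClass: LDAPsubentry
objectClass: nsRoleDefinition
objectClass: nsSimpleRoleDefinition
objectClass: nsManagedRoleDefinition
cn: AdminRole
description: Users allowed to log in on every host

dn: cn=DevRole,ou=People,dc=example,dc=com
objectClass: top
objectClass: LDAPsubentry
objectClass: nsRoleDefinition
objectClass: nsSimpleRoleDefinition
objectClass: nsManagedRoleDefinition
cn: DevRole
description: Users allowed to log in on development hosts only

# 2) Classic CoS definition keyed on the computed nsRole attribute.
#    "override" makes the CoS-generated host values win over any host
#    attribute stored physically on the user entry.
dn: cn=hostByRoleCoS,ou=People,dc=example,dc=com
objectClass: top
objectClass: LDAPsubentry
objectClass: cosSuperDefinition
objectClass: cosClassicDefinition
cosTemplateDn: cn=hostByRoleCoS,ou=People,dc=example,dc=com
cosSpecifier: nsRole
cosAttribute: host override

# 3) One template per role. For a classic CoS the template RDN is the
#    specifier's value, here the role DN, so it has to be quoted.
dn: cn="cn=AdminRole,ou=People,dc=example,dc=com",cn=hostByRoleCoS,ou=People,dc=example,dc=com
objectClass: top
objectClass: LDAPsubentry
objectClass: extensibleObject
objectClass: cosTemplate
host: web01.example.com
host: db01.example.com
host: dev01.example.com

dn: cn="cn=DevRole,ou=People,dc=example,dc=com",cn=hostByRoleCoS,ou=People,dc=example,dc=com
objectClass: top
objectClass: LDAPsubentry
objectClass: extensibleObject
objectClass: cosTemplate
host: dev01.example.com

# 4) A user in the development role. No host values are stored on the entry;
#    a read of uid=jdoe returns host: dev01.example.com computed by the CoS.
#    objectClass account is added so that host is allowed by the schema.
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: account
uid: jdoe
cn: Jane Doe
sn: Doe
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/jdoe
nsRoleDN: cn=DevRole,ou=People,dc=example,dc=com
```

Moving a user between roles is then a single change to nsRoleDN rather than editing host values on every affected entry, and the client keeps enforcing the decision because it still sees an ordinary host attribute on the user.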
From joshkel at gmail.com Tue Nov 14 17:37:08 2006
From: joshkel at gmail.com (Josh Kelley)
Date: Tue, 14 Nov 2006 12:37:08 -0500
Subject: [Fedora-directory-users] Single Sign On
In-Reply-To: <4559D026.7010905@boreham.org>
References: <4559D026.7010905@boreham.org>
Message-ID: <97cbd1a90611140937p25e4a98egbce5ce1e6ed7eb2d@mail.gmail.com>

On 11/14/06, David Boreham wrote:
> The reason I'm not sure if you are looking for 'real' SSO
> is that in your list of applications above you include quite a
> few where the client is a web browser. This would mean
> that you'd need kerberos support in the browser and also
> in the web server. This is hard to find today. Microsoft
> products are the only widely deployed solution that I
> am aware of.

It's not quite SSO (Double Sign On?), but there are several web apps that give SSO only for web apps (i.e., you log on once to a web page then can skip logging on to other web apps) without requiring Kerberos. CAS (http://www.ja-sig.org/products/cas/) appears to be the best known.

Josh Kelley

From pkime at Shopzilla.com Tue Nov 14 19:35:39 2006
From: pkime at Shopzilla.com (Philip Kime)
Date: Tue, 14 Nov 2006 11:35:39 -0800
Subject: [Fedora-directory-users] Re: password policy on FDS 1.0.2 - doesn't seem to work?
Message-ID: <9C0091F428E697439E7A773FFD083427435B6C@szexchange.Shopzilla.inc>

> On the same panel where the global option is, there is a checkbox for enabling
> fine-grained policies. The server will not enforce fine-grained policies unless
> this box is checked.

Yes, this is turned on. We are talking about the same place I hope - the Config tab and the properties of the Data node?

PK

From nkinder at redhat.com Tue Nov 14 19:44:35 2006
From: nkinder at redhat.com (Nathan Kinder)
Date: Tue, 14 Nov 2006 11:44:35 -0800
Subject: [Fedora-directory-users] Re: password policy on FDS 1.0.2 - doesn't seem to work?
In-Reply-To: <9C0091F428E697439E7A773FFD083427435B6C@szexchange.Shopzilla.inc>
References: <9C0091F428E697439E7A773FFD083427435B6C@szexchange.Shopzilla.inc>
Message-ID: <455A1CA3.2090801@redhat.com>

Philip Kime wrote:
>> On the same panel where the global option is, there is a checkbox for
>> enabling fine-grained policies. The server will not enforce fine-grained
>> policies unless this box is checked.
>
> Yes, this is turned on. We are talking about the same place I hope - the
> Config tab and the properties of the Data node?
>
Yes, I'm referring to the "Configuration->Data->Passwords" tab. On this panel, you should have both the "Enable fine-grained password policy" and "Check password syntax" options checked.

-NGK

From glenn at mail.txwes.edu Wed Nov 15 16:10:22 2006
From: glenn at mail.txwes.edu (Glenn)
Date: Wed, 15 Nov 2006 10:10:22 -0600
Subject: [Fedora-directory-users] pk12util error
Message-ID: <20061115155033.M29459@mail.txwes.edu>

I'm trying to get Windows Sync working on an evaluation copy of Red Hat Directory Server 7.1 SP3. I am stuck at the step where you export the directory server's certificate to a file. I use this command:

./pk12util -d . -P slapd-myserver- -o servercert.pfx -n Server-Cert

The response is:

Enter Password or Pin for "NSS Certificate DB"

After I enter the password, I get this error message:

pk12util-bin: find user certs from nickname failed: security library: bad database.

I have followed all the instructions for setting up SSL in the directory server and the admin server several times. The server and CA certificates have been requested and installed.
Everything looks correct in the console screens. The slapd-myserver-cert8.db and slapd-myserver-key3.db files exist. I got tired of retyping the path to the pk12util file, so I copied it to the alias directory containing the certificates and databases.

What are some things I can try to get pk12util working? Or is there another way to export the certificate and key so that I can import them into the Windows certificate store? Could this be an NSS problem? Should I look for an NSS update?

I will try just about anything, but the boss is real keen on using Red Hat, as he believes the longer development cycle will make it easier to maintain in the long run. However, if Fedora Directory Server is the only option that works, I may be able to present it that way. I apologize for the off-topic question, but there doesn't seem to be any support for the evaluation of RHDS. Thanks. -Glenn.

From rmeggins at redhat.com Wed Nov 15 16:19:19 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 15 Nov 2006 09:19:19 -0700
Subject: [Fedora-directory-users] pk12util error
In-Reply-To: <20061115155033.M29459@mail.txwes.edu>
References: <20061115155033.M29459@mail.txwes.edu>
Message-ID: <455B3E07.5020401@redhat.com>

Glenn wrote:
> I'm trying to get Windows Sync working on an evaluation copy of Red Hat
> Directory Server 7.1 SP3. I am stuck at the step where you export the
> directory server's certificate to a file. I use this command:
>
> ./pk12util -d . -P slapd-myserver- -o servercert.pfx -n Server-Cert
>
> The response is:
>
> Enter Password or Pin for "NSS Certificate DB"
>
> After I enter the password, I get this error message:
>
> pk12util-bin: find user certs from nickname failed: security library: bad
> database.
>
> I have followed all the instructions for setting up SSL in the directory
> server and the admin server several times. The server and CA certificates
> have been requested and installed. Everything looks correct in the console
> screens.
> The slapd-myserver-cert8.db and slapd-myserver-key3.db files
> exist. I got tired of retyping the path to the pk12util file, so I copied
> it to the alias directory containing the certificates and databases.
>
> What are some things I can try to get pk12util working? Or is there another
> way to export the certificate and key so that I can import them into the
> Windows certificate store? Could this be an NSS problem? Should I look for
> an NSS update?
>
I'm not sure what the problem is, but you can skip this step. This step is only to backup your private key material for archival purposes. It is not required to do this step in order to get TLS working.

From rcritten at redhat.com Wed Nov 15 16:15:59 2006
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 15 Nov 2006 11:15:59 -0500
Subject: [Fedora-directory-users] pk12util error
In-Reply-To: <20061115155033.M29459@mail.txwes.edu>
References: <20061115155033.M29459@mail.txwes.edu>
Message-ID: <455B3D3F.4050508@redhat.com>
You can try running:

certutil -L -d . -P slapd-myserver-

This will list the certificates and their nicknames.

Or you can try 'server-cert' as the nickname instead of 'Server-Cert' with pk12util. I believe nicknames are case sensitive.

rob
From nkwan at redhat.com Wed Nov 15 16:23:59 2006
From: nkwan at redhat.com (Thomas Kwan)
Date: Wed, 15 Nov 2006 08:23:59 -0800
Subject: [Fedora-directory-users] pk12util error
In-Reply-To: <20061115155033.M29459@mail.txwes.edu>
References: <20061115155033.M29459@mail.txwes.edu>
Message-ID: <455B3F1F.7@redhat.com>

Are you sure you have the certificate (and key) named Server-Cert? You can check by doing a certutil -d . -P slapd-myserver- -L in the alias directory.

I just created an empty security database, and did a pk12util. It correctly reported your error.

---
[root at cseng tmp]# certutil -d . -N
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password:
Re-enter password:
[root at cseng tmp]# pk12util -d . -o a.p12 -n Server-Cert
Enter Password or Pin for "NSS Certificate DB":
pk12util: find user certs from nickname failed: security library: bad database.
---

thomas
From glenn at mail.txwes.edu Wed Nov 15 16:44:29 2006
From: glenn at mail.txwes.edu (Glenn)
Date: Wed, 15 Nov 2006 10:44:29 -0600
Subject: [Fedora-directory-users] pk12util error
In-Reply-To: <455B3F1F.7@redhat.com>
References: <20061115155033.M29459@mail.txwes.edu> <455B3F1F.7@redhat.com>
Message-ID: <20061115163246.M95637@mail.txwes.edu>

Thanks to all for the quick replies. The problem was indeed that the correct nickname is "server-cert", not "Server-Cert". I am sure I tried this yesterday, but I guess that was yesterday. This command does not work:

certutil -L -d . -P slapd-myserver-

It returns this error:

certutil-bin: NSS_Initialize failed: An I/O error occurred during security authorization.

Part of the difficulty with certificates seems to be that the documentation for the utilities is so sparse.
If I knew that the nickname referred to the name of a certificate rather than the name of the database file, this might have been helpful.

I checked up2date, and it did download something called "nss-ldap", but this does not seem to have made a difference.

I would like to be able to use certutil, so if you can think of any reasons why it is not working, please share. Thanks again for your help. -Glenn.

From rcritten at redhat.com Wed Nov 15 16:49:09 2006
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 15 Nov 2006 11:49:09 -0500
Subject: [Fedora-directory-users] pk12util error
In-Reply-To: <20061115163246.M95637@mail.txwes.edu>
References: <20061115155033.M29459@mail.txwes.edu> <455B3F1F.7@redhat.com> <20061115163246.M95637@mail.txwes.edu>
Message-ID: <455B4505.7020004@redhat.com>
certutil is another NSS utility that ships with the directory server. It should be in the same place you found pk12util.

rob

From rmeggins at redhat.com Wed Nov 15 16:54:17 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 15 Nov 2006 09:54:17 -0700
Subject: [Fedora-directory-users] pk12util error
In-Reply-To: <20061115163246.M95637@mail.txwes.edu>
References: <20061115155033.M29459@mail.txwes.edu> <455B3F1F.7@redhat.com> <20061115163246.M95637@mail.txwes.edu>
Message-ID: <455B4639.5050509@redhat.com>

Glenn wrote:
> Thanks to all for the quick replies. The problem was indeed that the
> correct nickname is "server-cert", not "Server-Cert". I am sure I tried
> this yesterday, but I guess that was yesterday. This command does not work:
>
> certutil -L -d . -P slapd-myserver-
>
> It returns this error:
>
> certutil-bin: NSS_Initialize failed: An I/O error occurred during security
> authorization.
>
in the alias directory, do ls -al

What do you see? If you have the files cert8.db and key3.db, try certutil -L -d .
From nkwan at redhat.com Wed Nov 15 16:58:59 2006
From: nkwan at redhat.com (Thomas Kwan)
Date: Wed, 15 Nov 2006 08:58:59 -0800
Subject: [Fedora-directory-users] pk12util error
In-Reply-To: <20061115163246.M95637@mail.txwes.edu>
References: <20061115155033.M29459@mail.txwes.edu> <455B3F1F.7@redhat.com> <20061115163246.M95637@mail.txwes.edu>
Message-ID: <455B4753.6000601@redhat.com>

certutil is one of the utilities from Mozilla's NSS project. Check this page out for certutil usage:

http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html

Regarding your error, can you make sure you run certutil in your alias directory, and check if you have files named slapd-myserver-cert8.db, slapd-myserver-key3.db.

-L specifies the directory where you have your security databases (cert8.db, key3.db, secmod.db)
-P specifies the prefix to the security database files

thomas
From fochlere at grc.nia.nih.gov Wed Nov 15 17:00:13 2006
From: fochlere at grc.nia.nih.gov (Edward Fochler)
Date: Wed, 15 Nov 2006 12:00:13 -0500
Subject: [Fedora-directory-users] multimaster-could not set referrals
Message-ID: <9BB6F902-126B-4016-AA38-87EED5461FFE@grc.nia.nih.gov>

I have upgraded 3 servers to 1.0.4, and multimaster syncing is simply not working for me.
I've wiped everything, re-initialized repeatedly, and I still get no syncing or one-way syncing and a lot of logged errors about

NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica ou=nia,o=nih,c=us: 1

I have had pretty bad luck with multimaster replication for the past year with the various versions of FDS. I had it working for about 6 months, until I rebooted one of the servers, and it hasn't worked since. I've reverted to single master syncing, but even then when I issue a modify to one of the replicas I get an error of:

[Cannot save to directory server:] [netscape.ldap.LDAPException:error result (1); Mapping tree node for ou=nia,o=nih,c=us is set to return a referral, but no referral is configured for it; Operations error]

The referrals option appears to be set automatically once the replica is initialized, and I've also tried setting it manually, but I get the same error either way. JXPlorer complains with the same message.

Any tips on what to try next? My goal is multimaster syncing eventually.

ED.

From glenn at mail.txwes.edu Wed Nov 15 17:21:24 2006
From: glenn at mail.txwes.edu (Glenn)
Date: Wed, 15 Nov 2006 11:21:24 -0600
Subject: [Fedora-directory-users] pk12util error
In-Reply-To: <455B4753.6000601@redhat.com>
References: <20061115155033.M29459@mail.txwes.edu> <455B3F1F.7@redhat.com> <20061115163246.M95637@mail.txwes.edu> <455B4753.6000601@redhat.com>
Message-ID: <20061115171547.M88259@mail.txwes.edu>

O.K., now I feel really dumb. I had certutil, certutil-bin, and all the database and certificate files in the alias directory. When I ran the command, I actually typed "myserver" instead of the name of the server! The command works fine when I type the correct server name. I've been at this too long, and I'm going for a cup of coffee now.

Thanks again for your patient assistance. You guys are great! -Glenn.
From pkime at Shopzilla.com Wed Nov 15 18:48:33 2006
From: pkime at Shopzilla.com (Philip Kime)
Date: Wed, 15 Nov 2006 10:48:33 -0800
Subject: [Fedora-directory-users] Re: password policy on FDS 1.0.2 - doesn't seem to work?
Message-ID: <9C0091F428E697439E7A773FFD083427435B71@szexchange.Shopzilla.inc>

> Yes, I'm referring to the "Configuration->Data->Passwords" tab. On this panel, you
> should have both the "Enable fine-grained password policy"
> and "Check password syntax" options checked.

Yes, they are both checked. And when I check the same boxes on a user or OU and make the settings more restrictive than the global settings, the more restrictive settings are ignored and only the global settings are enforced.
For example, if I set the minimum digits required to 2 globally and 3 locally on an OU or user, I can enter passwords with 2 digits without problems, but not with 1 digit.

PK

From johnsimcall at gmail.com Thu Nov 16 08:36:07 2006
From: johnsimcall at gmail.com (John Call)
Date: Wed, 15 Nov 2006 22:36:07 -1000
Subject: [Fedora-directory-users] Mac OS X SASL auth problems
Message-ID: <2f05bdbb0611160036w2ead0c79ndb5b80cb8370af8b@mail.gmail.com>

Aloha list,

I've run up against what Josh Kelley wrote about a few months ago (http://www.redhat.com/archives/fedora-directory-users/2006-September/msg00063.html) where Mac OS X clients are not able to authenticate users due to CRAM-MD5. Has any progress been made on the feature request / bug he filed? (https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=206053)

Thus far I've been unsuccessful at working around the CRAM-MD5 as he suggested by removing the /usr/lib/sasl2/libcrammd5.so* files. Does anybody have any further insight on how I can get my Macs to auth against FDS?

Thanks so much,
Mahalo,
John Call
From nattaponv at hotmail.com Thu Nov 16 09:06:26 2006
From: nattaponv at hotmail.com (nattapon viroonsri)
Date: Thu, 16 Nov 2006 09:06:26 +0000
Subject: [Fedora-directory-users] ACI Allow users create own sub entry

I try to use the following ACI to allow a user to create their own subentry, but the result shows insufficient access. I tried both types but it still does not work. Could anyone please recommend the correct ACI to do this?

(target="ldap:///uid=xfs,ou=people,dc=icesolution,dc=com")(targetattr=*)
(version 3.0; acl "Create Entry"; allow (add) userattr = "parent[0,1].owner#USERDN";)

(target="ldap:///uid=xfs,ou=people,dc=icesolution,dc=com")
(targattrfilters="add=objectClass:(objectClass=*)")
(version 3.0; acl "Create Entry"; allow (add) (userdn= "ldap:///self") ;)

Regards,
Nattapon

From glenn at mail.txwes.edu Thu Nov 16 14:34:30 2006
From: glenn at mail.txwes.edu (Glenn)
Date: Thu, 16 Nov 2006 08:34:30 -0600
Subject: [Fedora-directory-users] Windows Sync - Unable to contact Active Directory
Message-ID: <20061116142541.M85886@mail.txwes.edu>

I'm still trying to get Windows Sync working on my Red Hat Directory Server 7.1 SP3 evaluation. I have followed all the instructions, including SSL and certificate setup. When I try to create a synchronization agreement, I fill out the Windows Sync Server Info form and click Next, and a Warning window pops up with the message, "Unable to contact Active Directory server, continue?" There are two buttons, Yes and No. So far, I haven't clicked the Yes button, because I don't think synchronization will work if the Directory Server can't contact the Active Directory server.

I can ping the Active Directory server by its host name and by its fully qualified domain name. What else should I be looking at? Thanks.

-Glenn.
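As an added example (not from this thread) for the "Unable to contact Active Directory server" warning Glenn describes: a POSIX shell pre-flight that builds the container-style bind DN an AD bind expects from the AD DNS domain, rejects the short account forms that are not DNs, and then tries an anonymous rootDSE read and an authenticated bind separately, so a network or TLS problem and a rejected bind are told apart. The host, domain and account names are constructed placeholders, and the ldapsearch options are those of the OpenLDAP client tools.

```shell
#!/bin/sh
# Added example, not from the thread. Pre-flight checks for a Windows Sync
# agreement that fails with "Unable to contact Active Directory server".
# Host, domain and account names below are constructed placeholders.

# Build the bind DN from a DNS domain and an account in AD's default Users
# container:
#   domain_to_bind_dn example.com Administrator
#   -> cn=Administrator,cn=Users,dc=example,dc=com
domain_to_bind_dn() (
    dn="cn=$2,cn=Users"
    IFS=.                      # split the domain on dots (subshell keeps IFS local)
    for label in $1; do
        dn="$dn,dc=$label"
    done
    printf '%s\n' "$dn"
)

# A bare account name or DOMAIN\user is not a DN; the agreement cannot bind
# with it, which is one way to end up with the "unable to contact" warning.
looks_like_dn() {
    case $1 in
        *=*,*=*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Live checks (skipped unless AD_HOST is set). Step 1 needs no credentials and
# fails only when the host, port 636 or the TLS setup is wrong; step 2 adds the
# bind, so a failure there points at the DN or password instead.
check_ad() {
    host=$1
    bind_dn=$2
    looks_like_dn "$bind_dn" || {
        echo "bind DN is not a DN: $bind_dn" >&2
        return 1
    }
    echo "1. anonymous rootDSE read from $host"
    ldapsearch -x -H "ldaps://$host:636" -s base -b "" supportedLDAPVersion || return 1
    echo "2. authenticated rootDSE read as $bind_dn (prompts for the password)"
    ldapsearch -x -H "ldaps://$host:636" -D "$bind_dn" -W -s base -b "" defaultNamingContext
}

if [ -n "${AD_HOST:-}" ]; then
    check_ad "$AD_HOST" "$(domain_to_bind_dn "${AD_DOMAIN:-example.com}" Administrator)"
fi
```

Set AD_HOST and AD_DOMAIN in the environment to run the live checks; the two helper functions run without a network.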
From jean-baptiste.charpentier at businessdecision.com Thu Nov 16 14:39:07 2006
From: jean-baptiste.charpentier at businessdecision.com (Jean-Baptiste CHARPENTIER)
Date: Thu, 16 Nov 2006 15:39:07 +0100
Subject: [Fedora-directory-users] PassSync on multi domain controller
Message-ID: <000d01c7098c$f87b9ab0$4102000a@BETD.FR>

Hi,

I have installed PassSync on one domain controller, and passwords are synced only when I change a password with Active Directory Browser, but not when users change their password. Any idea? (In the PassSync log it looks like they do see the event of the user password change.)

I installed PassSync.msi (1777 Ko) in June and I see a new version, PassSync-1.msi (1844 Ko), on the Fedora Directory website. What has changed in this new version? Does it solve my problem?

Thanks for your help.

Jean-Baptiste CHARPENTIER

From rmeggins at redhat.com Thu Nov 16 14:47:18 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 16 Nov 2006 07:47:18 -0700
Subject: [Fedora-directory-users] Windows Sync - Unable to contact Active Directory
In-Reply-To: <20061116142541.M85886@mail.txwes.edu>
References: <20061116142541.M85886@mail.txwes.edu>
Message-ID: <455C79F6.1030101@redhat.com>

Glenn wrote:
> I'm still trying to get Windows Sync working on my Red Hat Directory Server
> 7.1 SP3 evaluation. I have followed all the instructions, including SSL and
> certificate setup. When I try to create a synchronization agreement, I fill
> out Windows Sync Server Info form and click Next, and a Warning window pops
> up with the message, "Unable to contact Active Directory server, continue?"
> There are two buttons, Yes and No. So far, I haven't clicked the Yes
> button, because I don't think synchronization will work if the Directory
> Server can't contact the Active Directory server.
>
What is the full DN that you are using to BIND to AD? It's usually something like cn=Administrator,cn=Users,dc=yourdomain,dc=tld e.g.
cn=Administrator,cn=Users,dc=redhat,dc=com

> I can ping the Active Directory server by its host name and by its fully
> qualified domain name. What else should I be looking at? Thanks. -Glenn.
>
Try the ldapsearch command line like this:

/usr/bin/ldapsearch -x -h ADhost -D "cn=Administrator,cn=Users,dc=yourdomain,dc=tld" -W -s base -b ""

From glenn at mail.txwes.edu Thu Nov 16 15:20:08 2006
From: glenn at mail.txwes.edu (Glenn)
Date: Thu, 16 Nov 2006 09:20:08 -0600
Subject: [Fedora-directory-users] Windows Sync - Unable to contact Active Directory
In-Reply-To: <455C79F6.1030101@redhat.com>
References: <20061116142541.M85886@mail.txwes.edu> <455C79F6.1030101@redhat.com>
Message-ID: <20061116151639.M2021@mail.txwes.edu>

Thanks, Richard, you are correct -- I was not using the proper syntax for the "Bind as" person. Onward into the fog . . . .

-G.

---------- Original Message -----------
From: Richard Megginson
To: "General discussion list for the Fedora Directory server project."
Sent: Thu, 16 Nov 2006 07:47:18 -0700
Subject: Re: [Fedora-directory-users] Windows Sync - Unable to contact Active Directory

> Glenn wrote:
> > I'm still trying to get Windows Sync working on my Red Hat Directory Server
> > 7.1 SP3 evaluation. I have followed all the instructions, including SSL and
> > certificate setup. When I try to create a synchronization agreement, I fill
> > out Windows Sync Server Info form and click Next, and a Warning window pops
> > up with the message, "Unable to contact Active Directory server, continue?"
> > There are two buttons, Yes and No.
> > So far, I haven't clicked the Yes
> > button, because I don't think synchronization will work if the Directory
> > Server can't contact the Active Directory server.
> >
> What is the full DN that you are using to BIND to AD? It's usually
> something like
> cn=Administrator,cn=Users,dc=yourdomain,dc=tld e.g.
> cn=Administrator,cn=Users,dc=redhat,dc=com
> > I can ping the Active Directory server by its host name and by its fully
> > qualified domain name. What else should I be looking at? Thanks. - Glenn.
> >
> Try the ldapsearch command line like this:
> /usr/bin/ldapsearch -x -h ADhost -D
> "cn=Administrator,cn=Users,dc=yourdomain,dc=tld" -W -s base -b ""

From rmeggins at redhat.com Thu Nov 16 22:23:27 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 16 Nov 2006 15:23:27 -0700
Subject: [Fedora-directory-users] Mac OS X SASL auth problems
In-Reply-To: <2f05bdbb0611160036w2ead0c79ndb5b80cb8370af8b@mail.gmail.com>
References: <2f05bdbb0611160036w2ead0c79ndb5b80cb8370af8b@mail.gmail.com>
Message-ID: <455CE4DF.8090109@redhat.com>

John Call wrote:
> Aloha list,
>
> I've run up against what Josh Kelley wrote about a few months ago
> (http://www.redhat.com/archives/fedora-directory-users/2006-September/msg00063.html)
> where Mac OS X clients are not able to authenticate users due to
> CRAM-MD5. Has any progress been made on the feature request / bug he
> filed?
No, not yet.
> (https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=206053) Thus
> far I've been unsuccessful at working around the CRAM-MD5 as he
> suggested by removing the /usr/lib/sasl2/libcrammd5.so* files.
Really? Did you restart FDS once you removed those files? Do you see cram-md5 bind attempts in the FDS access log?
>
> Does anybody have any further insight on how I can get my Macs to auth
> against FDS?
>
> Thanks so much,
> Mahalo,
> John Call

From lists at spider-security.net Thu Nov 16 22:42:42 2006
From: lists at spider-security.net (Nathaniel Hall)
Date: Thu, 16 Nov 2006 16:42:42 -0600
Subject: [Fedora-directory-users] Nodes separated by Firewalls
Message-ID: <455CE962.50305@spider-security.net>

List,

We currently have two master nodes and one read-only node. They are protected from the Internet by two firewalls. I would like to see about placing another read-only node in another location that is protected by a third firewall. Shown below:

Master 1 --\    |          |            |          |            |          |
Master 2 -------|Firewall 1|------------|Firewall 2|--Internet--|Firewall 3|------Slave 2
Slave 1 ---/    |          |            |          |            |          |

Master 1, Master 2, and Slave 1 have private IPs that are NATed before going to the Internet. Slave 2 has a public IP address. I need to know if this is possible without giving either master or Slave 1 a public IP address. Of course this will be over SSL, so that will help. Would Fedora Directory Server connect to Slave 2 or does Slave 2 have to connect to one of the Masters?

--
Nathaniel Hall, GSEC GCFW GCIA GCIH GCFA

From glenn at mail.txwes.edu Thu Nov 16 22:45:14 2006
From: glenn at mail.txwes.edu (Glenn)
Date: Thu, 16 Nov 2006 16:45:14 -0600
Subject: [Fedora-directory-users] Replica has no update vector.
Message-ID: <20061116222201.M26632@mail.txwes.edu>

I'm still trying to get Windows Sync to work in my Red Hat DS 7.1 SP3 evaluation. I have configured multi-master replication, because I want any changes made on either system to be replicated to the other system.
As soon as I create the new Windows Sync Agreement, the DS error log begins to record this error message every few seconds:

NSMMReplicationPlugin - agmt="cn=ldap-ad-5" (AD-servername:636): Replica has no update vector. It has never been initialized.

So I figure, fine, I'll just initialize it, and I right-click the sync agreement in the DS console and click "Initiate Full Re-syncronization", because that's the only thing on the menu that resembles what the manual says should be there. Then the log reports:

NSMMReplicationPlugin - Beginning total update of replica "agmt=cn=ldap-ad-5" (AD-servername:636)".

After this, the log continues to fill with the "no update vector" messages. There is no further mention of the initialization in the log, but the Replication Status window reports a "Last consumer init. update" message:

Total update aborted LDAP error: Operations error. Error Code: 1

The status window also says the last consumer initialization ended 16 seconds after it began. I have tried redoing the sync agreement several times, and restarted the admin and ds servers and rebooted the machine. What else can I do? Thanks.

-Glenn.

From pkime at Shopzilla.com Fri Nov 17 00:16:21 2006
From: pkime at Shopzilla.com (Philip Kime)
Date: Thu, 16 Nov 2006 16:16:21 -0800
Subject: [Fedora-directory-users] Subtree/user pw policy on 1.0.2?
Message-ID: <9C0091F428E697439E7A773FFD083427435B84@szexchange.Shopzilla.inc>

I'm thinking of upgrading to 1.0.4 to see if that fixes the problem I'm seeing with not being able to get subtree/user password policies working (I notice there was a PWP ACI related bug fixed in 1.0.3). But first, does anyone have subtree/user password policies working in 1.0.2?

Also, is there a reason why there are no RPMs on the website for Fedora Core 4 x86_64?
PK

From rmeggins at redhat.com Fri Nov 17 03:14:58 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 16 Nov 2006 20:14:58 -0700
Subject: [Fedora-directory-users] Subtree/user pw policy on 1.0.2?
In-Reply-To: <9C0091F428E697439E7A773FFD083427435B84@szexchange.Shopzilla.inc>
References: <9C0091F428E697439E7A773FFD083427435B84@szexchange.Shopzilla.inc>
Message-ID: <455D2932.9030009@redhat.com>

Philip Kime wrote:
>
> I'm thinking of upgrading to 1.0.4 to see if that fixes the problem I'm
> seeing with not being able to get subtree/user password policies working
> ( I notice there was a PWP ACI related bug fixed in 1.0.3). But first,
> does anyone have subtree/user password policies working in 1.0.2?
>
I know some people have reported success - perhaps they will chime in.
> Also, is there a reason why there are no RPMs on the website for
> Fedora Core 4 x86_64?
>
Because I don't have a FC4 x86_64 machine to build FDS on.
> PK

From jean-baptiste.charpentier at businessdecision.com Thu Nov 16 14:29:14 2006
From: jean-baptiste.charpentier at businessdecision.com (Jean-Baptiste CHARPENTIER)
Date: Thu, 16 Nov 2006 15:29:14 +0100
Subject: [Fedora-directory-users] PassSync on multi domain controller
Message-ID: <000001c7098b$978c7fe0$4102000a@BETD.FR>

Hi,

I have installed PassSync on one domain controller, and passwords are synced only when I change a password with Active Directory Browser, but not when users change their password. Any idea? (In the PassSync log it looks like they do see the event of the user password change.)

I installed PassSync.msi (1777 Ko) in June and I see a new version, PassSync-1.msi (1844 Ko), on the Fedora Directory website.
What has changed in this new version? Does it solve my problem?

Thanks for your help.

Jean-Baptiste CHARPENTIER

From jean-baptiste.charpentier at businessdecision.com Fri Nov 17 15:29:15 2006
From: jean-baptiste.charpentier at businessdecision.com (Jean-Baptiste CHARPENTIER)
Date: Fri, 17 Nov 2006 16:29:15 +0100
Subject: [Fedora-directory-users] PassSync on multi domain controller
In-Reply-To: <000001c7098b$978c7fe0$4102000a@BETD.FR>
Message-ID: <006301c70a5d$23fe4090$4102000a@BETD.FR>

More precisely, password changes on the first domain controller are detected, but not on the second. (They are in the same domain.) Must the domain controller where PassSync is installed have the global catalog?

Thanks.

Jean-Baptiste CHARPENTIER

_____

From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On behalf of Jean-Baptiste CHARPENTIER
Sent: Thursday, 16 November 2006 15:29
To: fedora-directory-users at redhat.com
Subject: [Fedora-directory-users] PassSync on multi domain controller

Hi,

I have installed PassSync on one domain controller, and passwords are synced only when I change a password with Active Directory Browser, but not when users change their password. Any idea? (In the PassSync log it looks like they do see the event of the user password change.)

I installed PassSync.msi (1777 Ko) in June and I see a new version, PassSync-1.msi (1844 Ko), on the Fedora Directory website. What has changed in this new version? Does it solve my problem?

Thanks for your help.

Jean-Baptiste CHARPENTIER

From koniczynek at uaznia.net Fri Nov 17 17:37:26 2006
From: koniczynek at uaznia.net (koniczynek)
Date: Fri, 17 Nov 2006 18:37:26 +0100
Subject: [Fedora-directory-users] SASL/Kerberos5 question
Message-ID: <455DF356.10506@uaznia.net>

Hello,

I'm fairly new to FDS (one week maybe).
Earlier I've been using OpenLDAP and now I want to migrate from OL to FDS. Everything looks great (schema conversion and ldif transfer) but I have one problem. The old setup was constructed more or less so that the passwords weren't stored in LDAP but in Kerberos, and the 'userPassword' field contained 'uid at REALM.INT' in clear text.

Now when using FDS I can't find any configuration option that would make it possible to use Kerberos for storing passwords and still use FDS to authenticate the user. Maybe SASL Mappings are for that and you only have to configure them right. Is there anyone who knows how to do it?

Thanks in advance.

--
email/xmpp: koniczynek at uaznia.net

From jrussler at helix.nih.gov Fri Nov 17 19:56:00 2006
From: jrussler at helix.nih.gov (Jason Russler)
Date: Fri, 17 Nov 2006 14:56:00 -0500
Subject: [Fedora-directory-users] Nodes separated by Firewalls
In-Reply-To: <455CE962.50305@spider-security.net>
References: <455CE962.50305@spider-security.net>
Message-ID: <455E13D0.3090600@helix.nih.gov>

The Master(s) would need to be able to connect to Slave 2 in order to perform any replication. There are many other issues here though, such as referrals from behind FW3 to the master(s) etc - those are other questions though.

Cheers,
Jason

>
> Master 1 --\    |          |            |          |            |          |
> Master 2 -------|Firewall 1|------------|Firewall 2|--Internet--|Firewall 3|------Slave 2
> Slave 1 ---/    |          |            |          |            |          |
>
> Master 1, Master 2, and Slave 1 have private IPs that are NATed before going to the Internet.
> Slave 2 has a public IP address. I need to know if this is possible without giving either master or
> Slave 1 a public IP address. Of course this will be over SSL, so that will help. Would Fedora
> Directory Server connect to Slave 2 or does Slave 2 have to connect to one of the Masters?
>

From rmeggins at redhat.com Fri Nov 17 20:29:53 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 17 Nov 2006 13:29:53 -0700
Subject: [Fedora-directory-users] SASL/Kerberos5 question
In-Reply-To: <455DF356.10506@uaznia.net>
References: <455DF356.10506@uaznia.net>
Message-ID: <455E1BC1.7020303@redhat.com>

koniczynek wrote:
> Hello,
> I'm fairly new to the FDS (one week maybe). Earlier I've been using
> OpenLDAP and now I want to migrate from OL to FDS. Everything looks
> great (schema conversion and ldif transfer) but I have one problem. Old
> setup was constructed more or less that the passwords weren't stored in
> LDAP but in Kerberos and in 'userPassword' field in clear text was
> 'uid at REALM.INT'
> Now when using FDS I can't find any configuration option, that would
> make it possible to use Kerberos for storing passwords and still to use
> FDS to authenticate user. Maybe SASL Mappings are for that and you only
> have to configure them right.
Right. For clients that can do SASL/GSSAPI BIND (i.e. Kerberos), you just need to configure the SASL Mapping to find the user's DN based on the Kerberos principal. For clients that cannot use SASL but must use simple username/password bind, you can use the PAM passthrough plug-in.
> Is there anyone who knows how to do it?
> Thanks in advance.
>

From pkime at Shopzilla.com Fri Nov 17 22:38:17 2006
From: pkime at Shopzilla.com (Philip Kime)
Date: Fri, 17 Nov 2006 14:38:17 -0800
Subject: [Fedora-directory-users] Re: Subtree/user pw policy on 1.0.2? (Richard Megginson)
Message-ID: <9C0091F428E697439E7A773FFD083427435B86@szexchange.Shopzilla.inc>

> I know some people have reported success - perhaps they will chime in.
I tried an upgrade to 1.0.4 but it didn't change anything - still can't have subtree/user policies enforced when I use ldappasswd. Now, this shouldn't be an ACI issue on the policy objects, correct? Since the policy is enforced internally, it should make no difference what permissions the bind DN has for the policy objects? I am assuming that this is right since it makes no difference even if I bind with DM. I'm clutching at straws now - a library issue somewhere? I just can't see why a global policy would work but nothing more local - the obvious reason would be that the nspasswdlocalpolicy attribute is not set in cn=config, but it is ...

> Because I don't have a FC4 x86_64 machine to build FDS on.

Sorry, I was being stupid, I meant RHEL4, which is certainly there.

PK

From david_list at boreham.org Sat Nov 18 01:33:33 2006
From: david_list at boreham.org (David Boreham)
Date: Fri, 17 Nov 2006 18:33:33 -0700
Subject: [Fedora-directory-users] Re: Subtree/user pw policy on 1.0.2? (Richard Megginson)
In-Reply-To: <9C0091F428E697439E7A773FFD083427435B86@szexchange.Shopzilla.inc>
References: <9C0091F428E697439E7A773FFD083427435B86@szexchange.Shopzilla.inc>
Message-ID: <455E62ED.1070005@boreham.org>

Philip Kime wrote:
>>I know some people have reported success - perhaps they will chime in.
>>
>
>I tried an upgrade to 1.0.4 but it didn't change anything - still can't
>have subtree/user policies enforced when I use ldappasswd. Now, this
>shouldn't be an ACI issue on the policy objects, correct? Since the
>policy is enforced internally, it should make no difference what
>permissions the bind DN has for the policy objects? I am assuming that
>this is right since it makes no difference even if I bind with DM. I'm
>clutching at straws now - a library issue somewhere? I just can't see
>why a global policy would work but nothing more local - the obvious
>reason would be that the nspasswdlocalpolicy attribute is not set in
>cn=config, but it is ...
>
At this point probably single stepping through the code in the debugger is the best/quickest route to figure out what's wrong. UTSL and all that...

From koniczynek at uaznia.net Sat Nov 18 02:33:54 2006
From: koniczynek at uaznia.net (koniczynek)
Date: Sat, 18 Nov 2006 03:33:54 +0100
Subject: [Fedora-directory-users] SASL/Kerberos5 question
In-Reply-To: <455E1BC1.7020303@redhat.com>
References: <455DF356.10506@uaznia.net> <455E1BC1.7020303@redhat.com>
Message-ID: <455E7112.30904@uaznia.net>

Richard Megginson wrote on 2006-11-17 21:29:
> Right. For clients that can do SASL/GSSAPI BIND (i.e. Kerberos), you
> just need to configure the SASL Mapping to find the user's DN based on
> the Kerberos principal.

My company runs a lot of software which can't use SASL/GSSAPI BIND, so this is definitely not for me.

> For clients that cannot use SASL but must use simple username/password
> bind, you can use the PAM passthrough plug-in.

OK, where can I read about that? The docs and wiki seem to have no PAM in them. And is this equal to what I have configured with OpenLDAP? Because when migrating, FDS should support the old authentication method (with 'uid at REALM.NET' in the 'userPassword' field and passwords in Kerberos).

--
email/xmpp: koniczynek at uaznia.net

From tuxkumar at gmail.com Sat Nov 18 12:44:33 2006
From: tuxkumar at gmail.com (Saravana Kumar)
Date: Sat, 18 Nov 2006 18:14:33 +0530
Subject: [Fedora-directory-users] FDS - using one password for Samba and Linux accounts

Hi List,

I have FDS configured on the server. There are Windows and Linux clients in our network. Windows users also have Linux. Linux clients are authenticating to FDS. The Samba server is running on a different server and refers to the FDS server (LDAP backend). For Windows I had to create a separate password with smbpasswd -a username for each user, which means the Samba password can be different from the Linux password.
Also the password policy doesn't apply to the smbpasswd I create. Is there a way to use one password for both Windows and Linux logins?

TIA,
SK

From pkime at Shopzilla.com Sat Nov 18 22:24:07 2006
From: pkime at Shopzilla.com (Philip Kime)
Date: Sat, 18 Nov 2006 14:24:07 -0800
Subject: [Fedora-directory-users] Re: Subtree/user pw policy on 1.0.2?
Message-ID: <9C0091F428E697439E7A773FFD083427435B89@szexchange.Shopzilla.inc>

> At this point probably single stepping through the code in the debugger
> is the best/quickest route to figure out what's wrong. UTSL and all that...

I feared you might say that ... but, for amusement, I tried changing passwords using ldapmodify and strangely, the subtree pwd policy *is* enforced, but if I do exactly the same pwd mod with ldappasswd, it isn't enforced. Given that the pw policy is all done on the server side, any ideas how on earth I could be seeing this?

PK

From pkime at Shopzilla.com Sun Nov 19 05:11:34 2006
From: pkime at Shopzilla.com (Philip Kime)
Date: Sat, 18 Nov 2006 21:11:34 -0800
Subject: [Fedora-directory-users] Re: password policy on FDS 1.0.2 - doesn't seem to work?
Message-ID: <9C0091F428E697439E7A773FFD083427435B8A@szexchange.Shopzilla.inc>

I think I have an idea about this now ... the problem seems to be the exop password modify request. Subtree and user policies are ignored from:

ldappasswd (which uses exop)
PAM (when pam_password is set to "exop" in /etc/ldap.conf)

But are OK from:

ldapmodify
PAM (when pam_password is set to "clear" in /etc/ldap.conf)

So, the RFC 3062 password modification requests seem to bypass the subtree and user policies. I see this behaviour in 1.0.2 and 1.0.4.

Now, am I right in thinking that I can use "clear" as long as I'm using SSL to the LDAP server? What about setting local non-LDAP passwords with this set to "clear" - isn't that dangerous? I can't use "ssha" for pam_password as then password changes don't seem to work at all, which is why I changed to "exop".
PK

From gholbert at broadcom.com Sun Nov 19 06:39:55 2006
From: gholbert at broadcom.com (George Holbert)
Date: Sat, 18 Nov 2006 22:39:55 -0800
Subject: [Fedora-directory-users] Re: password policy on FDS 1.0.2 - doesn't seem to work?
References: <9C0091F428E697439E7A773FFD083427435B8A@szexchange.Shopzilla.inc>
Message-ID: <001801c70ba5$86b3ace0$43fdf00a@chunky>

> Now, am I right in thinking that I can use "clear" as long as I'm using
> SSL to the LDAP server?

Yes, sending un-hashed passwords over SSL is very safe.

> What about setting local non-LDAP passwords with this set to "clear"
> isn't that dangerous?

No worries about this, pam_ldap password settings don't affect passwords stored locally in /etc/passwd. Your /etc/pam.d/system-auth password stack for Linux LDAP clients probably looks something like the below:

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

When setting local passwords, the stack will never even invoke pam_ldap, since the pam_unix line is "sufficient".

----- Original Message -----
From: "Philip Kime"
To:
Sent: Saturday, November 18, 2006 9:11 PM
Subject: [Fedora-directory-users] Re: password policy on FDS 1.0.2 - doesn't seem to work?

I think I have an idea about this now ... the problem seems to be the exop password modify request. Subtree and user policies are ignored from:

ldappasswd (which uses exop)
PAM (when pam_password is set to "exop" in /etc/ldap.conf)

But are OK from:

ldapmodify
PAM (when pam_password is set to "clear" in /etc/ldap.conf)

So, the RFC 3062 password modification requests seem to bypass the subtree and user policies. I see this behaviour in 1.0.2 and 1.0.4.

Now, am I right in thinking that I can use "clear" as long as I'm using SSL to the LDAP server?
What about setting local non-LDAP passwords with this set to "clear" - isn't that dangerous? I can't use "ssha" for pam_password as then password changes don't seem to work at all, which is why I changed to "exop".

PK

From johnsimcall at gmail.com Sun Nov 19 09:13:02 2006
From: johnsimcall at gmail.com (John Call)
Date: Sat, 18 Nov 2006 23:13:02 -1000
Subject: [Fedora-directory-users] Mac OS X SASL auth problems
In-Reply-To: <455CE4DF.8090109@redhat.com>
References: <2f05bdbb0611160036w2ead0c79ndb5b80cb8370af8b@mail.gmail.com> <455CE4DF.8090109@redhat.com>
Message-ID: <2f05bdbb0611190113w7d1ffe43y4ede039e10bbd6e2@mail.gmail.com>

Richard, thanks so much! It magically works now. For what it's worth, I took another FDS instance and did the same: removed the /usr/lib/sasl*/*md5* libraries. With ns-slapd still running I observed no change in the query of SASL types (ldapsearch -x -H ldap:// -LLL -s "base" -b "" supportedSASLMechanisms). So I restarted, and FDS still reports MD5. So I wait a few minutes, restart FDS again, no luck ... still reports MD5. I begin to close all applications and prepare for a reboot, but just before I issue the reboot command I check again. Voila! No more MD5. Weird... I'm not sure what magic happened to remove the MD5 SASL auth types. A simple FDS restart didn't seem to do the trick right off the bat. End of story, my Macs can now auth against my preferred directory server. Something, something, something, happily ever after... THE END!

Thanks again Richard, and everybody else on the list!
Mahalo nui loa,
John

On 11/16/06, Richard Megginson wrote:
>
> John Call wrote:
> > Aloha list,
> >
> > I've run up against what Josh Kelley wrote about a few months ago
> > (http://www.redhat.com/archives/fedora-directory-users/2006-September/msg00063.html)
> > where Mac OS X clients are not able to authenticate users due to
> > CRAM-MD5. Has any progress been made on the feature request / bug he
> > filed?
> No, not yet.
> > (https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=206053) Thus
> > far I've been unsuccessful at working around the CRAM-MD5 as he
> > suggested by removing the /usr/lib/sasl2/libcrammd5.so* files.
> Really? Did you restart FDS once you removed those files? Do you see
> cram-md5 bind attempts in the FDS access log?
> >
> > Does anybody have any further insight on how I can get my Macs to auth
> > against FDS?
> >
> > Thanks so much,
> > Mahalo,
> > John Call
>
From sigidwu at gmail.com Mon Nov 20 04:28:11 2006
From: sigidwu at gmail.com (sigid@JINLab)
Date: Mon, 20 Nov 2006 11:28:11 +0700
Subject: [Fedora-directory-users] Help with integrating POSTFIX, SAMBA and FEDORA DS
In-Reply-To: <4998.196.44.161.199.1163422589.squirrel@www.uccmail.co.tz>
References: <4998.196.44.161.199.1163422589.squirrel@www.uccmail.co.tz>
Message-ID: <45612EDB.60108@gmail.com>

Eric Beda wrote:
> Hi
> i'm very new to fedora ds and ldap in general, i just downloaded ldap a
> couple of weeks ago and i have been playing around with it for some time,
>
> i'm trying to create a directory server and have postfix and samba users
> authenticate against it, i've been through tutorials on the net especially
> fedora ds wiki, but every howto looks at it from a migration scenario
> whereas i'm trying to build this from scratch
>
> anyway tried going through the tutorials but i get stuck when i try to add
> a user with ldapmodify -a i get an error unknown object class
> courierMailAlias tried searching for the objectclass on the net but to no
> avail... can anybody please shed some light

I'm using http://directory.fedora.redhat.com/wiki/Howto:Postfix as guidance. Because I'm having trouble installing courier-imap on my Fedora 5, I use the mailgroup object on FDS instead of the courier schema. It seems to work properly on my system. Now I'm in progress integrating it with Dovecot and SquirrelMail.

From ulf.weltman at hp.com Mon Nov 20 06:24:09 2006
From: ulf.weltman at hp.com (Ulf Weltman)
Date: Sun, 19 Nov 2006 22:24:09 -0800
Subject: [Fedora-directory-users] Re: Subtree/user pw policy on 1.0.2?
In-Reply-To: <9C0091F428E697439E7A773FFD083427435B89@szexchange.Shopzilla.inc> References: <9C0091F428E697439E7A773FFD083427435B89@szexchange.Shopzilla.inc> Message-ID: <45614A09.3010007@hp.com> Philip Kime wrote: >> At this point probably single stepping through the code in the >> > debugger > >> is the best/quickest route to figure out what's wrong. UTSL and all >> > that... > > I feared you might say that ... but, for amusement, I tried changing > passwords using ldapmodify and strangely, the subtree pwd policy *is* > enforced, but if I do exactly the same pwd mod with ldappasswd, it isn't > enforced. Given that the pw policy is all done on the server side, any > ideas how on earth I could be seeing this? > > > Effective policy is determined by new_passwdPolicy(), which considers the modification initiated by the password change extop to be internal, and local policy is not retrieved. -------------- next part -------------- An HTML attachment was scrubbed... URL: From cino11 at gmail.com Mon Nov 20 08:52:54 2006 From: cino11 at gmail.com (A G) Date: Mon, 20 Nov 2006 10:52:54 +0200 Subject: [Fedora-directory-users] How to disable subtree level search? Message-ID: <408162380611200052r787c5e6s401353171a7b6630@mail.gmail.com> Hello; I have a question on an LDAP search issue. I want to disable full search on the LDAP tree. Eg: My LDAP Tree is: c=US, o=Dept1, cn=John Smith c=US, o=Dept1, cn=Ann Adams I want to deny reading a full listing of the tree and only allow it when the search condition matches only the required person. In the example above I want nobody to be listed. But when the search criteria is "c=US, o=Dept1, cn=Ann Adams" this entry must be listed. When a search on "c=US" comes, nothing must be listed. What is the correct Access Control Information for this request? Thanks. -------------- next part -------------- An HTML attachment was scrubbed...
URL: From koniczynek at uaznia.net Mon Nov 20 11:12:06 2006 From: koniczynek at uaznia.net (koniczynek) Date: Mon, 20 Nov 2006 12:12:06 +0100 Subject: [Fedora-directory-users] SASL/Kerberos5 question In-Reply-To: <455E7112.30904@uaznia.net> References: <455DF356.10506@uaznia.net> <455E1BC1.7020303@redhat.com> <455E7112.30904@uaznia.net> Message-ID: <45618D86.6050601@uaznia.net> koniczynek wrote: > OK, where can I read about that? Doc and wiki seem to have no PAM in > them. And is this equal to what I have configured with OpenLDAP? Because > when migrating, FDS should support the old authentication method (with > 'uid at REALM.NET' in the 'userPassword' field and passwords in Kerberos). ok, maybe this will give someone a clue on what I need to configure. In my OpenLDAP configuration file (slapd.conf) I have the following lines: sasl-realm COMPANY.INT sasl_realm COMPANY.INT sasl-host ldap.company.int sasl_host ldap.company.int and in the 'userPassword' field is what I mentioned above. Could anybody help me? -- xmpp/email: koniczynek at uaznia.net xmpp/email: koniczynek at gmail.com From pkime at Shopzilla.com Mon Nov 20 16:08:17 2006 From: pkime at Shopzilla.com (Philip Kime) Date: Mon, 20 Nov 2006 08:08:17 -0800 Subject: [Fedora-directory-users] Windows Sync and password policies Message-ID: <9C0091F428E697439E7A773FFD083427435B90@szexchange.Shopzilla.inc> I just wanted to clarify this - * If you use Windows PassSync, you have to enable the password complexity policy on Windows * This policy isn't customisable on Windows without writing a custom passfilt.dll * So to avoid password policy conflicts, you have to implement password policies on FDS too and it really needs to be the same as the Windows default password policy. Correct? -- Philip Kime NOPS Systems Architect 310 401 0407 -------------- next part -------------- An HTML attachment was scrubbed...
URL: From nkinder at redhat.com Mon Nov 20 16:18:36 2006 From: nkinder at redhat.com (Nathan Kinder) Date: Mon, 20 Nov 2006 08:18:36 -0800 Subject: [Fedora-directory-users] Windows Sync and password policies In-Reply-To: <9C0091F428E697439E7A773FFD083427435B90@szexchange.Shopzilla.inc> References: <9C0091F428E697439E7A773FFD083427435B90@szexchange.Shopzilla.inc> Message-ID: <4561D55C.60305@redhat.com> Philip Kime wrote: > I just wanted to clarify this - > > * If you use Windows PassSync, you have to enable the password > complexity policy on Windows > * This policy isn't customisable on Windows without writing a custom > passfilt.dll > * So to avoid password policy conflicts, you have to implement > password policies on FDS too and it really needs to be the same as the > Windows default password policy. > > Correct? Yes, that's correct. The default password syntax policies of FDS match those of the Windows password complexity setting. -NGK > > -- > Philip Kime > NOPS Systems Architect > 310 401 0407 > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3241 bytes Desc: S/MIME Cryptographic Signature URL: From koniczynek at uaznia.net Mon Nov 20 17:43:18 2006 From: koniczynek at uaznia.net (koniczynek) Date: Mon, 20 Nov 2006 18:43:18 +0100 Subject: [Fedora-directory-users] SASL/Kerberos5 question In-Reply-To: <45618D86.6050601@uaznia.net> References: <455DF356.10506@uaznia.net> <455E1BC1.7020303@redhat.com> <455E7112.30904@uaznia.net> <45618D86.6050601@uaznia.net> Message-ID: <4561E936.70600@uaznia.net> koniczynek wrote: > koniczynek wrote: >> OK, where can I read about that? Doc and wiki seem to have no PAM in >> them.
And is this equal to what I have configured with OpenLDAP? Because >> when migrating, FDS should support the old authentication method (with >> 'uid at REALM.NET' in the 'userPassword' field and passwords in Kerberos). > ok, maybe this will give someone a clue on what I need to configure. > In my OpenLDAP configuration file (slapd.conf) I have the following lines: > > sasl-realm COMPANY.INT > sasl_realm COMPANY.INT > sasl-host ldap.company.int > sasl_host ldap.company.int > > and in the 'userPassword' field is what I mentioned above. Could anybody > help me? As somebody mentioned earlier, the PAM pass-through plugin is the best way to accomplish this. And for people who are looking for documentation for this plugin, it can be found in the README in the plugin source directory (in Fedora Directory Server 1.0.4, for example). -- koniczynek From rmeggins at redhat.com Mon Nov 20 18:43:17 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Mon, 20 Nov 2006 11:43:17 -0700 Subject: [Fedora-directory-users] Mac OS X SASL auth problems In-Reply-To: <2f05bdbb0611190113w7d1ffe43y4ede039e10bbd6e2@mail.gmail.com> References: <2f05bdbb0611160036w2ead0c79ndb5b80cb8370af8b@mail.gmail.com> <455CE4DF.8090109@redhat.com> <2f05bdbb0611190113w7d1ffe43y4ede039e10bbd6e2@mail.gmail.com> Message-ID: <4561F745.8010002@redhat.com> John Call wrote: > Richard, > > thanks so much! It magically works now. For what it's worth, I took > another FDS instance and did the same; remove the /usr/lib/sasl*/*md5* > libraries. With the ns-slapd still running I observed no change to > the query of SASL types (ldapsearch -x -H ldap:// -LLL -s "base" -b "" > supportedSASLMechanisms). So I restarted, and FDS still reports MD5. > So I wait a few minutes, restart FDS again, no luck ... still reports > MD5. I begin to close all applications and prepare for a reboot, but > just before I issue the reboot command I check again. Voilà! no more > MD5. weird... That's really weird.
It should take effect after a restart. > > I'm not sure what magic happened to remove the MD5 SASL auth types. A > simple FDS restart didn't seem to do the trick right off the bat. Hmm - you might want to run lsof to see what processes have a handle to those libraries. > > End of story, my Macs can now auth against my preferred directory > server. something, something, something, happily ever after... THE > END! > > Thanks again Richard, and everybody else on the list! > Mahalo nui loa, > John > > On 11/16/06, *Richard Megginson* < rmeggins at redhat.com > > wrote: > > John Call wrote: > > Aloha list, > > > > I've run up against what Josh Kelley wrote about a few months ago > > > (http://www.redhat.com/archives/fedora-directory-users/2006-September/msg00063.html > > < > http://www.redhat.com/archives/fedora-directory-users/2006-September/msg00063.html>) > > where Mac OS X clients are not able to authenticate users due to > > CRAM-MD5. Has any progress been made on the feature request / > bug he > > filed? > No, not yet. > > (https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=206053 > > < > https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=206053>) Thus > > far I've been unsuccessful at working around the CRAM-MD5 as he > > suggested by removing the /usr/lib/sasl2/libcrammd5.so* files. > Really? Did you restart FDS once you removed those files? Do you see > cram-md5 bind attempts in the FDS access log? > > > > Does anybody have any further insight on how I can get my Macs > to auth > > against FDS?
> > > > Thanks so much, > > Mahalo, > > John Call > > > ------------------------------------------------------------------------ > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Mon Nov 20 19:41:46 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Mon, 20 Nov 2006 12:41:46 -0700 Subject: [Fedora-directory-users] How to disable subtree level search? In-Reply-To: <408162380611200052r787c5e6s401353171a7b6630@mail.gmail.com> References: <408162380611200052r787c5e6s401353171a7b6630@mail.gmail.com> Message-ID: <456204FA.1050007@redhat.com> A G wrote: > Hello; > > I have a question on LDAP search issue. > I want to disable full search on the LDAP tree. > > Eg: > > My LDAP Tree is: > > c=US, o=Dept1, cn=John Smith > c=US, o=Dept1, cn=Ann Adams > > I want to deny to read full listing of the tree but only allow when > the search condition meets only the required person. > In the example above I want nobody to be listed. But when the search > criteria is "c=US, o=Dept1, cn=Ann Adams" this entry must be listed. > When a search on "c=US" comes, nothing must be listed. > > What is the correct Access Control Information for this request?? You also posted this question to the OpenLDAP list. Fedora DS and OpenLDAP have very different ACI models. 
What is your server vendor and version? > > Thanks. > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From pkime at Shopzilla.com Mon Nov 20 21:09:36 2006 From: pkime at Shopzilla.com (Philip Kime) Date: Mon, 20 Nov 2006 13:09:36 -0800 Subject: [Fedora-directory-users] Re: Subtree/user pw policy on 1.0.2? Message-ID: <9C0091F428E697439E7A773FFD083427435B92@szexchange.Shopzilla.inc> > Effective policy is determined by new_passwdPolicy() which considers the modification > initiated by the password change extop to be internal and local policy is not > retrieved. I suspected as much - this should probably go in the password policy section of the documentation as there are all sorts of recommendations flying round the Web for setting pam_password to "exop" to allow password changes to work properly. It does indeed work but as you say, it bypasses all password policies (except global ones it seems). PK From ulf.weltman at hp.com Mon Nov 20 22:36:30 2006 From: ulf.weltman at hp.com (Ulf Weltman) Date: Mon, 20 Nov 2006 14:36:30 -0800 Subject: [Fedora-directory-users] Re: Subtree/user pw policy on 1.0.2? In-Reply-To: <9C0091F428E697439E7A773FFD083427435B92@szexchange.Shopzilla.inc> References: <9C0091F428E697439E7A773FFD083427435B92@szexchange.Shopzilla.inc> Message-ID: <45622DEE.8040803@hp.com> Philip Kime wrote: >> Effective policy is determined by new_passwdPolicy() which considers >> > the modification > >> initiated by the password change extop to be internal and local policy >> > is not > >> retrieved. 
>> > > I suspected as much - this should probably go in the password policy > section of the documentation as there are all sorts of recommendations > flying round the Web for setting pam_password to "exop" to allow > password changes to work properly. It does indeed work but as you say, > it bypasses all password policies (except global ones it seems). > > I didn't mean to imply that it's intentional or that it should be this way, just giving you a hand with the analysis. I have some changes around this area of password policy that aren't committed and might complicate a potential fix; I've filed a bug for you to keep track: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=216522 -------------- next part -------------- An HTML attachment was scrubbed... URL: From ebeda at udsm.ac.tz Tue Nov 21 09:55:18 2006 From: ebeda at udsm.ac.tz (Eric Beda) Date: Tue, 21 Nov 2006 12:55:18 +0300 (EAT) Subject: [Fedora-directory-users] ./slapd-start segmentation fault Message-ID: <2368.82.206.143.69.1164102918.squirrel@www.uccmail.co.tz> Hi, i'm quite new to fedora ds, recently i have been trying fedora ds with the Jamm schema, it worked fine for like half an hour then whenever i try to start fedora ds i get a segmentation fault error as follows slapd-servername/./start-slapd: line 33: 2526 Segmentation fault ./ns-slapd -D /opt/fedora-ds/slapd-servername -i /opt/fedora-ds/slapd-servername/logs/pid -w $STARTPIDFILE "$@" i was wondering if anybody knows what's going on From koniczynek at uaznia.net Tue Nov 21 10:18:04 2006 From: koniczynek at uaznia.net (koniczynek) Date: Tue, 21 Nov 2006 11:18:04 +0100 Subject: [Fedora-directory-users] ./slapd-start segmentation fault In-Reply-To: <2368.82.206.143.69.1164102918.squirrel@www.uccmail.co.tz> References: <2368.82.206.143.69.1164102918.squirrel@www.uccmail.co.tz> Message-ID: <4562D25C.1000800@uaznia.net> Eric Beda wrote: > Hi, > i'm quite new to fedora ds, recently i have been trying fedora ds with > the Jamm schema, it
worked fine for like half an hour then whenever i try > to start fedora ds i get a segmentation fault error as follows > > slapd-servername/./start-slapd: line 33: 2526 Segmentation fault > ./ns-slapd -D /opt/fedora-ds/slapd-servername -i > /opt/fedora-ds/slapd-servername/logs/pid -w $STARTPIDFILE "$@" > > i was wondering if anybody knows what's going on maybe try to strace ns-slapd? -- koniczynek From ebeda at udsm.ac.tz Tue Nov 21 11:14:46 2006 From: ebeda at udsm.ac.tz (Eric Beda) Date: Tue, 21 Nov 2006 14:14:46 +0300 (EAT) Subject: [Fedora-directory-users] ./slapd-start segmentation fault In-Reply-To: <4562D25C.1000800@uaznia.net> References: <2368.82.206.143.69.1164102918.squirrel@www.uccmail.co.tz> <4562D25C.1000800@uaznia.net> Message-ID: <2758.82.206.143.69.1164107686.squirrel@www.uccmail.co.tz> below is the result from an strace command it doesn't make much sense to me, but it seems that it tries to locate the process's PID but to no avail xecve("slapd-mlimani/./start-slapd", ["slapd-mlimani/./start-slapd"], [/* 23 vars */]) = 0 uname({sys="Linux", node="mlimani.ac.tz", ...}) = 0 brk(0) = 0x80def34 open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory) open("/etc/ld.so.cache", O_RDONLY) = 3 fstat64(3, {st_mode=S_IFREG|0644, st_size=48065, ...}) = 0 old_mmap(NULL, 48065, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb75df000 close(3) = 0 open("/lib/libtermcap.so.2", O_RDONLY) = 3 read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\340\r\0"..., 512) = 512 fstat64(3, {st_mode=S_IFREG|0755, st_size=11784, ...}) = 0 old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb75de000 old_mmap(NULL, 14856, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0xb75da000 old_mmap(0xb75dd000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x2000) = 0xb75dd000 close(3) = 0 open("/lib/libdl.so.2", O_RDONLY) = 3 read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0P\32\0\000"..., 512) = 512 fstat64(3, {st_mode=S_IFREG|0755,
st_size=14728, ...}) = 0 old_mmap(NULL, 12148, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0xb75d7000 old_mmap(0xb75d9000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x1000) = 0xb75d9000 close(3) = 0 open("/lib/tls/libc.so.6", O_RDONLY) = 3 read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0000X\1\000"..., 512) = 512 fstat64(3, {st_mode=S_IFREG|0755, st_size=1563240, ...}) = 0 old_mmap(NULL, 1272460, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0xb74a0000 old_mmap(0xb75d1000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x130000) = 0xb75d1000 old_mmap(0xb75d4000, 10892, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb75d4000 close(3) = 0 old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb749f000 set_thread_area({entry_number:-1 -> 6, base_addr:0xb749f080, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0 munmap(0xb75df000, 48065) = 0 rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 open("/dev/tty", O_RDWR|O_NONBLOCK|O_LARGEFILE) = 3 close(3) = 0 brk(0) = 0x80def34 brk(0x80fff34) = 0x80fff34 brk(0) = 0x80fff34 brk(0x8100000) = 0x8100000 open("/usr/lib/locale/locale-archive", O_RDONLY|O_LARGEFILE) = 3 fstat64(3, {st_mode=S_IFREG|0644, st_size=32148976, ...}) = 0 mmap2(NULL, 2097152, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb729f000 close(3) = 0 getuid32() = 0 getgid32() = 0 geteuid32() = 0 getegid32() = 0 rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 time(NULL) = 1164107910 open("/etc/mtab", O_RDONLY) = 3 fstat64(3, {st_mode=S_IFREG|0644, st_size=270, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb729e000 read(3, "/dev/sda2 / ext3 rw 0 0\nnone /pr"..., 4096) = 270 close(3) = 0 munmap(0xb729e000, 4096) = 0 open("/proc/meminfo", O_RDONLY) = 3 fstat64(3, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb729e000 read(3, " total: used: 
free:"..., 4096) = 729 close(3) = 0 munmap(0xb729e000, 4096) = 0 rt_sigaction(SIGCHLD, {SIG_DFL}, {SIG_DFL}, 8) = 0 rt_sigaction(SIGCHLD, {SIG_DFL}, {SIG_DFL}, 8) = 0 rt_sigaction(SIGINT, {SIG_DFL}, {SIG_DFL}, 8) = 0 rt_sigaction(SIGINT, {SIG_DFL}, {SIG_DFL}, 8) = 0 rt_sigaction(SIGQUIT, {SIG_DFL}, {SIG_DFL}, 8) = 0 rt_sigaction(SIGQUIT, {SIG_DFL}, {SIG_DFL}, 8) = 0 rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 rt_sigaction(SIGQUIT, {SIG_IGN}, {SIG_DFL}, 8) = 0 uname({sys="Linux", node="mlimani.ac.tz", ...}) = 0 stat64("/opt/fedora-ds", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 stat64(".", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 getpid() = 2915 getppid() = 2914 getpgrp() = 2914 rt_sigaction(SIGCHLD, {0x8074f80, [], SA_RESTORER, 0xb74c7be8}, {SIG_DFL}, 8) = 0 rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 open("slapd-mlimani/./start-slapd", O_RDONLY|O_LARGEFILE) = 3 ioctl(3, TCGETS, 0xbfffb5c8) = -1 ENOTTY (Inappropriate ioctl for device) _llseek(3, 0, [0], SEEK_CUR) = 0 read(3, "#!/bin/sh\n\nunset LD_LIBRARY_PATH"..., 80) = 80 _llseek(3, 0, [0], SEEK_SET) = 0 getrlimit(RLIMIT_NOFILE, {rlim_cur=1024, rlim_max=1024}) = 0 dup2(3, 255) = 255 close(3) = 0 fcntl64(255, F_SETFD, FD_CLOEXEC) = 0 fcntl64(255, F_GETFL) = 0x8000 (flags O_RDONLY|O_LARGEFILE) fstat64(255, {st_mode=S_IFREG|0755, st_size=1927, ...}) = 0 _llseek(255, 0, [0], SEEK_CUR) = 0 rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 read(255, "#!/bin/sh\n\nunset LD_LIBRARY_PATH"..., 1927) = 1927 open("/usr/lib/gconv/gconv-modules.cache", O_RDONLY) = 3 fstat64(3, {st_mode=S_IFREG|0644, st_size=21436, ...}) = 0 mmap2(NULL, 21436, PROT_READ, MAP_SHARED, 3, 0) = 0xb7299000 close(3) = 0 rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 rt_sigprocmask(SIG_BLOCK, NULL, 
[], 8) = 0 rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 stat64("/opt/fedora-ds/slapd-mlimani/logs/startpid", 0xbfffb470) = -1 ENOENT (No such file or directory) rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 stat64("/opt/fedora-ds/slapd-mlimani/logs/pid", 0xbfffb470) = -1 ENOENT (No such file or directory) rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 stat64("/opt", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 stat64("/opt/fedora-ds", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 stat64("/opt/fedora-ds/bin", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 stat64("/opt/fedora-ds/bin/slapd", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 stat64("/opt/fedora-ds/bin/slapd/server", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 chdir("/opt/fedora-ds/bin/slapd/server") = 0 rt_sigprocmask(SIG_BLOCK, [INT CHLD], [], 8) = 0 _llseek(255, -977, [950], SEEK_CUR) = 0 clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xb749f0c8) = 2916 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0 rt_sigaction(SIGINT, {0x8074000, [], SA_RESTORER, 0xb74c7be8}, {SIG_DFL}, 8) = 0 waitpid(-1, [WIFSIGNALED(s) && WTERMSIG(s) == SIGSEGV], 0) = 2916 fstat64(2, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 1), ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7298000 open("/usr/share/locale/locale.alias", O_RDONLY) = 3 fstat64(3, {st_mode=S_IFREG|0644, st_size=2601, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7297000 read(3, "# Locale name alias data base.\n#"..., 4096) = 2601 read(3, "", 4096) = 0 close(3) = 0 munmap(0xb7297000, 4096) = 0 open("/usr/share/locale/en_US.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/share/locale/en_US.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/share/locale/en_US/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/share/locale/en.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/share/locale/en.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/share/locale/en/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory) write(2, "slapd-mlimani/./start-slapd: lin"..., 174slapd-mlimani/./start-slapd: line 33: 2916 Segmentation fault ./ns-slapd -D /opt/fedora-ds/slapd-mlimani -i /opt/fedora-ds/slapd-mlimani/logs/pid -w $STARTPIDFILE "$@" ) = 174 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 --- SIGCHLD (Child exited) @ 0 (0) --- waitpid(-1, 0xbfffb15c, WNOHANG) = -1 ECHILD (No child processes) sigreturn() = ? (mask now []) rt_sigaction(SIGINT, {SIG_DFL}, {0x8074000, [], SA_RESTORER, 0xb74c7be8}, 8) = 0 rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 read(255, "if [ $? -ne 0 ]; then\n exit 1"..., 1927) = 977 rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 munmap(0xb7298000, 4096) = 0 exit_group(1) = ? 
> Eric Beda wrote: >> Hi, >> i'm quite new to fedora ds, recently i have been trying fedora ds with >> the Jamm schema, it worked fine for like half an hour then whenever i >> try >> to start fedora ds i get a segmentation fault error as follows >> >> slapd-servername/./start-slapd: line 33: 2526 Segmentation fault >> ./ns-slapd -D /opt/fedora-ds/slapd-servername -i >> /opt/fedora-ds/slapd-servername/logs/pid -w $STARTPIDFILE "$@" >> >> i was wondering if anybody knows what's going on > maybe try to strace ns-slapd? > > -- > koniczynek > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > From rmeggins at redhat.com Tue Nov 21 14:02:51 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Tue, 21 Nov 2006 07:02:51 -0700 Subject: [Fedora-directory-users] ./slapd-start segmentation fault In-Reply-To: <2758.82.206.143.69.1164107686.squirrel@www.uccmail.co.tz> References: <2368.82.206.143.69.1164102918.squirrel@www.uccmail.co.tz> <4562D25C.1000800@uaznia.net> <2758.82.206.143.69.1164107686.squirrel@www.uccmail.co.tz> Message-ID: <4563070B.3030100@redhat.com> Eric Beda wrote: > below is the result from an strace command > it doesn't make much sense to me, but it seems that it tries to locate the > process's PID but to no avail > First, you don't want to strace the start-slapd shell script; you should instead edit the start-slapd shell script to put an strace -o trace.out before the ./ns-slapd ..... command. Second, before doing this, try doing start-slapd -d 1 - maybe slapd will tell us what's wrong.
> > xecve("slapd-mlimani/./start-slapd", ["slapd-mlimani/./start-slapd"], [/* > 23 vars */]) = 0 > uname({sys="Linux", node="mlimani.ac.tz", ...}) = 0 > brk(0) = 0x80def34 > open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or > directory) > open("/etc/ld.so.cache", O_RDONLY) = 3 > fstat64(3, {st_mode=S_IFREG|0644, st_size=48065, ...}) = 0 > old_mmap(NULL, 48065, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb75df000 > close(3) = 0 > open("/lib/libtermcap.so.2", O_RDONLY) = 3 > read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\340\r\0"..., 512) > = 512 > fstat64(3, {st_mode=S_IFREG|0755, st_size=11784, ...}) = 0 > old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, > 0) = 0xb75de000 > old_mmap(NULL, 14856, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0xb75da000 > old_mmap(0xb75dd000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, > 0x2000) = 0xb75dd000 > close(3) = 0 > open("/lib/libdl.so.2", O_RDONLY) = 3 > read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0P\32\0\000"..., > 512) = 512 > fstat64(3, {st_mode=S_IFREG|0755, st_size=14728, ...}) = 0 > old_mmap(NULL, 12148, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0xb75d7000 > old_mmap(0xb75d9000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, > 0x1000) = 0xb75d9000 > close(3) = 0 > open("/lib/tls/libc.so.6", O_RDONLY) = 3 > read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0000X\1\000"..., > 512) = 512 > fstat64(3, {st_mode=S_IFREG|0755, st_size=1563240, ...}) = 0 > old_mmap(NULL, 1272460, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0xb74a0000 > old_mmap(0xb75d1000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, > 3, 0x130000) = 0xb75d1000 > old_mmap(0xb75d4000, 10892, PROT_READ|PROT_WRITE, > MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb75d4000 > close(3) = 0 > old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, > 0) = 0xb749f000 > set_thread_area({entry_number:-1 -> 6, base_addr:0xb749f080, > limit:1048575, seg_32bit:1, contents:0, 
read_exec_only:0, > limit_in_pages:1, seg_not_present:0, useable:1}) = 0 > munmap(0xb75df000, 48065) = 0 > rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 > open("/dev/tty", O_RDWR|O_NONBLOCK|O_LARGEFILE) = 3 > close(3) = 0 > brk(0) = 0x80def34 > brk(0x80fff34) = 0x80fff34 > brk(0) = 0x80fff34 > brk(0x8100000) = 0x8100000 > open("/usr/lib/locale/locale-archive", O_RDONLY|O_LARGEFILE) = 3 > fstat64(3, {st_mode=S_IFREG|0644, st_size=32148976, ...}) = 0 > mmap2(NULL, 2097152, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb729f000 > close(3) = 0 > getuid32() = 0 > getgid32() = 0 > geteuid32() = 0 > getegid32() = 0 > rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 > time(NULL) = 1164107910 > open("/etc/mtab", O_RDONLY) = 3 > fstat64(3, {st_mode=S_IFREG|0644, st_size=270, ...}) = 0 > mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) > = 0xb729e000 > read(3, "/dev/sda2 / ext3 rw 0 0\nnone /pr"..., 4096) = 270 > close(3) = 0 > munmap(0xb729e000, 4096) = 0 > open("/proc/meminfo", O_RDONLY) = 3 > fstat64(3, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0 > mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) > = 0xb729e000 > read(3, " total: used: free:"..., 4096) = 729 > close(3) = 0 > munmap(0xb729e000, 4096) = 0 > rt_sigaction(SIGCHLD, {SIG_DFL}, {SIG_DFL}, 8) = 0 > rt_sigaction(SIGCHLD, {SIG_DFL}, {SIG_DFL}, 8) = 0 > rt_sigaction(SIGINT, {SIG_DFL}, {SIG_DFL}, 8) = 0 > rt_sigaction(SIGINT, {SIG_DFL}, {SIG_DFL}, 8) = 0 > rt_sigaction(SIGQUIT, {SIG_DFL}, {SIG_DFL}, 8) = 0 > rt_sigaction(SIGQUIT, {SIG_DFL}, {SIG_DFL}, 8) = 0 > rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 > rt_sigaction(SIGQUIT, {SIG_IGN}, {SIG_DFL}, 8) = 0 > uname({sys="Linux", node="mlimani.ac.tz", ...}) = 0 > stat64("/opt/fedora-ds", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 > stat64(".", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 > getpid() = 2915 > getppid() = 2914 > getpgrp() = 2914 > rt_sigaction(SIGCHLD, {0x8074f80, [], SA_RESTORER, 0xb74c7be8}, {SIG_DFL}, > 8) = 0 > 
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 > open("slapd-mlimani/./start-slapd", O_RDONLY|O_LARGEFILE) = 3 > ioctl(3, TCGETS, 0xbfffb5c8) = -1 ENOTTY (Inappropriate ioctl > for device) > _llseek(3, 0, [0], SEEK_CUR) = 0 > read(3, "#!/bin/sh\n\nunset LD_LIBRARY_PATH"..., 80) = 80 > _llseek(3, 0, [0], SEEK_SET) = 0 > getrlimit(RLIMIT_NOFILE, {rlim_cur=1024, rlim_max=1024}) = 0 > dup2(3, 255) = 255 > close(3) = 0 > fcntl64(255, F_SETFD, FD_CLOEXEC) = 0 > fcntl64(255, F_GETFL) = 0x8000 (flags O_RDONLY|O_LARGEFILE) > fstat64(255, {st_mode=S_IFREG|0755, st_size=1927, ...}) = 0 > _llseek(255, 0, [0], SEEK_CUR) = 0 > rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 > read(255, "#!/bin/sh\n\nunset LD_LIBRARY_PATH"..., 1927) = 1927 > open("/usr/lib/gconv/gconv-modules.cache", O_RDONLY) = 3 > fstat64(3, {st_mode=S_IFREG|0644, st_size=21436, ...}) = 0 > mmap2(NULL, 21436, PROT_READ, MAP_SHARED, 3, 0) = 0xb7299000 > close(3) = 0 > rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 > rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 > rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 > rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 > rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 > rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 > rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 > rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 > rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 > rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 > rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 > rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 > rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 > rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 > rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 > stat64("/opt/fedora-ds/slapd-mlimani/logs/startpid", 0xbfffb470) = -1 > ENOENT (No such file or directory) > rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 > rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 > rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 > stat64("/opt/fedora-ds/slapd-mlimani/logs/pid", 0xbfffb470) = -1 ENOENT > (No such file or directory) > rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 > 
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 > stat64("/opt", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 > stat64("/opt/fedora-ds", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 > stat64("/opt/fedora-ds/bin", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 > stat64("/opt/fedora-ds/bin/slapd", {st_mode=S_IFDIR|0755, st_size=4096, > ...}) = 0 > stat64("/opt/fedora-ds/bin/slapd/server", {st_mode=S_IFDIR|0700, > st_size=4096, ...}) = 0 > chdir("/opt/fedora-ds/bin/slapd/server") = 0 > rt_sigprocmask(SIG_BLOCK, [INT CHLD], [], 8) = 0 > _llseek(255, -977, [950], SEEK_CUR) = 0 > clone(child_stack=0, > flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, > child_tidptr=0xb749f0c8) = 2916 > rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 > rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0 > rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 > rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0 > rt_sigaction(SIGINT, {0x8074000, [], SA_RESTORER, 0xb74c7be8}, {SIG_DFL}, > 8) = 0 > waitpid(-1, [WIFSIGNALED(s) && WTERMSIG(s) == SIGSEGV], 0) = 2916 > fstat64(2, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 1), ...}) = 0 > mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) > = 0xb7298000 > open("/usr/share/locale/locale.alias", O_RDONLY) = 3 > fstat64(3, {st_mode=S_IFREG|0644, st_size=2601, ...}) = 0 > mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) > = 0xb7297000 > read(3, "# Locale name alias data base.\n#"..., 4096) = 2601 > read(3, "", 4096) = 0 > close(3) = 0 > munmap(0xb7297000, 4096) = 0 > open("/usr/share/locale/en_US.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 > ENOENT (No such file or directory) > open("/usr/share/locale/en_US.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 > ENOENT (No such file or directory) > open("/usr/share/locale/en_US/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT > (No such file or directory) > open("/usr/share/locale/en.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 > ENOENT (No such file or directory) > 
open("/usr/share/locale/en.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 > ENOENT (No such file or directory) > open("/usr/share/locale/en/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No > such file or directory) > write(2, "slapd-mlimani/./start-slapd: lin"..., > 174slapd-mlimani/./start-slapd: line 33: 2916 Segmentation fault > ./ns-slapd -D /opt/fedora-ds/slapd-mlimani -i > /opt/fedora-ds/slapd-mlimani/logs/pid -w $STARTPIDFILE "$@" > ) = 174 > rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 > --- SIGCHLD (Child exited) @ 0 (0) --- > waitpid(-1, 0xbfffb15c, WNOHANG) = -1 ECHILD (No child processes) > sigreturn() = ? (mask now []) > rt_sigaction(SIGINT, {SIG_DFL}, {0x8074000, [], SA_RESTORER, 0xb74c7be8}, > 8) = 0 > rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 > read(255, "if [ $? -ne 0 ]; then\n exit 1"..., 1927) = 977 > rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 > rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 > rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 > munmap(0xb7298000, 4096) = 0 > exit_group(1) = ? > > > > > > > > > >> Eric Beda wrote: >> >>> Hi, >>> i'm quite new to fedora ds, recently i have been trying fedora ds with >>> the Jamm schema, it worked fine for like half an hour then whenever i >>> try >>> to start fedora ds i get a segmentation fault error as follows >>> >>> slapd-servername/./start-slapd: line 33: 2526 Segmentation fault >>> ./ns-slapd -D /opt/fedora-ds/slapd-servername -i >>> /opt/fedora-ds/slapd-servername/logs/pid -w $STARTPIDFILE "$@" >>> >>> i was wondering if anybody knows what's going on >>> >> maybe try to strace ns-slapd? >> >> -- >> koniczynek >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users >
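The trace quoted above was taken on the start-slapd shell wrapper rather than on ns-slapd itself, so it only shows the parent (pid 2915) reaping a child (pid 2916) that died with SIGSEGV; nothing of what the child did before crashing is recorded. The following triage script is an added example, not code from this thread or from Fedora DS: it pulls the fork/exec/termination facts out of an strace capture and says whether the capture can explain the crash or whether it needs to be re-taken with `strace -f` (follow forks). Both sample traces are constructed; the first is abridged from the trace above, the second shows the `[pid N]`-prefixed lines strace emits for a followed child. The `./ns-slapd` execve arguments and the `dse.ldif` open in the second sample are illustrative, not taken from the page.

```python
"""Triage an strace capture of a wrapper script whose child crashed.

Added example; not code from the list thread or from Fedora DS.
The trace of start-slapd only shows the parent reaping a child that died
with SIGSEGV.  This script extracts that fact and points at `strace -f`,
which follows forks so the child's (ns-slapd's) own syscalls are recorded.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample, abridged from the trace quoted above: the shell
# (pid 2915) clones ns-slapd as pid 2916 and reaps it with waitpid().
SAMPLE_TRACE = """\
getpid()                                = 2915
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xb749f0c8) = 2916
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
waitpid(-1, [WIFSIGNALED(s) && WTERMSIG(s) == SIGSEGV], 0) = 2916
write(2, "slapd-mlimani/./start-slapd: lin"..., 174) = 174
--- SIGCHLD (Child exited) @ 0 (0) ---
exit_group(1)                           = ?
"""

# Constructed sample of the same run under `strace -f`: lines from the
# followed child carry a "[pid N]" prefix, so the crash is attributable.
# (execve arguments and the dse.ldif open are illustrative assumptions.)
SAMPLE_TRACE_FOLLOWED = """\
getpid()                                = 2915
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xb749f0c8) = 2916
[pid  2916] execve("./ns-slapd", ["./ns-slapd", "-D", "/opt/fedora-ds/slapd-mlimani"], [/* 20 vars */]) = 0
[pid  2916] open("/opt/fedora-ds/slapd-mlimani/config/dse.ldif", O_RDONLY) = 3
[pid  2916] --- SIGSEGV (Segmentation fault) @ 0 (0) ---
[pid  2916] +++ killed by SIGSEGV +++
waitpid(-1, [WIFSIGNALED(s) && WTERMSIG(s) == SIGSEGV], 0) = 2916
exit_group(1)                           = ?
"""

PID_PREFIX = r"^(?:\[pid\s+(?P<pid>\d+)\]\s+)?"
GETPID_RE = re.compile(PID_PREFIX + r"getpid\(\)\s*=\s*(?P<ret>\d+)")
CLONE_RE = re.compile(PID_PREFIX + r"(?:clone|fork|vfork)\(.*\)\s*=\s*(?P<child>\d+)\s*$")
WAIT_RE = re.compile(
    PID_PREFIX
    + r"(?:waitpid|wait4)\(.*WTERMSIG\(s\)\s*==\s*(?P<sig>SIG[A-Z0-9]+).*\)\s*=\s*(?P<child>\d+)\s*$"
)
EXECVE_RE = re.compile(r'^\[pid\s+(?P<pid>\d+)\]\s+execve\("(?P<prog>[^"]+)"')
KILLED_RE = re.compile(r"^\[pid\s+(?P<pid>\d+)\]\s+\+\+\+ killed by (?P<sig>SIG[A-Z0-9]+)")


@dataclass
class TraceFindings:
    traced_pid: Optional[int] = None
    children: List[int] = field(default_factory=list)
    # child pid -> signal that terminated it
    crashed: Dict[int, str] = field(default_factory=dict)
    # child pid -> program it exec'd; only populated when strace followed forks
    child_programs: Dict[int, str] = field(default_factory=dict)


def analyse_strace(text: str) -> TraceFindings:
    """Extract fork/exec/termination facts from strace output."""
    found = TraceFindings()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = GETPID_RE.match(line)
        if m and found.traced_pid is None:
            found.traced_pid = int(m.group("ret"))
            continue
        m = CLONE_RE.match(line)
        if m:
            found.children.append(int(m.group("child")))
            continue
        m = WAIT_RE.match(line)
        if m:  # parent saw the child terminated by a signal
            found.crashed[int(m.group("child"))] = m.group("sig")
            continue
        m = EXECVE_RE.match(line)
        if m:  # only present when strace followed the child (-f)
            found.child_programs[int(m.group("pid"))] = m.group("prog")
            continue
        m = KILLED_RE.match(line)
        if m:
            found.crashed[int(m.group("pid"))] = m.group("sig")
    return found


def diagnose(found: TraceFindings) -> str:
    """One-line verdict: who died, and whether the trace can say why."""
    if not found.crashed:
        return "no child terminated by a signal in this trace"
    parts = []
    for pid, sig in sorted(found.crashed.items()):
        prog = found.child_programs.get(pid)
        where = f"{prog} (pid {pid})" if prog else f"child pid {pid}"
        parts.append(f"{where} died with {sig}")
    verdict = "; ".join(parts)
    if not found.child_programs:
        verdict += (
            f". The trace only covers the parent (pid {found.traced_pid}); "
            "re-run with `strace -f -o trace.log` to capture the child's own syscalls."
        )
    return verdict


if __name__ == "__main__":
    print(diagnose(analyse_strace(SAMPLE_TRACE)))
    print(diagnose(analyse_strace(SAMPLE_TRACE_FOLLOWED)))
```

Run against the first sample the verdict is that pid 2916 died with SIGSEGV and the trace should be re-taken with `-f`; against the followed sample the crash is attributed to `./ns-slapd` and the last syscalls before the signal are available for inspection.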
From rmeggins at redhat.com Tue Nov 21 15:41:41 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Tue, 21 Nov 2006 08:41:41 -0700 Subject: [Fedora-directory-users] SASL/Kerberos5 question In-Reply-To: <4561E936.70600@uaznia.net> References: <455DF356.10506@uaznia.net> <455E1BC1.7020303@redhat.com> <455E7112.30904@uaznia.net> <45618D86.6050601@uaznia.net> <4561E936.70600@uaznia.net> Message-ID: <45631E35.3040607@redhat.com> koniczynek wrote: > koniczynek wrote: >> koniczynek wrote: >>> OK, where can I read about that? Doc and wiki seem to have no PAM in >>> them. And is this equal to what I have configured with OpenLDAP? >>> Because >>> when migrating, FDS should support old authentication method (with >>> 'uid at REALM.NET' in the 'userPassword' field and passwords in Kerberos). >> ok, maybe this will give someone a clue on what do I need to >> configure. In my OpenLDAP configuration file (slapd.conf) I have the >> following lines: >> >> sasl-realm COMPANY.INT >> sasl_realm COMPANY.INT >> sasl-host ldap.company.int >> sasl_host ldap.company.int >> >> and in the 'userPassword' field is what I mentioned above. Could >> anybody help me? > As somebody earlier mentioned PAM pass through plugin is the best way > to accomplish this. And for people, who are looking for documentation > for this plugin, it can be found in the README in the plugin source > directory (in fedora directory server 1.0.4 for example). And now that the server is back up, in cvs.fedora.redhat.com: README - http://cvs.fedora.redhat.com/viewcvs/ldapserver/ldap/servers/plugins/pam_passthru/README?root=dirsec&rev=1.5&view=auto config.ldif - http://cvs.fedora.redhat.com/viewcvs/ldapserver/ldap/servers/plugins/pam_passthru/config.ldif?root=dirsec&rev=1.5&view=auto
From koniczynek at uaznia.net Tue Nov 21 15:46:41 2006 From: koniczynek at uaznia.net (koniczynek) Date: Tue, 21 Nov 2006 16:46:41 +0100 Subject: [Fedora-directory-users] SASL/Kerberos5 question In-Reply-To: <45631E35.3040607@redhat.com> References: <455DF356.10506@uaznia.net> <455E1BC1.7020303@redhat.com> <455E7112.30904@uaznia.net> <45618D86.6050601@uaznia.net> <4561E936.70600@uaznia.net> <45631E35.3040607@redhat.com> Message-ID: <45631F61.8050202@uaznia.net> Richard Megginson wrote: >> As somebody earlier mentioned PAM pass through plugin is the best way >> to accomplish this. And for people, who are looking for documentation >> for this plugin, it can be found in the README in the plugin source >> directory (in fedora directory server 1.0.4 for example). > And now that the server is back up, in cvs.fedora.redhat.com: > README - > http://cvs.fedora.redhat.com/viewcvs/ldapserver/ldap/servers/plugins/pam_passthru/README?root=dirsec&rev=1.5&view=auto > config.ldif - > http://cvs.fedora.redhat.com/viewcvs/ldapserver/ldap/servers/plugins/pam_passthru/config.ldif?root=dirsec&rev=1.5&view=auto Yes, now it's possible, but yesterday it wasn't ;) -- koniczynek From rmeggins at redhat.com Tue Nov 21 17:19:15 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Tue, 21 Nov 2006 10:19:15 -0700 Subject: [Fedora-directory-users] FDS - using one password for Samba and Linux accounts In-Reply-To: References: Message-ID: <45633513.6000106@redhat.com> Saravana Kumar wrote: > Hi List, > > I have FDS configured in the server. There are windows and Linux client in > our network. Windows users also have Linux. > > Linux clients are authenticating to fds. Samba server is running in a > different server and refers to the fds server(ldapbackend).
For windows i > had to create a separate password with smbpasswd -a username for each user > which means samba password can be different from Linux password. Also the > password policy doesn't apply to the smbpasswd i create. > > Is there a way to use one password for both windows and linux logins? > No. This has been on our wishlist for some time now. http://directory.fedora.redhat.com/wiki/Wishlist#Passwords > TIA, > SK > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users From pkime at Shopzilla.com Tue Nov 21 19:33:44 2006 From: pkime at Shopzilla.com (Philip Kime) Date: Tue, 21 Nov 2006 11:33:44 -0800 Subject: [Fedora-directory-users] Re: Subtree/user pw policy on 1.0.2? Message-ID: <9C0091F428E697439E7A773FFD083427435B96@szexchange.Shopzilla.inc> > I didn't mean to imply that it's intentional or that it should be this > way, just giving you a hand with the analysis. I have some changes > around this area of password policy that aren't committed and might > complicate a potential fix, I've filed a bug for you to keep track: > https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=216522 Ah, I see, thank you. You can see in the logs that an extop password change doesn't see non-global policies as you just see a high-level message that an extop operation was performed and that's all. From mjdshop at earthlink.net Tue Nov 21 19:56:04 2006 From: mjdshop at earthlink.net (MJD Shopping Account) Date: Tue, 21 Nov 2006 14:56:04 -0500 (GMT-05:00) Subject: [Fedora-directory-users] pass-thru questions Message-ID: <26721151.1164138964276.JavaMail.root@elwamui-rubis.atl.sa.earthlink.net> I'm reading with interest the many recent articles on the PAM passthru plugin.
I'm hoping to implement it here and have a few questions. Do you have to add the dn: entry (example in the plugin README) by way of editing the dse.ldif, or can it also be added via an 'ldapadd -f .ldif' command? How does use of this plugin relate to setting the userPassword attribute to something like '{KERBEROS}user at REALM'? Is that a completely separate method for using kerberos? The default suggested setup is with pamIDMapMethod = RDN, so this should map to 'uid' for my users. I assume with pamFallback = FALSE that the userPassword attribute never gets used? I'm hoping to test the basic setup, but will eventually need to support users in different KerberosV realms. I am imagining in that case that I should use pamIDMapMethod = ENTRY with pamIDAttr set appropriately and filled with the full user principal name, ie user at REALM not just user. Yes? Last time I used PADL's MigrateTools scripts to parse flat passwd files into ldif files for user entries, it had the ability to add an attribute to a person's entry with these attributes: objectClass: kerberosSecurityObject krbName: user at realm This seems like a good candidate for the pamIDAttr value; I didn't use it at the time because I would need to find the right schema file to support this attribute. Any ideas where to find this? Once found, I assume it goes in serverroot/slapd-instance/config/schema, what would I call the file however? I don't know what the numbering on the filenames indicates. My setup: I'm testing on a FDS 1.0.4 install running on RedHat 4; I am part of a network that uses Active Directory for Windows authentication, and I can use pam_krb5.so in my PAM setup as long as I'm using only one realm. I think this passthrough module is a good match for what I need, if it gets me the cross-realm capability by way of the pamIDAttr.
I do NOT think I can use straight SASL mapping to do this, because I do not have sufficient privileges to add the ldap server to the AD domain, so I can't get the ldap/@rREALM principal into place in AD. From GCopeland at efjohnson.com Tue Nov 21 20:16:50 2006 From: GCopeland at efjohnson.com (Greg Copeland) Date: Tue, 21 Nov 2006 14:16:50 -0600 Subject: [Fedora-directory-users] Is it possible to use events to createhomedirs when user entry is created or deleted? In-Reply-To: Message-ID: <273A72C669F45B4996896A031B88CCEF39B833@EFJDFWMX01.EFJDFW.local> Does this work with home directories which are located other than /home? Cheers, Greg Copeland > -----Original Message----- > From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory- > users-bounces at redhat.com] On Behalf Of gennaro.tortone at na.infn.it > Sent: Friday, October 27, 2006 2:29 AM > To: General discussion list for the Fedora Directory server project. > Subject: Re: [Fedora-directory-users] Is it possible to use events to > createhomedirs when user entry is created or deleted? > > > Hi, > take a look at pam_mkhomedir; it is a PAM module that creates > (if it does not exist) the user home directory; > > Regards, > > On Fri, 27 Oct 2006, Kimmo Koivisto wrote: > > > Hello > > > > I have small environment with one FDS server and one application > > server, both RHEL4ES. FDS server provides ldap authentication and home > > directories for app server with ldap and nfs. > > > > I administrate users and groups with phpldapadmin or windows based > > ldapadmin, everything is working fine. > > > > When I add new user to the FDS, I have to create home directory for > > that user manually, set permissions and copy /etc/skel files. > > > > I would like to do home directory administration tasks automatically > > when user is added or deleted from FDS. > > > > One solution (I don't like this) is that I use some command line ldap > > capable adduser instead of ldapadmin or phpldapadmin.
> > > > Does FDS have any event support that I could use or are there any > > existing solutions for this problem? > > > > > > Best Regards > > Kimmo Koivisto > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > > -- > Gennaro Tortone > INFN Napoli > Italy > tel: +39 81 676169 > > "Computer Science is no more about computers > than astronomy is about telescopes." > - Edsger Dijkstra > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users From rmeggins at redhat.com Tue Nov 21 21:00:36 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Tue, 21 Nov 2006 14:00:36 -0700 Subject: [Fedora-directory-users] pass-thru questions In-Reply-To: <26721151.1164138964276.JavaMail.root@elwamui-rubis.atl.sa.earthlink.net> References: <26721151.1164138964276.JavaMail.root@elwamui-rubis.atl.sa.earthlink.net> Message-ID: <456368F4.5050409@redhat.com> MJD Shopping Account wrote: > I'm reading with interest the many recent articles on the PAM passthru plugin. I'm hoping to implement it here and have a few questions. > > Do you have to add the dn: entry (example in the plugin README) by way of editing the dse.ldif, or can it also be added via an 'ldapadd -f .ldif' command? > Either way is ok. But you still have to restart the server after adding the entry. > How does use of this plugin relate to setting the userPassword attribute to something like '{KERBEROS}user at REALM'? Is that a completely separate method for using kerberos? Yes. It is completely different and doesn't use a special userPassword value. > The default suggested setup is with pamIDMapMethod = RDN, so this should map to 'uid' for my users. I assume with pamFallback = FALSE that the userPassword attribute never gets used? > Correct. 
> I'm hoping to test the basic setup, but will eventually need to support users in different KerberosV realms. I am imagining in that case that I should use pamIDMapMethod = ENTRY with pamIDAttr set appropriately and filled with the full user principal name, ie user at REALM not just user. Yes? > Yes. > Last time I used PADL's MigrateTools scripts to parse flat passwd files into ldif files for user entries, it had the ability to add an attribute to a person's entry with these attributes: > objectClass: kerberosSecurityObject > krbName: user at realm > This seems like a good candidate for the pamIDAttr value; I didn't use it at the time because I would need to find the right schema file to support this attribute. Any ideas where to find this? Once found, I assume it goes in serverroot/slapd-instance/config/schema, what would I call the file however? I don't know what the numbering on the filenames indicates. > The numbering indicates the order in which it is loaded - 00 is first, 99 is last. Most of the schema shipped with the server is in the range 00-50. I suggest you use 60krb5.ldif or something like that. > My setup: I'm testing on a FDS 1.0.4 install running on RedHat 4; I am part of a network that uses Active Directory for Windows authentication, and I can use pam_krb5.so in my PAM setup as long as I'm using only one realm. I think this passthrough module is a good match for what I need, if it gets me the cross-realm capability by way of the pamIDAttr. I do NOT think I can use straight SASL mapping to do this, because I do not have sufficient privileges to add the ldap server to the AD domain, so I can't get the ldap/@rREALM principal into place in AD. > SASL mapping should work for SASL BINDs. The PAM passthru plugin should only be used in those cases where you have a client that only supports simple (i.e. username/password) BIND.
> -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users From GCopeland at efjohnson.com Tue Nov 21 20:24:08 2006 From: GCopeland at efjohnson.com (Greg Copeland) Date: Tue, 21 Nov 2006 14:24:08 -0600 Subject: [Fedora-directory-users] Host based ACI In-Reply-To: <4559F38B.5050207@redhat.com> Message-ID: <273A72C669F45B4996896A031B88CCEF39B847@EFJDFWMX01.EFJDFW.local> I'm doing this by setting the pam_filter attribute on each server in my /etc/ldap.conf file. This means an entry like the following will only allow users which have a host attribute which contains either the server's name or a wildcard. Just don't forget that for authentication purposes, a user is invisible to a given host unless the account has both the host attribute and the proper server name. pam_filter |(host=server1)(host=\*) Cheers, Greg Copeland > -----Original Message----- > From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory- > users-bounces at redhat.com] On Behalf Of Richard Megginson > Sent: Tuesday, November 14, 2006 10:49 AM > To: General discussion list for the Fedora Directory server project. > Subject: Re: [Fedora-directory-users] Host based ACI > > Greg Hetrick wrote: > > I am trying to implement host based ACI for either users or groups. > > Basic question can you achieve the same results as using the host ACI > > as you would with host attributes per user. > > > > I am trying to find a way not to specifically include each host in > > each user that needs access to every host or multiple hosts. > > > > Is it possible to add Host based ACI to a group and have the members > > of that group be granted access to only those specific hosts?
Say for > > example having a group for admins with every host and adding users to > > that group thus giving them access to all hosts, same with a > > development group with only access to development hosts. > > > > Any direction that you can give would be much appreciated. I have > > attempted to setup ACIs for a particular user to a single host, but it > > doesn't appear that it is working, seems like I am missing either a > > client side LDAP setting or an Attribute on the user to handle the > > ACI. I was able to setup host based access using the host attribute > > per user, that just seems tedious. > I don't think you want to use ACIs for this. You need something that > works on the client side - PAM/NSS/Posix - that the client side > understands and enforces. ACIs are really only useful to enforce server > side rules, unless the client has explicit knowledge that relationships > modeled in LDAP apply to the client side as well (PAM/NSS do not). > > You could implement Role Based Attributes using the "host" attribute if > the following criteria are met: > 1) You can define your groups using the Roles feature, not e.g. posix > groups. Fedora DS Role Based Attributes must use roles to define group > membership. > 2) PAM/NSS do not perform searches like (host=foo.bar.com) to determine > user access. Instead, PAM must perform searches like uid=loginname and > retrieve the host attribute of the user, and use that to determine access. > > See http://directory.fedora.redhat.com/wiki/Howto:ClassOfService for a > description of how Class of Service works and how it can be used to > implement Role Based Attributes. 
> > If all else fails, you will probably have to use Netgroups - > http://directory.fedora.redhat.com/wiki/Howto:Netgroups > > > > Thanks, > > Greg > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users From mjdshop at earthlink.net Tue Nov 21 21:42:53 2006 From: mjdshop at earthlink.net (MJD Shop Account) Date: Tue, 21 Nov 2006 16:42:53 -0500 (EST) Subject: [Fedora-directory-users] pass-thru questions Message-ID: <12210812.1164145373598.JavaMail.root@elwamui-rubis.atl.sa.earthlink.net> >> How does use of this plugin relate to setting the userPassword attribute to something like '{KERBEROS}user at REALM'? Is that a completely separate method for using kerberos? >Yes. It is completely different and doesn't use a special userPassword >value. Where would it be appropriate to use the {KERBEROS}user at REALM method? Any pointers to read up on it? I think an earlier message thread indicated it was deprecated... I'm not sure which is the best for my situation. If it required saslauthd, for instance, that would not work for me. >SASL mapping should work for SASL BINDs. The PAM passthru plugin should >only be used in those cases where you have a client that only supports >simple (i.e. username/password) BIND. I guess I'm not 100% sure how this will work for, say, someone logging in via a console. Right now, I have a pam modules stack with pam_ldap.so followed by pam_krb5.so. How would a login at a console terminal (either text or RH graphical Xwindows login) result in an SASL bind to LDAP? My /etc/ldap.conf is set for anonymous binds. Perhaps I should reverse the order and have krb5 before ldap, as I want krb5 to be used ultimately for authentication. Right now, the user might have an LDAP password and a separate krb5 password, if they log in with the krb5 password they get KerberosV credentials as shown by klist. 
To be clear again, I would still need the passthrough to support the cross-realm situation, I think. So maybe ldap before krb5 is just fine for that reason. Another more general question. As I want to use the passthrough module strictly to do the Kerberos logins, I assume the 'ldapserver' pam file would only need pam_krb5.so and not, for example, pam_unix.so. Is that right? Thanks! Marty From rmeggins at redhat.com Tue Nov 21 21:49:43 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Tue, 21 Nov 2006 14:49:43 -0700 Subject: [Fedora-directory-users] pass-thru questions In-Reply-To: <12210812.1164145373598.JavaMail.root@elwamui-rubis.atl.sa.earthlink.net> References: <12210812.1164145373598.JavaMail.root@elwamui-rubis.atl.sa.earthlink.net> Message-ID: <45637477.5070405@redhat.com> MJD Shop Account wrote: >>> How does use of this plugin relate to setting the userPassword attribute to something like '{KERBEROS}user at REALM'? Is that a completely separate method for using kerberos? >>> >> Yes. It is completely different and doesn't use a special userPassword >> value. >> > > Where would it be appropriate to use the {KERBEROS}user at REALM method? Any pointers to read up on it? I think an earlier message thread indicated it was deprecated... I'm not sure which is the best for my situation. If it required saslauthd, for instance, that would not work for me. > Fedora DS does not support the {KERBEROS}user at REALM method in the userPassword attribute. That is an OpenLDAP only feature, AFAIK. > >> SASL mapping should work for SASL BINDs. The PAM passthru plugin should >> only be used in those cases where you have a client that only supports >> simple (i.e. username/password) BIND. >> > > I guess I'm not 100% sure how this will work for, say, someone logging in via a console. Right now, I have a pam modules stack with pam_ldap.so followed by pam_krb5.so.
How would a login at a console terminal (either text or RH graphical Xwindows login) result in an SASL bind to LDAP? My /etc/ldap.conf is set for anonymous binds. Perhaps I should reverse the order and have krb5 before ldap, as I want krb5 to be used ultimately for authentication. Right now, the user might have an LDAP password and a separate krb5 password, if they log in with the krb5 password they get KerberosV credentials as shown by klist. > > To be clear again, I would still need the passthrough to support the cross-realm situation, I think. So maybe ldap before krb5 is just fine for that reason. > > Another more general question. As I want to use the passthrough module strictly to do the Kerberos logins, I assume the 'ldapserver' pam file would only need pam_krb5.so and not, for example, pam_unix.so. Is that right? > I think so, but I'm not sure. You'll have to ask a PAM guru for that. > Thanks! > > Marty > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users From mjdshop at earthlink.net Tue Nov 21 21:49:32 2006 From: mjdshop at earthlink.net (MJD Shop Account) Date: Tue, 21 Nov 2006 16:49:32 -0500 (EST) Subject: [Fedora-directory-users] pass-thru questions Message-ID: <9572211.1164145772301.JavaMail.root@elwamui-rubis.atl.sa.earthlink.net> >Fedora DS does not support the {KERBEROS}user at REALM method in the >userPassword attribute. That is an OpenLDAP only feature, AFAIK. Ah, well that makes my life easy! >> Another more general question. As I want to use the passthrough module strictly to do the Kerberos logins, I assume the 'ldapserver' pam file would only need pam_krb5.so and not, for example, pam_unix.so. Is that right? >> >I think so, but I'm not sure.
You'll have to ask a PAM guru for that. If anyone has pointers, please let me know. Thanks! Marty From patrick.morris at hp.com Tue Nov 21 23:11:18 2006 From: patrick.morris at hp.com (Morris, Patrick) Date: Tue, 21 Nov 2006 18:11:18 -0500 Subject: [Fedora-directory-users] Is it possible to use events tocreatehomedirs when user entry is created or deleted? In-Reply-To: <273A72C669F45B4996896A031B88CCEF39B833@EFJDFWMX01.EFJDFW.local> Message-ID: > Does this work with home directories which are located other > than /home? > > Cheers, > > Greg Copeland > > > -----Original Message----- > > From: fedora-directory-users-bounces at redhat.com > [mailto:fedora-directory- > > users-bounces at redhat.com] On Behalf Of gennaro.tortone at na.infn.it > > Sent: Friday, October 27, 2006 2:29 AM > > To: General discussion list for the Fedora Directory server project. > > Subject: Re: [Fedora-directory-users] Is it possible to use > events to > > createhomedirs when user entry is created or deleted? > > > > > > Hi, > > take a look at pam_mkhomedir; it is a PAM module that creates (if it > > does not exist) the user home directory; Yes, it does. It will create whatever home directory is specified for the user. It does not, however, work at all with recent versions of OpenSSH. You can also look into make_home_dir, which does work with OpenSSH. http://www.trustsec.de/soft/oss From oscar.valdez at duraflex-politex.com Tue Nov 21 21:57:18 2006 From: oscar.valdez at duraflex-politex.com (Oscar A. Valdez) Date: Tue, 21 Nov 2006 15:57:18 -0600 Subject: [Fedora-directory-users] FDS - using one password for Samba and Linux accounts In-Reply-To: <45633513.6000106@redhat.com> References: <45633513.6000106@redhat.com> Message-ID: <1164146239.2332.47.camel@wzowski.duraflex.com.sv> On Tue, 21-11-2006 at 10:19 -0700, Richard Megginson wrote: > Saravana Kumar wrote: > > Is there a way to use one password for both windows and linux logins? > > > No.
This has been on our wishlist for some time now. > http://directory.fedora.redhat.com/wiki/Wishlist#Passwords Could the Perl Crypt-SmbHash module be useful? http://search.cpan.org/~bjkuit/Crypt-SmbHash-0.12/SmbHash.pm I'm experimenting with it to create ldif files with NT and LanMan passwords. -- Oscar A. Valdez From rmeggins at redhat.com Tue Nov 21 23:43:15 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Tue, 21 Nov 2006 16:43:15 -0700 Subject: [Fedora-directory-users] FDS - using one password for Samba and Linux accounts In-Reply-To: <1164146239.2332.47.camel@wzowski.duraflex.com.sv> References: <45633513.6000106@redhat.com> <1164146239.2332.47.camel@wzowski.duraflex.com.sv> Message-ID: <45638F13.1070603@redhat.com> Oscar A. Valdez wrote: > On Tue, 21-11-2006 at 10:19 -0700, Richard Megginson wrote: > >> Saravana Kumar wrote: >> >>> Is there a way to use one password for both windows and linux logins? >>> >>> >> No. This has been on our wishlist for some time now. >> http://directory.fedora.redhat.com/wiki/Wishlist#Passwords >> > > Could the Perl Crypt-SmbHash module be useful? > Could be useful for generating the initial passwords, but not for keeping them in sync on the server side. > http://search.cpan.org/~bjkuit/Crypt-SmbHash-0.12/SmbHash.pm > > I'm experimenting with it to create ldif files with NT and LanMan > passwords. From tuxkumar at gmail.com Wed Nov 22 05:40:54 2006 From: tuxkumar at gmail.com (Saravana Kumar) Date: Wed, 22 Nov 2006 11:10:54 +0530 Subject: [Fedora-directory-users] Re: FDS - using one password for Samba and Linux accounts References: <45633513.6000106@redhat.com> <1164146239.2332.47.camel@wzowski.duraflex.com.sv> <45638F13.1070603@redhat.com> Message-ID: Richard Megginson wrote: > Oscar A.
Valdez wrote: >> On Tue, 21-11-2006 at 10:19 -0700, Richard Megginson wrote: >> >>> Saravana Kumar wrote: >>> >>>> Is there a way to use one password for both windows and linux logins? >>>> >>>> >>> No. This has been on our wishlist for some time now. >>> http://directory.fedora.redhat.com/wiki/Wishlist#Passwords >>> >> >> Could the Perl Crypt-SmbHash module be useful? >> > Could be useful for generating the initial passwords, but not for > keeping them in sync on the server side. >> http://search.cpan.org/~bjkuit/Crypt-SmbHash-0.12/SmbHash.pm >> >> I'm experimenting with it to create ldif files with NT and LanMan >> passwords. >> Thanks for the info Regds, SK From cino11 at gmail.com Wed Nov 22 08:41:05 2006 From: cino11 at gmail.com (A G) Date: Wed, 22 Nov 2006 10:41:05 +0200 Subject: [Fedora-directory-users] LDAP search issue. Message-ID: <408162380611220041t1a25724bsd8e66fe21f6c6f68@mail.gmail.com> Hello; I am using Fedora Directory Server 1.0.2. I have a question on LDAP search issue. I want to disable full search on the LDAP tree. Eg: My LDAP Tree is: cn=John Smith, o=Dept1, c=US cn=Ann Adams, o=Dept1, c=US I want to deny to read full listing of the tree but only allow when the search condition meets only the required person. In the example above I want nobody to be listed. But when the search criteria is "c=US, o=Dept1, cn=Ann Adams" this entry must be listed. When a search on "c=US" comes, nothing must be listed. What is the correct Access Control Information for this request?? >You also posted this question to the OpenLDAP list. Fedora DS and >OpenLDAP have very different ACI models. What is your server vendor and >version? Thanks.
URL: From ebeda at udsm.ac.tz Wed Nov 22 08:44:31 2006 From: ebeda at udsm.ac.tz (Eric Beda) Date: Wed, 22 Nov 2006 11:44:31 +0300 (EAT) Subject: [Fedora-directory-users] ldappasswd problem Message-ID: <4468.82.206.143.69.1164185071.squirrel@www.uccmail.co.tz> Hi, i am trying to set up virtual mailserver using postfix,dovecot and jamm, i'm walking through a tutorial that is based on openldap, i am required to make fedora ds use CRYPT password mechanism how do i set that up? also i seem to fail to change users passwords, whenever i issue the command ldappasswd -D "cn=manager,dc=example,dc=example" -x -w "secret" -s "secret" "mail=ebeda at somedomain,jvd=somename,dc=example,dc=example" i get the following error Result: Confidentiality required (13) Additional info: Operation requires a secure connection. note that my directory manager dn is "cn=manager,dc=example,dc=example" and i'm using fedora ds 7.1 please help From koniczynek at uaznia.net Wed Nov 22 09:28:49 2006 From: koniczynek at uaznia.net (koniczynek) Date: Wed, 22 Nov 2006 10:28:49 +0100 Subject: [Fedora-directory-users] ldappasswd problem In-Reply-To: <4468.82.206.143.69.1164185071.squirrel@www.uccmail.co.tz> References: <4468.82.206.143.69.1164185071.squirrel@www.uccmail.co.tz> Message-ID: <45641851.9090406@uaznia.net> Eric Beda napisa?(a): > i am trying to set up virtual mailserver using postfix,dovecot and jamm, > i'm walking through a tutorial that is based on openldap, i am required to > make fedora ds use CRYPT password mechanism how do i set that up? In the administration console there is option which specifies algorythm for user passwords. Choose CRYPT from there, should work. 
> also i seem to fail to change users passwords, whenever i issue the command
>
> ldappasswd -D "cn=manager,dc=example,dc=example" -x -w "secret" -s
> "secret" "mail=ebeda at somedomain,jvd=somename,dc=example,dc=example"
>
> i get the following error
>
> Result: Confidentiality required (13)
> Additional info: Operation requires a secure connection.
>
> note that my directory manager dn is "cn=manager,dc=example,dc=example"
> and i'm using fedora ds 7.1
Secure connection - it means that you need to configure SSL for your DS and then change passwords over an SSL connection.

--
koniczynek

From nicholas.byrne at quadriga.com Wed Nov 22 13:03:29 2006
From: nicholas.byrne at quadriga.com (Nicholas Byrne)
Date: Wed, 22 Nov 2006 13:03:29 +0000
Subject: [Fedora-directory-users] AD problem
Message-ID: <45644AA1.3040409@quadriga.com>

I am fairly new to FDS. I am using fedora-ds-1.0.2-1.RHEL4 and my goal is to set up a synchronisation against a W2K3 based active directory domain controller. I've followed the Howto:SSL to set up SSL on the fedora server, which works correctly, and I've also followed the "Enabling SSL with Active Directory" section in Howto:WindowsSync using the TinyCA method.

On the AD server I've imported the CA cert and AD server cert I created following the instructions in the howto. I've used ldp (running on the AD server) to query the AD system using SSL and it works after I create a connection on port 636, bind and run a search.

Before complicating matters with PassSync I wanted to try remotely querying the server over SSL to see if that works (non-SSL queries work fine), so I can be sure that the standard sync agreement between FDS and AD will work. I've tried a number of methods, but I always get "ldap_bind: Can't contact LDAP server (-1)".

On the system I'm making queries from, I've installed my CA cert in /etc/openssl/cacerts and configured /etc/openldap/ldap.conf with the following:

TLS_CACERTDIR /etc/openldap/cacerts/
TLS_REQCERT allow

I'd be very grateful for some advice, it's driving me nutty... output of the command below -

ldapsearch -v -b dc=tech -s sub -H ldaps://w2k3virtual01.tech -x -W -LLL '(objectclass=user)' -D winsync at tech -d 9
ldap_initialize( ldaps://w2k3virtual01.tech )
ldap_create
ldap_url_parse_ext(ldaps://w2k3virtual01.tech)
Enter LDAP Password:
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP w2k3virtual01.tech:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.103.20.50:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: /C=UK/ST=Berkshire/L=Reading/O=Quadriga/OU=Technology/CN=Quadriga Certificate Authority/emailAddress=sysadmin at quadriga.com, issuer: /C=UK/ST=Berkshire/L=Reading/O=Quadriga/OU=Technology/CN=Quadriga Certificate Authority/emailAddress=sysadmin at quadriga.com
TLS certificate verification: depth: 0, err: 0, subject: /C=UK/ST=Berkshire/L=Reading/O=Quadriga/OU=Technology/CN=w2k3virtual01.tech, issuer: /C=UK/ST=Berkshire/L=Reading/O=Quadriga/OU=Technology/CN=Quadriga Certificate Authority/emailAddress=sysadmin at quadriga.com
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:failed in SSLv3 read finished A
TLS: can't connect.
ldap_perror
ldap_bind: Can't contact LDAP server (-1)

This e-mail is the property of Quadriga Worldwide Ltd, intended for the addressee only and confidential. Any dissemination, copying or distribution of this message or any attachments is strictly prohibited.

If you have received this message in error, please notify us immediately by replying to the message and deleting it from your computer.

Messages sent to and from Quadriga may be monitored.

Quadriga cannot guarantee any message delivery method is secure or error-free. Information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses.

We do not accept responsibility for any errors or omissions in this message and/or attachment that arise as a result of transmission.

You should carry out your own virus checks before opening any attachment.

Any views or opinions presented are solely those of the author and do not necessarily represent those of Quadriga.

From nicholas.byrne at quadriga.com Wed Nov 22 15:33:24 2006
From: nicholas.byrne at quadriga.com (Nicholas Byrne)
Date: Wed, 22 Nov 2006 15:33:24 +0000
Subject: [Fedora-directory-users] AD problem
In-Reply-To: <45644AA1.3040409@quadriga.com>
References: <45644AA1.3040409@quadriga.com>
Message-ID: <45646DC4.5080906@quadriga.com>

I also attempted to use the ldp utility on another PC running windows XP to query the AD server using ldaps. But no luck here either. Since I can connect using the ldp util when it is running on the AD server over ssl port 636, something must be stopping remote queries on that port; any ideas?

Thanks
Nick

Nicholas Byrne wrote:
> I am fairly new to FDS, I am using fedora-ds-1.0.2-1.RHEL4 and my goal
> is to set up a synchronisation against a W2K3 based active directory
> domain controller.
From nkinder at redhat.com Wed Nov 22 16:33:44 2006
From: nkinder at redhat.com (Nathan Kinder)
Date: Wed, 22 Nov 2006 08:33:44 -0800
Subject: [Fedora-directory-users] ldappasswd problem
In-Reply-To: <45641851.9090406@uaznia.net>
References: <4468.82.206.143.69.1164185071.squirrel@www.uccmail.co.tz> <45641851.9090406@uaznia.net>
Message-ID: <45647BE8.2080905@redhat.com>

koniczynek wrote:
> Eric Beda wrote:
>> i am trying to set up virtual mailserver using postfix,dovecot and jamm,
>> i'm walking through a tutorial that is based on openldap, i am
>> required to
>> make fedora ds use CRYPT password mechanism how do i set that up?
> In the administration console there is an option which specifies the
> algorithm for user passwords. Choose CRYPT from there, should work.
>
>> also i seem to fail to change users passwords, whenever i issue the
>> command
>>
>> ldappasswd -D "cn=manager,dc=example,dc=example" -x -w "secret" -s
>> "secret" "mail=ebeda at somedomain,jvd=somename,dc=example,dc=example"
>>
>> i get the following error
>>
>> Result: Confidentiality required (13)
>> Additional info: Operation requires a secure connection.
>>
>> note that my directory manager dn is "cn=manager,dc=example,dc=example"
>> and i'm using fedora ds 7.1
> Secure connection - it means that you need to configure SSL for your
> DS and then change passwords over a SSL connection
The password modify extended operation (which ldappasswd uses) is also allowed if you use a SASL mechanism that provides confidentiality, such as DIGEST-MD5 or GSSAPI. These approaches conflict with your need to use crypt hashing for your passwords though, so you're stuck using SSL.

-NGK
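The TLS trace Nicholas Byrne posted earlier in this thread (the ldapsearch -d 9 run against ldaps://w2k3virtual01.tech) can be read mechanically: both "TLS certificate verification" lines carry err: 0, so the client accepted the server's chain, and the handshake only breaks at "SSLv3 read finished", after the client had already sent its own Finished. The following Python is an added example, not code from this list or from Fedora DS, that parses such a trace into its verification results and handshake steps and reports which kind of problem the output points at. The sample trace is copied from that post with the certificate subject strings abbreviated; the step names are the ones OpenSSL prints. TLS_CERT and TLS_KEY named in the diagnosis are the OpenLDAP ldap.conf options that supply a client certificate.

```python
import re
from typing import Dict, List, Optional

# Trace copied from Nicholas Byrne's post in this thread (ldapsearch -d 9 over
# ldaps://), with the certificate subject/issuer strings abbreviated.
SAMPLE_TRACE = """\
ldap_connect_to_host: Trying 10.103.20.50:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: /C=UK/O=Quadriga/CN=Quadriga Certificate Authority, issuer: /C=UK/O=Quadriga/CN=Quadriga Certificate Authority
TLS certificate verification: depth: 0, err: 0, subject: /C=UK/O=Quadriga/CN=w2k3virtual01.tech, issuer: /C=UK/O=Quadriga/CN=Quadriga Certificate Authority
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:failed in SSLv3 read finished A
TLS: can't connect.
ldap_bind: Can't contact LDAP server (-1)
"""

TRACE_RE = re.compile(r"^TLS trace: SSL_connect:(?P<step>.+)$")
VERIFY_RE = re.compile(
    r"^TLS certificate verification: depth: (?P<depth>\d+), err: (?P<err>-?\d+), "
    r"subject: (?P<subject>.*?), issuer: (?P<issuer>.*)$"
)


def parse_trace(text: str) -> Dict:
    """Split an OpenLDAP/OpenSSL client trace into handshake steps and
    per-depth certificate verification results."""
    steps: List[str] = []
    verification: List[Dict] = []
    failed_step: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = TRACE_RE.match(line)
        if m:
            step = m.group("step")
            if step.startswith("failed in "):
                failed_step = step[len("failed in "):]
            else:
                steps.append(step)
            continue
        m = VERIFY_RE.match(line)
        if m:
            verification.append({"depth": int(m.group("depth")), "err": int(m.group("err")),
                                 "subject": m.group("subject"), "issuer": m.group("issuer")})
    return {
        "steps": steps,
        "verification": verification,
        "failed_step": failed_step,
        # err: 0 at every depth means the client accepted the server's chain
        "chain_verified": bool(verification) and all(v["err"] == 0 for v in verification),
        "client_cert_requested": any("read server certificate request" in s for s in steps),
        "last_client_write": next((s for s in reversed(steps) if " write " in s), None),
    }


def diagnose(report: Dict) -> str:
    """Turn the parsed trace into the one sentence a troubleshooter needs first."""
    if report["failed_step"] is None:
        return "handshake completed; look past TLS (bind DN, credentials, ACIs)"
    if not report["verification"]:
        return ("no server certificate was ever verified: the session died before the "
                "certificate exchange, so check port, protocol and the server's listener")
    bad = [v for v in report["verification"] if v["err"] != 0]
    if bad:
        return ("certificate verification failed at depth %d (err %d) for %s: fix the "
                "trust store (TLS_CACERTDIR) rather than the server"
                % (bad[0]["depth"], bad[0]["err"], bad[0]["subject"]))
    msg = ("chain verified at every depth, so trust is not the problem; the handshake broke "
           "at '%s' after the client had sent '%s'"
           % (report["failed_step"], report["last_client_write"]))
    if report["client_cert_requested"]:
        msg += ("; the server asked for a client certificate, which this client only supplies "
                "when TLS_CERT/TLS_KEY are configured, so the server side is the next place to look")
    return msg


if __name__ == "__main__":
    print(diagnose(parse_trace(SAMPLE_TRACE)))
```

Run against the real output of ldapsearch -d 9 the same parser separates the three cases that look identical at the ldap_bind level: a trust-store problem (err != 0 at some depth), a listener that never gets to the certificate exchange, and, as in the post, a handshake the server abandons after the chain has already been accepted.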
From nicholas.byrne at quadriga.com Wed Nov 22 18:48:38 2006
From: nicholas.byrne at quadriga.com (Nicholas Byrne)
Date: Wed, 22 Nov 2006 18:48:38 +0000
Subject: [Fedora-directory-users] AD problem
In-Reply-To: <45646DC4.5080906@quadriga.com>
References: <45644AA1.3040409@quadriga.com> <45646DC4.5080906@quadriga.com>
Message-ID: <45649B86.7020803@quadriga.com>

Just for the record, I still haven't got the command line query to work against AD over SSL/port 636; however, the good news is that I used the "New Windows Sync Agreement" in FDS and successfully synchronised over SSL and port 636 with a windows 2003 active directory server. Now for password sync!

Nick

Nicholas Byrne wrote:
> I also attempted to use the ldp utility on another PC running windows
> XP to query the AD server using ldaps. But no luck here either. Since
> i can connect using ldp util when it is running on the AD server over
> ssl port 636 something must be stopping remote queries on that port,
> any ideas?
>
> Thanks
> Nick

From prowley at redhat.com Wed Nov 22 19:10:41 2006
From: prowley at redhat.com (Pete Rowley)
Date: Wed, 22 Nov 2006 11:10:41 -0800
Subject: [Fedora-directory-users] LDAP search issue.
In-Reply-To: <408162380611220041t1a25724bsd8e66fe21f6c6f68@mail.gmail.com>
References: <408162380611220041t1a25724bsd8e66fe21f6c6f68@mail.gmail.com>
Message-ID: <4564A0B1.5050908@redhat.com>

A G wrote:
> Hello;
> I am using Fedora Directory Server 1.0.2.
>
> I have a question on LDAP search issue.
> I want to disable full search on the LDAP tree.
>
> Eg:
>
> My LDAP Tree is:
>
> cn=John Smith, o=Dept1, c=US
> cn=Ann Adams, o=Dept1, c=US
>
> I want to deny to read full listing of the tree but only allow when
> the search condition meets only the required person.
> In the example above I want nobody to be listed. But when the search
> criteria is "c=US, o=Dept1, cn=Ann Adams" this entry must be listed.
> When a search on "c=US" comes, nothing must be listed.
>
> What is the correct Access Control Information for this request??
It is not possible to define this; you would need to write a custom pre-op plugin that failed non-base searches.

--
Pete

From sigidwu at gmail.com Thu Nov 23 04:09:36 2006
From: sigidwu at gmail.com (sigid@JINLab)
Date: Thu, 23 Nov 2006 11:09:36 +0700
Subject: [Fedora-directory-users] FDS - using one password for Samba and Linux accounts
Message-ID: <45651F00.80208@gmail.com>

Saravana Kumar wrote:
> Hi List,
>
> I have FDS configured in the server. There are windows and Linux client in
> our network. Windows users also have Linux.
>
> Linux clients are authenticating to fds. Samba server is running in a
> different server and refers to the fds server(ldapbackend). For windows i
> had to create a separate password with smbpasswd -a username for each user
> which means samba password can be different from Linux password. Also the
> password policy doesn't apply to the smbpasswd i create.
>
> Is there a way to use one password for both windows and linux logins?

It seems impossible. Btw, on my system (postfix+dovecot+squirrelmail+FDS+samba) I'm having the same problem. On the sysadmin side that should be no problem at all, because by using webmin the userPassword and sambaNTPassword+sambaLMPassword are always synchronised. The problem was on the user side (windows user): when they change their password it only changes sambaNTPassword and sambaLMPassword. This problem should be solved too by using the options "unix password sync" + "passwd program" + "passwd chat" on samba so that userPassword can be synced, but I'm having the error message "you do not have permission to change password". In the samba guidance, when "unix password sync" is set to "yes" the "passwd program" must be run as root, but I can not find any guidance on how to run it with root permission.

Does anyone know how to solve this problem?

Thanks
sigid

From jean-baptiste.charpentier at businessdecision.com Fri Nov 24 10:30:26 2006
From: jean-baptiste.charpentier at businessdecision.com (Jean-Baptiste CHARPENTIER)
Date: Fri, 24 Nov 2006 11:30:26 +0100
Subject: [Fedora-directory-users] PassSync with Multi global catalog
Message-ID: <002501c70fb3$8ea5ed70$4102000a@BETD.FR>

Hello,

I have three domain controllers. Each controller has a global catalog, but they are on the same domain. I use PassSync only to synchronise passwords from Active Directory to Fedora Directory. Sync is OK only when I deploy PassSync on each domain controller. Is it normal?

Thanks for your help.

Jean-Baptiste CHARPENTIER
From Darren.Paxton at mercer.com Fri Nov 24 14:56:07 2006
From: Darren.Paxton at mercer.com (Paxton, Darren)
Date: Fri, 24 Nov 2006 14:56:07 -0000
Subject: [Fedora-directory-users] Extracting details from Active Directory to FDS
Message-ID: <52F7C07B119CF4439B7EFBFE0FB3256B027CBA2D@eidwpexms06.mercer.com>

Hi all,

I've been tinkering with integrating our Linux devices into our AD domain for some time and I've hit a few brick walls; however, I've recently discovered FDS and the synchronisation features with AD. I've managed to set up a few replication jobs; however, due to the extensive nature of our AD, I've realised that the sync only takes the group and user objects from the OU or CN being specified. Is there any way I can specify that it should traverse all subtrees of an OU and extract all that information back into FDS?

Thanks
Darren

--
Darren Paxton
EMEA Tier2
Red Hat Certified Engineer
VMware Certified Professional
MGTI Centralised ops

From kylet at panix.com Sat Nov 25 01:39:13 2006
From: kylet at panix.com (Kyle Tucker)
Date: Fri, 24 Nov 2006 20:39:13 -0500 (EST)
Subject: [Fedora-directory-users] Replication credentials issue
Message-ID: <200611250139.kAP1dDP03732@panix1.panix.com>

Hi all,

I've been all day trying to get simple single master to one consumer going on a pair of 1.0.4 FDS systems and I can't get past the authentication credentials. I've gone over this 20 times today from scratch, and it won't go. I've even redone my procedures on my test boxes and they work fine. Both the replication wizard and the consumer initialization fail (if I force the wizard to accept and go on). There is no firewall issue, and tcpdump and ldapsearch get to the consumer machine. Consumer is RHEL 4. Here are the LDIFs I used. Can I use ldapsearch to test binding to this entry to try and debug what's up?

On an aside, the Redhat/Fedora documents for adding this entry are very vague and don't have any information about most of these attributes. It didn't appear one could even get this working *without* using LDIF files. Anyway, any help would be great. Thanks.

dn: cn=replica, cn="dc=acme,dc=com", cn=mapping tree, cn=config
changetype: add
objectClass: nsDS5Replica
objectClass: top
cn: replica
nsDS5ReplicaBindDN: cn=Replication Manager, cn=config
nsDS5ReplicaRoot: dc=acme,dc=com
nsDS5Flags: 0
nsDS5ReplicaType: 2
nsDS5ReplicaId: 1

dn: cn=Replication Manager, cn=config
changetype: add
cn: Replication Manager
sn: replication
objectClass: top
objectClass: person
userPassword: xxxxx

--
- Kyle
---------------------------------------------
kylet at panix.com    http://www.panix.com/~kylet
---------------------------------------------

From koniczynek at uaznia.net Sat Nov 25 07:21:16 2006
From: koniczynek at uaznia.net (koniczynek)
Date: Sat, 25 Nov 2006 08:21:16 +0100
Subject: [Fedora-directory-users] Replication credentials issue
In-Reply-To: <200611250139.kAP1dDP03732@panix1.panix.com>
References: <200611250139.kAP1dDP03732@panix1.panix.com>
Message-ID: <4567EEEC.8010206@uaznia.net>

Kyle Tucker, on 2006-11-25 02:39 wrote:
> dn: cn=Replication Manager, cn=config
> changetype: add
> cn: Replication Manager
> sn: replication
> objectClass: top
> objectClass: person
> userPassword: xxxxx
The 'userPassword' field should be clear text. So, considering that you entered 'xxxxx' in this example, in the wizard you should provide 'xxxxx' as the password. Easiest way to do it: stop your replica, edit dse.ldif (can be found in ./slapd-hostname/config/) and type the password in there in userPassword. Start the replica and run the replication agreement wizard on the master. Initialization should go on without any problems.
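The advice above is about two things that have to line up: the nsDS5ReplicaBindDN in the replica entry must name an entry whose userPassword the wizard is given verbatim, and when they do not line up the consumer's access log shows the supplier's BIND answered with err=49. The following Python is an added example, not code from this list or from Fedora DS, that reads Kyle's two LDIF entries, cross-checks the bind DN against the bind entry and reports how the password is stored, and then pairs BIND and RESULT lines of an FDS access log by (conn, op) to list the failed binds for that DN together with the client address. The LDIF and the log lines are the ones Kyle posts in this thread (the log lines come from his follow-ups); the parse_ldif reader is deliberately minimal (no base64 values, no continuation lines), the REPLICA_TYPES labels are an assumed mapping, and the 12-character minimum is a local policy assumption, not something the server enforces.

```python
import re
from typing import Dict, List

# Kyle's two LDIF entries from this thread, with his placeholder password.
SAMPLE_LDIF = """\
dn: cn=replica, cn="dc=acme,dc=com", cn=mapping tree, cn=config
changetype: add
objectClass: nsDS5Replica
objectClass: top
cn: replica
nsDS5ReplicaBindDN: cn=Replication Manager, cn=config
nsDS5ReplicaRoot: dc=acme,dc=com
nsDS5Flags: 0
nsDS5ReplicaType: 2
nsDS5ReplicaId: 1

dn: cn=Replication Manager, cn=config
changetype: add
cn: Replication Manager
sn: replication
objectClass: top
objectClass: person
userPassword: xxxxx
"""

# Access-log lines from Kyle's follow-up in this thread (the failing consumer).
SAMPLE_ACCESS_LOG = """\
[24/Nov/2006:17:26:56 -0800] conn=23 fd=64 slot=64 connection from 10.1.100.186 to 10.1.109.203
[24/Nov/2006:17:26:56 -0800] conn=23 op=0 BIND dn="cn=Replication Manager,cn=config" method=128 version=3
[24/Nov/2006:17:26:56 -0800] conn=23 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[24/Nov/2006:17:26:56 -0800] conn=23 op=1 UNBIND
[24/Nov/2006:17:26:56 -0800] conn=23 op=1 fd=64 closed - U1
"""

LDAP_RESULT_NAMES = {0: "success", 13: "confidentiality required", 49: "invalid credentials"}
REPLICA_TYPES = {2: "read-only (consumer)", 3: "updatable (master or hub)"}  # assumed mapping
MIN_BIND_PASSWORD_LEN = 12  # local policy assumption, not enforced by the server
ACCESS_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' lines,
    attribute names lower-cased. No base64 values or continuation lines."""
    entries, current = [], {}
    for raw in text.splitlines() + [""]:
        line = raw.rstrip()
        if not line:
            if current:
                entries.append(current)
                current = {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries


def normalize_dn(dn: str) -> str:
    """Compare DNs the way the log and the LDIF write them: case-insensitive,
    no whitespace around the commas."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def check_replication_ldif(entries: List[Dict[str, List[str]]]) -> List[str]:
    """Cross-check every nsDS5Replica entry against the bind entry it names."""
    findings = []
    by_dn = {normalize_dn(e["dn"][0]): e for e in entries if "dn" in e}
    for e in entries:
        if "nsds5replica" not in {c.lower() for c in e.get("objectclass", [])}:
            continue
        rtype = int(e.get("nsds5replicatype", ["-1"])[0])
        findings.append("replica type %d = %s" % (rtype, REPLICA_TYPES.get(rtype, "unknown")))
        bind_dn = e.get("nsds5replicabinddn", [""])[0]
        target = by_dn.get(normalize_dn(bind_dn))
        if target is None:
            findings.append("bind DN %r is not defined in this LDIF; it must already exist on the consumer" % bind_dn)
            continue
        pw = target.get("userpassword", [""])[0]
        if not pw:
            findings.append("bind entry %r has no userPassword" % bind_dn)
        elif pw.startswith("{"):
            findings.append("bind entry %r carries a pre-hashed userPassword (%s}); the advice in this "
                            "thread is a clear-text value in dse.ldif, with that same value given to the wizard"
                            % (bind_dn, pw.split("}")[0]))
        else:
            findings.append("bind entry %r: clear-text userPassword; give exactly this value to the wizard" % bind_dn)
        if len(pw) < MIN_BIND_PASSWORD_LEN:
            findings.append("bind entry %r: password shorter than %d characters" % (bind_dn, MIN_BIND_PASSWORD_LEN))
    return findings


def scan_access_log(text: str, bind_dn: str) -> List[Dict]:
    """Pair BIND and RESULT lines by (conn, op) and return the failed binds for
    bind_dn, with the client address taken from the connection line."""
    wanted = normalize_dn(bind_dn)
    conn_src, pending, failures = {}, {}, []
    for line in text.splitlines():
        m = ACCESS_RE.match(line.strip())
        if not m:
            continue
        conn, rest = int(m.group("conn")), m.group("rest")
        src = re.search(r"connection from (\S+) to", rest)
        if src:
            conn_src[conn] = src.group(1)
            continue
        op_m = re.match(r"op=(\d+) (\w+)(.*)$", rest)
        if not op_m:
            continue
        op, kind, tail = int(op_m.group(1)), op_m.group(2), op_m.group(3)
        if kind == "BIND":
            dn_m = re.search(r'dn="([^"]*)"', tail)
            method_m = re.search(r"method=(\d+)", tail)
            pending[(conn, op)] = {"dn": dn_m.group(1) if dn_m else "",
                                   "method": int(method_m.group(1)) if method_m else None}
        elif kind == "RESULT" and (conn, op) in pending:
            bind = pending.pop((conn, op))
            err = int(re.search(r"err=(\d+)", tail).group(1))
            if err != 0 and normalize_dn(bind["dn"]) == wanted:
                failures.append({"ts": m.group("ts"), "conn": conn, "op": op, "dn": bind["dn"],
                                 "err": err, "reason": LDAP_RESULT_NAMES.get(err, "unknown"),
                                 "simple_bind": bind["method"] == 128,  # method=128 is a simple bind
                                 "src": conn_src.get(conn)})
    return failures
```

The log half is the detection a consumer should run routinely, not only while the agreement is being set up: repeated err=49 for the replication bind DN from an address that is not a known supplier is worth an alert on its own, and simple_bind tells you whether that password is travelling in the clear.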
From kylet at panix.com Sat Nov 25 13:28:59 2006
From: kylet at panix.com (Kyle Tucker)
Date: Sat, 25 Nov 2006 08:28:59 -0500 (EST)
Subject: [Fedora-directory-users] Replication credentials issue
In-Reply-To: <4567EEEC.8010206@uaznia.net>
Message-ID: <200611251328.kA PDSxr04486@panix1.panix.com>

> Kyle Tucker, on 2006-11-25 02:39 wrote:
> > dn: cn=Replication Manager, cn=config
> > changetype: add
> > cn: Replication Manager
> > sn: replication
> > objectClass: top
> > objectClass: person
> > userPassword: xxxxx
> 'userPassword' field should be clear text. So considering that you
> entered 'xxxxx' in this example, in the wizard you should provide
> 'xxxxx' as a password. Easiest way to do it: stop your replica, edit
> dse.ldif (can be found in ./slapd-hostname/config/) and type password in
> there in the userPassword. Start replica and run replication agreement
> wizard on the master. Initialization should go on without any problems.

I put xxxxx in this just as an example. Oddly, on my working test servers (1.0.3 on FC5), I used a {SSHA} password in my LDIF and it worked without a hitch all 3 times I've set up replication there. I did put in clear text in the non-working production sets. If it's of any help, here are the entries in the access logs, although I'd guess there's nothing revelational here.

[24/Nov/2006:17:26:56 -0800] conn=23 fd=64 slot=64 connection from 10.1.100.186 to 10.1.109.203
[24/Nov/2006:17:26:56 -0800] conn=23 op=0 BIND dn="cn=Replication Manager,cn=config" method=128 version=3
[24/Nov/2006:17:26:56 -0800] conn=23 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[24/Nov/2006:17:26:56 -0800] conn=23 op=1 UNBIND
[24/Nov/2006:17:26:56 -0800] conn=23 op=1 fd=64 closed - U1

From kylet at panix.com Sat Nov 25 13:41:15 2006
From: kylet at panix.com (Kyle Tucker)
Date: Sat, 25 Nov 2006 08:41:15 -0500 (EST)
Subject: [Fedora-directory-users] Replication credentials issue
In-Reply-To: <200611251328.kAPDSxr04486@panix1.panix.com>
Message-ID: <200611251341.kAPDfF504793@panix1.panix.com>

> > > userPassword: xxxxx
> > 'userPassword' field should be clear text. So considering that you
> > entered 'xxxxx' in this example, in the wizard you should provide
> > 'xxxxx' as a password. Easiest way to do it: stop your replica, edit
> > dse.ldif (can be found in ./slapd-hostname/config/) and type password in
> > there in the userPassword. Start replica and run replication agreement
> > wizard on the master. Initialization should go on without any problems.

I stopped the service, edited the password in clear in the userPassword field, re-input the password on the master, and got the same errors. The error from the initialize consumer action is:

The consumer initialization has unsuccessfully completed. The error received by the replica is: '49 - LDAP error: Invalid credentials'.
The corresponding log entry is the same:

[25/Nov/2006:05:37:17 -0800] conn=1 op=0 BIND dn="cn=Replication Manager,cn=config" method=128 version=3
[25/Nov/2006:05:37:17 -0800] conn=1 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[25/Nov/2006:05:37:17 -0800] conn=1 op=1 UNBIND
[25/Nov/2006:05:37:17 -0800] conn=1 op=1 fd=64 closed - U1

So how to debug this is the next step, it seems. Thanks.

-- 
- Kyle

From kylet at panix.com Sat Nov 25 13:58:39 2006
From: kylet at panix.com (Kyle Tucker)
Date: Sat, 25 Nov 2006 08:58:39 -0500 (EST)
Subject: [Fedora-directory-users] Replication credentials issue
In-Reply-To: <200611251341.kAPDfF504793@panix1.panix.com>
Message-ID: <200611251358.kAPDweI02716@panix1.panix.com>

> I stopped the service, edited the password in clear in the userPassword
> field, re-entered the password on the master, and got the same errors.
> The error from the initialize consumer action is:

For grins, I stopped the master as well, edited its dse.ldif and changed it to clear (it was in DES method) and voila - it all took off and synched up. I checked my working test master and consumer and they were in DES and SSHA respectively, again always working from the onset. I'll leave it to the developers to take anything from this. Thanks for the pointer to dse.ldif.

-- 
- Kyle

From subhash.gada at logicacmg.com Mon Nov 27 07:36:30 2006
From: subhash.gada at logicacmg.com (Gada, Subhash)
Date: Mon, 27 Nov 2006 13:06:30 +0530
Subject: [Fedora-directory-users] migrate from NIS to Fedora DS
Message-ID: <0139539A634FD04A99C9B8880AB70CB2033DFAF3@in-ex004.groupinfra.com>

Hi All,

Can anyone point me to a script which migrates NIS password, group and host files to LDIF files compatible with Fedora DS?
How can we create a template like the one existing for creating a person?

Regards,
Subhash.

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.

From ebeda at udsm.ac.tz Mon Nov 27 12:13:25 2006
From: ebeda at udsm.ac.tz (Eric Beda)
Date: Mon, 27 Nov 2006 15:13:25 +0300 (EAT)
Subject: [Fedora-directory-users] access control lists help needed
Message-ID: <2404.82.206.143.69.1164629605.squirrel@www.uccmail.co.tz>

Hi,

I am trying to set up dovecot, with virtual domains, to authenticate via LDAP. Following the tutorial I was reading, I had to set up an access list that allows the dovecot-auth user the privilege to read passwords. How do I set that up?

From rmeggins at redhat.com Mon Nov 27 16:53:00 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 27 Nov 2006 09:53:00 -0700
Subject: [Fedora-directory-users] migrate from NIS to Fedora DS
In-Reply-To: <0139539A634FD04A99C9B8880AB70CB2033DFAF3@in-ex004.groupinfra.com>
References: <0139539A634FD04A99C9B8880AB70CB2033DFAF3@in-ex004.groupinfra.com>
Message-ID: <456B17EC.7020303@redhat.com>

Gada, Subhash wrote:
> Hi All,
>
> Can anyone point me to a script which migrates NIS password, group
> and host files to LDIF files compatible with Fedora DS?
>
http://directory.fedora.redhat.com/wiki/Howto:MigrateToLDAP

> How can we create a template like the one existing for creating a person?
>
You mean, in the console, or in the ds gateway web app?

> Regards,
> Subhash.

From rmeggins at redhat.com Mon Nov 27 16:55:45 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 27 Nov 2006 09:55:45 -0700
Subject: [Fedora-directory-users] Replication credentials issue
In-Reply-To: <200611251358.kAPDweI02716@panix1.panix.com>
References: <200611251358.kAPDweI02716@panix1.panix.com>
Message-ID: <456B1891.90309@redhat.com>

Kyle Tucker wrote:
>> I stopped the service, edited the password in clear in the userPassword
>> field, re-entered the password on the master, and got the same errors.
>> The error from the initialize consumer action is:
>
> For grins, I stopped the master as well, edited its dse.ldif and
> changed it to clear (it was in DES method) and voila - it all took
> off and synched up. I checked my working test master and consumer
> and they were in DES and SSHA respectively, again always working
> from the onset. I'll leave it to the developers to take anything from
> this. Thanks for the pointer to dse.ldif.
>
The consumer should have the cn=Repl Manager user with userPassword as an SSHA hash (or some other secure hash), not cleartext.
The supplier should store the repl manager credentials with the {DES} reversible password encryption type so that it can send the clear text password to the consumer in the BIND request (as is done in the normal LDAP simple BIND request). You can always test this by using the ldapsearch command line tool to attempt to bind using -D "cn=replication manager,cn=config" and the password to the consumer to test the bind and credentials.

From thanhn.tran at amd.com Mon Nov 27 16:48:44 2006
From: thanhn.tran at amd.com (Thanh N. Tran)
Date: Mon, 27 Nov 2006 08:48:44 -0800
Subject: [Fedora-directory-users] migrate from NIS to Fedora DS
In-Reply-To: <0139539A634FD04A99C9B8880AB70CB2033DFAF3@in-ex004.groupinfra.com>
References: <0139539A634FD04A99C9B8880AB70CB2033DFAF3@in-ex004.groupinfra.com>
Message-ID: <456B16EC.60909@cmdmail.amd.com>

Hi Subhash,

The migration scripts are located at /usr/share/openldap/migration

-Thanh

Gada, Subhash wrote:
> Hi All,
>
> Can anyone point me to a script which migrates NIS password, group
> and host files to LDIF files compatible with Fedora DS?
>
> How can we create a template like the one existing for creating a person?
>
> Regards,
> Subhash.

-- 
Email: thanhn.tran at amd.com
Watt: (800) 538-8450 X45467
Phone: (408) 749 5467
Thanh Nhat Tran - MPDCA - AMD

From kylet at panix.com Mon Nov 27 17:57:45 2006
From: kylet at panix.com (Kyle Tucker)
Date: Mon, 27 Nov 2006 12:57:45 -0500 (EST)
Subject: [Fedora-directory-users] Replication credentials issue
In-Reply-To: <456B1891.90309@redhat.com>
Message-ID: <200611271757.kARHvjb11373@panix3.panix.com>

> Kyle Tucker wrote:
> > For grins, I stopped the master as well, edited its dse.ldif and
> > changed it to clear (it was in DES method) and voila - it all took
> > off and synched up. I checked my working test master and consumer
> > and they were in DES and SSHA respectively, again always working
> > from the onset. I'll leave it to the developers to take anything from
> > this. Thanks for the pointer to dse.ldif.
> >
> The consumer should have the cn=Repl Manager user with userPassword as
> an SSHA hash (or some other secure hash), not cleartext. The supplier
> should store the repl manager credentials with the {DES} reversible
> password encryption type so that it can send the clear text password to
> the consumer in the BIND request (as is done in the normal LDAP simple
> BIND request). You can always test this by using the ldapsearch command
> line tool to attempt to bind using -D "cn=replication manager,cn=config"
> and the password to the consumer to test the bind and credentials.

Yes, but it wouldn't work in this configuration using DES->SSHA with 1.0.4 on RHEL, whereas it did in several tests on 1.0.3 on FC5.
It wouldn't even work DES->clear. I did not try clear->SSHA. I have to set up 2 more consumers, so I will try all possible combinations when I do those and follow up.

-- 
- Kyle

From matt_stucky-work at ntm.org.pg Tue Nov 28 00:55:58 2006
From: matt_stucky-work at ntm.org.pg (Matt Stucky (Office))
Date: Tue, 28 Nov 2006 10:55:58 +1000
Subject: [Fedora-directory-users] Samba LDAP password sync
Message-ID: <456B891E.8050108@ntm.org.pg>

Hi All,

I've set up FDS as the LDAP back end for a Samba PDC. It is working well, but I'm having a problem with Windows users changing their password from Windows. When I use "ldap passwd sync = yes" (in the samba config) Windows users receive an error message when they attempt to change their password. What actually happens is their Samba/NT passwords are changed, but the posix password is not. If I use "ldap passwd sync = no" (default) then the users can successfully change their passwords but, as per the smb.conf man page, only the Samba/NT passwords are changed, not the posix password. I have FDS, the User Admin tool (Webmin - LDAP users and Groups), and /etc/ldap.conf set to use MD5 for password hashing.

If, on the server, I run "smbpasswd test_user" and attempt to change a user's password that way, it gives me the error:
---------------
ldapsam_modify_entry: LDAP Password could not be changed for user test_user: Confidentiality required
Operation requires a secure connection.

Failed to modify entry for user test_user.
Failed to modify password entry for user test_user
---------------

It looks like FDS requires SSL in order for a user's posix password to be changed from Samba/Windows. I need to have the Samba and posix passwords synchronized. Do I need to set up SSL for that to work, or is there something else I am missing?
I found a post where someone used "unix password sync = yes" with smbldap-passwd for the password program as a workaround for this same problem, but I would prefer the tidier and simpler "ldap passwd sync = yes". Has anyone run into this and figured out how to make it work?

- Matt

From craigwhite at azapple.com Tue Nov 28 01:04:21 2006
From: craigwhite at azapple.com (Craig White)
Date: Mon, 27 Nov 2006 18:04:21 -0700
Subject: [Fedora-directory-users] Samba LDAP password sync
In-Reply-To: <456B891E.8050108@ntm.org.pg>
References: <456B891E.8050108@ntm.org.pg>
Message-ID: <1164675861.16796.7.camel@lin-workstation.azapple.com>

On Tue, 2006-11-28 at 10:55 +1000, Matt Stucky (Office) wrote:
> I've set up FDS as the LDAP back end for a Samba PDC. It is working
> well, but I'm having a problem with Windows users changing their
> password from Windows. When I use "ldap passwd sync = yes" (in the
> samba config) Windows users receive an error message when they attempt
> to change their password. What actually happens is their Samba/NT
> passwords are changed, but the posix password is not.
>
> It looks like FDS requires SSL in order for a user's posix password to
> be changed from Samba/Windows. I need to have the Samba and posix
> passwords synchronized. Do I need to set up SSL for that to work, or is
> there something else I am missing? I found a post where someone used
> "unix password sync = yes" with smbldap-passwd for the password program
> as a workaround for this same problem, but I would prefer the tidier and
> simpler "ldap passwd sync = yes". Has anyone run into this and figured
> out how to make it work?
----
my guess is that you have something wrong with your 'password chat script' in smb.conf or possibly something amiss in smbldap configuration because it does work.

Craig

From matt_stucky-work at ntm.org.pg Tue Nov 28 01:28:10 2006
From: matt_stucky-work at ntm.org.pg (Matt Stucky (Office))
Date: Tue, 28 Nov 2006 11:28:10 +1000
Subject: [Fedora-directory-users] Samba LDAP password sync
In-Reply-To: <1164675861.16796.7.camel@lin-workstation.azapple.com>
References: <456B891E.8050108@ntm.org.pg> <1164675861.16796.7.camel@lin-workstation.azapple.com>
Message-ID: <456B90AA.8030906@ntm.org.pg>

As I understand it, the password chat is only used with "unix password sync" and is not used with "ldap passwd sync". Are you using MD5 for your passwords?

-Matt

Craig White wrote:
> my guess is that you have something wrong with your 'password chat
> script' in smb.conf or possibly something amiss in smbldap configuration
> because it does work.
>
> Craig

From craigwhite at azapple.com Tue Nov 28 02:09:47 2006
From: craigwhite at azapple.com (Craig White)
Date: Mon, 27 Nov 2006 19:09:47 -0700
Subject: [Fedora-directory-users] Samba LDAP password sync
In-Reply-To: <456B90AA.8030906@ntm.org.pg>
References: <456B891E.8050108@ntm.org.pg> <1164675861.16796.7.camel@lin-workstation.azapple.com> <456B90AA.8030906@ntm.org.pg>
Message-ID: <1164679787.16796.15.camel@lin-workstation.azapple.com>

On Tue, 2006-11-28 at 11:28 +1000, Matt Stucky (Office) wrote:
> As I understand it, the password chat is only used with "unix password
> sync" and is not used with "ldap passwd sync".
----
I missed that detail - I use unix password sync and have never used ldap password sync and thus the chat.
----
>
> Are you using MD5 for your passwords?
----
no - crypt
----
> -Matt
----
Craig
From craigwhite at azapple.com Tue Nov 28 02:30:02 2006
From: craigwhite at azapple.com (Craig White)
Date: Mon, 27 Nov 2006 19:30:02 -0700
Subject: [Fedora-directory-users] Samba LDAP password sync
In-Reply-To: <1164679787.16796.15.camel@lin-workstation.azapple.com>
References: <456B891E.8050108@ntm.org.pg> <1164675861.16796.7.camel@lin-workstation.azapple.com> <456B90AA.8030906@ntm.org.pg> <1164679787.16796.15.camel@lin-workstation.azapple.com>
Message-ID: <1164681002.16796.24.camel@lin-workstation.azapple.com>

On Mon, 2006-11-27 at 19:09 -0700, Craig White wrote:
> On Tue, 2006-11-28 at 11:28 +1000, Matt Stucky (Office) wrote:
> > As I understand it, the password chat is only used with "unix password
> > sync" and is not used with "ldap passwd sync".
> ----
> I missed that detail - I use unix password sync and have never used ldap
> password sync and thus the chat.
> ----
> >
> > Are you using MD5 for your passwords?
> ----
> no - crypt
----
correction...on the system that I am using with fedora directory server, I see that it is using md5

Craig

> ----
> > -Matt
> ----
> Craig
> ----

From subhash.gada at logicacmg.com Tue Nov 28 06:02:21 2006
From: subhash.gada at logicacmg.com (Gada, Subhash)
Date: Tue, 28 Nov 2006 11:32:21 +0530
Subject: [Fedora-directory-users] migrate from NIS to Fedora DS
Message-ID: <0139539A634FD04A99C9B8880AB70CB20341B701@in-ex004.groupinfra.com>

In the java console.

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard Megginson
Sent: Monday, November 27, 2006 10:23 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] migrate from NIS to Fedora DS

Gada, Subhash wrote:
> Hi All,
>
> Can anyone point me to a script which migrates NIS password, group
> and host files to LDIF files compatible with Fedora DS?
>
http://directory.fedora.redhat.com/wiki/Howto:MigrateToLDAP

> How can we create a template like the one existing for creating a person?
>
You mean, in the console, or in the ds gateway web app?

> Regards,
> Subhash.
From rmeggins at redhat.com Tue Nov 28 14:18:26 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 28 Nov 2006 07:18:26 -0700
Subject: [Fedora-directory-users] migrate from NIS to Fedora DS
In-Reply-To: <0139539A634FD04A99C9B8880AB70CB20341B701@in-ex004.groupinfra.com>
References: <0139539A634FD04A99C9B8880AB70CB20341B701@in-ex004.groupinfra.com>
Message-ID: <456C4532.9060906@redhat.com>

Gada, Subhash wrote:
> In the java console.
>
You'll have to write some Java code in order to do this. See
http://cvs.fedora.redhat.com/viewcvs/console/examples/customview/?root=dirsec

> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com
> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard
> Megginson
> Sent: Monday, November 27, 2006 10:23 PM
> To: General discussion list for the Fedora Directory server project.
> Subject: Re: [Fedora-directory-users] migrate from NIS to Fedora DS
>
> Gada, Subhash wrote:
>> How can we create a template like the one existing for creating a
>> person?
>>
> You mean, in the console, or in the ds gateway web app?

From joerg at schoppet.de Tue Nov 28 14:28:55 2006
From: joerg at schoppet.de (Joerg Schoppet)
Date: Tue, 28 Nov 2006 15:28:55 +0100
Subject: [Fedora-directory-users] Authentication through Active Directory
Message-ID: <456C47A7.3080109@schoppet.de>

Hi all,

I'm on an account with a bigger company, which uses Microsoft Active Directory for user management and authentication. Now we need to store some additional information for a subset of all employees, but the AD administrators do not want to include the required attributes in the company AD. Our plan is now to install "Fedora Directory Server" to hold this additional information. The users, who use a special application, should now connect to this server to retrieve the necessary information, but the authentication should stay in the AD. Is it possible, and if yes how, to configure "Fedora Directory Server" to pass the authentication information to the AD and only let the specific user bind to the directory server if the AD authentication is OK?
Thanks in advance
Joerg Schoppet

From nicholas.byrne at quadriga.com Tue Nov 28 14:46:02 2006
From: nicholas.byrne at quadriga.com (Nicholas Byrne)
Date: Tue, 28 Nov 2006 14:46:02 +0000
Subject: [Fedora-directory-users] Console SSL Problem
Message-ID: <456C4BAA.9060603@quadriga.com>

Hi,

With FDS 1.0.2, I've followed the configuration howto guidelines to set up the Directory Server to use SSL (as per my post a few days ago); however, after configuring the Administration Server and Console to use SSL as well I've run into trouble. The directory server alone works fine with SSL.

The reason I'm trying to get Admin and console working in SSL is so I can set up a secure windows sync agreement; without this all I can do is set up an insecure sync agreement.

The console will not display anything (absolutely no screen or anything) after entering the password and clicking OK in the authentication dialog. There are no messages in the console I started it from.

Before I configured SSL on the admin server and console it was working correctly and displayed the normal Admin server/Directory Server screens.
The console which i'm running using (i also tried admin user): startconsole -u "cn=Directory Manager" -a https://ds01.tech:59910 -x nologo I turned loglevel to debug in the admin server and this is what i see: [Tue Nov 28 14:22:46 2006] [info] Connection to child 30 established (server ds01.tech:443, client 10.170.99.22) [Tue Nov 28 14:22:47 2006] [notice] [client 10.170.99.22] admserv_host_ip_check: ap_get_remote_host could not resolve 10.170.99.22 [Tue Nov 28 14:22:47 2006] [info] Initial (No.1) HTTPS request received for child 30 (server ds01.tech:443) [Tue Nov 28 14:22:47 2006] [debug] mod_admserv.c(2518): [client 10.170.99.22] checking user cache for: cn=Directory Manager [Tue Nov 28 14:22:47 2006] [debug] mod_admserv.c(2525): [client 10.170.99.22] not in cache, trying DS [Tue Nov 28 14:22:47 2006] [debug] mod_admserv.c(1480): [client 10.170.99.22] admserv_check_authz: request for uri [/admin-serv/authenticate] [Tue Nov 28 14:22:47 2006] [notice] [client 10.170.99.22] admserv_check_authz(): passing [/admin-serv/authenticate] to the userauth handler [Tue Nov 28 14:22:47 2006] [info] Connection to child 30 closed (server ds01.tech:443, client 10.170.99.22) In the slapd log i see: [28/Nov/2006:14:22:46 +0000] conn=51 fd=65 slot=65 SSL connection from 10.170.99.22 to 10.103.20.21 [28/Nov/2006:14:22:46 +0000] conn=51 SSL 128-bit RC4 [28/Nov/2006:14:22:46 +0000] conn=51 op=0 BIND dn="cn=Directory Manager" method=128 version=3 [28/Nov/2006:14:22:46 +0000] conn=51 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager" [28/Nov/2006:14:22:46 +0000] conn=52 fd=64 slot=64 SSL connection from 10.170.99.22 to 10.103.20.21 [28/Nov/2006:14:32:04 +0000] conn=52 op=-1 fd=64 closed - Encountered end of file. Anyone know how i can fix this? Thanks very much Nick This e-mail is the property of Quadriga Worldwide Ltd, intended for the addressee only and confidential. Any dissemination, copying or distribution of this message or any attachments is strictly prohibited. 
If you have received this message in error, please notify us immediately by replying to the message and deleting it from your computer. Messages sent to and from Quadriga may be monitored. Quadriga cannot guarantee any message delivery method is secure or error-free. Information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. We do not accept responsibility for any errors or omissions in this message and/or attachment that arise as a result of transmission. You should carry out your own virus checks before opening any attachment. Any views or opinions presented are solely those of the author and do not necessarily represent those of Quadriga.

From joshkel at gmail.com Tue Nov 28 14:58:47 2006
From: joshkel at gmail.com (Josh Kelley)
Date: Tue, 28 Nov 2006 09:58:47 -0500
Subject: [Fedora-directory-users] FDS - using one password for Samba and Linux accounts
In-Reply-To: <45651F00.80208@gmail.com>
References: <45651F00.80208@gmail.com>
Message-ID: <97cbd1a90611280658i604db8fbx940f404aacdf6deb@mail.gmail.com>

On 11/22/06, sigid at JINLab wrote:
> on sysadmin side that should be no problem at all because by using
> webmin the userPassword and sambaNTPassword+sambaLMPassword is always
> synchronized.
>
> the problem was on user side (windows user), when they change their
> password it only change sambaNTPassword and sambaLMPassword. this
> problem should be solved too by using option "unix password
> sync"+"passwd program"+"passwd chat" on samba so that userPassword can
> be sync.
> but i'm having error message "you do not have permission to change
> password".

Try using Samba's "ldap password sync" option rather than the "unix password sync" option.
Josh Kelley

From rmeggins at redhat.com Tue Nov 28 15:20:45 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 28 Nov 2006 08:20:45 -0700
Subject: [Fedora-directory-users] Console SSL Problem
In-Reply-To: <456C4BAA.9060603@quadriga.com>
References: <456C4BAA.9060603@quadriga.com>
Message-ID: <456C53CD.6090606@redhat.com>

Nicholas Byrne wrote:
> Hi,
>
> With FDS 1.0.2, I've followed the configuration howto guide lines to
> setup the Directory Server to use SSL (as per my post a few days ago)
> however after configuring the Administration Server and Console to use
> SSL as well i've run into trouble. The directory server alone works
> fine with SSL.
>
> The reason i'm trying to get Admin and console working in SSL is so i
> can setup a secure windows sync agreement, without this all i can do
> is setup a insecure sync agreement.
But you don't have to get Admin and console working with SSL in order to set up a windows sync agreement with SSL. Do the docs say you have to do this? If so, where?
>
> The console will not display anything (absolutely no screen or
> anything) after entering password and clicking OK in the
> authentication dialog. There are no messages in the console i started
> it on.
startconsole -D will give you debug information, and startconsole -D 9 will give you everything.
>
> Before i configured the SSL on the admin server and console it was
> working correctly and displayed the normal Admin server/Directory
> Server screens.
>
> The console which i'm running using (i also tried admin user):
>
> startconsole -u "cn=Directory Manager" -a https://ds01.tech:59910 -x
> nologo
>
> I turned loglevel to debug in the admin server and this is what i see:
>
> [Tue Nov 28 14:22:46 2006] [info] Connection to child 30 established
> (server ds01.tech:443, client 10.170.99.22)
> [Tue Nov 28 14:22:47 2006] [notice] [client 10.170.99.22]
> admserv_host_ip_check: ap_get_remote_host could not resolve 10.170.99.22
> [Tue Nov 28 14:22:47 2006] [info] Initial (No.1) HTTPS request
> received for child 30 (server ds01.tech:443)
> [Tue Nov 28 14:22:47 2006] [debug] mod_admserv.c(2518): [client
> 10.170.99.22] checking user cache for: cn=Directory Manager
> [Tue Nov 28 14:22:47 2006] [debug] mod_admserv.c(2525): [client
> 10.170.99.22] not in cache, trying DS
> [Tue Nov 28 14:22:47 2006] [debug] mod_admserv.c(1480): [client
> 10.170.99.22] admserv_check_authz: request for uri
> [/admin-serv/authenticate]
> [Tue Nov 28 14:22:47 2006] [notice] [client 10.170.99.22]
> admserv_check_authz(): passing [/admin-serv/authenticate] to the
> userauth handler
> [Tue Nov 28 14:22:47 2006] [info] Connection to child 30 closed
> (server ds01.tech:443, client 10.170.99.22)
This looks ok, except for the log shows port 443 and you are using port 59910.
>
> In the slapd log i see:
>
> [28/Nov/2006:14:22:46 +0000] conn=51 fd=65 slot=65 SSL connection from
> 10.170.99.22 to 10.103.20.21
> [28/Nov/2006:14:22:46 +0000] conn=51 SSL 128-bit RC4
> [28/Nov/2006:14:22:46 +0000] conn=51 op=0 BIND dn="cn=Directory
> Manager" method=128 version=3
> [28/Nov/2006:14:22:46 +0000] conn=51 op=0 RESULT err=0 tag=97
> nentries=0 etime=0 dn="cn=directory manager"
This looks like the /admin-serv/authenticate request as logged in the admin server.
> [28/Nov/2006:14:22:46 +0000] conn=52 fd=64 slot=64 SSL connection from
> 10.170.99.22 to 10.103.20.21
> [28/Nov/2006:14:32:04 +0000] conn=52 op=-1 fd=64 closed - Encountered
> end of file.
This looks like the console is attempting to use ldap on the ldaps port. I think you need to tell the console to use SSL when talking to this directory server - http://directory.fedora.redhat.com/wiki/Howto:SSL#Using_the_command_line
>
> Anyone know how i can fix this? Thanks very much
> Nick
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From glenn at mail.txwes.edu Tue Nov 28 17:01:08 2006
From: glenn at mail.txwes.edu (Glenn)
Date: Tue, 28 Nov 2006 11:01:08 -0600
Subject: [Fedora-directory-users] Windows Sync Error
Message-ID: <20061128164612.M79426@mail.txwes.edu>

I'm still trying to get my evaluation copy of Red Hat Directory Server 7.1SP3 to sync with Windows Active Directory.
The latest hitch is an error message following an initial re-synchronization attempt. The Directory Server has a few hundred users imported from a Windows NT domain. The Active Directory server has none of those users, so the initial re-sync should add them to AD. The error occurs when Windows Sync tries to add the first user entry to the Active Directory. The message is:

Attempting to add entry cn=John Doe,ou=Domain Users,dc=ad,dc=example,dc=com to AD for local entry uid=jdoe,ou=people,o=ourorg.com

Followed by:

(ADserver:636): Received result code 21 (00000057: LdapErr: DSID-0C090B38, comment: Error in attribute conversion operation, data 0, vece) for add operation

I would appreciate any insight. Hoping to see if this actually works before the 30-day evaluation runs out. Thanks. -Glenn.

From rmeggins at redhat.com Tue Nov 28 17:09:32 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 28 Nov 2006 10:09:32 -0700
Subject: [Fedora-directory-users] Windows Sync Error
In-Reply-To: <20061128164612.M79426@mail.txwes.edu>
References: <20061128164612.M79426@mail.txwes.edu>
Message-ID: <456C6D4C.5000507@redhat.com>

Glenn wrote:
> I'm still trying to get my evaluation copy of Red Hat Directory Server
> 7.1SP3 to sync with Windows Active Directory. The latest hitch is an error
> message following an initial re-synchronization attempt. The Directory
> Server has a few hundred users imported from a Windows NT domain. The
> Active Directory server has none of those users, so the initial re-sync
> should add them to AD. The error occurs when Windows Sync tries to add the
> first user entry to the Active Directory.
> The message is:
>
> Attempting to add entry cn=John Doe,ou=Domain Users,dc=ad,dc=example,dc=com
> to AD for local entry uid=jdoe,ou=people,o=ourorg.com
>
> Followed by:
>
> (ADserver:636): Received result code 21 (00000057: LdapErr: DSID-0C090B38,
> comment: Error in attribute conversion operation, data 0, vece) for add
> operation
>
Error 21 is
#define LDAP_INVALID_SYNTAX 0x15 /* 21 */

So AD thinks one of the attributes sent over has an invalid value that doesn't correspond to the syntax it is expecting, or something like that. It might be helpful if you post the LDIF of the entry it has problems with, being careful to obscure any private data.
> I would appreciate any insight. Hoping to see if this actually works before
> the 30-day evaluation runs out. Thanks. -Glenn.
>

From glenn at mail.txwes.edu Tue Nov 28 17:32:41 2006
From: glenn at mail.txwes.edu (Glenn)
Date: Tue, 28 Nov 2006 11:32:41 -0600
Subject: [Fedora-directory-users] Windows Sync Error
In-Reply-To: <456C6D4C.5000507@redhat.com>
References: <20061128164612.M79426@mail.txwes.edu> <456C6D4C.5000507@redhat.com>
Message-ID: <20061128172828.M30202@mail.txwes.edu>

Posting the log entries near the error, including what appears to be the ldif. Thanks. -G.
[28/Nov/2006:10:37:08 -0600] - Windows sync entry: Created new remote entry:
dn: cn=John Doe,ou=Domain Users,dc=ad,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: user
userprincipalname: jdoe at ad.example.com
samaccountname: jdoe
mail: jdoe at example.com
userparameters:
description: Reference Librarian
sn: Doe
telephoneNumber: 817-555-1234
codepage:: AAAAAA==
cn: John Doe
userworkstations:
title: Electronic Reference Librarian
homeDirectory:
profilepath:
givenName: John
facsimileTelephoneNumber: 817-555-2345
scriptpath: nt_script.bat

[28/Nov/2006:10:37:08 -0600] - Attempting to add entry cn=John Doe,ou=Domain Users,dc=ad,dc=example,dc=com to AD for local entry uid=jdoe,ou=people, o=ourorg.org
[28/Nov/2006:10:37:08 -0600] NSMMReplicationPlugin - agmt="cn=ldap-ad-5" (boccherini:636): Received result code 21 (00000057: LdapErr: DSID-0C090B38, comment: Error in attribute conversion operation, data 0, vece) for add operation
[28/Nov/2006:10:37:08 -0600] NSMMReplicationPlugin - agmt="cn=ldap-ad-5" (boccherini:636): windows_replay_update: Cannot replay add operation.

---------- Original Message -----------
From: Richard Megginson
To: "General discussion list for the Fedora Directory server project."
Sent: Tue, 28 Nov 2006 10:09:32 -0700
Subject: Re: [Fedora-directory-users] Windows Sync Error

> Glenn wrote:
> > I'm still trying to get my evaluation copy of Red Hat Directory Server
> > 7.1SP3 to sync with Windows Active Directory. The latest hitch is an error
> > message following an initial re-synchronization attempt. The Directory
> > Server has a few hundred users imported from a Windows NT domain. The
> > Active Directory server has none of those users, so the initial re-sync
> > should add them to AD. The error occurs when Windows Sync tries to add the
> > first user entry to the Active Directory.
> > The message is:
> >
> > Attempting to add entry cn=John Doe,ou=Domain Users,dc=ad,dc=example,dc=com
> > to AD for local entry uid=jdoe,ou=people,o=ourorg.com
> >
> > Followed by:
> >
> > (ADserver:636): Received result code 21 (00000057: LdapErr: DSID-0C090B38,
> > comment: Error in attribute conversion operation, data 0, vece) for add
> > operation
> >
> Error 21 is
> #define LDAP_INVALID_SYNTAX 0x15 /* 21 */
>
> So AD thinks one of the attributes sent over has an invalid value
> that doesn't correspond to the syntax it is expecting, or something
> like that. It might be helpful if you post the LDIF of the entry it
> has problems with, being careful to obscure any private data.
> > I would appreciate any insight. Hoping to see if this actually works before
> > the 30-day evaluation runs out. Thanks. -Glenn.
> >

From rmeggins at redhat.com Tue Nov 28 17:46:52 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 28 Nov 2006 10:46:52 -0700
Subject: [Fedora-directory-users] Windows Sync Error
In-Reply-To: <20061128172828.M30202@mail.txwes.edu>
References: <20061128164612.M79426@mail.txwes.edu> <456C6D4C.5000507@redhat.com> <20061128172828.M30202@mail.txwes.edu>
Message-ID: <456C760C.2000006@redhat.com>

Glenn wrote:
> Posting the log entries near the error, including what appears to be the
> ldif. Thanks. -G.
>
> [28/Nov/2006:10:37:08 -0600] - Windows sync entry: Created new remote entry:
> dn: cn=John Doe,ou=Domain Users,dc=ad,dc=example,dc=com
> objectClass: top
> objectClass: person
> objectClass: organizationalperson
> objectClass: user
> userprincipalname: jdoe at ad.example.com
> samaccountname: jdoe
> mail: jdoe at example.com
> userparameters:
> description: Reference Librarian
> sn: Doe
> telephoneNumber: 817-555-1234
> codepage:: AAAAAA==
> cn: John Doe
> userworkstations:
> title: Electronic Reference Librarian
> homeDirectory:
> profilepath:
> givenName: John
> facsimileTelephoneNumber: 817-555-2345
> scriptpath: nt_script.bat
>
> [28/Nov/2006:10:37:08 -0600] - Attempting to add entry cn=John Doe,ou=Domain
> Users,dc=ad,dc=example,dc=com to AD for local entry uid=jdoe,ou=people,
> o=ourorg.org
> [28/Nov/2006:10:37:08 -0600] NSMMReplicationPlugin - agmt="cn=ldap-ad-5"
> (boccherini:636): Received result code 21 (00000057: LdapErr: DSID-0C090B38,
> comment: Error in attribute conversion operation, data 0, vece) for add
> operation
> [28/Nov/2006:10:37:08 -0600] NSMMReplicationPlugin - agmt="cn=ldap-ad-5"
> (boccherini:636): windows_replay_update: Cannot replay add operation.
>
It's hard to tell without knowing which attribute it is complaining about. But I would guess that, since this data has been migrated from NT4, some of the attributes have changed syntax, and MS AD does not like the old values, or perhaps doesn't like the empty values.
>
> ---------- Original Message -----------
> From: Richard Megginson
> To: "General discussion list for the Fedora Directory server project."
> Sent: Tue, 28 Nov 2006 10:09:32 -0700
> Subject: Re: [Fedora-directory-users] Windows Sync Error
>
>> Glenn wrote:
>>> I'm still trying to get my evaluation copy of Red Hat Directory Server
>>> 7.1SP3 to sync with Windows Active Directory. The latest hitch is an
>>> error message following an initial re-synchronization attempt.
>>> The Directory
>>> Server has a few hundred users imported from a Windows NT domain. The
>>> Active Directory server has none of those users, so the initial re-sync
>>> should add them to AD. The error occurs when Windows Sync tries to add
>>> the first user entry to the Active Directory. The message is:
>>>
>>> Attempting to add entry cn=John Doe,ou=Domain Users,dc=ad,dc=example,dc=com
>>> to AD for local entry uid=jdoe,ou=people,o=ourorg.com
>>>
>>> Followed by:
>>>
>>> (ADserver:636): Received result code 21 (00000057: LdapErr: DSID-0C090B38,
>>> comment: Error in attribute conversion operation, data 0, vece) for add
>>> operation
>>>
>> Error 21 is
>> #define LDAP_INVALID_SYNTAX 0x15 /* 21 */
>>
>> So AD thinks one of the attributes sent over has an invalid value
>> that doesn't correspond to the syntax it is expecting, or something
>> like that. It might be helpful if you post the LDIF of the entry it
>> has problems with, being careful to obscure any private data.
>>
>>> I would appreciate any insight. Hoping to see if this actually works
>>> before the 30-day evaluation runs out. Thanks. -Glenn.
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From nicholas.byrne at quadriga.com Tue Nov 28 17:39:07 2006
From: nicholas.byrne at quadriga.com (Nicholas Byrne)
Date: Tue, 28 Nov 2006 17:39:07 +0000
Subject: [Fedora-directory-users] Console SSL Problem
In-Reply-To: <456C53CD.6090606@redhat.com>
References: <456C4BAA.9060603@quadriga.com> <456C53CD.6090606@redhat.com>
Message-ID: <456C743B.9070104@quadriga.com>

Firstly, thanks for your help.
Responding inline below -

Richard Megginson wrote:
> Nicholas Byrne wrote:
>> Hi,
>>
>> With FDS 1.0.2, I've followed the configuration howto guide lines to
>> setup the Directory Server to use SSL (as per my post a few days ago)
>> however after configuring the Administration Server and Console to
>> use SSL as well i've run into trouble. The directory server alone
>> works fine with SSL.
>>
>> The reason i'm trying to get Admin and console working in SSL is so i
>> can setup a secure windows sync agreement, without this all i can do
>> is setup a insecure sync agreement.
> But you don't have to get Admin and console working with SSL in order
> to set up a windows sync agreement with SSL. Do the docs say you have
> to do this? If so, where?
No the docs don't say that explicitly but when setting up a windows sync agreement it doesn't give you the option of changing the supplier - it is set to "ds01.tech:389". The Windows side of the connection is fine as i can specify the connection details. I was following the guide at http://www.redhat.com/docs/manuals/dir-server/ag/7.1/sync.html#2859728 and the image under "step 6" indicates the supplier should be configured as port 636.

I am new to this, so i may have got confused but i thought passwords won't be synchronised unless the FDS supplier and the Windows AD Server are set to use SSL/636. I also realise password changes won't be synced unless passsync is installed and configured on the AD side, but right now that's not necessary as i just want to get basics working.
>>
>> The console will not display anything (absolutely no screen or
>> anything) after entering password and clicking OK in the
>> authentication dialog. There are no messages in the console i started
>> it on.
> startconsole -D will give you debug information, and startconsole -D 9
> will give you everything.
>>
>> Before i configured the SSL on the admin server and console it was
>> working correctly and displayed the normal Admin server/Directory
>> Server screens.
>>
>> The console which i'm running using (i also tried admin user):
>>
>> startconsole -u "cn=Directory Manager" -a https://ds01.tech:59910 -x
>> nologo
>>
>> I turned loglevel to debug in the admin server and this is what i see:
>>
>> [Tue Nov 28 14:22:46 2006] [info] Connection to child 30 established
>> (server ds01.tech:443, client 10.170.99.22)
>> [Tue Nov 28 14:22:47 2006] [notice] [client 10.170.99.22]
>> admserv_host_ip_check: ap_get_remote_host could not resolve 10.170.99.22
>> [Tue Nov 28 14:22:47 2006] [info] Initial (No.1) HTTPS request
>> received for child 30 (server ds01.tech:443)
>> [Tue Nov 28 14:22:47 2006] [debug] mod_admserv.c(2518): [client
>> 10.170.99.22] checking user cache for: cn=Directory Manager
>> [Tue Nov 28 14:22:47 2006] [debug] mod_admserv.c(2525): [client
>> 10.170.99.22] not in cache, trying DS
>> [Tue Nov 28 14:22:47 2006] [debug] mod_admserv.c(1480): [client
>> 10.170.99.22] admserv_check_authz: request for uri
>> [/admin-serv/authenticate]
>> [Tue Nov 28 14:22:47 2006] [notice] [client 10.170.99.22]
>> admserv_check_authz(): passing [/admin-serv/authenticate] to the
>> userauth handler
>> [Tue Nov 28 14:22:47 2006] [info] Connection to child 30 closed
>> (server ds01.tech:443, client 10.170.99.22)
> This looks ok, except for the log shows port 443 and you are using
> port 59910.
Is there a way to fix this? If i'm using https that implies 443 but specifying the port 59910, which has precedence - i assume the port.
If i use http and port 59910 the console with debug shows the server fails to respond:

CommManager> New CommRecord (http://ds01.tech:59910/admin-serv/authenticate)
http://ds01.tech:59910/[0:0] open> Ready
http://ds01.tech:59910/[0:0] accept> http://ds01.tech:59910/admin-serv/authenticate
http://ds01.tech:59910/[0:0] send> GET \
http://ds01.tech:59910/[0:0] send> /admin-serv/authenticate \
http://ds01.tech:59910/[0:0] send> HTTP/1.0
http://ds01.tech:59910/[0:0] send> Host: ds01.tech:59910
http://ds01.tech:59910/[0:0] send> Connection: Keep-Alive
http://ds01.tech:59910/[0:0] send> User-Agent: Fedora-Management-Console/1.0
http://ds01.tech:59910/[0:0] send> Accept-Language: en
http://ds01.tech:59910/[0:0] send> Authorization: Basic \
http://ds01.tech:59910/[0:0] send> \
http://ds01.tech:59910/[0:0] send>
http://ds01.tech:59910/[0:0] send>

With https, i get through the authentication stage at least.
>>
>> In the slapd log i see:
>>
>> [28/Nov/2006:14:22:46 +0000] conn=51 fd=65 slot=65 SSL connection
>> from 10.170.99.22 to 10.103.20.21
>> [28/Nov/2006:14:22:46 +0000] conn=51 SSL 128-bit RC4
>> [28/Nov/2006:14:22:46 +0000] conn=51 op=0 BIND dn="cn=Directory
>> Manager" method=128 version=3
>> [28/Nov/2006:14:22:46 +0000] conn=51 op=0 RESULT err=0 tag=97
>> nentries=0 etime=0 dn="cn=directory manager"
> This looks like the /admin-serv/authenticate request as logged in the
> admin server.
>> [28/Nov/2006:14:22:46 +0000] conn=52 fd=64 slot=64 SSL connection
>> from 10.170.99.22 to 10.103.20.21
>> [28/Nov/2006:14:32:04 +0000] conn=52 op=-1 fd=64 closed - Encountered
>> end of file.
> This looks like the console is attempting to use ldap on the ldaps
> port. I think you need to tell the console to use SSL when talking to
> this directory server -
> http://directory.fedora.redhat.com/wiki/Howto:SSL#Using_the_command_line
I ran through that part of the howto, here is the output below and as you can see "nsServerSecurity" is set to on (i assume this is the bit you mean?)
-

[nick at nblap ~]$ ldapsearch -x -D "cn=directory manager" -W -b o=netscaperoot "nsServerID=slapd-ds01"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: nsServerID=slapd-ds01
# requesting: ALL
#

# slapd-ds01, Fedora Directory Server, Server Group, ds01.tech, tech, Netscap
 eRoot
dn: cn=slapd-ds01, cn=Fedora Directory Server, cn=Server Group, cn=ds01.tech,
 ou=tech, o=NetscapeRoot
objectClass: netscapeServer
objectClass: nsDirectoryServer
objectClass: nsResourceRef
objectClass: nsConfig
objectClass: groupOfUniqueNames
objectClass: top
nsServerSecurity: on
nsServerID: slapd-ds01
nsBindDN: cn=Directory Manager
nsBaseDN: dc=tech
serverRoot: /opt/fedora-ds
nsServerPort: 389
nsSecureServerPort: 636
serverProductName: Directory Server (ds01)
serverVersionNumber: 1.0.2
installationTimeStamp: 20061121103832Z
nsSuiteSpotUser: ldap
serverHostName: ds01.tech
cn: slapd-ds01
uniqueMember: cn=slapd-ds01, cn=Fedora Directory Server, cn=Server Group, cn=d
 s01.tech, ou=tech, o=NetscapeRoot
uniqueMember: cn=admin-serv-ds01, cn=Fedora Administration Server, cn=Server G
 roup, cn=ds01.tech, ou=tech, o=NetscapeRoot
userPassword::
>>
>> Anyone know how i can fix this? Thanks very much
>> Nick
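Two checks that follow from this thread, written as an added example and not code from the list, from Fedora Directory Server, or from any of the posters: Richard's guess, in the Windows Sync Error thread above, that AD's result code 21 (LDAP_INVALID_SYNTAX) on Glenn's entry may be caused by the empty-valued attributes, and his reading of Nick's slapd access log, where conn=52 was accepted on the SSL port and closed with end-of-file without any operation. The LDIF parser, the empty-attribute check, the ldaps URL derivation from the o=NetscapeRoot entry and the access-log heuristic are all assumptions of this example; the sample LDIF and log lines are constructed from the values quoted in the thread, abbreviated, with the addresses the archive masked restored.

```python
"""Diagnostics for the two problems in this thread (added example; the
parser, the checks and the sample data below are assumptions, not FDS code)."""
import base64
import re

# Constructed: abbreviated copy of the entry AD rejected with result code 21.
SYNC_ENTRY_LDIF = """\
dn: cn=John Doe,ou=Domain Users,dc=ad,dc=example,dc=com
objectClass: user
userprincipalname: jdoe@ad.example.com
samaccountname: jdoe
userparameters:
sn: Doe
codepage:: AAAAAA==
cn: John Doe
userworkstations:
homeDirectory:
profilepath:
givenName: John
"""

# Constructed: relevant attributes of the o=NetscapeRoot server entry, with
# the folded lines exactly as ldapsearch printed them.
SERVER_ENTRY_LDIF = """\
# slapd-ds01, Fedora Directory Server, Server Group, ds01.tech, tech, Netscap
 eRoot
dn: cn=slapd-ds01, cn=Fedora Directory Server, cn=Server Group, cn=ds01.tech,
 ou=tech, o=NetscapeRoot
nsServerSecurity: on
nsServerPort: 389
nsSecureServerPort: 636
serverHostName: ds01.tech
"""

# Constructed: the two connections from the slapd access log in the thread.
ACCESS_LOG = """\
[28/Nov/2006:14:22:46 +0000] conn=51 fd=65 slot=65 SSL connection from 10.170.99.22 to 10.103.20.21
[28/Nov/2006:14:22:46 +0000] conn=51 SSL 128-bit RC4
[28/Nov/2006:14:22:46 +0000] conn=51 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[28/Nov/2006:14:22:46 +0000] conn=51 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[28/Nov/2006:14:22:46 +0000] conn=52 fd=64 slot=64 SSL connection from 10.170.99.22 to 10.103.20.21
[28/Nov/2006:14:32:04 +0000] conn=52 op=-1 fd=64 closed - Encountered end of file.
"""


def parse_ldif_entry(text):
    """One LDIF entry -> {attribute (lower-cased): [values]}. Handles RFC 2849
    folded lines, '#' comments and base64 ('::') values; 'attr:' gives ''."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # continuation of the previous line
        else:
            logical.append(raw)
    entry = {}
    for line in logical:
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):           # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("latin-1")
        else:
            value = value.strip()
        entry.setdefault(attr.strip().lower(), []).append(value)
    return entry


def empty_valued_attributes(entry):
    """Attributes the sync sent with an empty value: the first thing to check
    when AD answers an add with LDAP_INVALID_SYNTAX (21)."""
    return sorted(a for a, vals in entry.items() if "" in vals)


def console_ldap_url(entry):
    """URL a client must use for the server described by an o=NetscapeRoot
    entry: ldaps on nsSecureServerPort when nsServerSecurity is on."""
    host = entry["serverhostname"][0]
    if entry.get("nsserversecurity", ["off"])[0].lower() == "on":
        return "ldaps://%s:%s" % (host, entry["nssecureserverport"][0])
    return "ldap://%s:%s" % (host, entry["nsserverport"][0])


def silent_ssl_connections(log_text):
    """Connection ids accepted on the SSL port that closed without a single
    LDAP operation (op=-1 is only the close marker). In this thread that was a
    client speaking plain LDAP to the LDAPS port; it is a heuristic, not proof."""
    conn_re = re.compile(r"\] conn=(\d+) (.*)$")
    saw_op = {}
    for line in log_text.splitlines():
        m = conn_re.search(line)
        if not m:
            continue
        conn, rest = int(m.group(1)), m.group(2)
        if "SSL connection from" in rest:
            saw_op.setdefault(conn, False)
        elif re.match(r"op=\d+ ", rest):    # a real operation on this connection
            saw_op[conn] = True
    return sorted(c for c, seen in saw_op.items() if not seen)
```

On the sample data this reports userparameters, userworkstations, homeDirectory and profilepath as the empty attributes to trim or populate before retrying the sync, tells the console to use ldaps://ds01.tech:636 for slapd-ds01, and flags conn=52 as an SSL-port connection that never got as far as a BIND.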
From rmeggins at redhat.com Tue Nov 28 18:16:59 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 28 Nov 2006 11:16:59 -0700
Subject: [Fedora-directory-users] Console SSL Problem
In-Reply-To: <456C743B.9070104@quadriga.com>
References: <456C4BAA.9060603@quadriga.com> <456C53CD.6090606@redhat.com> <456C743B.9070104@quadriga.com>
Message-ID: <456C7D1B.8060908@redhat.com>

Nicholas Byrne wrote:
> Firstly, thanks for your help. Responding inline below -
>
> Richard Megginson wrote:
>> Nicholas Byrne wrote:
>>> Hi,
>>>
>>> With FDS 1.0.2, I've followed the configuration howto guide lines to
>>> setup the Directory Server to use SSL (as per my post a few days
>>> ago) however after configuring the Administration Server and Console
>>> to use SSL as well i've run into trouble. The directory server alone
>>> works fine with SSL.
>>>
>>> The reason i'm trying to get Admin and console working in SSL is so
>>> i can setup a secure windows sync agreement, without this all i can
>>> do is setup a insecure sync agreement.
>> But you don't have to get Admin and console working with SSL in order
>> to set up a windows sync agreement with SSL. Do the docs say you
>> have to do this? If so, where?
> No the docs don't say that explicitly but when setting up a windows
> sync agreement it doesn't give you the option of changing the supplier
> - it is set to "ds01.tech:389".
That's just the label it uses for that particular server in the console. It really uses ldaps if you configure it to, even though it shows the non-secure port for the label in the console. This is merely used to identify the server. This is a well known source of confusion.
> The Windows side of the connection is fine as i can specify the
> connection details. I was following the guide at
> http://www.redhat.com/docs/manuals/dir-server/ag/7.1/sync.html#2859728
> and the image under "step 6" indicates the supplier should be
> configured as port 636.
>
> I am new to this, so i may have got confused but i thought passwords
> won't be synchronised unless the FDS supplier and the Windows AD Server
> are set to use SSL/636. I also realise password changes won't be
> synced unless passsync is installed and configured on the AD side, but
> right now that's not necessary as i just want to get basics working.
You can use passsync without SSL for testing purposes, but do not do this in production.
>
>>>
>>> The console will not display anything (absolutely no screen or
>>> anything) after entering password and clicking OK in the
>>> authentication dialog. There are no messages in the console i
>>> started it on.
>> startconsole -D will give you debug information, and startconsole -D
>> 9 will give you everything.
>>>
>>> Before i configured the SSL on the admin server and console it was
>>> working correctly and displayed the normal Admin server/Directory
>>> Server screens.
>>>
>>> The console which i'm running using (i also tried admin user):
>>>
>>> startconsole -u "cn=Directory Manager" -a https://ds01.tech:59910 -x
>>> nologo
>>>
>>> I turned loglevel to debug in the admin server and this is what i see:
>>>
>>> [Tue Nov 28 14:22:46 2006] [info] Connection to child 30 established
>>> (server ds01.tech:443, client 10.170.99.22)
>>> [Tue Nov 28 14:22:47 2006] [notice] [client 10.170.99.22]
>>> admserv_host_ip_check: ap_get_remote_host could not resolve
>>> 10.170.99.22
>>> [Tue Nov 28 14:22:47 2006] [info] Initial (No.1) HTTPS request
>>> received for child 30 (server ds01.tech:443)
>>> [Tue Nov 28 14:22:47 2006] [debug] mod_admserv.c(2518): [client
>>> 10.170.99.22] checking user cache for: cn=Directory Manager
>>> [Tue Nov 28 14:22:47 2006] [debug] mod_admserv.c(2525): [client
>>> 10.170.99.22] not in cache, trying DS
>>> [Tue Nov 28 14:22:47 2006] [debug] mod_admserv.c(1480): [client
>>> 10.170.99.22] admserv_check_authz: request for uri
>>> [/admin-serv/authenticate]
>>> [Tue Nov 28 14:22:47 2006] [notice] [client
>>> 10.170.99.22]
>>> admserv_check_authz(): passing [/admin-serv/authenticate] to the
>>> userauth handler
>>> [Tue Nov 28 14:22:47 2006] [info] Connection to child 30 closed
>>> (server ds01.tech:443, client 10.170.99.22)
>> This looks ok, except for the log shows port 443 and you are using
>> port 59910.
> Is there a way to fix this? If i'm using https that implies 443 but
> specifying the port 59910, which has precedence - i assume the
> port. If i use http and port 59910 the console with debug shows the
> server fails to respond:
Right. https tells it to use HTTP over SSL, and the port specifies which port the server is listening on. When you configure the Admin Server to use SSL, you can no longer use HTTP - you must use HTTPS. The admin server doesn't listen to both a non-secure port and a secure port, as does the directory server.
>
> CommManager> New CommRecord
> (http://ds01.tech:59910/admin-serv/authenticate)
> http://ds01.tech:59910/[0:0] open> Ready
> http://ds01.tech:59910/[0:0] accept>
> http://ds01.tech:59910/admin-serv/authenticate
> http://ds01.tech:59910/[0:0] send> GET \
> http://ds01.tech:59910/[0:0] send> /admin-serv/authenticate \
> http://ds01.tech:59910/[0:0] send> HTTP/1.0
> http://ds01.tech:59910/[0:0] send> Host: ds01.tech:59910
> http://ds01.tech:59910/[0:0] send> Connection: Keep-Alive
> http://ds01.tech:59910/[0:0] send> User-Agent:
> Fedora-Management-Console/1.0
> http://ds01.tech:59910/[0:0] send> Accept-Language: en
> http://ds01.tech:59910/[0:0] send> Authorization: Basic \
> http://ds01.tech:59910/[0:0] send> \
> http://ds01.tech:59910/[0:0] send>
> http://ds01.tech:59910/[0:0] send>
>
> With https, i get through the authentication stage at least.
>>>
>>> In the slapd log I see:
>>>
>>> [28/Nov/2006:14:22:46 +0000] conn=51 fd=65 slot=65 SSL connection from 10.170.99.22 to 10.103.20.21
>>> [28/Nov/2006:14:22:46 +0000] conn=51 SSL 128-bit RC4
>>> [28/Nov/2006:14:22:46 +0000] conn=51 op=0 BIND dn="cn=Directory Manager" method=128 version=3
>>> [28/Nov/2006:14:22:46 +0000] conn=51 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
>> This looks like the /admin-serv/authenticate request as logged in the
>> admin server.
>>> [28/Nov/2006:14:22:46 +0000] conn=52 fd=64 slot=64 SSL connection from 10.170.99.22 to 10.103.20.21
>>> [28/Nov/2006:14:32:04 +0000] conn=52 op=-1 fd=64 closed - Encountered end of file.
>> This looks like the console is attempting to use ldap on the ldaps
>> port. I think you need to tell the console to use SSL when talking
>> to this directory server -
>> http://directory.fedora.redhat.com/wiki/Howto:SSL#Using_the_command_line
> I ran through that part of the howto, here is the output below and as
> you can see "nsServerSecurity" is set to on (I assume this is the
> bit you mean?) -

Yes. So now attempt to restart the admin server and restart the
console, using the https:// URL.
>
> [nick at nblap ~]$ ldapsearch -x -D "cn=directory manager" -W -b o=netscaperoot "nsServerID=slapd-ds01"
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base with scope subtree
> # filter: nsServerID=slapd-ds01
> # requesting: ALL
> #
>
> # slapd-ds01, Fedora Directory Server, Server Group, ds01.tech, tech, NetscapeRoot
> dn: cn=slapd-ds01, cn=Fedora Directory Server, cn=Server Group, cn=ds01.tech, ou=tech, o=NetscapeRoot
> objectClass: netscapeServer
> objectClass: nsDirectoryServer
> objectClass: nsResourceRef
> objectClass: nsConfig
> objectClass: groupOfUniqueNames
> objectClass: top
> nsServerSecurity: on
> nsServerID: slapd-ds01
> nsBindDN: cn=Directory Manager
> nsBaseDN: dc=tech
> serverRoot: /opt/fedora-ds
> nsServerPort: 389
> nsSecureServerPort: 636
> serverProductName: Directory Server (ds01)
> serverVersionNumber: 1.0.2
> installationTimeStamp: 20061121103832Z
> nsSuiteSpotUser: ldap
> serverHostName: ds01.tech
> cn: slapd-ds01
> uniqueMember: cn=slapd-ds01, cn=Fedora Directory Server, cn=Server Group, cn=ds01.tech, ou=tech, o=NetscapeRoot
> uniqueMember: cn=admin-serv-ds01, cn=Fedora Administration Server, cn=Server Group, cn=ds01.tech, ou=tech, o=NetscapeRoot
> userPassword::
>
>>>
>>> Anyone know how I can fix this? Thanks very much
>>> Nick
>>>
>>> This e-mail is the property of Quadriga Worldwide Ltd, intended for
>>> the addressee only and confidential. Any dissemination, copying or
>>> distribution of this message or any attachments is strictly prohibited.
>>>
>>> If you have received this message in error, please notify us
>>> immediately by replying to the message and deleting it from your
>>> computer.
>>>
>>> Messages sent to and from Quadriga may be monitored.
>>>
>>> Quadriga cannot guarantee any message delivery method is secure or
>>> error-free. Information could be intercepted, corrupted, lost,
>>> destroyed, arrive late or incomplete, or contain viruses.
>>>
>>> We do not accept responsibility for any errors or omissions in this
>>> message and/or attachment that arise as a result of transmission.
>>>
>>> You should carry out your own virus checks before opening any
>>> attachment.
>>>
>>> Any views or opinions presented are solely those of the author and
>>> do not necessarily represent those of Quadriga.
>>>
>>> --
>>> Fedora-directory-users mailing list
>>> Fedora-directory-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
From nkinder at redhat.com  Tue Nov 28 18:37:02 2006
From: nkinder at redhat.com (Nathan Kinder)
Date: Tue, 28 Nov 2006 10:37:02 -0800
Subject: [Fedora-directory-users] Console SSL Problem
In-Reply-To: <456C7D1B.8060908@redhat.com>
References: <456C4BAA.9060603@quadriga.com> <456C53CD.6090606@redhat.com> <456C743B.9070104@quadriga.com> <456C7D1B.8060908@redhat.com>
Message-ID: <456C81CE.10008@redhat.com>

Richard Megginson wrote:
> Nicholas Byrne wrote:
>> Firstly, thanks for your help. Responding inline below -
>>
>> Richard Megginson wrote:
>>> Nicholas Byrne wrote:
>>>> Hi,
>>>>
>>>> With FDS 1.0.2, I've followed the configuration howto guidelines
>>>> to set up the Directory Server to use SSL (as per my post a few days
>>>> ago); however, after configuring the Administration Server and
>>>> Console to use SSL as well I've run into trouble. The directory
>>>> server alone works fine with SSL.
>>>>
>>>> The reason I'm trying to get Admin and console working in SSL is so
>>>> I can set up a secure windows sync agreement; without this all I can
>>>> do is set up an insecure sync agreement.
>>> But you don't have to get Admin and console working with SSL in
>>> order to set up a windows sync agreement with SSL. Do the docs say
>>> you have to do this? If so, where?
>> No, the docs don't say that explicitly, but when setting up a windows
>> sync agreement it doesn't give you the option of changing the
>> supplier - it is set to "ds01.tech:389".
>
> That's just the label it uses for that particular server in the
> console. It really uses ldaps if you configure it to, even though it
> shows the non-secure port for the label in the console. This is
> merely used to identify the server. This is a well known source of
> confusion.
>
>> The Windows side of the connection is fine as I can specify the
I was following the guide at >> http://www.redhat.com/docs/manuals/dir-server/ag/7.1/sync.html#2859728 >> and the image under "step 6" indicates the supplier should be >> configured as port 636. >> >> I am new to this, so i may have got confused but i thought passwords >> won't be syncronised unless the FDS supplier and the Windows AD >> Server are set to use SSL/636. I also realise password changes won't >> be synced unless passsync is installed and configured on the AD side, >> but right now thats not necessary as i just want to get basics working. > > You can use passsync without SSL for testing purposes, but do not do > this in production. This is incorrect. PassSync requires SSL to work. If SSL is not configured, PassSync will report errors in it's log file stating that SSL is required. -NGK > >> >>>> >>>> The console will not display anything (absolutely no screen or >>>> anything) after entering password and clicking OK in the >>>> authentication dialog. There are no messages in the console i >>>> started it on. >>> startconsole -D will give you debug information, and startconsole -D >>> 9 will give you everything. >>>> >>>> Before i configured the SSL on the admin server and console it was >>>> working correctly and displayed the normal Admin server/Directory >>>> Server screens. 
>>>>
>>>> The console which I'm running using (I also tried admin user):
>>>>
>>>> startconsole -u "cn=Directory Manager" -a https://ds01.tech:59910 -x nologo
>>>>
>>>> I turned loglevel to debug in the admin server and this is what I see:
>>>>
>>>> [Tue Nov 28 14:22:46 2006] [info] Connection to child 30 established (server ds01.tech:443, client 10.170.99.22)
>>>> [Tue Nov 28 14:22:47 2006] [notice] [client 10.170.99.22] admserv_host_ip_check: ap_get_remote_host could not resolve 10.170.99.22
>>>> [Tue Nov 28 14:22:47 2006] [info] Initial (No.1) HTTPS request received for child 30 (server ds01.tech:443)
>>>> [Tue Nov 28 14:22:47 2006] [debug] mod_admserv.c(2518): [client 10.170.99.22] checking user cache for: cn=Directory Manager
>>>> [Tue Nov 28 14:22:47 2006] [debug] mod_admserv.c(2525): [client 10.170.99.22] not in cache, trying DS
>>>> [Tue Nov 28 14:22:47 2006] [debug] mod_admserv.c(1480): [client 10.170.99.22] admserv_check_authz: request for uri [/admin-serv/authenticate]
>>>> [Tue Nov 28 14:22:47 2006] [notice] [client 10.170.99.22] admserv_check_authz(): passing [/admin-serv/authenticate] to the userauth handler
>>>> [Tue Nov 28 14:22:47 2006] [info] Connection to child 30 closed (server ds01.tech:443, client 10.170.99.22)
>>> This looks ok, except for the log shows port 443 and you are using
>>> port 59910.
>> Is there a way to fix this? If I'm using https that implies 443 but
>> specifying the port 59910, which has precedence - I assume the
>> port. If I use http and port 59910 the console with debug shows the
>> server fails to respond:
> Right. https tells it to use HTTP over SSL, and the port specifies
> which port the server is listening on. When you configure the Admin
> Server to use SSL, you can no longer use HTTP - you must use HTTPS.
> The admin server doesn't listen to both a non-secure port and a secure
> port, as does the directory server.
>>
>> CommManager> New CommRecord (http://ds01.tech:59910/admin-serv/authenticate)
>> http://ds01.tech:59910/[0:0] open> Ready
>> http://ds01.tech:59910/[0:0] accept> http://ds01.tech:59910/admin-serv/authenticate
>> http://ds01.tech:59910/[0:0] send> GET \
>> http://ds01.tech:59910/[0:0] send> /admin-serv/authenticate \
>> http://ds01.tech:59910/[0:0] send> HTTP/1.0
>> http://ds01.tech:59910/[0:0] send> Host: ds01.tech:59910
>> http://ds01.tech:59910/[0:0] send> Connection: Keep-Alive
>> http://ds01.tech:59910/[0:0] send> User-Agent: Fedora-Management-Console/1.0
>> http://ds01.tech:59910/[0:0] send> Accept-Language: en
>> http://ds01.tech:59910/[0:0] send> Authorization: Basic \
>> http://ds01.tech:59910/[0:0] send> \
>> http://ds01.tech:59910/[0:0] send>
>> http://ds01.tech:59910/[0:0] send>
>>
>> With https, I get through the authentication stage at least.
>>>>
>>>> In the slapd log I see:
>>>>
>>>> [28/Nov/2006:14:22:46 +0000] conn=51 fd=65 slot=65 SSL connection from 10.170.99.22 to 10.103.20.21
>>>> [28/Nov/2006:14:22:46 +0000] conn=51 SSL 128-bit RC4
>>>> [28/Nov/2006:14:22:46 +0000] conn=51 op=0 BIND dn="cn=Directory Manager" method=128 version=3
>>>> [28/Nov/2006:14:22:46 +0000] conn=51 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
>>> This looks like the /admin-serv/authenticate request as logged in
>>> the admin server.
>>>> [28/Nov/2006:14:22:46 +0000] conn=52 fd=64 slot=64 SSL connection from 10.170.99.22 to 10.103.20.21
>>>> [28/Nov/2006:14:32:04 +0000] conn=52 op=-1 fd=64 closed - Encountered end of file.
>>> This looks like the console is attempting to use ldap on the ldaps
>>> port.
>>> I think you need to tell the console to use SSL when talking
>>> to this directory server -
>>> http://directory.fedora.redhat.com/wiki/Howto:SSL#Using_the_command_line
>>>
>> I ran through that part of the howto, here is the output below and as
>> you can see "nsServerSecurity" is set to on (I assume this is the
>> bit you mean?) -
> Yes. So now attempt to restart the admin server and restart the
> console, using the https:// URL.
>>
>> [nick at nblap ~]$ ldapsearch -x -D "cn=directory manager" -W -b o=netscaperoot "nsServerID=slapd-ds01"
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base with scope subtree
>> # filter: nsServerID=slapd-ds01
>> # requesting: ALL
>> #
>>
>> # slapd-ds01, Fedora Directory Server, Server Group, ds01.tech, tech, NetscapeRoot
>> dn: cn=slapd-ds01, cn=Fedora Directory Server, cn=Server Group, cn=ds01.tech, ou=tech, o=NetscapeRoot
>> objectClass: netscapeServer
>> objectClass: nsDirectoryServer
>> objectClass: nsResourceRef
>> objectClass: nsConfig
>> objectClass: groupOfUniqueNames
>> objectClass: top
>> nsServerSecurity: on
>> nsServerID: slapd-ds01
>> nsBindDN: cn=Directory Manager
>> nsBaseDN: dc=tech
>> serverRoot: /opt/fedora-ds
>> nsServerPort: 389
>> nsSecureServerPort: 636
>> serverProductName: Directory Server (ds01)
>> serverVersionNumber: 1.0.2
>> installationTimeStamp: 20061121103832Z
>> nsSuiteSpotUser: ldap
>> serverHostName: ds01.tech
>> cn: slapd-ds01
>> uniqueMember: cn=slapd-ds01, cn=Fedora Directory Server, cn=Server Group, cn=ds01.tech, ou=tech, o=NetscapeRoot
>> uniqueMember: cn=admin-serv-ds01, cn=Fedora Administration Server, cn=Server Group, cn=ds01.tech, ou=tech, o=NetscapeRoot
>> userPassword::
>>
>>>>
>>>> Anyone know how I can fix this? Thanks very much
>>>> Nick
>>>>
From glenn at mail.txwes.edu  Tue Nov 28 23:07:57 2006
From: glenn at mail.txwes.edu (Glenn)
Date: Tue, 28 Nov 2006 17:07:57 -0600
Subject: [Fedora-directory-users] Windows Sync Error
In-Reply-To: <456C760C.2000006@redhat.com>
References: <20061128164612.M79426@mail.txwes.edu> <456C6D4C.5000507@redhat.com> <20061128172828.M30202@mail.txwes.edu> <456C760C.2000006@redhat.com>
Message-ID: <20061128225535.M87943@mail.txwes.edu>

I wasn't thinking when I said the directory server data was imported from
NT. It actually came from a Netscape Directory server. Just as a test, I
exported a few users to an ldif file and tried to use the ldifde on the W2003
domain controller to import them. It seems to find a syntax error on every
line in the file, making it impossible to narrow it down.

I can't possibly be the only person who has run into this problem. Hoping
someone can shed some light. Thanks. -Glenn.

---------- Original Message -----------
From: Richard Megginson
To: "General discussion list for the Fedora Directory server project."
Sent: Tue, 28 Nov 2006 10:46:52 -0700
Subject: Re: [Fedora-directory-users] Windows Sync Error

> Glenn wrote:
> > Posting the log entries near the error, including what appears to be the
> > ldif. Thanks. -G.
> >
> > [28/Nov/2006:10:37:08 -0600] - Windows sync entry: Created new remote entry:
> > dn: cn=John Doe,ou=Domain Users,dc=ad,dc=example,dc=com
> > objectClass: top
> > objectClass: person
> > objectClass: organizationalperson
> > objectClass: user
> > userprincipalname: jdoe at ad.example.com
> > samaccountname: jdoe
> > mail: jdoe at example.com
> > userparameters:
> > description: Reference Librarian
> > sn: Doe
> > telephoneNumber: 817-555-1234
> > codepage:: AAAAAA==
> > cn: John Doe
> > userworkstations:
> > title: Electronic Reference Librarian
> > homeDirectory:
> > profilepath:
> > givenName: John
> > facsimileTelephoneNumber: 817-555-2345
> > scriptpath: nt_script.bat
> >
> > [28/Nov/2006:10:37:08 -0600] - Attempting to add entry cn=John Doe,ou=Domain Users,dc=ad,dc=example,dc=com to AD for local entry uid=jdoe,ou=people,o=ourorg.org
> > [28/Nov/2006:10:37:08 -0600] NSMMReplicationPlugin - agmt="cn=ldap-ad-5" (boccherini:636): Received result code 21 (00000057: LdapErr: DSID-0C090B38, comment: Error in attribute conversion operation, data 0, vece) for add operation
> > [28/Nov/2006:10:37:08 -0600] NSMMReplicationPlugin - agmt="cn=ldap-ad-5" (boccherini:636): windows_replay_update: Cannot replay add operation.
> >
> It's hard to tell without knowing which attribute is complaining
> about. But I would guess that, since this data has been migrated
> from NT4, some of the attributes have changed syntax, and MS AD does
> not like the old values, or perhaps doesn't like the empty values.
>
> > ---------- Original Message -----------
> > From: Richard Megginson
> > To: "General discussion list for the Fedora Directory server project."
> >
> > Sent: Tue, 28 Nov 2006 10:09:32 -0700
> > Subject: Re: [Fedora-directory-users] Windows Sync Error
> >
> >> Glenn wrote:
> >>
> >>> I'm still trying to get my evaluation copy of Red Hat Directory Server
> >>> 7.1SP3 to sync with Windows Active Directory. The latest hitch is an error
> >>> message following an initial re-synchronization attempt. The Directory
> >>> Server has a few hundred users imported from a Windows NT domain. The
> >>> Active Directory server has none of those users, so the initial re-sync
> >>> should add them to AD. The error occurs when Windows Sync tries to add the
> >>> first user entry to the Active Directory. The message is:
> >>>
> >>> Attempting to add entry cn=John Doe,ou=Domain Users,dc=ad,dc=example,dc=com
> >>> to AD for local entry uid=jdoe,ou=people,o=ourorg.com
> >>>
> >>> Followed by:
> >>>
> >>> (ADserver:636): Received result code 21 (00000057: LdapErr: DSID-0C090B38,
> >>> comment: Error in attribute conversion operation, data 0, vece) for add
> >>> operation
> >>>
> >> Error 21 is
> >> #define LDAP_INVALID_SYNTAX 0x15 /* 21 */
> >>
> >> So AD thinks one of the attributes sent over has an invalid value
> >> that doesn't correspond to the syntax it is expecting, or something
> >> like that. It might be helpful if you post the LDIF of the entry it
> >> has problems with, being careful to obscure any private data.
> >>
> >>> I would appreciate any insight. Hoping to see if this actually works before
> >>> the 30-day evaluation runs out. Thanks. -Glenn.
From rmeggins at redhat.com  Tue Nov 28 23:28:39 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 28 Nov 2006 16:28:39 -0700
Subject: [Fedora-directory-users] Windows Sync Error
In-Reply-To: <20061128225535.M87943@mail.txwes.edu>
References: <20061128164612.M79426@mail.txwes.edu> <456C6D4C.5000507@redhat.com> <20061128172828.M30202@mail.txwes.edu> <456C760C.2000006@redhat.com> <20061128225535.M87943@mail.txwes.edu>
Message-ID: <456CC627.9030408@redhat.com>

Glenn wrote:
> I wasn't thinking when I said the directory server data was imported from
> NT. It actually came from a Netscape Directory server. Just as a test, I
> exported a few users to an ldif file and tried to use the ldifde on the W2003
> domain controller to import them. It seems to find a syntax error on every
> line in the file, making it impossible to narrow it down.
>
Do you have any trailing white space in those values?

> I can't possibly be the only person who has run into this problem. Hoping
> someone can shed some light. Thanks. -Glenn.
>
> ---------- Original Message -----------
> From: Richard Megginson
> To: "General discussion list for the Fedora Directory server project."
>
> Sent: Tue, 28 Nov 2006 10:46:52 -0700
> Subject: Re: [Fedora-directory-users] Windows Sync Error
>
>> Glenn wrote:
>>
>>> Posting the log entries near the error, including what appears to be the
>>> ldif. Thanks. -G.
>>>
>>> [28/Nov/2006:10:37:08 -0600] - Windows sync entry: Created new remote entry:
>>> dn: cn=John Doe,ou=Domain Users,dc=ad,dc=example,dc=com
>>> objectClass: top
>>> objectClass: person
>>> objectClass: organizationalperson
>>> objectClass: user
>>> userprincipalname: jdoe at ad.example.com
>>> samaccountname: jdoe
>>> mail: jdoe at example.com
>>> userparameters:
>>> description: Reference Librarian
>>> sn: Doe
>>> telephoneNumber: 817-555-1234
>>> codepage:: AAAAAA==
>>> cn: John Doe
>>> userworkstations:
>>> title: Electronic Reference Librarian
>>> homeDirectory:
>>> profilepath:
>>> givenName: John
>>> facsimileTelephoneNumber: 817-555-2345
>>> scriptpath: nt_script.bat
>>>
>>> [28/Nov/2006:10:37:08 -0600] - Attempting to add entry cn=John Doe,ou=Domain Users,dc=ad,dc=example,dc=com to AD for local entry uid=jdoe,ou=people,o=ourorg.org
>>> [28/Nov/2006:10:37:08 -0600] NSMMReplicationPlugin - agmt="cn=ldap-ad-5" (boccherini:636): Received result code 21 (00000057: LdapErr: DSID-0C090B38, comment: Error in attribute conversion operation, data 0, vece) for add operation
>>> [28/Nov/2006:10:37:08 -0600] NSMMReplicationPlugin - agmt="cn=ldap-ad-5" (boccherini:636): windows_replay_update: Cannot replay add operation.
>>>
>> It's hard to tell without knowing which attribute is complaining
>> about. But I would guess that, since this data has been migrated
>> from NT4, some of the attributes have changed syntax, and MS AD does
>> not like the old values, or perhaps doesn't like the empty values.
>>
>>> ---------- Original Message -----------
>>> From: Richard Megginson
>>> To: "General discussion list for the Fedora Directory server project."
>>>
>>> Sent: Tue, 28 Nov 2006 10:09:32 -0700
>>> Subject: Re: [Fedora-directory-users] Windows Sync Error
>>>
>>>> Glenn wrote:
>>>>
>>>>> I'm still trying to get my evaluation copy of Red Hat Directory Server
>>>>> 7.1SP3 to sync with Windows Active Directory. The latest hitch is an error
>>>>> message following an initial re-synchronization attempt. The Directory
>>>>> Server has a few hundred users imported from a Windows NT domain. The
>>>>> Active Directory server has none of those users, so the initial re-sync
>>>>> should add them to AD. The error occurs when Windows Sync tries to add the
>>>>> first user entry to the Active Directory. The message is:
>>>>>
>>>>> Attempting to add entry cn=John Doe,ou=Domain Users,dc=ad,dc=example,dc=com
>>>>> to AD for local entry uid=jdoe,ou=people,o=ourorg.com
>>>>>
>>>>> Followed by:
>>>>>
>>>>> (ADserver:636): Received result code 21 (00000057: LdapErr: DSID-0C090B38,
>>>>> comment: Error in attribute conversion operation, data 0, vece) for add
>>>>> operation
>>>>>
>>>> Error 21 is
>>>> #define LDAP_INVALID_SYNTAX 0x15 /* 21 */
>>>>
>>>> So AD thinks one of the attributes sent over has an invalid value
>>>> that doesn't correspond to the syntax it is expecting, or something
>>>> like that. It might be helpful if you post the LDIF of the entry it
>>>> has problems with, being careful to obscure any private data.
>>>>
>>>>> I would appreciate any insight. Hoping to see if this actually works before
>>>>> the 30-day evaluation runs out. Thanks. -Glenn.
>>>>>
From david_list at boreham.org  Wed Nov 29 00:48:38 2006
From: david_list at boreham.org (David Boreham)
Date: Tue, 28 Nov 2006 17:48:38 -0700
Subject: [Fedora-directory-users] Authentication through Active Directory
In-Reply-To: <456C47A7.3080109@schoppet.de>
References: <456C47A7.3080109@schoppet.de>
Message-ID: <456CD8E6.30403@boreham.org>

Joerg Schoppet wrote:
> I'm in an account of a bigger company, which uses Microsoft Active
> Directory for User Management and Authentication.
> Now we need to save some additional information for a subset of all
> employees, but the AD-Administrators do not want to include the
> required attributes in the company AD. Our plan is now to install
> "Fedora Directory Server" to hold this additional information. The
> users, who use a special application, should now connect to this
> server to retrieve the necessary information, but the authentication
> should stay in the AD.
>
> Is it possible, and if yes how, to configure "Fedora Directory Server"
> to pass the authentication information to the AD and only let the
> specific user bind to the directory server if the AD-Authentication is
> OK?

Hmm...I think what you are trying to implement is a form of Directory
Federation. You might be able to achieve what you want with FDS and its
AD sync feature. In that case, passwords are synchronized from AD to FDS
(and vice versa) so your requirement for authentication 'against AD'
would be met except that authentication would be done by FDS, using the
AD password. If you want to proxy authentication directly to AD that
might be possible without code changes in FDS, but I'm not sure.

Another option you might look at is to deploy Microsoft's ADAM, which
is a Federation add-on for AD.
It was designed to meet your exact needs (application wants to use AD
for directory services, but AD admins refuse to allow the schema to be
extended).

From david_list at boreham.org  Wed Nov 29 00:57:56 2006
From: david_list at boreham.org (David Boreham)
Date: Tue, 28 Nov 2006 17:57:56 -0700
Subject: [Fedora-directory-users] Windows Sync Error
In-Reply-To: <20061128225535.M87943@mail.txwes.edu>
References: <20061128164612.M79426@mail.txwes.edu> <456C6D4C.5000507@redhat.com> <20061128172828.M30202@mail.txwes.edu> <456C760C.2000006@redhat.com> <20061128225535.M87943@mail.txwes.edu>
Message-ID: <456CDB14.9010003@boreham.org>

Glenn wrote:
> I wasn't thinking when I said the directory server data was imported from
> NT. It actually came from a Netscape Directory server. Just as a test, I
> exported a few users to an ldif file and tried to use the ldifde on the W2003
> domain controller to import them. It seems to find a syntax error on every
> line in the file, making it impossible to narrow it down.
>
> I can't possibly be the only person who has run into this problem. Hoping
> someone can shed some light. Thanks. -Glenn.
>

We ran into this problem while developing the code. Unfortunately AD is
brain-damaged when it comes to diagnosing why it objected to a particular
operation. There seems to be no way to get it to log some decent diagnostic
information, and it does not provide an adequate error message over the wire.

In debugging these problems I first added the code that you have seen that
dumps out the complete entry to the log. Then I pasted the entry into an
ldapmodify command to reproduce the problem outside the server. Finally I
edited the LDIF to trim off likely looking attributes until AD quit
complaining. At that point I knew which one it was barfing over.

I would begin by removing all the NT domain related attributes from a test
entry and see if it adds ok. Then add them back one by one to see which is
causing the problem.
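The attribute-trimming procedure David describes above, together with Richard's trailing-whitespace question in the preceding message, as an added Python example that is not part of the thread or of the Fedora DS code: it parses the entry that the winsync log dumps, flags values likely to draw result code 21 from AD, and writes out the LDIF variants to feed to ldapmodify one at a time. The sample entry and the NT_DOMAIN_ATTRS set are constructed from the attribute names in the logged entry and are assumptions, not an AD schema list.

```python
"""Triage a winsync "Created new remote entry" dump before replaying it
against AD with ldapmodify.  Added example, not Fedora DS or AD code."""
import base64
import re

# Attributes the thread's entry carries over from the NT domain.  Assumption:
# just the names seen in the logged entry, not an AD schema list.
NT_DOMAIN_ATTRS = {"userparameters", "userworkstations", "homedirectory",
                   "profilepath", "scriptpath"}

# Constructed sample shaped like the logged entry (private data replaced),
# with a trailing space on description and a folded title line.
SAMPLE_LDIF = (
    "dn: cn=John Doe,ou=Domain Users,dc=ad,dc=example,dc=com\n"
    "objectClass: user\n"
    "userprincipalname: jdoe@ad.example.com\n"
    "userparameters:\n"
    "description: Reference Librarian \n"
    "codepage:: AAAAAA==\n"
    "userworkstations:\n"
    "title: Electronic Reference\n"
    "  Librarian\n"
    "homeDirectory:\n"
    "profilepath:\n"
    "scriptpath: nt_script.bat\n"
)
ATTR_LINE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")


def parse_ldif_entry(text):
    """Parse one LDIF entry into [(attr, value, was_base64)] in file order.
    Folded lines are joined; '::' values are decoded via latin-1 so binary
    attributes survive a round trip byte for byte."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # RFC 2849 line folding
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = []
    for line in lines:
        m = ATTR_LINE.match(line)
        if not m:
            raise ValueError("not an LDIF attribute line: %r" % line)
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("latin-1")
        entry.append((attr, value, sep == "::"))
    return entry


def find_suspects(entry):
    """Return [(attr, reason)] for values likely to draw LDAP result 21
    (LDAP_INVALID_SYNTAX) from AD: empty values, stray whitespace, control
    characters in a clear-text value, and the NT-domain attributes."""
    suspects = []
    for attr, value, was_b64 in entry:
        reasons = []
        if value == "":
            reasons.append("empty value")
        if value != value.strip():
            reasons.append("leading/trailing whitespace")
        if not was_b64 and any(ord(c) < 0x20 for c in value):
            reasons.append("control characters")
        if attr.lower() in NT_DOMAIN_ATTRS:
            reasons.append("NT-domain attribute")
        if reasons:
            suspects.append((attr, "; ".join(reasons)))
    return suspects


def strip_whitespace(entry):
    """Richard's first question: drop leading/trailing space from values."""
    return [(a, v if b else v.strip(), b) for a, v, b in entry]


def to_ldif(entry):
    """Serialise back to LDIF; base64-encode what RFC 2849 cannot carry in
    the clear (binary, leading/trailing space, a leading ':' or '<')."""
    out = []
    for attr, value, was_b64 in entry:
        unsafe = (was_b64 or value != value.strip() or value[:1] in (":", "<")
                  or any(ord(c) < 0x20 or ord(c) > 0x7e for c in value))
        if value == "":
            out.append(attr + ":")
        elif unsafe:
            raw = value.encode("latin-1" if was_b64 else "utf-8")
            out.append("%s:: %s" % (attr, base64.b64encode(raw).decode()))
        else:
            out.append("%s: %s" % (attr, value))
    return "\n".join(out) + "\n"


def bisect_candidates(entry, suspects):
    """David's procedure as LDIF variants: every suspect removed first, then
    one variant per suspect adding it back alone, so the first variant AD
    rejects names the offending attribute.  Returns [(label, ldif)]."""
    names = [a for a, _ in suspects]
    base = [t for t in entry if t[0] not in names]
    cands = [("without " + ", ".join(names), to_ldif(base))]
    for name in names:
        kept = [t for t in entry if t[0] not in names or t[0] == name]
        cands.append(("add back " + name, to_ldif(kept)))
    return cands


if __name__ == "__main__":
    e = strip_whitespace(parse_ldif_entry(SAMPLE_LDIF))
    for label, ldif in bisect_candidates(e, find_suspects(e)):
        print("# candidate: %s\n%s" % (label, ldif))
```

Each candidate is a complete entry that can be pasted into an ldapmodify add against the AD side, which keeps the test outside the sync agreement itself.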
From ulf.weltman at hp.com  Wed Nov 29 01:41:45 2006
From: ulf.weltman at hp.com (Ulf Weltman)
Date: Tue, 28 Nov 2006 17:41:45 -0800
Subject: [Fedora-directory-users] Authentication through Active Directory
In-Reply-To: <456CD8E6.30403@boreham.org>
References: <456C47A7.3080109@schoppet.de> <456CD8E6.30403@boreham.org>
Message-ID: <456CE559.2040606@hp.com>

David Boreham wrote:
> Joerg Schoppet wrote:
>
>> I'm in an account of a bigger company, which uses Microsoft Active
>> Directory for User Management and Authentication.
>> Now we need to save some additional information for a subset of all
>> employees, but the AD-Administrators do not want to include the
>> required attributes in the company AD. Our plan is now to install
>> "Fedora Directory Server" to hold this additional information. The
>> users, who use a special application, should now connect to this
>> server to retrieve the necessary information, but the authentication
>> should stay in the AD.
>>
>> Is it possible, and if yes how, to configure "Fedora Directory
>> Server" to pass the authentication information to the AD and only let
>> the specific user bind to the directory server if the
>> AD-Authentication is OK?
>
> Hmm...I think what you are trying to implement is a form of Directory
> Federation.
> You might be able to achieve what you want with FDS and its AD sync
> feature.
> In that case, passwords are synchronized from AD to FDS (and vice versa)
> so your requirement for authentication 'against AD' would be met
> except that authentication would be done by FDS, using the AD password.
> If you want to proxy authentication directly to AD that might be
> possible without code changes in FDS, but I'm not sure.
>
> Another option you might look at is to deploy Microsoft's ADAM, which
> is a Federation add-on for AD. It was designed to meet your exact needs
> (application wants to use AD for directory services, but AD admins refuse
> to allow the schema to be extended).
>

The Pass Through Authentication plugin should also work with ADS because it doesn't rely on proxied authentication, unlike the Chaining Backend plugin or the loop detection control. PTA is the magic that allows the uid=admin,..,o=Netscaperoot user to log in and configure all FDS servers in an instance group even though o=Netscaperoot only exists in the configuration instance. I've seen it work with ADS too though. Details: http://www.redhat.com/docs/manuals/dir-server/ag/7.1/pasthru.html#1095869

You may need a FDS build from the tip; the PTA doesn't correctly handle bind responses with server controls. I'm not sure about ADS' use of controls in bind responses.

From david_list at boreham.org Wed Nov 29 01:53:22 2006
From: david_list at boreham.org (David Boreham)
Date: Tue, 28 Nov 2006 18:53:22 -0700
Subject: [Fedora-directory-users] Authentication through Active Directory
In-Reply-To: <456CE559.2040606@hp.com>
References: <456C47A7.3080109@schoppet.de> <456CD8E6.30403@boreham.org> <456CE559.2040606@hp.com>
Message-ID: <456CE812.7050500@boreham.org>

Ulf Weltman wrote:
> The Pass Through Authentication plugin should also work with ADS

Right. Windows Sync would need to be deployed _without_ passsync, otherwise I'm not quite sure what would happen when it does its binds to check the password for loops. FDS + Winsync + PTA - passsync might work for this application.

From siggi at betware.com Wed Nov 29 09:25:30 2006
From: siggi at betware.com (Sigurður Bjarnason)
Date: Wed, 29 Nov 2006 09:25:30 -0000
Subject: [Fedora-directory-users] Authentication and access rights
Message-ID: <5C903B8112CC4F48B6A122A30BA40D20CF73AF@bwserver.betware.com>

Hi all

I am new to Fedora Directory Server, I have managed to set it up all right but I have one simple question as such.. :-)

Before I will put a lot of effort into setting it up for my production env I would like to know at least one thing....
When I manage to connect a client to the directory server will I be able to control the user's access to the client through the directory at file level? That is if for some reason I would not allow the user to access or read certain files or folders on the client, could that be controlled in the Directory?

Regards
Siggi

From nicholas.byrne at quadriga.com Wed Nov 29 11:35:40 2006
From: nicholas.byrne at quadriga.com (Nicholas Byrne)
Date: Wed, 29 Nov 2006 11:35:40 +0000
Subject: [Fedora-directory-users] Console SSL Problem
In-Reply-To: <456C7D1B.8060908@redhat.com>
References: <456C4BAA.9060603@quadriga.com> <456C53CD.6090606@redhat.com> <456C743B.9070104@quadriga.com> <456C7D1B.8060908@redhat.com>
Message-ID: <456D708C.2040503@quadriga.com>

Richard Megginson wrote:
> Nicholas Byrne wrote:
>> Firstly, thanks for your help. Responding inline below -
>>
>> Richard Megginson wrote:
>>> Nicholas Byrne wrote:
>>>> Hi,
>>>>
>>>> With FDS 1.0.2, I've followed the configuration howto guidelines to set up the Directory Server to use SSL (as per my post a few days ago), however after configuring the Administration Server and Console to use SSL as well I've run into trouble. The directory server alone works fine with SSL.
>>>>
>>>> The reason I'm trying to get Admin and console working in SSL is so I can set up a secure windows sync agreement; without this all I can do is set up an insecure sync agreement.
>>> But you don't have to get Admin and console working with SSL in order to set up a windows sync agreement with SSL. Do the docs say you have to do this? If so, where?
>> No the docs don't say that explicitly but when setting up a windows sync agreement it doesn't give you the option of changing the supplier - it is set to "ds01.tech:389".
>
> That's just the label it uses for that particular server in the console.
> It really uses ldaps if you configure it to, even though it shows the non-secure port for the label in the console. This is merely used to identify the server. This is a well known source of confusion.

OK, it is confusing; thanks for clearing that up.

>
>> The Windows side of the connection is fine as I can specify the connection details. I was following the guide at http://www.redhat.com/docs/manuals/dir-server/ag/7.1/sync.html#2859728 and the image under "step 6" indicates the supplier should be configured as port 636.
>>
>> I am new to this, so I may have got confused, but I thought passwords won't be synchronised unless the FDS supplier and the Windows AD Server are set to use SSL/636. I also realise password changes won't be synced unless passsync is installed and configured on the AD side, but right now that's not necessary as I just want to get the basics working.
>
> You can use passsync without SSL for testing purposes, but do not do this in production.
>
>>>> The console will not display anything (absolutely no screen or anything) after entering the password and clicking OK in the authentication dialog. There are no messages in the console I started it on.
>>> startconsole -D will give you debug information, and startconsole -D 9 will give you everything.
>>>>
>>>> Before I configured the SSL on the admin server and console it was working correctly and displayed the normal Admin server/Directory Server screens.
>>>>
>>>> The console which I'm running using (I also tried admin user):
>>>>
>>>> startconsole -u "cn=Directory Manager" -a https://ds01.tech:59910 -x nologo
>>>>
>>>> I turned loglevel to debug in the admin server and this is what I see:
>>>>
>>>> [Tue Nov 28 14:22:46 2006] [info] Connection to child 30 established (server ds01.tech:443, client 10.170.99.22)
>>>> [Tue Nov 28 14:22:47 2006] [notice] [client 10.170.99.22] admserv_host_ip_check: ap_get_remote_host could not resolve 10.170.99.22
>>>> [Tue Nov 28 14:22:47 2006] [info] Initial (No.1) HTTPS request received for child 30 (server ds01.tech:443)
>>>> [Tue Nov 28 14:22:47 2006] [debug] mod_admserv.c(2518): [client 10.170.99.22] checking user cache for: cn=Directory Manager
>>>> [Tue Nov 28 14:22:47 2006] [debug] mod_admserv.c(2525): [client 10.170.99.22] not in cache, trying DS
>>>> [Tue Nov 28 14:22:47 2006] [debug] mod_admserv.c(1480): [client 10.170.99.22] admserv_check_authz: request for uri [/admin-serv/authenticate]
>>>> [Tue Nov 28 14:22:47 2006] [notice] [client 10.170.99.22] admserv_check_authz(): passing [/admin-serv/authenticate] to the userauth handler
>>>> [Tue Nov 28 14:22:47 2006] [info] Connection to child 30 closed (server ds01.tech:443, client 10.170.99.22)
>>> This looks ok, except for the log shows port 443 and you are using port 59910.
>> Is there a way to fix this? If I'm using https that implies 443 but specifying the port 59910, which has precedence - I assume the port. If I use http and port 59910 the console with debug shows the server fails to respond:
> Right. https tells it to use HTTP over SSL, and the port specifies which port the server is listening on. When you configure the Admin Server to use SSL, you can no longer use HTTP - you must use HTTPS. The admin server doesn't listen to both a non-secure port and a secure port, as does the directory server.
>>
>> CommManager> New CommRecord (http://ds01.tech:59910/admin-serv/authenticate)
>> http://ds01.tech:59910/[0:0] open> Ready
>> http://ds01.tech:59910/[0:0] accept> http://ds01.tech:59910/admin-serv/authenticate
>> http://ds01.tech:59910/[0:0] send> GET \
>> http://ds01.tech:59910/[0:0] send> /admin-serv/authenticate \
>> http://ds01.tech:59910/[0:0] send> HTTP/1.0
>> http://ds01.tech:59910/[0:0] send> Host: ds01.tech:59910
>> http://ds01.tech:59910/[0:0] send> Connection: Keep-Alive
>> http://ds01.tech:59910/[0:0] send> User-Agent: Fedora-Management-Console/1.0
>> http://ds01.tech:59910/[0:0] send> Accept-Language: en
>> http://ds01.tech:59910/[0:0] send> Authorization: Basic \
>> http://ds01.tech:59910/[0:0] send> \
>> http://ds01.tech:59910/[0:0] send>
>> http://ds01.tech:59910/[0:0] send>
>>
>> With https, I get through the authentication stage at least.
>>>>
>>>> In the slapd log I see:
>>>>
>>>> [28/Nov/2006:14:22:46 +0000] conn=51 fd=65 slot=65 SSL connection from 10.170.99.22 to 10.103.20.21
>>>> [28/Nov/2006:14:22:46 +0000] conn=51 SSL 128-bit RC4
>>>> [28/Nov/2006:14:22:46 +0000] conn=51 op=0 BIND dn="cn=Directory Manager" method=128 version=3
>>>> [28/Nov/2006:14:22:46 +0000] conn=51 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
>>> This looks like the /admin-serv/authenticate request as logged in the admin server.
>>>> [28/Nov/2006:14:22:46 +0000] conn=52 fd=64 slot=64 SSL connection from 10.170.99.22 to 10.103.20.21
>>>> [28/Nov/2006:14:32:04 +0000] conn=52 op=-1 fd=64 closed - Encountered end of file.
>>> This looks like the console is attempting to use ldap on the ldaps port.
>>> I think you need to tell the console to use SSL when talking to this directory server - http://directory.fedora.redhat.com/wiki/Howto:SSL#Using_the_command_line
>>
>> I ran through that part of the howto, here is the output below and as you can see "nsServerSecurity" is set to on (I assume this is the bit you mean?) -
> Yes. So now attempt to restart the admin server and restart the console, using the https:// URL.

Sorry, maybe I didn't make this clear. I had already done this and restarted the admin server and I'm using the https URL. I'm stuck at this point. The logs I copied in earlier are from a server configured in this state. This is where the console does not open after the authentication attempt.

>>
>> [nick at nblap ~]$ ldapsearch -x -D "cn=directory manager" -W -b o=netscaperoot "nsServerID=slapd-ds01"
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base with scope subtree
>> # filter: nsServerID=slapd-ds01
>> # requesting: ALL
>> #
>>
>> # slapd-ds01, Fedora Directory Server, Server Group, ds01.tech, tech, NetscapeRoot
>> dn: cn=slapd-ds01, cn=Fedora Directory Server, cn=Server Group, cn=ds01.tech, ou=tech, o=NetscapeRoot
>> objectClass: netscapeServer
>> objectClass: nsDirectoryServer
>> objectClass: nsResourceRef
>> objectClass: nsConfig
>> objectClass: groupOfUniqueNames
>> objectClass: top
>> nsServerSecurity: on
>> nsServerID: slapd-ds01
>> nsBindDN: cn=Directory Manager
>> nsBaseDN: dc=tech
>> serverRoot: /opt/fedora-ds
>> nsServerPort: 389
>> nsSecureServerPort: 636
>> serverProductName: Directory Server (ds01)
>> serverVersionNumber: 1.0.2
>> installationTimeStamp: 20061121103832Z
>> nsSuiteSpotUser: ldap
>> serverHostName: ds01.tech
>> cn: slapd-ds01
>> uniqueMember: cn=slapd-ds01, cn=Fedora Directory Server, cn=Server Group, cn=ds01.tech, ou=tech, o=NetscapeRoot
>> uniqueMember: cn=admin-serv-ds01, cn=Fedora Administration Server, cn=Server Group, cn=ds01.tech, ou=tech, o=NetscapeRoot
>> userPassword::
>>
>>>> Anyone know how I can fix this? Thanks very much
>>>> Nick
>>>>
>>>> This e-mail is the property of Quadriga Worldwide Ltd, intended for the addressee only and confidential. Any dissemination, copying or distribution of this message or any attachments is strictly prohibited.
>>>>
>>>> If you have received this message in error, please notify us immediately by replying to the message and deleting it from your computer.
>>>>
>>>> Messages sent to and from Quadriga may be monitored.
>>>>
>>>> Quadriga cannot guarantee any message delivery method is secure or error-free. Information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses.
>>>>
>>>> We do not accept responsibility for any errors or omissions in this message and/or attachment that arise as a result of transmission.
>>>>
>>>> You should carry out your own virus checks before opening any attachment.
>>>>
>>>> Any views or opinions presented are solely those of the author and do not necessarily represent those of Quadriga.
>>>>
>>>> --
>>>> Fedora-directory-users mailing list
>>>> Fedora-directory-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
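The slapd access-log excerpts in this thread are easier to read once grouped per connection: conn=51 binds and gets err=0, while conn=52 is opened on the secure port and closed with "Encountered end of file" without a single operation, which is what Richard reads as the console talking plain LDAP to the LDAPS port. The following added example (not code from the thread or the project) folds Fedora/389 DS access-log lines into one summary per conn= and states what each client did; it also flags the bind-then-unbind pattern from the PassSync thread further down. The sample lines are reconstructed from the excerpts quoted in those two threads, and the verdict strings are this example's own.

```python
"""Per-connection triage of Fedora/389 DS access-log lines.

Added example, not code from the thread. It groups access-log lines by
conn=N and summarises what each client did: was the connection SSL, did a
BIND succeed (RESULT err=0 on tag=97), did any operation follow, and how did
the connection close. The sample lines are reconstructed from the excerpts
quoted on this list (conn=51/52 from the console thread, conn=146041 from
the PassSync thread).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>-?\d+))? (?P<rest>.*)$"
)

# Verdict strings, kept as constants so callers can match on them.
NO_OPS = "closed with no operations: client probably not speaking TLS on this port"
BIND_ONLY = "bind succeeded but client unbound without doing any other operation"
BIND_OK = "bind ok"
NO_BIND = "no bind seen"


@dataclass
class ConnSummary:
    conn: int
    ssl: bool = False
    cipher: Optional[str] = None
    bind_dn: Optional[str] = None
    bind_err: Optional[int] = None
    ops: List[str] = field(default_factory=list)   # operation names in order
    close_reason: Optional[str] = None

    def verdict(self) -> str:
        if self.close_reason is not None and not self.ops:
            return NO_OPS
        if self.bind_err == 0 and "UNBIND" in self.ops and set(self.ops) <= {"BIND", "UNBIND"}:
            return BIND_ONLY
        if self.bind_err not in (None, 0):
            return f"bind failed (err={self.bind_err})"
        return BIND_OK if self.bind_err == 0 else NO_BIND


def parse_access_log(lines) -> Dict[int, ConnSummary]:
    """Fold access-log lines into one ConnSummary per conn= number."""
    conns: Dict[int, ConnSummary] = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                                   # banner or unrelated line
        cid = int(m.group("conn"))
        c = conns.setdefault(cid, ConnSummary(cid))
        rest = m.group("rest")
        if "SSL connection from" in rest:
            c.ssl = True
        elif rest.startswith("SSL "):                  # e.g. "SSL 128-bit RC4"
            c.cipher = rest[4:]
        elif rest.startswith("BIND "):
            c.ops.append("BIND")
            dn = re.search(r'dn="([^"]*)"', rest)
            c.bind_dn = dn.group(1) if dn else ""
        elif rest.startswith("RESULT "):
            if "tag=97" in rest:                       # tag 97 = bind response
                err = re.search(r"err=(\d+)", rest)
                c.bind_err = int(err.group(1)) if err else None
        elif " closed - " in rest:
            c.close_reason = rest.split(" closed - ", 1)[1]
        elif m.group("op") is not None:
            c.ops.append(rest.split(" ", 1)[0])        # UNBIND, SRCH, MOD, ...
    return conns


def triage(lines) -> Dict[int, str]:
    """Map each connection number to a one-line verdict."""
    return {cid: c.verdict() for cid, c in parse_access_log(lines).items()}


# Constructed from the excerpts quoted on this list.
SAMPLE_LOG = """\
[28/Nov/2006:14:22:46 +0000] conn=51 fd=65 slot=65 SSL connection from 10.170.99.22 to 10.103.20.21
[28/Nov/2006:14:22:46 +0000] conn=51 SSL 128-bit RC4
[28/Nov/2006:14:22:46 +0000] conn=51 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[28/Nov/2006:14:22:46 +0000] conn=51 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[28/Nov/2006:14:22:46 +0000] conn=52 fd=64 slot=64 SSL connection from 10.170.99.22 to 10.103.20.21
[28/Nov/2006:14:32:04 +0000] conn=52 op=-1 fd=64 closed - Encountered end of file.
[29/Nov/2006:09:42:29 -0600] conn=146041 fd=203 slot=203 SSL connection from 192.168.2.200 to 192.168.100.122
[29/Nov/2006:09:42:29 -0600] conn=146041 SSL 128-bit RC4
[29/Nov/2006:09:42:29 -0600] conn=146041 op=0 BIND dn="cn=directory manager" method=128 version=2
[29/Nov/2006:09:42:29 -0600] conn=146041 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[29/Nov/2006:09:42:29 -0600] conn=146041 op=1 UNBIND
[29/Nov/2006:09:42:29 -0600] conn=146041 op=1 fd=203 closed - U1
""".splitlines()


if __name__ == "__main__":
    for cid, verdict in sorted(triage(SAMPLE_LOG).items()):
        print(f"conn={cid}: {verdict}")
```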
From doglesby at teleformix.com Wed Nov 29 14:03:27 2006
From: doglesby at teleformix.com (Dan Oglesby)
Date: Wed, 29 Nov 2006 08:03:27 -0600
Subject: [Fedora-directory-users] AD + FDS sync stops working?
Message-ID: <006901c713bf$24a71740$5e02a8c0@rmil>

I have two separate installations of FDS 1.0.1 that were successfully configured to sync with two separate AD controllers. They both worked fine for about six months, and both have stopped synchronizing information that should pass from the AD to FDS. Basically, if a user changes his or her password through AD, nothing changes on FDS. If the password is changed through FDS, it does get pushed up to the AD controller.

Has anyone else seen this happen? There have been no changes made to either the FDS or AD configurations since the initial installation was completed. The AD servers are Windows 2000 and Windows 2003 on separate domains.

I've tried to uninstall and reinstall the PassSync software. Every time that service is restarted, I see a connect via SSL in the logs in FDS, but nothing after that.

--Dan

From tngan at redhat.com Wed Nov 29 15:00:28 2006
From: tngan at redhat.com (To Ngan)
Date: Wed, 29 Nov 2006 07:00:28 -0800
Subject: [Fedora-directory-users] AD + FDS sync stops working?
In-Reply-To: <006901c713bf$24a71740$5e02a8c0@rmil>
References: <006901c713bf$24a71740$5e02a8c0@rmil>
Message-ID: <456DA08C.6010605@redhat.com>

Dan Oglesby wrote:
> I have two separate installations of FDS 1.0.1 that were successfully configured to sync with two separate AD controllers. They both worked fine for about six months, and both have stopped synchronizing information that should pass from the AD to FDS. Basically, if a user changes his or her password through AD, nothing changes on FDS. If the password is changed through FDS, it does get pushed up to the AD controller.
>
> Has anyone else seen this happen?
> There have been no changes made to either the FDS or AD configurations since the initial installation was completed. The AD servers are Windows 2000 and Windows 2003 on separate domains.
>
> I've tried to uninstall and reinstall the PassSync software. Every time that service is restarted, I see a connect via SSL in the logs in FDS, but nothing after that.

Was the connect via SSL successful?

Regards,
-- toto

> --Dan

From rmeggins at redhat.com Wed Nov 29 15:06:55 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 29 Nov 2006 08:06:55 -0700
Subject: [Fedora-directory-users] Authentication and access rights
In-Reply-To: <5C903B8112CC4F48B6A122A30BA40D20CF73AF@bwserver.betware.com>
References: <5C903B8112CC4F48B6A122A30BA40D20CF73AF@bwserver.betware.com>
Message-ID: <456DA20F.1030409@redhat.com>

Sigurður Bjarnason wrote:
>
> Hi all
>
> I am new to Fedora Directory Server, I have managed to set it up all right but I have one simple question as such.. :-)
>
> Before I will put a lot of effort into setting it up for my production env I would like to know at least one thing.... When I manage to connect client
>
It depends - what is the client? If the client is an OS, Fedora DS uses the standard posix objectclasses and attributes.
>
> to the directory server will I be able to control the user's access to the client through the directory at file level?
>
> That is if for some reason I would not allow the user to access or read certain files or folders on the client, could that be controlled in the Directory?
>
You can't control this through the directory server unless the client can already model the file/folder relationships through the directory server. Usually clients don't do this unless you are using some sort of policy engine like SiteMinder, and even that won't work for OS file/folder permissions. That is normally used for web site URL access. Usually ldap+os integration means that you still set file/folder ownership and permissions using the familiar chown and chmod commands, but the actual uid/gid information is looked up in ldap rather than from /etc/passwd and /etc/groups.

>
> Regards
>
> Siggi

From rmeggins at redhat.com Wed Nov 29 15:41:01 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 29 Nov 2006 08:41:01 -0700
Subject: [Fedora-directory-users] Console SSL Problem
In-Reply-To: <456D708C.2040503@quadriga.com>
References: <456C4BAA.9060603@quadriga.com> <456C53CD.6090606@redhat.com> <456C743B.9070104@quadriga.com> <456C7D1B.8060908@redhat.com> <456D708C.2040503@quadriga.com>
Message-ID: <456DAA0D.8010907@redhat.com>

Nicholas Byrne wrote:
>>>> This looks like the console is attempting to use ldap on the ldaps port. I think you need to tell the console to use SSL when talking to this directory server - http://directory.fedora.redhat.com/wiki/Howto:SSL#Using_the_command_line
>>>>
>>> I ran through that part of the howto, here is the output below and as you can see "nsServerSecurity" is set to on (I assume this is the bit you mean?) -
>> Yes. So now attempt to restart the admin server and restart the console, using the https:// URL.
>
> Sorry, maybe I didn't make this clear. I had already done this and restarted the admin server and I'm using the https URL. I'm stuck at this point. The logs I copied in earlier are from a server configured in this state. This is where the console does not open after the authentication attempt.

Following the steps in http://directory.fedora.redhat.com/wiki/Howto:SSL, with a fresh installation of Fedora DS 1.0.4, it works. The key item is this: http://directory.fedora.redhat.com/wiki/Howto:SSL#Using_the_command_line

If I use ldapmodify to turn nsServerSecurity: on, the console uses LDAPS - with it set to off, it uses LDAP.

Do you have more than one directory server? Are you sure the directory server is listening to the LDAPS port? Can you use the ldapsearch command line tool to verify that you can connect to the directory server using ldaps? Did using startconsole -D 9 show anything?
Finally, try removing ~/.fedora-console/*.db
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From doglesby at teleformix.com Wed Nov 29 15:46:15 2006 From: doglesby at teleformix.com (Dan Oglesby) Date: Wed, 29 Nov 2006 09:46:15 -0600 Subject: [Fedora-directory-users] AD + FDS sync stops working? In-Reply-To: <456DA08C.6010605@redhat.com> References: <006901c713bf$24a71740$5e02a8c0@rmil> <456DA08C.6010605@redhat.com> Message-ID: <456DAB47.7020006@teleformix.com> To Ngan wrote: > Dan Oglesby wrote: >> I have two seperate installations of FDS 1.0.1 that were successfully >> configured to sync with two seperate AD controllers. They both >> worked fine for about six months, and both have stopped synchronizing >> information that should pass from the AD to FDS. Basically, if a >> user changes his or her password through AD, nothing changes on FDS. >> If the password is changed through FDS, it does get pushed up to the >> AD controller. >> >> Has anyone else seen this happen? There have been no changes made to >> either the FDS or AD configurations since the initial installation >> was completed. The AD servers are Windows 2000 and Windows 2003 on >> seperate domains. >> >> I've tried to uninstall and reinstall the PassSync software. Every >> time that service is restarted, I see a connect via SSL in the logs >> in FDS, but nothing after that. > Was the connect via SSL successful? 
>
It appears to be:

[29/Nov/2006:09:42:29 -0600] conn=146041 fd=203 slot=203 SSL connection from 192.168.2.200 to 192.168.100.122
[29/Nov/2006:09:42:29 -0600] conn=146041 SSL 128-bit RC4
[29/Nov/2006:09:42:29 -0600] conn=146041 op=0 BIND dn="cn=directory manager" method=128 version=2
[29/Nov/2006:09:42:29 -0600] conn=146041 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[29/Nov/2006:09:42:29 -0600] conn=146041 op=1 UNBIND
[29/Nov/2006:09:42:29 -0600] conn=146041 op=1 fd=203 closed - U1

That's all I ever see in the access log for the slapd server from my AD machine.

--Dan

From mjdshop at earthlink.net Wed Nov 29 16:42:24 2006
From: mjdshop at earthlink.net (MJD Shop Account)
Date: Wed, 29 Nov 2006 11:42:24 -0500 (GMT-05:00)
Subject: [Fedora-directory-users] setting up replication on consumer
Message-ID: <6329351.1164818544166.JavaMail.root@elwamui-hybrid.atl.sa.earthlink.net>

Hi All,

I am trying to set up replication to have a read-only consumer getting updates from a multi-master supplier. I've looked at the online docs and am using the mmr.pl script as a basis for a modified script to set up a supplier->consumer agreement. I think I'm almost there except for one question.

Before doing the script, I manually added the replica database on the consumer to see how it works. I went to the Configuration tab on the console for the consumer, and selected the database under Replication that I wish to replicate. I set it to be 'Dedicated Consumer'. When I did this in the console, it does not allow you to set a Replica ID, and it set it automatically to 65535 when I saved.

In my modified script, I copied the 'config_supplier' subroutine by duplicating it as config_consumer, and I took out the part where it sets the nsDS5ReplicaId thinking it must be unnecessary for the consumer.
When I try to run my script, I get this error on the consumer side because of removing that part:

failed to add replica entry: missing attribute "nsDS5ReplicaId" required by object class "nsDS5Replica"

So, I guess I need to add it back in... Can someone explain how this works and why the console doesn't allow you to set it? Is there some default value (eg 65535) that should *always* be set (seems unlikely in the case of multiple replica database objects).

-Marty

From tngan at redhat.com Wed Nov 29 17:14:47 2006
From: tngan at redhat.com (To Ngan)
Date: Wed, 29 Nov 2006 09:14:47 -0800
Subject: [Fedora-directory-users] AD + FDS sync stops working?
In-Reply-To: <456DAB47.7020006@teleformix.com>
References: <006901c713bf$24a71740$5e02a8c0@rmil> <456DA08C.6010605@redhat.com> <456DAB47.7020006@teleformix.com>
Message-ID: <456DC007.7010805@redhat.com>

Dan Oglesby wrote:
> To Ngan wrote:
>> Dan Oglesby wrote:
>>> I have two separate installations of FDS 1.0.1 that were
>>> successfully configured to sync with two separate AD controllers.
>>> They both worked fine for about six months, and both have stopped
>>> synchronizing information that should pass from the AD to FDS.
>>> Basically, if a user changes his or her password through AD, nothing
>>> changes on FDS. If the password is changed through FDS, it does get
>>> pushed up to the AD controller.
>>>
>>> Has anyone else seen this happen? There have been no changes made
>>> to either the FDS or AD configurations since the initial
>>> installation was completed. The AD servers are Windows 2000 and
>>> Windows 2003 on separate domains.
>>>
>>> I've tried to uninstall and reinstall the PassSync software. Every
>>> time that service is restarted, I see a connect via SSL in the logs
>>> in FDS, but nothing after that.
>> Was the connect via SSL successful?
>>
>
> It appears to be:
>
> [29/Nov/2006:09:42:29 -0600] conn=146041 fd=203 slot=203 SSL connection from 192.168.2.200 to 192.168.100.122
> [29/Nov/2006:09:42:29 -0600] conn=146041 SSL 128-bit RC4
> [29/Nov/2006:09:42:29 -0600] conn=146041 op=0 BIND dn="cn=directory manager" method=128 version=2
> [29/Nov/2006:09:42:29 -0600] conn=146041 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
> [29/Nov/2006:09:42:29 -0600] conn=146041 op=1 UNBIND
> [29/Nov/2006:09:42:29 -0600] conn=146041 op=1 fd=203 closed - U1
>
> That's all I ever see in the access log for the slapd server from my AD machine.

Nothing in DS error log either? How about the passsync log on your Windows box? (either under windows/system32 or your passsync install directory)

-- toto

From rmeggins at redhat.com Wed Nov 29 17:20:47 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 29 Nov 2006 10:20:47 -0700
Subject: [Fedora-directory-users] setting up replication on consumer
In-Reply-To: <6329351.1164818544166.JavaMail.root@elwamui-hybrid.atl.sa.earthlink.net>
References: <6329351.1164818544166.JavaMail.root@elwamui-hybrid.atl.sa.earthlink.net>
Message-ID: <456DC16F.8080900@redhat.com>

MJD Shop Account wrote:
> Hi All,
>
> I am trying to set up replication to have a read-only consumer getting updates from a multi-master supplier. I've looked at the online docs and am using the mmr.pl script as a basis for a modified script to set up a supplier->consumer agreement. I think I'm almost there except for one question.
>
> Before doing the script, I manually added the replica database on the consumer to see how it works. I went to the Configuration tab on the console for the consumer, and selected the database under Replication that I wish to replicate.
> I set it to be 'Dedicated Consumer'. When I did this in the console, it does not allow you to set a Replica ID, and it set it automatically to 65535 when I saved.
>
> In my modified script, I copied the 'config_supplier' subroutine by duplicating it as config_consumer, and I took out the part where it sets the nsDS5ReplicaId thinking it must be unnecessary for the consumer. When I try to run my script, I get this error on the consumer side because of removing that part:
>
> failed to add replica entry: missing attribute "nsDS5ReplicaId" required by object class "nsDS5Replica"
>
> So, I guess I need to add it back in... Can someone explain how this works and why the console doesn't allow you to set it? Is there some default value (eg 65535) that should *always* be set (seems unlikely in the case of multiple replica database objects).
>
The console is smarter and has additional logic to just hardcode the value to be 65535 for read-only replicas. Read-only consumers (hubs, dedicated consumers) must have the attribute "nsDS5ReplicaId", and it must be set to the value 65535.
> -Marty
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From doglesby at teleformix.com Wed Nov 29 17:42:39 2006
From: doglesby at teleformix.com (Dan Oglesby)
Date: Wed, 29 Nov 2006 11:42:39 -0600
Subject: [Fedora-directory-users] AD + FDS sync stops working?
In-Reply-To: <456DC007.7010805@redhat.com>
Message-ID: <200611291742.kATHgf4R032486@mail.teleformix.com>

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of To Ngan
Sent: Wednesday, November 29, 2006 11:15 AM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] AD + FDS sync stops working?

Dan Oglesby wrote:
> To Ngan wrote:
>> Dan Oglesby wrote:
>>> I have two separate installations of FDS 1.0.1 that were
>>> successfully configured to sync with two separate AD controllers.
>>> They both worked fine for about six months, and both have stopped
>>> synchronizing information that should pass from the AD to FDS.
>>> Basically, if a user changes his or her password through AD, nothing
>>> changes on FDS. If the password is changed through FDS, it does get
>>> pushed up to the AD controller.
>>>
>>> Has anyone else seen this happen? There have been no changes made
>>> to either the FDS or AD configurations since the initial
>>> installation was completed. The AD servers are Windows 2000 and
>>> Windows 2003 on separate domains.
>>>
>>> I've tried to uninstall and reinstall the PassSync software. Every
>>> time that service is restarted, I see a connect via SSL in the logs
>>> in FDS, but nothing after that.
>> Was the connect via SSL successful?
>>
>
> It appears to be:
>
> [29/Nov/2006:09:42:29 -0600] conn=146041 fd=203 slot=203 SSL connection from 192.168.2.200 to 192.168.100.122
> [29/Nov/2006:09:42:29 -0600] conn=146041 SSL 128-bit RC4
> [29/Nov/2006:09:42:29 -0600] conn=146041 op=0 BIND dn="cn=directory manager" method=128 version=2
> [29/Nov/2006:09:42:29 -0600] conn=146041 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
> [29/Nov/2006:09:42:29 -0600] conn=146041 op=1 UNBIND
> [29/Nov/2006:09:42:29 -0600] conn=146041 op=1 fd=203 closed - U1
>
> That's all I ever see in the access log for the slapd server from my AD machine.

Nothing in DS error log either? How about the passsync log on your Windows box? (either under windows/system32 or your passsync install directory)

I don't see any type of log for the passsync service in the program files area or the system/system32 directories.

Error log on the FDS system has nothing other than start and stop information for the FDS server.

--Dan

From srigler at marathonoil.com Wed Nov 29 18:46:46 2006
From: srigler at marathonoil.com (Stephen C. Rigler)
Date: Wed, 29 Nov 2006 12:46:46 -0600
Subject: [Fedora-directory-users] Limiting Number of Connections Serviced
Message-ID: <1164826006.25779.9.camel@houuc8>

We are in the process of moving from NIS to LDAP and one issue I've seen is that some clients will go through an infinite loop of hostname lookups if they are configured to use ldap for hosts resolution in their nsswitch.conf. This can be worked around quite easily on the client side, but one thing that concerns me is the potential for DoS (especially when there are people running around that like to play admin). Does Fedora-DS have any way of limiting the number of connections serviced from a given IP address?

Thanks,
Steve

From tngan at redhat.com Wed Nov 29 19:06:32 2006
From: tngan at redhat.com (To Ngan)
Date: Wed, 29 Nov 2006 11:06:32 -0800
Subject: [Fedora-directory-users] AD + FDS sync stops working?
In-Reply-To: <200611291742.kATHgf4R032486@mail.teleformix.com>
References: <200611291742.kATHgf4R032486@mail.teleformix.com>
Message-ID: <456DDA38.1020800@redhat.com>

Dan Oglesby wrote:
> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of To Ngan
> Sent: Wednesday, November 29, 2006 11:15 AM
> To: General discussion list for the Fedora Directory server project.
> Subject: Re: [Fedora-directory-users] AD + FDS sync stops working?
>
> Dan Oglesby wrote:
>
>> To Ngan wrote:
>>
>>> Dan Oglesby wrote:
>>>
>>>> I have two separate installations of FDS 1.0.1 that were
>>>> successfully configured to sync with two separate AD controllers.
>>>> They both worked fine for about six months, and both have stopped
>>>> synchronizing information that should pass from the AD to FDS.
>>>> Basically, if a user changes his or her password through AD, nothing
>>>> changes on FDS. If the password is changed through FDS, it does get
>>>> pushed up to the AD controller.
>>>>
>>>> Has anyone else seen this happen? There have been no changes made
>>>> to either the FDS or AD configurations since the initial
>>>> installation was completed. The AD servers are Windows 2000 and
>>>> Windows 2003 on separate domains.
>>>>
>>>> I've tried to uninstall and reinstall the PassSync software. Every
>>>> time that service is restarted, I see a connect via SSL in the logs
>>>> in FDS, but nothing after that.
>>>>
>>> Was the connect via SSL successful?
>>>
>>>
>> It appears to be:
>>
>> [29/Nov/2006:09:42:29 -0600] conn=146041 fd=203 slot=203 SSL connection from 192.168.2.200 to 192.168.100.122
>> [29/Nov/2006:09:42:29 -0600] conn=146041 SSL 128-bit RC4
>> [29/Nov/2006:09:42:29 -0600] conn=146041 op=0 BIND dn="cn=directory manager" method=128 version=2
>> [29/Nov/2006:09:42:29 -0600] conn=146041 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
>> [29/Nov/2006:09:42:29 -0600] conn=146041 op=1 UNBIND
>> [29/Nov/2006:09:42:29 -0600] conn=146041 op=1 fd=203 closed - U1
>>
>> That's all I ever see in the access log for the slapd server from my AD machine.
>>
>
> Nothing in DS error log either? How about the passsync log on your Windows box? (either under windows/system32 or your passsync install directory)
>
> I don't see any type of log for the passsync service in the program files area or the system/system32 directories.
>
In windows registry->HKLM->Software->PasswordSync, try adding a string value "Log Level" and set it to "1". Restart the passsync service. This should log all transactions and errors. Turn this back to "0" and restart passsync after troubleshooting.
> Error log on the FDS system has nothing other than start and stop information for the FDS server.
>
Can you check your registry
>

From clockwork at sigsys.org Wed Nov 29 22:17:16 2006
From: clockwork at sigsys.org (clockwork at sigsys.org)
Date: Wed, 29 Nov 2006 17:17:16 -0500
Subject: [Fedora-directory-users] Failed logins = lockout ?
Message-ID: <5849d9130611291417re7287c9t84d6ee509bef1cd@mail.gmail.com>

Is there a way to set up FDS to lock out an account after $number of failed login attempts?
If so, under ideal circumstances the account would only be locked for a certain amount of time. I have checked google, and the wiki. Nothing particularly useful, though a few people mention custom scripts to handle this sort of thing.

Thanks.
Clockwork

From glenn at mail.txwes.edu Wed Nov 29 22:20:12 2006
From: glenn at mail.txwes.edu (Glenn)
Date: Wed, 29 Nov 2006 16:20:12 -0600
Subject: [Fedora-directory-users] Windows Sync Error
In-Reply-To: <456CDB14.9010003@boreham.org>
References: <20061128164612.M79426@mail.txwes.edu> <456C6D4C.5000507@redhat.com> <20061128172828.M30202@mail.txwes.edu> <456C760C.2000006@redhat.com> <20061128225535.M87943@mail.txwes.edu> <456CDB14.9010003@boreham.org>
Message-ID: <20061129210751.M23766@mail.txwes.edu>

David, Richard - Thanks for the pointers. I took the ldif created by Windows Sync for one user and stripped it completely, then added lines from the original until it would import into Active Directory. I was not able to make ldapmodify connect to the AD server, so I continued to use ldifde on the AD server itself. I made a few import rules from this experience:

- LDAP attributes cannot be blank. In the example below, I had to remove the entries for userparameters, userworkstations, homeDirectory and profilepath for the file to import.
- I had to remove the codepage entry. I don't know whether AD objects to the attribute, the data, and/or the extra colon.
- My directory includes the domain name and a colon in samaccountname. I don't know whether to blame this on the ldif export from Netscape Directory or the import to DS 7.1, but AD does not allow colons in this data. Also, the domain name should not be included, because this attribute is mapped to "pre-W2000 logon name" in Active Directory, which does not include the domain name.
- The userprincipalname attribute has the same problem.
The Windows Sync documentation indicates that Windows Sync will populate an Active Directory, but I find this difficult to believe given the limitations noted above. I admit that I haven't tried working with the schema. I'm thinking it might be faster to export an ldif from the Directory Server, clean it up with a word processor, and import it into AD using the Microsoft ldifde tool. But will synchronization work any better than initialization, given the differences that will exist between data in the two directories? Should I remove all the entries from the Directory Server after cleaning up the ldif, and import that into the Directory Server as well as the AD?

-Glenn.

Example:

dn: cn=John Doe,ou=Domain Users,dc=ad,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: user
userprincipalname: TWU:jdoe at ad.example.com
samaccountname: TWU:jdoe
mail: jdoe at example.com
userparameters:
description: Reference Librarian
sn: Doe
telephoneNumber: 817-555-1234
codepage:: AAAAAA==
cn: John Doe
userworkstations:
title: Electronic Reference Librarian
homeDirectory:
profilepath:
givenName: John
facsimileTelephoneNumber: 817-555-2345
scriptpath: nt_script.bat

---------- Original Message -----------
From: David Boreham
To: "General discussion list for the Fedora Directory server project."
Sent: Tue, 28 Nov 2006 17:57:56 -0700
Subject: Re: [Fedora-directory-users] Windows Sync Error

> Glenn wrote:
>
> >I wasn't thinking when I said the directory server data was imported from
> >NT. It actually came from a Netscape Directory server. Just as a test, I
> >exported a few users to an ldif file and tried to use the ldifde on the W2003
> >domain controller to import them. It seems to find a syntax error on every
> >line in the file, making it impossible to narrow it down.
> >
> >I can't possibly be the only person who has run into this problem. Hoping
> >someone can shed some light. Thanks. -Glenn.
> >
> >
> We ran into this problem while developing the code.
> Unfortunately AD is brain-damaged when it comes to
> diagnosing why it objected to a particular operation.
> There seems to be no way to get it to log some decent
> diagnostic information, and it does not provide an adequate
> error message over the wire.
>
> In debugging these problems I first added the code that you
> have seen that dumps out the complete entry to the log.
> Then I pasted the entry into an ldapmodify command
> to reproduce the problem outside the server. Finally I
> edited the LDIF to trim off likely looking attributes until
> AD quit complaining. At that point I knew which one it
> was barfing over.
>
> I would begin by removing all the NT domain related
> attributes from a test entry and see if it adds ok.
> Then add them back one by one to see which is
> causing the problem.
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
------- End of Original Message -------

From glenn at mail.txwes.edu Wed Nov 29 22:34:35 2006
From: glenn at mail.txwes.edu (Glenn)
Date: Wed, 29 Nov 2006 16:34:35 -0600
Subject: [Fedora-directory-users] Help Desk Directory Editor?
Message-ID: <20061129223056.M70625@mail.txwes.edu>

Assuming I get Directory Server working, is there a web-based editor that our help desk and HR people can use to add and delete users and change passwords? What's the best way to set this up? Thanks. -Glenn.

From bryan at yu.edu Wed Nov 29 22:37:33 2006
From: bryan at yu.edu (Zeli Kartzman)
Date: Wed, 29 Nov 2006 17:37:33 -0500
Subject: [Fedora-directory-users] can you use chaining to retrieve some attribute
Message-ID: <1164839853.32602.16.camel@zeli2.dev.mis.yu.edu>

Forgive my ignorance of LDAP; I'm just beginning. We want to set up a directory server which contains all the attributes except one. The other attribute we want to retrieve from an Active Directory server.
In other words, the query should return the combined list of attributes from this directory server and the AD server. Can this be done with chaining?

thanks
bz

From bryan at yu.edu Wed Nov 29 22:58:06 2006
From: bryan at yu.edu (Zeli Kartzman)
Date: Wed, 29 Nov 2006 17:58:06 -0500
Subject: [Fedora-directory-users] can you use chaining to retrieve some attributes
Message-ID: <1164841086.32602.24.camel@zeli2.dev.mis.yu.edu>

Forgive my ignorance of LDAP; I'm just beginning. We want to set up a directory server which contains all the attributes except one. The other attribute we want to retrieve from an Active Directory server. In other words, the client will issue a search query to the directory server and the directory server should return the combined list of attributes from this directory server and the AD server. Can this be done with chaining?

thanks
bz

From david_list at boreham.org Wed Nov 29 23:03:28 2006
From: david_list at boreham.org (David Boreham)
Date: Wed, 29 Nov 2006 16:03:28 -0700
Subject: [Fedora-directory-users] Windows Sync Error
In-Reply-To: <20061129210751.M23766@mail.txwes.edu>
References: <20061128164612.M79426@mail.txwes.edu> <456C6D4C.5000507@redhat.com> <20061128172828.M30202@mail.txwes.edu> <456C760C.2000006@redhat.com> <20061128225535.M87943@mail.txwes.edu> <456CDB14.9010003@boreham.org> <20061129210751.M23766@mail.txwes.edu>
Message-ID: <456E11C0.5010404@boreham.org>

Glenn wrote:

>The Windows Sync documentation indicates that Windows Sync will populate an
>Active Directory, but I find this difficult to believe given the
>limitations noted above.
>
Erum, it will, provided you don't feed it bad data.

> I admit that I haven't tried working with the
>schema. I'm thinking it might be faster to export an ldif from the
>Directory Server, clean it up with a word processor, and import it into AD
>using the Microsoft ldifde tool.
>
>But will synchronization work any better than initialization, given the
>differences that will exist between data in the two directories? Should I
>remove all the entries from the Directory Server after cleaning up the ldif,
>and import that into the Directory Server as well as the AD? -Glenn.
>
>
It depends on what your overall goal is. If you want sync (which implies a long term relationship between AD and FDS) then you should use sync. If all you're looking for is a way to import users into AD then please do not use Windows Sync for that.

Overall, the problem you are seeing, I suspect, is that the FDS Windows Sync feature was _not_ designed to cope with old Netscape DS data (from the Netscape Windows Sync feature). While the two share similar names for attributes and capabilities, they are entirely different and maintaining data compatibility was not a goal for the FDS feature. The old Netscape sync feature was designed to work with NT4 and it turns out that MS made changes to user schema in AD that are not compatible. It would probably be possible to write a script that would convert data from a Netscape DS, sync'ed from NT, into a form that would be compatible with FDS and AD.

From mjdshop at earthlink.net Wed Nov 29 23:19:29 2006
From: mjdshop at earthlink.net (MJD Shop Account)
Date: Wed, 29 Nov 2006 18:19:29 -0500 (GMT-05:00)
Subject: [Fedora-directory-users] admin server attribute updates
Message-ID: <19342285.1164842369613.JavaMail.root@elwamui-chisos.atl.sa.earthlink.net>

I am trying to change the host/ip access settings for the admin server using an ldif file rather than manually in the console. I used ldapmodify with the input similar to what's below. I can see the attributes with the new settings in the directory via ldapsearch when binding as the directory manager, but the admin-serv config files don't update, in particular the local.conf has not refreshed to show this change. I've stopped/restarted both admin server and the directory server.
What am I doing wrong?

dn: cn=configuration, cn=admin-serv-host, cn=Fedora Administration Server, cn=Server Group, cn=host.domain1.com, ou=example, o=NetscapeRoot
changetype: modify
# each "replace:" names a single attribute; separate the two changes with "-"
replace: nsAdminAccessAddresses
nsAdminAccessAddresses: *
-
replace: nsAdminAccessHosts
nsAdminAccessHosts: (*.domain1.com|*.domain2.com|localhost.localdomain)

-Marty

From rmeggins at redhat.com Wed Nov 29 23:27:24 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 29 Nov 2006 16:27:24 -0700
Subject: [Fedora-directory-users] admin server attribute updates
In-Reply-To: <19342285.1164842369613.JavaMail.root@elwamui-chisos.atl.sa.earthlink.net>
References: <19342285.1164842369613.JavaMail.root@elwamui-chisos.atl.sa.earthlink.net>
Message-ID: <456E175C.9080902@redhat.com>

MJD Shop Account wrote:
> I am trying to change the host/ip access settings for the admin server using an ldif file rather than manually in the console. I used ldapmodify with the input similar to what's below. I can see the attributes with the new settings in the directory via ldapsearch when binding as the directory manager, but the admin-serv config files don't update, in particular the local.conf has not refreshed to show this change. I've stopped/restarted both admin server and the directory server. What am I doing wrong?
>
Nothing. local.conf is a read-only shadow copy of the data in the directory. The Admin Server should use the data in the directory and will only use local.conf if the configuration ds is down.
> dn: cn=configuration, cn=admin-serv-host, cn=Fedora Administration Server, cn=Server Group, cn=host.domain1.com, ou=example, o=NetscapeRoot
> changetype: modify
> replace: nsAdminAccessAddresses
> nsAdminAccessAddresses: *
> -
> replace: nsAdminAccessHosts
> nsAdminAccessHosts: (*.domain1.com|*.domain2.com|localhost.localdomain)
>
> -Marty
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From patrick.morris at hp.com Wed Nov 29 23:30:12 2006
From: patrick.morris at hp.com (Patrick Morris)
Date: Wed, 29 Nov 2006 15:30:12 -0800
Subject: [Fedora-directory-users] Failed logins = lockout ?
In-Reply-To: <5849d9130611291417re7287c9t84d6ee509bef1cd@mail.gmail.com>
References: <5849d9130611291417re7287c9t84d6ee509bef1cd@mail.gmail.com>
Message-ID: <20061129233012.GP17454@pmorris.usa.hp.com>

On Wed, 29 Nov 2006, clockwork at sigsys.org wrote:

> Is there a way to set up FDS to lock out an account after $number of failed
> login attempts? If so, under ideal circumstances the account would only be
> locked for a certain amount of time. I have checked google, and the wiki.
> Nothing particularly useful, though a few people mention custom scripts to
> handle this sort of thing.

Check the docs for password policies.

From rmeggins at redhat.com Thu Nov 30 03:46:11 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 29 Nov 2006 20:46:11 -0700
Subject: [Fedora-directory-users] Help Desk Directory Editor?
In-Reply-To: <20061129223056.M70625@mail.txwes.edu>
References: <20061129223056.M70625@mail.txwes.edu>
Message-ID: <456E5403.5020809@redhat.com>

Glenn wrote:
> Assuming I get Directory Server working, is there a web-based editor that
> our help desk and HR people can use to add and delete users and change
> passwords? What's the best way to set this up? Thanks. -Glenn.
>
The Directory Server Gateway is already set up for you when you run setup. Just open the admin server url in your web browser. You will see the web apps that are bundled with Fedora DS.
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From rmeggins at redhat.com Thu Nov 30 03:48:34 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 29 Nov 2006 20:48:34 -0700
Subject: [Fedora-directory-users] can you use chaining to retrieve some attributes
In-Reply-To: <1164841086.32602.24.camel@zeli2.dev.mis.yu.edu>
References: <1164841086.32602.24.camel@zeli2.dev.mis.yu.edu>
Message-ID: <456E5492.8040103@redhat.com>

Zeli Kartzman wrote:
> Forgive my ignorance of LDAP; I'm just beginning. We want to set up a
> directory server which contains all the attributes except one. The other
> attribute we want to retrieve from an Active Directory server. In other
> words, the client will issue a search query to the directory server
> and the directory server should return the combined list of attributes
> from this directory server and the AD server. Can this be done with chaining?
>
No. Chaining works on a suffix/database basis, not on an individual attribute value basis. You would have to write a C code plug-in to provide this. For an example, see the presence plugin that is bundled with the DS.
This allows you to set an attribute value via http. We used to use it to provide the AIM presence by querying the oscar aim http url. It also worked with Yahoo, ICQ, et al.
> thanks
>
> bz
>
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From koniczynek at uaznia.net Thu Nov 30 07:13:16 2006
From: koniczynek at uaznia.net (koniczynek)
Date: Thu, 30 Nov 2006 08:13:16 +0100
Subject: [Fedora-directory-users] Help Desk Directory Editor?
In-Reply-To: <456E5403.5020809@redhat.com>
References: <20061129223056.M70625@mail.txwes.edu> <456E5403.5020809@redhat.com>
Message-ID: <456E848C.6060301@uaznia.net>

Richard Megginson wrote:
>> Assuming I get Directory Server working, is there a web-based editor
>> that our help desk and HR people can use to add and delete users and
>> change passwords? What's the best way to set this up? Thanks. -Glenn.
> The Directory Server Gateway is already set up for you when you run
> setup. Just open the admin server url in your web browser. You will
> see the web apps that are bundled with Fedora DS.
Or you could just use any LDAP editor; for Linux I recommend Luma, for Windows there is something called jXplorer, or simply search "ldap browser windows" in Google.

--
best regards
koniczynek

From koniczynek at uaznia.net Thu Nov 30 08:36:07 2006
From: koniczynek at uaznia.net (koniczynek)
Date: Thu, 30 Nov 2006 09:36:07 +0100
Subject: [Fedora-directory-users] Memory usage
Message-ID: <456E97F7.2050604@uaznia.net>

Hello,
I've installed FDS 1.0.4 on a test system with only 256MiBs of RAM.
Now I want to test performance and when I've started to query FDS with ldapsearch on my full LDAP tree the load of linux box raised to 12 but FDS memory usage stays @ 90-110MiBs of ram, regardless of that I've added RAM and now linux box has 2048MiBs. Is there any option to set for FDS, that it uses more ram for cache or some other purpose? -- xmpp/email: koniczynek at uaznia.net xmpp/email: koniczynek at gmail.com From Darren.Paxton at mercer.com Thu Nov 30 08:46:08 2006 From: Darren.Paxton at mercer.com (Paxton, Darren) Date: Thu, 30 Nov 2006 08:46:08 -0000 Subject: [Fedora-directory-users] Extracting details from Active Directoryto FDS Message-ID: <52F7C07B119CF4439B7EFBFE0FB3256B027CBC5D@eidwpexms06.mercer.com> Hi Has anyone had any thoughts on my query or can point me in the right direction? As is the nature of AD, I would have thought it is possible to extract this information using a scope setting or something similar. Thanks Darren ________________________________ From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Paxton, Darren Sent: 24 November 2006 14:56 To: fedora-directory-users at redhat.com Subject: [Fedora-directory-users] Extracting details from Active Directoryto FDS Hi all, I've been tinkering with integrating our Linux devices into our AD domain for some time and I've hit a few brick walls, however I've recently discovered FDS and the synchronisation features with AD. I've managed to set up a few replication jobs, however due to the extensive nature of our AD, I've realised that the sync only takes the group and user objects from the OU or CN being specified. Is there any way I can specify that it should traverse all subtrees of an OU and extract all that information back into FDS? Thanks Darren -- Darren Paxton EMEA Tier2 Red Hat Certified Engineer VMware Certified Professional MGTI Centralised ops -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From doglesby at teleformix.com Thu Nov 30 15:21:24 2006 From: doglesby at teleformix.com (Dan Oglesby) Date: Thu, 30 Nov 2006 09:21:24 -0600 Subject: [Fedora-directory-users] AD + FDS sync stops working? Message-ID: <200611301521.kAUFLUk8012823@mail.teleformix.com> I tried the following: In windows registry->HKLM->Software->PasswordSync, try add string value ?Log Level? and set it to ?1?.? Restart the passsync service.? This should log all transactions and errors.? Turn this back to "0" and restart passsync after troubleshooting. All I see in the log is this: 11/30/06 09:12:58: begin log 11/30/06 09:12:59: 0 new entries loaded from file 11/30/06 09:14:20: 0 new entries loaded from file 11/30/06 09:14:20: 0 entries saved to file 11/30/06 09:14:20: end log 11/30/06 09:14:22: begin log 11/30/06 09:14:22: 0 new entries loaded from file That?s after restarting the passsync service twice, and changing a user?s password in AD four times. --Dan From rmeggins at redhat.com Thu Nov 30 15:45:48 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Thu, 30 Nov 2006 08:45:48 -0700 Subject: [Fedora-directory-users] Memory usage In-Reply-To: <456E97F7.2050604@uaznia.net> References: <456E97F7.2050604@uaznia.net> Message-ID: <456EFCAC.7010207@redhat.com> koniczynek wrote: > Hello, > I've installed FDS 1.0.4 on test system with only 256MiBs of RAM. Now > I want to test performance and when I've started to query FDS with > ldapsearch on my full LDAP tree the load of linux box raised to 12 but > FDS memory usage stays @ 90-110MiBs of ram, regardless of that I've > added RAM and now linux box has 2048MiBs. Is there any option to set > for FDS, that it uses more ram for cache or some other purpose? This is an excellent cache/memory tuning document from a Sun employee, primarily targeted to Sun DS users, but almost all of the information is relevant to Fedora DS (since they share a common lineage). 
http://www.directorymanager.org/blogs/ds_cache_sizing.pdf -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From mxheadroom at hotmail.com Thu Nov 30 17:31:50 2006 From: mxheadroom at hotmail.com (t b) Date: Thu, 30 Nov 2006 12:31:50 -0500 Subject: [Fedora-directory-users] pam_ldap with SSL/TLS Message-ID: I am trying to setup pam_ldap to use TLS to communicate with the FDS, but having lots of problems doing so; it works if I use the unencrypted way but not if I use ldaps ( port 636 ) I used the instructions at, http://directory.fedora.redhat.com/wiki/Howto:PAM Has anyone gotten PAM to work TLS Thanks _________________________________________________________________ Buy, Load, Play. The new Sympatico / MSN Music Store works seamlessly with Windows Media Player. Just Click PLAY. http://musicstore.sympatico.msn.ca/content/viewer.aspx?cid=SMS_Sept192006 From patrick.morris at hp.com Thu Nov 30 18:00:56 2006 From: patrick.morris at hp.com (Morris, Patrick) Date: Thu, 30 Nov 2006 13:00:56 -0500 Subject: [Fedora-directory-users] pam_ldap with SSL/TLS In-Reply-To: Message-ID: > I am trying to setup pam_ldap to use TLS to communicate with > the FDS, but having lots of problems doing so; it works if I > use the unencrypted way but not if I use ldaps ( port 636 ) Someone should jump in here and correct me if I'm wrong, but I believe it's normal for TLS connections to happen on the standard LDAP port. You should be able to tell from your logs whether the connection is encrypted or not. 
From rmeggins at redhat.com Thu Nov 30 18:08:08 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Thu, 30 Nov 2006 11:08:08 -0700 Subject: [Fedora-directory-users] pam_ldap with SSL/TLS In-Reply-To: References: Message-ID: <456F1E08.40601@redhat.com> Morris, Patrick wrote: >> I am trying to setup pam_ldap to use TLS to communicate with >> the FDS, but having lots of problems doing so; it works if I >> use the unencrypted way but not if I use ldaps ( port 636 ) >> > > Someone should jump in here and correct me if I'm wrong, but I believe > it's normal for TLS connections to happen on the standard LDAP port. > You should be able to tell from your logs whether the connection is > encrypted or not. > Yes. The LDAP "preferred" way is to use the startTLS extended operation which starts a TLS session on the non-secure port. This will be logged in the access log. > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL:
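One way to act on that last point, as an added example that is not code from the list or from the Directory Server project: the script below reads access-log lines and classifies each connection as LDAPS (accepted on the secure port), StartTLS (a successful extended operation carrying the StartTLS OID), or plaintext, and reports simple binds that ran before the channel was encrypted. The log lines are constructed to resemble the Fedora DS access log format; the IP addresses, DNs and connection numbers are made up.

```python
"""Classify Fedora/389 Directory Server access-log connections by transport.

Added example, not code from the mailing list or the Directory Server
project. The sample log below is constructed to resemble the server's
access log (conn=, fd=, op=, EXT, RESULT, BIND fields); addresses, DNs
and connection numbers are invented.
"""
import re

# Extended-operation OID for StartTLS (RFC 4511, section 4.14).
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"

# Constructed sample: conn=5 binds in the clear on port 389, conn=6 runs
# StartTLS before binding, conn=7 arrives on the LDAPS port.
SAMPLE_LOG = """\
[30/Nov/2006:11:08:08 -0700] conn=5 fd=64 slot=64 connection from 10.0.0.7 to 10.0.0.1
[30/Nov/2006:11:08:08 -0700] conn=5 op=0 BIND dn="uid=alice,ou=People,dc=example,dc=com" method=128 version=3
[30/Nov/2006:11:08:08 -0700] conn=5 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[30/Nov/2006:11:08:09 -0700] conn=6 fd=65 slot=65 connection from 10.0.0.8 to 10.0.0.1
[30/Nov/2006:11:08:09 -0700] conn=6 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[30/Nov/2006:11:08:09 -0700] conn=6 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[30/Nov/2006:11:08:09 -0700] conn=6 TLS1.0 128-bit AES
[30/Nov/2006:11:08:09 -0700] conn=6 op=1 BIND dn="uid=bob,ou=People,dc=example,dc=com" method=128 version=3
[30/Nov/2006:11:08:09 -0700] conn=6 op=1 RESULT err=0 tag=97 nentries=0 etime=0
[30/Nov/2006:11:08:10 -0700] conn=7 fd=66 slot=66 SSL connection from 10.0.0.9 to 10.0.0.1
[30/Nov/2006:11:08:10 -0700] conn=7 SSL 128-bit AES
[30/Nov/2006:11:08:10 -0700] conn=7 op=0 BIND dn="uid=carol,ou=People,dc=example,dc=com" method=128 version=3
[30/Nov/2006:11:08:10 -0700] conn=7 op=0 RESULT err=0 tag=97 nentries=0 etime=0
"""

LINE_RE = re.compile(r"^\[[^\]]+\] conn=(?P<conn>\d+) (?P<rest>.*)$")
BIND_RE = re.compile(r'op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)"')
OP_RE = re.compile(r"op=(\d+)")


def classify_connections(log_text):
    """Return {conn_id: {"transport": ..., "plaintext_binds": [dn, ...]}}.

    transport is "ldaps" for connections accepted on the secure port,
    "starttls" once a StartTLS extended operation has returned err=0,
    and "plaintext" otherwise. A simple bind (method=128) with a non-empty
    DN that is seen while the connection is still plaintext is recorded,
    because its password crossed the wire unencrypted.
    """
    conns = {}
    pending_starttls = {}  # conn id -> op number of an outstanding StartTLS request
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        cid, rest = m.group("conn"), m.group("rest")
        state = conns.setdefault(cid, {"transport": "plaintext", "plaintext_binds": []})
        if "SSL connection from" in rest:
            # Accepted on the LDAPS listener: encrypted from the first byte.
            state["transport"] = "ldaps"
        elif f'EXT oid="{STARTTLS_OID}"' in rest:
            # StartTLS requested; wait for the matching RESULT before trusting it.
            pending_starttls[cid] = OP_RE.search(rest).group(1)
        elif cid in pending_starttls and rest.startswith(f"op={pending_starttls[cid]} RESULT"):
            if "err=0" in rest:
                state["transport"] = "starttls"
            del pending_starttls[cid]
        else:
            b = BIND_RE.search(rest)
            if b and b.group("dn") and "method=128" in rest and state["transport"] == "plaintext":
                state["plaintext_binds"].append(b.group("dn"))
    return conns


def plaintext_bind_report(log_text):
    """Return (conn_id, dn) pairs for simple binds that were not protected by TLS."""
    return [(cid, dn)
            for cid, st in classify_connections(log_text).items()
            for dn in st["plaintext_binds"]]


if __name__ == "__main__":
    for cid, st in classify_connections(SAMPLE_LOG).items():
        print(f"conn={cid}: {st['transport']}, plaintext binds: {st['plaintext_binds']}")
```

Run against a real access log, the report lists exactly the clients that still need the `ssl start_tls` (or `ldaps://` URI) setting fixed on the pam_ldap side; an empty report after the change confirms that the bind really did move onto an encrypted channel rather than silently falling back.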